CISO Insider S2E1 — A Passion for Security with Mitch Zahler
At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Even Financial Chief Information Security Officer Mitch Zahler kicks off Season 2 of CISO Insider with insights into how living through the last year of COVID has impacted cybersecurity, why concise communication is essential for security leaders, and a great story on the first CISO — how security got a seat at the executive table.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at email@example.com.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: Today on CISO Insider, it’s our season two premiere with Mitch Zahler, the CISO of Even Financial. Mitch shares why concise communication is essential for security leaders, how he gives back to the community through teaching and consulting work, plus a great story on the first CISO and how the security role evolved to become part of the C-suite, and those are only a few of the incredible insights Mitch has to share with us today. Please join us in welcoming Mitch to CISO Insider.
Chris Martinez: Thank you so much, Mitch, for joining us on the CISO Insider podcast.
Mitch Zahler: My pleasure. Thanks for having me.
Chris Martinez: What attracted you to get into cybersecurity and work in financial services?
Mitch Zahler: I’m not sure you can use the word attracted. It may be more like being at the right place at the right time. When I started my IT career, I was in the financial services arena. At that point, there was only mainframe security, as local area networks that connected to desktops were really in their infancy. I was working for American Express, and we were bringing on this new technology which needed to be installed as new infrastructure. Once we installed it, they asked for a volunteer to run the security portion of the newly installed network. Since I was fairly new to the group and there was no one who had time to do it, I was volunteered by my boss. Which at the time didn’t seem like a great thing. But it was probably one of the best things he could have done for me, and I haven’t looked back since.
Mitch Zahler: Those early days in security gave me opportunities that aren’t as available today. I was one of 10 people who met with the architects of Novell twice a year in Texas. We gave them suggestions about how we can improve their security. It’s really exciting to see some of the enhancements that I suggested actually were incorporated into the operating system.
Chris Martinez: Did you have a mentor as you were building your career path as a security leader?
Mitch Zahler: I had quite a few. Since the world of data security, as it was called back then, was very small, I was speaking and interacting with people like Steve Katz who I’ve stayed in touch with after all these years. Steve, for those listeners who don’t know, was the first CISO. I still have a connection with him, and his insights into various security ideas have stayed with me. I apply many of the things that we spoke about over those past years. I would have lunch with Steve and we’d discuss where I was going in my career and he would give me advice. I probably couldn’t get that kind of advice from anybody else in the field because Steve had pretty much the most experience, again, being the first CISO.
Mitch Zahler: I also used to speak at conferences with people like John McAfee and other security leaders who were trying to launch their security products. It was an amazing time in the industry, and I learned a lot from these people in the early days as well. But I think the one person that really changed my thinking about security and mentored me quite a bit was my boss at a place I used to work at, Republic National Bank. He told me that I needed to make sure that any controls I put in place were as transparent as possible for the user. He used to tell me if they weren’t, then people would try to bypass them, and then security wouldn’t work. He told me also that you can’t slow down the business. We need to find a way to implement security controls in a smart and effective way. He gave me that advice a long time ago and I still practice it.
Mitch Zahler: Here’s a cute story which illustrates that. When I worked at one of the banks we had to assure that the trading desk computers were secure since they interfaced with quite a few systems in the bank internally and externally. There were about 10 machines where trades were executed and they needed to be extremely fast for various reasons. Those machines, however, couldn’t have anti-virus on them because anti-virus, as you know, slows them down. But they did have a few games on them so the traders could “relax” during the day. Anybody who’s worked with traders knows that traders usually get anything they need.
Mitch Zahler: So we had a dilemma. How do we protect machines from viruses and allow these games on the system? We came up with a control process where we tested and scanned those games on other workstations to assure the new versions were safe. We had strict controls over those traders’ workstations, so no one else could put anything on them. We also limited where they could go externally. So we let the business run while putting in controls to protect the organization.
Chris Martinez: Can you elaborate a little bit on what you meant by the first CISO?
Mitch Zahler: This was many, many years ago. Citibank, at that time, had been hit by a Russian hacker. People were pulling their money out of Citibank because they thought that their money was being stolen by this hacker. Steve Katz came into the organization, and he really became the first chief information security officer who started dealing directly with the C-suite. Before Steve, the security people would have a seat up in the executive row. But now that Steve came in, they changed the whole model. Steve would be there and be the first CISO who would actually be able to talk to all the other suites. CISO people advised them what the risks were and then told them how to mitigate the risks. That’s how the whole CISO project started.
Mitch Zahler: I believe that clear and concise communication is essential for any person in security. You need to have your listeners and/or readers understand threats and how they can reduce or mitigate their risks totally. I’ve been working my entire career on trying to enhance my speaking and enhance my writing. Around tax time, I usually write about tax fraud since I want to educate people on fraud. It gives me personal satisfaction to know that I may have saved someone thousands of dollars of their hard-earned money. I also try to focus on community or town publications and get down to really the grassroots where I can reach people from all walks of life so that I can give them some useful information, even though security is probably the furthest thing from their mind.
Mitch Zahler: Also, when I speak at conferences, I always want to give the attendees something that they can take back with them that they could actually use that will make a difference. I usually try to share anywhere between three and five tips and tricks that I have learned throughout my career with the audience. I remember speaking a few years ago at a financial crimes conference. I told the audience they should try my tips and see what happens, and they might be surprised with what they find out.
Mitch Zahler: About two weeks later I received an email from an attendee who wrote to thank me for the tips. She said that she was amazed at what she found when she applied those tips and tricks, and that she brought it to management and they were very pleased with her results, and actually acted on them. That means they saw a security gap and they gave her the ability to act on those security gaps. It was very nice that she took the time to email me, and I appreciate it.
Chris Martinez: How did you get into teaching at Rutgers University? What’s it like working as a professor and a CISO at the same time?
Mitch Zahler: I’ve always been a big believer in giving back to the community, and I’ve done so throughout my career by mentoring and providing sometimes gratis security consulting in special situations, just to name a few things. Teaching, while having a full-time position, isn’t easy. But I still wanted to continue my path of giving. A colleague that I met a few years ago at a meeting told me that she teaches part-time at Rutgers and they were looking for an adjunct professor to teach information security. She thought I would be a great fit. Initially, I didn’t know how I’d be able to juggle it, but after the first few semesters I have it to the point where I can do both without any concern that either my day job or teaching will be impacted.
Mitch Zahler: I usually try to dedicate one class each semester where I explain the various domains of information security to my students and what it takes to get a job in those areas. I also bring real-life examples from organizations I’ve worked at into the classroom, which is really important. Many times I’ve explained to my students current hacks that were reported in the news, because invariably we always have something that happened during the semester. This company got hacked, that company had a breach, or whatever it was. Something always happens at least once during the semester.
Mitch Zahler: I remember when I first started teaching at Rutgers, I asked those who were going to graduate what their next steps were. Most of them said that they weren’t sure since they learned a lot of theory, but not enough practical hands-on skill. At that point I decided to add a Splunk lab to the syllabus. I know this great engineer, David Wiedaseck, from Splunk. He drove down from Boston every semester to run the lab. Of course, now we do it by Zoom. But the best part is that the students get a certificate for basic Splunk skills, which they can now put on their resume. Two students from my classes sent me an email and they said, “thanks for the lab. I put it on my resume, I got an interview, and I’m starting to work low level in a SOC.” That’s really gratifying.
Mitch Zahler: I find it very satisfying when my former students contact me and ask for advice. This may help them get their first security role. Before the pandemic I had the FBI come into class and give a lecture on what it’s like to work within the FBI. One student talked to this person, got his card, and that student now is working for the FBI cyber division. Another former student recently reached out to me and I helped him with some tips on his upcoming interview at Google. There are many others who have gone on to obtain a security job since I started teaching. At the end of the day, this is where I get a lot of satisfaction from teaching.
Mitch Zahler: Just to close this part out, two things, two main things that I teach my students. Again, there are many things you need in security. But the two main things I always teach them are that they must have a passion for security and they have to think outside of the box.
Chris Martinez: Over your career you’ve worked in financial services and financial technology with some huge companies, like HSBC and American Express, and then some small firms where you worked with small and medium-sized businesses. Are there any lessons and common threads that apply to working for big and small companies?
Mitch Zahler: Larger organizations have much more red tape, which is expected. They’re huge. Some things progress slower, but they have funds to implement many more security controls in a given year because they have a larger attack surface. Smaller organizations, on the other hand, many times don’t have the ability to implement the controls as quickly as the big organizations. They can do it fast, but they lack the security funding. So while SMBs may get things done faster, you need to carefully identify your risks and address them in a hierarchical fashion.
Mitch Zahler: One of the things I also learned is you need buy-in. In both types of organizations, you need a clear and concise description of the risks and why you rated them in a particular way, and most importantly, to let the business’s C-suite be involved in the decision making process of remediating those risks. After all, they’re the ones that ultimately decide on your funding and accepting risks for the organization. One of the things that I found, which is totally amazing to me, is when you do get the business’s C-suite involved, they take ownership in it. When they take ownership in it, first of all, you get their point of view, which is great. But they’re also more apt to give you the funding and anything you need.
Mitch Zahler: Over the years I’ve been asked to present security budgets to executive management, and I’ve noticed there are some who truly understand the risks to the business while others really don’t have any idea. I’ve always seen my job as twofold. One is to educate the audience so they understand the risks, and two, to explain in layman’s terms how you propose to remediate those risks. If you don’t put it in layman’s terms, and you have it in all security terms, it’s going to totally go over their heads and they’re not going to be able to work with you. Also, due to regulatory issues, some of the people who now sit in the boardroom, and executives, can be held responsible for security incidents. Usually that’s the people in the audience when you present.
Mitch Zahler: One thing that is present in both large and small organizations is reading about a security incident in another company. If it makes its way all the way to the Wall Street Journal or New York Times, you know the next morning you’re going to get a call. I find that when people in senior roles perk up and ask what type of protections they have against that attack that happened to this other company, it sometimes results in getting more security budget, and more security people within the organization. We don’t want other people to get hit with an incident, but since it did happen, it’s a way that a lot of other companies can get benefits out of it.
Chris Martinez: When you think about security in your role as security leader at Even Financial, what are the most important things for your organization, and what have you learned along the way?
Mitch Zahler: For people who aren’t familiar with us, Even Financial’s mission has always been to build the definitive search, comparison, and recommendation engine for financial services. I work with very talented people who are always collaborating with each other across the entire organization. The innovation I see in different areas is fantastic. Along with that innovation we may need to put in new security controls that have to be integrated with our new products. One of the reasons I’m here at Even Financial is to make sure security is integrated into those new innovative products, because we want to keep them secure.
Mitch Zahler: The culture in many startups is to move ahead as quickly as possible, without necessarily thinking about security. One of the things I’ve noticed is more people reaching out to me to ask security questions and engaging security to work with them. I believe this is a result of a culture shift, which comes from security awareness and education. That does a tremendous amount in organizations.
Mitch Zahler: For our organization, we place special emphasis on the protection of customer information. To this end, we are constantly working on new ways to protect the organization, like with SOC 2 compliance. We place multiple levels of security controls within our systems to protect our customers’ data, and each employee is aware that this is extremely important. I look at security in the same way, no matter the size or vertical of the organization. At the end of the day, the basic principles of security are still the same and controls need to be created and implemented as they relate to the data that you’re protecting in your environment.
Mitch Zahler: This is something that’s really difficult to do, but like many in the field I need to keep up with new issues facing the security community. I really don’t have a lot of time to read hundreds of articles, and believe me, there are lots of articles. Some of the articles I read are on security-focused magazines like Dark Reading and Bleeping Computer. I belong to multiple groups that have various public and private newsletters. The ones I use are mostly private, from connections and relationships I’ve built over my career. Team Cymru at CYMRU.org has a service that puts out a daily digest of important information security links to articles that you can click on and read. You can choose what you want to read from the subject line and synopsis, which is really helpful.
Mitch Zahler: I think each person will need to search the internet and see what is right for them. They also need to make sure that they know what the source of the article is to ensure reliability. There are a lot of people out there who put out articles and they’re, how do I say this nicely? They’re something that people shouldn’t rely on. In a specific vertical, such as healthcare, there are organizations such as HITRUST which send out newsletters and produce webinars on various security topics for the healthcare industry. Even though they sell a service, they still put out newsletters and have webinars. You’ll see your vendors for your hardware do this as well. Your firewall vendor will usually have seminars. Make sure you go to those and sign up for their newsletters. There’s a lot of good information there.
Mitch Zahler: I would also suggest that if you’re in an industry that has an ISAC, which stands for information sharing and analysis center, to join that if you possibly can. There are over 20 ISACs for various industries like automotive, real estate, oil and gas, healthcare, and of course financial. There’s a lot of great information that comes out of those different ISACs that will deal directly with your vertical, and it may save you a lot of time.
Mitch Zahler: I would also search the internet for lists of security blogs which people rate highly. You’ve got to be very wary until you check them out for yourself. There are currently a lot of virtual conferences that are free since there’s no physical venue because of COVID. Take advantage of those and choose the ones that align with your organization. When I find the ones that I want to listen to, I’ll actually put them on in the background while I work. When I hear something that I need to hear I’ll stop working and listen to what they’re saying. So I’m not just sitting there for three hours listening to it. Everybody can do it at their own pace, but that’s something that I do.
Mitch Zahler: Finally, I would also make sure you keep up with the news about your specific business sector. Remember that the CISO is also a proponent for business units within their organizations and is asked their stance not only about security, but also about the business that they’re in.
Chris Martinez: What are some of the unique challenges of working as a security leader in fintech and financial services, especially managing partnerships with other financial institutions?
Mitch Zahler: Coming from the world of big banks most of my career, I understand my peers in those institutions and how they operate and practice security. When you’re in financial technology, the culture is usually very different compared to large institutions. So I would advise those in financial technology, if they haven’t done any work in large corporations, to listen and forge relationships with your security peers in those larger organizations. Keep in mind that they may operate in different ways, but we all have the same end goal. I truly believe that each side can learn from each other, whether it be about business or security.
Mitch Zahler: Also remember that you not only need to deal with security, but you need to be an advocate for the business. The role of the CISO has matured in many organizations to where you’re a member of the business team as well. Understanding your business and the institution you’re partnering with is important for a win-win outcome. Some people may be intimidated by the larger security teams that big financials have. Don’t be. Try to forge a partnership with those teams. You’d be surprised how many of the same issues they share with fintech organizations. There are things that are different, but a lot of things are the same.
Mitch Zahler: I think that’s a topic for an entire podcast within itself. But let me give you a few of my observations. For the most part, I believe most people rose to the occasion, and in many organizations we have a remote workforce that will probably remain remote. The security teams that helped them get to this point will have to continue to innovate and make remote work the new normal, even if the pandemic winds down.
Mitch Zahler: I’ve also spoken to peers and placed them in two groups, on first glance. The first are those that were heavily cloud-based when this began last year. The second is those that were still on LAN and on-premise systems. Each has their own unique challenges, but those that had their employees using cloud-based systems, let’s say for mail, instant messaging, and file storage, didn’t have to make as many tweaks since they already had built security into their model and weren’t that dependent on a lot of local infrastructure that was in the office. Most of it just needed high-speed access for the workforce, maybe some local controls, like firewalls, multi-factor authentication, and those types of things.
Mitch Zahler: But those that depended on local infrastructure for their employees in the office had much more to do to ensure that their employees could safely work remotely. In many organizations, I’m sure security and IT personnel didn’t sleep much those first few weeks as they had to build out more and more services, and they had to make sure that they were secure. For sure, some security vendors like those that provide multi factor authentication enjoyed increased sales during this period.
Chris Martinez: What’s one thing that you know now that you wish you’d known earlier in your career?
Mitch Zahler: Good question. Well, as I stated before, earlier in my career I didn’t factor enough of the business’s fear into my security recommendations. I remember early on in my career when IT ran the business, as opposed to the other way around, we called it the tail wagging the dog. I feel like technology was supposed to tell the business what they would be developing and the business would adapt. If I would’ve known how to better integrate with the business units that I supported, I think I probably would have had a lot less stress and probably moved security initiatives along further and faster.
Chris Martinez: What should aspiring CISOs and security leaders look for in a mentor?
Mitch Zahler: I think initially you need someone who’s passionate about security. You also want someone who’s known to be a creative thinker in the field. There are people that have multiple jobs in security and those that just have one. I remember coming up in this field that I was always tasked with three or four jobs. I used to say, this is just too much. But what it taught me was I got to be in every single department within information security. So I knew what happened in each one. I was able to be more creative because I knew how all of the different parts worked. I think if you can find somebody like that, that’s the person to look for in a mentor.
Mitch Zahler: You also want to have somebody who’s been in the front lines of security for more than 10 years. When you do something for a while you see things that aren’t in textbooks. There’s a lot of security that those of us who’ve been in the field for a while have seen, and there may not even be articles written on it. So it’s just really word of mouth to anybody that I speak to. Nobody may even ever know about it until it happens to somebody else. I think that’s important.
Mitch Zahler: Also, someone who’s willing to take time with you, because they truly want to give you advice based on their experiences. Some people say, yeah, I’ll mentor you, and you’ll speak to them maybe once a year. You want to have somebody who’s actually going to be there to talk to you. When you call them, they may not be able to take your call right away, but they’ll get back to you. They’ll make the time because they really want to mentor you.
Mitch Zahler: Also, someone who will be honest with you. You don’t want a mentor who’s going to agree with you when they think that what you’re saying is incorrect. You want somebody who’s going to say, “I hear what you’re saying, but did you think about this?” And then work out the problem with the mentor. The mentor doesn’t have to be correct a hundred percent of the time, just like you don’t have to be correct a hundred percent of the time. But you want somebody that is going to be honest with you, because in the long run you need to know if what you’re saying, or the theories that you have, or the things you’re telling the person are actually true. You want somebody who’s going to be honest.
Mitch Zahler: Finally, you want somebody who can introduce you to other security professionals who can help you in your career. We all have networks on LinkedIn, but wouldn’t it be great to have these big security CISOs who are mentoring you connect you to someone they know from X company, where they’re increasing their staff? Could they pass your resume over? There’s your foot in the door. That’s something you want to look for in a mentor as well.
Chris Martinez: In your opinion, what is the biggest challenge CISOs will face in 2021?
Mitch Zahler: Good question. There’s so many. Securing the new perimeter, which is no longer just in the office, but anywhere really in the world where you have your remote employees working. Which in turn increases the attack surface, and means that if you have people working in foreign countries, there may be some countries that are intercepting data. That means you may have to have everything encrypted. So a lot of things change when we’re now dealing with a new perimeter.
Mitch Zahler: I think also increased sophisticated attacks, including residual compromises from the SolarWinds hack, and of course the ever continuing ransomware attacks. Supply chain risks have been there for a while, and in my personal opinion, we need to pay more attention to supply chain risks. And acquiring and retaining solid security talent is going to be another challenge for 2021.
Chris Martinez: What makes you get out of bed every day as a security leader?
Mitch Zahler: It’s the excitement of not knowing what issues the day will bring. You can plan your day, but many times you get pulled into something that you didn’t plan for. It can range from newly discovered gaps through controls all the way up to a security incident. I probably could count on two hands the times when I went into the office planning to do something and actually got it done, because things just don’t happen like that in security. It’s always moving. Discovering new areas where we could also strengthen our controls and thereby reinforce our overall security posture is another reason to get up. We love doing this, and sometimes it can be an “aha” moment. Those are the things I think that get me out of bed every day.
Chris Martinez: What’s one key lesson you’ve learned over time as a CISO and as cybersecurity has evolved?
Mitch Zahler: I’d say the biggest thing that I’ve learned is make sure that executive management understands what the risks to the organization are, and that you articulate solutions in a clear and concise manner.
Chris Martinez: What’s your proudest moment as an InfoSec executive?
Mitch Zahler: We had an employee in an organization I used to work for that was being stalked via our corporate email system. The employee was extremely frightened due to the nature of the text within the emails. I directed the staff to launch an internal investigation, and we worked with law enforcement and eventually the person was arrested. The employee’s whole demeanor changed once this person was put in jail, and they were so thankful to our group. Due to the circumstances of the case, we spent many days working on it. While we didn’t stop anything like a big hack on our systems that day, we helped an employee get their life back. She was so ecstatic. That was rewarding, and I was proud of the team. It’s about using our experience to protect and give back.
Chris Martinez: What would you say is the most important article that you’ve published as a contributor to CSO Online or the other outlets you write for?
Mitch Zahler: That’s an interesting question. There are many security practitioners that write articles for our peers, which entail many great security topics. I like to focus a portion of my career on the first canon from ISACA, which says protect society, the common good, necessary public trust and confidence, and the infrastructure. To that end, for many years around tax time, I publish articles about tax fraud and how to protect against it from a cybersecurity point of view. One of the biggest challenges is conveying in non-technical terms how scammers and hackers steal millions from unsuspecting Americans each year, especially the elderly. I’ve known two people this happened to. It upset me tremendously. So I started putting these articles out. The articles always include tips to save someone’s life savings or the heartache of knowing that they lost money.
Mitch Zahler: I also wrote an article for CSO Magazine that was titled “Volunteer Your Services, Not Your Personal Information”, based on another true story that happened to me. I helped a nonprofit who had their database of volunteers hacked. There was personally identifiable information (PII) in that database and the volunteers weren’t too happy it was stolen. The article tells the story, and shares practical tips for those volunteers who want to volunteer their services to worthy causes. I had someone from the infosec industry tell me he sent the article to a few of his relatives who do volunteer work many times a year and they implemented some of the tips I wrote about. I love doing that stuff.
Mitch Zahler: I think in the overall scheme of things it’s important to move forward. It’s important for you to learn more about security every day. And just remember why we’re in this. We’re in this to protect, and not only do we protect our organizations, we’re also here to protect our fellow man. If there’s something that we can do to decrease spam and phishing, even though we’re not compensated for it, it behooves us to take care of and help other people with the tools that we’ve learned and the things that we’ve been given over our careers.
Chris Martinez: Mitch, this has been such an incredible interview. Thank you so much for taking time out to speak with us, and have a wonderful day.
Mitch Zahler: Thank you. Take care.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at firstname.lastname@example.org with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.