Podcast

CISO Insider S2E2 — Assuming good risk as a CISO with Coleen Coolidge, Part 1

by
Osakwe
Osakwe
,
June 15, 2021
On this page

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.     

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.  

Segment CISO Coleen Coolidge joins CISO Insider for a two-part chat about assuming good risk as a CISO and controlling your affect within your org. Here’s part one with Coleen.

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at marketing@nightfall.ai.

 

Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.  

Chris Martinez: Segment CISO Coleen Coolidge joins CISO Insider to talk about what she’s learned on her journey in cybersecurity. We’re talking about topics like the value of doing compliance well as an affirmation that your team is doing security the right way, approaching mergers and acquisitions as the acquirer with a learning mindset, and the bravery that’s required for CISOs to excel as good people managers and good security practitioners. We get into these ideas and a lot more in part 1 of our chat.

Chris Martinez: In our previous conversations, you mentioned you were tricked into going into security when you were managing projects in 2005. And today you're a CISO. Can you elaborate on that path?

Coleen Coolidge: My path had a lot of twists and turns and there's a ton of detail. Back in 2005, I was managing projects that were analyzing mortgage data for subprime lenders, to find things like which borrowers are more likely to default so we could reach out to them and see what kind of loss mitigation could help them get on track before they fall into trouble.

Coleen Coolidge: You can imagine there was a lot of sensitive data there and we also had no security representation on the project, and no security training whatsoever for anybody who worked on those projects. The developers didn't go through any security training. We were just sort of mildly aware that there were infosec policies and an infosec team out there. On the project, I was helping the project manager (PM). We had a developer, a QA person, and the vendor who was doing the analysis. At one point the PM started stepping out of the project meetings to take calls for other projects. He would leave me to run the meetings and then update all of the PM documentation and do all the communications.

Coleen Coolidge: This happened over about nine weeks. About halfway through we had a security person knock on the conference room door and ask to sit in and observe for a security design review. That was my very first introduction to a real live security person. My team on the project all looked panicked. I felt, the more the merrier will make this project go well. We continued our meeting. At the end of it, the security person asked to see the product documentation. He looked very concerned as he read it and kept highlighting sections as he read. For me, never talking to a security person and having no security background and then this person comes out of the blue and starts marking stuff up, it was scary.

Coleen Coolidge: Once he was done reviewing the documentation he came to us and he said, “I don't want to say to my director of security that this project is not being run well because you don't have security representation, but what do we do about this?” He saw that the way we were sending files and leaving them on the server for too long wasn’t good. He asked if our vendor went through the proper procedures. When we said that yes, the vendor went through procurement, he told us that procurement doesn't include a security review. What we found through him looking at our information was that this was representative of every single project: security was being left out at the procurement side, and nobody was really being trained in security basics and security principles. Our developers and QA people needed that training.

Coleen Coolidge: We didn’t have a sense of a checklist or references. It was clear that we were going to do a really bad job in that case and I'm glad that he marked those things up. Because if you think about it, if that was your mortgage data, would you want zero security representation on that project? I told the security person that this was my first project that I was running alone and I was happy to fix these things together.

Coleen Coolidge: He took me through each section of the documentation to revise the template and include the security activity that needed to happen. We fixed every single area that was a concern for him. I asked our procurement person to add a third party security review to this process. They said, it’s not even my job to talk about this. I insisted that we needed this for better security, so we had to figure out how to have this in the procurement checklist. From the network security side to the way the code was being developed, we made sure to add those security activities. 

Coleen Coolidge: The QA person and the developer said to me that every time you introduce a security person onto a project, they slow it down. Their job is to say no or get in the way. They asked me to change the meeting information like the date, the day, and the conference room for the meeting and leave him out of it. I insisted no, because we were almost three quarters of the way done. We needed to get this done right and get his approval. I tried to appeal to them: if it were your mortgage data, wouldn't you want it to be handled the right way? They finally agreed, and eventually the project concluded. At the very last meeting the security person had with us, he told us our team went from an F minus to an A minus. That was a huge improvement. And then we found out that among all the projects he was auditing, ours was the one and only project that did so well.

Coleen Coolidge: I took that template into the future and thought I’d never have to see that auditor guy again. And then I saw his name at a reorg at another company where I worked. His name was at the top of a security department on the new org chart. He was the director of security now. He took the stage to tell us the company was hiring like crazy, and you'll never go hungry again if you are a security person. 

Coleen Coolidge: Right after that meeting, he asked me if I’d like to work on his team. I said no, nobody likes this field. He asked me where managing projects was going to take me. He told me that anyone can manage projects, but not everyone can do security. He saw the way I helped transform the product we worked on together when we first met into something that was good in the end. He saw that as the kind of transformation the org needed.

Coleen Coolidge: He asked me to think about it, and give it a try for one year. He promised to point me in the right direction and get me the training I needed. After that, if I decided I hated it, I could always go back to managing projects. I went for it. I was early enough in my career that I could pivot. He put me through a week of SANS training: Unix security, Windows security, network security, cryptography, the standard with the lab, and the test. Many of these topics were things that I had really never dealt with before. And they went quite deep, which I wasn't necessarily ready for. To reinforce this training and get a sense of what was out there with security, he would drop me into different teams for short term projects. For example, the network security folks at the time were really getting into forensics using EnCase and found some weirdness with the loans. That’s how I learned EnCase, how to maintain chain of custody, how to do the collection of evidence, and how to do the searches. I'd essentially just go group by group, jump in and help with all of the grunt work they needed, like documentation or reviews.

Coleen Coolidge: For the other side of network security, they handed me this green pager. It meant I was on call and I needed to respond with the correct procedures. I had to look at the alerts coming in from the firewall and the IPS. Being a beginner and thrown in at the bottom of each of these stacks was not fun. There were days that I went home crying and thinking it was the worst thing ever. Why would anybody sign up for this job?

Coleen Coolidge: But it taught me the basics of what it's like to be on each of these teams. I don't have a developer background. But these teams would ask if I could threat model, follow directions, and have other people follow directions. And yes, I have that background. So I was able to do a threat model for applications on their teams. I found that it wasn't as terrible as I thought. One of the best things about going from app security to network security to desktop security, I found the most gracious group of internal customers I ever came across was the developers. 

Coleen Coolidge: I told them right away, I don't have the same background that you do. The background I have is security. And even then I've only been doing it a short time, but here's what I know. The developers were extremely helpful to me with decomposing their application, seeing where are the inputs and the outputs, and understanding who would care about attacking this [and] what is the most valuable piece of this. Seeing the look of discovery on their faces, I don't think anybody had ever sat with them before and asked them to look at their application and features the way that an attacker would. They’d always looked at it as if they're a user and wanted to get the most out of everything. 

Coleen Coolidge: I was the one asking: “What if you have a user who's bad? How would any of these protections change?” I would say it was mutually beneficial. My boss wanted me to gain experience in every single area. He even had me do a stint with the physical security, so I sat with the building security folks. I was up for anything that he could think of. He’d put me on an upcoming audit for review work and help write the management response. I think I got the full buffet table of what it was like to work in security. 

Coleen Coolidge: At the end of that first year, he said I’d learned so much like working on EnCase, writing policies, helping us pass audits, working on the IDS, revamping network documentation, and helping developers. He asked if I really wanted to go back to just managing projects? I think he knew the answer was no. Even though I had started at the very bottom and honestly, still was at the bottom then, there was just so much richness in the broad field of security that there's no way that I could go back.

Chris Martinez: You mentioned that compliance really speaks to you. Can you tell us about how that's become more important to you in your career?

Coleen Coolidge: There were different areas of security that I thought were more fun and more effective. I did not necessarily think that about governance, risk, and compliance (GRC). Looking back on it, I was young. I didn't know what I was talking about. But part of it was because of the way that everyone in security that I worked with back then. They treated compliance as a really boring but required checkbox exercise. There's a long list of things that you need to say that you do. You need to be able to prove that you do it. 

Coleen Coolidge: I always asked, what does this actually mean? If it's written down here, surely it's meant to actually protect someone or something. And sometimes security people look at me and put their hands up like, if we don't do it, we're going to fail, so let's just figure out a way to write it down so it looks right. And that never sat well with me. Because if we're going through the effort of not only writing these things down, but then putting the people in the organization through these exercises, they should have a real purpose.

Coleen Coolidge: If they're not making employee data, customer data safer, or our operations safer, why are we doing it? It took a really long time before I found people who were able to really articulate the value of doing compliance, and that piece of security really well. If your security program is complete and it is effective, then you almost get compliance for free. It should be an attestation that you are working on the right things and you're not just having people go through the motions, but you're actually reducing risk in the area that you mean to reduce it. I feel like that's not something that I really understood when I was first airdropped into a SAS 70 situation to fix.

Coleen Coolidge: Today, that realization has stayed with me. The person that I brought on to be the director of GRC is really good. I would say that I call him the Elon Musk of GRC, in the best way possible. And what that means is that he understands the point of these 350 or so things that we have to write down. He understands what they're trying to protect, but he’s not married to one way of doing it. Do we have to use spreadsheets? No. Do we have to do things that feel like they have zero value and they just take up a lot of manual time? No. He would define the actual goal that we're trying to achieve and work with the team to get there.

Coleen Coolidge: For example with something like change control, before we had these modern environments, a lot of people who've worked in the old environments might dial into a bridge line once or twice a week. There was this giant spreadsheet of changes that people in the org wanted to make. So everyone was blocking one another. If you're there representing your change and someone else is representing their change, but they don't want you to make a possibly breaking change to their area, you would pitch your change and then someone else would ask a lot of questions. So we would all propose changes and very few changes would get approved. We would do these dangerous changes on Saturday night at 10:00 PM, which was such a huge inconvenience.

Coleen Coolidge: I'd never really looked at change management as something that was well done. I understand why we need to do change management, but I never understood how we could do it right. Fast forward to today, our director of GRC worked really closely with the technical teams and explained the purpose of change management. We're trying to make sure that we don't introduce changes to the production environment that could hurt our customers. And that could be anything from messed up business logic because of the wrong kind of testing or someone pushed a malicious change that could cause a flaw. The director of GRC sat with these folks and asked questions like, “What is it that you want to protect? Where does the information live?”

Coleen Coolidge: He was able to help identify critical repos. Once the critical repos have been identified, you have to understand who owns them. What's the process you want to follow? And be able to standardize on the process that we want to follow and then work with the technical teams to come up with the technical solution. If you're trying to push a change on one of those critical repos, you need to make sure that you have testing. What does testing look like? You need to make sure you have approval. What does approval look like? They went through several iterations, and they ended up thinking that it's not that it's impossible to make an allowed change, but it's very difficult because there are these guide rails in place to remind you that making proper changes to that repo requires those changes to be tested and approved by the right person.


Coleen Coolidge: Before we would have alerts go off when a person did something wrong and it would pull them into a Slack room to notify the user that made the changes that they needed to go fix it. This all happened after you pushed the change and after you created the mistake. Now, all alerting happens before, in a “are you sure?” way. At the same time, it prevents these mistakes from happening, but it also educates people on a process. I just think that if compliance is thought of in the right way, it can actually be a big saving grace. And it's an affirmation that you're doing security the right way.

Chris Martinez: I would like to address the elephant in the room with your time at Segment and Twilio. How do you effectively manage through mergers and eventually blended teams?

Coleen Coolidge: I don't think I have a complete answer for you, but I can tell you where I started. In my earlier days in security, I'd definitely been on the acquirer side. And so what I learned on that acquirer side, because depending on who we acquired, each company was very different, their culture was super different. I think the mistake that I made when I was very young was this is what the mothership my company wants you to know and wants you to do. Let's make sure you do it as soon as you can.

Coleen Coolidge: That was just a few years into my security career. I was really just following those instructions from the mothership. What I found was as an acquirer, you have a lot to learn from these acquired companies. There are things in every organization, specifically on the security side, that you're not doing extremely well. You might have a policy for it. You might have a process that’s not at the maturity level that you want. I think one of the things that all acquirers think is we’re mothership and we bought you. Just do what we say. 

Coleen Coolidge: This can be really annoying to people in the acquired org. That is definitely the wrong approach for the acquirer. I learned relatively early on that as I was teaching things like, this is how we do security in our software development life cycle, or let's go through the different types of security policies that we have that are different from yours, or let's do a compare and contrast. When you work with the security folks on the other side, they could know as much as you or maybe even more, and in some ways their security could be better than yours. I think it's wrong to approach it like, we are the Borg and you will comply. I think it's better to treat an acquisition as an opportunity to build a superior hybrid model.

Coleen Coolidge: You have to figure out what that is and be honest about it. If there's something that the acquired company is doing really well, that's awesome. You need to figure out how to evolve and become that tertiary thing. I definitely softened my approach over time and looked at mergers and acquisitions on the security side as, do they meet the spirit of this policy? What is this policy that we have trying to defend against, or trying to promote? Are there things that they're already doing that are working? And then what can we spruce up? Then fill in the areas where they have gaps instead of trying to completely remodel everything that they have. Is there something they have that we don't have at all, or we just do poorly that we could copy and paste and start using?

Coleen Coolidge: Now that I’m on the acquired side, we're going through that process right now. There's a sense of “who wore it best” and with that you can see which personality comes out on top. Which ego is getting in the way of this? This is all natural, normal human interaction. I think one important takeaway for people going through a merger and acquisition is that you are largely merging people. And when you merge people, there's a huge cultural component. People have feelings and fears. They want to be acknowledged and you can't atom smash them together. Otherwise, a bunch of people will quit.

Coleen Coolidge: I'm happy to say that in the old days, one of the most important things for us was to preserve the people that were there. We wanted to make sure that the good people who are doing good work would continue to do so in a larger organization. So making sure that they have a path forward in their career, that they're listened to, that their advice is actually welcomed and implemented instead of saying, that'll never work. I think that it's human nature, especially on the acquirer sidem to push back and say, “You can't tell me what to do. You couldn't possibly know.” I think that it's a good message for everybody, to get over that. If you have the good fortune of meeting new security people and adding to your security community, you should welcome them with open arms.

Coleen Coolidge: On the Segment side, that is definitely the way that we look at it. We love our security community. We can't wait to make our acquaintance known to more people. And we can't wait to invite more people. That's the attitude that we take when we approach a situation like this. But as I mentioned, we're still relatively early into this integration. I think the companies are trying to be very thoughtful about how things land. I think that there's definitely an effort to try a best of both worlds approach.

Chris Martinez: What are the top two things you've learned from your team over the last year?

Coleen Coolidge: My team teaches me things every day, so it's pretty hard for me to roll it up into a couple of things. I'll try to bundle it into a couple of spots here. One, this is the best set of security GRC and IT folks I've ever had the pleasure of working with. And when you have a lot of A players on the team, they create this virtuous circle effect. Everyone nearby gets pulled into this whirlwind where things just get better and better. Everyone gets better, including people like me. I've never considered myself really an A-player. I feel like I'm a very solid B player. My work with them is supporting them in their endeavors and helping to unblock them when there are issues. I feel like I'm getting better just by working with them because of the level of excellence they have every day. That's something that I can't emphasize enough.

Coleen Coolidge: I really encourage people to hire the very best security GRC and IT people you possibly can. It's worth it. They always show you what that next level of even better looks like. Most CISOs would be happy with a good three to five year roadmap that has gradually increasing levels of maturity and increasing levels of good security. That's great, but they're never happy to rest on their laurels. They want to one up even themselves. 

Coleen Coolidge: The way that these A players step up and get it done, it raises the bar. They don't rest until it's done right. Then they keep double checking and seeing what else could I do? How else could I raise the bar? It can be a bit tiring to keep up with them if I'm honest with you, but I'd rather expend my energy chasing after people who are really this good. This is a great way to spend my time and energy. I look forward to the next couple of years, with what levels we're going to achieve on top of what we've already achieved. And I'm really honored and humbled to work with them every day of the year.

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That's Nightfall AI, and email us at marketing@nightfall.ai with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you'd like to hear from. Stay safe out there and we'll see you again next time. 

Part two of our episode with Segment CISO Coleen Coolidge is coming June 23. And stay tuned for the rest of our season 2 lineup. You won’t want to miss this!