Q&A with Chief Information Security Officer Chris Vaughn
As team collaboration evolves from simple chat into a digital workplace hub – integrating chat, calling, video conferencing, documents, and application data – CISO’s, cybersecurity personnel, and risk management professionals are wondering how to protect information contained within these environments. The reality is collaboration security chaos already plagues far too many organizations. Helping lead Unify Square’s collaboration security set of initiatives bolstered by our industry-leading workstream collaboration software tools is Unify Square’s own Chief Information Security Officer (CISO), Chris Vaughn.
Chris has over 20 years of experience building enterprise information security programs, holding positions at premier organizations including Nestlé and the Bill & Melinda Gates Foundation.
Q: How and why did you end up as a Chief Information Security Officer (CISO)?
A: When I got started in InfoSec, outside of the government and mainframe computing, information security was very immature as a discipline. Corporations were not even connected to the internet yet. I was always interested in information security, and I was lucky enough to be working at Ralston Purina, a Fortune 500 company, when they started talking about connecting to the internet. When Purina began to build a real InfoSec program and hired their first InfoSec leader (what we would call a CISO today), my dev-ops background blended nicely with his mainframe background, and I was recruited to be his deputy. I had the opportunity to learn and study under him, and it has been onward and upward ever since.
Q: What was it about the opportunity to go into the Ralston Purina InfoSec team that attracted you. Was it them recruiting you because of a particular skill set you had or you looking for a fresh opportunity?
A: Both. When I was in grad school, I started researching about this “new” information security field. I developed this interest in technology and how it could be used to do things that it was not intended to do. Based on that, I did a lot of studying and learning on my own. During my time at Ralston Purina, I had the opportunity to build an information program from the technical side. It was just the CISO, myself as the lead architect, and a couple of user administrators. So, as a small team I had the ability to be a significant contributor to the program build-out. I knew that this was going to be a growing field, and I wanted to be at the forefront of it.
Q: What does your role entail as CISO at Unify Square?
A: I would describe my role as very much focused on enabling the business. When I started in the InfoSec space, I was an information security purist; I felt that there was a right way to do things…and a wrong way. Full stop. Over the years, I have come to appreciate the notion of a risk management scale, and the balanced science PLUS art of the job. The important thing is to understand that without the business, there is no need for the information security team. InfoSec exists to enable the business. We help to identify risks and the risk owners, to educate those owners on the options, and ultimately empower them to make the best decision for the organization. This makes organizational knowledge and effective relationship building an extremely critical part of the CISO’s job. The focus is both internal – for example working with the product group on the design of new features, or the legal and finance teams on contracts; but also external – for example working with our Unify Square customers to help explain our information security program, and to gather their security-related feedback to feed back into our product and services development process.
Q: Do you have a philosophy about how to approach accepting risk?
A: One of the essential things about information security is you have to hold a high bar of doing the right thing even when it is not comfortable, or you feel like it is the wrong decision for the business. It is not the job of information security to stop a company from doing something. It is our job to identify risk and educate decision-makers on the risk. Rather than measuring success by “Did they do what I thought they should do,” a better measure is “Did I give the right information to the right person and help them make an informed decision?” Rather than thinking about the CISO being the “Office of No,” I believe in the philosophy of empowering businesses to take risks with confidence.
Q: What mistakes have you learned from while working as a CISO?
A: In my younger days, it took me some time to learn not to get frustrated when the organization made an InfoSec step in what I deemed to be an ill-advised direction. This would happen because I was thinking about the issue purely from an information security orientation, and they were thinking about it from the standpoint of the business. I think that’s part of what causes a lot of friction to this day between information security and other parts of the organization. There is not a lot of understanding on what each group is trying to achieve. I love the saying that “Nobody is the villain in their own movie,” meaning that no one thinks of themselves as actively playing the part of the bad guy. Nevertheless, oftentimes both InfoSec and/or the end-users are inadvertently cast into the villainous role. When information security comes raises concerns over an initiative, sometimes people think that “you don’t understand what I do.” It can be quite challenging for both sides (IT/InfoSec vs. “the business”) to understand each other’s intent.
Q: Why is the relationship between information security and business different at Unify Square?
A: It’s all about trust. At Unify Square, I work hard to ensure that information security is supporting our business in a full 360o manner — customer, product group, marketing, sales, etc. It is definitely not a simple execution maneuver, but I think if more organizations were able to take this approach, there would be more cohesive and synergistic connections between information security and IT, which, would in turn lead towards weaving InfoSec methodology more strategically throughout the entirety of an organization.
An organization is defined by people and the culture that is created by those people. I could say that Unify Square is primarily a product company. We make software, and because we do that, naturally, information security is a core part of that. I could say that, but that would not be true. I have many InfoSec peers who work in software companies, but who’s InfoSec contributions are detached from the actual business. The InfoSec work occurring at Unify Square is embraced by the Unify Square leadership team and is aimed squarely at giving our customers the security that they expect and deserve. Again, it’s all about trust.
Q: What do you do in your free time?
A: What free time? Seriously though, in my true free time, I spend a lot of it with my family or playing guitar in a rock cover band.
Q: What makes you passionate about security?
A: Security has been an underserved and generally undervalued area. This does not mean that there are not a lot of people working on it, but it’s definitely a function that is still maturing. This means that you have a wide range of people with varying ideas and capabilities. I’ve been in this business long enough to see patterns repeating as we’ve moved from client-server to web to cloud. There is a real opportunity to improve the understanding of information security within organizations and equally to educate people coming into the InfoSec field about how to be effective. I am at the point in my career where I have the opportunity to help with that and to contribute meaningfully to the future of the information security practice.
Q: What’s the #1 piece of security-related advice that you would like to pass on to Unify Square customers?
A: Two tidbits of “wisdom.” First, take someone from your information security team to lunch. Spend time with them to understand their role in the organization and the procurement process from their perspective. At the same time, take the opportunity to share with them what you do and how your team fits into the overall organization. Remember – it’s all about trust – and building strong relationships help with that a great deal.
Second, when you are evaluating vendors, thoroughly assess their security credentials, experience, and certifications. Bringing in new applications and third-party service providers introduce a level of unknown risks to your organization. Taking the time to vet that your vendors have a good information security program in place can go a long way toward reducing or even eliminating risk down the road.
As an example, and to make a quick and obvious plug for Unify Square, our PowerSuite software and PowerSuite Cloud Managed Services are ISO 27001 certified. We are now going into our third year of full certification, and two unique aspects of this certification make it not at all easy to achieve and maintain. First, ISO certification requires an annual, extremely comprehensive external audit of the information security program. Second, every year that the certification is renewed requires the company to show that continuous InfoSec improvements and enhancements are being made. That is, the program is not stagnating or treading water, it’s actually getting demonstrably and measurably better year over year.
Q: How do you clear the security product clutter and select the right product for internal Unify Square needs?
A: There are definitely a lot of vendors to choose from, and everyone says that they have the right solution for us! One of the biggest challenges stems from the fact that most companies today are “in the cloud,” but they are not all in the cloud. There is still quite often some amount of the service or technology this is running in an on-premises network. One of the things that I have found challenging in my role is trying to keep the information security program aligned across the on-prem and cloud worlds, and sometimes that has required multiple solutions. Hence, one key aspect I evaluate my vendors on is how/if they can help me to navigate the hybrid landscape.
Q: What is it about the workstream collaboration niche, that makes it extra risky for businesses?
A: The paradox is that Workstream Collaboration is positioned as an open model to align with the communication patterns of the younger digital generation. While this model of empowerment appeals to digital information workers, it simultaneously concerns information security teams because traditional security measures aren’t equipped to deal with information sharing that effectively dissolves any notion of an organizational perimeter. For example, what if an intern adds an external guest user to a team, not knowing a sub-channel mentions confidential product pricing details? Our PowerSuite software specifically targets these sorts of collaboration security loopholes to zero in on this modern security perimeter that starts and ends with the end-user.
Q: What’s the most exciting part of the PowerSuite Collaboration Security initiative and associated technologies?
A: We’re trying to shift the way that IT manages collaboration platforms from the traditional command and control motif to more of a trust but verify approach. We can’t just go telling people no without a good reason — but if IT can find the data/evidence to show “why” there’s a problem, then you build consensus from the bottom up. Certainly, there will always be a minimum level of “common sense” policies that get put in place. However, extending from there, we have implemented a 3M (monitor, measure, and then manage) approach, which allows for experimentation, but not at the expense of good risk management practices.
Q: As the Unify Square customer base broadens from Skype for Business and Microsoft Teams to also include the Zoom, Slack, and Workplace by Facebook platforms, how has that changed the type of security challenges that you need to work with customers on?
A: The challenge of defining clear and actionable collaboration security policies is hard enough with just a single app platform such as Microsoft Teams. However, the complexity is compounded by multiple factors with this workstream collaboration space for a couple of key reasons. First, more often than not, an app like Slack is not introduced by IT, but by various end-users or teams. As such the governance approach for the category may not yet exist and needs to be implemented from scratch. Gaining acceptance from the ground up and understanding for the need for the new policies can be onerous in this cloud-based world. Second, we know that the typical enterprise often has over two different collaboration platforms in active use. The challenges of lifecycle management for policies are magnified when working cross-platform. In particular, identifying an easy way to have policies pushed down from a central repository source so that they are applied and run across all the different platforms from heterogeneous workstream collaboration platform vendors can be extremely challenging. Luckily this is an area where our PowerSuite software excels!
To learn about Unify Square’s collaboration security efforts, listen in to Chris Vaughn and Alan Shen discuss the best practices for collaboration security, or click here to see Unify Square’s unique collaboration security solution.