The State of Security Leadership
Censys CEO Brad Brooks on the Responsibilities - and Feelings - of CISOs
Steve King (@sking1145) • September 12, 2023 • 32 Minutes
In a year marked by vulnerabilities being found in the world's most widely used software, the results of the 2023 State of Cybersecurity Leadership Report by Censys are not surprising: 93% of surveyed organizations with over 5,000 employees said they had experienced a successful cyberattack in the past year. Of that group, 53% said they had experienced two or more successful attacks.
Censys CEO Brad Brooks said the "disease" of cyberattacks cannot be cured, but it can be managed. And CISOs are the people responsible for that management.
"There is no role out there more stressful than the CISO role," Brooks said. He said CISOs need to share information about breaches, get the right tools to detect and prevent attacks, and have a mindset that helps them handle the stress of the job.
In this episode of CyberEd.io's podcast series "Cybersecurity Insights," Brooks discussed:
- How the burdens of potential personal liability and fiduciary responsibility for a breach weigh on CISOs and influence their decisions about whether to disclose or bury breaches;
- How marketers of cybersecurity tools can get the attention of CISOs by emphasizing the core value of the product rather than its features;
- How tools that help achieve provable, shareable results can help CISOs relieve their anxiety and increase their confidence in doing their jobs well.
Brooks has over 25 years of experience in technology. Prior to Censys, he served as the president and CEO at OneLogin, where he led the team to a successful acquisition by One Identity in October 2021. He also served as marketing head at DocuSign and as CMO at Juniper Networks and held roles at Microsoft and Enron.
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to Cybersecurity Insights, the podcast for the CyberEd.io learning community. Our goal is to bring cybersecurity practitioners the latest and most relevant education and training to upskill and dive deeper into topics that matter in today's modern cybersecurity world.
Steve King: Good day, everyone. This is Steve King. I'm the director at CyberEd.io. This podcast today is featuring Brad Brooks, the CEO of Censys, who is a market leader in the attack surface management space. Prior to this assignment, Brad was CEO of OneLogin for approximately five years and then spent three years as a marketing head at DocuSign. And prior to that he served as the chief marketing officer at Juniper Networks for four years. All in all, Brad has over 25 years of experience in technology, encompassing consumer and business applications, which included nine years at Microsoft running both the consumer and commercial Windows product business unit, and two years at Enron as the general manager. Welcome, Brad, it's great to have you on the show.
Brad Brooks: Well, thank you, Steve.
King: Tell our audience a bit about Censys and any parts of your background that I may have missed?
Brooks: Well, starting with Censys, it's a company that's been around since the 2017 timeframe. It started out as a doctoral program, a graduate program, by five individuals at the University of Michigan, of which the founder was the writer of the ZMap code set. So if you know the ZMap tool around scanning engines, he was the original author who created the basis for the company. And it's kind of gone from there. Since that timeframe, we do two things. We do what you talked about, attack surface management; we also do a set of data for threat hunting, allowing customers as well as government agencies to go out there and find threats on the worldwide internet.
King: Well, it's great. You also published a 2023 State of Security Leadership report recently. What were the key takeaways from your point of view as part of your observations there?
Brooks: Yes, we did publish that. And there are a couple of things. Number one, I think, with all of these types of surveys, is that a lot of times the most interesting stuff can be found at the edges of the numbers. And one that stands out immediately when you look at the data is the first thing, which is 93%. So let me back up a minute: these are companies that have employee sizes of 5,000 or more. So these are not necessarily small companies. And there were several hundred included in the survey from the United States, Western Europe, Australia, etc. And getting back to the edges of the numbers, 93% of the survey respondents said that there was a successful attack on their infrastructure in the last year. 93%, just think about that percentage. And the key word here is successful attack, which means somebody got in - across all of these companies. I mean, these are not small companies. These are the ones that have staffs, tools, etc. The other interesting thing about that is, if you drill a little bit more into that number, 53% said that a successful attack happened two or more times in the last year. So it just goes to the level, the pace, the sophistication of these attacks, and what's happening to these customers right now.
King: Yeah, that raises the question that I wake up every day thinking about, which is what are we going to do? I hate to put it that way, and I'm not a pessimist, but the weight of the opposition, if you will, feels like it increases every day. And if you look at MOVEit and what went on with that, and what is going on with Microsoft and Azure AD, it's just a slew of vulnerabilities, and they keep coming out of the woodwork every day. We're talking about the most widely used software product on the planet. It feels to me like no one cares. To me, this is like a global government kind of a problem that needs to be addressed. And it just isn't happening. So what do we do?
Brooks: Well, I think you hit on several things there. Number one is, and I will bring it all back round in the end to what do we do. But first off, you spoke about the consistency or the pace of these exploits. MOVEit, we were just working with our U.S. government customers about identifying the federal agencies that were impacted by that. We put out a report right after that happened, locating several thousand different instances of compromised MOVEit installations across the globe and the specific companies that were having it. To your point, when one of these happens, it happens on a big scale. And, yes, we've got a lot of legacy code out there that was written years ago, and all code is written by human beings, and therefore it's going to have mistakes, and eventually somebody's going to find them. And I think the first thing is to think about this as if this is a disease of the internet; it is not a disease that is going to be cured. It's a disease that's going to be managed. And the question, like with all of these things, is how well are you doing at managing it? And what's your mindset in terms of going out there and managing it? And that's what you see also in the respondents of this survey that we did, which is whether the leadership feels like they're equipped with the tools, they're equipped with a budget, they're equipped with the right people, and that they're equipped with the right mental mindset, when you think about it, when you're under siege, again. I've got to use the analogy of a disease: when you're trying to find a cure for it and get into a managed state, the mental state is maybe the most important. That goes to these organizations that can't find the talent. They're constantly under attack. And it's showing up in terms of their mental health as well. So getting to your question, how do we solve it? First and foremost, we've got to come up with some more common practices; it is only solved by a community.
And it'll only be resolved by us working together. And some of these enforcement actions that have happened, where we're going after CISOs because of how they've reported certain things, I don't think are actually helpful toward getting the information out. The first thing is, you've got to share this information. The community needs to share with one another. When an exploit is happening, when something new is happening, where you can see these things happening, you've got to spread the word. And so anything that detracts from that, either from a regulatory standpoint or an enforcement standpoint, I don't think is helpful. The second thing is that you've got to have the right tools, and that's why we placed a lot of emphasis in the last 10 years around putting access management controls in and thinking about zero trust. Treating the immediate symptoms rather than going after some of the more underlying causes. And that's where new tools - like the tools Censys provides - come in, which is giving more visibility. You can't fix, you can't go after, you can't remediate, if you don't know that it exists, if you don't know that a certain thing is in your environment because of shadow IT sprawl, where you don't know that an old marketing server that was held for an event three years ago is still connecting back into your environment and giving an exposure point. If you don't know that a Bitbucket that you just set up on Amazon is configured wrong and is now exposing a bunch of PII information, you can't do anything about it. And so this new wave of tools and investment that's coming in, around the VC community, around giving that visibility, is absolutely critical for folks to be able to go after it. And I also think that AI is going to play both a benefit and a curse here. These AI tools will be used by the bad guys to immediately label and find vulnerabilities quicker. They'll be able to go after these vulnerabilities faster.
But taking these same types of tools and automating responses, at least at the basic levels around an exposure - hey, I see a server, it's got this particular type of issue - automatically taking it offline or putting access controls around it immediately before anything else happens. And you can do that in an automated way. I think that these generative predictive models are going to be very helpful in terms of machine learning and helping assist these understaffed teams to go after these vulnerabilities. So, it comes down to, number one, don't think of it as a problem that can ever be completely solved. Think about it as something that needs to be managed. Think about it from a mindset that I can get on top of this with the right sets of tools, and then think about it as: do I have the visibility? Do I see everything that's happening? Do I have a good perimeter set up so I can see the attacks as they occur? And then have I optimized my infrastructure using automation tools, machine learning, and others to automate the response as much as possible, because things are just going to be coming at me so quickly?
King: All of that makes sense. I guess that my view is we have a CISO community that isn't as equipped as they might be to deal with the kind of changes that you just alluded to, and we're talking about, and generative AI is the obvious one. So I've got 450 clients who are the top cybersecurity vendors in the space. And we're constantly doing survey work for them. And we've got a huge network of CISOs that we communicate with all the time, but every time you talk to them, I always walk away thinking, well, if you know that company X solves this problem, why haven't you implemented that? You must have, as well, you've been in this space a long time. If you can't figure out that you need attack surface visibility, it's hard for me to even make eye contact with somebody saying, I'm not interested in that. It's like, and why is that? How can you not be interested? You know what I mean?
Brooks: Yeah, I completely get it. And I guess I'm part of the gray area, Steve, in that you either get frustrated with the human condition, or you understand what it means to be human. And understand that sometimes you get overwhelmed. And you'd say, but hey, wait a second, you're supposed to be professional, and you're supposed to be the person in charge, you're supposed to be doing these basic activities. But I think again, it gets to, like I said, some of the data points in the survey around mental health, which is that well over 70% of the respondents are already highly concerned about the mental state of their teams, as well as themselves individually. And people just do funky things under stress. It's just that condition. And there is no more stressful role out there right now than the CISO role. It used to be the CMO. And the CMO had the distinction, as part of the executive leadership team, of having the shortest tenure of any member of the executive leadership team. And CISOs still, for the most part, don't rise to the executive leadership team level in a lot of companies, but when they do, their tenure is even less than the CMO's now. And again, it goes to the stress of the job, and just all of the impossibility. You don't have visibility; you don't know what you're trying to defend against. But at the same time, how do I get there? How do I find these tools? That's the question that they're all asking.
King: Yeah, of course, and then the Joe Sullivan verdict. And you alluded to that. It not only didn't help, but it hurt significantly. And I hope he wins on appeal. But it felt to me like a vindictive legal event that was staged by the FTC for some purpose, and I don't know what it is, but somebody up there doesn't understand the ramifications.
Brooks: So it's going to stop best practices sharing; it's going to stop sharing with the officials; it's going to stop sharing with enforcement agencies - it just does not help to do it.
King: Right. And then if I offer you half a million bucks to go be the CISO at XYZ and tell you that you have personal liability, or a fiduciary duty like a board member. If I were the candidate, I'd be like, yeah, I don't think so.
Brooks: Yeah, I don't need that personal risk in my life. It's just not worth it based on the state of the condition.
King: I mean, going to jail for Company X for doing what you thought was the right thing, and that's what I believe Joe did. It makes no sense to me at all; you're using the wrong incentives and the wrong motivations, but it is a reality. I know a lot of folks, and I was a CISO for six years for one of the world's largest banks. And back then, and that was like seven years ago, it was much easier than today because things didn't move as fast. So if a new technology came over the horizon, it came very slowly, relatively speaking. And so today, it changes every day: the threat landscape changes, the profiles change, the technology - both to defend and to discover, and to get visibility - all of that changes. And so I don't know how you can possibly have time to do the job any longer. I run the education division here. We talk to companies all the time about things like, why aren't you doing this? It makes it very tough.
Brooks: It makes it very tough. And we talked about the number of successful attacks in that data point a little bit earlier. And the point about those successful attacks is they are going to run into a monetary value and maybe rise to the level of materiality, and therefore rise to the level of the board and a board decision. And the question is, is it material? The next thing is, do I disclose it? If I disclose it, do I have to disclose it to the SEC, as well as the FTC and others? Or do I want to keep it buried? And do I try to push it under that minimum threshold of what's a material disclosure? And the CISOs are involved in these conversations now, and they're being pulled into it. And to your point, hey, do I want that job at any price, now that I'm basically dealing with some of these matters at this level that I haven't been trained for before, or the compensation system to overcome that risk is just not there? And therefore, I want to be hands up; there's only so much that I want to know. And that's part of this problem that you talked about, Steve, which is, sometimes you get frustrated with, hey, the tools are out there, and you're not even trying to engage with tools and put them in place. But there's also the, shoot, do I want to know what I don't know, because if I find out about it, do I have the capability to handle the response to it? And then if I don't, does that put me at personal risk? And so it is quite a conundrum. I feel for the CISOs. I do. And the other thing, too, is let's face it, the cybersecurity industry over the last 20 years does not have the best track record either; there's been a lot of snake oil that came out through the years in terms of providing protections that were not provable or didn't exist in the right way, or stuff that was sold too early, that wasn't providing the level of protections that customers thought, and they got better over time, certainly, but it wasn't quite there.
And I think for all of these reasons, if you're a CISO, you're cynical, you're hyper-vigilant, you've got a high IQ, you've got an understaffed team. Budgets are coming your way. That's the good thing. Data continues to prove that, and budgets are shrinking. But you also have to have a mindset, again, I'll go back to that word, a mindset, where you get the confidence that you can go do this. It's almost one of those things where if somebody feels completely confident about doing this job these days, you've got to question whether they belong in the job.
King: Which part of this don't you understand?
Brooks: Yeah, exactly.
King: So as we're talking about CISOs, you've been in marketing a long time, and particularly in cybersecurity. What's your take on the current state of cybersecurity messaging, from a vendor kind of point of view? What do you think CISOs want to hear, and how do you get their attention from a positioning and messaging point of view?
Brooks: Yeah, I think first off, this is my comment in general, but certainly in cybersecurity: there is still too much of a focus on the features, speeds and feeds conversation, which is XYZ. And the reality is that the CISO doesn't need XYZ. What they need is for it to do specifically what they're asking it to. They need it to do it in a way that's provable. And they need it to do it in a way that they could then share that outcome at the senior or board level. And still not enough products do that. There are a lot of products that focus on the practitioners, the daily users, which is fine, but then elevating the, hey, I stopped that attack, or I gained that visibility, and actually being able to prove that with the product and prove that in the messaging, and actually explain that at a value level, rather than doing it faster, cheaper, smarter, etc. Faster, cheaper, smarter will happen the next day. It's kind of table stakes. But the messaging needs to elevate to: how do I give you some relief of that anxiety around the role? How do I build some of that confidence? But more importantly, how do I prove it to you? And how do I allow you to prove it to your board, your CFO, etc., as you're going into those budget conversations and saying, this is why I need this product to do this. And that's where, again, I think a lot of our messaging, if you look across cybersecurity, does not go to the value; it goes to the feature value proposition. And maybe sometimes it's the economic value proposition, but it doesn't go to the core value of what they're getting out of it. And at the end of the day, we've just spent 25 minutes talking about emotions and the feelings that you get in these leadership positions; if you get a product that can actually give a message to you that you are going to feel more confident, and you're going to feel more qualified in your role because it is doing what it says it does and proves it,
you're going to have a winning product that CISOs are going to keep calling up and asking you more about. This is also a tight community: once they find a product that works, they're going to be sharing it with all their friends, and it's going to move very quickly.
King: Yeah, exactly. So I'm always amazed at why it is that so many marketing folks don't kind of get that. Because I don't know how it happens, but you look at it. Look at them. And what I mean is, I don't know, internally at Company X, how that manifests itself exactly. But you look at the messaging that comes out of 80%-90% of the vendors, and you're right, it's all features and speeds. Speeds have nothing to do with outcomes. You ran both consumer and commercial for a pretty decent-sized product, a product that we all know. Tell me, do you perceive there's a difference in marketing to one buyer versus another buyer, in business versus as a consumer product?
Brooks: Yeah, Steve. I do. I don't see that there's a difference. But I see that there's a difference in the type of marketers that go through that methodology. I'm very intentional in my marketing teams. And this has been ever since I left Microsoft, running B2B marketing functions: I look to folks that have done consumer marketing. And the reason why is consumer marketers are much better in terms of defining their markets around the individuals and talking to the people. Which means you've got to quickly get out of that speeds and feeds conversation and talk more to the value of what they're going to get out of that product. They think about it that way. And they communicate it that way. And therefore those that specifically have had some kind of background in consumer marketing, I find, are much more effective when they come over into these B2B marketing roles, particularly in these technical marketing roles. Too often, you get a lot of engineer cross-overs coming into marketing, which is fine, but they're going to go with what they know. And they're going to go to the speeds and feeds conversation, given their background. How do you differentiate between Cheerios and Frosted Flakes? You're not doing it based on the grains, or the field that the wheat came from, or the quality counts of X, Y or Z; what you're doing is, you're going to a more visceral, more value, emotional-based conversation. And people that think that way are very effective in the technical B2B marketing space, and there's just not enough of them.
King: You're selling; it's kind of the DTH thing. You're selling to humans in both of those equations, correct?
Brooks: As I keep reminding my organizations, entities don't buy products, people do. And you get out and talk to the people and make it worth their while, make them understand the value to them, how they are going to get something out of it. And then the conversation changes, and the trust level changes too. Because now they believe you get them, that you understand actually what they're going through, which the speeds and feeds conversation is never going to get you to.
King: Yeah, but the amazing part to me is that we don't seem to know that as an industry. Do you remember the Apple silhouette ad campaign? One of the most effective, I shouldn't say best, but most effective campaigns in history, and Jobs' initial reaction was the one you just described. Hey, wait a minute. This doesn't say anything about the product. And of course, their team said, you're right, Steve. It says everything about how it makes you feel.
Brooks: Yeah, the guy behind that was David Roman, who was working at Apple at the time and was a good friend of mine.
King: It's one of my all-time favorites. It is such a great illustration of what we're talking about, and they finally capitulated and threw in the "10,000 Songs in Your Pocket," which is also a fabulous tagline. And on they went to billions of dollars in sales over a three-month or six-month period. But my last question is, I know RiskIQ is an old client of ours. And we know a lot of those people pretty well. And they had this kind of, I'll call it kind of an open-source free collective, that I think you guys have something similar to, whatever you want to call it, a crowdsourced attack vulnerabilities forum or something. And I know they have, like, I thought that they had a million members or something at one point in time. And they used that as a free product for their client base, which seemed to me to make a lot of sense. You have a community program; is that similarly constructed like that? Or that's the purpose, is it not?
Brooks: Yes, it is. And we do have a community. It's got several tens of thousands of members; we're not quite up to a million yet. But we're definitely growing very fast. It's global in nature. And two things around that. Number one is they get free access to our data, and they come in, they can search, they can use our search tools. We have a community forum where we can engage with those users to help them. We've got specific engagement with universities around the world as well as their research teams to engage on flagpole filing, labeling of assets, identification of risks, etc. But we use those all as feeds as well, so that when the community sees something interesting, they see an anomaly, they see a command-and-control network that's under construction, they see some of these other things that are going on, they feed it back to us. And then we can put that into our tooling. And for the customers of our attack surface management product, they immediately get the benefits of us recognizing issues within the environment. One of the areas where that popped up quickly was how fast we could respond to the VMware hypervisor flaw at the beginning of this year: we started recognizing a lot of these issues within the community and our research before it was actually highlighted as a zero-day exploit. And we could get that information out to our customer users, based on this research that the community was finding about some activity that we saw. So yeah, we've got this base, we've got this user community, we put it together, and it's a big part of the background of the company starting out as a college research project. But also of our feeling around engagement and community is that we're getting some benefits out of our data and we're turning it into a commercial business.
But the only way that we collectively get stronger is by sharing information, what we see, and not holding it back when we see major exploits, or having our community identify some of these exploits and share them. We want to encourage that as part of our product development. It helps us, but it also helps the community at large and helps us share information much more quickly.
King: Yeah, sure. You end up with a product management team of tens of thousands.
Brooks: Feedback all the time. Yeah, do better - better data, better labeling, better understanding - it does help tremendously in terms of improving the quality of the product.
King: Yeah. And to be fair, you built yours from scratch; RiskIQ bought theirs. So that company had years to put together a million subscribers or whatever.
Brooks: We were building it one user at a time based on reputation and quality product. That's how we did it.
King: It was great meeting you and talking with you. We have mindshare on a lot of stuff here. And I'd like to do it again sometime, maybe a few months from now. And if you'd like to join me on air again that would be great. Thanks, Brad. It was enjoyable for me.
Brooks: Steve, I enjoyed it as well. I look forward to it and happy to come back next time around as well. Thank you.
King: Great. Thank you. And thanks to our audience for hanging in with us for another episode of our podcast. And until next time, I'm Steve King, your host signing off.
Delaney: Thank you for joining us for another episode of Cybersecurity Insights. You can connect with us on LinkedIn or Facebook, or send us an email at social at CyberEd.io. For more information about the podcast, visit cybered.io/podcast. Until next week, stay safe and secure. And we'll see you on the next episode of Cybersecurity Insights.