Talking with the Expert: Bill Burns
By Ashish Chhatani - March 2, 2019
Bill Burns is a well-known face in the InfoSec world. Bill, currently serving as Chief Trust Officer at Informatica, has pursued electrical engineering and business degrees at Michigan Technological University.
Prior to Informatica, Bill served Netflix as Director of Information Security and worked at Scale Venture Partners. As chief of security at Informatica, he has ensured the proper establishment of HIPAA and SOC 2 compliance and is leading the Cloud Business Transformation Strategy.
His expertise spans PKI, cryptography, network security, identity management, business process consulting, risk and threat modelling, audit compliance and governance, security strategy, and effective negotiation. It was great to have a leader like Bill share his journey and thoughts on various InfoSec topics. Here’s the full interview with Bill Burns!
1. You’ve had one heck of a journey. Can you please give us a snapshot of your journey to date and tell us how it all started?
When I was in college pursuing electrical engineering, my roommate and I wanted access to a printer in a department lab that we didn’t have access to. We started figuring out how to get access to that printer. So he and I wrote software that would take over the printer so we could use it for our purposes and then release it back to the general team. As a matter of fact, when I was using that printer, no one could use it other than me. Eventually someone said, hey, you are not part of this department and you need to go talk to the lab manager, and the lab manager ended up becoming my wife. I worked with her and explained that they had a security problem and needed to lock things down. That was the first time I realised that you can trick the system to get what you want. At the same time I was working on software with my roommate that used a dial-up network to get news feeds and binaries. Eventually we were contacted by a hacker organisation, and they told us, we really like what you are doing and we want you to write some software for us, kind of destructive stuff. I realised at that point that it wasn’t right and made a conscious decision that I do like hacking from the productivity perspective but not for evil sorts of purposes. You have two choices: you use it for functionality or product testing to make things better, or you use it for mean and evil causes. I also realised that I love electrical engineering but I do like computer networking and communication systems as well. My first job at college was running the R&D lab at Accenture for NSC consulting. We had the first internet connection for NSC consulting, built the first firewall, ran the first web server. We were doing a lot of work and figuring out how to make it secure. So that was really the start of the journey and of how I think about security: to solve problems, add value and protect people.
2. There’s a wave of trending and emerging technologies in the market: AI, ML, cloud and many more. What’s your take on this? Which technology is exciting and has an impact on the next generation?
So there are a couple of thoughts. I was on a panel with Citibank benchers a number of years ago, and they asked me a question: what’s the most impactful creation in the security space? ML? Firewalls? The internet? Or is it the cloud? I said that in the past 15-20 years, the most impactful thing which has emerged is the API. Before we had APIs in security products, or in products in general, security was always bolt-on. You bought a box, you stuck it in front of the other box and that was your protection. Whether it was an application firewall or a database protection system or an encryption box, it didn’t matter. It was always buy a box, plug something in front of it and monitor it. With APIs, as software started to eat the world and teams said we need to do this programmatically, now you could wire security things inline and you can program them, configure them. So APIs allow you to do security at the speed of business. In the early 2000s, virtual computing started to take hold. So you had more boxes doing more functions in a single box. That made it really hard to protect the stuff. Information security was in a dark space at that time. When we got cloud and APIs, we were like, now we have a new tool and a toolkit. InfoSec concepts remain the same. Containment, isolation, data classification, segmentation are all the same tricks, even in the cloud. But things move faster. So you need APIs and programming skills to keep up, rather than hiring someone to watch a box and click on dashboards. The endgame here is that both good and bad guys have robots; the question is who can protect the environment faster than the bad guys can find the vulnerabilities and exploit them.
3. How do you view the cloud transformation, given that it was not so popular in past years?
For a new company getting started, one of the first things they are not going to do is buy some boxes, stand up servers and a data centre and manage those. They are not going to do all these things instead of focusing on their business. The companies getting started now are going to leverage the cloud as much as they can. So the future is wiring those systems together logically and not buying all this stuff. The cloud is essentially someone else’s data centre, but because of the APIs, connectivity and higher-order functions like SaaS apps, it’s easy to derive value quickly. The endgame is that companies will rely on the public cloud, and older companies are getting to the public cloud as well. We will be in hybrid cloud, which is, you know, data centre private cloud connecting to the public cloud, for some time. There’s so much valuable data that resides in old infrastructure. Hybrid cloud will be around for at least two decades. As new companies onboard, the need for private cloud and on-premise systems will go down, but the need to get data between those places, to connect, transform and enrich data, will just continue to grow. No one is going to be able to run or manage all systems, even on the public cloud. They are going to be connected to other systems run by people who are experts in what they are doing. Workday, Salesforce, S3, all these platforms and software, you know, SaaS, those are all going to get better. The new companies are going to figure out how to use them.
4. Recently we’ve seen compliance regimes on the rise. The likes of GDPR and FedRAMP are hot topics currently. Are these going to be really effective? What are your views on this?
See, regulations are important because they hold people accountable for things that are really important. And if the free market economy doesn’t solve the problem itself, then you typically have a government step in to work together and standardise the level of protection and compliance that we need. You can have things like HIPAA, which is self-governed; it’s a law, a regulation. If you breach it, you get fined or may end up going to jail. But there is no third-party attestation for it. No certification for HIPAA. PCI, on the other hand, is not a law or regulation but is really important, and people do take it seriously, as the sensitive data should be cared for properly. GDPR came as a global regulation which is not focused on only one flavour of data but covers behavioural, privacy and also security, which, you know, is some of the PII information. So all these things are coming up because companies didn’t take it seriously. If someone loses their identity or healthcare records, someone has to be held accountable for that. And that’s what these compliance regimes are setting up. There’s gotta be some sort of accountability, especially for the sensitive data. So yes, these compliance regimes are important. There’s always a balance between a very prescriptive control like PCI versus a more descriptive one like GDPR, which sort of gives you goals but not specifics on how to do it. When the regulations become too specific in their controls, then they become very brutal and inadequate. But then people check the box instead of solving the problem they’re supposed to solve or trying to address the spirit of the regulation. So at a high level they’re important and necessary when industry won’t solve it for itself.
5. What are the biggest challenges you have faced as the chief of security of an organisation?
There are two big challenges. The first is being able to articulate the intention of a security control or privacy control, in such a way that the person I’m working with understands it in their context. They might think, well, yes, it sounds important, but what do I really do differently? So it’s getting them to understand the context. The second biggest challenge is being able to allow teams to innovate in their space and implement the controls they think are necessary, without restricting their ability to innovate or coming down too hard. So it’s partnering with my stakeholders and saying: what do you need to do, how do you need to do it? Let me help you figure out how we are going to do that. It’s easy to say NO but harder to say HOW. So really it’s me understanding their context and them understanding the objective or purpose of the control. Those are the two biggest challenges in the security space.
6. What is the best way to tackle a data breach?
I would say the best way to tackle a breach is to prevent it in the first place. Having a security programme in place that empowers and enables every piece of the chain, from the person who is buying it to the person deploying it. The best way to prevent a data breach is to empower each and every person associated with the chain to say it’s wrong if something is misconfigured or has a loophole in it. Because if you are going to push all the responsibility to one team, one person or the security team at the end of the process chain, you’re never going to be successful. So it’s important for everyone to think about security as part of their overall job responsibility.
7. How do you look back on your journey? Are you quite satisfied? Or is there still a lot more to achieve in the coming years?
I think if you’re a competent security professional, you are never satisfied with what you are. You are always hungry to do something better or more optimally, or to have influence over another part of the value chain of the business process, hoping that you can prevent even more things or find another way to influence someone. So I don’t think you’re ever fully satisfied. You are always looking to improve in some area, either yourself or the control.
8. Have you ever had nightmares or feared a data breach as the head of security? What does it take to handle pressure situations or incidents?
Yes, I do have sleepless nights. Let me put it this way: if I’m running the program poorly, then I have lots of sleepless nights. If we are doing our job adequately to protect our customers, because we’ve got controls in place, monitoring in place, but more importantly we’ve got people who are aware of what safe looks like and, if something is not safe, they know who to call, then you have fewer sleepless nights. If you are positioning your security team as them versus us, like product development versus the product security team inside the company, with unhealthy tension, then you are going to have way more than sleepless nights, and it means that you have built an unhealthy security mindset in the company. If you have the opposite of that, then sure, you always worry, because you want to improve things a little bit here and there, but you know you’ve got adequate controls and people in place. So that’s how I’m able to sleep at night: I know we’re building relationships with the customers and people, clarifying their responsibilities, and they’re going to do their job.
9. There are plenty of security certifications out there in the industry. How do you see them? Is it mandatory to pursue them? How do you measure a candidate’s capability?
So I find value in certifications because they help you with specific domain knowledge or expertise. In other cases, you have to re-apply for certifications and redo them, and I think that’s good, as it helps you to sharpen the saw. But certifications are not necessary. If someone can demonstrate to me that they can do everything a certified professional can do, I think that’s fine. There’s another level of certification which is broad. Take CISSP, for instance: it covers many domains, from appsec to physical security. It cannot make you an expert in all the domains, but it gives you a holistic view of the things you should know. So that level of certification is more broad, and it gives you a broader perspective of what else you should be worried about or focused on. Depending on the company, maybe you don’t need all of those, but you probably need some level of competence or expertise in every one of those. So with certifications, as you go higher in your career, your specific domain expertise is not that helpful. You need to have that broader experience. And it’s not just security certifications; it can be program management certifications or organisational design expertise. All these certifications give you a broader or deeper perspective about where you want to go in your career.
10. Any advice for young readers or folks who want to make it big in an InfoSec career?
A couple of things. First, when you are early in your career, you don’t know what you don’t know. So you should spend more time exploring different things, as much as you can, so that you can figure out what you are good at or passionate about, and what other people will pay you for, because the intersection of all these things is where you can have a very healthy career and really enjoy your job. So start figuring out what you are good at and love to do, so that it’s less like work and more something you enjoy. Have that self-awareness and discipline to keep trying things and not be afraid to fail, because you are not going to be good at everything; you should actually learn what you are good at and what you are not good at. So you should jump into everything and give it a try. If you fail, that’s totally OK. That makes you more resilient. The other thing is finding a mentor or mentors. Partner with them, learn what they’ve learnt so you can grow faster, you know. You can make the same mistakes, or you can learn from them and ask what mistakes you should avoid. They should help you to gain the expertise, build your career and grow faster than they did.