Establishing a cybersecurity program is hard, and Bryan Galloway has taken on the challenge twice, from two different perspectives. In this episode, he discusses the importance of tying the criticality of security to business outcomes, shifting business culture, and getting back to fundamentals when creating a cyber strategy.
Ep. 16 | Reimagining Cyber | Powering Your Cyber Strategy | Bryan Galloway
Bryan Galloway 00:04
I'm not going to be the first person you guys have talked to that is going to lament our reputation in info sec as being blockers and that the owners have constraints when it comes to business process, right? Our job is viewed as saying no and creating complications. We're all aware of this stigma. I joke about it, and we think we get into our info sec conferences and our roundtables and we laugh about it and say, 'Oh, you know, these guys don't get it. They don't understand what we do'. But you need to embrace that and understand that that's on us to fix.
Rob Aragao 00:33
Welcome to the Reimagining Cyber podcast where we share short to the point perspectives on the cyber landscape. It's all about engaging yet casual conversations, and what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my co-host Stan Wisseman, Head of Security Strategist. I'm Robert Aragao, Chief Security Strategist, and this is Reimagining Cyber. So Stan, who do we have joining us today?
Stan Wisseman 01:02
Rob, our guest today is Bryan Galloway. Bryan is currently the Director of Information Security at Enphase Energy, covering not only enterprise security, but also product security. He previously served as the Head of Information Security at Sonoco Products Company, a global packaging firm, where he helped them establish their cybersecurity program. Bryan, it's great to have you with us today. Can you expand on your background a bit for our listeners?
Bryan Galloway 01:27
Sure. So happy to be here with you guys. I started out as an electrical engineer with no idea about security. And since then, I've been able to focus on security in a variety of ways from compliance, risk management, engineering, system development, to operations and strategy. And I've been able to do those across a bunch of industries. I've benefited from all that, and it's given me a chance to see and interact with a diverse set of perspectives and interests.
Stan Wisseman 01:54
As far as your opportunity at Enphase, you're helping them establish an information security program. And you had the same opportunity in a completely different sector, at Sonoco. I was just wondering, as far as the differences in working with executive leadership in these kinds of firms, again, a technology, green technology firm, and more of a blue-collar industrial firm, what kind of differences have you seen? Again, the same goal, helping them protect their assets and standing up a program, but completely different kinds of sectors?
Bryan Galloway 02:27
My experience with the industrial sector, and specifically in manufacturing and product manufacturing, is that those organizations in general tend to be less sophisticated when it comes to cyber because they have the luxury of being less visible targets. That lack of a sense of threat creates, unfortunately, a level of comfort. Along with that comes the thinking that the data, the IP that they have isn't valuable. And obviously, we can all agree that that's wrong. The hard reality is even if a manufacturing organization doesn't tick the box for a political or ideological motivator, all businesses provide financial and commercial drivers for the right cybercriminals. I think the statistics last year from 2020 were something like 1400 ransomware incidents were observed, and most of those targeted manufacturing, engineering, and tech. For manufacturing to think they're not a target in this day and age is absurd. These large organizations, regardless of how well known they are, make great targets, because they can pay larger ransoms. But you know, conversely, with a technology firm, there's a more sophisticated understanding of the threats and risks. They grasp the implications there, they understand the risks, certainly from a product side, because that's the business lifeblood; there's a different set of dynamics right there. The differentiation is how do we build security in a way that makes sense for the business to operate effectively. You know, they're more willing to invest at a rapid pace, because they're more aware and more sensitive to it, and there's a willingness to adapt, but it still has to work for the business.
Rob Aragao 03:52
When you look at your particular business today, and you look at that green technology sector, right, that's an extremely fast, competitive industry. The drive of security and how you actually are tying it and injecting it and building it in, what are you seeing as some of those key capabilities? Kind of tied into the development processes, tied into, you know, other areas of how you can really embed security into the organization? What are some of the lessons you've learned as you've been going along the way and doing so?
Bryan Galloway 04:21
Yeah, Rob, great point, and getting to transition into how we actually make this a reality. Because it's one thing to make people aware and another to say what we do about it, and that's always the key challenge, communicating that understanding. And really what that turns into, for any organization, is a culture change. It's an understanding of the relevance of security within the business culture and making it part of that every step of the way. So, it's about how we build it in. Like, I'm not going to be the first person you guys have talked to that is going to lament our reputation in info sec as being blockers and that the owners have constraints when it comes to business process, right. Our job is viewed as saying no and creating complication. We are all aware of this stigma, we get into our info sec conferences and our roundtables and we laugh about it and say, 'Oh, you know, they don't get it, they don't understand what we do'. But you need to embrace that and understand that that's on us to fix; we've got to be the ones who come to the table with a way that makes this make sense. I can talk to them till I'm blue in the face about how DevSecOps is going to make our business more secure. And my dev teams are going to look at me with blank stares, as I talk to them about static and dynamic analysis being required, that they can't go live without security sign-off. They're gonna say, 'Yes, we did it, thanks. But this is tied to business objectives. And we've got these goals, and we're gonna hit it, whether you like it or not.' Your organization, in order to be successful and grow, has to meet certain market needs. But that all ties back to me, you know; I'm no longer in a position as a security leader to be able to say that, you know, my goals and objectives and my timelines don't get tied to business outcomes. They absolutely do.
This is where we reevaluated how we accomplish what we can do. What I've been preaching to my organizations, as I've been there, is there's no rule stating that my team has to be the one to perform and triage these tests and findings. There's nothing that says that I have to be ultimately responsible for implementing all this security. My job is to establish what has to be done, and make sure that it happens. So I provide governance oversight, and frankly, some internal consultative services. But I can allow self-service for my dev teams, which allows them to operate on their own cadence; I can allow self-service, and integrate my testing into quality testing and validation because now it's a feature of the product. So if I do a good job, and you know, we always talk about moving left in our security processes, whether it's MITRE ATT&CK or kill chains, and we talk about moving left and being, you know, more secure, but that works on business process, too. The sooner we move left and start integrating the requirements, as soon as we move left and start integrating, you know, the architectures and good security practices, whether it's, you know, secure coding practices, or like talking about the SAST and DAST components that allow our business operators to run these things on their own as part of their own thing. And then my organization's job is to make sure that when we get to those gates, we get to those promotion gateways and production gateways, and we'd love to push a product out, they can look to us and say, did all these things happen the way they should? Do we have confidence in the product that it's going to operate the way it should? And can we provide trust out to our partners and consumers that they're just going to operate the way we expect? If I can't answer yes, then we shouldn't go live.
That's really where I create value for the business: by letting the business run itself, integrating security, and validating that the things that happen are appropriate.
Stan Wisseman 07:28
So, Bryan, you have some unique challenges, though, in the space, too. I mean, you guys provide a microinverter, right, for your solar panels that connects back to a networking hub. And one of the challenges that you have, and it's complicated, is just the longevity of these deployed systems, right? It's not as if you're dealing with just an application that's out there, and it has a release cycle. You have to deal with a deployment that may be there for 25+ years, and changing ownership of that particular dwelling, that house, that has the solar panels and ultimately, your products integrated into it. In that context of understanding the requirements and how to secure these deployments effectively, what are some of the areas of focus that you're working on?
Bryan Galloway 08:10
We do have some interesting dynamics. We do have an IoT fleet. These systems are designed to live for a long time. They may experience some unusual events, you know, being offline or unconnected for extended periods of their life cycle, which is a little bit unusual for an IoT type device. The point of an IoT device is to be a connected device. These are designed to run connected for, as you said, decades at a time. So throughout that lifecycle, you know, we have requirements where we may need to upgrade software or communicate telemetry, support other interactions like break-fix, or rather in-place upgrade type things. We do have these requirements for how we specifically manage and integrate security into the operational lifecycle of our products, given that we've got millions of devices deployed globally, at various levels of connectivity. That's tied to both the internet and to the grid, where these things live. So these are grid-tied devices. In that context, I think, you know, we couple that with the need to provide digital services connecting these systems and, as you said, the homeowners and, you know, the site to someone who can manage it, whether that's an installer or the customer, the homeowner, themselves, to monitor how much production they've got or any issue they're having. But what we've really identified is that identity management, you know, very much like our legacy enterprise and IT systems, identity management is key to ensuring long-term security and long-term resiliency and sustainability of this fleet. Then we have the other constraints that we deal with, which are equally interesting. We have technical aspects of these IoT systems that come into play. And now we have to account for technical limitations, you know, around memory or processing power and communication bandwidth.
Rob Aragao 09:45
Those are really interesting areas. You think about the green energy organizations in general, right, they're still in their infancy. So when you look at that, and you start thinking about different standards, right, coming out, do you see, or are you guys active in, anything that's kind of tying together some of the things you were discussing, like the cybersecurity aspects interconnecting with the identities? And then some of that tie back, especially with all the different IoT devices that are intertwined as part of the capabilities and services that you're delivering back out?
Bryan Galloway 10:14
It's an emerging space. We're still maturing, we're still evolving as an industry. And that's a nice way of saying that there's not a lot of standards in place. There's regulation, but it's not really focused on the security aspects, necessarily. Those are hard and those create constraints, those create issues for scalability, and when we want to achieve a renewable energy saturation level that helps whatever the agenda might be, saying that you have to slow that down in order to account for these types of very complex solutions runs counter to that. There needs to be a balance between the regulation that comes in and our going forward to market. So, what we can say is, you're not going to see clear guidance on things like identity and assurance standards. You know, we look to enterprise IT security, we have things like 853 from NIST, we've got ISO 27001 and COBIT, that talk about programs and processes and technical controls. There's some good references and tailorable frameworks that we can pull in and some good examples of things we can tailor down, but what we really need is a standard that helps scale for this industry, that provides for things like interoperability. So, we do have groups like the SunSpec Alliance, which publishes interoperability specifications and information models for software developers and hardware manufacturers. These specs are designed to provide that interoperability for distributed energy resources and smart grid applications. The interesting bottom line to a lot of this is that the sophistication and the nature of the technology underpinning my industry, you know, it all reduces to the same fundamentals. You know, as we've heard in our short talk here, there's some very basic concepts that tie through all of these things. Technology is, I don't want to be reductive, but there is a simple way to look at cyber hygiene and the fundamentals of what we do.
When we have vulnerabilities to identify, we have to patch, meaning we have to have an open line of communication to a device in order to send an update that closes a security vulnerability. As much as we can customize and tailor our own software, and we can tailor our own data, remove some of our third-party dependencies, we're always going to have the need to do some of these basic fundamental security things, so that hygiene is super critical. It just has to scale.
Stan Wisseman 12:24
I agree with you, as far as there are certainly commonalities. But folks, many times, differentiate between the IT environment and the OT, or the operational environment. There's some fragility in the OT environment as far as being able to cope with vulnerability testing and runtime environments that could potentially disrupt certain processes, and there are concerns about how best to monitor it. Going back to the whole challenge we faced with ransomware, we had Colonial Pipeline; now that was an impact, honestly, on their IT side that caused them to shut down the pipeline. But how do you perceive the vulnerability detection, as well as threat monitoring, on the OT side? There may be commonalities, but what do you see as some of the differences, too?
Bryan Galloway 13:14
There was a time when the simplicity of OT and IoT devices helped us secure them. But what we've seen is, as we've become more dynamic with what these deployed devices can do, you know, integrating things like PLCs, making real-time decisions for digital or mechanical devices, you know, we started putting robotics in place. Our approach had to change for the risk profile. Which means we had to understand the change in the threats, right? Once I allow an OT or an IoT device to make decisions, then it has the ability to do things, which means it changes to an active player now. It's not just a passive collector or sensor. We've just become more sophisticated in how to assess vulnerabilities in the context of the operating environment these things live in. Specific to your question, you know, we have to understand the risks associated with our products, and how they interact with critical infrastructures like the energy grid. You know, our threat monitoring and detection processes don't change significantly from the IT methodology. Our thresholds are much tighter. For our deviations and anomalies, there's less noise and less expectation of noise than for things like we see in network monitoring, where you get heuristic detection and you're looking for thresholds of certain things. So, if I have one device that normally connects to one other device, and something connects to a third device, that's unusual, and I may flag it, but if it's not doing active total environment scanning, I may not raise that up as a significant issue. On these devices, any deviation from the proposed purpose becomes a significant event that we want to evaluate.
Rob Aragao 14:40
When you look at the energy sector side of things, right, there's a lot of different third-party aspects of things back into the grid, different providers that you can kind of, you know, feed information or feed energy back into, but with the interconnections and potential concerns that it brings. Then it's back in through the consumer's house, which can reach back into your environment as well, right? So it's coming from all different angles for you guys. What are some of the things that you guys are looking at specifically for that type of concern, that type of risk from a supply chain perspective?
Bryan Galloway 15:10
The nature of our deployed systems makes them an interesting target, a compelling target for compromise, because we do touch local networks and we do touch the grid. So, like I said, you know, there's various actors that would have different motivations to take a look at what we have. Now, frankly, the scale required to impact critical infrastructure at this point would be significant. We, being in the solar and PV industry, do not have a saturation level that would, you know, at any mass compromise of these systems with persistent control, allow for much fluctuation in the energy grid at this point. So, we can cause some localized blips and issues, but nothing significant. But that's real. As we continue to grow, that's going to increase. So, it's one of those problems where we either, you know, deal with it now, or we deal with it worse later. You know, where we've got additional debt we have to deal with from the technical implementation side, we've got emerging and changing technologies coming into play, so it's definitely something from a supply chain perspective, and then a niche that we fill, that we're taking very seriously. We play the same role as many other IoT vendors. Now the difference is, your Alexa or your Google Home device isn't going to map back into your power grid. Could it cause your power or your thermostat to cause a significant catastrophic event, that kinetic event? Maybe, but probably not. You know, we've got an interesting niche that we have to fill, and that is where, to your point, we create this up-the-supply-chain obligation that we have, as a partner, as a provider of this service, to create secure solutions and provide transparency and education to our consumers and partners about our security practices. It gives people a sense of awareness for how we expect the product to run and what they can expect from us.
And I think that level takes us away from being just a third party supply chain partner or a vendor and really moves us into true partnership with these consumers and with these other actors.
Rob Aragao 17:04
And I think, Bryan, you know, it's great to see that your organization is invested in security, right, bringing you on to say we believe in it, we know we need it. And to your point, right, it's the opportunity that you have to not say, well, we'll think about this later and have all this additional technical and security debt that comes along for the ride. Right now you guys are doing a great job, from what you just shared, on being able to plug it in early, being engaged, and making it more seamless to deliver the trust that you guys need, obviously, and ultimately safety as well, of course, as part of the equation. So really great perspectives on different, you know, aspects of what's happening in your background, and also very real with the energy sector and green energy, specifically, so we appreciate the time.
Bryan Galloway 17:46
Thanks very much, it was a pleasure to talk to you guys. It was a lot of fun.
Rob Aragao 17:50
Thank you, Bryan. Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the Show Notes. Don't forget to Subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process, and technology to protect, detect and evolve.