An Interview with Colorado’s CISO – Debbi Blyth
Have you ever wondered how someone can go from a job as a mainframe administrator to CISO for the state of Colorado? In this profile I sat down with Debbi Blyth and learned how her career took her along that very path. I learned about Debbi’s background, her plan for Colorado, her advice for new entrants to the security industry, and her advice for current CISOs. If you find yourself hungry for more details about Debbi’s plan for Colorado security, attend the June meeting of ISSA Denver – Debbi and coworker Trace Ridpath will be presenting details on their Secure Colorado program.
My passion is to organize and energize the Colorado information security community as the Mecca for information security. As I’ve worked in the community, I’ve been continually surprised at just how many fantastic individuals we have in the area and the wide variety of ways they contribute to the industry. So I set out to start meeting those people, and writing up those interviews for you, the loyal reader, to enjoy along with me. I am hopeful that one of these stories will inspire you to throw your own hat in the ring, or take a chance and try something new. Click the links below to read the previous interviews.
- Dave Navetta – Information Security Lawyer
- Chris Petersen – Co-founder of Boulder-based LogRhythm
- Johan Hybinette – CISO for Hosting.com
- Jericho – Founder Attrition.org
- Dan Wilson – Co-founder of Denver-based Accuvant
- Mike Kalac – CISO for Western Union
- Brian Krebs – Investigative Security Journalist
Not only do I need to thank Debbi for taking the time to sit down with me, but also for her lunch recommendation. This discussion took place at Park Burger near DU on Pearl Street. The ahi tuna burger was great, and the blue cheese chips were even better.
My questions are in bold, with Debbi’s responses paraphrased below.
What’s your background? How did you get into the security field?
In the early '90s I worked for a company called Galileo International (later Travelport), supporting their mainframe systems. Initially, my goal there was to be an MVS systems programmer. My boss approached me at one point and asked me to help with Unix administration and automation. In that role I had the opportunity to look at network and system events and figure out how to automate responses to them.
At that time the firewalls were managed by the networking team. They continually had problems with firewall management. At some point they recognized that the devices were really Unix under the hood, and handed off the firewall systems to me. As soon as I was given responsibility for the firewalls, I dove into learning the technology. I stopped by SoftPro Books (edit note: SoftPro’s closing left a big hole in the Tech Center!) and bought all of the firewall books they had. As I started reading the books I realized how big an undertaking and responsibility I had in front of me.
I hear you made an interesting friend at work during this time.
Indeed I did! I met my husband at work. He was working on the Unix team. There was a little inside joke at work that ended up with him getting the nickname “hacker,” because a vendor of ours didn’t like the configuration changes he made to their product. So, I changed his username to “hacker.”
One day I got a frantic call from a user telling me that there was a hacker in our system. He had seen the hacker account logged into the system. I played it very straight on the phone. I leaned across the cube wall and asked "hacker" (later, my husband) to log off the firewall, then got back on the phone and said, "Is the hacker gone now? I think I eliminated the threat." While we were very serious about security, we worked hard to also keep it fun!
So at this point, you were still not officially reporting into the security organization?
No, in fact the security director at the time used to call me up and tear into me for stepping into his team's area. I was doing a lot of security work, trying to implement the firewall rules appropriately. There was some contention between our areas.
At the same time, the firewalls were taking up all of my time, and that was really where my interest lay. I was so focused on getting those tuned appropriately that I wasn't appropriately focused on my normal Unix administration and automation. After running the firewalls for 2-3 years, I reached out to the security director and proposed that I move over to his team. He accepted my proposal and created a position for me in security.
So, did you bring the firewall administration over with you?
No, the day-to-day administration stayed in the infrastructure area. Security was responsible for the policy and oversight for the firewalls. My new role was much broader in nature. I was so excited to learn. I took as many classes and trainings as I could. Initially I spent a lot of time learning network security – routing and switching, and how to secure that area.
Eventually I shifted my focus to application security; specifically software development lifecycle security. Back in the mid-'90s our business wasn't reliant on the internet. But now in the early 2000s it was a key component of our business. I recognized that our developers were creating all of these web applications that were essential to our business model. I believed that this was where we were most vulnerable. So I worked with the development team to start doing some OWASP Top 10 testing, and secure coding training.
How did you learn about application security to help run this effort?
A few ways. I started attending the monthly OWASP meetings. I read application security books. I also worked with a local company RedShell. They were doing some consulting for us, and they provided a lot of guidance on application security. I wasn’t an expert on it by any stretch, but I knew enough to ask questions like, “how are you handling authentication?” and “how are you sanitizing input?”
Pushing into appsec is always a challenge for a security department that’s traditionally focused on infrastructure. How did that go for you?
There was definitely some resistance. At about that time, in 2005, our director left. I hadn't expected it, but my bosses promoted me to security manager. I became a reluctant manager. I had really planned to stay completely technical. I loved the learning and the hands-on work. But, it wasn't really an option – I was just told I was the new manager of information security. I was the only female on the team at the time… and I honestly believe they picked me for the manager role because I LOOKED the most organized!
In my last months at Travelport, I was reporting to the VP of Network Infrastructure. He kept telling me to leave the developers alone, and stay focused within the network. He thought of me as being a network security manager… the firewall people.
The reporting structure can really make a difference, can’t it?
Yes, when you report into a strictly infrastructure area, it is no surprise that you’re considered to be an infrastructure security department.
What came next for you?
I worked at Galileo/Travelport for almost 20 years. In 2009 I got a call from a recruiter for TeleTech. I listened to their pitch, and it sounded like a fantastic opportunity. I came on as their director of security and compliance and got to run the program. It was at that point that I decided that I really was on the management track and I should embrace it completely.
At TeleTech I reported directly to the CIO, initially as Director of Security, eventually as Executive Director. I worked for them for just over 5 years.
How was TeleTech?
I enjoyed working for TeleTech, it was a great opportunity. I got to build up the program and learned so much about running a program and developing a strategy in a large organization. I really didn’t have a desire to leave, but when the state came knocking, I had to answer.
How did you end up with Colorado?
When I read the job description for the Colorado CISO position I was floored; it seemed to be describing me exactly, and what I would love to do. Additionally, I love the idea of getting to serve the citizens of Colorado.
Tell me about Secure Colorado, and what you’re doing to implement your program throughout the state.
I came into my position a year into the Secure Colorado program, which is funded and scheduled to run 2014-2016. The program has four big tenets.
- Safeguard and protect state data and assets. To support this initiative, we adopted the 20 Critical Security Controls (formerly the SANS Top 20).
- Conduct research and partner with higher education institutions and other entities to take advantage of and contribute to security research. Utilize cutting edge technology.
- Create strategic partnerships with other state and local public agencies and divisions, including law enforcement and other organizations. Share intelligence and best practices. We meet monthly with these external groups to share information.
- Compliance, especially with federal requirements. Historically, some agencies have been better at compliance than others. We have rolled out a strategic and consistent approach to tracking and managing risk.
These principles provide high-level guidance, and my job is to ensure the program continues rolling along effectively, make course-corrections as we go, and ensure that our program is staying on track.
In year 1 we worked on getting the first five Critical Controls rolled out. I wouldn’t suggest that we are done, but we’ve got an initial iteration completed.
Can you provide an example of course-correction?
Sure. For example, the last couple of years have made it clear that anyone can be breached. As a result, as we continue to refine our program, we will incorporate a larger focus on incident response than the program had originally. We want to make sure our organization is ready to handle that inevitable breach. It’s not really a course correction – the program direction and goals are still valid and relevant. However, at this time, we are selectively highlighting a few areas in which we will deepen our level of maturity.
Can you provide some specific examples of controls you’ve rolled out, and the impact of them?
We implemented the McAfee suite. It provides network and end-point security, such as anti-malware, application whitelisting and hard-drive encryption. Getting this standardized approach has provided great benefit to us. We aren't completely done with the deployment, but we've already seen a 75% decrease in malware instances.
What comes next in the deployment?
We will continue to mature those first five critical security controls while we work on getting the next batch of controls deployed. For example, we currently have rogue system detection on the network to alert us when a device plugs into the network. Currently, a person has to manually go figure out what is going on with the rogue device. The next step in maturity would be to automate that response.
Secure Colorado is a 3-year plan, but we know that even if we do our job perfectly, the job still won’t be done. We will have more work to mature and refine the controls. When the Secure Colorado program was created, the previous CISO assembled a committee of private and public sector security, privacy, and business professionals to vet our plan and give feedback on how to improve it. I am reassembling that group (along with some new members) to review the status and discuss how it should change in the future. I hope to do this update process on an annual basis.
Secure Colorado is a public document, and you all can view it here.
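The rogue system detection Debbi describes above is, at its core, a comparison of what is actually on the network against an authorized inventory, followed by a response. The block below is an added example written for this profile; it is not code from the State of Colorado, the Secure Colorado program, or any McAfee product. The DHCP log lines and the device inventory are constructed for the example, the syslog line format is assumed to be ISC dhcpd style, and `plan_response` returns a response plan as a dictionary rather than changing a switch port or NAC policy, because that wiring is deployment specific.

```python
import re
from dataclasses import dataclass

# Constructed sample: the authorized-device inventory, keyed by MAC address.
# In a real deployment this is the asset inventory that Critical Control 1 maintains.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"hostname": "ws-finance-01", "owner": "Finance", "vlan": 10},
    "00:1a:2b:3c:4d:5f": {"hostname": "ws-finance-02", "owner": "Finance", "vlan": 10},
    "3c:97:0e:aa:bb:cc": {"hostname": "printer-3f", "owner": "Facilities", "vlan": 20},
}

# Constructed DHCP lease log lines, assumed to follow the ISC dhcpd
# "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>" format.
SAMPLE_DHCP_LOG = """\
Jun  1 08:02:11 dhcp1 dhcpd: DHCPACK on 10.10.10.21 to 00:1a:2b:3c:4d:5e (ws-finance-01) via eth0
Jun  1 08:03:47 dhcp1 dhcpd: DHCPACK on 10.10.10.22 to 00:1a:2b:3c:4d:5f (ws-finance-02) via eth0
Jun  1 08:05:02 dhcp1 dhcpd: DHCPACK on 10.10.10.77 to dc:a6:32:01:02:03 (raspberrypi) via eth0
Jun  1 08:05:59 dhcp1 dhcpd: DHCPACK on 10.10.20.5 to 3c:97:0e:aa:bb:cc via eth1
Jun  1 08:07:30 dhcp1 dhcpd: DHCPACK on 10.10.10.78 to 00:1A:2B:3C:4D:5E (ws-finance-01) via eth0
Jun  1 08:09:14 dhcp1 dhcpd: DHCPACK on 10.10.10.79 to b8:27:eb:99:88:77 via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    iface: str


def parse_leases(log_text):
    """Extract DHCPACK events. MACs are normalized to lowercase so that the
    same device logged as 00:1A:... and 00:1a:... is treated as one device."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["name"] or "", m["iface"]))
    return leases


def find_rogues(leases, inventory):
    """Return leases whose MAC is not in the authorized inventory, one per MAC,
    so a device that renews its lease repeatedly produces a single alert."""
    seen = set()
    rogues = []
    for lease in leases:
        if lease.mac in inventory or lease.mac in seen:
            continue
        seen.add(lease.mac)
        rogues.append(lease)
    return rogues


def plan_response(rogue, quarantine_vlan=999):
    """Automated first response for a rogue device: move it to a quarantine
    VLAN, open a ticket, and page the on-call analyst. This returns the plan
    as data; executing it against a switch or NAC is left to the deployment
    (assumed, not shown)."""
    ticket = f"ROGUE-{rogue.mac.replace(':', '')[-6:].upper()}"
    return {
        "mac": rogue.mac,
        "ip": rogue.ip,
        "hostname": rogue.hostname or "(none)",
        "action": "move_to_vlan",
        "vlan": quarantine_vlan,
        "ticket": ticket,
        "notify": "secops-oncall",
    }


def triage(log_text, inventory=INVENTORY):
    """End to end: parse the log, compare against inventory, plan a response
    for each rogue device. Returns the list of response plans."""
    return [plan_response(r) for r in find_rogues(parse_leases(log_text), inventory)]


if __name__ == "__main__":
    for plan in triage(SAMPLE_DHCP_LOG):
        print(plan)
```

Run against the constructed log, `triage` flags the Raspberry Pi at 10.10.10.77 and the unnamed device at 10.10.10.79 and ignores the uppercase re-lease of ws-finance-01. The de-duplication in `find_rogues` is the part worth keeping when you wire this to a real response: a quarantine action that fires on every DHCP renewal is the kind of noise that sends an analyst back to handling rogue devices by hand.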
Do you have plans for what comes next for Debbi Blyth after CISO of Colorado?
I feel like I have reached the pinnacle of my career. I am working with a fantastic group of people who I enjoy daily, and I’m making a real difference for the people of the state. I have no plans for something different in the future. My boss (the CIO) is appointed by the governor, so there’s no guarantee what will happen when we have a new governor, but I am thrilled to stay where I am for the foreseeable future.
One of my favorite questions… for someone who is just looking to get into security, what do you recommend as their first steps?
I strongly recommend that they start technical. Firewall administration, networking, application security or another technical discipline will give them the background they need to be successful in the industry. They should be taking security classes and pursuing security certifications. At whatever level they can. Maybe start with Security+ until you have the work experience to get the advanced certifications.
The main key is that you just need to spend time with security to learn it. Go talk to the security department at your current company and ask to help them. Get experience helping with projects, or just helping out. It’s a great way to find out what you like about it, and whether it will be a good fit for you. Many times the way I have hired into my team is pulling in the people who have been my allies in other departments.
What advice do you have for CISOs and other folks who run a security program?
Security is all about relationships. Build relationships with those who are running the business, doing mergers and acquisitions, marketing, with product testers. These relationships are the biggest component to being effective in your role. A lot of decisions are being made on a regular basis, and if you don’t have the right relationships you won’t know about the decisions until they’re already made.
Debbi, you just put it perfectly. Our success is all about the relationships.
The CISOs who get fired are the ones who nobody can get along with, or who are considered "the department of 'no'." Saying no doesn't make us more secure, it just means we will be left out of the conversation.
Thanks so much to Debbi Blyth for making room in her schedule to grab lunch, and opening up about her Colorado success story. I look forward to continuing this series and shining a light on more interesting members of the Colorado security community. If there is an individual or corner of the security spectrum you'd like to see spotlighted, drop me a note and I'll see what I can do. Please join us June 10th and hear Debbi's plan for security.