Last week we launched our 2017 CISO Investment Blueprint which analyzes survey responses from 100 security decision makers regarding the current state of application security. In addition to the survey results, we’ve chatted with several innovators in the security industry to get their thoughts on appsec today and the future.
Over the next couple of months, we’ll be publishing these interviews, filled with insights around the challenges and opportunities present for security decision-makers in 2017. We welcome your feedback and observations as well! Tweet us or shoot us an email to share your thoughts.
Our second interview is with Richard Rushing, CISO at Motorola Mobility, who also joined us for a webinar at the end of 2016 to share his thoughts and predictions for the upcoming year.
Jason Haddix: You’re a bit of a security vet at this point. How did you first get into security?
Richard Rushing: I think it’s a common trait; I grew up with a passion for technology. My dad worked in the technology business in the ’70s, working with mainframes, and exposed me to many things that at the time seemed like science fiction. With that early exposure to computers, I started programming and doing more and more. That soon became a quest for knowledge that was different.
No Internet, no real books you could find. You needed to find people who could help you, and it was bartering for information or just meeting the right person and hanging out for a while until they trusted you, or figured out you were, for lack of a better term, “cool.” This led to many hours online, at very slow speeds, reading text on Bulletin Boards (BBSs) and finding information. Understanding hacking and systems wasn’t about breaking. In many cases, all you needed was a modem phone number, a username, and passwords, but understanding the system and its commands, accounts, access, modification, and navigation was key, and so was finding the required knowledge. The only place to find that information was in write-ups and manuals.
Moving forward, I did more of the same. Learning more about applications, networks, languages, and everything else became a hobby, but I never thought about it as a career. At some point, I realized that I should accept my skill and focus on it as a career. Working with small groups and nimble organizations, I got to learn more about programming, networks, applications, etc., which was great, but the nimbleness soon became what I looked for, and startups were founded and sold. But playing offense wasn’t always fun, so I thought I’d try putting my knowledge to work on the defense end. Think of it as the circle of security life.
JH: Yeah, I’ve heard the offense-to-defense story quite a bit. Since switching, you’ve worked at some great companies with great security teams. Now you’re at Motorola. What are you most proud of accomplishing in 2016?
RR: Only one thing? Simple. I’m proud of moving forward and not making the same mistakes as we did before. 2016 was the year when CEOs and BODs started to ask about security. Everyone was interested in security from e-commerce to products, and no one wanted to be the breach poster child. Being prepared with how to solve problems, how to spend more money, what new people to hire, and how to measure success allowed me to hit the ground running.
JH: That has been a common thread: solving new, never-before-seen problems. On that note, what have the biggest challenges over the past year been for you in appsec?
RR: For me, it has been working security into APIs and flexible programming. Programmers and developers want to make code flexible, designed to do multiple things, and this is a direct issue with security. APIs are being built to be extensible, so instead of handing back a single piece of information, the API can be a query for everything and anything.
And as always, scale. So many apps, so little knowledge to fix them.
JH: What do you think can be improved in appsec in the short-term?
RR: Secure coding will come, but there is still a disconnect between speed and flexibility and security. Things like SQL injection and APIs created open and flexible vs. secure.
JH: How do you see bug bounties fitting into appsec? Do you think that will change in the future?
RR: I see bug bounties as an excellent way to get a full product review versus a single point-in-time review. They are much better than website vulnerability scans for testing web properties, databases, access points, and connections to third parties. Bounty programs allow me to continue changing my application over time and realize the cost savings versus a pen test for every version.
JH: Looking to the future. What are your 2017 goals?
RR: More sleep as a result of awareness at all levels from developers to executives, with newer tunable controls, new technologies and the acceptance for security to be implemented early in the development process.
I think I get at least maybe 30 more minutes a day, which is 10,950 minutes, which is 182.5 hours, which is almost eight days in a year. This is a win which I will take credit for in 2017. I’ll try for an hour in 2018.
To learn more about top appsec challenges and opportunities for the upcoming year, download our recently released asset, “2017 CISO Investment Blueprint.”
We welcome your feedback and insights! Look out for our Q&A session next week!