March 21, 2022 · 8m read
The Wartime CISO — steering infosec during a global crisis with Joel de la Garza
Material CEO Ryan recently sat down with Joel de la Garza, who previously managed security programs at global organizations like Deutsche Bank, Citi, and Box. He’s now an Operating Partner at the multibillion-dollar investment firm Andreessen Horowitz. The two discuss geopolitics and cybersecurity and offer advice for managing infosec programs during a crisis like the Russo-Ukrainian war.
You’re extremely geopolitically savvy when it comes to cybersecurity. Where and how did you learn this?
I was pretty serious on the debate team in high school. We would memorize excerpts to use as arguments, and there was one card that started with “what if the global economy stagnates or even shrinks?” and then went into all these horrible scenarios that could play out. I went on to be the top debater in Texas. I'm also a newshound and just really addicted to processing the news. I think there are pretty large unseen forces that shape our world, and so just understanding those is important to me.
Why is the Russo-Ukrainian war so relevant for infosec? Why are CISOs pulled so heavily into acute crises like this even when some might have very little to do with infosec?
Over the last couple of years, there's been a lot of bleeding together of infosec and physical security. Especially in places like Silicon Valley, where it's tech-forward, you have a lot of CIOs and CISOs that are starting to own physical security and take on a more extensive program.
Even for some of our portfolio companies that are under 100 people, it turns out that they have five engineers somewhere in Ukraine. Ukraine is very impressive and punches above its weight when it comes to technology. It's got an extensive offshore and development ecosystem, as do a lot of other Eastern European countries. CISOs have to understand the geopolitics, their supply chain, and what this means for their organization. Even before there's any crazy ransomware or malware hacking, the CISOs are engaged.
Back when I was at Deutsche Bank, I remember they spent a ton of money on business continuity after 9/11. Many big banks started to see the actual manifestation of benefits for these investments. Then when we saw the original SARS outbreak, every large multinational corporation had a pandemic playbook, stockpiling masks and Tamiflu and preparing all sorts of responses.
So the CISO's role has evolved rapidly, becoming the last stop for any risk issue that doesn't cleanly belong elsewhere. Anything that has a financial impact typically migrates to the CFO, the ultimate owner of risk in the organization. Some of this stuff finds its way to the CLO. The remainder in most organizations ends up in the CISO's office. This is yet another example where CISOs now have to engage and understand the situation. If you're a multinational corporation or have offshore resources, you need to put a plan in place.
The COVID crisis accelerated IT… what sort of long-term impact will nation-state warfare in Europe have on cybersecurity?
I'm genuinely interested to know what's going on right now because we haven't heard about a lot of cyber activity from either side. If you read open public sources, we know that many US cyber operators are currently deployed in Eastern Europe. This is that classic fog of war period where we won't know what's happened, probably for another year or two. So if you didn't think cybersecurity could be any more serious or impactful, think again.
It's obvious that there's some stuff in the works, and this will probably unleash what's to come in future warfare. We're crossing that chasm from things just on your computer to “oh my gosh, my water is out, and I have no power.” So we may start to see the deployment of these things at scale.
How do you manage a security org in a global crisis like this? How do you communicate with stakeholders? What changes do you make to your security posture and position?
We're seeing discussions in the CISO community about the appropriate response in the current crisis, how you track it, exfiltration plans for employees, employee assistance programs, and more. I can share some things that I've seen people suggesting that are pretty good.
First, you need to set up a regular cadence of communications and understand at what level you will communicate to your stakeholders. If you provide a high-level summary, you probably only want to share things that impact your organization. You'll want to start with a kickoff message to your board or senior management, clarifying the situation, explaining the resources on the ground, and sharing information about people impacted. Then you can move to a regular cadence of updates like “this team was not impacted today and are all clear.” This lets people know that you're on top of tracking the situation. The worst thing is when a CEO or business leader reads something in the news and reaches out to you to ask what you are doing about it. You want them to ingest the information and know that you are already on it.
The second responsibility is around employee safety and employee exfiltration. Many discussions right now concern actively getting people out of the country. Companies are assisting in getting their people into Poland or other nearby countries. That all involves a much larger and coordinated response. Typically you’ll need specific immigration and travel resources to keep abreast of what airports and borders are open and how to get people out of the country.
Finally, you get to cyber risks. CISA released a “shields up” message a while back around how to prepare for Russian cyber operations. A lot of those controls and many things they recommended mapped to existing security controls. I saw several CISOs reporting things like “CISA said we need to do these ten things. We're doing all ten as part of this, and, by the way, we're doing these 20 other things, so we're good.” In fairness, most of the recommendations they make are pretty standard, such as 2FA usage, patch management, firewall configs, etc.
More interesting, if you're a critical infrastructure provider or part of the supply chain for critical infrastructure, you have to start thinking very closely about sabotage and targeted attacks if you haven't already. Most folks are not thinking about this, but the beautiful thing about computers as a weapon of war technology is that attribution is hard. Even with $60 trillion to figure out attribution, a good operator with a solid offset can hide their tracks pretty well. So I think that the high end of the Russian cyber operators could probably act without attribution and do some pretty horrible things.
Similar to how COVID pushed tech trends forward and changed the role of the CISO, these kinds of things will also change the function.
Do you have advice for security teams charged with divesting assets, relationships, and teams from Russia?
There are many different ways that divestitures can happen. Essentially you'll get into situations where the divestiture organization leans towards their native habitat. Although they're working for you, they have an organizational identity separate from yours and will work against you in some cases. In those situations, you have to worry about insider threats including the damage they can do and what access they have. Whether or not people are inherently good or evil doesn't matter. The issue is that you have a host country that is more than willing to exert coercion on people to do bad things. That's always the challenge.
It's unrealistic to believe that you can have an entire large company full of committed employees who drank the Kool-Aid and are all rowing in the same direction. But as a CISO, you also need to avoid treating employees like they're suspicious. The right approach is to just not put people in positions where they could be coerced. Don't give them access to things that provide them with the ability to hurt the organization, hurt themselves, or become victims.
I think you can be very deliberate in structuring your organization with different levels of trust. It's not that you don't trust employees; it's that you don't want them to become victims of their host government. So you have to be very mindful and build suitable, trusted systems.
To learn more from Joel de la Garza, follow him on LinkedIn.