Dell's Chief Security Officer on physical security, frameworks, burnout and incident response
John Scimone looks so fresh-faced that it is hard to believe he has been around the block a bit, but Dell Technologies’ Chief Security Officer (CSO) has seen a thing or two in his time. Scimone – who cut his teeth as a security analyst at the Defense Information Systems Agency 20 years ago – found himself at the heart of one of the world’s biggest cybersecurity incidents in 2014: just weeks after being appointed CISO at Sony, he was pummelled by a nation-state attack that ultimately bricked 3,262 of Sony’s 6,797 personal computers and 837 of its 1,555 servers.
Getting digitally sucker punched by a nuclear-armed rogue state (the attack was later attributed to North Korea) weeks into the job has to be up there with some of the industry’s worst hard landings, and there can be little doubt that the experience was formative. Sitting down with The Stack for an interview at the Dell Technologies World conference in Las Vegas on May 23, however, Scimone has the present tense on his mind.
As CSO at Dell, a colossus with some $100 billion in annual revenue, he is responsible for, in his words: “Cybersecurity, product and application security, physical security, insider risk, fraud, crisis management, all of these different disparate programme areas that are helping reduce risk to the company”, and somewhat unusually he reports not to a CIO or COO but to Dell’s General Counsel (who in turn reports upwards to Michael Dell).
“There are a number of reasons we chose this alignment,” he explains. “First, my responsibilities are broader than just IT security. Even within our cybersecurity programme, we quite often get the question ‘why doesn't your CISO report to the CIO? Have you thought that through?’
“I think there's a few good reasons why we chose in our case not to do this. First, cybersecurity risks exist across the company, not just IT organisations. Dell is on the front lines of seeing our customers digitally transform their businesses everywhere every day. [We’ve moved] from a world in which your cybersecurity risk maybe historically was mostly in your IT shop. Nowadays, it could be your facilities team, or your product engineering teams are certainly [also] a big part of your attack surface.
“Having the cybersecurity leader in a vantage point that… has access to the full spectrum of enterprise risk, we think is really important,” he says.
Dell’s CSO adds: “From our perspective, there's good hygiene in being able to have a little bit of separation relative to the two functions (cybersecurity and IT). We mitigate the trade-offs by deeply embedding our cybersecurity programme inside of IT. So our CISO sits on the staff of our CIO. We do joint budget planning, we do joint programme planning, we have single dashboards that we stare at – the CIO and myself and our CISO as one team. We sit down monthly, we look at the same metrics together.
"At the operational level, it's pretty tightly interlocked.”
Dell CSO John Scimone on legal risk and security risk
Ultimately, he points out, “there's some really strong commonality and synergy amongst the culture of a legal department and security programme at the end of the day. The security industry is moving from [a binary mindset of] ‘secure or not secure’, ‘compliant or not compliant’ to a mindset of business-enabled risk management, which at the end of the day, that is what the general counsel is doing. They're saying, ‘here's the risk profile of certain decision making. Here's the guardrails of the current legal frameworks that exist… helping [business leaders] navigate a legally risky world. We're doing the same thing from a security perspective.”
Asked what lessons he’s learned from responding to major incidents in the past, Dell CSO John Scimone says “you’ve got to plan and you’ve got to train… the basic steps of crisis management team formation: understanding decision rights, understanding the various participants in the ecosystem. Handling security incidents is less about the security team itself. It's really a broader team sport: you consider communications, legal, IT, HR, how you communicate with your employees… it's really a whole-of-company effort, when you think about these major security incidents and how you navigate them in a way that minimises the consequences for your company, your customers and your other stakeholders.”
Human capital, automation, and skills
As with most CSOs and CISOs, Scimone is heavily focused on skills: “I think you live or die by your talent, your talent management strategy and your ability to implement it; the rest will work itself out. In particular, in the security space, if you can't do well on that front, you're dead in the water.
“[But] I think every day that goes by, we have to find ways to achieve the same security outcomes with less human capital involved. It's simply an unwinnable battle at the moment relative to the demand on labour. I'm really proud that we’ve assembled a super talented, very diverse, very experienced security organisation with very healthy retention rates. But that's not the story for most organisations worldwide. We as an industry have to find ways to be more technology-enabled,” he tells The Stack.
“A big part of our strategy, as a security organisation, is not designing additional security practices and processes that you then throw on top of what the business is doing, but rather, enhancing the business practices themselves to be more secure and resilient. [Security] is a team sport.”
"I have concerns for myself as an individual"
Burnout is rife among senior security professionals. How does Dell CSO John Scimone keep it at bay and what keeps him up at night? The latter question goes back to skills and the sheer scale of the threat in a world in which cybercrime now reportedly generates more for criminals than the world’s not insignificant drugs trade. As he puts it: “What keeps me up at night is contending with the scale and sophistication of threats that are being faced in a labour market, where there's not enough people to help.
“One of the most really confounding consequences of this security mess of an industry and ecosystem we're in is that it erodes trust in technology.
“We need people to be able to place their bets on technology and have the trust to do so. That's a huge focus of ours as we think about our go-to-market. What we're doing in our products is building the world's most trusted technology so people can continue to digitally transform themselves.” (At Dell Technologies World 2023 this month, the company revealed its “Project Fort Zero” programme that will provide an “end-to-end Zero Trust security solution for global organizations to protect against cyberattacks… validated by the U.S. Department of Defense.”)
In terms of burnout and other concerns, Scimone is candid: “I have concerns for myself as an individual, it's probably not the interest of the interview, but I've got a handful of young kids, I've got concerns for the organisation and the company, where my, you know, laser focus is always on talent… [staying afloat takes discipline]: Any one of us could look within our own job and our own remit and feel like we're not doing enough on a given day; work 15-18 hours and still not feel good about ourselves. There is a bit of self-discipline and control [required] in managing that and saying ‘here's my goal setting, here's my expectations, security is not binary, we’re not going to be ultimately secure in a ‘never have an incident’ sense. Therefore [the question is] how do we make the most of every hour, every dollar that we have, in a way that takes a balanced approach; that values the health and well-being of the organisation, and the mission and goals that we're seeking to achieve.”
Input from peers and associations
Time's nearly up. Sitting down for a 25 minute conversation, The Stack and Dell Technologies' CSO John Scimone have squeezed a lot in. (Watch the video above for more of the conversation, including supply chain and physical security). A final question. With such a sweeping remit, where does he go to for input in terms of peer groups or associations and what is he seeing there?
"It's been interesting. I've been invited to speak over the last five years at a number of CISO forums, CSO forums, business continuity forums. It's interesting as these traditional monolithic disciplines or professions have pretty well established industry associations, where for example the Fortune 100 CISOs get together once or twice a year and share best practices in cyber.
"[But] there's been really high interest in the last few years amongst peers, whether it's physical or cybersecurity, [where people are saying] 'my business is actually starting to talk to me about what synergy or opportunity might we find by bringing things together?' I see CISOs that also now have privacy responsibility, or business continuity responsibility... [where you're] taking business continuity plans and putting them together like a cybersecurity operations programme. It's one of the areas where I've found the greatest pickup.
"One of the biggest challenges in cybersecurity is that nobody has enough resources or time or people to protect everything, everywhere, always. So actually deeply understanding the business and how you prioritise in a very scrupulous manner where you put those precious cyber resources [is critical]. And that's the essence of business continuity planning: deeply understanding your business processes, where the revenue streams are coming from. So by having those teams together, being able to increasingly digitise those processes and combine them, I think we're actually getting far higher ROI on our cybersecurity investments than most other programmes."