The Big Interview: CISO and CTO Chuck Herrin on olive branches and APIs
"They all looked at me like I had lobsters crawling out of my ears"
CTO Chuck Herrin is pondering the challenges of his previous career as a CISO and head of IT security, risk, and compliance across banking and insurance. Such roles are among the hardest in technology; responsibilities include fending of relentless attacks, keeping regulators happy and understanding the carousel of risk changes.
“If you’re not naturally curious and trying to learn new things there’s no way to do the job,” Herrin -- now CTO and board member at API security startup Wib -- tells The Stack. “[It’s impossible] if you’re not keeping up with new stuff because things are moving faster than ever before and slower than they ever will again.
At AIG, the insurance giant where he worked for almost a dozen years he believes had had six roles and 19 bosses.
A sign of things to come was apparent very early: “On my first day as an employee, my boss quit…
"It was very much a Tommy Lee Jones, Will Smith Men In Black moment: ‘I’m not training a partner, I’m training a replacement’. All of a sudden, it was ‘we don’t have a security programme for this division; it’s [over to] you’.
"And that’s when you just have to figure it out. I think that was one formative moment when I realised OK, if we’re going to do this then I’m going to have to lead this, and I’ve never done it before and we’ll figure it out. We went out to certify against BS 7799 standard in 16 months, which was a pretty remarkable transition..."
Another interesting day was his 35th birthday in 2008, which he was celebrating with a holiday.
“I'm on a Disney cruise. We pulled back into port and I pulled my Blackberry out.
"We're getting ready to disembark and I turned on the news. And I see CNN with this banner, ‘world’s largest insurer collapses under subprime debt’ and I turned on my phone and I had 700 emails and dozens of voicemails from my staff and from other people asking what's going on. And everything changed. Over a little bit of time, we got some gallows humour about it. So, when I got back to the office, I told my team, ‘I'm gone for a week. Guys. I didn't ask you to feed my fish. I didn't ask you to get my laundry, just don’t let the company go under…”
Fighting fire? You need to have deployed olive branches...
Through days like these Herrin developed a reputation as a fire fighter but his advice to others in cybersecurity or risk isn’t about tactics, strategies or frameworks: "[Security is] multifaceted and it's hard to be the smartest guy or girl in the room on every single topic, but you do have to have a working knowledge of a lot of different things."
“I think the biggest thing that I learned through bumps and bruises was that no matter what business you're in, you're in the people business. Your subject matter may be technical, it may be cybersecurity, it may be firewalls and WAFs and vulnerability assessments and whatever. But what's going to make or break somebody in that role is their relationships that they make with their peers, understanding the business, building that credibility with the business leaders.
"Because if you're gonna go and tell some COO or some CEO of a division ‘we shouldn't do this’ or ‘I have concerns about this’ in that moment they need to believe you and they only believe you if you've put in the work to establish that relationship, and build the credibility that you actually understand their business; that you're not just reading off some checklist, divorced from the realities of business" he emphasises on a call this week.
“I would not have predicted that I enjoyed working with insurance as much as I did.
"But insurance executives understand risk. You just need to put it in risk terms that makes sense to them. And they're not going to learn the technical language. The olive branch has to be to build an entity on those relationships to establish that credibility. I think that's the do-or-die characteristic.
"You need to say ‘Here's the goal’ and then try to separate the ‘what’ from the ‘how’. I see way too many people start with a ‘how’ so I think it's important that you lead with ‘this is what we want to accomplish’.
Wib CTO Chuck Herrin: API security is overlooked
Today, Herrin has flipped his career: he’s the CTO of Wib, a security company purely focused on APIs.
He tells me his arrival at Wib came via an effort to build a fintech and being faced with a lack of options for protecting the APIs it relied on. He adds that he recognises that a long IT tradition from client/server to BYOD means we trade off reward for risk but he says that the interfaces that underpin fintechs and much else are horribly exposed.
“Gartner predicted that by 2025, at least half of APIs would be completely unmanaged and honestly, I think that's low,” he argues: “We see 2x to easily 5x undercounting of APIs that are exposed and people are unaware of APIs that maybe are running as part of some third-party software or somebody wrote years ago.
"It’s just basic hygiene type stuff, right? You're on version four right now [and] the three, two and one are still exposed. And from an attacker’s perspective, when you see an API path and it's got slash V4 in it, I know that there's a v3. I know there's a v2 I know there's a v1. It makes for really easy enumeration of attack patterns of attack paths.”
"Your defence needs to be informed by the offense"
He agrees that his deep experience in penetration testing makes him a case of a poacher-turned-gamekeeper and believes that “your defence needs to be informed by the offence”. That is, understanding the motivations and actions of attackers is a big part of being able to confront their threats.
"In new banking, the whole fintech ecosystem is all APIs.
"I wanted a threat model of my ecosystems so I could understand all of these trust barriers and variance of threat behaviour to raise a flag. But there was no tooling to get the visibility I wanted. [When I asked] they all looked at me like I had lobsters crawling out of my ears, so we started looking at the players.”
He liked Wib’s approach so much he joined the Israeli company. It’s a very young company at just a year and a half but its penetration testing as a service model is being well received, he says.
“We have designed and built and then redesigned an API security platform that we think is going to give the best visibility into this attack surface of anything that's on the market,” he says.
See also: Pentagon CIOs slapped over cloud security by auditors days before 3TB of emails exposed
“But right now, we're in such a market education phase that we spend a lot of time talking to CISOs and CIOs: this is what's exposed the APIs, this is why it's different. We have to do a lot of education because people who live outside of the app dev world don't necessarily understand APIs, or how APIs are exposing a lower level of access than your monolithic applications used to. And while this market education is going on, the adoption is racing forward. Even in one organisation we'll see thousands of APIs exposed, and almost no governance, no visibility.
"It's the most pronounced gap between adoption and security that I've seen in 20-plus years of doing it, and it's only accelerating.”
Herrin says an operational cadence that sees Wib release code updates fortnightly are going well and now the company is at the classic early stage of hiring like crazy and adding new vertical and geographical coverage. Might it expand beyond its niche? “It’s a niche but this niche is 91 per cent of web traffic,” he counters.
He points to the latest version of PCI mandating API security monitoring and penetration testing as an example of a growing recognition of the importance of protection: “If you’re a PCI-covered entity, you’re going to need this and we have the best attackers in the world,” he says. “You gotta get your arms around the issue,” he says. “I don’t have a problem with tolerating a certain amount of risk, but I have a big problem with unrewarded risk.”
And with that it’s back to the day job of understanding the latest threats and anticipating what the bad guys will do next. That’s a job that should keep him busy for a while yet.