
Q&A: Elastic CISO Mandy Andress

Talking relationships with development teams, security hygiene and what to look for when hiring

Mandy Andress, the Chief Information Security Officer (CISO) at Elastic, has had an unconventional journey to the top of the cybersecurity world. After starting her career in accounting, she was introduced to systems auditing – ensuring that financial systems were secure and accurate: “That was my first real foray into security and controls, and I loved the blend of business and technology,” she explains, sitting down to talk with The Stack at ElasticON. 

The experienced CISO joined us to talk security, relationships with development teams, security hygiene and what she looks for when hiring.

Q: You’ve got an unusual background with degrees in accounting and law. How did you transition from financial systems auditing to information security – and how do those degrees play into what you do?

As with a lot of folks in security, happenstance is how we get into the industry. [After working in systems auditing] I transitioned to security consulting, working with startups and large enterprises in Silicon Valley, designing security programs tailored to their unique needs. I realized that no two companies are the same; no two security programs should be the same. 

And then in that role, I started to see the expanding role of laws and regulations applying to security that became much more critical to the success of businesses and governments. I thought ‘why not go to law school?’ So I did, and I still use [what I learned] every day in my CISO role. 

Q: There’s a lot of snobbery in the information security space around CISOs who didn’t come up through the engineering or a network security route. How technical do you consider yourself as a CISO?

I don't consider myself overly technical, though some might disagree. My background is more in infrastructure and network security. 

I'm always learning. To stay current in security, you need to constantly evolve your knowledge. An early, early mentor in my career said, ‘be the person that raises your hand for the things that no one else wants to do. You'll learn a lot of things, you'll fail a bit, but learn a lot through that process.’ [Throughout my career] when anything seemed interesting to me and I thought I might learn something, I raised my hand…

Q: What were your priorities when you joined Elastic seven years ago?

I was Elastic's first CISO, joining just before their IPO. They already had a strong security culture, particularly within engineering and product security. My focus was on building a more formalized security program, filling in the gaps on the enterprise control side, and scaling the program as Elastic grew.

It's been fascinating to see how the company and its security needs have evolved. We've expanded from the core ELK stack to solutions, to serverless, and now AI infrastructure. Each step has required us to adapt our security posture and address new threats.

Q: How involved are you in the product security side of Elastic?

We have a dedicated product security team within the information security team. They focus on secure development practices, external security testing, and our bug bounty program. They also work closely with customers on product security issues. Ultimately, the responsibility for secure development lies with our engineering team. InfoSec provides the governance, guardrails, and framework for the overall process.

Q: Supply chain security has become a major concern. How has Elastic approached this… and do you recommend any particular frameworks?

There are many strong security frameworks available, like NIST in the US. For me, it's not about choosing one framework over another, but about finding what works best for your organization and industry. The key is to collaborate with developers and engineers to implement the framework effectively.

A lot of the challenges are security teams coming into engineering organisations and saying, ‘here's how we're going to do security.’ Oftentimes it's coming from security professionals that haven't lived in an engineering role and are coming at it [without having to] live with this process every day. 

So one of the key success points is doing that together and in collaboration [with engineering teams]; having some ownership within the development teams for those processes.

Q: Talking of teams, what do you look for when hiring security professionals?

I'm looking for 1) folks that enjoy security; enjoy what they do. There are stressful times when things are happening in the industry. They really need to love it to stay in it. And 2) folks that are very curious. 

The key thing with security, if you're not continuously learning, then you are stagnant and stale in your knowledge, and you just won't be as effective. The key thing, certainly at Elastic, that I really look for, for someone to be successful in the role, is being comfortable challenging yourself. 

I know a number of security folks [who] come into a new company and say, ‘what I did was successful there, so I'm going to do the same thing here’. Coming to a company like Elastic – cloud-native, moving fast, moving into serverless, solutions – [you need people] really comfortable looking at what they did yesterday and saying, ‘you know what? I could do that better.’

Q: You've been with Elastic for seven years, which is quite a long time in the cybersecurity world. What has kept you there?

I'm very careful and deliberate about the companies I choose to work for. I put a lot of upfront time in, making sure that I'm going into an environment where I'll be set up for success, where I'll enjoy working with the people.

It's surrounding yourself with a team that helps; building a team that has different experiences, different perspectives, and together, we're able to do even more. Those are the two focus areas. Then it's just, can you make it fun? Can we add some laughter? Because this job can get pretty serious.

Q: How has the threat landscape evolved over the past few years?

If you look at recent threat reports, whether it's the Elastic Global Threat Report or any others that companies put out, it's credential leaks [that are one of the biggest risks right now]. Some of it’s configurations, some of it's human error… As we're moving more and more into server-based APIs, API keys, access tokens, we’re paying more attention to those. That’s come up rather quickly with the cloud and SaaS infrastructures that we're all moving toward… That’s the trend in security: it's new technology; we adopt it rapidly; we realize that there are some holes in it; we go back and secure it…

Q: Can you share any specific measures you've taken to protect credentials?

I cannot recommend strongly enough to adopt phishing-resistant multi-factor authentication; something that's tying a person to a device or something that's more than just username, password or one-time token.

If you want to do one thing to improve your security posture, do that. 

Then when you're looking at more systems integration development, it's taking a step back and really understanding how your service or your application or your environment works, where access is needed, and how it is happening. A lot of it's now API keys [and involves] looking at things like hyperscalers’ various access tokens, and how to implement them…

The ideal state is where everything is just kind of happening, machine to machine. But then it's also about having some standard processes. In the early days of companies, someone will create an API key or a certain account that propagates everywhere, through an organization… [You have to do] a lot of work to understand, ‘right, where is this being used, and what impact could it have if we change that?’ So keeping that in mind as you're building out new applications and new services these days is vital. 

Q: How do you ensure discipline in managing credentials?

It's a challenge because people tend to fall back on comfortable habits. We're applying behavioral science principles to security, recognizing that we can't change human behavior but can work with it. Automation is key to reducing manual processes and errors. We also rely on governance processes, like quarterly access reviews, to ensure that accounts are removed when people leave the organization. 

Q: Rolling out MFA widely can still entail a lot of friction…

[The challenge of deploying] phishing-resistant multi-factor authentication is that often as people want to move around, change devices, they get a new phone… So it's one of those operational processes you really need to understand; to [know] how your organization works and how your employees work, to try to alleviate a lot of those challenges early on. Getting senior leadership to understand and support and be front and center of both adopting and communicating is a really key step.

Delivered in partnership with Elastic