Five years in the army (with deployments to Iraq and Panama) and eight years in the police, including as an officer working in high crime areas in Washington DC, have given Veeam CISO Gil Vega a visceral understanding of risk in the “real world” and how threat actors behave – on the streets and in combat. It’s not physical security that concerns him now so much (although that remains part of the job) but, instead, cybersecurity.
Securing a sprawling IT estate and securing tens of thousands of prisoners of war as a military policeman in the wake of Operation Desert Storm are, of course, extraordinarily different tasks. Prodded on whether he takes any lessons from his military or law enforcement career into the office however, the experienced CISO thinks for a moment before answering: “I suppose convincing people to think in a different way about a problem is the main overlap; sometimes security jobs involve convincing people to do things that they ordinarily don't find a lot of value in doing. Security is always a people business; relationships are always important.”
As Veeam’s first CISO, Vega joined with “the wind at my back”
Veeam, for those unfamiliar with the company, is a disaster recovery (DR), backup and data protection/management company that boasts 82% of the Fortune 500 among its 400,000+ customers. Previously headquartered in Switzerland, it was bought by US-based private equity firm Insight Partners for $5 billion in early 2020, with Vega hired as its first CISO a month after that deal was announced.
His appointment also came 17 months after the company suffered a data breach that saw 4.5 million unique email addresses exposed (via an unsecured marketing database server; found by a security researcher) and Veeam’s new owners were doubling down on security. There is, arguably, no better time to join a company as CISO than after a data breach and Vega suggests that he joined “with the wind at my back”.
Vega’s resume includes a heavyweight mix of experience at systemically important institutions, including as CISO at exchanges giant CME Group; as global head of cybersecurity at insurance behemoth AIG and as CISO and associate CIO for the US Department of Energy. (“People sometimes think DOE is all solar panels and gas stations, but it also runs the programme to develop, test, safeguard and dispose of nuclear weapons – I had to work with a lot of counter-intelligence officials there," recalls Vega, who before that was "at various Department of Defence and intelligence community agencies”). And Veeam’s reporting lines show how seriously the company's new owners take the CISO role and indeed cybersecurity more broadly: resourcing it heavily and giving the experienced security professional the kind of boardroom heft many CISOs can only dream of.
As Vega puts it to The Stack: “They really swung for the fence in setting up this position.”
“The Veeam CISO position is set up in a way that reports directly into the CEO, with an independent path directly to our board of directors. I am part of the CEOs leadership team, and the executive team, and that allows me to provide a lot of input and guidance on the company's strategic plans; where we're going to spend money, where we're going to invest, where we're going to open new business. I feel like Veeam has set this position up in a way that really reflects a state-of-the-art governance model; because there's still a lot of large companies out there that don't quite take this issue [cybersecurity], as importantly as they should.”
See also: The Colonial Pipeline Hack: 2 (just 2!) key takeaways
Given the company's ubiquity in the DR setups of so many organisations, to what extent does its CISO feel – particularly given the FireEye/Microsoft/SolarWinds breaches and a growing risk/amply demonstrated efficacy of supply chain attacks --- that Veeam itself looks like an appetising target for APTs?
“There’s definitely a target on our backs”, Veeam CISO Gil Vega says cheerfully.
“Part of our process involves performing adversarial intelligence modelling. So we've got an idea about who is targeting us now; who might target us in the future. And those are the folks that we're building our programme to defend against. I think we’re good at defending against the commodity-style attacks, with people, process and technologies. But we wargame against those higher-level actors, all the time and keep a close connection to our intelligence providers that give us information on how these attack groups are evolving, what kinds of tools are using, what their attack infrastructure looks like, what kinds of companies they're targeting.”
"That's what we're preparing for."
It's a stressful job being in the crosshairs and CISO burnout, along with mental health stresses proliferate widely in the community. How does he cope? “People ask me all the time ‘how do you sleep well at night?’ he admits.
“But I don't take this job home with me because I've been doing it a long time, and I've built a team that really operates under the premise that we're in a perpetual state of compromise; that if we always believe there are bad guys inside the wire, then we'll always behave in a way that prepares us best to deal with the worst-case scenario. I think CISOs that make that mental leap to assuming they will be breached, and they've got to build their ability to recover and build resiliency will be able to sleep well at night.
“So that's what we've done here at Veeam. We've built a large, capable team; invested millions of dollars in different technologies to provide for that resiliency -- including on zero trust technologies, monitoring, logging, AI, those kinds of things that will help us get those early indications that something's not just right. And allow us to put our crisis management plan into place in order to recover from any significant attack.”
Tips on building a strong security culture
Without finding a way to imbue an organisation with a strong security culture, even the most capable CISO rapidly runs into the issue of folks-who'll-click-any-phishing-email; the CEO wedded to their Windows XP laptop, or their equivalent: "Any company is potentially one click away from an existential event," he agrees.
"So for me, it's about making sure that employees understand that they're part of the solution; that it's not just the CISO's responsibility to to worry about this. Changing the security culture of the company was my first challenge [at Veeam]. For CISOs coming through I'd say make sure that you have access to people who control the resources and understand just how important it is to get the culture of the company right; make the business cases for those investments and build a good programme to change that culture."
At the coal face, what do those programmes look like?
"In a prior life we created this competitive spirit amongst employees to find security vulnerabilities in our infrastructure; identify legitimate phishing emails. We created a trophy system where when employees did the right thing, we were sending them tiny gold trophies -- we were sending those things all over the globe! I travelled extensively with that company and in every office I ever visited, those trophies were prominently displayed -- people really loved being rewarded for identifying these problems", he says.
"We went pretty goofy, with different style trophies; it probably went a bit overboard, with people getting really competitive about trying to get the newest trophy [laughs]."
Physical security
Vega spent time with the US Army during operation Desert Storm and Desert Shield in the early '90s, winding up guarding POWs in the Saudi Arabian desert as a military policeman, and physical security remains part of his remit as a CISO. In a previous role, he admits, he's seen threat actors physically infiltrate facilities to gain access to internal IT systems -- in one incident with a "very sophisticated replica of an employee ID" and in another, when someone tailgated through an entry turnstile then waltzed into a large corporate meeting, sat through it, and wasn't challenged -- or indeed identified until three months after the meeting.
The window for such attacks has narrowed at most organisations, he notes, as awareness of such threats grows. A shift to remote work has actually improved the company's ability to guard against this kind of issue, although staff have had to be reminded of their responsibilities at home too. Veeam conducts twice-yearly penetration testing using trusted third-party contractors and Vega makes sure their findings are shared with the board.
"It's critical to bring the board along..."
"I put a requirement on myself to make sure that all of the results of our penetration testing, including the identification of gaps and the implementation of fixes are briefed every quarter to our board of directors.
"I really find that it's absolutely critical in this role to bring the board of directors along for the ride" he emphasises. "To make sure they understand the threats the company is facing and how it is going to manage those threats. Bringing the board into the conversation early and often in a CISO's tenure is absolutely critical. Penetration tests are a really good way to begin that conversation -- to create the trust and the dynamic that there's no guarantee against a breach: We operate a global infrastructure, we are going to have vulnerabilities. But it's important that we continue to look for them, and that we put programmes in place to mitigate them, making sure that the Board of Directors understands that gives them an opportunity to ask questions.
"My favourite question is, 'do you have enough resources to handle this problem?' And you know, depending on where I've been in my career, I've answered that question differently. On the pen tests, it's not enough to have independent third parties doing those twice-a-year: you've got to build an internal capability. I've done that in my last in my last few roles and we've got a team of threat hunters here at Veeam whose full-time job it isto supplement the pen test activities between those scheduled independent third party penetration."
CISOs should also know when to walk away
Not all CISOs would feel comfortable sharing a flurry of security vulnerabilities found by external contractors with their board -- fearing it might reflect badly on their performance -- and having the confidence that you have the backing of company leadership goes a long way: "CISO can mean 'Career Is Soon Over' if you're not able to have those conversations", Veeam CISO Gil Vega notes. "We've all heard that before.
"I think my advice to CISOs coming through is different today to what it might have been 15 years ago. In companies where the culture is imperfect you need to try and find someone that can understand your point of view; someone influential that can help the company understand what it is you're managing through. Quite frankly -- and I've told this to other CISOs that I've mentored -- where you can't get the the worm to turn, then perhaps look for other opportunities. Because it takes two to tango. If people are unwilling to hear your concerns or you're being set up to fail, then it may not be the best professional place for you."
"As a CISO you need to turn highly technical information from an adversary report into layman's terms for senior leaders and board members -- to make them understand that they could be the next above-the- fold Wall Street Journal story; the next Colonial Pipeline or SolarWinds."
Vega's clearly passionate about this and the challenges CISOs face. Just over a year in, there's still work to do at Veeam: "I've got personal involvement, understanding what technologies we're using, what we're considering changing, how our process goes through the Kill Chain approach. It's really near and dear to me.
"The CISO community is a really interesting one because we stay in touch with one another. CISOs will be talking with their competitors -- in highly regulated organisations perhaps very formal conversations through information sharing organisations; or one-to-one to compare notes, talk about technologies, talk about threat actors, share indicators, even at our level, and put make sure that our staffs are talking to one another.
"It's counterintuitive to some people. But it's the most important thing we have."