Mike Convertino, CISO at F5 Networks, is an expert on information security leadership. After graduating with a degree in electrical engineering specializing in chip design, Convertino developed his technical expertise in the US Air Force’s information operations corps, where he rose to the rank of Colonel.
Having retired from the military in 2011, Convertino used his experience to help shape information security in the technology sector. As Senior Director of Network Security for Microsoft, he helped protect the Microsoft corporate network as well as some of the technology giant’s most important online properties, from Outlook.com to Office 365 to Xbox Live.
After about 2 years in Redmond, Convertino joined the endpoint detection startup CrowdStrike, where he assumed the role of CISO and Vice President of Information Security. Convertino spent three and a half years at CrowdStrike and had the opportunity to build the firm’s security operations center.
Convertino moved to his current position of Vice President and CISO at F5 Networks at the start of 2016. His position as CISO covers three main areas: first, protecting F5 itself from attacks and compromise; second, advising the CTO on trends in information security and how to shape the security products that F5 builds; and third, providing thought leadership on security to the IT industry at large.
Increasing CISO responsibility
“Definitions of the CISO role can vary widely,” he says, reflecting on his career experiences, increasing CISO responsibility and the role of the modern security chief. “Some CISOs are still biased towards compliance, which is a necessary baseline, but to be truly successful as a security leader, you have to do more than simply be compliant to protect your information today.”
Convertino says it is crucial to recognize that the nature of protection has changed irrevocably. The traditional enterprise network perimeter – which dominated enterprise IT in the early days of the Internet – has been made porous through increased use of cloud services and mobile devices.
Over the past decade, CISO responsibility has grown, and CISOs must now focus on protection at three new boundaries, says Convertino: the gateways to the application and the application itself, the user’s endpoint, and user identity and access. Great CISOs, says Convertino, work proactively to detect and block intruders, drawing heavily on the latest tools, particularly analytics and automation.
The most cutting-edge security organizations use these new tools for more than detecting malicious activity. They correlate knowledge around the three key new boundaries of application, endpoint and identity and use automation to stop intrusions within milliseconds. Not every security organization, however, is at this advanced stage of development.
“The sophistication of the sensing and automation enterprise of a security organization varies greatly from company to company,” says Convertino, reflecting on the progress made within the industry. “There have been some big advancements in terms of identity and assurance. But to be successful, you must also include non-traditional log data like geographical location and travel data on employees to make sure your systems automate the detection and remediation of unusual activity.”
Physical security has always played a role in information security. Convertino says the most thorough approaches to information security combine physical data, such as records of entry to a building, with records of logins and other traditional security logs. The result should be an approach that allows businesses to grant access privileges logically and automatically.
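As an added illustration of the correlation Convertino describes (this is not F5’s or Convertino’s own tooling), the Python sketch below joins constructed badge-entry records, login records carrying geolocation, and an employee travel register, and flags logins whose implied travel speed from the user’s last badged site is infeasible. The 900 km/h threshold, the record layouts and every sample value are assumptions made for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data (all values invented for this example):
# site coordinates, a badge-entry log, a login log with geolocation,
# and a register of approved employee travel.
SITES = {"HQ-Seattle": (47.60, -122.33)}
BADGE_EVENTS = [  # (user, site, timestamp of physical entry)
    ("alice", "HQ-Seattle", "2017-03-01T08:02:00"),
    ("bob", "HQ-Seattle", "2017-03-01T08:15:00"),
]
LOGIN_EVENTS = [  # (user, source city, latitude, longitude, timestamp)
    ("alice", "Seattle", 47.61, -122.34, "2017-03-01T09:00:00"),
    ("alice", "Kyiv", 50.45, 30.52, "2017-03-01T11:30:00"),
    ("bob", "London", 51.51, -0.13, "2017-03-01T14:00:00"),
]
TRAVEL = {"bob": {"London"}}  # user -> cities with registered travel

MAX_KMH = 900.0  # hypothetical threshold: roughly airliner cruising speed


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def ts(s):
    return datetime.fromisoformat(s)


def find_infeasible_logins(badge_events, login_events, travel):
    """Return (user, city, reason) for logins that could not plausibly follow
    the user's most recent badge-in, unless travel to that city is registered."""
    alerts = []
    for user, city, lat, lon, when in login_events:
        if city in travel.get(user, set()):
            continue  # registered travel explains the remote location
        prior = [(ts(t), SITES[site]) for u, site, t in badge_events
                 if u == user and ts(t) <= ts(when)]
        if not prior:
            continue  # no physical-presence record to correlate against
        badge_time, site_pos = max(prior, key=lambda p: p[0])
        hours = (ts(when) - badge_time).total_seconds() / 3600
        km = haversine_km(site_pos, (lat, lon))
        speed = km / max(hours, 1 / 60)  # floor the window at one minute
        if speed > MAX_KMH:
            alerts.append((user, city, f"{km:.0f} km in {hours:.1f} h since badge-in"))
    return alerts
```

Running it on the constructed data flags only alice’s Kyiv login: bob’s London login is just as far from the badged site but is explained by his registered travel.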
“It’s simple to say, but not always easy to do, and so it does not often happen,” says Convertino. “That’s where my background as an engineer helps. At F5, I place a heavy emphasis on automation. Our engineering team is three times bigger than our intrusion detection team. Successful CISOs have to both understand and trust automation, and they must invest in it.”
The CISOs who build the most effective teams will be the ones who balance strong engineering, planning and budgeting skills. Increasing CISO responsibility means CISOs must help guide this team, offering advice and support, while also communicating with the senior decision makers in the boardroom.
“As a modern CISO, you should advocate the importance of security to the Board,” says Convertino. “If you don’t understand the business you’re pledging to protect, you’ll be ineffective. You must know which information needs protection and you must advocate across organizational boundaries to get the support needed to keep it safe. At F5, that crucial information is our customer data and our intellectual property.”
Effectiveness of a CISO
The important role of business engagement leads Convertino to suggest that the effectiveness of a CISO, and the increasing responsibility of the role, is directly related to the strength of C-suite relationships. He reports to the CIO and COO at F5, and has a matrixed relationship with the CTO, to whom he provides feedback on the firm’s current and future security product roadmap.
Convertino says F5’s heritage in load balancing means the firm has much to offer in terms of security best practice. He points to the firm’s recently released Herculon SSL Orchestrator, which provides improved insight for the visibility gaps created by the growing use of encryption for application data.
Research suggests the security of applications, particularly those hosted in the cloud, remains a key concern for IT leaders, especially as businesses adopt more and more cloud services and work expands beyond the traditional enterprise perimeter. Convertino says F5 has key strengths when it comes to blunting DDoS attacks, owing to the firm’s ability to absorb and analyze traffic going to and from applications.
Yet great security relies on a blended mix of people, process and technology. Convertino raises the importance of engagement again as a large part of increasing CISO responsibility, mentioning he spends a lot of time with the leaders of various business groups to stay in touch with their needs and ensure security can support them. It is this close relationship, he says, which helps ensure a tight partnership between his work and the operational demands of the rest of the business. Similar partnerships should exist in all firms, but not every senior security professional is as lucky.
“Too many businesses still don’t understand the importance of security or the increasing CISO responsibility within a business,” says Convertino, with research suggesting only slightly more than half of companies employ a dedicated security officer. “You must be present to win. If there’s no one truly responsible, then your business won’t create an effective approach to information security management.”
Many firms, therefore, still have much work to do. The good news, concludes Convertino, is that security savviness is increasing, particularly at the Board level. Budgets continue to rise and boards are developing a more sophisticated sense of the role of the CISO and greater awareness of increasing CISO responsibility, particularly when it comes to the importance of the position and the broad challenges security chiefs face.
“Things are definitely getting better for CISOs,” says Convertino. “Now is the time to get the buy-in for security investment from your Board. Responsible CISOs will seek support from the c-suite and partner with the business to keep the company safe.”