Jerry Perullo has served as the CISO of Intercontinental Exchange, Inc. (NYSE: ICE) since 2001 and in that time has seen how security has moved from the ‘blame game’ to securing the human layer. In this interview, he explains how InfoSec teams can work together with employees, for a stronger security culture.
You’ve been the CISO at Intercontinental Exchange for over 20 years. How has the narrative changed on the “human factor” over that time?
Jerry: I’ve always worked closely with customers and peers, so I’ve gotten a lot of insight into the financial services landscape. It wasn’t top-of-mind in the early days—mainly because it was such a small company. It was a bit later that phishing became the number one threat vector. Because of that, the human element really came up.
Unfortunately though—as technology professionals are wont to do—the initial reaction was full-on victim-shaming. In traditional IT, there’s a lot of: “I can’t believe this person didn’t know how to plug their keyboard in,” or whatever it’s going to be. And in security, it was immediately: “I can’t believe this person clicked that…” or “…plugged in this USB,” or whatever it may have been.
And then a bit later, I think that a lot of people came around to realizing that the people they were shaming were generating their revenues and paychecks, at the end of the day, and so it wasn’t a good idea to just mock them.
So things really did start to pivot to more of an era of collaboration, and that was great. And we see some evidence of that in a lot of the training material now, which came to be more entertaining—the gamification, trying to get people involved.
And then lately I’ve seen some questioning of where that line needs to be. Some people saying, “If anything goes wrong, it’s never the person’s fault,” so to speak—it’s always on information security, and we should know that people are humans and that they should be permitted to click things if they are available to them, and it should be on cyber to get in the way of problems.
Do you think security teams are taking the attitude of: “It’s not because users are stupid, it’s because they’re human, and humans are going to make mistakes”?
Jerry: Yes. I do see a lot of that. And in different environments—some environments don’t have the ability to impose many controls at all. So in those cases, they’re playing “clean up” all the time.
And there’s other organizations that do have the ability to impose some pretty heavy controls. And there, it is a little bit different. There, you do have individuals who have a little more time so they can work with individuals and hold them to a higher standard.
Everything you do as a security team is having some impact on the employee. How do you consider the trade-off of better security versus impacting the productivity of the employee that you’re trying to secure?
Jerry: There has historically been this notion of an inverse relationship between security and user experience.
I think that controls that have that attribute—when you impose it, people’s lives get a little bit less fun, and the more that you do the less fun it is—are generally bad controls. They’re really the “control of last resort.”
There are other things that can actually be quite helpful, and enhance productivity, visibility and awareness.
To that end, any tools that really empower the user and give them the means to protect themselves—so for example, enriching emails and giving them the idea of the threat of it, rather than just blocking it, and giving them advice, informing them and allowing them to make those calls, or phish report buttons that a lot of products have been delivering, so they can make their own claims about what they think is good or bad.
And then giving a feedback loop on that, so they know whether they’re right or wrong, just for their education. But also, where they can gamify it a bit, and really be incentivized to spot security issues—I think that’s been really effective overall.
How has the shift to remote work impacted organizations’ security strategies and the way they’re thinking about protecting their people in 2021?
Jerry: Having a unified security strategy—I’ll be the first to admit that that’s not a given, and it’s not universally agreed what that even means. I’m fortunate that we have gone through the process of doing that, and putting pen to paper.
For us, the strategy has really been about paying attention to the threat landscape, learning from our peers or others who may have had cybersecurity issues in the world, internalizing and seeing if those same issues could manifest, and—when we identify that they could—identifying the new controls that we need to adjust, making those adjustments, then repeating the whole cycle again.
That’s certainly not changed. So we’re going to look at what’s manifesting externally, and if that happens to lever the remote-work environment more, in the threat intelligence, then that would utilize the exact same strategy, but the operationalization of it would be a little bit different.
So strategy is unchanged—but the manifestation of it may.
I know you have a lot of thinking about this concept of adversarial risk management. Could you please outline your thoughts on that?
Jerry: Your controls that are good enough today will not be tomorrow. Because you have an adaptation of the problem.
As computing professionals, we want to have an algorithmic solution to something like phishing. And in many ways, we have.
We have a lot of platforms that are, for example, looking through attachments that are in email. And the ones that are either short-sighted or in a really unforgiving environment are trying to disassemble and sandbox attachments in real time—that sort of thing. The ones that are more effective are just blocking all attachments of certain natures.
But as that technology has evolved, the adversarial side has turned to what I call “narrative phish.” So, instead of a link or an attachment, it’s: “Hey Bob, do you have a minute?” And there’s not an algorithmic solution to that one.
I think you guys at Tessian are really fast on it. Because it’s great that the advances in machine learning have really matched that.
Because that’s what you need it for, isn’t it? Real-time, behavioral, statistical monitoring. To figure out that no-one calls you “Bob,” that this customer doesn’t really care how you’re doing. That’s how deep you’re going to have to get to really be able to have an adversarial management approach.
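The per-sender baselining Jerry describes, shown here as an added illustration that is not Tessian's or ICE's code and is a deliberate simplification of what a production classifier does. It assumes a mailbox history of (sender address, display name, body) records, all constructed below, and scores an incoming message on how far it departs from that sender's own history (who they address you as, whether they ever make small talk, whether a known display name suddenly arrives from a new address) rather than on links or attachments, which a narrative phish does not carry.

```python
"""Toy behavioural baseline for 'narrative phish' detection (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SALUTATION_RE = re.compile(r"^\s*(?:hi|hey|hello|dear)\s+([a-z]+)", re.I)
WELLBEING_RE = re.compile(r"\bhow are you\b|\bhope you(?:'re| are) (?:well|doing well)\b", re.I)
URGENCY_TERMS = ("urgent", "asap", "quick", "minute", "right now", "immediately")
URL_RE = re.compile(r"https?://", re.I)
FLAG_THRESHOLD = 3  # assumption: tune against your own false-positive budget


@dataclass
class SenderProfile:
    messages: int = 0
    display_names: Counter = field(default_factory=Counter)
    addressed_as: Counter = field(default_factory=Counter)  # names used in salutations
    wellbeing_msgs: int = 0


def extract(body: str):
    """Pull the two behavioural features we baseline: salutation name and small talk."""
    m = SALUTATION_RE.match(body)
    addressed = m.group(1).lower() if m else None
    return addressed, bool(WELLBEING_RE.search(body))


def build_profiles(history):
    """Fold mailbox history into one profile per sender address."""
    profiles = defaultdict(SenderProfile)
    for addr, name, body in history:
        p = profiles[addr.lower()]
        addressed, wellbeing = extract(body)
        p.messages += 1
        p.display_names[name] += 1
        if addressed:
            p.addressed_as[addressed] += 1
        p.wellbeing_msgs += int(wellbeing)
    return dict(profiles)


def score_message(profiles, addr, name, body):
    """Return (score, reasons); higher means more anomalous for this sender."""
    addr = addr.lower()
    addressed, wellbeing = extract(body)
    score, reasons = 0, []
    p = profiles.get(addr)
    if p is None:
        # A familiar display name from an address we have never seen is the classic lookalike.
        lookalikes = sorted(a for a, q in profiles.items() if name in q.display_names)
        if lookalikes:
            score += 3
            reasons.append(f"display name {name!r} previously seen only from {lookalikes}")
        else:
            score += 1
            reasons.append("no history for this sender address")
    else:
        # Only judge the salutation once there is enough history to call it a habit.
        if addressed and sum(p.addressed_as.values()) >= 3 and addressed not in p.addressed_as:
            score += 2
            reasons.append(f"sender never addressed you as {addressed!r} "
                           f"(history: {sorted(p.addressed_as)})")
        if wellbeing and p.messages >= 5 and p.wellbeing_msgs == 0:
            score += 1
            reasons.append("small talk from a sender whose history has none")
    lowered = body.lower()
    if any(t in lowered for t in URGENCY_TERMS):
        score += 1
        reasons.append("urgency or availability ask")
    if not URL_RE.search(body):  # informational only: link/attachment filters would stay silent
        reasons.append("no URL present; content filters would not fire")
    return score, reasons


def is_flagged(score):
    return score >= FLAG_THRESHOLD


HISTORY = [  # constructed sample data: (from address, display name, body)
    ("cfo@example.com", "Alice Chen", "Hi Robert, please review the attached board deck.\nAlice"),
    ("cfo@example.com", "Alice Chen", "Hi Robert, the audit committee moved to Thursday.\nAlice"),
    ("cfo@example.com", "Alice Chen", "Hi Robert, approved. Go ahead with the renewal.\nAlice"),
    ("cfo@example.com", "Alice Chen", "Hi Robert, can you send me the Q2 numbers?\nAlice"),
    ("cfo@example.com", "Alice Chen", "Hi Robert, thanks for the summary yesterday.\nAlice"),
    ("dana@partner.example", "Dana Ortiz", "Hello Robert, invoice 4471 is attached.\nDana"),
    ("dana@partner.example", "Dana Ortiz", "Hello Robert, confirming next week's call.\nDana"),
]

INCOMING = [  # constructed: a lookalike address, a compromised real account, and two benign mails
    ("alice.chen@example-mail.com", "Alice Chen", "Hey Bob, do you have a minute? Need a quick favour."),
    ("cfo@example.com", "Alice Chen", "Hey Bob, how are you? Do you have a minute?"),
    ("cfo@example.com", "Alice Chen", "Hi Robert, attached is the Q3 forecast.\nAlice"),
    ("recruiter@jobs.example", "Sam Lee", "Hi Robert, I saw your profile and have a role that may interest you."),
]


def run_demo():
    profiles = build_profiles(HISTORY)
    return [(addr, *score_message(profiles, addr, name, body)) for addr, name, body in INCOMING]


if __name__ == "__main__":
    for addr, score, reasons in run_demo():
        print(f"{'FLAG ' if is_flagged(score) else 'ok   '} {score} {addr}: {'; '.join(reasons)}")
```

The point of the toy is the shape of the signal, not the weights: none of the flagged messages would trip a link or attachment rule, and the two benign ones score low because they match the sender's own habits. A real deployment would learn these baselines per sender-recipient pair and use the feedback loop from user reports to retune the threshold.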
Listen to the full interview on our podcast, and follow us on Spotify and Apple Music.