The ABCs of building the right security team

Lee Vorthman is currently the head of Global Security Engineering at Pearson Education in Denver, Colorado. Lee has over two decades of security experience, having also played the role of Chief Technology Officer (Federal & Cybersecurity) at Netapp and CISO at P2 Energy Solutions. When not working, Lee is known to be taking full advantage of the nature in Colorado.

**Please note that this interview has been abbreviated for this blog.**

Hiba Sharief: Hi, everyone! We have the pleasure of having Lee Vorthman with us. Lee, would you please tell everyone about yourself and how you came to be where you are?

Lee Vorthman: I’m currently leading the security engineering and architecture team at Pearson Education. It’s been a circuitous journey involving military, sales, and product. I have also been on the corporate side of things, specifically within security, which has typically been my role in the past 20 years that I’ve been in IT.

Hiba Sharief: You interact with the board on a regular basis. How do you help the executive team and the board understand the importance of your role?

Lee Vorthman: I’ve been in both situations: where the board understands and where it doesn’t understand the role. Regardless of whether you are in security or technology, it is your job to explain to the board how your function will impact and benefit the business.

Lee Vorthman: For example, within security, we typically get a bad rap where we’re the Mafia that comes around and tells people they can’t do stuff and they installed malware on their system and that’s really, really bad. You don’t want to be the person telling them what they shouldn’t do. Be the person who tells them WHAT to do and HOW to do it better to improve the business.

Lee Vorthman: Particularly with security the question is how to minimize risk or how to ensure that you’re doing things that don’t impact our customers. Give the board an insight into what you deal with on a daily basis and ask them to guide you from the visibility they have.

Hiba Sharief: What are some of the other kinds of cybersecurity risks that you have to convince your board to consider more strongly, and how do you do that?

Lee Vorthman: The biggest struggle that most security folks are facing right now with board level or senior exec-level conversations is understanding how that function fits within the business. This has a direct impact on how well the organization is funded. It ties into your visibility of the breaches. So if you’re breached and the board asks you why, that could be because you are either underfunded or they didn’t establish enough priority for your function. So, I would say that you need to sit with a board and have a conversation around this beforehand.

Lee Vorthman: IT security can be a cost sink. There’s not a lot going on that can demonstrate positive revenue. But that doesn’t mean that there can’t be positive value. There are ways where you can show that you’ve influenced customers to the product roadmap or that you’ve been able to sell the value of security because you’re the most secure in your industry. I really think that there’s a political conversation that needs to happen around the importance and priority that the company sets on security. It is obviously not going to be as much as we security professionals want, but it still needs to be a give and take to make sure that security is not compromised for maximized availability.

Hiba Sharief: How do you interact with the board in their language and explain these security risks? Have you had any challenges matching fund appetite with risk appetite?

Lee Vorthman: I’ve had challenges in the past where they just didn’t get it. But, since that experience, I think the industry as a whole has changed. If you put it in terms of business impact, tell them the top risks, their likelihood of being exposed and the cost and time compromised because of it, the board realises its gravity. That’s when you tell them how to use funds to put controls in place to avoid the breach. But, set your priorities because you won’t get everything you ask for.

Hiba Sharief: Are there any specific KPIs or metrics that you use to measure the effectiveness of your security program?

Lee Vorthman: Yeah, we measure a lot of things at Pearson, from number of endpoints that have antivirus or certain controls in place to a number of systems that are patched and when they’re patched. We also measure risk exceptions. Then we report not only the number of open exceptions that we have, but the risk level those exceptions have too.

Lee Vorthman: So, if there are 100 critical risks open for longer than a certain period of time, we track that because it goes back to the conversation of business impact. We try and put a metric and measurement on everything and it ties into not only our strategic goals, but also into our tactical goals for the year. They are also tied to individuals’ goals to measure how they are trying to drive the security of the business to match those strategic objectives. We do that across the board with the KPIs that we have. We’ve been pretty successful with that.

Hiba Sharief: Are there any specific goals that you’re using outside of your team to ensure that security is everyone’s responsibility?

Lee Vorthman: We have a shared accountability model for security. Earlier security was everybody’s responsibility. But that doesn’t scale well because security is typically a very small function and it didn’t have the accountability there. We have a shared accountability model where our IT function actually does the patching and reports on it.

Lee Vorthman: We also have executive support where, if certain things didn’t get done as part of the shared goal, it goes up to our C-level or the board and their performance is reviewed and rewarded in the form of bonuses.

Lee Vorthman: We have shared goals across teams as well. So, even though I primarily focus on engineering and architecture, I have a shared goal with our operations team. We don’t run the identity platforms, but we set policy for how identity works. So, there’s shared goals to make sure that the identity function is working right. But also, that we’re meeting the security of those.

Hiba Sharief: What are your thoughts on the best way to structure a security team?

Lee Vorthman: It depends on the size and funding of your organization. But, regardless of that, there are three kinds of disciplines that you should think about within a security function: engineering, operations (including everything from eyes on screens to finding threats, to doing threat hunting, to doing forensics, incident response, etc.), and compliance governance where you deal with the legal side of security. All three should complement each other.

Lee Vorthman: At Pearson, we’re well funded and hence we have three separate dedicated groups for those that report to our CISO. They have a number of people within each pillar that I’ve mentioned. But, at smaller organizations, you may only get funding for three or five people; you might want one of each, or two engineers, two SOC guys and one compliance person. It totally depends on the appetite and strategy of the organization.

Lee Vorthman: I’ve seen a little bit of bias in the smaller organizations towards the external. They want to make sure that their products are secure and they are interacting with vulnerabilities in the products. Internally, because it’s a startup, they are consuming a lot of IT services. The security is inherent and built in there so they don’t have to have a technology play there. But as they grow, then it shifts into this hybrid of internal versus external and enterprise versus customer focus.

Hiba Sharief: So, from an application security perspective, do you feel that those individuals should be a part of the security organization or are they more suited to be within the application teams?

Lee Vorthman: I’ll say yes to both because we embed our technical resources like application security people or engineers within the development teams. It comes back to the shared accountability model where we pay the development team for that resource so that they have a financial accountability, but it’s line managed by security so that there is an actual accountability for the goals and objectives. We found that works pretty well because otherwise the engineer, the application security person embedded, can go native where they’re totally focused on just the application and then they get really excited about it.

Lee Vorthman: But, we don’t want to impact the development cycle or the release cycle. So, the embedded model with the shared accountability works best. I’ve seen it embedded without the reporting to CISO and I’ve seen where it’s not embedded. I just think it depends on your organization’s size, but the most successful is the shared accountability embedded model.

Hiba Sharief: Absolutely. And if you could write the perfect security job description, what would you write or take out?

Lee Vorthman: I won’t say specifics. I think we, across industry, especially in technical roles, fall prey to, or are guilty of, making our job descriptions a little too complicated. We want everyone to know Java and Python. We just go on and on about the technical stuff and that’s where we lose the purpose of the job description. It ends up being an advertisement and a little bit of a window into your culture.

Lee Vorthman: What I did recently was, I took our job description that was three pages long and I condensed it down to one page. I will unabashedly say that I stole it from a startup company that I saw in Vulcan, Colorado. But, it’s been fairly successful. It says, this is what Pearson does, this is what we want you to do, and if you think that you matched that, give us a call. I’m not overly concerned about your college degree or your certifications or about your years of experience. I’ve told you the outcomes that you’re expected to perform and your deliverables. If you think you can do that, give us a call.

Lee Vorthman: It becomes a conversation of not just technical screening in the interview process, but also of cultural fit as well. My advice is that the job description is not just one sided. People are looking at that job description to see what your company is actually doing.

Hiba Sharief: The security individuals are in very high demand with very limited supply, especially when you start looking at cultural fits and personalities. What advice do you have for your peers on building the right team given the market availability for top talent in the security space?

Lee Vorthman: This is a raging debate right now within the CISO community. One camp says that you should be able to hire directly for the role that you want. That’s not always the case. In Colorado specifically, there’s negative unemployment. So, I’m fighting for the same three people that someone else is fighting for and I can’t always have the luxury of directly hiring someone with the senior level skill set.

Lee Vorthman: The other camp says, instead of having someone that’s a security specialist, hire anyone that’s security and train them. We’re seeing a lot of DevSecOps type functions come out. The question is, would you rather have a programmer that’s heavy on programming and doesn’t know a lot about security and teach them the security side, or would you rather have a security guy that you’d have to teach programming?

Lee Vorthman: Honestly, I think the answer is both. If you can find someone that has the right attitude, skill set and culture fit, they will be willing to learn anything. It’s very challenging for the staff but you must think out of the box. Lately, I’ve been focusing more on the soft skills and the psychological stuff and not worrying so much on the technical side.

Lee Vorthman: If you have a grounding but don’t have this specific skill in Splunk or anything else, I know you can learn that because you have done other things that can show me that example. I think that’s the approach a lot of people take because there is a shortage of talent and you have to find them somehow.

Hiba Sharief: Any advice on how you assess and evaluate soft skills? What questions do you ask to get better talent pool within the organization?

Lee Vorthman: I ask open ended questions to see how well they can do critical thinking and also express themselves. Where I’ve actually tried to take this into a more extreme sense is, I ask my team to set up a list of adjectives that they think describe the ideal team member, ideal outcomes that the team should have or should represent within a year, etc. Then I ask the candidate to select the adjectives that best define him. Then I see whether his description of himself matches with the team’s description of an ideal team member. That tells me whether I have a good culture fit or if his goals are aligned with our goals.

Hiba Sharief: What is the level of interaction in your organization? How do you handle conflict of interests between what the CTO wants to do, pushing out code as fast as possible and making sure that you’re protecting the environment?

Lee Vorthman: Our CIO and CISO report to the CTO. The CTO is responsible for everything technical that person is doing. The CIO has the responsibility for all our enterprise internal applications. She owns the identity platform, our e-business suites etc. Our CISO has the responsibility for all of security at Pearson: internal, external, cloud, security, customers, dealing with breaches, everything.

Lee Vorthman: We have a process run by the CIO’s organization, our enterprise architecture group, called the Architecture Review Board. It covers anything technical that someone wants to do that requires funding and/or a change to the enterprise. We have a review process and we’ve been successful in getting the CISO to sit on that review process, specifically my team and my architects, where they go through what we want, the data, its security, how we are handling identity.

Lee Vorthman: That is a shared model with our CIO and CISO group, because we’re making sure that the enterprise as a whole is not only advancing right, but is also doing it in a secure way. A similar kind of an external CTO product side is that we have folks embedded within the product teams and they interact with them. When they want to launch a new product, we embed with them as well.

Lee Vorthman: Once we have something that is approved through our Architecture Review Board and goes to funding, it becomes a major program. We ask those business leaders funding that program to fund a security resource for security. This is where a shared accountability model comes in. They can’t just go build something. They actually have to show us that it’s done and we’re going to have someone in there that actually does that. And we do that again on the CTO side and on the CIO side. The CISO has to sign on the investment reviews. He is the funding side of things.

Hiba Sharief: Speaking of funding, if you had unlimited funds and it was Christmas time and you could buy whatever you wanted, what would you get that you don’t have today, from a security product standpoint?

Lee Vorthman: I don’t want to go through a list of vendors that we’re using, but if it was Christmas, I would fix identity, which I think is a common complaint across most technologies in organizations. Given the scope of Pearson, it tends to always be a challenge. It’s not bad, but improvements can be made.

Hiba Sharief: What are some of the criteria that you look for in certain products? How do you make those decisions and put vendor evaluation criteria together as separate from your product evaluation? What advice do you have for your peers in terms of decision making around products?

Lee Vorthman: We first look at the next three to five years of where we want to go. Our CTO, CIO, and CISO push out the north stars or high level objectives for where they want the business to go over the next several years. We figure out the end state and break it down into phases year over year from our current state to how we’re going to get there. Then we look at what we have now: technology stacks, investment, etc.

Lee Vorthman: We break down our requirements and do a gap analysis. Then we come to the Architectural Review Board. Once everything is in place, we go through and get funding.

Lee Vorthman: For us, it’s a very technical and defined process all the way from the roadmap and architecture that we want to align to, to when we’re ready to suggest something that we need to change the direction on. It’s a lengthy process and takes us a long time. The biggest advice I can give to my peers, and also the biggest lesson learned, is that the cultural impact, the mind share and the political support are 90% of the problem.

Hiba Sharief: What keeps you up at night?

Lee Vorthman: Lots of things keep me up at night. My side projects that are not work related keep me up at night.

Hiba Sharief: Lee, tell me a little bit more about what drove you to get into the security space and where does your passion within security actually lie?

Lee Vorthman: A long, long time ago in a galaxy far, far away, I had an introduction to basic networking and I learned all about the OSI networking model. I still had questions. So, by natural instinct of asking those questions, you start to learn more about things like buffer overflows and how there are vulnerabilities and all those types of things.

Lee Vorthman: Not only can I think like an attacker and I naturally want to break, manipulate, and social engineer things, but I have an inclination towards being able to do something about that and fix it because I have a well rounded background in technology. That blossomed into where we are now. I grew up in an engineering household; I am an engineer by education and by trade. I love the technical aspects of it, I love the adversarial game of ‘someone is attacking you’.

Lee Vorthman: If I do my job appropriately and build things correctly, everything should be protected. But that’s not how it always works. Security never gets old. Just as technology never gets old. There’s always something new. Being on the front lines, that type of game is really what excites me and it keeps me up and keeps me going.

Hiba Sharief: What general advice do you have for this and your fellow CIOs out there?

Lee Vorthman: Political tensions can sometimes take over and especially the upper levels of the C-suite. At the end of the day, everyone is trying to achieve the same goal. We’re all there to make the business run. We’re all there to make money or be compensated or whatever it is you’re getting out of the business. Whether you’re a CIO or CTO or a CISO, building those political alliances and putting yourself a day in the life of that person can really help.

Hiba Sharief: What advice do you have for them about interacting with their board and other executives on the business side?

Lee Vorthman: I have two thoughts: First one says that it’s the same way that you have to build political alliances within your organization for different C-levels. It’s always advised that you should befriend and have at least some support from your boss’s boss. If you’re a C-level, your boss’s boss is the board. So, you should be interacting with the board. You should at least be aware of who they are. If you don’t have a seat at the table, then that’s your opportunity to build the case and go to lunch with one of them. Tell them all the good stuff that you’re doing and get that support.

Lee Vorthman: Next thing that matters is what’s the philosophy of the company? What’s the support of the company? Does it make sense to have that person at that board? If it’s a small company, probably not. What if it’s a big company? You should have those different groups and functions represented at the table. If you’re at the C-level or at an exec level, you’re fairly successful in convincing people to do things that they have never thought of doing in the first place. This is your opportunity to do that as well.

Lee Vorthman: A little bit of a different tactic: What I would say for just making all of my peers successful, regardless of whether you’re in a big metropolis or whether you have a Wall Street network, there’s nothing preventing you from being a catalyst for change. The greatest example I’ve seen of that is I’ve started up informal groups of just peers that get together and network over stuff. It doesn’t even have to be the same security periods. It could be people that you want to know within your area. An easy way to find that is on LinkedIn or Pulse or wherever you’re at. You can even attend events like Built in Colorado.

Lee Vorthman: The most driven and successful people go out and meet the influencers in their field. They throw themselves in the natural path of talent to get on the same level. Put yourself in atypical situations to meet those people.

Hiba Sharief: It’s much easier in some of those larger hubs where there is a strong presence of larger organizations and not so easy when you’re in a smaller town. But there are plenty of opportunities to connect with peers and share insights, day in and day out, like the Pulse platform.

Lee Vorthman: You don’t have to look for the traditional means. Think orthogonal or think outside the box and go to a training session on CPA or accounting if you want to learn more about the accounting function. You can find ways to interact with the community regardless of where that community is.

Hiba Sharief: How do you engage with startups?

Lee Vorthman: I engage with startups on a personal level for security advice or as a board member. I try and make time where I can. But, at Pearson, we engage with startups because we want to know what the latest technology is. We’re bringing these startups in to tell us what they’re doing within this market, this industry, and that’s something that we tie into our long term strategy and see if it’s something that we want to pursue.

Lee Vorthman: The risk with startups is what if they are not around in the future. Then we have to question if it is worthwhile to partner with these people because it’s truly differentiating. So, we wait and see how the market plays out because we’re not sure that all of these people are going to be around.

Lee Vorthman: We use it as much as an intelligence and information gathering session as we do to assess the pulse of the market. We give and take in terms of we try and see if there’s a synergy there. If it makes sense to invest, that’s great. If not, then we’ll keep an eye on them and see how it plays out. So it’s really not much different from how we evaluate most of our vendors and technology stacks that we want to use for now.

Hiba Sharief: Awesome. Well, thank you so much for your time and for being such an active member of the community, sharing your insights on a regular basis with everyone out there.

Lee Vorthman: My pleasure.
