William Zhang is the Lead Security Architect for the World Bank Group. He has been with the organization for over a decade and oversees security needs of all legal entities within the group, and builds security architecture capacity for the organization.
**Please note that this interview has been abbreviated for this blog.
Mayank: Hi everyone! My name is Mayank and I’m the CEO and co-founder of Pulse. We are privileged to be joined by William, who is currently the Security Architect at the World Bank.
Mayank: William, we’d love to know about your journey to where you are today, especially after your computer science degree and a PhD from the University of Maryland.
William: I was a software developer back in China after getting my bachelor’s degree. After more than three years of doing that, I felt the need to explore the world a little bit more, instead of continuing to develop software. That’s when I came to the US to pursue my graduate studies and got my PhD in computer science. Post that, I got involved in enterprise IT, performing different functions including user experience design, emerging technology research and system architecture. That eventually lead me to information security. I joined the World Bank back in 2009 when the informative security was just being established. Now, I lead a team of about a dozen people on security architecture.
Mayank: For people who are thinking about their careers post computer science, there are so many options available to them. How did you venture into the world of security?
William: That’s is a very good question. There are, indeed, so many different things you can do in the realms of IT. At one point, I was a System Architect and I realized that I was being pulled in different directions. Sometimes I worked on batch processing and other times on web architecture. I wanted to focus. When we were doing the architecture design for applications, around 2005 or later, we realized that security is a key component of the overall architecture. Over the years, I just decided that this may be the area I want to focus on. So, I jumped into a dedicated security architecture role. I just didn’t look back after that.
Mayank: Your rise at the World Bank has been tremendous and you have a whole team that you are running there now. What, do you think, has been the reason for your success at the organization?
William: I think one is focus. You have a job that is so critical that if you ignore one aspect then your information asset can be compromised. We all understand that danger. Have a focus, understand the business value of what you are doing, and also stay on top of the new technologies. There are so many new developments now: new tools, new platforms. We moved to a very cloud-orientated hybrid architecture and also adopted a lot of the mobile applications. All of these changes demand a lot of ongoing learning. That’s what makes my job exciting as well.
Mayank: Speaking of new technologies, what are some of the trends you are noticing?
William: I am seeing that with the increased awareness of security and privacy, there are more people paying attention and getting involved. You do have a situation where too many vendors are chasing the same problem. Overall, it is a reflection of the importance of security and privacy. That applies not only for the industry but the global community as a whole.
Mayank: One of the points that is being raised is the shift from security as something that you have to think about and do versus it being a mission critical board-level objective. How do you balance and stabilize the time and resources, limited as they are, from an innovation and driving-the-business perspective versus security?
William: We are lucky enough that our senior management understands the criticality of security. They always want to have updates from us, to understand where we are. We are also conducting regular assessments to see where we are as compared to our peers and we show that result to our senior management. They usually ask what it takes for us to go to the next level to be at par or even above and beyond where the industry is. We do the assessment, present them with the investment that is needed for us to go to the next level.
Mayank: From the new exhibitors in the market, which are some of the companies that you are excited about?
William: There is a company coming out of Google called Chronicle. They have a tool where they use their cloud-computing power to store and analyze all your security event logs. They use that information to show what has happened in your environment; so that whenever there’s a new reported compromise or vulnerability out there, they can use that signature to go back to your log history and tell you whether you are compromised or not with that new threat. I saw a demo and I think that it is a pretty interesting offer.
William: Of course, this year, there are a lot of vendors still trying to chase the GDPR buzzword. It’s a little overcrowded, you have to be selective to see what you actually need before you talk to these vendors.
Mayank: What are you seeing as the biggest threat rectors for companies?
William: Today, I think number one is still spear phishing through email.
Mayank: Isn’t that amazing? It’s 2019!
William: I think that’s probably the easiest vector from an attacker’s perspective. From a user community perspective, with mobile computing, you often have a situation where people have their personal and work email combined in one mobile. That makes it even easier for the user to get attacked. Also, we do have the human factor there. They make the email so attractive and real that people are compelled to click on those links. Lots of unfortunate things happen after that. Sadly, email and phishing is still number one.
Mayank: You just mentioned that there are a ton of vendors in the security space and there seem to be a number of point solutions as well along the way. As you think about approaching security from a holistic organization perspective, how do you consider these point solutions versus a platform approach? Is there one ring to rule them all or does it need to be a conglomeration of all these multiple things along the way?
William: I think it is very hard to find one solution to solve all the problems and it is important to differentiate between the compliance driven solutions versus the real security driven solutions. A lot of vendors are trying to sell the fear factor, using compliance as the reason for you to be interested in their tool. But, you really need to be aware of this analysis. Compliance is one thing you need to worry about. At the same time, the true security vulnerabilities and risk is something you really want to focus. To know where your critical assets are, what are you trying to protect, and also if you have all the detection capabilities and instant response capabilities.
Mayank: So, how do you tell the good ones from the ones that may not be a good fit?
William: I think you have to go deep and not just look at the surface. Talk to their engineers to understand the underlying technology. Don’t just look at the user interface. After you talk to the engineers, you have to bring your other stakeholders into the conversation to see if this tool fits in the overall organization and the overall process. Check if it integrates with all the other tools necessary. Cost, of course, is also another important factor.
Mayank: That makes sense.
Mayank: William, hiring these days has become a task for a lot of people in the community. Great talent is very difficult to come by. How do you approach this as you build your team?
William: It is a very powerful job market for information security. My team has a mix of staff members and contractors. For contracting, we have a few sourcing firms that are providing these resources to us. We have to constantly tell them about the opportunities where they can give us their resumes and we have them reviewed. That’s one pool. The other is just for stock improvisation. It’s an open competition, so anybody can apply. Recently, we took about a year to fill a senior cloud architect role. It took a lot of patience to find the right candidate and we are glad that we finally were able to find somebody who is now doing a very good job for us.
Mayank: So patience is a big variable.
William: Yeah, sometimes it takes a lot of patience. At the same time, without this person onboard your work form is suffering a little bit. You just cannot rush it.
Mayank: Let’s talk a little bit about the buzzwords. AI is one that comes up over and over again, especially in cyber security. From the VC perspective, it sounds like something that everyone wants to fund. How do you distill signal from noise and think about the real role AI has played when it comes to cyber security solutions?
William: In recent years, AI or actually machine learning has improved quite a lot. It is very impressive and its success is mostly based on a large amount of data. That’s relevant even for security from a detection behavior based security detection protection. However, artificial intelligence in general, other than machine learning, has really not advanced so much in the last 10 years or so. So, if somebody is telling you that they already know how to understand natural language, you probably want to question them a little bit and see if that’s the case.
Mayank: Have you been able to use some of the AI solutions, or machine learning based solutions, to actually see real business impact?
William: We are doing a project where we are leveraging a user behavior analysis. Behind the scenes, I am sure, there is an AI engine involved using a lot of data to generate the models and then to compare a day-to-day user activity against the model and see if there’s any potential compromise.
Mayank: One thing that we are noticing these days is that internal threats in an organization are thought about as deeply as external threats. What are some of the strategies you use to approach inside threat detection?
William: I think user behavior analysis is probably the most recent advanced technology we are trying to help with insider threats. The other tools we are working on include Azure Information Protection which is part of the Office 365 suite. Because we have a lot of information already in that space, we only use that tool to tag information. When there is public information versus confidential information, once it is tagged, wherever the information travels, the tagging goes with it, whether its an email or a word document. The tool can watch what is going on and then either stop the confidential document being sent to an address or at least generate some alerts. That way, we know where we are with the information and if we should tighten the policies to prevent mishaps.
Mayank: Another buzzword that comes up all the time is blockchain. Most of the people, at least consumer-side, think about blotching and cryptocurrency as the same thing. Obviously bloching is underlying technology that happens to power this as well. What do you think about the impact that it is having or will have in the cyber security world?
William: Blockchain had a lot of hype last year, and now has cooled down because of the drop in cryptocurrency prices. I am glad it has cooled down so that we don’t have to deal with a lot of wrong use cases of using blockchain. I think in cybersecurity, blockchain does provide data integrity. So, for cases where you do need data integrity, maybe you can consider using blockchain to have immutable record of something. Also, in identity access management, blockchain actually is not totally different.
William: I know organizations mostly use an active directory, but if you think about it, you are also using smart cards which has a PKI infrastructure behind it. It has public and private keys and that’s the same kind of identity that blockchain uses. Therefore, there is some intersection between the traditional identity access management and the blockchain based identification systems. But, over time they may converge. One vital token will generate different key pairs for different applications. That’s very similar to the self-sovereign identity approach where you use a different identity for different relationships. You use one identity for Facebook but another identity for Citybook. Those are totally different relationships and you don’t want the same identity. So, both vital and the blockchain based self-sovereign identity are going towards that direction. I think there is quite some synergy there.
Mayank: How do you engage with some of the younger companies that are trying to ensure their solution or already have a mature solution?
William: We always like to talk to them, to know their thinking. But from enterprise adoption perspective, it is very hard for us to work with startups. Usually, our procurement rules say that the company has to be established for a certain number of years and should generate a certain amount of revenue. But, we also have the World Bank operations part where we work in a lot of developing countries for solving all kinds of poverty-related issues. In those areas, we actually work with startups a lot. Reason being, in those markets, many kinds of established companies do not have much interest whereas there are some startups that really have a passion to solve the poverty problems by providing innovative technical solution.
Mayank: Would you please give us some examples?
William: I wouldn’t say the names, but if I had to talk about providing identity solution for people so they can get aid in a refugee camp or a displacement situation, some companies are very innovative. They use metrics to identify a person who may not have any record on paper. How do you make sure this person is not going to get the same aid twice, for example? There are definitely some interesting solutions from these startup companies.
Mayank: What are some of the most basic mistakes security teams or companies make and how to avoid them?
William: I think one of the biggest mistakes is to think that as long as you have a strong firewall, a strong parameter control, you are good. These days if you have insider threat or a spear phishing attack, your internal user or application can be compromised. You have to make sure you have good detection mechanism. You also have network segmentation so that you limit the blast radius of any compromise. Especially when you move through the cloud, things are changing very fast. If you don’t have proper segmentation and something goes wrong, it can have a large impact on your overall cloud event.
Mayank: Absolutely! Speaking of which, you have recently adopted hybrid cloud. How did you think about making that transition and what was the role that security played to make it happen in the speed it did?
William: Moving to the cloud was quite scary initially. It was a lot of studying of the risks, especially legal aspects of it. But, eventually you have to take the plunge because the store is very compelling from a business perspective. The speed of innovation is just not possible on PRIM.
William: From a security perspective, we worked pretty hard to define the security controls in our virtual private cloud, NAAS for example. But after that cloud based boundary is established, we have to look at various other aspects. For example, whenever we adopt a new class service, we need to see what are the proper controls for each service. When you leverage multiple services together to build an application architecture you have to keep in mind the additional controls you need from identity access management perspective and from network traffic control perspective.
William: Also, we are looking at security automation because the good thing about cloud is that there is a lot of innovation there and everything is defined by software. So now, we are trying to do security as code. With that approach we can have security quickly and automatically built-in into the infrastructure, into the application architecture and also have a good monitoring compliance solution because the right configuration is code. Whenever there is deviation from the code, you know something has gone wrong. So you can generate alerts and respond to it. That’s where we are trying to increase the speed of security while the business and IT shop is trying to increase the speed of innovation.
Mayank: That’s amazing that you guys made that. A lot of companies are still talking through that transition.
William: We’re still in that journey, but we see a great opportunity there, so we’re trying to take advantage of that.
Mayank: Well, I see no white hair, so obviously it’s been a smooth transition.
William: They’re starting to show up.
Mayank: What are some of the questions that TISOs and security experts overall should be asking themselves in 2019 and look ahead into 2020?
William: I think if I could offer a few, one for a CIO is, “Are you providing the right resources for your information security team?”
William: Second is, “Are your critical information assets well protected? Given it’s your intellectual property or your payment system, all these critical assets you have to make sure, at anytime, are well protected.”
William: The number three item, I would remind a CIO is, “Do you know your third-party risk? Nowadays, you have much more dependency on a hosting provider, or a sourcing vendor who is providing the contractor for your IT organization. You are also dependent on HR benefit providers in healthcare or insurance companies who have a lot of your HR data. Are they in good shape? Do you have a program to manage all these third-party vendor risks? That is something you have to think about.”
Mayank: Those are good questions, I must say.
Mayank: What are some of the projects that you’ve worked on that have not gone well? What have you learned from some of those that you can pass forward to the next generation of security experts that are coming up?
William: Interesting. I think one project we did not do well was … We worked with a vendor, which just did not have the right capability to provide what they needed to. That’s when we were not doing our due diligence in terms of assessing the partnership, assessing who we are working with before we grant the contract to the company. Then we realized, given the size of the project, they’re just not going to provide the amount of resources needed.
William: From a security perspective, we have seen cases where the vendor painted a very nice picture initially, but once you start executing you realize that there are certain areas that they’re just not going to meet your requirements. I think the lesson learned is that you probably want to do more due diligence before you start executing a project, especially if it’s a multi-year project that’s going to have a large impact on your overall IT infrastructure and landscape. So, there are so many things that can go wrong.
Mayank: Did you put a new process in place following that or a new checklist of, “Hey, these are the things that we missed that we need to start thinking about and doing in the future”?
William: Definitely, there were lessons learned from some of these failed attempts. We have a more robust procurement process, from that perspective. But sometimes you learn as you go. You don’t see the end product before you need to get started. Sometimes we are getting on the journey together with our technology providers. In some cases they have their agenda, and we have our objectives. Sometimes they do not necessarily align well along the way. It is hard to avoid but you have to have some kind of plan to deal with some of those faults.
Mayank: Great! Well, thank you so much for being here. I really appreciate your time. The community is going to love this.
William: Sure. Thank you very much, I hope it’s helpful.