Managing Security Risk at Cloudflare
Presented by: Madeline Gregory, Miriam Levenstein
Originally aired on November 29, 2023 @ 9:00 PM - 9:30 PM EST
At Cloudflare, we use risk management to drive what the Security team prioritizes. Join Madeline Gregory and Miriam Levenstein from Cloudflare’s Security Risk Team to learn about how we manage security risk across the organization.
Security Awareness Month
Transcript (Beta)
Hello, and welcome to Cloudflare TV. I'm Madeline Gregory and I'm here with my colleague Miriam Levenstein.
And today we're here as part of Security Awareness Month to talk to you about security risk management.
So we will get to what security risk management is in a minute.
But first, I wanted to introduce ourselves.
So as I said, I'm Madeline. I'm based in Colorado, and I'm the manager for security risk at Cloudflare.
I've been at Cloudflare just over four years now. And before that, I did start my career in Washington DC and government consulting.
I've spent some time in healthcare, managing third party risk and I've finally found my way here to Cloudflare.
And about a year and a half ago, we hired Miriam for our security risk team.
Miriam, do you want to introduce yourself?
Well, I am here in Austin, Texas, and I'm a security risk management specialist.
As Madeline said, I joined about a year and a half ago.
I think I was hired in the middle of Snowmageddon, or at least I was interviewing during it.
Quite memorable. So my security career has been a mix of doing external consulting, going out, being a PCI, that's payment card industry consultant to make sure people are keeping credit cards safe, doing some other assessments and working internally in companies to work on their risk programs.
There are several years when I was focused on mergers and acquisitions and the security in due diligence and integrations, which was an interesting aspect of security that I enjoyed as well.
So one thing we wanted to talk about was to kick off with a personal perspective.
We are both risk professionals and do risk professionals think about risk in their own lives?
So people make risk decisions all day long, in my opinion. And I thought I would give you an example of a time when I did something a little bit risky, but I felt it was well worth it.
I am an avid bird watcher, birder, and I will actually travel across the globe just to see a migration or an unusual bird that I haven't put on my life list yet.
So in one case, I was with an international group, people all over the world, and we were in a desert to seek out some unusual birds that were found only in that place at that time.
It so happened this area was in the demilitarized zone between two countries that didn't like each other quite as much as they should have perhaps, but they were not actively engaged in hostilities.
So they allowed us to go bird watching and do a little ecotourism.
We had an armed guard and a guide with us.
And as we're walking around with our binoculars, looking at the birds, there are tanks on either side of us driving up and down that the guard mentioned.
So the only thing you really want to watch out for is these guys, they haven't seen any real action in a long time.
They get bored sometimes, so they might just take a shot at a bird now and then.
We tried to discourage it, but just be prepared to duck if you hear gunshots.
Yeah, when you told me this story, Miriam, I was thinking about risk in my personal life.
I think I'm a much more calculated risk taker, I would say. But I did have one interesting incident when I was younger.
I did go on a cruise of the Greek islands with my family and our cruise ship ended up hitting an underwater rock and sinking in the harbor of Santorini.
So in risk, we try not to let recent incidents affect our future risk judgment.
So I still do get on boats, but now I have some kind of mitigating controls.
I make sure I always know my emergency protocols, whether it's on a boat or a plane, and make sure I know where my nearest exit is.
So a little bit different risk styles in our personal lives, maybe, but let's turn to talk a little bit more about where we sit within Cloudflare.
Cloudflare, we have many technical organizations that help run and deliver our services.
So we have an entire infrastructure team dedicated to our data centers and hardware and running our network, our engineering teams that build our software, and of course, our IT team that supports all of our internal business needs.
So security is lucky in that we're our own standalone organization, and we partner with each of these technical organizations to identify and manage risk.
Miriam is going to talk a little bit about where GRC sits.
So we are within the security org.
Yeah, so since I've knocked around in this field for a while, I've been in different organizational structures.
So governance, risk and compliance can sit in different places in the organization.
It can be part of finance, it could be part of legal. I was for a while on a team that actually was part of legal.
And the interesting aspect of that was the focus on data management and privacy.
In that sense, GRC has strong ties to legal and privacy and works closely with them.
And the advantage, though, of being with security, especially in a technical company, a high tech company, is you can work very closely with security engineering and infrastructure and help to identify risks in that.
So I think it's a very good place for us. My experience once was with a GRC program that was just joining security engineering, not here at Cloudflare, but at another place.
And what GRC can bring to security engineering, in my view, is a balanced viewpoint.
We're not looking at it in terms of specific areas, like if you have a group that grew up as firewall engineers, they're going to have like top of the line firewalls.
But GRC can bring in different control frameworks and say, we're going to look at identity management, we're going to look at data management and asset inventory and all the things, all the building blocks and foundation stones that lead to a really balanced security program and help make sure we don't have any major control gaps.
Yeah.
Yeah. So we think we've got a pretty good position. Security is a standalone org.
GRC within security, so we really work with all of the technical teams really well.
And then within GRC, we're set up as three kind of sub teams. So we have our validations team that works closely with our external auditors and helps us get all those certifications that lets customers know they can trust us.
We have our customer compliance team that interfaces with those customers and answers any questions they may have.
And then lastly, of course, is our risk management team.
So we're more of that internally facing team. We take all the feedback from the other teams within GRC, incorporate that into our risk register, which we will talk more about later, and push to improve our internal controls.
And then again, you know, in reverse, we, you know, when we better our internal controls, we can also feed that information back into our customer compliance and audit teams and really beef up those assurances as well.
And Madeline, you're going to tell us a little bit about what we accomplished through our risk program at Cloudflare.
Yeah, so let's talk a little bit more about what security risk is and what we do.
So really, our goals are to identify risk. We want to prioritize risk and tell the teams what's the most important things to fix.
And then of course, actually helping the teams to execute and mitigate risk in accordance with Cloudflare's risk tolerance.
So risk is really about likelihood and impact. So talk about risk, it's the likelihood that something bad is going to happen, and then, you know, measuring what are those negative results of that event.
And security, that looks like, you know, how likely is it that a threat actor, like a cyber criminal, is able to exploit, you know, vulnerability or a weakness in Cloudflare software security controls?
And then what is the actual harm to Cloudflare or to our customers?
So think downtime, data breach, those things that nobody wants to happen.
So, you know, once we identify things that could go wrong, we do rate them based on our kind of tailored methodology.
And then we propose security controls that could help either remediate or mitigate the bad thing from happening, the risk.
So as Miriam said, we can recommend access controls or audit logs or more technical controls, maybe encryption.
But so those are kind of our top three. Yeah.
And one thing I like to talk about is that when we think about risk at Cloudflare, we're not looking at it in a silo or in an abstract kind of way.
It's very tied to business priorities and succeeding as a company.
So you cannot have a business without risk.
No one's trying to say we're going to eliminate all risk.
What we want to do is identify risks that are above our risk tolerance that, you know, we say this is something we need to address and we need to take care of to keep our customers secure, to keep us secure and so on.
But, you know, there is always some inherent risk in doing business and there is a pragmatic approach to that.
It's not about going through a compliance list and checking the box and saying we have this and this and this.
I've been on a lot of different security forums where people argue about is security and compliance the same thing or are they at odds or are they the opposite?
And really, I think compliance and risk help secure a company, especially when they're done right and when they're done in a sort of business focused way that is very practical.
And I think real world and that's we're looking at real world risk that works with the whole company, whether it's engineering, infrastructure, new products, et cetera.
Right. Exactly. All right.
Well, let's talk a little bit more about the activities that we actually do to identify, prioritize, manage risk.
So, I'll go through kind of the identify activities.
So, really as the risk team, what we focus on are risk assessments. At Cloudflare, we do a couple types of risk assessments, our enterprise risk assessment.
That's the first one I'll talk about. This is required by all of our certifications, but it's our once a year activity.
It's a business level assessment.
We interview teams across our business, focusing initially on our production and customer facing teams, critical business functions as well.
And we kind of take a bird's eye view of what has changed in the last year.
So, we like to look at, you know, what's changed in the regulatory landscape?
Are there new privacy laws or security laws that are going to affect us over the next year?
Has the threat environment changed?
Are we seeing, you know, last year, we saw a lot of supply chain attacks.
So, you know, how should we take that into account for our security planning?
You know, how have our products and architecture changed? We have to talk a little bit more about that, but at Cloudflare, we're always changing and building new things.
So, you know, has that introduced any new risk for the team? And then, of course, our security controls and our programs, how effective are those?
The second type of assessment that we do is we call it a targeted risk assessment, but it's really like system specific or control area specific.
So, diving into one of our Cloudflare production systems and kind of looking at all the controls in place and seeing if there are any risks we need to remediate there.
And then, you know, outside of the risk team, there are lots of other teams that are doing risk assessments or identifying risk.
And so, we try to incorporate those into our program as well.
So, whether it's customer or external audit findings, penetration test results, threat models that our security engineering teams do, vulnerabilities, incidents, word of mouth, we're really trying to plug everything in so that we have a full picture of risk.
And I'm going to hand it off to Miriam to talk about what we do once we identify all these findings.
Yeah. So, once we know our risk findings, they have to live somewhere.
So, basically, we're thinking, you know, you're thinking database, spreadsheet, something like that.
So, we call it the risk register.
That's just the industry term for where you track your risks.
And there are many different ways to do that, different programs. If you come from a government background, you may think of like the POAM, the plan of action and milestones, which is very similar as well.
So, the tools that we use are, we have risks that are in JIRA because that's a tool used throughout the company.
And it also integrates with Smartsheet, which is, you can think of it as a souped up spreadsheet, which basically it has the wonderful functionality of integrating with JIRA so that we don't have to do everything twice, once in JIRA and once in Smartsheet.
So, we do it in one place and we have automation, so we can automatically update things.
And that is where we track each risk. It's basically, it's an item in the spreadsheet.
We also use other tools like Google Workspace and Confluence for our wiki pages and instructions and so on and procedures.
Using these tools, which are accessible throughout the company, having the risks in JIRA makes it easier for us to work with other teams so that we can sync up with security engineering, internal audit, as well as the other teams throughout the company.
And we think our program is a little bit different. Let's talk a little bit about what makes us different.
I did mention earlier, we are trying to get that full picture of risk by aggregating data from our other security programs.
I think that a lot of companies do mostly focus on that enterprise risk assessment.
And so, I think that's one way that we're a little bit different is trying to aggregate all those data sources.
So, it's not just what the risk team thinks the risks are, it's what we've seen across our security team through all these different programs.
And the automation too that Miriam was talking about, if we have vulnerabilities that are also generating JIRA tickets, that integrates well with our risk program and our Smartsheet's tooling.
Yeah. One thing I like about Cloudflare particularly is it really, it takes seriously the idea of risk-driven security and planning out security roadmaps with an eye to what are the risks that we want to address.
It really helps make sure that your security resources are applied in the right places to address the highest risks.
And that's a process that's constantly evolving, but even in the year and a half that I've been here, I've seen it become stronger.
And I have a lot of optimism about how that's going to really mature the security program overall.
Yeah. Yeah. So, we meet frequently with our security leadership team as well.
And that's part of the planning process and bundling up the highest risk to them.
But we're also really lucky we've had great leadership support from across our technical organization.
So, we've gotten to have a quarterly cadence with our leaders from infrastructure and engineering and IT.
And we also have a direct line up to the compliance committee.
So, all of our risk reports go to that risk and compliance committee as well.
Yeah. There's a lot of communication back and forth and visibility of risk.
Our program is forward-looking.
We want to see what's on the horizon. So, our, what would we call it? Our symbol is a meerkat.
If you were a fan of Meerkat Manor back in the day, you know how they like to climb up on the rocks and look out like, do my little meerkat thing.
So, that's one of the reasons why we want to keep a lot of open communication with all the teams in the company so that if there's an upcoming area of risk, we can know about it and talk to the right people and get prepared.
So, we talked about our program being a little bit different, but we still have a lot of challenges and opportunities as well.
I think one of the things Miriam and I talk about is there's always a challenge is really keeping up with Cloudflare's pace of innovation, just our product and network scale.
We're not maintaining, we're in high growth mode as a company.
And, you know, in the four years that I've been here, we've gone from being a really content delivery network or web app firewall products to also adding in our Zero Trust suite.
So, we, you know, released an email security product, and now we're doing Cloud and SaaS security and data loss prevention.
So, all of these things, they work differently. They involve more customer data.
So, we're not just caching, you know, website data at our edge.
We're kind of in between, you know, looking at data through our data loss prevention product.
And so, it just changes our risk profile. So, those are the types of things that we have to keep up with.
And, you know, of course, under the hood, as we like to say, Cloudflare's network is growing really quickly as well.
So, you know, we've expanded our presence to 275 cities.
So, when we talk about risk to our data centers, our hardware infrastructure, we have to make sure that we're really scaling and we're designing risk mitigations that will support the company in the future as well.
Yeah. And as I've talked about the prioritizing risk to align with the business, business changes.
Sometimes it changes quite dramatically.
Like, for example, when the company acquires another company, and risk has to pivot as needed to address new risks that are brought on by bringing on a new company.
We've, Area 1 was a wonderful acquisition, and it does bring some new areas for security to be looking at, which we are securing.
So, it's great. And another area can be changes in the global environment, data localization, keeping data in one place, not letting it transfer to other places.
That's a growing concern, especially internationally.
And we have a spotlight on data management and how to address that without losing some of the things that make Cloudflare great, like the performance across the Internet.
Yeah. Yeah, definitely. So, we've got all these changes that kind of the macro level that we're trying to keep up with.
But I think what, you know, with the company growing too, that means our actual security risk program is growing and we're trying to scale.
And so, I think the other challenges we have are just programmatic.
So, figuring out how to change our engagement model.
So, we can't, you know, the teams grow so much. And so, we can't keep meeting with every stakeholder.
We have to kind of find some efficiencies. So, you know, working through other security teams, security engineering, our program management team, and making sure we have solid key partners in legal and internal audit and the technical orgs.
So, that's, you know, one area we have to focus on.
And we've really changed our model so that we are doing better knowledge sharing and we're integrating with the planning process overall.
We're leveraging the relationships that our security engineering team members have with other orgs.
Yeah.
So, I was going to talk a little bit about one of the big projects I work on each year is the enterprise risk assessment.
This year, I did 39 interviews, including the scoping interviews with executives and the stakeholder interviews where I asked questions about risks and controls and new products, concerns in each of their areas.
That's a big project. We're looking at other ways of possibly organizing in the future.
I think of it as a Kit Kat bar. We might want to break it up into separate sticks just to make it a little bit more manageable.
But it's a lot of fun to learn about what's going on in engineering and infrastructure and what's new, what the roadmaps are and the opportunities are.
And so, yeah.
So, the other thing I wanted to talk about was a little bit more about the risk register.
So, we are ingesting findings from a lot of different sources, vulnerabilities, incidents, and so on.
We do prioritize these and are looking at how we do our risk measurements and our automation.
These are all areas that we're doing some continuous improvement and work on as well.
And building out more risk process workflows with JIRA.
And as always at Cloudflare, we like to automate things. We like to make things efficient and effective and produce some.
And as the risk register grows, we're actually going to get some really interesting metrics, I think, out of it and information about where we may have our strengths and controls and where there's areas where we might want to improve and so on.
Yeah. Yeah.
So, really scaling kind of every part of our program there. I would say just the last kind of challenge area that I'm sure is a challenge for many risk teams out there is making sure risks are mitigated on time without kind of impacting our production schedules.
We are the risk team. We don't actually mitigate the risk.
We assign ownership and we really partner with other teams to make sure that our highest risk are prioritized effectively and that we get ahead of their quarterly planning so that we're baked into that process and we're not impacting our production schedules either.
Yeah. Yeah. So, we have a little time to talk a little more about how we got into this field.
I don't know if anybody in first or second grade says I'm going to be a governance risk and compliance specialist when I grow up.
It's a little bit unusual. You want to tell us, Madeline, how you got into it?
Yeah. My path was a little bit random. I was a business major, actually, and I wanted to have a specialization in information systems and technology, but I actually didn't take the cybersecurity course until my last semester of college.
Then I thought, hey, this is really cool.
I think I could get into this. My professor at the time suggested I take the CISSP exam, which is Certified Information Systems Security Professional.
Very long acronym, but the certification can kind of demonstrate that you have the knowledge to get into the field.
I was able to get onto a lot of government contracts in D.C. and get that kind of on-the-job experience as well.
So, yeah, as I said, I kind of started in that government consulting realm, learned a lot and got into healthcare and now tech, but I've really gotten to see through that journey all the parts and pieces of GRC from doing the internal validations and owning the controls and being on the assessor side for either systems or third-party systems.
Now my focus is more on developing and managing the risk program here, but yeah, interesting path.
You kind of found your way to security too, Miriam, not where you started either.
Yeah, it was not my first career, but I did grow up around computers.
I like to tell people how it was kind of unusual in my childhood.
We had a rec room full of computers. This was very early age.
We had TRS-80s. I can't see you, but you can raise your hands if you know what that is.
Apples and Commodores. My father was doing a research paper on what was the future of microcomputers, and he decided his four children were his test subjects, so he basically gave us a book on how to program in BASIC and free access to these microcomputers, they called them in those days, or early generation PCs, and we mostly played games.
So his paper says great, great future for gaming and maybe some mathematics too.
So I went on to major in English and I did some work as a grant writer and did different areas, but I always sort of had a side interest in computers, and I used them.
I kept my database of grants when I was a grant writer and so on, and when I moved from Bloomington, Indiana, where I went to school and worked afterwards, I moved from there to Austin, Texas, where tech was a really huge thing, and so it just gravitated towards doing sysadmin and DBA type work, database administration, and I was working as an IT manager for a small security consulting firm when I realized that security looked like a lot of fun, you know, especially the ethical hacking part where you break into things.
So I started, my manager supported me to take a course in Linux and build my own computer, start doing some Nessus scans, and this was also fairly early in the days of payment card industry assessments, so I think I was the third class to get PCI training, which was a three-day live training back then with a really hard written exam at the end.
Now I'm being the old timer who says it was a lot harder.
We walked through the snow to take our PCI exam, but, you know, it got me into security, and I really never looked back.
It's been a terrific career, and however you want to get here, I would say, you know, come on and get here because it's a great field to work in, and we have about three minutes.
We're actually doing pretty good on our little schedule here. So we both actually come from, I was an English major, and we didn't actually, I think computer science is great, and actually both my kids studied it, which I'm happy about, but I like it when liberal arts majors go into computers because I think we bring writing and communication skills, learning how to learn, you know, how to think, and you know, listening to different points of view, which I think is super important in every field.
Yeah, it's, you know, with risk, we are like, we have to have those analysis, analytical skills, but you're right.
It isn't just about kind of understanding the technical piece.
It's being able to, you know, we can't understand every piece of what's going on at Cloudflare.
Inherently, we have to be able to jump in and learn and then, you know, communicate those risks and actually get people to action on them.
So there are a lot of other skills that translate really well, and it is security awareness month.
So I think we both, you know, wanted to pitch, you know, you don't have to be a computer science background to get into security.
There's lots of interesting paths to this work. Yeah, and check out the, we're going to have like a, a, okay, now I've forgotten the name of it.
What's our, what's our online tests or not? Capture the flag. Capture the flag. Thank you.
Our CTF. So, you know, look forward to that and a lot of other security awareness month activities that are being planned that are a lot of fun.
Yeah.
Yeah. Well, I think that concludes our, our time, our update on security risk management.
We hope you'll tune into other security awareness month content here and see you next time.
All right. Thank you. We'll see you next time.