Executive Insights: An Interview with Phil Quade

We regularly do deep dive Q&A pieces with our executives to share the leadership perspectives at Fortinet. Read below for an interview with Phil Quade, Fortinet's CISO. You can also read his most recent blog post here about "Take-aways for CISOs from WannaCry."

Could you briefly share more about your career path before Fortinet?

Threats to national and commercial security come in all forms and my speciality is understanding how to strategize, plan, operate, and communicate prudent cybersecurity solutions. In my 30-year career, I’ve had the opportunity to work across the defense, intelligence, and attack aspects of cyber in domestic, foreign, government, commercial, and critical infrastructure and sectors.

I was working most recently for the Director of the National Security Agency (NSA), representing at the White House, and coordinating cyber efforts at the NSA, and previously served as the Chief Operating Officer of the NSA Directorate that focused on securing the USA’s most sensitive (e.g., classified) government systems. Prior, I served as the head of the Information Operations Technology Center’s Advanced Technology Group, as a professional staffer to the U.S. Senate, and at the Office of the Director for National Intelligence. Along the way, I’ve had some great assignments as a computer and network security evaluator, cryptanalyst, and export policy specialist.

At Fortinet, I am applying my experience to manage diverse and complex cyber strategies solutions with a variety of partners to ensure that both Fortinet and its global customers have the most effective, broad security postures.

I’d like to think that having a former NSA fed working and learning in Silicon Valley will help with some cross-pollination of the collective team, and ultimately help improve defenses against advanced cyber adversaries.

Can you expand on how you will be applying your experience to the private sector?

As the former head of the NSA’s cyber task force, I worked closely at the highest levels of the White House and Congress. A few of my roles in NSA included managing day-to-day operations, strategy, planning, integration, and relationships in cybersecurity. The integration of right mix of technology, threat intelligence, risk management, and partnerships are the fundamental elements of a strategy to help protect global information and assets.

The Fortinet Security Fabric played a part in my decision to join the company, and it is a seamless architectural approach to security that is designed to connect security components into a unified, future-proof solution. I think Fortinet’s Security Fabric vision aligns perfectly to what it takes to deliver an end-to-end, intelligent, scalable, and integrated security architecture for today’s digital economy. I am thrilled to be a part of Fortinet’s leadership team and contribute to its vision, both in leading our internal information security efforts as well as providing strategic guidance and programs to help safeguard our global customers.

At Fortinet, I have a great opportunity to build and foster strategic private and public sector partnerships so that we can leverage the best of both worlds to solve hard cybersecurity problems, like the protection of our critical infrastructures. Fortinet is leading the charge with meeting customer demands with its automated end-to-end security solutions, which excited me about changing positions on the team and joining the private sector.

Can you tell us more about the role of the CIO? 

When my children used to ask me about my job, I told them simply that ‘I help keep the country safe’. Similarly, a CISO’s role is to help protect a number of things that are keys to our economy and personal well-being, be they a company’s intellectual property, or the privacy of sensitive data. A CISO needs to think strategically about how to get this done based on a sound understanding and management of cyber risks – threats, vulnerabilities, and consequences to avoid. In my opinion, a CISO needs to effortlessly & effectively work and communicate in both management and technical environments.

A CISO also has a responsibility to help achieve optimal customer satisfaction and achieve maximum shareholder value in light of the fact that security is viewed by many as overhead.  Said more positively, risk-aligned cybersecurity is the grease that makes the world’s information technologies work optimally— an awesome responsibility for the digital engine of our global economy.  But one company can’t do it alone; you also need to help shape the direction of commercial strategy and technology so that it is postured to address evolving threats, since commercial solutions are a tide that floats all boats: i.e., the solutions that we develop are used in both private and public (e.g., government) applications. A great example of that is Fortinet’s work as a founding member of the Cyber Threat Alliance, where we formed an alliance with our direct competitors to share global threat intelligence with each other, to better serve our customers and organizations around the world.

To be successful as a CISO, it requires a strategic and disciplined person. In this job, and in others, I’ve found the ‘formula for success’, if there is such a thing, is: Surrounding yourself with smart people; Establishing over-the-horizon-goals that are underpinned with achievable steps toward it (the journey of a thousand miles starts with a single step), being relentlessly focused on the goal, and;  taking & communicating prudent risks. 

In our digital economy, a CISO should be a full-fledged member of the C-Suite, whose peers include the CFO and General Counsel.  Those three roles, and perhaps others, each have a responsibility to the organization to ‘say no’, i.e., to be the decision making authority, directly below the CEO, on their areas of responsibility.

Can you talk about the cyber landscape today?

The risk is real, and comes from vulnerabilities, threats, and lack of bad-consequence-avoidance. Fortinet regularly releases our quarterly Threat Landscape Report. In our last report, our findings revealed that the bulk of threats faced by most organizations, and then therefore majority of financial losses, are opportunistic in nature. An important takeaway from this report is the critical reminder that the most effective security work still involves reviewing your security posture and policies, minimizing the externally visible and accessible attack surface through patching and hardening, building and implementing advanced threat detection and response throughout the network, and expanding visibility and control across the distributed network, including endpoints, IoT, and the cloud.  It’s as straightforward as it sounds, and Fortinet can help customers do it.

Regarding the threat, it’s as bad as it’s ever been, if not worse.  Cybercrime is big business, and is growing at an exponential rate. British insurer Lloyd’s of London estimated the cybercrime market at $400 Billion in 2015. Today, just two years later, the World Economic Forum estimates that the total economic cost of cybercrime to currently be $3 trillion. And Cybersecurity Ventures is predicting that cybercrime will cost the world in excess of $6 trillion annually by 2021.

From a bad-consequences-to-avoid perspective, you’d be surprised at the answer you get when you ask an already-compromised organization ‘ What would you do differently if you knew you were going to be compromised?’.  The answer is almost always rooted in identifying, upfront, the bad consequences they would have liked to avoid, and engineering out ahead of time that potential bad consequence.

Ordinary users and sophisticated businesses alike have inadequate appreciation for what adversaries seek to do to them.  Adversaries – particularly nation-state ones – have both the motivation and means to do very harmful things.  The way to address those problems of speed & scale, is, in part, by employing solutions like Fortinet’s that embrace automation & integration.  Those attributes will go a long way of reducing overall risk.

My advice to friends and family is simple: Never put anything on your computer or the Internet that can’t afford to lose.