Black Hat Executive Interviews: Q&A with Phil Quade, Fortinet CISO

Q: You joined Fortinet recently after three decades in cybersecurity roles in government, including most recently the NSA. What has that experience taught you about the nature and scope of the threats that organizations face these days?

Some people say that street cops and detectives see an especially negative view of humanity, because, more often than not, they are called to assist with an unlawful or sad situation.  Similarly, coming from the foreign intelligence business, you get a first-hand view of what foreign adversaries aspire to do, and how they do it.  It is indeed sobering.  In fact, that's one of the reasons why NSA conducts both a foreign intelligence mission and an information assurance mission, so that the insights on the foreign threat helps to set the bar for how much rigor is needed to protect the nation's most sensitive secrets.

As the former head of the NSA's cyber task force, I worked closely with the highest levels of the White House and Congress and spent years on the front lines of developing cybersecurity strategies to help protect our nation's most critical assets. At Fortinet, I apply my experience managing diverse and complex cyber strategies with a variety of partners to ensure that both Fortinet and its global customers have the most effective, broad security postures. 

The gallows-humor quip that those in cybersecurity have job security is an unfortunate truth.  But customers can't just buy their way out of cybersecurity threats.  It takes strategic choices.  For example, to take on the cybersecurity problems of speed and scale, you need to embrace the solutions of integration and automation. 

The private sector has much to offer in these areas, and is what Fortinet specializes in with its Security Fabric architecture. Another key strategy is to make sure you're looking at all dimensions of risk [and] not mitigating just threats and vulnerabilities, but mitigating bad consequences out of the risk equation by engineering them out by design.  We call that 'Consequence-based Engineering'.

Q: You are in charge of expanding Fortinet's Federal and Critical Infrastructure business. How similar—or different—are the security challenges that organizations in these sectors face, compared to other organizations?

Our country's economic competitiveness, national security, and general well being is highly dependent on the cybersecurity of the government, critical infrastructures, and private institutions. Federal agencies have unique security needs for a number of reasons. In addition to being a favorite target of hacktivists, for-profit blackhats, and hostile foreign governments, they often have strict compliance regulations, need solutions for combat and have more critical data and lower budgets. Federal cybersecurity solutions often need to be specifically tailored, and even validated, to protect agencies within the intelligence community and the Department of Defense, as well as civilian agencies.  

The scope and scale of the Critical Infrastructure security challenge has mostly frozen ambitions to take on the problem holistically. No one owns and operates all critical infrastructure anywhere. There are different infrastructures. Various companies own it. The industry needs to look at this as a problem that can only be solved over time. We need to establish a multi-year planning and action horizon and steadily march toward it. Rushing into this and trying to solve it overnight will just lead to more problems. 

By creating automated information-sharing standards and mechanisms, we can better help identify and mitigate the risks due to the dependencies among infrastructures. The establishment and practice of private-public partnerships is key for innovative solutions to be shared and for muscle-memory (e.g., relationships, procedures) to be established during normal conditions that can be flexed during times of crisis.  

The Federal and Critical Infrastructure markets share the unfortunate distinction of having especially big targets on their backs.  Adversaries seek to project influence or gain attention by affecting them.

Q: As a Platinum Plus Sponsor of Black Hat USA 2017 what is Fortinet's biggest focus going to be at the event? What is your main messaging there?

Black Hat is a very important event for the industry, so we will have lots to talk about. In particular, we will be emphasizing actionable threat intelligence. With the data deluge of threat information today, security professionals need customized insight to help determine how to prioritize resources to best protect against threats to their organizations. We use big data analytics to help IT decision makers understand those threats in context with timely threat intelligence, trends among other organizations, and statistical analysis of potential risks.

Now more than ever, security controls need to be able to automatically trust and digest threat intelligence at speed and scale. The challenge is that today's security teams monitor an average of 14 separate security consoles to try and manage, assess, and secure the expanding array of devices and technologies deployed across their hybrid and distributed networks. Many times, they end up having to compare log files, hand correlate data, and manually change policies between devices in order to address threats. It means that far too many threats go undetected, and for the ones that are, response times are too slow for attacks that operate at machine speeds. This is essentially a growing big data problem for cybersecurity today. 

We will be demonstrating the latest in actionable threat intelligence. Fortinet’s Security Fabric is powered by the security services deployed by our FortiGuard Labs Global Threat Research team, which consists of more than 200 expert researchers and analysts around the world who discover and analyze breaking threats and automatically feed the intelligence to our more than 3 million sensors around the globe. Our threat research team has dedicated experts studying every critical area including malware, botnets, mobile and zero-day vulnerabiliites to protect more than 310,000 customers every day.

Read more about Fortinet at BlackHat USA here.