Katie Jenkins, Liberty Mutual | AWS re:Inforce 2019

>>Live from Boston, Massachusetts, it’s theCUBE covering AWS re:Inforce 2019. Brought to you by Amazon Web Services and its ecosystem partners.>>Hello everyone, welcome
back to theCUBE’s live coverage here in Boston, Massachusetts
for AWS re:Inforce, Amazon Web Services’
first inaugural conference around cloud security. I’m John Furrier, my
co-host Dave Vellante, our next guest is Katie Jenkins. SVP, senior vice president, CISO, chief information security officer with Liberty Mutual?>>Yes.>>Big company, lot of
activity, insurance, probably lot of action on your side. Welcome to theCUBE.>>Thanks so much. It’s good to be here.
>>Thanks for coming on. So you been the job for about a year. Tell us about what’s goin’
on at Liberty Mutual. You guys have a large
company, 100-plus years old. You’re–>>That’s right.>>the CISO, so you’re in charge,
you’re running everything. We’re at a security conference. Tell us the reality. What’s goin’ on in the real world?>>Yeah, well this is super
exciting that re:Inforce, of course, is in Boston. This is Liberty Mutual’s hometown. As you mentioned, 107-year-old security, not security company, insurance company, but we’re doing really cool things in technology and security specifically. I would say, to kind of bring
this gathering together, we have a real rich
pool of security talent, of security innovators that
mashes up with what we’re doing, so Liberty Mutual has made a
very significant commitment to moving to the public
cloud for our tech knowledge and computing needs. We’re in ‘about the year
three of that journey, maybe 25% of the our
workload in the public cloud, and it’s really been a catalyst for, not just transforming our
technology organization, but transforming the
way security its work, and the way security engages
our development community.>>Well, you’re the head
honcho, as I say, as a CISO, but you’ve had 20-plus
years in cyber security. This is now kind of a new category with re:Inforce being
a branded show for AWS. Obviously, this deserves
its own conversation, and industries, lot of action goin’ on. What is cloud security mean to you? Because this is the focus of this show. I mean, it’s not just pure cloud, there’s a lot of on-promise
and on-cloud interactions, with hybrid, etc. You guys have been doing tons of IT over the generations with Liberty Mutual, but cloud security is the focus. What does that mean to you guys from a cybersecurity standpoint?>>In a word: enablement. I think that the public cloud offers us a really interesting opportunity to reinvent security, right? So, if you think about
all of the technologies and processes and, many of
which are manual over the years, I think we have an opportunity
to leverage automation to make our work easier in some ways, to avoid the situation where
we have error or oversight. “Gosh, we encrypted everything, “but this set of assets over here.” So, through using
automation and enforcement, it’s an exciting opportunity
to further develop our security capabilities. But also, cloud security,
cloud in general has went a transformation of the
way our practitioners do work through Agile, and it
means that security has to, work without technologists
in a different way.>>So, you’ve had a really
interesting background. You’ve worked for a
company that does audits, I can infer from that. You’ve worked for a services company, you’ve worked for a technology vendor, you’ve worked as practitioner,
so you’ve seen it, all sides. And you know, Amazon it made
some comments yesterday, that said look at the narrative
in the security industry, has always been fear, fear, fear. And we’d like to put forward the narrative that is about, “Listen,
the state of security “is really good and strong,
the union is strong, “and we got to work together
on a positive message.” So my question is, you an optimist?>>A reluctant optimist. (laughs) I think the days of having security be something that’s fearful are just not, they’re not doing us any
justice in that area. I mean, security is an
area of partnership. There’s very little of
what we do in security that’s just doing by
security practitioners. We need asset managers,
we need compliance people, we need the privacy team,
we need our auditors. We need procurement, I mean there’s just so many different parties
involved in security, that if we’re just
instilling fear in everyone, I think it’ll be difficult for
us to get that partnership. And we need to empower people, right? We need both empower our developers to do their work in a secure manner, and we have to empower our whole workforce and our trusted third parties
to make good decision, or educating them on how to
prevent phishing attacks, or doing all sorts of
cultural-based initiatives recognizing that if it’s
just the security folks doing security, we’re
going to have a big gap.>>One of the things
that we were discussing with a lot of our CISOs who
we’ve privately off the record, in the hallways and private briefings, is the common theme of integration as a big part of dealing with ecosystem, either suppliers and/or different teams within their different pillars of how they’re organized
internally and externally. And then also reducing the
number of security vendors that they’ve been buying products from to get some also in-house coding teams working more closely on
use cases that matter, so this has become kind of
a CISO conversation where What is that criteria? How do you figure out
who to have as suppliers, who’s going to be around
for the long haul, who’s going to be that
partnership for the enablement? So rather than having hundreds of vendors, we want to get ’em to a handful. Is that something that you think about, or is that a trend that
you see is happening now?>>It is a trend. I think it starts at how we even procure and select our suppliers. I mean, we are really
giving a lot of thought to the area of third-party
risk management, and do we understand not just
the element of cyber-risk and engaging with a third-party, but privacy and continuity
kind of risk too. So it starts there. I don’t have a sort of
fabricated number in terms of, “I’m trying to go from X
number of vendors down to Y,” but I think that there’s a
very purposeful thought process that we’re undergoing to say, “Yeah, we recognize for
certain technologies “we wanted have to have
different providers “to provide some of that redundancy. “Let’s be smart about that, “let’s make sure we really understand “where those overlapping capabilities are, “‘cos we don’t want to be
wasteful either,” all right.>>And the spend question
comes up too, around DevOps. What we’ve seen is the
DevOps and security paradigms are kind of coming together
in terms of the concepts. Agility, you can do some
prototyping, a hackathon, do some things, and then ultimately tryin’ to get into production
are two different animals, so enablement of doing innovative
things is Agility, right? That’s been a key theme, a positive theme, and the question is, is
there a funding model? Does it automatically
get security funding? And where’s the spend? Is your spend going up? And so all the monetary
spend questions come up. How do you deal with that ballistically, and how do ya think about
the spend conversation?>>Yeah. It’s a really interesting
one, because of course, expense pressures, I’m
not immune to those, but I also think that
we’re in a position where our executive leadership
team understands the value of the work that we’re doing, understands the importance
to our policy holders, so it’s less often a need to
justify why we need more spend. It’s a demonstration of
using that spend responsibly. And understanding where
we might have an uplift from something we’ve automated, to say, “Well now we have these resources “that could be doing something else.” There’s always a something
else in security, right? So if we’re committed to re-skilling, and making sure that people are evolving the work that they do, and the talents that they have to address
a different kind of–>>So no rule of thumb, per se. It’s more of that your management recognizes the criticality of it, therefore you can make those
calls on your own, build it in, build it into projects.
>>Yeah, we’re asked tough questions. Have they demonstrate that we’re making responsible decisions? But I think it come down
to knowing your technology and your team.>>So the skills gap,
obviously, is a huge challenge in your industry. We talked to someone yesterday, they said, “We just can’t find people, “so we had to bring ’em in
and train ’em ourselves. “We have to homegrown,
take the long view.” Amazon talks about this
shared responsibility model, and lot of small companies
don’t really understand that, and misunderstood, obviously
Liberty Mutual gets it. My question is, as you see
Amazon focusing on compute and storage and the database layer, and you guys have the opportunity
to focus on other areas that are your responsibility, that shared responsibility model, have you been able to shift resources? How have you handled that? Do you retrain people? Has it freed up, not Freed up time to do more
of those strategic things that you want to do? Maybe respond more
quickly, prioritize better, automate, etc. Can you talk about that
from your perspective?>>Yeah. So the shared responsibility
model is, you know, I think that’s an important speaking point of this whole ecosytem. At the end of the day, Liberty Mutual, our duty is to protect policy holder data. It doesn’t matter if it’s in the cloud. If it’s in our datacenters,
we have that duty.>>It’s on you. (laughs) So I think a lot about the
skills that we will need in the future, so I reference
sort of vaguely that, yeah the compliance area is a
particularly interesting area, where we have opportunities to be able to more easily and
cleanly produce artifacts that our auditors need,
to really bring automation to a process that just
has a very steep history in being manual in nature. So I understand that, tomorrow, we’re not going to ask
everyone to make a big switch and all become developers,
but we do send, you know, plenty of people to this conference, and they are participating in the tracks, and how to bring automation to compliance, and I think we invest pretty heavily in training opportunities for people.>>How do you look about the
vendor lock-in conversation? Because of cloud, the value
propositions certainly shifts. In the old model, it was
oh you buys a supplier and you’re in, you’re locked-in
with database or whatever. With cloud, there’s a lot of
switching cost opportunities to move around, but also people
are generally settling in on one main cloud, and having, yes, maybe a hybrid backup cloud or multicloud as secondary,
‘cos the focus of the teams. How do you view the lock-in
when you deal with suppliers? Because you don’t want to
be stuck with one supplier if you have the need to be agile. You want to have options. How do you guys think about that? Because agility’s key for
you guys to be successful, not so much just dealing with the vendors.>>It does come down to balance. We do leverage multiple cloud providers. I think that if we’re too focused on making sure that we have that portability, we could quickly move from one to another, then we miss an opportunity
to kind of deeply leverage some of the services, for
example, that AWS provides. But we also, you know,
we’ve been around the block a few times, right. (laughs)>>Not your first rodeo. (laughs)>>Yeah, exactly, and I
think that it’s important to have that prospective
and prepare for the future.>>Do you attend board meetings regularly?>>I do, I do present out
to our board of directors.>>Is that sort of a frequent thing? Is it once a year? Once a quarter? I’m interested in what the
board conversation is like with the CISO.>>I have been to couple
different contexts, whether it’s specific to
sort of an audit readout, or sort of a general state
of security type report-out, but yeah we have a really engaged board that ask great questions about
our partners, about things that are more culture-based
in terms of how we’re doing with our anti-phishing protection, and we talk about technology
architectures too, and the work that we’re doing to make sure that we’re being more
fine-grain in the way that we’re authenticating
users and devices, no matter where they work,
in a more secure way. They’re interested in that,
so I feel pretty lucky to both have the opportunity and get to speak pretty deeply of our program.>>Would you say the conversation is more of a strategic nature with the board? Is it more, you just
mentioned some tactical items. Is it more metrics-driven, or sort of a combination of all three?>>It’s a combination, right? I think they want to see demonstrated progress against areas
that we’ve self-identified as areas that we’ve liked
to prove, er improve, but they’re also looking
to see that I have a vision for where we’re going, fully cognizant of the work that we’ve
done in the public cloud, and want to understand
that the level of trust that they had in their program on premise will perpetuate and
advance into the cloud.>>When you look at cloud security, and now security in general,
you guys have a perspective on both sides, and cloud
certainly accelerating, evolving fast. Will you find a legacy app
that you’ve been working with? We’ve heard other CISOs we’ve talked to, who have had frank
conversations and, “Look, “we’re deciding we going to
lift and shift it, or rebuild.” And so there’s been some visibility into when it’s great to lift and shift and when it’s great to rebuild. So that’s been a conversation
that I don’t think’s been fully baked-out yet
in the full narrative in the industry. But it’s what people are talking about. What’s your view on when
you have a legacy app, and you want to lift and
shift it or rebuild it? What goes through your mind? What’s the conversation like at Liberty?>>It’s a conversation that we have. We have legacy, I won’t hide behind that, but it’s not a conversation and a decision that’s just made by technologists, right? I think we have to articulate
what the options are, and that has to be a joint decision with our business partners. I think generally I’m not
preferring a lift and shift, because I think that we
are maybe overlooking some of the opportunities to make some of those security
improvements that I see, but when we can get an application that’s using our software
development pipelines, that we have embedded security controls, we have better visibility,
we have better enforcement and ensuring that we know
what’s going into the cloud, has met a number of our
security standards, so to speak, it’s a much better
position for us to be in.>>Sorry, this notion of multiple clouds. I’m interested in how you handle that. You take separate teams,
is it the same team, sort of handling everything? And it’s a sort of follow-up on that is, I’m interested in your
relationship with AWS, and how that’s affected your business.>>So the security team does
not own the cloud environment, so to speak. That’s a secure DevOps team within our infrastructure organization, and they’re very close partner of ours. So yes, I do have resources
that are specialist in AWS versus other clouds, and others that are identity and access
management specialists, and are able to work on the
development of those patterns across different cloud environments. There’s nothing bad that I
can say about the relationship with our AWS partners. I think we’ve felt very supported, and understanding what we’ve tried to do, and introduce us to new services, and probably most importantly, introducing us to other customers that, you know, are a
little bit ahead of us in their journey, so we can hopefully not repeat any of–>>Amazon helping you with
the security piece as well. That’s something that they,
with the shared responsibility, are they working with you on
this, securing those workloads as you move to the cloud?>>Yep, we’ve definitely
leveraged their expertise.>>And you mentioned that you
guys kind of made a decision a few years ago to go all in on the cloud. How has that affected your business? What kind of results have you seen? Has it met expectations? Has it exceeded, you know, or behind?>>I mean, as I mentioned,
we do still have a lot of our technology on premise, but for the use cases
that have really seen that rapid acceleration,
the Agile practices have allowed teams to develop
code so much more quickly. I think the business
is generally delighted that their needs are
being far more quickly met than in the past.
>>So, let me ask ya. There’s a perpetual
line in the men’s room. It’s quite long. So what’s it like to be–>>It’s not long in the ladies’.>>I was going to say. I don’t think it is, ‘cos I would say the proportion of women
here is actually lower than even the industry, and
most conferences that we attend, so what’s it like being a woman in this male-dominated security business?>>I’ve been in it so
long that I certainly have grown a little bit accustomed to it, but not so accustomed
that I’m not motivated on a daily basis to bring more women in. I think that security just
has tremendous opportunities and certainly the marketing
of security professionals is hoodie-wearing, white male
kind of persona, just–>>And there are opportunities for women. What are some of those
opportunities for women who are STEM, science? Like my two daughters, all
STEM, love public policy, the sociology impact,
society impact that’s here. There’s a lot of range of skills, what are some those that you
would inspire someone to–>>I studied math as an undergrad. We didn’t have security back then. I’ve since gotten a masters’
degree in cybersecurity, so that’s cool, but I think
a great security professional is a great communicator,
a great collaborator. I need technologists, I need developers. I need process experts,
I need people that think very deeply about
insurance type controls, so we have tried to attract people out of other technology realms.>>And it’s just not just
math or computer science. There’s creativity involved,
there’s a lot of things that blends together all kinds of diversity.>>There is. I mean, I think about human psychology. We just totally transformed
one of the systems that we use for approving, for managers to approve the access of their people. The past system was
ugly, people didn’t know how to interact with it. I mean that user experience
expertise that overlaid, and how we developed our new platform just makes all the difference. Just make sure that it’s
actually a valuable process, I’m there like, “I’m so frustrated, “I’m just going to sign off
on this, ‘cos I give up.”>>That’s really
interesting, ‘cos of course you spend a lot of and effort and money on things that drive revenue, but this drives so much
productivity and business value that, not maybe direct
dollars, but clearly there. I have a question: when
you recruit people, presumably you tap your network, and it’s not just the
good old boys’ network, you tap in women, are
you able to successfully find women or young women in particular that you can attract and
recruit into your business, as security practitioners? Have you had much success there?>>So we definitely are
outpacing industry numbers, in terms of women in security. We have a long way to go. Historically, excluded people, right? Not just women, people of color, I mean we just have a long ways to go, I think it takes more than sitting back and waiting for a recruiter
to bring a slate of candidates to say, “No, I know
people, and I know people that know people,” and I
really have to invest myself and make sure that my leaders know that that’s my expectation of them. I mean, I think that we feel that the diversity of thought, no matter how that diversity is expressed,
is really important to doing the work that we do.
>>Well, let us know how we can help in Silicon Valley, and Dave’s here in Boston as well. Love to help get the word
out, so anything you need from us, let us know. Katie, thank you so much
for these great insights.>>This is terrific, thank you.>>And love to have you
on theCUBE again sometime, thanks for comin’ on.>>Very good.>>SVP, CISO at Liberty
Mutual here on theCUBE, extracting the signal, sharing the reality of what’s going on in
the security equation for cloud security. I’m John Furrier, Dave Vellante. Be right back, after this short break. (smooth music)

Leave a Reply

Your email address will not be published. Required fields are marked *