CISO of Fortune 35 company talks 55 million alerts – CyberTalk

EXECUTIVE SUMMARY:

Thomas Dager is the CISO at Archer Daniels Midland Company (ADM). He develops, implements and monitors a strategic, comprehensive enterprise information security and IT risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by the organization. Previously, he was with Delta Community Credit Union as an audit committee member.

In this edited interview excerpt from the CISO’s Secrets podcast, CISO Thomas Dager shares insights into managing alerts, IoT, growing cyber security programs and artificial intelligence.

Take us through your journey. Talk to us a bit about how you got to where you are.

I had the great fortune, after I left the military and went into law enforcement, of working in white collar crime or computer crime during the early days.

And that piqued my interest, as I’d always been a bit of a computer geek. The two just kind of gelled really well. At a certain point in my law enforcement career, I looked forward and asked myself, ‘What do I really want to do?’

I made that leap from law enforcement, back into IT. After about a year or two of doing a traditional networking kind of job, I landed in Secureworks – before it was Dell Secureworks.

While there, I had the opportunity to delve into all aspects of security. I eventually became the Director of Security for a security company, which is a unique position to be in.

A lot of that helped formulate my vision and viewpoint as I grew in my career and eventually landed at ADM…

In two consecutive years during your tenure at ADM, you were recognized as a top global CISO by a cyber defense magazine. That’s pretty impressive.

Well, I appreciate that. The honor really goes to my team. I am just their humble servant and leader. I believe that my accomplishments couldn’t have been done without them. So, it’s really a recognition of my direct reports and the leadership that they have driven across the greater cyber organization at ADM. But I appreciate that, thank you.

You joined at an early stage of Secureworks’ development (subsequently Dell). You were also ahead of the curve when it came to Security Operations Center (SOC) development. Talk a bit about the dawn of SOC and subsequent market saturation.

When I first joined Secureworks, it was literally four folding tables in a square. We used to ‘hot-swap’ seats on computers in our SOC center. Early days, it was startup…We were still manually creating and collating tickets…

If you weren’t there in those early days, the manual processes are probably just ‘unthinkable’ to anyone who runs a SOC today. The sheer volume of information today…I mean…

It really fostered a deep knowledge of how those things work, of how attacks worked at the time, of what matters and what doesn’t…You know, some of this has changed over time. We’ve gotten smarter and faster…

But having had that formative experience, and then continuing my journey in cyber security has really helped me gain an appreciation of and insight into how important a Security Operations Center is.

I am sitting here and kind of pondering and thinking about alerts, and being able to really have the time to delve into them…

Here at ADM, just last quarter, we had 55 million alerts. They’re, of course, run through a series of filters, both manual and (mostly) automatic, to get down to an actionable set of incidents that we can investigate.

But again, that visibility – just the alerts, they’re growing in volume. And as we bring more tooling online – internet of things, manufacturing companies adopting smart tools – one of my internal mantras is ‘you can’t protect what you cannot see’.

If I can’t see it, we’ve got a problem. You just get that sheer volume of information that comes in. And it takes expertise and dedication to really build those use-cases…

I have a great director over at what we call Global Cyber Defense Operations and he uses an internal threat intelligence team that helps inform what our best-case use-cases should be…he’s continually evaluating that on a literally constant basis.

It just boggles my mind when I talk to the team, and say ‘what are you working on today?’ and get a sense of what they’re investigating…Internally as a CISO, I’m only seeing the tip of the iceberg. But that’s where you trust your people.

What a transformation you’ve been at the height of in terms of the IoT phenomenon…

Absolutely. Not just IoT in the sense that we talk about today, but regular old OT.

When you really think about a manufacturing plant, you have traditional OT. I’m talking about your PLCs and your SCADA systems environments, but increasingly, there’s also IoT that’s layered on top of that…Or there’s a value-add to using certain tools, that we wouldn’t have thought of previously, that are internet-connected today. The explosion on both the IoT and OT sides of things has been dramatic.

For those readers who don’t know who we are, we’re a Fortune 35 company. We’re one of the largest companies in the world. About 70% of what the average person eats or drinks contains something in it from us. While we’re not the traditional target of a Microsoft, Amazon or Walmart, we’re part of critical infrastructure when it comes to food.

If we have a major incident, the downstream impacts to the supply chain, as it relates to food (human and animal nutrition) could be substantial. It means that we have to monitor, across the globe, all of these cyber threats that seem to just come out of the woodwork, all the time!

One of the things that I’d love to hear about is your view on AI. What’s your position on AI? What do you think of it?

…We’re looking at how AI can assist analysts; helping them action an incident faster, and things of that nature. We’re looking at ways to leverage AI in order to help people gain efficiency within their jobs, and access information more quickly…but we do want to contain that within certain guardrails, because we don’t want sensitive information to be out there in the public domain.

But when I think beyond that…

For the full conversation, listen here.
