Commoditizing Cybersecurity: Shannon Lietz on Security Priorities at Intuit

What-ifs can be a powerful way for people to understand what is meaningful to them. That’s one of the main reasons I so enjoyed Fortinet’s “100 Coins” exercise about cybersecurity. Taking a page from national security exercises, Fortinet CISO Phil Quade asked a number of top security executives to imagine that they had 100 coins to spend across various areas of cybersecurity and then to catalog how they’d allocate those limited resources. Ultimately, the responses highlight what these security leaders and their companies value most in cybersecurity.

Recently, I had a conversation with Shannon Lietz, leader for DevSecOps at Intuit, about her views on populating a cybersecurity portfolio with a range of security products and capabilities, as well as her responses to the 100 Coins exercise. It was a fascinating conversation in which she explained her theory of how to keep up with cyber attack trends and how that informs her portfolio design. 

First of all, Lietz said that she loves to keep track of security industry trends and the problems that the industry is successfully solving and commoditizing, because it means she no longer has to worry about those problems in her role. In essence, she loves buying products that the business can implement. That’s what true commoditization means: the ability to implement a solution that doesn’t require a security professional to run. She prefers to spend her time in areas that vendors haven’t gotten to quite yet but where adversaries are very active, or in areas where a company has issues unique to it that vendors are never going to address.

The challenge in these areas is how a company creates the right solutions. Lietz is doing two things that are quite interesting. First, when she finds a solution that is too complex, she and her team turn it into a low-code system that can be configured and managed by expressing the rules or the configuration at a higher level of abstraction, and then translating that into the terms that are used to control the underlying solution. This achieves two things: unusable solutions become usable, and the complexity of the rules needed to do the work can be expressed in a simpler form. The result is that someone without extensive technical expertise can operate the solution on his or her own.

Secondly, she seeks out platforms and products that allow her to complete the job. For instance, if a solution comes as a product but also has a set of APIs and raw capabilities, she can use those APIs to write applications that leverage the solution, essentially productizing it in a way that offers full customization over the raw product she and her team received from the vendor.

This context about how she approaches her job is helpful in understanding her responses to the 100 Coins exercise. Ultimately, in her mind, her job is to be an active defense team leader who engages in heavy-duty risk assessment and tries to be proactive and stay ahead of attacks. Here’s how she applies that perspective to her 100 Coins selections.

Knowing What Is Most Valuable

During our conversation, Lietz said repeatedly how much she enjoyed the 100 Coins exercise, calling it “one of the most brilliant things” that she had done during the year. She said it was beneficial in part because the comparisons between her answers and those of the people she worked with sparked a variety of worthwhile discussions. 

For Lietz, the major takeaway of the exercise was the difference in mindset between companies that are solving for security and those that are focusing on compliance. She leaned much more towards security in that dichotomy. “As a security professional, some of the things that I might consider to be really high risk because of what the adversaries are doing just may not be on the top of somebody else’s list,” she said. “To see compliance and security squarely end up in different camps was really eye-opening.”

Lietz placed her coins heavily on areas where she knew there to be risk and where she was already confronting adversaries. She did this in part because she had a clearly delineated vision of her priorities, goals, and perspective on security. By doing so, she believes she can solve for 80% of the risks. She focused on the need to create rugged and resilient applications, in which the controls match the model. Additionally, there is a growing trend of moving to the cloud and so she prioritized cloud-related risks. 

“You need clarity, which comes from your assessment of what the threats are,” she said. “We’re pretty threat-intel driven. We study a lot of adversary behavior. Our general principle is we want to focus on covering 80% of the threats with our spend, we want to give precise instructions, and we want to make sure that we’re creating something that’s maximally resilient and doesn’t involve a lot of work-arounds to implement.” 

Lietz said that her team uses a “Security Hierarchy of Needs,” which is a five-dimension paradigm to empower security decisions. Those five dimensions are:

  1. Ensuring proper zoning and containment so that an application is scoped to the right environment with the right level of controls around it.
  2. Doing rigorous assessment to ensure that the company knows what’s in its applications and what the possible attack surface areas could be.
  3. Engaging in deception. “Even if you might get false positives with deception, if you build chain deceptions, it’s really hard to fake good intent. Being able to prove bad intent through deception is thus really helpful.”
  4. Having systematic authentication, which Lietz considers a mandatory first-line defense. 
  5. Having strong encryption, which helps to cover for other errors. “Even if you had bad authorization rules, encryption could help you because it’s a secondary authentication method,” she said.

With this hierarchy of needs, Lietz and her team are able to think about applications from a maturity standpoint and know how well an application will perform and whether it will be resilient against an adversary.

During the 100 Coins exercise, Lietz said she returned repeatedly to deception because of its ability to provide transparency into both internal and external adversaries. For someone who said she spends most of her time “looking ahead and trying to figure out what the emerging space is for adversaries,” this makes sense. “You want to know what the industry’s getting really good at solving, so you can know what you don’t have to worry about anymore. By understanding that industry trend, you can then understand the companies that are actually trying to join you in your quest to figure out what’s next. And there are also areas where vendors haven’t gotten yet or they’re problems for us but not for enough people to support a product. That’s where you spend your time figuring out, ‘As a security professional, how can I put it all together to prevent something that’s only our problem, which we will be best at preventing.’”

Ultimately, what was so refreshing about speaking with Lietz is that because she and her team have clearly defined problem spaces that are well-articulated and mapped out, they can approach the 100 Coins exercise and cybersecurity in general from a perspective in which they keep their own goals and challenges in mind. There’s no guesswork. They know what they need and whether or not there are products out there to help them address those problems.