The keys to managing identity risk: Insights from Craig Riddell, Field CISO at Netwrix

37:18 VIDEO

This episode of Code to Cloud features an interview with Craig Riddell, Field CISO at Netwrix Corporation, a provider of data security solutions for on-premises, hybrid, and cloud IT environments. Host Tim Chase and Craig discuss managing third party permissions, how your tools are only as good as your implementation of them, and why a single daily identity authentication isn’t enough.

Time Stamps

Why did COVID make identity a priority for businesses?
How do you navigate over-provisioning in identity management?
How will identity tools change in the future?
What does zero trust mean to Craig, and how does it play into the future of identity?
What’s the best habit an IT leader can have?
Open Transcript

[00:00:00] Craig Riddell: a modern identity practice really needs to look at truly reducing the risk to the business, not just managing the risk to the business. A heavy degree of automation, especially in the concepts of like movers, joiners, and leavers so that you can prevent snowballing permissions and then also needs to heavily look at third parties.

[00:00:17] Tim Chase: Hello and welcome to Code to Cloud. I'm Tim Chase, global Field CISO at Lacework, and here with me today is Craig Reell. Craig is field CISO at Netwrix Corporation, a provider of visibility and governance platform for on-premises hybrid and cloud IT environments. Previously, Craig served as director of Identity and access management at hp. He brings a wealth of knowledge and experience around modernizing identity solutions while reducing costs and improving security. Craig, welcome to the show.

[00:00:48] Craig Riddell: Hey. Thanks Tim. Thanks for having me.

[00:00:50] Tim Chase: let's just get into it and start talking about, identity. 'cause I think, over your career, like your focus and your specialty really has been around identity and I find that a lot of people, myself included, you know, tend to have, one or two aspects of security that they really hone in on and really. really love and have a passion for it. And, and it feels like, either that's yours or you've kind of fallen into it one way or another. But, can you tell me, a little bit more about maybe why identity was kind of forgotten prior to Covid? Like, I feel like it was one of those things we talked about, but we didn't put a focus on, and maybe the team struggled to get funding, but I think something happened in Covid that really made that change. what are your thoughts there?

[00:01:29] Craig Riddell: I think it was honestly, like you said, it was just a lost focus. it wasn't that it wasn't important, it just, you had bigger threats, and the business needed different things, right? So it was just deprioritized. I think it's pretty easy to see which companies had an identity strategy and which didn't. You know, whenever we transitioned during the Covid pandemic to a remote workforce, all of a sudden identity became the logical perimeter of your network. You had to start worrying about your employee's home networks. How were they accessing your systems, which devices were in their offices, all of these types of various things that could be an attack vector. it made identity a priority.

[00:02:07] Tim Chase: Yeah, that, that makes sense. I think, you know, kind of the whole workforce transformation, everybody being distributed really kind of put a, an immediate focus on it, right? When everybody was starting to work from home and they weren't coming in, into the office. but one of the things that I've noticed, as we've made that transformation during covid and after Covid, I think identity looks different than it used to. I remember, years ago when I was first kind of getting into identity. I worked at Nielsen and we were looking at things like SailPoint and CyberArk and some of these technologies that were out there at the time. that was kind of we were focused on. Right. And it was mainly on-prem shifting into the cloud. Right. And that was kind of of a newer thing even where the SaaS models, for identity didn't exist yet. So in your view and, and in your, perspective, like what does modern identity look like?

[00:02:53] Craig Riddell: the interesting thing to me is that all of those technologies, if you look at like a Gartner analyst report or something like that, they're all still. In the industry, but very few of them have actually innovated anything. They maybe bought some companies or something like that. But for me, a modern identity practice is heavily predicated on automation. I think, we have to look at things through a new lens, Just because you've spent money on something in the past doesn't mean it's still a worthy investment today. technology has changed, but we still have the same PAM solutions that we had when the market was invented 20 years ago. We're still rotating passwords when we know that that's not the best approach to, you know, authentication. And, I think a modern identity practice really needs to look at truly reducing the risk to the business, not just managing the risk to the business. A heavy degree of automation, especially in the concepts of like movers, joiners, and leavers so that you can prevent snowballing permissions and then also needs to heavily look at third parties. You don't see a lot of 30 year tenured employees anymore at, at these companies the biggest identity threat back in the day was how many permissions did this admin have because they've been here since the systems were built. Right. now we've got a third party user who needs, you know, some level of crazy access who's gonna be on a project for 10 days and then leave if you don't have a system that's able of controlling that access, verifying that identity, and then making sure it's removed. At the end, that's why you see so many of these identity, shops available on the black market, right? Being able to go out and just buy logging credentials.

[00:04:26] Tim Chase: can you dig in a little bit more on the automation part? Like I, I'm a big automation fan, DevSecOps guy, for way back obviously this is a little bit different, but the same 'cause we're seeing, I. focus on infrastructure as code, which is automation. There's security as code, which is automating some of your security checks. Obviously DevOps, integrating into the pipeline, like all of that focuses on automation. but when it comes to identity, like what does automation look like? what are the goals there?

[00:04:54] Craig Riddell: I had a meeting yesterday with a potential customer that is looking to do, that literally destroy and rebuild their environment on a weekly and then eventually a daily basis. I think for me, a heavy degree in automation means. If I hire somebody, I shouldn't have to go into any other system than my hiring system, whatever that is. You know, Workday, for example, if I onboard a contractor, that should be the only thing that I have to do. I should have an understanding of what that employee or contractor's job is going to be, what persona they fit in, therefore what permissions they need, what systems they need access to, and I should have a privilege orchestration platform that's going to give them. Number one, it's gonna validate their identity. Number two, it's gonna give them just the amount of permission that they need to do whatever their, work is fully Automate the identity creation, the authentication workflow, all of those things. And then also give me that immutable audit trail so that I, I know exactly what happened in those sessions.

[00:05:50] Tim Chase: Yeah, that's a great way of looking at it. You want it as hands off as possible so that you just, Click a button or you've got somebody starting and you've got your HR system that kicks off the creation, which then kicks off all the identity stuff. You know, your, your Slack and your email and everything that you need access to the same thing kind of applies to like cloud technologies in general. Like when people are going into Azure and a w s, they've got all these, permissions that they have, the entitlements that they can do in the cloud providers, and then maybe they leave or maybe they change roles and all of a sudden, they still have all those permissions hanging out, and that's just security risk, right? Because from a security perspective, you just maybe even dig a little bit deeper. I'd love to get your thoughts on this. It's a security risk because maybe not that particular individual right? May never do anything nefarious but if their identity is compromised and they're over permissioned, Then all of a sudden they can do all of this other stuff. Right. Is that kind of where you see, a lot of the, the risk.

[00:06:46] Craig Riddell: Yeah, absolutely. one of the biggest things is, how many times have you seen this? You have a, an account that runs a job or you know, is used to launch an application. You're setting it up. You've got 15 other projects on your plate that all have to be done in the next 45 minutes, and you're having an identity problem. Well, if you give an identity enough level of access, that identity problem just goes away, and you have the best intention of coming back and fixing that thing that you know you over-provisioned forever ago. It never happens because the next day you've got another 15 projects and another and another. Right? So you are absolutely right. I think the backend of that whole automation is breaking apart. Authorization, authentication and really understanding that I. Just having a multifactor authentication check in the middle of the day, or, or at the beginning of the day, does not mean that your identity is now validated for the next 24 hours, right? We need to be looking at things like user behavior analytics. We need to be looking at things like adaptive authentication. If you move into a certain risk profile, all of those things. There is no silver bullet for identity. like we were sold by some vendors maybe a few years ago.

[00:07:54] Tim Chase: Yeah, absolutely. And do you find and maybe it's, can be, you know, different in different organizations, but do you find like to really get identity right in a modern. landscape that you have to have a dedicated team for identity. Is it something that you see other people, take on amongst other things like, you know, their their G R C program?or do you find like a dedicated identity team is really needed or person.

[00:08:15] Craig Riddell: I think definitely identified identity team at scale. I mean, I, I think maybe if you're, if you're dealing in the mid market or certainly in the s b space, you definitely don't need an identity team, but I would recommend, you know, At least consulting with somebody or hiring somebody that has some sort of background and identity so that they understand, you know, even the basics of like what good password hygiene is and, and all of that type of stuff. but at scale, yeah, I think you have to have it. And I think it's actually a step further than that where you had this like central silo of cybersecurity professionals that were kind of your traffic cops of what could and could not happen in your environment. Now with this rapid adoption of cloud and things like that, the standard provisioning process is gone. So the traffic cops have kind of lost their ability to, to slow down traffic. It's more important than ever, especially as an identity professional, to interface with the business, go out, understand what they're trying to do, why and how they're trying to do it. Because it, I mean, it's, a proven metric. It's more secure and cheaper if we can get it built in versus bolted on and post.

[00:09:19] Tim Chase: Yeah, that makes total sense.shifting just a little bit, you know, one of the things I think probably just like with all of security, we, we love. Acronyms. Right. you know, there's C S P M and k Ss p m and, all, all sorts of stuff. Identity is, is not immune to that. I feel like, you know, you've got, I a m and iga, A and I DSS and like all of this different stuff, that's out there today. And so like when, when somebody's coming in and wanting to start this identity program, like. they could maybe be a little bit intimidated, like, do I need all of this? What does it all mean? So maybe, can you break down some of the, the acronym soup? Like what are, what's some of the most common acronyms that we talk about, in identity today? I.

[00:10:01] Craig Riddell: Sure. I would say, you know, i g a is probably a big one. Identity governance and administration. You could look at that as from the time an employee starts till the time they retire, get fired, as they move through the company, get promoted, anything else that is going to control their access and, who and what they are, what systems they have access to downstream. I a m is the field that we're in, identity access and administration. and then you've got some that are kind of confusing to even some identity professionals like Pam and pim. privilege Access Management and Privilege Identity Management. good luck finding somebody who can give you a, a real solid definition in between those. And then now you're starting to see a blend of Pam and I g a and you're seeing POM which is privilege orchestration management.

[00:10:47] Tim Chase: Oh, that's a new one.

[00:10:48] Craig Riddell: multifactor authentication, m f a, you probably hear that a lot. Single sign-on s s o. You probably hear that a lot. you know, I think those are probably , the big ones in the, in the identity market. But of course, like you said, you can go down a path of there's, no shortage, especially as you get into vendor specific acronyms too.

[00:11:05] Tim Chase: Do you think eventually over time,some of these things will, come together? Like if I look at, the cloud space and what we're seeing in cloud security, like a lot of people are wanting to get all their cloud security in one place, right? they don't wanna have seven different tools. They don't want a C S P M tool and then a compliance tool and then, you know, a workload protection tool. Like they don't want all of this kind of separate, they want it together. So do you think that it's always been a little bit confusing to me that, like your privilege, access tools and your identity governance tools are separate and they maybe taught together, but I'm like, why wouldn't they just be one tool? Like, I don't understand why you need two. So do you think some of these will eventually, merge together and, and like I think c a is obviously what we call it in the cloud space. So I'm just curious, like, you know, do you think identity will kind of go through that same transformation in the next couple years?

[00:11:55] Craig Riddell: I do, I think, if you just look not even at the technology, if you just look at what's going on in the market, right? Like Toma Bravo bought pinging, they own SailPoint, they own BeyondTrust back in the day. you look at Okta who bought, scale FT and now they have their advanced server access. networks, we have an identity suite that, that encompasses all those areas that we talked about before. I think even if you look at like the reseller and the staff org space, they're all starting to build boutique identity firms that, focus specifically on that because identity touches everything from the end user to the most complicated critical application. We have to know how all of these different workflows work. So it's a very hard skillset to staff with and collapsing some of these tools down and making them to where you can have one engineer to run, you know, multiple things, obviously helps. I think the other side of it too, have you looked into the cybersecurity mesh architecture, frameworks at all?

[00:12:56] Tim Chase: Mm-hmm. Sure. Yeah. Yeah.

[00:12:58] Craig Riddell: think that's a really interesting concept too. Running a lot of these tools, headless and maybe you have, at at hyperscale HP size, stuff like that, you're going to buy. Probably best in breed type of solutions instead of one solution that can cover a ton of different use cases. but being able to run all of these various solutions integrated through a single orchestration platform or have a single reporting dashboard, I think is becoming more and more of a requirement. So, you know, integrating everything through ServiceNow and not actually logging into the backend, unless you're tuning it or something like that. Is a good example of that.

[00:13:37] Tim Chase: No, that's a, that's a great point. You know, I just had a conversation with a customer yesterday where, they were really wanting to dig in, like on our APIs and the CLIs and what they can pull from the command line. 'cause he's like, you know, maybe some folks on a smaller scale will log into the UI and do things through the ui. But like we take all of this data and we run everything orchestrated and we need to have it, run through the command line because that's how everything works on the backend. they don't use the ui. So obviously using something like a ServiceNow to drive all of that is a great point. I think especially with the larger organizations, that's kind of where they're headed. what about cloud? So I've mentioned it a couple times, but I'll throw it over to you. Like, how has Cloud changed identity and how we think of the identity? I.

[00:14:18] Craig Riddell: massively, right? I mean, we used to be a stop on this provisioning process where, you know, we could make sure that whatever identities were on this server before it got racked and turned on with the right identities, with the right permissions and all this other stuff. And now we're, combating against things like pre-configured workloads being launched from marketplaces. You know, who knows what's on that stuff. Things being utilized out of public repositories, all of these things. So it's not, only, identity as a proactive practice anymore, it's a reactive practice and it's a day-to-day scanning, making sure that you don't have admin sprawl. just, the flat out, nature of cloud networking makes those types of transitive trust attacks and east to west, type of movements. Way, way easier than, a physical network where you could set up, you know, ingress, egress points and all of that type of stuff. So cloud massively changed the game. and then now we've got this fun new identity type of, you know, r p a, so robotic process automation,

[00:15:19] Tim Chase: yeah, yeah. Yeah.

[00:15:20] Craig Riddell: Not quite interactive, but also not quite non-interactive. And it's a whole fun new thing that we get to try to figure out how to lock down appropriately. Right. So it's, great. It, it definitely keeps you on your toes.

[00:15:32] Tim Chase: R p a is always interesting to me 'cause it just reminds me back in my days of, doing testing. I used to do automated testing, you know, 15, 17 years ago, and I'm like, We used to do that back then with Selenium and,

[00:15:44] Craig Riddell: yeah. Mouse macros.

[00:15:46] Tim Chase: and my smack. And I'm like, I'm like, is is that just like, is r p a like the newer version of, of that? But they've got some really interesting companies. 

[00:15:55] Craig Riddell: I saw that meme the other day that was like a sailboat, you know, going across and it was like, look, wind powered boats. And I was like, yeah, great. Right. 

[00:16:02] Tim Chase: Yeah, exactly. That's right. It is full circle. That's what I'm finding a lot. which is super interesting. it still confuses me, but, speaking of, of confusing, Because we haven't thrown enough acronyms out there between R P A and i A M and I g A and everything. Let's talk a little bit about Zero Trust, right? 'cause that's one that I think everybody's talking about. You go to the trade shows and you see Zero Trust everywhere. like what do you think zero Trust means? 'cause I think it's an identity concept at its core. it is a security concept, but I think, I think it really connects. Into the identity concept and securing the identity. So like what, what does Zero trust mean to you and, how do you see it playing into kind of the future of identity?

[00:16:42] Craig Riddell: Yeah, I think, you know, any of my colleagues who happen to listen to this are probably gonna laugh right now. 'cause I absolutely just despise the phrase zero trust. I think it's exactly like what you said, it means something completely different to every single person you talk to. but from an identity perspective, I think you're right. I mean, when you talk about trust, my natural kind of, Word association is with a person, right? So I think zero trust in an identity framework means are you really who you say you are? Should you really have access to the system you say you need access to? And do you really need the level of access to that system that you requested? If I can validate all of those things and continuously validate all of those things, I think then you have a pretty solid identity Zero trust framework. But if you only validate those things at the beginning of the day, which is a pretty common configuration that I see, if you only validate those things at the beginning of a session, then I think that you've started down the zero trust journey, but you haven't gone all the way there. You need continuous validation, and then you need a post validation because like I said, there's no more provisioning process. So your tools are as only as good as. Implementation. Right. If it's super easy to bypass your PAM solution by, say, dropping in an s s H key and bypassing it every time instead of going through it, your engineers probably have the best of intentions. They're just trying to get their job done, but they just created a backdoor through critical security tool. So having that trust but verify kind of mentality on the back end of it and continuous authentication and rechecking of, of all of those three things, I think is critical. I.

[00:18:22] Tim Chase: Yeah. Zero trust is one of those terms that. it's like CSS B to me. Like, there are six different definitions of a csb and, and I don't know that anybody can agree on it, right? But I think ultimately it comes down to at least a concept and the concept being, you know, that they wanna secure, all of the applications that an end user uses, You can work anywhere. How can we be sure that people are logging into, you know, Salesforce securely, how can we be sure that they're logging in to the cloud providers securely? Right? It's kind of like an always on, like a modern, always on V P M kind of is how I envision it anyway. and then identity is obviously core to that. 'cause, you know, the Zero trust may provide like the framework of how to connect, but the identity is like, okay, once they connect, what can they do and how do we manage that? 

[00:19:10] Tim Chase: well let's, let's talk a little bit about, you, You're a field CISO today, but you used to run identity for hp. Can you talk a little bit about your background there, like what you did and how you started doing identity for hp?

[00:19:23] Craig Riddell: Yeah. it kind of happened through Covid, honestly. I was working with Trend Micro and I was, traveling around a decent amount, globally, and I. Then obviously travel stopped and, Joanna Burkey, who's the CISO at hp, her and I have had a, a pretty conversational relationship and she's been a mentor to me for a while. And, they had a, a massive issue around identity. identity was a part of supply chain. They had multiple IDPs through, organic and inorganic growth, Just segmented teams, and still kind of trying to clean up a lot of the dirty space from when HP separated into the multiple different companies. so came in, evaluated the business and then started making business cases, you know, it's not often in cybersecurity that we have the ability to show an R o I on anything, but being able to, collapse down, you know, 16, 17 different IDPs into one. That's a pretty tangible r o i, you know, looking at collapsing, you know, the identity team and the customer identity team, into a solid stack. You know, we've, looked at a lot of different things like that, but I mean, really at HP it was about increasing efficiency, reducing cost, and then they actually had. In my opinion, one of the most impactful, purchasing processes, there's a gating function where you actually have to get acceptance from a user community. So, they challenged us to go out and do better, and we did.

[00:20:43] Tim Chase: That's awesome. I, I love that like sometimes the identity projects, aren't always successful. Like, I don't know any other way to say that. Right. I've been a part of some and I've seen some that just bombed, right? 'cause it was hard. it required all the different teams to work. Like when you're trying to configure how to grant access to applications that maybe, don't have Skimm and, just in time and all of this kind of stuff already integrated, it's like, then you gotta build it or you've gotta make, you know, build calls to kind of manually do the identity part. So like, I'm, I'm glad to hear that hp, that it was successful there. And so, that obviously led you to, being. A field ciso, today at Netwrix. And so, tell me about that. Like how did that transition happen? 'cause obviously running identity to being a field CISO is an interesting one. So what made you wanna do that?

[00:21:29] Craig Riddell: I've been a fan of ephemeral access, if anybody hasn't ever looked up Netflix, bless B L E S Ss. It's a very interesting use case. They published it. I've been a fan of that ephemeral access type of solution and approach for a long time. When we were at hp, we were challenged by that employee experience team that I was talking about, to go out and find a better privilege access solution for cloud workloads. Something that works well in dynamic environments, lightweight, it doesn't have this monolithic architecture, stuff like that. I came across, Netwrix and Martin Kinard specifically who built the n p s solution that we have today. it's based around ephemeral access. And I think it's where the identity market is going, but I also think that there's a large degree of, education that needs to happen. You have a lot of very established vendors who aren't quite ready to let go of those revenue streams of. this old way of approaching identity and they have a lot of influence and going out identity is one of the few things that there's not really a good degree program for. There's some decent certifications for, but you have to decide, like you're probably already in your career and then you're like, ah, I guess I'll go give identity a shot, or, you know, whatever. so the education piece is, is really, important to me. as a leader, I love talent cultivation, you know, helping people grow in their career and stuff like that. So, coming over and, and transitioning into this field CISO role, it gives me that platform to go out and, you know, talk at conferences, do podcasts, stuff like this, and kind of talk about, hey, there's a, a lot of different ways to approach identity. You don't just have to shove stuff in a vault and rotate it. so let's talk about that.

[00:23:14] Tim Chase: Oh man, that's, that's awesome. I had not heard of that Netflix. open source. I'm gonna have to look into that, a little bit more, but I, I like the idea of kind of the ephemeral nature, of stuff. But, you know, today where you're at, in the field CISO role, like what are your kind of day in and day out responsibilities and what are you most concerned about, in, in your role?

[00:23:34] Craig Riddell: It is kind. I kind of have an interesting role because I don't really align in sales and I don't really align in product. I get to go out and just talk to, you know, our strategic customers that we already have. I. Some prospecting, a lot of conference type of stuff, a lot of, you know, writing papers and putting content out, but then also taking that feedback, back to the product side and say, Hey, look, you know, here's what our customers are looking for in an ephemeral access solution. Here's what their concerns are. Switching from a, zero standing privileges or switching to a zero standing privileges or zero standing accounts type of approach, versus this, you know, static shared account type of approach. Making that easier, hearing their pain points, and like I said, collapsing down product lines. The last thing I wanna do is go into a, a company and, sell them 15 things that do 15 different things. I wanna be able to say, you know, Hey, look, here's how you approach orchestration, whether it's privilege or third party, or, whatever that happens to be. I've lived a lot of those pain points on the practitioner side, so now coming over to the product side and kind of getting to influence that has, been really, really fun.

[00:24:42] Craig Riddell: It seems like it goes back to what you mentioned previously, which was about the education part, right? Like, in your role. It seems like, whether it's by the conversations, the blogs, the conferences, it's kind of about educating, people on identity. 'cause I think it's somewhat that way for the different aspects of security in general. Like I. We're to the point now where you can get a degree in cybersecurity. I mean, five years ago, there were some, but it wasn't like they were everywhere. but if you look at the cybersecurity degrees and, education that's out there, they're very just high level, right? Because they don't dig into any certain discipline. I, I remember when I was getting into cybersecurity, I was a little intimidated 'cause of all the, you know, do you wanna do physical security vault management, G R C apps, set cloud security. network security. Like, you're like, oh, holy crap, I can't do it. All right. but I think that, roles like yours and mine where we get to talk about this and educate, it's one of my favorite parts of my job too. It seems like your role there that kind of really feeds into what you like to do. Absolutely. Have you ever heard of a charity called Mission Bit?

[00:25:38] Tim Chase: I have not, no. I like what is that?

[00:25:40] Craig Riddell: So, when I was at hp, there was an engineer who worked for me, his name's Angelo Colon, who did some work for them. and we ended up kind of launching an identity focus with them. Fantastic charity based outta San Francisco, but I think they have, chapters now in Texas and a few other places. The whole concept is, and, and I'm a firm believer in this, Degrees are great, don't get me wrong. But cybersecurity is kind of a binary function. You either know it or you don't. you don't have to have a degree to do this. You could get certs and stuff like that. So their whole premise was originally taking inner city youth and teaching them how to sell cybersecurity. then they partnered with some of the bigger technology companies in the Bay Area, and they started teaching cybersecurity, you know, principles of, you know, identity principles of, how to be in a soc, threat assessment, vulnerability management, all of these compliance, all of these various different, practices. But, uh, yeah, shout out to mission bit. They do a really good job, and I think it's something that we should talk a lot more about. You know, we talk a lot about the cybersecurity shortage and staffing, but we only recruit heavily from universities. Like we're missing a massive talent pool.

[00:26:44] Tim Chase: Oh, I agree. so much like, I, I'll be honest, like when I fill roles, I don't look at the degrees, right? Like I look at their work experience, what they've done, what their interests are, but I. I couldn't tell you if anybody on my team even has a degree. I have to, totally honest. and some of the, some of same as some of the best people that I've worked with. thinking back even to my Nielsen days, I know didn't have a degree and they literally started at like a, a, a cable provider doing network work and then they just learned, oh, I'm pretty good at networking. Oh, I'm pretty good at knowing Linux. Well, if you're good at learning Linux, like you ever thought of hacking Linux? Oh, well, no. Let me learn that. Right? And so, like I agree totally. Like I love the idea of, finding those people that maybe have an interest or a skillset that could be, tuned in it. And I love the mission bit. I'm gonna look more on that, here in a little bit because I think that's a great idea. So I'll, I'll look more into that, But,how do you like to bring people into the, to the fold? Obviously you like to do teaching and things like that. So how do you like to mentor or what advice could you give to people even that maybe want to get into the cyber, security world?

[00:27:47] Craig Riddell: Literally ask somebody. I don't know very many cyber professionals, especially at like our level in a field CISO role or something like that, that aren't willing to help. I. Once upon a time, I, I had no business being in, in cybersecurity and, and a guy gave me a job and I just kind of ran with it. Right. I think that it's a massive disservice in an industry that has a negative unemployment rate to not reach your hand back down, you know, and, and pull somebody else back up. But as far as like how I like to do it, I like to find out what motivates people. Is it just the technology? Because we can certainly nerd out on the technology for hours. Is it financial? Because there's a ton of money to be made in cybersecurity. you know, what motivates you? And then I can kind of help push you in certain directions. But the thing that I tell people, when they first start talking to me, especially if they're early outta college or, you know, have no college new, in the industry, whatever is. Do as much as possible. Say yes to as much as possible. Get on all the projects that nobody wants to be on and get exposed to everything because you'll find something that interests you. And that was identity for me years ago. identity at the time that I got into it, it wasn't the cool thing to be a part of. It was kind of like, oh, you're the identity guy. Go, go away. You know? So, find the job that interests you. or at least find the job that you're motivated by and then dive deep. I've seen too many people who get, obsessed with something that they're not really interested in. They just need to figure it out, and then they build a career around it and 20 years later they're like, oh man, I hate my job. So don't, don't do that.

[00:29:21] Tim Chase: Or they wanna be a hacker 'cause they watch Mr. Robot and they're like, that's what I wanna

[00:29:24] Craig Riddell: Yeah, yeah, yeah.

[00:29:25] Tim Chase: and I'm like, do you like, do you know what that means and how many hours you'd

[00:29:28] Craig Riddell: Are you sure?

[00:29:29] Tim Chase: Yeah.

[00:29:30] Craig Riddell: Yeah.

[00:29:30] Tim Chase: You know, so, but I think that that's great advice. Like, what motivates you? do you like the risk side of the house? Do you like, doing the audits like if your passion is, you know, I can do really well in Java and Python. Well, let's talk about that. Take that to the next step. 'cause I'm, I'm with you, like I said, of identity. My path was, AppSec, right? And so it wasn't cool at the time either. It was like back in the early two thousands, when nobody was really doing AppSec. Well, I mean, OASP was around and things like that, but it wasn't. Cool. And it wasn't a priority. and, CISO kind of took interest in me, as well. I was like, you wanna do it? Do it, man. Like I'll let you do some, AppSec testing and do some SQL injection, testing with the app. So, I think that's kind of a very similar thing. So that, that's great advice. Um, so, what would you say is the biggest learning, of your career?

[00:30:18] Craig Riddell: I will give you an old school example that I think some of, maybe some of our, Linux engineers or something like that will. I was doing a, disc replacement on a drive. And you know, this is, for anybody who knows Dunning Kruger, I was very firmly on, on Mount stupid and I thought I knew what I was doing and I didn't check, I didn't flash the lights. I just told the guy, yeah, go ahead and pull the drive. And he pulled the drive on the wrong box and it just so happened to be the G p s transportation servers for. One of the largest retailers in the world and all of their semi-truck lost g p s for, about eight hours. And it was, very, very bad. So I guess my lesson learned on that was, It doesn't matter how good you think you are, you can be in hot water really quick. It's important to double check. and now I do, I double check everything. I don't push enter on a, on a text message without making sure that it's, you know, good to go. , Linux will teach you the hard way.

[00:31:18] Tim Chase: Oh man, Linux is not forgiving, man. Like Windows, you know, it's a little bit more forgiving with what they let you do and, being able to undo. But man, I. You can hose yourself in Linux and just completely lock yourself out of your account and lock the entire computer outta what it's meant to do. So, there's good and bad to that. That's great advice. so let's wrap up with some rapid fire questions. so the first one, and possibly the most important question I'll ask on the podcast, since you're from Texas, what's your favorite football team? College or pro, or both?

[00:31:48] Craig Riddell: Ravens for pro, Arkansas for college.

[00:31:51] Tim Chase: Whoa. Okay. That, took me by surprise. So go. S e c for sure. nothing wrong. I like the Razorbacks. Good stuff. the next one may be, slightly less important, but, uh, what is the most important habit that you think an IT leader can have?

[00:32:05] Craig Riddell: I'm gonna answer that question in two different, in two different ways, habit that they can have for themselves. One of the most impactful things and, and something that changed how I approach my day to day is by just literally setting my intentions before I log in for work and return my first email or message or whatever, So, Setting those out. Here's my things that I cannot bend on. Here's the things that I can be a little bit flexible on because I know I'm gonna have a million fires pop up. and then the other thing that I would say is take a Toastmasters class. Do something, get used to communicating. The biggest hindrance that I see when people are trying to take that next step is not being able to do this. Talk to a person, talk to a room of people. Talk to a room of a thousand people. Doesn't matter what it is. At some point, if you know your subject at a high enough level, you're gonna be asked to talk in front of somebody. It'd be really great if you weren't, you know, freaking out when that happened.

[00:33:06] Tim Chase: Communication. I love it. that is very key. especially in our roles, that we have. excluding your own, what is the one tool that you can't live without?

[00:33:15] Craig Riddell: I'm gonna say my email filter because the amount of span that I get on a daily basis is just insane.

[00:33:21] Tim Chase: it is insane. You wanna buy our product? yes. I would agree with that. and last question. what one tip would you offer listeners to increase their cybersecurity? 

[00:33:31] Craig Riddell: Oh, to just like help increase their cybersecurity, awareness or posture. I would say literally go engage with your business. As cybersecurity professionals, we have this really bad habit and I've definitely found myself in this boat. Why don't they just understand my process? Why won't they do what I tell them to do? You know, those types of things where I expect them to reach out to me, but I never reach out to them. It has cleared so many roadblocks to me, whether that's, you know, going through the financial procurement process, whether that's onboarding a new tool, changing an existing process or procedure. getting invited to social hours, you know, it doesn't really matter. Personal professional development. Engage with your peers in the business. You are not operating in a silo anymore. I see more and more companies decentralizing their cybersecurity teams and making champions in various large bus. Be that advocate, be the ally. Go out and engage with your business partners. Try to understand what they need, why they're doing things the way they are, and I bet you can find a cybersecurity solution that's gonna fit in cleaner. It's gonna give you a, better outcome, and it's probably gonna save you a lot of money.

[00:34:39] Tim Chase: Perfect. I love it. I could, spend another 30 minutes talking about that, I, I wish we did have the time, but that'll do it for today. thanks for all of our listeners for tuning in. Do you like the show? Please take a moment to subscribe, rate and review, and we'll see you next time on the Code to Cloud podcast.

About the guest

Craig Riddell
Craig Riddell

Craig Riddell is Field CISO at Netwrix Corporation. He is a multiple award-winning Director and Strategist in Identity and Access Management. Craig joined Netwrix in January 2023. Prior to joining Netwrix, Craig was responsible for all of Identity at HP. He brings a wealth of knowledge and experience around modernizing identity solutions while reducing costs and improving security. Outside of work Craig is an avid reader, semi-retired rugby player and loves spending time with his wife and daughter. Craig is based in Houston, Texas.

Try Lacework for free

Spot unknowns sooner and continuously watch for signs of compromise. Take us on a test drive to see for yourself.