Being the chief information security officer (CISO) for a major supplier brings challenges: you’re working with people who understand your job as well as you do, and you’ve a large target on your back for an attacker.
Sitting with Stephen McDermid, regional chief security officer (CSO) for EMEA at Okta, he talks openly about maintaining a strong connection with customers and partners, and ensuring a smooth experience for all – something he has experience of, having served in senior cyber security roles for the likes of Salesforce and the Scottish Police force.
Inside Okta, he says he acts as the eyes and ears for company CISO David Bradbury, a role in which he engages with customers and helps them understand Okta’s concepts of security, offers support “and do all of the right things in terms of a company strategy”.
In terms of the customer, McDermid says he sees them very much as a partner of the company, in that they are given as much protection as possible.
“We find ourselves doing things that typically a SaaS [software as a service] provider wouldn’t do; if you’re a normal SaaS provider, you wouldn’t be proactively monitoring for attackers targeting your customer, but Okta does that because we know that if you know we have that visibility we can see it, and if we can stop it and alert the customer, then that’s going to be a good thing.”
This concept of a shared responsibility model was one that McDermid was keen to press, praising the work done by the company’s senior-level executives in enabling Okta to work with the security team to ensure corporate buy-in, and allow a more frictionless experience internally.
“I think ultimately security is still a people business,” he says. “Even though we have people who are incredible experts [working for Okta], ultimately, security is a people business. It’s hearts and minds. Even just being clear on why we’re doing things is important, because even though they might not understand it, it makes sense to do that, because it’s really about the road map.”
One direction
McDermid mentioned the Okta Secure Identity Commitment, launched in February 2024, which he says lays out the company’s mission, so that not just customers and partners know the direction of the company, but its own staff know what the company is trying to achieve and what the long-term vision is.
“I think it’s really important you explain ‘the why’ to people regardless of whether they are in security or not, because ultimately that will then allow them to kind of get on board and you bring them along with you, rather than just telling them to do something.”
One example he cited was the use of phishing simulations as a training method, to determine both preparedness and how it affects the user’s mindset.
“Like any organisation, we do phishing training and we measure phishing success, and we also send out the training and then literally, the next thing they’ll receive is a legitimate email asking them to give us feedback,” he says. “So it’s that mindset of knowing when it’s a good thing and when it’s not.”
Frictionless
He says that an aim of being more frictionless is to not force changes upon people “without them fully understanding it or why you’re doing it or what the end may look like.” This led to the formation of a security culture team, to ensure there is a focus on internal messaging and to measure and monitor that culture, as “ultimately, that’s how we’re going to raise and elevate the security bar that we have and continue progressing and making these improvements.”
He acknowledges the “department of no” label that security is often tarred with, and that saying no often works because it is “often the least riskiest option,” but he admits that attitude doesn’t help the business move forward, and doesn’t help customers either.
“So, the reality is, we have to be in this position where we enable the business and make them aware of what the risks are.” By keeping staff in tune and on side, they should feel more involved in the security road map and understand that where blocks are encountered, it is not about preventing them or slowing them down.
Attacks on others
That point on risks leads me to wonder: how does the CISO of a major cyber security company see the attacks on other companies, and draw learning points from them? McDermid says: “How we respond when we see these incidents in the press; we respond by looking at what happened, look at the threat actor and look at how we would have responded to that. That gives us an ability to think about these threats in a real perspective rather than ‘what if this happened’.”
He also said there is a period of self-reflection, thinking about what the impact on customers would be, and what questions customers would have for Okta. “That gives us a chance to prepare and analyse our own capabilities, and gives us opportunities to learn – we monitor these things and we can learn from it.”
McDermid says anything that affects customers would be a primary concern, and identifying such issues enables the company to address them immediately – for example, if a common vulnerability or exploit was used, or if an attacker was identifying targets in specific verticals.
In an industry as close-knit as cyber security, McDermid says that if an affected company were a partner or customer, he would contact them to offer any assistance, as “even just a second set of ears to bounce something off is appreciated”.
He is keen to stress the point that incidents can and should be learned from, and the key for Okta is a need to be transparent, “and that is where you earn trust – what happened, what you’re doing about it, what changes you’re making and I think that’s where I think you can actually learn from other people’s mistakes and then obviously try and elevate your own position.”
Some 12 months on from a well-reported breach of access tokens, Okta is taking steps forward in cyber security and is proving that the incident did not set it back. In fact, the company is now developing its role as a secure identity provider and as an enabler of cloud-based services, and its apparently strong internal core serves as part of that journey.