It was our distinct pleasure to speak with the originator of the “Virtual CISO” (fractional security chief) concept, Barak Engel, for this thought leadership profile and review of his upcoming book, The Security Hippie (to be published by Routledge in 2022). Barak has served as security leader of dozens of major organizations, such as Mulesoft, Stubhub, Amplitude Analytics, and many others. The Security Hippie follows his previous title, Why CISOs Fail, a sleeper hit that earned a spot in Palo Alto Networks’ / The Ohio State University’s prestigious Cybersecurity Canon project as a leading text on the topic of information security management.
So what does pioneering the virtual CISO concept look like in practice? Barak is the Founder and Chief Geek of EAmmune, a boutique information security firm with a proven track record of advising, developing, and implementing security programs tailored to all sorts of organizations’ individual needs. Clients are enabled to manage risk, achieve technology objectives, and meet their compliance obligations efficiently and with the minimum possible business disruption. The goal is to help each organization derive the greatest business value from its information security investments.
This thought leadership profile reviews the truly excellent and unusual The Security Hippie, and examines the stories and insights that define Barak Engel as an out-of-the-box security thinker and leading voice in his field.
A particularly nasty trojan had just escaped his sandbox, and Barak Engel feared his infosec ambitions had ended before they’d begun. He’d envisioned serving multiple companies as a "virtual CISO," building and managing their lean information security functions for optimal efficiency and minimal business disruption. But then he watched with a mixture of horror and fascination as the trojan, seemingly defying the laws of computer science, crept into the network and blasted itself into the inboxes of his friends, acquaintances… and potential clients.
To prevent exactly this situation, he’d created the sandbox with a Lenovo X60 laptop. That old 2006 model had a wireless hardware switch customized for network security. When clicked, it would keep the laptop disconnected from WiFi, Bluetooth, radios and any other external medium, providing the ideal safe malware-testing environment. As such, he’d loaded the wicked new trojan and connected it to his address book to see how it would behave. And then, impossibly, it broke loose. Barak jumped out of his seat. His laptop jumped with him, clamped onto his shirt by the wireless master button. It would have been funny if it weren’t so bad.
That shirt-snag had effectively switched his private sandbox into a public beach party for malware. Swallowing his pride, Barak composed an apology email detailing the silly mistake and then hopped onto a job site, certain his information security ambitions had just died in the cradle.
But then the damnedest thing happened.
“I had a couple of these people I’d just infected with this horrible trojan convert into customers within a few weeks, which was insane,” said Barak, a graduate of Israel’s Technion University. “And it turned out the reason was because I was just so plain and honest about such a silly mistake. People make mistakes, even experts, and I related to these CEOs as people. That lesson (of the power of honesty and relatability) has carried with me ever since.”
The sandbox story is but one of the many lessons in the dark arts of information security management that Barak shares in The Security Hippie, lessons that remind us that CISOs are, more importantly than IT experts, people. Drawing source material from the frontlines of the evolution of infosec, Barak shares relevant personal experiences that are by turns illuminating and thought-provoking while being funny and engaging, and always informative and well-written. The Security Hippie offers a confessional-style memoir that emphasizes the human aspect of information security, providing CISOs actionable insights for unlocking next-level performance. You’ll laugh, you’ll cry, you’ll re-examine your information security management system design and implementation.
Like other great counterculture authors before him, Barak takes his readers into new territory on a journey paved with personal experiences. Courageously displaying the good, the odd, and the downright embarrassing moments of his career, Barak spins a yarn that showcases the soft skills and strategic business mindset needed to elevate this traditionally IT-focused profession. Today’s CISO cannot thrive in an IT sandbox sealed off from the business they are charged with protecting. In conversational-but-intelligent prose, Barak explains how to think outside the CISO sandbox.
“My goal is to make the field of information security more relatable,” said Barak, who has managed or advised security operations at the highest levels of over 100 organizations, including his current role as CISO of StubHub. “It’s the stuff that everyone can really relate to that matters; going to work, making mistakes, learning from them, listening to people. If we are going to finally get information security out of the realm of being some crazy technology thing ‘over there’ that’s very dramatic in the news, we must learn how to talk about it and make it something that everybody can relate to and understand. It’s about relating to people and understanding the business, not being the smartest person in the room. That is the most essential component to making information security a real business discipline.”
Since publishing his first book, “Why CISOs Fail,” Barak has urged CISOs to reconsider infosec as a business discipline, and to rethink themselves as business leaders. Although Barak has a technical background—he grew up breaking apart and fixing Ataris before earning his computer science degree and working in IT in the 90s—he said he’s never fit in with the traditional security engineer-as-a-CISO groupthink crowd. Rather, he has thrived as a bridge between the technical and business divisions.
His stories in The Security Hippie beautifully illustrate his grander points with practical examples. It starts with having a business mindset. From the depths of the global financial crisis in 2008, Barak shares a touching moment when he was down to his last and most important client. On the verge of bankruptcy after years of being flush, Barak explained to the Fortune 500 executive, whom he refers to as “Mr. X,” that he understood the dire financial situation and would hold no hard feelings if he were let go. But to his great relief, his services were retained. Leaning forward in his chair, Mr. X explained that he needed a business-minded CISO like Barak, someone he enjoyed working with and could trust. The virtual CISO was too rare and too valuable to lose, especially in a financial crisis. In fact, Mr. X was doubling his contract so he'd fill in for others who'd been let go.
The pandemic-related sea change in cybercrime and the threat landscape has forced many CEOs to recognize that information security is invaluable in a global crisis. And the board is looking for CISOs who, likewise, understand that security is there to support the business. Information security must be the department of “how,” not the department of “no.”
“If you don't understand how the business really operates--how money comes into one door and how it goes through the other door, and what happens in the piping of the business--you can never protect it,” says Barak. “You do not have the context. You do not have the capability to understand what your job is. You're going to run yourself ragged worrying about, as the old saying goes, ‘I don't know what I don't know.’ It will keep you up at night. Everything will seem like a big fire you’re constantly trying to put out, and that’s because you don’t have the context to understand what you’re really trying to do.”
Truly understanding the business requires thinking like the keeper of the castle, not the guardian at the gate. The CISO who thinks and communicates in purely technical terms of absolute data breach risk will stymie business operations, confuse leadership with incomprehensible risk assessments… and ultimately get fired when a breach (inevitably) happens. Well, guardian, your gate got breached and you had one job.
It’s a limiting mindset. Barak notes that the CISO community is now asking what’s next in their career path. What does one do after being a CISO? The natural answer, he says, would be Chief Information Officer, a position that matured in the 1990s as a bridge between the IT department and the C-suite.
“In our industry we still often style ourselves as the guard of the gate. If you think of yourself as the guard of the gate, you're never going to stop being the guard of the gate. You might be the captain of the guard of the gate, but you won't be anything more than the guard of the gate. Nobody's ever going to invite you to the cellar where the good wine is, where the real deals are taking place. You're never going to even know where the damn thing exists.”
In the next article, we will share key insights from our conversation with Barak Engel on what makes the modern CISO successful and how to develop into a business leader. And yes, there are some epic stories.