Confessions of a Financial CISO - Ep. 106
Ross Young shares his journey from first discovering he wanted a career in cyber, through his exciting "pirate" days at the CIA, to becoming a financial CISO. He reveals the top three things that'll make the biggest impact on your organization's cybersecurity and his top cybersecurity read.
Episode Table of Contents
- [00:59] A Passion for Hacking
- [05:56] The Two Routes That Led to Becoming a Financial CISO
- [13:39] The Banking Industry and the Financial CISO Industry
- [21:02] The Connection That We Don’t Get Over Technology
- [29:07] No More Scraping Off the Mustard
- About Our Guest
A Passion for Hacking
Carolyn: I'm excited to talk to our guest today, Ross Young. He’s the CISO at Caterpillar Financial Services Corporation, a former divisional CISO for Capital One. He has over a decade of experience within multiple government agencies, including the NSA, Federal Reserve and CIA. Ross also has a passion for hacking. Good morning, Ross. How are you?
Ross: I'm doing very well. Thank you for having me on the show today.
Eric: Hopefully that's hacking as in white hat hacking as my old CEO, Chris Young used to call it.
Ross: I've always enjoyed learning and using hacking as a way to increase my technical skills. Nothing illegal, of course. It's been a lot of fun. It really helped me have a career I could truly love and no, I'm not related to Chris.
Eric: Ross, you talked about a career you enjoy. You've got an extensive educational background, but how did you decide cyber? Where did it start?
Ross: From a young age, I always knew computers were really what I wanted to do. When I started in my computer science program at Utah State, I just really fell in love with it. There are so many different flavors of computer science. There's programming, there's data science, there's artificial intelligence. But the piece that I really thought was cool was cyber.
Ross: You kind of feel like you're a magician because you know how tricks work, but everybody else doesn't. That's what brought me into hacking. You learn how to break things. Other people may not know how to do that and so you can help to solve some of these problems.
A Cyber Track That Leads to Leadership
Ross: When I was a junior in college, I went to DEFCON. I got to see more of the different fields and things that you could do, I just knew that was the career for me. In 2005, there were schools that really started focusing on cybersecurity and became certified by the NSA. Idaho State was one of those that really focused on an MBA program to train the next generation of cyber management.
Ross: It's brand new and cutting edge for the field whereas a lot of folks who were focusing on Computer Science and Master of Engineering type programs. Having a cyber track that leads to some of the leadership is really what I wanted to do. Because I love managing and leading folks and being able to leverage my skills. It was something that just looked like a lot of fun.
Eric: Is that a National Center for Academic Excellence in Cyber Defense school?
Eric: I forgot how many schools there are across the nation. It's one of them.
Ross: I think there are about 100 or more now. It's really grown over the years, but they were one of the original four.
Carolyn: Did you find cybersecurity? I'm just curious because in the early 2000s, this was kind of before cyber was even invented.
Eric: Come on, Carolyn. You're older than that. We know that. Come on, it's been earlier than that. It became big. No, you're right.
Carolyn: Early 2000s is when it really became big. So I'm wondering Ross, did you find cyber and cybersecurity by computer engineering? Is that where you started computer science and then that led you to cybersecurity?
Going Down the Rabbit Hole
Ross: In computer science programs, you're going to take classes where you're going to build websites and software applications. One of the electives I had when I was doing my computer science program was a computer security course.
Ross: That kind of got my appetite for it. As I started looking, you went down this rabbit hole of wanting to know more and more. Then you say, "Well, if I really want to do more, how about I do a degree in this? A degree where I can specialize and really spend a lot of time doing things I enjoy."
Carolyn: I like that you said you're like a magician. I'm going to use that as a hook for our millennials to get them more interested in cybersecurity.
Eric: Looking at LinkedIn, you had a degree, a Bachelor of Science in Business and Cyber and Computer Science. You double-majored?
Ross: I started in computer science and I was looking to get some internships. For whatever reason, I just didn't have luck getting into them. So I said, "Well, if I can't get an internship, the best thing I should do is pick up a business degree on the side. Then I'll learn how to start my own business."
Ross: "I’ll learn the soft skills of writing, communications, marketing, and business plans that'll ultimately help me do better in my jobs." By just taking an extra two classes every semester on top of my computer science workload, I picked up a business degree in four years with my computer science degree.
Carolyn: When you graduated, were you recruited by the government? Or was the government next?
The Two Routes That Led to Becoming a Financial CISO
Ross: After I graduated from my undergraduate program, I kind of had two routes. Go into the workforce or go into a Master's program. I thought it was better to do a Master's program at that point in time in my life. Having college experiences and getting an opportunity to not just be a computer science person, but a cyber person.
Ross: I enrolled in Idaho State, they had an MBA program in cybersecurity. It was called Information Assurance back then and they paid all of your tuition. They gave you a stipend to live off of every month. The only caveat was you had to work for the federal government for two years after completing your two-year program. Very similar to an ROTC experience that you would have for military folks.
Eric: Was that only for Master's level or they did it for undergrad too?
Ross: They did it for undergrad as well.
Eric: What a deal.
Ross: There was one student in my program who went through that as.
Carolyn: Do they still do that?
Ross: Yes. It's done through all of the NSA certified schools. The scholarship is called Scholarship for Service. You can find it on sfs.opm.gov.
Eric: So you finish your Master's, you go to the government, how'd you figure out where to go?
Carolyn: What did you do in the government?
Ross: While I was doing my MBA program, I did my internship at NSA. I had a really good time learning a lot of different things and exposure to what they did. And I always loved that classified world of being essentially a modern-day pirate.
Finding Ways to Hack Things
Ross: You learn to find ways to hack into things and do this where you might go to prison. That is, if you’re trying to just do this on your own. I love that. Coming out of my MBA program in year two, I had an offer from CIA as a project manager to lead a lot of their IT pieces.
Ross: To focus on some of their securing software efforts, as well as an offer from the Federal Reserve Board. But my CIA clearance didn't actually take my NSA clearance so I had to wait for that. I took a job at the Federal Reserve for about a year, doing vulnerability assessments on the federal banks.
Eric: They made you wait before they hired you. I had a friend once who applied at the CIA and he was going to be a field operative of some sort. Two and a half years later, they came back to bring him on board. He's like, "Look, my life moved on." I have no idea why they keep people waiting when you have to find a job.
Carolyn: You're the poster for attracting millennials to cybersecurity. You are a magician, a pirate, a renegade. You're breaking the law without going to jail, everything a millennial wants to be.
Eric: Now you're almost at the two-year limit or two year payback period.
Ross: I worked at the Federal Reserve for about a year. Afterwards, I spent 10 and a half years in the CIA. I well compensated that two-year requirement that was asked of me for paying my stipend. At the agency, I had a fantastic time. I got to do so many cool things.
The Difference Between the Government and the Commercial World
Ross: A lot of them are still very sensitive to this day. They’re really cool missions where you can do a lot of offensive and defensive cybersecurity.
Eric: We have a lot of government listeners on this podcast. You left the CIA, you went to Cap One. I know you do a lot on DevOps, you do a lot in the cloud. How do you compare and contrast the difference between the government and the commercial world as you make that transition?
Ross: The federal sector was really interesting because of the size of scale in cybersecurity. Just think about this. If you have a cyber department that only has five people, that's the limit of what you can specialize in. But if you have a group that has 50 people, now think of how many more things you can specialize in. Have these different cyber programs, and keep growing.
Ross: Now go to 500 people or 5,000 people. Think of how many different roles and expertise in niches in cyber that you can grow in. As you think about that, you think about the places that have those large 500 to 5,000 numbers of people. That's where you can go and get so much exposure to this cutting edge industry. It’s where things are going. There are very few places that have that talent and those capabilities.
Ross: The biggest thing that I saw when I transitioned from CIA to Capital One was the different types of talent. If you think about it, what is the primary mission of an intelligence agency? It's to recruit people and that typically means you need people who speak foreign languages. People who have political science backgrounds.
Capital One as a Financial CISO Company and Not as a Technology Company
Ross: Those are not what you're going to call a technical person. Not an IT degree by the way. Now, compare that with Capital One. Capital One doesn't view themselves as a banking company. I know that's very different because everybody thinks about that from all their marketing. They view themselves as a technology company. Much like Facebook or Amazon or Google that sells banking products.
Ross: They try to hire a large amount of computer scientists and computer engineers to build all these digital portfolios. I left the federal sector, where I was working along with non-technical audiences, and went to a technology sector. Instantly, I felt at home with people who were like me, who thought like me.
Ross: People who understood it's about technical approaches. Unlike this other bureaucratic organization where you have a lot of things, very well structured program, project management focuses. I thought that was a very big stark contrast.
Eric: Cap One Technology Company thinks of themselves as a technology company, but they're really in the finance business. I don't think you'd put them up against Amazon, Facebook, Microsoft from a technology perspective in what they sell. But they leverage technology to really advance their capabilities in the financial space.
Ross: That's spot on. The key difference here is instead of recruiting bankers and MBAs, Capital One is recruiting computer science students.
Eric: Technologists. So you went to CIA, NSA, DHS. And like Cap One is in the financial sector, their mission is intelligence gathering. Different mechanisms, different methods, but intelligence gathering. The intelligence-gathering component relies on technology more and more these days than ever before.
The Banking Industry and the Financial CISO Industry
Eric: Same as the banking industry and the financial industry, would it suit them? Would it work as well for them to hire technologists and think of themselves as a technology organization? As opposed to an intelligence organization, almost like Cap One does.
Ross: They understand the need for technology. There's a lot of ways you're going to use technology with an intelligence agency. From tracking and locating terrorists to having covert communications with people. Those things rely on technology. However, CIA isn't that heavy tech place compared to an NSA, which is that 100% tech focus agency. They're more focused on the human side, which is their core mission.
Eric: Different collection capability. What I heard you say, and maybe I misunderstood, Cap One being in the financial sector is a technology company. They think of themselves as a technology company. I think what you were saying is they see themselves as hiring technologists. They’re leveraging technologists to competitive advantage in the financial sector.
Eric: The intelligence agencies also use a ton of technology, I agree with you. They have a lot of smart people, a lot of technologists. What if they thought of themselves in a similar way that Cap One does to their financial business. Similar to the intelligence business. Hey, we're a technology organization. We're going to leverage technology to collect data.
Eric: They do, but I've spent a lot of time in the community. The mindset is, “we're an intelligence organization, we collect intelligence”. You could say the same thing about Cap One. They're a financial organization, they do financial things. But you described them very differently, which was exciting. It sounded like that was a competitive advantage to them.
A Very Drastic Mind Shift
Ross: I think the federal sector, particularly in the intelligence communities, isn't ready for that shift. We're going to make 70% of all of our hires as computer science graduates. It's just not ready for something like that. But places that understand every company is a software company or a technology company, it's a very drastic mind shift.
Ross: If you think about it, you can take any industry. Let's just take something like John Deere, tractors. Most people think of that not as a technology company. Could you have sensors all through your field that tell you exactly when you need to water? It tells you when you need to plant, when you need to grow. Would you like sensors on all your tractors, knowing when they need maintenance?
Ross: Sensors that know when they need parts to come and be delivered for upgrades. There's a lot of things you can do to do data-driven decisions and turning a company into a software company. That's where you really start to change. It’s where you make these different types of value and specialization around your company.
Carolyn: What you just said right there, that excites me. The technology, the cyber, really it's just woven into the fabric of our lives. It does make our lives better and it can make it worse depending on how it's used. I love that analogy with the farmers and using the technology and big data in that way.
Eric: I'd love to weave it into the IC, into the intelligence community even more so. I feel sometimes we're a little slow, but we won't dwell on that. Now you're a CISO, Chief Information Security Officer at Caterpillar Financial. How's that been?
The Financial CISO Behind a Large Construction Company
Ross: We're the bank behind the large construction company. We do all the loans, the warranties, the insurance products around all the manufacturing that you see. It's been a fantastic role. I've loved the financial sector. I've spent most of my career in it.
Ross: I just can't think of something we need to protect as much as our banking system. If our banking system just were to go shot, everybody's 401(k)s, everybody's savings would all be just destroyed. I don't think we would have a first-world company and a first world country without it.
Carolyn: What kind of challenges has working from home given you as far as a financial CISO goes? In security, are there advantages and disadvantages?
Eric: You took your job in the middle of this COVID-19 crisis too?
Ross: I moved in June to the Nashville area from DC. In the middle of a pandemic, my family and I were living in Holiday Inn extended stay hotels. I have four kids that are 10, eight, six, and four at the time. You got to imagine living that. It was a little bit crazy, but I think it's really an interesting place. Caterpillar Financial has just been a fantastic company.
Ross: They're allowing people to work remotely during the pandemic. They see that as an opportunity. Maybe we should be remote 100% of the time for certain types of jobs or most of the time. That can really change a culture and allow a company to do very different things. Hire people that you probably would have lost as they moved back to living closer to their families.
The Disadvantages of Working From Home as a Financial CISO
Ross: Hiring people that you might not have been able to get. Who's hiring in the middle of South Dakota? Probably not many. But if there's a good cybersecurity specialist that you could find there, that’d be a good addition to your team.
Eric: We've had a lot of people talk about that. Opening up of the aperture with the number of jobs we need to fill. The population is now more, you can live at home, wherever you grew up.
Carolyn: We don't limit to geography, we look for talent. It doesn't matter where you are. What about the disadvantages, especially for you as a financial CISO? Was there a kind of heartburn that this caused for you?
Ross: For me, the older I get, the more important I realize relationships are. The way I typically build relationships of trust is to sit and chat with people. I love going to lunches to kind of just getting to know somebody. Seeing what they're working on and then discussing. When people understand how much you care about what they're trying to accomplish, then they're more willing to open up.
Ross: It's very hard having Zoom meetings or Teams meetings with others. You just don't get that same level of connection as you do when you sit with people day after day. Having lunches with them and getting to know them. I think that piece is really missing and we haven't figured out an alternative yet. Hopefully, that'll come back some point soon.
Carolyn: I'm close friends with a musician, also a fabulous yoga instructor. He said, "When we are face to face, we have that physical exchange literally of the sound waves."
The Connection That We Don’t Get Over Technology
Carolyn: "Of my sound waves traveling, meeting you, going into your ears. That’s a literal physical connection that we don't get to have over technology." I thought that was an interesting perspective.
Ross: That's really good, but you also get 100% of their attention. If you're in a Zoom or Teams meeting, how many times are we also on our phone? Opening up another tab in Google, multitasking, and then you're losing some of that attention. I think it's really important when you can go out to lunch, you put all that away and really just focus on the one on one.
Eric: It's very obvious if you're reading your phone at lunch while you're eye to eye with someone.
Carolyn: I read your bio. Among the many things that you do, you're also an instructor at the SANS Institute. One of the things that jumped out at me is your instructional style. You break information down into bite-sized chunks so your students can take it and have immediate impact on their organizations. What kind of bite-sized chunks would you break down for the federal government? As far as CISO advice, cybersecurity advice that would have the most impact right now.
Ross: The first thing you have to understand in the federal sector is how do we keep people happy? You’re in an organization in cyber where you're paying people half to maybe a third of their commercial salary. There has to be a love of mission and enjoyment, a field that they're learning new things. Doing things that they can only do there and no place else. If you tie that, I think that allows you to keep and attract the good people.
What We Want Our Security Functions to Perform
Ross: You're just not cycling through young college students year after year. The next thing you have to focus on is what do we really want our security functions to perform? On the commercial side, you typically focus on something like we're in the business of revenue protection. What are our applications that make money? If they go down, they cause us major heartburn. That's different in the federal government because you're not making money for most places.
Carolyn: The mission is different.
Ross: It is about protecting the lives of assets if you're in the CIA. It's about ensuring safe travel if you're in the TSA or other places like that. It is understanding what the core mission is. Enabling them to operate and understanding the risks they need to take.
Ross: How do you do that? Typically, you have to look in a variety of ways, you need a program where you can understand what you have. You need to have developers doing things like threat modeling to understand where things can go wrong. Also, you need to have some type of check where you're making sure the basics are done.
Ross: You're patching, you're securing your configurations. You need to have active protections like WAFs and RASP, runtime application self-protection tools. Those will help secure your applications because nothing is perfect.
Carolyn: Sounds like DevSecOps.
Ross: A little bit.
Eric: Going back to Derek Weeks.
Carolyn: Do you know what though? This is so cool because your message, Ross, is one that we have heard over and over from other CTOs. The first thing you said was, "Your people." Build that relationship. I love that. Then understanding the mission, and that DevSecOps piece I just learned about.
What Does a Win Look Like for a Government Financial CISO
Eric: Let's talk about wins. You're a government financial CISO, what does a win look like versus a commercial CISO?
Ross: It comes back to risk. What is it you want to focus on? Is it allowing the business to build the next generation of tools securely? Or is it looking at our current inventory then, drastically reducing the number of vulnerabilities that provide unnecessary risk to our organization? Is it just helping people combat the threats?
Ross: Is it the user education of not clicking the phishing emails that cause ransomware in our environments? It can be a portfolio of all those different things. Really, it comes down to priority of what you want to focus on in your organization.
Carolyn: As we wrap up, Ross, what do you want to say?
Ross: I think we're at a really interesting point in history for CISOs. Look at a lot of other industries, like the financial industry. People could do all sorts of shady finances and they had to standardize things with financial accounting regulations. Creating SOX compliance and things like that to safeguard companies against embezzlement and insider threats.
Ross: We haven't seen that level of sophistication in the cyber industry. But I think we're on the crux right now, where more and more companies are having ransomware causing million-dollar breaches. You name any Fortune 500 company, they probably had a major breach. They've lost data records. I think we have to figure out how that's going to change. There's probably a lot of ways, but it's maturing the industry. It's setting standards.
The Kind of People We Need to Secure Our Infrastructure
Ross: Perhaps, we'll see some type of government legislation that comes to continue to improve maybe some licensure around that. I'm not sure what's going to happen, but I can tell you this, if you're not studying all the time, if you're not constantly reading and improving yourself, you're not going to be the kind of people that we need to secure our infrastructure for tomorrow.
Eric: If you had to recommend one book, Ross, to a new person entering the cyberspace. Could be coming out of college, looking at college, changing mid-career, changing careers, what would it be?
Ross: I think the best book is the Phoenix Project. It's not solely a cybersecurity book, it's more of a DevOps book and it teaches so many valuable lessons. It teaches about a person in IT operations who essentially becomes almost the CIO. He has to go and fix things, taking that mindset of doing things proactively upfront and solving that. That transformational change is what we need in cybersecurity.
Ross: If you think of it this way, you go to a sandwich place and they make your sandwich. You hate mustard, just absolutely can't stand mustard or tomatoes. Whatever the thing is that you hate, sardines on your sandwich and they put it in your sandwich. Then you go and you look at the end and you unwrap your sandwich. It's just not a good taste. You can take those things off, but you can still taste it and it's just bad. That's what we've done to cyber. We've tried to fix security at the end.
No More Scraping Off the Mustard
Eric: Tried to remove the mustard.
Ross: Instead of, hey don't introduce things. We're scraping off the mustard, but it still remains.
Ross: We can do things that block the introduction of bad things into our environment, that's where we have to focus.
Carolyn: No more scraping off the mustard, we're building it right from the start.
Eric: The Phoenix Project, I haven't read that one.
Carolyn: That is my next book to read and I'm going to end this podcast. Well also, I feel a part two with Ross Young, Eric. What do you feel?
Eric: I feel we could probably do a 20 part series, but there is more of Ross Young out there.
Carolyn: I'm going to give a challenge to our listeners. The first person to share this episode on LinkedIn, you've got to tag me. I will send you your own copy of the Phoenix Project.
Ross: If any of the listeners would like to learn more, I have a podcast called CISO Tradecraft. We're trying to teach the next generation of CISOs all the things you need to know to be an effective executive leader.
Eric: When we get you back on, the next question I want to ask is, how do you pick your topics? Where do you prioritize? We'll get to that next time.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers in 2019 and 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast at firstname.lastname@example.org.
About Our Guest
Ross Young is the CISO at Caterpillar Financial and a former Divisional CISO for Capital One. With a background in Cloud, DevSecOps, and Container security, he has led multiple organizations through digital transformations to the Cloud.
Ross is considered a subject matter expert in DevSecOps pipelines as well as Container/Kubernetes Security. He has over a decade of experience within multiple government agencies including NSA, Federal Reserve, and CIA. Ross is a Lecturer for Johns Hopkins Whiting School of Engineering as well as an associate instructor for the SANS Institute.