Talking Trust, Security, and Scalability with LinkedIn CISO Cory Scott
September 13, 2017
In our efforts to help security marketers reach their audience in the best way possible, oftentimes it helps to go right to the source — and where better to go than LinkedIn’s own Chief Information Security Officer, Cory Scott.
We recently spoke with Cory, covering a wide range of topics from IT management to trust and branding in the modern internet era. He was generous enough to share his candid perspective on the security industry’s complex relationship with marketing and provide a few tips on how both functions can work together more effectively as the business landscape changes.
Enjoy our conversation below, and be sure to continue following our security series on the LinkedIn Marketing Solutions blog!
Q: As the CISO of LinkedIn, what keeps you up at night?
A: The mass complexities of a modern Internet platform. We have thousands of engineers committing code at all hours of the day so our product is in a constant state of flux. Coming up with scalable solutions to address that keeps me up. Building strong security-by-default frameworks with repeatable operational practices is how I can rest.
One of the other things about processing data from such a massively complex system is separating what I call the “wheat” from the “chaff,” as far as the instrumentation of billions of events simultaneously happening on our systems is concerned. Through all these instances, we must consistently figure out which ones are good and which ones are bad — throughout multiple layers. Just logging into our network or checking email generates thousands of auditable events that our systems evaluate to determine whether or not it’s really you.
All of this is very challenging when you have as much data as we do. I’d also point out the importance of having the right team to execute your security program. This is something I’m sleeping a little better on these days, because the market for security talent is incredibly competitive. I’m very proud to have amassed a world-class team and give them opportunities to grow and become magnets for other talented security professionals.
Q: As a security expert in today’s Internet era, what value do you place on trust?
A: Trust is extremely important. My role is to ensure the trustworthiness of our products and to protect our members from harm. That is what I spend all my hours thinking about. From that perspective, we invest heavily in securing our infrastructure and applications to ensure we can detect when things go wrong — and that we’re able to effectively reduce any damage caused when they do.
But, trust is not just about securing data. It entails keeping our promises to members, partners, and customers when it comes to their security. We don’t want to combine or share data in unexpected ways that can erode members’ trust in LinkedIn. And trust can be defined in different ways.
Q: With trust in many brands across the technology space at an all-time low, what can technology marketers do to build trust in a better way?
A: Lead with transparency. Demonstrate what you’re doing and show as much as you possibly can to ensure your products represent those commitments. For example, if you say that you have audit logs for accessing data, always keep those accurate and up to date and explain exactly how the data flows through your system so that people can understand how your products work.
In the security space, it’s very important to also represent your security talent as a brand. At LinkedIn, our security team is very involved in the community. We speak at major conferences and represent LinkedIn’s security organization as strongly as we can. At the end of the day, it comes down to documenting what you do in a way that your potential buyers believe is appropriate — in addition to having the team and talent to execute that vision.
Q: How have you seen the decision-making process change when it comes to making and implementing technology purchases?
A: The traditional IT buying committee has expanded dramatically with the adoption of cloud-based services and SaaS. For smaller teams outside of IT, the functionality of rapid, stand-up applications has reached a tipping point. Adopting a cloud-first approach, which we did several years ago, shifted the decision-making process towards the business and the business owners.
Under these circumstances, IT must focus more on ensuring solutions that work together and on building platforms for support — from account provisioning to authentication, security review and admin controls. We hope that a cloud of applications will come together and help the business move forward. However, if there is massive decentralization, you will see redundant systems that multiple teams have purchased or introduced — especially when it comes to collaboration solutions. These teams will want to talk to one another, so there is a place and purpose for IT to step in and provide guidance early on. At its worst, IT is a referee; at its best, it’s an enabler for innovation across the business as a whole.
Putting my security hat on, I’d prefer vendors have good security processes and protect the data and functionality to the same standards as if we were to build the application in-house. However, this proves challenging because you can’t push your standards and policies to vendors and say, “This is how we do it here. Please do it this way.”
Q: What is your take on the state of security conversations on LinkedIn?
A: There is a good security community on LinkedIn, where people are able to find one another and have great dialogues. For example, if I’m really interested in a new technology, chances are I can find a connection I worked with ten years ago who works for that particular company. You can also visit groups or see conversations taking place within the newsfeed that provide an open, honest dialogue about how things actually work. LinkedIn is invaluable from that perspective. I get pings and questions almost every other day from security folks I’ve worked with in the past — and it works both ways, allowing us to keep the community alive and together on our platform.
Q: What are your go-to sources for content and news — both in general and in the security space?
A: Every week there is an amazing email newsletter by a colleague of mine, Scott Piper, called Downclimb, that summarizes InfoSec news from the week and provides links to content presented at major conferences, all in one spot. It’s an amazing amount of work and has a good pulse on the environment, particularly because Scott used to work at Yelp, so he’s very familiar with internet companies and technologies. As far as day-to-day sources of information, Twitter is still my go-to. Curating a good set of people to follow, who don’t introduce extra noise into the stream, is very important.
Q: We’re seeing a new pattern in IT buying — one that values peer and crowdsourced information more so than traditional industry reports, especially with younger professionals. Do you see this happening? If so, is it here for good?
A: I’m glad to see more disruption and new thinking around the role of the traditional industry analyst. With insights coming from many new sources, crowdsourcing and open communication on social channels is a powerful new trend. Today, you also see a lot more meetups and colleague-based networks. For example, I’m on a Slack channel with security leaders of other internet companies. If I have a question about using one particular technology, I’d likely ask them before deferring to an analyst or an industry report. When I ping the channel and say, “Hey, what do you think about X? Who has it?” five people will quickly raise their hand with feedback. That is invaluable to me. Ten years ago, we’d meet up at a bar every month. But now, it’s instantaneous.
Q: With the rise of the modern surveillance state, consumers are increasingly confused and concerned when it comes to issues of privacy and security. Is this mostly just hype?
A: There’s tons of hype, and the hype certainly makes things challenging when it comes to government surveillance and its erosion of public trust. It instills a sense of helplessness, but, ultimately, people have control and a say in preventing themselves from becoming a victim of the majority of threat actors out there. I’d encourage consumers to understand the many measures you can take to be aware and protect yourself.
Q: What are your personal security habits and what steps do you take to ensure that you, as an individual, are safe and secure each day?
A: As far as things that I do personally to stay safe and secure, it’s really the adoption of multi-factor authentication on all my online accounts and, whenever possible, U2F or a one-time hardware token. I try to avoid password reuse across sites and leverage password management tools to reduce the chance of password duplication. I run and apply automatic updates to all my systems so that when a security patch comes out, it’s automatically applied. It’s important to practice good hygiene when someone emails me out of the blue with a link to click or a file to download.
To keep up with the latest from tech marketing influencers, subscribe to the LinkedIn Marketing Solutions blog.