Insider ambassadors and security culture, with Michael Montoya

Michael Montoya (CISO at Equinix) has extensive experience overseeing global cybersecurity programs, and advising governments, enterprises, and regulators across global markets. He’s recognised as an innovative leader in IT and security, and he serves as an Independent Director to F5 Networks and Sygnia Security.

With an academic background in economics and political science, his approach to security is comprehensive – recognising the cultural influences, as well as the technological processes, that enable effective security operations.

Montoya is coming to Riyadh to share his knowledge at Black Hat MEA 2023. So we caught up with him this week to learn more about his perspective on cybersecurity.

Could you share your career journey so far?

“You could say I got into security out of necessity. My career journey started at Microsoft, leading me to manage large global networks and IT datacenter operations, where security became our greatest challenge. That led me to lean deeper into security around 2002, and I began to recognise security's profound impact on organisational productivity.

“One key instance in that journey was the outbreak of the Love Bug virus, which targeted Microsoft and affected our operations in a significant way. This incident vividly illustrated how a single event can disrupt a substantial portion of a company. This compelled us to undertake a comprehensive overhaul of our systems; unfortunately, we could not promptly identify or prevent its spread. During this experience, I realised that the challenge wasn't something that would naturally become easier over time. Instead, it's a complex issue for which a definitive solution still needs to be discovered.”

And has your perspective on cybersecurity changed over the course of your career?

“Absolutely, CULTURE, CULTURE, CULTURE. The statement that culture eats strategy for breakfast remains tested and true. Technical controls will always be important and required. My perspective on the importance of building a culture of security needs to be essential for any security strategy.

“The role is also shifting. We are entering the second generation of the CISO profession and now moving from technical operators to officers. This transition requires our function to be risk leaders and business leaders. Our roles require us to accept we cannot stop all risk – but need to help our companies manage risk in a way that helps empower innovation while building systems of resiliency that are designed to fail and secure by design.”

What are the most pressing security challenges Equinix, or digital infrastructure providers more generally, are facing now?

“The same risks still exist, and ransomware continues to be the single largest cyber threat any company faces. It is a digital pandemic. The innovation surrounding ransomware will increasingly leverage generative AI.

“Generative AI is two sides of the same coin: threat actors will exploit this for advantage, while businesses will harness it for innovation. Security organisations must rapidly adapt to understand generative AI, manage its potential, and mitigate its risks.

“Drawing parallels to the mid-nineties, a similar shift is underway. Back then, there was a debate about the risks of connecting to the internet, and forward-thinking companies thrived when they embraced it. Likewise, organisations today face a pivotal choice – to lean into this opportunity or risk becoming laggards. This stands as our most pressing challenge.

“Beyond this, broader security challenges are inherently cultural. While technology has improved, and our security practitioners are some of the best, it's about transforming mindsets and encouraging everyone to contribute to enterprise safety. A heightened awareness and a 'see something, say something' approach is vital.

“Additionally, as every company transforms digitally, software development emerges as a prominent hurdle. Safely creating and operating code, especially open source, is paramount.

“Finally, the war for talent in cybersecurity continues to be a challenge for every organisation – and inevitably a risk. This talent gap will continue to put more focus on security as code (automation) and developing organisations with more machine learning capabilities.”

How do you approach upskilling/training employees within an organisation?

“To ensure a seamless security experience, the key is integrating technology and training for non-security employees that effortlessly align with their daily workflow, without friction.

“For instance, let’s consider emails – envision having to manually scrutinise every email, assessing the safety of multiple embedded URLs in every email before clicking. The time investment, around 30 minutes per email, becomes impractical. Here's where automation steps in, sandboxing and deeply analysing emails beforehand. Over 99% of potentially problematic emails are screened out before an employee opens an email.

“This frictionless approach extends across diverse workflows, whether you're a developer, HR professional analysing résumés or dealing with customer data for support or success. Security becomes seamlessly designed into the business processes or workflow in the same way you don’t think about the airbags in your car – they have an unobtrusive yet crucial role in ensuring your safety.

“Tailoring security awareness engagement through gamification is a powerful tool and creating training specific to development, HR, finance, or legal roles. This keeps employees connected to their roles' impact on security outcomes, fostering greater understanding.

“And as education and awareness play pivotal roles, translating broader cybersecurity trends into tangible implications for the company is important.  

“We also realise that we can trigger a more impactful change by tapping security-savvy champions within the rest of the organisation. Our cybersecurity ambassador program, led by our security awareness team, is incredibly impactful. This approach provides bottom-up advocacy rather than just top-down directives from the infrastructure team. This holistic strategy ensures natural security integration, seamlessly woven into every aspect of operations.”

What's one thing you wish everyone knew about cybersecurity?

“Drawing a parallel to physical fitness and staying healthy, the analogy holds true for cybersecurity. There's no magic involved; it's about embracing simple concepts like a wholesome diet, staying active and having regular health checkups. Similarly, when it comes to cybersecurity, following some foundational hygiene-related principles reduces a majority of risks.  

“For example, password management, multi-factor authentication and keeping systems updated will make a profound impact on reducing the chances of being successfully attacked. Equate this with your regular medical visits, a balanced diet and a consistent exercise routine. While robust passwords are foundational, coupling them with multi-factor authentication and diligently applying security patches considerably reduce your vulnerability to breaches.”

And finally, why are events like Black Hat MEA valuable to you?

“First and foremost, networking with fellow problem solvers is immensely valuable. These events offer invaluable learning experiences and constructive discussions.

“Secondly, these gatherings grant access to the latest industry insights and tactics, including how experts combat challenges like those encountered at Black Hat events. You can enhance your cybersecurity skill set by delving into specific breach cases and the technologies used to remedy them. The opportunity to connect with my peers and hone my technical expertise makes the event rewarding and invaluable.”

Thanks to Michael Montoya at Equinix. Join us at Black Hat MEA 2023 to learn more.