RSA 2018 Conversation: Citrix’s Mike Orosz
Watch how he spends money. That’s popular advice on dating sites for finding “Mr. Right.” If he spends money on you, he loves you, or so the thinking goes. While it’s debatable if this is healthy dating wisdom, the guidance is worthwhile in cybersecurity.
Mike Orosz, Senior Director of Threat Services and Technology Transformation at Citrix, advocates examining spending to assess an organization’s level of commitment to robust security. He comes to this insight after a career that includes 20 years in security roles in the US Army and Department of Defense.
“You can learn a lot about an enterprise by looking for gaps between identified risks and budget to mitigate them,” Orosz said. “If you’ve got good correlation between risk and spend, you know the organization is taking the threats seriously. The opposite is also true, though in some cases they may not understand the seriousness of the risk.”
A big part of his job is to address these gaps and help clients understand their vulnerabilities and the best remediation practices. “I like to ask, ‘are we ready for vulnerabilities?’,” he added. “Coming from the military, we can treat vulnerabilities as intel, so to speak, and base our strategies on what we learn.” Orosz then prefers to assemble an integrated team to address vulnerabilities and any associated spending gaps.
“We may not recommend increasing spend,” he said. “A lot of the time, it’s a matter of allocation.” For example, some security teams are overly focused on firewalls and traditional notions of the “perimeter.” “The perimeter is all over the place today,” Orosz observed. “You could have exposure to attack based on deficient identity management and access control in the public cloud. No amount of firewall investment is going to make a difference in that case.”
Asked about the difference between working in government versus the corporate world, Orosz explained, “In the government, people generally understand their job and your job. Roles have been long-established, so little explanation is needed. In corporate life, you have to sell yourself. Why should I work with you? Why should I support your budget? We have to make the case that we’re making peoples’ lives easier. If we can’t win that argument, we aren’t going to get anywhere.”