Interview with CSO Ray Steen

In the latest instalment of our interviews speaking to leaders throughout the world of tech, we’ve welcomed Ray Steen, CSO at MainSpring.

Tell us about the business you represent, what is their vision & goals?

MainSpring was born out of the frustrations our founder had with the IT world - many IT businesses are focused on fighting fires rather than addressing the root cause of security and productivity problems. They aren't built to benefit organizations from the perspective of profit, loss, and client/employee retention.

At MainSpring, we are focused on being a proactive partner - not only do we solve problems, but we prevent them from happening in the first place. Like the mainspring in a clock, MainSpring is the cog that helps an organization to keep ticking - we help our clients work day-to-day, productively and without interruption.

What inspires and energizes you within your work?

I love the way tech touches every part of an organization - we're all dependent on it. Making improvements to tech saves money over the long run and prevents wrong decisions that can hinder companies for years. A third of our clients are nonprofits, and our work makes a measurable difference both in their day-to-day operations and long-term missions.

There's also a fun side - we're techies, and we love our work. We ride close to the cutting edge and get to test everything before recommending it. After working here for 10 years, I still get a kick from clients saying our solutions were the best they ever spent money on - whether that's simple help desk improvements that have a big long-term impact or NIST assessments that uncover major security holes.

Can you share a little bit about yourself and how you got into cybersecurity?

I started out in Public Relations. During the September 11th attacks, I was thrown into supporting Red Cross disaster relief efforts. After that, I continued with the organization and found IT essential for delivering critical information to those in need. After my time with Red Cross, I helped the military with the digitalization of healthcare records - I was knee-deep in health IT, HIPAA and PII. It showed me the importance of IT solutions and cybersecurity more specifically.

When I finally moved on to consulting for GovCons, I saw a big potential to change the way IT services and strategy are delivered in the private sector. It interested me because the commercial world has many tools and solutions at its disposal but often lacks the expertise to make the most of them. The virtual chief information officer (vCIO) role was my biggest draw - a consultant that can connect technology with business in tangible ways.

Unlike consulting firms, we do offer IT services and solutions - we don't just show up, say you have termites and walk away. But unlike other managed service providers (MSPs), we are also focused on helping our clients understand their problems from a big picture level - we think outside the box to find the best solution for their individual needs.

How would you explain your role to a non-technical audience?

vCIOs are trusted business advisors with real technical expertise - they are focused on organizational outcomes more than technology, but they know how the two relate. vCIOs apply that experience to make better decisions and evaluate solutions for their effectiveness - while most business departments have subject matter experts, an impartial third party can help them evaluate things more objectively.

Our vCIOs are tool and vendor agnostic - they're not driven by sales. If we can find a way to eliminate a lot of work when evaluating solutions, we'll do it - a lot of things we recommend are outside our day-to-day operations. It's all about the client, and what's best for them.

What advice would you give to someone wishing to start a career in cybersecurity?

Cybersecurity is an ever-expanding field with many inroads - there's really no "best place" to start, and a lot of our cybersecurity experts didn't begin in the field of cybersecurity at all. Working at a help desk can lead to a system admin role, which can lead to a security operations centre (SOC) role - working as a software developer can lead to an application security as a service role - working in networking can lead to an infrastructure and cloud security role.

My best advice would be to get an IT job first - pursue your interests in a technical field, and then consider working towards a cybersecurity certification related to your expertise.

Can you give an example of security issues at your jobs, and how you and your team fixed them?

There are common gaps we see with new clients - one is the lack of a thorough process for onboarding and offboarding employees. Former employees stay inside the system longer than they should - current employees have access where they shouldn't because apps aren't managed by active directory. They may have undocumented accounts that aren't written down anywhere - God forbid they leave for a competitor. Ultimately this problem isn't caused by negligence on anyone's part; it's caused by convoluted and sprawling tech stacks without effective, centralized governance.

We also see a lack of effective security training - businesses pay lip service to it and go through the motions, but they're just checking boxes. Employees need incremental preparation to refine their skills, and tools to help them understand the threats they are facing - especially phishing scams, which remain the top way that ransomware and cyberattacks perpetuate.

Multifactor authentication is a must for employees - it's been in use by the government for over 20 years, but the private sector is still catching up. So those are three examples of security issues off the top of my head - poor offboarding processes, overprovisioning of permissions, and lack of cyber training which includes poor authentication. We address these issues through a combination of centralized governance and better cybersecurity training.

Does your organization use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?

We use a variety of tools not only to monitor activity on clients' networks but also the health of their systems, their security and productivity. We take a continual improvement approach to compliance, doing an audit for our clients once every year to once every year and a half. Things change almost month to month, including security best practices - ensuring we have an audit that is constantly updated allows us to change management structure as necessary.

Our business model is centred around reducing the time our clients spend on IT issues - our rate stays the same no matter how many problems they have, so we're incentivized to prevent repeat issues and get to the root of the problem rather than the symptoms. We sit down with our clients and talk through the importance of best practices - lower risk means fewer issues, and that translates to both cost and time savings. If we can show a measurable percentage of improvement with the help of metrics, that makes the benefits more concrete.

What are your thoughts on companies looking to prepare for CMMC compliance?

First, get confirmation that you're going to be handling controlled unclassified information (CUI). Second, start by focusing on the rules and regulations that are already in place with NIST SP 800-171 or DFARS. Complete a self-assessment for compliance - that will save you time and money. If you don't know how to, seek help from qualified IT experts - initial assessment should not cost an arm and a leg, but that's what a lot of companies pay when they get someone to do it for them. With the way CMMC is evolving, best practices are likely to change, and simply getting an overview of your security gaps and fixing them is the best way to prepare for now.

After assessing your security gaps, get dollar values for the issues you need to fix and make an educated decision on the cost of doing business in the Defense sector. Compliance is and always will be a prerequisite for government contacts - is your business situated to keep up with changing compliance requirements over time?

We've been doing 800-171 assessments for a few years now, and generally, we're coaching our clients through a self-assessment. We've refined our approach to the point that we can determine major issues in the first couple of hours of consultation - is the company handling CUI, and does it exist in a variety of places? This gives our clients a clear picture of what compliance means, and how much it's going to cost them in both the long and short term.

What are your takes in response to the Log4shell incident?

Log4Shell obviously demonstrates the growing danger of software supply chain attacks, but it also demonstrates the importance of modernization and proactive compliance. After the SolarWinds attacks, the White House mandated that software vendors should provide a software bill of materials (SBOM) describing the third-party components of their software products.

Development and standardization of SBOMs have been slow - but companies who got ahead of the curb were able to quickly determine which of their products contained the vulnerable Log4j dependency, and which didn't, a key challenge that slowed other businesses' response to the incident.

Would you like to share any cybersecurity forecasts or predictions of your own with our readers?

With the rise of hybrid workplaces, remote employees seem like the next major frontier for cyber actors. Organizations are still struggling to define guidelines and security parameters around remote employment - mismanagement of devices, and use of insecure networks is a major issue.

I also predict that Web and SaaS surfaces are going to become a major target due to the lack of centralized governance and permissions management. The average company is using over 200 SaaS apps at a time, many of them extraneous or unnecessary - that's way too much to keep track of and generates extra attack surfaces that are poorly protected.

If you enjoyed this post and want to keep reading our articles then why not check out our guide covering the top Prometheus tools or Kubernetes management tools?