It’s National Insider Risk Awareness Month, a month where companies and government agencies step out and look to step up their insider risk understanding. ClearanceJobs chatted with Dave Komendat, the former Chief Security Officer at Boeing, currently the president of DSKomendat Risk Management Services, and recently named as an advisor for SIMS Software, a leading security information management system supporting the national security community and commercial sector in addressing insider risk.

Insider threats are nothing new, and Komendat spent a career addressing security from a variety of levels. He learned the important art of not just understanding risk, but being able to convey it to the C-suite, which is a critical aspect of developing a successful security program. For too long, security was a stove-piped function without the proper crossover into other key company functions, like IT and human resources. Komendat talks about making the shift and other practical considerations for security programs and officers today.


Lindy Kyzer (00:31):

This is Lindy Kyzer with ClearanceJobs.com. September marks National Insider Threat Awareness Month. Insider threats are an ongoing issue across the national security community, but fortunately there are a number of both individuals and companies focused on addressing this big topic of insider risks. So today we’re chatting with an expert who has seen security risks from a variety of perspectives, and I always love that, bringing different voices to the table and having conversations on this show. So Dave Komendat, who recently retired as Chief Security Officer at Boeing, founded DSKomendat Risk Management Services. He’s also an advisor to SIMS Software, the industry’s leading security information management system. SIMS Software is a great partner to the security community and helps make this podcast possible. So we really appreciate them and we appreciate you, Dave, taking the time to chat with us today about this really important topic.

Dave Komendat (01:19):

Hey, Lindy, it’s a real pleasure to be here with you today.

Lindy Kyzer (01:21):

National Insider Threat Awareness Month. I think I got it. I don’t even know if I’m allowed to say the acronym. Is it T tam? I feel like that makes it worse, so I’m not going to say that. But the topic of insider threat, nothing new to the security community, but it does seem to have taken a clearer shape in both policy and process over the past decade. So how would you kind of rate companies and agencies in creating insider risk programs? Are there key areas of opportunity or missed opportunity that you think that companies should be focusing on right now?

Dave Komendat (01:48):

Yeah, I think overall I would give the industry still about a C, and you’re correct, there has been a lot more focus, much more attention given to the topic over the last number of years. But I still think companies struggle with how to implement a program, how to implement something that’s successful, how to get senior level buy-in at the company. I believe there’s still a perception out there that it happens to everybody else but us, and so therefore we’re probably not as far along as we collectively should be. There are some companies out there doing some really great work and they’ve got some security leaders and HR leaders who get it and who’ve worked together along with our IT organizations who really put together first class programs. But there are a lot of companies out there still that I think are trying to figure it out, don’t have a clear roadmap, don’t really know how to get to the North Star that they’re looking to get to. And so I think we still have ways to go in this space. We’re not where we need to be collectively across all the industrial sectors. I think there’s some that do better than others because they’ve kind of been legislated into it earlier on. So they’re further ahead, but we need to be better in this space for everyone’s best interest.

Lindy Kyzer (02:58):

On that note, you recently retired from a long career with one of the top defense industry contractors. Probably saw a lot in that career. You went from the front lines to the C-suite. That’s definitely been an emerging change where we have security in the C-suite. That seems like a more modern phenomenon. Maybe with the larger companies it’s been more prevalent, but especially with, I mean a lot of small companies, I think there’s still kind of a tension and a fight to get security engaging with senior leadership the way that they should. Do you have any key lessons that you’ve learned for building and advancing a security program? Certainly speak to doing so at a very large company, but also to the number of small companies that we have. How does one even kind of start that journey?

Dave Komendat (03:39):

I think probably the most important thing is you’ve got to create a seat at the table for yourself, you’ve got to demystify the security function. There’s a tendency at times for security to silo themselves within a company to be unnecessarily secretive when they don’t need to be. And I think one of the things that I learned early in my tenure was for me to be successful within the corporation, for my organization to be successful, we really had to be transparent and we had to talk about the things that we did. We had to show our value proposition to the company and we had to run our business just like any other business in the company. So just simple things like having your charts look the same as your colleagues when you’re in presentations or using some of the same language when you’re talking about things like budgets and general administrative things.

(04:25):

A lot of CSOs have a tendency to not do that, and so they never get that regular seat at the table. They never had that opportunity to showcase their organization and more importantly, the capabilities that their organization has. And so I think that that’s an area where sometimes as a group we fall down for those that have figured that out, how to get that seat at the table. Then I think the really important thing is keeping that seat at the table and the way you do that is by showing value to the corporation. So having a good set of value metrics. I was lucky enough to have a set of those that we were able to present on a regular basis where we took a look, maybe one or two metrics from each of our service offerings within our organization, and we get that opportunity a couple times a year with the CEO and his leadership team to go over just a few of them.

(05:14):

And these are 30-second elevator speeches on why we do something, the value it’s creating, the risk it’s reducing, the lives it’s saving, whatever the case may be. And those really resonated with senior leadership. And I found those meetings a lot of fun because I would speak for about two minutes and then the leadership team would get very engaged in regards to what they had just heard. What did that mean as a company? What could they do differently as a leadership team? And the best part of it was when they would say, what could they do for me? Did I have enough budget? Did I have enough headcount to do what I needed to do? And so when you have that seat at the table and you have some influence and you have some trust within the organization, generally things happen on the opposite end of the spectrum when there are difficult times at the company and you’re forced to go through headcount reductions.

(06:04):

And I think every one of us has had to go through that several times in our career. I know I had to go through it multiple times. Having been able to tell your story and having the senior leadership at the company understand what you do and the risks that you’re mitigating resulted many, many times in me being required to take less of a reduction, whether it was in dollars or in reduced headcount than my peers and colleagues in other parts of the organization. Not that their organizations weren’t important, they were, but I think we had done a really good job in articulating what we were doing, why we were doing and the risks associated with not doing it. And those facts resonated in our senior leaders’ mind and that helped mitigate some of those real pain points. So I think if you’re able to do that and that it doesn’t matter if you’re in a big company, medium-sized or small company, being able to tell that story, telling your organization story effectively is really important. I used to tell people that not only was I the chief security officer, but I also looked at myself as the chief marketing officer for our organization. No one else can tell that story except the senior leader. And I think that’s a responsibility that all of us that have that position, whether in a big or small company, you need to be able to do that effectively.

Lindy Kyzer (07:18):

You’re talking my love language here with better communication, and I think that’s so critical. I feel like we’ve had a lot of conversations about that recently with the role of the security officer and the need for visibility in that function. I think you highlight that perfectly. I think there’s obviously a right balance of saying you’re protecting secrets, but that doesn’t mean that you within the company need to be a secret. And as a security officer, you actually can’t be in developing an insider threat program. We’ve talked a lot about best practices for that and different content over at ClearanceJobs, and you need a security officer with some visibility. So I also love that you highlight the role of CSO and CMO. You kind of have to market yourself and your function so that the organization knows and understands what your role is, who you are, what you do. You are projecting a lot of information out there and have a key role in conveying that both up and down the chain. And I don’t think necessarily large, the security function folks aren’t necessarily built with that in their DNA per se, but I love that you focus on that.

Dave Komendat (08:18):

I just want to make one additional comment to that. And in full transparency, I was not built that way. And I was lucky enough many years ago to have a communication specialist that was assigned to our organization. She came to me about a story that she wanted to do. I listened to her idea and I poo-pooed it. I said, nah, I don’t want to do that. I told her why I didn’t want to do it. She paused for probably about four or five seconds and she said, you’re really good at what you do, but I’m really good at what I do and I’m a lot better at knowing how to tell people’s story and how to communicate all the great things that your organization does and you need to let me do my job. So I paused for a bit and I thought about that and she was right.

(08:59):

So really over the next five years that she supported my organization, she taught me a lot about what was important, how to communicate it effectively, who the right audience was. This was not something that I would say innately came naturally to me. It was a learned skill. I would tell you it was one of the most valuable bits of coaching that I got from anybody during my entire career. And I remember exactly where I was at the time when we had this conversation. It was super beneficial to me over the years. And so I think that for security leaders who are uncomfortable telling their organization stories, a lot of people, and I felt this way, feel like, well, if you just do a good job, your organization’s performance will be recognized. That’s true to some degree, but there are a lot of things going on in corporations and there are a lot of other organizations doing great work, and sometimes you do have to get up and toot your organization’s horn and you have to do it in a way that’s meaningful. I’m very thankful to that communication leader. She really helped me in a big blind spot in my leadership style, and it made a difference during I would say the last half of my tenure as CSO.

Lindy Kyzer (10:04):

No, I love that. So pivoting a little bit in terms of my questions here. So you’ve had to deal with mergers and acquisitions as part of a big organization. That’s always a hot topic. It seems like every day at ClearanceJobs, we’re talking to somebody who’s going through a merger and acquisition, we’re consolidating some new announcement about that. That’s definitely something that can come up an insider threat scenario. So do you have specific advice for companies that maybe are going through a mergers and acquisitions process is a hot topic that’s going to be on the radar screen of a lot of our security officers? Are there tips to keep folks from falling through the cracks literally and figuratively as it were?

Dave Komendat (10:39):

Yeah, and that’s a hard thing to go through. In full transparency, a corporation the size of the Boeing company, the mergers and acquisitions that we would make, we would generally be acquiring companies that from a scale perspective and capability perspective, and this wasn’t always true, but in general, they were much smaller and less sophisticated. They did not have the resources, they did not have the security infrastructure or the processes or the tools as they came on board. And so that was one of the things that we would always be looking at during the due diligence period is we had the opportunity to go out and meet with those companies that were target companies and really understand what did they have in place, what was working well for them, where did they have gaps? So going into it, we would know kind of where we needed to spend time and energy and focus and assuming they were going to come on to our main company network that they were going to be enrolled into that it made the process a little bit easier because they would automatically be enrolled in our insider threat program.

(11:40):

And we did persistent monitoring there. So if you were on our network, you were being persistently monitored. There were times where some of these acquisitions were not on our network, and so we would work with their security organization, provide them with advice and guidance support and sometimes tools if they had a program that I would say did not meet our minimum standard of expectation, it was kind of a little bit of a cafeteria style approach to it. In some cases, it was easy if they were bigger and we’d roll ’em right in. And we felt confident that the program we had in place would allow us to identify individuals who might be doing something that was anomalous, and for those that weren’t going to be on the network, that were going to maintain a level of independence to give them the agility that they needed to be competitive.

(12:26):

We would provide them with insight help and expertise to make sure that their program was as good as it could be and that we could mitigate risks to the greatest extent possible. And I don’t think we’re unique in that space. I think every company, especially larger companies that are acquiring target companies on a regular basis, you go through similar things. It’s not a one size fits all approach. I think you have to look at each one of these acquisitions independently and figure out what’s going to work best for them, what’s going to mitigate the risk at the highest level possible for you as the corporate entity. Because at the end of the day, if you have a subsidiary and there’s a significant insider threat issue, the headline is always going to be it’s the parent company. It could be some small X, Y, Z subsidiary, but the headline is going to be that major iconic Fortune 50 corporation that had the issue and incident. So you got to work really hard to make sure that all the way up and down your kind of subsidiary acquisition value chain, that you’ve done everything possible to mitigate those risks.

Lindy Kyzer (13:31):

And I think that’s one of the reasons that supply chain security is so big right now because it is, you have to look at every angle that this is coming in from and making sure that your entire enterprise is secure across the board because as you said, if there’s a negative headline, it’s not going to cherry pick and look for the one bright spot or the one thing that didn’t go wrong. It’s definitely going to affect how the company is perceived.

Dave Komendat (13:53):

One comment on the supply chain, you’re a hundred percent correct in that space, and I think realistically in most corporations would be honest to say that their level of depth and breadth and scrutiny really goes down one, maybe two tiers in their supply chain. Once you get to tier three through five, three through six, however deep your supply chain goes in a certain area, you lose sight of those sub-tier suppliers pretty quickly. And to your point, there’s a lot of risk that is, that’s brought to bear by that supply chain, especially further down in it where they’ve got access to your systems, but they may not have a very robust security within their entity because they’re a smaller business. And so that’s a great target of opportunity for an insider or someone using that third party supplier to get access to

Lindy Kyzer (14:39):

Boeing is a great example of a company that has cleared facilities and contracts, but also a huge commercial presence and we’re seeing a ton more interest in this across our space, across the defense industry, you’d have two different groups there. You have the commercial sector employees, employment tier, but then you also have cleared personnel. Do you think in the commercial sector companies, there’s an understanding of the insider threat risk that folks who don’t even have NISPOM requirements have? And we’re seeing, again, DoD, I think with CMMC requirements doing a lot more saying, Hey, it’s not just this opening kind of the aperture of who is defined in the ecosystem and also what kind of information is through CUI and things like that. As a company who has both, like are there best practices or approaches or thought processes around keeping your commercial sector business as safe and contained as your cleared sector business?

Dave Komendat (15:37):

I think that the simple answer is you try to make it that way. You hit the nail on the head when you’ve got two really distinct and different business lines. You’ve got a commercial business that’s doing business all over the world, and then you’ve got a defense sector that in itself, if it was standing alone, would be one of the largest corporations in the United States. And you put those two together and it’s a huge entity. It’s also a huge cultural difference. And so I think the way you win in that space on the commercial side is with facts and data. And so when we developed our insider threat program back in 2013 and got executive sponsorship for it, one of the things that we did with frequency is bring forward data that would show across the board that those people that were engaging in anomalous activity, it was a pretty equal spread percentage wise between employees that were based in the commercial business and in the defense and services business.

(16:31):

It never created a situation where one senior leader in the company could look at another and say, well, that’s your problem. My people are all squared away. That wasn’t the case. As we were able to start developing metrics and capture and refine what was happening within our company, we could clearly see that there was a relatively equal distribution of poor behavior at times between the different business units services and to some degree functions. And so that made the discussion a lot easier because that information flowed all the way up to the senior leadership of the company. They all got to see that facts and data as did our board. And so there was never that kind of us against them mentality. We looked at insider threat as a one Boeing approach. You mentioned the requirements that come along with the NISPOM. That was great because between our overall insider threat program and then the additional requirements that come with having cleared programs, I think we did a really good job being able to keep track of people inside and outside of those secure spaces.

(17:36):

There were times where we would see behavior involving a cleared employee on our unclassified network that would cause us to want to spend a little bit more time scrutinizing what they were doing within our classified environment and vice versa. There could be some anomalous activity in the classified environment that would lead us to take a harder look at what was going on on the open network. And there were times where the two connected and we had a problem. There were other times where it was nothing. And I think that’s one of the things about a good insider threat program. It’s just as important to prove that people are not doing anything wrong as it is to prove that they are. And so if you have a good program and you’ve got good tools and good investigative capability in your organization, if your program is working well, you’ll see behavior that will look unusual.

(18:20):

And when you dig deep into it, you’ll find out that individual changed jobs and now they’re working on proposals or now they’re in the same job but they’ve gotten a new assignment and they’re accessing information or they’ve been granted access to information to work on a special project on the side. So you’ll figure those things out. Initially, it might look like you’ve got a problem, but as you go forward and you do the investigation, you’ll determine it’s completely legitimate. And I think that’s one of the signs of a really good strong program is you’ve got the capability to look across the lines, to not be siloed, to get all the right functions involved, to take a look at a person and really make a solid determination. Are they acting appropriately? Are they doing something that is going to create potential damage to the company or are they just doing their job and their job is a bit more unusual than other people’s, and that’s why they showed up as kind of an anomaly in some of the triggers that we set.

Lindy Kyzer (19:16):

Yeah, I think some of the best communication around insider risk programs and continuous vetting programs is the proactive approach to it’s actually caring for your workforce in a way that doesn’t just protect somebody’s clearance and eligibility for employment, but also just helps them as a person, whether it’s financial issues or a lot of the other stressors that come with life. A lot of those things are triggers that would show up in a continuous vetting scenario. And it gives employers a chance to step in with resources that a lot of these companies have and know people don’t take advantage of. And I do see employees seeing it that way too, and not looking at it as like big brother looking at them. It’s actually proactive and predominantly positive interactions that you’re having if you have the right approach to it. And that comes down to security too and how they approach it and if they consider it as an opportunity to help maintain their employees or whether they use it as an excuse to push them out.

Dave Komendat (20:11):

One of the things that we used to talk about is the whole reason behind having an insider threat program was to change the culture. The goal being that when we would have people that made poor decisions, we would communicate that we had a highly read anticipated ethics moment that would come out every month and it was put on by the ethics organization. And at least once a quarter, we would always inject one of our insider threat stories. And it could be a story surrounding someone who had done something wrong, potentially had been terminated or worse, maybe had faced criminal charges. But we would also talk about those cases that I mentioned previously where somebody had done something right and we had been able to prove and determine that they had done something right. But the whole intent was to, number one, let people know, Hey, we have a program B, it’s here to protect the company and the assets of the company so that we will all have long-term viability here.

(21:07):

Our retirements will be worth something somewhere down the line. And it was really about helping people understand how to do the right thing and if they were concerned about a coworker, if they didn’t think a coworker was doing the right thing, here’s what you can do. And that’s really the goal of the program. In a perfect world, five, 10 years from now, if everything had gone the way you would want culturally, you wouldn’t necessarily need to have an insider threat program or you could scale it back. But I think when you’re in that initial phase and you’re putting one together, it is really important to communicate that you have one. We never communicated kind of how we were doing things, but we did tell people that we had a program and we told people that it was really important. If they saw something, let us know.

Lindy Kyzer (21:52):

I love that. And I think it ties to my next question, which is talking about your career. I know I did my research before you chat a few Dave, and you’ve talked before about kind of highs and lows and learning points in your career. I think that’s really important in security because it’s not a zero sum game. Things are going to happen. It’s a very human-centric field. There’s a lot of moving pieces. There’s going to be things that happen. It’s not kind of, if you have a security incident, it’s when and what scale it is. Can you kind of maybe give some takeaways for companies, even if you’re dealing with an incident or you’ve kind of recovered from an insider threat scenario, what are some takeaways or lessons learned that you would want to convey?

Dave Komendat (22:31):

I think the most important thing is be okay after an incident, really stepping back and taking the emotion out of whatever the situation was and doing a really hard look at your team, at yourself, at your processes. I think we have a tendency over time to think that we’ve got things pretty figured out. You go for a long time and nothing happens or nothing serious happens, and then boom, one day something serious does. And you don’t perform necessarily at times the way that you thought you would or that your leadership thinks. You should have your employees feel that you didn’t perform at a level that they had expected of you. It’s important at that point to take a breath and to step back and say, okay, first of all, what could I have done to where did I maybe fail or not live up to the leadership expectations that had been set or expected of me?

(23:26):

Where did the team fail? Did they fail because they were not resourced properly, because they were not trained properly, because we didn’t have the right process or procedure in place? Maybe we didn’t have the right people in the right roles. So that really, again, comes back to leadership, whether it’s at my level or the level below me, it’s about making sure the team can be successful in any situation. And generally if they weren’t, there’s a reason for it. We either cut back in an area, we didn’t fund it correctly, we didn’t train them properly. Our process was old, it hadn’t been tested. I used to try to in areas where we felt like we were pretty good, I used to want to kick the tires a little bit, and at the beginning of every year, I would ask the director that was in charge of one of those programs, say, let’s get together for several hours and let’s sit down with the team and let me ask ’em questions.

(24:17):

There is no right or wrong answer. I just want to get a feel and a sense for, are we doing the things that we say we do? Are we doing them with the frequency that we say we do them? Do we have documentation that shows that we’re doing it? And if I didn’t feel comfortable after one of those discussions, that would become a focus area. It wasn’t a negative on that leader or people. It was the fact that circumstances of change changed, the threat dynamics have changed, the risks have changed and we haven’t. So we’ve got to go take a look at this now again, and we’re not going to throw the baby out with the bathwater. There’s some things in here that work really well still, but there’s some things that we’re missing. Let’s go figure out what we need to do differently, what we need to do better.

(25:00):

So it was never kind of a criticism. It was always more of a let’s make sure that we are doing what we say we were doing and that we’re doing it at the level that we should be doing it at. And if we’re not, let’s go fix it. If we have to do it completely different or if we look at it and we realize, Hey, we don’t have the right leadership in place here. We have the right team, we just don’t have the right leader. We’re going to make a change there and make sure that we have the right leadership. And this scales at any level, whether you’re a big corporation or you’re a small shop, I think you can do this. And if you can’t do it because you’re concerned about objectivity, then bring somebody in, bring a third party in that can do it for you, whether it’s a third party within your own company, a peer leader that can come in that you partner with on a regular basis, and take a non-advocate look or go actually hire somebody and bring ’em in and have ’em take a look at a couple of these things just to give you a sense and peace of mind that you are where you need to be in these areas.

Lindy Kyzer (25:59):

I love that advice. I do think there’s a lot of lessons learned. Anytime you have an incident, and many times they’re painful lessons, but they are their applications there. Companies have processes and they have security officers so that they have the steps they can take to recover from something that happens and can create a framework for addressing issues and moving forward. Well, I so appreciate your time, Dave, and chatting with us. I think the insider threat, insider risk topic is not going away. Again, we are seeing more insight. I feel like the month is kind of flooded with interest and activities and events around it, and so we will be plugged into those. I just appreciate your chatting with us about this important topic.

Dave Komendat (26:35):

Hey, Lindy, thanks to you and thanks to SIMS for giving me the opportunity. I really enjoyed the time.

Lindy Kyzer (26:39):

Fantastic. Well, thank you again, thank you to SIMS Software. We do appreciate their support and we appreciate the companies that are kind of really investing the time, resources, leaders that are engaging around this topic. Because keeping our classified work classified programs and keeping our workforces safe is incredibly important. So thank you so much.


Lindy Kyzer is the director of content at ClearanceJobs.com. Have a conference, tip, or story idea to share? Email lindy.kyzer@clearancejobs.com.