
Cloud Control: Q&A with Allison Miller, From Cyber Frontlines to Digital Trust

March 26, 2024


From Cyber Frontlines to Digital Trust: The Allison Miller Method

Hello and welcome back to Cloud Control ✌️ From confronting cyber threats to fostering online confidence, Allison Miller explains how she bridges the gap between security and trust. Allison is a renowned expert reshaping how we think about digital protection and trust. In this interview, she digs into strategies for navigating the complex landscape of online security and the pivotal role of AI. Dive in and be part of the conversation shaping the next frontier of the internet's security 👇

Question 1 💭

Let’s start with giving our readers a quick history of who you are and what you do. Can you share with us what technologies or cybersecurity areas you're currently zooming in on, considering your extensive experience in the industry?

Answer 1 🎯

I’m a cybersecurity “polyglot” - I speak dialects of enterprise cybersecurity, product development, behavioral analytics, e-commerce, and anti-fraud/anti-abuse. From a technical perspective, my expertise is really in designing and implementing detection systems at scale, with a preference for systems that are embedded in customer-facing products or platforms. This grew out of early career interests in tuning network intrusion detection systems, and understanding how those techniques could be applied in payment systems, and later social, video game, and advertising systems.

In addition to the technical side of cybersecurity and risk, I’ve also spent time in roles where I was working through the business impacts and problems in these companies - that resulted in an interesting blend of product and customer-experience mindset blended with the technical approaches to system and platform design.


Question 2 💭

As technology evolves, so do the threats. In your experience, what's the key to not just reacting to, but anticipating and preparing for, the next big cybersecurity challenge?

Answer 2 🎯

I like the truism “Follow the Money” when trying to understand where cybersecurity challenges are going to go. When working in fraud detection, it seemed like fraud was like water - the bad actors were constantly testing, and when they found weak points - cracks in the system - they would flow into those weak points. When we reacted, they’d find the new weakest points and flow. When one is building products that are going to be used in adversarial situations, products that are always under attack, a best bet is to focus on where the product drives value for the customer. That’s the dimension that will most be attacked, and the dimension that needs the most reinforcing and protection.


Question 3 💭

Throughout your career, you’ve had roles that encompass both 'trust' and 'security', which is fascinating. How do these domains intersect in your work, and how do you balance the two to create a secure yet open platform for users?

Answer 3 🎯

In many companies, the concepts of “trust” and “security” are very distinct - trust is generally outward facing, embedded in products and customer experience - where security is inwardly focused on protecting corporate and enterprise systems. That said, companies that are going through digital transformations start to find overlaps between the two concepts as their “product” offerings become software - and their customers need to be verified, authenticated, and protected as they move their way through a platform. The domains start to overlap, and tools from security become relevant not just for solving corporate technology problems, but in-product business problems.

You’ve captured the essence of the challenge in the question: it’s all about balance. A business exists to provide services to customers, and regardless of defensive capabilities needed, the business needs to be open for business - and usable by legitimate users. Striking the right balance generally requires flexible controls that can be tuned and re-tuned, and re-tuned again as the features change and the threats change. 

A more specific way to envision balance is - let’s say you are being flooded with some kind of bad activity. You’ve developed a mechanism to block the bad activity - but it’s not right all of the time. Typically we have a dial here, we can turn the dial up to “High” and make the mechanism really strict, which will block a lot of the bad activity but also block a bunch of good customers. Or we can turn the dial to “Low” and make the mechanism very relaxed - most good customers will get through, no problem, but so will a lot of bad actors. The first choice is a business question: how bad are the bad actors, and what’s the acceptable tradeoff to the business? You have the ability to adjust the dial but ultimately you’re just traveling up and down a particular false positive/false negative curve. The second choice is one of investment: how much would you need to invest in order to improve the power of your mechanism? (and also, of course, is such an investment available to you)

As someone with an economics and finance background, I love it when we can simplify problems down to this kind of trade-off. Oftentimes the discussions are a bit more speculative, though, because we are imagining impacts on customer experience, and also hoping that the performance of our security (identity, anti-fraud, detection) controls are predictable and don’t degrade too quickly before we’ll need to invest again.
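The “dial” in the answer above, made concrete. This is an added example, not code from the interview or its author: a detection mechanism assigns each event a risk score, everything at or above a threshold is blocked, and sliding the threshold travels along one false-positive/false-negative curve (the business choice), while a better mechanism is a different curve altogether (the investment choice). All scores, labels and costs are constructed for illustration.

```python
"""Added example (not from the interview or its author): the threshold "dial"
from Answer 3 as a false-positive / false-negative trade-off.

A detection mechanism assigns each event a risk score in [0, 1]; anything at
or above the threshold is blocked. Moving the threshold travels along one
FP/FN curve (the business choice); a better mechanism is a different curve
(the investment choice). All scores and labels below are constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    score: float   # mechanism's risk score, 0 = looks clean, 1 = looks bad
    is_bad: bool   # ground truth (e.g. confirmed fraud), known after the fact


def make_events(good_scores: Sequence[float], bad_scores: Sequence[float]) -> List[Event]:
    return [Event(s, False) for s in good_scores] + [Event(s, True) for s in bad_scores]


# Weak mechanism: good and bad populations overlap heavily (constructed).
WEAK_EVENTS = make_events(
    good_scores=[0.05, 0.10, 0.20, 0.30, 0.35, 0.45, 0.50, 0.60, 0.65, 0.70],
    bad_scores=[0.40, 0.45, 0.55, 0.60, 0.70, 0.75, 0.80, 0.85, 0.90, 0.95],
)
# Better mechanism after "investment": same populations, better separated (constructed).
BETTER_EVENTS = make_events(
    good_scores=[0.02, 0.05, 0.08, 0.10, 0.15, 0.20, 0.22, 0.25, 0.30, 0.40],
    bad_scores=[0.55, 0.65, 0.70, 0.75, 0.80, 0.85, 0.90, 0.92, 0.95, 0.99],
)
# Dial positions to evaluate: 0.00, 0.05, ..., 1.00
THRESHOLDS = [round(i / 20, 2) for i in range(21)]


def counts_at(events: Sequence[Event], threshold: float) -> Tuple[int, int]:
    """Blocked good customers (FP) and admitted bad actors (FN) at one dial setting."""
    fp = sum(1 for e in events if not e.is_bad and e.score >= threshold)
    fn = sum(1 for e in events if e.is_bad and e.score < threshold)
    return fp, fn


def rates_at(events: Sequence[Event], threshold: float) -> Tuple[float, float]:
    """(false_positive_rate, false_negative_rate) at one dial setting."""
    n_good = sum(1 for e in events if not e.is_bad)
    n_bad = sum(1 for e in events if e.is_bad)
    fp, fn = counts_at(events, threshold)
    return fp / n_good, fn / n_bad


def tradeoff_curve(events: Sequence[Event], thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """The curve the dial travels: (threshold, FPR, FNR) for each setting."""
    return [(t, *rates_at(events, t)) for t in thresholds]


def cheapest_threshold(events: Sequence[Event], thresholds: Sequence[float],
                       cost_per_fp: float, cost_per_fn: float) -> float:
    """The business question: given what a blocked customer and an admitted
    bad actor each cost, which dial setting minimises total cost?"""
    def total_cost(t: float) -> float:
        fp, fn = counts_at(events, t)
        return fp * cost_per_fp + fn * cost_per_fn
    return min(thresholds, key=total_cost)


if __name__ == "__main__":
    for name, events in (("weak", WEAK_EVENTS), ("better", BETTER_EVENTS)):
        print(name)
        for t, fpr, fnr in tradeoff_curve(events, [0.35, 0.50, 0.75]):
            print(f"  threshold={t:.2f}  FPR={fpr:.2f}  FNR={fnr:.2f}")
    print("weak, bad actors costly:", cheapest_threshold(WEAK_EVENTS, THRESHOLDS, 1, 3))
    print("weak, lost customers costly:", cheapest_threshold(WEAK_EVENTS, THRESHOLDS, 3, 1))
```

With the weak mechanism, the strict setting (0.35) blocks every bad actor but also 60% of good customers, and the relaxed setting (0.75) blocks no good customers but admits half the bad actors; changing the relative cost of the two errors moves the cheapest setting from 0.40 to 0.75 without changing the mechanism. The better mechanism reaches zero errors at 0.50, which no dial setting on the weak curve can do: that gap is what the investment buys.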


Question 4 💭

In your view, how does cybersecurity extend beyond protection and into building digital trust, especially in platforms where community and user engagement are critical?

Answer 4 🎯

From a foundational perspective, platforms where community and user engagement are integral components inherently carry consumer expectations regarding the quality of discourse and services provided. The presence of bad actors or mishandling of sensitive account information can significantly undermine these expectations. Therefore, ensuring that protections are in place – and instilling confidence that the platform is managed appropriately – are now baseline expectations for these systems. Cybersecurity plays a crucial role in fulfilling these expectations. Previously, the scope of cybersecurity was often perceived as limited to securing infrastructure and application code. However, as more companies transition to digital platforms and strive to forge lasting relationships with customers—who return seeking a consistent and positive user experience—cybersecurity has evolved to become an extension of product security and product value. This evolution reflects a proactive approach to protection, encompassing not only the security of the platform but also the authenticity and integrity of the information presented.

Moreover, the role of cybersecurity extends to the meticulous handling of sensitive information, a concern that transcends the specifics of community engagement or user interaction platforms. While the foundational measures like encryption and safeguarding against unauthorized access remain critical, the complexity of modern platforms introduces new challenges. These platforms often integrate with other services, facilitating the movement of data across different environments—from mobile apps to backend platforms—thereby broadening the scope of cybersecurity. This includes ensuring data handling is secure both within a single platform and as data traverses between platforms or devices. 

In essence, cybersecurity is integral to maintaining digital trust, safeguarding sensitive information, and ensuring that user expectations for a secure and reliable online experience are met.


Question 5 💭

Navigating through a range of domains like risk management, financial services, and fraud prevention undoubtedly offers a rich perspective. Reflecting on your career, could you share a moment or project from each sector that significantly influenced your current cybersecurity ethos? How do these experiences converge to inform your strategies in tackling today's cyber and fraud challenges in a digital-first world?

Answer 5 🎯

Working in payments shaped a lot of my ideas on risk. I joined Visa to work on “Technology Risk” - how do we protect the tech that is used in the payment system? I ended up working on methods for securing e-commerce - outputs of those initiatives are 3D Secure (payer authentication) and PCI-DSS (the Payment Card Industry Data Security Standard). Developing standards, policies and reference architectures is a lot of work, and yet, the rubber really meets the road in implementation. Those two programs are (still) fundamental in digital payments, and I learned a lot working on them - but actually my bigger takeaway from Visa was time working on “Product Risk”, evaluating the design of payment products themselves (not just the tech!) that has shifted my thinking on how and where to look for risk in systems.

Going deeper into payments at PayPal, risk management isn’t about policies and setting standards - it’s about quantitative analysis and modeling techniques. Those quantitative approaches are so effective, I wanted to bring that thinking back to cybersecurity, which I did in later roles where I spanned boundaries between anti-fraud/anti-abuse and cybersecurity programs. 

In video games (Electronic Arts), I gained a great appreciation for managing digital capabilities (like Identity, Commerce, and Fraud) in an industry that has been shifting to a digital model from a past of “shrink wrapped software”.

User facing platforms like Tagged, Google, and Reddit brought me new perspectives of dealing with user generated content in addition to (structured) transaction data. While at Google, I really appreciated working with the folks in Safe Browsing and TAG, and understanding how large platforms can be mindful, and not just protect themselves but uplevel cybersecurity and trust for people working across the web. 

Back to financial services, working in banking gave me newfound perspectives on the realities of cyber-ing in regulated industries, and balancing the need for speed versus the need for customization and control in some build-versus-buy discussions. 

I’d say that the way these experiences have converged is with an understanding that although every industry and environment faces different challenges, the lessons learned have been portable. Meaning, every job and role has been unique, but everything I learned along the way helped wherever I landed next.


Question 6 💭

Now, you’ve worked in many organizations across various sectors. How do you integrate cybersecurity considerations into broader business strategies to drive both security and growth?

Answer 6 🎯

Integrating cybersecurity considerations into broader business strategies is fundamentally about understanding their role within the overarching business objectives. It's less about imposing cybersecurity on the business and more about comprehending how these cybersecurity efforts can bolster and align with the business's goals. The effectiveness of this integration is seen when cybersecurity is not merely an addition to the business but an integral part of its strategic planning, especially in areas that may not be immediately obvious, such as finance, procurement, human resources, marketing, and sales. The intersection between cybersecurity and these facets of the business can be surprising but is crucial for driving both security and growth.

In my experience, the most compelling and effective approach to aligning cybersecurity with business objectives is to view cybersecurity as a component that infuses existing business strategies, rather than trying to retrofit or force it into an unrelated narrative. This perspective becomes particularly clear in companies that are embracing digital transformation or offering online services and software. In these contexts, cybersecurity must be woven into the fabric of the product and customer experience from the outset.

However, the relevance of cybersecurity extends beyond digital or customer-facing technologies. Even in companies that primarily operate offline or without direct technology interfaces with customers, there remains a critical role for cybersecurity. The key lies in fully understanding the business strategy and identifying how cybersecurity outcomes can positively impact and enhance overall business outcomes. By aligning cybersecurity initiatives with the broader objectives of the company, it becomes possible to not only safeguard the organization but also to contribute to its growth and success in a meaningful way.


Question 7 💭

You've pioneered the development of real-time risk prevention and detection systems. Could you elaborate on the technologies and methodologies that enable these systems to operate effectively at internet-scale?

Answer 7 🎯

At the core, risk prevention and detection systems are essentially decision-making systems powered by data. My experience with various companies has often involved developing our own detection systems tailored to unique use cases, requiring us to embed these systems directly into the product. This customization was primarily driven by the necessity to handle non-standard detection scenarios, leveraging data science and technology to enable real-time or near-real-time evaluations.

Historically, the foundational technologies and methodologies for these systems were pioneered in the banking sector, particularly within credit card authorization processes. Banks evaluate each transaction in real-time, a principle that can be adapted to various contexts—be it a login attempt on a consumer platform, an incoming email assessed for spam, or other digital interactions. The key to these systems, whether dealing with financial transactions or digital content, often revolves around identifying the actors involved and the authenticity of the event itself.

Drawing parallels from my background in network intrusion detection, I've applied similar principles to a wide array of challenges, including fraud detection, spam filtering, game cheating, account hijacking, and bad ads detection. As digital products have evolved and more companies have moved online, there's been a significant increase in commercially available technologies designed for these purposes. While these products may be marketed under various names, they fundamentally operate on the same principle: they are positioned within a flow to make instantaneous decisions—approve, deny, or flag for review.

The development and operational efficiency of these systems at internet scale, particularly in real-time scenarios, depend heavily on integrating them seamlessly into the application's flows. This requires simplifying the decision-making process to ensure it's both fast and economical, avoiding the need for extensive database queries during each evaluation. Cloud computing has been instrumental in providing the necessary elasticity for scaling these operations, allowing for real-time decisions that are crucial for both the business's operational integrity and the customer experience.

In sum, the effectiveness of real-time risk prevention and detection systems at internet scale lies in a blend of data science and technology, tailored to specific use cases and simplified for efficiency. The ability to make swift decisions based on accurate data analysis is paramount, and the advancements in cloud technology have played a pivotal role in facilitating these capabilities, ensuring that businesses can maintain security and trust at scale.
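The shape of system the answer above describes, as an added example (not the interviewee's code and not any vendor's product): a decision point sitting inline in a login flow that returns exactly one of approve, deny or review for every attempt, and that does no database lookups while deciding because the features it needs (failure velocity per source IP, known devices per account) are held in memory and updated as events stream through. The thresholds, field names and sample traffic are constructed for illustration.

```python
"""Added example (not the interviewee's or any vendor's code): a decision
point embedded in a login flow, in the shape Answer 7 describes. Every
attempt is evaluated inline and gets exactly one of three outcomes; the
engine never queries a database while deciding, because the features it
needs (failure velocity per source IP, known devices per account) are kept
in memory and updated as events stream through. Thresholds, field names and
the sample traffic are all constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from typing import Deque, Dict, List, Set


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    REVIEW = "review"   # e.g. step-up authentication or a manual queue


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # event time in seconds
    account: str
    ip: str
    device_id: str
    password_ok: bool  # outcome of the credential check that already ran


class LoginRiskEngine:
    """In-flow decision engine with in-memory features; no per-decision I/O."""

    def __init__(self, window_s: float = 300, review_failures: int = 3, deny_failures: int = 10):
        self.window_s = window_s
        self.review_failures = review_failures
        self.deny_failures = deny_failures
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)   # ip -> failure timestamps
        self._known_devices: Dict[str, Set[str]] = defaultdict(set)   # account -> device ids

    def confirm_device(self, account: str, device_id: str) -> None:
        """Called after enrollment or a passed step-up, so the device is trusted next time."""
        self._known_devices[account].add(device_id)

    def _recent_failures(self, ip: str, now: float) -> int:
        q = self._failures[ip]
        while q and now - q[0] > self.window_s:   # slide the window forward
            q.popleft()
        return len(q)

    def evaluate(self, a: LoginAttempt) -> Decision:
        failures = self._recent_failures(a.ip, a.ts)
        if not a.password_ok:
            self._failures[a.ip].append(a.ts)     # feed the velocity feature
            return Decision.DENY
        # A correct password from a source that has been guessing is the
        # credential-stuffing case: the right password alone is not enough.
        if failures >= self.deny_failures:
            return Decision.DENY
        if failures >= self.review_failures or a.device_id not in self._known_devices[a.account]:
            return Decision.REVIEW
        return Decision.APPROVE


def run_demo() -> List[Decision]:
    """Constructed traffic: one legitimate user, then a guessing source (203.0.113.9)."""
    engine = LoginRiskEngine()
    engine.confirm_device("alice", "laptop")                                   # enrolled at signup
    attempts = [LoginAttempt(0, "alice", "198.51.100.7", "laptop", True)]
    attempts += [LoginAttempt(10 + i, "alice", "203.0.113.9", f"bot-{i}", False) for i in range(4)]
    attempts.append(LoginAttempt(20, "alice", "203.0.113.9", "bot-x", True))   # guessed right
    attempts += [LoginAttempt(30 + i, "alice", "203.0.113.9", f"bot-{i}", False) for i in range(6)]
    attempts.append(LoginAttempt(40, "alice", "203.0.113.9", "bot-x", True))   # guessed right again
    attempts.append(LoginAttempt(400, "alice", "203.0.113.9", "laptop", True)) # window has slid
    return [engine.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for d in run_demo():
        print(d.value)
```

The three outcomes map onto the approve/deny/flag-for-review decision the answer describes, and the two thresholds are the "dial" from earlier in the interview applied to one feature. The sliding window is the part that keeps the evaluation cheap: the engine only ever touches its own deque for the source IP, so each decision costs a few operations regardless of traffic volume, which is what makes it viable inline at internet scale. In production the counters would live in a shared in-memory store so that every instance sees the same velocity, but the per-decision path stays a lookup, not a query.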


Question 8 💭

With AI transforming nearly every aspect of tech, how do you see artificial intelligence reshaping cybersecurity strategies? Both as a tool for defenders and a weapon for attackers.

Answer 8 🎯

Based on my experience with developing real-time detection systems, I hold a favorable view of AI's potential to significantly enhance cybersecurity measures. AI, particularly generative AI, is poised to introduce automation in areas traditionally managed manually, offering digital assistance for investigations and intelligence development. This evolution in cybersecurity practices is eagerly anticipated, as AI's capability to streamline and improve defense mechanisms holds considerable promise.

The creative application of technology by our technologists and innovators suggests that we're on the cusp of witnessing some unexpected, yet highly beneficial, advancements on the defense side. This is an exciting prospect, especially considering the current landscape where AI's potential for misuse is already evident. One of the initial concerns was the emergence of AI-powered phishing attempts, which have now become a reality. These developments are concerning, particularly with the advent of deep fakes, which not only enhance phishing strategies but also enable sophisticated real-time social engineering attacks. A notable incident involved the impersonation of a CFO and their team during a call, showcasing the advanced capabilities of these attacks and underscoring the urgent need for effective countermeasures.

The challenge extends beyond defending against AI-enabled threats to protecting the AI systems themselves from attackers who leverage AI for malicious purposes. This dual challenge necessitates a reinforced focus on verifying and authenticating identities of both employees and customers. Moreover, it compels us to enhance our detection capabilities to identify and counteract these threats as they arise on our platforms.

At the end of the day, AI is transforming cybersecurity strategies by both augmenting the defender's toolkit and presenting new vectors for attackers. As we navigate this evolving landscape, the focus will likely shift towards automating defense mechanisms, enhancing investigative capabilities with AI, and fortifying our systems against the sophisticated threats posed by AI-driven attackers. The interplay between AI's potential for bolstering cybersecurity defenses and its exploitation by adversaries underscores the dynamic nature of this field, demanding continuous innovation and vigilance.


Question 9 💭

Given trends in both technologies and businesses, how do you see the role of the CISO changing?

Answer 9 🎯

The role of the Chief Information Security Officer (CISO) is undergoing significant evolution, influenced by both technological advancements and business trends. We're witnessing a diversification in the types of CISO roles, reflecting the varied demands of different industries and technological environments. This differentiation can be seen in the specific experiences and expertise required—be it in regulated sectors like banking and healthcare or technical competencies such as managing hybrid cloud infrastructures or bridging diverse technology stacks.

Moreover, in many cases, the scope of responsibilities for CISOs is expanding. While some CISOs continue to focus primarily on overseeing security teams, others are stepping into more strategic executive roles. These roles not only involve addressing traditional security concerns but also guiding companies through complex risk landscapes and contributing to overarching business strategies. This shift is partly driven by regulatory changes, such as those proposed by the SEC, which aim to formalize and clarify the expectations for the CISO role. This regulatory push towards standardization presents challenges, as the CISO role has traditionally been flexible, adapting to the needs of their specific organizational context without a codified set of practices akin to those in finance (e.g., GAAP).

The digital transformation journey that many companies are embarking on further complicates the CISO's role. Direct customer interaction, once a peripheral concern for CISOs who were focused on protecting enterprise and production systems, is now a central aspect of their remit. CISOs are increasingly involved in addressing security within the product development process and managing emerging risks, such as those associated with the adoption of generative AI technologies.

The rapidly changing landscape presents a dual challenge for CISOs: navigating the intricacies of regulatory compliance and expanding their role to encompass broader business and strategic initiatives. However, it also offers exciting opportunities for CISOs to redefine their contributions to their organizations. As the role continues to evolve, we can expect a greater recognition of the diversity within the CISO community, mirroring the differentiation observed among CEOs, where the leadership style and focus vary significantly depending on the company's stage and strategy. This recognition of the varied types of CISO roles highlights the dynamic nature of the cybersecurity field and its growing importance in shaping business strategies and outcomes.


Question 10 💭

Reflecting on your experience, what do you foresee as the most significant challenges and opportunities on the horizon for cloud security and cybersecurity at large?

Answer 10 🎯

Navigating the complexities of cloud security remains a formidable challenge, particularly as we strive to achieve clarity regarding visibility and accountability within the cloud's multifaceted layers. The integration of diverse processes and the advent of tooling has enabled many teams to make progress in closing those gaps. However, the shift towards multi-cloud environments complicates these efforts, even as we are still in the process of mastering the most basic strategies for effective cloud security management.

Among the perennial challenges, issues such as identity and access management (IAM), data classification, and governance stand out. These foundational aspects of cybersecurity are critical, yet ensuring visibility and control over them in a cloud-enabled environment poses ongoing difficulties. These challenges are not just immediate concerns but are expected to persist into the foreseeable future, underscoring the need for continuous innovation and adaptation in our approaches to cloud security.

Of course, given my background in customer-facing technologies, my attention is also pulled towards the evolving nature of companies' technology deployments, particularly those that enhance customer experiences and require robust customer authentication mechanisms. It’s clear to me that this focus on innovation and customer engagement is relevant across all sectors of cybersecurity. The landscape of technology is in constant flux, with innovation occurring at the periphery and enabling businesses to adopt new technologies. This dynamic environment presents both challenges and opportunities for cybersecurity professionals.

The overarching task for cybersecurity, then, is to maintain a baseline level of security and control amidst this technological evolution. This endeavor represents the enduring narrative of cybersecurity: adapting to and embracing technological advancements while safeguarding against emerging threats and vulnerabilities. As we look to the future, the ability to navigate these complexities and capitalize on new opportunities will define the success of cloud security and cybersecurity at large.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Sellers can now resell third-party professional services in AWS Marketplace
  2. Stream data into Snowflake using Kinesis Data Firehose and Snowflake Snowpipe Streaming (Preview)
  3. Amazon ECS and AWS Fargate now integrate with Amazon EBS
  4. Azure API management developer portal unveils enhanced features for increased developer productivity
  5. Azure application gateway introduces support for TLS and TCP protocols

Top Articles and Resources of the Week

Articles

  1. NIST releases version 2.0 of landmark cybersecurity framework
  2. Huge cybersecurity leak lifts lid on world of China’s hackers for hire
  3. AI can ‘disproportionately’ help defend against cybersecurity threats, Google CEO Sundar Pichai says
  4. Tips on meeting complex cloud security challenges
  5. 10 Cloud Security CEOs On Their Biggest Opportunity In 2024

Resources

  1. Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
  2. Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
  3. CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
  4. SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
  5. Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.