
Cloud Control: Q&A with Jennifer (JJ) Minella on Enhancing Security through Human-Centric Practices

February 6, 2024



Let's talk the intersection of technology and human-centric solutions with Jennifer (JJ) Minella, Founder and Principal Advisor of Viszen Security. In this week's Cloud Control Q&A, Jennifer dives into the correlation between enhanced communication and the optimization of security teams. From the pivotal moments shaping her career to the role of mindfulness in network security, JJ provides a nuanced perspective. Gain valuable knowledge on the future of Zero Trust architectures, the evolving landscape of certifications and standards, and the ethical considerations in AI advancements. Join us for a deep dive into the critical domains of cybersecurity and emerging trends in the industry 👇

Question 1 💭

You have a diverse background as an author, international speaker, and advisor to Fortune 50 companies. In your own words, what challenges and pivotal moments have had a lasting impact on your career? How have these experiences influenced your approach to cybersecurity?

Answer 1 🎯

I've had many pivot points in my career from being a technical individual contributor, to a manager, to an advisor/coach. But, the biggest moment of enlightenment for me was when I realized this truth -- that more than 90% of what I thought were technical issues were really just the ripened fruits of very fundamental human issues. 

Specifically, I came to understand that to be successful in cybersecurity meant better communication, giving and earning trust, and approaching work life with a mindfulness that would foster open-mindedness.


Question 2 💭

As the creator of mindfulness-based leadership workshops for CXOs, you advocate for a unique skill set obtained through mindfulness. How do you see mindfulness playing a role in addressing the evolving challenges in network security, especially in the context of emerging technologies like AI, or evolving solutions in cloud security?

Answer 2 🎯

First, I think it's important to get on the same page about how we define mindfulness. For example, "meditation" is often the first word people correlate when they hear "mindfulness", and that's not the goal here. 

Instead, I like to talk about mindfulness as a habit - a way of thinking and being, versus something we're doing. 

In cybersecurity, the habit of mindfulness serves us at many levels. Engineers and architects can think outside the box with ease, solving problems in innovative ways. Managers and leaders can build strong relationships within and between teams. Mindful habits let us separate our personal preferences and feelings from fact, and offer a way to approach new challenges without the baggage of emotion. It's freeing in so many ways. 

And perhaps most importantly - building mindful habits keeps everything in perspective and protects us from the overwhelm and stress this industry brings.

Question 3 💭

Beyond conventional approaches, how does mindfulness-driven leadership contribute to shaping solutions for the dynamic challenges often faced by cybersecurity leaders?

Answer 3 🎯

In the first workshop exercise, I always ask the room, "what makes a good leader?" or "what do good leaders do?" They say things like "build trust", "don't blame their team", "don't hide from criticism". They say good leaders are "authentic and approachable." There's always a long list. We write down the lists of what good leaders do and don't do. And then we talk about how each of those is connected to a way of thinking - a habit.

Here's a funny secret about mindfulness and leadership skills. Every leadership skill - every feature or behavior of a "good leader" as described by team members - they're all rooted in mindfulness. 

I've been reading Andy Ellis' new book "1% Leadership" and I really love everything in it. It aligns so well with what I teach in the workshops and bring to my work with clients. It’s a blueprint for being present and leading with authenticity.

Question 4 💭

Having served on the (ISC)2 Board of Directors and various program committees, you've played a critical role in shaping industry standards. Looking ahead, what initiatives or changes do you believe are important to improve cybersecurity certifications and standards?

Answer 4 🎯

Oh boy, that's a loaded question! There are two balls of yarn to unravel here - professional credentials (like the CISSP and certifications), and industry standards which are typically serving an organization's security practice. 

Professional certifications will move down the path of more micro-learning, with the possibility of stacking discrete mini-certificates as part of a larger credential. Take the CISSP for example. It's a whopper. Imagine if instead of one giant body of knowledge, there were eight or ten bite-sized pieces, each aligned with a domain perhaps. 

In full transparency, the CISSP is a bad example because it (like most of ISC2's credentials) is ANSI accredited, which imposes strict guidelines around building and issuing the cert. But you get the point. 

Today's professionals are overwhelmed. We need "just in time" information, not "just in case" information. A series of 20-minute videos or whitepapers about a specific topic is just-in-time. A week-long course composed primarily of knowledge you'll never use again is just-in-case.

Question 5 💭

In your experience working with Fortune 50 companies and as a security advisor, can you share instances of how regulation and compliance have shaped security, or vice versa? Have there been moments of conflict or misaligned incentives?

Answer 5 🎯

Pause one moment while I grab the soapbox. 

Many of my peers in cybersecurity have a wealth of knowledge but have developed that in a vacuum of privilege. They've spent their entire careers in Fortune-sized and/or publicly-traded companies with a history of structure and maturity. They have teams for infosec. Most often, they have teams of teams within infosec. Some clients I work with have five people just to run the security awareness program. Many have an entire team to manage OT/ICS cybersecurity. 

But that's not normal. Well over 99.9% of the world's companies don't have those resources. Almost as many also don't have the time, support, or knowledge required to build a cybersecurity program.

Compliance does not equal security. 

But here's the jagged little pill -- compliance does force many companies (and professionals) to pay attention to cybersecurity in ways they would have never pursued on their own.  

So for that, I love compliance and regulations. 

The flip side of that is that those compliance requirements need to be helpful. They need to be actionable, reasonable, educational, and they need to reduce risk. Otherwise it's a waste of time, and it puts our limited attention on the wrong things. 

I'll pick on OT/ICS for a moment. Much of the guidance put out there is simply ignorant. "Remove all remote access" and "replace legacy products" is asinine advice and proves that, while well-intended, the authors have never worked in those environments.

Question 6 💭

You’re known as a pioneer in network security architecture, advocating for zero trust, proposing innovative approaches to NAC, amongst many other significant contributions. What considerations are often overlooked by organizations when designing and implementing robust security measures? What will be key considerations as cloud evolves?

Answer 6 🎯

I think many of us in cybersecurity and IT are here because we love puzzles. I love Zero Trust architectures and I've loved NAC projects because they're complex. They're intricate. They're like 3D puzzles that move and have life. 

Security architecture really demands a holistic approach if it's done correctly, and I think that is what's overlooked by organizations. 

Technology evolves -- it morphs and changes into systems of systems that are more and more complex. Including, and especially cloud architecture. It's hard for incoming professionals to learn security for this newer tech when they have no concept of the basics of technology, applications, and networking -- which is just as critical for cloud as on-prem.

Question 7 💭

You play an active role in the Cloud Security Alliance Zero Trust Working Group. How do you envision the future of Zero Trust architectures in cloud environments, and what considerations are critical for organizations adopting zero trust security solutions?

Answer 7 🎯

This is probably counter-intuitive, but the complexity of managing security in the cloud can be boiled down to three things. 

First, it's new for some people and we have to break ourselves of the habit of wanting to lift and shift what we're already familiar with on-prem to the cloud. 

Second, managing multi-cloud environments is going to remain a challenge. It's like dealing with Apple and Android for mobile device security - there's no parity and to some degree you're maintaining X sets of controls, monitoring, and toolsets, where X = number of cloud providers.

Third, and most frustratingly, for organizations working heavily with SaaS applications, the behavior and configuration of those apps is being changed by the vendor constantly. It's really hard to keep up and ensure constant cloud security posture against the baselines.

Question 8 💭

Looking into the future, what role do you see Network Access Control (NAC) playing in the context of Zero Trust security models, and how can organizations align their strategies accordingly?

Answer 8 🎯

I'm sure this is going to be a wildly unpopular statement, but in some ways Zero Trust is NAC 2.0. It's NAC re-imagined with more hooks, better automation, and more surfaces. Except, not really. 

Zero Trust is a mindset, like a "layered defense." It's not a product but a shift in how we think about fundamental architecture. But the policy sets, the trust inferences, the complexity of integrating multiple platforms -- that's all very NAC-ish, at least conceptually. 

Here's what it boils down to moving towards 2025 -- things we can put an agent on (laptops, servers, microservices, cloud and on-prem, etc.) -- we'll be able to shift from NAC-type products into more mature and integrated platforms that can offer layer 7 enforcement and leverage SDP. All the rest of the "things" on-prem, the headless devices, the IoT, the OT/ICS -- we'll still need something. NAC is still one option there, for now.

Question 9 💭

How do you believe cybersecurity professionals, in light of the advancement of AI and AIOps, can effectively ensure the ethical and unbiased use of these technologies, especially in critical domains such as threat detection and response?

Answer 9 🎯

There's a lot of work being done around the world on managing the ethics and bias in AI, and I'm always interested to watch and learn what professionals in that space are thinking about. And more importantly perhaps, what they're *worried* about. 

Question 10 💭

What is your perspective on the current state and future trajectory of the industry? What shifts or trends do you foresee? What emerging technologies are top of mind for you?

Answer 10 🎯

We're making great strides in Zero Trust programs with many subsets of environments. I think the future trajectory will pull along other supporting technology. 

Specifically, from the device perspective, I think the industry will be forced to do better with device identity and authentication options, namely device certs and ways to manage them, even for all those cute little IoT things. 

But the biggest shift, if we're going to be successful in our forward-looking statements, is in how we can do better getting high-fidelity alerting and building integrations for the trust inferences. If we're going to tell our Zero Trust network to take 5 very dynamic and real-time data points into account when making an access decision -- we need all 5 of those data sets providing inputs to the policy engine. That means standardization. It means better API control. It means we have to stop living in the vendor-specific ecosystems so prevalent today.
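To illustrate the point about every data set actually reaching the policy engine, here is an added Python example (not code from the interview or from Viszen Security): a small access decision that fails closed when any of its required signals is missing or stale. The five signal names and the five-minute freshness window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical names for the five real-time inputs the policy engine expects.
REQUIRED_SIGNALS = ("user_mfa", "device_cert", "device_posture", "geo_risk", "threat_score")
MAX_AGE = timedelta(minutes=5)  # assumed freshness window for a "real-time" signal


@dataclass
class Signal:
    name: str
    trusted: bool          # True means this feed considers the request acceptable
    observed_at: datetime  # when the feed last reported (timezone-aware)


def decide(signals, now):
    """Return ("allow" | "deny", reasons).

    Fails closed: a feed that is absent or older than MAX_AGE is treated as an
    unknown, and an unknown input can never contribute to an allow decision.
    """
    reasons = []
    for name in REQUIRED_SIGNALS:
        sig = signals.get(name)
        if sig is None:
            reasons.append(f"{name}: no data from feed")
        elif now - sig.observed_at > MAX_AGE:
            reasons.append(f"{name}: stale ({(now - sig.observed_at).seconds}s old)")
        elif not sig.trusted:
            reasons.append(f"{name}: negative signal")
    return ("allow" if not reasons else "deny", reasons)


def sample_decisions():
    """Constructed sample: one fully-fed request, one with a dead feed and a stale feed."""
    now = datetime(2024, 2, 6, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(seconds=30)
    complete = {n: Signal(n, True, fresh) for n in REQUIRED_SIGNALS}
    degraded = dict(complete)
    del degraded["threat_score"]                                               # feed is down
    degraded["geo_risk"] = Signal("geo_risk", True, now - timedelta(minutes=20))  # stale feed
    return decide(complete, now), decide(degraded, now)


if __name__ == "__main__":
    for verdict, why in sample_decisions():
        print(verdict, why)
```

The degraded request is denied even though every signal that did arrive was positive; the reasons list is what an operator would want surfaced so the broken integration gets fixed rather than silently weakening the policy.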

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Sellers can now resell third-party professional services in AWS Marketplace
  2. Stream data into Snowflake using Kinesis Data Firehose and Snowflake Snowpipe Streaming (Preview)
  3. Amazon ECS and AWS Fargate now integrate with Amazon EBS
  4. Microsoft Cost Management Updates January of 2024
  5. Generally available: Support for up to 100 TB of storage for the FHIR service

Top Articles and Resources of the Week

Articles

  1. Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering
  2. Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware
  3. US to Roll Out Visa Restrictions on People Who Misuse Spyware to Target Journalists, Activists
  4. Cloudflare Suffers Breach After Failing to Rotate Stolen Okta Credentials
  5. Cybersecurity M&A Roundup: HPE Agrees $14bn Acquisition, Deals Announced by SonicWall and SentinelOne

Resources

  1. Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
  2. Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
  3. CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
  4. SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
  5. Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.