Q&A with Shawn Henry CSO of CrowdStrike

 

Shawn Henry serves as chief security officer for CrowdStrike, a global cybersecurity company that works with nearly half of the Fortune 500 and some of the largest entities globally in areas like transportation, technology, hospitality, manufacturing, critical infrastructure and the public sector.
A former FBI agent, Mr. Henry retired in 2012 from the bureau’s senior executive service as executive assistant director, where he oversaw half of the FBI’s investigative operations. Now, he supervises all aspects of security for CrowdStrike, ranging from the physical security of its global facilities, personnel, executives and events, to the company’s information security, business continuity and resiliency, and risk reduction programs.
We talked with Mr. Henry about the security challenges his company faces as the pandemic wanes and physical-cyber security convergence continues to ramp up. We also asked him about the need for greater collaboration with law enforcement and more comprehensive training for employees.

Keith Oringer: What are some of the unique security challenges facing a global technology services company like CrowdStrike?

Shawn Henry: We’re a security technology company that protects some of the biggest companies around the world from many different cyber threat actors that are seeking opportunities to get inside organizations, such as nation-state actors like Russia, China, Iran and North Korea, and organized crime groups. There’s no shortage of adversaries looking to steal information or to disrupt those networks, and they’ve got very substantial capabilities. Trying to stay a step ahead of the adversaries, while constantly innovating our solutions, maintaining a high level of rigor and our sense of commitment and mission to protect our customers – it’s all a challenge. And we’re very, very fortunate to have amazing employees in the organization who are focused on the mission: stopping breaches.

KO: How has the COVID-19 pandemic impacted CrowdStrike’s physical and cyber-security operations over the past 2 1/2 years?

SH: We were built as a remote-first company. Before COVID, about 70% of our workforce was remote already, so when the pandemic hit, it wasn’t a major impact on us to move people off-site. Our technology, as a cloud-based security company, is built for that specific purpose. What the pandemic did do, though, was offer us a lot more opportunities – because as corporations moved to the cloud and made their workforces remote, they did not necessarily have the capabilities in place to secure their new infrastructure. As a result, we were really pressed into action. Because of that significant increase in workload, we had to scale to meet the demand by growing our workforce, which, from a security perspective, resulted in increased background investigations, a lengthy vetting process, and the onboarding piece. That was a lot of extra work for us, but it was done for the right reasons: to support the increasing remote workforce of these global corporations. It was an interesting couple of years.

We’re in a really strong place now, and a lot more companies have adopted our remote-first workforce model. I think they’ve learned that it’s easier for them to recruit people. In many cases, they’re more effective and more efficient. I think that we’ll see that model continue long-term.

KO: It’s interesting, you hear about some companies whose top executives have a different mindset. They want to have control, and some people are now coming back into the buildings in New York.

SH: That’s important. There are parts of our organization where there are some synergies by having people together because of very quickly changing adversary models and the ability to share intelligence. When people are training, for example, oftentimes, it’s easier when you’re sitting next to somebody than doing it over Zoom. There’s pros and cons, always. So, I think every company needs to determine what the right mix is for them. There are so many considerations in addition to the efficiencies. You’ve got to look at the costs, you’ve got to look at morale, you’ve got to look at the retention and recruiting that I mentioned earlier. Each company has to make that determination, but the fact is that remote workforces and cloud-based capabilities are not going away.

KO: Given your responsibilities, and the increasing pace of technology convergence, how does CrowdStrike approach collaboration between physical and IT security?

SH: It’s a really important question. I’ve said for the last few years that there are more similarities between the physical world and the IT world than there are differences. There’s this merging of the two worlds. Historically, people have looked at information technology as this kind of ephemeral, up-in-the-ether type of delivery system. But the reality is, there’s a lot of physical components to digital: there’s hardware, data centers, people operating pieces of equipment. There’s always going to be that link. In our organization, I’m the chief security officer, and I’ve got information security in my area of responsibility, as well as the physical security of our buildings and our people. It all comes within the same chain of command. And I think there’s a lot of value there because of the sharing of intelligence, and the ability to collaborate.

I talk to a lot of companies, and they’ve got the chief information security officer reporting to the CIO; they’ve got the physical security people reporting to somebody else – maybe the CEO, or the CFO, or the general counsel. And sometimes there’s this deep bifurcation that inhibits collaboration and creates blind spots for companies from a security perspective. The ability to work in a collaborative environment, to share intelligence across all risks to the company, physical and digital, is the right model. Many companies have different iterations of it, and you’ve got to do what’s right for you; but at the very least, there needs to be an absolute coordination and sharing of intelligence between the two teams, even if they’re not the same chain of command.

KO: Right, you can react a lot quicker if it’s under one roof rather than two. And then you don’t get into the politics, with everyone controlling their domain or their power base.

SH: I’ll give you a great example. You have a company that has an insider threat of a disgruntled employee, who is now exfiltrating data from the internal network because they’re going to go to a competitor. If you’re on the security team, and you’ve got a physical human being who’s sitting in an office or working from home; you’ve got one security group that’s responsible for disrupting that employee, or for exiting that person from the organization. You’ve got a whole other group of people who are responsible for looking at what has been exfiltrated, or somehow engaged in the collection of evidence. You also have a team responsible in case the disgruntled employee deploys some type of malware in the environment. It would be wonderful if people are not only talking to each other, able to move at the speed of the internet and not have to wait for somebody to make a decision, or for another supervisor to sign off on documentation – but also reacting in real time to get ahead of some of these things.

KO: In this post-pandemic work world, what are your concerns about CrowdStrike employees using internet-connected devices for business outside of the office?

SH: My answer is always: it depends. Every company is going to be a little different. You’ve got to allow employees to utilize their work resources for what we would call – going back to my time in the government – de minimis use for personal work. Somebody wants to check their personal email account, or they’re having a text-chat with their parents about a big party coming up over the weekend, that’s de minimis use. I had a big meeting last week with about 15 CISOs, and we were talking about companies that have found employees working multiple jobs in the remote workforce. Somebody who’s literally sitting with two computers, getting paid two salaries, and working on two computers for two separate companies at the same time. That, of course, would be completely inappropriate and unacceptable – quite honestly, that’s fraud.

We’ve got to build an environment that allows our employees to engage in some private activity, but we’ve got to also instill in them a sense of responsibility. You’re not spending three hours a day on some separate side project, or you’re not engaged in outside employment that’s impacting your ability to do your job. It’s incumbent upon the employees, it’s incumbent upon the managers, it’s incumbent upon the company to ensure that the parameters are very clearly described and enforced. And that’s what we do here. We make sure that folks are well aware of what the protocols are, and what acceptable behaviors are.

KO: What advice do you have for CSOs and CIOs in working with organizations to add new physical and IT security tools and technology?

SH: I talk to boards all the time about risk, and what the impact might be on the company to have some type of an exposure of data or disruption of their network. And it’s really important for these companies to ensure that they’ve got cutting-edge technology that allows them to keep up with the pace of innovation. I mentioned at the outset the sophistication of the adversaries that we deal with—if you don’t have the proper tools to identify their anomalous behavior, you’re not going to even know they’re on your network. You’ve got to invest in technology, both on the physical and the IT side, because the risk of not doing so is so high. If you’re unable to detect or see anomalous behavior, the first time you’re going to know there was a problem is after something bad has already happened.

You need to have the right capabilities from a physical perspective, access to intelligence sources, access to technology that allows you to lawfully look at unusual behavior, and access to IT security tools and technology that allows you to detect these types of activities before they create that negative impact. You’ve got to stay abreast of that. And I know a lot of CISOs and CSOs that are talking to their peers regularly, looking for best practices, looking for recommendations on new technology. That’s also an important part of the CISO or CSO job, is making sure you’re staying tuned in to what the current behaviors or trends are, and where there’s opportunity to make yourself more effective and more efficient.

KO: How do you go about promoting a company-wide security culture, and how do you see that challenge evolving?

SH: It’s the tone at the top – it all starts with leadership. If the leader doesn’t think something’s important, the rest of the company is not going to think it’s important. I talk to boards and C-suites all the time about the need to lead from the front, to lead by example, to carry the right message, and to set that tone. In our company, we have a security-first mindset that is instilled from the very day people onboard as a new hire. It’s one of the first things that they hear from me, personally, about understanding what the risks are and recognizing the role that individuals play in defending the company. I talked a minute ago about the tools and technology that you need, but it starts with people. It starts with people having a recognition of what the risks are, and then understanding their role as a first responder – seeing something and saying something.

If you see something unusual – somebody walking in, they don’t badge-in, but they walk in behind somebody else – challenge them. Or you get a phishing email that has some type of a malicious payload on it, and you’re trained to recognize those things, you alert the CISO so that they can pull it out of everybody else’s mailbox. Those are little things, but it’s about building that culture. And culture is important. We have a very strong culture in our company. I send out messages regularly, our CEO talks about it regularly, and it’s addressed when we do our all-hands communications. We do a lot of testing, internally, of our employees so that they recognize the risks. And people who violate those rules – certainly, if they do it willfully – we ensure that there are consequences. Otherwise, it’s more of a suggestion than a deterrent.

KO: Given your professional background, how do you approach collaboration between CrowdStrike and law enforcement agencies?

SH: First off, I’m a big believer in collaboration, not just with law enforcement agencies, but with other companies. We’ve been very collaborative with some of our competitors, where we found something that was unusual, and we shared it with them, so they could share with their customers. Recognizing that our competition is less important than getting out the message and helping to secure infrastructure. Collaboration is very, very important. We’ve got a lot of partnerships in this industry.

I’ve encouraged companies to share with law enforcement. I can’t do it unilaterally without their concurrence, but I’ve many times suggested: “Look, here’s something that the FBI or the Secret Service could use. It’s valuable intelligence. We can share it in a way that does not undermine you, or place you at risk, but it would be helpful for the broader internet community.” And that works well and has resulted in some really positive interactions.

My background allows me to have conversations with law enforcement because I understand what they’re trying to do, and what they need to accomplish their goals. And again, I can oftentimes navigate between the victim-customer and law enforcement in a way that allows for a win-win situation. Law enforcement is able to get what they need, and the customer maintains their privacy and is not put at greater risk. And that’s helpful for all parties involved.

KO: How do you see your approach to security training and awareness evolving, especially as a global company?

SH: Awareness has really got to be top of mind. I’m still bumping into executives of major companies who do not have an appreciation for their risk, and I take that seriously. Organizations need to understand what they’re facing. They have the ability to influence the long-term success of their company; conversely, they also have the opportunity to negatively impact their company because of a lack of attention, or a reluctance, or malfeasance. If they’re not paying attention, if they’re not aware of the risks, they’re putting themselves, their customers, and their employees at risk.

Internally, every company needs to ensure that they’ve got an adequate training program in place. We’ve seen in the physical world companies doing active shooter drills and of course fire drills. Those are normal courses of business; fire drills have been for many decades, active shooter drills in the last five years or so. There needs to be drills and training around cyberattacks, and companies need to adopt that. They need to encourage it. They need to hold people accountable if they’re not taking the training, because awareness is the first piece in a successful defense.

KO: With all the lessons learned over the course of your career, what’s your best piece of advice for security professionals?

SH: There are a couple of things. First of all, you can never become complacent. You’ve always got to be on edge. People tell me I’m intense. And I feel good about that [description] because I don’t ever want to be asleep at the switch. You want to be looking forward, to see what’s coming through the windshield. You don’t want to be looking in the rearview mirror to try to figure out what just hit you. The other piece that’s really important for security professionals, is to position yourself in your company as an enabler of the business. Too often, people see security as an obstacle: “No, the CISO doesn’t want us to do this, the head of security doesn’t want us to do that.”

If people understand the risks, they’re going to be more accepting and more willing to take actions. Because rather than being told, “you can’t do this,” if they understand why they can’t do it, it helps them to have a better appreciation. If you want to be an enabler of the business, you’ve got to make allies within the organization. The general counsel can be one of your biggest allies: somebody who has an appreciation for risk, somebody who can help represent to others who might not understand what the corporate liability is, what the regulations are related to HIPAA, for example, or PCI (payment card industry). They can help you spread that message.

It’s about developing relationships and getting people to buy into what you want to do, not you walking around with a big stick telling people they have to do things. It’s about you encouraging people. They want to do it because they respect and appreciate you. They want to do it because it’s the right thing to do. Not because that crazy guy in the corner office told us we had to do it.