CIO Interview: Kevin Fielder, CISO, Just Eat

Fielder talks about cloud complexity, trust and fighting phishing

It has taken less than 20 years for Just Eat to grow from a Danish startup with five employees to its current position as a FTSE-100 member, delivering millions of takeaway meals from restaurants to customers in 13 countries every week.

In today's internet age, any business expansion inevitably means a larger attack surface. Last year Just Eat brought on its first Chief Information Security Officer, Kevin Fielder, who is working to change the way that employees think about how they - and the company - stay safe online.

Fielder says that he was both lucky and challenged to be recruited to a "relatively greenfield" team, where his role is both to grow the security strategy and to retain the agile, startup-like culture that still dominates Just Eat.

Kevin Fielder is Just Eat's first CISO

"[The security team wasn't] fully-formed...so it was a great opportunity but also a big challenge and responsibility", he told us. "I wasn't coming in to crank the handle; I was coming in to build the team out and work with the guys to decide how the team should look, how security should work for Just Eat."


Having a relatively blank slate to work with has given Fielder an opportunity to make his mark on the company's security culture, and he is keen to help other employees share his passion for the topic.

Fielder and his team are working to gamify security. An early example is a scorecard system; all of the components in production at Just Eat are assigned a red, amber or green mark in areas including security, reliability and scalability.

"You don't want to be the guy at the bottom of the leaderboard, so we're looking at how we make it into a process that developers and people buy into… [It's about] how you provide security that people will work with, rather than trying to work around to get their job done."

Turning security into a competition has helped Just Eat to change how employees think about it

A combination of people, processes and technology drives the most successful changes, says Fielder. 'People' comes through the security-first culture, and 'process' is about finding and adopting an approach appropriate to your business. Tying these two together is the first step:

"What you have to do is work out what works for your organisation in terms of keeping the culture and the culture that your organisation wants to build, but also having the right steps in place."

The 'technology' side is sometimes seen as the easiest part but, like process, choosing the right solution is key. Fielder, who wants to make sure that his team can devote time to more than just 'saying no', is pushing an automation approach.

"Taking the example of development, we're looking at how we can automate security checks on everything that gets to production. Rather than having tollgates and waterfall that stop people delivering, can we make sure that all code...is immediately scanned as it's checked in? Can we make sure that all third-party libraries are assessed for vulnerability as part of the build process, or earlier?

"We work on the principle of, how can we help the culture and the process, but also build security into that without slowing things down?"
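As an added illustration of the build-time dependency check Fielder describes (example code written for this page, not Just Eat's tooling): a CI gate that parses a pinned requirements file and fails the build when any pin falls inside an affected version range. The advisory list, package names and advisory identifiers below are constructed; a real gate would load them from a vulnerability feed.

```python
"""Build-time check of pinned third-party dependencies against a vulnerability list.

Added example; not Just Eat's tooling. The advisory list and the requirements
text below are constructed for illustration.
"""
import re
import sys

# Constructed advisory list with hypothetical package names and advisory IDs.
# Each entry: (first affected version, first fixed version, advisory id);
# a pin is affected when first_affected <= version < fixed_in.
ADVISORIES = {
    "fastparser": [("1.0", "1.4.2", "EX-2018-001")],
    "imgtool": [("0", "3.1.0", "EX-2018-002")],
}

# Constructed pinned requirements, in the format `pip freeze` emits.
REQUIREMENTS = """\
# generated by pip freeze
fastparser==1.3.9
imgtool==3.1.0
requests-like==2.20.0
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)==([0-9][0-9A-Za-z.]*)$")


def normalise_name(name):
    """PEP 503 style: case-insensitive, with runs of '-', '_' and '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Map '1.4.2' to (1, 4, 2) so comparisons are numeric ('1.10' > '1.9')."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_in_range(version, first_affected, fixed_in):
    """True when first_affected <= version < fixed_in, padding short tuples with zeros."""
    v, lo, hi = parse_version(version), parse_version(first_affected), parse_version(fixed_in)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def check_requirements(text, advisories):
    """Return a list of (package, version, reason) findings; an empty list means the gate passes."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if not match:
            # A range spec can resolve to a different version on every build,
            # so it cannot be assessed; treat that as a failure too.
            findings.append((line, None, "not pinned with =="))
            continue
        name, version = normalise_name(match.group(1)), match.group(2)
        for first_affected, fixed_in, advisory_id in advisories.get(name, []):
            if version_in_range(version, first_affected, fixed_in):
                findings.append((name, version, f"{advisory_id} (fixed in {fixed_in})"))
    return findings


def gate(text, advisories=ADVISORIES):
    """Exit status for a CI step: 0 when clean, 1 when any finding exists."""
    return 0 if not check_requirements(text, advisories) else 1


if __name__ == "__main__":
    for pkg, ver, reason in check_requirements(REQUIREMENTS, ADVISORIES):
        print(f"FAIL {pkg}=={ver}: {reason}" if ver else f"FAIL {pkg}: {reason}")
    sys.exit(gate(REQUIREMENTS))
```

Run as a CI step before packaging; a non-zero exit blocks the build. Two design points: unpinned dependencies fail the gate as well, because a range specifier can resolve to a different (possibly vulnerable) version on each build, and versions are compared numerically, so 1.10 is correctly treated as later than 1.9.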


The reaction to this increased automation has been "pretty good" - not just from the security staff, but from general business employees as well. That's because it has helped Fielder's team be seen as a resource, not a roadblock.

"We're not a blocker unless it's absolutely essential," he says. "What I'm aiming for is when security does ‘say no', the people take it seriously, because it's so rare that they know it's a serious occurrence."

Trading on trust

As any security professional knows, securing investment for innovations like automation and gamification is difficult. The benefits of good cyber security are hard to prove and quantify; by definition there's nothing to show from a successful strategy. So how do you secure support from the board?

Fielder's approach is not to focus on the financial benefits, but on trust.

"A lot of [the financial benefits] are not strictly quantifiable, but it's around how you want your brand to appear. We obviously have a desire to be a trusted brand; our CEO said, 'We'd like to be a brand you can happily tell your grandmother to use'.

"As a brand, we want our customers and our partners to trust us and to feel safe using us. Obviously, part of that is making sure that we have appropriate security in place to protect the systems that host all of their information."


Keeping customer data safe has always been important, and is even more so under the GDPR. While no record-breaking fines have been handed down yet (Google's £3.8 billion penalty was for an antitrust case rather than data security), the maximum penalty can reach €20 million (about £17 million) or four per cent of annual worldwide turnover, whichever is higher.

Your reputation is one of your most important assets, especially in the digital age when word of any misdemeanour - real or imagined - can spread across the country before your CISO has had their Cornflakes. Fielder says:

"I like to think it's a bit like, if you go away on holiday and lock your doors and windows and get burgled, no-one blames you at all; it's a crime, it's sad, it shouldn't have happened. Even if your friends had their stuff at your house and it was stolen, they would still trust you because you did the right thing.

"If you go on holiday and leave your front door open and your jewels on the doorstep, you being robbed is still a crime, but people wouldn't necessarily trust you to look after their jewellery in the future."

Insufficient security is equivalent to leaving your front door open

Security is not only there to protect your business and data, but your customers'. Securing their investment, which is just as important as the board's, is almost impossible without a minimum level of trust.

"If something bad does happen, you're still trusted because they know that you've done the right thing, and you did what you should do to protect systems and data," Fielder says.

Beyond the basics

Reassuring customers that you deserve their trust becomes even more important in the wake of a cyber incident, like the phishing emails that "one-man crimewave" Grant West sent to Just Eat customers in 2015.

Fielder has been pushing to roll out better email protection for customers against these types of attacks, using tactics including template email forms and proactively scanning for fake websites and social media profiles.

Short of completely dropping email, these are some of the best approaches that companies can take to protect customers from social engineering.

Phishing is part of the 'low-hanging fruit' of cybercrime: the easy-to-fix vulnerabilities and bad practices that attackers go after first. In business terms, that includes all of the information a business stores without adequate protection.

Companies must beware of their sensitive data becoming easy to pluck

While this 'fruit' is normally limited to non-critical data, sensitive information like customer lists can sometimes go unprotected, too - and that's good news for hackers, for whom low-hanging fruit is also their bread and butter.


Food analogies aside, it's a fact that the least guarded targets in an organisation's network are often those most targeted by attackers. On the face of it, the problem is easy to solve by investing in more security - but the solution is rarely that easy.

"We call that 'doing the basics' - but just because they're basic doesn't necessarily make them easy," says Fielder. "There's a difference between 'What are security basics, what is security hygiene?' and how easy it is to do that."

Protection certainly is easier said than done, especially on a modern network. One major reason is complexity: the more complicated a system, the more difficult it is to secure every part of it.

Today's systems, especially if they're virtualised, are extremely complex. Not only do they have many points of entry, but also multiple stakeholders and sources of code. Worse still, outsourcing is common, so the security team often lacks control over the entire network, which also makes recovery slower.


"If you're in a typical company now, you've got things potentially on-premise, in multiple SaaS cloud providers, probably several IaaS cloud providers as well; global office locations, people working from home, people in seamless working environments, developers who work for you, developers who work offshore, code developed for you by other people, third parties who need to use the intranet…

"[These] environments may sound simple, but are actually very very complex. Then you've got the fact that you need to balance security with uptime and reliability and everything else."

One solution is to force regular patching of your systems - something a cloud environment makes relatively easy - but that risks breakages if a patch introduces a regression in what is running on them. Fielder said:

"You have to make those priority calls of, 'Do we take a risk of a breach versus the risk of the site being down?' There's always a bunch of tradeoffs, and a lot more complexity than people think."

Slow doesn't mean ineffective

Once a hacker successfully gets onto a network, they have options. They can make a fast smash-and-grab style attack, aggressively stealing and corrupting everything that they can reach - or they can take a much slower, measured approach, trying to avoid detection while hoovering up data.


"We're all seeing 'bigger, faster, more' in terms of DDoS, password-guessing, credential-checking, those kind of things; all of the standard web attacks, just more of them and more distributed…[but] as people start to detect things like account takeover attempts, the criminals are starting to be even more distributed and even slower, so 'bigger, faster, more' but also 'lower, slower, more distributed'," says Fielder.

These types of attack can include snowshoe spam (with a large but light footprint); malvertising; and botnets, which can go undetected for months or years.

Slow, distributed cybercrime attacks like botnets infiltrate a network and then lie low as they leech resources and data

Criminals are increasingly using distributed botnets to test stolen credentials; the ones that work are then sold on the dark web, a trend first spotted in 2015. Because each bot checks the same credentials across a huge number of sites and touches any one of them only occasionally, automated per-source rate limiting struggles to spot them:

"You'll have people using these botnets...checking the same set of credentials across a bunch of sites quite slowly; so you'll only see the same machine once every minute or two, so it's very hard to detect...but it'll be busy because it's trying the same email and password across Just Eat, Atos, Spotify, Amazon, wherever. [The botnet owner] can then use that or sell it."
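The detection problem Fielder describes, as an added example that is not Just Eat's detection logic: two rules run over constructed authentication logs. The first is the classic per-IP burst rule, which a botnet that shows each source only once simply never trips; the second looks at the population of failures in a window and fires when almost every failure comes from a different source and targets a different account, which is what slow, distributed credential checking looks like from a single site. The log format, accounts and IP addresses (documentation ranges) are all constructed here.

```python
"""Two detection rules run over constructed authentication logs.

Added example, not Just Eat's detection logic. The log lines, IP addresses
(documentation ranges) and accounts are all constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
T0 = datetime(2018, 8, 1, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ts, ip, user, ok):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} ip={ip} user={user} result={'ok' if ok else 'fail'}"


def build_sample_log():
    """Constructed log: normal traffic, a slow distributed stuffing run, and a noisy brute force."""
    lines = []
    legit = [("alice", "192.0.2.11"), ("bob", "192.0.2.12"), ("carol", "192.0.2.13")]
    for i in range(20):                                   # ordinary successful logins
        user, ip = legit[i % 3]
        lines.append(log_line(T0 + timedelta(seconds=30 * i), ip, f"{user}@example.com", True))
    for s in (100, 130):                                  # one real user mistyping twice
        lines.append(log_line(T0 + timedelta(seconds=s), "192.0.2.11", "alice@example.com", False))
    for n in range(40):                                   # 40 bots, one attempt each, 15 s apart
        lines.append(log_line(T0 + timedelta(seconds=15 * n), f"198.51.100.{n + 1}",
                              f"victim{n}@example.com", False))
    for i in range(30):                                   # single host hammering one account
        lines.append(log_line(T0 + timedelta(seconds=1200 + 2 * i), "203.0.113.5",
                              "admin@example.com", False))
    return lines


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def per_ip_burst_alerts(events, window=timedelta(seconds=60), threshold=5):
    """Classic rule: any IP with >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["ts"])
    hits = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits


def distributed_stuffing_alerts(events, bucket=timedelta(minutes=10), min_failures=20, spread=0.8):
    """Population rule: in one bucket, many failures where almost every failure comes
    from a different IP and targets a different account. A slow botnet that shows
    each source only once looks exactly like this; a single brute-forcer or a
    handful of forgetful users do not."""
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[e["ts"] - (e["ts"] - EPOCH) % bucket].append(e)  # floor to bucket start
    alerts = []
    for start, fails in sorted(buckets.items()):
        n = len(fails)
        ips = len({e["ip"] for e in fails})
        users = len({e["user"] for e in fails})
        if n >= min_failures and ips / n >= spread and users / n >= spread:
            alerts.append({"window_start": start, "failures": n,
                           "distinct_ips": ips, "distinct_users": users})
    return alerts


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print("per-IP burst rule fires on:", per_ip_burst_alerts(events))
    print("distributed rule fires on:", distributed_stuffing_alerts(events))
```

On the constructed log the per-IP rule reports only the noisy single host, while the population rule reports the 10-minute window in which 42 failures arrived from 41 distinct sources against 41 distinct accounts. The thresholds (20 failures, 80 per cent spread) are starting points to tune against a site's own baseline of ordinary failed logins.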

I'm not a big fan of the 'insider threat' term, because most of the people who work for you are trusted

Then, of course, there is the problem of insider threat - although Fielder prefers 'people risk', arguing that most people who compromise your security internally aren't acting maliciously.

"With a huge complex environment there's always [the element of] how you manage your own colleagues and the people who have access to it… People can make mistakes, or work around security [in an attempt to] do the right thing.

"[In] that balance of security, usability and culture, how do you provide security that people will work with, rather than trying to work around to get their job done?"


There are as many approaches to combat cyber crime as there are attacks to defend against. Fielder acknowledges their importance, but for him the fight starts at a more basic level: you need to be able to see your opponent to hit him.

"I'm a huge fan of visibility and monitoring underpinning nearly everything, so [the counter is] understanding your environment and getting that visibility across it; understanding what is normal and then starting to look for things outside of that.

"That, for me, is the key; it's monitoring as much as you can of everything and then using...machine learning, AI and those kinds of things to start building patterns and looking for anomalies."

Network visibility is key for protection

If there's one thing that IT professionals are known for, it's investing in shiny new technology - sometimes unnecessarily. Fielder warned that throwing money at a problem is often not the right approach.

"You don't necessarily need super-fast AI. Most attacks are going to try and make unapproved systems changes or to exfiltrate data...so you look for systems talking to things that they don't normally talk to, or transferring larger volumes of data than normal, or processes changing what they're doing or the files they're accessing. Those kind of things you can set up rules for; they don't have to be super-advanced machine learning kinds of things.

"Understand the environment, monitor the environment and look for anomalies and changes, and obviously augment it with intel and knowledge… If you already know what a lot of the C&C servers and botnets look like in terms of their IP ranges and so on, you can easily spot something that's bad even before they've necessarily broken the threshold of data transfer volume."
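The three rules Fielder lists, as an added example that is not Just Eat's monitoring: a baseline is built from a week of constructed flow records (which destinations each host talks to and how much it sends per day), and the day under review is checked for never-seen destinations, egress above each host's own historical threshold, and any destination inside a threat-intel range, which fires on the first byte regardless of volume. Hosts, flows and the intel range (documentation address space) are all constructed here.

```python
"""Baseline-and-anomaly rules over flow records, plus a threat-intel match.

Added example, not Just Eat's tooling. All flows, hosts and intel ranges
below are constructed (documentation address space stands in for real data).
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed "known bad" range, standing in for a real C&C/botnet intel feed.
INTEL_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed seven-day history: (day, src, dst, bytes). 10.0.1.10 is a web
# node that only talks to its database and cache; 10.0.1.30 is a build node
# that pushes about 200 MB/day to the artifact store.
BASELINE_FLOWS = []
for _day, _db_mb in enumerate([48, 50, 52, 49, 51, 50, 50], start=1):
    BASELINE_FLOWS += [
        (_day, "10.0.1.10", "10.0.0.5", _db_mb * MB),
        (_day, "10.0.1.10", "10.0.0.20", 5 * MB),
        (_day, "10.0.1.30", "10.0.0.40", 200 * MB),
    ]

# Constructed flows for the day under review.
NEW_FLOWS = [
    (8, "10.0.1.10", "10.0.0.5", 51 * MB),        # normal
    (8, "10.0.1.10", "203.0.113.77", 2 * MB),     # never seen before
    (8, "10.0.1.30", "10.0.0.40", 900 * MB),      # 4.5x the usual daily volume
    (8, "10.0.1.30", "198.51.100.9", 1_000),      # tiny, but inside an intel range
]


def build_baseline(flows):
    """Per source host: the set of destinations seen and the list of daily egress totals."""
    dsts = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        dsts[src].add(dst)
        daily[src][day] += nbytes
    return {src: {"dsts": dsts[src], "daily": list(daily[src].values())} for src in dsts}


def volume_threshold(daily_totals):
    """Alert line: the higher of 2x the mean and mean + 3 standard deviations.
    The 2x floor stops a perfectly regular history (std dev 0) alerting on noise."""
    m = mean(daily_totals)
    return max(2 * m, m + 3 * pstdev(daily_totals))


def in_intel(dst, ranges):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ranges)


def evaluate(flows, baseline, intel_ranges):
    """Return alert dicts for known-bad destinations, never-seen destinations, and
    sources whose daily egress exceeds their own historical threshold."""
    alerts = []
    egress = defaultdict(int)
    for day, src, dst, nbytes in flows:
        egress[src] += nbytes
        if in_intel(dst, intel_ranges):
            # Intel matches fire on the first byte; no volume threshold needed.
            alerts.append({"src": src, "kind": "threat-intel", "dst": dst, "bytes": nbytes})
        if src in baseline and dst not in baseline[src]["dsts"]:
            alerts.append({"src": src, "kind": "new-destination", "dst": dst, "bytes": nbytes})
    for src, total in egress.items():
        if src in baseline and total > volume_threshold(baseline[src]["daily"]):
            alerts.append({"src": src, "kind": "volume", "dst": None, "bytes": total})
    return alerts


if __name__ == "__main__":
    for a in evaluate(NEW_FLOWS, build_baseline(BASELINE_FLOWS), INTEL_RANGES):
        print(f"{a['kind']:16} src={a['src']} dst={a['dst']} bytes={a['bytes']}")
```

Against the constructed data this reports the web node's new external destination, the build node's volume spike, and the build node's 1 KB flow to the intel range (which is also a new destination); the web node's 53 MB day stays well under its threshold. None of it needs a learned model, which is Fielder's point: known environment, known normal, simple rules, then intel on top.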

Tom Allen
