Bob Lord took a position as chief information security officer at Yahoo in 2015, just in time to learn the company suffered a major data breach that resulted in more than 500 million user credentials being compromised.

At Structure Security in San Francisco, Lord spoke about his experience at Yahoo, where he found the company’s culture was open to dealing with many of the challenges presented by the cyber security landscape but still fell victim to a targeted attack from nation-state actors that he called a “real life spy story.”

According to Lord, at his first meetings with the board of Yahoo, he told the executives one thing: “We are up against dedicated human adversaries who organize their work in campaigns,” a point he used to try to illustrate the attacker lifecycle, which he believed was vital to understanding how threat actors behave.

That mindset was important in shaping the security team’s approach at Yahoo by enforcing the idea that attacks are ongoing and can take place over a long period of time—they aren’t as simple as just breaking and entering. He said he also tried to instill the mindset that “an attack against any one company may be part of a larger effort."

Yahoo for its part was open to the approach and interested in involvement from the security side of the conversations, but most companies recognize they should be listening to their security team. The problem is, in practice, it doesn’t always happen.

"When you start to peel back the onion, most organizations don't actually act that way,” Lord said. “Most boards don't work with their CiSOs in ways that are truly informed by that philosophy.”

Conversations about security too often focus on technology, Lord said. While technology plays a role in the conversation, Lord said the “real issue is, security is not a technology problem...it’s a people and process problem."

“We need to figure out how to teach people so they're willing to do the right thing without having the CiSO or the security team telling them what to do," he explained.

Following the breach at Yahoo, the organization started to improve its culture. Lord headed up an effort to hire a full-time red team that could look at shortcomings in the company’s security that its internal team may have missed as part of his philosophy that organizations “shouldn’t grade your own homework.”

"We're looking for people to tell us what else is wrong, and that's one of the things we can always do more of,” Lord said. “We shouldn't be asking 'Are we safe?' we should be asking, 'What else is wrong?' When a CiSO runs out of things that are still not right, hire a consultant to find more."

Of course, those solutions are much easier for a company of the size and scale of Yahoo—and one that is technology-oriented. For businesses that are smaller in scale or unfamiliar with what they should be looking for to begin with, the issue is much harder.

Regardless of an organization’s resources, Lord said a mark of success for the culture of a company is when people “come back and argue with the security team” in the context of the team’s philosophy, as it means everyone is operating on the same page.

Even though the culture of Yahoo made changes under Lord’s leadership, the company still has to live with a major black mark on its record, given that state-sponsored Russian hackers were able to breach the company.

"No one really expects the Spanish inquisition,” he said. “No one really expects a foreign government will be after you.” The attack—carried out by officers at the FSB, a Russian intelligence agency, and two criminal hackers who helped breach the internet company—was something that Yahoo simply couldn’t prepare for or respond to in a way to prevent the damage.

“This is a real-life spy story,” he said. “It is remarkable.” Lord advised everyone to read the indictment against the attackers from the U.S. Department of Justice and “in the back of your mind, think about about the attacker lifecycle,” as the document serves as an intimate look into how exactly the attack was carried out over time.

When a breach does happen, whether it’s the result of a nation-state actor or an individual hacker, Lord said it was good to have friends in high places. “We had an existing relationship with the FBI. Heaven forbid, if you have a breach, you should know who your contacts are,” he said.

Editor’s Note: Newsweek Media Group and International Business Times partnered with Structure to host Structure Security 2017.

RELATED STORIES
Security Software Security Security