Secret CSO: Gunnar Peterson, Forter

Name: Gunnar Peterson

Organisation: Forter

Job title: Chief Information Security Officer

Date started current role: July 2021

Location: USA

Gunnar Peterson, CISO at Forter, a fraud prevention and trust platform for digital commerce that enables merchant/customer trustworthiness to be assessed at every stage of the purchasing journey. Prior to joining Forter as CISO in July 2021, Peterson served as Chief Cybersecurity Architect at Bank of America for nearly six years, and as a visiting scientist at Carnegie Mellon University’s Software Engineering Institute. Peterson specialises in software architecture and security for distributed systems and the applications that run on them.

What was your first job? I started out as an entry-level programmer fixing tiny bugs that no one else wanted to. I felt like I had the best job because it was like getting paid to solve puzzles all day.

How did you get involved in cybersecurity? My boss at the time asked me to look into a LDAP interface for authentication. It was quickly apparent that while everyone used LDAP for authentication, there was little security in the protocol, a worrisome combo. I went to the BlackHat conference in Amsterdam so I could hear a talk by a German hacker named FX about “hacking lesser known protocols” that included LDAP.

Unfortunately, I was right – there was not much protecting LDAP at that time, and worse yet, FX showed that many routing and infrastructure protocols were quite vulnerable as well. I thought, wow this is going to be a big problem.

What was your education? Do you hold any certifications? What are they? I did not come up as a Computer Science major; I studied Classics. I have contributed to many certifications in application security, identity, and Cloud Security including CSA, Open Group’s Enterprise Security Architecture, and Carnegie Mellon University’s SEI curriculum.

Explain your career path. Did you take any detours? If so, discuss. I started out as a programmer and really enjoyed doing that for a few years, but once I started to learn about all of the interesting problems to solve at the intersection of software and security, I was hooked and have stuck with that since.

Was there anyone who has inspired or mentored you in your career? There are a lot of inspirations in this field. Some that really stand out are Dan Geer for his deep understanding of the confluence of technical, policy, and security change; NSA Technical Director, Brian Snow for his practical vision on the role of assurance; Robert Morris, Sr., for his ideas on the importance of scale in security; and Robert Garigue, former CISO of Bank of Montreal and Bell Canada, for his philosophy that security teams are first and foremost learning teams.

What do you feel is the most important aspect of your job? Communication and coordination – making sure people are working in a cohesive way.

What metrics or KPIs do you use to measure security effectiveness? The main metrics are around coverage (where are we positioned to defend), efficacy (how well do we defend), and efficiency (what is the mean time to find and fix when things do not go as planned).

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I think everyone can use more help, but I do not view the skills shortage as problem number one. I have always liked building teams that are comprised of different types of people with different skills. It is easy to say; I cannot find enough security engineers.

But a security engineer has to know quite a lot, and not just about straight-up security. Ideally, you want to find people who know a lot about what they are defending (such as a database or a network) and know a lot about security, too. It is hard to find both, and available security talent is more scarce than it was a few years back.

For example, let’s say you need to recruit a database security person; a security professional who does not know databases does not totally solve your problem, as you still have to train them on databases. Why not also, in this example, double your chances and interview database people who want to make a career leap and teach them what they need to know about security?

Cybersecurity is constantly changing – how do you keep learning? This is my favorite thing about security; we sit at the junction of constant technical change with new things to defend, and attackers who continually raise the bar on what is achievable. Attacks that were in the “too hard” bracket a few years back are point-and-click tools today. You need to watch both areas closely.

What conferences are on your must-attend list? I think the Identiverse conference is one that more security people should attend. It is a big conference with a large following of identity “nerds”, and since identity is a new perimeter to defend, more security people should look at going.

What is the best current trend in cybersecurity? The worst? Zero Trust is both the best and the worst. It’s a great and powerful idea, which at the same time has been bent and twisted out of all recognition. The core principles are worth anyone’s time and I hope to see the industry reflect on what it takes to truly deliver on it, and identify where the current strengths are, and the gaps that new tools are needed to solve.

What’s the best career advice you ever received? This was from Dan Geer, who once told me “the future of security is risk management.”

What advice would you give to aspiring security leaders? Security is about strength at scale. Everyone focuses on making things stronger. If we have a password, let’s make it more complex. Now let’s add lockout, now let’s add MFA, etc. We always have to progress the strength spectrum, but scale is equally important and that is a different set of tools. How do we take this security capability and make it easy to use, simple to integrate and operate?

What has been your greatest career achievement? My favourite thing is building great teams that allow people to grow their careers.

Looking back with 20:20 hindsight, what would you have done differently? Early in my career, I was a huge introvert and painfully shy. Midway through, I realised I would not be able to get my ideas to scale without getting more people involved. Therefore, I learned some basic presentation skills that really helped me formalise concepts and communicate ideas.