JetBlue CISO On Flying Faster With Automation

Tim Rohrbaugh explains AI and Bot vs. Bot scenarios

David Braue

Melbourne, Australia – Jul. 15, 2021

Effectively countering the attacks of cybercriminals is all about deconstructing their business model to the point where you become uneconomical to attack, according to one CISO who sees the role as one side of an adversarial relationship where empathy and creative thinking are the keys to success.

Cybersecurity teams have long been composed of an eclectic mixture of skills because security job descriptions were never quite prescriptive enough to breed out the need for creative problem-solving skills, JetBlue CISO Tim Rohrbaugh told Cybercrime Magazine.

“In one sense we all come from builder backgrounds,” he explained. “We’re coders; we’re systems engineers. I ran product, and I ran customer experience as a longtime technologist.”

“These things are all about creating opportunities for the business to create revenue — but at some point your mind switches, and you think about how to take things apart.”

That mentality quickly becomes fundamental to the role, he said. “As you mature in your career in information security, you start to understand how others in the ecosystem are trying to take things apart and serve their advantage. That’s where there is benefit in being empathetic to what the business is actually trying to do.”

Such empathy also needs to be directed at ever more corporatized attackers that now operate as little more than mirror images of legitimate companies, with reporting structures, supporting technologies, HR departments and other functional analogs.

Viewed through this lens, Rohrbaugh said, the whole process of cybersecurity defense was about actively frustrating attackers. “We’re the only ones in a company that are actually paid to undermine someone else,” he said, “but we’ve got to make sure that it’s not the employees, but focused on the criminal adversary.”

Automation of security responses, including increasingly common “bot vs bot” scenarios, will see growing use of AI on both sides push enterprises into a “rapid attack, rapid defense” strategy where, he explained, “it’s really going to be about speed and accuracy, with both of us doing that and trying to keep out of the way of the business.”

“You’ve got to figure out how to take their business apart — whether it’s to drive up their direct marketing costs, phishing, or to undermine their call centers. And the part that I really enjoy is to figure out how to make the value proposition for them in attacking you, one that pushes them to another direction.”

Flying faster with automation

Applying the adversarial mindset has been a long-running strategy for Rohrbaugh, who started his career in the Navy’s Communications Security (COMSEC) operations before moving into a senior engineering role with CSC, where he was working with systems in the air defense space.

Other positions — including a year as IT manager at consultancy firm NDC Group; CIO at systems engineering consultancy Etensity; twelve years as CISO with identity risk management provider Intersections; VP Americas with compliance as a service firm ControlCase; and four years as a “virtual CISO” with CISOonCall — gave him a range of perspectives about the interplay between corporate strategy and information security.

Ultimately, he said, the most successful cybersecurity practitioners were those “who actually had their amygdala driven by the trauma or experience of being owned as a sysadmin.”

“Those were the ones that had passion, and that passion could convert into skills,” he said. “I put people first with respect to the possibility and capability of the team, find the technologies or areas that they’re interested in, and then marry that up with the technologies that really augment the team.”

Being a successful CISO, Rohrbaugh said, also requires a continual effort to align those teams’ activities in a way that helps them not only focus on building corporate defenses, but also on understanding attacker motivations enough to make sure those defenses are the right defenses.

“I’m always willing to look back at where I came from and throw away things that don’t work and adopt things that do,” he explained, citing the MITRE Threat-Informed Defense paradigm as a similarly attacker-focused strategy.

That approach “encapsulates what we really have to do with respect to our maturity program,” he explained, “which is really figuring out exactly who the adversary is and the tactics and techniques that they use, and then to build and react our defensive posture to those things.”

Selectivity is key, since companies typically fail to protect against every risk even when they try.

“If we try to boil the ocean and come at it from every risk and every potential tactic,” he said, “we’re going to spend our time in areas which are not of value.”

“The places where a lot of CISOs and security organizations aren’t really spending the time they should,” Rohrbaugh added, “is trying to figure out and identify: who are the actors? What do they want? And what, specifically, are the techniques that they’re using today?”

Once those core issues have been clarified, aligning security teams to confound their attack techniques becomes a process that taps into the individual capabilities and unique perspectives of every team member.

“I love the creativity of our profession,” he said, calling the process his “art relief.”

“It comes from specifically trying to think about criminality as a business, and how to undermine it.”

David Braue is an award-winning technology writer based in Melbourne, Australia.