
Part 1 of 3: CDO Magazine – Lydonia & Cintas Interview

Learn how cybersecurity leadership is shifting from technical controls to a business-driven approach at Cintas. This discussion covers balancing security with operational efficiency, aligning cybersecurity with business objectives, and mitigating risks to prevent blind spots. Discover how Cintas prioritizes proactive security strategies to protect data, enhance compliance, and strengthen business resilience.

Todd Foley: Hello and welcome to the CDO Magazine interview series. I’m Todd Foley, Chief Digital and Information Security Officer at Lydonia. Today, I have the pleasure of talking with Jacob Lorz, Chief Information Security Officer at Cintas. Jacob, thank you for taking the time to talk with us today.

Jacob Lorz: Hey, thanks, Todd. I appreciate the opportunity. I’m looking forward to it.

Todd Foley: It should be a good conversation. I can’t think of anything more topical than security. Maybe you could tell us a little bit about your career path, any pivotal moments that shaped your approach to security, how you got into it, and how your perspective has changed as the field of cybersecurity has evolved over the years?

Jacob Lorz: Yeah, I mean, so that’s a really good place to start off. As you mentioned, I’m currently the Chief Information Security Officer at Cintas, but obviously you don’t start in that role. And, you know, you can probably see by some of the gray hairs on the side, I’ve been in the industry for a moment. I’ve always been interested in technology. I’ve always been interested in cybersecurity, but it really came to be a passion of mine when, 20-plus years ago, I worked for an organization that had a threat actor compromise one of our forward-facing, internet-facing file share services. And at the time, as a low-level support analyst, I didn’t understand how that could possibly happen. I just understood that it did, but it really made me want to dig in and try to, okay, recognize how it happened and how to prevent it from happening. So, I took it upon myself to kind of geek out and learn the Cisco PIX firewall. Okay, let’s at least build it, put some blocking in place to prevent that from happening, and then the career itself just kind of continued and progressed and evolved from there.

Okay, what’s the next way that a threat actor could potentially compromise us? What type of technology do we need to put in place? But along the line somewhere, my perspective of my career evolved from, you know, just the technical controls that we could put in place to really taking a more holistic approach of, well, there’s a people component and there’s a process component. All this together creates a security program. And when you’re thinking about the program, okay, you’re thinking about what’s the actual benefit to the business besides reducing the opportunity for threat actors. Where do you get the opportunity to do business enablement? And I think that’s truly what a security executive and practitioner has to think about: we’re not operating just for fun, because yes, cybersecurity is fun, but it’s about how we allow the business to continue to run and generate the revenue, or continue their operations, or continue, in our case, to service our customers. You know, at the end of the day, the customer is the first thing that we need to think about.

Todd Foley: I think you call out something that maybe doesn’t get enough attention sometimes, which is that while the technical aspects are important and evolving and always interesting (there’s that geek in my background too that can’t not dive into it a little bit), the problems that happen more often than not are related to process and people. And the impact that security has is not just from a risk standpoint and the negative impact, but the impact that security has in the day-to-day of business operations and on new initiatives, new releases to market, new offerings, new partnerships. There’s a real challenge, right? We always jokingly say things would be much more secure if there weren’t any users. But there’s a real challenge there where you don’t want to be the barrier to business, right? You want to be not just an enabler, but, if you can, an accelerator of what the organization does. And I think that’s really why it’s a board-level role in really every organization, right? It’s why there’s the C in the title. And I think talking about those aspects of it, how the people aspect and the business aspect are part of a program, but how you have that north star there of enabling and driving the business, I think is really important. I think, too, I’m curious, because that has evolved a little bit as well, right? Now, there isn’t an organization where security isn’t in every board meeting discussion, right? And people are concerned not just about brand reputation, but about personal liability at a board level. And that’s made things even more interesting, I guess is the way to say it. Can you tell, without, you know, disclosing anything inappropriate, how you approach that at Cintas?

Jacob Lorz: That’s a really good call out. I would say, especially executive leadership or level leadership, they’re definitely more cyber aware now. I think it’s just the nature of the game, right? It’s just the world that we live in. We have to. As cyber leaders, we take the approach of getting away from the days of old where it was, “No, you can’t do that, we’re going to lock everything down,” and instead reducing the friction that comes along with cybersecurity, you know, to continue the business progression and enablement without adding that barrier that you’re talking about.

So, it’s getting away from the office of no and getting towards risk recognition and the office of yes, we can do that as long as whatever it is. We can do that as long as we understand what the risk is, we understand what the inherent risk is, we understand what opportunities we have to put some risk-reducing controls or processes in place, and then get to a level of comfort with whatever that residual risk is, and then be able to convey that to potentially non-technical people. This is what we started with, this is what we put in place, this is what we’re left with, and are we all comfortable with that? And if so, great, we move forward. If not, we go back to the drawing board a little bit. But through the whole process, we also have to keep in mind the impact on, let’s say, the end user population. You know, to keep coming back to enablement, we want our partners, our employees, to operate, and operate effectively and efficiently, without adding unnecessary pain through cyber risk reduction, right? And I think that’s kind of, sometimes, the fun in it: how can we do all that and still be the security champion at the end of the day, to where we continue to get the support that we need from our board level and our executives, who say, okay, you’re building the right program, you’re putting the right technology and processes and people in play, and we’re better with less risk at the end of the day, and we’re still able to operate, but perhaps even able to operate more effectively.

Todd Foley: Well said. I think, too, and I won’t date myself either, but having been in the industry for a long time, there’s one thing that’s common among everyone, which is we’ve all seen a few interesting things, I guess is the way to say it. And without, again, disclosing anything, can you talk about any memorable, and I’m not saying good or bad, incidents that you’ve encountered in your career, and maybe what you took away from those experiences and how it shaped how you approach your program today?

Jacob Lorz: Yeah, sure. So I’ll get to that question directly in a second, but what I will say to preempt that is that one thing I love about a cybersecurity career is that it’s just so dynamic, right? Every day is so different. You’re not going to deal with the same threat day after day after day.

Todd Foley: Yeah. I wouldn’t hate that at the same time.

Jacob Lorz: Right? Well, yeah, that’s also kind of where that level of stress comes from in the role. But what I will say is that one thing, well, multiple things stick out, but one thing I think I can convey was, again, not at my current place of employment but in a previous role. It was a company that was an early entrant into the cloud, right? Into the cloud, back in the day, infrastructure as a service. And this IT team was standing up some infrastructure in a cloud space, and we had put what we thought were the appropriate security controls in place to protect the environment. We put what we thought were the appropriate processes in place. And, you know, we checked the box. Okay, we’re good. We can operate now, and we operated for, you know, months. And then we got a call from our finance team. It’s like, why did your cloud spend, why did the monthly bill, just shoot up and skyrocket in price? What we found is that a threat actor was still somehow able to compromise the environment, even with all the logging and alerting that we’d put in place at the time, and they had implemented a crypto-mining machine in the infrastructure platform.

Right. So, our controls were working; they hadn’t failed. They just weren’t looking at the right thing. So it was interesting to learn that, with the monitoring we had in place, the learning we had in place, our awareness of that cyber event came through our finance team. So you’re not always aware, or you might be surprised by how you actually find out about a cyber incident.

And then I guess a lesson learned from that would be that that’s when in my career I started saying, okay, I’m never really happy with what we’ve built. I’m never really comfortable. I’m always waiting for that other shoe to drop. So everywhere I work after that, there is a need for what I call a verification and validation team. A V and V team. So, it’s continuous internal self-assessment on a daily, weekly, monthly, quarterly, whatever the cadence is; we’re going to assess the effectiveness and the correctness of the controls and the processes that we’ve put in place. So, I will personally, not personally, but I will invest resources. I will build the team necessary to ensure that what we’ve put in place, again, is operating correctly so that we’re not caught off guard again.

Todd Foley: So, tell me a little bit more about that. I think that’s very interesting, right? I think we all look at needing to have checks and balances on what we do, but often it takes the form of red team, blue team, external testers. You’re talking about being able to have checks and balances and validation against every aspect of your program, right? Not just the technical controls.

Jacob Lorz: Yeah, that’s exactly right. So, I mean, if you think about building out a cyber program, you have multiple legs to the program. You’ll often have an architecture or engineering team. You’ll of course have an operations team. You’ll have a GRC team. What I’m talking about is still a separate team, or maybe a sub-team of your GRC function, that is dedicated to working with all the other teams to say, okay, what have you done over the last month or quarter? What have you built? What have you implemented? What process have you created? Documenting that and then adding that to a task list of continuous validation. So it’s kind of that first line of defense before we even start talking to internal audit teams or third-party auditors, which of course we still work with, but helping to ensure that we’re going to catch it even if our conceptual tools and processes have failed. Everything that we’ve built to date, which we think is the right thing to do, we still want to double-check and ensure that there hasn’t been configuration drift, for example, or that something hasn’t been over-permissioned, which we didn’t expect.

Todd Foley: Yeah, I think that’s really interesting. That’s building security resiliency into your culture, is what that sounds like to me. How do you avoid having that validation team be seen as the enemy by your other groups internally? Because they’re checking up on everyone, right? How do you avoid that sort of internal affairs branding? And how does that work in your culture today?

Jacob Lorz: You have to highlight successes, right? You have to make a mind shift happen to a security-first thought, right? And you have to say, okay, it’s good that we found something we didn’t expect. That’s the whole point of the team. And we’re only better at the end of the day, because somebody else isn’t going to take whatever we found and use that as a point of exploitation. So it’s no fault. I’m not saying, engineer over there, you did something wrong. I’m saying it just didn’t work out how we wanted it to work out. So now we’re going to correct it. But it truly is kind of a culture shift and mind shift towards that security first, security always, again, reducing friction, but let’s do the right thing.

Todd Foley: Well, thank you, Jacob, for joining me today. For our listeners and viewers, please visit cdomagazine.tech for additional interviews. It’s been a pleasure talking to you. I hope you have a great day.

Jacob Lorz: Oh, thanks a lot, Todd. I had a great time. I appreciate the conversation. It’s good talking to you.
