CIO and CISO Tammy Moskites says companies face mounting risks from insecure digital certificates in the era of the Internet of Things – it’s those cybersecurity threats that drew her to the dual C-suite role at Venafi.
By Clint Boulton
Most seasoned CIOs and CISOs looking for an exit have the luxury of hiring executive search firms to find them a landing spot. But sometimes chaotic business environments force IT leaders to take matters into their own hands.
Such was the case for former Time Warner Cable CISO Tammy Moskites, who along with other members of the cable company’s C-suite found herself out of a job in February 2014, part of Comcast’s house-cleaning to make way for the merger (which ultimately failed). Word about Moskites’ sudden availability spread quickly and she was offered roles at top-tier companies. But Moskites had something else in mind.
She called Jeff Hudson, the CEO of security software maker Venafi, of whom she was a long-time customer, and asked if she could join the executive team. Hudson, unable to believe that he had a shot at landing a seasoned IT leader with CISO stints at both TWC and Home Depot, thought Moskites was having a laugh at his expense and promptly returned the joke by hanging up on her. “He thought I was busting his ass and he hung up on me,” Moskites recalls. “He knew I’d always worked for organizations with tens of thousands of employees and built very large security organizations.”
Technology proves cool, refreshing to this IT leader
Moskites called back later, said she was serious and the two quickly worked out a deal to name her as CIO and CISO. The foundation for this unconventional courtship was laid in 2010 when Moskites began using Venafi while working as Home Depot’s CISO. She joined Venafi’s customer advisory board in 2011, and implemented Venafi when she jumped to TWC in August that year. “I really drank the Kool-Aid,” Moskites says.
Moskites is hardly the first IT leader to make such a move. Vendors often hire experienced CIOs and CISOs from their customers because they can articulate the value proposition of a technology effectively to their peers. Box has a history of hiring CIOs who have used, and come to appreciate, its cloud collaboration software. Colin Black became Crowdstrike’s CIO last fall after using the startup’s software while working as CIO of Kratos Defense and Security Solutions.
What is so special about Venafi that it can entice a CISO to break from the ranks of global Fortune 500 businesses?
Venafi makes software that automates the monitoring and management of digital certificates, the crucial software bits with which banks, retailers and other corporations exchange information via the Internet. If a certificate’s signature is valid, and the person examining the certificate trusts the signer, then they know they can use the key in that certificate to communicate with its owner.
When certificates expire, they can, for example, trigger website outages or stop an airline baggage system. Certificates may also become compromised, posing great security threats. “If something shows up that wasn’t there yesterday, you can assume it’s no good,” Moskites says. In recent years, Heartbleed, Stuxnet and other certificate-related vulnerabilities have struck fear into CIOs and CISOs.
What Venafi does
Most companies acquire such certificates from VeriSign or some other provider, create loads of documentation around them, then track the data in a spreadsheet, a practice Moskites calls woefully inefficient. Venafi automates this crucial task: assessing which certificates are trusted, protecting those that should be trusted, fixing or blocking those that are not and alerting IT when it detects anomalous activity. Venafi provides a certificate reputation service that identifies and enables remediation for rogue or anomalous certificates. Four of the five top retailers and banks in the U.S. use the software.
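To make the contrast with spreadsheet tracking concrete, here is an added Python example (not from the article and not Venafi's code) that compares two certificate inventory snapshots and flags certificates that are new since the last scan, issued by an unapproved signer, expired or close to expiry. The record fields, the approved-issuer list, the 30-day warning window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventories: fingerprints, names and dates are made up.
YESTERDAY = [
    {"fp": "aa11", "subject": "www.example.test", "issuer": "Example Public CA",
     "not_after": "2030-01-01T00:00:00+00:00"},
    {"fp": "bb22", "subject": "bags.example.test", "issuer": "Example Public CA",
     "not_after": "2025-06-10T00:00:00+00:00"},
    {"fp": "cc33", "subject": "old.example.test", "issuer": "Example Public CA",
     "not_after": "2025-05-01T00:00:00+00:00"},
]
TODAY = YESTERDAY + [
    {"fp": "dd44", "subject": "www.example.test", "issuer": "Unknown Issuer",
     "not_after": "2031-01-01T00:00:00+00:00"},
]
APPROVED_ISSUERS = {"Example Public CA"}  # assumed allowlist of trusted signers


def review_inventory(previous, current, approved_issuers, now, warn_days=30):
    """Return findings as (severity, fingerprint, reason) tuples."""
    known = {c["fp"] for c in previous}
    findings = []
    for cert in current:
        expires = datetime.fromisoformat(cert["not_after"])
        # A certificate that was not there yesterday needs an explanation.
        if cert["fp"] not in known:
            findings.append(("alert", cert["fp"], "new since last scan"))
        if cert["issuer"] not in approved_issuers:
            findings.append(("alert", cert["fp"], "issuer not approved"))
        # Expiry is what causes outages, so warn before it happens.
        if expires <= now:
            findings.append(("alert", cert["fp"], "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append(("warn", cert["fp"], "expires within %d days" % warn_days))
    # Certificates that vanished may have been replaced or removed.
    seen_now = {c["fp"] for c in current}
    for cert in previous:
        if cert["fp"] not in seen_now:
            findings.append(("info", cert["fp"], "no longer observed"))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 5, 20, tzinfo=timezone.utc)  # fixed date for the sample
    for severity, fp, reason in review_inventory(YESTERDAY, TODAY, APPROVED_ISSUERS, now):
        print(severity, fp, reason)
```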
Moskites spends 90 percent of her time traveling, speaking about digital trust at conferences and writing whitepapers. She estimates that she’s met with some 400 CIOs, CISOs and other executives and board of director members in the past two years. She says her team is Venafi’s leading software tester, advising product managers on quality and other details.
When Moskites is on the road, Rick Bill, senior director of IT security and infrastructure, takes point, overseeing such tasks as a new firewall and a private cloud. Yet Moskites remains closely connected to her IT team, conversing with peers via phone, Web conferences, instant messaging, email and “whatever works to make sure we’re communicating.” It’s all worth it to support Venafi’s growth at a time when unsafe certificates, particularly in the evolving era of the Internet of Things, pose a threat vector like none other.
Preparing for the proliferation of connected devices, CISOs and CIOs must work faster and be more nimble to protect corporate information, starting with certificates, Moskites says. “It’s like the law of large numbers,” she says. “The more you have to manage the more difficult it becomes.”