The New CISO Podcast: Don’t Be Afraid to Break Things

On this episode of The New CISO Podcast, David Lingenfelter, Vice President of Information Security at Penn National Gaming, discusses the importance of constantly learning and evolving in the information technology (IT) security field. After falling into his passion for IT, David quickly realized just how far his knowledge could take him if he constantly built upon it. Now, after a nearly 30-year-long career in IT with a focus on computer security, he shares his experiences growing and advancing through his work in the industry. 

The early days of modern IT

When David began his IT career in the early ‘90s, modern technology like remote access was not standard in work computers. Reflecting on his past, David remembers how he learned to market these new products to average users who didn’t understand IT.  David describes, “I remember one company we worked with, they wanted their workers working out of their homes. Well, part of my job was to go to these people’s homes and set up the remote software on their workstations at home, which was personally owned. It was quite a learning curve for me because it was my first time working with the true end users, the people that didn’t understand IT. There were a lot of different environments there. It was a long road for me to learn how to talk to end users at that time.” 

Learning by breaking things 

Before beginning his career, David was told, “If you never want to be bored, if you want to constantly be learning, go into security.” As a beginner in the field, he constantly played with new technology and learned defense methods against the ever-evolving security attacks on IT systems. The IT security field is demanding new strategies and technologies to combat threats. David stays sharp by constantly theorizing with colleagues, “how can we make this work? And better yet, how can we break it?” He found that by working together to build something or tear it apart, you can learn how different technologies would typically work in the security space. David says, “We would build and learn all the traffic flows and understand how things were working. And we would set up a VM farm — an entire host of systems as a honey pot — and throw it out there and just watch the bad actors play with it and break into it and see their techniques.” 

Creating team cohesion through communication 

David holds monthly meetings with his company’s IT team to show them different things that they’re doing from a security sprint, different threats coming up, and more. He values communication with his team as one of the ways to connect all operations of his business. In describing these monthly meetings, he says, “Every month I’m talking about these threats, or these activities that I know the properties need to be working on to do improvements. I absolutely agree with the repetitive nature and setting things up so that you are doing that at an operational level.” 

David stresses the importance of developing a cohesive team, stating, “With my security teams, I’ve always made sure that we’re saying the same thing in the same manner, not trying to one-up each other, not trying to work on our pet projects. We all have pet projects and by all means, work on them when there’s downtime, but don’t make that a focus. Let’s stay focused on the main projects.” 

Driving adoption of new security protocols

Creating new security policies for end users can often be met with resistance. David shares his thoughts on how to balance focus on implementing security and doing so in a way that has the least impact on end users. David understands that it’s critical to provide metrics on how security tools are helping, stating, “The right answer is showing them how it’s actually made people’s lives at the company better. I’ll use email as an example. Most companies now have some level of email filtering in place and I show a couple of different metrics from that one. I show how many emails we are blocking. If we weren’t blocking it, these would be cluttering your inbox. I also show people’s reaction when something does get through, either intentionally that we push through because we do phishing simulations, or something that does slip through the filters. I show the maturity of how the end users are replying to that and responding to that. I think that has helped me a lot over the years, not just in email, but in other areas as well where, whether it’s system patching or knowing how to recognize a bad website or a website link that maybe doesn’t make any sense. Being able to show how the end users are maturing in their view of how security is being done, to me, is always a huge win.”

Advice for a new leader: question everything

It is essential for leaders in the workplace to feel confident in their team. David shares the one thing a security leader can do to increase their confidence in their team that represents the analytic capability of their organization — the importance of communicating with team members, asking questions, and finding answers. David gives advice for a new leader, stating, “The key word there when you’re talking about being a new leader is new, not leader, you’re new. You don’t know anything at this point. So you need to ask questions, constantly be asking questions, constantly be trying to learn. As a leader, people are going to look to you for answers. You will have some of those answers, but for the ones that you don’t have those answers, don’t be afraid to say, ‘I don’t have that answer but, I’m going to go get it.’ And then go get it, go find the answers, go ask the questions. If you’re not learning, then what’s the point? You’ve got to learn every day.”Overall, David provided insight on the importance of constantly learning, developing a cohesive team, and getting others to understand the benefit of new security protocols. He also offered some advice for new leaders.

To learn more, listen to the podcast or read the transcript.