“We need to rethink this entirely,” states Charles Henderson, “We need to ‘give up’ on Security as we currently know it.”
According to the Global Managing Partner and Head of IBM X-Force, what you formerly thought safe is no longer so and cannot be trusted in this new reality. We’ve outgrown the necessity to keep the adversary out; now, we must master the art of discovering them in the victim environment before they gain access to critical data.
Charles helps businesses stay ahead adversaries, using his 20+ year experience as a hacker.With the belief that modern business models have rendered the perimeter obsolete and our reliance on a plethora of trusted connections, Charles suspects a complete overhaul of our security strategy.
The firms that X-Force works with range from Fortune 500 companies to small and midsized businesses looking to improve their security posture or deal with a security incident.
CIO Look caught up with Charles in our attempt to find “The 10 Most Iconic Leaders in Enterprise Security, 2022.”
Below are the highlights of the interview.
Brief our audience about your journey as a business leader until your current position at your company name. What challenges have you had to overcome to reach where you are today?
My introduction to Security goes back to my early childhood –I was always fascinated with how things work, what they are supposed to do, and what more they might do. I was more interested in the way things broke rather than how they were built. In my youth, I started hacking, making devices do something other than what they were intended to – it was a form of problem-solving that stuck with me for the long haul. It all started from there and led to a more than 20-year career as a hacker, being hired by some of the world’s largest companies to outsmart their security technologies and strategies.
As a hacker, I’ve found that one of the biggest challenges I’ve had to overcome is a dated, deep-rooted misconception of hackers as criminals, but it’s also made me very passionate and incentivized me to educate the business community about offensive security and the value of hackers.
Today, as the head of IBM X-Force, I have the privilege of leading a global team of hackers, security researchers, investigators, incident responders, and intelligence analysts. The team provides clients -from Fortune 100 enterprise companies to small and mid-sized companies – with offensive and defensive security services. On the offensive side, our team of hackers is hired by clients to find, prioritize, and help fix exploitable vulnerabilities before attackers find them. On the defensive side, our team of first responders, investigators, and researchers helps clients rapidly detect, respond to, and investigate threats to reduce attacker dwell time and minimize impact.
Tell us something more about your company and its mission and vision.
IBM Security is a global security leader charged with helping businesses thrive securely, protecting their data, trusted relationships, and mission by leveraging one of the most advanced and integrated portfolios of enterprise security products and services. As part of this effort, the team I lead, X-Force, enables organizations to effectively manage risk and defend against emerging threats.
IBM operates one of the world’s broadest security research, development, and delivery organizations and monitors more than 150 billion security events per day in more than 133 countries. We serve all types of businesses, all the way up to the world’s largest multinational corporations. And no matter who our customer is, we can scale to whatever their demands are at any given time.
Enlighten us on how you have impacted Security through your expertise in the market.
As I mentioned earlier, there was a lot of education that needed to be done when it comes to hackers and offensive Security, and I’m proud of how X-Force Red, IBM’s hacker team within X-Force, contributed to elevating and destigmatizing the hacking profession, as well as raising awareness about the importance of penetration testing, vulnerability management, and adversary simulations to strengthen businesses’ cyber readiness. X-Force Red is also sought out by some of the most renowned conferences in the global security community as featured speakers to help not only advance offensive security practices but attract aspiring talent to the field, including Black Hat, DEF CON, RSA, OWASP AppSec USA/Europe, and SXSW.
Undeniably, technology is playing a significant role in almost every sector. How are you leveraging technological advancements to make your solutions resourceful?
It’s mistakenly believed that one of the biggest challenges in Security is complexity – but complexity is not the challenge; simplicity is. The current security construct is formed in such a way that businesses are accustomed to adding tools on top of the tool, technology on top of technology, in an effort to bolster their security posture against threats. As a result, businesses have entangled themselves in a web of complexity that they can’t get out of and one that adversaries know all too well how to manipulate to their advantage.
At its core, IBM’s security portfolio is meant to help simplify Security for our customers, and we’re doing that by relying on open technologies and solutions founded on open security standards, so interoperability, collaboration, and agility are never sacrificed. More and more businesses are recognizing the business value in an open, hybrid cloud approach, making the adoption of open security standards all the timelier and more important.
What, according to you, could be the next significant change in the Security sector? How is your company preparing to be a part of that change?
In Security, it takes a village to defend against a constantly evolving adversarial landscape, and the private and public sectors are both parts of that village. Following the Solarwinds compromise, and shortly after the ransomware attack on Colonial Pipeline to the more recent disclosure of the critical Log4j vulnerability, we’ve seen a rapid shift in how private companies and government security agencies collaborate to stay ahead of the threats. The progress we’ve begun seeing with more information sharing and threat-sharing partnerships between security teams and the government is the start of a new chapter in Security- what I call the democratization of threat intelligence.
IBM is a proud Alliance Partner in the Joint Cyber Defense Collaborative (JCDC) that DHS CISA formed, helping its critical mission to establish a collective and coordinated defense against cybercrime. In addition, we remain committed to democratizing our X-Force threat intelligence and developing new threat insights daily, stemming from our cross-industry incident response and penetration testing engagements, threat monitoring capabilities, and open-source data, which we make available through the open-access X-Force Exchange threat sharing platform.
Where do you envision yourself to be in the long run, and what are your future goals for your company?
When you look at where X-Force has come since its inception, our long-term vision stays largely the same: to continue building expert teams of hackers, incident responders, intelligence analysts, and developers to resist modern threat actors and protect and inform the clients we serve.
What would be your advice to budding entrepreneurs who aspire to venture into the business sector?
An essential piece of advice I can offer is to value your team. There is no greater asset than teamwork and cultivating an environment where each team member can feed off each other’s creativity, brainstorm, and problem-solve together. Success has no room for superhero syndromes – especially in the security industry, where it’s essential to collaborate, lean on diverse skillsets, and each team member can cover the other’s blind spots.