John Shaffer is the Chief Information Officer of Greenhill. Prior to joining Greenhill in 2001, he was Director of Information Systems for Whitney & Co. and previously was a technology consultant for firms including Reuters and Unilever. John has a degree in Information Technology from the University of Connecticut.
How did you wind up leading security at Greenhill?
I’ve been the CIO at Greenhill for 22 years. I didn’t start my career as a security professional, but I took on the security role when it was still in its early days for companies like ours. I was drawn at least in part to the challenge: security is dynamic and constantly changing. And I viewed it as my responsibility as a technology leader to mature the tools and processes we use to manage our security posture.
What were some of the “trials by fire” on your security journey?
Firewall technology was the focus of my early time at Greenhill, but what I remember most vividly was the battle to manage email spam as a security risk. It’s hard to believe now, but spam was really perplexing at the time. There wasn’t the awareness that there is today. Recipients were confused: Why am I getting this? And at the time, the technology wasn’t mature enough to handle it effectively – the tech required a lot of care and feeding.
Another signal moment was around archiving emails for compliance. We had the foresight to view it not just as a regulatory requirement, but as a commonsense security precaution. We had a system in place two years before the SEC mandate. In fact, we were one of Palo Alto Networks’ first customers back in 2008.
Wait. How did you become one of Palo Alto Networks’ first customers?
We had a need, and they were there at the right time.
That’s a bit of an over-simplification – but only a bit. I didn’t start my security career as a tech enthusiast, constantly on the hunt for the latest and greatest solutions. The truth is that I just kept looking for solutions to address the problems that we were having. It became a cascading effect, to the point where I became known as someone who would take risks on innovative solutions, even if they hadn’t (yet) been proven at scale.
This is an incredible opportunity for cybersecurity startups. Cyber is such a crowded market, and there are too many enterprises that adhere to the adage about no one getting fired for buying (the security equivalent of) IBM. Instead, cyber startups should identify companies with a burning unsolved need or a proactive stance towards security – these are the ones who are going to be willing to take a chance on new technologies.
It seems like all companies should have a proactive stance towards security, no?
Yes, but in reality many don’t. When I talk to 20 of my colleagues, there are maybe three that I feel are really proactive about evaluating and embracing technology.
What holds companies back?
- Complacency. It hasn’t happened to me, so I don’t need to do anything about it.
- Budgetary limitations. Plain and simple: being cheap about it.
- Talent shortages. It’s hard to hire and retain the right people to implement new security initiatives.
What’s the root cause of these challenges?
Ultimately, it all comes down to executive buy-in. You need an executive leadership team that fundamentally understands the value of security and prioritizes it accordingly.
There’s a lesson here for security teams.
Rather than assuming that the value of better security is self-evident, think about how to demonstrate your team’s impact and build trust incrementally in the organization.
For us, the best example is MFA. Most of the time, MFA is a pain in the neck – but it’s massively important. By the time we got around to “selling” MFA into our organization, we had built up enough trust and credibility to make it a no-brainer. If we hadn’t had that, we would still be trying to get MFA implemented.
What are the biggest changes that you’ve observed in the cybersecurity landscape over your time in the industry?
Hackers have become much more sophisticated. At a really basic level, everything is being connected to the internet. The result is that the downside is huge if you’re not protected properly. It can disrupt a business – even an industry. As a result, the security space has become quite a bit more complex and fragmented.
Another major trend: people have ceded vast amounts of privacy. I was just listening to a podcast about a guy who won’t use Google anymore. The fact that this is a podcast tells you how rare it is for someone to opt out of that data infrastructure. But in reality, we’re all increasingly susceptible to having our information stolen or personal data misappropriated.
The security challenge is accentuated by two factors. First is the rise of big, monolithic tech leviathans. Second is the move to reinvent the digital workplace and remote work. These factors together make it increasingly challenging for employees to work and maintain some semblance of privacy – and for companies to manage the leakage of potentially sensitive data.
What’s one major trend that you’re paying attention to in 2022?
Related to the trends that I mentioned earlier (loss of privacy, the rise of the fully digital/remote workplace), the attack surface for the enterprise is greater than it has ever been. This puts pressure on teams to identify innovative solutions once a malicious actor gains access to your environment.
That’s why microsegmentation is so important. Microsegmentation – powered by zero-trust design – has the promise to ensure that people can only get to what they need to get the job done. It’s the initiative that we’re leaning into most heavily this year.
Of course, this is more challenging to do on a physical network: it requires redesigning the network, putting firewalls in place, separating servers from workstations, and more. But the promise of this technology is enough to justify the investment.
Any words of advice to your peers in security leadership roles?
I’m a big proponent of partnering with innovative, fast-moving cybersecurity vendors to discover – or jointly build – a solution to your challenges. It’s ironic given how crowded the space is, but our industry has not embraced this model of partnership and co-innovation nearly enough. At Greenhill, I credit our success in overcoming industry-wide security challenges to our partner-friendly stance.
The key is to structure the partnership in a way that’s mutually beneficial. Identify companies that are a good philosophical fit, where the value is a no-brainer, and where the risk-reward ratio is right for your business.