At Okta, CTO and CISO collaborate by design

Jameeka Green Aaron and Bhawna Singh have a lot of conversations.

As CTO at the authentication provider Okta, Singh leads software development and the overall creation of products and features. Aaron, as the company’s CISO, has to ensure that those products meet security standards: ISO 27001, SOC 2, and PCI DSS, for example.

For a new tool like Okta’s Security Center—a real-time view of threats and remediations—Aaron is the “in-house customer voice,” said Singh, and the CISO must determine the important attacks to monitor on the dashboard (say, credential-stuffing attempts) and distinguish between what’s nefarious and what’s noise. Singh ultimately has to deliver the product and its features—and make sure it stays up and running.

“I would say she’s probably my biggest coconspirator,” Aaron says of Singh.

The artful relationship between CTO and CISO is an essential one as manufacturers face increasing pressures to incorporate security into the earliest phases of design.

“I don’t come back on the end and go, ‘You failed a pen test.’ That’s not how it works,” said Aaron.

Check check. When Okta brought its Customer Identity Cloud (previously known as Auth0 Identity Platform) to Microsoft Azure, the CTO and CISO had a number of items on the checklist: Are there configurations that allow detection and response teams to review logs? Or to respond to threats? Do the builds meet PCI compliance standards?

Singh’s team had to build and integrate the dashboards, controls, and configurations with those answers incorporated into the design.

There are times when an engineering team’s goals—to get a product out on time, for example—clash with a security team’s priorities, like fixing up a discovered vulnerability.

“Since our approach is that trust is a prime factor, we would pivot and address the vulnerability versus the deadline,” said Singh.

Print and repeat. In the late ’90s, Aaron was part of the Navy Marine Corps internet command, an outfit for modernizing the Navy’s applications, which meant patching close to 10,000 printers for a date-formatting bug known as “Y2K.”

On a good Y2K day, the software (or, yes, CD) was uploaded to the server, and the fix was done in 5 minutes. On a bad one, there was a puzzling installer issue or a disk scratch.

The mass update of thousands of printers is more security by Band-Aid than security by design.

“The architects of those products: I assume many of them probably started in the ’60s and ’70s, and the year 2000 seemed very far away. I think the contrast is that now, when we build and architect products, we are thinking about what will happen in 20 years,” said Aaron, who is already considering how Security Center’s design can provide more remediation in real time.

“The future of that product might look very different, and might actually be a lot more integrated into a SIEM or a SOAR suite of a CISO,” Aaron told IT Brew.

CISO and CTO. Since patching naval printers, Aaron has come to appreciate the critical work revolving around securing identity.

“We’re protecting employees around the world and companies to make sure that they can do their jobs,” Aaron told IT Brew.

That includes the jobs of CISO and CTO and supporting their many interactions.

“These are collaborations that are deeply, deeply necessary across industry,” said Aaron.