Exclusive: Yahoo CISO Bob Lord discusses historic breach, security culture at Structure Security 2016
Yahoo’s security team has learned a lot of hard lessons over the past month. While Yahoo CISO Bob Lord didn’t shed a ton of new light on some of the security issues recently suffered by the company during his appearance last week at Structure Security, he did vow to share more information about how the theft of personal information from nearly 500 million Yahoo users occurred once the investigations are complete.
I interviewed Lord for about 20 minutes on stage at Structure Security last Wednesday, after the company disclosed that historic privacy breach, but before we learned this week that Yahoo has been scanning incoming emails at the behest of the U.S. government using a tool that was reportedly modified without the knowledge of its security team and later discovered by that team, which is kind of crazy.
We rushed the video into production, and it’s embedded below. Lord clarified the timeline of the incidents to some extent, and reiterated that be believes “state-sponsored” attackers were behind the theft, but was restricted by what he could say in public. Honestly, I didn’t completely believe he was going to show up until he walked in the door, and I would like to thank Bob and Yahoo for showing up and taking questions; I’m pretty sure this is the only interview Yahoo has granted since the breach was disclosed.
We also spent some time talking about our original subject, which took on new meaning in light of the breach: how do security professionals convince product-driven companies to take security seriously? The New York Times and others reported ahead of Structure Security that Yahoo CEO Marissa Mayer was loath to employ security measures that might frustrate Yahoo users right as she was trying to sell the company, and while Lord wouldn’t comment directly on that article, he acknowledged that convincing executives obsessed with product details to put the same value on security is one of the biggest parts of his job.
Check out our full Structure Security 2016 coverage here, and a video embed of the session follows below: the video below.