Cybersecurity Q&A with Dave Elfering, VP information security at Werner Enterprises
Werner Enterprises, founded in 1956 by executive chairman Clarence L. Werner, began with a single truck. Werner went public in 1986 with 630 trucks, and today Werner consists of more than 7,800 tractors, 24,000 trailers, and 13,000 associates and independent contractors across the world.
That’s a tremendous amount of growth. Dave Elfering, currently Vice President of information security has also witnessed a considerable amount of growth and change over his career when it comes to information security.
In 1997, Elfering began working at Werner as a project manager to help the company build its online presence and secure its data. Over that time, security and regulatory compliance grew more important and Elfering worked his way to network security manager and then to senior director of information security before reaching his current role. During his tenure, Elfering has helped to build and shape Werner’s security program, from its vulnerability-management efforts to the creation of security policies and the identity and access management efforts. Elfering was also instrumental in creating a security governance council at Werner, which transformed information security into a governance effort across the company.
We caught up with Dave to discuss how he got his start in information security, the maturing of security at Werner, and his creation of a formal identity and access management program.
Thanks for joining us. We’ve been interviewing CISOs, identity executives, and others in the industry about how they got their start in security, how their careers have evolved over the years, and the role of identity management in security. Now it’s your turn. Tell us how you got interested and eventually started in information security?
I first started with what people consider “hacking” while I was in the service. I was in the Air Force in the early ’80s and I worked in Space Operations. This work took place on shifts in satellite operation centers. We’d work in 12-hour shifts, locked in the operation center. For computers, we had these old Tektronix smart terminals. They were fancy for the time, displaying at least four different colors. They were programmable. When you put 12 people between the ages of 20 and 32 in a control center for 12 hours at a time, they will get bored. And part of the military culture, at least where I was, involved a level of pranking and experimenting.
We figured out how to reprogram those terminals, and I began to figure out how to reprogram other peoples’ terminals. We would do kooky little things to each other, like program the character return key to do two-character returns or program their B key to log them off the system. These pranks became part of the culture and we started to figure out how to probe and tweak the system. We learned how to make the system do unexpected and weird things.
Nobody knew it was hacking. We didn’t think of it as hacking. It was just having fun at the time. This carried over to my professional career outside of the Air Force. When I got out of the Air Force, I worked at Goddard Space Flight Center on a NASA operation. The Unix admins there were, well, lazy. I knew TCP/IP, and I knew that different Unix servers were used for different operations and I realized one could prank an entire team by typing “shutdown” as the user name. When you did this, it did exactly as described and it would shut their computers off.
During this time, I was also finishing a four-year degree.
I’m guessing when you were in school, security wasn’t taught as part of programming or computer science?
No, it was not. I was in computer information management, but I took additional classes in shell scripting and programming. And I started creating dialog boxes that I would send to people. You know, funny things like, “How’s your day going?” And if they clicked “great”, I programmed the backend script to say, “That’s awesome. It’s about to go badly.”
It was meant to be funny stuff, and it wasn’t really breaking into systems. But the stage for me was set. Information technology work looked like the place to be, and that was what my degree was related to. I found an IT job as a consultant. I guess the moment it really clicked was after I read the book Building Internet Firewalls, by Elizabeth Zwicky and Brent Chapman in 1997.
How did you make the transition to the security profession in the private sector?
I was on the road consulting as a system integrator at the time, and I was in a data center for a large utility company in New Jersey when I asked about a box that was sitting on the floor. “That’s our router. It connects us to the internet,” they replied. That surprised me. They were a utility and they were connected directly to the internet?
We recognized a commercial opportunity and we sold them a firewall. That was my first commercial firewall set up. I set up the Raptor Proxy Firewall on Windows NT.
The system integrator I worked for also had an outsourced data center where we would host the networks for other customers. It was then when I started installing firewalls for customers. It was a value-add upsell, and in 1997 a trucking company decided it wanted to be on the internet.
Werner Enterprises advertised for what amounted to be a webmaster, but part of the job description included firewalls and TCP/IP networking. I was quite lucky to find that opportunity because it combined a number of things that I knew at the time. I understood security and I was already hacking around in HTML. HTML wasn’t really widely disseminated, as many would use FrontPage or the like, to create a webpage. I don’t think that, as a company, they knew with certainty why they wanted to be on the internet, but they did and they understood enough to know that there were risks involved and they needed somebody with the skillset to manage those risks.
I started coding the website and securing the corporate Internet presence. In those days, some would ask, Who cares if there’s a patch that you need in Internet Explorer? I would demonstrate why it mattered, sometimes exploiting the vulnerability to do something on their computer. This cemented the idea in my mind that there were risks involved in IT and how it was implemented and managed. Over time I became the tactical champion for security in the company, which resulted in a promotion to security leader. But, keep in mind, the security leader in 2002 or 2003 was seen as somebody interesting that you wanted around, but it wasn’t considered a mission-critical position at most companies.
That was about to start to change, as regulations began to kick in around that time.
Yes, this was also the beginning of the Sarbanes-Oxley era. I started writing a lot of security policies. I knew that there was a governance aspect to security that needed to be addressed, because if people do the same risky things over and over, how do you deal with it? Governance is one of the ways that you codify some practices and deal with recurring issues. We had a bare minimum set of policies at the time, and they were not yet in any way reflective of true risk management.
To fix that, security became more tactical, and I developed a security program. And we hired additional people, so it wasn’t just the “Dave security show.” We built a reputation for representing the business and for keeping the business in mind. And, as far as anybody in information security did in the early to mid 2000s, we all said things about supporting the business. But we didn’t always understand what that meant. But I started learning how information security really applied to business.
As we were developing that program, security was also growing more and more strategic. We watched risk levels increase, and finally, perhaps around 2012, we started getting more involved with senior management. Prior to this, we really didn’t have much exposure to senior management. However, this exposure was essential. If you try to create roles for the company and you’re not involved with senior management, you’re just not going to succeed at securing your environment.
By the time we became involved with the board, I had gone through a series of hard lessons about what makes information security relevant to the business. One lesson, in particular, I learned from a professor I had been working with at a local university. I had gone to the CEO to gain approval for a vulnerability scanner. The expense was denied. I complained to the professor about it, and he asked me a question: “Did you talk to them about trucks?” My answer was, “Why would I talk about trucks? This is about vulnerability scanning.”
“What company do you work at,” he asked. “A trucking company,” I replied. “What you do has to be relevant to them in terms of what the company does. It has to be about trucks. Why do you care about vulnerability scanning in reference to moving trucks,” he asked?
I replied: “There’s an uptime issue and the vulnerability of the system can represent an interruption to the business.”
He replied: “I bet if you included that in your presentation, you might have had a better reception.”
He was right.
What role does identity and access management play in your security program today?
Identity and access management affects every employee, every vendor, and every contractor that comes into contact with this company. We have about 13,000 employees, and that includes about 3,000 back-office personnel. We also have 10,000 truck drivers. What’s shared among all of them, if not the same system, is a need for the right access at the right time. In summer of 2017, the CIO decided to make identity and access management a priority and an aspect of information security.
I have to say that my understanding of identity and access management prior to that was rudimentary: people log in with passwords. Information security tends to focus on making sure that passwords are between 48 and 298 characters long. A lot of the information-security people want passwords that look like hash algorithms. That was much of my perspective on identity management.
But I also knew enough to know that we would fail if that was the way we looked at identity. So, I took on a strategic outlook with regard to identity and access management. Because at the end of the day, while people worry about their credit card numbers, credit card numbers can be reissued. However, by and large, identities cannot.
Privacy was also one of the initiatives that I started to tackle several years ago. We started our privacy efforts prior to GDPR and the California Consumer Privacy Act.
We started to really look hard at privacy, and when I think back on it, this is where our focus on identity originated. We knew from a strategic standpoint that this affected every employee and every lifecycle of their employment with the company.
How did moving identity management into the security program affect security?
Identity management is the most relevant, involved and in-depth ingress into the core business. This is probably true at any company, and I think it’s a great move for any information security department can make. Identity management involves things that are essential to business. People want to log on and they want to have the things that they need to do their work available to them. By making identity and access management one of the core areas of information security, we are now embedded in that work. We enable staff to be productive and to do their work. We can unify their resources when it comes to their profiles and credentials to allow them to do that work.
We set a goal that we wanted every employee when they walked in the first day that they start work, to be able to actually log in and work. That doesn’t mean, of course, that they’d log in and actually do work on their first day. But we absolutely didn’t want the reason that they couldn’t work to be a result of the access technologies not supporting them.
With this, we were able to kill at least two birds with one stone— both security and enabling the business. Identity management is core to information security in terms of the security systems, credentials, accounts, privileged accounts, and those things, but it also enables us to provide an improved customer service experience if we have the right focus in a way that many IT departments don’t or can’t.
We took that on, and we found areas where identity management could improve the business. We analyzed the metrics around where are we losing time and money in the access processes. We found a lot of inefficiencies. We identified what we believed to be around 16,000 hours associated with inefficient access processes. Now, I don’t know if that’s a scientific, precise number. But it’s a number we worked hard on and that I believe to be reasonably accurate, and it translates into about eight full-time staff for one year. That was eight full-time jobs, all of that time, being drained out of the company. That’s time that people can do other things with, like work and make money for the company.
That dual nature of identity and access management is fascinating. It can help with security and compliance by making sure that only the right people can access things and provide accurate reports on who has access to what resources, but when it’s done right it can also make the company more efficient. Not every security technology can say that.