Shedding Light: Blackstone CISO Jay Leek Flips the Security Script

Jay Leek doesn’t know how to smile. Or at least he feigns as much.

From his perch on Blackstone’s development floor peering over midtown Manhattan, with a handful of staffers gathered around our photoshoot having a laugh, he finally gives in and flashes the pearly whites … just for a second.

Is it really so far fetched, though? Given what’s going on in the world of cyber crime, it could well be understandable for chief information security officers, or CISOs, like Leek to actually forget how to laugh.

The list of hacks and embarrassments, breaches and revelations during the past few years has grown ever longer, with media and boardroom scrutiny spinning hot as an overworked hard drive. From entertainment and finance to government, no one is immune. 

Private equity firms may not be at risk in quite the same way as consumer-facing banks are—indeed, Blackstone is more likely to own a credit card processing company than actually issue the cards itself. But as threat vectors change and cyber actors increasingly target proprietary knowledge and technology in the capital markets—in addition to traditional methods of identifying information or passwords—even those “white-shoe” buy-side firms working exclusively with institutions are up on their tippy-toes.

As recently as eight years ago, it would’ve been a career-limiting move for me to say, ‘I assume we’re going to get compromised—it’s not a matter of if but how we respond’. Today, we assume at Blackstone and our portfolio companies alike, that there will be security issues. Now it’s really about how you respond, before harm to the organization is done, that differentiates success from failure.

Leek details for Waters what an active security posture in 2015 looks like, noting both its constituent parts—hint: a lot of creative investment is involved—and the travails of getting some stubborn aspects right. Brass tacks? Cyber in the capital markets may, in its own way, be more of a puzzle than elsewhere.

Long Way from Helsinki

Leek spent much of his early career in IT security at Nokia, the once-mighty Finnish mobile phone giant. Living and working in Helsinki, the land of midnight sun, he got used to the dark—literally. In the depths of winter, the sun only appears for six hours. He was also right in the thick of northeastern Europe, a region synonymous with cyber issues today. But the real takeaway, Leek tells Waters, was how to tackle threats actively as an organization, years before peculiarities like Shellshock and Carbanak began hitting broadsheets’ front pages.

“It’s a different point of view I come from,” he says. “The Finns have always been very privacy-aware and they’re also very into decision-by-consensus, as opposed to argument or confrontation. Still, back then, and as recently as eight years ago, it would’ve been a career-limiting move for me to say, ‘I assume we’re going to get compromised—it’s not a matter of if but how we respond’. Today, we assume at Blackstone and our portfolio companies alike, that there will be security issues. Now it’s really about how you respond, before harm to the organization is done, that differentiates success from failure.”

In the past, Leek says it was all about “layered defenses”—essentially building one perimeter around the next until, it was assumed, enough of those would mean threats could never get through. But hackers have learned to jump higher over the walls, just as digitization and smartphones have made the territory to protect larger and more porous. Today, relying on preventative measures alone does little good.

“We have upended the traditional security paradigm—prevent, detect and react—and embraced an approach that balances prevention with enhanced visibility, intelligence and situational awareness, and finally response,” Leek explains. “Our prevention controls are inevitably going to fail somehow, no matter how much we invest. So we focus on visibility into the environment, intelligence to know who it is and why they’re doing this, and then respond before harm is done. It’s a completely different mindset because our adversaries really have advanced.”

The well-intending, non-malicious insider is still, by far, Leek’s biggest concern at this point. He recently addressed one of Blackstone’s business units with 100 people, and told them plainly: “You’re my biggest risk; you’re also the best opportunity for the firm to make money. People making mistakes, working in haste, that’s by far the biggest risk and that hasn’t changed. So it always comes down to a combination of awareness, training and technical aspects to fight this.”

Further up the threat ladder, he says, four categories of threats have emerged. First are actors, usually nation states, that aren’t looking to monetize information directly but rather are looking for a strategic advantage—inside knowledge of an M&A deal, for instance—or to inflict reputational damage as was the case in late 2014 at Sony. Another type will be looking for financial gain directly, stealing credit card numbers at point-of-sale, or heisting information they can then use as a lure for a phishing campaign.

Third is quite physical, and purely destructive. For example, when the infiltrators were caught at Sony, they used a Wiper virus like the Flame program uncovered in the Middle East a few years ago, and destroyed significant hardware. And the last comes back to the institutions itself: the malicious insider who either wants to take some data with him to a competitor, or perhaps has ulterior motives, as happened at HSBC in Geneva.

Invest to Protect

At Blackstone, hackers are less likely to lift actual dollars out of the firm than they are to heist intellectual property with strategic advantage, and that contrasts with Leek’s colleagues at banks, who have a different problem on their hands. “They deal with what we have in the capital markets but they also have millions of consumer transactions that could be fraudulent,” he says. “We have a finite number, but at the same time, our resources are also more constrained.”

Indeed, 2015 has seen a steady trickle of reports showing that these more difficult but lucrative targets— trading algorithms, code and other IP at capital markets firms—are all in play. The ground is shifting underfoot.

But much of the technology available is more positioned to the consumer side and is generally associated with plain-old, commodity-based malware. “People aren’t patching their systems, not doing those basic things they should, and malware is effective,” he says.

“Contrast that with going after proprietary information such as ours, which is more challenging to monetize and more challenging to get. Often, even if the techniques are borrowed, those attacks will be crafted for one purpose and a specific organization, so the actual malware is very customized, and that’s where current technology on offer starts to fall down.”

Blackstone has responded to this shortfall in a way only it can: direct investment. Since joining the firm, Leek has helped vet more than two-dozen, early-stage security firms for venture capital-like investment arrangements. So far, Blackstone has invested in four.

It’s always strategic: Blackstone is a customer; portfolio companies are customers; the start-up could really use the help, and it needs to truly change the industry.

“We have invested in a company operationalizing incident responders called Carbon Black, which is now part of Bit9,” the CISO explains. “Blackstone also partnered with iSight Partners, a large cyber intelligence company, and invested in Cylance, which detects malware without the traditional controls and examining signatures that other software uses by solely using mathematics to determine if the file is good or bad the first time it ever sees it without having to execute the file. These three all face external threats; the fourth, a recently sealed investment with RedOwl Analytics, will focus on sniffing out insider threats with advanced mathematical algorithms, as well.”

Extended Relationships

But it doesn’t stop there. Today, Blackstone monitors between 70 and 80 threats across 16 or 17 countries at any point in time, according to Leek. Intelligence is therefore key, and much of what the firm does with its technology partners revolves around transforming systems oversight into historical understanding.

“The intelligence capabilities available are pretty good today, but there’s always room to improve and it requires effort to turn it into something actionable. There’s so much to sift through. We always partner out our 24/7 operations, in this case to Accuvant, and we run a small internal team.

"We then rely on our vendors who almost all have a solution-with-a-service angle. iSight does our threat intelligence, for instance, but they also do malware reverse engineering and consulting for us with an entire farm of analysts behind that,” Leek continues. “We talk to them on a daily basis about things we’re monitoring: someone knocking on the door from a unique place, should we worry or not? Or is that happening elsewhere? There’s a lot more than just technology provision to many of those relationships.”

Speaking of relationships, Leek says the application security program run in partnership with Blackstone’s Innovations team has been equally crucial as the firm has almost doubled in size and revamped many of its systems, including its BXAccess portal and Strategic Partners Fund Solutions platform, in the past couple of years.

“When they’re making major changes or introducing new functionality, we build ourselves into the development lifecycle as needed, taking stock of something new they’re doing that could introduce risk all the way through to the actual change in the environment,” Leek says. “You set milestones along the way.”

Success here also goes back to the core technology team that came to Blackstone with CTO Bill Murphy from their earlier days at Capital IQ, which helps to balance the firm’s coding and infrastructure skillset at the uppermost technology echelons. “Having a developer leading our technology organization, with design and innovation in mind, is unique,” Leek says. “It’s more natural for them to bake security into the design.”

Action Orientation

Security has good penetration into the technology organization, then, but what about Blackstone itself? This is where Leek spends much of his time, and where the industry’s greatest challenges still lie, starting with third-party risk management and vendor evaluation processes across the firm. 

“No one has nailed this yet from a cyber perspective,” he says, noting that Blackstone is on the second iteration of its homegrown program after kicking it off about 18 months ago. “We’re heavily integrating that into different business groups, because the process has to be led by the business owner rather than the technology side, itself. Our senior leaders and individual groups are mindful of it—it’s a big point of conversation in discussions, and we’ve revamped our contracts’ security language to make it stronger but still balanced from a realistic perspective.”

Leek believes the key is to advocate for the specific Blackstone investment arm at hand, each with a different risk profile. Where necessary, he’ll reach out directly to vendors’ CISOs to explain exactly what the firm is trying to do. “It’s meant to be a partnership and not adversarial. If we’re sending them our data, here is where we quantify the risk introduced, and represent that to the internal stakeholder.”

Likewise, Leek adds that while there are increasingly popular options available in the industry to guard against the cost of breaches—data loss insurance, to name one—these, too, tend to be designed for consumer rather than capital markets protection.

Even as Blackstone assesses those options, he says, the reputational risk involved is too great not to engage the business actively, from the boardroom to the heads of each respective business unit, like Jonathan Gray in real estate and chief administrative officer Patty Lynette in private equity. And that goes for Blackstone, itself, as well as for its portfolio companies.

“We learn every day from that process,” he says. “There’s always a chance of being pulled into a situation downstream with our portfolio, so we put together a methodology among our private equity and real estate companies for how they can implement a security program to appropriately manage cyber risks,” Leek explains, adding that his team sent at least 11 advisories externally and 13 internally last year as part of the regime, using real-life breaches as illustrations for training. 

“Working with them, we take good information back to Blackstone, so it goes both ways,” he says. “We hired eight CISOs last year, at least two this year, and we have four open positions. I’ve been pleasantly surprised at C-level and board level by how cyber’s treatment has changed over the past few years. The level of questions they ask is almost scary.”

Getting Personal

That alone shows how far forward cyber has moved, and, as a result, how the CISO’s role has diversified. As Leek recalls, IT security back at Nokia was a business issue with its own steering group, but solutions were always technical and passive. Today, however, cyber issues are more complicated matters of risk management, residing partly within technology though much of it well outside.

“When I joined Blackstone we were at $168 billion under management; now we’re knocking on $300 billion,” he says. “You have to engage leadership at both C-level and just below; they are the engine that pushes the change down to the firm. And you have to make it personal. The simple analogy I gave our real estate group recently was around password security: just like you don’t use the same password for your bank and social media accounts, there’s a reason we ask you use a different one for the firm. As you educate people on how this applies in personal life and draw corollaries, they protect themselves, remember that, and hopefully bring that into the office.”

Early-stage investments, internal technology partnerships, and new business processes may all be part of the deal now, but solving the people problem would make Leek smile most.

He’ll figure the rest out. Seriously.

Jay Leek Fundamental Data

Name: Jay Leek

Age: 37

Title: CISO, Blackstone Group

Home town: Lubbock, Texas

Education: Bachelor’s degree from Capella University in information risk and security assurance

Total Experience in IT Security: 15 years

Number of Staff: 18 to 20 across the firm

Hobbies: Skiing

Favorite Security-Related Book: Though dated, Leek says Secrets and Lies is still probably one of his favorites