Reimagining Cyber - real world perspectives on cybersecurity

The CISO: Guardian of the Digital Realm (SPECIAL EPISODE) - Ep 74

December 06, 2023 Reimagining Cyber Season 1 Episode 74

Welcome to Reimagining Cyber, where we explore the evolving role of the Chief Information Security Officer (CISO). In this special episode, Stan and Rob present a compilation of insightful clips from previous episodes.

First up, Parham Eftekhari, Executive Vice President of the Cyber Risk Alliance, discusses the transformation of the CISO role into that of a business leader. He emphasizes the importance of understanding the business side of the organization and acting as a liaison between security priorities and business leaders.

Next, Tim Rohrbaugh, former CISO of JetBlue, shares his perspective on reporting structures and the budgeting process for information security organizations. He argues that who the CISO reports to matters less than the relationship, but that the CISO must have face time with the audit committee and the stakeholders being protected, and he suggests pinning the security budget to a percentage of the IT budget (roughly 10 percent as a base, adjusted up or down for the threat and regulatory landscape).

Moving to the federal sector, Nick Ward, former CISO for the Department of Justice, discusses the executive order focused on enhancing cybersecurity. He delves into supply chain risk management and the tools provided by the executive order to prioritize and secure critical software.

Roland Cloutier, former TikTok CISO, explores the challenges of securing artificial intelligence implementations. He emphasizes the importance of understanding AI infrastructure, data stores, and API connections while highlighting the need for effective network protection.

Jeff Brown, CISO of the state of Connecticut, contrasts the role of a CISO in state government with that in the private sector. He emphasizes the benefits of information sharing and collaboration among state CISOs.

Taylor Hersom explores the concept of virtual CISOs, discussing the value of leveraging external expertise, especially for startups and scale-ups. He suggests that smaller companies can benefit from third-party resources before considering a full-time CISO.

In a special segment featuring female leaders in information security, Phyllis Woodruff, Tammy Schuring, and Lori Sussman share their experiences and insights. They highlight the importance of women owning their skills, embracing their unique attributes, and creating new pictures of leadership.

This episode provides a comprehensive overview of the evolving CISO role, covering topics such as business alignment, budgeting, federal cybersecurity initiatives, AI security, virtual CISOs, and the contributions of female leaders in the field. Join us as we continue to reimagine cyber in the ever-changing landscape of information security.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

[00:00:00] Stan Wisseman: Welcome to another edition of Reimagining Cyber. This is Stan, and we decided to do something a little different today. Rob and I, along with our producer Ben, have pulled together a number of clips from previous episodes. And the theme is around being in the role of the Chief Information Security Officer.

[00:00:21] And so we're going to start off today with an episode with Parham Eftekhari. It was episode 17, titled Cybersecurity and the Modern CISO. At the time, Parham was the Executive Vice President of the Cyber Risk Alliance, and he's speaking to the role of the CISO and how it's changed over the years.

[00:00:41] Parham Eftekhari: I think that the role of the CSO, and really, depending on the size of the organization, those who are tasked with leading cybersecurity and leading risk, I think what we see is that they're becoming more and more business leaders and business executives.

[00:00:58] At least I think the ones who are more effective and efficient in their role understand that it's less about them actually implementing the technology and kind of doing the blocking and tackling themselves. They have teams to do that. What's really important for the CSO to do is understand how to navigate the business side of the organization.

[00:01:19] To make sure that the priorities that they have as the head of the security shop get elevated to the business leaders, right? The board, the CFO, the CEO, the president, all the business unit leads within their organization. And that CISO really acts as that liaison between these roles. So I think as you go up kind of the food chain, so to speak, and organizations become larger, have more employees and more endpoints, have just, you know, more scale to them, you see the CSO becoming more involved in being a business leader. I think that's really been the most stark evolution, and how that translates into what they do.

[00:01:59] Stan Wisseman: Our next clip is with Tim Rohrbaugh. Tim was the former CISO of JetBlue and has been in a number of different organizations over the years and has reported to different executives, and he gives his perspective on that as well as the budgeting process for information security organizations.

[00:02:18] Tim Rohrbaugh: First there's the overall budget question, right? And I've tried to address this because it's the season and there's a lot of different debate, but I'll tell you, I am a firm believer, and first let me qualify this: in 15 years of being a public company, public market CEO, a CISO, I've probably reported to a CIO or CTO maybe five of those years. The rest of the time, general counsel and, you know, across the board. Okay. I wasn't directly in banking, so not the risk officer, but you get my point. I've been in all of various reporting structures. Yes.

[00:02:54] And honestly, I don't think it matters.

[00:02:57] It matters the relationship, the people, do they understand, are they an advocate. But regardless of who that reporting structure is, you've got to have face time with your audit committee. You know, you've got to have the people who actually need to know that you're protecting them, the shareholders, the employees and the customers. They need to hear it from you and you need to be challenged to explain it to them.

[00:03:23] Okay, so that being said, I do believe that the budget should be tied to a metric, which is IT. And the reason is because in cyber, if you're a CSO and you have physical, set that aside. But if you're a CSO and you have cyber, then what you're doing is you're trying to address risk associated with, or the potential of, misuse of technology.

[00:03:48] Technology investment by the company is captured in the IT budget. So is the labor output that is associated with using that IT. And so what you have is this perfect place to actually pin your budget to a certain percentage. And if we're not pinned in, this is the way, you know, a lot of people can debate this, but I think we are 10 percent of IT as a base. And then we adjust up and down based on the threat landscape and the regulatory landscape.

[00:04:16] Stan Wisseman: So that was Tim Rohrbaugh from Episode 70, speaking on the role of the CISO and how they're aligned in the organization, as well as the budget. Next up, we're going to the federal sector with Nick Ward, who at the time was the CISO for the Department of Justice, in Episode 18, in which we focused on the executive order that had just hit the street at the time, how the U.S. was focusing on cybersecurity more specifically, and how Nick viewed the EO and what CISOs need to do in response to it.

[00:04:48] Nick Ward: You know, I'm not going to presume to be in the minds of whoever authored different portions of the executive order, but it was certainly a major driver for everybody working on that.

[00:05:00] I think if you read through some of the language, there's probably some influence of the Colonial Pipeline incident as well that likely went into the EO. But as you can tell, the EO is pretty focused on how does the federal government defend itself against our foreign adversaries? And so for that reason, I think SolarWinds was probably the major driver behind that.

[00:05:24] You know, one of the requirements out of the executive order is for NIST, with others supporting them, to define what critical software means, and that should help you prioritize what you need to focus on. They've also rolled out some preliminary guidance that they call fundamental around the kind of measures you need to put in place.

[00:05:48] Stan Wisseman: How are you going to move forward given that this is now on the table, as far as identifying critical software, taking action based on the recommendations they've rolled out?

[00:06:02] Nick Ward: This gives us another tool for us to be able to figure out how to apply supply chain risk management.

[00:06:08] And it's going to help us focus on those situations where a foreign nation state may target U.S. trusted, high quality companies, because they have that trust with us. And it helps us realize and focus and prioritize looking at the same kinds of criteria for those vendors. And then we certainly have to modernize our supply chain risk management programs to how do we evaluate a trusted company.

[00:06:39] And a lot of that's going to focus on what are the right mitigations. Like, this is a critical vendor, how do we build our security architectures in the context that that trusted vendor could be compromised by an adversary and used to target me. And that's probably the biggest change that we're looking at: supply chain risk management won't be should we use this vendor or not, but how do we integrate them into our architecture in a safe way?

[00:07:07] Stan Wisseman: So that was Nick Ward, former cybersecurity leader of the year award winner. All right, next up we have Roland Cloutier. Roland was the former TikTok CISO, as well as at ADP and EMC.

[00:07:21] And in episode 71, he focuses in on an issue that everybody now cares about, which is how CISOs should be looking at how to secure and ensure that artificial intelligence implementations are safe and trustworthy. 

[00:07:37] Roland Cloutier: I think it's good for CISOs to look at it in two ways. The first is, if my business is going to compete and succeed in the industry we're in today, and everyone else is using AI to reduce their OpEx and adjust their margins and drive new technology to make us better than the next guy, well, I better be doing it too.

[00:07:57] The second is, my job is to defend the business and ensure the sustainability of the operations, the resiliency of the company itself, and, you know, the security of all the things that I'm supposed to be securing. So I've got to do those things. And AI is just a faster way of doing that.

[00:08:14] And there, I think there are key components we need to look at. So first of all, how do I help my organization figure this out? Because a lot of them are turning to us and saying, make us safe and let us use AI. Right. Like, you know, I think the team over at General Mills did a great job.

[00:08:27] Right. So they established clear guidelines, not hard and fast policy, but clear guidelines. Then they educated their entire company, like their entire company. They went and said, here's how you can use AI.

[00:08:38] Stan Wisseman: So here are the guardrails, right? And then exactly, ensuring that everybody understands what those guardrails are and how that potentially could then jumpstart their processes from there.

[00:08:50] Roland Cloutier: And if you don't understand it, call 1-800-help-desk for AI and we'll help you figure it out. The other thing we do is protect infrastructure, right? Really, AI pipelines, guys, it's just infrastructure and software. It's CI/CD on crack for AI. And it's the infrastructure that goes along with it.

[00:09:08] The 20% is the weird stuff like insertion, defense and scorecard management on the side. Yeah. Model defense. Right? That's the 20%. And by the way, there's what, five companies out there? Four companies that are kind of doing that in the market today in any real way. And so people are getting wound up around the, what do I do for the 20%?

[00:09:28] Do you know where all your AI is? Do you know the infrastructure it's sitting on? Is it micro segmented from the rest of the environment? Do you know what data is in that data infrastructure? Have you done data analysis, data defense on it? Do you know what is connecting and going out of those data stores?

[00:09:44] All right, do you know your API infrastructure that is connected to that? And do you have the right controls and monitoring capability in place? You've got a network for the next year or two. To protect the divine segment and protect your AI environments, that will get you 80 percent of the way of protecting it. The rest of it, you know, there are great partners out there.

[00:10:06] So priorities for AI: help your company be successful in embracing and understanding it. Second part of it's going to be go do our jobs on the infrastructure, data and components that make up your AI environment.

[00:10:21] Stan Wisseman: So now we've talked about AI, now we're going to shift over to Jeff Brown, who was at the time the CISO of the state of Connecticut.

[00:10:28] In episode 29, he talks about how the role of the CISO in the state government compares to working in the private sector, which he also has experience in.

[00:10:40] Jeff Brown: One of the really great things about information sharing, the partnership, is really incredible. So, I mean, I've met, like, most of the other CISOs, many of which in person, you know, across all 50 states, really, like, 54 plus the territories.

[00:10:54] You know, and there's groups like NASCIO, which is the National Association of State CIOs, the Multi-State ISAC, which is our information sharing, but also, like, FBI, you know, all of our federal partners. The really big key difference is that we're not in competition with each other. Even when I look at something like the FS-ISAC, the financial services ISAC, you know, they were very good, right?

[00:11:18] But I mean, like, they're, at the end of the day, they're in competition with each other. Right. Right. The states are not, I mean, the, the, the idea of competing with like the state of Colorado, that just, you know, that's just not really in the cards. So we, we tend to be very, very transparent with each other.

[00:11:33] And of course, since we're using taxpayer money, there's that element of, of just having a transparent program. So we do share a lot of like what we're doing you know, anything that doesn't really expose obviously any security vulnerabilities that, that might be used against us. But I mean, we really try to run a very transparent program.

[00:11:49] and work with all of the other 50 states, because, you know, really what we see is, you know, we're on, like, Signal together so we can all kind of text each other in real time. And it's, I have to say, it's really, you don't really feel like you're on your own here. You know, obviously, working in a state government, you have a little bit less freedom in terms of, you know, spending.

[00:12:09] It's a little tougher to hire people, but I have to say the quality of people that I run across, certainly in the state of Connecticut, the quality is extremely high. A lot of us are coming from, believe it or not, private sector. So it's not always, you know, that 30, 40 year employee that's been in the public sector their whole career.

[00:12:28] We have a really, I think, very good mix of public and private now. So that's really bringing a lot of different thought leadership and thought diversity, you know, in terms of how we run things. And it's just been, it's been really interesting. I have to say it's a fascinating job.

[00:12:42] Stan Wisseman: One of the trends we explored was with Taylor Hersom back in episode 38, and the use of virtual CISOs.

[00:12:50] The fact that you may not actually want to bring somebody on full time or can't afford to. And he goes through the pros and cons as to when it would be appropriate to actually bring on a virtual CISO as opposed to a full time CISO.

[00:13:04] Taylor Hersom: The way I describe security in general is, it's very much a loop and not a line.

[00:13:07] So I think people need to realize that as soon as they start it, they can't stop it. Whether you're pursuing SOC 2 or you are doing customer security assessment questionnaires, those don't just happen once and then they're done. You have to maintain that SOC 2 attestation. You have to answer those questionnaires every year for the same customers.

[00:13:25] And so, first, realizing that, that this is something that once you start, you can't technically stop. I think the way that we describe it, and, and I realize I'm, I'm biased here, but Anytime you're under 500 employees, I think that there is actually value in going the virtual route or the vendor route.

[00:13:43] I do think that as companies get past that 500 employee mark, you need to have some kind of internal stakeholder. It doesn't necessarily need to be a CISO. We've seen people get by with a compliance manager coupled with contractors. We've seen people with just senior security analysts. And then I think the way we'd like to describe it is your security team needs to be about 1 percent of your total headcount, 0.5 to 1%, and people don't realize that that's a pretty significant investment. So you go look at the salary of a CISO and a data compliance or a data privacy officer, a compliance manager; they start to add up a lot. And I think I truly, truly believe that, especially for the startup and scale up market.

[00:14:22] You can usually get more value out of contractors than you can out of hiring full time. And the reason I say that for the security industry specifically is because there is a ton of volatility. There is the whole issue of people getting poached left and right and people being unfulfilled because we're all humans.

[00:14:42] That is exacerbated in the security space, and then of course, the fact that people get overworked in this area, and so you start to invest a lot of money into resources that aren't all that reliable. And I don't mean that to knock on CISOs or security professionals by any means, but it's the reality that we're seeing.

[00:15:01] And so, yeah, at least with vendors, you have that ability to get dedication. People will, I guess, always take your money, for lack of a better term. And so, usually the smaller companies can get by for a long time with using third parties.

[00:15:15] Stan Wisseman: All the clips so far have been from men, which is not surprising, since research shows that only 16 percent of CISOs are female.

[00:15:23] And how can you address that? In episode 9, we had three powerful leaders in the information security space. We had Lori Sussman, Assistant Professor in the Department of Technology at the University of Southern Maine. Tammy Schuring, who was the VP and Global Leader for Voltage Data Privacy and Protection at the time at Micro Focus, but is now the CRO at Longbow.

[00:15:44] And we also had Phyllis Woodruff, VP of IT Risk and Compliance at Global Payments, who will be starting us off.

[00:15:52] Phyllis Woodruff: One of the things I counsel any woman I come in contact with is own your skills, recognize them, embrace your superpowers. They are there.

[00:16:01] Lori Sussman: And I think it's so important that people see, you know, women see people like you, Phyllis, and you, Tammy, as, you know, vice presidents, as executives, and have that executive presence that isn't necessarily emulating anybody but yourself.

[00:16:21] They're creating new pictures of leadership that include very feminine, wonderful attributes, including collaboration, inclusiveness, all the wonderful skill sets that women bring into the leadership role. 

[00:16:35] Phyllis Woodruff: For me in security and in compliance, I have played a role that's different from many of my male peers, and I refuse to be pigeonholed.

[00:16:46] I tend to work much more broadly than they do. And a lot of what I do is about building consensus and building that buy-in to get us to the next level within the organization. And those are skills that we tend to have and own in greater proportion, I think, than many of our male peers.

[00:17:09] Tammy Schuring: Yes, absolutely. I, you know, I, I will admit I spent a lot of years of my career, not realizing that I was the only woman in the room, not even realizing I was the woman because I did show up knowing I belonged there.

[00:17:27] I'd earned my way there. Now looking back on it, there were moments where it felt like I did 10X my male counterpart to get there. But I was in the room and I had no doubt in my mind that my voice mattered and I knew my superpowers. But in the last number of years, I've really transitioned from that to literally making space at the table, you know, creating as much space for more women and trying to find ways to inspire and excite.

[00:18:06] Stan Wisseman: One of the things that I think has changed with cybersecurity, let's face it, it's gone from a, you know, a focus on technology in the last five plus years to more supporting the business, and some of the skills, Phyllis, that you talk about that women can bring to bear on the business. And Tammy, you're saying, you know, that some of the ability to communicate lends itself also to this change, right?

[00:18:35] Phyllis Woodruff: The geek techie guy isn't really good in front of the board.

[00:18:38] Stan Wisseman: Exactly. Watch one of them. Yes.

[00:18:42] Phyllis Woodruff: In any higher level position within any organization, communication skills are paramount.

[00:18:51] Stan Wisseman: Well, hey, I hope you've enjoyed this episode. We've pulled together, I think, some really useful clips to help better understand how the role has evolved and different perspectives on how you could think about alignment as well as budget, as well as how the leaders work with others. Thanks for listening.

[00:19:08] Until next time. 

[00:19:11] Producer Ben: Hello, producer Ben here. And if you enjoyed this clip show, then we've got another edition of Reimagining Cyber that you may want to check out. Right at the start of 2023, we put together a selection of carefully curated highlights to mark the 50th episode of the podcast. Topics included the pandemic and its impact on cybersecurity, Iranian cyber strategy, and a behind-the-curtain view of the world of cybercriminals.

[00:19:39] Finally, please remember to rate and review the show wherever you listen to your podcasts. If you're not sure how, well, it's pretty easy. Just click on the rate button on the app and hit five stars out of five. Goodbye.