Reimagining Cyber - real world perspectives on cybersecurity

Professional Association of CISOs: Redefining Cybersecurity Leadership - Ep 136

Reimagining Cyber Season 1 Episode 136

In this episode of Reimagining Cyber, host Rob Aragao explores the role of the Professional Association of CISOs (PAC) with Demetrius Comes, a CISO executive advisor at EVOTEK and a leader within PAC. Comes, who has held cybersecurity leadership roles at companies like GoDaddy and Warner Brothers Games, discusses PAC’s mission to support CISOs through professional development, peer collaboration, and industry education.

The conversation covers PAC’s initiatives, including local chapters, certification programs, and resources designed to help CISOs navigate leadership responsibilities, liability concerns, and emerging cybersecurity threats. Comes also provides insight into broader industry trends, such as the evolving role of CISOs, the importance of cyber hygiene, and the growing impact of AI in cybersecurity.

This episode offers valuable information for cybersecurity professionals looking to understand the benefits of PAC and the challenges facing modern security leaders.

Links relevant to this episode: 

Professional Association of CISOs - https://theciso.org/

Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Welcome everyone to another episode of Reimagining Cyber. Rob Aragao here, and today's guest is Demetrius Comes, who formerly served as CTO and CISO at companies like GoDaddy, Warner Brothers Games and Sovereign and is currently a CISO executive advisor at EVOTEK. He also leads the chapters working group for the Professional Association of CISOs, otherwise known as PAC, which is what we're going to focus our conversation on today.

[00:00:25] Demetrius, really happy to have you here with us today. Anything else you'd like to share in your background? 

[00:00:30] Demetrius Comes: Yeah, I mean, I spent 15 years in the video game industry building software for the masses. Um, the interesting part about being in video games and what sparked a deep interest was early in my game development career, we found out that basically one out of every four games was being purchased and the other three were being compromised in some fashion, either through the black market or that sort of thing, which sparked the interest in, I mean, if you work with game teams and see how hard they work, um, and how much they strive to get products out that will, you know, ignite the imagination of their audiences.

[00:01:07] And then, you know, three quarters of them not being paid for. That was definitely a focus. And I think it's a big reason why you see so many games have moved online with online protections now is to try to prevent that from happening. So that was where my, you know, spark for, for security came, came in. Um, since then, and, you know, grew into a role all the way up to the CISO.

[00:01:26] Rob Aragao: That's extremely interesting kind of how that led you to cyber security and the aspects of it and it brings up actually a thought back, I don't know, might have been a year or so ago, we had, um, one of our guests that was really talking about kind of the digital aspect now of video games and really because of the security mechanisms that are behind it, but there's still opportunity, right?

[00:01:46] For fraud, of course, as always with anything. But yeah, that's, that's, that's great to hear that that's kind of how you got your start and, uh, and drove you down this path. And I wanted to talk about it. Demetrius, as I kind of mentioned in the intro, the great work that's been done to kind of launch the Professional Association of CISOs, PAC, and we'd like you to just want to kind of give a basis of, you know, what is PAC all about and more importantly, also kind of in that regard, what sparked your interest to get involved?

[00:02:13] Demetrius Comes: So I actually got involved because of, uh, some friends in the industry that then reached out to me once they formed, because this actually started well before me, um, there's. There's people that deserve a lot more credit about getting this whole thing started than I do. Um, however, Um, the passion around this group and where I think all CISOs need to know about it is it is literally going to become a location for CISOs to be able to go out and communicate with each other, share experience with each other, um, understand and promote what the roles and responsibilities are of anybody in security and make sure that those folks are well armed when they go and take those big seats as a CISO and understand what liability they're taking on for themselves.

[00:02:57] How do they go about addressing that liability? Who should they be reporting to? That's a great debate to have because many, many times you're seeing CISOs reported to the CTO or the CIOs. Yet not directly to the, uh, CEO. And therefore they're not in as many meetings as potentially they need to be because security is not just about the technology end of it.

[00:03:17] In fact, most of the time, as we know from report after report, after report, the weak link is the humans, not the engineering, right? So, you know, this group is meant to promote those types of things. I, I would liken it. I wouldn't hold this, you know, exactly to my specific words, but you can think of the PAC as something like what the ABA is for lawyers.

[00:03:40] You can imagine a time in the future where the PAC has put out certifications. If you don't pass that certification, maybe that's, that becomes a requirement to become a CISO at a publicly held company, that sort of thing. None of that is true yet. And this group is very new, but these are the types of ideas that are being bounced around.

[00:03:59] That way we can hold ourselves accountable. We can communicate and handle the details. And if the government does want to, you know, put restrictions and that sort of thing, we can be that enforcement arm. 

[00:04:09] Rob Aragao: And that's a great parallel to draw. I like that approach, you know, knowing about what you're doing with PAC, that does make a lot of sense to tie to the ABA.

[00:04:16] One of the things you called out that I think is critically important. I'm glad you called it up right up front is CISOs today, or someone who's looking at it, become a CISO. Needs to truly understand, not just the reporting structure, which is critically important. I get that for sure. But the liability, the personal liability aspect that now taking back right over the past year, we've seen that accelerated with so many different examples out there.

[00:04:40] So I think it's, it's critically important. I'm glad to hear that that's part of the, um, you know, kind of theme or topics that are definitely covered there. So, so another thing I wanted to get into is from PAC's perspective, you know, you talked about some of the things from an educational kind of perspective and everyone getting together, which is great.

[00:04:58] I mentioned if you want to become a CISO. So what guidance would you start kind of offering people there as they're looking to elevate into that role specifically?

[00:05:04] Demetrius Comes: Well, first, I think you need, you know, somewhere between seven and 15 years in the, in doing it to step into that role, at least at the executive level.

[00:05:15] So you can see, because security in many organizations becomes this cross cutting organization. It is unlike, you know, a CTO where you're focused on the, on just the technology, right? It's more akin to what CEOs do, which is, you know, across the whole company, keeping things in balance, you know, being able to train your customer service representatives to know when they're being vished or phished or, um, they're trying to be scammed while they're working with a customer.

[00:05:46] And is that even our customer? To also being able to do networking scans to make sure that the technology is securing us as well, that broad base and understanding all the things you need to consider. And then how to work with all your counterparts across the organization. Cause you, as you, as the CISO or the VP of security or whatever the head highest level of security is in your company cannot do it themselves.

[00:06:08] It has to be everybody's job and having them understand that and giving them, giving anybody or sharing the experiences with some of the new, newer security folks coming up, coming up the chain will be the next generation CISOs. So they understand the vast majority of your job is going to be partnering with other portions of the organization.

[00:06:29] Explaining to them why what they're doing is not secure and how they need to go about changing it and working with them to get it done is the only way we're going to move security across and level up security at all the companies. In the country so that we can take advantage of that. 

[00:06:44] Rob Aragao: I agree with you there.

[00:06:45] I think that it's, um, it's critically important to have the experience, as you said, right, understand, you know, kind of the, the foundational elements of cybersecurity for sure, but more importantly, it's, it's understanding how they do interconnect to deliver what's appropriate for the business. So yes, we have to obviously drive at how we protect the organization.

[00:07:04] We have to understand what that given organization's risk appetite is as well. And it doesn't matter what vertical they're in, because even if they're in, you know, financial services, it does not matter. It's the individual organization has a specific risk appetite, and you better understand what that is pretty quickly, which also plays into, you know, the stakeholders that you were talking about that they have to engage with, they have to understand to build a rapport, have the right communication, speak the right language as part of that, you know.

[00:07:30] So I think those are really good elements that it sounds like PAC is helping support as people are looking to evolve and up level to become more of a business, with technology still tied in, kind of CISO, um, you know, of the future, if you will.

[00:07:45] Demetrius Comes: The other thing the PAC is focused on is ensuring that twofold, making sure that the folks that are going to be taking on these big seats for CISOs at companies

[00:07:53] understand the liability they're getting themselves into, but also on the other hand, the PAC is working hard to make sure that the government and the companies understand the level of risk that those people are taking on, because if there ever becomes too big of an imbalance, and because we're gonna show all the, you know, all the potential security professionals out there what the risk is, and if we don't start mitigating that risk, you're gonna find yourself a lot less people, have a much larger hesitation in putting their hand up for that.

[00:08:23] Yeah. I mean, let's face it. Eight CISOs have gone to jail in the last few years. We're not section 16 employees. We don't have that level of protection. Most of the time companies don't even give us D&O insurance, right? And that's one thing the PAC has already provided. Once you join, you can sign up to get liability insurance.

[00:08:41] So these are, these are powerful things that the group is doing so that we can a protect ourselves, but also educate and make sure that the businesses understand the level of risk these individuals are taking on because we have chosen as a company, as a country, however you want to word it, is if there is a security problem, it has to be the CISO's fault, even though they don't control all the pieces and aren't even at that top tier of executives yet.

[00:09:07] Rob Aragao: Yep. We haven't had many examples. You're absolutely right. One of the things I know that's important, um, as part of PAC is the, the code of conduct. So I wanted you to kind of just share a little bit about, you know, the relevance of it and why it is really, truly a very important aspect of people becoming part of PAC and the way they should be in essence conducting themselves.

[00:09:25] Demetrius Comes: So the team that put this together within the PAC was truly, you know, lawyers and really, um, some of our best CISOs across the planet. What I liked about it was it again mirrored much of what the ABA did, right? Here's your code of conduct. If you join the group, you're gonna do this. And if you don't, there will be a mechanic to expel you from the group if you don't follow the, the code of conduct.

[00:09:49] Mm-hmm. I don't see how we can be a respected organization if we don't have that. Like we have to hold ourselves to the highest possible standards so that we can act as the beacon for those standards to everybody else pulling the rest of the other organizations up. We have to have that. Otherwise we, we lose our moral high ground in the conversations.

[00:10:07] Rob Aragao: It sounds like, as you're talking about what. The way the ABA kind of operates is almost kind of a blueprint that you've looked at and obviously making the proper adjustment for the CISO role and what we need to take into account as well, which is back to the point of liability being a critical aspect of it as well.

[00:10:22] Demetrius Comes: I don't know if we've used it as a blueprint, but it is. When you started, I think it was more of like we started it down a path and I went, is anybody else doing the same thing like we're doing? And then we looked over, Oh, it's kind of like that. And then that we started drawing, um, similarities out of the two of them.

[00:10:37] And it's helped communicate what our goals are because there's already one established that we can look at and go kind of like that. 

[00:10:43] Rob Aragao: Yeah, makes sense, right? You're going to make the adjustments for sure. So that makes sense. So I want to transition, talk a little bit about the, the role of kind of what I would refer to as the modern CISO.

[00:10:51] So, we've already got into it a little bit. You were talking about, um, you know, understanding your, your, your key constituents, the stakeholders within the business, understanding, you know, what the appetite for risk is, and that could be even in different parts of the business. Um, but understanding again how technology fits and cuts across, as you mentioned, Demetrius, different elements, you know, that deliver different services, capabilities, you know, routes to market, all of the different, you know, opportunities that drive the organization to also bring forward revenue, not just the protection side of it, not just the protection of the brand and everything else that comes along with trust and so on.

[00:11:26] There's, there's a lot more going on in the, the new modern CISO. So, one of those is, in line with everything we've just been discussing, is, you know, how would you guide them to properly engage with the board?

[00:11:38] Demetrius Comes: It's a couple of things. Um, one, any new CISO that's coming in, it's going to work with a board the first time.

[00:11:43] You need to be able to state where you're at, where security currently is at. And there's some really good frameworks out there. There's CIS, there's NIST CSF, that you can pull from, have an assessment done, and it gives you a baseline. Right? It doesn't, like, they're still frameworks, they don't cover perfectly everything for every industry, although this CSF does a pretty good job of that.

[00:12:03] Um, you know, understanding the company and saying, here's where we're at, here's where I think we should be, and then negotiating with the board and senior leadership to know where we're going and then how fast do you want to get from point A to point B. I think if you get that in place, you're setting yourself up for success.

[00:12:22] If you don't, then what ends up happening is you're pushing for, you know, a CMMI score of a four and the rest of the business is like, we got an appetite for like two. What are you talking about? Another way to look at it is, um, Synapse has put out a report 10 or 15 years ago that I referenced a lot called, um, CISO tribes.

[00:12:42] The idea behind this was, is like, there's basically four traits that an organization exhibits around security. And there's four traits that a CISO exhibits around security. If you're if you and the company you're working for are exhibiting the same traits, you'll be successful. If you're exhibiting two different traits, that's a problem.

[00:13:00] And real quickly, the overview is like, there's a cost center mindset. There's a compliance mindset, meaning security only gets better when compliance gets better. There's a tech enabler mindset. That's like Hey, I'm bringing all this cool technology. Look at all the safety things we can do. This is usually in software development.

[00:13:18] Like you get the engineers excited about some of the security stuff you can do. They, they start reacting to it. And then lastly, there's the business enabler where you're saying our security is so good that customers are choosing us, that we're getting a surplus of customers because they trust us to do the business effectively, right?

[00:13:35] If you, even if you just use those four boxes, laid them out with your board and said, currently we're a compliance driven organization, but I believe we should be a business enabler and they go, we agree, and you've laid out what the traits are and what's going to have to change. Even that will give you enough.

[00:13:50] Just make sure you have some, where are we, where are we starting and where are we going and what's the speed in which we want to get there. If you can get those things aligned, the path becomes a lot easier. 

[00:14:01] Rob Aragao: You know, it's funny you bring that up, because I haven't used that in a while. I actually used that.

[00:14:04] It's a tribe. Oh, good. Yeah. Yeah. Because I think it's, it's, it's so relative. Right. And, and, and even like we're talking about, like to me, a lot of what in conversations I'm having and educating people to get to this point of really being the business enabler, like you just described, right? Because why?

[00:14:19] Yeah. Having the conversation at that point in time with the board. There's more relevance. You understand the right vernacular and communication, right? And we talk about this many times in this podcast because we kind of launched at this point in time back several years ago, where we were driving the aspects of cyber resiliency and resiliency and cyber resiliency or digital resiliency, whichever you prefer to call it.

[00:14:41] Resiliency in and of itself, at the executive level, at the board level, is very well understood, because they understand operational resiliency. They have to; it's part of the way they normally operate. So that kind of connection point as a business enabler conversation became very, very valuable at that time. The other thing that you just discussed, which I'm a huge fan of, is you can use whatever you want for your maturity model, right?

[00:15:00] If you want to use a traditional kind of CMMI approach and take it there, and if you can get to a four, my friend, good for you.

[00:15:07] Demetrius Comes: I don't, I don't think any company should be able to, like, couldn't say that, like, this four is, before it gets pretty complicated to get to three, three and a half.

[00:15:14] Rob Aragao: I, yeah, that's a nice aspiration, but.

[00:15:17] Keep that inside your head, right? But I think the aspect that's important as you're getting that, um, you're building that trust, right? You're, you're, you're proving yourself out and your program and your people and process is all part of that is what I refer to as you set kind of that path forward. You prevent, you present what that is to the board, you get the buy in.

[00:15:38] And you know that basically what you're doing is you're saying, Hey, I'm going to get to a hundred percent of this thing over here. And in your mind, it's like, it's only going to take me 50%, maybe 75 percent because I need the quick visible win to get them to continue to fund and invest more into my program that I laid out for them, the path in my timeline, I can start accelerating after the fact, but if I failed out of the gates, I may no longer be here myself.

[00:15:58] Right? So I think that's, again, something you called out. I just wanted to kind of amplify a little bit, because I think it's critically important for sure. 

[00:16:05] Demetrius Comes: And I think there's, there's opportunity for the new CISO coming in because many organizations, quite frankly, are so behind where they need to be for security.

[00:16:15] There are, you don't even have to really set up the roadmap to be like, I'm going to get this fast early win. It's usually just lying in there. Like at least from my experience so far, like you come into a place and you're like, you're missing a CMDB. Hmm. If we don't know all our assets, I don't know how we can think we're protecting all our assets.

[00:16:35] Rob Aragao: I love how you asked the question. Oh, so, uh, do you have a CMDB? Do you know where all the assets are? Yeah. Yeah, I do. Really? Let's take a look at it. Oh, well, uh, you know, yeah, there's all these gaps. So yeah, exactly. Cause no one knows exactly where everything is, but let's do better. Let's do better. Hey, so I got to ask this question.

[00:16:52] Wouldn't be, you know, in, in the theme of what's happening in the world. If I didn't ask this question, AI. So from your perspective, right, there's, there's, it's shared challenges, you know, on us as cyber professionals. But there's also benefits. So I'd love to get your perspective as a whole, kind of the pros and cons, if you will.

[00:17:13] Demetrius Comes: So, um, so first of all, I had the benefit of, uh, the practice that I worked in at EVOTEK. Um, actually put together, you know, some internal white papers on the subject and I got to be the one to write it. So this is a particular subject that's near and dear to my heart. My view of all the AI stuff out there right now is there are a few new attack surfaces.

[00:17:35] Right. There are, you know, you can, you can reverse engineer some of the prompt responses and try to get it to, you know, dump any memorized data out and that sort of thing. The vast majority of the tooling that's coming along, like you look at Microsoft's copilot or, you know, anything that's going to help your workforce do more and more quickly means they have to consume the data within your company.

[00:18:02] And if they're going to do that, then it really goes back to the security hygiene and security basics at that point. Do you know who's accessing this data? Do you know that they're only accessing the data they should be being accessed to? Are all their IAM roles the IAM roles they should have? Or because they've worked at the company for a decade, and they've moved around between three different groups, and you haven't removed their permissions or re-added their permissions when they moved the group, they now have permissions to everything at the company.

[00:18:26] And that means that person gets phished, and now the threat actor doesn't have to go through God knows how many documents trying to find the piece of, you know, financial data they're looking to leak, leak to the press. Instead, they're just asking Copilot. Where is this data and then says, show me the sources and it spits it right out, right?

[00:18:46] So when I see AI from a, from a defensive posture of AI, I'll talk about offensive in a second, but from a defensive posture of AI, there are a few new, um, attack surfaces that we have to address. You know, the, the prompts and how we go about what gets asked in those prompts, that sort of thing. And there are some pretty good tools out that are starting to like act like a proxy where they, you know, vet the question before it actually goes through.

[00:19:10] Um, I think DLP is, becomes incredibly important because if you don't tag your data or what's allowed to be searched and what isn't allowed to be searched, then you're just turning it over to the AI. And the AI is just a mathematical construct. It's not a thinking machine. You, you ask it questions and it goes, solves a mathematical question.

[00:19:27] It's, problem is, but back at the answer. So it's the security hygiene piece that I think that I, that through my time at EVOTEK, I spent a lot of time communicating. That's where you need to focus. Make sure that your basics are in place. Do you have all the, you know, are your IAM policies where they need to be?

[00:19:45] Are your policies about what tools are allowed to be used to what tools aren't allowed to be used? Do you have the ability to stop people from using tools that you said they shouldn't be using? Like these, make sure you have those controls in place. And then lock them down to only the tools that the company has agreed upon using.

[00:20:01] Cause most of that's a legal construct, not necessarily a security construct. And, but we need to be there to help those things move forward. As for offensive security, I think it's going to accelerate the types of attacks that you see across the spectrum. Reason why is, you know, when you did reconnaissance, I've been a pen tester before, you, you do reconnaissance and you're sitting there like you're relying on your mental agility and your mental ability to memorize a whole bunch of data that you had come back in and then say, okay, where's the weak spot?

[00:20:34] How do I develop the attack plan? That sort of thing. Imagine being able to recon, you know, a company with a couple of million nodes, throw it in an AI and go, tell me where's the weakest link. I mean, now the attack patterns speed up and if the defensive guys aren't doing the exact same thing and running the exact same scenario and then asking it, where can I be attacked?

[00:20:54] So it understands like, this is where I see the arms race. It'll still be the same arms race, defenders versus attackers. It, the rate at which it will escalate will get much faster because we can ask these much more massive questions and we don't have to rely on the limited ability of us to be able to memorize it or write code around it or that sort of thing.

[00:21:11] Because AIs are great at picking out patterns and that's what we're looking for.

[00:21:15] Rob Aragao: And that's a good example, right? Cause it does take me into, you know, thinking about, um, red teaming, blue teaming aspects of how AI can help both sides of it. Purple teaming is part of that equation as well, but that's a, that's a good way to kind of look at it.

[00:21:27] And, and, you know, it's one of the things we've talked about as well in previous episodes is that we understand that the bad guys in essence have this headstart and they kind of always will, because they're there's, there's, there's no borders of what they have to deal with and constraints per se, they can kind of go let loose.

[00:21:41] Demetrius Comes: Right. But honestly, they don't have, they don't like any, any professional white hat has things that they will not do. That's right. Right. We are, we are bound by laws. We are, but it's the same thing that the criminals have over the justice system, right? That's exactly right. The criminals don't obey the laws.

[00:21:58] They can break the rules. So they will always have the advantage, right? The idea is to make it high enough, painful enough. And when they get caught, make the, make the penalty high enough so that we discourage the behavior. 

[00:22:08] Rob Aragao: Yeah. Or go back to your point about just having that good cyber hygiene put in place, right?

[00:22:12] The more difficult you make it on them in the first place, your target, the more likely: not, not as soft as I hoped it was. I'm moving on to the next guy. Great. Go take, go take it somewhere else for sure. Um, to me, just one thing, the client closed things out on PAC. Um, you know, just talk about what's coming up, right?

[00:22:27] Where the chapter is just, how can people get involved? So if you can share some information, it'd be helpful.

[00:22:32] Demetrius Comes: The best way to get involved is the website, theciso.org. Um, you can go there, there's a membership, uh, link that you can fill out. Um, once you're signed up, you can then look over the liability insurances that we're putting out.

[00:22:47] Um, if you're concerned about that, um, uh, myself and a few others run what, uh, what will launch as chapters. So there'll be local cities chapters, probably towards the middle, you know, late 2nd quarter of this year will be some of the 1st meetings there. Um, we're trying to get together like a packet that when somebody steps up and says, Hey, I wanna run a chapter, we can give them enough information.

[00:23:12] Like, here's what the structure looks like. Here's like, here's the roles you should be able to fill. You should have at least, you know, three or four people and they should have, you know, somebody's gotta be the president and vice president and probably a secretary and, you know, maybe a treasurer. Like, these are the roles you at least have.

[00:23:25] Like, if you don't have at least that, you probably shouldn't even start a chapter 'cause you don't have enough interest yet. That sort of thing. And getting them like, here's a framework for running a meeting. Here's the framework for running an event, that sort of thing. Just so people have something to start from.

[00:23:38] Um, that's, that's, you know, look for that on the website, probably in the next, you know, 2 to 3 months, um, there's an incredible amount of work going on. Um, there's, uh, uh, we'll be doing some, uh, You know, videos released on just what it's like to be a CISO and things like that. Like all, all this is coming in near future.

[00:23:57] There's so much work going on in the background. It's, it's almost staggering. Every time I go to another meeting, I'm like, really, all this is going on. And it's all volunteers. Like that's how passionate people are around this subject. And that's what I love about it is like, this is a group of professionals that have literally just said, we're in a dangerous situation as a profession.

[00:24:15] And as businesses, and if we don't address this, because if we put the risk too high, people will stop stepping up. And if we don't train people and make sure they understand what they're getting themselves into, people won't step up and we have to have these people step up. Otherwise, you know, we'll just continue with some of the same security issues we've had over and over and over again.

[00:24:33] And, you know, with the geopolitical world, the way it is, I'm not sure that's where anybody wants us to be. 

[00:24:38] Rob Aragao: And it's a fair point. Fair point. Well, we're going to include obviously the link. In the show notes so people can get, take a look at that. And again, as you shared, right, you're, you're really at, there are still early stages of building up, but a great opportunity for them to get involved.

[00:24:50] And um, I think that's great. I may raise my hand to participate for sure, because I think it's a great cause as you went through it. So to me, just thank you so much for coming on and sharing exactly the different work that you guys are doing. Great. I think, uh, for what is a gap currently in the marketplace for us in the cybersecurity realm.

[00:25:06] Just thinking about if you're a CISO today. Considerations you better be aware of partner with one another collaborate and by the way, help kind of the next evolution of new CISOs to come to the marketplace as well and help us all. So thank you so much for coming on. 

[00:25:20] Demetrius Comes: Thank you, sir. I really appreciate it.

[00:25:21] Thanks, Rob.