The New CISO Podcast: Invest in People as Much as Tools

Published: April 14, 2022

Reading time: 6 mins

As a new CISO with a technical background, how do you tailor your message to relate to non-technical stakeholders? And, when the time comes to refresh your tech stack, why is it important to invest in people as much as tools? In this episode of The New CISO Podcast, Luk Shoonaert, CISO at Exclusive Networks, discusses the following: 

  • How to work with vendors
  • How to represent and simplify cybersecurity to others 
  • What to look out for when kicking off future cloud migrations
  • Creating a Threat Hunting Academy
  • Advice for being a new CISO

Currently based in Belgium, Luk has been in security for more than 20 years. Working in startups for most of that time, he developed his passion for security and has recently become the CISO for Exclusive Networks. 

How to work with vendors 

Whether you are on the vendor side or a defender inside a network, it is essential to equip the buyer and teach them how to sell the purchase internally. Leaving them with a clear picture, number, or story that lets them get their job done is an important skill to have. Luk gives the following advice, “I think it starts with listening. Like on the vendor side of things, you need to sell and then you go into the meeting, you start going through your slide deck and you just talk and talk and talk and talk. First, listen and ask the right questions.”

How to represent and simplify cybersecurity to others 

What should a CISO report to the board? How should they represent their program? Be there for the business so the business can function. Think about how you can best help the business to grow in what they are doing. Luk states, “For me, I see my role as I am there for the business to do their thing. Security by itself is not the core. Well, we are actually a distributor of security solutions, but let’s say I worked for a cookie company. Security is not what they sell. So whatever I do is to enable the business to do that in a secure way. So that there’s no drama. And I think that’s to understand debt fault, how can I explain that we need to have certain processes or certain technologies or whatever, how does that translate into them or into enabling the business to sell more, grow more, or transact more safely. And I think that’s the very difficult part.” 

Luk also discusses how to shift from technical explanations to business explanations when describing cybersecurity. Luk states, “I tend to very often compare cybersecurity to real-life security. So if you talk about prevention-based technologies, I would say, you have an airport, and in that airport, you have police and they check everybody. You have scanners that scan if you have devices on you. And that’s prevention-based technology. If you look at something like user behavior analytics that would be in an airport, they have cameras and they can identify by the behavior of how people walk and how they act that there might be something going on.” Comparing physical security to cybersecurity, in language others already understand, is a useful tactic for CISOs when explaining the value of cybersecurity.

What to look out for when kicking off future cloud migrations

As cloud adoption grows, the security team sometimes gets left behind well before the data is moved. Adapting to such changes requires extra effort, and the transition can introduce mistakes or openings for attacks; losing your logs along the way causes many downstream problems. It can be a great opportunity, however, if you get ahead of it. Luk states, “Security is a journey; it’s not a destination. If you have an incident in your cloud environment, how do you take a packet capture? Is it even supported in that cloud environment? Like the things I used to do in my own environment, all of a sudden they don’t work anymore. And I think this is where people, process, and training sometimes get forgotten because tools don’t really solve the problem.” This is why investing in people is just as important as investing in tools: the people are the ones who actually solve the problems.

Creating a threat hunting academy 

Luk has helped to build a threat hunting academy. People can oftentimes stay too attached to old technology. He gives workshops where, using a lab environment, the instructors show how a breach occurs. This visualization of an attack is something many people never see or truly understand. The program has received positive feedback, and it now includes an even more hands-on class. Showing how an intrusion happens, alongside hands-on analytical tools, helps people realize which capabilities they lack.

Luk goes in depth describing the academy, saying “This is not a vendor-based workshop. We don’t talk about vendors, or we don’t teach training on products. So once they have built a whole pipeline, they understand where the logs come from and how that flows. On the second day, we go into the attacks. So we explain, we take a specific kill chain, the most used techniques like lateral movement or privilege escalation techniques, all of them. So we’re not using malware. That’s just using PowerShell or using whatever’s available. And we explain how these attacks work. We use the MITRE framework as a reference, how they work, and we let the students perform these effects in their environment. And then we explain how we can go about detecting this.”

Advice for being a new CISO

Luk gives advice for CISOs on how to build credibility and gain leadership merit, stating, “If you’re starting out, especially as a new CISO, my statement is to pick one thing you want to do and do that well. So try to figure out what your quick win is going to be. What’s the capability? What sort of phase one of this capability do you want to create? Do that and get that right for everything, call your own shots, and celebrate that rather than doing 10 things very poorly.”

Being a CISO comes with major responsibilities and can often be a challenging position. Use the advice Luk gives to better communicate with vendors, improve how you represent cybersecurity to others, and be successful as a new CISO.

Listen to the Podcast

To learn more about demonstrating the value of your cybersecurity program, listen to the full episode or read the transcript.

The New CISO Podcast Episode 60: Invest in People as Much as Tools
