The New CISO Podcast: Building The Right Relationships

On this episode of The New CISO Podcast, Den Jones, Chief Security Officer at Banyan Security, discusses the importance of trustworthy and transparent relationships in the cybersecurity field. Before joining the security intelligence industry, Den first worked as a postman walking the streets of his native Scotland and dreamed of becoming a musician. Now a CISO, he shares the value of creating relationships worth leveraging, being proactive in terms of security, how to keep an eye on user behavior, and what it means to be a security leader. 

Every relationship matters

Den believes it’s better to have a “build relationships, not sell stuff” mentality to develop transparent vendor relationships. It is crucial to think of vendors as partners rather than as suppliers. He says, “If you do this right, your team is not just the people that are full-time employees in your organization. Your team is these third-party vendors, and getting to know them and getting to understand their constraints and their troubles and things that hold them back or things that help them is really important in our business.” 

Den says that as a leader, every relationship matters in order to create trust and transparency. He says, “When you’re an individual contributor, you need some relationships to be successful. But when you’re a leader, you need all relationships. You need relationships with peers in your company. You need relationships with vendors. You need to build good relationships with people in your organization.”

Invest in proactive security

Den stresses the benefits of proactive security, giving the example of how not requiring users to change their passwords every 90 days has helped the company. “100,000 people not changing passwords every 90 days,” he says. “That is tangible savings right there. So for me, that was just such a great win. Use the data you have to try and solve problems and get security in the background.” 

Den touches on the ways to push and maintain proactive security intelligence. “I look at proactive security and reactive security as different expense line items. I’d rather put more dollars in proactive security that gets you out of the face of the workers because the other thing is, we need a productive workforce,” he says. “So as we’re plying our trade, it’s just really important to think about how do we enable the business, but in a secure way? What’s practical from a technology perspective? I love this concept of security intelligence as a proactive force for good, rather than my IR team as a reactive response based on bad things happening.”

Keeping an eye on user behavior 

Den explains how to determine the core questions that lead to good data protection. By looking at identities, user devices, and the intelligence behind both, Den can develop data security strategies. Den mentions, “I think the front line of the defense is all around the user identity and the machine identity, to begin with. So first of all, make sure that you have a really robust identity platform, so the ability for onboarding and offboarding workers has got to be solid. So from your HR system, your identity management, your directory services, all of that needs to be in place, and a capability for logging all of that information needs to be solid. I want to be able to know, demonstrate, and understand when an account was created, why it was created, when it was deactivated, and if the account was stale.” 

Aligning security strategies with executive goals

All service accounts should be predictable so that the security team can detect any deviations from the norm. Den recommends maintaining tight access and monitoring of service accounts’ task functions to keep data safe. He understands that executives do not share his interest in users’ security, and are more motivated by avoiding bad press coverage, — which could happen if a preventable security breach were to occur. For practitioners, the goal then must be to help their organizations maintain a solid reputation, but also to find ways to use their work for good.

What does it mean to be a security leader?

To Den, being a CISO means building a solid network of healthy relationships. With the right people around you, you can leverage their wisdom and advice to be a productive leader in the cybersecurity world. Den opines, “I think the biggest thing is relationships and your network. We mentioned it earlier about how you want to be, as a leader, leveraging and building these relationships. As a new security leader, I reached out to people in my network that I’ve gotten to know over the years and built good relationships with, and leveraged their wisdom, their expertise, and guidance. It’s really important to build your network in advance of needing [it], so that when you do become that new CISO for the first time, then you have a bunch of trusted people you can leverage and call upon when you need to.”

To learn more, listen to the podcast or read the transcript.