Podcast - The New CISO Podcast Episode 62: Demonstrating the Value of Your Program to the ‘Layman’ - Exabeam


Podcast Transcript | Air Date November 18, 2021


Steve: From Exabeam, this is The New CISO, a show about the people who lead IT security teams, the challenges they face and how they overcome them. If you like what you hear, please rate, review and subscribe to hear our new episodes first. Andrew, good day to you, sir. Thank you so much for being on the show. For the uninitiated, if you would, please tell us who you are. Introduce yourself, please.

Andrew: Thank you very much, Steve. My name is Andrew Obadiaru. I’m the CISO for Cobalt. In that capacity I’m responsible for information security and IT. Prior to joining Cobalt, I was head of information security for BBVA Corporate Investment Banking.

Steve: So that’s an interesting and I think fairly unique combination of responsibility, Andrew, where it’s head of IT and CISO. We had a guest who’s been on the show, Martin Litman. He is CISO and I believe CTO. I hope I don’t mess that up. Sorry, Martin. We’re starting to see some of these combinations happen. Is that two specific roles, or is that kind of in the title for a particular reason? What exactly is that seemingly hybrid position?

Andrew: That’s a good question. I mean, there are two schools of thought on that. Some people feel it’s an absolute no-no to do that, because it takes away the independence to truly evaluate what IT is doing. When you bring everything under the same umbrella, it makes it much more difficult. But most organizations adopted that approach for a variety of reasons, whether it is where you are in the organization or trained, if it’s a startup, resource issues, they need to still kind of manage those two sectors together. For us it’s worked well because we have two separate teams, even though I’m responsible for both teams. But the teams still operate as independent outfits, right? We still kind of provide that oversight over IT. IT has a key role in driving technological missions for us. We on the security side, we also value what IT is doing and identify risk within that process. So it’s worked well for us, and because I’ve had backgrounds in both sectors I’m able to manage that and still bring a level of independence to it.

Steve: It’s certainly heavily interconnected. I used to say, and others have I’m sure, I was once asked by someone very high up at a very important company that they wanted world class security. And I had to ask them at the same time, “Do you also want world class IT?” Because you kind of have to have both on that journey. And the example is, in this case I brought up, even something like an asset list, where at that point we didn’t know what assets we had. And no matter how much money I spend on some capability on the security side, I can’t really make up for that easily. Right? You kind of have to have both. And having a leader that’s setting vision for both I think could be incredibly helpful. It might be burdensome some days, it might be stressful, but I think the direction at the top would be helpful.

Andrew: Oh, no question at all. Because a lot of the things we do integrate very well with IT. Now we’re deploying Okta. Okta, while it’s an IT function, does have a security component baked into it as well. Right? So to your point on the asset list, we just completed a data classification. We couldn’t have done that without understanding what our assets are. So there’s always that touch point with IT. So having everything under the same umbrella, so to speak, certainly helps in terms of having a clear view of your overall security and technology stack and then understanding the true mission you can develop from that properly. So yeah, there are tremendous advantages to having it together. But as organizations scale and get bigger, it becomes much more of an issue, depending on the industry as well. So if you’re in a highly regulated environment, it becomes very difficult to manage both together.

Steve: Andrew, do you have any advice? Because most positions are one or the other, but they’re still pretty rare to have both. I mean, ultimately they typically report to somebody. But to own both is a little bit rare. And for the listener that is thinking about a career change or maybe in the process of interviewing, if they’ve only ever been a security person or maybe they’ve only been an IT person, one or the other, and never have been responsible for both, do you have any advice, just generically, as you’re going through that process of getting to know the new company? Is there any school of thought or any question that you might make sure you include, or just general advice if you find yourself needing to own both?

Andrew: It’s an excellent question, Steve. I think for me it was relatively easy because I started my career as an IT person and I transitioned into security. So that makes the transition a lot easier. But if you’ve never done anything in IT or you’ve never done anything in security and you want to be able to take on both of them, it’s a bit of a challenge, right? For a variety of reasons. One, if you’re looking to set an agenda, if you’re looking to set a mission, you have to understand at a very visceral level what IT is all about, what the position of the organization is. How do you define a strategy if you’ve never really walked in that space at all? So you might have to ramp up very well or have good managers that will bring you up to speed. But in order for you to be effective in both roles, I think it’s helpful to have some background in either IT or information security in order to be able to effectively manage both teams successfully.

Steve: You said it well there. And I was going to mention it if you didn’t. If you’ve not done one of the two, you had better have good lieutenants in those supporting roles. Because otherwise, you’re going to get caught off guard, and it’ll probably have an unfriendly outcome if you’ve never done it before. Yeah. It’s an interesting hybrid role. Earlier, we spoke. And it’s one of my favorite questions to ask a guest on the show: what’s the worst thing about our industry, or maybe the most difficult thing? And there are lots of reasons. And I ask it not for us to sit around and complain, but to instead move past this difficult thing. And you had several perspectives on what the worst thing could be. And the first one started with just general perception. Talk to us a little bit about how perception plays a role in one of the worst things about our industry from your perspective.

Andrew: Yeah. I mean, that’s true, Steve. I think the perception thing is usually within the organization, not just the industry as a whole, right? Most organizations, their perception of security is just another platform function, another cost center, right? It’s always hard to quantify the value security brings to the organization, especially when you haven’t had any major incidents or breach of your critical data. And it’s always difficult for you to make the case. So for most security professionals, whether it’s in the course of you trying to get additional budget for an additional initiative, there are always questions coming which typically don’t go to other business units. Right? And there’s always that. And I understand where those questions are coming from. Unless you have a good appreciation for what security is bringing to the table, the value we bring to the table, it’s always difficult, whether at the executive level or even at the board level, to see the value that you bring on board.

Andrew: Now, that perception is changing now because of the proliferation of cyber crimes and all of that. So people generally are taking time to understand what that means to the organization and how it could impact the bottom line of the organization. So that perception issue is starting to change. Now as an industry, the way security is looked at, it varies, right? There’s an expectation that, oh, security ought to be able to do everything. Right? The user community shouldn’t do much. When in fact, security is everybody’s task. Right?

Steve: Right.

Andrew: Security can only do so much. So I think for me, it depends on where you are and your ability. And that perception obviously also affects how you are able to make your case. So it makes it a lot more of a daunting exercise for you when you engage the board. Right? So if they don’t see value in what you’re bringing because you’ve not been able to demonstrate that in real time, or there are no KPIs or stats you can use to demonstrate value add, you have to go the extra mile to be able to make that case on a consistent basis, why security adds value to the business.

Steve: That I think is an interesting point. I like this point. I came up in IT and then moved into the role of security analyst, intrusion analyst, and then upward into the leadership and senior leadership, executive leadership ranks. But one of the struggles for many teams, and you said this, is if nothing has happened, how do you show value? Meaning if there hasn’t been some sort of attack or newsworthy event, how is value shown? And I have my own opinions on this. One of the statements that stuck with me is always having to re-prove security. What’s your perspective on that? I think there’s always a story to tell, even if nothing has happened. And I would argue that something’s always happening, but that’s my point, not anybody else’s. What’s your take on that?

Andrew: No, you’re right. There’s always something happening. Right? So what I’ve adopted over the course of my career as a way of countering that point is to be able to bring some kind of metrics into the discussion, right? So if we are discussing budget, or even a security initiative, if I’m able to demonstrate return on investment either through metrics or data points, you’re able to see value add, right? Whether it’s the number of blocked attempts we’ve successfully done over a period of time or the amount of patches we’ve applied, implications of those patches. Those types of things. The severity levels of different things. The systems that we have, the devices that we currently have AV on, or the ones that don’t have AV. Ability to identify threats, whether it’s to an industry or even directly to us as an organization. The more you’re able to tell the story around that certainly helps to bring value to the organization, even though some people will still look at it, “Eh.” And, “We don’t know.” But the more you’re able to use data points to make your case, then it becomes a lot more obvious, right?

Andrew: So those that are truly, genuinely interested will see the value being added through those discussion points. But there are some folks that will continue to see security as just another platform function. You’re never going to be able to win those people over. But the folks that matter, that are truly interested in seeing what we do, those metrics and data points will certainly help convey that message.

Steve: Yeah. And there are a couple of points. One of the things I wanted to get to is we covered a little bit of what some of the worst things about the industry are. We covered that. You get a little bit into the solution now. You kind of gave me two tips on this, but I think the two you mentioned that are most interesting are understanding the business in sufficient detail to start to reset how we get around these worst perceptions. And then the other one was, and many of us suffer from this, only speaking in technical terms. That’s a tough lesson that I think you said you learned maybe earlier in your career, but I think it affects probably all of us at some point.

Steve: How do we make that change? You mentioned metrics earlier, and we have to use something that’s consumable by the audience. So is there more than one metric, are there several? Is there advice that you have in order to make it consumable with those two things in mind? Right? So understanding the business in sufficient detail and not speaking too technically, how do you walk the line there?

Andrew: That’s a very good question. And again, most of us struggle with that. But I think the key is to develop some of your soft skills as well. Right? So for most technical professionals, as they climb up the ladder it becomes a challenge, right? They’re so buried in the weeds, right? And you have to be able to get out and have a big picture view. For me, yes, understanding the business is critical because if you don’t speak the language of the business, you’re not going to be able to get across. So understand at a very detailed level the strategy of the organization, what makes the organization tick, what the organization is really about, how can security align with that? So your ability to align with those organizational objectives certainly puts you in a position to speak to the key players within the organization.

Andrew: The second thing you also mentioned is how do you demonstrate that? How do you go? For me, when I engage my board or fellow executives, I try not to get too technical. I try to be able to convey without using fear to drive that message. So that’s where metrics come in, KPIs, KRIs. If we have performance indicators that we can go to, to demonstrate what we are doing, we certainly will leverage that, as against using our [inaudible] to drive your message home.

Andrew: So, it’s a combination of different things. You have to understand your audience. You have to know what you’re trying to convey. All of that will come into play as you make that message. So if you are going for a budget discussion, you adopt a different approach. If you’re going to just a routine quarterly update to the board, you also would adopt a different approach. So understanding your audience, their level of know-how relative to the topics you’re looking to speak on, certainly helps. So that would help manage the level of detail you want to demonstrate. Technical knowledge is also important at times. It’s good to get into the weeds at times, if the situation calls for it, but you don’t want to make that a go-to approach, because you have to be able to tailor that message to your audience.

Steve: You wouldn’t want to be in a spot where you couldn’t back up the statement, I think, but you wouldn’t want to start also just with the tech, because you’ll lose them. But every now and then, you’ll get challenged and you’ll have to… There’s a ringer in the room or there’s somebody who knows a little bit, and they’re going to quiz you. I’ve had this happen many times. Yeah, so I think you have to have… You don’t want to get caught not knowing. And if you’re not a technical CISO, that’s okay. But I think that you have to be able to break the point down into three levels of increasing detail if you’re going to give a high level presentation. You’ve got to be able to dive a level deeper and then a level deeper again. Otherwise, you can have negative results. But you don’t want to start at the technical bits, like I have in my past.

Andrew: No, no question, no question at all. I completely agree with that. You have to do your homework. There’s always somebody who’s going to press you, and you don’t want to be in a position where you say, “Oh, I don’t know,” or “I’m going to get back to you.” That’s just not acceptable. You lose credibility very quickly. At that level, you should understand in sufficient technical detail to speak to the board. You’re not talking to hackers or whatever. So you ought to be able to hold your own in that conversation, to explain to them, whether you go into details or you go into… You keep it at a very high level, but you have to be able to walk out of there making them understand what you came to deliver.

Steve: The theme, for those that listen to the show, if they listen to what I’ve shared, is you have to provide them comfort and confidence in your ability to execute on your mission. Comfort and confidence. And that’s an ever-changing thing, and there’s no firm definition, but when you leave the room, they have to think, “Ah, this person knows their craft, and they have a path set. And what they have shown us today and what they have requested is reasonable from a position of authority.” I think that is my formula for that.

Steve: And I want to ask, you mentioned a budget meeting being different than a normal status meeting. And I think that part of budgeting is also getting cooperation. So it’s asking for a million dollars, and it’s also getting help from the other executives to see it through. Now you’re in a spot where you own IT and security, but you still need help from other organizations to make sure testing occurs agreeably, that there are no disruptions, that you have help in seeing success. It starts with budgeting. How is a budgeting meeting different than a status meeting? What are the things that you go in with that make sure that you lead with that comfort and confidence in that meeting? What’s different?

Andrew: The budget discussion is certainly different from a routine update, so there are two things you want to keep in mind. First, whether you are looking for a brand new budget or it’s just a recurring budget, or you’re looking for some big security initiative or IT initiative, I think the key thing to do first is to understand, as you approach that process, what are the crown jewels of your organization? What needs to be protected as part of your day to day business operation? How critical are these crown jewels? And by crown jewels, I mean your data, your systems, your devices, all of those things your organization needs to function. How protected are these crown jewels? If they’re not sufficiently protected, or your budget discussion is around these crown jewels, then it makes it a lot easier for you to be able to convey that message.

Andrew: Now, the board is interested in what could potentially impact their bottom line. So the better you’re able to articulate that and tie that to your budget discussion, it changes the outcome of that conversation.

Andrew: And two, you also want to be able to understand the risk to the organization, the security risk to the organization, whether it is losing competitive edge or market share, reputational impact, financial losses. So if you don’t get the budget to execute against those specific initiatives, these are the potential implications of not doing that. Without necessarily driving fear, but you want to be able to state facts along those lines. So, when you articulate your message in that way, and you tie that to your budget discussion, the board certainly, or even the executive team, will certainly see the relevance of that request. And then also having an ally, another ally that is with you on that, who understands the implications of what you’re discussing, whether it is on the engineering side, or even on the sales side. People that you’ve had interactions with, that this particular security initiative would also benefit. So it’s good to have that ally as you approach those discussions, so they can second some of the points that you’re making. And that certainly conveys the message a lot better from a budgeting standpoint.

Andrew: Now, if you’re doing a routine update on a particular track to your organization or to your industry, that’s a whole different approach. So yeah, you want to highlight specific implications of a breach. If your industry is seeing a pervasive type of threat, and then you want to be able to mitigate against it or you want to demonstrate your levels of preparedness to address that kind of threat, then it’s important to go, hey, organization B and C had this issue. This is what happened to them. However, this is where we are. We’ve implemented a number of these different measures, so no cause for alarm, but we’re going to continue to evaluate our levels of preparedness, controls we have in place, et cetera, et cetera.

Andrew: So I think one is more aimed at trying to alleviate concerns on the board’s part. The second is more to say, hey, this is what we need to do. So they’re two different approaches, but you have to be able to understand what you’re looking to convey and how best to get that message across.

Steve: So you’ve added things, but when you answer questions, I have more that are forming as you speak, which is actually a really good thing. In speaking about a new budget request, you said something I think is very important. And it sounds simple and basic, but I see many people mess it up, and it is having an ally. So, a new budget request, and having someone in the room, and I can tell you how powerful this is. If you present on a topic and in the right moment that other individual, that other VP or SVP or EVP just gives a nod and says, “This is absolutely the case.” And she says something as short as that, it can take it from, “Well, we’re not sure,” to “Sounds good. Let’s do it. Let’s move on to the next topic.”

Andrew: Yep. Absolutely.

Steve: And you even mentioned sales in there, which is, if you continually help drive sales, meaning if there is something you can add, a capability that makes the sale… The people who make money for the company, make them look good or make them better at their job, you’re almost impossible to defeat. I think that is incredibly sage advice. And I would ask you now, that it doesn’t happen in the room, though. Meaning unless you’re just friends, and you’re going to cover each other’s back all the time and you’re aligned ahead of time, maybe that happens naturally. Typically, it takes work ahead of time to have an ally in the room. You do a lot of work. There’s preparation. Talk to us about that, for those that might not know what I’m talking about, or that may not have been in this scenario: having an ally in the room, in a budget meeting, requesting new money, trying to show business relevance. What do you do to prepare for that?

Andrew: Oh yeah. That’s incredibly important. So it’s not, “Hey, I’m going to go talk today. Can you back me up?” It’s based on weeks and months of relationship building. So typically, the way I approach not even budget, but just my day to day, I have standing meetings with all the colleagues, head of sales, the VP of sales, head of customer service, head of product development. So we have touch points. We discuss initiatives. This is what we’re working on, these are the implications of this for your product, building a product security team, and also product initiatives.

Andrew: So now, if that comes up in the course of a budget discussion, the chief product officer is already aware of some of those details because of the background discussions we’ve had around it. So it’s easy for him to weigh in on those discussions. So in my routine touch points with them, all of these different initiatives come up. So it’s always important for you to build allies along those lines. You want to be aligned with them because security can have impact across the board. And if you don’t do much, you’re just going to be isolated. So you have to know how to engage, know how to build relationships, how to make security relevant to all these other business units, because security is really relevant. Security has an impact on what most of these business units are working on, whether it’s product development or even our sales team.

Andrew: So from a product perspective, there are a number of different things they do with us that we also deal with them on. And we can improve on that by making yourself much more relevant or making your team the go-to team as part of their concept of design process. So once the chief product officer is included in some of those details, if that comes up in the budget discussion, he can certainly… You don’t need to discuss with him hours before the meeting and say, “Hey, I’m going to be doing A, B, and C. Can you back me up?” But those conversations are going to resonate with him because you’ve had those conversations in previous discussions you’ve had with him. So it’ll be natural for him to say, “Yeah, this is impactful to us, blah, blah, blah, blah.” And that may be exactly what gets you across the hurdle, because they are now looking for that additional viewpoint, how to drive that message home.

Steve: So you’ve covered a lot there, and I think it’s something that’s completely worth studying, all of what you’ve said. And I think another thing that may have helped you in this process, growing as an executive, is your past as an auditor. Meaning you had to explain things in a way that a wide audience can understand. Is there a benefit or maybe a detriment? Did you ever… Being an auditor, did you see that as a superpower or a hindrance or both? Did it help give you skills that others didn’t? Meaning for the auditor listening that’s thinking about changing over, in lieu of all this other stuff that we’re talking about, is there anything there that you would give advice on? I meant to ask you this earlier, because I get this question. Anything that comes to mind, either the good or the bad?

Andrew: Oh yeah. I think there’s more good as you go up the ladder, having… As an auditor, when I worked for a big four, even though I wasn’t technically an auditor per se, we did a number of audit type functions. So when you’re delivering reports on those, whether it’s findings or whatever, you’re already engaging the executive team of those organizations. So your ability to understand how to navigate those very treacherous conversations becomes very useful as you engage, as you grow in your career. And that’s something you do on a regular basis when you’re doing a number of audit engagements. So you have findings that the board, that the executive team may not necessarily agree with.

Andrew: And you don’t know these people from anywhere. You’re a consultant, you’re part of a consulting engagement team. You’ve completed your task. Now you’re presenting findings to the board. So those conversations, your ability to navigate, and how you lay not so palatable information before them and still be able to get them to invest more money in helping you remediate what needs to be remediated, certainly prepares you for those conversations. If you’ve never gone through a process like that, and all of a sudden you’re thrown into this role, and you have to get it from the board, it becomes very difficult for you to know how to convey those types of messages.

Andrew: But having gone through that over my years in consulting, it certainly prepares you, and you’re not intimidated, you know what facts you need to go to, how to present those facts. So it certainly helps to have an early background, because it’s all about discussing things that may not be so palatable to the board or to the executive team, but you still have an obligation to convey that message. And so, I think going through that certainly prepares you for these kinds of roles in the future.

Steve: Well, I think that you get to share maybe some bad news. You get to share a recommended way forward, but you really don’t have to take necessarily the blame for the circumstance. There’s not a permanence to the job. You’re there to help. You’re an outsider. You’re not going to get in as much trouble, or there’s not as much … So, it’s good practice. And you’re still probably very stressed out, especially if you’re junior on the team and having to present, but it’s still different though. But I think that it’s a valuable practice being in the room, just sitting in the room.

Steve: I’ll tell you. The first time you’re in an ELT or SLT or a board meeting, if you don’t know, you don’t know. You don’t know how people act. Where do you sit? Here’s one. Where you sit in these meetings is important. I didn’t know this. You don’t just sit anywhere, Andrew. At least I didn’t. There’s a place you were told. In fact, I went in there once and the person, I won’t say who, I don’t want to divulge, but the person I was with had a seat and I was all the way around the corner. But until you know this, and I had to learn that on the fly, so that’s … I wasn’t really going to discuss seating charts with you today, but that’s a small thing. Do you know what the room is like? Do you know when to speak? Do you know how long you should speak? Those are all little ingredients that go into it, and the only way you learn is just spending time there.

Andrew: No, that’s so true. I mean, as a consultant, you don’t know. You don’t know; some clients are very aggressive. They come, they just yell. I mean, I agree with it. So, now you have to be able to compose yourself and still be able to convey that message. So, if you’ve never dealt with people of that kind of temperament, it becomes very difficult for you to … I mean, it’s like hot and cold with some of them. You just don’t know. Something would trigger them and they just go off, because they come in very defensive. You’re essentially trying to point out issues to them, so they also have their own dynamic coming into that. You’re not going to put me on the spot. You’re not going to make me look bad before my boss or whatever, so they come prepared to try to rip you apart as well. Your ability to stand your ground and still maintain the facts and comport yourself is very important. When you do that over and over and over, I mean, it gives you the lessons you need to deal with this kind of situation in the board situation.

Andrew: So, you’re right. It may not be your job situation, but you have an obligation, at least from my perspective, you want to grow that engagement, so if you screw it up, then it becomes a lot more difficult for your organization to expand their presence within that company. So the more you’re able to compose yourself, entertain what may not be so pleasant in the course of those discussions, certainly would help grow that business within that prime business unit.

Steve: Kind of going back to an earlier point, we were talking about using metrics to describe the situation, and some of the topics that were discussed were maybe more foundational, meaning antivirus and patching and assets and kind of baseline ingredients. One of the things I like to ask of a leader is, maybe you take over, or maybe now you’re on your journey and you’re becoming more mature, you have more of a mature and known environment, how then do you show value, or what metrics then do you use?

Steve: You’ve kind of talked to the leaders about assets and patching and vulnerabilities and that’s all kind of done, and they’re very comfortable with it and they’re kind of getting comfortable and they’re less interested in hearing that because you fixed it all. It’s all done now. And so, when you’re in a more mature environment, what then do you begin to look at? What advice do you have? How do you shift your messaging, or do you shift your messaging?

Andrew: That’s an interesting question and it’s a real one, because the more mature an environment you are in, the more you’re maintaining, and then you can easily get complacent if you don’t find a way to keep yourself relevant. So what we’ve done in the past, in my previous organization, certainly not at Cobalt, in my previous organization it’s still true now, we used to have a thing that gives us a sense of our overall security posture relative to our competitors. What are they doing that we are doing differently? If there’s a situation they contended with, how prepared are we to tackle such a situation?

Andrew: So, when we have those discussions, we want to be able to go from internal issues, while those are still important, to a broader discussion. How secure are we as an organization relative to some of the trends we’re seeing, whether there’s some new trend coming up or some pervasive trend that most of the industry sectors are dealing with? That becomes a key discussion.

Andrew: It’s still in the line of what we are doing internally, but now the conversation shifts a little bit to a much broader set of issues that we have to contend with, as against getting into the nitty gritty of what we are doing from a control perspective, to a much broader organizational conversation. How well are we aligned with the business? How well are we going to help drive the growth trajectory of the business from a security standpoint? How can security align more with the objective of the organization? So, there’s always some way to make yourself relevant without getting into specifics impacting day-to-day.

Steve: I think that at that point you might be a little more into storytelling rather than showing sort of facts. You’re sort of taking them on a journey to say, “Okay, this is,” as you mentioned, “this is what we’re facing.” Even earlier in our chat you mentioned this is what others in our industry, peers, have faced, whether it’s a failure or a concerning condition that has met them, some sort of supply chain issue, and you’re going to tell a story on that rather than a patching percentage or something, right?

Andrew: Yep. Yep.

Steve: Now, one of the things I mentioned, because I mentioned mature environment, this always kind of gets me and you coming from an audit background I can kind of pick on this a little bit too. Typically, if you’re being evaluated from the outside, maturity is thrown around often, and it’s some sort of element of a CMMI type rating of is it defined? Is it repeatable? Is it documented? All these things. But I always had trouble because maturity doesn’t match efficacy, meaning those are two very different things. You can be very mature and when a crisis happens, you can be poorly effective is what I’ll say. And is there a perspective you have between the two, and do you differentiate those, and how do you differentiate between these two concepts?

Andrew: Yeah. I mean, they’re very different concepts and I differentiate. A good example would be an incident response plan, for instance. The fact that you have a complete document or a very mature document does not necessarily point to the efficacy of that process. For me, you have to find a way to test that efficacy separately from what you may consider a “mature process.”

Andrew: So building a process is one thing, but then how effective would this process be? The situation [inaudible]. For us, we’ve done tabletop exercises to further demonstrate effective or efficient items in our incident response plans, and then we found out that even though we’ve had that plan in place over a year, folks within the team still don’t know what is expected of them. Our first line of defense doesn’t know that. The team has no clue what the escalation procedures are.

Andrew: So, it’s not enough to say, “Hey, we built a document. We’ve had it signed by all the key stakeholders. We have a mature process.” It doesn’t equate to efficacy. You’ve got to be able to test that separately to ensure that, yes, what you have in place is consistent with an efficient process. And if the situation does call for it, everyone is clear on what their roles and responsibilities are. I think that’s when you can see your efficacy is truly up to par.

Steve: I think that’s an excellent example. I think tabletop exercises are overlooked even if you cannot synthesize it perfectly. I think that looking for gaps in ownership, looking at pauses in action, looking at introducing new thoughts or new ideas, new conditions that may not have been thought of, is a fantastic way to get your hands around your ability, not only for your technical team, but also for the people that are going to be impacted by the failure, by this condition, this incident, ransomware, supply chain, outage failure, whatever that may be, and it could be something as simple as something I worked on a long time ago.

Steve: We had to send a letter to millions of people and we didn’t have the ability to send that and no one had thought about that before. We had to print and put in an envelope and put postage on millions of letters and no one had ever thought about that. How would we contact our customers this way, millions? I think 79 million of them, in fact. How do you do that? And that’s a business discussion. That’s a process discussion, and it’s not a fun one to be had when you’re in the middle of a crisis, so drill, drill, drill.

Steve: I was asked this once after spending a bunch of money and building a bunch of stuff after a big problem. The question was, and I’ll just ask you. So, Andrew, are we now secure? That’s a question that I’ve been given many times in my career at many different levels from many different people, and it’s a tough one. The CEO asks and, let’s say, you’re working at a hypothetical company, maybe not a Cobalt now, but someplace else, maybe you’re an advisor to a CISO, maybe you’re a board member. I don’t know. But the question’s asked, “Are we now secure?” Is there a correct way to answer that?

Andrew: There’s never a correct way to answer that. You don’t want to be so affirmative in answering that because that may come back and bite you. The key thing is to say, “We’re as prepared as we can be. We are doing everything to mitigate whatever perceived or real risk we have.” I mean, there’s not a short answer to that, that’s what I’m essentially trying to get at. And there’s always that temptation to say, “Oh, yes. We are.” Because you want to demonstrate, you’re in front of the CEO. You want to quickly tell him what he wants to hear, but the CEO is going to walk away from that and say, “Oh, Andrew told me we’re 100% safe, so we are not going to worry about it,” and tomorrow something happens. “Hey, you said we are good.” You know what I mean? So, it’s always important to resist that urge to jump and say, “Yes, we are.”

Andrew: You want to be able to address the nuances around this question. It’s never an easy question to ask, and I’ve been asked that in the past. My goal is always to say, “Yes. We’re as prepared as we can be,” or, “We’re as secure as we can be, but that’s never 100%. Nobody can give you assurances of 100%. We’re going to continue to evaluate risk, whether real or perceived or emerging, and then take measures to show that we’re in a position to deal with that if it does occur.” That would be the best way to answer that. But it’s always, there’s a temptation to say, “Yes, we are secure,” especially when you just got a budget for a million dollars, how do you say you [crosstalk]-

Steve: Right. Well, and now we’re in a place where you look at supply chain problems and third-party risk where whoever you use for your email, you have made the decision that it didn’t make sense for you to manage your own email services or maybe you’re using cloud services or whatever, and you’ve done your due diligence. You’re using a large vendor. I’m not going to name any vendors, but you’re using the biggest and the best with all the good options, and they can still have a problem. They can still be breached, which means you have a breach.

Steve: And there’s little beyond the ongoing due diligence that, in this example, Andrew can do, because you don’t run their security. You can assess them, you can get their documentation, you can review them, you can review the risk, but ultimately it’s if they have a problem. So answering the question, even if you believe, yes, we are secure, or that’s the wrong answer, but if you believe it, there’s a risk there that’s greater now than ever before. And that’s a tough one. That’s an additional story to tell that produces risk.

Steve: I want to talk with you a little bit about interviewing. It’s one of my favorite areas of discussion, and I think it’s something that gets overlooked and these things don’t get shared unless you have very close friends that are interviewing. I like the idea of setting expectations in interviews. I think many times, and this goes along with the question of, are we secure? The same kind of thing is asked when you interview. It’s like, well, “Are you going to make us 100% secure?” That could be a question. People get that. Or, “What’s your method, Andrew, of making sure we’re 100% secure?” The CEO’s asking you this at a hypothetical company. What advice do you have for the CISO interviewer? I know you’ve recently done some interviewing yourself, so do you have a perspective there?

Andrew: That’s a tough one. Tough one for a variety of reasons. When you’re looking for a job, there’s a fair amount of pressure on you through that process and you know you’re at the tail end of the interview process and they say, “Oh yeah, Andrew, can you-“

PART 3 OF 4 ENDS [00:39:04]

Andrew: … you know you’re at the tail end of the interview process and they say, “Oh, yeah. Can you guarantee us blah, blah, blah, blah, blah?” The odds are always going to be like, “Oh, yeah. Sure. Why not? Oh, of course. I could [inaudible].” You don’t even know the environment well enough, but you’ll be inclined because you want that job. You’re going to be, “Oh, sure. Absolutely. I think based on what I know, I could give you assurances,” but you’ll be essentially misrepresenting yourself by doing that. But I understand why most people do it. It’s not because they don’t know better, but they don’t want to be in a position where they have derailed their ability to get this job by giving them the answer, which is the right answer, but may not be what they want to hear at that point in time.

Andrew: So my advice would be to say, “Well, I don’t know enough to be able to give you that, but once I come on board, as part of my 90 days, I’ll be able to give you a definitive view of what I think we can do to put ourselves in that position. But for me to speculate right now, it would not be the appropriate thing to do.” I mean, it’s always very difficult to answer that. I mean, I can easily say that now, but if I was in front of a position that I really, really want, I’m not sure how I’m going to answer that question. That’s just a big fact. So there’s always a temptation to say, “Oh, yeah. Of course.” You want to answer, “Yes, yes, yes,” to everything because you want to give them the assurance that, “Hey. We got the right person. He’s going to come in here and [inaudible] to sky, whatever. And he’s going to change everything for us. So…”

Andrew: Yeah. My advice would be try to temper it with some reality and be honest and just tell them that, “Yeah. What I know now is going to be difficult for me to give you that answer definitively, but if I’m given the opportunity to come on board and I’m able to do a true evaluation, I’ll be able to tell you definitively what would it take us to get to a point where we can say we’re fully secure or how to enhance your overall [inaudible] posture.”

Steve: You want to give them a sense of confidence that you’re the right person, but I think part of the message, depending on your own personality and the culture of that company, is letting them know just exactly what you said in a way that resonates to say, “Look, because of my experience, because of the confidence in my ability to build a program that’s relevant, I am unable at this stage to promise anything, but here’s my plan of how I would move forward with it and then I can make assurances. But until I know more, I can’t tell you more. But here’s how I go about… Here are my methods of success from my past and here are what I think would be successful here.” I’ve had CISOs that have come back, newer CISOs, tell me that they sort of over-promise, and do so not out of ego, but just out of enthusiasm for the new opportunity.

Andrew: True.

Steve: And this costs them. One of the other things you told me was, “Don’t rush to answer questions.” It was a version of that. And I think that’s a very important thing for two reasons. One, if you’re in a big meeting, whether it’s an interview or board meeting, people in authority are not in a hurry to answer anything. And if they are, they’re not overly verbose. They don’t rush to answer. Technicians often rush to the answer because they know so many things and they want to share, “And here’s how smart I am,” or, “Here’s…” But not rushing to answer, I think, has a bigger picture where it just takes time to give a good answer, meaning you have to be more familiar. Is that what you meant by that? Or was it something else? But I wrote a note of that when we had our earlier chat. “Don’t rush.”

Andrew: Yeah. That’s precisely what I meant, Steve, because it’s important, because you want to be able to gather your thoughts. Again, there’s always that desire to just give a quick rebuttal, a quick answer, but in that situation, you want to weigh your response and give the right sort of answer. So it was something I had to learn, not to jump into answering questions. It’s all part of leadership. And as you grow, you realize you just want to be able to take it in. There’s no rush. If you wait an extra minute to answer the question, a few seconds, nobody’s going to penalize you for that. Your answers are generally obviously better if you just rush that. You don’t want to say something and then go back and have to recount something or correct something.

Andrew: So for me, I’m always very measured in responding to those very loaded questions, especially in that kind of setting. Whether it’s with my fellow executives or with the board, I’m always very measured to ensure I’m giving the right, best answer I can give at that point in time. I don’t want to come back or have somebody misquote me or take my position out of context and then later on I can’t defend that position. So I always take a very measured approach to how I answer those questions.

Steve: So I’m going to go back in time now. Take us both back in time. This is one of my key questions is, what advice would you give to your younger self? And I want to add, and this kind of goes back to some of what you already mentioned. Younger Steve would’ve signed up for any kind of work. Didn’t matter what it was. Steve was physically and metaphorically hungry. And so there’s no limit to what’s… For money, for a job, especially a professional job, making a transition from laborer, farmer, construction worker to a professional role. I said, “Yes.” Doesn’t matter. Stay up all night. Cool. I want to go back to younger Andrew, earlier in Andrew’s career. What advice would you give your younger self as it relates to career and maybe even choosing the right company, the right fit? What’s your perspective there? Do you have advice for us?

Andrew: Yeah. My perspective is to be mindful, to be clear of what this job truly entails. Two things, you want to be on your ability to execute against that job and also evaluate the company. So there’s always the urge to take anything that comes, especially when you have nothing on your plate. So it’s easy for me to… They say hindsight is always 20/20. So my advice would be… There’s some organization I’ve gone into, in retrospect, I would’ve never ever gone into… What I realized from my time there, it left me with very bad experiences. So typically, when you’re going through the interview process, you want to be able to evaluate, not just them evaluating you, but you also evaluate that company, see if this is a good fit for you. Is this an environment in which you can flourish, in which you can really do well? The folks that you interview with, how you engage, how they engage you, what they say.

Andrew: Everything is important. It goes to how that organization is set, the culture, structure of the organization, I think is important to factor all of that into your decision making process. So my advice to a young me would be, “Be measured. Evaluate the organization and make the right decision.”

Steve: That is something I’ll tell you that I very rarely considered. Really I didn’t consider it at all when I was younger. I didn’t think twice. And maybe I was in a position where I didn’t have to. Maybe my own ignorance kept me from having to think much about it. And even when I had bad managers, bad working conditions, I just did it. And I wish I wouldn’t have. As my father used to say, “I wish I would’ve fired more of my managers,” is what he would say. Fire. When you have a bad scenario, when you have people that are treating you poorly, that don’t appreciate the effort, that just exploit you, to leave. It’s not worth it. And I put my career above pain if you will.

Steve: And I think that’s something that many technicians, many junior people, learn. And then when it’s time to think about it seriously as an executive, they don’t know how to do it. They haven’t thought about it. And they don’t know about cultural fit, as in this example, a CISO. And so they still get it wrong. And so that’s why I think it’s so important to bring up. Some would say it’s a soft skill. I would argue it’s a hard skill, meaning in the terms of its value going into a new opportunity.

Andrew: I completely agree. It’s definitely a hard skill. And I understand why people don’t do it, because you’re desperate at that point. But people will still be desperate and still make the right decision. I’ve known folks that have said, “Eh. I just don’t.” And I couldn’t comprehend at the time. I said, “Really? You have an offer. You’re not taking it?” I just couldn’t comprehend it. But now I could look back and understand why people took a much different approach to it. I never truly evaluated jobs, the company. I just reset the company for purposes of the interview, not whether I’m a fit or not. I was more inclined to get the job. I didn’t care what the environment looked like. But over time, I realized it was important because it could tarnish your image. It could destroy your career if you get in the wrong place. It could even affect your psyche as an individual. So it’s important for you to do that evaluation as well. Don’t rush into an offer. Just make sure this is the right fit for you, because it’ll serve you better that way.

Steve: Andrew, one final question. We ask this of all of our guests. And to you, I ask, what does being a new CISO mean to you?

Andrew: Good question. Well, for one, it gives me a seat at the table, where I’m able to influence things better. On a personal level, it is an accomplishment that I’m truly excited about. But organizationally or professionally, it puts you in a position where you’re able to truly execute against a mission and a vision. You have the support of the organization. You’re tasked with the ability to move things forward and change the direction of things. That is an incredible amount of responsibility placed on you. And there’s this desire not to let the folks that have entrusted you with this responsibility down. So there’s this [inaudible] to give it your all for that reason and a lot more.

Andrew: So for me as a CISO, personally, yes, it’s a height. It’s an accomplishment. It’s a pinnacle of your career, which is very good. But on the professional side, it gives you a seat at the table. You’re able to now influence the direction of things in your organization. So it’s an incredible position. I’m excited about it. I look forward to doing my best in this role.

Steve: Andrew, thank you so much for making time for us today. You’ve been a wonderful guest. I’ve learned so much. Thank you for sharing.

Andrew: Thank you, Steve. It’s a pleasure talking.

Steve: That’s it for this episode of The New CISO. Thank you for listening. Check out more episodes on exabeam.com/podcast. And remember to rate, review and subscribe to get brand new episodes first.
