September 14, 2022

What Is (And Isn’t) a CISO with Matthew Lang

by Cyber Ranch

Show Notes

Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.

 

Timecoded Guide:

[00:00] Defining what a CISO isn’t in order to discover what a CISO is

[06:45] Finding the bridges between CISO & other company roles  

[12:12] Getting things clear between CISO, COO, CIO, and CEO

[16:20] Understanding a CISO’s peers & meeting with security points of contact

[24:49] What the CISO role should be & solidifying the CISO definition 

 

Sponsor Links:

Thank you to our sponsor Axonius for bringing this episode to life!

Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour

 

What is the CISO not? 

The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew's opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and, on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.

“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”

 

Who should the CISO be interfacing with as we bridge in and out of that defined role?

To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles have essential communication between one another. 

“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”

 

How does the Board of Directors shape and influence what the CISO is and isn't?

The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations with transparency about topics that members may not know helps to bridge the gap and develop a stronger and more positive relationship between the CISO and Board. 

“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”

 

What should be the role of the CISO?

While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company through establishing security and governance practices. Overall, CISOs help a business to meet goals and go where it wants to go safely and effectively, like a good brake system on a high-end car. 

“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.” 

-------------

Links:

Learn more about Matthew Lang’s work with the SECU

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 

Continue this conversation on our Discord

Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast



Transcript

Matthew 00:00
It's probably really good if you're big enough, to have a CRO and a COO and a CISO, to have those three meeting on a regular basis because the risk side of the house comes in and says, "Hey, this is kind of risky." And somebody from security says, "Yep, this is a known risk. There're exploits in the wild being used against companies our size, bigger than us, smaller than us in different parts of the world. This is real." And the COO is saying, "I don't think it's that big a risk." Thinking it's not a big risk isn't a good plan for the business.
Allan 00:30
Howdy, y'all, and welcome to the Cyber Ranch podcast. That's Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy. Matthew and I are having a great conversation on the role of the CISO itself, what defines it, what shapes it, what it is, and even what it isn't. We talk about the role in terms of relationships with those around the CISO as well. It's a good conversation, so dive on in with us. Matthew, thank you so much for coming on down to the Ranch.
Matthew 00:56
Thanks, Allan. I appreciate the opportunity to be here and talk about a good topic, I think we got one.
Cyber Ranch Podcast Intro 01:05
Welcome to the Cyber Ranch podcast. Recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts. Here's your host, Allan Alford.
Allan 01:20
I think we got a great topic going here, you and I had some good conversation before the show, and I'm always worried when the conversation gets too good too early, that we're going to not capture it for the show, but I think we got enough material here. I think it's gonna be a good one. We're talking about the role of the CISO. And I know this is obvious, like this is a show for CISOs, why have we never done a show on the role for the CISO? Not because it's obvious, because it's actually really, really nuanced and something a lot of us make a lot of assumptions about that, you and I said, let's dig into this and get into something a little more concrete. We talked about better defining the role of the CISO, and the idea here is that many folks bear the title, but there's still a very mixed bag as to what that means and what the job actually entails. You'll talk to folks that are CISOs, who are still very much hands on keyboard, you'll talk to people who have almost no tech stack background and are very much just business people. So, what's your 10-second take on what the role actually is?
Matthew 02:13
I like the idea of preventer. The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can prevent possibly a merger or acquisition that is not in the best interest of the company if the acquiring company doesn't have good security posture, or the one you're trying to gain control of, or they've had a breach. It's not just preventer of a cybersecurity incident, it's preventer of just some bad business decisions sometimes. And so, I kind of like the idea of being a preventer of making a mistake.
Allan 02:54
Okay, so this is the brakes on the car thing that we brought up before on the show, where sometimes the brakes are actually there to speed you around the corner, not to stop you. Preventer is not the same thing as slowing down the business.
Matthew 03:04
Absolutely. I love that brakes analogy. I had a friend and mentor, Andre Mintz, tell me the first time I ever heard that when he said, "The best security programs are brakes on a car." It's not to prevent the car from moving because the car is a business has to move to make money. But it's to make that and enable that car to go as blistering fast as it needs to be, but not run into the wall.
Allan 03:27
Exactly, to do it safely. I love it. I love it. So, one of the techniques that I like to use when I'm defining a thing, and this is just sort of general philosophical stuff we're talking about here, is to start by defining what it is not. If we're going to draw a circle and say inside that circle is CISO, let's talk about what's outside of that circle. So, I'm going to start with a few. I'm gonna say a CISO should not be a hands-on technician. If you are a hands-on technician still bearing a CISO title, the odds are you're not really a CISO, you're a Director of InfoSec. That's my hot take on that.
Matthew 03:53
I agree with that. 100%.
Allan 03:54
So, I'm gonna also say it's not even primarily a technologist role. Now, this is going to be really interesting because I grew up on the tech stack side of the house. I became a CISO and had to learn to let a lot of that technological thinking go. I will argue your best CISOs do come from technology backgrounds, as opposed to the GRC camp, which I think finds it much harder to be a CISO, because of the presence of the tech stack that they have to still supervise and manage, but I'm still gonna say not a technologist role primarily. What's your take on that one?
Matthew 04:23
I think it depends on the business. If you're a technology company, then having a technology background, you're going to be better suited for that CISO role. It really depends on the business. But to your point, if it's finance or retail or manufacturing or something along those lines, you can be dead on right, they don't have to be a technology person. They need to understand the business.
Allan 04:44
I love it. What are your thoughts here and what other bullets do you have in terms of this "outside of the CISO" circle? What else is the CISO role not?
Matthew 04:51
So, the first thing that comes to my mind is the CISO is not a BISO. You hear this BISO title all the time, business information security officer, that's not a CISO. That is somebody who reports to a CISO in a good organization, and usually, in a very large organization, you will have a BISO, but the CISO is the chief person in charge of information security for the organization, and to be the CISO, you have to have that skillset and the influential power or business acumen to be able to make change in the organization, to enable that company to succeed. Doesn't matter what the company is, but if information security is not involved and not involved early, then they usually have an issue.
Matthew 05:39
It's also not somebody who has no experience in information security. I have found that CISOs that came up through information security, it does not have to be 20 years, but they spent some amount of time, maybe even being a SOC analyst or something, and coming up through the ranks. Those are some of the strongest CISOs that I've ever run across, because they understand information security. Now, the hard part for them is grasping that business side of the house that you and I spoke about a few minutes ago. If you can't let go of the "no," or you can't do this because too big a risk, then they don't succeed. So, I've seen both extremes where they were so risk averse, they just couldn't let go of any risk, they didn't succeed. Whereas somebody who can adjust and say, "You know what? Yeah, this is risky, but the potential return on investment for the organization outweighs that risk. It's worth it." Even though I don't like it. I may hate it as the CISO, but it's probably the best decision for the organization at this point in time.
Allan 06:45
Yeah, and we've had that conversation on this show a few times now with a few guests. Yeah, there's that sense of compromise that must be there, and a pure-play information security person who can't adapt to the business mindset is going to get themselves in trouble there for sure. So, we've talked about roles that it's not. We've talked about technician, we talked about the degree it should or shouldn't be technologist, you brought up BISO, which I think is a great one and that's a nice segue. Let's talk about again, with the circle, inside is the word CISO and outside of that circle, let's talk about the roles around CISO that help sort of shape and inform that whole CISO role. In other words, not just what the CISO is not, but what should be an influencer, where there should be bridges to other roles. I'm thinking like Head of GRC, obviously, a very critical interface into and out of that CISO's circle, the technology folks, the tech stack team, and then who else? The rest of the business. Who else should the CISO be interfacing with as we bridge in and out of that defined role?
Matthew 07:38
So, it's a great question. So, the GRC folks, sometimes they report into a CISO, depending on the. Certainly, in financial institutions, which is the preponderance of my experience, a lot of the GRC folks and the DR folks, disaster recovery folks, they may report directly to the CISO, or be part of the CISO's organization, which I think works very well in large organizations. I don't know about small organizations, because I think the DR side of the house struggles a lot in a small organization, because companies think, "We don't need to worry about that, we will recover, we'll just spin up a new cloud presence." That's not a great way of planning for when a crisis hits, and you don't want to be planning in the middle of a crisis.
Matthew 08:24
So, I do think those kinds of areas fall into the CISO realm, but certainly, liaisons, or what I like to call security points of contact in other business areas: HR, legal, because if you're dealing with an incident, you don't know the full scope of it when you're dealing with it, you don't know how far reaching it's going to be, how big or how small it's going to be in the early stages. So, you definitely have to have those relationships, and those people that you can call at 2am and say, "We have an 'oh crap' moment." You need to have those people, take them to lunch, buy them coffee, whatever it is they like, build that relationship with them. But the other area that I don't hear a lot is the COO of a company. If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize. I saw a statistic, it was either on LinkedIn or Cyber Wired News, about 40% of executive leadership are worried about a cyber incident at their organization. It didn't say 40% of CISOs or CEOs, it said executive leadership across the board. And I thought that is a great metric for a CISO to bring to the table and say, "Look, there's 10 of you in here. 4 of you are concerned about cyber, at the very least 4 of you, maybe all 10 of you are at this organization. So, why am I not being told that we're thinking about acquiring this company, or we're about to roll out a new product, or we're looking at a new piece of software?" I need to be involved with that, because I'm the brakes. I'm going to prevent something bad from happening. I can't prevent it if I don't know about it.
Allan 10:12
Yeah. Okay. COO, that's a valuable one. I don't know if that gets talked about much in our circles at all, really, and I'm with you.
Matthew 10:18
I was gonna say the number one person you hear is the CIO, because a lot of CISOs still report to a CIO. I don't think that's a good thing. I think it is a conflict of interest and there are a lot of CIOs that are out here, probably hearing this saying, "Oh, that's a bunch of crap. I'm going to do whatever the CISO tells me," and then it comes right back to, well, it depends on the CISO. Because if it's that CISO who can't live with any risk, you're going to argue with them and say, "No, we can live with this. I want this system up, even though it's not secure. We need to service our customers, we need to help our members," whatever the scenario is.
Allan 10:55
And uptime and vulnerability management as two possible to-dos on the server team's list, for example. They're not necessarily in congruence there, you may have a direct conflict between those two, and you may have a budget conflict between those two. And you may even have, "Oh, dear, we've got to upgrade all these old servers over here," and it's either that or spend the time patching the ones that we know are vulnerable, or upgrading the ones we know we're about to crash, because they're old and the drives are starting to fail. There's a million and one places where the CIO and the CISO have different interests, that's always going to happen. And the one that gets me is all my friends that are CIO/CISOs. And I'm like, "Wow, do you just stare at yourself in the mirror all day?" How does that work?
Matthew 11:30
In a small organization, where they don't really need a CISO, they probably have just a Director of Security, then the CIO isn't really the CISO at that point. He's wearing that hat, so to speak, maybe for a bump in pay, maybe for an additional bonus or something, until they grow to a point where they want a CISO, and then they'll split it off. It just depends. There's a lot of politics, I think, at that level, where the CIO is the CISO as well. I just, I do see that as a potential problem as the company grows, but if it's a small enough company, then hey, let the guy wear two hats. If he's willing to put up with that level of stress, more power to him, or her.
Allan 12:12
There you go. So, how about the leadership role? You hinted that CIO and COO are two models. When we talk about defining the role of the CISO, who you report into isn't necessarily defining the role in its own right, but those interactions and what those interactions look like certainly shape the role. So, if I'm reporting into a CIO, for example, I think we just discussed that there's going to be these moments where we're having risk conversations where we're on very different sides of the fence. What does that conversation look like between the CISO and the COO? That other example you gave. What are some of the dialogues? What are some of the influencing factors that are actually shaping who and what the CISO is, based on these COO-level conversations?
Matthew 12:46
That is a great question. The biggest thing is, when the CISO and the COO are talking, they're almost 100% of the time talking about business. They'll talk about risks. If you're big enough to have a COO and a CRO, you got C's coming out the woodwork, you can have different level conversations. It's probably really good if you're big enough to have a CRO and COO and a CISO, to have those three meeting on a regular basis, because the risk side of the house comes in and says, "Hey, this is risky." Information Security says, "Yep, this is a known risk. There're exploits in the wild being used against companies our size, bigger than us, smaller than us, in different parts of the world. This is real." And the COO is saying, "I don't think it's that big of a risk." Thinking it's not a big risk isn't a good plan for the business. We need to know whether or not it's a big risk or not. So, let's find the information. We'll get some information, and me and the chief risk officer can go get information, bring it back to the COO and say, "Hey, here's the statistics," right? It's a real risk, we need to rethink this now. We might be able to mitigate it. So, the coming back to the CEO says, "We found out it's a pretty big risk, but we also found out that we have these layers of security and these assessments that risk does on a regular basis. We feel like we can live with this level of risk, we can manage." And then, the COO is happy. He's been delayed a little bit, but at the end of the day, he doesn't have to fight the chief risk officer and the CISO to go to the CEO and say, "Hey, I want to do this, even though risk says it's bad, information security says it's bad." He's already got us on his side, and that's a huge win at that point. So, I do think those business relationships at the C level have to mature and I do think the CISO has to be involved. Reporting to the CIO, I think, limits his ability, his or her ability, to define his role and his value to the company.
Allan 14:51
Yeah, I get that. I absolutely get that.
Axonius Ad 14:55
Hey, everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast, like me, or an IT, or a Security Pro, complexity is inevitable. I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
Allan 15:29
We've talked about who you report into, we've talked a little bit about these business dialogues, how some of these bridges in and out of that CISO role look. The next one is the peers. By the peers, I mean, in most organizations, the CISO is either a VP or an SVP. I guess these days, you still find a few senior director CISOs, but I think that's much rarer now, except in smaller orgs. So, we're talking about VPs, and SVPs around the organization. Not EVPs, probably, and not the rest of the C suite.
Matthew 15:53
It depends, there's a lot of EVP CISOs out there now, especially in the finance fields.
Allan 15:56
Yeah, that's true. So, we'll even go to there. So, now, that's the defined rank of the CISO, if you will, as part of our honing in on what the role is. Now we have a rank we can speak to, but that means you've got peers all over the business of that same rank, who are all representing completely different interests. Marketing, sales, the whole bit, general counsel. Help me understand some of those bridges, and some of those ins and outs that help sort of shape that circle that the CISO is in.
Matthew 16:20
You're 100% correct. And from my perspective, I always came to the table from the viewpoint of: the more relationships that I can establish with my peers, regardless of what area they're in, the better off and easier my job is going to be long term. Having a relationship with a VP who may have a kid in high school, they're worried what they're doing on the internet. Hey, I can come to him with some solutions on how he can help his personal family, or maybe his elderly parents who might get scammed. So, you come to that person with some solutions, real world solutions that they may be thinking about. At that same time, you're pushing your agenda of cyber awareness, because cyber awareness is probably one of the most important areas in an information security program. As far as getting out in front of potential threats, the better educated your employees are, and I don't care if it's 300 employees, or 7000 employees, or 250,000 employees, it doesn't matter. The more well trained they are about cyber and risks, and what they do with their computer and their data, man, it just makes your life that much better down the road. It may take a year, 18 months for it to really start to kick in, but man, I could see when I did cybersecurity awareness training for like, day one, people coming on board day one and talked about it, and I would always try to relate it to, "Hey, where do you live? Do you have a front door?" Wherever you live, whether it's an apartment, your house, even if it's your parents' house, a kid fresh out of college, your first job, you might still be living in a home, okay. Your parents still have a front door. Why do they have a front door on the house? Because they don't want the rain, the snow, the wind, the leaves, the bugs coming in the house. They also don't want some strangers just randomly walking in their house and stealing something or trying to hurt them. It's that first layer of defense. So, think of day one, this is your first layer of defense for this new company that you now work for. You're going to have access to data, I want you to take that seriously and I want you to be as careful as you possibly can be, and then, I always ended up with, "If you ever got a question, here's the CISO email. You email this, somebody on my security program, it may be me, it may be an analyst, but somebody's gonna respond to you and get back to you within 24 hours." And I would always kind of force that commitment. We're going to get back to you in 24 hours. I found out very quickly it's easy to say 24 hours, man, when you get a flood of emails, all of a sudden you're in the middle of an incident and you're trying to deal with this, it's like, "Okay, I have got to delegate." So, it's a challenge, but it's extremely important.
Allan 19:20
It is and I'll tell you this, when I was in the unified communication space as a CISO years ago at a different company, I actually coordinated with HR— You're going to love this, the new employee onboarding orientation sessions, where they had six or seven hires from all over the company, different locations, and whatever, and they'd say, "Okay, we're all going to go to orientation at the same time because we all got hired within a few days of each other." It would be just a random sampling, who knows who these employees were, what level, what rank, what site, what anything, division. Who knows? It was just a random shotgun blast of a handful of employees. I would personally as the CISO spend 30 minutes in every one of those orientation sessions welcoming them, starting their journey on cybersecurity awareness, letting them know I was available, giving them my info and letting them contact me. Literally from day one, they walked in the door. As CISO, I would do that. I had CISO peers that were like, "You're crazy for giving out your contact info to who knows who." Yeah, this is exactly the way I want to do it. This is exactly what, and it's amazing how many of those new hires became my champions.
Matthew 20:17
Yes, that was the thing I was about to bring up. When you do that to a brand-new employee, and you might be an SVP or VP, and this person is brand new, fresh out of college. Now, they feel like they've got a VP that's a friend. And so, you never know who that next security champion is going to be, that is going to just save the day. One organization, I had that same exact scenario play out, and the gentleman came to me and made me aware of something that put the entire company at risk. There was a router that had been installed on some third-party vendor server, so that the vendor could manage those servers better, and I was like, "What? They did what? We installed what? Who allowed this?" It was just this rainfall of errors from security guard to the power people to the network people, no one really stopped and said, "Hey, why are we doing this? Why are we allowing this?" And this guy just happened to walk by, he sees this router attached to a service, like, "I think that's like the HVAC server. Why is that doing that?" Man, it blew up from there, but that was one of those people that I've met day one. He just happened to be looking, because I told him, "Hey, if you see something squirrely, let me know that. I'll let you know if, hey, it's not a big deal. Thanks for letting me know, but if it was something good, then man, I'm getting you a Starbucks gift card or some other Lowe's gift card," whatever I could think of from a gift card standpoint, to reward that. Even if it was nothing, it was worth the communication to get out in front of a potential issue. This particular thing could have saved the entire company from a horribly embarrassing breach down the road, we never would know, but bottom line is we got in front of it and solved the problem before it was a real problem.
Allan 22:13
So, there you go, build those champions, build that champion network into your company. That's the life lesson there for all CISOs.
Matthew 22:21
It is more than we want to admit, I think.
Allan 22:23
Yeah, let's move on to the next outside the circle. Let's talk about the Board of Directors. The CISO in front of the board. Boy, there's some boundary definition stuff going on there, there's some bridging across the line of the circle there. So, how does the board help shape and influence what the CISO is and isn't?
Matthew 22:39
They do more than they realize, I think, for a lot of organizations. A weak CISO may present the wrong information to the board, but if you have a weak board who doesn't really understand cybersecurity, they may not know that that's useless information, or information that is really more for the CISO himself than for the board of directors. I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the board wants and the board won't ask them questions. Unfortunately, for some boards, people are embarrassed to admit they don't know something. And so, they don't want to ask the question and sound ignorant. I always tried, when I did my board presentations, I always tried to come in very apologetic to them, say, "I don't want you to feel like I'm talking down to you, but because I don't know you, most of you that well yet, I don't know what your level of cyber maturity is or understanding of threats. So, I'm going to talk really at a low level these first couple of meetings, and then, we're going to build from there based on experience." Coming in with that kind of humble attitude, I think, I won over more boards than if I had to come in with that arrogant, I'm the CISO, chip on my shoulder, I know everything about cybersecurity. For all I know, there could be another CISO sitting on the board, somebody better than me. So, coming in with an arrogant chip on your shoulder, you might get embarrassed really bad, really quick. And so, unfortunately, I have seen and worked for some CISOs who got eaten alive by the board. They would ask them questions and they didn't have the answer. It was painful for me just being there as the support person. Well, I'm kind of behind the scenes.
Allan 24:27
You're watching the fighter plane crash into the ocean.
Matthew 24:31
Right. It's like a train wreck, watching a train wreck happen, you can't do anything about it. And if I say something, it's probably more embarrassing for the CISO.
Allan 24:39
Oh, right. All you can do is hold your tongue and debrief later.
Matthew 24:43
I took a lot of notes and came back to the CISO said, "So, this is probably how we should have handled this."
Allan 24:49
This is good. So, we talked about attitude, we talked about knowledge base, and I love your recommendation for overcoming that possible knowledge gap. Alright, so let's bring this all back home. So, we've talked about what the CISO isn't. We've talked about the CISO's relationship to whom he or she reports. We've talked about relationships with peers. We've even talked about the board of directors. So, now here's our chance to solidify all that and say, "Here's what the heck the role of the CISO actually is, and should be." So, I'll let you go first. Give it to me.
Matthew 25:19
Okay, there's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework, if that helps, to scale the business and enable it to grow at the pace that it wants to grow safely.
Allan 25:43
And we're back to the effective brakes actually are designed for fast cars, right? The faster the car, the better the brakes need to be.
Matthew 25:48
Absolutely. You look at those high-end cars, they have some of the best braking systems in the world.
Allan 25:54
Exactly. Okay. So, get the business there safely and effectively. I love that, and that, to me is all about that business objective alignment. That's all about that challenge of, as the CISO, trying to figure out, "Okay, I know I've got this security thing I need done, and I know the business is over here trying to get this thing done. I got to figure out a way to bridge these two phenomena. I have got to demonstrate that what I'm trying to do from a security perspective is aligned to business." And I think sometimes, we start exactly that way, where we already have a security project in hand and then, we're also looking at what the business is up to, and we're trying to mash them up. This is not the same thing as saying, "Here's what the business is trying to do. What kind of security can I build around that and build for it?"
Sometimes, we have our own needs that arise internally, and this is where that whole, you mentioned before, you have to have that cybersecurity expertise. This is a real nuanced thing I'm talking about here, because having your team come to you and say, "We've got a major risk of this sort over here in this area and we feel like we need to deploy this kind of technology solution to solve this kind of a problem." These are the kinds of conversations you're having internally with your team. You've got a CEO who has just declared we're going to enter a European market, we're going to decrease time of sale by X percent, and we're going to increase revenue and profits by y percent, and you've got all these high-level business objectives that have just been handed down. You've now got the challenge of figuring out, "Okay, my team is right, there's a risk over here. My team is probably already pretty right on what the solution to fix that risk is. How the heck am I gonna match that up with what I just heard from the CEO?" And that to me, is the real job of the CISO right there.
Matthew 27:18
Oh, absolutely. What if you have to give the CEO some feedback he doesn't really want to hear? That you're going to have to delay the rollout? Your example right there, we're going to expand into the European market, we're going to reduce our time to market, whatever it is, whether you're selling pencils or loans, doesn't matter what it is. Now, me as the CISO, the first thing I'm coming into is saying, "Woah, we now have to comply with GDPR? Do I have anybody in my entire team that is a GDPR expert? Okay, this person has some background. Oh, this one does." So, you're going through your list of all your employees, "Okay, who's my number one guide for compliance in GDPR? Who's gonna know GDPR? Oh, wait, legal! Legal probably has a good resource, I need to reach out to legal," and then you're reaching out to HR. And so, it's bouncing around to you: Who's going to be your go-to person? And it usually ends up being a team, and it's not always your people. It's going to be people in different areas, that's where those business relationships come into play, and help you get out in front of the potential bad news you've got to share with the CEO and say, "Hey, I think we need to wait 30 more days, but here's why and here's the plan we have in place to get us there in the next 30 days." If you come to the CEO with that, I would hope most CEOs are gonna be like, "I hadn't considered that. Great, let's move forward with it. What do you need support-wise?" That's the kind of conversation you want to be able to have with your CEO. Not, "Hey, boss, I don't think we can do that." He doesn't want to hear, "I don't think we can do that." That's the last thing he wants to hear from the senior information security executive, that he doesn't think we can do it. "Get back to me with yes or no. And if it's no, I better have a great answer for why it's no."
Allan 29:14
And it needs to be a "no, but."
Matthew 29:16
It's always a "no, but." Doesn't matter how much you're good at saying no, it always ends up becoming a "no, but."
Allan 29:23
So you might as well just plan for that part to begin with there. Alright, this has been a great conversation, Matthew, I've got one last question for you. This is the question I ask every guest on the show. If you could wave a magic wand and change any one thing about cybersecurity, people, process, technology, the ecosystem, the business of it, anything, what would you change?
Matthew 29:42
I'm glad you kind of sent me this. For everyone that's worried about being on your podcast, Allan did a great job, sent me the questions ahead of time that he was thinking of, to get feedback from me on the questions and potential different ones. So, I did have time to think about this one and this is the one I probably agonized over the most, because there's a lot of things I would like to, but when you say magic wand, this is the one poof thing that you could do that could really have an impact in cybersecurity. For me, I really think it would be go back in time, whether it is 5, 10 years, doesn't matter what it is, and begin an education program for our middle school kids and high school kids, teaching them about cybersecurity, and teaching them about the benefits, potential job, future, but just about staying safe with data, because they all become employees at some point down the road. If you can teach a 12 year old, 13 year old, 15 year old, 17 year old the importance of keeping their data safe, whatever their data is, might be their favorite song list, might be their pictures from their birthday, their favorite homework they did, or article they wrote, or video of them skateboarding, whatever it is, doesn't matter. It's whatever is important to them, that's that data, and if you can drive that home about keeping that safe, that's the employee I want to hire 10 years from now, because they've already been doing 10 years keeping data that is important to them safe. And now, I've got that 10 years into keeping data safe, they might be up on the latest hacks and attacks and threats and vulnerabilities out there. They might be better qualified than the kid I'm hiring from another company that's got five years of experience, because he's just now focused on data loss prevention, which I know is your favorite topic to talk about. In my head, it's that jump on information security awareness. That would be the biggest thing.
Allan 31:51
I love that. I love using the magic wand to time travel. That's the best answer I think I've gotten yet on that question. I love it.
Matthew 31:57
Good. I spent enough time thinking about it.
Allan 31:59
I appreciate that, man. I appreciate the thought you put in. This has been a really good conversation. Matthew, thank you so much for coming on down to the Ranch. Thank you, listeners. Y'all be good now.
Matthew 32:08
Thanks, everyone. Thanks, Allan.