Who You Gonna Call? LEGAL COUNSEL!

Call Legal Counsel

When a cybersecurity incident occurs, who should be the first call the CISO makes? And once that call gets made, what is the CISO's role in handling the fallout?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Ryan Bachman, EVP and global CISO, GM Financial.


Huge thanks to our sponsor, Vanta

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across SOC 2, ISO 27001, and more. Streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center. Over 7,000 global companies use Vanta to manage risk and prove security.

Full Transcript

Intro

0:00.000

[Voiceover] What I love about security vendors. Go!

[Ryan Bachman] Cyber security vendors offer us the unique opportunity to be able to partner, especially as design partners, which allows us to really shape the solution for our company and make it work for our company. Also, let’s not understate the fact that it gives our team members the opportunity to work on more avant-garde and innovative technologies, which helps from a team retention standpoint, as well as just keeping them engaged.

It gives us the opportunity to not only operate security but also be on the frontline of innovation in cyber security.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost for this very episode… You’ve heard him before. Whether you like it or not, you’re going to hear him again. Unless you were to stop this podcast, which we do not recommend because this is going to be a fantastic episode.

And joining me for that fantastic episode is Andy Ellis. He is the operating partner over at YL Ventures. Say hello to the audience, Andy.

[Andy Ellis] Good morning, folks. Or depending on when you’re listening to this, good afternoon, good evening, or possibly even good night. You might fall asleep halfway through if you’re too tired.

[David Spark] Have you done that before? I’ve done that before. You turn on a podcast to fall asleep, and you’re out within five minutes.

[Andy Ellis] Oh, absolutely.

[David Spark] I’ve done that plenty of times.

[Andy Ellis] Just hopefully not while you’re commuting.

[David Spark] [Laughs] Here’s the problem though, and I’ve done this before, is I’m out in five minutes. Hopefully nobody is doing that with this. Then, because it plays all the way through, the podcast app will automatically delete the file and take it out of the thing, so you have to go pull it back up again.

And it’s a big pain in the butt. And then you don’t know where you fell asleep.

[Andy Ellis] Yeah, it’s awful. Or you do it where you’re watching a TV show, and it’s a similar thing. It plays the next couple episodes, and you’re like, “Wait, wait, wait. Where am I supposed to be now?”

[Laughter]

[David Spark] The worst is with an audiobook. Because the audio books, you can set it for 20, 25 minutes, but I’ve fallen asleep. And it’s read the whole damn book, and it’s archived it already. [Laughs] All right. Our sponsor for today’s episode is Vanta, automate compliance and streamline security reviews with the leading trust management platform.

Vanta helps SaaS businesses of all sizes manage risk, improve security in real time. More about just that a little bit later in the show. Andy, I mentioned this before. We’re working on a new show for the CISO Series. I’ve listened to a bunch of auditions. Great stuff. And here is… I’m just going to give you little tidbits of what I’ve learned from people throwing in podcast auditions, and it also would speak also, I think, to generally podcasts in the cyber security space.

First, everyone who submitted was savvy on the microphone. There was no question that they had cyber security knowledge. What I noticed though… And this is just one aspect I’m talking about, and I’m sure you’ve run into this as well, is the situation of, “I’m so smart, I don’t know how to explain this at all.”

[Andy Ellis] Yes.

[David Spark] [Laughs]

[Andy Ellis] Yeah, they’re savvy on the microphone but not savvy on the microphone. Right? It’s a unique skill that some people have and some people don’t, which is the ability to understand that you have multiple audiences and you’re not talking to yourself.

[David Spark] That’s a good point.

[Andy Ellis] And so you can’t explain it to you. You have to explain it to like 12 different people that range from your grandparent that barely knows how to use the internet, or maybe they really know how to use the internet because they were an early adopter, to your kids, to your boss, to your peers, to people who are just entering the career field.

And all of them need to be able to walk away having learned something.

[David Spark] Well, also it’s knowing your audience. Like for this, it isn’t going to be my mom listening. Although, technically my mom does listen to this show every now.

[Andy Ellis] Mine does not, but yours does.

[David Spark] Yeah. Well, maybe I’ll tell you a very quick story. I may have told this story on the show before. My apologies if I’m repeating myself. But I used to be on a cable television network originally called ZDTV, later known as TechTV.

[Andy Ellis] Yep.

[David Spark] And I made many appearances on different shows. To get the network, you had to have satellite cable, and my parents didn’t. So, I had recorded two hours of me appearing on different shows on the network, and I sent the video to my mom. And I called my mom like a week later, and I go, “Did you get a chance to watch it?” And she goes, “Yes, I watched it.

Not only that, I watched it again with your father, and I loved it.” I said, “What was your favorite part?” And my mom said, “The blue shirt. You looked really nice in your blue shirt.”

[Laughter]

[David Spark] I said, “What about the things I was saying?” She said, “I really didn’t understand any of that, but you looked very nice in the blue shirt.”

[Andy Ellis] There you go.

[David Spark] So, that became the running joke at the office, was, “Are you going to put on the blue shirt?”

[Andy Ellis] Sometimes we just need that little bit of validation that we actually got up and got dressed this morning, and we did an okay job on that.

[David Spark] Yeah. So… My recommendation if you’re going to appear on television, wear a blue shirt that my mother likes.

[Andy Ellis] I go for pink.

[Ryan Bachman] Sage advice.

[Andy Ellis] Pink shirts. You stand out. Especially as a man wearing a pink shirt, everybody is like, “Oh, you look really nice.” And I’m like…

[David Spark] I’ve seen you wear a pink shirt before. Yes.

[Andy Ellis] Yeah.

[David Spark] I do remember that. By the way, a moment ago, you may have heard another voice that wasn’t mine and Andy’s, because it is our guest who jumped in, saying, “Sage advice.” Let me introduce him. I’m thrilled to have him onboard. We had a little hiccup of an earlier recording where his network was constantly dropping us.

But now he’s back, and he’s not going anywhere. He’s going to be here for the entire show. So thrilled to have him. He’s the EVP and global CISO over at GM Financial. None other than Ryan Bachman. Ryan, thanks for joining us.

[Ryan Bachman] Thank you. I am so happy to be here and glad that my network is operating appropriately now.

Why is everyone talking about this now?

5:55.201

[David Spark] About nine years ago, I attended the AWS re:Invent Conference, and I was asking attendees a question about their IT department. And at least half of the attendees there said, “What IT department?” Andy, I think this response was also reflected in your recent piece on CISO Online about the “Death of the CIO.” Not CISO but CIO.

And you laid it out as the rise of internet native corporate revenue streams resulting in Shadow IT unsupported by a typical IT department. So, hence, the role of the CISO rising up to address that. So, with SaaS based solutions often serving the same support functions as traditional IT, is it as clean cut as the CISO replacing the CIO before too long?

And that’s going back to these companies that said, “What IT department?”

[Andy Ellis] Yeah, so the answer is yes and no. In new startups, I’m seeing more and more, there is no IT department. There is a corporate engineering team that reports to the CISO or the director of IT security, who then becomes a director of security, who’s going to grow up to be the CISO by the time the company goes public.

Now, that doesn’t mean that every CIO out there should just quit and give up because their job is over. Because if you’re a large company, you’ve got a legacy of IT. The thing I worry about is digital transformation used to be a thing the CIOs drove. And many don’t. I think if you don’t drive digital transformation and you’re a CIO then you should expect to hopefully retire before the CISO takes your job.

But if you’re the CISO and you’re not doing digital transformation, it may be more likely that the CIO takes your job.

[David Spark] That’s a very good point. All right. I throw this to you, Ryan. You’re in an organization that probably has not made a full transition to SaaS, but I’m sure you’ve got plenty of that in the mix right now, and I’m sure you’ve got an IT department. Yes?

[Ryan Bachman] Absolutely.

[David Spark] So, what say you to this sort of theory that Andy has that the CIO role in its traditional sense with SaaS driven organizations may be coming to an end and/or how the mix sort of plays itself out now.

[Ryan Bachman] I think like many roles in the C-suite, I don’t know if it’s necessarily going to come to an end as much as I can just see it transform over time. I think you’ve seen the emergence of the chief digital officer, which you just spoke about, and that really brings the unique marriage, I think, of business, customer experience, and technology together.

But to the point that was made earlier, you’re starting to see IT being…and technology service delivery capability really be federated into business teams throughout the organization. So, I think that notion of this monolithic IT function that we might have been used to for the past 15, 20 years or what have you might be something that’s going by the wayside as you see technology embedded more and more in business.

And if I may say so, I think it’s really becoming more a function of operations. I think technology serving as the backbone of operations. So, I think you might start to see CIOs maybe traditionally become more into a chief operating officer role or type function.

I think you could also see them maybe getting out of the technology infrastructure hardware components, which would obviously make sense, but then getting more into how to deliver better innovation and better value proposition for technology in the enterprise. So, whether you see that as a…in an organization as large as mine as like a chief strategy officer or chief operating officer, but I do agree that you’re not necessarily going to see the traditional CIO focused on infrastructure, and hardware, and network availability, and things like that going into the future.

Now, as far as the CISO replacing that role, I don’t necessarily see a CISO replacing that role. I’d like to see the CISO as more managing the risk associated with not just the technology and systems that we have responsibility for putting controls in place over but maybe also helping drive and enable launching businesses, launching products, things along those lines, and the risks associated with that.

So, I actually see the CISO role continuing to morph and transform itself into something that’s really broader enterprise risk management more than I would see it gravitating towards what I would call the traditional CIO role today. That’s my perspective.

[David Spark] I want to close with one question for you, Andy. And that is you said you got a lot of activity and a lot of response on this article. I want to know, what was the number one complaint that you actually agreed with?

[Andy Ellis] Oh, I actually have yet to have anybody complain.

[David Spark] Really?

[Andy Ellis] But the biggest disagreement I’ve seen is the one Ryan just pointed out, which is especially in large organizations, there aren’t enough technology executives. And so there’s this opportunity for the CIO to become the CTO, especially in companies that are not core technology businesses, maybe become an innovation officer, maybe become a product officer honestly.

So, I think that’s the… People looked at it and said, “Hey, big organizations are not just going to…it’s one or the other.” It’ll probably be both. But the CIO may get rid of IT and end up as a completely different title at the end of that.

Are we having communication issues?

11:14.453

[David Spark] Are CISOs missing an opportunity with cyber insurance? Now, a lot of times when we talk about cyber insurance, the topic comes to increasing costs or tighter restriction. But as cyber insurance matures as an industry, CISOs should increasingly look to make insurers their partners in risk reduction, argues Rob Jenks in Dark Reading.

Now, the idea being that sharing more in depth internal information versus questionnaire answers, insurers could both better price policies based on risk and also share insights gleaned from working with other organizations. I will start with you, Ryan. Does that kind of partnership with insurers seem feasible, and have you actually done it?

[Ryan Bachman] I think that type of partnership seems feasible. When I think about the notion of going through the annual process of assessing risk that the insurance companies perform to help determine what the premiums are going to be for that period of time, they’re already getting much deeper into it.

I would say that from what I’ve seen, it’s definitely moved beyond more of a check the box type exercise and really seeking to understand in detail the risks that your organization is facing, and more importantly, the capability that you have to respond to those risks successfully. So, I think that it’s already starting to happen.

But at the same time, I think there is opportunity for it to grow deeper. I look at the whole ecosystem of insurance, vendors, design partners, looking at ways to innovate and to leverage those relationships to help drive better risk management within the organization I think makes a lot of sense.

I think with insurance companies, it can make a lot of sense as well. But as the CISO, I also would want to sit back and understand, “Okay, to the extent that we are partnering even further and even more deeply as part of that relationship, how do they plan on using that information to broaden their business?” So, again, I think on the back end, there is going to be a lot of CISOs that would ask themselves, “Okay, great.

We’re happy to have that deeper relationship. How do you plan on using that information and/or aggregating that information across your other clients to drive better actuarial basis and all those types of things?”

[David Spark] Is there a fear this information could be used against you? I’m going to throw this to you, Andy.

[Andy Ellis] [Chuckles] Can I start by pointing out this is a vendor puff piece that we’re responding to?

[David Spark] Sure.

[Andy Ellis] So, the person who wrote it, their company has a relationship with cyber insurers. They want us to share because they share, and they facilitate the sharing. So, of course, we sort of have this bias. Which might be okay.

[David Spark] Which, by the way, let me also point out that I’ve brought this up on the show before. That I think insurance has the capability of leading security here. Where it becomes more of a demand… Because think about it with other insurance. Often, insurance leads people to be more secure with their homes, more secure with their cars.

[Andy Ellis] Right, and I think the difference is that for cyber insurance specifically… First of all, the carriers do not have good data. There’s a reason why they stopped writing ransomware policies for a year. Because their data was awful, and they started taking massive losses. And they said, “Guess what?

Have a nice day with your ransomware policy because we’re not going to pay on it.”

[David Spark] By the way… And let me pause there. I argue the reason for that is because the whole marketplace is so erratic. It isn’t linear like we see with auto insurance.

[Andy Ellis] Right, it’s a non-actuarial market.

[David Spark] Yeah.

[Andy Ellis] This is not a market in which the actuarial tables of what happened yesterday are strongly predictive of what will happen tomorrow.

[David Spark] Exactly. That’s my point. Go ahead.

[Andy Ellis] That you’re under attack because someone doesn’t like you is very different than there is going to be X hacks today, and the question is just who gets them, which is sort of what you get with physical crime, home invasions, etc., or with vehicular accidents. So, let’s put aside the question for a moment of whether cyber insurance is the right thing.

I think the challenge is that for some people, cyber insurance can help you. Because they’ll just say, “Hey, look, you don’t have an EDR platform. You should get an EDR platform because we don’t want to insure you.” And so it serves almost the same role as basic regulation or basic compliance. Like, “Oh, you want to be PCI DSS compliant?” Your cyber insurance is going to help you do the same thing.

But if you have a unique platform, I’m not convinced that the insurer actually has enough context to really help you assess the right risks and what you should invest in next.

[Ryan Bachman] I think that’s a really good point, but what I would also just indicate is I think as those relationships potentially mature, you’re going to see insurance companies looking for that real data. So, for instance, if you think about the large auto insurance companies that are out there, the incumbent auto insurance companies that are out there, they want to put devices into your vehicle that will record your driving habits.

Imagine something similar on the cyber front, to be able to determine what they think your susceptibility is to hack or to a breach well beyond what you say your capability is but actually getting telemetry and then using that to make their decisions. Again, I think that telemetry could be useful to some security shops.

The other thing that I would just mention though is to what extent is that going to be an advantage for the company that’s having that telemetry harvested versus the insurance company, which is trying to drive profits at the end of the day. So, to me, I think therein lies the challenge.

[Andy Ellis] And how much risk do you add because the insurance carrier has the data of every vulnerability of their clients?

[Ryan Bachman] Right.

Sponsor – Vanta

16:48.332

[David Spark] Before we go on any further, I do want to tell you about our spectacular sponsor, and that is Vanta. Now, whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, and more. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer facing trust center.

If you don’t have one of those, get on it. So, over 7,000 companies like Atlassian, Flow Health, and Quora use Vanta to manage risk, improve security. Listeners of the CISO Series, get $1,000 off Vanta at vanta.com/ciso. Remember, that’s vanta.com/ciso.

It’s time to play, “What’s worse?”

17:50.664

[David Spark] Two crappy scenarios. You’re not going to like either one. And this one, I’m actually surprised it took this long for this one to come in because it seems like a very standard one, like, “Oh, this is obvious.” But no, we haven’t. So, here we go. It comes from Seth Earby of Pediatric Associates, and here’s the scenario.

I’m throwing it to Andy first, and you will either agree or disagree with Andy. What is worse? The threat and risk of physical social engineering capabilities in an organization or threats and risk of digital social engineering capabilities. Andy, which one is worse?

[Andy Ellis] This one is hard, because I think for a lot of organizations, the physical social engineering is completely and utterly uninteresting, so I could just sort of use that as the answer and say if you’re an internet based company, totally cloud native, SaaS native, there’s nothing interesting on your physical premises, I think the physical social engineering doesn’t really matter for you.

The digital does. Now, I’m trying to look and see on the other side, is there somebody for whom the physical social engineering matters way more than the digital social engineering. And I do think that there do exist those companies. Folks who deal with classified information, for instance. I’ve heard great stories of people who physically socially engineered their way into classified facilities in ways that digital social engineering would not be helpful for.

[David Spark] We have seen movies like “Sneakers” before, haven’t we?

[Andy Ellis] I’ve been part of a team that’s done this, where I got to sit in a car just in case somebody needed assistance because his job was to go into a classified facility that had armed guards and get root access on all of their systems using only social engineering.

[David Spark] Was he successful?

[Andy Ellis] He was absolutely successful. Most common way to get in was to walk in and say, “I’m here from the help desk, and I hear you’re having problems with Exchange.” They were like, “Oh, please, let me give you root access.” You didn’t even have to ask for it. They could hand it to you. But I think that’s the outlier.

So, I’m going to say that the digital social engineering simply because it is possible at scale for the adversaries. And so somebody shows up physically to social engineer you, they’re putting themselves at risk. I don’t think that’s as prevalent a problem. It’s still a bad problem, as the digital engineering.

[David Spark] Prevalent, but don’t you think…? I think the physical has the capability of doing a greater level of harm, but the at scale is the doozy, right, there?

[Andy Ellis] Right, you’re not going to lose millions of dollars to physical social engineering, but companies have lost millions to digital. Your executives might have issues. Like they get physically social engineered when they’re in China. That is a very different problem, but it’s a narrowly tailored one.

So, I think digital is worse simply because of the scale is what I’m going to go with.

[David Spark] All right. Ryan, I’m throwing this to you. I think there’s a lot of physical social engineering scenarios that could be plenty damaging, far more than digital. What say you?

[Ryan Bachman] I think it depends on the motive of the attacker. So, I think…

[David Spark] By the way, you can walk through this whole thing, but it depends doesn’t work in this game. But go on.

[Ryan Bachman] No, I get it. I get it. I get it. But I’ll play devil’s advocate here a bit, and I’m going to go with the physical social engineering. The reason being is because if I think about DOD grade facilities or I think about FERC and NERC regulated facilities, nuclear energy facilities, electric facilities, the types of places that I’ve socially engineered over time in my previous life… I’ve been a part of those red teams that have been able to social engineer.

And depending on what the motivation of the attacker is, there’s a significant amount of damage that can be done if you get access to a physical premises. Especially if that physical premises is involving dangerous chemicals, other things that could cause massive issues and significant loss of life.

So, again, if I think about the comment around which sector or industry you’re in really does matter, but if the motive of the attacker is to get in and either cause potentially loss of life issues, or potentially sabotage industrial control systems, or whatever else it may be, physically sabotage, then you’re talking about other potential loss of life issues in addition to loss of intellectual property and other regulated type information.

So, not to say that you can’t impact digitally lives or things like that. But certainly on the physical social engineering, if you get access to physical premises, that risk definitely does play there, and I’ve seen that risk manifest itself.

[David Spark] And also, adding to what you’re saying… And pretty much what you’re saying, Ryan, is that there is a dynamic of physical security where digital has no access to. I’m going with Ryan’s answer.

[Andy Ellis] [Laughs] I’ve got a good story on that front, if you want to hear it.

[David Spark] Quick, let’s hear it.

[Andy Ellis] An agent I worked with who did physical pen tests… You know, did the… He went to the base dry cleaners and said, “Hi, I’m here from base security. I hear you have a badge.” Was handed a badge. Didn’t look like him. Walks into a classified facility, thumb over the picture, gets in. Walks in with an empty briefcase, goes sweeping classified materials until his briefcase is bulging to sort of just show how easy it is.

As he’s walking out the door, he gets stopped by this 19-year-old security guard that says, “Sir, I’m going to need to have you open that briefcase.” And like his whole career is flashing through his eyes. Not that anything bad is going to happen, but he will never live down getting caught by the 19-year-old security guard because he doesn’t get to run away.

Like if he gets caught, he gets caught. He’s like, “Okay, I’m going to do this.” And he opens up the briefcase, and the kid looks inside, moves around the material in the briefcase, and says, “You wouldn’t believe how many staplers go missing here.” Closes the briefcase and lets the guy go.

[Laughter]

[Andy Ellis] Thank God no staplers lost that day.

[David Spark] My goodness.

Close your eyes and visualize the perfect engagement.

23:48.853

[David Spark] Is the CISO a soothsayer or someone who can predict the future for the business? A paper from researchers at the University of London making that argument made the rounds on the cybersecurity subreddit. The argument being that you don’t go to a soothsayer to hear about chicken bones and entrails.

You just want to hear about your future. Similarly, executives don’t need to know about different ransomware variants. They need to know what the consequences of this risk will be. The CISO, as a communicator, clearly needs to speak the language of the business. We talk about this endlessly on the show.

But some commenters on the post remain skeptical of how much to put things in more relatable with comments like, “There is a reason why they require colorful reports with graphics.” We know going too technical can quickly lose an audience, but is there a danger of going too simplistic when it comes to cyber issues?

Ryan, have you ever had someone going, “I get it. Move ahead,” kind of to you?

[Ryan Bachman] Yes, but I see that as a little bit of a positive thing. Because I think what that shows is that the literacy, and the understanding, and the acumen of executives has actually increased and grown in this age of cyber risk. So, I think while you can’t say that for every single company, if I look at my organization, the executives at my organization have made it a point because it impacts their business.

Whether they’re wanting to launch products, whether they’re wanting to launch business expand, you name it, they understand that there are cyber security ramifications and consideration on all of those things, and they’ve chosen as responsible business owners to get smart and to get informed on that, not just through me as their CISO, but they actually established a network of other individuals that help advise them on that.

So, it’s uncommon for me to hear that they were recently at some sort of dinner, or potentially playing golf, or whatever it may be where they were able to bounce some ideas off of somebody that works in the cyber security field, and they wanted to get my perspectives on those things. So, I think with the right type of leaders and the right type of management team, you’re going to see that this is considered an important enough area that nobody really wants to be illiterate.

Yes, you can get entirely too Radio Shack on certain comments. But at the same time, I think that they gravitate towards wanting to understand not in layman’s terms certainly what the message is, but also they want to stretch their capabilities a little bit to understand it better. At least that’s been my experience, and I think that’s a good thing.

[David Spark] “Entirely too Radio Shack on certain comments.” Love that quote. [Laughs]

[Andy Ellis] I haven’t heard a Radio Shack reference in a long time. I love that. I think Ryan is really onto something, but I think what’s also important for people to understand is that most executives make a decision…in fact, most humans make a decision within like the first 15 seconds of being presented with an issue.

Everything after that is rationalizing the decision they’ve already made. And so that’s about how long you have to sort of nudge them in one direction or the other. And so if you go too deep then, yeah, absolutely they’re going to be like, “Okay, I’m bored. And if it’s going to take you five minutes to explain this to me, it’s actually not that bad.”

Imagine if I said to you, “The world is about to end,” and then I can explain whether it’s an asteroid, or an EMP, or whatever. But the world is about to end. It gets your attention, and then you’re like, “Okay, I want to act.” Now, if I’m Chicken Little, I’m like, “The world is about to end. My room is painted the wrong color,” you’re like, “I’m never listening to Andy again.” Because I’ve used up my one world is ending card.

So, a lot of this is not about pick the language that you think is going to be right – dollars and risk. Reading the comments, a lot of people think they understand what their counterparty wants to know. What they want to know is, “Is this something I need to act on? And what do I need to know to act on it?” And over time, you can get them more and more savvy.

But if you expect that you’re going to teach them cyber language as part of making a risk decision, it’s already too late. Like they’re making a risk decision. Whatever language they have is what you have to operate with.

[Ryan Bachman] I think that’s a really good point. So, one of the ways that I try to frame things is in this notion of issue, action, and impact. I don’t want people starting out at square one with me on trying to figure out what to do. If I can give them and clearly state what the issue is…if I can give them clearly the action that I think we need to take and why, and then what the impact or outcome is that they should expect, that starts them at square five, square seven, square ten, whatever it may be.

And they don’t have to go through the middle gymnastics of trying to understand what the hell I’m talking about. So, I think that that’s a really important thing to be able to do. And the discerning executive will be able to listen to and point out where they think your thinking might be off or ask the questions they think they need to, to make sure that they agree with the path that you’re taking.

[Andy Ellis] Yeah, and a key piece of that is recognizing that executives have no long-term memory. You walk in, and you remember the last time you met with an executive. It was highly stressful, so you have pinned this in. And you’re like, “I’m just continuing the conversation from two months ago.” The executive doesn’t remember that conversation.

They’re trying to piece it together. So, giving them a whole framing, “Here’s what we’re going to talk about. Here’s what the issue is. Here’s what I think we ought to do. Here’s the impact, and I’m prepared with 80 backup slides if you want. But really you can make your decision based on this one slide.” And you don’t look like a fool because you’re trying to remember the context.

Give them the whole context as cleanly and simply as possible.

Where does the CISO begin?

29:30.932

[David Spark] Reporting structure is a big talking point with CISOs. Whether a CISO reports to a CEO, CFO, or CIO can speak to how an organization views cyber security in general. But when a data compromise event takes place, who should a CISO actually contact first? Mark Bruns, who’s the CISO over at FirstBank, said, “The first call should be to their legal counsel.

The CISO follows the lead of cyber insurance and legal. If that relationship is so important, when the worst happens, why isn’t that the primary CISO relationship? Or should all CISOs be reporting to legal counsel instead of a CIO or CEO?” And I should note that the other cohost of this show, Mike Johnson, in his former job, used to report to legal counsel.

I’ll ask you, Andy. Why aren’t they all reporting to legal counsel if we all agree the first call should be to legal when something happens?

[Andy Ellis] It’s fascinating that that’s the argument, because I actually don’t necessarily…

[David Spark] Well, it’s the argument I’m making. [Laughs]

[Andy Ellis] I don’t necessarily agree that your first call should be to legal. Your first call should be to whoever is documented in the incident response plan, which might be legal. But you should not be making it up based on an incident. You should have already done the work to decide who you’re calling.

The legal counsel got called by the lawyer who already got brought in once we suspected data compromise, so general counsel knows probably about the same time I do. And then I’m actually calling the CEO. That’s a critical… We got data compromised. The CEO is actually one of my first phone calls. But every organization, it’s going to be different.

The CISO should not report to the general counsel outside of some interesting, weird niches, and that is because the CISO is not just a staff entity, like general counsel is.

The CISO is an operational technology unit. It should be embedded closer to operational or technology. Preferably it should report to the CEO, but we’re not that mature as an industry yet, in that CISOs aren’t really treated like C-level executives in many companies. But until we are, I think the better spot for a CISO is whoever engineering reports to; that is probably where the CISO ought to report to.

If you’re a technology company…if you’re not a technology company but technology is a big piece of it, you should probably report to whoever the CIO reports to, or be tagged under the CIO, or vice versa.

[David Spark] I will tell you, Ryan, before you speak, that this is a topic that comes up again, and again, and again. It’s highly debatable. But where do you stand, and would you argue that the CISO should be reporting to legal counsel, besides just reporting to them first when an incident happens?

[Ryan Bachman] So, I think, first of all, in my case, I report to the CEO directly. So, I can tell you that that really is the ideal situation and set up for a variety of reasons. But stepping back for a second, you’re 100% right. You follow your incident response book. But the minute that you have determined that it’s likely a breach or whatever your escalation procedures are, one of the first calls you make is to your general counsel because it’s going to help dictate communications from there on out, especially if you’re doing things under ACP and want that type of coverage.

So, that’s a protection mechanism for everybody in the organization, including the C-suite, other members of the C-suite. So, getting in touch with your general counsel, that should be baked into your incident response procedures. Now, the way you read it at the beginning of this question, it almost sounded like you could make a business case for why everybody should report to the general counsel.

[Laughter]

[Andy Ellis] I love that.

[Ryan Bachman] Which made me think that, “Well, this was definitely written by a general counsel.”

[Laughter]

[Ryan Bachman] Right? Because at the end of the day, whenever something happens from a crisis management perspective or something that has legal or regulatory implications, one of the first calls you’re going to make is to your general counsel to make sure that they’re able to make the call on whether or not something should be covered under ACP, and then you should have appropriate steps to take going forward to protect the company and protect everyone involved.

So, I think for that reason then you could almost make the argument that anybody who would ever be subject to a legal or regulatory issue should report up.

So, that obviously doesn’t make sense. But I can tell you that as far as business partners go, there might not be a closer business partner to the CISO than general counsel, but that doesn’t necessarily mean it has to be a reporting relationship. I still firmly believe that CEO…representation directly to the CEO is the right model, and I have witnessed a lot of models over the years, serving clients, and I’ve been in the model where I haven’t reported to the CEO.

I can tell you that universally with every CISO that I’ve spoken to, regulators, external auditors, you name it, they’re unanimous in believing that that’s the right approach if the organization is supportive of it. But of course, other organizations may have very good reason for not doing that. It doesn’t mean it can’t work.

But, again, I think that’s the ideal situation.

[David Spark] Andy, do you want to jump in with the last comment?

[Andy Ellis] I’ll quickly jump in because Ryan mentioned ACP, attorney-client privilege, a lot. One thing every company should do is bring in outside counsel, somebody who has lots of practice with attorney-client privilege in an operating fashion. They’ve had to deal with it in a courtroom, and have them educate your CISO and your general counsel on what attorney-client privilege is.

Because all too often, I see general counsels who do not understand attorney-client privilege, which terrifies me, as well as CISOs who don’t. And people think, “Oh, we can [Inaudible 00:35:05] our incident, and because we have the lawyer on the call, we have attorney-client privilege on all of our incident documentation.” And that’s a very pediatric view of attorney-client privilege.

You should get expert consultation before you get into an incident on how you’re going to leverage privilege and what it actually means.
[Ryan Bachman] I couldn’t agree more.

[David Spark] All right, “What’s worse,” scenario? What’s worse, your attorney not knowing attorney-client privilege or your doctor not knowing doctor-patient confidentiality?

[Andy Ellis] Your attorney.

[David Spark] Your attorney. What do you think, Ryan?

[Ryan Bachman] It depends on who they tell your confidential patient information to.

[David Spark] Of course. [Laughs]

Closing

35:42.350

[David Spark] Well, excellent, everybody. Thank you so much for an awesome show. I know not to talk like I’m talking to somebody at Radio Shack right now. Ryan has educated me on that. Our sponsor for today’s episode, huge thanks to them, Vanta. Remember, your security and compliance verified in real time.

Get yourself a trust center and get $1,000 off Vanta if you go to vanta.com/ciso. Andy, thank you as always for an awesome show today. And, Ryan, I’m going to let you have the very last word here. I greatly appreciate it. One question we often ask our guests is are you hiring. I’ll ask you, are you hiring?

[Ryan Bachman] We are. We have a number of positions posted online. You can reach out via LinkedIn to GM Financial. You can reach out to me directly, and I can direct you to the right people. Whether you’re talking about governance, engineering, cyber security related roles and careers, currently we have positions open from vice president down to engineers.

So, there’s leadership, individual contributor positions available. We are hiring.

[David Spark] That is absolutely awesome to hear. And we will, by the way, have a link to Ryan’s LinkedIn page on the show notes in the blog post for this very episode. In fact, it’s more than show notes. You get the whole transcript of the entire show. Well, huge thanks to Ryan. Huge thanks to Andy.

And thanks to you, audience. We greatly appreciate your contributions and need lots more, “What’s worse,” scenarios, so send them in. And thank you for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.