We Checked the “Yes” Box for Cybersecurity. What Else Do We Have to Do?

Check Yes for Security

Compliance doesn’t equal security, but that doesn’t mean it can’t be part of the equation. Instead of dismissing compliance as mere security theater, how can we use what we have to do to augment our security efforts?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Alex Hall, CISO, Gensler.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Vanta

Automate, centralize, & scale your GRC program with Vanta
Vanta’s Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. And the impact is real: A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started at Vanta.com/ciso.

Full Transcript

Intro

0:00.000

[Voiceover] Ten-second security tip. Go!

[Alex Hall] Stop the email threat. That’s the primary vector for the hackers. So, if you focus your time and effort on the email threat, it buys you time to fix those many other problems that many of us find that we have in our organizations to solve. So, you need time and distance from the adversary to set up your information security program. So, if you’re ever wondering what to do, stop the email threat.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this very episode, why, it’s Andy Ellis, and you know him also as a partner at YL Ventures. Andy, say hello to the audience.

[Andy Ellis] [Foreign language 00:00:56].

[David Spark] Was that Japanese?

[Andy Ellis] That would be Japanese. I took two years of Japanese in college, which probably most people don’t know, and basically have three sentences I can do.

[David Spark] [Laughter]

[Andy Ellis] That was not one of them, as I’m sure our Japanese speakers will criticize.

[David Spark] That was money and time well spent, Andy. [Laughter]

[Andy Ellis] [Foreign language 00:01:24].

[David Spark] All right. For all our Japanese listeners, please let us know how much he screwed that up.

[Alex Hall] Or in San Diego, [Spanish 00:01:34].

[David Spark] [Laughter] Yes. I haven’t studied. How’s your Spanish?

[Alex Hall] [Spanish 00:01:39].

[David Spark] [Spanish 00:01:41]?

[Alex Hall] Si.

[David Spark] Our Spanish listeners are also mocking us.

[Andy Ellis] Have I actually done this in Spanish? I think that was one of the first ones I did was Spanish, but I’m not sure.

[David Spark] I don’t know how into this our audience is, all your varying languages.

[Andy Ellis] Nobody has complained except for you.

[David Spark] No one knows what to say because they’re so stunned at how, I go, inane it is.

[Andy Ellis] Hey, if you actually listen to this and you have any commentary, whether it’s…

[David Spark] Positive or negative.

[Andy Ellis] Whether it’s positive, whether it’s negative, whether it’s critical, drop me a line, put it on one of the LinkedIn posts when we share this, let me know.

[David Spark] We’re available at CISOseries.com, so go check out all our programming. We have five shows on our network. We drop now 11 episodes every week of all our programming.

[Andy Ellis] That’s crazy.

[David Spark] Our sponsor for today’s episode, Andy, is Vanta, another phenomenal sponsor of CISO Series. Remember – automate compliance, manage risk, improve trust continuously. You want to do all of that and have it going all the time. Guess what? We’ll be talking about that a little bit later in the show. But Andy, and actually I’m going to rope in our guest right here because he’s actually sitting in my office. All right? He’s actually local. He lives only like two miles from me. It is the CISO for Gensler, Alex Hall. Alex, say hello to the audience.

[Alex Hall] Hello, audience. Great to be here. And all my comments here are personal.

[David Spark] Yes, they don’t reflect his business.

[Alex Hall] [Laughter]

[David Spark] Alex is going to RSA.

[Andy Ellis] Actually, they reflect David Spark. Blame David for everything Alex does.

[David Spark] Yeah. Yeah. If anything you don’t like, blame me. Alex, myself and Andy, we’re all going to RSA, which is literally like a week and a half from now. Here’s my number one question. What constitutes a very successful RSA for you, Andy?

[Andy Ellis] I don’t get sick.

[David Spark] You don’t get sick? I’ve gotten sick of two RSAs.

[Andy Ellis] I have like a 50% success rate on that one. Like, I usually come back sick from RSA.

[David Spark] You know what my problem is? I don’t really set the time, unless I’m invited, I don’t set the time to have a sit-down meal. I’m literally running from one thing to another thing, and I don’t have enough just plain old sit-down meals.

[Andy Ellis] Well, the worst part is I would always do Wednesday lunchtime at Wise Son’s Deli.

[David Spark] Mm-hmm.

[Andy Ellis] Except they’ve closed the location that was in the Contemporary Jewish Museum.

[David Spark] That’s a bummer.

[Andy Ellis] And so, now I’m like, where am I going to have that lunch? Because that was my one sit-down meal.

[David Spark] I don’t know. I think there’s other restaurants in San Francisco, Andy.

[Andy Ellis] Yeah, but that was my jam was like doing that. Like last year, we got a whole bunch of folks together. We all went and had lunch there. So, I’ll find other things.

[David Spark] Well, I’m sorry about that. All right. I throw this to you, Alex. What constitutes a successful RSA for you?

[Alex Hall] Well, this particular time, we’re going to have many members of our information security team up there. So, for a successful RSA for me is actually a successful RSA for our team, and what I want them to come back with is new knowledge, new ways of doing the things that we’re doing and getting out of, as I say, beaten about the head and shoulders by the day-to-day security operations and have an opportunity to think bigger picture and finding new ways of solving our current problems.

[David Spark] Did you hear that, Andy? Because that’s the correct answer.

[Andy Ellis] I did. Hey, Alex, I got some companies to pitch you later.

[Laughter]

[Andy Ellis] And you can tell me which ones match up to problems your team is interested in, so you don’t have to talk to anybody else.

[Laughter]

[Alex Hall] Oh.

How CISOs are digesting the latest security news.

5:11.616

[David Spark] In the spring, the encrypted messaging app Signal got the world’s best free publicity when a journalist was accidentally included in some Department of Defense conversations. You may have heard of this, but for most users, we think of Signal as a very security- and privacy-focused app, one we’d recommend to security-conscious people, but the narrative in this case was how potentially insecure Signal was for highly sensitive conversations involving national security and journalists. So, context matters when thinking about application security. So, I’m going to start with you, Andy. What are the types of questions you, as a security leader, should be asking about the app and the people using it? So, whether this app matches your use case.

[Andy Ellis] So, in fact, this is one of my favorite questions to ask vendors. For every tool you’re going to use, instead of that checklist we send people, like, “Here’s 200 questions to see if you can pretend to be ISO 27002-compliant,” instead ask, “How can I shoot myself in the foot using your app?” Because the problem here was not Signal. Signal was fine. The problem was one of the people had the wrong information in their contacts, and when they went to add one person, they added a different person instead. That’s a known problem. That’s not a Signal problem. That’s a, like, you had the wrong phone number for somebody, and you added them into a group chat. And look, this is a huge problem for us. Alex started by saying, like, stop the email threat. Why is email our threat? Because we run our businesses on unauthenticated communication channels and Signal is one of them. How do you deal with groups with 50 people on it? Like I have this problem with text messaging my neighbors. I’m assuming you have a group chat for your neighborhood group; I certainly do. And like, I message that, and I put the list together. Half the people on that group don’t know who the other half are. They’re relying that I didn’t screw up.

[David Spark] Right. But your neighborhood group doesn’t have the same level of security concerns as, I don’t know, a bunch of military leaders for the US government discussing what bombs are going to be dropped and where.

[Andy Ellis] Absolutely. But it’s the same problem at a different scale.

[David Spark] Please tell me, by the way, your neighborhood group doesn’t discuss that. [Laughter]

[Andy Ellis] Well, I could tell you we don’t discuss it, but then you have to decide if you really believe us.

[David Spark] [Laughter] That’s true. I’m going to believe you. Go ahead.

[Andy Ellis] I’d be obligated to tell you we don’t discuss it there.

[David Spark] All right, let me throw this to Alex. All right, Alex, same question. You have two variables here. What you’re using it for – neighborhood group or national security – two different factors, and the app and how this matches up. So, what are the questions you ask? And I love this, like, how could I shoot myself in the foot? That’s what Andy said.

[Alex Hall] Yeah, I maybe wouldn’t use that exact terminology, but the identity management component of any of these tools, and I’ve looked at these out-of-band communication tools in the past significantly, and there’s a place for them. Such as we have our internal collaboration tools that have the full identity management of our team member employees of when they start at our organization. We know who they are. They get put into our directory, our user account directory, and then we can add them into these communication platforms that are the authorized ones. But then we get to the second- and third-order effects of what happens if those primary communications platforms go down? What are we going to use? So, would we use an app like this? And we bring up those issues of but how are we going to do – the old encryption term – the key management? How are we going to know the who’s who on each side and how are we going to add new people in? And so, it really comes down to these are some things you need to do ahead of time to get those capabilities in place. And if you have to do it after the fact, you might have to go slower so you don’t make the mistakes, or you understand that your risk is going to be reputational damage of certain information that gets out during a, say, a data breach or something like that.

[Andy Ellis] And the way Alex just phrased that captures one of my other soapboxes I’d love to step on, which is when we talk about identity, we talk about a facet of identity. We say Alex at Gensler rather than Alex, and we have no way of tying the fragment that is Alex at Gensler with Alex at his phone. And that’s the big challenge we have here.

Managing security changes for business optimization.

10:00.576

[David Spark] If I took a drink every time I saw “Compliance doesn’t equal security” in my LinkedIn feed, I wouldn’t be in any state to host this show. But is that idea a truism or simply conventional wisdom? Can’t compliance also be “a powerful business lever that security leaders can and should use strategically,” wondered Shaun Kelley of IBM. He argued that compliance gives security leaders a natural justification for investments that are directly tied to winning contracts and provide a baseline of trust for products. Now, if compliance doesn’t equal security, is it rather – I’m going to say to you, Alex – a guiding light? Are far too many security professionals dismissing compliance? So, let me ask, does compliance sort of lead the way possibly to security?

[Alex Hall] I’ll use a saying that let’s not let perfection get in the way of good enough. So, on this way to perfection, there is room for compliance controls to utilize those. If we look at the perfect security program where we’ve outlined our policies and procedures and then the individual security controls, such as password length must be so long and such, those individual controls are part of your compliance documents. And so, if your business needs to be compliant with a certain regulatory or other business-to-business relationship, that might be a starting point, that you look at those individual controls and make sure you at least meet those. But then you need to go into your business risk analysis to say, what are we missing from our compliance documents to get to the actual risk level, a risk reduction level that our organization needs? Because the compliance bodies, they may not care whether your business stays in business as a going concern. They care that certain data may not leave the organization, but other factors of shutting your business down due to a cyber breach or outage may happen and it has nothing to do with the actual compliance. So, our responsibility as CISOs is to combine all those into a full, well-rounded program that protects the business appropriately or to the low-level risk that it needs to be.

[David Spark] Andy, your take on this?

[Andy Ellis] So, I’m a fan of saying that compliance is a product feature, and your job as a CISO is to be the combined product manager, product marketer for compliance. You also have to secure the business and that’s an engineering function of do the right things to make the business operate safely. And operate safely is what’s key, not just be safe because it still needs to operate. But compliance is about how you are selling and marketing that safety program to either your own regulators because you’re a regulated entity, in which case it’s like having UL certification, it’s just required to sell the product, or your customer’s care, in which case now it’s a product marketing thing. I get to say, “Hey, I’m SOC 2 compliant.” My customers are happy with me being able to say those words. And what I like about this, and which is a thing that Shaun sort of hinted at, is as soon as you just say this is a product feature, this is now an easy conversation to have. If an engineer is building a product and they don’t want to be compliant, you’re not trying to say you need to do this to be secure. Because let’s be honest, many of the compliance requirements have nothing to do with security.

[David Spark] Mm-hmm.

[Andy Ellis] You are saying, “You have to do this if you want to sell to that target vertical,” and it changes the conversation.

[David Spark] That we’ve heard. And by the way, then you are going against sort of my setup question is, is compliance a guiding light? You say, in many cases, it has nothing to do with security.

[Andy Ellis] In a bunch of cases, there is overlap. I’m not saying like 180 degrees in the wrong direction.

[David Spark] Right, not all of it, but there’s some cases, yes.

[Andy Ellis] It’s an attempt to capture this superset of security requirements, 80% of what’s in there matches 80% of your security needs; 20% of what’s in there does not match your other 20%. You still have to go do security to be safe, tailored to your business. But for that 80%, this takes out the conversation, like, why do we have to rotate passwords? I don’t have to justify password rotation frequency for you. If we have passwords, we’re required to rotate them every 90 days if we want to sell our products. Do you want to sell our products? Yes? Great. I’m not going to try to convince you. Because the reality is either passwords are basically safe forever because there’s no oracle for somebody to attack them with, or they’re not safe at all because there’s an oracle and people can quickly crack them. Like, the 90-day rule is based on 30-year-old technology. This is one of the stupidest rules ever and security people have to try to defend it. Don’t defend the rule. Auditors require we do this. I would prefer we get off of passwords. You don’t want to rotate passwords? Join me in the passwordless world.

Sponsor – Vanta

15:06.267

[David Spark] Before I go on any further, I do want to tell you about Vanta. They’ve been a phenomenal sponsor of the CISO Series, and we just talked about compliance, and this is a great setup to talk about Vanta. So, compliance regulations, third-party risk, and customer security demands are all growing. We know this. And they’re also changing and it’s happening fast. So, is your manual GRC program actually slowing you down? If you’re thinking there must be something more efficient than spreadsheets, screenshots, and all manual processes, guess what? You’re right. GRC can be so much easier while strengthening your security posture, ah, and actually driving revenue for your business.

So, Vanta’s trust management platform automates key areas of your GRC program, including compliance, internal and third-party risk, and customer trust, and streamlines the way you gather and manage information. And the impact is real. So, a recent IDC analysis found that compliance teams using Vanta, listen to this, are 129% more productive. So, you get more time and energy to focus on strengthening your security posture and scaling your business. Vanta, GRC, how much easier trust can be. So, go to their website, vanta.com/CISO. Now please specifically type that in so they know that we sent you there. So, it’s vanta.com/CISO to learn more.

It’s time to play “What’s Worse?”

16:40.440

[David Spark] Alex, are you familiar with this game? The “What’s Worse?” game?

[Alex Hall] I’m familiar with it, yes.

[David Spark] Okay. So, two crappy scenarios. They are sent in from our audience. You have not seen them, Andy has not seen it either, and I’m pulling it up right now. And this comes in from Dustin Sachs of CyberRisk Collaborative. He has sent in many a “What’s Worse?” scenario. I always have Andy answer first so you can agree or disagree with Andy. Andy, here we go. And let me also point out that this is one of the classic ones, you’re going to immediately want to fix something in it. You can’t fix anything. It is what it is. All right? So, what’s worse? And by the way, when I say that, it’s clear there’s a lot of variability in it. I’m not defining the variability. One could be low and high.

[Andy Ellis] I love that the lawyerspeak from you, David, on this one.

[David Spark] Yes. All right, here we go. So, what’s worse, Andy? Old, unfixed tech debt. We all have it. It’s no fun unless you’re a brand-new company that’s greenfield [Phonetic 00:17:50] right now. Old, unfixed tech debt. And I don’t know how bad or good it is, but you’ve got it. Or you got a new technology implemented, but it was done in a way that introduces new vulnerabilities. Which one’s worse? And again, you can’t fix either situation. It is what it is.

[Andy Ellis] I know. I can’t fix either one. I’ve got to think about this one.

[David Spark] Okay, good. This is a tough one because I’ve had a lot of really easy ones for Andy.

[Andy Ellis] No, no. So, I have to think about how I’m going to phrase this because I think I know the answer.

[David Spark] No, you don’t.

[Andy Ellis] So, first of all here, let’s talk about old, unfixed tech debt is just a thing, which is first of all, tech debt is an awful name. We should stop using it. Why should we stop using it? Because companies believe that debt is a way of funding investments. So, if you say technical debt, they’re like, great, we took shortcuts as a way to invest in our future. Why is that a problem? Like we have a lot of debt on our balance sheet. So, here’s some more.

[David Spark] So, let’s just take the word debt out. Old, unfixed tech, period.

[Andy Ellis] This is partly I’m buying myself time to think. So, you have risks that are accruing that are not vulnerability risk. It’s oh, we just didn’t quite do this the right way. The architecture’s wonky, and everybody’s architecture’s wonky.

[David Spark] Mm-hmm.

[Andy Ellis] And I’m comparing that against, well, we just did something in a way that is actively dangerous with vulnerabilities that we’re never going to fix. But it’s new tech, which means everybody’s exploiting it. So, based on those two, one is I get the world as it exists today, and the other is I’m deploying new stuff that is not patched. Like it’s not even architectural tech debt. This is just like this stuff has vulnerabilities in it. I’m going to say that that’s worse.

[David Spark] Because just because it’s newer, it’s on everybody’s radar, probably today.

[Andy Ellis] Right. It’s on everybody’s radar. And if we can’t get the brand-new stuff even remotely right, well, if I can’t fix that, that itself encompasses tech debt. Like it is starting with an amazing amount of tech debt.

[David Spark] Yes.

[Andy Ellis] And I can’t fix it. So, yeah, rather than accumulating tech debt, I’m just buying more? Yeah, I think I’ll stick with the old world.

[David Spark] So, you’re betting on the old, unfixed tech, not saying debt, but you’re betting on the old, unfixed tech as the security through obscurity. The fact that it’s old.

[Andy Ellis] No, no, no. I’m not saying security through obscurity. The difference between tech debt and vulnerabilities is key in the framing here.

[David Spark] Mm-hmm.

[Andy Ellis] Which is tech debt just includes things like the architecture isn’t scalable. Like we took shortcuts in doing the build out. It doesn’t have HA that really works.

[David Spark] Oh, but old, unfixed tech also has usually like holes in it like Swiss cheese.

[Andy Ellis] It might, but that was not specified.

[David Spark] Not. No, but it’s…

[Andy Ellis] No.

[David Spark] You can count on that.

[Andy Ellis] Then tech debt is a term of art.

[David Spark] Hold it. Hold it. Let me ask you, Alex. Can you count on old, unfixed tech as having vulnerabilities?

[Alex Hall] Well, you don’t know about them because they don’t tell you they’re not testing for it, such as Windows XP, Windows 7, Windows 10.

[David Spark] If you installed Windows XP in your environment, and just as is.

[Alex Hall] Oh, it’s still running. It’s still running well. Embedded especially in the medical device world and hospitals.

[Andy Ellis] Oh, yeah.

[Alex Hall] XP is there.

[Andy Ellis] Right. You’ve got XP…

[David Spark] You put controls around it. Yes.

[Andy Ellis] The tech debt is the existence of XP, not XP being unpatched. This is where the questioner, I think, is using terms that we all use them a little bit differently from a term of art. Tech debt does not mean vulnerabilities. I’m not saying those machines are therefore patched, but tech debt is like you have machines that are on unsupported hardware, on unsupported OSes, does not mean that those are necessarily directly affecting you.

[David Spark] They’re essentially keeping your business on life support is the way I see it.

[Andy Ellis] But they keep your business up and running.

[David Spark] All right, I’m throwing this to you, Alex. Do you agree or disagree? Which is the worst? Again, the old, unfixed tech or that brand-new technology implemented incorrectly, and it’s got new vulnerabilities.

[Andy Ellis] Already vulnerable.

[Alex Hall] I’ll frame it that I’d rather have the new, poorly configured, or whatever tech debt. And one of the…

[David Spark] So, that is not the worst. The worst is the old tech?

[Alex Hall] The worst is the old one.

[David Spark] Okay, so we got a disagreement here.

[Andy Ellis] David’s happy.

[David Spark] Let’s hear.

[Alex Hall] So, the newer stuff, some assumptions here is that the vendor is going to support this and they want it to be successful.

[Andy Ellis] Oh, no, no, no. He’s changing it now.

[Alex Hall] I know, I’m putting assumptions in on why I’m making…

[Andy Ellis] Yeah, but they can’t fix your problem.

[David Spark] You can’t…

[Crosstalk 00:22:18]

[David Spark] You’ve introduced new vulnerabilities.

[Alex Hall] That’s fine.

[David Spark] It’s your team screwed up is what it is, not the software manufacturer.

[Alex Hall] So, I’d rather have the new stuff that is generally more supported in my assessment than the old stuff that usually the vendors are trying to get rid of it themselves, usually, because they don’t want to support old stuff. They want to out with the old, in with the new, and the support available for that, what I’ve found, is not nearly as great as the newer product. And so, with that limited information…

[Andy Ellis] I’ll give an example as a counter for you, Alex.

[Alex Hall] Sure.

[Andy Ellis] Let’s just imagine that your ecosystem might include like displays that said at what time your planes are taking off, and you were running your entire airline on your technology. Would you rather have kiosks that worked, running old technology that had some tech debt, or kiosks implemented with the latest and greatest endpoint detection system integrated into everything, well supported by the vendor, and then for a couple of days, your airline can’t fly because you have no systems that work because you didn’t implement them the way you ought to have.

[Alex Hall] But I think that’s the prime example of what happened two holidays ago with the old tech debt [Laughter] from an airline.

[Andy Ellis] No, that was new. That was an airline who was doing everything new, everything well integrated, except it was done in a dangerous fashion.

[Alex Hall] Oh, touché. Well, that particular example, but so my assessment is that’s one point in time example. As I look forward, if I had to make the choice, I would generally choose the newer issue, the newer product from a vendor that theoretically is going to support it and fix it and going forward. And then now I don’t have old tech debt that’s fixed. I have new technology that’s fixed, and I have a lifespan on it.

[Andy Ellis] That’s fair. And for our listeners, I just want to remind you that Alex is in the same room as David, and I cannot disclose exactly what David said beforehand about Alex’s survival chances if he had agreed with me.

[Alex Hall] [Laughter]

[David Spark] I did not say anything of such sort. Don’t lie to our audience.

[Andy Ellis] Of course you would say that now.

[Alex Hall] No, I was not prompted. I chose that answer of my own free will.

[David Spark] He did.

Is this the best use of my money?

24:41.607

[David Spark] “In the end, I’m going to get the budget. It’s how I get the budget. Am I going to get it in a thoughtful process year over year with small incremental investments? Or am I going to get it all at once in the wake of a massive breach when customers and clients are asking, ‘What are we doing for security?’” This is what Lee Parrish, who’s the CISO over at Newell Brands, recently said on a recent episode of Defense in Depth. So, I’m going to throw this to both of you. How do we start the thoughtful process of small investments? “This can start with building cross-functional teams in the organization, from understanding the CFO’s priorities to working closely with IT to align with broader goals or looping in general counsel when it comes to privacy initiatives,” suggested Rosalyn Page in a recent CISO Online piece. She also suggested CISOs maintain a visible profile within the organization and use financial literacy to underpin conversations about risk. Now, I’m going to start with you, Alex, on this. Do you agree with Lee on getting the budget one way or the other, or that it does inevitably happen that way? And how do you make the slow and steady way successful?

[Alex Hall] So, to start off the initial part, I was thinking of the Star Wars quote, one of the later episodes on only a Sith Lord talks in absolutes, either or, this or that. I look at this as you look at the entire environment and understand at this point in time, what’s the best option? Is it there’s a data breach or a minor event that happens that you want to definitely use that and communicate and while the iron’s hot, strike with that? Or is this one that you are, there’s almost a zero-sum gain on the budget, and what your information security team receives another team doesn’t. And so, there’s more incremental battles, if you will, or discussions on what the appropriate use of the dollars are to reduce the risk, whether it’s operationally in IT or business risk in information security. So, I’m going to use all the tools in my handbag or tool case to accomplish that. You can’t be the one-trick pony. As they say, you need to be able to utilize all those as the business evolves and grows or contracts.

[David Spark] Anyone in a relationship knows that the ultimatum technique does not work [Laughter] at all. Andy, your take on this, of the slow and steady, the tortoise versus the hare technique of building your security program.

[Andy Ellis] So, I’m a firm believer in embrace the power of “and.” You should be doing slow growth and seizing opportunities for fast growth because they will both come.

[David Spark] Mm-hmm.

[Andy Ellis] The one thing I would challenge is the CFO does not have money. You don’t get money by appealing to the CFO. The CFO is the person who’s going to be the arbiter within the business to make sure you’re asking for money in a way that makes sense, but you have to figure out who has the money. Right? Either it might be that you managed to slide it in before the FP&A function finalizes the budget forecast, and you can just sort of make money appear and then fight for it, or you’re fighting for it, but you’re not fighting with finance. If you’re fighting with finance, you’re doing it wrong. You need to be talking to the rest of the business and saying, hey. Like, you’re going into this business line. Here’s the security requirements and the compliance requirements product feature. Here’s what it’s going to cost you to implement those. Would you prefer I do it for you? Because I can do it more cheaply. But one way or another, it’s got to get done. And that’s really the way to get this slow progress is you have to make sure that you’re providing business value to the people who really control the budget, which is the people who make money.

[Alex Hall] To follow up on that, we started this talk off with security tip of the day, if you will. But one of the close seconds was what advice would I share with other CISOs or others in information security? And that would be to either earn an MBA or some sort of business strategy certification. But the key component that we’re talking about in this particular question is the business. How does cybersecurity, information security fit within the business environment? And are we prepared to have those conversations, those business conversations and not necessarily the zeros and ones while we’re wearing a hoodie and sunglasses and haven’t slept in three days kind of look that you see on Hollywood shows? We’re talking business. How does this benefit the business, whether it’s a financial bottom line or a second bottom line, whatever that mission of that organization is? How can we articulate it?

[David Spark] So, by the way, this is a recurring theme on this show. And to bring up a quote that we have used multiple times, Steve Zalewski is one of the co-hosts of Defense in Depth who used to be the CISO over at Levi Strauss. He would say, “How does this help me sell jeans?” If you can’t boil it down to that, if the vendor who’s pitching you can’t explain that to you, then that’s a lost cause. Andy?

[Andy Ellis] It’s absolutely right. You’ve got to be able to figure out how are you going to sell this to the business? And sell it to yourself, honestly? All too often we do stuff because the vendor scared us or it checks a box, but we can’t even justify it to ourselves. How do we expect to justify it to our partners?

Could this possibly work?

30:08.977

[David Spark] “When employees are assessed and rewarded based on their adherence to security protocols, it fosters a sense of accountability.” Now we talk a lot about building a security culture on this show, and that can all feel kind of squishy. Does tying employee performance to following security practices set the tone for a security culture, as argued by Wylie Hartwell of SIM Jacksonville on LinkedIn? And how do you stop this from becoming employees not getting bonuses because they failed a phishing test? So, I’m going to start with you, Andy, on this. Here’s a big challenge. How screwed is your security program if your security culture sucks? Like, you build the best security program, but the security culture is way off.

[Andy Ellis] Well, let’s just answer that one, which is if your security culture’s off, you probably have a big problem. Probably means your culture’s off. But let’s tackle this premise here, which is, oh, we’re going to compensate employees based on their adherence to security. How would you feel as a CISO if some other part of the business came in and said, “Oh, by the way, I’m going to grade your employee, and their bonuses are impacted by my grade. You, their boss, do not have the control to compensate them because I am making the decisions about their compensation.” You would laugh them off because you wouldn’t even think they were serious. And so, that’s sort of how I often take this. This comes up, like it feels like every six months, someone says we need to tie bonuses to security performance. And the answer is no. Never going to happen, nor should it happen.

[David Spark] So, is there a way to measure and honor and give some kind of positive recognition that is desirable, I guess is my question?

[Andy Ellis] Oh, absolutely. You can do positive recognition. And in fact, there’s a lot of research that says employees respond better to non-monetary recognition because they come to expect monetary recognition. If you give them a small bonus, like a hundred bucks, not a huge thing for most people. And they’re like, “Okay, fine, whatever.” But now they expect 100 bucks every year for passing the phishing test. If you give them a sticker or you give them a stuffed animal, you’re like, “Hey, you’re my security champion. Meet the penguin.” Whatever those are, those are the things that really motivate people because you’re connecting with the human. So, that’s part of your culture is how you, the security team, engage with your employees. It is not just how your employees engage with security.

[David Spark] Yeah, my fear is something like this could backfire in a big, big way. Alex?

[Alex Hall] Well, I’m going to start off with…

[David Spark] And by the way, when I say something like this, not saying Andy, but specifically bonuses tied to security performance.

[Alex Hall] I’m going to get to that, but I’m going to start at the very beginning as I started this [Laughter] talk off with stop the email threat. So, I actually put the onus on the security professionals initially. What are the technical security controls in place? And we’ll say, why did that email, phishing email, even get to that team member employee? And so, are you tracking your metrics? And how are you determining how many actually get through? Are your technical email security tools doing the job that they’re supposed to? And if you’re keeping metrics on how many actually get through, meaning your team members are reporting those with a positive attitude, if you will, or they feel part of the team, you’ll then know how well your technical security tool is doing. Now we can say, well, they’re going to get through. Yeah, but let’s say that you get one a day that gets through and your phish test shows that you have 5% failure rate. Statistically, what’s the likelihood of that one email campaign that gets through that hits the person’s inbox that’s going to click on it? These are kind of mathematical and also business discussions.

Now I’m going to go directly to your question. Organizations that are highly regulated and that can go out of business by having team-member employees that just don’t get it, that you do everything you can to help educate and train, but the implications for that organization of a failed phish test are so significant. The CEO may decide that something like that happens. But the vast majority of the organizations, you need your team members working with you. And I just mentioned the reason being is the emails that get through that are actual malicious phishes or malicious emails, how are you going to know about those unless your team members report those? And so, you want a group that doesn’t feel like there’s going to be a repercussion if they report, or quite honestly, if they click on something, you want them to tell you about it and say, “Hey, mea culpa, I clicked on this.” And then your security operations team can get going really quick and remediate these things. So, it’s a huge team effort. And so, in general, to an early point, it usually backfires with these draconian type policies.

[David Spark] Yeah, I brought up a long time ago on the show and I’ve repeated a few times that I had a friend work for a big company in HR. And I know you didn’t like this, Andy, and most have not liked this, but they had a mechanic who was not a knowledge worker, not heavily on the computer, but kept… Well, first of all, he was getting phish tests by the company and he kept failing. Just consistently kept failing, could not stop failing. They actually fired him for this.

[Andy Ellis] Mm-hmm.

[David Spark] They just couldn’t do it, and it didn’t sit well with you, Andy. How does it sit with you, Alex?

[Alex Hall] Yeah, as you were mentioning that, I was thinking about some of the reasons that our team member employees, they do click. It could be the culture in the organization. It could be that they’re so stressed out at their job, they’re overtaxed, and they’re being graded on how quick they respond to emails or how quick they communicate back. Or potentially a culture at the top that there’s fear in that organization that, “Oh, here came an email from the CFO or the CEO. I better answer this quickly because I’m being graded on how quick and responsive I am.”

[David Spark] That is a really good point because there are a bunch of software programs out there that companies employ – not in Europe, I know, because it’s not cool – but that monitor your entire screen behavior and are seeing how often you’re clicking, getting activities done. That would flip people out. And yes, I could see people making the wrong step in that kind of environment.

[Alex Hall] Right. Some of these business email compromise where funds are wire transferred, you have to ask yourself, why did that person feel compelled to do that wire transfer?

[David Spark] Well, sometimes it’s because they want to look at one of the other stories we’ve talked about is that the attackers are going after the newest people in the company that want to perform well, and they think they should do this.

[Alex Hall] And this still goes to the culture of the organization. Your new team members, we know that they’re vulnerable. And so, how are we conveying to them that this is the culture of our organization? We’re not a fear-based organization. If something doesn’t seem right, don’t react out of fear. We’re here to support you and bring it up to someone else and let’s solve this problem together.

[Andy Ellis] Right. Is the CEO out telling people, like, “Hey, if you get an email that purports to be from me telling you to do this, it’s not me.” If you don’t have that happening, then you’re going to fall victim to business email compromise.

[David Spark] Tell your staff early when they come in.

[Andy Ellis] But it has to come not from security.

[David Spark] From the CEO.

[Andy Ellis] Has to come actually from the CEO saying, “Look, if you get a text message purporting that it’s me trying to get you to buy gift cards, it’s not me, and I want you to tell me when you get one of those.”

[David Spark] Have you had that? Have you had someone try to do the…

[Alex Hall] I’ve seen that in my career.

[David Spark] Did someone fall for it or almost fall for it?

[Alex Hall] Almost fall for it. But again, each organization’s different. If the CEO and the culture of the organization is open and clear, that person will respond, “Hey, did you really want me to buy 100 gift cards? I know we had talked about this and rewarding our team members. But is this the best way to do it?”

Closing

38:38.178

[David Spark] All right. Well, that brings us to the end. By the way, our listeners can send me and Andy and Alex gift cards if you’d like to. Please feel free. Just contact us directly and send us a gift card. We won’t buy any, but we’re happy to receive them. Yes, Andy?

[Andy Ellis] Absolutely.

[David Spark] We are. We’re open to receiving gift cards. I want to thank my guests, Alex Hall, who’s the CISO over at Gensler and also a neighbor of mine, and Andy Ellis, who will by the time this episode airs possibly be moving into his new home.

[Andy Ellis] I hope so.

[David Spark] Just across town. Is that correct?

[Andy Ellis] Just across town.

[David Spark] There you go. Alex, are you hiring over at Gensler?

[Alex Hall] We’re always looking for top talent and take a look at Gensler.com and our human resources page and you’ll see some of the great career opportunities we have. We’re always looking for top talent.

[David Spark] And you could get an opportunity to work with Alex. And if someone contacts you and said they heard you on the CISO Series, will that get them a bump up higher in the pile?

[Alex Hall] You know, what it tells me is that they’re educating themselves.

[David Spark] There you go.

[Alex Hall] They’re looking to become a high-performing individual, which means you’re always curious. You’re always trying to find new ways of doing things. So, we have a high-performing team at Gensler, and we are always looking for high-performing individuals.

[David Spark] You don’t have to pay thousands of dollars for one of these cybersecurity training programs. You can just listen to the CISO Series and other CISOs will be impressed by that. That’s what I take from that. Andy, you take the same from that, right?

[Andy Ellis] Absolutely.

[David Spark] That’s exactly what Andy said. Hey, I have to thank our sponsor. That’d be Vanta. Vanta – automate compliance, manage risk, improve trust continuously. We talked about compliance on the show and please go to their website, vanta.com/CISO. Add that /CISO so they know we sent you there and proves that their sponsorship is actually doing something. Even if you’re not interested, just go [Laughter] and type that in. We’d appreciate it. Vanta.com/CISO. Show your support to them. We want everyone to check them out. Please go check them out. Thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.