C is for C-Suite, Except If You’re a CISO (LIVE in Nashville)

CISOs are common among the Fortune 500. But it remains rare to see them listed in executive leadership. Given that every company says security is of prime importance, why aren’t CISOs named within the top company echelons? 

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Allan Cockriel, CIO and group CISO of Shell. Joining us is our special guest, Mary Rose Martinez, CISO, Marathon Petroleum.

This episode was recorded in front of a live audience in Nashville at Evanta’s annual Global CISO Executive Summit. Huge thanks to Evanta for inviting us to record again at the event.

(from L to R on stage) David Spark, producer, CISO Series, Allan Cockriel, CIO and group CISO of Shell, and Mary Rose Martinez, CISO, Marathon Petroleum Corporation.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Censys

Censys is the leading Internet Intelligence Platform for Threat Hunting and Exposure Management. We provide the most comprehensive, accurate, and up-to-date map of the internet, which scans 45x more services than the nearest competitor across the world’s largest certificate database (>10B). Learn more at www.censys.com.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice I ever got in security. Go!

[Mary Rose Martinez] Cybersecurity is a team sport. We need to play with both our internal teammates as well as our external teammates. Internally, that would include legal and internal audit but really working hand in glove with the very business that you’re trying to secure. External teammates would include competitors even, government regulatory bodies, trade associations, ISACs, customers, and suppliers.

Together we’ll make cybersecurity stronger.

[Voiceover] You’re listening to CISO Series Podcast recorded in front of a live audience in Nashville.

[Applause]

[David Spark] Welcome, everybody, to the CISO Series Podcast. My name is David Spark, I am the producer and the host of the CISO Series, and I have a guest with me who is our guest co-host for today’s episode. He is the CIO of global functions and group CISO over at Shell. Please, warm round of applause for my guest co-host, Allan Cockriel.

Let’s hear it for him!

[Applause]

[David Spark] Also I do want to mention our sponsor Censys. Censys – the leading internet intelligence platform for threat hunting and exposure management. Thank you very much, Censys, for sponsoring this live audience recording of the podcast, more about them a little bit later in the show. But I do want to mention the big news for those of you listening out there, we are at Evanta’s Global CISO Executive Summit in Nashville.

And Allan, I have a question for you. You have attended other Evanta events, correct?

[Allan Cockriel] I’ve been to several of them, yep.

[David Spark] All right. So, I want to sort of – because we’re kicking off this whole show right here and I want the audience [Inaudible 00:01:56] here to know what they’re in for. I want to know one thing you learned from attending a previous Evanta event that you actually took back with you to the office, and you truly learned it.

You didn’t know it going in and after, you were like, “Oh, this is coming back with me.” What is that?

[Allan Cockriel] I’d have to say it’s new friends. It’s the connections that we make in these events.

[David Spark] Hold it. You took them back to your office, the new friends?

[Allan Cockriel] The good ones.

[David Spark] They couldn’t stay at their office?

[Allan Cockriel] They can come back and have a visit.

[David Spark] Okay. [Laughter] But new friends, yes?

[Allan Cockriel] I’d have to say it’s mainly new friends, it’s all about the relationship.

[David Spark] Yep. But that’s an ongoing relationship that I’m sure you mine your relationship friends for future needs, yes?

[Allan Cockriel] Correct, yeah. I’m a big believer in frenemies so these are the people that we compete with on one hand, but we collaborate with on the other hand.

[David Spark] You’re sitting next to one on your left.

[Allan Cockriel] That’s right.

[David Spark] That’s a great setup for our guest who’s joining us right now. Big warm round of applause for the VP CISO of Marathon Petroleum, Mary Rose Martinez. Let’s hear it for Mary Rose!

[Applause]

[Mary Rose Martinez] Thank you so much. It’s a pleasure being here.

Close your eyes. Breathe in. It’s time for a little security philosophy.

3:04.570

[David Spark] “Try implementing rigid processes and policies in a startup or punishing insecure behaviors in a collaborative organization,” said Marco Túlio Moraes, CISO over at Raízen. “It’s just not going to happen,” said Moraes, “and you will be seen as someone pushing against company culture.” Whenever we interview security leaders about taking on a new CISO role, they always say their top priority is to listen, learn the organization and its culture.

As Moraes said, “Culture is not doing things your way or the way that you understand how a company does things, but the way that people outside of InfoSec do things in the organization.” I’m going to start with you, Allan, here. Can you think of a security action that did work at one organization that simply won’t work in another because of the culture?

[Allan Cockriel] I’d have to say it’s optionality.

[David Spark] Hold it. Optionality? What does that mean?

[Allan Cockriel] Optionality. So, the way to think about it is how much latitude do people have to make decisions about the technologies they want to put in, how they implement it, how they configure it. And I think moving from company to company, if you don’t understand optionality and how that’s embedded in your culture, you’re going to run into problems.

So, if you’re in a strong top-down kind of authoritative environment or if it’s heavily regulated, pretty low optionality. If you’re in a newer company, a bit cowboy, you can find a lot of optionality. You can read into that shadow IT. But I think once you assess that, then you can understand what’ll actually work in that business.

[David Spark] And have you worked at the spectrum of businesses that have low and high optionality? Which again, is this really a word? [Laughter]

[Allan Cockriel] It is actually a word.

[David Spark] Okay.

[Allan Cockriel] I have worked at the bookends of that from very multinational corporates and regulated environments all the way through to startups that were building things on the fly.

[David Spark] Okay. What’s the pros and cons, quickly, on both extremes?

[Allan Cockriel] From the startup side, it’s flexibility, it’s the agility, it’s the speed of reaction. On the flip side, you have structure, you control your costs, you can control your security risks when you’re in a more structured environment with low optionality.

[David Spark] Good point. All right. I’m going to ask the same question for you, Mary Rose. Security action that did work at one organization that simply won’t work in another because of the culture.

[Mary Rose Martinez] Well, in this case, I’ll take a different slant. You talked about wanting to understand how work actually gets done within a company. So, if you think about an office worker and somebody out in an industrial control system – very, very different. So, just take your phone as an MFA tool, for instance.

That’s nothing. We don’t think about it. We all have phones, we use it. In an industrial environment or a field environment, you may not even have a phone because it’s not allowed, or even if you did you might have workman’s gloves, or it might be smudged, so the user experience is vastly different, and you have to think about it very differently that way.

[David Spark] So, talk about when you’re dealing with a very structured environment versus startup, but that is the two extremes, does it make your job easier or harder or just different? Where do you sort of find yourself? And can you say you like one over the other?

[Allan Cockriel] I prefer the more structured environment. From a security perspective, it’s a lot easier to regulate what you know about, you have a known quantity of tools in the environment, you have relatively…

[David Spark] By the way, Shell is very happy you said that. Continue on.

[Allan Cockriel] Oh, yeah. Very high insecurity on that side. From the CIO perspective, to have the ability to move fast and meet customer obligations very quickly. Environments that are a lot more fluid tend to be able to meet that need faster but with my CISO hat on today, structured environments are far easier to secure.

[David Spark] Have you experienced what Allan described too?

[Mary Rose Martinez] Yes, I have experienced them. And again, the pros and cons he alluded to are exactly right. I would say depending on where a company is, like what phase it’s in, a structured versus unstructured environment might work better.

[David Spark] Mm-hmm. And what about the middle ground? Because not everybody is on these extremes, if you will, and I’m kind of playing more into your optionality here. Is there a balance that can be struck or can one exist in the other? Because I’ve seen this happen many times where a big, big organization in an effort to attract people who like the startup concept will say, “Oh, we’re like a startup inside of a big corporation.” Does that really play itself out?

Or can you create I guess like a padded room for that environment?

[Allan Cockriel] Well, first I have to say that I’ve patented optionality, so if you use it in the CISO Series, I do require a…

[David Spark] I’ll get you the commission fee.

[Allan Cockriel] I require a royalty. Well, look. The way I look at it is most processes in a corporate environment are at parity, so they’re market standard processes, 85-90% of the processes are standard, so I don’t like to see a lot of experimentation there because you’re basically trying to build something that exists in the market.

Now for the remaining 10 to 15% which is your innovation, your differentiation, there you can have a lot more optionality and a lot more creativity, so in that you just secure it in a different way. So, it’s a lot more flexible, you’re in the DevSecOps space and you’re actually starting to build things with security as a core element rather than a side ingredient.

Question for the board

8:19.373

[David Spark] 82% of CISOs admitted to feeling pressured to make things sound better than they really are when addressing the board, according to a study by FTI. Now this fear is the result of a “shoot the messenger” and “heads are going to roll” attitude upon hearing bad news, noted Karen Schwartz in an article on IT Pro Today.

The reality is during an incident, problems need to be solved, and knee-jerk reactions such as firing staff don’t necessarily solve problems. So, the article noted the need for building rapport beforehand, tabletop exercises, and having a clear chain of command of communication. I’m going to start with you, Mary Rose, on this one.

Even with all that preparation, bad things happen as we know, and CISOs are often the messenger. So, when it comes to communicating bad news to the board and to the C-suite, what techniques have worked the best for you?

[Mary Rose Martinez] So, typically when I report up into the board, I’m as transparent as possible and I literally will tell them we are never going to be 100% secure. I say that to the board, I say it to the management and executive team.

[David Spark] And they swallow that because that is the reality of our world.

[Mary Rose Martinez] That is the reality of the world. I think actually if you don’t tell me that, I think that they know you’re getting fooled because they hear and read about all these things, all the incidents that happen every single day. So, I tell them that upfront, I try to stay as transparent as possible as well about what risks we do have within our own organization.

Now tabletop exercises absolutely hands down are important, not just within organizations or departments. Not even cross departments but all the way up to the CISO because it’s hyper important that we get those folks [Inaudible 00:10:04] from an awareness perspective, process perspective. All that gets ferreted out in a tabletop exercise.

Communications is hugely the biggest thing. So, communications, governance, approval authorities are paramount. I say all this but as you very well know and as you alluded to in the article, when an incident happens and you’re in a pressure cooker situation, sometimes that entire playbook, as beautiful as it is, laminated and all, gets thrown out the window, right?

[David Spark] Yeah. Or people’s panic gets in the way of remembering how to behave.

[Allan Cockriel] 100%, 100%. Even if you draw it back there. And so the other prework I would say that has to happen way ahead of time in addition to tabletop exercises is literally building that relationship. Building that relationship with the board and the executive management team. Building your credibility that they know you know what you are talking about and doing.

And building that ahead of time pays its way in spades.

[David Spark] All right. So, I want to know, I’m just interested not in the bad news but like that first line you say before you’re about to deliver bad news. It’s not a meeting that’s prepared. All of a sudden you go, “I need to talk to you.” What is that first line just before you deliver the bad news?

[Allan Cockriel] Houston, we have a problem.

[Laughter]

[Mary Rose Martinez] I usually say, “We have an event.”

[David Spark] That’s it. You keep it cool like that? “We have an event.”

[Mary Rose Martinez] “We have an event,” and then we go into the specifics.

[David Spark] And then they start asking, “How bad is this event?”

[Mary Rose Martinez] Well, and that’s where you actually have to be prepared in terms of what questions come your way, right?

[David Spark] Mm-hmm.

[Mary Rose Martinez] And you can preempt some of that with saying, “This is how much we know at this time.” And you can also then do the cadence of reporting, etc.

[David Spark] Okay. I am taking the same question to you, Allan. When it comes to communicating bad news to the board and C-suite, what techniques work best for you?

[Allan Cockriel] Well, I think if you’re in front of the board for the first time and you’re in a crisis, it’s going to be a career-limiting opportunity.

[David Spark] That is a good point. Very good.

[Allan Cockriel] There’s not a lot of good things that can happen in that. But I think Mary Rose did a great job talking about the trust, the credibility, the data points that they have with you to make sure that you show up as a business leader that just happens to have a discipline/expertise in cybersecurity.

So, again, very similar, lead with data, speak through the lens of the business strategy, show up not as a technocrat but as a business leader there trying to help run the business in the most secure way possible.

[David Spark] Okay. I’m going to ask also the other question I asked, what’s your opening line? Because you have to tell the bad news, just how do you ease that sucker in?

[Allan Cockriel] Well, I can tell you the most feared message that people can get from me is, “We need to talk.” Because that usually means something’s happening, and it usually is at Christmas or it’s Friday before Thanksgiving when things are really going to hit the fan. So, that is the text that…

[David Spark] It’s, “We need to talk.”

[Allan Cockriel] No one wants to get that.

[David Spark] “What’s your address so I can send you a box of chocolates?”

[Allan Cockriel] That’s right.

[David Spark] No, it’s never that. Let’s go just a little bit deeper. We actually did a great episode with this with actually Tim Brown of SolarWinds talking about dealing with really, really intense stress. When that significant – we’re going to call it a significant event – happens, is there a way you sort of say, “We need to stay controlled here and from my viewpoint, here are some options.” Because they know the options for the business, you only know the options from your side.

How do you sort of have that dialogue of, “Okay, what options are we going to take now?”

[Allan Cockriel] I think it really depends on the event. So, in my history I’ve been part of small events and all the way up to state-sponsored events. And when you have the higher sophisticated events and the more extreme events, you really just have to take the decision when you have to shut things down.

And it is the empowerment that you have as a CISO, where you can take that decision and it really is a function of just how bad it is. Can you contain it? Do you know what it is? Can you get the business back online? And for most of the events, they’re very small. You can get them controlled and remediated but then you have the really big-ticket events, and you just have to hit that red button.

[Mary Rose Martinez] That’s really where the tabletop exercises come into play. Our tabletop exercises don’t necessarily press on backup and recovery which is the IT side of the house. We actually have tabletop exercises with the business and say, “How long can you run manually?” and “What can you do in terms of restoration?” I mean, like how long can you run.

It’s really more of understanding on the risk to the business as well.

[David Spark] Oh, let me actually double down on that for a second because I spoke with one CISO who had this question – how long can you run without power and internet? They said, “Oh, 24 or 48 hours.” And they actually had an incident and they realized they couldn’t handle an hour. And so how do you get that real number of what they can really handle?

[Mary Rose Martinez] It’s actually very tough. I’ve had tabletop exercises where they are very optimistic. And optimistic is, “We can run for three to four days,” and that’s optimistic, and you find out that it’s not even that. But you have to just keep pressing and then keep running the exercises and trying to make it more and more grave and then that helps really push that button.

Sponsor – Censys

14:59.762

[David Spark] I do want to mention our awesome sponsor Censys. Thank you so much for sponsoring this episode. Let me tell you a little something about Censys. So, first I’ll explain something many of the people in the room and those listening understand. Protecting your company from a cyber attack is a pretty monumental task.

Surprise, surprise. We all know this. But not only do you have to stay a step ahead of the threat actors who, let’s face it, are getting increasingly good at what they do. You have to secure a technology landscape that’s becoming more vast, complex, and fragmented.

So, think about all of your company’s internet-connected tech. We’re talking about assets living in the cloud, your software and web properties, remote devices, not to mention all the shadow IT you don’t even know about. As your digital footprint grows, it becomes more challenging to identify, monitor, and defend all that you own, and just one unknown or undermanaged asset can be an attacker’s point of entry to your network.

That’s why continuous visibility into your entire attack surface and larger threat landscape is critical. To prevent an attack, you need visibility that’s informed by a comprehensive, highly contextualized set of internet intelligence for both proactive and reactive security analysis at scale. You need visibility into all of the exposures an attacker could exploit, and this is exactly the kind of visibility our sponsor Censys provides.

With the Censys internet intelligence platform, your security team can access the most comprehensive, accurate, and up-to-date internet data available so that you can take down threats in as close to real-time as possible with no deployment or configuration required. Governments, enterprises, and researchers around the world use Censys to defend their attack surfaces and hunt for threats, including the US government and over half of the Fortune 500.

You can learn more about Censys on their website Censys.com.

It’s time to play “What’s Worse?”

17:15.120

[David Spark] All right, for those of you who are familiar with this show, you know this game. “What’s Worse?” is essentially a series of bad things or two options of bad things and you have to tell me of these two horrible things which one is worse. You’re familiar with how the game’s played? It’s essentially a risk management exercise, that’s it.

I will make Allan answer first and then, Mary Rose, you can agree or disagree with him. Sometimes we have people agreeing but for completely different reasons, so feel free. We’re going to play two rounds of this. Here’s the first round, it comes from Osman Young of Setec Astronomy. Now that is a pseudonym, Osman hands down, he delivers the most creative scenarios we’ve ever had, and this is another good one.

All right? And by the way, if any of you know the movie, Setec Astronomy, that is the company in the movie Sneakers, so we know it’s a pseudonym. All right, here we go. Here’s the situation.

A ransomware group publicly claims to have compromised your environment and stolen troves of sensitive data. They threaten to dump it if you don’t pay the ransom. Okay, two scenarios. Scenario number one – sure enough, coinciding with the ransom demand, a very low criticality system with no customer data was encrypted.

You decide not to pay the ransom and restore from backup. True to their word, the group dumps the data online. No one’s sensitive data was exposed but now your customers are skittish about trusting you to protect their data. That’s scenario number one.

Scenario number two – your SOC thoroughly investigates the matter and finds absolutely no evidence of a compromise of any systems that contain sensitive data. You come to the conclusion that the ransomware group is bluffing, and you publicly call horse manure. I believe you use more colorful language.

The deadline comes and goes, and nothing happens. However, now some customers are suspicious that you actually were badly compromised and secretly paid the ransom to get your data back. Many are skittish about doing business with you. All right, Allan. What’s worse?

[Allan Cockriel] I would say it’s the second one. So, we wouldn’t engage in that situation and the fact that you just basically upped the ante led to just a bigger firefight, so the second one’s by far worse.

[David Spark] Hold it. So, the second one where you see nothing happening, but the community thinks you did do something where you didn’t is worse.

[Allan Cockriel] And then publicly escalate with an attacker. We wouldn’t do that.

[David Spark] No, you don’t publicly escalate with the attacker.

[Allan Cockriel] Oh, you publicly call horse manure?

[David Spark] You call horse manure. I mean, you’re not escalating but you’re saying…

[Allan Cockriel] We’re very classy, we don’t use horse manure.

[David Spark] You don’t. All right. But you don’t fight them, you say, “We think they’re lying.” I mean, you don’t really do a full…

[Mary Rose Martinez] But there is no data at the end, that second one, right?

[David Spark] There’s no data released in the second one, but the audience thinks it. So, it’s the reality and what people perceive is going on. So, they think you released. It’s interesting. It’s not the reality but what they think. So, what are you, I’m sorry, you sticking with your answer?

[Allan Cockriel] I’m sticking with it.

[David Spark] You’re sticking with it, the second one is worse. What do you think, Mary Rose?

[Mary Rose Martinez] The first one is worse.

[David Spark] Okay, why?

[Mary Rose Martinez] Well, because there was an actual breach.

[David Spark] But it wasn’t really sensitive data, that’s the other thing.

[Mary Rose Martinez] But on both situations, your customers are skittish regardless.

[David Spark] Correct. But one is skittish because they think, even though you didn’t, that you palled up with the attackers.

[Mary Rose Martinez] I would still say number one is worse.

[David Spark] Okay, so give me more details of that.

[Mary Rose Martinez] Well, maybe that’s going to be a test really of the relationship you have with your customers. If they believe, and you’ve had a solid relationship so far, they believe that you’re telling the truth, then I would say that’s the better scenario.

[David Spark] Better scenario with the worst, but they’re still skittish about working with you in both.

[Mary Rose Martinez] They’re skittish regardless, right?

[David Spark] One they think you’re telling the truth; the other one they think you’re lying.

[Mary Rose Martinez] Yeah. But they’re both skittish regardless and in the first scenario, you’ve actually encouraged the attackers to actually conduct more aggressive attacks if you’re willing to pay.

[David Spark] You don’t pay the ransom in the first scenario.

[Mary Rose Martinez] Oh, I’m sorry, you didn’t pay. We are so bad at…

[Crosstalk 00:21:26]

[Laughter]

[David Spark] Let me go through the details of this.

[Mary Rose Martinez] …so bad at this game, Allan.

[David Spark] Let me go through the details of this. In the first scenario, data was released but it’s not highly sensitive, all right? But you don’t pay the ransom and you restore from backup. Still, they’re skittish with you. In the second scenario, you see nothing that was taken so you think they’re bluffing, and you publicly call on them.

And the date comes and goes, and they don’t do anything, they don’t come after you. Like, even though you make a public thing, they don’t come after you. But your customers think that there was some collusion going on and they’re skittish of working with you.

[Mary Rose Martinez] In the first scenario, did anybody go public?

[David Spark] No. Nobody went public. Although data was exposed but nothing sensitive. So, you do, I’ll probably have to say, okay, data was exposed but nothing sensitive.

[Mary Rose Martinez] Yeah. But you still have to disclose that, especially with our new SEC disclosures.

[Allan Cockriel] Yes.

[David Spark] You would still have to disclose it. So, how do we feel on this? Are we still good?

[Mary Rose Martinez] I’m still sticking with number one.

[David Spark] You’re still sticking, number one is worse. And you’re still sticking with number two?

[Allan Cockriel] I like it, I like number two. You control your narrative.

[David Spark] Hold it.

[Mary Rose Martinez] No.

[David Spark] It’s “What’s Worse?”

[Allan Cockriel] So, number two is the worst and then the first one, you own your narrative, you’re transparent, you get out there and you own it.

[David Spark] Okay. So, you think number one is worse, right?

[Mary Rose Martinez] Yeah. I own my narrative in number two, in my mind.

[David Spark] Number two, you don’t. Hold on.

[Laughter]

[David Spark] Wow. I’ve never had CISOs so confused by a “What’s Worse?” scenario.

[Laughter]

[David Spark] All right. Number two, they think you did, they think you colluded even though you didn’t. So, you think that’s better than the first scenario?

[Mary Rose Martinez] Yes.

[David Spark] Okay. And you think the second scenario’s worse?

[Allan Cockriel] Absolutely.

[David Spark] All right. Did our audience understand everything here?

[Laughter]

[David Spark] All right. I’m going to get applause of, again, what you think is worse, not better. Who thinks the first scenario, where you don’t pay the ransom, restore from backup, but some nonsensitive data is exposed, is worse? By applause, how many people think that’s worse?

[Applause]

[David Spark] All right. A lot of people are agreeing with you, Mary Rose. All right. Who thinks the second scenario where nothing happens but everyone thinks you colluded is worse? By applause.

[Applause]

[David Spark] A good number but I think Mary Rose, I think more on your side. All right. This next one I think is a little bit easier to follow, and kudos to Osman Young for just confusing our…

[Mary Rose Martinez] We’re horrible players. Oh, my gosh.

[David Spark] All right, here we go, second scenario from Dustin Sachs of World Fuel Services. What’s worse – taking over for a CISO whose employees love them and they’re predisposed to not like you or taking over for a CISO who the board loved, and the board is predisposed to not like you? Mary Rose, I’ll actually make you answer this one first.

What do you think is worse?

[Mary Rose Martinez] I think the first one is worse.

[David Spark] So, the employees not liking you?

[Mary Rose Martinez] Employees not liking me. That would be worse because at the end of the day, cybersecurity’s based on your team and your folks. And if you’re able to execute on strategies and such because you have a team that’s going to be with you, then you can prove that up to the board eventually and build that credibility.

But the flip side, so number one is worse.

[David Spark] But I would also argue that if the board doesn’t like you, you probably won’t get any money, and you might not even have a staff at that point. [Laughter]

[Mary Rose Martinez] I would actually, that’s where you use data and risk and all those other ways to basically…

[David Spark] So, you win them over in some sense?

[Mary Rose Martinez] Well, I’m not winning them over because apparently, they don’t like me.

[David Spark] Yeah, they don’t like you.

[Mary Rose Martinez] I will use data and facts.

[David Spark] And who could not like you, Mary Rose? Geez.

[Mary Rose Martinez] But I will use data and facts.

[David Spark] I don’t like these employees who don’t like you, I’ll tell you that much. All right, Allan.

[Allan Cockriel] All right. So, I would normally agree with Mary Rose but for the purpose of the conversation I’ll take up the board conversation.

[David Spark] And that’s worse?

[Allan Cockriel] I think that’s worse.

[David Spark] Why?

[Allan Cockriel] So, if you’re starting from a point that leadership doesn’t trust you, they don’t like you, they won’t invest in you, you don’t have credibility, then it’s just going to be very, very difficult. You can have a great team but if every time they go up, your message falls on deaf ears, I think that’s probably, of the two, the worst of the two scenarios.

[David Spark] All right. I throw this now again to the audience. Which ones think the worse scenario is your employees don’t like you? They’re predisposed to not like you. By applause.

[Applause]

[David Spark] That’s a good amount, good amount. By applause, how many think it’s worse that the board is predisposed to not like you?

[Applause]

[David Spark] Ah!

[Allan Cockriel] Got to do a tiebreaker.

[David Spark] Allan comes out top on that one.

How to become a CISO

25:53.043

[David Spark] “The deck couldn’t be more stacked against succession planning for CISOs,” said Matt Aiello of Heidrick & Struggles. A survey by the executive recruitment firm found that many organizations lack any plan for their next CISO. Those that do generally only have one candidate in mind. The talent pool for CISOs with wider business risk experience is already thin.

And compared to other C-suite positions, firms are almost twice as likely to bring in an outsider for the role rather than hire within. In an industry as compartmentalized as cybersecurity – I’m going to ask you, Mary Rose, first – how can organizations groom their next CISO by developing internally cyber leaders with more general business skills?

[Mary Rose Martinez] So, I take a two-pronged approach. One is how do I take cyber personnel and make them more business and risk savvy, and the second is how do I take business personnel and make them more cyber savvy. So, let me talk about the first one. So, on the very first one, it’s more of exposing your team to the business.

I expose them to business strategy, we do quarterly strategic planning meetings where you actually are able to roll up and pull them out of their day to day and see how what they do rolls up into the organization. I actually ask my team, “Did you listen to the last earnings call?” Really, going back into the partnership and collaboration and really understanding the business, the very business that we’re trying to secure is super important in terms of doing that.

From the external perspective, in other words taking someone outside of our organization and making them cyber savvy, whenever I have an organization, I usually design my organization such that there’s at least one role on my leadership team that does not require cyber expertise in order to succeed and that allows for job rotations inside my organization and to make more folks who are business folks more cyber savvy.

[David Spark] Ah.

[Mary Rose Martinez] I would also like to point out that I myself was not born and raised in cyber. So, I had multiple roles inside and outside of IT and was fortunate enough to have a leader who entrusted me with a position. I entered cybersecurity at the CISO position.

[David Spark] All right, excellent answer. Your take on this?

[Allan Cockriel] You’re going to think I’m copying Mary Rose but I’m also a CISO in sheep’s clothing as well. So, I spent most of my career in IT and Operations, but in terms of succession planning within the team, I think rotations are the way forward. You got to get people out of the technology for a certain amount of time, in the business and as far into the business as they can comfortably go, where they’re successful.

And that is either pulling them out of their role and putting them in a functional role or starting to get them involved in the business side of IT. So, that’s everything from budgeting to strategy, any type of commercial activity. You just have to get people exposed to broaden them to understand how do you actually monetize IT and what’s the importance of security in that monetization.

And I think it’s also just building the softer skills as well, so how do you communicate, how do you roll up a message, how do you create a strategy, how do you start to show, again, the importance of cyber but framed in the context of the business strategy. And there’s a lot of formal and informal ways to do that, but you have to have people that are willing to step out of their comfort zone and willing to get into those areas, where if they’re a 20+-year veteran of core technology, it’s uncomfortable to be in a completely new space.

But I think through that activity and getting people out of their comfort zone, you start to create some really well-rounded leaders.

[David Spark] Question for both of you. Now, when you’re doing this to try to groom more leaders because really, this is something that you’re doing for the business because the business needs it. Do you discuss with the business saying, “Hey, we need to groom more senior-level cybersecurity people”?

A, does that conversation happen, and then B, if someone listening to this who would like to be a CISO someday, what would be a good way to approach you? Saying like, “I don’t know what I should be doing more differently to groom myself to be a CISO.” So, question – how do you bring the C-suite or board in, and then B, what should the person say if they want to be doing this.

Either one of you.

[Allan Cockriel] I think in terms of the conversation around how do you actually get this ball rolling, the average tenure of a CISO now is three or four years, and with boards and senior leaders getting more expertise in cybersecurity, they know it’s a role that can turn over. So, just from their perspective, I want to be in my role for a long period of time, but the reality is the world can change and I think once you have that conversation and they say, “Well, okay, who is your backfill or who is your successor and what’s your pipeline of talent throughout the organization?” Then it becomes very, very clear that you need that type of skillset and that type of succession planning.

Then the other reality is that cybersecurity leaders make a lot of money so they can get poached and make a tremendous amount of money to go next door, so you have to make sure that that succession planning goes through your entire organization. And in terms of people that are interested in being a CISO, I kind of give them my background, I say, “Look, I know cyber because I went through a very, very severe cybersecurity attack as a CIO.

And having to cold start the business and rebuild literally everything from scratch is a trial by fire when it comes to being a cybersecurity leader. So, there’s no straight line, there’s no checklist. You just have to be very curious and keep learning.

I tell you CISOs get no respect.

31:16.388

[David Spark] Most large companies have a CISO these days, but not many of them are listed in the ranks of executive leadership. Journalist Brian Krebs found that only five companies in the Fortune 100 had a CISO or CSO listed in the highest corporate echelons, a number unchanged since 2018. Meanwhile, departments that would likely be most impacted by data breaches, like marketing or human resources, are commonly listed in leadership.

So, we’ve seen big shifts in the importance in security over the last five years, first question is why isn’t that reflected in executive leadership – I’m going to start with you, Mary Rose – and with the new SEC requirements around disclosure of cybersecurity expertise, my guess is this is now going to be a required change for publicly traded companies.

What do you think?

[Mary Rose Martinez] Well, actually they took that out of the SEC disclosures.

[Allan Cockriel] That got dropped.

[David Spark] Well, it’s not required but you have to disclose what the expertise is, right? It’s not required.

[Mary Rose Martinez] It’s highly softened.

[David Spark] Okay.

[Mary Rose Martinez] The language was highly softened with respect to cybersecurity expertise on the board. I think it’s a matter of time and it’s a question of maturity, quite frankly, but I would say I would not let an org chart hold you back, right? Don’t let an org chart hold you back from representing the office and executing your job.

If you do those, you build credibility. With credibility, you formulate essentially and become a voice of authority, and with that you get your job done. Now, granted, policies and such grant a CISO explicit authority. I personally don’t like to use it. Like I mentioned, I like to partner with the business and influence and jointly come to a conclusion around cybersecurity controls and risk management and risk mitigation because I find that has way more durability than using the big stick.

[David Spark] All right. What’s your take on this?

[Allan Cockriel] If I roll the clock back 20+ years, there weren’t a lot of CFOs and financial folks in the boardrooms. It took Enron, WorldCom, and basically a gigantic financial collapse to have SOX, which required that type of expertise in the room. Now, I hope we don’t have that level of catastrophic event happen from a cybersecurity perspective, but I think if you look at the last couple of years, you’re seeing enough risk in cybersecurity, you’re seeing the geopolitical tensions, you’re seeing the rapid frequency of fairly significant events, and then you see the SEC responding.

So, I see the direction of travel headed that way where cybersecurity is going to be a critical part of leadership. Hopefully, it doesn’t take a major catastrophe to get there.

[David Spark] I mean, then this is maybe good news in that, all right, we’re all kind of coming onboard, we see we don’t need an Enron-like type scandal to force this to happen. Because we’ve seen this. This is not just with the SEC ruling. We’ve seen prior regulations that said somebody needs to be in charge of privacy or this data or something like that, which translated meant, “Oh, go get yourself a CISO.”

[Allan Cockriel] I think that’s a big part of it. A lot of the global regulations that are happening in Europe now, you have NIS2, you have DORA, you have all the regulations that are happening in China and potentially in India, and these are all regulations that are going to force corporates to be far more responsible from a security and a data privacy perspective.

And I see that all forcing pressure to have that expertise in the boardroom and senior executive leadership because it’s going to be a key part to the way companies are operating.

It’s time for the audience question speed round.

34:42.697

[David Spark] We have some time left and I actually have a lot of questions in my right hand here written on index cards that came from this audience that I’m looking at right in front of me. I have questions. We’re going to get through as many of these as we possibly can. And again, you can both answer or one of you can answer.

Let’s just see how many we can get through. This comes from Juan Gomez Sanchez who’s the CISO over at Whirlpool Corp. So, you’re starting a new job, brand new, what’s one piece of information you want to learn on day one? Allan?

[Allan Cockriel] I would learn how decisions get done in the company, what’s the subculture for how things get done in the company.

[David Spark] Good answer.

[Mary Rose Martinez] That’s a good answer. What he said.

[Laughter]

[David Spark] All right. Ditto for Mary Rose. All right. This comes from John Scrimsher over at Kontoor Brands. Ah, this is a good question, I like this one. What’s the business function that has the lowest cyber risk you think, Mary Rose?

[Mary Rose Martinez] One that does not have any systems whatsoever.

[Laughter]

[David Spark] And what is that business function?

[Allan Cockriel] She wants to make friends and keep friends with her corporate functional partners.

[David Spark] Here’s the thing – I’m not saying it doesn’t have any cyber risk, but if you were to rank all the business functions, this one’s at the lowest. And by the way, the spectrum could be from 9.5 to 9.6. [Laughter]

[David Spark] We’re getting a lot of answers from the audience.

[Mary Rose Martinez] I know. I want to say is it physical security?

[David Spark] What do you want to do? You want to call a friend? Is that what you want to do?

[Mary Rose Martinez] Yeah. Can I call a friend? Physical security?

[David Spark] Physical security. There are digital connections. Okay. You think that’s the lowest cyber risk?

[Allan Cockriel] I would say sales and marketing. I love those guys but they’re cowboys and cowgirls.

[David Spark] Yeah.

[Allan Cockriel] Yeah. Not a lot of cyber skills in marketing.

[Mary Rose Martinez] Why would they have the lowest cyber risk? I was thinking of sales and marketing which is customer information and such. Why would they have the lowest cyber risk?

[Allan Cockriel] Have you met a sales and marketing person?

[Laughter]

[David Spark] They don’t have access to this information.

[Mary Rose Martinez] Once again, Allan is correct.

[Allan Cockriel] No, I like them.

[David Spark] All right.

[Allan Cockriel] They’re my favorite.

[David Spark] Okay, CISO Arvin Bansal has this question. What is the one aspect of security your – and I can’t stress the “one” part on this because this could be a long list – what is the one aspect of security you’re frustrated with that over two decades still hasn’t been solved?

[Allan Cockriel] Agh.

[David Spark] Pick one. Just one, the one that’s like, “Oh, my God. Why hasn’t this been solved?”

[Allan Cockriel] I want OT security vendors to play together a lot nicer than they do today. So, if you guys can solve that, if we can solve that as an industry, that is a tremendous burden.

[David Spark] Good answer, yes.

[Mary Rose Martinez] That is a very good answer but since Allan took that one, I’m going to go with passwords.

[David Spark] Passwords, oh yeah. That’s more than a two-decade problem, geez. That is good. Why are we still on passwords? The passwordless companies out there I’m sure have an answer to that. All right, next question. This comes from Nebai Tecleab of Intercast Global. For what reason do you reject candidates?

[Mary Rose Martinez] Those who are not willing to learn.

[Allan Cockriel] Yep.

[Mary Rose Martinez] I always hire attitude over aptitude.

[Allan Cockriel] I fully agree with that. The only thing I would add to it is that you have to have people that are persistent and that are willing to figure things out. So, they have to be creative, they have to think on their feet, they have to solve problems because that is cybersecurity. It’s all about solving problems.

[David Spark] All right. Another question from Juan Gomez Sanchez over at Whirlpool.

[Allan Cockriel] He’s busy.

[David Spark] You’re in an interview, okay? By the way, I’m speaking to Shell and Marathon Petroleum, they are not currently interviewing right now. The interviewer says something to you and at that point, whatever the heck they say, you say, “I’m out.” What’s that trigger? During an interview, what can get you just completely out of the interview or like, “I’m not working for this company,” what would happen?

[Mary Rose Martinez] If I don’t have autonomy.

[David Spark] You don’t have autonomy. Oh, good answer. You’re nodding to that, Allan.

[Allan Cockriel] She just sets up all the perfect answers. I have to think on my feet now. I would say if IT is not an important part of the business. If IT is only viewed as a cost center and a back-office function, there’s very little hope that you’ll be successful as a security leader.

[David Spark] Ooh, good answer, good answer. All right. We still have time for a couple more here. Okay, got two questions on generative AI. You knew you weren’t going to get out of this without that.

[Allan Cockriel] What is that?

[Laughter]

[David Spark] Okay. What is one risk of generative AI that we do not see today? And this comes from Ali Syed of Amway.

[Allan Cockriel] I think for me, it’s how many different avenues GenAI will come into a company. Because I think a lot of folks say, “Well, I’ll go to GenAI.com, that’ll be the extent, that’ll be the conduit into the organization.” I see this technology coming in through every single facet of every product that we have and every vendor that comes to work with us and I think not understanding and realizing that will shoot a lot of folks in the foot.

[Mary Rose Martinez] For me it’s misinformation and disinformation of the future. So, you could seed existing large learning models today and it becomes the ground truth in five years.

[David Spark] And actually the flip side of that from Tony Velleca, CISO over at UST. Where have you seen generative AI actually help in security operations?

[Mary Rose Martinez] The promise is that it could help with respect to our SOC operations. That’s really where I see a lot of the use cases around GenAI.

[Allan Cockriel] Perfect, yep, same.

[David Spark] There’s a lot of ditto with Mary Rose here, isn’t there? All right, very last question. Again, Juan Gomez Sanchez over at Whirlpool was on fire.

[Laughter]

[David Spark] I like this question. What is the best question, when you’re interviewing a security pro to join your team, what do you find the best question to filter people out or to find if they’re good or not, what’s the best question to ask?

[Allan Cockriel] I always ask them the last thing they learned. Walk me through something that you’ve learned recently.

[Mary Rose Martinez] I use this question not just for security purposes but really just to interview folks in general and it’s usually I just say what is the greatest compliment anyone’s ever paid you. You would be surprised at the kinds of answers that you get.

[David Spark] Give me one, what you’ve heard.

[Mary Rose Martinez] So, some people would talk about being a good parent, some will talk about only work, some will talk about their integrity. So, really it gives a lot of insight into a person.

[David Spark] Love it.

Closing

41:07.042

[David Spark] Well, that is the end of our show. Big warm round of applause for my guest Allan Cockriel.

[Applause]

[David Spark] And Mary Rose Martinez as well.

[Applause]

[David Spark] Thank you very much. I’m going to let the two of you have the last word. Are there any last words? You can mention if you’re hiring or anything right now, any last words to our audience here and the people listening at home?

[Allan Cockriel] I think for the people listening at home, keep fighting the good fight. Cybersecurity is an incredibly important part of the way we operate and the way the world operates, so keep fighting the good fight.

[Mary Rose Martinez] Absolutely. Whether it’s your job or not, it’s all of our jobs.

[David Spark] All right. Well, I want to thank Evanta for bringing us out yet again for the show. And I have a big announcement to make for Evanta and that is they have announced the date and location of next year’s Global CISO Executive Summit. It is going to be held at the Fairmont Grand Del Mar September 16th through 18th, that’s 2024.

So, if you’ve got plans, you’re canceling them and you’re going to be there joining us for this event, and we are so thrilled that they asked us back again and hopefully we’ll be there again next year as well. So, we’ll see you at the Fairmont Grand Del Mar in 2024. And I want to thank our audience here as well.

And our sponsor as well, Censys.com, please check out their stuff at Censys.com, the leading internet intelligence platform for threat hunting and exposure management. And again, to our audience, we greatly appreciate your contributions and listening to the CISO Series Podcast.

[Applause]

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.