Often, news reports about a company data leak come from threat actors who perpetrated the attack. News organizations can be quick to pick up reports that organizations suffered a data leak, even when they come from these unreliable sources. So what should a company do when their name is in the press, but they didn’t actually suffer a security incident? How much difference is there in responding to a fake data breach versus a real one?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Bob Schuetter, CISO, Ashland.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Thoropass
Full Transcript
Intro
0:00.000
[Voiceover] Best advice for a CISO. Go!
[Bob Schuetter] Fundamentally, our real job and the responsibility we have is not to actually mitigate risk. It’s actually to fundamentally transform risk-taking from downside risk to upside risk that has business value, right? Things that the company can actually go forward with and make more money out of.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series. And joining me is my co-host for this very episode. His name is Andy Ellis. He’s the operating partner for YL Ventures. Andy, say hello to the audience.
[Andy Ellis] Shalom.
[David Spark] I will take that as well. Aloha works as well. We’re available at CISOseries.com. Why not check out our other programs? We have tons of shows on the CISO Series. Our sponsor for today’s episode is Thoropass, meeting you where you are on your compliance journey.
That is what Thoropass does, and we’ll have more about just that a little bit later in the show. Andy, we are recording this episode in late October, and I just came back from the Chicagoland area where I attended a Pinball Expo. My son actually beat me in a competition there. Literally.
[Andy Ellis] Excellent! Well done.
[David Spark] We were ranked 157 – by the way, don’t get too excited, we were like 107, 108 out of 157 – but he was 107 and I was literally right after him, 108.
[Andy Ellis] Well done. What more can you ask for as a parent?
[David Spark] Yeah. He just barely, barely beat me. It was tough. Here’s the other thing, let me ask you if you’ve done this, and this is what I’m working on these days. I’m trying to figure out how I can mix my two worlds of my interest in pinball and my interest in the cyber world.
And I am working connections, I did make some connections over at Stern and also up at Marco Pinballs. Stern is the biggest manufacturer of pinball machines.
[Andy Ellis] Mm-hmm.
[David Spark] Marco is the biggest supplier of pinball parts. I’m working all the angles I can. I’m going to figure somehow to bring this all together.
[Andy Ellis] Maybe you need a CISO Series pinball game.
[David Spark] Interesting you mention that because at this convention we were at, the Pinball Expo, they have what they call the home-brew machines, people who build their own pinball machines, so it’s conceivable that could exist. The problem is, I’m not as mechanically inclined to actually build a CISO Series pinball machine.
[Andy Ellis] But I bet one of your listeners is.
[David Spark] Oh, I’d be impressed. I’m interested to know if there’s any. I do know a few of our listeners who are into pinball, but I don’t know if they’re as capable as making their own machine, but that I would love. Hold it, wait. Our guest is saying…
Hold it, we’re going to bring them in. Are you capable of making a pinball machine, Bob?
[Bob Schuetter] So, we have made a number of virtual pinball playfields, right? So, that’s an angle for you. So, yeah, I’m actually a pinball player as well. I’ve got four or five pinball machines in the basement.
[David Spark] Which machines do you have?
[Bob Schuetter] So, I’ve got mine basically on theme. So, it’s Star Wars, Mandalorian, Jurassic Park, all the big kind of movie themes that we love.
[David Spark] I have the Jurassic Park machine as well.
[Bob Schuetter] Was a big Jersey Jack player for a while, and had Pirates of the Caribbean, had Dialed In!, had a number of those.
[David Spark] Oh, jeez. You have a much bigger collection than I have.
[Bob Schuetter] [Laughter] Yeah. Think about the virtual pinball. You can actually put it into a full pinball machine case and play it like real.
[Andy Ellis] And listeners, that’s the voice of Bob Schuetter, the CISO of Ashland that David normally would have welcomed, but pinball always trumps for David.
[David Spark] Yeah, it does. Well, I’m impressed, Bob. Then you and I need to play. I didn’t know that because when I was in Nashville, when I met you, I went to a place called Game Terminal that has over a hundred machines. Did you see it?
[Bob Schuetter] I did. I was there for a little bit, actually.
[David Spark] Ah! I’m bummed I wasn’t there with you. All right. Well, everybody, that’s Bob Schuetter who is the CISO over at Ashland. Thank you so much for joining us, Bob.
[Bob Schuetter] No, thanks for the invitation, really appreciate it.
Why is everyone talking about this now?
4:18.565
[David Spark] Over on our Cyber Security Headlines show, we’ve covered more stories about ransomware groups putting up an organization on their leak site, posting allegedly leaked data, only for the company to deny that they were actually breached. So, what’s an organization to do when the media is reporting these claims?
Rosalyn Page outlined some steps for dealing with this issue on CSO Online. These include getting “proof of life” from the alleged hackers that they got access, following through with response plans as if it were legitimate, and communicating with all stakeholders in the process.
Andy, walk me through this. How would you handle responding to a fake breach claim?
[Andy Ellis] The first thing I’d want to do is I want to assume I’m breached and assume I’m not breached. I think people often get this wrong. They only want to do one of those two and you have to do both. So, you have to make sure anything you say is relevant and true, whichever one of those scenarios it is.
So, if I say let’s assume I’m not breached, let’s go figure out how this data could have been falsified, how it’s not legitimate. Now if I assume I am breached, let’s figure out where they could have gotten this data from because maybe in the things that make me think it’s not breached because they put up a bunch of customers and there’s some interesting ones that are missing.
I say, “Okay, well, maybe they’re looking at a backup copy of my site from before I had those three customers that I don’t see.” So, you really want to sort of hunt down both of these tracks to figure it out. So, you’re really running parallel incidents, one of which is just a PR issue of, “Okay, somebody’s lying about me in public.” But one of which is a PR and a security issue, which is, “Somebody’s pointing out in public that I have bad security.” And whichever one is true, I want to have the humility to accept that I might not be right about which one is true.
[David Spark] And my guess is that can very much conceivably happen, in that you could claim, “We haven’t been breached,” but you were wrong about that.
[Andy Ellis] Right.
[David Spark] That’s a really good point. Bob, how would you handle this situation, and have you ever seen anything like this in your environment that someone accused you, saying that they did breach you, but it didn’t really happen?
[Bob Schuetter] Not quite to that level. What we did see actually just this last week is a spoof that looks like an email to the target of a spoof of themselves, saying, “We’re inside your email address.” Well, it wasn’t, it was a spoofed email address, right?
But that’s one of the first that I saw of oh, my gosh, here’s a scenario where they’re claiming they’re inside your email box, right? They never were. And I think to some degree we’re going to see this more and more as we kind of see… After a big scale ransomware event, you have potentially more class-action lawsuits come on board, but as data gets posted, I could absolutely see more attackers try and jump onto this.
But the other piece that I have lived through, and I’ve seen it before, is multiple attackers come forward and say, “Hey, we have compromised your environment,” and in some of those environments that were maybe a big zero-day came through, things like that, it’s very possible to have multiple attackers actually successfully compromise you at once.
So, which one’s the real one that you should be working with, right?
[David Spark] That actually sounds like… [Laughter] Do you want to work with one? I think you have to deal with all of them because they’re all going to want something out of you, aren’t they? Yes?
[Bob Schuetter] Yeah, absolutely. I think that’s, back to Andy’s point, that becomes the interesting piece here, is identifying who it is, identifying that it’s real, assuming that maybe it is, and how do you validate that? How do you justify it? What do you show within the environment that says, “Yes, this is real-time, it is recent, and they do still have access.” To some degree, if you do have a communications channel open, that can also be kind of your jumpstart into the forensics side of it, right, to get them to show, “Hey, go look over here, I left this for you.”
[David Spark] Andy, can you ever make a confident claim at any point, like when it’s a bogus claim of a breach, saying, “All right, I think we can comfortably say we were not breached, and we can flat out publicly claim that this is bogus,” or you don’t like to do that?
[Andy Ellis] So, I think that – second half of that sentence – you don’t say, “I was not breached.” You say, “This is not evidence of a breach.”
[David Spark] Okay.
[Andy Ellis] Right? Because you might look at something and say, like, “Look. There’s a list of things and it looks like it might be our customers, but there’s things in there that have never been in our customer database. Not a breach.” Right? If they’ve put something that’s clearly false.
[Bob Schuetter] And you hit the nail on the head with the specifics. What do we actually truly know? What’s an assumption, and what’s actual evidence and data? Right? That has to be your way through it. In every situation, you do need to go through and make sure you’re following your guidance, your structure, to assume that this is real and that you’re taking it seriously.
How a security vendor helped me this week.
9:18.764
[David Spark] Where does vendor size make the biggest difference? It seems like when it comes to vendors, a lot of CISOs like to get in with vendors early. Now, we’ve talked about this on the show before, actually. How many of our CISOs do like to work with startups.
So, your company, Andy, YL Ventures, recently published its CISO Circuit Report, and it found that 12% of CISOs will only meet with early-stage startups. First, why do they demand this? It’s an interesting requirement. What are the advantages? I do know some of them, but I want to hear from you.
And in a piece for SC Media, Liat Hayun said, “Speed of innovation and flexibility are a startup’s advantages, while incumbents can benefit from scale and reputation.” So, again, Andy, what have you seen that draws you to a cybersecurity startup versus an established vendor?
I know you work with a lot of startups for that matter, so I know you’re going to be very much pro that. But I’m interested in this, “12% of CISOs will only meet with early-stage startups.” Why do you think they react like that?
[Andy Ellis] So, really important to understand the context of that edition of the CISO Circuit. And for those not familiar, we survey an awful lot of CISOs and ask them, “Hey, here’s a set of questions, we’re trying to get your vibe on something.” And this was in the context of saying, “Hey, economic downturn, what’s going on with your budget?
How many of you have seen the budget fall? How are you dealing with vendors?” Because certainly a lot of people, some say, “I’m not engaging with any vendors right now. Either you’re in my portfolio, or no conversations.” I forgot what the number was there.
But 12% basically were saying, “I cannot justify a large purchase from a vendor right now, so the only people I’m engaging with are the startups who might understand it’s a long sales cycle. I might be able to get something super discounted.” Especially if I’m going to be one of those early flagship customers, where I’m exploring a solution that is narrowly tailored to a problem I’ve got, or that’s widely tailored to a problem nobody else in the company believes.
Because one thing that a lot of startups are doing, is they’re solving the problems that the rest of your business partners have not believed were problems. So, last year, you couldn’t have been tackling this problem at all. And by next year, you will have had to tackle it.
And therefore, you’re going to engage with a startup right now, figure out exactly how you’re going to deal with it, and sort of strike when the moment is right. When nobody will question that, “Oh, yeah. I’m going to go spend some money on maybe tackling SaaS security, and that’s what I’m dealing with,” or maybe it’s the new DLP, and I’m dealing with that, or process optimization, and cleaning up all of our security processes that don’t work.
All of those are things that a few years ago, nobody would justify spending money on. And in three years, every CISO’s going to have to have spent money on them, and so startups are the place you often go look first.
[David Spark] Getting a leg up. All right, Bob. What’s your feeling with engaging with startups? Let’s just start overall.
[Bob Schuetter] So, overall, we’re big on startups. We like it. We jump in very, very early. We try and get into design partnerships.
[David Spark] And what’s the rationale for getting in early? I mentioned these examples of speed of innovation and flexibility. That, I’m assuming. Anything else?
[Bob Schuetter] It is largely speed based, right, but we also believe that because the speed of innovation on the attacker side is so significant and has actually accelerated in the last couple years, the speed on the defender side has to be equivalent to that acceleration, right?
And the only place we can actually get that is going to be in the startup world. Unfortunately, you are correct in that the large companies, especially the large public companies, they’ve got to show quarter-over-quarter gains. They can’t submit, put in $10 million into this bet that maybe we have something unique or different here that might be commercialized.
[David Spark] I know what you’re going to go with, Andy. It makes no sense for an established company to go the innovation route, does it?
[Andy Ellis] It’s not that it makes no sense. A lot of big companies innovate. I came out of a big company where we innovated our way into being one of the biggest security players in the market, but the challenge is big companies sell to procurement teams, and startups sell to security professionals.
And the way you should think about that is a startup is laser focused on we have a handful of features and we’re going to get them all right, and we will not solve every problem you have. But if you’re a large company, you actually have to check the box on every single problem, so you have to be able to solve to the procurement team that has a list of 750 requirements that this solution needs to meet.
They don’t care if you meet them well, they just care that you can check the box. And so that’s when people talk about the innovation, that’s often really what they mean, is the larger your company is, the more you’re going to spend your energy creating just barely good enough.
And look, I’ve done that myself, so I’m not entirely being critical of it, but these features that maybe isn’t what the buyer really wants for a narrowly tailored problem, right? They’re saying, “Hey, I want to solve this specific thing. I don’t care that you’ve given me a 60% solution to 700 features I don’t need.”
[Bob Schuetter] And quite honestly, in a price range that is appropriate.
[Andy Ellis] Yep.
[Bob Schuetter] Right? So, you are paying for the level of maturity that is currently there. And we take a look at it as, quite honestly, it’s an extension of our capabilities. It’s an extension of our development as well.
Sponsor – Thoropass
14:47.855
[David Spark] Before we go on any further, I do want to tell you about our awesome brand-new sponsor, Thoropass. So, ask your security and IT teams if this sounds familiar – hours of evidence collection, folders of screenshots, messy handoffs to auditors, and an audit cycle that never ends.
If they say to you, “Yep, that’s me,” they’re unfortunately not alone. This common description was the old way of doing InfoSec audits. Thoropass presents a new way called the OrO Way. With Thoropass, it’s all included. You never leave the platform, and they never leave your side.
Looking to get or maintain compliance without the hassle of working with multiple companies or uncertainty about costs and timelines? Go check out their site. Visit thoropass.com to find out how to ditch the old way and get the OrO Way.
It’s time to play “What’s Worse?”
15:49.265
[David Spark] All right, it’s time to play “What’s Worse?” Bob, are you familiar with this segment?
[Bob Schuetter] I am a little bit.
[David Spark] It’s a game of two bad scenarios, neither one is good, although this has pro and con attached to it, this, today’s. This comes from an anonymous listener. The person themself is not anonymous, but they wish to remain anonymous. I know who they are.
[Andy Ellis] [Laughter] Sometimes this means that they’re telling us about a decision they recently faced and don’t want to give it away.
[David Spark] Usually that. Or they don’t want to be publicly heard on our show. One or the other.
[Andy Ellis] Yeah.
[David Spark] Okay. Here we go. I make Andy answer first. You can agree or disagree with him. I always enjoy it when you disagree. So, here we go. And this is actually very relevant to what we just discussed. You have a cybersecurity team that is strapped for resources and the workload is increasing due to rapid growth and innovation of the company.
You can’t focus 100% on either the new functionality and the existing environment. So, what’s worse? You favor new products and you let the established products and procedures atrophy, or you focus on your existing environment and not fully understanding the new technologies and their implications.
So, it’s essentially stay with what you got, focus on that, get that going. As the environment develops and as the new hacks develop, you’re unfortunately not using new tools to it. Or focus on the new tools and let what you got fall apart.
[Andy Ellis] Well, so I just want to clarify. Is this focusing on the new defense or is this focusing on the new environments that I need to protect? So, they’re two very different things that will completely change my answer.
[David Spark] It’s about talking about products.
[Andy Ellis] Okay.
[David Spark] It has to do…
[Andy Ellis] But is it my products or external products?
[David Spark] External products that you’re using. Your tool set. Your security tool set.
[Andy Ellis] Okay. I think the answer is I’m going to stay focused on what I’ve got that’s working because one of the worst things that I can do is sort of keep jumping to the latest thing and never actually get it working. I functionally end up with shelfware.
And I say, “Oh, look, I’ve bought the latest and greatest products, but I have no idea if they actually work.” Because as soon as I start to get something innovative, I’m moving to the next latest and greatest. Because that’s one of the constraints here, is I don’t get to thread the needle and say, “Well, I moved to all the latest today, but then I’m just going to stay on that for three years.”
[David Spark] Well, we’re not looking at this as a complete endless cycle in the environment. This is a one stage. Like today, you’re going to either go all in on new stuff, and you’re going to let everything atrophy, or…
[Andy Ellis] Oh, I get to do this just once? Oh, then I’m totally going and jumping in all in on new stuff right now.
[David Spark] Right now.
[Andy Ellis] And then not innovate past that and just focus on getting that right. And the reason for that is, is that a bunch of that legacy stuff was not helpful. Like, think about the zero-trust revolution that never really developed and happened for everybody.
But there’s an example where when I was at Akamai, we basically went all in and we said, “Okay, we’re going to get rid of our VPN.” We ripped out our VPN. We didn’t have one anymore. Because we went in X.509 certs, multi-factor auth, and boom, upgraded and built a defensive solution that meant that a whole bunch of my legacy stuff I could get rid of.
And so I’m going to do that across the board, move everything up to the latest, be innovative, and get rid of the dead weight. That’s what I want. So, the worst thing to do would be not take this one-time opportunity to move myself forward and just be stuck in the past.
[David Spark] All right, I saw you smiling when all of a sudden Andy switched his answer.
[Bob Schuetter] I said, “Finally he has the right answer.” [Laughter]
[Andy Ellis] Yeah. Well, I thought I was going to be permanently constrained. If I was going to be permanently constrained to always only use new stuff.
[David Spark] Yeah, yeah, yeah. Well, if you’re constantly having to dump stuff, then yeah, that’s a bit…
[Andy Ellis] Yeah. But I think that’s an easy one for me.
[David Spark] All right. And Bob, are you agreeing here?
[Bob Schuetter] 100% agree that especially as you look at the new technologies, the new capabilities, you hope it is displacing a lot of the way we used to work before.
[David Spark] Right.
[Bob Schuetter] So, eventually it does come around and does clean itself up, but you have to be overly aggressive every two to three years. You want to be cutting and going through your tool set and getting rid of the low value capabilities.
[Andy Ellis] Yep.
[David Spark] So, you don’t feel that trashing your existing environment is going to open up a ton of holes?
[Andy Ellis] Oh, it probably will, but I’m stuck one way or another. The real answer is I’m going to do a little bit of both, right?
[David Spark] Right. But you can’t. This is an all or nothing.
[Andy Ellis] But since I can’t, you’re making me pick one, I’m going to look at this and say, “This is my opportunity to clean out all the stuff.” Like, how many people are still using firewalls as network access control tools instead of your firewall basically being nothing comes inbound except, sadly, email to my mail transfer agent, but maybe I’ve outsourced that entirely to Google.
That would be my first thing is I’d say, “Ooh. I am getting rid of all of my IT infrastructure that is inside my corporate network and it’s all going to be out in the cloud. Not my problem anymore.” And yes, when Okta gets breached I’m going to have a bad day, but that’s Okta’s problem, it’s not my personal problem.
[Bob Schuetter] And the reality is we bought that equipment and those technologies when it had a certain value to the business because we ran everything through that platform.
[Andy Ellis] Right.
[Bob Schuetter] As that business is actually shifting to other places, we didn’t reduce down our cost, we didn’t reduce down the spend on that. Right? So, innovation to me is huge and I think you have to address that, and you have to be accepting of that change.
Even if it means throwing out the baby with the bathwater in a couple of different areas.
[Andy Ellis] Yeah, especially if I can do it to my IT infrastructure at the same time. Like, if I can throw out my entire IT stack because I’ve been around for 25 years, and here’s a brand-new IT stack that’s either built on Chromebooks or MacBooks, get rid of Active Directory entirely.
Absolutely. I’m not qualified to run Active Directory.
[David Spark] Isn’t this also always kind of the case when you’re ever making a big shift, like all of a sudden you go to a new email platform and you have to lift and shift everybody off of one, move them to another, and there’s a lot of pain. But once you’re in the new one, you’re like, “Oh, my God.
Why weren’t we on this five years ago?” kind of a thing.
[Andy Ellis] Exactly, right? And the challenge often is you do this partial lift and shift, like, “Oh, we want to move to this new thing, but it’s so slow, we don’t want to create pain,” rather than saying, “Just like, suck it up with the pain. If you’re going to move to Gmail, then just move to Gmail.
Accept the specific pains you’re going to get and do it.”
[David Spark] By the way, I moved to Gmail from Outlook’s Business Contact Manager, which was labeled as a CRM, which should be sued for false advertising because that thing is not.
[Andy Ellis] Is it even an email handler?
[David Spark] [Laughter] I don’t know what it is. It barely scratches the surface of what a CRM is. It’s pretty bad.
How have you actually pulled this off?
22:43.757
[David Spark] What questions should a security professional ask when applying for a CISO role? That question came up over at the cybersecurity subreddit. Redditors suggested making sure you see the organization’s existing cyber strategy and clarifying that you’ll actually have a mandate as a CISO to actually change things, rather than the position just being a compliance checkbox.
So, you’ve obviously both interviewed for CISO roles. You obviously did it right because you’ve landed as CISOs before. What did you ask and what would you ask if you had to interview today? Not saying that either one of you is doing it – just reassuring your employers of that.
But what would you ask, Bob? I’m starting with you.
[Bob Schuetter] The critical question that we all have, right, is what is the perception of the CISO role. That’s what we’re trying to get down to because unfortunately, our position is fairly new in the world. CFOs know what their job is. CIOs know what their job is.
It’s very, very structured. It’s been around for a long time. This idea of a CISO is actually fairly new and still fairly young. So, is it really a business driver? Is it just a risk mitigation? Is it just a compliance engine? What is the perception of the company?
I’m always okay with being able to change the perception of the company because I believe in how I work, but I want to know what I’m getting into. So, I think that’s the biggest question, and the conversation really has to revolve around is, okay, so how do you perceive the value of what this team has already done?
Where do you think it needs to go? What else do you think it needs to do? What are the biggest failure points? Right? Because that starts to get into, “Oh. Well, I was thinking about the security team this way. They never really did that; I think there’s a gap there.” Right?
So, that helps you identify what’s the expectation, and what do they think your job is going to be.
[David Spark] Would you be afraid, Andy, going into an organization, like a very… Because we’ve had a lot of first-time CISOs of really big organizations, and even though they’re not savvy enough to understand what a CISO should do, is there something that they could say that would reassure you, like, “I’m going to have the breathing room to do what I need to do here”?
[Andy Ellis] So, it’s a really hard one. And I actually want to give the caveat that I have never been hired into a CISO role that I applied for.
[David Spark] Oh, right. Because you graduated into it.
[Andy Ellis] Because I created the one that I was in at Akamai. I have actually applied and interviewed for multiple roles.
[David Spark] So, therefore you’re really bad at interviewing for CISO jobs. Is that what you’re saying?
[Andy Ellis] I have been offered CISO roles, but I have not accepted any of the ones I’ve been offered.
[David Spark] Oh, so you never interviewed for.
[Andy Ellis] I have interviewed for CISO roles elsewhere, yes.
[David Spark] Oh, you have, okay. So, obviously, you were no good because you didn’t get those roles, or you didn’t go.
[Andy Ellis] Some of them I was asked to take them, and I said no.
[David Spark] Okay.
[Andy Ellis] Because there wasn’t the alignment. There’s this really important question, which is, “Why are you hiring a CISO?” And if you don’t know the answer to that question, you’re probably set up for failure. Because sometimes the company’s like, “We have had a breach.
Our security is unacceptable, and our CISO has a blank check to fix stuff.” In which case, you want to say, “How long does that blank check last for? If I come in and I want to spend $30 million next year, do you really have that?” And they’re like, “Our entire budget is 20 million.
No.” It’s like, “Okay, I didn’t have a blank check, great, but I want no limit on my credit card.” What am I going to do? Maybe you love the program.
I interviewed with someone who they came to me and said, “We love the program our CISO has instituted, but they are going to have to leave the company for health reasons. Has nothing to do with this. We want you to come in and take over what this person has done.
Finish the last bit of transformation, and then that’s it.” And that was actually kind of an interesting one. I was like, “Okay, not my vision but somebody else’s vision. But everybody’s in alignment, they love the security teams.” I’ve seen other ones where the security was a disaster, and the company was basically like, “We don’t want to have to stress about security,” and I’m looking at them, and I’m like, “But you should be stressing about where you are today.
You didn’t say you want to fix the problem.” So, that’s really the question. What do they want out of you as a CISO? Like, why are you here? You’re going to run a security team, but is their vision that they don’t want to worry about security? They want to transform security?
They want to improve? Like, what are they looking for?
[David Spark] All right, so you’re throwing out a lot of different things, all very, very good. And same with you, Bob. So, let me isolate one of the questions of, do you know why you want a CISO, what is your goal? Like, are these the basic questions, or am I missing something here?
[Andy Ellis] Yeah, right there – why are you hiring a CISO?
[David Spark] Mm-hmm.
[Andy Ellis] What is it about me that makes you think that I might be the right CISO for your company, and that you might be the right place for my skills? Like, turn the interview question around.
[Bob Schuetter] Yeah. I think Andy hit it exactly on the head, right? It is 9 times out of 10, I get called just because of my history. I’ve been a CISO now for 12 years, some big companies. I often will get called because the board has removed the CISO, right?
Because the expectation wasn’t met of something, right? The questions that I get into then are, okay, so from a people perspective, a group perspective, what are the expectations here? Because a lot of times, the expectation was, “No, no. That leader was the wrong leader.
We have the right team, we have the right capabilities, we have the right platforms, right? But we just didn’t have the right leader, and we think you are it.” That’s the recipe for a disaster. Right?
[Andy Ellis] Yeah. I actually had an interview like that, and I was like, “I’m not going to touch that one with a 10-foot pole.”
[Bob Schuetter] Yeah, every time.
[Andy Ellis] If you think everything is right about your security program except the person in charge, you’re probably wrong.
[David Spark] Then that just becomes, like, they just have a problem with that individual.
[Andy Ellis] Right. But odds are, whatever that problem is cascades down through that organization. So, the board might be misled. This might be a great security team, and they had a leader who’s telling them the truth and maybe they don’t have the right diplomacy, but your problem is that whole organization isn’t the right organization for you.
Doesn’t mean they’re a bad organization, but that’s probably not a good organization.
Understanding security sales.
29:06.291
[David Spark] When it comes to CISOs, do we need to add another S to the acronym for Sales? Changing organizational structures mean we’re increasingly seeing CISOs pulled in different directions. One of the big ones is into sales conversations. Now, SC Media quoted a survey from Checkmarx, finding the vast majority of the 200 responding CISOs have been dragged into sales-related engagements, with almost half saying it occurred very often.
Virtually all CISOs say that potential buyers are asking questions about how secure a product or service is from their organization, with AppSec particularly considered in specific industries like financial services. I will start with you, Bob. What are CISOs being asked in these sales conversations and have you been brought in yourself?
[Bob Schuetter] We’ve been in a number of those conversations. So, if you look at Ashland, it’s a supply chain, it’s a supplier to other companies. A lot of our customer base and I think a lot of the customer base across the board is looking at third-party risk.
[David Spark] Yes.
[Bob Schuetter] And trying to understand do they have risk to their supply chain if we go into an agreement with you, especially when you’re a sole source provider. So, I think, one, you have an opportunity to actually increase your business value and start talking about business and getting into the actual business value you’re creating by having good cybersecurity.
But two, it certainly is much more of a sales piece because you got to realize you are now representing a new opportunity for the company. So, absolutely, I think it’s an S, I think it’s an L for Legal, I think it’s a C for Contract negotiations. I think we’re getting into a lot more areas that are truly getting us into that “C-suite” that we always talk about, right?
The true leadership of the company and not just being this resource to reduce down risk.
[David Spark] We hear it more and more that security is used as a differentiator for an organization’s value, we hear it constantly. And like you said, with third-party risk, being that it’s becoming more and more on literally the front page of major newspapers, that CEOs are well aware that this is something they need to bring into a sales conversation.
Andy?
[Andy Ellis] So, absolutely. My only question is, where have you all been? I was doing this for 15, 16 years at Akamai. Actually, probably longer than that. I have to think, I think my first being dragged onto a sales call because I was dragged that first time, probably was back in like 2000, 2001.
I actually know exactly the bank that we were selling to, and it was very interesting.
[David Spark] Okay. So, back in 2000, 2001, what were the kind of questions back then?
[Andy Ellis] Oh. The very first question I got from a bank because we were trying to sell them SSL object delivery at Akamai, where we would just offload and take your SSL objects on your website. And they said, “How many transactions per second can you handle?” And my first question was, “Well, are they unique signings or not?
Because we’re doing it on our own certificate, so it’s not as big of a challenge.” So, it was just this very narrow technical conversation about our capability. Fast forward, and over the years, it becomes this very heavy, compliance-driven conversation.
And what I realized very early on – and I’m going to disagree slightly with Bob because he did not name the one discipline that we actually are – which is marketing, all of what we’re talking about here is marketing. Our job is to market the security of our platform and of our company to prospects.
Right? We don’t sell. That’s the person who actually brings in the contract. I hate when people say everybody sells. I’m like, “No, no, no.” Because we don’t get commissions. We’re not on quota, we don’t get commissions, we’re marketing. But in the same way that product marketing helps you with collateral, we help you with collateral.
In the same way that field marketing helps you target specific industries and regions, we help you do that.
So, if you’re a security team and you have, let’s say, 100 people in your organization, right? You’re the global governance, you’re not operations, you just oversee everything in general. I’m going to ask you, why don’t you have a five-person sales support team inside the security team who’s creating collateral?
A lawyer? I actually had two lawyers on staff that worked for me, right? One to do contract negotiations, so we had a legal specialist, and one of the first things they did is they said, “Why don’t we have a standard legal template like, ‘Here’s what we’re willing to attest to’?” And here’s the beauty of having a lawyer on staff, is when you say, “I don’t want to attest to anything besides this small statement.” They took that small set of statements, and they turned it into this 15-page contract attachment that literally said nothing technically, but sounded really good and checked every box that the procurement team was looking for.
Like, “Do you do this? Do you do that?” Sure, it says that we do all of these things, but contractually it doesn’t give you crazy rights.
I had people who were basically sales engineers. They’ll go on that sales call. And if it’s an executive you’re going to meet, I’m going to go on the sales call. You should absolutely be doing that and you should be looking at how is that an upsell opportunity.
That’s how Akamai became a security behemoth, was not just that one day we woke up and said, “Oh. We’ll sell security stuff.” It’s that we would go on these sales calls, and someone would be like, “Okay. How do you make sure that this doesn’t happen to my content?” And I’m like, “Well, our base product doesn’t do that.” And they’re like, “Well, why not?” I said, “That’s what we have a WAF for.
We’ll sell you a WAF if you want that.” And they’re like, “Okay, we need the WAF.” So, we’d been talking to a different team. Security got involved, and we upsold them a security product. And all of a sudden, Akamai had this massive line of business selling security products because we were upselling them left and right every time the security team got involved in a sales cycle.
[David Spark] So, you really were directly related to revenue?
[Andy Ellis] Absolutely. And if you go look today, Akamai, a company that was born…
[David Spark] Well, Akamai is a security vendor.
[Andy Ellis] They’re there now. Security is their largest line of business.
[David Spark] Yeah.
[Andy Ellis] Right. But Akamai was not born as a security vendor. We made that happen by focusing on product security and security products.
[Bob Schuetter] Yeah. But I think there’s the shift away from the technology space that obviously you grew up in. I think that the shift that a lot of people are finding themselves in is from a product perspective, whatever you sell, all of a sudden ransomware changed the value play that we all had.
I talked to several of the folks that were interviewing and said, “So, why are you asking us these questions?” And the answer was, “Because ransomware took out my service providers, my suppliers, all these different areas.” And now all of a sudden, it’s business risk, it’s supply chain risk for me, that security has to be at the table.
Closing
35:59.750
[David Spark] All right. Well, that brings us to the very end of today’s episode. Thank you very, very much, Bob. I want to provide a huge thanks to our brand-new sponsor, Thoropass. You remember? Go to their website – thoropass.com – to learn how they can help you with your compliance journey because everyone’s dealing with it, and it’s a big pain.
Wouldn’t it be a lot nicer to go with someone who’s seen it and experienced all of it? Check them out – thoropass.com. Bob, I’ll let you have the very last word on today’s show. Any last thoughts? Are you hiring? I always ask.
[Bob Schuetter] We are not hiring currently. We’re actually doing very, very well though. And I would say to everyone, again, transform risk. We are there to take on more risk. We’re there to accelerate risk taking that has good business impact.
[Andy Ellis] I have a last word for you now.
[David Spark] What’s your last word, Andy?
[Andy Ellis] Everybody, keep your eye out because RSA submissions are going to be notified in the coming weeks. Late January 2024 is when they’re going to come out, so look to see who’s speaking.
[David Spark] We will be there. CISO Series is planning on being there at RSA. We look forward to seeing you there. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review.
This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.
Thank you for listening to the CISO Series Podcast.