CISOs first appeared in the C-Suite over thirty years ago. But their responsibilities and function within an organization still vary wildly. Organizations need to understand how their CISO operates if they want to make them effective.
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Brett Conlon, CISO, American Century Investments. Joining us is Ryan Barras, CISO, Mount Sinai Medical Center.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Dropzone AI

Full Transcript
Intro
0:00.000
[Voiceover] Biggest mistake I ever made in security. Go.
Okay, that might have started with taking the job. Besides that, I think, maybe assuming that people actually understood the distinction between cybersecurity, the role, and IT in general. And in addition to that, probably making assumptions that when you accept the job, that there was a clear understanding of what budget you had allowed for hiring and for specific spending amounts.
[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in Florida.
[David Spark] Welcome to the CISO Series Podcast. Yes, we are live in Boca Raton, Florida at the Boca Raton Innovation Center for the South Florida ISSA Chili Cookoff event, 25th anniversary event. Let’s hear it for this phenomenal group.
My name is David Spark. I’m the producer of the CISO Series. And to my immediate left is my guest co-host for this episode. It is Brett Conlon, the CISO of American Century Investments. Let’s hear it for Brett. Say hello to the audience, Brett.
[Brett Conlon] How are you, everyone? Good to be here.
[David Spark] All right. I also want to mention our sponsor. It is Dropzone AI – AI SOC analysts that never sleep. That’s very attractive. We’re going to talk a little bit more about that later in the show. But first, I want to talk about where we are.
We are at the Boca Raton Innovation Center, and what’s really cool about this, Brett, is the very first IBM PCs were made here. I guess 1981 is when that happened. Do you remember your very first computer?
[Brett Conlon] I do.
[David Spark] What was it?
[Brett Conlon] Okay, so the HP Pavilion, and I think it had a CD player on it. Not a DVD player, but it did have a CD player on it.
[David Spark] Was it like a 286, 386?
[Brett Conlon] I would say 2… I think the 386 was more expensive, so it was the least expensive one.
[David Spark] Well, I’m going to one-up you because I’m going to date you in a big, big way, and I’m wondering where all the gray hairs are here. But mine was a TI-99/4A, and that is an old, old computer that we used to load applications via cassette tape.
Have you ever seen that?
[Brett Conlon] I have not. Not the cassette tape.
[David Spark] No, literally you would load it, and you would wait minutes for the program to load.
[Brett Conlon] I don’t think I touched a computer before the floppy drive, right? And then the floppy drive came out.
[David Spark] This thing had a cartridge for, like, video games too, but if you wanted to do your own programming and basic, you had to load it via cassette tapes. Anyways, this place, it’s pretty cool, the history of here, and they have kind of like a mini museum all throughout.
All right. Let’s get to introducing our guest who’s to your left and my left. He is the CISO for the Mount Sinai Medical Center, Ryan Barras. Let’s hear it for Ryan.
[Ryan Barras] Welcome, South Florida. Thank you. Thank you for having me.
I tell ya, CISOs get no respect
3:01.729
[David Spark] Quote, “A CISO does everything related to cybersecurity that nobody else in the company wants to do,” end quote. Now, that’s how our frequent co-host, Andy Ellis, defines a CISO role in a recent piece for CSO Online. And it captures why this is still the sentiment even 30 years after the first CISO was named at Citicorp.
Quote, “This relatively late-comer leadership role remains largely misunderstood.” So by the nature of the title, CISOs are in the C-suite, but as, unfortunately, I think you guys know, they often lack any real organizational power, and responsibilities vary drastically between organizations.
So some are seen as the C-Suite, some are not. But ultimately, here’s what I want to know. And I’m going to start with you, Brett. Why is it important for people to understand what a CISO does?
[Brett Conlon] So, in my opinion, there’s probably no greater threat to a company than a cyber threat at this point. If you look at the amount of loss, the amount of disruption, and what kind of damage it can cause, both internal and external to your customers, it’s probably the greatest responsibility that exists inside of an organization.
So to me, I think that sometimes we forget what we’re actually trying to articulate to the leadership. And then also that we forget a lot about our job is to develop relationships. The higher you go up, your job is to develop those relationships, create those relationships, create that network, and have them understand why what you’re doing is important to the organization.
We naturally, as CISOs and cybersecurity professionals, jump into action, and we just start doing because we want to get things done. But we don’t take the time to look at, “What’s the relationship I’m trying to build and what am I trying to solve here?” If you take your job and try to explain it to your kids or your parents, they’ll glaze over.
So try to look at them as your audience and say, “What can I do to explain this so it makes sense and build that relationship?”
[David Spark] Ryan, I’m going to throw this to you. That’s a really interesting point that a good portion of your job is relationship-building. Would you agree?
[Ryan Barras] Yeah, no, absolutely. I mean, we’re facilitators, right? I mean, I think a lot of organizations make the mistake of seeing the CISO as the police officer of the organization. You know, more often than not, I’m trying to convey the message to folks that, “Look, we’re basically security as a service to the organization.”
Now, sometimes you come with a stick. We’re a mandatory service, but for the most part, we’re a service to the organization. We’re trying to add value. From my perspective, and it’s a slightly different angle than most CISOs… I mean, I spent the first half of my career on the economic development and business development side, and then I slowly transitioned into IT and IT security.
What I found is, and I give presentations in front of students a lot, and I usually tell them, I say, “Look, if you’re the type of person that likes to take things apart and figure out how they work and put them back together, you have the right mindset.
You’ve got to be inquisitive as a security professional.”
Because ultimately, as a CISO or someone in security, you often need to understand the organization better than the folks that are actually doing the work. You know, we have to understand the culture. We have to understand the breadth of the business.
We have to understand the risks. We have to understand IT. We have to understand the vendors. There’s very few disciplines that I believe exist out there that are as broad as IT security.
[David Spark] But let me ask, because the question is really important of why people need to understand what you’re doing. And part of them understanding is you being able to communicate it well. But we always talk about, “Well, you really need to speak the language of the CFOs, speak the language of that.” But there isn’t that feeling that comes back.
I would just ask, what would you want your C-suite to know about your role? Like, “If they knew this about my role and looked at me this way, everything would run smoother.”
[Brett Conlon] Yeah. I go back to what I said earlier, which is they need to understand that we’re here to protect them from what is the greatest risk out there to their company and how that impacts not only their computers, but the operations that they run on and the trust that they’ve built with their customers.
And I think once they understand that, and they understand that as you’re telling them and not using any technical jargon… And part of that is also bringing to them that you do understand the business, that you do understand what you’re protecting and what drives revenue and where their customers come from, so they can see that you’ve taken time to learn their business.
And then they start listening to you, and now they know what you’re actually protecting them from.
[David Spark] Well, I mean, it sounds like you just want to be brought into, and correct me if I’m wrong, Ryan, every risk conversation there is, yes?
[Ryan Barras] I don’t know if it would have to be every risk conversation, but I think the bottom line is what the CEO wants to know is what is the business impact? How is it going to impact the bottom line? And when you can speak in those terms, when you can explain them in layman’s terms so that they understand what the immediate impact of the work that you’re doing actually is, I think that’s where you’re going to be successful.
And that is not always easy to do. How do you translate hundreds, sometimes thousands of vulnerabilities that you’re trying to address into business impact? That doesn’t necessarily resonate. How do you even explain the concept of vulnerabilities in IT systems to someone that’s maybe technology-agnostic?
That’s a challenge. But I think really conveying what that business impact is and what we’re doing to ensure business continuity and revenue continuity.
[Brett Conlon] So let me just add to that real quick. I’m just going to say because I’ve used this example quite a bit when we talk to our board and stuff. But talk about vulnerabilities, and that’s what we typically hear about, “Here are the vulnerabilities.
Here’s what you need to address. Here’s that.”
But if you have a conversation, so let’s say you’re talking to the Starbucks CEO, and you let them know that there’s a high probability that your point-of-sale systems are going to go out, will be disrupted for two days, you won’t be able to sell any of your product, and the mobile application will be down, so that’s going to equate to X amount of dollars in revenue.
Now he wants to know, “Well, how would that happen?” And that’s what the conversation needs to lead with. That’s what they care about.
[David Spark] Wait for our “What’s Worse?” scenario coming up soon.
What’s it going to take to get them motivated?
9:23.099
[David Spark] Quote, “Definitely one of the biggest challenges in our industry – figuring out incentives for the critical stuff that aren’t business problems,” end quote. That was said by Ross Haleliuk of Venture in Security, who was actually quoting Adrian Sanabria of the Defenders Initiative.
Haleliuk goes on to say, quote, “Industry problems are serious technical, philosophical, and operational challenges,” citing examples such as memory corruption vulnerabilities in different protocols, insecure Bluetooth pairing, and formal verification of code.
So a good tell-tale sign, if it’s an industry problem, is you’ll hear someone say, quote, “There needs to be.” You’ve heard this line before. Which essentially means somebody else figure this out because it’s holding me back, and I see no financial incentive to fix it myself.
So I’m going to start with you, Ryan, on this. How do you check if you’re worrying about a business problem or an industry problem? And if it is an industry problem, what are the possible motivations to get the industry to move in the right direction?
I’m going to say it’s either new regulations or even more regulations. What do you think?
[Ryan Barras] So that’s a great question. And there’s no easy answer to that question. So let me kind of unpack that a little bit. So if we go back to determining if this is a business or an industry problem, it really depends on the problem itself, right?
So let me give you an example. Actually, I can even ask for a show of hands here. Who here has heard of the year 2038 problem? Okay, actually…
[David Spark] About six hands went up.
[Ryan Barras] Yeah. That’s actually more than I expected. So believe it or not, guys, we’re about to relive Y2K all over again in the year 2038. Now, most of us don’t know about this, right? I would say that this is probably an industry problem.
And I won’t go into too many details here, but essentially it’s very similar to the Y2K problem with 32-bit-based systems. Now, how do we address that if it’s an industry-based problem, looking for a solution? I think forums like this. We go to the associations like ISSA or ISACA or ISC2.
We basically push for conversations, we push for presentations, we have open dialogue, and we decide, “Okay, as a group, how do we move this forward?”
I don’t think regulation factors into this item at all, and this specific item. Now, having said that, my background is I was raised in a European country that was very regulatory, and I have to admit my bias is towards regulation because I’ve seen it work.
Having said that, I also don’t believe in over-regulation. But I think there’s a place for regulation, but it’s not going to fix all of our problems. This Y-2038 problem, hopefully AI solves it. But AI is another example of a problem that, yeah, it’s specific to my organization, but also to the industry.
So I know that’s a bit of a broad answer. I’m not sure if it’s entirely what you’re looking for.
[David Spark] No, but you brought up a really good issue. So what do you think? Industry problems, how do you spot them? And, I mean, how can we move the industry so we’re not all held back from it, Brett?
[Brett Conlon] Yeah, I want to agree, actually. I don’t think regulation is going to help. And I’ll cite healthcare as a great example. Heavily-regulated industry, look at how many breaches they have, right? And so now you have an industry problem. Why aren’t they able to do something?
And then since we have silenced most of the vendors, I’ll pick on the vendors a little bit. The industries have certain needs, but the vendors don’t always look at what the need of the industry is. It’s more around, “Look at what my product does, and I want to sell that to you.”
So they think that they’ve captured a need in the market, and sometimes they have. But if you look at industry problems as a whole, you’re going to find out that what a manufacturing company has to address versus what a healthcare company has to address versus what a financial company has to address, all regulated manufacturing, maybe not so much, but definitely healthcare, definitely finance, the vendors don’t really tailor their solutions by the industry.
And if they do, they’re going to go after what’s the most profitable industry.
So to me, what would be great is to find a way to sort of almost reverse a conference like this where the vendors are here to listen to the industry’s problems, where they’re struggling, and then see if they can take that back and where they can help.
I think that would actually be probably one of the most beneficial things that we could do.
[David Spark] I like that.
Sponsor – Dropzone AI
13:49.044
[Voiceover] Who’s our sponsor this week?
[David Spark] Here’s a scenario every SOC manager knows. A credential theft alert fires at midnight. Your skeleton crew is juggling 15 other investigations. That alert sits untouched until morning, giving attackers hours to establish persistence. Now, what if that changed?
Dropzone’s AI SOC analyst works like having your best analyst on duty 24/7. The moment an alert hits, it starts investigating, pulling user activity, checking authentication patterns, analyzing file access, building the complete story. No playbooks to maintain, no custom rules to break when attackers change tactics.
It learns what’s normal in your environment.
Now, while your team sleeps, Dropzone handles routine investigations and delivers detailed reports by morning. Real threats escalated immediately, false positives get closed automatically, your team wakes up to actionable intelligence, not an overwhelming backlog.
So are you ready to stop playing catch-up with attackers? You got to go visit Dropzone. Go to dropzone.ai and see for yourself. That’s dropzone.ai. And when you go there, let them know that you heard about them from the CISO Series.
It’s time to play “What’s Worse?”
15:22.612
[David Spark] So we have been playing this game, What’s Worse, since we started the show over seven years ago, and it is our most popular game, What’s Worse? And it pretty much is played the way it sounds. I’ll give you two scenarios. These are sent in by our audience members.
I’m going to give you two scenarios, and you’re going to have to tell me which one’s worse.
And there was a little bit of a tease to this of something you said, Brett, earlier in the show, because you kind of alluded to what the What’s Worse? scenario is, even though you don’t know what it is.
[Brett Conlon] Okay.
[David Spark] All right. They don’t know what it is. These are all surprise. All right. This comes from Ozren Bogovac of Generac, and let me set up the overall scenario first. It’s Black Friday. You run a major E-commerce platform. The site is up, orders are pouring in, and revenue is at its peak.
You’re in a change freeze for the next few weeks, and the business is focused on stability above all else.
Your security team detects a critical vulnerability in your stack. It’s starting to gain attention on X and in security circles. You investigate and confirm that the vulnerability is being exploited in your environment. A small number of fraudulent orders have been placed, and less than 1% of customers may have had their PII or PCI data accessed.
Your team puts a WAF rule in place to slow the activity based on available signals, but it is far from full mitigation.
All right. Here are your two scenarios, all right? Scenario one, you break the freeze, you take the site offline, and you patch the issue. That stops the attack, but in just that 10 minutes that you needed to do that, millions of revenue is lost for the business, and you actually cause major friction with the business.
Scenario number one. Now, scenario two, you keep the site running to protect revenue and stay within policy, but you knowingly allow the attacker to continue limited exfiltration of customer data. Which one is worse?
[Brett Conlon] So I’m going to say hypothetically, I would say taking the site down would be worse.
[David Spark] Okay. Why is that?
[Brett Conlon] Well, I think you have to look at it…
[David Spark] I like how you stress hypothetically. “This is not my business.” [Laughs]
[Brett Conlon] Hypothetically, and I’m going to put a CEO’s hat on, I think you have to look at what’s the overall revenue damage. Because remember, your revenue is powering not just your site and the money you’re making off customers, but this is what drives your business, your employees, their benefit, all that stuff.
So to me, I think you have to look at it from the perspective of, “We might have a few people that have their identities compromised and we’re going to help them out with that. But overall, we want to keep the revenue going so that we can make sure our business is operating, and we can pay all these employees who are working very hard.”
[David Spark] All right. So focusing on the… Do you agree or disagree, scenario number one where you take the site offline, lose a lot of money, and you’ve got friction with the business? Is that the worst scenario or not?
[Ryan Barras] Actually, I go for the other scenario. I think the other scenario is worse, just simply because you don’t know what you don’t know. And the attack is still ongoing. And you also have to think not only about the actual damage that you might be incurring at that moment, but also the fallout.
Think of legal, think of the ramifications after the fact. You don’t know the extent of what that means and what the fallout’s going to be on that end, and that could far exceed the revenue that you’re losing in scenario one.
[David Spark] All right. We have a split decision here. I’m going to send this to the audience right now. I want to know from the audience which one do you think is worse. By applause, just applaud. Again, worse. Not the one you like, not the one you choose but the one that would end up with the worst scenario.
Scenario number one is you break the freeze, take the site offline, lose millions, and the business is annoyed with you. By applause, how many think that’s the worst scenario? [Applause] Only about five or six. Not a lot of people are with you on this.
All right.
But scenario number two, keeping the site running to protect revenue and stay within policy, but knowingly let the attacker go out with the data. How many people think that’s a worse scenario? [Applause] And I will just say, and I can look at the entire back, some of them are not playing the game.
They did not applaud either one of them.
[Brett Conlon] I noticed that too, and I saw a lot of people back there that just raised their hands in support of me. They just didn’t want to clap. See, there you…
[Crosstalk 00:19:46]
[Laughter]
[Brett Conlon] Yeah, so I win.
It’s time to play a brand new game!
19:50.523
[David Spark] All right. I’m very excited. You are all in luck because we have yet to play this game in front of an audience. It’s such a brand new game, we don’t even have a name for it yet. But I’m going to describe what it is. And it’s a fun game, and you’re all going to get to play along as well.
We went to RSA, and we asked a bunch of security professionals a number of questions. We’re going to play four rounds of this. What you’re going to hear is three different voices answering the same question. So you’re just going to hear the answers.
What you have to do, and essentially wait till the clip finishes, what you have to do is try to guess what was the question they were asked that they’re answering. If you can’t get it, we throw it to the audience, all right? Here comes the first one.
Remember, it’s three voices, wait till all three answer, and then jump in if you think you know the answer.
“Communication, understanding what the team is going through and being able to balance or socialize that with leadership.” “Empathy, innovation, and a really broad understanding of the business.” “Determination, perseverance, and thick skin.” What was the question?
[Brett Conlon] What makes a good cybersecurity professional?
[David Spark] Kudos. Good job on that. I’m impressed. All right. You jumped in, you got it. All right, let’s go to the next one. “Cybersecurity’s the department of no.” “It is the end-all be-all. Once everything’s in place, you’re good to go.” “It’s the user’s fault.” “More data equals better security.” All right.
You want to guess what this is? Ryan, you think you know what the question was?
[Ryan Barras] I’m drawing a blank. I’m not really sure of this one right now.
[David Spark] Brett, you think you know what it is? I’m going to go to the audience if you can’t get this one.
[Brett Conlon] What is the reason that the breach occurred?
[David Spark] [Laughs] No. Anyone think they know what the answer is? Yell it out. What do you think?
[Audience member] What are some misconceptions about [Inaudible 00:21:47] security?
[David Spark] What are some misconceptions of cybersecurity? That is correct. All right, very good. All right. Round three. Okay, so right now we got one for Brett, zero for Ryan, one for the audience. Here we go. Next one. “My job is to help keep you safe in a digital world.” “I try to help so that bad guys don’t take what is yours.” “I’m always picking up somebody else’s mess.” “I help protect organizations against bad guys.”
[Ryan Barras] What does a cybersecurity professional do?
[Brett Conlon] What do they sound like?
[David Spark] Hold it. That is half correct. I’m going to make you… I’m going to just say, who is the audience?
[Brett Conlon] God, I hope it’s not the board.
[David Spark] [Laughs] No.
[Ryan Barras] You’re trying to explain it to kids.
[David Spark] Yes, correct. Yes, explaining to a kindergartner. Very good. All right. Good job. Two for Brett. All right. This is last one. Here we go. “One of those slippy things that you grab and they slip out of your hand immediately.” “Stuff that you have to carry through TSA.
Electronic gizmos that look like they’re a bomb or something like that.” “Pam spray cans for a privileged access management vendor.” What do you think that is?
[Brett Conlon] Networking after having a lot of drinks at a social event. [Laughs]
[David Spark] No. Ryan?
[Ryan Barras] What are the available solutions cybersecurities work with?
[David Spark] No, anyone? Anyone think they know this one?
[Audience member] Stuff [Inaudible 00:23:12]?
[David Spark] Stuff…
[Audience member] [Inaudible 00:23:14].
[Audience member] What is [Inaudible 00:23:17]?
[David Spark] No.
[Brett Conlon] Is this swag you get from vendors?
[David Spark] Okay, yes, swag you get from vendors, but one little element.
[Brett Conlon] At DEF CON? [Laughs]
[David Spark] Well, no, swag you get from vendors, but they… Listen to how they were talking in that clip. Here, I’m going to play it one more time. “One of those slippy things that you grab and they slip out of your hand immediately.” “Stuff that you have to carry through TSA, electronic gizmos that look like they’re a bomb or something like that.” “Pam spray cans for a privileged access management vendor.”
[Audience member] [Inaudible 00:23:47] worst [Inaudible 00:23:48].
[David Spark] Who said worst? Yes, worst swag from… There you go. Good job audience. So tie score between Brett and the audience. Good job for both of you.
You couldn’t have done better than that?
24:04.494
[David Spark] All right. I have witnessed many poor panel sessions, and I’ve complained a lot about this on the show, with my biggest pet peeve, and I hate to say I saw it happening today, being moderators who ask the panel to introduce themselves.
And before you ask me why that is so horrible, please name one talk show host, radio or TV, that has ever done it. There’s a reason they don’t do it. It’s not that professional. So that’s my pet peeve, and I’m going to throw this first to you, Ryan. I’m eager to hear from you as to what’s a red flag warning that you’re about to watch a really bad panel session.
And conversely, I’d like to know what have you seen that makes a panel session really fantastic.
[Ryan Barras] So I think the answer to that is really knowing your audience. Do the panelists, do they understand, do they speak the language of the audience? Are they going to stand up there and speak at a technological level that doesn’t resonate with the audience?
Are they going to stand up there with a bunch of dry spreadsheets? How are they going to engage the listeners? I think that’s really the key to successful panelists. Probably the worst one I’ve seen is where I attended a panel where one of the panelists was insulting the people in the audience.
People started walking away.
[David Spark] Hold on. I want to know the details. Walk me through that. What happened?
[Ryan Barras] It was a discussion. Actually, it was somewhat political. It was back in the Netherlands. We had a panelist who basically was insulting folks that were immigrating into the Netherlands. And people were walking out and they left, and…
[Crosstalk 00:25:48]
[David Spark] By the way, I’ve watched the CEO of Oracle, Larry Ellison, do that. I’ve watched him insult the audience.
[Ryan Barras] Well, believe it or not…
[David Spark] He can get away with that, I think.
[Ryan Barras] …this particular panelist was actually assassinated a few years later in the Netherlands. It was quite shocking. But he was a very confrontational type of personality. So that kind of took a left turn from that question. But yeah, that was definitely a panelist that went wrong.
[David Spark] Yeah. Try not to insult the audience. But, okay, so what are pet peeves you have for panel discussions and what sort of excites you? What is a panel session when it does really well?
[Brett Conlon] Gosh, so pet peeve of mine is when the moderator… So the moderator’s there to facilitate the conversation. So if you’re having good conversation, then let it go. But when the moderator basically takes all the questions and then starts answering them before they’ve asked the panel.
So that’s made it tough.
And then I would say I really enjoy panels where either they know each other or they’ve done it before, and then they obviously are very comfortable with each other on the stage. I think that’s some of the most fun panels where everyone sort of let their guard down, they trust the other person that’s on that panel, and you can have a good time with that.
[David Spark] Well, and you bring up a really good point right there is what I think is really good for a moderator is they make it clear, you know, “Welcome to the David show. I brought Brett and Ryan here. I’m glad that they’re here.” And this is why I don’t like the introductions because it makes it clear to the audience you barely know who these humans are.
If you know who somebody is, you introduce them. That’s kind of how we operate in life. And so it’s always good to… It makes a person feel good about being up on stage. And it’s always better for me to introduce Brett than for him to say, you know, your resume on stage or whatever it is.
I mean, it comes off better and makes the person feel good and sets a good tone as well. What about other things that you’ve seen that… Like, the closing for the show or how they get the audience more involved in a panel session? What is kind of exciting for you there?
[Ryan Barras] Yeah. I think the engagement, I mean, like you just did a moment ago. You involved the crowd with some of these questions with the game. I mean, the activity and, again, just the true engagement and participation of the audience is generally what I’ve seen is the most successful formula for a panel discussion.
[Brett Conlon] Yeah, I’ll double down on that. We were in a panel overseas, and it was the whole day of just us coming up and talking at the audience. And there was from all different industries, from all different countries within the European areas and the Asia areas, and they all have different needs.
They’re all at different technologically-advanced areas in cybersecurity.
And so we went back to the moderator and said, “If you want us to come back next year, we want to do like an, ‘Ask me anything.’ We’ll sit up there and they can ask anything they want, and we’ll take the questions.” It was so popular, we filled up a room this size, it went over time, they gave us another slot, and they came back.
And to me, whenever you have that good back and forth dialogue, then now you have people who are actually getting their questions answered. And then what happens is someone actually asks the question that the other person really wanted to know about, but they felt embarrassed to ask, and everything just gets better from there.
[David Spark] By the way, sort of a twist on that technique that I like to do and I’ve seen others do is they don’t wait to the end of the session to take questions. The reason being is sometimes things come up in the middle of the session, like, “No, I got to ask the question now because of something Ryan just said.” And so I always like, “Hey, if you got a question, raise your hand at any time during the session.”
What’s a CISO to do?
29:25.119
[David Spark] CEOs should be asking their CISOs. You remember when I said what others need to know about you, but CEOs should be asking their CISOs, quote, “Tell me what I don’t know and should be doing,” and, quote, “make me look good.” And this was the advice Nick Ryan, who’s the BISO at RSM, suggested.
So an ideal CEO/CISO relationship means the head of the company is looking to you, the CISO, as a risk advisor. We talked about this earlier. So I’ll start with you, Brett. How can a CISO best address these two questions from a CEO? I think these are two good questions.
And I’ll say them again, “Tell me what I don’t know and should be doing.” This is what the CEO is asking. And, “Make me look good.” How can the CISO make the CEO look good?
[Brett Conlon] Yeah. So I’m going to answer this also from the perspective of most of you probably here are not reporting to the CEO. So I’m going to also give you things not to do, which is this is not your moment to go say, “Here are all the things that you need to know about that’s not getting escalated up, or that I want you to know about.” That’s not what he’s asking or she’s asking.
What the CEO is asking is really to understand the landscape and how it affects their industry, give them a good soundbite for something related to maybe even their business, and what you’re doing about it. And that is really what they want to know at that point in time.
So again, if you’re not reporting to the CEO, now is not your time on that question to say, “Here are the things that are going on.” But if you do have a good relationship with them, it really should just be an ongoing reiteration of, “Here are the things that exist in our industry, here are the things that exist within our company, and here’s what we’re doing about it.”
And then if there’s any innovative or areas that you feel you’re groundbreaking in or that you’re really leaning in on that would do well for that company and the position it’s in for the industry, then let them know about that.
[David Spark] Let me ask you a follow-up question. Have you ever had a CEO relationship, and you don’t have to tell me present or past, but where you kind of had that communication and then you watched them communicate security issues to somebody else?
Have ever seen that?
[Brett Conlon] Not directly, not where they were trying to act as if they played my role, per se.
[David Spark] No, but like give a high… You know how sometimes you will introduce someone and give a high-level explanation? Like, “Brett explained to me this, this, and this about security. Brett, you can continue on.” They can sort of give the cliff notes version.
[Brett Conlon] Yes, 100%, that’s happened.
[David Spark] And they do it effectively?
[Brett Conlon] Yeah, I would think so. I mean, as long as it’s not too lengthy and it’s pretty short and concise, they do a very good job, yeah.
[David Spark] Okay. So that means great communication between you and the CEO. Great. All right. I’ll take this to you, Ryan. Again, the two questions is, “Tell me what I don’t know and should be doing.” That’s the CEO asking the CISO. And, “Make me look good.”
[Ryan Barras] So let me start by answering the second question first. I think, first of all, it’s my job to ensure that the CEO does look good in the same way that I feel it’s also my job to make sure that my team looks good. My team looks good, I look good by default.
If I’m making my CEO look good, then I’m doing a good job in my role.
I think the best way to answer the first question, “Tell me what I don’t know,” is to take a holistic approach to the question. Because a lot of times as CISOs or even CIOs, we find ourselves really pegged in a specific corner that we’re thinking purely along the lines of technology and IT.
But a lot of the problems and a lot of the, I would say even, processes that we deal with are often embedded in larger organizational processes. And to make the CEO look good, you basically need to answer that question, addressing issues that exist within the context of those larger problems of the organization.
So give you a simple example, who here deals with TPRM, third-party risk management?
[David Spark] Everyone.
[Ryan Barras] Right. And I think we all know that there’s no silver bullet for that process. But really, the TPRM process really rolls up into a procurement process, which should be an organization-wide approach. You should have a centralized procurement process of which security is just a part of it.
So in answering that question to the CEO, you need to be addressing these issues from an organization-wide approach while you’re highlighting the issues that you’re trying to correct on your end. That’s my take.
[David Spark] All right. Similar to all this, and I’m sure you have heard this before, and I’m interested to know how you answer this. When a CEO comes to you and says, “Are we secure?” how do you answer that question, Brett?
[Brett Conlon] Yeah, I think that you have to be honest with them on where you stand and just sort of bring it back to, “Here’s where we’re doing really, really well, and here’s where we’re focused on in the areas that we’re improving.”
[David Spark] They want a yes [Laughs] to that question. I mean, you can’t give that to them.
[Brett Conlon] So hopefully, what you should be able to say is, “I feel really good about the position we’re in,” or you should be able to say something of, “I do have some concerns and we’re addressing them, and here’s how we’re doing it.”
Just remember, and I can’t stress this enough, even if you’re reporting to the CEO, it comes back to the relationships. But as any leader, even yourself, you’re not looking for someone to come bring a bunch of problems to you. So it’s not the opportunity to come and say, “Here are all the problems.”
It’s more around that the question is, “Are we secure?” You have to be honest with them, but you can say, “Yes, we are,” or, “We feel really good about the position we’re in and we have investments here, here and here.” Or you could say, “We’re definitely playing some catch-up in these areas, but we’re making as much progress as we can.” And then let them bring the conversation further than that.
It’s time for the audience question speed round
35:10.447
[David Spark] All right, this is our last segment, and I have on my hand a series of index cards. I have had conversations with many of you today. And I asked you for questions for my guests up here. They have not seen these. So these are all going to be surprises.
Give me quick answers so we can get through as many of these as possible in the little time that we have left.
All right. This one I thought was interesting. So this actually Donnie Strumpf of Good At Marketing has actually done this so he wants to know this question. For people who are vibe coding and have created spectacular apps, Donnie is really impressed what he’s created, but he is now realizing he is now a sitting duck with no security.
What would you suggest their first step be to put some security on this spectacular app that they created even though they have no development experience? Ryan?
[Ryan Barras] And this is an outside vendor that…
[David Spark] This is just someone who’s created an app.
[Ryan Barras] Oh, created an app.
[David Spark] Yeah, they haven’t necessarily connected to you or anything like that. But just, “I’ve got this great app, and I vibe coded, and I have no development experience. I’m a sitting duck waiting to get attacked.” What do you suggest? First step.
[Ryan Barras] So the first step, I would subject it to a scripting review. Essentially, review the code, understand what the application does.
[David Spark] Who should he go to for something like that? Because he just did it by himself.
[Ryan Barras] Inside the organization or…
[David Spark] No, he just did this by himself.
[Ryan Barras] I would defer to an outside party.
[Crosstalk 00:36:44]
[David Spark] So you’ve got to look for a consultant at this point.
[Ryan Barras] That’s probably what I’d say. But probably want to better understand the ins and outs of the app.
[David Spark] All right. Your advice?
[Brett Conlon] Yeah. I mean, if you’re really trying to launch something that’s going to consumers, then…
[David Spark] You’ve got to have someone take a look at it.
[Brett Conlon] You do. If you are just sort of messing around with something, use AI, see what happens.
[David Spark] All right. This one comes from Tyler Peters of Linx Security. And just interested to know, what type of cybersecurity marketing do you actually respond to? Is there a kind of cyber marketing you have a positive response to?
[Brett Conlon] For me, personally, I would just appreciate someone coming in. If they want to introduce themselves to me as a person, not a vendor, that would be great. You don’t have to sell me on anything. You’re just developing that relationship and you’re creating the relationship.
Same thing goes with VARs. Coming in and saying here’s what you know about me and here’s what you know about the business, and here’s how you can help me, yeah, I’ll just tune it out.
[David Spark] All right. Is there a type of cyber marketing you respond to?
[Ryan Barras] No, I actually agree 100% with that. In fact, I recently had a discussion with a vendor where we spent about 45 minutes, an hour, during lunch talking about everything but the application and the offering. And we got to know one another, and it was a really intriguing conversation.
I respect that.
[David Spark] This sounds more like sales than marketing, though.
[Ryan Barras] Right. But it was more than that, it was relationship building. And the thing is from a vendor perspective, we only have this amount of time, and that time you need to use effectively. And you can only spend that time looking at items that solve a solution that you’re working with at that moment that fit within the budget, that fit within the needs of the organization.
And that will, more than likely, not happen overnight. I mean, it’s a lengthy process. Unfortunately, I always have to tell our vendors, it’s a marathon, not a sprint.
[David Spark] All right. You are both wrong. The correct answer is valuable research reports. All right. From Castor Morales, what is AI going to do to your staff?
[Brett Conlon] I think we’re in the hype cycle of AI, but I think it will augment my staff. So I think it’s definitely going to help the staff out, and I think it will get certain things that are time-consuming and tedious, and it will help speed those up.
[David Spark] Okay.
[Ryan Barras] I agree, and I think it’s going to level up the skillset.
[David Spark] All right. From George Antonio of Lynn University… This is great. You’re in health and also in finance over here. How do you keep up with regulations in your specific industry, and also, tagged to that, regulations tied to IoT? How do you keep up with them?
[Ryan Barras] For us, it’s really a number of different ways. I mean, there’s reliance on partners, there’s reliance on industry insiders, there’s reliance on sometimes on associations and co-workers and colleagues in the industry. Keeping up with it, if we’re talking about just staying abreast of what’s taking place, then that’s the answer.
If we’re talking the actual execution of it, that’s a whole different discussion. I mean, that’s a resource allocation issue, and that’s a more difficult question to answer.
[Brett Conlon] Yeah, I think you have certain industries, the ISACs are all there, and they’ll help you keep up with regulation and finance. You have outside counsel that’s responsible for helping you keep up with the regulations. It expands.
I mean, there’s so much regulation out there now. There’s so much regulation in the U.S. alone. The states have different regulations. Then you go over to the globe and you’ve got the European Union, which has regulations. [Inaudible 00:40:09] has their own regulations.
The Asia countries…
[Crosstalk 00:40:11]
[David Spark] Right. So how are you keeping up with it? You’re leaning on others to do it for you?
[Brett Conlon] Yeah, we lean on outside counsel. We lean on some industry experts that come and sort of talk to us about what those regulations are that are changing. And then the governing bodies of those will usually send out alerts, and we’ll read those alerts and figure out what we have to do.
And agree with what Ryan said that the solving for it is very different than keeping up with it.
[David Spark] All right. Last question. This comes from Ronnie [Phonetic 00:40:37] Kaleeks of [Phonetic 00:40:38] Halion. Give me your top strategy to recruit top talent.
[Brett Conlon] So we do have strong college partnerships, and so that’s sort of how we bring them in. We do the internship pipeline. And then really…
[David Spark] And, by the way, the question doesn’t have to be specifically for green people, too. Just any top talent.
[Brett Conlon] Yeah. So I will say, I don’t know how you would determine if they’re top talent when they’re out there, but we tell our team all the time that we want to create an environment where they enjoy working there and they like the environment and like what they’re doing.
And that’s sort of how we bring in and recruit the top talent when they need to come in. So that’s how I do it.
[Ryan Barras] So for me, bringing in and more importantly, retaining the talent, I believe is all about being vested in your staff and relationship building. And so I’ll give you an example. Just yesterday, my team, the ones that are focused on forensics and E-discovery, they were looking to learn how to better their skillset.
And so I reached out to my former team at my organization with whom I maintain great relations, and they were willing to educate my current team. I thought that was a win that moment, to be able to reach out to folks that I’ve worked with in the past that were willing to educate my current team and bring them up to speed.
And so, I do try to create that environment where people are happy, enjoy their job. There’s so much pressure in the IT security field. I mean, I try to mix it a little bit with humor. On Monday mornings the first order of business is asking the Gen Z guys on my team, “Okay, guys, what’s the Gen Z word of the week?” That’s how we start the week.
Teach me something.
[David Spark] All right, hold it. Teach us what has been the last Gen Z word of the week?
[Ryan Barras] I think it was slay.
[David Spark] Slay? And can you tell us what that means?
[Ryan Barras] I think it means very cool or I did the job. You know, “I’m slaying the job.”
[David Spark] You don’t use that in normal conversation, do you?
[Ryan Barras] No, not…
[Crosstalk 00:42:30]
[Ryan Barras] …business conversation.
[Brett Conlon] You could use it with the CEO if you like. Tell them their slang.
[David Spark] That would work.
[Ryan Barras] It’d be worth a try.
Closing
42:39.936
[David Spark] All right, that brings us to the end of this show. Let’s hear it for my guests here. Brett Conlon over at American Century Investments, and also Ryan Barras with the Mount Sinai Medical System, correct?
[Ryan Barras] Thank you, David.
[David Spark] Yes. Both CISOs at their organizations. And also, let’s hear it for our sponsor, Dropzone AI. Remember, for 24/7 SOC analysts that will do the work for you. Go check out what they’re doing at dropzone.ai. Let them know you heard about them from the CISO Series.
A huge thanks to the South Florida ISSA for bringing us out, for Yosi for bringing us out as well. We greatly, greatly appreciate it.
And to this amazing audience, this has been a phenomenal show. This is a two-day event. There’s a whole other day of this, which is going to be a hackathon. So I hope all of you come back for that. Thank you very much. Let’s hear it once again.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review.
This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com.
Thank you for listening to the CISO Series Podcast.