I Just Can’t Communicate With the Business. I’ve Tried Condescension AND Derision.

While making informed technical decisions is key for a CISO, the biggest problems they face often aren’t technical. Instead they stem from a failure to translate conversations about risk to the rest of the business. What difference does it make for a CISO when they consider getting buy-in to be their primary role in an organization?

This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis (@csoandy), principal of Duha. Joining us is Gary Chan, CISO, SSM Health. Be sure to check out Gary’s security mentalism website: https://www.gschan2000.com.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Vanta

Automate, centralize, & scale your GRC program with Vanta
Vanta’s Trust Management Platform automates key areas of your GRC program—including compliance, internal and third-party risk, and customer trust—and streamlines the way you gather and manage information. And the impact is real: A recent IDC analysis found that compliance teams using Vanta are 129% more productive. Get started at Vanta.com/ciso.

Full Transcript

Intro

0:00.000

[Voiceover] Best advice for a CISO. Go!

[Gary Chan] Create experiences. People forget what you tell them, but they don’t forget how you make them feel.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host, it’s Andy Ellis, the principal of Duha. Andy, say hello to the audience.

[Andy Ellis] [Foreign language 00:00:35].

[David Spark] How many members of our audience actually know what you just said there?

[Andy Ellis] Well, it’s one that you might actually get because it’s Esperanto, so it draws very common words from other languages, but I picked a language that I think nobody actually speaks.

[David Spark] I’ve never met a single person who speaks Esperanto. Have you?

[Andy Ellis] I’ve met people who’ve practiced it, yeah, but you know I hang out in weird geeky crowds.

[David Spark] There you go. We’re available at CISOseries.com. Why not listen to all our other wonderful programming to teach you about how to be a cybersecurity leader or learn about the cybersecurity news for that day? We’ve got plenty of it. Our sponsor for today’s episode, a longtime phenomenal sponsor of the CISO Series, and that would be Vanta – automate compliance, security, and trust with AI. More about exactly that a little bit later in the show. But Andy, one of the things we do before we hit the Record button that the audience may not know is that we plan this little moment of banter. It just goes on for about a minute or so. And I always ask you, what should we discuss? And 9 times out of 10, I shoot down your ideas.

[Andy Ellis] Pretty much.

[David Spark] [Laughter]

[Andy Ellis] You say nobody wants to hear about it when it’s really David doesn’t want to talk about it.

[David Spark] So, the thing is that sports, especially esoteric sports, you mentioned something about a rugby team called Free Jacks. Nobody cares.

[Andy Ellis] Okay, wait, it’s an audience question. Put this in, whether it’s LinkedIn or wherever you consume this, let us know. Do you care? Like the New England Free Jacks just won the Major League Rugby Championship.

[David Spark] Who cares.

[Andy Ellis] They brought home the shield. They just three-peated, the first professional sports team in America to three-peat in like 20-odd years, and only the ninth one to do it ever.

[David Spark] Well, the Chicago Bulls did that.

[Andy Ellis] Right. The Chicago Bulls did it. But it’s very rare. Only nine teams have ever three-peated in professional sports in the US, and the Free Jacks are now one of them.

[David Spark] Mm-hmm. But I would say NBA, professional rugby, there’s a gigantic gap between interest on those two.

[Andy Ellis] Oh, absolutely. Rugby is like a sixth- or seventh-tier team. I’m not going to say they’re at the top, like the NFL clearly at the top, NBA, NHL, maybe MLB somewhere, NASCAR, F1. Like, there’s a lot of stuff up there. But it was a good championship.

[David Spark] And you put rugby as number six after you listed six that are more popular.

[Andy Ellis] I think I only listed five.

[David Spark] [Laughter] Anyways, I think most are in agreement with me that we really don’t care.

[Andy Ellis] So, here’s for our listeners – tell us.

[David Spark] What can they contribute? Like what am I learning from this? Oh, they won. Yay. Who cares? Or I could care less. Like, nobody cares.

[Andy Ellis] Oh, there’s a lot to learn about perseverance and teamwork and how to get a mission done.

[David Spark] Yes. Yes, yes, yes. Sports. I am a huge fan of sports for learning how to work with others and just teamwork and that stuff, but to talk about another team winning a championship, who cares?

[Andy Ellis] Okay, here’s the question then for everybody. What’s worse, Andy talking about the sports du jour or David talking about pinball?

[David Spark] Oh, yeah, you got a good point [Laughter] there, Andy. I’ll give you that.

[Andy Ellis] Okay.

[David Spark] All right. Let’s bring our guest on, everybody. He is the CISO over at SSM Health, none other than Gary Chan. Gary, thank you so much for joining us.

[Gary Chan] It’s a pleasure to be here. Thanks for having me.

What’s the starting point for a CISO?

4:16.259

[David Spark] What happens when you have to make decisions with imperfect and uncertain information? It’s a part of everyday life and it’s definitely a part of cybersecurity. Chris Grundemann of Khadga Consulting faced this lesson of making a critical decision with limited information when faced with a dying pet. Now, the same issue appears often with business decisions. He found that in both instances, we often wait for a perception of certainty before making a decision or cling to false certainties in a search for comfort. Andy, but we’re always awash in uncertainty and this happens all the time in cybersecurity. So, how do you create a decision-making framework to account for that, and how do we train our staff – this is key – to do the same?

[Andy Ellis] So, I think there’s several ways you look at this. And there’s a very common aphorism that is shared in the military a lot, and it’s attributed to very different people, depending on what the phrasing is. I think General Krulak’s phrasing is my favorite, which is that a 70% plan violently executed will always defeat the 100% plan. And that’s where you have to teach people that at some point you have to commit and execute, even though you don’t yet know enough. And so, you have to be comfortable that based on what you know, you’re making the best decision that is available to you, and you’re not going to second guess it once new information comes out. You might pivot. You might say, “Oh, my goodness, I made a decision. I just learned something that makes it worth pivoting back to a different decision.” But you’re not going to say, “Wow, I should have made a different decision.” No, you didn’t actually know better. You did not know that critical piece of information.

And I can look through my life at career decisions, house-buying decisions that I’ve made, that had I known something. Like right now, I own two homes, I just moved. We’re trying to sell our old house. Market looked fantastic until the day we put it on the market. A certain person in the administration announced tariffs and nobody’s buying houses in that price range anymore. Okay, had I known that was going to happen, would I have changed my plan? Probably. But I didn’t know, so I’m not going to go second guess and say, “Oh, buying a new house was the wrong thing to do.”

[David Spark] Good point.

[David Spark] All right, Gary, I throw this to you. This just seems a core skill any cybersecurity professional should know, but definitely a CISO making decisions with imperfect information, and a good point that you can pivot over time. So, what’s been your experience and how do you deal with this?

[Gary Chan] Yeah, well, I completely agree with Andy that we just have to make a decision sometimes, and that goes with everything in life. And I would say, especially when we’re talking about work, a lot of times the concern is about being blamed or simply just needing more confidence to feel good about what it is that we know to be the correct answer. And for a lot of engineers, because I know there are a lot of those who are probably listening on this show, they probably would feel a lot more comfortable if they write something down on paper because seeing it on paper, using some math somehow makes you feel more confident, even though it’s really the exact same thing in your head.

[David Spark] Right. [Laughter]

[Gary Chan] But draw a probability tree. So, just be like, “If I do this, there’s a 30% chance that this outcome will happen, a 70% chance that this outcome will happen.” And you can make it a very complicated probability tree. And the more complicated that you make it, the more confident you’ll be in your answer, even though you’re like, “Well, I drew all these things, and there’s a 57% chance that this is the thing that should happen.” Well, it’s only 57%. But hey, it’s math. Math doesn’t lie, and that’s the best answer that I have on this sheet of paper. And that’ll make you feel confident, and so you can go make that decision.

[David Spark] So, how do you wrestle with the lack of confidence? Like I’m not sure, but I’m making a decision, and I’m going with it, and you have to lead a group to go with this decision, Andy.

[Andy Ellis] So, I think that you just say, like, this might go bad, and here’s how it will go bad. The biggest challenge that people often have is they need to show so much confidence that they refuse to admit they could be wrong. And so, you say, “Look, we’re going to do this. I might be wrong, but we’re still going to do it.” And if I turn out to be wrong, then here’s what I’m looking for to figure out, “Oh, I made the wrong choice. Let’s do something different.”

[David Spark] And do you like – and I’ll ask you, Gary – do you build contingencies? “Okay, this is what I think. But if it goes the route that is not what I think, we do this.” So, you have like sort of a whole decision tree built out. What do you think?

[Gary Chan] Well, definitely. If there’s a 30% chance of this really bad thing happening, of course, you’re going to want to have some sort of contingency plan. But of course, you have more information at that time, and you can build better plans. But the bottom line is you’re going to be leading your team, and hopefully, you’re leading the same team over and over again, so you have some sort of track record. And people, they keep tally, right? So, if you’re making good decisions pretty frequently, and then sometimes you get a wrong one, hey, it’s no big deal. People will still follow you, they still respect you. Because people oftentimes, they’re quite happy following someone else who’s leading, so they can feel confident in it. And they can also shift blame. Unfortunately, sometimes from a negative perspective, you just don’t want to be the guy who created the problem, right? Now, of course, if you are the guy who constantly gets it wrong, well, maybe there is a problem there.

[Laughter]

[Gary Chan] But in general, if you’re not, I think you’ve got a track record, and your team will know that.

[Andy Ellis] Yeah, accepting blame is super powerful, but only up until some amount. It’s like spice in your soup, really good until your soup is nothing but spice.

[Gary Chan] Yep.

What we’ve got here is failure to communicate.

10:04.317

[David Spark] New CISOs who are used to talking with technical audiences often face issues transitioning to business communications, a critical aspect of the new role. Now, as Binoy Koonammavu of Secusy AI noted, CISOs rarely have a tech problem, they have a translation problem. He talks about thinking about security buy-in from the business as your primary job, and suggests framing risk as business impact, speaking to outcomes rather than alerts, and moving from urgency to strategy. It’s kind of a nice sort of a continuation from our last segment. So, I’ll start with you, Gary. How hard is it for first-time CISOs to make this shift to this less technical, more translation-focused communication, and where exactly is the greatest struggle you find most CISOs have?

[Gary Chan] Sure, I definitely think that it is a very tough thing to do, especially for first-time CISOs. And so, you end up with two groups of people, those who don’t figure it out, and those who do.

[David Spark] [Laughter] As simple as that.

[Gary Chan] As simple as that.

[David Spark] All right, take that home with you, everybody who’s listening. You’re going to get it right or not.

[Gary Chan] And I would say those who get it understand that everybody cares about something different. You, as the CISO, are trying to solve one problem, but everyone else in the room who’s not in information security probably doesn’t care. And in fact, when you talk about reducing risk, everyone just rolls their eyes. Because, I mean, that’s, yes, that is your job function. But again, nobody kind of really understands or cares about that. So, I’ll give one really good example that I think sort of brings it home. So, one of the things that information security teams love to talk about is how patching reduces risk. Well, I don’t know any CEO who’s not a cyber expert, who really understands what 100,000 vulnerabilities on 30,000 devices means. Like, is that a big thing? Is that a small thing? Am I going to lose money? Is this a good thing? I have no idea.

So, one of the things that I did, for example, is for one of our board meetings, there was a Microsoft vulnerability in Exchange, and I think this was like a couple of years ago, and this, they understood this. I explained that the publication of this vulnerability and patch came out at – I’m just making up a number here, I don’t remember when – it was like 8:00 a.m. that day. And my team patched it at 10:00 a.m. And we could see on the firewall, somebody tried to exploit it at 3:00 p.m. And so, I told the story and said, basically, my team was on top of things. We did things in two hours. And we were ahead of the bad guys by like eight hours or whatever it was. And had we not done that, the bad guys would have been able to read all of our emails.

I think that’s a really powerful story that they all understood. And I said, “Hey, by the way, you could remove some of the resources from my team, and what that would mean is we’d probably be slower next time. And if we were slower by a few hours, 5 hours, 10 hours, 24 hours, maybe we would have gotten hacked on the next run.” Right? So, of course, they’re not going to want to remove resources. But when you can tell a story where you can actually show I patched this, it resulted in a hacker not coming in, then they understand that versus I reduce the risk, and they really don’t understand what that meant.

[David Spark] To your opening tip of this very show. All right, Andy, you have dealt with this a lot. You have written and are writing How to CISO. So, this is very much your language. I’m going to start with this last question. Where is the greatest struggle?

[Andy Ellis] So, I think that Gary just nailed it there. The greatest struggle is CISOs try to justify new investment, and they forget to continuously justify existing investment. Right? I have a team, what did they do for you? Like, “Oh, we patched a bunch of stuff.” No, “We kept this hack from going bad.” Right? “We protected us in this incident.” Show the value your team is always producing. Because if you can’t articulate the value of your 10 or 100 or 1,000 heads, then every time you walk in and ask for more money because you’re talking about some risk, people are just looking at you and like, “Do we really have to do this? What can we get away with?” Because they’re not really bought in. That’s the greatest struggle is you’re not talking business value in the way that Gary just demonstrated for your existing staff. Everybody needs to really understand like, here’s what we do. And I think Gary hit the other nail on the head with we don’t reduce risk. We help the business succeed by making sure we don’t take stupid risk. Like we’re here to take risk. That’s what the business does. We take risk to make money. Our job is to find the unprofitable, dangerous risk and get rid of it so that we can take more profitable risk.

[David Spark] So, let me ask you a question. And we kind of talked in two different ways. And this might be the role of a BISO. But we, in episodes a while ago, we talked about the need for like an internal communications security person, which kind of sounded like a luxury. Like, oh, that’d be great if, like, we’re doing so. But you’re nodding your head. It’s not a luxury. And could this also be the role of a BISO? The person who sort of tells that story, as you just described, “We patched this. So, this didn’t happen. You should all know that.”

[Andy Ellis] So, I think that needs to be embedded through your organization, but it starts with the CISO. The CISO needs to be an amazing storyteller. And every time there’s a bad day for anybody, part of the job of the CISO is to say, “Yeah, but it could have been worse. See how amazing everybody is, not just my team.” Like, I’m not here telling doom and gloom. I’m here saying, “Yeah, it’s raining, and our feet are wet, but we’re all carrying umbrellas.” It’s a reminder. I’m the one who pointed out last year, we should all buy umbrellas and give those out to the team. That’s why we’re not soaking wet. Like, that’s the job of an executive. And look, the CRO has it easy because they walk in every quarter and like, “Look how much money we made. That’s all on me.” The CMO walks in and says, “Look how much money the CRO made. I’m going to claim 50% of that came from me.” Everybody else has a really hard time here.

Sponsor – Vanta

16:24.304

[David Spark] Who’s our sponsor this week? Well, it’s our fantastic sponsor, Vanta. And if you are not on board and understand the Vanta solution, you need to pay attention to what I’m going to say right now. So, compliance regulations, third-party risk, and customer security demands are all growing and they’re changing fast. We all know this. Now is your manual GRC program actually slowing you down? My guess is yes. So, if you’re thinking there must be something more efficient than spreadsheets, yes there is. More efficient than screenshots and all these manual processes – you’re right, you’re right, you’re right. GRC can be so much easier while strengthening your security posture and actually driving revenue for your business. That’s what it’s all about. You know, that we’re talking about? You take risk for the business. All right, this is for the business.

So, Vanta’s trust management platform automates key areas of your GRC program, including compliance, internal and third-party risk, and customer trust, and streamlines the way you gather and manage information. And the impact is real. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. All right, so you get more time and energy to focus on strengthening your security posture and scaling your business. That’s what it’s all about. And Vanta, GRC, how much easier trust can be. So, you want to learn more? You got to go to their website. That’s vanta.com/CISO. Add the /CISO so they know we sent you there, vanta.com/CISO to learn more.

It’s time to play “What’s Worse?”

18:08.014

[David Spark] Gary, you know how this game is played, correct?

[Gary Chan] I do.

[David Spark] Two crappy scenarios. You’re not going to like either one, but you have to pick one. I make Andy answer first. You can agree or disagree with Andy. Now, this comes from one of our absolutely favorite submitters, and that’s Jay Dance from StubHub, and here are the two scenarios. First one, an insider has introduced a Chaos Monkey-like clone into your environment that has agentic AI integrated into it, thus increasing scenario variability. Okay? Chaos Monkey with a lot more variability, and it’s learning from you. So, it’s ugly on top of ugly. Got it? Scenario number two. Stuxnet-like malware – also not good, that doesn’t start off good – in your environment that introduces enough subtle changes to your environment, thereby tainting the output of your product over time. So, it’s an internal or what’s going out. Both are crappy. I know usually you say out is always worse, but I want to know what you think. Is out still worse than inside? And I’m being very vague here. Andy, what do you say?

[Andy Ellis] [Laughter] Yeah, so you’ve got me predicted right on this one. I think I know what Jay was thinking, but he didn’t give me a consequence on the first one. Like, oh, look, we have a Chaos Monkey. I’m going to assume my infrastructure is big enough that a Chaos Monkey is interesting, and the Chaos Monkey’s actually fantastic. I’m kind of happy with this. Like, yeah, we’re going to have a couple bad days as we discover non-reliant systems. But compared to that, I’ve got a system that actually isn’t working, but I think it’s working, and it’s causing problems in the long run. Oh, God, that’s the worst of them. So, Stuxnet-like malware that basically is devastating my production system in a way I don’t know? Absolutely way worse than an actual competent Chaos Monkey.

[David Spark] Well, it’s a competent Chaos Monkey that I think is turning into the behavior of like Stuxnet and like what you said.

[Andy Ellis] But there was no outcome specified that looked like that. This is one of the rules that Nir put on us. We’re not allowed to modify the scenario once you read it, David. Even you can’t.

[David Spark] Well, no. No, no, I’m not modifying the scenario, but it’s like it’s increasing scenario variability. That is part of the description.

[Andy Ellis] But that’s the whole point of Chaos Monkey. The idea is if you have a high resilience system, you build at planetary scale, which I got to do for 20 years of my career, then you really do want high variability in your bad random acts that happen. Like what system fails should never be the same system. You want it to be a different system, and you want it to be, oh, you only have three systems that look like that. They’ll never randomly get picked, but the agent will be like, “Oh, let’s go knock out one of those today.” So, I’m going to have a lot more incidents that will matter, but they’re all incidents that I learn from. That’s the whole point of Chaos Monkey. The, “I’ve got Stuxnet,” I’m not learning anything other than one day, I don’t have a business anymore, or maybe I don’t have a nuclear enrichment site.

[David Spark] Right. Andy makes a very good argument here, Gary. Are you going to agree or disagree with him on this?

[Gary Chan] I agree with the outcome. The thing is the second one, the Stuxnet one, if it’s impacting my customers, then that affects my revenue. The internal stuff affects my cost. And so, I’d much rather have a higher cost that I have to go fix things than I don’t have revenue. Plus with a Chaos Monkey, and this might be making too many assumptions because that’s, someone’s throwing it in, and I’m assuming that they’re helping us test, they can tell me what it’s doing.

[David Spark] Well, they’re not helping you test. This is a clone. So, you’ve got your own Chaos Monkey. This is a Chaos Monkey on top, or you may or may not, whatever, but it’s a Chaos Monkey potentially on top of another Chaos Monkey.

[Andy Ellis] But as long as you’ve got a Chaos Monkey program, the purpose of a Chaos Monkey is to give you incidents.

[David Spark] That might’ve made this worse if you do not have a Chaos Monkey program.

[Andy Ellis] Right. So, maybe that’s what Jay wanted to say, but he didn’t say that we don’t have an incident response program to learn from a Chaos Monkey. That might make the Chaos Monkey really bad.

[David Spark] That, actually, that’s a good point.

[Andy Ellis] But even so, I would still pick the Stuxnet output as the worst case.

[Gary Chan] Yeah. Without revenue, you’ve got nothing.

[David Spark] Yeah. So, yeah, we should have clarified it, and I think you’re right on that, is that if you don’t have a Chaos Monkey program, then yes, the first scenario is very bad because you’re just not prepared at all. If you do, it’s just another Wednesday.

[Andy Ellis] This is a better Chaos Monkey. Like, honestly, now it’s not taking down systems that won’t bother me. Like, it only takes down systems that give me bad days I can learn from, great. That’s actually a fantastic Chaos Monkey program.

[David Spark] All right. More agreement with Andy, and you know how much I dislike that.

[Andy Ellis] Yes.

How have you actually pulled this off?

23:00.853

[David Spark] Is influence the most powerful tool in a CISO’s arsenal? Troy Wilkinson, former CISO of the Interpublic Group, said so. He pointed out that this gives you “influence to prioritize the right risks, influence to navigate competing business objectives, influence to say no in a way that still moves the business forward.” He sees influence as a way to mitigate the reality that CISOs hold accountability for security without control of the infrastructure or vendor relationships. Andy, this discussion screams your book, 1% Leadership. Actually, I’m tossing to you, Andy, on this. Do you describe the leadership role as one of influence, as the way to achieve your goal as a leader? What do you think?

[Andy Ellis] It’s sort of funny because I just pulled out the book to be like, do I actually have a chapter specifically about influence? The answer is no, I don’t.

[David Spark] By the way, he’s got in this shot, in this video shot, I want everyone to know he’s got 11 copies of the book behind him.

[Andy Ellis] David, count it. Plus I’ve got all the ones to the side too, so you should count those.

[David Spark] Well, this is just in the video shot that I see.

[Andy Ellis] Just in the video shot, I got 11. I think the answer is, look, leadership is however you interact with people who do work, which is turning energy into value. And one of the ways of interaction is influence. And for CISOs who are functionally a staff function, right, our entire job is to look at how other people work and make them more effective. So, yeah, of course, influence is how we’re going to do that outside of our own team where we get to be directive instead. So, absolutely, like, influence is necessary to achieve anything as a CISO because you actually don’t get to say no. That’s the single biggest lie that we were told. Certainly, I got told as I was coming up as a CISO. People were like, “Your goal is to be able to say no and make it stick.” And the day you get to the point that you say no, and people actually stop what they’re doing, and the rest of the executives look over you and are like, “Why did you just tell my organization to stop doing something? You have to come talk to me first.” Like, that’s what influence is.

[David Spark] So, Gary, going back to you, and it sounds like influence goes back to your desire. And we hear this all the time, by the way, from CISOs, to be a storyteller. And when you’re a storyteller, you have influence because of, really, the advice you gave at the beginning of the show. So, it seems like the storytelling is what builds you as someone who has influence because the story is the thing that sticks that will have the impact. Not just I’m big and strong, listen to me, and that’s it. Yes?

[Gary Chan] So, I would say the experience that you create for others is what sticks because that’s how you make them feel. However, because people like really bite-size single-sentence answers that they can apply immediately, then I say storytelling. Because that’s specific enough to where people understand, “Oh, yeah, I could just add some storytelling into it.” But understand that the storytelling is really just part of the broader picture, which is you being someone that people like and that they want to be around because you’ve created a great experience for them that even when you have told them no, which I do agree with Andy is very rare, even when you do tell them no, that they’re still okay with that because of how you made them feel and that they’re okay.

[David Spark] The thing is, the military works through orders and through instruction. Andy, being former Air Force…

[Andy Ellis] If you’re outside the military, that’s an absolutely fine way to describe it, but it is not the experience of most people inside the military.

[David Spark] Okay. And again, someone who has not been in the military, you speak for me here, Andy. The thing is, does that work in the military or does the military have to create the experience like Gary said, because you are simulating experiences in the military, yes?

[Andy Ellis] Oh, absolutely. And there are people who are still staff functions. My last posting in the military, I was technically an arms dealer. I mean, sorry, acquisitions officer, but I was a consultant. My job was to go to other acquisitions officers and convince them to plan for testing years down the road. Like, that’s it. My job was to come into somebody who’s going to be in a post for three years to convince him to engage with the team that will not do testing for seven years. It’s like outside of his remit, but that was my job was to convince him. There was no order for him to have to do it.

[David Spark] Mm-hmm.

[Andy Ellis] But it needed to be done. So, there’s a lot of influence that happens in the military. The number of people you get to say, “Hey, go do this thing this way.” And in fact, in the US military, that’s pretty much anathema. Very, very rarely do we just give orders. What we do is we say, “Get this thing done.” There’s a running joke told to cadets, which is doubly ironic for me: cadets get told, “Hey, imagine your first posting in the military. You get told to put a flagpole up. Your squadron’s in a new building. They need a flagpole up. How do you do it?” Right? And the only correct answer is you go find your senior non-commissioned officer and you say, “Sergeant, we need a flagpole up in front of the building. What do you need?” Right? You basically present yourself as, “I will clear roadblocks for you because you’re the one who’s going to do the work.” The reason this is ironic is my first posting, there were more lieutenants than airmen in our squadron. So, the colonel decided that raising the flagpole would be a lieutenants-only function, and we were not actually allowed to delegate and influence other people to do it.

If you haven’t made this mistake, you’re not in security.

28:46.183

[David Spark] Practically every security professional I’ve spoken to admits they’ve suffered imposter syndrome at some point. In an effort to overcome that, there is a desire to showcase your technical prowess. That’s an initial response that probably won’t provide long-term value. WM CISO Jerich Beason offered insight from a mentor who guided him away from this tech flex, if you will. Once you’re in leadership, “Being right isn’t sufficient. You need to bring people along with you.” Oh, discussion of influence. He goes on to say, “Currently, you’re creating adversaries instead of allies.” Security leaders need to build themselves up as trusted partners with executive leadership. This goes hand in hand with influence that we talked about in the last segment, where at some point, security leaders need to focus on soft skills of emotional intelligence, communication skills, and political acumen if they want to drive organizational change. All right, Andy, did you ever make this tech flex mistake yourself that Jerich Beason speaks of, and what was your turning point?

[Andy Ellis] [Laughter] Oh, I have made it so many times. And just pull out my mini soapbox. Those are not soft skills. Those are much harder skills.

[David Spark] Mm-hmm.

[Andy Ellis] So, I just always object to people calling them soft skills. My turning point was we had what we called our executive risks or the severe vulnerabilities that I would go up and I would brief the CEO and his team once a quarter, like, “Here’s the like 10 worst things that face the business.” And there was one that had the potential for a data breach of end user data, not ours, but the end user data for our customers. And I could just never get people engaged on this one. In fact, it had gotten to the point that I would go up to present, and half of the execs were on their BlackBerrys, to give you some timing on when this was happening.

And one day I went in, and I was like, “So Tom, how would you feel if it was your financial records that got breached?” Right? And there’s a little bit of a tech flex there because what the whole room heard was me threatening to do that, to exploit the vulnerability. And so, my boss comes in and he says, “What were you trying to achieve?” and I said, “I was trying to get people engaged.” And he said, “Well, then we’re about to fire you because it sounded like you were going to go do this,” which was not at all what I meant. I was just trying to show that like, “Here’s a risk and you could be the one who gets hit by it.” And he said to me a phrase that has stuck with me forever. He said, “Before you open your mouth, know what you’re trying to achieve.” And I thought that was a really great way to think about this, and it might make you feel like you have more imposter syndrome, but what it does is when you have that moment of anxiety and you’re about to be chaotic, whether it’s a tech flex or something else, just pause and say, “What is your goal in this conversation?”

[David Spark] Very good point. All right, Gary, I throw this to you. Have you tech flexed before?

[Gary Chan] Oh, definitely. And I would also say that I was very lucky early on in my career and going a little bit into storytelling because I think this is what helps people remember things. There was another person on my team, I started with a group of analysts at a consulting firm, and the other person was very sharp technically. He was definitely into computers, and he could do all the amazing things on there. And one of the things that happened was at the end of the year when we did our annual reviews. At this company, they stack ranked everyone, and everyone got basically ranked from 1 through N. And I was ranked, everybody else was ranked, but this guy was not ranked. They didn’t give him a ranking despite how great his work was, or at least in my opinion, how great his technical work was. And the reason? Because I actually asked the senior person, I said, “Hey, this guy’s not on there. What happened? Did he leave?” He’s like, “Oh. Oh, we forgot that he works here.”

[Laughter]

[Gary Chan] “He’s so quiet. He just gets his work done.” And deadlines had already passed. So, they just put him at the bottom of the ranking for the year.

[David Spark] Yikes.

[Gary Chan] And that was when I learned that you can be great at tech, but nobody cares.

[David Spark] You’ve got to have an impact on them as the individual.

[Gary Chan] That’s right.

Closing

33:15.938

[David Spark] Well, that’s a good place to close this conversation. That was excellent. Thank you so, so much, Gary. And thank you, Andy, as well. But also, our awesome sponsor. That’ll be Vanta. You remember, go to vanta.com/CISO to essentially automate your GRC experience, vanta.com/CISO. Remember to add the /CISO so they know that we sent you there. Just so everyone knows, I met Gary at a conference where he was doing a security-themed magic show. And this is something you regularly do, correct, Gary?

[Gary Chan] It is.

[David Spark] So, by the way, if someone wants to book you or see some of your videos of your security magic, where would one go to see that?

[Gary Chan] Yeah, they could just look me up, Gary Chan security mentalism. They can search for that on Google or go to my website, gschan2000.com.

[David Spark] Excellent. And we will make those links available on the blog post for this very episode. Huge thanks to Gary Chan, CISO over at SSM Health, and also Andy Ellis, who’s in his new show with 11 books behind him. I’m happy to say that you can buy a book from Andy or probably go onto Amazon. Where’s the best place for people to buy your book, 1% Leadership?

[Andy Ellis] I think at this point, probably Amazon gives you the best prices, but you go to my website, csoandy.com/book, and I’ve got links to all of the various online retailers if you have a preference.

[David Spark] There you go. Just do that. I have read the book. I think it’s excellent. And I’m not biased because I truly try to knock Andy down a peg or two when I do have a chance.

[Andy Ellis] He does. Every listener knows that.

[David Spark] [Laughter] And I liked the book very much. Thank you, everybody. We always appreciate your contributions and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.