If you search online, you’ll find no dearth of lists claiming to rank the top security leaders. The question is, how do these lists actually get created? Most of the time, they include CISOs from the biggest companies, or the ones with the best name recognition. But is that any kind of objective criterion? These lists generally serve to boost the credibility of the publisher rather than being based on any kind of rigor. Is there any way to make these lists anything but fluff?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our guest, Janet Heins, CISO, iHeartMedia.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, LimaCharlie

Full Transcript
[Voiceover] What I love about cybersecurity. Go!
[Janet Heins] I really love to learn from them. I find that I learn which vendors really understand the business or really want to understand the business that I’m in, and which vendors just want to sell a product. I learn where the market is consolidating and where it’s expanding. So I think that’s the gist of it is I learn from them.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my very co-host for this very episode, it’s Andy Ellis. You also may know him as the operating partner over at YL Ventures. Andy, say hello to our audience.
[Andy Ellis] Hello to our audience.
[David Spark] We are available at CISOseries.com and we have many other shows, not just this one, so you should check out our other programs. Our sponsor for today’s episode is LimaCharlie. They are a SecOps cloud platform and essentially delivering security operations for the modern era. More about exactly that later in the show.
Andy, I want to begin this episode, now we’re recording this episode way in advance, so we’re actually the beginning of June, it does happen, but I read your book, I actually wrote a small written review but did a video review.
[Andy Ellis] You did. It was a fantastic video review.
[David Spark] I’m glad you liked it, and you wrote a fantastic book. As much as I would like to give you crap for it, you did write a [Laughter] fantastic book.
[Andy Ellis] Thank you. And you’ve had to listen to me pimping the book for like a year on the podcast.
[David Spark] I know. You’ve been pimping it for so long. So I will kind of echo what I said. It’s 1% Leadership but there’s two things I took from it. All these little, small things you can do for yourself personally, for your team, for managing. Also I think it was also a lot of the stupid things we’re doing, like the 1% you should stop doing…
[Andy Ellis] Yes.
[David Spark] …I think is also what kind of what it speaks to. And again, small things we do, we go, “Oh, this couldn’t cause any problem,” and you don’t realize, oh, these things do have ripple effects. The one I liked was the story of stopping by your fellow colleague’s desk and talking about the game last night.
[Andy Ellis] Inclusion is the sum of countless everyday micro-inclusions.
[David Spark] Yes.
[Andy Ellis] I love that chapter.
[David Spark] And I didn’t think about like, “Oh, if you just keep doing that, you keep excluding the others who don’t care about sports at all.”
[Andy Ellis] Right.
[David Spark] Because the people who love sports just assume everyone loves sports, and they don’t realize.
[Andy Ellis] I don’t know they assume everyone loves sports, but I think the challenge is they’re getting what they need out of it and they don’t realize that there are other people who aren’t and that they’re noticing that lack. And the problem is if you go talk to most HR professionals who are busy and have to be very careful about what they say, they’ll just tell you, “Stop talking about sports.” And so their attitude is not to include more people, it’s to include fewer people so there’s no discrepancies.
Like if nobody gets included, at least nobody’s excluded differently, which is doing it wrong.
[David Spark] But here’s my question for you because immediately what I was thinking about when you gave that description, you said, “Well, if you’re going to go stop by this person’s desk and talk about sports, then you have to understand the special interests of all your other employees and make the time for them.” My feeling is if you’ve got a big team, that is quite a tantamount effort to keep track of that information and know, “Oh, did I talk to this person about whatever their personal interest is?” So, my question to you was how big did your teams ever get and were you able to personally manage that, getting those little tidbit micro events with all the people?
Because that alone seems like a tough job.
[Andy Ellis] Yep. So, I think my team at its largest was 94 people, not all of whom were colocated, and I think at that point I really did not have that level of direct connection with everyone.
[David Spark] Mm-hmm.
[Andy Ellis] But what I tried to do was say, “Look, all of the people who had cubes outside my office, I should have something. I shouldn’t walk past somebody every day and never engage with them.”
[David Spark] That’s a good point.
[Andy Ellis] So, for me, that was a really big piece of the rubric was, “Look, if you’re going to notice that I didn’t interact with you but I interacted with the next person, I need to do something about that.”
[David Spark] I remember working at one company where the president, who by the way, did not last long, came into the company, went straight to his office, closed the door, spoke to no one. And he did that on a day-to-day basis and it was like, “This isn’t going to last long,” [Laughter] and it didn’t.
[Andy Ellis] That’s painful. Well, especially because as a leader, the less work you do the better. And it sounds backwards but any time that you could be doing work that you could instead give that work to somebody else and use your effort to improve everybody else’s output, that is a much better way for leaders to operate.
So, I don’t know how you would do it entirely without talking to the people who work with you.
[David Spark] Excellent point. I want to bring in our guest, very thrilled to have her here, and I have been a consumer of the product that she secures. It is the CISO over at iHeartMedia, none other than Janet Heins. Janet, thank you so much for joining us.
[Janet Heins] Hi! Thank you very much for having me, great to be here.
Close your eyes. Breathe in. It’s time for a little security philosophy.
5:31.170
[David Spark] This was the question that was asked by Jennifer Ouellette in an article on Ars Technica. Now, besides being unsolvable, we’ve also heard cybersecurity being referred to as an infinite game. Either way, there’s no finish line, nor is there the desired outcome of, “Are we secure?” And the argument is that cybersecurity is a more human issue.
“Cybersecurity is not a primarily technological problem that requires a primarily engineering solution,” said Scott Shapiro, who’s a professor of law and philosophy at Yale University and author of a brand-new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.
By the way, read Andy’s book first, 1% Leadership. But coming back to Shapiro, he went on to say of cybersecurity, “It is a human problem that requires an understanding of human behavior.” That’s his mantra throughout this book, “Hacking is about humans,” and it portends, for Shapiro, “The death of…” this is an interesting word “…solutionism.” Never heard that term – solutionism.
So, tip of the hat, by the way, to Jose Hoyos for posting this. So, question – if it’s unsolvable or an infinite game, Andy, what the heck are we doing? Are we actually in cybersecurity and is that an industry to be proud of, or are we just protecting the business, we’re standing batting away stuff?
[Andy Ellis] So, I think this is a false choice of a question and I disagree with its framing.
[David Spark] All right, I accept that.
[Andy Ellis] I don’t think that cybersecurity is a problem. It’s a discipline and it has technological components and it has people components, and you can’t just say, “Oh, it’s a human problem.” One of my favorite mentors, Professor Nancy Leveson at MIT, who actually has a conference going on today while we’re recording it which is the Partnership for a Systems Approach to Safety and Security, and she says, “Human error is a symptom of a system in need of redesign.” And so when we think about cybersecurity, most of what we’re doing is design.
It’s how do you build control systems which aren’t just a system somebody interacts with, but everything around it, that are resilient to adversarial behavior. It’s just a safety discipline pointed at humans instead of the environment as the cause of what might happen.
I think it’s going to be around for a long time, like this is not a problem to be solved. It is a risk area to be managed. Hopefully, we don’t have to keep reinventing the wheel every six months because every time somebody implements a new framework they reinvent all of the problems that we’ve had. At some point that will go away.
I think we’re seeing some higher-level languages that are really bringing that to bear. So I’m actually pretty optimistic. I’m happy with cybersecurity. I hope that in 50 years we don’t have a separate discipline that is cybersecurity but it’s in fact embedded throughout all disciplines.
[David Spark] All right, Janet. We throw this to you. Your take on this philosophical discussion of is it unsolvable, what the heck are we doing? By the way, I don’t want people listening to all of a sudden think, “Did I make the wrong choice in getting into cybersecurity?” Janet?
[Janet Heins] Yeah. So, I like to explain it as though we’re treading water, right? We are constantly trying to stay above the waterline, to stay alive, to keep things running.
[David Spark] So this is more like the infinite game philosophy.
[Janet Heins] Yeah. And then underneath the water there’s different levels of effort, right? And I totally agree it’s not all technology, it’s not all people, it’s a combination I think. I like to use the kind of normal nomenclature people, process, technology, right? It’s a combination of that. And it’s never ending.
I would love to know or think that maybe someday the discipline can go away and it’s actually embedded and not considered, like I like to call it, aftermarket, right? Security aftermarket slapped on like a “not made by the original manufacturer” and that it’s just built into everyone’s DNA as they’re standing up systems, writing applications, whatever.
Even just the non-technical people just using tools that they normally use to get their jobs done. So, yeah, I think it’s just continually, like I said, that treading water. If you think of it that way, that to me puts a visual out there that there’s constant effort to just stay above the water.
[David Spark] So, Mike Johnson, the other co-host of this show, has referred to it as ducks. He says, “The ducks look calm above water, but underneath their webbed feet are furiously going back and forth.” Andy, you’re sort of nodding your head. Do you see it that way?
[Andy Ellis] Yeah, yeah. I like that one and I think we should remember that ultimately security sits within this grander scheme of society, right? There are societal constraints on us that affect security, and that may sound grandiose but just think about root of identity, right? Do you want to have privacy or do you want to have security because there is a tradeoff around identity between those two that’s very societal.
Are we having communication issues?
10:49.081
[David Spark] Janet, on this show we talk a lot about the CISO being the great translator. That they have to go to each department, understand each department’s business and talk about their needs in their language. Now, of this conversation, which again, we’ve had a lot of on this show, Jason Saputo of Fantom Corporation asked this, “Is this unique to the CISO role or do you see or experience the other functional executives having to do the same type of translations, or do they simply just focus on their one area?” Like the CFO, do they need to do that?
What do you think, Janet, or what have you experienced?
[Janet Heins] Well, my experience I’ve seen the CIO for sure having to build those similar relationships and really understand the business. I think due to the technical nomenclature and technical nature of CISO roles and CIO roles, there’s definitely that translation that’s needed to understand two ways, both ways, right?
What is it we’re trying to accomplish and why does that matter to anyone outside of security, right? I think that’s the number one job of CISOs is to get that footing and understand what that means. And it’s different at different companies obviously. I would like to think, I’ve not been in the seat, that people in other kind of centralized functions or core functions to the business would need to do the same thing, but maybe not to the extent that we do.
[David Spark] Yeah. I mean, I think you’re right there. Let me throw this out. Do you at all learn from the other C-level executives about communications with departments, like maybe with the CIO who has to do it a lot, do you sort of take their lead or just learn something from them in this respect?
[Janet Heins] Yeah. I mean, I’ve learned what to do, I’ve learned what not to do, right? You see the good and the bad, right? What works, what doesn’t work. I think that it’s really just building a trusting relationship and having candid conversations and being able to, like I said, not just say, “I want to come in here and put this tool in because it’s going to make it better throughout the company,” but what’s it going to do specifically for what you in your part of the company are trying to accomplish.
[David Spark] And that is really the core, the need for translation. Andy, you’re nodding your head. What has been your experience of other C-levels doing translations?
[Andy Ellis] Yeah. So, I think the CIO absolutely probably is the discipline that has mastered this the most, and I think it has to do with being an embedded service operation. That when you are serving others, it’s not like they’re coming to you. Like Legal often doesn’t do this because Legal’s just like, “This is what we do.
You have to come to us.” They’re not trying to drive their service into organizations, although sometimes Procurement and Finance will do that. What I found works really well is we have the benefit in security of being really near a universal word that everybody does use and we can use to learn their language which is risk.
[David Spark] Mm-hmm.
[Andy Ellis] You can walk to any executive and say, “Hey, when you go talk to the board about the biggest risk that you face, what is it and what language do you use?” Because 90% of our translation is just using a model that works for our listener, right? If our listener loves to talk about football, then we know we can use football analogies.
If they love to talk about knitting, then we can talk about the algorithmic nature of knitting, right? But they go to the board and they say, “Oh, here’s how I mention risk.” Great. Now I know the language you use for risk, and so I can use the same language you do, and that’s a benefit really that the CIO doesn’t have.
They don’t necessarily have that same common, like, what’s this phrase that means almost the same thing but is used very differently.
[David Spark] That’s a really good point, risk is the universal word, so anytime you talk about any kind of technology or any kind of implementation, Janet, you have to bring up risk, I’m assuming, yes?
[Janet Heins] Yes. As a CISO you’re looking at everything from a risk perspective, right? And I think the important thing – I think Andy brought it up – is not only learning the language but also using the language when you’re speaking to them because you can see the engagement, you can see them change and sit forward in their seat.
I mean, literally I’ve seen it happen. When you start using the terms that the Legal Department uses or the Finance Department uses or the sales organization, whatever group you’re talking to, it really connects.
[David Spark] How long did it take you to learn, do you feel you’re always in an education mode in that respect? I mean, more I would guess is like when did you feel comfortable?
[Janet Heins] Wow. I think it depends on the actual human being you’re trying to connect with, for sure, to be candid. But in general, it’s been something that I’ve been doing really in my whole career in IT, in my entire IT career is be able to be that kind of liaison translator. It’s just something that – really short story, not even a story – but I was in IT and in a very technical role and I was supporting a specific area of the company and I was given feedback during one of my performance evaluations that I was too close to the business.
And I thought, “Wow, I didn’t think that was possible, but apparently some people think that’s possible.” So, I think it’s just something that I had a natural tendency for is to really be the bridge and bridge the gaps and get everyone to understand each other.
[David Spark] That is a first for hearing that complaint.
[Janet Heins] Right?
[David Spark] I don’t think I’ve heard that one at all.
[Janet Heins] Yep. That was interesting.
[Andy Ellis] I’m trying to figure out if that’s code for something else, like were they trying to say you weren’t being paranoid enough, which is also a weird thing.
[Janet Heins] I asked for examples and the examples I got were, “You’re attending meetings with them,” I mean, it was just…
[Andy Ellis] Oh, wow.
[Janet Heins] Yeah.
[David Spark] This seems like it might have been like a personal battle kind of a thing is what it sounds like.
[Janet Heins] Maybe not a strong leader. Just saying. Maybe he needs to read your book.
[Andy Ellis] There you go. Send him a copy.
[Laughter]
[Andy Ellis] It’s been suggested, have the service of you give me the name and I’ll ship the copy.
[David Spark] Oh, that would be an awesome service for your crappy managers.
[Andy Ellis] For your crappy managers, give me their name and address and I will send one and I will not tell you who ordered it.
[David Spark] [Laughter]
[Janet Heins] I love it.
Sponsor – LimaCharlie
17:18.070
[David Spark] Before we go on any further, I do want to tell you about our amazing new sponsor, LimaCharlie. Now, gone are the days – and we all know this because we talk about this all the time on the show – of the one-size-fits-all security solutions that do not adequately address the complexity of modern networks and evolving threats.
We wouldn’t have a show if that was not the case, but we need solutions to deal with that. So this is exactly what I’m talking about with LimaCharlie. These general-purpose tools that are out there, they lack the flexibility to adapt to your unique environment and special needs. Now, as a result, you end up with a fragmented collection of tools that need to be manually integrated and stitched together, leading to inefficiencies, gaps in security coverage, and extreme costs.
This all sounds familiar, right? Okay. This is not the case anymore. Introducing our sponsor LimaCharlie’s SecOps Cloud Platform, the modern platform that provides businesses with comprehensive enterprise protection that brings together critical cybersecurity capabilities and eliminates integration challenges and security gaps for more effective protection against today’s threats.
Now, the SecOps Cloud Platform provides all the core solutions needed to secure and monitor your organization, like deploying endpoint capabilities through a single agent regardless of the technology and alerting and correlating from logs regardless of the source and automating analysis and response regardless of your environment.
Get started for free or learn more about how LimaCharlie is transforming cybersecurity for the modern era with the SecOps Cloud Platform at their website limacharlie.io. You remember? That’s lima like the bean, charlie like the name, .io, and tell them that I sent you.
It’s time to play “What’s Worse?”
19:05.400
[David Spark] Janet, you know how this game is played. We will have Andy answer first, then you will get to answer second. I love it when the guests disagree with Andy. No pressure there.
[Andy Ellis] I love it when the guest agrees with Andy.
[David Spark] So, the idea is if you agree with Andy, he wins. If you disagree, I win.
[Janet Heins] Got it.
[David Spark] All right. But I think this is a tough one, Andy, I hope so. Sometimes we have ones you go, “Oh, this is easy,” and like, “Rrr, drat.” Here we go. This comes from Dustin Sachs of World Fuel Services who gives us a ton, in fact he’s given a lot.
[Andy Ellis] Oh, Dustin does. His are problematic.
[David Spark] And I will also say Dustin will also send some silly ones in. This one isn’t so silly. But when he gives them to me, he gives them to me in a string of like seven to eight at a time. All right, here we go. What’s worse? A successful spear phishing attack targeting a high-level executive within your organization leading to the theft of sensitive corporate data – that stinks – or a malicious insider intentionally leaking confidential information to competitors.
Which one’s worse?
[Andy Ellis] Oh, the first one.
[David Spark] Okay. Why do you think that’s much worse?
[Andy Ellis] Because the second one violates Title 18. I’ve got the employee in the middle of doing economic espionage and this is fantastic.
[David Spark] It’s not saying it’s an employee. It’s a malicious insider. We don’t know yet.
[Andy Ellis] Who else is an insider?
[David Spark] I don’t know. It could be a contractor too; it wouldn’t be an employee.
[Andy Ellis] That counts as an employee. If somebody who is bound by confidentiality agreements and the Trade Secrets Act who has violated that like this.
[David Spark] Yeah, but you don’t know who this person is. You just know it’s happening.
[Andy Ellis] Oh. If it went to my competitors and my competitors have the data, this is easy because I have the best investigative arm on the planet. It’s called the FBI. Like I just sic the FBI on them, I don’t have to deal with this problem anymore, and at some point somebody goes to jail. Sorry, I’ve actually had somebody go to jail who was an employee for leaking inside information.
[David Spark] Really?
[Andy Ellis] It’s annoying. The worst part about it is how long it takes because they get distracted because all of a sudden the US Attorney’s busy doing something else and this case might linger for four years.
[David Spark] How long did your case last?
[Andy Ellis] Mine was four years while the person still worked for us.
[David Spark] [Laughter]
[Andy Ellis] You can go read it. It reads like a really, really bad ’80s spy movie. The person thought they were leaking information to a foreign government and he had a handler who was really an FBI agent having him do dead drops all around the city of Boston.
[David Spark] Really?
[Andy Ellis] Yes. We just wanted it over with, that was the annoying part of it. But I’m going to go with I think that the first one is therefore just worse. Normally I would not go with, “Oh, yeah. One of my executives gets spear phished.” I assume that’s going to happen from time to time but I have recourse for this other one, so I’m going to go with the spear phishing is worse today.
[David Spark] All right. Janet, you’ve been nodding your head a lot. I’m fearing that you’re going to agree with Andy. Is that the case?
[Janet Heins] I do. I agree with Andy. Yeah.
[Andy Ellis] Yes!
[Janet Heins] I was going back and forth a little bit but Andy sold me.
[David Spark] Now, do you have any other rationale for why you think the first one’s worse?
[Janet Heins] Well, I think there’s a reputational thing involved, right? That if that gets out, that top executives at the company had something bad happen to them, I think that’s a problem. And then depending, of course, on what confidential data is stolen that execs have access to, it could be pretty significant, right?
It could be financial, it could have to do with your operations, it could be a regulatory issue, right? There’s just all those things that the board worries about. We talked about risk earlier, right? Financials, operations, reputation, and not breaking the law.
[David Spark] Well, let me ask you this and I don’t know legals, but what if this leaked information to competitors is going overseas where FBI wouldn’t have jurisdiction or you just don’t have control? Yes, you can get that person in jail, but that information’s still going out to the competitor overseas.
[Andy Ellis] It depends on who the overseas competitor is, in which country they are, and what sort of [Inaudible 00:23:27] we have. The one reason why the insider might be worse than the spear phishing of the executive is if I have an executive who got spear phished and we were harmed as a result of it, I have the attention of the entire executive room, right?
[David Spark] Mm-hmm.
[Andy Ellis] So if I want to make improvements to the security program, I’ve got a crisis that is just heat up the iron and it is time to strike, right? I had an internal employee leak information, nobody’s going to learn from that and say, “Here’s what we should do better,” other than yell at the CISO because they couldn’t protect against an employee deciding to do a bad thing.
[David Spark] I mean, all that’s good but I was just saying that if it does go out of your jurisdiction or out of the FBI’s jurisdiction.
[Andy Ellis] Oh, I assume you’ve lost the data either way.
[David Spark] It could competitively, like you’re talking about burnt, but if a competitor gets the information and creates something that’s competitive to you, it could be direct loss of business.
[Andy Ellis] It could but that’s really, really rare in short-run scenarios. I think most companies who are at risk of that are functionally giving away a lot of that proprietary information directly to the competitors anyway when they’re doing offshoring.
Can this be measured?
24:37.628
[David Spark] Andy, I saw yet another list of top 50 CISOs, for which I know you’ve appeared on many, yes? You appeared on a few top CISO lists, yes?
[Andy Ellis] I have. Sometimes I knew about before it happened but rarely.
[David Spark] All right. At this point, I’m not creating any top 50 CISO awards. I can’t, and I honestly don’t know how anyone can. Now I will say that I have created these lists of top security leaders to follow, and being brutally honest they’re all designed to just pump up the publisher’s credibility, that’s why I did it.
Now, how would I know if someone is a good CISO? I don’t know if you are a good CISO or any of my co-hosts are good CISOs. All I know is you’re good on the microphone. That I can give you credit for. So I could create a list of top 50 CISOs on the microphone because I’ve had a lot of good CISOs on the microphone.
[Andy Ellis] That’s a great list.
[David Spark] By the way, Janet is also a good CISO on the microphone as well. But I’m going to start with you, Andy. If you were going to create a list of top 50 CISOs, what possible criteria could you use? Like what insight could you say, “All right, this person is a good CISO”?
[Andy Ellis] So, if I’m creating a list not just for the credibility boost, which let’s assert that’s mostly the reason people, like if I said I have to pick the top 50 CISOs. Ew. That’s a really hard one. What I might actually is I might do something like the clean-up CISOs. I want the top 50 CISOs who came into an organization that we all knew was a problem and nothing happened.
They cleaned up a mess, they did their job, and it was boring. And we need to embrace and celebrate the heroism of people who can make boring happen.
[David Spark] Mm-hmm.
[Andy Ellis] So, I want the top 50 CISOs who made boring real.
[David Spark] And this is the one thing that is kind of publicly visible because you just don’t hear about it again.
[Andy Ellis] Right. That would be embarrassing if you published a list and the next day you find out one of them got breached, but that’s always the risk.
[David Spark] All right. I throw this to you, Janet. Janet, what criteria could you use to determine a list of 50 great CISOs?
[Janet Heins] Well, if I had the information, which I don’t, and I don’t think we ever could get it, I would look at their ability to mature the organization. So taking it from a lower level of maturity to a higher level of maturity and the time it took them and their ability to get funding to do it, right?
And there’s a lot of things in there, for sure, but that would probably be my first.
[David Spark] So, actually, I mean, you make a good point at the beginning, like I don’t know I’d get this. But there’s certain kind of information in private channels you could get, while you wouldn’t publicly say that, I’m assuming you’re on Slack groups with other CISOs that you find out about or you ask them questions about maturing security programs, so you kind of have an idea of how other people are maturing their programs.
Yes? No?
[Janet Heins] The CISOs that I’m networked with that I stay in contact with, for sure. Without giving away anything, we talk about approaches and the fun of trying to get funding and that kind of thing.
[David Spark] This also goes to my concern of most of that’s pretty proprietary. What on the outside, like what Andy mentioned, could you figure out? I mean, I get a sense from your answer that you could get part of the way there.
[Janet Heins] Yeah, I think so.
[David Spark] Is there anything public that you think could help you determine a good CISO?
[Janet Heins] I mean, staying out of the news or being boring is definitely an indicator but it can change at any moment.
[Andy Ellis] Right. It could just be luck.
[Janet Heins] It could just be luck; it could be an industry that the threat actors aren’t targeting right now so it’s all quiet. There’s just so many trends and waves and different things. I think another thing might be where the CISO reports, which would be a little bit more accessible.
[David Spark] So why would that be valuable information?
[Janet Heins] It would show – now again, it might not be the CISO’s doing, but it might be the CISO’s doing, right? To get into a reporting structure that is outside of IT that is more aligned to a risk organization and the company more aligned to the C-suite. I mean, we all have our CNR [Phonetic 00:28:48] title and very few of us are sitting at that level.
Attention CISOs, your expert opinion is needed!
28:51.856
[David Spark] You need to spend $500,000 in one week. Sounds like a dream for a cybersecurity professional, but not easy, said one redditor on the cybersecurity subreddit asking for help from the community. This person has a one-time funding for a state government agency that supports multiple offices.
So they could do something that supports each office, and given the number of offices, you’re looking about 5 to 10K apiece, or something indirect like giving to his staff that would benefit them, the agency, and in turn the offices they support. Some of the suggestions that were in the thread were training, paying for a cyber range, pentesting, tools for his team to make their life easier, and similarly low code automation to make everyone’s life easier.
So, I’ll ask you, Janet. Do you like that list? And if not, tell me essentially what would you spend your $500K given the constraints that I spelled out?
[Janet Heins] My first choice would be to give the 50 top CISOs a great vacation because they probably deserve it.
[Laughter]
[David Spark] Well, I think you’re probably going to blow all the money right there.
[Janet Heins] Yeah, exactly. But seriously, I would look downstream from what… So, information security causes other teams work. I hear it all the time, I’ve heard it in every CISO role I’ve been in, right? There’s this downstream effect. We discover vulnerabilities, we don’t like the way you’re coding, whatever the case may be, that these other teams have to or should respond to, right?
And so hopefully, as we talked about further on down years away it’ll just happen naturally. There won’t be this legacy work that we have to do. I would invest it there for the roles needed to get those security vulnerabilities fixed because the teams that are running those areas, whether it’s the network team or the app development teams or whatever, pick one, they’re strapped and they’re not focused on security.
That might not get you too far, 500,000, but it would be a start to see if it really can be a game changer.
[David Spark] And so are you looking at staff to do this? Are you spending the money on the staff?
[Janet Heins] Yes. Just not necessarily reporting in to the CISO.
[David Spark] Okay.
[Janet Heins] But focused on security in those different technical functional areas.
[David Spark] All right, I throw this one to you, Andy. What are you going to spend the $500K on?
[Andy Ellis] Well, I could go with the flippant answer and say that would buy an awful lot of copies of 1% Leadership for people who might need that training, but I went and looked at the redditor and they had added the constraint that they had to spend it through existing contracts.
[David Spark] Yeah, yeah, yeah.
[Andy Ellis] But this is one of those things that’s really fascinating is they don’t have that much flexibility. And at a moment like this, what I would actually do is basically I’d treat the money like a wash, I don’t care how it gets spent. What I care about is that I get all of my team engaged across those offices.
And so I would go to my team and I’d say, “Look, we have this money to spend and I want each person to nominate a way to spend the money that doesn’t benefit you. It benefits somebody else, a different function on this team.”
[Janet Heins] That might take more than a week.
[David Spark] [Laughter]
[Andy Ellis] That’s okay. I’d tell them, “If by the end of the week we don’t have an answer, I’m just going to spend the money on one cruise for one CISO.”
[Laughter]
[Andy Ellis] And they can, “Oops.” But what’s fascinating is then you get people, and yes, there will be some lobbying, but odds are there’s a team that is the most broken team that everybody’s been covering for because they don’t have enough people or the right tools, and everybody’s going to be like, “Oh, my God.
If this team just had a better ticketing system, all of our lives would be better.” Great, okay. My team just voted. More importantly, they’re now engaged in making this successful. Because the problem with this one-time $500K drop is if I take it and I buy something, everybody’s going to resent me because they’re like, “Why couldn’t you have done this for raises or bought more people?” like Janet suggested, “Instead you gave us yet another tool from one of the vendors we already hate.” And now what should have been this positive is a negative.
So get your whole team’s buy-in on what you’re spending the money on and the easiest way to do that is let them pick.
[David Spark] And threaten them that it’s going to be spent on a vacation for you. I think that’s a good idea.
[Andy Ellis] I mean, you make that as a joke, but you actually say, “Here’s the constraints. I’ve got to spend this by Friday so I’m going to start making a plan. If y’all come up with a better plan and here’s the way I want it structured getting your input.” That’s how I would do it.
[David Spark] Janet, any follow-up? I mean, this is actually something that, Andy, I’ve quoted you on also about when you come in as a new CISO just ask people what’s the annoying thing that’s still around that you’d like to get rid of.
[Andy Ellis] Yep.
[David Spark] And this is kind of a version of that answer that you’ve given before. Have you sort of gotten that kind of feedback from your staff, Janet?
[Janet Heins] Yeah, coming in as a new CISO in the roles that I’ve had, there’s always something noisy, right? There’s always something that no one’s ever able to get rid of. I mean, I like that approach, I think that would be very impactful.
[David Spark] Have you ever been able to get rid of something noisy? Because my feeling is if there’s this thing that’s been sticking around for too long and you come in and you solve an irritation that’s been lingering, you’re kind of seen as a hero, yes? I mean, have you had one of those opportunities before?
[Janet Heins] I have and I’ve gotten feedback that no one’s ever been able to do this before. And I go back to being able to explain in words that everyone understands why it’s important to get rid of this noisy thing.
Closing
34:33.532
[David Spark] Well, that brings us to the very end of the show. Janet, thank you so much. Thank you, Andy. Huge thanks to our sponsor LimaCharlie. Remember – dealing with integration challenges and security gaps for more effective protection against today’s threats. Huge thanks to them for sponsoring us.
Remember their website – limacharlie.io. Janet, I’ll let you have the very last word here but Andy, for those of you who don’t know, he has this book called 1% Leadership. He has mentioned it a few times. I have now read it. If you would like to see my review, just go to amazon.com, 1% Leadership. You can buy it immediately, or if you don’t trust that, watch my review and then buy it.
Simple as that. Anything else to add, Andy?
[Andy Ellis] I think that’s the best review I could hope for.
[David Spark] Mm-hmm. I would delete all the other reviews.
[Andy Ellis] Well, it’s good to have things that you can stand above.
[David Spark] Ah, good point. Thank you, Andy. Janet, are you hiring over at iHeartMedia?
[Janet Heins] Not at the moment, but thanks for asking.
[David Spark] Okay. Well, that’s a good situation to have. Kudos to filling out your team.
[Janet Heins] Not easy but yeah.
[David Spark] Any other last plugs you would like to make?
[Janet Heins] Well, speaking of hiring, I would like to ask everyone out there who is hiring to think about however you identify, whether you’re a man or a woman, just to think about, look at your teams and look at the diversity of your teams and consider building diverse candidate slates which will ultimately end in bringing in more diversity to security.
I go to events all the time, and me and the other woman there look around and go, “Well, there’s no line in the ladies’ room.”
[David Spark] There’s got to be some benefit there.
[Janet Heins] Right, exactly.
[David Spark] We are all well aware of this very issue, but I’m sure it sticks far more to you than it does to us because I am, as the white middle-aged male, I am part of the crowd, if you will.
[Janet Heins] Yes.
[Andy Ellis] I went to a Taylor Swift concert a couple weeks ago so I understand exactly what that’s like.
[Janet Heins] No line in the men’s room.
[Andy Ellis] No, there was a line in the men’s room because the ladies had taken that over as well.
[Janet Heins] Yes. Well deserved, as it should be. I mean, I’m very supportive of the groups that are out there for women that support women, but I think that we need men supporting women as well. I look at it this way – if there’s only, I don’t know, let’s pick a number, 20% of the people in security are women, what if we could get the other 80% to help us?
It would be great. Think of the momentum we would have in closing that gap.
[David Spark] Very good point. Thank you very much, Janet. Thank you very much, Andy. And thank you to our audience as well. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.