The relationship between a CIO and CISO can be fraught. Often this stems from the reporting structure of an organization, with CISOs reporting directly to the CIO. So how can CISOs help navigate what can be a frustrating relationship? And how is that relationship changing as organizations continue to embrace SaaS rather than more traditional IT?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Ty Sbano, CISO, Vercel.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, BackSlash

Full Transcript
Intro
0:00.000
[Voiceover] Biggest mistake I ever made in security. Go!
[Ty Sbano] One of the biggest mistakes was I was the head of security…first time head of security at a small company called Periscope Data, and I was running IT, trying to get permissions set up for a single user account for a test suite. Accidentally I disabled the entire G Suite for the entire company.
As a result, someone right next to me said, “Ty, is there something wrong?” And immediately I saw our CEO walking towards my desk saying, “Dude, what just happened?” And I’m like, “I’ve just reverted everything, but I’ve tendered my resignation.” The look of disgust on his face and the panic that ensued, I had to immediately say, “I’m only joking, but I apologize for disabling G Suite right now.”
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series. And my cohost for this episode, it’s Andy Ellis, the operating partner over at YL Ventures. He’s pointing to himself, giving himself the thumbs up. Andy, say hello to the audience.
[Andy Ellis] Good morning, folks. Or depending on when you are in the world, good afternoon, good evening, or good night, or apparently sleep well if you happen to be listening to this while you’re asleep.
[David Spark] Yes. I want to know… This has become your official sign on for this show. I want to know from the audience, do you like it, or are you annoyed by it? Let’s hear. Let’s hear what they have to say.
[Andy Ellis] And I want to know if you like it. If you’re annoyed by it, well, you’re going to have to live with it for a while.
[David Spark] [Laughs] So, our audience’s opinion does not matter?
[Andy Ellis] Not on this one. No, this is my style thing.
[David Spark] I’m asking for their opinion.
[Andy Ellis] They’re asking for their opinion. I’m telling you, this is my style. I’m going to live with it.
[David Spark] Well, my editor can always pull it out. I can always say…
[Andy Ellis] That’s a fair point. Except I keep bribing your editor.
[David Spark] I don’t think they’re getting any of those bribes. They’re not making it through. I’ll tell you that much. All right, our sponsor for today’s episode is BackSlash, the most accurate code analysis and open source analysis for efficient and compliant AppSec teams. That is BackSlash. They are our sponsor, and you’ll hear more about them later in the show.
All right, Andy, before we jump into this, we started… Actually it’s something we launched. We hadn’t tested it. But now I’m kind of going in both feet. I don’t really fully know how to use it. I’m fearful that not enough CISOs are going to be in it. I’m hoping they will. And now I realize you’re doing the same thing as me.
And the answer is we have a Discord presence, and you do as well, yes?
[Andy Ellis] Yes, I do. I have one for leadership focused community for people who want to develop their leadership at any level of their career, beginning to end.
[David Spark] So, everyone is welcome?
[Andy Ellis] Everyone is welcome. Come find me if you would like an invitation. It’s semi invite only at the moment because I just don’t want every CISO Series listener to show up simultaneously and overwhelm it. But if you reach out and say, “Hey, Andy, I want an invite,” I’ll send you one.
[David Spark] Well, we have…the Discord button for ours is on the…where you see the subscribe on the ciso-dev.davidspark.dcgws.com, on the right. It is… By the time of this recording, you will see a little button for Discord, and you can subscribe.
[Andy Ellis] I was just looking for it. I can’t find it to click.
[David Spark] It’s not there now.
[Andy Ellis] Oh.
[David Spark] But it will be there definitely by the time of this recording.
[Andy Ellis] So, just so you folks know, you might join it before I do. That’s how much David values your opinion over mine.
[David Spark] Yeah, I do actually. Yeah. I value their opinion. Because many of those people listening comprise our audience.
[Andy Ellis] Yes.
[David Spark] Which gives our audience numbers that we then show to our sponsors.
[Andy Ellis] Right. And we all know that I don’t actually listen to the podcast.
[David Spark] You don’t listen to the show. As was evidenced once when we did a live show, and I was playing the musical bumpers during the live show. Because we don’t play them actually, audience, when we do our recording. And Andy goes, “Oh, that’s how it sounds like.” And I looked at you like, “You’ve never heard the show.” So, now we know.
Let’s bring on our guest. Enough of this discussion about Discord. It’s a return guest. He’s been on multiple shows and thrilled to have him back on again. It’s none other than the CISO of Vercel, Ty Sbano. Ty, thank you so much for joining us.
[Ty Sbano] Thanks for having me back. Really excited to join you on another adventure here at the CISO Series Podcast.
Okay, what’s the risk?
4:22.677
[David Spark] How do CISOs integrate employee discontent into their insider risk management strategy? There are a lot of technical tools to look at employee behavior, but Christopher Burgess in a piece for CISO Online made the argument that we need to be addressing the root cause more systematically.
Of course, we’ve seen research for years that non-malicious insider threats cause the most incidents. Does promoting a positive company culture both for security and overall help address both of these issues, the malicious and the non-malicious, or does employee discontent fall outside of the CISO purview?
Maybe that’s an HR issue. Andy, I ask you. What do you think here?
[Andy Ellis] So, if you’re a CISO, first of all, take the I-S out, and you have C and O. You are a chief officer, which means you’re an executive of the company. So, you have to care about how your employees perceive the company because you’re part of the executive management of the business. You cannot separate that and say, “Oh, I just care about information security.” You should care.
And, look, when I lecture people about leadership and I go do keynotes all over the world…
[David Spark] He has a book about it, too.
[Andy Ellis] And I have a book about it. I start by saying most leadership is about destroying value in your companies, and one of the biggest ways you destroy value is you burn out your employees. You make them feel excluded, and you cease to inspire them. Those are the first three ways that you just mess it all up, so you should care.
Now, from a security perspective, just wearing that hat because that’s sort of where the question was, I would tell you that keeping your employees happy and treating them as decent human beings so that they don’t screw you over is part of your job.
I can recall doing a RIF in which the HR person in charge of the RIF and the corporate security person in charge of physical security had decided without me in the room that they would RIF employees, give them one week of access to technical assets but lock them out of the building immediately. And I was like, “Are you effing kidding me?
There is no way you’re going to lock someone out of the building and then give them access.” I have no problem with a dignified reduction in force where you tell people and you give them a week to transition, and they have access to get whatever is theirs. You’re not going to get a lot of people screwing you over when you do that.
And the ones that would screw you over probably already screwed you over, you just don’t know about it. But you cannot create a discontent problem and then pretend you haven’t created the security hazard right there.
[David Spark] That is a good example right there. All right, I throw this one to you, Ty. So, let’s talk about the keeping everybody happy so they don’t turn into a malicious employee.
[Ty Sbano] Company culture is critical. And when you think of the employee experience, I think Andy hit it well. Not only are you an officer, but as a person that’s caring about the wellness factor for the business to become resilient, I think you have to understand the human element. And so our jobs as CISO is to secure the human element and the data.
But for me, I think having empathy for how well is the business doing… Because I’ve been in organizations where stock price is up, everyone is buzzing, things are cooking. Stock price is down, things are slowly crawling to a stop. People are feeling terrible. You see the impact of the emotional EQ for individuals.
So, as you look at individuals, and teams, and groups, and leaders, I think it’s critical as a CISO to understand where are the faults in the business. And these are the fault tolerances, not the fault of someone making mistakes or treating someone poorly. Maybe it is. But I’ve always looked at engagement survey results as a treasure trove of data.
But what I end up doing as a CISO is because we have visibility across the entire org, well, I also look at how quickly people get offboarded. Is there a leader that is going through constant transition and turmoil? What is the root cause of that? So, even some of the offboarding surveys become another area of intelligence gathering as well.
And so I’m aligned with Andy here. And I think as an officer, especially one that is grounded in integrity, I often find myself that people come to me with the whisper net, or the sneaker net, or just the old school, “I’m sending you the email because I do not trust X person. What should I do?”
And then you set up a chat, and you talk them through what is the proper protocol. And I think that’s part of our job, to ensure that integrity is at an all-time high. But employee engagement and experience, sometimes you’re riding those challenging waves, and I think it’s important for you to be the level setter.
So, to Andy’s description of choosing to do a RIF, I’ve been there many times where I go, “We could do this RIF. We can do it that way.” And sometimes we do. It’s never good or fun. But paying people the respect that they deserve, especially if they’ve been respectful and really good at their job… And maybe they just had an off quarter.
Maybe they just had a life event. We don’t know all these things. And I think the element there is trying not to create more turmoil. Because if you do one more person wrong you might actually burn out some of your best people at the same time because they’ll look at that as an example of, “This company doesn’t care about people.” And we often forget companies…the legal entity does not care about you.
It’s people who care about people.
Pay attention. It’s security awareness training time.
9:44.602
[David Spark] How should we respond when staff members have a lapse in security policy? The cyber security subreddit pointed to a tradition used by French companies where those forgetting to lock their screen will suddenly receive an email about bringing croissants for next week. Others pointed to traditions of changing computer backgrounds, changing monitor orientation, or scheduling a party at their cubicle.
These all sound relatively innocuous, but doesn’t this still come down to shaming in an attempt to raise security awareness? How is this different than naming those who fail a phishing test? I’m going to start with you, Ty, on this one.
[Ty Sbano] I equate them a little differently. I think phishing is one of those things that we’ve looked at. And from a metrics standpoint, I know folks want to prove that phishing equates to better awareness. I don’t believe that to be true. I think it’s a falsehood. I’m actually against the whole idea of phishing simulations.
[David Spark] By the way, Andy is cheering that. And just so you know, our other cohost, Mike Johnson, very against them as well. Go on.
[Ty Sbano] I would love to maybe make this a push. Let’s just stop the podcast now and talk about this. No. I think phishing tests are just radically different than, say, human behavior. So, I think these are all coachable moments. I think phishing tests can be, and you can simulate the coaching. But people locking the screens is so tangible.
And as someone that runs facilities for a company called Vercel right now, I also make it my business to express that five of these unlocked systems during our SOC 2 audit equates to a failure. And so as a salesperson or as a leader, it doesn’t matter what their role is. These are all coachable moments.
Now, if you ask them to buy croissants, that’s one thing.
My experience at a bank… Someone said, “I like Barbies and Cheetos,” and they sent it to the entire security team. Lesson learned. I’ll never forget. I’ve also done it to my own team where we take photos, and we place it as their background. What’s funny is sometimes they just keep it there, and it backfires on us because we made funny faces.
And so I think when you look at these types of controls, those human behaviors, for me, it’s a conversation. And sometimes it’s I leave a note, and I lock their screen. And they come back, and they go, “Oh, no. I just did it yesterday.” It’s a friendly reminder to lock your screen when you’re walking away, unattended, in any location.
“Do not rely on the software to do this for you. Your friendly CISO, Ty.”
[David Spark] All right. Andy, I throw this to you.
[Andy Ellis] So, I’m somewhat where Ty is, and I’ve evolved over my time. And entertainingly, I literally have this example in my book. I often get to say, “Oh, my book addresses this.” In this case, I literally have two paragraphs on this in my book. It’s on page 164, for those of you following along.
[David Spark] By the way, the book is called “1% Leadership,” for those of you listening.
[Andy Ellis] And the chapter is actually one of the chapter titles I wish I could take back and change it because I want to say that culture is a garden of the flowers that you celebrate and the weeds that you tolerate. And this is a practice that is both a flower and a weed, and so you have to be very, very careful.
When you start pranking your employees… Like let’s say the three of us start a company, and we’ve got this company. We’re doing whatever it is. Ty goes out to lunch. Ty leaves his screen unlocked, so I then walk over and send mail to all of us which says, “Hey, champagne is on me after the next all hands.” Great.
That’s fine. Because the three of us have a tight knit culture. We know each other. Ty kind of knows it’s in jest.
But now let’s imagine that we just hired someone brand new into the team, and they’ve started, and they leave themselves on screen saved. And they haven’t even met you yet, David. And I walk over, and I send the same message from them. That’s a very different experience they’re going to have. They now do not trust me.
They don’t trust this entire environment. It becomes a very different model. So, culture is very different in small tight knit organizations from growing ones, and so you have to take into account who your organization is.
We used to do that when I was at Akamai in the early days. Oh, absolutely. We would say, “I’m buying coffee for my team.” You’d send out whatever it was. And after a while, we realized that we were too big to continue doing that at scale, so somebody in my team created little business cards that said, “The info sec fairy was here.
You left your screen unlocked. Rather than sending out messages or whatever, we just wanted to remind you to lock your screen, and we locked it for you.” And we would leave that on their keyboard. And I don’t know that it had a massively different effect, but it changed our relationship and who we were that we were no longer the draconian people coming by and doing hazing.
Sponsor – BackSlash Security
14:26.290
[David Spark] Before I go on any further, I do want to tell you about our brand new sponsor, and that is BackSlash Security. So, imagine if your car’s check engine blinked for every possible issue. Low tire pressure, a smudge on the windshield, or even just a little dust on the dashboard. You’d be overwhelmed, right?
But at least with a traditional car, you probably know how to handle most of those issues. Now, imagine that car is electric with a whole new tech stack under the hood. Suddenly the complexity skyrockets, and those alerts become even more confusing. That’s exactly what’s happening with application security in today’s cloud native world.
Traditional tools are designed to check every potential vulnerability in your code and third party libraries.
They often flood you with alerts, many of which are false positives that don’t actually affect your app. BackSlash Security simplifies your AppSec and gives you clear visibility into real risks. Filtering out the noise. Now, their advanced technology deeply understands application code flows in all their dimensions.
This enables them to introduce cutting edge features to the traditional tools such as reachability analysis, phantom package detection, and most importantly package upgrade simulation along with AI powered remediation. Now, with BackSlash, your security teams can zero in on real threats, and your dev teams get the insights they need to fix issues quickly and efficiently.
You got to go check them out. So, just go to their website. It’s backslash.security. Couldn’t be any simpler. Go check them out now.
It’s time to play, “What’s worse?”
16:23.167
[David Spark] Ty, I know you’re familiar with this game. We actually recently found out that three-quarters of everybody agrees with what Andy says here. I like it when people disagree. No pressure.
[Ty Sbano] I disagree. I disagree vehemently.
[Laughter]
[David Spark] Disagree.
[Andy Ellis] I actually look at it as it’s not me against you, it’s actually me against whoever put together the question. Because 75% means that a large chunk of questions, about 50% of them, only had one answer. And so people agreed with me. And 50% either answer would have worked, and so 25% agreed with me, 25% did not.
[David Spark] Yeah, they’re a lot… And this happens often, I know, with Mike Johnson. When he plays this game, he goes…he says, “They both stink.” He goes, “I’m just going to go with one and argue it.” And that was his attitude.
[Andy Ellis] Yeah, so that’s the way we should look at it is that you should take whatever the number is and double whatever the disagreement rate is, and that’s the success rate of getting to a hard question.
[Ty Sbano] I’m going on record, I disagree with this math.
[Andy Ellis] Excellent. Okay, good.
[Laughter]
[David Spark] All right, here we go. This comes from Nir Rothenberg, who is the CISO over at Rapyd. Andy answers first here. Scenario number one, your GRC manager goes to ChatGPT for every compliance question that needs to be answered. That’s scenario number one.
[Andy Ellis] Okay.
[David Spark] Scenario number two, your GRC manager talks to a big four partner for every compliance question he needs to answer. Which one is worse?
[Andy Ellis] Oh, that’s easy. The second one is worse because you’re getting the same quality of answer out of both of them. The second one costs you a heck of a lot more money.
[David Spark] Okay. All right. So, because it’s just going to cost.
[Andy Ellis] It’s going to cost more money. Both cases… The reason for that is if you go talk to a big four partner to get an answer about your business, you’re getting the stock answer from the big four playbook. That stock answer that ChatGPT already has, it’s just as irrelevant to your business in whichever one you’re getting it from.
But one of them is more expensive for you to keep spending money with.
[David Spark] All right, that’s a good point. All right. Do you agree or disagree, Ty?
[Ty Sbano] They’re both bad. The first one is they’re using ChatGPT for all their answers. Maybe they’re getting a knowledge check, or maybe they’re training a ChatGPT model. I’m giving them a little bit of space.
[David Spark] Hold on. I just want to throw something out back at Andy. I forgot to say you’re saying the second one is worse because it’s bad, but who’s to say that ChatGPT is going to be right? It could be far more costly.
[Andy Ellis] If you’re asking a generic compliance question…
[David Spark] It doesn’t say anything about generic. Just all compliance questions.
[Andy Ellis] Yeah. No, no. But if you… But the answer you get from your big four firm is just as bad as what you’re going to get from ChatGPT. ChatGPT is really good if you ask it basic knowledge questions, which GRC questions often are.
[David Spark] And they are good at screwing things up, too. I go back to you, Ty. Sorry to cut you off. I had to argue with Andy there.
[Ty Sbano] So, the first one is particularly bad because you have someone that is inherently hopefully trending a paid model that is on contract. We didn’t specify free version of ChatGPT or actual paid.
[David Spark] Assume free version.
[Andy Ellis] I assumed the five dollar a month version. That’s reasonable.
[Ty Sbano] These matter to me. And so I think it’s important to recognize are they using free tools or paid tools and honoring vendor due diligence as well. So, that’s one. Same thing goes for the second one, so the big four. But for me, if I’m their manager or their boss and I see this behavior, I’m going, “Aren’t you a knowledge worker?
And are we using ChatGPT to train it so that you can go do other interesting things, or do you not have these answers?” And if they don’t have the answers then they have to go to the big four or ChatGPT. Maybe I just put together a quiz to see if they have some of the basic answers. And if they can’t do that in real time…
[David Spark] Well, this is solving the overall problem, which you can’t do that…
[Crosstalk 00:20:23]
[Andy Ellis] Which we’re not allowed to do. I’m with you.
[Crosstalk 00:20:27]
[Andy Ellis] …the right thing is go get somebody who doesn’t need to ask either of these…
[Crosstalk 00:20:32]
[David Spark] [Laughs]
[Ty Sbano] Yeah, that’s better.
[Andy Ellis] But that’s not the game.
[Ty Sbano] That is not my GRC manager. I will just…
[Crosstalk 00:20:35]
[David Spark] All right, so I don’t know. Which one are you landing on here, Ty?
[Ty Sbano] I think I’m with Andy.
[Andy Ellis] Even primed.
[Ty Sbano] Yeah, even going to the enterprise big four each time, there’s a roundtrip. It’s so inefficiently slow, as opposed to ChatGPT. At least we’ll have an answer in real time for business to keep moving.
[David Spark] But don’t they back up their advice?
[Andy Ellis] Oh.
[David Spark] [Laughs]
[Andy Ellis] Only when they’re making an attestation are they going to back up that conversation. And you’re talking to a partner. First of all, you’re talking to the partner who’s really expensive, not one of the people who work for them. And so you’re telling the partner that you have no idea what’s going on here.
Sure, they have some weird financial incentive to not screw you over with it, but, man, they’re going to hold you over the barrel at some point.
[David Spark] I fear that the compliance question that’s being answered by ChatGPT could be completely wrong and put you in huge regulatory and legal trouble.
[Andy Ellis] So, my experience with ChatGPT… Because I do use it very, very heavily. I practice with it.
[David Spark] But let’s just say 1 out of…let’s say 1 out of 50 times it’s wrong. That could be super costly.
[Andy Ellis] My basic experience is if you ask it a common knowledge question that does not need details it actually will give you… Look, so many people have written about GRC in the public that it gives you the stock answer of, “This is what the GRC industry thinks.” Now, if you ask it to like… “What is the reference for that?” it’s going to totally lie to you.
It hallucinates on specifics. It does not actually hallucinate badly on generics in well publicized errant fields.
[Ty Sbano] And the more you train it, the better it’s going to get. So, the actual training of the model by the individual… Because they’re doing it every time.
[Andy Ellis] Right.
[Ty Sbano] So, we don’t know the frequency of the cadence. But the fact is they are tuning that response so it will get better. And so for me, I’m going, well, what’s worse is you’re relying on manual processes, versus we’re actually going to automate this knowledge share for the future so that this person can work on something more value add.
[Andy Ellis] Yeah.
[Ty Sbano] I go, “That’s better.”
[Andy Ellis] Right. And maybe I can just replace this person with a Slack bot that connects to ChatGPT.
[Ty Sbano] And if they only use ChatGPT, we’ve already replaced them.
[Andy Ellis] Right.
[Ty Sbano] That’s the thing is if that’s the value add is that they prompt ChatGPT…
[David Spark] Then you don’t need to hire a compliance manager. You can hire an assistant to type in requests.
[Ty Sbano] You don’t need an assistant. You need a microphone.
[David Spark] Or you can just dictate it. Yeah, that’s a good point.
Hey, you’re a CISO. What’s your take on this?
23:01.314
[David Spark] We’ve been hearing about the need to build dev ops culture in cyber security for years or maybe security into dev ops culture. One or the other. But, heck, we’ve been trying to make DevSecOps a thing, a term Mike Johnson is not a fan of. But this isn’t as simple as rolling out static and dynamic application security testing tools.
As Santosh Kamane pointed out in a piece on LinkedIn, this requires a cultural shift to offer software controls designed to have minimum productivity impact on developers. Align those at the C-level on building secure and resilient products across their entire production pipeline, improving change management program, and defining fixed responsibilities around code reviews, credentials, configuration management, and so on.
I will start with you, Andy. In your own experience, what are the stumbling blocks for embracing DevSecOps or dev ops with security as it should be, and where have we made progress? Because, again, this is not the first time we’ve brought this up. This has come up again and again. So, maybe… I’m going to lean on the where have we made progress?
[Andy Ellis] Oh, I want to start with the fact that we fundamentally have missed progress on the most important thing, which is the greatest lie that dev ops ever told us was that security was responsible for security in the development pipeline. No. Let’s talk patch management. You have developers whose job is to upgrade software, whose job is to write new features into software, whose job is to build compatibility into software.
And when their third party software vendor says, “By the way, you need to fix this thing,” which is patch, upgrade, or do integration, all of a sudden it becomes security’s responsibility to make sure that thing happens. That is complete and utter bovine excrement. And we need to stop accepting that that is a security function.
That is a dev ops function. Our job is to make sure that the dev ops folks are doing their job.
We should not care about individual vulnerabilities that are not incident class. We should care about do they have an SLA, yes or no. If they don’t have an SLA, boom. We’re done. We should just report this is a team that does not care to report whether or not it fixes anything. If they have an SLA, what is it, and how often do they meet it?
Like 85% on your SLA seems totally fine to me. If they can hit that, great. That’s the extent of our job. Do you have a process to do the operations of development and security is part of that? We’re a consultant that can help you get better… And I do see more and more security teams focused on that.
Like, “Oh, there are application security testing tools that we can buy for you and make available to you, but it’s your responsibility to use them, not ours.”
[David Spark] Ty?
[Ty Sbano] Bovine excrement. I’m still processing that word.
[Andy Ellis] We’re not allowed to say the short version of that because then the editor gets cranky at me because they have to beep me out.
[Ty Sbano] [Laughs] Fair enough.
[David Spark] No. You can feed that into ChatGPT to figure out what bovine excrement is.
[Ty Sbano] Oh, I’m very familiar. I’ve been shoveling it for years. So, for me, I believe if you’re still saying DevSecOps or any iteration of that, you still don’t get it, and that’s the disservice that’s happened here. It’s just dev ops. I came to this conclusion about ten years ago. I was in this wonderful financial institution, Capital One, and it was very quick and easy to learn this lesson.
Why are we creating additional documentation sites? Why do we think we’re special? Why do we think we have to put the word “secure” in front of the software development life cycle? I’m sorry, y’all. We still don’t get it. And for the folks that have gotten it, they’re just showing up with the teams.
They’re actually showing up to the standups, the huddles, the actual brainstorming and the design thinking sessions to help with a lot of the threat modeling and risk assessments. While I believe in the concepts of security champions, I’ve done it many times, currently at a stage where I go, “Yeah, but the security team should be able to start to build these partnerships with these collaborators.” And to Andy’s point, many of the not full stack engineers…many of the talented engineers that have to care less and less about infra should be enabled to then have these questions and go, “You know what?
This is where I’m going to phone our security friends.”
Because this topic just became a little bit more interesting as opposed to, “Oh, there’s a CVE on this component. We have the latest one. We’ve tested it works. We’ve moved it. Cool. Moving on with our lives.” It’s not a whole conversation. It’s not talking about SLAs. I think that’s the part of the game that we kind of end up in is that security thinks we’re special, and we have to really stop thinking we’re special because we are not.
We’re here to help ensure quality, and control, and compliance. But we are not here to make the company a ton of money. We’re here to avoid the loss of cash, and currency, and efficiency.
[David Spark] So, by the way, these conversations about making developers responsible for security, I remember having these conversations years and years ago. Hearing the two of you, it sounds like it hasn’t stuck with anybody. Is that your feeling?
[Andy Ellis] No, because the problem is we don’t need to make the developers responsible for security. We have to make the development executives responsible for the security outcomes of their organization. The whole model of when you get told as a CISO, “Go work with the engineering managers,” you’ve already lost.
This is not the engineering manager’s problem, it’s the engineering vice president’s problem. Until they say like… And I’ve seen CISOs. I’ve had this conversation where I get told, “Well, what is the SLA that info sec mandates?” And I’m like, “I don’t care.” Like, “You want to sell into this vertical.
I can help you out by doing the industry research to tell you you need to have a 7-day critical, a 30-day medium, and a 90-day low SLA in that industry vertical. Do you want to sell that vertical or not?” They’re like, “Well, are you mandating that?” This is not me. This is you want to sell to that. It’s your responsibility to meet the features that that industry requires if you would like to sell into that industry.
And this is an executive problem, not a developer problem.
Is this partnership feasible?
29:18.437
[David Spark] Do CIOs and CISOs need to have a tense relationship? I mean often their objectives are not in line, but it’s still common practice for a CISO to report to the CIO. Where does this tension come from? CISOs often push for more timely patching on medium-level patches, more robust MFA solutions, and security controls on APIs, as David Gee pointed out in a piece on CIO.com.
I’ll start with you, Ty. What actually makes for a good relationship between those two roles? Have you ever reported to a CIO yourself, or are you currently? And where does it become toxic?
[Ty Sbano] I am not reporting to a CIO. And sadly for this question, I have not worked in my capacity as a CISO where a CIO exists. In fact, I think it’s a natural path for a lot of CISOs to start trendline towards the CIO role because we actually have a natural skillset already that allows for the care and the feeding of all of technology.
So, I think a lot of folks that are CISOs that manage IT start to engage in this area. But I believe we’re on this collision course now where the CIO role is actually more in question than ever because what is the value add versus the engineering team that is delivering on the value and maintaining.
But I think the CIO functionally as part of the CISO role is that odds and ends of someone that’s building and deploying versus someone that’s doing the compliance checks that doesn’t always care about your deadline that you stated and your resources that are hindered due to vacations, holidays. No one gives a crap about that.
That’s the challenge in the natural dichotomy of these relationships. So, I think CISO versus CTO or CISO versus the other…at the end of the day, we are the same team. It’s the company name. And I think that’s the part that you always have to rally behind is that just because my role is to inform and guide does not mean I’m trying to stop or hinder you as an individual.
We are literally the same team and trying to accomplish whatever our company’s mission is together.
[David Spark] All right. Andy, have you been in the situation where you’ve reported to a CIO?
[Andy Ellis] No. I had a peer with the CIO, but I was still one step away from the CEO. We both worked for what we often jokingly called the vice president of miscellaneous who owned like five different very weird and distinct groups. I actually think… And I’m going to be really honest, and I’m going to throw myself and a lot of other people under a bus.
We were never CISOs. If you don’t report to the CEO and you are not in the CEO’s staff meeting, you do not deserve a C in front of your title. And I’m right at the front of that. I had that C in front of my title, and I never reported to the CEO. And a lot of CIOs never reported to the CEO. The big challenge is the CIO and the CISO are basically flip sides of the same coin.
This never should have been two different jobs for a very long time until you get into the product world where you probably need security that’s outside of IT focused on product safety.
But the challenge is that CIOs got focused on the 80/20 rule because the CFOs made them into a cost center and said cut, cut, cut, cut, cut. And so CIOs stopped doing governance. And CISOs started showing up. As security professionals, you said, “Well, if you’re not going to help us build our first website to bring in revenue,” this is 20 years ago, “then I guess I’m going to help the engineering team that’s doing it with security.” And all of a sudden you have this separate function that always should have been an IT function that was doing security advice, security operations, and then at some point security governance.
All that should have been on the CIO. I wrote a piece that’s on CSO Online, sort of the counterpoint to this one, titled “The Death of the CIO.”
[David Spark] Yes, we talked about it in a previous episode.
[Andy Ellis] Right. We talked about this. I think that CIOs are going to be going away over the next 20 years because almost every startup that I know that’s a small business has nobody on the CIO career path, but their head of security is basically already their CIO. And some of them are exploring different options for it, but there’s never going to be space for a CIO in these businesses because they are technology companies.
They don’t need a separate CIO. They’ve already got a head of engineering.
[Ty Sbano] Yeah, I think we’re seeing the trendline towards the chief data officer or your citizen data scientist, but data in itself I think is transforming a lot of businesses and the mantra and the mentality of understanding your data lifecycle or your data model is much more critical than saying, “Look at all of our business systems that are wrangled together with all these WYSIWYG if-this-then automation, and no one actually knows how to manage any of it.
And we’ve got these crazy contracts, but the CFO told me to choke down the price points. So, that’s my job, and that’s what I’m going to do.” CISOs already do that.
[Andy Ellis] Yeah.
[Ty Sbano] And so I don’t know if we’re going to see this iteration, especially the later stage startups, and that’s kind of where I’m at, as often. But I am a confident believer in the CDO, and data literacy is something that we really need to opine much more upon as CISOs because you have these interesting conversations based on risk.
But if no one is showing up with the concept of data or being data driven, of what is the amount of users, how exposed to the internet is this going to be, I think these are facets that are super critical to a lot of our logic driven discussions or risk based discussions.
[Andy Ellis] Yeah. If you’re a CIO or a CISO and you want to preserve your job in the long run from that impending CDO, you should be hiring a reference librarian right now to be your information architect to basically give you the ability to help people manage data. Because just like CIOs ignored security, CIOs and CISOs are basically ignoring data architectures.
Closing
[David Spark] There you go. What a great point to conclude our discussion. Guys, both of you knocked it out of the park today. Thank you so much, Ty and Andy. Andy, as always, thank you. Greatly appreciate it. Please go check out Andy’s Discord channel. Just I think contact you directly through LinkedIn?
[Andy Ellis] Yeah, just contact me on whatever social media platform you can find me on. I’m on most of them.
[David Spark] Yeah, he’s also on Twitter, @csoandy as well.
[Andy Ellis] Yeah.
[David Spark] He still uses that. Or X. I still can’t bring myself around to saying X. Do you? Do you say it like that, Andy?
[Andy Ellis] No. I generally say Twitter.
[David Spark] Yeah. Ty, any last words? Vercel is the company. Want to make a plug for Vercel or anything else for that matter?
[Ty Sbano] Yeah, the main thing I’d like to offer everyone if you haven’t checked out Vercel or if you’re a front end engineer building in the React ecosystem and you use things like Next or Svelte, you should probably avoid the painful path of self-hosting and just choose the easier secure by default path.
[David Spark] And a huge thanks to our sponsor, and that would be BackSlash Security. Remember, you look for them for the most accurate code analysis and open source analysis for efficient and compliant AppSec teams, even when you’re dealing with extremely complicated apps. Go to their website. That’s backslash.security.
Go check them out now. All right, thank you to the audience. We greatly appreciate all your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, our Virtual Meetup, and Cyber Security Headlines Week In Review. This show thrives on your input.
Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.