What Are the Risks of Being a CISO?

In today’s current climate, is the role of the CISO still worth it? It seems like with an increasingly complicated threat and regulatory landscape, the position carries a lot of potential liability. Do the upsides still outweigh the risks?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our guest, Phil Davis, attorney, healthcare cybersecurity and privacy, Hall Render, and a former CISO.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Sonrai Security

Sonrai Security
A one-click solution that removes excessive permissions and unused services, quarantines unused identities, and restricts specific regions within the cloud. Later, maintain this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

Start a free trial today! sonrai.co/ciso

Full Transcript

[David Spark] In today’s climate, is the role of the CISO still worth it? With an increasingly complicated threat and regulatory landscape, the position carries a lot of potential liability. Do the upsides still outweigh the risks?

[Voiceover] You are listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series, and joining me for this episode, talking about the role of the CISO, is an actual CISO and he happens to be your cohost for this episode. You’ve heard him before. You’re going to hear him again. Now, if you don’t want to hear it again, I would highly recommend stopping.

It’s Geoff Belknap. He’s the CSO over at LinkedIn.

[Geoff Belknap] Hey, everybody. I always wonder about these buildups. I’m like, I’m never going to be able to live up to the hype that you build.

[David Spark] That wasn’t much hype. I was more telling people that if they don’t want to listen to your voice, they should stop listening.

[Geoff Belknap] Please, parents, take your children out of the room. Geoff Belknap is about to speak.

[David Spark] Geoff, let me ask you, I wonder, whenever there are those warnings about taking the children out because of the sensitive nature, has anyone stopped and gone, “Alright, children out, parents are going to listen to this only”?

[Geoff Belknap] I assumed that stuff was solely so that the middle schoolers like me at that age were like, “Alright, stop. Everybody pay attention. This is gonna be…”

[David Spark] Exactly. It’s not for the parents to do anything. It’s for the kids to perk up, essentially. Our sponsor for today’s episode is Sonrai Security. The first cloud permissions firewall. Yes. Spanking new from them. More about exactly that. And you’re going to want to hear about this because it’s damn cool.

That is coming up a little bit later in the show, but let’s get to our topic at hand, Geoff.

On the CISO series, we talk a lot about the CISO role, how to become one, how to manage as one, but lately we’ve seen a lot of doubt. We’re seeing more conversations about if someone should want the role in the first place. And as Sean Martin of ITSP Magazine Podcast pointed out on LinkedIn, the role certainly seems to carry a lot more responsibility these days.

That’s become entangled with some very real legal liability that many organizations, and specifically CISOs, haven’t accounted for yet. And by the way, I’ve had conversations with people who’ve become CISOs like, “Well, I didn’t negotiate that.” Yikes. So, is the juice worth an increasingly fraught squeeze?

Now, Geoff, you are a CISO. I’m sure that you have to talk very positively about your role, but I’m sure you’re recognizing this is becoming an increasing problem. Yes?

[Geoff Belknap] It is. And you know what, everybody? We should just give up, take our ball, and go home. It’s not worth it. Now, look, I think the best way to think about this is the way I had a friend of mine relate it to me, who was a general counsel, and he said, “Look, this is just the maturity stage of the role as a real C-level role, which everybody has wanted and screamed about wanting for a while. This comes with it.”

Liability is part of it. If you think general counsels, CEOs, and CFOs don’t have crazy amounts of liability, both personally, professionally, and career-wise, you’re living in a hole. So if you are afraid of this, I think it is time, like some of the commenters later in the show, to think about other roles that are similar, that are not quite the same role.

But otherwise, you need to get used to the fact that a high impact role comes with high downside as well.

[David Spark] That is a really good point. And we couldn’t have picked a more perfect guest for this discussion because this is a person who has been on multiple sides of this issue. And actually, I don’t think we’ve had a guest who has this very unique share of experiences. So he’s a former healthcare CISO himself, but he is actually now a cybersecurity and privacy attorney for Hall Render.

It is Phil Davis. Phil, thank you so much for joining us.

[Phil Davis] Hello. Wonderful to be here, Geoff and David. It is an absolute pleasure.

What are the complaints?

4:34.630

[David Spark] Jeremy Pickett of MixMode said, “I don’t think anybody is qualified for the job.” They’re speaking about you, Geoff.

[Geoff Belknap] Directly to me. Thank you, Jeremy. I appreciate the feedback.

[David Spark] “The responsibility means having a clear anticipation of things you cannot reasonably know. The best CISOs, similar to their subordinates, effectively communicate upwards the risk of doing or not doing.”

Shawn Riley of Telos Corporation said, “I’ve sat in the CISO seat twice, and most offers for employment are CISO roles, but I’d much rather be a chief cybersecurity scientist. Not only does it pay the same or more than I was paid as a CISO, it’s significantly more enjoyable without most of the downsides.

Everybody wants to be the CISO, and I’m happy for them to do it.”

So Geoff, this is really interesting. I think the first thing that Jeremy mentioned is, well, nobody knows what could happen, but that’s true for any job. For anybody, nobody knows. But yes, he says, you know, security people just try to communicate what’s going on, which again, I think is similar: the finance person’s trying to communicate their issues.

The CEO is trying to communicate their issues. Everyone’s trying to communicate from there. But Shawn brings up an interesting thing, saying there could be much more attractive jobs in cybersecurity than CISO. We kind of all assume CISO is the most attractive from the financial side or the prestige side, but there could be other options here.

[Geoff Belknap] The job of the CSO or the CFO or head of sales is not to report on what’s going on and let somebody else take action. It’s for me and my role to help the business be as successful as possible. And in my case, driving outcomes that are positive for the business from the security leadership role.

If I’m the CFO, I’m not just creating spreadsheets and handing them to the CEO and going, good luck with that. It is for me to be a disciplined, rigorous manager of the financial state of the business and help make good decisions about how to drive success for the business. So, where the CISO role might have started as the senior most security person, technologist, etc., in the business, it has definitely evolved from there.

And I think this is where Shawn’s point is really relevant. There are now other jobs other than CISO that are very, very senior level. I, for example, in my leadership team have a chief security architect who would be probably equivalent to what Shawn is saying here, the senior most technologist or the architect for all the infrastructure that we build and operate.

That person is not a CISO, but is a very, very senior leader in my organization. There are other roles if the accountability and the responsibility and the liability are too much for your personal risk appetite.

[David Spark] That’s a good point. So I’m going to throw this to you, Phil, and say that, being that you were a CISO yourself, I’m going to ask, why did you leave it? Was it the fear of the risk? And then you went into law. Like, did any of this play into your decision making?

[Phil Davis] I don’t know that it played into my direct decision making, particularly because in my experience, being in a healthy organization doesn’t necessarily come with a lot of the organizational risk, right? I think there’s still the regulatory pressures, the outside pressures, but when you’re in a healthy organization, you don’t necessarily feel like you’re unsupported.

And I think that’s kind of the undercurrent to a lot of the complaints, that I don’t feel fully supported in my organization. And well, I’m lucky enough to not have had that. I think in my calculation and kind of moving over to the legal world, I certainly developed a passion for supporting CISOs and helping them build programs that are defensible when they are under that type of a microscope, and that’s something that I try to do as a part of my practice, but I would really encourage CISOs out there to lean into this.

These skill sets that I think technologists view as politics or political: the ability to communicate within your organization. I think one of the key skill sets of the CISO role to be successful, as Geoff mentioned, is not necessarily being the smartest technologist in the company. Right? It’s the ability to communicate the purpose of security to your organization, right?

That is, what is the purpose of your security team? And a hint is that it is not to prevent all breaches, right? The purpose of your security team is to certainly reduce the amount of breaches that the organization has, but also to mitigate the impact of breaches when they occur. And so being able to communicate that effectively in the organization is important.

It’s one of the core key skill sets of being an effective CISO.

Who owns this issue?

9:40.528

[David Spark] Michael Scheidell of Security Privateers said, “The CISO should not take on more responsibility than the authority they have. If they don’t have the authority to affect the change necessary, then they should not be held responsible for the consequences. When evaluating a position with a new company, make sure that the responsibility and the authority balance.” This is all key.

And Aditya Sarangapani of WNS said, “As a former CISO myself, and someone looking to get back in the saddle, the enormity of the task is not lost on me. Given the current environment, CISOs tend to have more responsibility than authority. This has now become too risky for the gains it offers and may negatively impact people’s aspirations for the role.”

And I also want to quote Gene Spafford, or Spaff, who’s at Purdue University, an instructor actually. He has been notably quoted in saying, and I’m just paraphrasing, that if you’ve got responsibility but not authority, it is time to update your resume. That is not a good combination. So this is something we hear a lot from CISOs, that in having the authority there is an imbalance.

Are we seeing that change, or is that the case, or is the lack of authority being protected by D&O insurance? I mean, like, where do we land on all of this?

[Phil Davis] I don’t think any of our listeners would disagree with the statement that security is a team sport. The CISO is certainly accountable for improvements to the security program and ensuring that the security function is matching what the business needs from the security function. But all executives all the way up through the board are a part of the security accountability scope.

Right? I think there’s been obviously an increase in cases where CISOs have been singled out by regulators or the government in various enforcement actions, although there are limited examples of this. In those instances, there are usually several facts that lead to there being a lack of overall organizational governance around decision making.

How statements get made to the public, or how actions get taken, or how certain legal determinations are made within the organization. And I think as a CISO, one of the biggest pieces of advice that I have now, in kind of the current climate, is that automated processes and collective decision making processes are your friend.

And these are things that, as a matter of policy, you write in and say, for example, in healthcare, right, I was a CISO in a healthcare organization, we had a healthcare breach review committee, right, which, by policy, the role of that group was to make a group determination decision about whether or not something rises to the level of a reportable breach.

I think that’s kind of a corollary that would help a lot of CISOs out nowadays: to have a group that they can go to and report out all the facts, right? You don’t wanna withhold anything when you’re providing information to these groups ’cause that can get you into some trouble, but you…

[David Spark] So you’re saying not just a team sport, but team authority, if you will. I’m kind of hearing that.

[Phil Davis] Exactly. I think where CISOs can help themselves out is allow themselves to sit into that advisor position by documented policy to advise the organization about what happened and allow the appropriate decision makers, like the legal department, compliance departments, to make the legal determinations about what happens next.

[David Spark] So Geoff, I’m sure through your history in working in security and former CISO roles as well that there has been sort of an ebb and flow of this sort of responsibility and authority grid matrix, however you want to put it. How have you seen behavior change as that balance changes?

[Geoff Belknap] I think it’s a great point. What I would say is what Phil is saying, maybe another way: as we get more and more clarity about exactly what you might be liable for or what your responsibilities are as a CSO, and which, by the way, might change depending on what vertical your organization is in, whether it be healthcare or government or, in my space, enterprise and consumer technology, you are responsible for various different things.

Stay in your lane. Your lane is big enough as it is to be the accountable and responsible security executive. You don’t need to be veering into privacy or legal. Like, you need those people to be your partner, but you don’t need to do their job for them. That, I think, is where a lot of risk exists for CISOs today that might be doing a little bit too much.

And then I think really to the heart of, again, coming back to the point that we’re making here: build partnerships, work as a team. Yes, I am responsible and I have liability for a great many things. That can be a daunting challenge. But for example, I have a fantastic legal partner that I work with, who’s the head of cybersecurity policy for the organization.

Their responsibility is to make sure that I get good advice and that I make well informed, good decisions about whether we’re going to handle something a certain way, whether we’re going to have to do a notification, whatever that might be. The expectation, because my org supports us well, and we’re very thoughtful about this, is not that I will do this all by myself.

The org recognizes that there is a great amount of responsibility and expectation to come with the role, and then we have to support that. I think going back to rounding us out with what Spaff said, if your organization doesn’t get it. And I don’t mean doesn’t get it in terms of they don’t give you enough money or enough headcount.

Spoiler alert, nobody gets enough money or headcount. But if your org doesn’t get it in terms of how to support you, that they won’t let you talk to legal, that they won’t give you exposure to the other executives, then it’s probably time to take a walk.

Sponsor – Sonrai

15:48.535 

[David Spark] Before I go on any further, I do want to tell you about our awesome sponsor, Sonrai Security. Picture this, if you were a classic video game player. Do you know what’s more old school than blowing on a Nintendo cartridge to make it work? You know what I’m talking about. What I’m talking about in the world of cloud permissions is manually creating individual policies to achieve least privilege in your cloud.

That gets old after maybe a handful of users and a handful of apps. Leave those old habits in the past and lock down access to sensitive permissions and services without disrupting DevOps. With a single click with the cloud permissions firewall, you can easily restrict excessive permissions from human and machine identities, quarantine unused identities, and restrict specific regions and unused services. Continue maintaining this level of security by automatically enforcing policies as new accounts, roles, permissions, and services are added to your environment.

See how easy it can be to achieve least privilege. You want to do it? You can start a 14-day free trial for Sonrai’s cloud permissions firewall at their site at Sonrai.co/CISO. Go check it out.

What’s the CISO’s role?

17:43.340

[David Spark] Aditya Sarangapani, again of WNS, said, “It comes down to corporate culture in how much autonomy the CISO has. Many organizations still view the CISO as an IT systems administrator, rather than someone who can influence and enforce policy.” That’s a very good point. Even if you as CISO can influence policy, you are still limited by other factors which you cannot control.

Derek Nugent of Difenda said, “The CISO needs to report directly to the CEO.” This is a hotly debated topic. We’ve done a whole episode on this, you know, where they report, a while ago, but let me continue what Derek said: “I continue to see this change starting to happen more and more. The ability for career growth and to understand the business in more detail, along with having a true voice at the table, will help solve some of the challenges you mention.”

So I think this gets a lot to what we’ve already been saying. I’m going to start with you here, Phil. Like if they don’t get it in terms of your responsibility, that’s key, but the getting it may or may not necessarily mean the CISO has to report to the CEO. What are ways, I guess, that organizations can communicate, “We get it”? And the sort of two-way understanding that we appreciate you, you appreciate us, we’re going to take care of you, you’re going to take care of us. Like, what are ways we can get to that point?

[Phil Davis] That’s a great question. I think a lot of the ways that CISOs can help themselves get to that point in their organization is to be able to, as Geoff mentioned earlier, communicate that they are there. The security team is there to support their business function, right? To make sure that they’re a champion for their organization’s business back to IT, back to security, and also vice versa, right?

Selling the benefits of being secure, being compliant, to the business so that they get that we’re here for them, right? I think one of the main messages is that a security leader can go to its other executives, right? Even if it doesn’t report to the CEO, I think you can still deliver this message effectively that the organization is not necessarily here to be secure, right?

We’re there to, to provide a service to our customers, right? Or to provide a valuable function.

[David Spark] And I’m interested to hear what Geoff has to say, but I want you to fill in. So it’s like, we talk about that a lot on this show. Can you communicate, and again, make any, you know, example you want, and maybe something you’ve actually done in the past, but how do you make that super clear?

Like, Hey, you’re running this new service. We noticed this new behavior. This, if this goes out of control like this, we’ve got serious problems and you’re not going to be able to succeed with this. So this is what we need to start doing. And let me explain what the security team would have to do. Like, I’m assuming that’s how it goes down again.

[Phil Davis] Yeah, you certainly don’t want to be the sky is falling person. However, I do think storytelling is, is a valuable tool in the tool belt, right? You want to be able to, to follow that thread, right? If you see a vulnerability, you want to follow that through all the way to where it may end up, right?

Which is a lot of risk to the business, but bringing things back to business viability, business function, ensuring the business can continue to operate. I think just by being able to tell that story to the other leaders in the business, which helps create that culture around security for you, the other leaders will latch onto that and they’ll realize, “Hey, my CISO gets it.

They understand why we’re here. They’re not here to stop me. They’re here to enable me.”

[David Spark] Yeah. How do you communicate to the team, Geoff? I mean, to the team, the greater company in general, like, Oh, we’re going to make you succeed here.

[Geoff Belknap] It’s less about how you communicate one specific idea. It’s more about how you act, how your team acts, how it makes decisions. It is really difficult for you as a leader to get involved in every decision and say, “Oh, there’s reputational risk here,” or “there could be a breach here,” because the rest of the business, whether they’re in sales or marketing or legal, are dealing with risk every single day.

Everything they do might fail. Everything they do might kick off a political firestorm, or there might be a boycott, or the product might not land. So if you show up and you say one more thing, “If you make this choice, it might go bad,” you know, you’re talking to a product leader who’s like, “Yeah, every choice I make might go bad.

I might be out of a job next week because of these choices, or the business could succeed.” And I think instead of thinking about your job as a security leader as to show up and tell them everything that might go wrong, it’s to help analyze all the information you’ve got and help provide a perspective and make choices about how you build protective choices into the infrastructure, how you build the process by which you design and ship products or whatever the services that your organization provides. And ensure that you’ve got multiple layers to catch problems in the process and not just at the very end, and make sure that you’re showing up, instead of going, “Hey, here’s all the things that might go wrong,” saying, “I think this is going to be great. I’m here to ensure your success. I’m rooting for you. And, you know, let us know how we can help.”

I think that’s a subtle change about how you approach those problems, but it makes a big difference in terms of your credibility.

[David Spark] Let me then tag with this question. How do you know you’ve done that? Right? What is it you hear that makes it clear? Like, “Oh, I got through.”

[Geoff Belknap] The number one thing that you are going to hear and see are people coming back to you and your team to re-engage and have the conversation again. Nobody wants to go to the DMV. You go to the DMV because you get a letter and you’re like, you don’t show up to the DMV, you’re going to jail.

Nobody wants to come to security if it feels like the DMV. They don’t want to deal with the cops. They want to deal with the paramedics, the doctors, the people that are going to help them be healthy and go on their way and live a long and happy life. I think if you think about yourself less as the police and the executive function policing the policies, and more as the person that is helping the organization be healthy and successful, just that mindset shift for your team is going to make a big difference in terms of your relationships with the rest of the business.


What’s the most critical issue?

24:12.226

[Voiceover] What’s the most critical issue?

[David Spark] Jeremy Pickett of MixMode says, “If a CISO role is to be responsible for any and all security related functions, no dice. The President of the U.S. doesn’t resign because a service member makes a boneheaded mistake, unless there was a provable throughline, right? So, liability should only flow so far up to the person who is responsible, knew how, or should have mitigated an issue… Silos, that works.

So liability up to directors. That’s where it should live.”

So how much do we want to build a business on finger pointing? I think it’s more my feature fear here. Like, I’ll just, I’ll briefly tell you. I remember going to a meeting where we were arguing about something with a client. And there were like 10 people there, and I was just counting the dollars we were wasting over the hour to debate about who was at fault at something, literally cost us maybe hundreds of dollars, and was fixed very quickly.

I was thinking, do we really need to do this? And so I fear a finger pointing culture is bad. So what is the culture we’re trying to do if we’re not doing that?

[Geoff Belknap] I think the reality here is, and Phil put this very well, the accountability for security rests at the CISO, full stop. The accountability for the entire company rests with the CEO. Full stop, and it kind of goes down to the departmental leads. If you’re not comfortable with that, do a different job.

We can debate what accountability means, and certainly different organizations and different leaders have different ideas. I can tell you I’m very comfortable that having one security mistake by any, even like an entry level intern will not result in me being terminated. If I felt like that was the case, I would definitely, uh, take a walk like Spaff suggested.

But that’s just not the reality of how this goes. Now, is it fair that regulatory and enforcement agencies might pick on the CISO and bypass the board and other executives? No. But I have also made peace with the fact that for me personally and professionally, I have insurance, I have the support of my organization.

I have people that were, are not interested in watching me hang out to dry, even though it might be very unfair to me while the regulatory agencies figure out what we have all known for a decade is that accountability doesn’t work in a very cut and dry way. That being said, we are watching a role and a function evolve right in front of our eyes.

And if you don’t like watching sausage be made, you might want to turn away while we figure this out over the next couple of years.

[David Spark] Phil, close this out and please bring and circle us back to our original discussion like, well, is the CISO job worth it? I guess if you have a point, a finger pointing culture, it’s not worth it for any job right there.

[Phil Davis] I think like a lot of leadership positions, it takes a special kind of person to be able to manage and thrive under the environment that a CISO finds themselves in frequently. And if you have that kind of thriving under pressure metal to you, I think being a CISO is certainly worth it. It’s a very, very rewarding career path to go.

There’s a lot of opportunity to bring others up, uh, underneath you and allow them to develop and grow and succeed in this field. Uh, as Geoff mentioned, it’s still very much an evolving discipline. And for those who want that kind of an environment, there’s no better path. I will say that if you have that, that makeup to you, there’s also a lot of opportunity with the accountability and the spotlight that gets put on CISOs.

There are a lot of eyes on you both during and after a security event in your organization. And I think that can be used as an opportunity, right? How you respond in a tough time can be just as influential or even more influential than how you act when things are smooth, right? When there’s no trouble in the air.

And your job at the end of the day is to guide the organization through those issues and make sure that they know they’re in good hands. And that their interests are protected by their security team.

[David Spark] We’ve heard that a lot. A sign of a great CISO is not that they never have breaches. A sign of a great CISO is when something does happen, how they handle it, and watching them. That’s one of the things that we hear again and again. It’s the watching of the company when the thing goes bad and how well it’s handled is what actually emboldens trust, even if they had a bad incident.

[Phil Davis] Yeah, and speaking as a lawyer, right, as we come in on, on clients bad days, how you respond and the actions you take and doing the right things and doing them the right way goes so far and goes, it helps to mitigate that, that reputational risk. I think that a lot of us face. Whenever we’re going through risk assessments and evaluating what happens in the event of a breach, right?

If you respond well, we’ve seen a lot of that risk be mitigated. And so it kind of drives home the point of, yeah, there are certainly bad days as a CISO. There’s bad days with any job, but how you respond and how you lead your team and your organization through it, that speaks volumes.

[David Spark] We now have come to the portion of the show where I’m going to ask both of you which quote was your favorite and why. And I will start with our guest, Mr. Phil Davis. Phil, please tell us, which of these quotes was your favorite?

[Phil Davis] I’m going to give my award of best quote of the show to Jeremy Pickett. “If a CISO role is to be responsible for any and all security related functions, no dice. The President of the U.S. doesn’t resign because a service member makes a boneheaded mistake,” just because of the extremity of the example there.

[David Spark] That’s a good point. Like, yeah, you, you can’t know what everyone’s doing at all times and telling them no at any given time. Geoff, which is your favorite quote and why?

[Geoff Belknap] A lot of good ones here. I’m going to go with Michael Scheidel from Security Privateers: “The CISO should not take on more responsibility than the authority they have.” And I think I might be thinking about this a little bit different than Michael, but I think this kind of goes to the point I was making earlier.

You don’t have to do everything. It takes a village. You have partners. Let, you know, let the other folks in the organization understand that it’s not just you that has to do all the security work. Even if you are ultimately accountable for security in the organization, we can only succeed when we all work together.

And I think CISOs that understand that and build relationships upon that foundation are going to feel like it’s worth it.

[David Spark] Excellent point. Well, this was a really good discussion. Uh, let’s just get the final answer. Phil, is a CISO job worth it? Just give me a yes or no. By the way, you’re on the stand. I don’t want anything in between.

[Phil Davis] Yes, your honor,

[David Spark] You’re good. And by the way, I just got the title of your honor. Awesome. Geoff, is it still worth it? Yes or no?

[Geoff Belknap] On advice of counsel? I have been, uh, no. Uh, look, yes, it is, it is worth it. Both especially worth it for organizations as we continue to move in the future. Data technology and information security are only gonna continue to increase in importance and for people that I think, as Phil put it very well, have that very strange and unusual mix of ability to work in chaotic and not completely defined situations and make the best of it.

It is an incredibly rewarding role to have and I, I definitely have thought about walking away, but I, I just can’t see myself doing that. Feels, feels rewarding all the time.

[David Spark] That is excellent to hear. All right. Quickly, is there any way you can tell us the story of why you jumped from CISO to a lawyer in one minute? Phil.

[Phil Davis] Maybe not in one minute, but I will say that having been on kind of both sides, if you will, I think there’s a certain appeal to being able to look at how a lot of different organizations are solving a lot of the same problems and issues and stand in their corner. And like I said, help them create good defensible programs.

Because when you’re able to create that program and all the documentation is there, a lot of times you’ll see that you’re able to withstand the scrutiny that, that a lot of us in the CISO seats have, have feared in the past. So the drive to get behind a lot of different organizations and help them rather than maybe just looking at things through the lens of one organization, uh, that was, that was a big drive of, of getting out of the CISO hot seat and into the, uh, I guess it’s not a cool seat as a lawyer, but, uh, maybe a little cooler.

[Geoff Belknap] Lawyers, the coolest job you can have. And I’ll say, because I think Phil can’t say this, the jokes are better in the law profession than the CISO one.

[David Spark] Yeah, there are not a lot of good cybersecurity or CISO jokes. Like, it’s, it’s really slim pickings. It’s bad. All right. Huge thanks to our sponsor. That’s Sonrai Security. Check out their cloud permissions firewall at Sonrai.co/CISO. Sign up for the 14 day trial. Let me thank my co-host, Geoff Belknap.

Thank you as always for being awesome on the show and having no legal advice ever. I’m let, let me just point out Geoff’s legal advice is awful. Don’t ever recommend going to him for any legal advice. Am I, am I good on that?

[Geoff Belknap] Yes. And let me just remind you, I am not your lawyer and I’m not a lawyer. Phil is your lawyer.

[David Spark] Phil could be, let me say, could be your lawyer. I don’t think he’s all of a sudden taking on all our listeners as clients. Um,

[Phil Davis] there.

[Geoff Belknap] Sure this is all legal advice. Uh,

[David Spark] All right. So he once was a healthcare CISO. He is now a cybersecurity and privacy attorney with Hall Render. Go check them out for all your legal needs. It’s Phil Davis. Phil, thank you so much for joining us today. Any last words?

[Phil Davis] No, no last words. Thank you both so much. This was a blast. Come see us. We’re hallrender.com. Happy to talk with you. Reach out to me on LinkedIn. Love to connect with, with all the listeners. This has been such a blast.

[David Spark] And by the way, was this recording billed?

[Phil Davis] It was not.

[Geoff Belknap] So generous.

[David Spark] Thank you so much. Thank you everybody. We greatly appreciate you listening and contributing to Defense In Depth.

[Voiceover] We’ve reached the end of Defense In Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please, write a review, leave a comment on LinkedIn, or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to Defense In Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.