Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Michael Weiss, CISO, Human Interest.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our podcast sponsor, Optiv
[David Spark] Is it possible to position your security team as a profit center instead of the traditional cost center reporting to the CIO? Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, you know him as Steve Zalewski, and that’s the name he goes by. Steve, thank you for joining us today.
[Steve Zalewski] Thank you. It’s a pleasure as always, David. Hello, audience.
[David Spark] We are sponsored this very episode by Optiv. And by the way, this was a long time coming. Optiv, we all know Optiv, and they have many, many capabilities, and we’re so thrilled that they’ve come onboard and are sponsoring this series. So, thank you, Optiv, for being part of the show. More about them later in the show. But first, our topic of discussion. Now, when you worked at Levi’s, Steve, you said many times on this show and to vendors looking to sell to you, “How does your product help me sell more jeans?” And at the time, you were asking the security vendor to see how their product could somehow connect to your company’s business objectives. So, you also asked this question of security professionals, “Can security be seen as a profit center? Is security still primarily an efficiency conversation or has the effectiveness now changed the dialogue on how success is measured?” Give me some more context to that and how you felt people answered.
[Steve Zalewski] Sure. So, the context on why I put it out there was years ago, we talked about being a profit center in some capacity. But it generally meant from an IT perspective that you would recharge your services to the lines of business. So, it was kind of an artificial profit center. And what I wanted to be able to do was to be able to ask along the lines of the vendors which is enabling the business, “Can we get into the conversation around profit protection or loss prevention as truly an ROI measure?” And what I will say is once again, I put what I think is a pretty hard question out there, and we got some very thoughtful responses back from a wide variety of security practitioners.
[David Spark] And very creative too, I’m going to throw that out there, I liked them a lot. And the person who’s going to help in this discussion, and when I mentioned I was going to have him on with you, he mentioned, “Oh, Steve’s going to talk about selling jeans again?” Which I was like, “Yeah, yeah, that’s it, that’s it, that’s exactly it.” Thrilled to have him on the show, it is the CISO of Human Interest, Michael Weiss. Michael, thank you so much for joining us.
[Michael Weiss] Thanks for having me. Glad to be here.
What would a successful engagement look like?
[David Spark] Gary Hayslip, CISO of Softbank Investment Advisers, put out what I think was probably the most popular response, and this is what he did – and by the way, I should mention he did this when he was the CISO for the City of San Diego, “I set it up as a service center and basically departments paid for specific services as a seat price. Those tools directly touching the customer or supporting a customer’s team were candidates to be ‘charged back.’ I got about 40% of my budget covered by the other departments, and then the rest was focused more on the security stack which they considered to be a sunk cost. Now, you don’t get a full 100% coverage of the security budget but in doing this we gave the executive team visibility into the value of the services we provided to the business, and I know the CFO was very happy with our approach.”
And I’ll add Phil Huggins who’s the CISO for Health and Social Care, NHS England, said, “Business services teams are more likely to value the cyber capabilities, as teams that don’t have to pay for things tend not to value them leading to waste. But also by not charging them the full value, the internal services are still seen as cost effective compared to market solutions by the business services team.” So, I thought these were wonderful creative ideas. Steve, have you ever done this or heard of this before?
[Steve Zalewski] So, within the IT realm, of which security I will argue is a child of this, this has been done many times. IT is always trying to figure out how do I recharge the business for what I provide as a service. And I think Gary and Phil are spot on. I think for most CISOs out there, this is almost table stakes now. At a minimum, you should do this, because it does get you some relief. But where I was challenging myself and others too is that’s great for services – identity and access management, endpoint protection for my vulnerability – but what do you do around all the attack surface management? Okay? Because what are you doing around the successful social engineering attacks? So, the second half of this is, “Do this.” But what are we doing to be able to demonstrate that the investment I’m making in my SOC or my SIEM is returning 10 times the investment on profit protection in reducing the number of compromises that we’re seeing?
[David Spark] Michael, I’ll throw this to you, echoing what Gary said and what Steve said. You can only do a portion of this technique but what more can be done, and do you agree this is a great technique to go down?
[Michael Weiss] Well, I think that there’s a little bit of danger that can come from chargebacks if you’re not careful about how you do it. Because chargebacks mean that the other department is paying for your services, and if they have the option to choose not to use your services, then a chargeback can in fact result in avoidance which is something that you want to avoid. You don’t necessarily want other teams to want to avoid paying you for services that may be very necessary to the business.
[David Spark] But also pick and choose security services like one team saying, “Eh, you know what? We don’t need a VPN,” or “We don’t need password management,” or something.
[Michael Weiss] Exactly. Or we don’t need to do threat modeling on this release. Maybe you’re not the best suited to make that decision if you have what amounts to sort of a conflict of interest there. If it’s going to cost you money every time that you do a threat model, maybe you do it less often, and is that really the best thing for the business? So, all I’m saying about this is that it’s something that needs to go with a great deal of care. Typically, when you think of the way it works in IT, if some other part of the organization pays you less, they typically then get lower productivity as a result. And so there’s something that’s much more a synergistic kind of relationship there than you would have when you’re talking about security. It can be very dangerous to ever be in a position where the security team is working at cross purposes to the other parts of the business.
What’s the return on investment?
[David Spark] Simon Goldsmith of Ovo said, “For security, it’s a question of level of alignment with business goals. Example – either reacting or building the potential for more resilient business performance.” And Phil Huggins again, the CISO for Health and Social Care at NHS England, said, “Business services have a clear external customer, but cyber capabilities have the business services as a customer.” Aldo Febro at Willow Health said, “If you’re working for a vendor/supplier, the end customer often has compliance requirements before signing a deal. In this case, security is a part of the sales cycle.” And lastly, Lior Yaari of Grip Security said, “Certain security solutions can position themselves as cost savers. For example, SSO, passwordless, and automated-offboarding vendors are saving time on support tickets for offboarding and password changes.” So, I’ll start with you, Michael, on this. Cost savings, aligning with compliance, aligning with the business services stuff – this seems totally the way to go, and also just sort of basic advice we often give on the show of what are the business needs.
[Michael Weiss] Oh, absolutely. And actually, Phil and Aldo obliquely reference something that’s kind of important here too. This return on investment is somewhat dependent on the industry. You take a look at those two, they’re both in healthcare. Steve is about selling jeans, as we’ve talked about numerous times. For me, I sell retirement plans. People are generally not that concerned about the security of their denim, I mean, as long as everything’s covered, but they do worry about the security of their money. And in fact for me, I have a much easier time, I suspect, than Steve ever did in terms of drawing the connection between what we do in infosec and selling retirement plans and being able to demonstrate the connection in terms of the return on the investment.
[Steve Zalewski] So, I’m going to riff on this which was what I found so heartening is we had four different responses on how to measure ROI. And so that gets back to measurement versus metric. I found it very good that these are all different ways that we have been able to be successful in attempting to manage the cost. But what again we’re looking at here, and I really like the “Hey, there are security groups who, for the company itself, depending upon the company, they’re actually part of the deal.” And so therefore they’re saying, “We made the deal because of our security capability; therefore, we’re more R&D than we are a cost center under the CIO.” Huge transition. Great option.
But the other thing that you see here is what is the business? It’s the business objectives not the business service or the line of business itself. And so I think we’re starting to tease out now what we do today as standard and where we’re trying to mature ourselves to think about profitability. Because what’s good enough security? Ultimately, we’re trying to manage what’s good enough for the cost to maximize the profit and to protect the social contract we have with our consumers. And so that’s where when you’re saying, “Are you a profit center?” is you’re understanding not, “I need more and more and more,” but “What is the true return on investment?” and profit and consumer protection are the two ultimate arbiters of that.
Sponsor – Optiv
[Steve Prentice] With companies moving to the cloud, a number of processes that used to exist behind the firewall must now be updated, including managing accounts and authenticating users. So, what happens when CISOs start to feel the pressure to get this done coming from the board but don’t feel they have the skills to do it? Ralph Martino is a practice director in the cyber security and protection at Optiv.
[Ralph Martino] The pressure they’re getting from the board is typically to decrease their risk, increase their security, and do that while they’re trying to lower the overall cost. And with the enterprises moving over to the cloud to manage their identities, there’s a need for us to kind of look at how we’re going to govern an on-premise active directory system that’s been in place for about 20 years.
[Steve Prentice] One of the ways Optiv helps in this regard is to teach CISOs how to do it through workshops.
[Ralph Martino] From the workshop, you’ll have a roadmap that then gets you to achieve those objectives of increasing the security, decreasing the risk, and lowering your cost.
[Steve Prentice] Sometimes, the identity modernization solution is closer than it appears, it just needs an outside expert eye to guide CISOs toward it.
[Ralph Martino] The old legacy on-premise system really can’t control or secure the identity the way you need to have it done today. And a lot of times, CISOs can typically make that shift happen, and they don’t really even know it. And it’s really having the focus on digging in and understanding what the possibilities are based on the capabilities you have to move that identity control plane from active directory but into the cloud.
[Steve Prentice] Modernizing your identity control plane from AD to the cloud is complex. Optiv has a roadmap to control tool sprawl and navigate the journey to Azure AD. Check them out for more information at optiv.com/iam-microsoft.
Who’s making money here?
[David Spark] David Matousek of John Hancock Financial Services said, “As part of cyber security strategy, clear outcomes need to be defined. These outcomes will measure the value cyber security provides the enterprise.” Pretty basic. And Ori Eisen of Trusona referenced the Eastern medicine technique of paying when you’re well, but not when you’re sick. I hadn’t heard about this, but he suggested, “Security should get paid soft dollars every month there is no breach/incident.” Very creative there, you’re nodding your head. What do you think of that, Steve?
[Steve Zalewski] That’s just it, which was you’re paying proactively, okay, and no incidents. That’s the real challenge that we have. It’s not paying for single sign-on or paying for vulnerability management or paying for my malicious malware. It’s if there’s no incidents for 90 days. I’ve saved a lot of money, because we know how expensive incidents are. So, I really like that kind of reverse psychology here. Which was you’re paying me to prevent incidents. And that gets back to what’s the true metric. How does it make my bonus? And I always argue that’s the ultimate metric. And now we’re talking about bonus and the thing that everybody really thinks about. So, I really liked Ori’s comment, I thought it was great out of the box thinking.
[David Spark] Michael? Getting paid for no incidents, what do you think of that?
[Michael Weiss] I think it can work really, really well. I mean, on the…
[David Spark] I would love to see a company do this.
[Michael Weiss] I would too, but there’s a real danger, and I talk about this a lot.
[David Spark] You’ve brought up a lot of danger. Well, this is what happens when you work in insurance.
[Michael Weiss] Yeah, something to that effect. It’s that you will get the results that you measure. And one of the real dangers is that you have to be super careful about what it is you’re measuring. I mean, as an example, if all that we’re measuring on is how many incidents you have, there’s sort of cross purposes here, where there’s some incentive to not see incidents. I don’t think that Steve would ever do this; I certainly wouldn’t do this. But just thinking in terms of how you measure this, it’s very hard when you’re measuring the absence of an event. You’re saying, “Well, we aren’t hearing any dogs bark, therefore there are no dogs in the neighborhood.” It doesn’t necessarily mean that they aren’t there. And worse yet, is if you put your fingers in your ear, you may never hear the barking, and there are dogs all around. So, if you’re measured on events not happening, you have to make sure that you are preventing the events themselves and not what may be the measurement of the events.
[David Spark] That is a very good point.
[Steve Zalewski] So, I love this, so what Michael’s really saying is figures don’t lie but liars figure.
[David Spark] Oh, so you can game the system too, right?
[Michael Weiss] Exactly. We all do it. Let’s be honest, that’s what happens. If you’re measured on something, whether you like it or not, you’re just going to be incented to find a way to follow the rules of the game, whatever those rules may happen to be.
[David Spark] Let me throw this out at both of you as a side note. Have you found yourself writing presentations, reports to make yourself look a little bit better?
[Michael Weiss] Of course. We’re humans, right?
[David Spark] Yes.
[Michael Weiss] When it comes time for you to be evaluated, you’re going to try and put your best foot forward.
[David Spark] Right.
[Steve Zalewski] We are performance, right? This is business. Business is performance. Performance is metric and you got to make yourself look good, right? That is also part of how it’s done, it’s part of the politics of leadership. So, there’s no shame in it, it’s what you’re doing. My point being is but how many thousands of hours are you putting into this? And how much extra effort when we could be working smarter? And my challenge here, why I was laughing was, well, what happens if you take a look at your risk profile, and you manage your risk profile to the key business processes and maybe there are no incidents against those key business processes, which is what the company has chartered you to do. There may be other incidents, but if they’re low risk or low value, who cares? Right? It’s a risk conversation. So this is, in my mind, really starting to drive back to are you putting the right risk profile in place that you want to be measured against? And so therefore, when it looks like it’s quiet, as long as you can demonstrate it’s quiet against the key processes that you’re responsible for, declare success. That is perfectly fair and reasonable.
If you looked at the problem this way
[David Spark] I’m going to set these few quotes and say there were a few people that were not going along with you, Steve, on this. And they were just like, “It just can’t happen.” I’ll start with David Dimston of IBM Marketing, and he said, “Everything under the IT sun tries to position itself as a profit center, and nobody outside of IT believes it. So, stop trying. Instead, it’s an operating cost that sooner rather than later will pay for itself.” Hence the return on investment. And Tony M. said, “I’m not sure how you could justify it as a profit center if it doesn’t directly generate revenue and earnings for the business.” And lastly, Ori Eisen again from Trusona said, “The only problem is that you will be asked to show ‘growth’ and there is a point where it will not be possible.” So, I’m going to start with you, Michael, on this one. They all make good arguments; I’ll just stay there.
[Michael Weiss] Yeah, well, okay, I’ll throw in my thoughts on this. I think there’s a difference between being a profit center and being a team who can demonstrably prove that you’re essential to the business. So, I mean, you listen to what Steve was talking about earlier, really, maybe you call it risk avoidance, right? But the ultimate point is to demonstrate that the bottom line for the business is better with you than without you. Do you call that being a profit center? Do you call that being a cost center where your costs are being offset against reduction in cost elsewhere in the business? I mean, at that point, it’s kind of splitting hairs. In the end, what you’re doing is you are helping to ensure that the company is fiscally better off with you than without you.
[David Spark] Steve?
[Steve Zalewski] Well said, Michael. That should go up on everybody’s board as common sense that we remind ourselves of. Now, what I want to do too is David Dimston from IBM – here’s the thing, he’s right. This is how IT has tried to position themselves as value. And as long as the CISO is under IT, that bias, unfortunately, he has to fight against. But one of the things I’ve said is – wait a minute, IT is measured on efficiency, right? Be as efficient as you can, take your dollars away, make you be more efficient. Security more and more is being measured on effectiveness. How effective am I at managing my attack surface and limiting the attack effectiveness? And that’s where we’re having to say so by saying we’re a profit center, right? That’s where Michael’s going too is we’ve got to manage the risk, we’re better off with you than without you. But the key is because we’re not talking about how efficient are you in managing the 18 security tools you’ve deployed, but how effective are you at managing the ransomware attacks that everybody else is getting and we haven’t gotten one in six months? That to me is looking at the problem the forward-thinking way. Leverage what you had, identify with IT but then separate yourself from IT. And I love Ori Eisen’s from Trusona.
[David Spark] Yeah, I wanted to get to that, about the whole thing like how you show growth here.
[Steve Zalewski] So, here’s the skinny from me, which was good, so what’s good enough security? How much more risk can I accept to spend less on security and maximize my profit? And so what I love about Ori again is so let’s talk about the insurance policies that security effectively is, right? Just like the chief risk officer looks at all of his finance insurance policies and everything else, we’re one more. So, what Ori is saying is so how good are you at really having that conversation and finding that knife’s edge on what’s enough security for the company to maximize profit. And so I really like that because there will come a point where you’ll realize we can’t get the ROI any higher. But it’s the same for selling jeans, right? Cost of goods sold. Or same thing for insurance – how much can I jump the premiums before the regulators then realize we’re taking too much profit because we’re not paying out enough pennies on the dollar? That’s a great conversation to have. That’s exactly where we should be.
[David Spark] All right.
[David Spark] This brings us to the end of our conversation, and I’m eager to hear from both of you, and there’s a lot of good quotes in here. Which quote was your favorite and why? And I’m going to start with you, Michael.
[Michael Weiss] So, I liked Simon Goldsmith’s statement about alignment with the business. I think that a lot of security teams miss that, and if you lose sight of aligning with the business, you set yourself up to be the enemy of the business. Not on purpose, but accidentally. And what that does is it leaves your team marginalized and worse yet, then they become demoralized, they become bitter, and then they go and look to be elsewhere, and no one’s effective in that environment.
[David Spark] Is your security team liked by your business?
[Michael Weiss] Yes. In fact, it is critical to me. When I hire people, what I’m looking for is people who pay attention to why the company is trying to do what they’re doing, understand what their goals are, what their motivations are. And the point is not to put the “no” in innovation, the point rather is to find a way to get to yes in a way that reduces the risk to the business to an acceptable level. That’s what it’s about.
[David Spark] That is a theme we hammer many times on this show. All right, Steve. Your favorite quote and why?
[Steve Zalewski] I have to give it to Ori Eisen. I will make a shout out.
[David Spark] Which one? We used two quotes from him.
[Steve Zalewski] I know. And so once again I’m going to break the rules, and I’m going to say both. Which was security should get paid soft dollars every month there is no breach or incident, and the only problem is that you’re asked how to show growth. What I like about that is both of Ori’s quotes really are getting to you should be paid when you’re doing your job. And there will come a point where you can’t be any more effective, but that’s always a moving bar. And so I really, I got to give it to Ori because both of his really were out-of-the-box thinking that I think are helping people turn the corner to ways of looking at what a profit center is.
[David Spark] Well, I think security would love this because just think about in that, this is an opportunity where security can be cheered, be recognized, be lauded for its success, where it’s really, really hard for people to see how great a job security is doing at any given time. We all know that they can be lambasted when the you-know-what hits the fan. And this would turn the tables if you could get everybody onboard. That’s the hook.
[Steve Zalewski] Well, if you don’t start, you’ll never get there, right? And so a lot of what this question was for me was to test with my peers where their thinking was on this.
[David Spark] How could you do specifically the pay when things are going well? How could you do like a test case of that? Where would be an area for that? Because I love this concept.
[Steve Zalewski] Which one were you talking about?
[David Spark] The first quote from Ori, like paying security for not having issues. Again, assuming we stay within the barriers that you mentioned, Michael, as in we’re not cheating ourselves here. We’ve all agreed on how things are going to be measured and we’re using effective tools and stuff, and we’re actually measuring incidents. What’s a way that we could test pilot something like this? Steve, what do you think?
[Steve Zalewski] One way would be – and I’m very much incident response based. I get right out to what’s really bad isn’t the normal people that are not following the rules. It’s the attacks in. Which was how many months have I gone without a SEV 1 incident? How many months have I gone without a SEV 2 incident? How many months have I gone without a SEV 3 incident? Because those incidents are well described in your IR plan, and that ultimately is the key metric for me because that’s when you lose a lot of money, and that’s when the team is going to get hammered, because your bonuses are going to be impacted. If you’re spending a lot of time with the executive team going through incident response, I guarantee you there’s going to be a lifecycle event with you and other members of your team. So, that would be a very simple and clear way that I would be able to set expectations on effectiveness not efficiency.
[David Spark] Excellent point. All right. This comes to the end of the show. I want to thank our sponsor, Optiv. Thank you very much, Optiv, for sponsoring this episode. If you’re looking for security solutions, they are kind of the sort of one-stop shop for many of these things. Check them out at optiv.com. As we close, I always ask our guest if they’re hiring, so make sure you get an answer for that, Michael. But first, you’re going to have the closing comment, Michael. Steve, any last thoughts?
[Steve Zalewski] Again, I have to say thank you to the security practitioners for responding to this.
[David Spark] Great responses.
[Steve Zalewski] These – I’ve asked some very difficult thoughtful questions in these last couple of months. And the caliber of the thinking that’s going in really is showing me that people are wanting to get security to where it needs to be, kind of next generation of maturity. And so again I have to say thank you. We couldn’t do this show and have these hard topics without the folks out there that really are committing the time to think through what we’re asking and giving us this kind of great feedback to have these conversations.
[David Spark] Excellent. Michael, any last thoughts, and are you hiring?
[Michael Weiss] So, last thoughts, this is actually a great set of topics. I love thinking about what can make us more effective. We’re often, as a part of companies, marginalized. We aren’t noticed unless things are going wrong. So, it’s nice to think in terms of other ways of thinking about how we can measure our effectiveness as a practice. But to your other question – am I hiring? Absolutely I’m hiring. I’ve got five open positions on my team, and I would love to have more people in the pipeline for me to talk to.
[Steve Zalewski] And Mike’s a great boss so for anybody out there, I highly recommend you take a look at Mike’s position, I’ve known him for years. Excellent boss, excellent leader, cares about his people.
[Michael Weiss] Thank you, Steve.
[David Spark] You will find a link to Michael’s LinkedIn profile on our site, CISOSeries.com for this very episode. Thank you very much to my guests, to our sponsor Optiv, and to our audience as well. For as Steve has said, and I have said, and Michael’s noticed, your phenomenal contributions. And for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thanks for listening to Defense in Depth.