Those reports on security procedures for the business are falling short. No one is reading them. What good are security controls if your staff doesn’t know about them or adhere to them? Is it time to hire a marketing manager for the security team?
Check out this post for the discussion that was the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Laura Deaner (@b3dwin), CISO, Northwestern Mutual.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor IANS Research
[David Spark] Those reports on security procedures for the business are falling short. No one is reading them. What good are security controls if your staff doesn’t know about them or adhere to them? Is it time to hire a marketing manager for the security team?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And listen, everybody, who’s joined me. Why, it’s Steve Zalewski. Steve?
[Steve Zalewski] Hello, audience.
[David Spark] Our sponsor for today’s episode is IANS Research. They actually do some really cool, creative, and impressive, valuable research. You’ll hear more about that later in the show. Steve, today’s topic comes from Gabriel Friedlander of Wizer, who threw out the suggestion of needing a marketing manager for the security team. Someone to digest all this information and then disseminate that information. Now, while getting extra headcount to hire such a person would be awesome, and honestly, I think it’s kind of a luxury at this point where everyone’s hiring, but the reality was that security is going to need to take this role on themselves. So, the discussion became really “How can we tell our story better?” What do you think? First of all, do you truly think that having a marketing person is a luxury or could it conceivably be a need to have or a pretty nice to have?
[Steve Zalewski] When I saw the marketing manager, I thought yes, but don’t we really need a PR manager? Because marketing is we’re trying to sell something; PR is we’re trying to get people to understand the value.
[David Spark] Yes.
[Steve Zalewski] And I think this is a value proposition, not so much a sales opportunity. And so what I really thought when I saw this was do we need a PR manager, so that way people actually see the value of what we do as opposed to a marketing manager? And I think the answer is unequivocally at this point yes, we do.
[David Spark] Hold it. I’ll just briefly ask, and we’ll get our guest’s response on this. Internal communications is really what it is. Is this kind of a nice to have or should we really bump it up as to this is a critical position? What do you think?
[Steve Zalewski] I would say it’s becoming critical, that many of the CISOs when we talk with them, they talk about their security awareness campaigns, and then they talk about how they’re trying to report value to the leadership team or to the board. All of those conversations really come back to, well, how good is your public relations? How good are you at getting people to understand your value proposition? And so that’s where I’m coming to the conclusion which is I think for many CISOs at this point, it’s going to be important to understand public relations, and how you introduce that into your organization is for you to decide, but it is really becoming a critical component of your resource organization.
[David Spark] Very good point. All right. Well, to help us with this very conversation, excited to have her onboard, it is the one and only CISO of Northwestern Mutual, Laura Deaner. Laura, thank you so much for joining us.
[Laura Deaner] Thank you so much for having me. I’m excited to be part of Defense in Depth and I love this conversation. This is going to be fun.
How important is this issue?
[David Spark] Sarah Moffat at the National Institutes of Health said, “In a world where everyone is competing for our attention, having a marketing/comms person on the good side could not be a bad idea.” Kendra Ross, an entrepreneur, said, “Just like we get a specialist security architect to design our secure networks, we need specific marketers to help with our messaging and communication.” And lastly, Omar Khawaja who is the CISO over at Highmark Health said, “Marketing talent can improve many areas of the security program – reporting, user behavior, engagement with IT, onboarding processes, budget asks, board communication, etc.” Steve, I think Omar’s comment right there kind of shows the value of having a communications person, and I think we’re going to start referring to this as a communications person. This value bleeds in many, many areas. You can definitely amortize this cost. What do you think?
[Steve Zalewski] I would say anytime you take an IT person who’s all about technology and doesn’t really see the value of marketing or public relations, he or she is just thinking, “Do as I say, and I will secure you.” I think we’ve realized we’ve run that course, and that we see all of the challenges with having a technologist try to work with an organization that is not technology based.
[David Spark] Mm-hmm. Laura, I throw this to you. What do you think? I really like Omar’s last comment here – by the way, I like the other ones too – but it’s like, “Hey, look how much benefit we could get out of a communications person for security.”
[Laura Deaner] Yeah. I know Omar, so I really appreciate that quote.
[David Spark] He’s been a guest on the show.
[Laura Deaner] I actually 100% agree. Whether we call it PR, to Steve’s point, or marketing, having a team, a person, even a half-person, even if you had somebody half the time, really thinking about your stakeholders as a CISO, what they care about, what they need to understand, and tailoring the communications to them, will go a long way. Absolutely. Omar says a few places but it’s endless. We all know that we have to do regular communications to the population, but if you’re able to actually tailor it to your stakeholders, whether it’s the board or it’s about budget, it can only be a good thing, I can’t see a downside to it. Other than, yes, it is a cost, but it’s well worth it, you’ll see returns.
[David Spark] So, do you think this cost – the same question I asked Steve earlier – it’s not a nice to have but moving up to a critical to have?
[Laura Deaner] I do. I do think it’s critical.
[Steve Zalewski] And I’m going to chime in on that because I’m going to use an example that I had at Levi’s. When we implemented our single sign-on program, that’s a piece of technology to do single sign-on with a bunch of SaaS apps. Yeah, what we did is we were very careful to try to get people to understand the value of only having to log in once through a portal and being able to do everything. When we implemented this, and it took us three months to roll it out, it was really interesting because our CIO and CEO actually came back and told us, they said, “You know something? That program is being highlighted as the most valuable thing IT has ever done for the company.” Not the security team. For all of IT. That people saw the value of single sign-on in improving their ability to do their job. And that, from a PR perspective, was gold. And so when the CIO came back and said, “You know, guys, you made me look good because this is a program that everybody understood.” And when we heard the “This is the best thing IT’s ever done for us,” it really drove home the value of PR.
[Laura Deaner] Yeah. How exciting is that when the whole IT team gets to celebrate that you’ve had that much of an impact on the entire company? 100% agree. If you’re able to do that, and everybody can relate to it, you’ve won.
Why are they behaving this way?
[David Spark] Ashley Chackman of Pocket Security said, “Most people subconsciously ask themselves when reading material ‘How does this involve me?’ If it takes too long to get a response to that question, attention goes out the window for that average person.” And Adrian Taylor of Deloitte said, “If we all think of who the stakeholder is, what’s happening in their world, and why they should care about what’s being put in front of them, then that’ll go a long way.” And Mark van Horik of ProteQtor IT Security said, “Not every marketer has a customer-oriented mindset. Too often the mindset is still too much company oriented.” Now, this is our whole discussion of marketing versus communications internally, but all of these are extremely valid points, and I just want to stress really the first two from Ashley and Adrian of make it relatable because I don’t see how you can succeed at all if it’s not relatable. Can you, Laura?
[Laura Deaner] This one’s tough because in my career, I have been a pentester, and I can tell you that I love creating those 70-page documents chock full of detailed technical speak to show that I know my stuff, right? I loved it, I absolutely loved it.
[David Spark] Laura is super smart.
[Laura Deaner] But over time I knew that I couldn’t give that 70-page pentest report to everyone. Some people would appreciate it. And so some of these points that Ashley and Adrian are making are so valid in the sense that what’s the TLDR, what’s the “too long didn’t read”? Who is looking at my document and saying, “Okay, I know exactly what I need to do”? And it really honestly just depends on what the document is. If it is a true pentest report, why am I sending it to the head of marketing or the head of all of IT? Instead, maybe I can distill that into a nice sizable chunk of information. And it’s the “so what” factor, what is this person going to do with that, and what do I need them to take away, and how is this actually selling my services of pentesting to the team that I’m talking to, right?
And so it’s so important when you’re thinking about all the artifacts that come out of your services as a CISO. What is the point of this? Who do I need to get it to? What do I want them to walk away with? How are they going to receive this? Are they going to say, “Oh, here they come again finding yet another thing I have to fix”? And if that’s the case, maybe a different approach is better. Maybe not a document. Maybe instead just having conversations about it so that they’re really feeling good about it. It all comes down to empathy, honestly.
[David Spark] You know, Steve, this reminds me. I’ve written two books myself and honestly did not have a well thought out marketing plan at the end of them. It was one of those things – and everyone who’s written a book has run into this nonsense unless they had great foresight to build out a marketing plan – you’re done with it and it’s like, “Oh, crap. Now I need to explain why people should read it?” It becomes this afterthought that really is an extremely critical part of the whole communications, and it needs to be built into the front end. Yes, Steve?
[Steve Zalewski] So, yes. But I think it also becomes more basic, more was really good at talking about what’s in it for me. And I think that’s really what your PR or your marketing or whatever is. Look – for your constituents, what’s in it for them? Why would they care? And I used to talk to my team, and I’d say, “Look. People will only care for one of two reasons. Either it makes their job easier, or it gives them more bonus. And if it isn’t one of those two things, they don’t care.” There are some people that will do the right thing just because they believe, but for 80% of the population, what’s in it for me? Make my job easier or make it more likely that my bonus pays out.
If you just look at those two things, and you set your PR around that, you’re going to cut to the chase, and you’re going to really understand what it means. Because people don’t like to be talked down to. People have listened to all of this kind of market-ecture stuff of leadership explaining to them why they’re treated like five-year-olds. And I always say, “Knock it off, man. Treat them as adults. Be really clear about the two things they care about.” You do it that way, you clear the decks, and you start to get really good at understanding the value proposition.
Sponsor – IANS Research
[Steve Prentice] No CISO or security expert can go it alone. There’s always more that needs to be known and there’s never enough time to research it on your own. Zach McMahon is Territory Leader at IANS Research, and he knows this and that’s why his organization and team are standing by literally to take your call to become your mentor and advisor whenever you need it.
[Zach McMahon] CISOs can’t be everywhere, so having a resource like IANS not only helps you develop and empower your own people, but it also lets you know that when you’re not there, your team’s tapping into some of the very best minds in the industry to drive the program forward. We’re doing over 5,000 of these Ask An Expert calls a year, so we’re very fortunate in that IANS doesn’t have to guess what the security community needs. When a new service or resource comes from IANS, it’s because someone asked us for it, we created it, and now the whole IANS community gets to benefit from it. So, it’s really the community that fuels itself from a content and resource generation perspective in a really unique way. And that’s really critical. I think we can agree there’s arguably no function that needs to be more judicious with their budget and resources than CISOs, and so IANS brings them a trusted partner who can help them pressure test strategy, get deep in the technical weeds, and then also provide truly vendor-agnostic guidance for the high stakes purchasing decisions that they’re forced to make, and that’s really hard to find elsewhere.
[Steve Prentice] For more information, visit IANSresearch.com.
What are they doing wrong?
[David Spark] Ron Craig of Kortext said, “Once you overwhelm, you fail.” Nick Sifniotis of Diamond Hand Software said, “Security doesn’t mean very much if you can’t engage the stakeholders.” And Edward Gardner of New England Safety Partners said, “Policies longer than a couple of pages get ignored.” Calling out your 70-page document, Laura, there on that one. Let me get this last quote here. Mark Gilman of Signify Health said, “If your workforce members don’t know who you are, what you do, what’s required of them, and how to engage your services, then you’re just doing security in a vacuum and will never build a security culture.” That kind of nails it on the head, Steve, and really sums up what you were just saying in the last segment. Yes?
[Steve Zalewski] Yes. And my quick talking point is lipstick on a pig, okay, is not a long-term way of getting your constituents to do the right thing. And too often, it’s lipstick on a pig.
[Laura Deaner] I’m not sure I can say it any better, Steve. You know I use “lipstick on a pig” constantly because I am so fortunate that I have an amazing group of security practitioners that work on my team.
[David Spark] Oh, I thought you were going to say you had a lot of lipstick and a lot of pigs.
[Laura Deaner] I have a lot of lipstick, but I don’t have any pigs, sorry. I live in Brooklyn. If I have a pig, we have another story we’re going to talk about here.
[David Spark] City of New York’s got an issue with you.
[Laura Deaner] Yeah. Chickens maybe but not pigs. But my team, their output is amazing. They have so much to say, obviously, and they have such great points. But if we are losing the audience or if they just can’t stand it when we’re coming at them, we’ve failed, I totally agree. We do the phishing simulations just like everybody else does them, but you know what we really want to do instead of catching them on the phish? We really want to incentivize them in embedding security culture into everything they’re doing. And so we hand out challenge coins. We have all kinds of ways that we participate in competitions where you get on the leaderboard. We feel that incentivizing instead of naming and shaming is a way better way to get people to feel excited about the output. And honestly, without a communications person, if we want to call it marketing or PR, doesn’t matter, but without that group of people to help make that really tangible, I don’t know how well it would be received if we just handed challenge coins to people. We need a marketing plan around that before people get excited about embedding it.
[David Spark] Speaking of the culture aspect, and my apologies for not remembering which guest said this, but they were talking about when they’re doing phishing tests, sometimes people will post in the Slack channel, go, “Hey, watch out, I got this,” and they didn’t know it was something, “I got this message from so-and-so. Watch out for this kind of message.” Not saying that it was a phishing test, just saying, “I got this weird message.” Now, that may screw up your test to see if each individual falls for the phish, but that’s part of the company solution. If one person reports it, warns everybody else, and everybody doesn’t fall for the phish, that’s still a good stat.
[Laura Deaner] Absolutely.
[David Spark] Does that stat ruin your measurement or no, you’re like, “That’s part of the solution”?
[Laura Deaner] Yeah, it’s interesting you bring that one up because I’ve had a debate on this. I don’t particularly like it when someone tips off someone else that it’s a simulation, to your point.
[David Spark] They didn’t say it was a simulation. I don’t think they knew it was a simulation.
[Laura Deaner] Exactly.
[David Spark] Just it was a phish.
[Laura Deaner] If they say, “Hey, this is weird, and I’m worried about it,” I think we’ve won. We’ve won the battle of embedding security into everything people are doing because they’re taking either the learnings or something that we’ve provided to them, that tangible chunk of information, and saying, “This looks suspicious.” That’s a good thing. I don’t think it’s bad for someone to report it in Slack, Teams, whatever they’re using, unless of course they’re saying, “Hey, watch out. We got a new phish. It’s a simulation. Don’t fall for it.” Right? Because then, yes, that definitely messes it up.
[David Spark] But isn’t that kind of the same thing though regardless, Steve?
[Steve Zalewski] I’m going to push back a little with Laura. Which was when I looked at Levi’s, and we had creatives. We did not have knowledge workers. We had people thinking about, “How do I sell jeans? What does fashion look like?” And our philosophy that we used to say was, “Look. If that’s your audience, then as long as they see the value in what you’re trying to do from a personal perspective, then whether they get together and game the system or not, it doesn’t make any difference because you’ve got everybody now on the same team.” And what I used to say is, “Look. What we wanted was not to be able to talk about phishing campaigns, not to be able to talk about the technical stuff.”
The challenge was we had moms, we had daughters, we had families that were doing design that they would then get their credentials stolen, their credit cards, their personal PII. And we used to say, “When that happens, call us. Call the Help Desk. Talk to any security person. We are here to help you put your life back together when something got stolen. And we don’t care whether it was personal or professional, we’re here for you.” And that became so when you did phishing campaigns, if they were talking to each other and saying there’s a phishing campaign coming, I’m like, “Awesome.” Because then everybody when they see it is sensitive to it. But the real key was, “Look. Eventually everybody is going to make a mistake. We’re your friends. As long as you pick up the phone and give us a call when you know you made a mistake, that’s all we care about.” And everything we’re doing is to get us to that point.
[David Spark] But isn’t that the whole point of the defense in that you really only need one to catch it for all? And if you have one, even if it’s a phishing test, that one person catches it for all, then that benefits everybody, right?
[Steve Zalewski] Yes. Because if one person sees it and reports it, the goal always for me was, “Look. Everybody is going to click. It’s inevitable. If I want to, I can get you to click.” So, what I want everybody to do is when they realize they made a mistake, let me know. And if you can prevent somebody from making a mistake by letting people know that there’s a campaign coming, well, that’s also helpful because everybody is now working as a family. Because today it may be a phishing campaign that I initiated, tomorrow it may be a legitimate campaign that is a real phish. And they are all talking to each other and telling each other, “Don’t click on this when it comes through.” I’m like, “That’s success.”
Why does this still happen?
[David Spark] Ram I. of Docr Australia said, “This should have been part of Security Awareness 101 a long time ago,” the “this” being essentially our whole discussion of having a marketing or communications person for security. “Marketing, or communications, combined with the right incentive would certainly drive change,” referring back to what you said, Laura, it’s all about the darn incentives. And the incentives can take many, many forms. I was with a group of security professionals in Newport Beach yesterday, and I brought up this whole subject, and wow, they just talked about the different incentives and how they’re fighting for them. And some of the incentives were for developers in finding bugs, stuff like that. But man, they threw out some really nice things out there, like giving away iPads and stuff, and people really fought for them. And you think, an iPad to find a critical bug, a few hundred bucks is totally worth it, right?
[Laura Deaner] Absolutely.
[David Spark] You’re nodding your head.
[Laura Deaner] Yes. It’s totally worth it. I think even making it as part of your goals, if you’re a developer, how many security bugs you’ve found, I think is totally appropriate. And making it a part of your compensation incentives. Why not? If you were able to close out a certain amount of security bugs as part of what you normally do as a developer, I think that’s a great incentive. We should all think about doing that in different aspects of the roles that make up an organization. So, developers, one, obviously. A sys admin who has maybe very high privilege on certain accounts, making sure that that person is checking in the password, checking it out, following all the rules. Those kinds of things should be embedded in every type of workforce plan that an employee is doing. And that’s really, in my opinion, how you’re going to change security culture to be embedded.
[Steve Zalewski] So, Laura, I’m going to ask you a question as a peer CISO here. Which was 10 years ago, even 5 years ago, security awareness training, we basically took the opinion that it’s new, everybody doesn’t know, we’re here to train you, we’re here to help you, we’re going to give you “get out of jail free” cards all the time. And I would say at this point, especially in the last three years, that security awareness training is now an expectation on everybody that works. If by now you’re not aware of cybersecurity and the issues, then kind of I’m like, “There’s an accountability component now.” Which is no, it is not “get out of jail free” card. There’s an expectation that there will be punitive consequences if we catch you wanting to be – what do you want to say? The weak link on purpose, you don’t want to step up, “Oh, I didn’t know. I’m sorry. Let me out of jail again.” And I’m curious for you which is where are you seeing that balance? Are you starting to look at accountability on people as opposed to simply giving them encouragement to do the right thing?
[Laura Deaner] Yeah. I love this question, Steve. Thank you. I’ve thought a lot about it, especially in the past two CISO jobs that I’ve had. Because I am a nice person and I like incentivizing, but unfortunately, I know how the world works because I’ve been on it long enough to know that sometimes people just simply need some kind of consequence. In one of the roles that I…
[David Spark] Carrot and stick. Sometimes it has to go to the stick.
[Laura Deaner] Sometimes it has to. It’s unfortunate but in one of the CISO roles I’ve had, I had a wonderful partnership with HR. We put in a great workflow where if there was a three-strike system, that’s fine, but three strikes and you’re out, unfortunately. But what was around that was just a lot of support and a lot of documentation, for the manager especially, to have the right conversations when the behavior was putting the entire company at risk. And so that’s the kind of language we had to wind up using, and of course, it would be different if you’re a global company because there’s different languages you should use in different parts of the world. But we had to do this in order to actually get people to take this that seriously. So, I totally agree with you, Steve. Yes, 10 years ago it was get out of jail free. No, it’s not like that anymore. You know why? Because the stakes are higher.
[David Spark] That is a good point to close on. The stakes are higher, a lot higher, and you just have to look at the news now, and you know that very issue. All right. We’ve come to the point, there’s a lot of good quotes in today’s episode, and I will start with you, Laura. Which quote was your favorite and why?
[Laura Deaner] I don’t want to pick one. All right. I’m going to go with my good friend Omar, so “Marketing talent can improve many areas of security program – reporting, user behavior, engagement with IT, onboarding process, budget asks, board communication.” I 100% agree with Mr. Omar. I use my marketing team for the same thing.
[David Spark] There’s a lot you can do with them, which is what he’s saying, and it seems a lot longer than the list he presented. Steve, your favorite quote and why?
[Steve Zalewski] So, I’m going to go with Ram, Docr from Australia, saying, “This should have been part of Security Awareness 101 a long time ago. Marketing combined with the right incentives would certainly drive change.” And I think it’s what we were talking about at the end, which was we need PR, but the reason why we need PR is not where we were 10 years ago, to get people to understand something new. It’s more about driving consequence at this point, to being part of the solution, and not just sit there and be able to complain or simply be part of the problem. And I think that’s the transition, that when we’re looking at PR, is PR not for PR’s sake but PR because we are now wanting to institute more consequence into the expectation of an individual. So, what’s in it for me is now, “Well, how does it make my job easier? How does it make my bonus? And it allows me to keep my job.”
[David Spark] Well, we’ve come to the end of the show. Thank you so much, Laura. I’m going to let you have the very last word here, but first, I want to mention a huge thanks to our brand-new sponsor IANS Research. Check them out. Check out what their latest research is and check out to see what surveys they’re doing right now; you could participate in something. So, go check out their site and participate in research and learn more about their education as well at IANSresearch.com. Steve, any last thoughts on today’s conversation?
[Steve Zalewski] I want to thank the audience for their responses here because I think this is another one of those inflection points that we talk about here on Defense in Depth. Which is we’re reaching an inflection point on the value of PR and around control friction in our responsibility as security practitioners. But more interestingly, the responsibilities we’re now having to place on our constituents, and the fact that those consequences have now got to be [Inaudible 00:28:43] if we’re really going to take it to the next level.
[David Spark] All right, good. Laura, I’m going to assume you’re hiring. Are you hiring?
[Laura Deaner] I am.
[David Spark] Everyone’s hiring.
[Laura Deaner] Have you met a CISO that isn’t hiring? I’m just curious.
[David Spark] It happens every so often and it’s usually much, much smaller organizations, nothing of the size of your organization. But yeah, pretty much everybody’s hiring. But I ask this question to just reaffirm to our audience who many of them are looking for new jobs, looking for their first job, that there are opportunities out there. And it wouldn’t hurt to say, “I heard you on Defense in Depth,” right, Laura?
[Laura Deaner] That’s right. Absolutely. Bonus points for sure on the interview process.
[David Spark] Definitely bonus points, for sure. Stroking people’s ego always helps, it always does. I’m assuming you have a job board on your site.
[Laura Deaner] Yes, we do, we do. It’s a careers part of our main website, northwesternmutual.com. Plenty of things to see there. If you don’t want to be in security, we still have lots of hiring.
[David Spark] Why you wouldn’t I don’t know. Any last thoughts?
[Laura Deaner] Yeah. My first and foremost – thank you so much for having me on, this has been so much fun.
[David Spark] You were great.
[Laura Deaner] I feel like I’m amongst friends, so the camaraderie is much appreciated. Thank you, Steve. This is great. Always love talking to other CISOs, loved your insights, really appreciate it. Thank you, David, for having me on and it’s great meeting everyone. I think my last point is just whether you hire someone or you yourself become the chief marketing officer because you’re also a CISO, what’s really important is practicing empathy. A lot of us CISOs have technology backgrounds, I learned this the hard way, I have lots of scars to show, but empathy is so important. What is the point of the relationship you have, what are those stakeholders you really have to influence, what are they scared of even, right? They may even say like, “I really want to ask you about my personal security, and I’m too afraid to ask you.” You can have such a great win just making that connection with them. So, practice empathy, think about how they feel, and think about how you can tailor your communications that way.
[Steve Zalewski] Hear, hear. Well said.
[David Spark] Excellent point. A nice wrap up right there. Laura Deaner who is the CISO over at Northwestern Mutual. We have a link to her LinkedIn profile if you want to reach out to her and tell her how awesome she was on the show, I recommend it. That would be the way to butter her up when you go to apply for a job at Northwestern Mutual. Thank you, audience, we always greatly appreciate your contributions. If you see an amazing discussion that’s happening online, let us know about it, we would love to turn it into an episode. So, as always, thanks for your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.