How Should We Discuss Cyber With the C-Suite?

How Should We Discuss Cyber with the C-Suite? - Defense in Depth

How detailed do we get in our conversation with business leaders? Do we dumb it down? Or is that a recipe for trouble?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our guest Lee Parrish (@leeparrish), CISO, Newell Brands.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Qualys

Qualys
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

Full transcript

[David Spark] How detailed do we get in our conversation with business leaders? Do we dumb it down, or is that a recipe for trouble?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you all know him, it’s Geoff Belknap. He’s the CISO of LinkedIn. Geoff?

[Geoff Belknap] David?

[David Spark] That’s Geoff’s voice.

[Geoff Belknap] Yes, this is me.

[David Spark] Everybody. [Laughs]

[Geoff Belknap] Thank you. Thanks, everybody, for listening. Here I am. Let’s go.

[David Spark] There will be more interesting things Geoff will say later in the show. But let me first mention our sponsor. It’s Qualys. Qualys. Many of our listeners are very familiar with Qualys. We’ll be hearing more from them a little bit later in the show. But I want to talk about our topic today, and I want to read a quote here. “Dumbing down briefings for senior leaders is part of the problem. We can no longer afford tech illiterate leadership,” began the rant of Ryan Moser, who is the chief of intelligence technology at the US Department of Defense. He wrote this on LinkedIn. Geoff, this is our conversation today: at what level do we speak to business leaders? You don’t want to speak to senior leaders like you do to your own team, and you also don’t want to paint with too broad a stroke. So, at what level do we need them to be cyber savvy and to communicate with us?

[Geoff Belknap] I think… Now, I think it’s really important before we go any further to sort of separate out… I think there’s a broad generalization here that Ryan makes that might be a little more appropriate to break up between sort of commercial organizations and government organizations. I would 100% agree that some of our senior leaders in government, whether that be military or civilian side, could use a little bit of refreshing in their technology or their technical skillsets.

[David Spark] You’re being extraordinarily polite in the way you’re describing this.

[Geoff Belknap] I’m trying to land the message without it being… I think people will still be upset by this but bear with me. On the commercial side, I find most senior leaders and board members are plenty tech literate for what we need. What we are really missing in my opinion is tech leaders who are business savvy and know how to land a technical message in terms that business leaders can understand and make decisions upon. I think this is a great thing to dive into with our guest and today for Defense in Depth. Let’s do it.

[David Spark] Yes. And by the way, what you just said is something we discuss a lot on this show. I will say that many of these quotes lean in the other direction, but we’re going to address both issues because they’re both equally important here. The guest we are bringing on this show is someone we’ve had on this show before. We’ve had him on the CISO Series Podcast before. He hasn’t been on for a while, and that is my error. It’s being solved right now, Geoff.

[Geoff Belknap] [Laughs] Good. Welcome.

[David Spark] He was previously a CISO at another company, but now the CISO over at Newell Brands. It is Lee Parrish. Lee, thank you so much for joining us.

[Lee Parrish] It’s great to be here again. Thanks for having me.

How do we make this everyone’s concern?

3:15.291

[David Spark] Jonathan Waldrop of Insight Global said, “Executive briefings don’t need technical details. They need high level strategy. While details are important, the executive team expects the CISO/security leadership to understand the details and imply that understanding to solve the business problem at hand.” All right, Geoff, I’m going to start with you. If you or some other counterpart who speaks very well to the business, speaks at their level, is doing that, what is your expectation of the business? And you said that many are pretty cyber savvy. I don’t know to what level you’re referring to. So, what level are we talking about here?

[Geoff Belknap] I think most board members and senior executives understand that cyber security is a thing. They understand the risks – that there could be legislative, regulatory, commercial, customer down sides. And they vaguely understand that, look, ransomware is a thing. Hacking, phishing, SMS, 2FA. They have heard many of these things. Do they understand the technical depth behind them and the nuance? Absolutely not. Do they need to? Also absolutely not. What they need… And I think Jonathan is exactly right from my perspective, is for you, the security leader, to add value to their thinking by presenting them with some strategic options based on what you and your very technical team have determined and come up with. I think that’s… When I say we need a little more executive business knowledge in tech leadership, this is what I mean. If you cannot communicate the technical strategy decisions that you need from your executive leaders in simple terms that relate to those business decisions that they need to make, you need to work on that. That is an area that you need to spend some time on. It is not the other way around.

[David Spark] All right, I’m assuming Lee agrees wholeheartedly, especially with your very last statement there. I’m interested to know from you, Lee, what is the expectation you have when you talk to your business leadership.

[Lee Parrish] Yeah, I agree with Jonathan as well as Geoff that executive briefings, they don’t require technical details. Perhaps sometimes to Geoff’s point… The CISOs may feel like there’s a lack of interest in the details by senior leaders, and that equates to a lack of interest in the topic. It’s not that way. I’ve worked with…

[David Spark] Clarify that. Clarify how you can know that they’re interested in the topic but not the details.

[Lee Parrish] Well, giving you time to brief them is one thing. But I’ve seen a lot of enthusiasm over the last few years on the topic, so it isn’t a lack of interest in cyber security. I think it’s just, look, they have so many things…these executives have so many things they’re responsible for. They’re coordinating quarterly disclosures, earnings, acquisitions, divestitures, financials, compliance, pricing, marketing, legal issues, strategy. It goes on and on. Cyber is just one more important part of their responsibilities. So, in this vein, succinct business aligned briefings can be effective for this audience.

[David Spark] But the one thing I’m just trying to get from both of you is… And I’m just sort of trying to understand if there’s a way to quantify it or way to describe it is what is that sort of understanding of cyber security. I know they’re concerned about it, but to what level do they understand it? Geoff, Lee?

[Geoff Belknap] In my experience, especially if you’re working in tech or a very tech centric business where you’re selling over the internet or the internet connectivity is a generous part of your revenue, people understand the basics. And certainly they’re going to look to you to educate them about anything they need to be aware of. But I think anyone that’s in my position that’s finding themselves educating somebody about some new technology, it is incumbent upon you to bring that at the right level. You need to be able to explain it in simple terms, but you don’t need to dumb it down. You need to say…you don’t need to explain exactly how ransomware works. You need to explain this is a variant of malware that can disrupt our business in a variety of different ways. That is a simple way to express what malware is to the business. If you spend time trying to explain to people how droppers work, and the encryption works, and keys, and encryption, and all these other components, you are losing them. And worse than that… I think Lee makes this point…

[David Spark] But there’s a level of describing how ransomware travels that they should know about. Yes, Lee?

[Lee Parrish] I think it’s dependent upon the business. So, making it unique to the business. Security is personal. We want to make it personal for everybody involved. And so if we can equate it to maybe not how ransomware traverses and things like that but maybe if it was to be dropped on this particular part of the business, how could it have lateral movement across other areas of the business. So, the key that I use there is just because you have strong cyber security controls across your organization but you got that one, little window where there’s opportunities to enhance it, that’s where the adversary will come in. And they’ll do lateral movement. So, that’s the kind of discussions I have. Not so much, “This is how it moves,” and things like that. Just specifics on the impact.

[David Spark] So, just to clarify, the idea being, “Hey, we need to make sure the people in finance and accounting are more hardened, that are trained,” things like that?

[Geoff Belknap] We need to have a plan. I think that’s the discussion we need to have.

What are they looking for?

8:43.977

[David Spark] Paul Weizer of USSOCOM said, “Many executive decision makers are not technical, and the cost to transfer that knowledge becomes too great. I believe trust in your workforce with periodic status updates will go further than making everyone in the C-suite a software engineer or data scientist.” I think there’s probably wholehearted agreement here. And this goes back to my earlier question – I think there’s a middle ground to knowing that cyber security is an important thing and being a data scientist and software engineer. What do you think that middle ground is, Lee?

[Lee Parrish] Yeah, there’s a few levels in between those. I think the key for me in Paul’s post is his idea of periodic updates. I can’t… He’s correct. I can’t even describe how important that is. CISO briefings, they should build off of one another. They’re sequential. They’re constantly layering more and more onto what has been presented in the past. Each briefing is just one chapter in a very large book. He mentions a little bit about trust in his post, and that’s important as well. Senior leaders take time in hiring the right CISO, and in many cases the board is involved. Be it through building the criteria or actually being part of the interview process, along with other stakeholders. You covered this in a previous episode of Defense in Depth. The hiring process does take time for this important role to help ensure that trust. I’ll end with saying look at other large organizations. For example, a professional football team. There is a head coach, but there’s also an offensive coordinator, a defensive coordinator, a special teams coach, a quarterback coach. The head coach can’t do it all. He or she trusts those other coaches to provide competent input from their areas. The same holds true for corporate executives. There has to be trust.

[David Spark] Geoff, I think this sort of trust dynamic is what’s key. It’s not just cyber security that business leaders need to understand. They need to understand finance. They need to understand the accounting issues. They need to understand human resources. So, you’re just one of multiple departments not only of risk they need to deal with but also just understand that universe as well. So, being sort of considerate to that is key I would assume.

[Geoff Belknap] Absolutely. I think security leaders more than ever need to remember that they are business leaders first and security leaders second. You are the security part of the business team, and you need to understand all those things. Like you said, finance and other parts of the business, and how they work. And you need to understand how to relate what you and your team do for the business to the other business leaders.

Sponsor – Qualys

11:26.768

[Steve Prentice] Qualys is something of a veteran in the vulnerability management business, having served its clients for almost 20 years. Scott Clinton, vice president of marketing at Qualys, says this length of experience has allowed his team to develop more comprehensive solutions both overall and specific.

[Scott Clinton] One of the big issues we have seen as far as expanding our overall approach to the market is the ability to not just address your internal risk but also your external risk. Often there are individual solutions historically that address each of those. But together, it gives you a true view of your risk. Otherwise you have to spend a lot of resource and overhead trying to integrate that data. And so it really doesn’t end up helping your organization at the end of the day.

[Steve Prentice] It’s not only about the technology. It’s also about helping address the skills gap by automating as much of the process as you can, using rich data to help address many of the repeatable tasks and by developing and delivering a fully integrated solution.

[Scott Clinton] The other piece that is important is how we’re really addressing the key needs of the CISOs, which are around bridging the gap between security teams and IT ops teams in a way that each can operate in their existing models and existing workloads, so it’s not disruptive, it’s additive. Those are important points that a lot of CIOs struggle with in trying to address today.

[Steve Prentice] For more information visit qualys.com. That’s qualys.com.

Where are we falling short?

13:01.708

[David Spark] Shari Gribbin of CNK Solutions said, “Leadership ordering single slide bullet briefings upon which to make critical decisions without being able to challenge what went into it is a major reason so many things are falling apart.” And Paul Weizer of USSOCOM said, “Using simple to understand analogies makes for a more pleasant exchange but ultimately undercuts the complexities of many development efforts, leading to unrealistic expectations.” And Bull Holland of BMNT said, “The idea that a person who needs it explained to them simply should be making the investment decisions about it is insane. Clearly, yes. Concisely, absolutely. Simple is for students.” All right, this is kind of the meat of the discussion I want to have with both of you. I’ll start with you, Geoff. Where is the line between “This is too simple” and “This is the necessary conversation”? And the more examples you can provide the better. What do you think, Geoff?

[Geoff Belknap] I think that this is a great topic because… And I think Lee was referencing… You and Lee were talking about this before. There are a bunch of levels in between data scientist and CEO in terms of technical understanding you need to have. When it gets to the executive committee or to your board, you do need to be presenting a simple set of options that they need to choose from. For most things. But before you get there, in between there, between…whether you’re directly reporting to the CEO or not, you need to be having a group discussion with the details so that nuance is not lost about these decisions. I think a great example is if I go back to ransomware, you cannot present an option to a board or an executive team that is, “Should we prevent ransomware or not? And should we invest in preventing ransomware or not?” It is not that simple. There are so many things that you do as a security team today that work at reducing your exposure to ransomware, and you need to have a discussion about which of those things is worth investing in, what things you’re already doing, so that you’re not oversimplifying the discussion. I think Albert Einstein once made a quote that goes something like, “Everything should be broken down into the simplest terms possible and no simpler.” And I think that’s really important. It’s like you can simplify some things down to very simple terms, but there is a line where you go beyond it and you lose all the context. I think we as technology leaders need to be really aware of where that boundary is.

[David Spark] Yes, because you could actually get to the point of condescending actually.

[Geoff Belknap] I think it’s condescending. And then you’re just missing the real important context of the decisions that you’re making if you bring it to too high an altitude.

[David Spark] All right, so, Lee, I’m looking for that sweet spot of conversation. Again, any examples you can provide of how you’re communicating that is high enough but not too low.

[Lee Parrish] Yeah, I think to Bull’s comment, I think it’s natural that our audiences are going to have varying levels of competency when it comes to cyber security. That’s never going to go away. My undergraduate degree is in philosophy, and I had an interest in ethics. One of the disciplines within ethics is called communicative ethics. It’s not the same as effective communication. Instead it deals with the ethics of communication or our duty as a communicator and a listener. It goes beyond the obvious of being truthful, and not interrupting, and respecting confidentiality. It clearly states that there is an originator and a recipient. And the responsibility for clear and understandable messages rests with the originator. So, in this case it would be the CISO. You have to know your audience in order to communicate to them in a way that he or she will best understand it. The duty lies squarely upon us, not the senior executive. So, the goal is to help them understand so that proper decisions can be made. One of the things that I do is if I know I’m going to give a strategy presentation to the corporate executive board or corporate executive team, I will do several variations of that strategy presentation. And I’ll go to the chief HR officer separately, and I’ll cover all of the labor aspects of the strategy in more detail. I’ll say what roles are important to the security program, where do we have gaps, things like that. Then I’ll go to the CFO, and I’ll talk about the finances – what can we capitalize, what is op ex, when will each initiative hit. Then I’ll go to the CIO, and we’ll talk about the technical components of the strategy. So, in doing this, whenever I get to the executive session and I’m doing the presentation with the CEO and all of his or her direct reports, there’s a bunch of head nodding from the direct reports. They’re saying, “Yeah, Lee shared this with me. I’ve seen it. I’m good with it.” And it makes the decision process easy for the CEO. That’s what we’re trying to do: be ethical and make it easy for the listener to understand what it is that we’re trying to accomplish.

[David Spark] No surprises is always…

[Lee Parrish] No surprises.

[David Spark] That’s the key. I like it. You really detailed out what we’ve said many times on the shows is that the CISO has to be kind of the great translator. Yes, Geoff?

[Geoff Belknap] It really does. I think it’s a role that… And I think Lee put this really well, but I’m going to paraphrase what you said here in that you as the CISO, as the technology leader, need to make sure that you are communicating in terms that can be understood. It is not incumbent on the receiver of your message to get smarter to understand what you’re saying.

Whose issue is this?

18:36.416

[David Spark] Dwayne Gran of Converge Technology Solutions said, “When we say it depends, we are speaking from the same page of complexity and nuance with the finance team. As a security leader, I’ll take two steps forward the business case for security, but I need them to take one step toward me.” Ivan Konermann of Wingspan Performance said, “Since almost no business operates without technology, it’s essential senior leaders know more. Too often lots of technical jargon is shared without a clear connection to what’s important to the business. Both parties usually have growing to do.” And lastly, Christine Kleiber of the US Department of Defense said, “We cannot make data driven decisions if we don’t have digital fluency. We cannot outsource our technology competence.” I want to start with that last quote and the line of digital fluency. I think that’s really what I’m looking for here, Geoff, is it’s not about cyber security. It’s just they need to understand that when your information is digitized, these are the ways it becomes vulnerable. Yes?

[Geoff Belknap] Yes. And I’ll call back to what I said at the top of the show, which is, Christine, I feel for you. I agree. On the government side, we absolutely need to steer the conversation to a little more digital fluency and a little less printing out everyone’s emails so that they can read them like they might read any other briefing. In other sectors, I do think there’s a little less digital fluency or technology that needs to be learned. I think Ivan’s quote here gets much closer to the heart of where I’m coming from, which is: when your business relies on technology because that technology is essential and strategic to that business’ objectives, you should absolutely expect your executives to understand that technology at a much deeper level. Maybe something matching yours as the CISO when it comes to how to secure that technology. If your business is a, I don’t know, shipping company, I don’t expect that all the executives understand all the detailed security technology you’re using because technology might not be the strategic asset to that business that something else might be, and that’s okay. It’s all about adjusting your conversation to the level you’re communicating at. But I do think Dwayne has got a point here. When you’re talking to a different part of the business, they do need to meet you at least part way. They don’t have to understand what an XDR is versus EDR, but they have to understand that you need some kind of detective tooling to prevent security incidents from getting out of control.

[David Spark] Good point, and way to reference all those quotes there.

[Geoff Belknap] Boom.

[David Spark] Lee, I’m going back to this concept of digital fluency. I really like that phrase right there of…because it doesn’t demand your knowledge of cyber security, but it demands you understanding that all businesses are now a software business or in technology of some sort even if you’re a shipping company because we’re all using computers.

[Lee Parrish] Correct. Yeah, I think it is critical that we need more of this digital fluency and particularly at the board level. I do believe it will evolve. We saw the same thing in 2002 in the wake of the accounting scandals like Enron and others. The New York Stock Exchange said that members of audit committees should be independent and financially literate. Believe it or not, financial literacy among some board members back then was indeed an issue, and we’re seeing that now in cyber. So, there have been proposed SEC rules which would require disclosure of whether any board members have cyber security expertise, and it also explains the criteria for what is considered expertise. So, I believe we’ll see more cyber fluency at the board level in the future, and some companies have already embraced this idea. I think Dwayne makes a good point about taking two steps forward towards the business case.

[David Spark] And having them meet you part way there.

[Lee Parrish] Yeah. And Geoff mentioned earlier a couple times… I believe our industry has been talking about CISOs having a seat at the table with other executives, and I believe we’re well past the point where we need to move beyond just a mere rallying cry and spend more time on discussing how we get a seat at the table. Some will say it’s improved, which it has. But it’s my belief that that’s mostly because of external factors such as regulatory pressures and the onslaught of breaches, which actually forced us to be at the table. It’s true that some companies have invited their CISO into their inner circle on their own, but I feel our industry has a lot more work to do in the areas of understanding finance, accounting, marketing, all those things that Geoff mentioned earlier, to be considered a true peer executive. Without the external factors, I would go as far as to say that I really think the CISO role would still be vacant from the boardroom. So, yes, we should keep stepping towards the business side. The more that we do that effectively will draw them in, and they’ll start stepping toward us. We’ll draw them in rather than being pushed in.

Closing

23:42.657

[David Spark] Very good. And that’s where we’re going to wrap up this show. Now we come to the portion of the show where I ask you, Lee, and Geoff, which quote was your favorite. And a lot of choice ones here, I must say. Lee, I’ll start with you. Which quote was your favorite, and why?

[Lee Parrish] I really liked Ivan’s thoughts that both parties have growing to do. Communication involves two or more people, each with a responsibility to the other. And his recognizing that it isn’t solely an issue for the recipient is how I believe we’re going to move forward and make progress on delivering effective briefings. So, really good job from Ivan on that one.

[David Spark] Very good. And Geoff, your favorite quote.

[Geoff Belknap] Yeah, a lot of good meat here. I really like Ivan’s quote. I’m going to go with Paul’s earliest quote here, that many executive decision makers are not technical, and the cost to transfer that knowledge becomes too great. You’ve got to trust your workforce, and you’ve got to give them periodic updates. And that’s going to go further than making everyone in the C-suite an engineer. I think that’s true. Many times it is our job as security leaders to educate executives about what metrics they should be asking for and what regular updates we plan to give them so that they can become more informed over time.

[David Spark] Have either of you actually had a C-level executive just really, really jazzed about cyber security, and they start asking you tons and tons of questions because they do want to get in the weeds?

[Geoff Belknap] I think where tons and tons is relative, absolutely. I’ve had people want to know more and want to dig in. Honestly I think my current general counsel and my previous general counsel were two people that I wouldn’t have expected to want to get into the weeds on things more and were always interested to talk more about it.

[Lee Parrish] I had an interview with a board of directors…the chairman of the audit company. And in that meeting, we talked for three and a half hours. He was so engaged on cyber security and wanted to dive really into the weeds. Now, I understand that that’s rare, but it does occur. There are people out there that really want to know more.

[Geoff Belknap] Either way, nothing attracts amazing technical talent, somebody like Lee Parrish, to your organization like having a board member that’s that engaged in the topic.

[David Spark] That is a good, good point. Well, that comes to the very end of our show. Thank you very much, Lee. Thank you very much, Geoff. As you know, Lee, we always ask at the end of the show are you hiring, so make sure you have an answer to that question. Again, I want to thank our sponsor, Qualys. Qualys, if you didn’t already know how to spell them. It is kind of a tough one, but they’re very well known in the industry. Check them out at qualys.com. Thank you so much, Qualys, for your support. They’ve actually done a lot of stuff in the DevSecOps area, whether you like that term or not. You have DevOps. You got to be interested in that as well. So, thank you. Geoff is always hiring, I will say for him. And if you’re not going to get a job at LinkedIn, there’s plenty of jobs to be had that can be found on LinkedIn. Anything else to add, Geoff?

[Geoff Belknap] No. Well, I’ll say the thing I usually say, which is hey, many of your accounts including LinkedIn.com have 2FA enabled for free. If you haven’t turned it on yet, take a minute and go do that.

[David Spark] I have 2FA turned on.

[Geoff Belknap] Good man.

[David Spark] Lee, are you hiring?

[Lee Parrish] I am, yes. We have several roles across multiple domains within cyber security that are currently open at Newell.

[David Spark] Well, we will tell our audience go check them out. And please mention that you heard us on this show. And who knows, Lee may very well respond to that. Or put it in the bin. No, people say that when they say they hear it on the show, they speak very highly… Anyways. Anything else to add on this topic or your company or anything else? Why they would want to work with you?

[Lee Parrish] Yeah, it’s a fantastic company, great culture. Everybody is really, really friendly. My last word I guess is for the audience, and that is keep posting, keep debating, keep sharing. That’s the only way that we’re going to advance the cyber security industry and the role of CISOs. So, keep it going.

[Geoff Belknap] And keep listening to Defense in Depth.

[Lee Parrish] That’s right.

[David Spark] Aw, you stole my line there, Geoff.

[Geoff Belknap] Boom! I’m all over the place today, David. You can’t keep me contained.

[David Spark] Hey, audience, we greatly appreciate your participation, and we appreciate you also listening to, as Geoff said, Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.