Security vendors want to engage with CISOs. Yet many choose tactics that seem blatantly insulting. It might seem obvious that asking a CISO if they care about security does nothing to ingratiate yourself, but we still have inboxes full of these types of messages. So what can a vendor do that will actually make a CISO want to respond to a message?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is our special guest, Jeff Hudesman, CISO, Pinwheel.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Balbix
[Voiceover] Best advice for a CISO. Go!
[Jeff Hudesman] So, we all know how important it is to build strong relationships with departmental leadership as well as key ICs as a CISO, but there are also some other things that are really important as a CISO. You want to create a company culture of security, get endorsement and buy-in, and it’ll also help with interdepartmental incident response.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series. And joining me as my co-host, it’s Andy Ellis, he’s the operating partner for YL Ventures. Andy, say hello to the nice audience.
[Andy Ellis] [Foreign Language 00:00:46].
[David Spark] Andy and I were both in Israel recently, but once again… We were also both in Denver. We missed each other in Denver literally by a day, and we missed each other in Tel Aviv, literally by a day.
[Andy Ellis] So, where are we going to miss each other again next?
[David Spark] Oh! We are going to be, actually – we’re recording this before Black Hat – but we’re both going to Black Hat. I hope to see you at Black Hat, Andy.
[Andy Ellis] I hope so and I will be there for, I think, Monday to Friday, so there’s a good chance it’ll happen.
[David Spark] Yes, okay, so we will see each other. All right. I do want to mention our sponsor before we jump into that. Our sponsor is Balbix – automate your cybersecurity posture. Very cool stuff they’re doing. More about that later in the show. All right. Now, we are releasing this episode after Black Hat, we’re recording it beforehand, and you’re doing a whole talk about inclusion, and I just want to tell you a quick story that I had at BSides Las Vegas, a number of years back.
I was there recording one of my Man on the Street videos, and there were a bunch of guys that were in their kind of own little insular world, and they were saying, “Oh! Oh! You know what you should do? You should shoot a video of this and just say so-and-so and that.” And it’s obviously completely an inside joke and I have no idea what they’re talking about.
And they go, “No, just do it, seriously, just do it,” and I go, “I don’t know what you’re talking about.” And they go, “No, it’ll be funny,” and I go, “No, it won’t be funny.” It’s what you’re talking about. And this right here… And they were, by the way, laughing, thinking they were the bee’s knees and everything, and I go, “This is a perfect example of how people want to stay away from you when you do exactly this, and this is something I do not want to support and promote.
If you want to have inside jokes, that’s great. But if you want to force it upon others, you are going to alienate them.” You’ve seen this, yes?
[Andy Ellis] Oh, absolutely. Although I wonder if in that space, I would have been like, “Sure, I’ll record this,” then as soon as they walked away, press the Delete button on the recording.
[David Spark] By the way, I have people who do this, “Oh, can I mention one more thing?” I’m like, “Yeah, tape is cheap,” or actually there’s no tape anymore. Digital. I’m not going to use any of this but just to make you feel better I’ll hit the Record button. Yes. I’ve done that before. But yes, so I mean, this is a major problem I see with security professionals is it’s a strong way to alienate people, and I must say BSides is a very intimidating event to go to.
[Andy Ellis] Yeah. So, I think all security events can be intimidating. I think BSides Las Vegas is I think the original one, but this is my first time going to Black Hat at all.
[David Spark] Which I am shocked by, by the way. [Laughter]
[Andy Ellis] Right. And everybody is. But in the ’90s when I was in the Air Force we sent one of our lieutenants to Black Hat to learn and it was an awful experience for him. It was a very unwelcoming environment, he had people following him around going, “Fed! Fed! Fed!”
[David Spark] That’s not good.
[Andy Ellis] Not good and then everything I always heard about it there, The Wall of Sheep.
[David Spark] Oh, yes.
[Andy Ellis] There was this thing. But I had a good friend who’s putting together a panel of diversity micro talks, asked me to come speak about inclusion. I do have a lot of friends that go. So at the very worst I’ll give my talk and I’ll then go hang out with a bunch of friends.
[David Spark] That’s cool. By the way, I have to bring my book where you can finally sign it.
[Andy Ellis] Yes. Absolutely.
[David Spark] Let me ask you a question. How many times do you sign a book and the person’s already read it?
[Andy Ellis] Oh, you mean they bring me the book that they have read for me to sign? Oh, so far that’s very rare.
[David Spark] So, I’m going to be one of those few cases.
[Andy Ellis] You’ll be one of those few cases. I’ve got a couple folks who actually I ran into this weekend at a family event who were like, “Oh, I should have brought my book over.” It was raining, I’m glad they didn’t bring their book over, but they were making plans for me to come up and sign the book they already have and have read.
[David Spark] All right. Well, for those of you who don’t know, Andy wrote a book called 1% Leadership that is fantastic. And if you actually go to Amazon, you can see my video review of it too as well.
[Andy Ellis] It’s a great review.
[David Spark] I’m glad you like it. I hope it sold a few books. Now let’s get to our guest at hand. We had our following guest on when he was the CISO for another company, and now he is the CISO of Pinwheel. It is Jeff Hudesman. Jeff, thank you so much for joining us.
[Jeff Hudesman] Thank you so much for having me.
It comes down to the basics
[David Spark] Rachel Rocha of SAIC explained in a LinkedIn post, “Hardening is the process of securing a system by minimizing its attack surface, and an attack surface is the number of all possible points or attack vectors where an unauthorized user can access a system and extract data.” A really simple and good explanation that will help anyone develop a plan.
So she laid out some good fundamentals to hardening such as default passwords, unpatched software, lack of privileged access controls, poor configuration everywhere, lack of encryption. There are tools to deal with all these issues, yet these issues come up again and again. Andy, do you think organizations are still struggling with hardening their environments and if so, why?
What’s happening that it continues to be a struggle even though the playbook is rather straightforward?
[Andy Ellis] So, I think there’s a number of things, and I’m actually going to start with the definitions that were used here, [Inaudible 00:06:12] the confusion we cause. When we talk about attack surface, we’re talking about the points of entry. When we talk about hardening, we’re talking about all of the steps from the points of entry all the way along an attack path to crown jewels.
So, it’s not as simple as just saying, “Oh, just put up some good walls and make sure those are taken care of.” You sort of have to do a little bit of everything. And one challenge is, unlike the building code in which you can say, “Look, we kind of know all buildings are boxes stacked on top of boxes, and have been for a long time, don’t deviate from that because every time you do, bad things happen,” every computer application is basically re-architected from scratch.
We get a new generation, here’s a new language, here’s a new deployment environment.
And what sometimes is happening, especially in the cloud world where there’s no longer bureaucracy to slow down the deployment of applications, that bureaucracy had a silver lining. It wasn’t there by design, but it meant that it was easier to fix things because you might catch them before they went out.
And now what’s happening is anybody can just go in, click and say, “Hey, [Inaudible 00:07:21] Kubernetes container, I just want to have it running this tiny web server inside it,” and you don’t realize all of the things that normally get added around a web server to make it safe. And so we are sprawling faster than we are cleaning.
[David Spark] Ah. So, the hardening issue is it’s getting ahead of us. Jeff, do you believe that is the issue of why this becomes such a troublesome issue?
[Jeff Hudesman] Yeah. I mean, this kind of stuff should be very basic. I mean, these are very, very fundamental things to security, but just getting folks to do them. I mean, there’s a lot of automation where you can… I mean, the aforementioned tools that exist to be able to keep this stuff robust and strong.
But that’s not going to cover everything, so it really comes down to that information security, like multipronged, several tiers of defense as in awareness and ensuring the folks, like, they know that there needs to be approval processes and they’re working with the security teams. I mean, all of that is important because you have things like shadow IT.
Especially at startups, I mean, I’m currently at a startup, and smaller companies that don’t have what these banks have, 500 security professionals. Which are still making these mistakes, by the way.
[David Spark] Now, you’re at a startup. Are you completely cloud based? Do you have any servers at all or are you fully cloud based, your company?
[Jeff Hudesman] We are fully cloud based.
[David Spark] Yeah. So, this, I got to assume, something like this has to be disseminated down to all the people who are spinning up services that they need to essentially do all these things. Like don’t use default passwords and don’t leave out hard-coded passwords. All the stuff that’s listed in this.
Is that information disseminated to everyone so you don’t have the sprawl situation like Andy described?
[Jeff Hudesman] Yeah, absolutely. We have hardening standards; we have technical controls to ensure that things can’t go through as they shouldn’t.
[David Spark] So, it’s a combination of you have the controls in place and people are being educated. Are people sort of adhering to standards, do you find, or they always need refreshers?
[Jeff Hudesman] I think refreshers are definitely important. I mean, as a startup, we have a Slack. I’m very happy that our folks, we know that the core of our business is security. Again, the banks are our biggest customers, so if they don’t trust us then they’re not going to do business with us. So, I’m very fortunate that our engineers will come to me and say, “Jeff, I’m not really sure.
We’re working on a new project. This doesn’t sound right. What do you think the best way forward is?” So, those types of questions I really value because they’re just so important. If someone doesn’t know the right answer, they’re going to be coming to us and find it out.
[David Spark] It’s critical to your brand.
[Jeff Hudesman] 100%.
What’s a great approach from a security vendor?
[David Spark] Many security vendors listen to this show trying to learn how to engage with CISOs. Former guest of this show Fredrick Lee, AKA Flee, who is the CISO of Gusto, provided a really nice list of do’s and don’ts, and I want to highlight a few we don’t normally talk about on this show. He had a lot of big ones we discuss, but these are ones we’ve mentioned maybe a few times but not a lot.
For the don’ts, he said don’t start an email with, “If you care about…” Oy, that’s an insulting one [Laughter] I should say. Also he said don’t disclose existing customers without consent. If you tell me “confidentially” that a customer is using your product, then you’ll probably start sharing confidential data about me as well, should we be a customer.
Now, for do’s, this is what I liked. Understand if your CISO is technical and be prepared for technical conversation. Also be upfront early about pricing. They don’t require exact but they do need to know ballparks. And lastly, tell me about competing products and your solutions’ pros and cons. That’s super important as well.
So, we’ve touched upon some of these in the past, but not a lot. I’ll start with you, Andy, again. What are deep cut do’s and don’ts in cyber sales that are not common big ones, such as don’t sell FUD and do get an introduction from a CISO peer?
[Andy Ellis] So, I have to say I love Fredrick’s or Flee’s entire list.
[David Spark] Yes.
[Andy Ellis] And if you’re in sales and you’re listening to this…
[David Spark] We’ll be linked to this, by the way.
[Andy Ellis] Yeah. Go chase this one down because it is fantastic and I had to think hard about what could I add on top of this. And I think the simplest, and I’ll give you both a don’t and a do, the don’t is don’t rely on your Salesloft sequences. If your Salesloft sequence is, like, send a message and then two days later reply to your message because you haven’t yet heard anything, and then two days later reply to that message, you are harming your brand.
[David Spark] That’s a really good point. That’s a super good point.
[Andy Ellis] Remember – if you get to 3% success rate on your cold calls, you’re excited from a sales perspective, but that means that 97% are failures and are all marketing opportunities and if you market yourself badly, that shows up.
[David Spark] Yeah. It damages the brand.
[Andy Ellis] Right.
[David Spark] Yeah.
[Andy Ellis] From a do perspective, active listening. You should have a bunch of answers in your head that you need the CISO or whoever you’re selling to to believe. And as soon as they believe one, move to the next thing. So, if you’ve got a slide deck of 20 things you want to cover and you pop up the first one and it’s part of a sequence of three slides and it’s obvious that the CISO already believes what you’re going to take them to on slide three, then abort that talk track, jump through, and go to slide four.
But do not have a narrative that you require the CISO to sit through because if you bore them, then you’re not going to close your deal.
[David Spark] Yeah. Don’t sell them stuff that they already agree with. In fact, we talked about it with Jeff at the beginning of the show before we recorded. His opening tip spoke to a lot of things we already knew the audience knew, and it was like, “You know what? Skip half of that. Cut to the other stuff.” So, it’s the same idea.
All right. Jeff, I’m going to throw this to you. Again, I’m looking for the deep cut do’s and don’ts, not the classics. What do you think the ones that people are not aware of?
[Jeff Hudesman] Yeah. I mean, I find in my field and especially having a limited budget, a startup, a lot of the times when I am looking for security solutions, I’m actually going to go out and not really engage these unsolicited emails, like Andy was going into these Salesloft sequences. But if there was, there are successful ones.
I think usually I’ll engage with a webinar about a certain emerging security topic. I mean, of course, they’re going to fit in their sales pitch, but as long as it’s done tastefully and it’s actually an educational event, I find those to be very, very useful.
[David Spark] Can you describe a good positive experience you’ve had in sort of your outreach or has any outreach to you ever worked? And if so, how and why?
[Jeff Hudesman] Yeah. I mean, we leverage tools to monitor our compliance with several security frameworks, and a certain vendor sent us an outreach saying like, “Hey, let’s explain exactly how these types of products could assist you with monitoring your compliance and saving a lot of cycles in terms of staying compliant with these frameworks.” And their webinar was fantastic.
It didn’t go too deep into their product. It really just went into that automation and how this is a new way. Because again, even though I haven’t been in… I mean, I’ve been doing security for 15 years but earlier in my career, a lot of this was done in spreadsheets, and now it’s like you have this platform that can dig into all your technology platforms and really give you a bird’s-eye view of your compliance status and that was a huge sell for me.
[David Spark] So, the webinar did a very good show to what the value could be.
[Jeff Hudesman] Exactly.
[David Spark] And essentially, their timing was good in terms of it was something you were looking for at the time.
[Jeff Hudesman] Precisely.
[David Spark] Which by the way, that, you just got to get lucky with. Right, Andy?
[Andy Ellis] Pretty much.
[David Spark] Yeah. There’s no way to do it. Unless you get a lead, someone gives you a hot lead like, “Oh, I was talking to the CISO and they’re looking for some GRC solution,” and boom. But that’s what they all want.
[Jeff Hudesman] But yeah, but looking at Fredrick’s list, I mean, a lot of this is… I mean, I feel like there are a lot of posts on LinkedIn about this. You got that one CISO that’s been a little angry recently, he’s got 50 emails in his inbox saying like, “The XYZ breach just happened. Do you want that happening to you?” And of course we don’t.
[David Spark] It is why we started this whole media channel, the CISO Series. It is literally for that specific irritation is why this whole thing launched.
Sponsor – Balbix
[David Spark] Hey, before we go on any further, I do want to talk about Balbix. They are all about automation and getting greater visibility. Let me tell you about them. So, CISOs at large multinational organizations face many challenges in measuring and reporting their cybersecurity risk. You know that.
And articulating security risk is super complex and involves an understanding of the threat landscape, application and infrastructure vulnerabilities, current security controls, and its impact on the organization. If CISOs can’t articulate the value of the risk to their board, they struggle to get additional budgets for tools and resources which stall security programs.
This is where Balbix enters, a cyber risk quantification platform. Balbix discovers all managed and unmanaged assets such as servers, VMs, Kubernetes clusters, and even those pesky IoT devices that you may have forgotten about. It identifies, prioritizes, and manages vulnerabilities associated with those assets.
All of this data is used to deliver cyber risk in monetary terms that enable you to get support and budgets to improve your security posture. Go check them out. I mean, this is pretty impressive stuff, what they’re doing. Go to their site, balbix.com, and follow them on LinkedIn.
It’s time to play “What’s Worse?”
[David Spark] All right, it’s time to play “What’s Worse?” Jeff, you’ve played this before in the past. It’s been a long time since you’ve been on, you’re going to play again. Now probably one of our most creative if not our most creative “What’s Worse?” submitters.
[Andy Ellis] Osman Young?
[David Spark] Osman Young. You remember, from Setec Astronomy. If you watched Sneakers, that was the company in Sneakers. He’s got a good couple of scenarios for us, all right? They’re somewhat similar but slightly different here.
[Andy Ellis] Okay.
[David Spark] All right, here we go. Scenario number one – you have a very popular, very profitable lawn furniture manufacturer that sells direct to consumers on their website. The company has undergone rapid growth over the last five years and is preparing to go public with an IPO. Then disaster strikes.
The company failed to properly grow its security program along with the rest of the business resulting in security lapses. Attackers break in, lock the main production servers and all backups with ransomware, and demand millions of dollars for the decryption keys. The company is forced to pay out the ransom to resume operations but this wipes out six months’ worth of profits and spooks potential investors.
All right, scenario number one.
[Andy Ellis] Okay.
[David Spark] Number two.
[Andy Ellis] I like that we actually have what that number means in terms of profits, by the way. Sometimes we have scenarios that are just like, “Oh, it’s $10 million.” I like that this is very clearly six months of profit.
[David Spark] Right. But I do say demands millions of dollars for the decryption keys. I don’t give you specifics on that.
[Andy Ellis] Sure, but the six months of profit is what matters.
[David Spark] Well, you’ll see, and it relates to the… That’s why we said that specifically. All right. Scenario number two – you have a relatively new security vendor that specializes in AI-powered log monitoring and intrusion detection. Over the last five years, the company has seen rapid expansion as its product has developed a solid reputation for being very effective, and the company is now preparing to go public in an IPO.
Then disaster strikes. The company failed to properly grow its internal security program along with the rest of the business resulting in serious lapses. Attackers break in, lock the main production servers and all backups with ransomware and demand $200,000 for the keys. The company is forced to pay out the ransom to resume operations, which was only a week’s worth of profits, but the embarrassing story plays out for weeks in cybersecurity headlines, blog posts, and podcasts.
Potential investors and customers are spooked. Which one’s worse?
[Andy Ellis] Oh, this is really good. Because if we started with these at the same level of monetary damage, it is very obvious that it is worse for this to happen to a security company than to happen to a lawn furniture manufacturing company, right? The reputational damage far outweighs the cost there.
So, now the question is what if you dropped that cost functionally to zero.
[David Spark] Two hundred grand is a drop in the bucket, and a week is all.
[Andy Ellis] First of all, if you’re profitable pre-IPO, wait, who are you? [Laughter] If I was going to nitpick a thing, it would be profits here.
[David Spark] Yeah. So, it’s only a week off and only 200K for the ransomware.
[Andy Ellis] But I’ll actually be honest. I think it’s worse for the second. I actually think that the security company having this kind of a breach is worse because that is what you are selling to your customers and you’re going to have to spend far more in fixing and changing things. The lawn manufacturing company just sort of gets to say, “Oh, this kind of sucks, damn hackers,” and move on.
[David Spark] But it is six months.
[Andy Ellis] It’s six months but you are going to spend more than six months of your profit as that security company building such an ironclad program that you can now convince people that you are trustworthy. Like, that might actually be good for you in the long run, but in the short run, I think the harm to you is actually greater.
Because if I’m buying lawn furniture, I don’t care about the ransomware, I just care that the furniture shows up.
[David Spark] Right. [Laughter]
[Andy Ellis] I’m buying a service that monitors my logs? I care about that forever. But I like this one. Osman Young, this is a really good hard one but I’m going with the second situation is worse.
[David Spark] All right. Again, Osman does a great job. All right. Do you agree or disagree here, Jeff? What’s your take?
[Jeff Hudesman] I completely agree. I mean, we hear about all these retailer breaches and they’re terrible and there’s tons of PII access, potentially payment card information, but people get over it. I mean, there’s fatigue, there’s just like an influx.
[David Spark] Sadly, I think you’re way too right on this. That’s the sad thing. People don’t really get too upset about this anymore.
[Jeff Hudesman] They get that email saying like, “This was disclosed.” Maybe they’ll change their password, maybe they won’t, and that’s that. Again, obviously, there was a pretty substantial monetary implication. But Andy’s exactly right when it comes to security. I mean, when you have a security company and it’s like their literal job is to preserve the confidentiality, integrity, and availability of information, and then there’s a major lapse.
And not just a lapse where, I mean, all companies get breached and we understand that, but this was due to just not scaling their security team properly. I think that could be potentially door closing or just have long-lasting effects on the viability of this company.
[David Spark] Well, like the lawn manufacturer. What if it came out that they weren’t really cutting lawns?
[Jeff Hudesman] Yeah, exactly.
Maybe you shouldn’t have done that
[David Spark] A high school in Illinois responded to a system error by resetting every student’s password. Now, instead of getting everyone to change their password on the next login, they changed everyone’s password to “Ch@ngeme!” which has a couple of odd characters in there, but it was the same password for everybody.
And as Matthew Rosenquist, CISO of Eclipz.io, noted, “Chaos ensued as students were able to access any other student’s files, student emails, papers, and assignments. It exposed every student’s account,” referencing a TechCrunch article. So, it took a full day of parental complaints for the school to recognize their mistake and the school said that over the weekend they would update the process to offer a unique password change.
All right. I’m going to start with you, Jeff, on this. Here’s my challenge. If something like this happened in your environment, how would you handle it? Let’s say you were the IT administrator for the school network, how would you handle this sucker?
[Jeff Hudesman] So, this is prior to using “Ch@ngeme!”? This is just like there was a problem and how would I… Or the “Ch@ngeme!” happened and now I have to respond?
[David Spark] Well, no, no, no. The “Ch@ngeme!” thing happened, how would you respond. Like, somebody else did this.
[Jeff Hudesman] Yeah, yeah.
[David Spark] No. Granted, you would do what you’re supposed to do, make people just change their password on their next login.
[Jeff Hudesman] Of course, yeah. This was, yeah, an absolute catastrophe.
[David Spark] Yes.
[Jeff Hudesman] And just even before I get into how I would respond, this is something that I always push at companies of Pinwheel size as well as similar, security needs to own IT, and that could be a whole different debate for another time, especially for companies of our size. Because IT really, it is security.
Every decision has major security implications.
[David Spark] So, this happened under your watch.
[Jeff Hudesman] So, this happened under my watch.
[David Spark] How do you handle it?
[Jeff Hudesman] I mean, I think everybody would be… The Google or whatever system this is, I think it’s Google, G Suite, which would be completely locked down and then there would be just an individualized flow. But then there would also have to be the incident response process, which would have to determine which students may have viewed PII of other students, and I think legal would need to get involved.
So, this is a really big mess and something that doesn’t seem like the IT folks of this district really took into account.
[David Spark] All right. So I like it. The first thing is lock everything down so nobody accesses anything.
[Jeff Hudesman] Exactly.
[David Spark] For a short period of time, yes. All right. Andy, this happened under your watch. How are you handling it?
[Andy Ellis] So, I just appreciate that the person who did this left instructions for what to do about them in the password that they chose for everybody. You should change that person. That’s mostly just humorous, I’m not a big fan of firing people. But let’s be real clear. First of all, account provisioning and bootstrapping is one of the single hardest problems in IT.
How do you get somebody who is new to an environment, who you don’t have some way to reach out [Inaudible 00:25:44] their password so that they can get started? Always a hard problem. Account resets makes it twice as hard. Then this is a normal problem in schools. Less so I think in high schools but certainly in middle schools and some elementary schools.
I’ve heard a lot of stories of things, like, this is the norm. You have a password you can’t change and every student has the same password. We’re indoctrinating kids into, “Oh, you should just do this,” until at some point, they rebel like they apparently did in high school and said, “Oh, I have everybody’s passwords.
Let me go see what I can do with them.”
[David Spark] [Laughter] Because high school students don’t cause mischief, do they?
[Andy Ellis] They’re high school students, right? So, honestly what I would do, I would take everything Jeff did, and I would actually add one more thing, which is I would actually bring the incident postmortem to the entire school base. I would actually say, “Look. Here’s the harm that we caused, here’s why it’s a hard problem, but here’s things that got exposed, examples of them.” But this is a prime opportunity to teach these high school students how hard cybersecurity is and how important it is.
[David Spark] Very, very good point. Now, here’s my other question is in your scenario where you have to just lock everything down, how much of a nightmare is it to getting everybody back onboarded again?
[Andy Ellis] I mean, it’s a pain. You basically have to do some form of physical outreach to every student. Like you’re going to take passwords and print them out and then walk them to each student and say, “Here’s your new password.”
[David Spark] Well, if you can get them all in the same building, that’s actually quite a boon for you because you could just hand them to everybody.
[Andy Ellis] You could just hand them to them. At least it’s not like you’re dealing with a global company where you might have people…
[David Spark] All over the world.
[Jeff Hudesman] Do these students not have personal email addresses or are we talking about elementary school which, I mean, they probably don’t.
[David Spark] No, but these are probably the school email addresses, yeah.
[Andy Ellis] Right. And I think most people when they’re setting up school accounts don’t think about the fact that their kids might have… Honestly, I think by the time my kid’s in high school, you should make sure the kids are getting personal email addresses.
[Jeff Hudesman] Mm-hmm.
[Andy Ellis] But high schools are worried about kids using those to circumvent.
[David Spark] So, actually, the better setup for this, Jeff, is if everybody upon registering registered with a second email address, not just your school email address but personal email address, it could be solved that way, yes?
[Jeff Hudesman] Exactly.
[Andy Ellis] Right. But it requires you to then take the onus on you as the school system to educate the kids who haven’t already done that. Like, my kids had domain names before they were born. That’s a very different level of tech support than many families might have. This could be an urban school district in Illinois, low-income families that this may be the first email address the kids have had.
Question for the board
[David Spark] If you’re a retiring CISO looking to get a board seat, chances are you’re not qualified for the position. That’s according to a recent study by IANS Research, Artico Search, and The CAP Group. In an article by Victor Dey on VentureBeat, they looked at public information of CISOs at the top 1000 companies and graded them on InfoSec tenure, broad experience, scale, advanced education, and diversity.
Only 14% scored well in four out of the five variables and were deemed ideal candidates. Now, on the other side of the equation, The CAP Group found that 90% of 3000 companies they looked at lacked a single board director with cybersecurity experience. These organizations conducting the study are recommending CISOs to boards using this methodology.
Andy, do you agree with it? If not, what is the best way for a public company to find cyber expertise to sit on their board and what are the variables they should consider?
[Andy Ellis] So, look, I’ll be really honest. I think that this research is problematic in a lot of ways.
[David Spark] I can see a lot of bullet holes you can shoot through this sucker, yes.
[Andy Ellis] Man, I could, like… So, they take five categories, first of all, to say, “Oh, should you be on a board?” Let me tackle the first three because I actually think the first three are pretty good. All right. What is your tenure in InfoSec? Yes, yeah, if you’re going to be on a board and you’re coming here, you should have some longevity, some deep well of experience.
[David Spark] This is the one time where X number of years means something.
[Andy Ellis] Probably means something, like, I’m hoping they’re not straight X years, but great. So, we’ve got your experience in InfoSec. Then they have your broad experience which I assume is a proxy for have you been in more than one industry, are you bringing value to that level of the board. And scale – have you always worked in a 300-person company because if so, you’re not getting on a Fortune 1000 company’s board.
Okay. Those three are good but they said only 14% made it to four of the five variables. So, let’s look at the last two variables. So, one of them is advanced education. Like, really? In this day and age? It doesn’t matter. In fact, arguably I don’t know that you want the advanced education, what some people may bring.
But is somebody with a PhD in computer security more qualified to be on a board than somebody who only has a bachelor’s degree?
[David Spark] Well, an MBA with a CISO is kind of attractive though.
[Andy Ellis] So, an MBA could be, especially if you had somebody who did not have broad experience in accounting disciplines prior. Like, I could see that. But the reality is if all that you have is an MBA, that’s not actually really relevant to being on a board unless you have been using all of the skills across it.
But now let’s tackle the fifth one, and it’s a really politically charged topic, they say diversity.
[David Spark] Yes.
[Andy Ellis] And look, I’ll be very honest. I have talked to all of the major board recruiters and what they’ve all told me is if I would like to be on a public company board, I have to come in via internal recommendation because they’re in general not recommending candidates unless they are women or persons of color, preferably both, and I’m neither, and I think that’s a problem.
Because they’re saying that basically you have to be perfect on their scale unless you’re a woman or a minority, in which case, well, it’s okay if you’re not quite good enough. And I think that does really an injustice to the many amazingly qualified women and people of color out there. I know people who are women and people of color just as qualified as I am to be on a board and there should never be a question when they get a board seat that they were less qualified than I was.
But this study says, “Oh, there’s a good chance they got it and they were less qualified.”
[David Spark] So, up until now I thought you were the most qualified person, so now I know there are others just as qualified as you, Andy.
[Andy Ellis] And more so. I have some great friends who are on boards, some of whom are White men, many who are not, and they’re amazing, they bring value to those boards. And so I have a problem with this because it’s trying to reduce it to, “Oh, here’s this simple thing,” and then saying, “You’re not qualified.”
[David Spark] So, okay. What are the variables – and then we’re going to go to Jeff on this, who is not that close to retirement right now – so what are the variables that should be there?
[Andy Ellis] So, I actually like those first three – InfoSec tenure, broad experience, and scale – and I would actually put in business experience. I’ll be honest. I think if all you have ever done in your career is security and you have made it to the CISO level but you did not do product, you did not do anything with sales or marketing or finance, I think that’s going to make it a really hard uphill slog for you.
[David Spark] Would you think a CISO that’s been on both sides of the aisle in terms of CISO for an organization then CISO for a vendor or a CEO for a vendor too?
[Andy Ellis] Oh, if you’re a CEO for a vendor, absolutely [Inaudible 00:33:35] CEO. If you’re a CISO for a vendor, the question is what is your job as CISO for the vendor? Are you just, “I’m securing things, I know a little bit of sales support,” or are you the marketing arm of the vendor, right, where you can make a credible claim that you’ve been a significant part of the go to market, you understand the challenges of everything from brand generation to lead generation to getting QFAs?
Do you understand the whole MarTech pipeline? That’s value.
[David Spark] Jeff – A, do you have thoughts about this? I know you are far from retirement age. Am I correct on that?
[Jeff Hudesman] We don’t know that. I mean, maybe some of my equity of my startups will go to the moon and I can retire maybe in a couple weeks, fingers crossed.
[David Spark] Let’s hope that’ll happen.
[Jeff Hudesman] But yeah, I mean, I happen to agree with everything Andy just said. I think these disciplines, these five attributes are very important, and the addition of what Andy has said as well, business risk. So, I was fortunate enough to be on the Risk Committee at DailyPay. It was not nearly just cyber risk but it was also just financial risk and all sorts of other operational risk, so I think that was absolutely paramount to my understanding [Inaudible 00:34:47] my “board qualifications.” But I think the biggest flaw in this is kind of how they determined this 14% number.
I mean, it looks like within the article they were talking about how they scanned LinkedIn profiles.
[David Spark] Yeah. It was all public information.
[Jeff Hudesman] Yeah. I have a hard time believing that folks, and Andy included, folks that were CISOs of Fortune 100 companies don’t have these skills. But again, I could be wrong.
[David Spark] Yeah. There’s a lot of – that’s the thing – there’s a lot of CISOs out there that choose not to be public figures.
[Jeff Hudesman] Yeah.
[David Spark] Plenty. Andy, throw some advice to someone at Jeff’s stage. So, this is your second CISO gig, right, Jeff?
[Jeff Hudesman] Correct.
[David Spark] Your second CISO. So, many years down the road when he decides to retire from the CISO field, he may want to do something like this. What could he do at this early stage to set himself up so he would look attractive on these variables?
[Andy Ellis] And the real simple answer that I would give is network with your board. They are desperate to hear your advice on things. And so if you just made a regular appointment to talk to them, talk to venture capital folks, and just say, “Hey, I’m here.” Understand what’s going on so that when they say, “Hey, I see there’s this thing out. Do I need to worry about this?” you’re like, “Oh, here’s what you should worry about at the level of a board.” Right? Don’t give them advice about a CISO. Give them the advice of should a board director care about this? What questions should they be asking of their CEO? Become a trusted advisor so that at some point when they’re like, “Oh, we need a new board member and we want someone with cybersecurity experience,” they’re like, “Oh, I know a guy,” or “I know a gal,” like “I know a person that would fit this because they talk to me all the time and I love the things they say, they were helpful to me as a board member.” So try to find that sort of board advisor position, it’s just an unofficial one.
That’s how you network: by giving to people now, and some day in the future it may pay back.
[Jeff Hudesman] Great advice. Yeah, thank you.
[David Spark] All right. Well, that brings us to the very end of our show and I want to thank our sponsor Balbix. Remember balbix.com to learn more about your risk management or to get more quantification around your risk as well. Any last thoughts you have on today’s episode? And Jeff, I let you have the very final word.
[Andy Ellis] So, yeah, I loved a lot of our conversations here. I just want to point out I actually just published a mini eBook, I know I always talk about my hardcover book, but I have an eBook on the first 91 days of a CISO’s career journey that just came out last month. So folks should take a look at that if they’re anticipating changing jobs or becoming a CISO soon to understand how do you structure that early engagement because a lot of it is also relevant to conversations we had here about the board and other things.
[David Spark] Excellent.
[Andy Ellis] So, Google First 91 Day Guide for CISOs.
[David Spark] I know you’ve been working on those. Jeff, any final words? And the question we always ask our guests: are you hiring? Are you hiring?
[Jeff Hudesman] We are hiring at Pinwheel. We are making a fairer financial system, as we like to say. We’re doing a lot of hiring. It’s a real exciting place to be, so please check us out at pinwheelapi.com.
[David Spark] Very, very cool. All right. Well, thank you very much, Jeff. Thank you very much, Andy. And thank you to our sponsor, Balbix. We greatly appreciate our audience too. We greatly appreciate your contributions. Send in more “What’s Worse?” scenarios. I challenge anyone to be more creative than Osman Young.
That is my challenge because right now he, hands down, has the most creative “What’s Worse?” scenarios. So, who’s going to topple him? Who will be the one? I hope it’s you who’s listening right now. Thank you very much for your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.