CISO stands for Chief Information Security Officer. So why do we sometimes pigeonhole their duties under “just” cybersecurity?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and John Underwood, vp, information security, Big 5 Sporting Goods. Joining us is our guest, Mike Lockhart, CISO, EagleView.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Scrut Automation

Full Transcript
Intro
0:00.000
[David Spark] CISO stands for chief information security officer. So, why do we sometimes pigeonhole their duties under just cybersecurity?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO series. And you’re in for a treat today, everybody. I have a guest co-host, none other than John Underwood, who is the VP of information security over at Big 5 Sporting Goods. John, say hello to the audience.
[John Underwood] Hello, audience. Nice to be back. Appreciate it, David.
[David Spark] That is John’s voice. You’ll hear more of it during the show. But first, I do want to mention that we are available at CISOseries.com, where you can find all of our wonderful programming, and if you haven’t explored it yet, please go check it out. Our sponsor for today’s episode is Scrut Automation. Stay aware, stay ahead, and stay compliant. More about all of that a little bit later in the show. John, our topic of discussion is something you brought up on LinkedIn, and I’m going to start off and just say, wow, people are really passionate about this subject that I didn’t think was that big a deal but boy, was I wrong. You pointed out that cybersecurity is just part of a CISO’s responsibilities, while vital information security also holds a lot of other domains – things like governance, risk management, business processes, data protection, resiliency, physical security, and sales enablement. So, first of all, why did you put this post up? What was the trigger? And what do we miss when we don’t think about this role of the CISO more holistically?
[John Underwood] I don’t know, I was working one day and I took a break, went on LinkedIn, and I just kept seeing these posts about cybersecurity this, cybersecurity that. And it was really focused at CISOs from vendors. Other CISOs were talking and it just kind of got to the point where, like, if we take a step back and we look at what we do, it’s not cybersecurity. Sure, it’s a component of what we do, and it’s very important. And a lot of the industry and our peers outside of information security and cybersecurity see it as cybersecurity. But we need to educate the business, we need to educate our teams, we need to educate ourselves, and just not forget to include some of those other areas when we’re communicating. I know we’re not missing those when we’re doing the job, theoretically, but we need to bring other people along. Just let them know that we’re more than just this little thing here. There’s business processes involved. Yeah, I’ll leave it there for now.
[David Spark] Well, we’re going to get into this because you’re not the only person who’s passionate about this, and it was a shock to me, the response. And our guest also passionate about the subject, so that’s why he’s here to join us. He is a CISO himself over at EagleView, none other than Mike Lockhart. Mike, thank you so much for joining us.
[Mike Lockhart] Thanks for having me, David.
Why is everyone so confused?
3:07.603
[David Spark] Gabe Silva over at Manasec said, “There is a huge push for cybersecurity and the term has been marketed so much that I’ve come across some clients who don’t know the difference between InfoSec and CyberSec. This greatly affected how they previously viewed their security program.” And Linda Rust of SecuriThink said, “Let’s not confuse strategy with communication. Information security is my focus, but the vast majority of humans outside of our area understand the label cybersecurity more quickly. When I communicate, I also aim to meet my audience where they are. Without that, there’s no hope of guiding anyone to what I’d like to explain or show.” So, John, Linda, I think, agrees with you, but also I think might have been pushing back a little bit. But I kind of agree that I think more people understand this cyber concept rather than the greater sort of InfoSec concept that you sort of spelled out at the very beginning. Do you agree in that respect that sort of the general public understands that?
[John Underwood] Yeah, yeah. So, just to go back to my post. To me, it was kind of a lighthearted like, “Hey, remember, guys. Remember, this is who we are. This is what we do.” And so I don’t think that I was drawing a line in the sand and saying, “This is the way things ought to be, like my way or no way.” It wasn’t that at all. So, Linda’s response to me, that pushback was basically saying, “Hey, let’s not confuse the communication with the strategy. And let’s start where the user is or let’s start where your audience is and then bring them forward.” And I 100% agree with that. You need to meet your people where they are because our job really is to build bridges, to help influence the strategy of the organization, to influence a risk. If we can’t own it, we can at least influence it. And so in that regard, I 100% agree with her.
[David Spark] I throw this to you, Mike. Let’s just say the general public understanding of this concept of cyber InfoSec. Do you think they think there’s a difference? Do they think they understand all the sort of the mechanisms, as John pointed out at the beginning?
[Mike Lockhart] I don’t think culturally businesses appreciate the nuance of the difference between information security and cybersecurity, and I want to start with the term cybersecurity. Individually, my personal opinion is I think it’s a terrible thing to have in a business. We think about the origins of the phrase cybersecurity. You can make arguments that attribute that to William Gibson, famous sci-fi writer. It came about during a time of incredibly fast-paced change when a lot of organizations were struggling to understand this new technology in front of them, and the people who were finding vulnerabilities and opportunities to take advantage of these new systems that nobody really understood what to do with.
And it stuck early enough that we have now become pigeonholed with this concept of cybersecurity being the hacker mindset or somebody who would break into a system. And I think we do a disservice by not acknowledging the marketing that has latched on to this because it was neat, it was fun, it was a new phrase. But if we fast forward from the dot-com boom, 25 years, I hate to date myself saying that, 25 years forward, here we are now, cybersecurity is a term that no longer benefits us. At the end of the day, we are an information security organization. It is much larger than just what people would consider, what they see in the movie, The Matrix, right? Or the stories about Kevin Mitnick. And we really need to start dropping that terminology. In fact, I actively prevent its use inside of my organization.
And it all comes back to this misconception and this term now that you ask anybody about cybersecurity, you ask them, where does their head go first? They’re going to think of the hacker in a hoodie, sitting in a dark room behind a keyboard. When we talk about information security, it’s a much broader topic that encompasses all the governance and risk management and including the more fun parts of offensive and defensive security, but it’s a lot more holistic. So, I didn’t mean to segue too much there, but I do think it’s important to acknowledge that cybersecurity came about in a time of incredibly fast-paced change. It was very strongly inspired by a lot of sci-fi writers and the day-to-day business of maintaining the risk posture of an organization isn’t really cybersecurity.
Who really cares?
7:43.512
[David Spark] Lance McGrath of Danske Bank said, “There’s a Venn diagram to throw together showing the overlap of the cyber, information, and physical security domains. But I also don’t see why most people outside of my own team would need to know the difference. I use a lot of internal materials branded cyber because that’s a sexy term that gets attention, but my remit is security. Even when I was ‘just’ the CISO and not directly responsible for things like physical security, I still took the same approach. That holistic approach you’re asking for is exactly right. But we also shouldn’t get caught up in the minutia of terminology, particularly when working in an international multi-language environment.”
And Robert Tang of PetSure Australia said, “There’s really no difference except InfoSec also includes physical security domain. It’s all semantics.” And by the way, I would argue, because every physical security item now has a digital component that it’s sending to a database somewhere, that quite the opposite is happening. But I go on to what Robert says, he says, “It’s all semantics and people making things more complicated than it really needs to be. Information security is what people called cyber security 15 years ago. Then the buzzword cyber caught up because it sounds new school. And then all of a sudden, people start calling it cyber security. The industry is already confusing to non-technical people as it is. Let’s not make it even worse.” Well, the cat’s out of the bag. We’ve already done it. But let me throw that to you, John, and say, back to it’s surprising how passionate people are on this subject. This must really hit a nerve with people, this argument, doesn’t it?
[John Underwood] I guess so. I think this is probably, it’s been a year since I posted, but this is probably the post that’s gained the most traction in my LinkedIn history. I was actually surprised because for me, I was just taking a break from work and kind of whipped it out in just a few minutes. And I come back next day and there’s all these comments and reposts, and people were really pushing back.
[David Spark] Yeah, just so you know, over 1100 likes, 100 comments, and 42 reposts. And God knows how many comments on all those reposts too. That’s insane.
[John Underwood] For LinkedIn, maybe. Yeah. I mean, I’m not an influencer, I’m not on another social program, so I don’t know how vast this is. But for me, this was a pretty big response that I was not expecting, and there were people that came pretty passionate on both sides. Again, for me, it’s not really a line in the sand. But what I have noticed is that when I’m trying to mentor people that are trying to come into the industry, the question is not how do I get into information security, it’s how do I get into cybersecurity? And when we sit down and we start talking about the path to go into maybe being GRC, risk management, some of the other areas that the business might need, people are really unaware that there’s these opportunities out there.
So, one of the thoughts that I had in this post was if we can broaden the scope, if we can get back to our roots as a security practitioner, we can help influence not only the generation that’s coming, but the industry as a whole. I don’t know how many times I’ve sat down, and to flip the script or to flip the conversation just a little bit, I don’t know how many times I’ve sat down with another executive in my company, and they just have a very narrow lane where they expect us to be and get kind of surprised when I’m starting to ask questions or where I come up with solutions that help them get to yes or get to their answer quicker, get to their whatever the business process may be. It is very interesting to see how passionate people are and where they do and don’t understand the lines to be drawn for information security, especially with this prevalence in the industry today.
[David Spark] Mike, I throw it to you. Why do you think this is hitting such a nerve?
[Mike Lockhart] My hypothesis is that we’re at an inflection point now where the now older generation, I did age myself, but I graduated high school in 2000 and was riding the wave of the dot-com boom. We’re now the people who are leadership. Cybersecurity came at a time, and the cultural aspect I think very much matters, what we considered cybersecurity was just trying to figure this whole thing out. We were a generation that had no plan. Colleges were teaching this. We were the inmates running the asylum. It was very much figure it out on the fly. We’ve matured institutionally substantially over the past two decades. And what cybersecurity is now is really more of a holistic, full 360-degree approach towards managing digital risk.
John, you mentioning that people are asking, how do I get into cybersecurity? I mentor quite a few college students – Georgia Tech, RIT. We hire a lot of interns from RIT. One of the first questions I get, especially from the freshmen is, what opportunities exist in cybersecurity? The very first thing that I do is reset expectations. It’s not about cybersecurity. Let’s focus on what it is you can do. You can build, you can break, or you can govern. And that’s the holistic approach that gets us away from the phrase cybersecurity and gets us more focused on what we actually do. We understand how to defend, how to be an offensive red team, or how to govern an organization in a very broad spectrum to make sure that we’re managing risk at all facets of the business.
[David Spark] Let me ask you guys, quick answer to this question. Do the overwhelming majority of young people eager to get into cyber believe that cybersecurity is red teaming, and that’s 90% of the job? Do you believe that’s the case or no? What do you think?
[John Underwood] I’ll take this one first. I have mentored probably six or seven people in the past year. Every single one of them wanted to get into information security by red teaming.
[David Spark] Yeah, okay. That answers that. And what do you say, Mike?
[Mike Lockhart] I would echo that as well. When I talk to young kids who are very interested in getting into this field, the ones who take the time to look at my LinkedIn profile will say, “Hey, you did penetration testing for a while. I want to hack into systems.” And they are very excited about it, and I applaud and want to foster that passion. But it’s also a large misrepresentation of what we really do, and it’s fascinating to see the awareness wash over them as you start to give them the larger picture of what it is we truly do on a day-to-day basis.
[John Underwood] Yeah, yeah. It’s all they see in the media. One of the pieces of advice I give people is like, look, if information security or cybersecurity is a building you’re trying to get into as a career, everybody is lined up at that front door of pentesting. Go around the back, find another way in, there are definitely other avenues, and that’s kind of the heart of this post.
[David Spark] We have actually discussed this a lot on our show. It’s like you want to get a career in cybersecurity, learn how to hack the job of getting a job in cybersecurity or information security.
Sponsor – Scrut Automation
14:52.201
[David Spark] Before I go any further, I do want to tell you about our new sponsor, thrilled to have them on board, and that is Scrut Automation – a leading GRC platform that helps you stay aware, stay ahead, and stay compliant. Three things you want to do in cyber, right? So, let me explain what they do. Scrut Automation liberates growing enterprises from the morass of compliance debt to proactively manage their strategic risk, enabling organizations to build sustainable GRC strategies that effectively govern and monitor their security programs.
Now with Scrut’s super flexible GRC platform, security and risk professionals can gain visibility into the risk posture, monitor controls in real time, and showcase proof of compliance with industry frameworks without stretching the security budget and in alignment with the organization’s business goals. You can’t spell it out more plainly than that, can you? So, you I’m sure are interested in this. If you’re not already doing it, or you want to do it better than you currently are, go check out what they’re doing over at Scrut Automation. Their website is scrut.io. Check them out.
What’s the CISO’s role?
16:08.009
[David Spark] Robert Turney of iSelect said, “As someone who has practiced information security for a long time, when cybersecurity became a thing, I was not a fan, but in today’s world, this phrase is easier for people to grasp,” like I was bringing up earlier, “and understand the concept at a high level, and it’s used interchangeably in common language,” I would probably agree with that as well. “As long as practitioners know the full scope of security, I say embrace the cyber!” So, he’s just going with the flow. Michalis Kamprianis of Hexagon Manufacturing Intelligence said, “Titles are titles, and based on the nomenclature of the organization, they do not necessarily reflect someone’s job or responsibilities. The highest-ranking security person in an organization with responsibility for the strategy, security risk management, and who presents to the board/CEO is de facto acting as a CISO, regardless of reporting lines or titles.” So, they all said, you know, “To hell with you, John, with regards to information security and cybersecurity. We’re just going with the flow with whatever it says. We’re just going to do our job.” But Mike, I’m going to take this to you. I mean, I guess those of us in the industry, we love to argue about this, but look, if the people want to latch on to cyber, let them do that, but I know what my job is. Is that a good enough answer for you? Or you’re like, “No, I’m pushing back on this”?
[Mike Lockhart] It’s good enough. At the end of the day, you have to pick your hills to die on. The role of the CISO, from what I have experienced in the two years that I have now been in the seat, is to nail the basics. The basics for most organizations are patching, identity management. We can throw a few other things in there, but the table stakes that any organization should have. But the other two components that are critically important to the role of the CISO are to drive effective risk management, understand risk for an organization, organize that risk in a way where you can have informed conversations, and to acknowledge that the people that you’re going to be working with, your executive leadership team, your board, your investors, are likely not going to view the world in the lens that you view it. And having to meet them where they want to work and presenting risk in a way where they are going to understand and appreciate the data you’re putting in front of them and getting that consensus to drive institutional improvement in an organization. That’s the hardest part of a CISO. It’s not the true security work. It is the consensus and communication with other executive leadership and board leadership.
[David Spark] Good point. John, what say you? Do you say that this whole argument you put out there is bunk and everyone should just cool it?
[John Underwood] [Laughter] I think regardless of which side of the line that you stand on that I drew, I guess I agree with Mike. The job of the CISO really is to influence the organization, to identify the risks that the organization faces, and then help influence, close those gaps, and let people understand what the risks are. That way, you can make an informed decision. Whether you’re going to close that or accept that doesn’t ultimately usually end up on the CISO’s seat, but your job is there to influence and help make that company as secure as you can with the authority that you have. So, that comes down to conversations and communication, not bits and bytes.
What do most people think it is, and what’s the reality?
19:43.740
[David Spark] This is what we’ve been talking about, all right, and Bob Turner of The Cyber Hero vCISO Network said, “On our best day, our organization’s cybersecurity, information security, physical security, and personnel security programs must converge with network architectures and operations and must work together.” That is a really nice summary right there. “Our most useless day is when we are not putting in our best effort, doing all of them, or failing at least one of those. We need to keep our eyes on the prize, doing what is needed in securing information and making the networks resilient enough to assure leaders and users that data and systems will be there when needed.” That’s a pretty nice summary right there. I’m going to throw it to you, Mike. Would you kind of agree with Bob’s statement right there? Like, hey, we can have all these semantic conversations, but heck, we all need to work together.
[Mike Lockhart] Yeah, he’s absolutely right, and we can even get a little bit more generic than that. The hardest part for me as a CISO is to step back and let good people do good work. My role on a day-to-day basis is to help them understand the why behind what we’re doing, to make sure they have the right support, air defense, firefighting for them, resource collection. All of those things are critically important to the role of a CISO. I don’t want my people to be in a position where they have to stress or worry about the why behind the thing. They need to be fully supported and really feel like they can go do the good work they need to. I don’t need to worry about the networks, the systems, all of the nuance and detail there. It is really about translating that risk model into a roadmap and a strategy for those teams, giving the tools and support that they need, but letting them go do good work. And my role is to act as external defense for them at the executive leadership level, the board level, customer interactions.
And that’s truly the day-to-day work for a CISO: making sure your customers are comfortable with the business that they’re bringing into the organization for whatever purposes they’re bringing it. Especially if you’re a SaaS platform. They’re trusting you to be data custodians. I have to deal with what our private equity sponsors are looking for, making sure that their portfolio companies are well-managed. I have to deal with the motivations of the executive leadership team who has revenue targets to meet, and they have sales targets. And all those things are the role of the CISO. But the most important thing for me is not that component. The most important thing is making sure that I communicate why we’re doing a thing to the organization. I give them the tools, support, trajectory to execute well, and then I can let good people do good work and not interfere.
[David Spark] You nailed it on the head. John, all you have to do is add to that.
[John Underwood] Yeah, no, it sounds like, Mike, what you’re talking about, if I could sum it up, is business enablement. You’re enabling your people to do their jobs, you’re enabling your business to do its mission, and I think that’s great leadership.
[David Spark] Well, then let’s put a darn button on it right there.
Closing
22:35.722
[David Spark] All right, we’ve come to the point in the show where I ask both of you, which quote was your favorite and why? And I’m going to start with you, Mike.
[Mike Lockhart] I have to say that Gabe Silva from Manasec’s quote was the one that stuck the most with me because he was very much on point with calling out the term has been marketed so much. And that really is a pain point that we have when we use the term cybersecurity is the marketing aspect around it now. We’ve all been to RSA, we’ve been to other security conferences. Cybersecurity has now become a marketing term and no longer encompasses the true work that we do.
[David Spark] That is a good summary right there. That’s the headline. John, your favorite quote and why?
[John Underwood] That was actually really good. Honestly, I think I’m going to go… There’s two. One of them was Linda. Linda had the let’s not confuse strategy with communication and the follow-on there. I think she’s absolutely right. We need to meet the company where it is. We need to meet our customers and our employees where they are and enable them to move forward and bring them forward, bring them where we think they need to be. My second favorite quote was Mike’s. You can build, you can break, or you can govern. I love that. I’m going to start using that.
[David Spark] Excellent. Build, break, or govern. That’s a nice summary. Well, you get kudos right there, Mike. All right. Well, that brings us to the very end of the show. I want to thank our sponsor, Scrut Automation. Remember, they will help you show proof of compliance while at the same time being in line with your organization’s business goals. Isn’t that the whole point of all our security programs and compliance programs as you try to work together? Well, check them out over at scrut.io. All right. Either of you have any last thoughts on this discussion? John, anything last to say?
[John Underwood] I think however you embrace the job is good. The bottom line is that you’re identifying risks. You’re protecting your organization, your people, and your product. So, I think all in all, it’s a fun conversation. But at the end of the day, it doesn’t really matter all that much. Just embrace it and do the job.
[David Spark] Just embrace it and do the job. That might be the headline right there. All right, Mike, if I remember correctly, you were telling me that you’re going to be starting an intern program soon. Actually, you may have started by the time this episode airs. If someone would like to get involved because we have a lot of people interested in InfoSec, and would like to get involved, InfoSec, CyberSec, physical security, all these things we talked about, GRCs, they reach out to you, I’m assuming?
[Mike Lockhart] Yep. They’re welcome to reach out to me on LinkedIn, or they can send me an email at [email protected].
[David Spark] All right. And any other last thoughts on our topic today?
[Mike Lockhart] I want to leave on this one. For the first three months of being in a CISO role, I questioned what the heck I decided to do. The next three months, I was finally starting to get my feet underneath me. But the most rewarding part about being in the CISO role has been the opportunity to empower and build teams, and finally step back. And no longer worry about doing the work myself, but give good people the right tools and resources, and watch them succeed and flourish. And that part has been so incredibly rewarding. All the stress that comes along with the CISO role can be a lot, but that part right there makes every single day worth it, and I couldn’t ask for much more.
[David Spark] That’s a high note we can end on. I like it. Thank you very much, Mike. Thank you very much, audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.