One day you want to be a CISO. In what area of security should you begin your studies? Or maybe you shouldn’t be studying security.
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Evelin Biro (@wolfsgame), CISO, Alliant Credit Union.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Qualys
[David Spark] One day you want to be a CISO. In what area of security should you begin your studies? Or maybe you shouldn’t be studying security.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode is the one, the very talented, Mr. Steve Zalewski. Steve, make that noise you make.
[Steve Zalewski] Hello, audience.
[David Spark] That is the noise Steve makes. Our sponsor for today’s episode is Qualys. You know Qualys; qualys.com is where you would find them on the interwebs. But you’re going to hear more about them later in the show. But first, Steve, I want to talk about our topic today. On LinkedIn, Ashish Rajan, who is the host of the Cloud Security Podcast, asked this question, “What roles are the quickest to a CISO or Chief Information Security Officer role?” Now, he put it into a poll offering the three choices of Red teaming or pentesting, Blue teaming or cloud security, or a GRC role. Overwhelmingly, with 71% of the votes, GRC role won out. The limited poll though generated a lot of conversation, and we’ve heard the question before of, “What path should I take if I want to be a CISO?” And what we learn from this is there is definitely not one path. Is there, Steve?
[Steve Zalewski] Absolutely true.
[David Spark] And you can’t even count the number on one hand. There’s a lot of paths.
[Steve Zalewski] There seems to be as many paths as there are CISOs.
[David Spark] Hmm, that’s a good way of putting it. What did you learn from this discussion?
[Steve Zalewski] So, in looking at this, what I found interesting in the whole conversation is I found it good that GRC won out.
[David Spark] By a lot.
[Steve Zalewski] By a lot. And it’s an informal poll, so let’s not put a lot into it. But what I thought was interesting was there’s definitely in the industry a realization that governance, risk, compliance – not audit – but the realization that security is a risk function, not a technical function. You’re starting to see the pendulum swing. And while a lot of people say that, I would still say 80% of the industry is primarily technical. So what I found was the Red team/Blue team as technical expertise, while it’s the minority in the poll, I think is still the majority of CISOs.
[David Spark] Interesting point. Well, let’s get into this discussion, and you introduced me to our guest, who I’m very excited to bring on the show. It is the CISO over at Alliant Credit Union, the one and only Evelin Biro. Evelin, thank you so much for joining us.
[Evelin Biro] You’re welcome. Thank you for having me.
How do we determine what’s most important?
[David Spark] Christopher Zell over at Dell Technologies said, “None of the above,” referring to the poll, “I do not see an advantage in coming from only one infosec- or even IT-related discipline. A CISO is much more than Red/Blue/GRC. Also, would you really want to be thrust into a CISO role quickly?” which was the question that was being asked in the poll. And Lital Asher-Dotan of Hunters said, “Shortcuts to a CISO role sound like a very bad approach to me,” echoing Christopher Zell. Lital goes on to say, “This is a role that blends together technical understanding with good knowledge of the business and the ability to manage people and processes.” And lastly, John Overbaugh, CISO over at ASG, said, “The reason none of these are the quick path is because the CISO role requires totally different skills than the technical roles.” So, a lot of them are saying it’s not just so much one path, there’s a lot more to this story, and you don’t want to walk into this quickly. Do you know any CISOs that got there very fast, Steve?
[Steve Zalewski] Yes. As a matter of fact, Colin Anderson who was the CISO at Safeway. He was actually promoted early in his career and was considered a young CISO and grew into the role.
[David Spark] How did he deal with that?
[Steve Zalewski] He would talk about, and we had these conversations, that it was difficult because the “C” in CISO as Chief is not a technical chief but a business chief in large corporations when you get to the VP or SVP title. Therefore, he didn’t have the relationships with his other business peers, and some people were not happy that he was promoted early in his career. They didn’t feel that he had done time in grade and really had built the relationships with the business and with his peers. And so he talks about the difficulty he had to overcome to be what you’d call the youngest kid on the block, to be able to have the same respect that your peers have with each other.
[David Spark] That’s kind of a struggle. Evelin, I’m throwing this to you. Do you know anyone who’s gotten into the job quickly? And can you succeed going in quickly or it just becomes more of a struggle?
[Evelin Biro] There is no fast path or one choice of skillset to become a CISO. Of course, as Steve just showed us, I’m not suggesting that one cannot become a CISO very quickly, I’m simply stating that a successful CISO requires a broad array of skills to be successful and valuable to the business as you, David, made the point.
[David Spark] And I think most agree with that specifically. If there was a good starting position – because I do want to address the question that Ashish brought up which I think has validity because it comes up again and again and again – do you think there is a good starting position even though there is no one path? Where would you start, do you think, if your ultimate goal is to become a CISO?
[Evelin Biro] I don’t think that the starting position for a CISO role that comes 10 or 15 years into one’s career is as important; however, I would suggest that having a technical background is important in understanding and absorbing difficulties and complexities of technical positions and security risks. So, from the college perspective or the higher education perspective, I would agree or suggest, recommend having a technical degree, or at least having some technical understanding of relatively complex issues from the technical side.
Can there ever be agreement on this?
[David Spark] Jacques Ackermann of LexisNexis said, “Definitely not any pentesters, that’s for sure. You don’t get taught the dark arts of management and how to navigate the minefield of a boardroom in an OSCP course.” And John Overbaugh again, CISO over at ASG, said, “Only half joking here, but the closest role to a CISO is probably an ethical hacker who specializes in social engineering. The CISO has to help profit-driven business leaders look at security as well as IT as a profit-making investment.” Evelin, I want to take John’s comment. We are in agreement there is no one path, but this ethical hacker has some aspects to it that are of great value to the business, two aspects: A, I think, is understanding the malicious intent, and B, understanding the economics of it. Those are two things that usually take a security professional a while to understand if they’re purely starting just from the technical level. What do you think?
[Evelin Biro] I would agree with you absolutely on that. I think that those two values which they will bring into the position are highly important for being a successful CISO. So yes, I would agree that that would be a very good starting position or a position.
[David Spark] Yeah. And from there, how would you want to grow? Like, say that was you. How would you like to grow from that point?
[Evelin Biro] Technical positions usually are very easily translated into other technical positions. So going into the penetration testing, going into the application security testing, network security, that is all great. What I’m finding to be lacking in a technical position is the softer side on GRC, which we have 70+% on, and that is understanding the governance, understanding the risk management, understanding the compliance requirements of the organization from the perspective of security. So, I would say that that – I don’t want to say it’s less technical, but it is – aspect of the organization is probably the next step that an ethical hacker should also conquer.
[David Spark] I like that. Steve, what do you think of this ethical hacker as a good launch pad?
[Steve Zalewski] Yes. Because the answer to all the questions is yes because there is no wrong way.
[David Spark] We’re just looking for kind of a really good starting point. I just think this is an intriguing good starting point.
[Steve Zalewski] Right. What I would say is yes, it’s a great starting point, and can we ever get agreement on this? Absolutely, as long as everybody agrees that I’m right and you’re wrong, then we can get absolute agreement on this. Okay? And I think part of this conversation is a realization…
[David Spark] All listeners! Did you hear that? Steve’s right, you’re all wrong.
[Steve Zalewski] Only on this particular one, and only if you agree with my result. Evelin obviously is more right, okay? There’s no doubt about it, so I’m going to put that right out there too. So, therefore, that’s my argument, and I’m sticking to it. No, here’s where I was joking on that whole conversation is will there ever be agreement? This is the same kind of conversation we have which is are we safe or are we secure? What it really is coming back to is what are the expectations that the company has on you as their definition of a CISO? Because I know CISOs that have a team of one. I know CISOs that have a team of a thousand. How can you possibly have a consistent agreement or view on what the expectation on the CISO is when you have somewhere between one and a thousand? It’s just not possible.
It’s one of the reasons why I say the CISOs have to step up. If you want to be a CISO, if you’re doing it for the money, okay. If you’re doing it for the title, okay. If you’re doing it because you believe it’s the right thing to do, okay. But in every case, you now have to know what it is that your own personal expectation is of that role and to verify that with the company. And as long as the two are aligned, however you got there is fine, but if they’re misaligned, that’s when you’re in big trouble.
Sponsor – Qualys
[Steve Prentice] Qualys has been in the vulnerability management business for almost 20 years, helping to span the gap between IT and security operations, broadening support for the entire path from asset discovery through to vulnerability management through to patch management.
[Scott Clinton] So, we have the end-to-end process built on this 20 years of experience and technology. It’s also built on 20 years of data that we’ve been collecting and shared across this entire platform.
[Steve Prentice] But their services also provide database solutions which, as Scott Clinton, Vice President of Marketing, states, come at a crucial time.
[Scott Clinton] They help automate and address the skill gaps that many CIOs and CISOs are struggling with today. They’re often trying to find the right people for the right job. Not having those people in place certainly introduces more risk to the organization. Helping to automate as much of the process as you can based on rich data helps them to address many of the repeatable tasks and lowers the overall cost associated with the skill side of it.
[Steve Prentice] They have also introduced a concept called “true risk.”
[Scott Clinton] And this true risk scoring is what we’re talking about and how we are quantifying risk in a very transparent way such that organizations can see exactly why and how that risk is being calculated and understand, unlike many other solutions, with that transparency, how they can better justify prioritization between security and IT ops.
[Steve Prentice] For more information, visit qualys.com.
What aspects haven’t been considered?
[David Spark] Jonathan R., CISO of Lightspin, said, “It helps to be deep in areas that matter for wherever you end up. I’d say GRC is probably applicable, but to be fair, those folks usually aren’t as technical as you need to be,” and both of you brought up that issue. Keith Price who’s with Envision Pharma Group said, “Industry sector will also determine the path. Tech business? Tech CISO. Financial sector? MBA CISOs do very well. Cyber business? Red, Blue, Purple, Orange experience plus how to schmooze.” And Rich Friedberg of Live Oak Bank said, “A BISO role often has the most scope coverage. If structured as such, you may very well be operating as the CISO for a particular business unit or division.” I really like this take overall, and I’m going to start with you, Steve. The ones that come in eager to understand the business before they even understand cybersecurity, specifically mentioning the BISO role, that was a very interesting take. What do you think? Have you, by the way, seen a BISO cross over to a CISO?
[Steve Zalewski] Yes, I have seen that, and I think we’re going to see more of that. The challenge when a BISO becomes a CISO is if they’ve primarily been brought up on risk and risk management. It’s just like any other job. If there’s a technical component to it, you either better have a strong team there to support you so that you can be intelligent in having the conversation when it’s necessary, or you better acknowledge that that’s a weakness that you have and understand how you’re going to manage that weakness. Because just like a CEO to the board is everything to everybody, he’s got to be an expert in it all. So, how good is he at managing the expectations of the role and understanding where his strengths and weaknesses are?
And so that’s why I think more and more the BISO side of the role is actually more and more important as the CISO role, and we talked about this earlier, becomes more of a business expectation, not a technical expectation. But I will, on the other hand, say but for the foreseeable future, 80% of the CISOs have got to have a technical background because at some point if you work for the CIO, there’s an expectation of technical expertise, and also that your program has good foundational technical capability.
[David Spark] Evelin, again, it’s a very interesting angle to be within the industry itself because industry-specific issues become so unique. I’m thinking about one CISO we’ve had on, Deneen DeFiore who is the CISO of United Airlines. And man, the airline security issues are so, so different than like, Steve, where you worked at Levi’s, and where you work, Evelin. My feeling is if you didn’t really understand the airline industry even if you were spectacularly technical, it just wouldn’t work, would it, Evelin?
[Evelin Biro] Yes. Actually, Deneen is a phenomenal leader, I know her personally, we worked together at GE, and she’s amazing. Now, from the perspective of what you said, different industries require different CISOs, absolutely right. I work in the financial industry and there are very specific requirements which I need to be a master of, including the regulatory space. This separation of BISOs versus CISOs, I personally think it shouldn’t exist necessarily. CISOs are BISOs, and BISOs need to be CISOs. Too many acronyms there, but I think that is the golden point of where we want to be. Every CISO needs to be versed sufficiently for supporting the business, and that is really their role. I’m seeing CISOs as leaders and risk managers, as strategists, visionaries, and politicians, and not really technicians. One of the things that I’m noticing in a lot of job requests or job descriptions for CISOs are these incredible requirements for technical needs, including configuring the firewalls. And what is missing there is their…
[David Spark] Let me ask you – when’s the last time you configured a firewall yourself?
[Evelin Biro] Exactly. If I have time to do so and to configure a firewall, I cannot have sufficient time to be a visionary, to be a strategist, to work with the business.
[David Spark] But let me ask you – the last time you configured a firewall, wouldn’t the setup today be completely different, and you’d have to relearn the damn thing?
[Evelin Biro] Exactly. And all of these technicalities which are still required in job searches seem to be ridiculous for the requirements of what we are expecting from CISOs. That is what I’m finding to be still a little bit strange in the industry, that we are having expectations of a CISO as a business leader on the technical side, yet we are requesting very technical requirements. So, I find that to be a little bit strange. Where CISOs are not technicians, they are visionaries.
[David Spark] What about this – and I’m going to throw this out to both of you and I want a quick answer – is it possible to not be a technical CISO but have a deep love and appreciation of the technology, but you couldn’t physically put your hands on a darned thing and actually fix anything? What do you think, Steve?
[Steve Zalewski] Yes. It’s what an architect is.
[David Spark] Okay.
[Steve Zalewski] If you think of it as enterprise architecture is the ivory tower – do as I say not as I do.
[David Spark] Because I can’t do.
[Steve Zalewski] Because I can’t do.
[David Spark] There you go.
[Evelin Biro] I would agree with Steve on that point. I would also want to add that being open-minded as a leader, even without sufficient understanding of the deep technicalities that might be required, is why at the end of the day we have a team which has such deep technical expertise, and a CISO can be successful.
[Steve Zalewski] I’m going to add one more point to this too, and I think it has to do with the blending of, yes, enterprise architecture and the ivory tower of technology, and then being a CISO or a BISO, which was being the business leader or the organizational leader for security. Which is many of the problems we’re having is that our perimeter, our ability to manage what is a predefined problem, is moving on us continuously, and it’s growing. So, this conversation of can you address a firewall. There’s some CISOs that can in a small enough organization, and they don’t have any enterprise firewalls and they’re using SecurEd [Phonetic 00:20:01] stuff, it’s possible, right? It’s not probable, it’s possible. But I think the larger problem for all of us is we are going through such an expansive growth of what our perimeter looks like and what our challenges are, that to Evelin’s point, we’re spending a lot of time now just trying to get a handle on how we are going to expand our risk perimeter and be able to measure it, never mind focus on some of the technical tools on a specific component.
What is everyone complaining about?
[David Spark] Andrew Cardwell of UL Solutions said, “A CISO is generally a short-lived, thankless, and stressful role. Why do it? ;)” and we also have a little winky emoticon there. Dr. Richard Diston of The Real Security Doctor said, “Nobody should ever aspire to be a CISO. It stands for Career Is So Over,” I had never heard that term, is that a common one? I don’t know, “Total poisoned chalice in most organizations.” And Mark Reister of Newfold Digital said, “It’s never the role. It’s the person and the passion for the role, plus the networks you have built and become part of. There are thousands of paths on this journey,” which we mentioned at the beginning, “…and many opportunities to burn out along the way.” I love that line! So, I’ll start with you, and I want you, Evelin, to conclude this segment. Steve, a lot of them are saying, “Why do you even want to do this? There’s so much heartache involved in this.” But I want to hear both sides of the story here. I want you to argue me out of being a CISO, and I want you to argue me to be a CISO.
[Steve Zalewski] Sure. So, being a CISO is easy if…
[David Spark] Big “if” coming up.
[Steve Zalewski] …in your life, you wanted to be a firefighter or a policeman or in the military where you have an inbred need, ability, want to be a hero, to do that heroic thing to save lives, to save people. Okay? You’re wanting to be a CISO. You want to be Incident Response. You love that. There’s a lot of IT and security people that thrive on that, “I am going to save the day.” That’s why you want to be a CISO. That’s why you want security is because you’re driven by that type of heroic value proposition.
The challenge with that is it only goes so far. So, why do you want to be a CISO? Is, well, but if there’s a fire or a flood every single day, you can only sustain your team and your ability to be heroic for so long, in which case you burn out. Plus the executive team doesn’t want heroic then, they want the fires and the floods to stop. So, how do you prevent them? And so then what I do is when I present it that way to audiences, everybody says, “Why would you want to be a CISO?” There’s no way to be successful. There’s no common metric. There’s no common way of evaluating risk that you can demonstrate that you’re going to be successful. You are set up for failure, and you just want to fight the heroic fight. That’s the yin and the yang of the position.
[David Spark] Evelin, why do you want to be a CISO and not be a CISO?
[Evelin Biro] It’s kind of funny what Richard wrote and you just read, that comment of, “Nobody should ever aspire to be a CISO.” The CISO job is really… It’s thankless. It is stressful, it is political, it can be quite lonely and siloed, and it is supported in the majority by your team. However, I actually find the CISO role to be helpful. Yes. I don’t have to hear thank you for it. But where I am getting the passion for my job is really also from my team members. The amazing fearlessness of my teams, of my colleagues to really protect the members, the customers, the patients, and their data without ever being told thank you. Just that selflessness of working day and night, as Steve said, there is constantly something happening. But actually achieving something which in the best instance can be nothing. If nothing happens, everybody’s happy with us. Nobody kind of bothers us, nobody asks anything. What I’m saying, “us” meaning a CISO and security organization. But so much work goes into helping from behind our customers, our members.
[David Spark] I always say that if you just knew how much heavy lifting was going on in the background to make nothing happen.
[Evelin Biro] Yes. And that is the amazing part because sometimes we as security professionals spend so much time fighting, and then we get in the board meeting, and we get not mentioned. And somehow, that is a good thing that we were not mentioned.
[David Spark] It’s a good thing. Isn’t it deflating though?
[Evelin Biro] But it is.
[David Spark] Just a simple, “I want to thank the security team.”
[Evelin Biro] Yes. And I have to admit that our CEO is very sensitive to that, and he actually makes a very conscious effort to state exactly what you, David, said right now, and that is, “Thanks to our information security team for doing something,” and he always finds a story where he can bring information security team into it and basically share with the business why was that important.
[David Spark] That is great, and I want to close on that. That’s excellent. That your CEO brought it to the table, so that permeates through everything. And I love that. That’s awesome. All right. We come to the portion of our show where I ask you, Evelin, first. You already told me what your favorite quote is, you told me that it was Richard’s, which was, “Nobody should ever aspire to be a CISO.” So, here’s my question – when did you aspire to be a CISO, and did you think it was the right thing at the time?
[Evelin Biro] Yes, actually, my role changed. I was a risk manager through and through. I was in IT and security for a very long time. Not to age myself, but just about somewhere around 20 years. What inspired me, there was a problem. There was a problem, a significant problem that had to be solved and I just thought that I am the person to solve it. I love puzzles, so for me being in security was like one big puzzle. Was it right? I believe so. I believe in the energy that the CISO role brings and the protection that it brings to our members, to our customers. So, I believe that that was the right choice.
[David Spark] Curiosity. We hear it again and again and again. That is one of the best features of a security professional.
[Evelin Biro] Absolutely.
[David Spark] Steve, your favorite quote and why?
[Steve Zalewski] So, I am going to go with Mark Reister from Newfold Digital, “It’s never the role. It’s the person and the passion for the role.” And I’m going to go with that one because the CISO role maybe is 15 years old, and we are far from ending the journey on what it’s ultimately going to be. And so I think if you want to be a CISO, to have the title is one thing, but I think the CISO role is evolving, and what you’re seeing are people like Evelin stepping up, with seeing what it looks like today and not satisfied. And seeing where the vision of what the CISO role has to be and how to mature it to the next level. And I would say if that is your passion, and that is what you want to do, then the CISO role is for you because it’s not as the defining crowning moment of your career. It’s as the first step in setting the direction for the next generation of CISO.
[David Spark] An excellent “but” for today’s episode. Thank you very much, Mr. Steve Zalewski. Thank you very much, Evelin. Evelin, I let you have the very last word here, so hang tight. Huge thanks to our sponsor Qualys. Thank you very much, Qualys, for sponsoring this very episode of Defense in Depth. Steve, any last thoughts about this topic and our guest Evelin?
[Steve Zalewski] So, I would say this topic is one that even in the last three months has generated so much interest because we don’t know what to do. And so the fact that this topic is so top of mind tells me that it is very relevant a topic and that we’ve got a ways to go. So, continue the conversation, continue to challenge ourselves to understand how we set the expectations for the role going forward.
[David Spark] All right, Evelin, I toss to you – your last thoughts. And by the way, I always ask all our guests are you hiring. Are you hiring?
[Evelin Biro] Yes, we are hiring. We have quite a few open positions.
[David Spark] Excellent, awesome. So, your last thoughts on this topic?
[Evelin Biro] The fastest and quickest way to a CISO’s role is really not the point, and I think that there shouldn’t be any. But we also shouldn’t look for the box in which we should put CISOs in and say, “This is what a CISO’s supposed to be.” There are so many different paths, as we already concluded through this podcast, that CISOs can come from, from different industries and different requirements that those industries have. But one thing that is important for a CISO – it is important to be a person with strong leadership skills, with strong management skills, with a strategic vision, to be a visionary as well, and a person that can – a little bit of a politician – but also a person that can speak the business language. There is so much more to CISOs than just putting them in a box of technical requirements.
[David Spark] We hear this all the time; I agree a whole 100%. Thank you very much, Evelin. Thank you very much, Steve. Thank you to our audience. And thank you, let’s say, Ashish Rajan who brought up this question which caused a whole mess of controversy. I think, by the way, he maybe unwittingly did this, but by limiting the answers, it forced everyone to go, “Wait a second! There’s a lot more to this!” which I think it might have been an unwitting, clever thing to do, but if he did it intentionally, double kudos to him as well. So, thank you very much, and thank you to our audience. We greatly appreciate your contributions. If you see a great discussion that happens online, ping me, let me know about it. You can do it on LinkedIn, you can do it through our site, wherever, I’m easy to find, David@CISOSeries.com. Thanks for your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please – write a review. Leave a comment on LinkedIn or on our site CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.