Every CISO has a unique path to getting the role. But once you’re there, what does it take to be effective?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Christina Shannon, CIO, KIK Consumer Products. Joining us is our guest, Tomer Gershoni, former CSO, Zoominfo.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, SeeMetrics

Ready to automate your security programs? Start connecting your environment at seemetrics.co
Full Transcript
Intro
0:00.000
[David Spark] Every CISO has a unique path to getting the role. But once you’re there, what does it take to be effective?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And my guest co-host, she many times has been a guest on the show, but now it’s her first time as a guest co-host. None other than Christina Shannon, CIO, former CISO over at KIK Consumer Products.
Christina, thank you so much for joining us.
[Christina Shannon] Thank you very much, David. I’m super excited to be a co-host today too.
[David Spark] The reason you’re here is because your conversation is what we’re talking about today, but before I bring that up, I do want to mention our sponsor, SeeMetrics. Yes, see the metrics that matter. Sounds kind of cool. Well, it is, and you’re going to want to hear what I have to say about it a little bit later in the show.
So, let’s get to our topic of conversation, which is what you brought up. What do effective CISOs have in common? The role can span a wide range of organizations, each with incredibly unique security needs. But Christina, in a post on LinkedIn, you argued the most effective CISOs find ways to manage risk through a broader understanding of business goals and aligning with those goals.
We have talked about this a lot, and I’m just going to say simple in theory, probably extremely difficult in execution. I would assume you agree. How do you even begin? And we’re going to have a long conversation, but let’s just talk about how does one even begin in that area?
[Christina Shannon] I mean, really look, what I think is that there’s not one path, right, to being a CISO or one strategy that lands in success. And a lot of it does depend on what’s the culture, what’s the industry you’re in, what’s the culture of the company you’re at. But at the end of the day, when you think about what all companies’ goals are that they have alike, it’s companies are trying to increase their revenue, they’re trying to protect their revenue, they’re trying to add customers and keep customers.
That might vary a little bit, but from an 80/20 rule, that’s what all companies are trying to do. So, really, in my opinion, where you start is that as a CISO, you understand that first, and then you line up your protections and all of your other security capabilities around those things that will ensure the company can still grow their revenue, protect their revenue, and add and keep customers.
[David Spark] Excellent point. Well, we’re going to get into this in a greater discussion, and we have a great guest who’s going to help us with this. He is the CSO over at ZoomInfo, none other than Tomer Gershoni. Tomer, thank you so much for joining us.
[Tomer Gershoni] Thanks for having me. Great to be here, David.
What’s the CISO’s role?
2:59.541
[David Spark] Al Berg of Tassat said, “The CISO has transformed from being a senior technology role to a senior organizational leadership team member. While the CISO needs to have an understanding of the technical aspects of the threats faced by a business, he or she also needs to be able to connect those threats with real business outcomes and effectively communicate this information to a wide variety of stakeholders.” And Vishal Chawla of BluOcean Digital said, “Many security leaders are often boxed into their roles as technologists and defenders.
However, I’ve seen a recent shift where a few are enhancing their strategist and collaborator muscles, and those individuals are definitely finding a place at the strategy table with C-execs.” So, I mean, this is practically a theme for our whole brand, the CISO Series, but this whole thing of you are a business executive first and technology executive second because we’ve actually seen many successful CISOs that don’t have technical backgrounds.
Would you agree with that statement, Christina?
[Christina Shannon] Yes, absolutely. I think that you have to tie, whether you’re a CISO, a CIO, any type of technology executive leadership position, you have to tie into what the company cares about and what’s the company’s goals and what they’re seeking from an outcome standpoint. Completely agree.
[David Spark] And Tomer, let me ask you, do you come from a technical background or sort of a business development background?
[Tomer Gershoni] So, I come more from a technical background. I’m an engineer by design, I would say, but I learned throughout the years. ZoomInfo is my fourth CISO role, and I learned throughout the years of how to shift from the technical background or technical nature where I grew up with into adjusting my priorities based on the business priorities, yeah.
[David Spark] So, it’s interesting, I never even think about this, but for most CISOs, and I’m saying most here, you’re kind of in a weird way taking an entry-level business role, aren’t you? Because you kind of have all these sort of technical, technical, technical roles, and then all of a sudden, you hit CISO.
And not always the case, sometimes you do, but all of a sudden, whoa, now I have a business role, and it’s kind of entry-level for me in a way. Christina, you’re smiling. Did that happen to you?
[Christina Shannon] Absolutely. Also, I’ve done the CISO role a few times, and I think through trial and error is how I found my way to the post that I made, what certainly wasn’t at the start or in my first CISO role. My first CISO role, or probably even the second, I was still trying to justify technology spend and why I just needed one more tool and how that was going, but I still couldn’t really tell anyone if we were winning, losing, where we were, even on the chart from a risk quantification standpoint.
I can barely say risk quantification. So, I would say I’ve come a long way, and I think it’s natural for a lot of CISOs to have started really technical. They found themselves in these roles because they’re the best person for understanding what bad can happen and how to prevent such or how to limit impact from such, but a lot of times, looking back, this role probably could use a little bit more training in the MBA path.
[Laughter]
[David Spark] Okay, so let me ask you that, Tomer. Prior to getting to the CISO role, so think about all the roles you had prior to that, did you have any business experience? You must have had some because that’s how you got to the role, but where did you start getting the business experience to get you to move to that role?
Like when did that start coming into your sort of training development?
[Tomer Gershoni] I started in security already during my bachelor’s degree studies part-time, and you always try to tie the security processes, security controls into the business controls to allow the business to run while putting the security controls in place. So, that was already during my… And I learned electrical engineering, which has nothing to do with security, but I took those lessons learned during my first role as a student and took them towards later on in my career.
Now, it really, the balance between business and security really depends on the organization. I’ve been a CISO for software and tech companies, and I’ve been a CISO for the Israeli government, who your enemies are other governments, obviously. So, your risk tolerance over there really varies, and the way that you communicate the risk to your peers, to your C-level peers, to the board, is how it ties in the end, the way that the organization will manage the risk.
Who owns this issue?
7:58.925
[David Spark] Raymond Cheng of Decrypt Compliance said, “CISOs need to take a function which is generally not well understood and make it valuable to the CEO. It’s an art, and you must tailor your approach and priorities to the needs of an individual business.” Aysha Khan, Treasure Data said, “CISOs are responsible for monitoring and identifying potential risk within an organization.
Articulate these risks to all stakeholders and build trusted relationships to align everyone on strategic security priorities that can help achieve business objectives.” I mean, both Raymond and Aysha’s comments here are as in line of what the CISO’s role is as could possibly be. I mean, they hit the nail on the head.
So, Tomer, I think what we really want to know is, from all this and the topic that Christina brought up is, how do you know if you’re doing any of this well, as viewed by the business? I guess that’s the real question I have.
[Tomer Gershoni] I think that in general, we are seeing businesses in the last forever, but especially in the last 10 or 15 years, striving to accelerate and grow faster than ever. And therefore, management of cybersecurity risks becomes much more challenging than ever. Because if we’re looking into cybersecurity risks and the way that we manage them, they were very slow paced.
You were coming into review quarterly or annually and check progress on whether you mitigated or some progress towards the risk.
[David Spark] Let me cut in and just say, if the business didn’t move and grow, cybersecurity would be a lot easier. Yes?
[Tomer Gershoni] Exactly.
[Christina Shannon] [Laughter] Yeah.
[Tomer Gershoni] I mean, the easier thing to do is just shut down all computers and then you’re safe, right?
[David Spark] No, but just the growth of the company becomes part of the challenge of doing your job.
[Tomer Gershoni] And exactly. And that’s the secret sauce that we as CISOs have to, security leaders have to accomplish, to combine the balance between allowing the business to move as fast as possible, but to provide the business with the risk context of what it means to move in the pace that they are looking to do.
And we’re seeing that all over with the rapid adoption of DevOps or post-COVID with many businesses moving into online or remote work, the risk exposure, attack surface even increases. And now your challenge as a CISO is how you translate these technical details of remote management risk to a business risk and allow the CFO, the CTO, even the CEO with the understanding of what it means to work remotely, as an example.
[David Spark] I’m going to come back to you because by the end of this episode, I want to know how either one of you finds out if you’re doing a good job and if the business ever tells you, Christina, let me see if you can answer that question.
[Christina Shannon] So, in terms of how you measure success or not in terms of the CISO role, I really look at it as, again, it depends on where you’re at. Because like what I would say for Fortune 50 company, you’re going to probably have a different model than you’re going to have a midsize 2, 3 billion a year company.
At the Fortune 50 company, you’re going to have probably a governance committee and you probably have a defined risk tolerance. And so then you have a way to measure your effectiveness as an organization because you probably have an organizational risk management arm too, where every function’s getting together, you’re reviewing the top risk for your function, and then you’re measuring those against your risk tolerance.
[David Spark] But is there ever a day, like you think about in sales, you make a big multimillion dollar sale with some client. That is a defined win. I can put a stamp on it. We all know. A, does security ever get to enjoy the glory of that win? Or is there a moment there is a moment of a win? Now, it can be stopping an attack and communicating to the rest of the business, “Look what we did,” or “An attack actually got through, but we minimized the damage so much that it was just a blip on the radar.” Are there moments like that that you can point to?
[Christina Shannon] Yeah, just to call out an example, right? If you’re a data analytics company, or you do even in the world of AI, if the sales team’s getting that new deal, that may mean that you’re able to successfully navigate through your third-party risk management, your data privacy processes, you’re able to demonstrate that each side has capabilities to manage the confidentiality, integrity, and availability of the data.
[David Spark] Tomer, close this one out. What are those moments? I described a couple of examples. It could be that or something else. You were kind of smiling when we were talking about that.
[Tomer Gershoni] About a decade ago, when I started the security program in HP software, I named the team Security and Trust with an objective not only to do security, but to do security in the sake of building trust with customers. Two years later, HP software became the first company in the world or first business in the world to be ISO 27034 certified, focused on application security.
And we were able to close deals because of that. And we are able to accelerate the way that our sales folks are closing deals. And especially when you deal with enterprise customers and our sales folks in the audience knows what it means to close sales with enterprise customers. This is extremely meaningful.
So, we were not only able to do security, but we were able to do security in the sake of building trust with customers and closing deals, and that’s what’s important to the business in the end.
[Christina Shannon] I have one more example of a win. I wanted to add on to it.
[David Spark] Go ahead.
[Christina Shannon] So, my example would be business interruption, right? Ten years ago, five years ago, really the focus on cyber attacks was on how do you limit the impact from a data breach. Today, I think it’s relevant to say the first focus should potentially be on how do you limit a business interruption?
If you have a cyber attack, how do you make sure that it doesn’t reach your crown jewels, that it doesn’t stop your operational processes, right? So, I would say an example of a win would be starting there. It’d be identifying how does your company make revenue, how does it add customers, and then finding the technology that supports those processes, and then putting the wrapper around them or the security enclave.
It used to be called a DMZ, right? To make sure that those environments are protected. And then add on your 90%-plus asset coverage from a laptop, desktop standpoint with your ADR, and you combine those things, you can have high confidence that you will limit a business interruption. I would call that a huge win for most companies today.
Sponsor – SeeMetrics
15:21.573
[David Spark] Before I go any further, a big thanks to our sponsor and brand-new sponsor, and that is SeeMetrics. Now, SeeMetrics, let me explain what they are. They are a data fabric platform that transforms disparate siloed data from all corners of your organization. With SeeMetrics, organizations continuously measure and prioritize risk, seeing the full – this is key – context.
We all discuss what needs to be measured, but we are overlooking the key part of how to do this efficiently without taking away our security subject matter experts, the SMEs, from their main job, and that would be securing our organization. There’s so many different measurement needs – readiness, frameworks, projects, security programs, products, and our own security policies.
So, how can this be done in the most efficient way? When you plug into SeeMetrics’s platform, you gain collections of metrics and boards that result in your own custom story and prioritized roadmap, including goals, progress gaps, and critical issues. You ensure your policies are enforced across the organization and see which thresholds are not met.
SeeMetrics is an agentless platform that quickly integrates with your security stack so you can start getting insights within minutes. Ready to change the metrics game? Take SeeMetrics’s test drive today and get a sneak peek at its capabilities. I’m telling you, you’re going to want to see this. How do you do it?
Just go to their site. It’s seemetrics.co. Simple as that. Go check it out.
How do we determine what’s most important?
17:15.597
[David Spark] Nick Reva of Snap Inc. said, “The approach is dramatically different when you have a 220-person engineering security organization with hundreds of in-house services and curated hand-picked vendors. What it really takes is a deep contextual understanding of the industry you are a CSO in, the norms of the company, and hyper-effective leadership skills, and very effective prioritization and communication.” Aditya Sarangapani of WNS said, “Each organization and each industry are different and unique in many respects.
Unless you understand what the business does or wants, you can never be effective. For example, I did not have to explain risk to the underwriters but had to understand what they do and how it impacts the business before I came up with the cybersecurity risk.”
So, both Nick and Aditya bring up the issue of these like ISACA groups that are out there. So, they have these groups that are specific for industries like airlines and retail, which I’m sure, Christina, you’re involved in that, and also healthcare for that matter. But I think about your company, Tomer, and that you own 90% of your marketplace.
So, going to your direct competitors actually might not be the most helpful thing. So, where do you go to to find CISOs who are most aligned with the business model you have?
[Tomer Gershoni] So, first of all, I’ve surrounded myself and my staff with senior leaders that have vast experience in each one of their domains, whether it’s in IT or enterprise security or whether it’s in product security or software security, data security, and DevSecOps processes. Each one of the leaders in my team has vast experience in their own domain, and I encourage them to challenge me as much as possible.
So, that’s my first reach out. The second reach out would be to CISOs in the tech or software or data industry where I know that I can reach out, consult about challenges on how to protect, as an example, customers’ data. What are the best practices to do that? Data security in general is a quite emerging domain and the controls over there are pretty early-stage controls that we put over there.
[David Spark] It’s ironic given that all we’ve been doing is securing data, but it is quite…
[Tomer Gershoni] Exactly, exactly. But you’ve had the Impervas of the world, which have been there for about a decade or more. But if you look into cloud data and how you manage identity and access management of data, those are extremely immature controls. And there is a lot of work that needs…a lot of work, a lot of best practices that need to be put over there.
Now with AI and data generated by AI agents, that’s even increasing the challenge even further. So, what are the controls that you put over there for securing data that is generated by AI agents?
[David Spark] Christina, are you capable of looking at other security leaders and either telling if they are good at their job because again, there’s so much you can see, but I mean, you know if they communicate well and/or do you lean on sort of other CISOs who are in like-minded industries to help you?
And do you find any kind of synergies there and that, “Oh, what they do does work in my environment, and I can do that too.”
[Christina Shannon] Absolutely. So, I would say that ever since my first CISO role, when you first get into it, you don’t know from A to Z, here’s what a successful CISO does. You’re really just trying to figure out how do I not get my company in the news, right? And so from a very young age, whether it was getting threat intel, whether it was going out to some of these research publications like the Verizon DBIR, I’ve always gone to who’s done something more, and if able in the industry, but I’ve also looked at what other industries are doing it well, if my industry is not exactly setting the bar.
And so I would say, yeah, between the community, right? LinkedIn and different sources and CISO peer groups, I’m always looking for how others are solving problems to enable a work smarter versus harder type model.
What must a security leader be able to do?
21:56.103
[David Spark] Peter Geday of ManageXValue said, “A CISO, like all other executives, needs to focus on resource allocation and prioritization decisions. From a technical perspective, they can identify many opportunities to improve their protective capabilities – proactive and reactive – given the potential threats, attack surfaces and threat actors.
However, in order to define priorities, they need to be able to link all this information into the business ‘so what’ question, whatever that ‘so what’ question should be. So, this requires an understanding of what the most problematic risk events and their business impacts are.” So, sort of a classic sort of look at risk, if you will.
Jamie Walsh of Archer Integrated Risk Management said, “I think the statement that ‘one has to shift from focusing on tech tools and outputs’ has caused a lot of reactions. I think your point is to elevate beyond them – the tech tools. As CISO, you cannot get beyond that if you don’t have great leaders on your team selecting and managing those tools.”
So, Christina, two things here. One is just sort of a basic understanding of how you need to approach risk from Peter. And then Jamie saying, “You can’t think the tools are going to do your job for you.” But at the same time, we like to buy tools that do jobs for us, don’t we? Yes?
[Laughter]
[Christina Shannon] Yes, we do. We’ve spent millions and millions in many security programs, most of us have, on tools trying to find that easy button. Look, I would say that I like both of those comments. I think they’re both spot on. I think as CISOs evolve, with maturity, you get to a point where you start looking at it similar to…
I look at it similar to how I look at leadership. It’s like people won’t work for you until you work for them. Well, the C-suite really, these folks don’t have any time to really go and learn the NIST CSF, right? So, it’s really figuring out how you translate really technical type terms and topics into things that resonate with them, such as asset protection and risk exposure to those assets.
So, I really think to be successful as a CISO, you might start out with the NIST controls framework and the pretty colors to show maturity, but once you’re tying those to assets, that’s really when you’re being effective, I think, or you’re moving that needle towards more effectiveness because you’re going to have an audience that understands what you’re saying.
And they’ll be able to support your investments and understand what they’re going for versus just signing a check.
[David Spark] So, Christina brings up a great topic – moving the needle towards effectiveness. So, there is no on/off button on being effective and not being effective. It’s level of fluidity. So, let’s talk about just moving towards that direction. Tomer, what are the things that let you know I’m going in the right direction?
[Tomer Gershoni] Put yourself in the CEO seat. Okay, you’re running a multi-million or multi-billion business, and you’re managing all kinds of risks. But in the end, as a CISO, as an advisor to a CEO or to the board of directors, you need to put yourself in the CEO seat and think about what are the cybersecurity risks that they will care about.
And then you need to set expectations with the CEO, with the C-suite, with the board on where you think the business should focus from a cybersecurity perspective. Build your goals, build a strategy, build your plan, and start executing against your plan, and set metrics that will support that plan.
For example, when I started the role specifically in ZoomInfo, one of my goals was to improve breach readiness. And I set metrics that will support that goal, like number of events that we’re detecting, as an example. And I was leveraging those metrics to demonstrate the management, the leadership, that we are making progress there.
Now, security, as you know, it’s not a one-day transformation. It’s not that you’ll buy a tool, and it will do this magic, and boom, the risk is gone. No, the reason…
[David Spark] By the way, vendors would like you to believe that that is the case. [Laughter]
[Tomer Gershoni] Yeah, well, that’s wishful thinking. Yeah, exactly. And it’s a marathon. And you need to set up metrics for that marathon in a way that will allow you also to build confidence with the leadership and check with them that you’re meeting their expectations. Therefore, my recommendation in the end will be to build your metrics that will support that confidence.
Now, confidence is a qualitative metric, but in the end, you want to set up quantitative so it won’t be arguable. So, set up the quantitative metrics that will, in the end, allow you to build that confidence and track them consistently in a way that will allow you to demonstrate progress, hopefully not lack of progress, and set up those and track them consistently.
Those are, by the way, not necessarily risk-based metrics. Those could be, as I said, event-based, business-based, or code productivity-based metrics, like how do you reduce the number of vulnerabilities that developers generate, and demonstrate them to the leadership in a consistent way to build the confidence with them.
[David Spark] Excellent. And that is a great place to conclude this conversation.
Closing
27:45.216
[David Spark] Now, I’m going to come back to you, Tomer, and ask you, of all these wonderful quotes, which one was your favorite and why? And you can just kind of summarize like, “I like what so-and-so said because of this.”
[Tomer Gershoni] I really like Nick Reva from Snap on how it really takes this deep contextual understanding of the industry you’re a CISO in. About, I would say, 15 years ago, before I started my CISO career, I was in cyber, but it was before my CISO career. One of my managers gave me a tip of do not get in love with your ideas.
And I’m embracing that and taking that from one position to another. And although I manage security for multiple organizations, and you know what are the best practices, what are the foundations it takes to lead security for an organization, you always need to adapt yourself and adapt your practices to the organizational culture, the DNA, the priorities, the business needs, and set up the practices that you have in your experience or gain in your experience and adapt them to the organizational DNA and the business objectives.
[David Spark] All right. Very good. And Christina, your favorite quote and why?
[Christina Shannon] I have two, so I’m cheating a little bit, but I like Nick’s quote because he is right. And I think it was a great callout that if you’re a CISO starting at a Fortune 500 or a big software engineering firm, you’re going to have things a little bit more scripted, that you’re going to have a lot more maturity in what you’re walking into.
So, you might have more of a committee versus you’re the CISO going and providing the communication to the CEO and CFO of what they need to be aware of and what you’re doing about it. I would say, on that though, is I spent half of my career in those types of companies. What you assume in those worlds sometimes, at least my experience, was that someone is doing that, right?
And so you’re in all these teams and then you forget to talk to each other, and then the CISO sometimes thinks that they have somebody that’s doing that for them. And I’ve seen a few times where the C-suite still doesn’t know if they’re winning or losing, if their assets are protected. And it’s just because the processes are there, the people are there, but it’s remembering to communicate up to those who need to hear it most, right?
And then also too, I really liked what Peter said. I think that obviously everything that we’re doing when we’re leading teams, whether you’re a CISO or a CIO, is you’re looking at resource allocations and you’re looking at prioritization. And at the end of the day though, it really does come back to what are you doing to show risk quantification?
And then I might be stealing someone else’s quote, but the “so what” really to me is, is why does the C-suite care? Why does the CEO care? Why does the CFO care about what it is that you’re bringing them? I think that’s spot on in terms of what you have to do to be effective.
[Tomer Gershoni] One additional point that I would advise is that CISOs or security teams in general have the perception of the big brother or the security police. I would advise to go and there’s no [Inaudible 00:31:19] what. We are monitoring the company; the company wants to run. And in certain circumstances, yeah, it’s inevitable [Phonetic 00:31:24] to be captured in such a way.
But I would try to push effort into building relationships with different stakeholders in the organization and be not the security police, but more of a community police, if you get what I mean. Be part of the company instead of someone from this side and develop this trusted advisor relationship with different stakeholders in the company.
As a CISO, or even your direct reports in the team, develop those trusted advisor relationships so you can leverage that for better success.
[David Spark] Excellent. Well, I want to thank you, Tomer, and thank you, Christina. A huge thanks to our sponsor, SeeMetrics. See the metrics that matter most. Just go to their website, seemetrics.co. Let me quickly ask you, Christina, Tomer, are you both hiring? Yes?
[Christina Shannon] Yes.
[Tomer Gershoni] Yes, definitely.
[David Spark] Okay. So, I’m assuming you have a jobs board at your site. And can people contact you directly, say, “Hey, I heard you on the show. I’m interested in this position”? Yes, Christina, Tomer?
[Christina Shannon] Yes.
[David Spark] Awesome. So, by the way, we’ll have links to their LinkedIn profiles on the blog post for this episode. Thank you very much, Tomer. Thank you very much, Christina, for stepping in as the guest co-host for this very episode. And thank you to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.