CISOs say stress and burnout are their top personal risks. Breaches, increased regulations, and the tech talent shortage are all contributors to the stress. Sure would be nice for the CISO and the rest of the team to look at a chart that showed the CISO’s stress level in real time.
This week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and special guest co-host Shawn Bowen (@SMbowen), CISO, World Fuel Services. Our guest is Meredith Harper (@mrhciso), svp, CISO, Synchrony.
This episode was recorded in front of a live audience in Chicago at The City Hall nightclub for the opening night of Evanta’s Global CISO Executive Summit.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Cisco
[Voiceover] Biggest mistake I ever made in security. Go!
[Meredith Harper] I had an opportunity to talk to my board about a security breach that we were having, and I talked to my board before I actually told the CEO.
[Voiceover] It’s time to begin the CISO Series Podcast, recorded in front of a live audience in Chicago.
[David Spark] Welcome, everybody, to the CISO Series Podcast. My name is David Spark. I am the host and producer of the CISO Series. And joining me on my left is my guest cohost, Shawn Bowen, who’s the CISO of World Fuel Services. Let’s hear it for Shawn.
[David Spark] We are available at CISOseries.com. I do want to mention our sponsor for today, who is the sponsor of this event that we are having right now in Chicago, which I’m going to mention in a second. Cisco is sponsoring, so let’s hear it for Cisco for making this all happen and bringing us together in person here. So, we’re recording on front of a live audience in Chicago as part of the Evanta Global CISO Executive Summit. First time this group has been in person. You’ve been to these groups before, yes, Shawn?
[Shawn Bowen] Yes.
[David Spark] You have.
[Shawn Bowen] This is my third Global.
[David Spark] They let you in a third time. All right.
[Shawn Bowen] They don’t let me in.
[David Spark] You barge in. I understand. So, one of the things that Cody said just because we got on… He’s having the question of the day. He asked the question, “If you had a private jet and you could go anywhere in the world, where would you go?” I know your answer, which I want to know. But I’m questioning why it specifically had to be a private jet because I do know that other airplanes do take you to locations in the world.
[Shawn Bowen] Yeah, I don’t care where it is. I just want to jump out of a plane. I just want to…
[David Spark] What’s the highest elevation you’ve jumped out of a plane?
[Shawn Bowen] 18,000.
[David Spark] 18,000 feet. Most planes go up to what?
[Shawn Bowen] Anything above that you got to hold oxygen.
[David Spark] You got to hold oxygen.
[Shawn Bowen] Yeah, which I’m trying to do. There’s a place in California that’ll let me do a 30,000 foot jump.
[David Spark] That’s the altitude most plays go at, right?
[Shawn Bowen] Yeah, around there.
[David Spark] 30,000. How long would you be falling at 30,000 feet?
[Shawn Bowen] About two and a half minutes. You’d probably free fall for four minutes under canopy.
[David Spark] How many jumps have you done?
[Shawn Bowen] Just 104.
[Meredith Harper] Just 104.
[David Spark] Nobody is counting here.
[Shawn Bowen] That’s not a lot. That’s not a lot. In that skillset, people have thousands. And so I got to work my way up there.
[David Spark] All right. Well, we have hope for you that your parents will be more proud of you one day.
[David Spark] All right, let’s bring on our guest today. Very excited to have our guest today. It is the CISO for Synchrony. Let’s hear it for Meredith Harper.
[Meredith Harper] Thank you. I’m so happy to be here. It’s exciting. Let’s get in it.
What’s the best way to handle this?
[David Spark] So, there is a significant disconnect between companies’ increased commitment to diversity and inclusion and the day to day experiences of women of color. This is according to research from McKinsey as quoted in SC Magazine. For example, “Although more than three-quarters of white employees consider themselves allies to women of color at work, less than half take basic allyship actions such as speaking out against bias or advocating for new opportunities for women of color.” Now, I can see how this disparity happens. Unconscious bias is prevalent. People want to do the right thing, but they simply don’t know what it is, or their seemingly nonoffending behavior is a series of micro aggressions. So, Meredith, we spoke about this earlier, and you spoke to the minority’s need for accomplices, not allies. Explain to me what’s the difference, and how do you turn an ally into an accomplice.
[Meredith Harper] For me I think that accomplices in my opinion are the ones who actually get into the planning with you. So, we had talked about it a little bit before. That I want the person that’s going to be ten toes down. We’re going to make the decision together. We’re going to decide we’re going to be handcuffed together. We’re going to bust down those doors. We’re going to do it together. Allyship to me is it gives you the ability to step in and out of the space. Whereas accomplices, once we plan it and we choose to do it and attack it, we’re in it together. So, we’re going to bust it down together. We’re going to deal with it together.
[David Spark] Great example or great definition. I’m going to want examples in a second. I’m going to ask you, have you had the opportunity, Shawn to be an accomplice?
[Shawn Bowen] So, we were talking about it before, as we mentioned. Coming from the government, they put us through significant more amount of training than I’ve ever received in the corporate world on unconscious bias. To be a leader, that’s one of the required trainings. I think it’s 40 hours of training on it. So, there’s been a lot of that there. There’s a lot of mandatory inclusion, which kind of forces your hand to make sure that you’re incorporating that by part of your design. Then it just becomes secondhand nature because you’re doing it regularly.
[David Spark] Okay. So, going back to you, Meredith, give me an example of someone who is an awesome accomplice. What the heck did they do?
[Meredith Harper] So, it was really excellent. Eli Lilly was the company that I was at before I came here. We had a group of about 500 men across our organization that considered themselves allies. They decided that they wanted to become accomplices, so they actually met with me and said…
[David Spark] Pause. You glossed over that one a little quickly. They just decided they wanted to be accomplices.
[Meredith Harper] They did.
[David Spark] How the heck did that happen?
[Meredith Harper] They had some conversations with me.
[David Spark] Okay, that’s how they decided.
[Shawn Bowen] Were those closed door conversations?
[Meredith Harper] Yeah. So, because they had some conversations with me, some of them took it back to the allyship group of men. There was about 500 that was allies to our women’s network. And they said, “Okay, Meredith, we no longer want to be just allies. Tell us what we need to do. Let us get into the planning with you. Teach us how to advocate in the room. Teach us how to actually be responsible and hold the accountability.”
[David Spark] Okay, we’re getting into the meat of this.
[Meredith Harper] All of that, yes.
[David Spark] What did you teach them?
[Meredith Harper] I taught them that you have to be able to speak up in the room, but you also have to plan it with me. So, for example – if we’re going to go in the room, and we know we’re going to have a really tough conversation where I as a woman might get glossed over because someone doesn’t want to hear my opinion, I have already talked to you before we walked in that room, and you know how you’re going to actually stand up for me in the room to ensure that people hear my voice. We planned that before we got in the room. It didn’t just happen by happenstance.
[David Spark] Very, very good point. Have you been educated that way, Shawn?
[Shawn Bowen] I don’t think that I’ve had it deliberately for specific to minorities or by either sex or race, but the preplanning that strategy before you get into the room is something that is I think natural. So, I think you find where the weakness is. Whether that is because of who’s presenting it or the idea, and you want to pregame that and have a deliberate strategy when you get in there. So, I could say possibly but not directly.
Confessions of a CISO.
[David Spark] CISOs say stress and burnout are their top personal risks according to research from Heidrick & Struggles, as quoted by Susan Caminiti on CNBC. Breaches, increased regulations, and the tech talent shortage are all contributors to stress. Do we have agreement here on that?
[Shawn Bowen] Yeah.
[David Spark] Yeah, all right. “It makes the job that much more difficult when you’re carrying that weight on your shoulders, and then you need to ask your team to do the same,” said Dannie Combs, CISO over at Donnelley Financial. “This is causing many very capable CISOs to leave the role,” said
Matt Aiello of Heidrick and Struggles. Aiello said, “These individuals are mission driven by security. It’s just the pressures are too much for them to accomplish that.” So, Shawn, I’ll start with you – what do you think companies can do to alleviate this pressure and help a CISO better succeed?
[Shawn Bowen] Yeah, so I’ll admit last week’s decision on Uber was not the most fun I think for a lot of us. Especially if you can’t spell law, which I can’t. And so trying to find how…what my liability is has not been the most fun last two weeks for me. There was an RSA briefing from two years from a legal professional talking about the CISO’s legal liability and about Yahoo’s CISO was actually sued and named. Same with Equifax. How the CISOs are being named. I’m sitting there thinking, “Well, all my training is about security, and risk, and business impact. I have zero legal training. How do I learn that side of the job?” And so the question kind of comes as what can companies do is I want my lawyers and my general counsel in the company to attend the class for CISO liability as much as I want to attend it. So they know how I can be better protected. Then the other piece of this is regulations I think are kind of natural.
We’re kind of there. The talent shortage is something that I think we’re all kind of dealing with. For me I don’t feel that that has been so much the stress. I think it’s the external stressors that are coming about of not understanding the risk for the companies from a cyber security perspective. My boss is meeting with the CEO of a very large security company later this week, and he asked me, “What questions should I ask him?” I said, “Ask him what you should know that I’m not providing so that we can have a better relationship. But not only what should you know, what should your direct reports know, what should the board know, and what questions should you be asking me on a weekly basis, or preplanning, or whatever it might be so that we can have a little bit more preemptive thought.” And so I think that helps me a lot because I’m no longer the one person holding the flag or the team that’s holding the flag against the wave of the rest of the company. So, that’s where I’m going with it right now.
[David Spark] All right, I like that. So, educate me, educate my team, and let’s improve the conversation specifically around legal. Meredith, what do you need to make essentially…make yourself or other CISOs better able to succeed?
[Meredith Harper] I’m going to be a little provocative here. I’m of the belief that CISOs should have a seat at the table with the executive committee. I think that we have buried ourselves too long into IT spaces, and the decisions are being made that we now have to respond to. We’re not always a part of the decision making itself. And so I think that’s one thing if we can really think about elevating this role to be a peer of our CIOs and a peer of the rest of these leaders at the table when the decisions are being made. That would help me the greatest because I’m now ahead of it versus behind it and chasing it.
[David Spark] All right, so we definitely heard that. Let me… Actually, can I get kind of applause from this? What percentage of CISOs here feel they do have a seat at the table by applause?
[David Spark] And by applause, what percentage of CISOs feel that they’re struggling to get a seat at the table? Nobody wants to admit to that?
[David Spark] Or everyone is doing fine in that respect. Everyone is kind of doing okay in that. I know this question comes up all the time. Honestly, would anyone here…? Let me ask the question – would anyone here take a job as a CISO if you didn’t have a seat at the table? No one. No one would. Not at all.
[Shawn Bowen] I don’t feel like I have a seat at the table, but I have access to the table. I think that’s different.
[David Spark] Okay, explain the difference.
[Shawn Bowen] So, I do meet with my CEO weekly. There’s a variety of topics – whatever he feels like talking about that week. Then sometimes… My boss knows it’s my favorite meeting to attend because my CEO is a riot. I can raise issues. Where I feel like I’m missing out… I think kind of to Meredith’s point is there are things happening that I’m finding out about. That’s the preplanning that’s missing is how can I contribute that risk picture earlier in the decision making process. I think we’re closing that gap at my company more and more as we educate, but I also think that that’s… I’m still reminding them that we have to think about that.
[Meredith Harper] And the interesting part about that as I was making the provocative statement, I watched the room, and we had people doing this. Like yes, we think that we need to get ahead of it instead of behind it. I think that’s what you’re talking about. Sometimes you have access but not necessarily always at the seat at the table.
Sponsor – Cisco
[David Spark] Our sponsor is Cisco. I want to tell you, the number of emails that I’ve received that misspell our company name and call is the Cisco Series is rather shocking. It does happen a lot. But they’re our sponsor, and we love Cisco for sponsoring us here and sponsoring this event. Let me tell you a little bit about Cisco and what they’re offering these days, because they’ve got a lot. So, how can enterprise security maintain visibility into and control over who and what is accessing their data? An issue CISOs have. How can you securely enable employees, contractors, and vendors to get work done wherever they might be and whatever network or device they may be on? Kind of describes the job. So, how do you know who and what to trust? Aw, this is where Cisco comes in. Cisco Zero Trust can help protect work force, workloads, and workplace. Now, I’m going to give you a URL, and I want you to remember this because it’s a little complicated. Learn more at cisco.com/go/secure. Again, that’s cisco.com/go/secure.
It’s time to play, “What’s worse?”
[David Spark] All right, we get scenarios from our audience that are phenomenal. We love these scenarios. For those of you not familiar with this game, it’s a risk management exercise. Usually just two scenarios, but I have three scenarios here. Please follow along because they get a little involved. I want the audience to vote as well. The goal here is to determine which of these three scenarios is truly the worst option, meaning it’s providing the greatest level of risk. All right? So, here we go. I always have the cohost answer first, so Shawn, you’re going to be up first answering. Meredith, you’re going to either agree or disagree and explain your reasoning with that. I always like when the guest disagrees with the cohost. All right, here we go. This comes from Nir Rothenberg, who is the CISO over at Rapid, and here’s the scenario. You are the CISO of a modern Cloud first company. Your company is acquiring a 200-person company. Now, what is worse? I’m going to give you three scenarios. Scenario number one, the target company is 30 years old, has a security team of two, but they report to the chief risk officer and spend 60% of their time doing operational risk, reporting to the board, and creating evidence for audits. All right? Scenario number two, the target company is pretty modern in the Cloud with containers and all, but no full time security team. They got a VP of engineering and dev ops. They handle security. Or scenario number three, the target company is modern and Cloud first and has a security team of two, but in the last two years the company was struggling and shrunk by 50% investment in security, and IT is close to zero, and the two person team used to be a ten person team before the cutbacks. All right, I know this is involved, but stay with me. All right, which one of those three scenarios is worse?
[Shawn Bowen] Being Cloud first for me, the worst is the first one. Largely because it’s just an older mindset, and they’re not looking at modern technology, so there’s a skill uplift. And then there’s also the auditor function, which is just garbage.
[David Spark] Their auditing stuff is garbage.
[Shawn Bowen] Yeah, the fact that they’re targeting everything for audit compliance.
[David Spark] Well, no, they do operational risk, reporting to the board, and creating evidence for audit.
[Shawn Bowen] Yeah, but no real IT security risk components of it. So, I don’t trust those people that are just going to read a book and tell me that I’m wrong.
[David Spark] Okay. All right. Which one do you think is worse, one, two, or three? Do you agree or disagree with Shawn?
[Meredith Harper] I have to say I agree with him on this one. We can spend our time chasing audits and providing evidence, but who is actually doing the work?
[David Spark] All right. Now I am going to go to our audience here. I am going to ask them by applause how many people think number one is the worst scenario of the three? By applause.
[David Spark] All right. No, hold on. Don’t listen to her.
[Shawn Bowen] I want to know who’s disagreeing.
[David Spark] I want to know, number two. This is the target company that’s pretty modern in the Cloud with containers and all but no security team whatsoever. How many people think that’s the worst?
[David Spark] Not a lot of people are agreeing with you here. Hold on. Scenario number three, the company is modern first but lost all this investment. The ten person team got cut down to two. Who thinks that’s the worst?
[Shawn Bowen] Aw, I think that’s the best. [Laughs] I could see how number two is bad because of recent acquisitions turning into incidents. You can name a handful of companies, hotels, etc.
[Meredith Harper] But they might not have the security staff in the organization, but we can hire it. We didn’t say that part. It said they didn’t have it.
[Shawn Bowen] I think if you think… I won’t name companies but companies that recently acquired companies and then found out eight months later that they were affected… Because that’s a lot of digging. I understand why people would pick number two. You guys must have great auditors that you like.
[David Spark] Well you can see them, they applauded.
[Shawn Bowen] I know.
[David Spark] Just moments ago.
[Shawn Bowen] I can see why they did it.
[David Spark] You can wrestle them later.
[Shawn Bowen] They like auditors apparently.
[David Spark] All right, we have another “what’s worse” game here. This one is from Jared Mendenhall who is the CISO over at Impossible Foods. Scenario number one, your company has no procurement, vendor management process. Everyone in the organization has been given executive authority to purchase and use whatever software they want without approvals from legal or security or fear or reprimand from leadership. There is a lot of squirming going on in this audience right now as they hear this. That’s scenario number one. A lot of you are thinking right off the bat, that’s the worst. Hold on, you haven’t heard number two. Your company has an overzealous procurement and vendor management process to the point where nobody can buy or use anything. Even credit cards are highly scrutinized, minimizing shadow IT, which sounds good. But here’s the rub, as a result critical investments for security are stuck, and leadership isn’t budging. Shawn, which one is worse?
[Shawn Bowen] Number one. Number two… I just mentioned earlier…
[David Spark] Critical investments are not being made.
[Shawn Bowen] I came from the government. It’d take us years to procure shit.
[Shawn Bowen] I’m used to number two. No, number two because having dealt with where you just uncover things and you have data in places where you’re not anticipating… You have people that have left the company that still have access, etc. I’d much rather be worried about that than not being able to get things in in a timely fashion. Because you can put some mitigating controls in place for not having things.
[David Spark] But let me also mention that people are also… The business may not be able to move because people can’t…
[Shawn Bowen] That’s not my problem. My problem is securing the business.
[Shawn Bowen] Yell at procurement. No, no, I get what you’re saying. But I’m saying if I’m introducing security to…that’s enabling it. But I don’t own the procurement process.
[David Spark] All right, all right. Throwing this one to you, Meredith.
[Meredith Harper] I would have to say number one for me though.
[David Spark] Number one being the worst?
[Meredith Harper] The worst. Because, again, especially if you’re dealing with certain types of data, I can’t have that data all over the place and not know where it is. Secure connections, don’t know what’s happening there. If I think about the contracts that are being signed, if anybody has the ability to sign a contract, I can have a supervisor sign a 12-million dollar contract. I just… To me, that is worse to me to not have that insight.
[David Spark] And the critical investments?
[Meredith Harper] I’ll let the business leaders work through that. I just think to not be able to know that insight, that’s tough for me.
[Shawn Bowen] I think the liability that comes with number one also is just a nightmare.
[David Spark] Oh, good point. All right, now I’m going to throw this to the audience. All right, audience, by applause, scenario number one, is that the worst?
[David Spark] All right. Let’s go the second one. How many people think scenario two is the worst?
[David Spark] A respectable showing on that. All right, I thought it would be fully swayed the other way. Not the case.
[David Spark] Someone yelled vendors clapping.
[Shawn Bowen] It’s all the vendors.
Why is everyone talking about this now?
[David Spark] All right, I am sure many of you saw this because this was totally make the rounds. So, Brian Krebs uncovered a very disturbing trend of fake CISO profiles at fortune 500 companies being created on LinkedIn. These bogus profiles have proliferated as legitimate to outlets like cyber security vendors who scrape this information for the top 500 CISO list. So, a lot of bogus CISOs made that list. So, trying to turn these off is not easy because once reported, a fake profile often takes time to remove as the accused party is given a two-week window to arbitrate. If they don’t respond then it can be taken down. But that delay just provides the time for more sites to scrape the information. Krebs says this bogus profile creation calls for better verification tools like what Twitter does. So, I will start with you, Shawn. I don’t know the answer to this, so hopefully you do. What do you think the motivate is for this behavior, and what kind of damage can a fake profile do to a CISO and their organization?
[Shawn Bowen] Well, first, I don’t know if I should be happy or disappointed that I wasn’t faked.
[Shawn Bowen] Because I’ve been working hard to get my name out there, future job recruiting. And I didn’t even get faked.
[David Spark] Well, yeah, impersonation is supposed to be the highest level of flattery.
[Shawn Bowen] Come on. So, I’m a little annoyed by that. The motive…I’m going to pull from my military experience, is information warfare. Someone spoke about it at a conference. I don’t remember his name. but mental malware, and I really like that term of we’re trying to manipulate peoples’ beliefs and understandings. When you’re able to adjust, it’s harder to correct someone’s thoughts than to introduce a new thought. And so when someone is able to manipulate and create new CISO profiles that are able to infiltrate different scrapings and get contacts, now they can start impersonating. We talked about the impersonation of interviews that were happening in the past. I think this is just kind of next level of CISO representation. Particularly you get a photo. You do deep fakes, etc. And so I could see where it could go from there. I think it’s an interesting attack vector. In my off time, it’s something I enjoy. That game of chess that information warfare is. The damage will be interesting because I think it’s… If they’re able to represent the company as myself or someone else as a CISO, particularly if you’re talking about some of the higher profile companies where people actually know of them since I know every one of you in here knows where I work… They’re not big names. I get a little bit of obscurity. But some of the bigger names, as I look around and look at some of these names where we’ve seen them…
[David Spark] Can I ask, did anyone have a fake CISO at your company created that was not you? Anyone in the room? No one? No? Nobody here? Okay, go on.
[Shawn Bowen] Yeah, so you look at some of these bigger names that have either been high profile incidents or something along those lines… I could see some representation being done by a threat actor to manipulate that information which can affect stock. It could be potential smishing or whatever it might be when there’s… It could be tied to part of their long-term campaign where they take down that company. And so I think there is potentially significant damage. I don’t know how much of that is actual reality. I worry about FUD [Phonetic 00:25:23]. I don’t want everyone freaking out just because there’s a fake profile. But at the same time, what’s the potential.
[David Spark] We’ve seen this play out in other ways. Meredith, what do you think the damage can do to a CISO and an organization? What’s your…? I really like your answer, Shawn. Where do you see it?
[Meredith Harper] The reality is is that we don’t know who is doing this. We don’t know why they’re doing it. And in terms of the damage, I think his answer was appropriate in terms of that piece. But the other part is we could think about the fact that I’ve had people reach out to me and say, “Hey, I saw you on this top 100 list.” “Hey, I saw you on this top 50 list of CISOs. Do you want to come talk to us about coming to my company and doing this kind of work?” So, how can is misrepresent? So, I think it’s more damage for the actual individual because sometimes it can misrepresent folks, that they might not even really have the skillset that this company is looking for. It may puff up what they look like on LinkedIn versus what they can really bring to the table if they went through that process. So, I just think the damage could be individual. But his answer was appropriate.
[Shawn Bowen] All right, I’ll take the job. If someone is going to pump up my resume and get me a better job, I’ll take it.
[Meredith Harper] Then you damage the company. Then you damage the company.
[David Spark] You need more people lying for you.
[Meredith Harper] Oh, wow.
[Shawn Bowen] My resume is not that good.
Why are we still struggling with cyber security hiring?
[David Spark] Practically every CISO we have on our shows on the CISO Series is hiring. It’s a question we ask on every single show. Everyone is in desperate need of talent. In an article on CSO Online, Mary Pratt outlines a series of new strategies CISOs are taking for hiring such as… I’m going to mention two. Stop creating job descriptions for the “ideal candidate” and pair it down to what are the basic tasks you need done. Stop describing the person who just left the position, because, well, heck, they didn’t start that way when they came in. Second is think about recruiting IT workers. Now, it’s not as hard to recruit an IT worker as it is a security pro. This is what Travis Gibson, CTO and CSO for Big Brothers and Big Sisters of America did. He actually filled 20% of his positions following this strategy. So, I will start with you, Meredith. What new strategies are you deploying to find cyber talent?
[Meredith Harper] So, we’re looking in unconventional places. I think that we always go to the normal job fairs, things of that nature. When I start to think about the diversity lens on this, if I want to look for a certain type of talent, I need to go where that talent is. If I want to look for black tech professionals, I’m going to go where those black tech professionals are. So, those are new strategies that we’re employing across the board that we haven’t necessarily employed in terms of the target and intentionality of what we’re doing as it relates to recruitment. I think the other part is when we send these recruitment teams out and we have them talking to certain demographics that we want to recruit within our organizations, we’re looking at how do we make the recruitment team reflective of the demographic that we’re looking for. So, we have to make sure that they can see themselves in these roles long-term. Typically the recruitment team is the first team that they see, so we’re leveraging that as well to be able to use our talent to be able to draw talent.
[David Spark] Shawn, what are you doing?
[Shawn Bowen] Coming on your show regularly. [Laughs]
[David Spark] I know you’ve hired one person.
[Shawn Bowen] Two. Two.
[David Spark] You hired Dustin Sachs [Phonetic 00:28:45] through the Friday show, Super Cyber Friday.
[Shawn Bowen] Yeah.
[David Spark] Who else did you hire?
[Shawn Bowen] We had Clib Ziarno [Phonetic 00:28:50], and then we’ve also had Dwayne Grand [Phonetic 00:28:54] actually submit his resume. And then he withdrew because he took another job. But I’ve had a couple candidates. They’ve deliberately reached out and said, “Hey, I heard you on the podcast. I heard on Friday that you’re hiring. What jobs are you hiring for? Are you hiring for this type of job? Here’s what I want to do.” So, thank you.
[David Spark] Well, you’re welcome. I love to hear that we’re an avenue to get people hired. That’s awesome.
[Shawn Bowen] But I think that’s part of what I was joking around about. I think that there is a desire for people to work for leaders that they look to. I won’t say look up to. I don’t know if I fit there. I look at a lot of you in this room, what you post on LinkedIn. I make sure I try to do whatever algorithm hacking I can do to make sure you show up in my feed because there are a lot of good contributors here in this room. There are a lot of good contributors listening that I learned from. And the opportunity…when I’m at a conference, I seek them out. “Hey, I’d love to talk with you. I just have a couple questions about something you posted like three months ago, six months ago.” Meredith and I were joking around, there’s some people in here that I know their name, and I feel like I know them because they’ve posted things. They’ve changed jobs, and they have no clue who I am. But that same type of concept happens with some of the recruiting where people are looking at the culture that is at least being somewhat represented by what you’re doing on LinkedIn or wherever you’re posting. Because I think LinkedIn is a great platform for that. Other than that, I understand what they’re talking about with the job descriptions. It’s hard because I don’t think people read the entire job description.
[David Spark] Let me give you a reference on that. People have heard me say this. I put out a job listing for the CISO Series for an associate producer. I got about 45 resumes back. In it, I said one of my requirements was attention to detail. Another thing I said was, “Go to the CISO Series site and acknowledge you actually went there.” That’s a pretty low bar to clear, right? All right. Of the 45 resumes I got, 6 actually did it. Of those six, only three spelled my company name correctly.
[David Spark] Two of them called it the Cisco Series. I gave those three people interviews, and I hired one of them. And he’s amazing. Shout out to Aaron Diaz, our associate producer.
[Shawn Bowen] I was going to say, “Which one?” Yeah ,but I think that’s one of those things where sometimes you put a job description…because we have constraints with HR. I know I deal with it. I can’t put five job descriptions out, but I’m looking for five potential profiles where… So, I can list ten things, and I want you to have three of those ten. And so I try to write it a way where I’m saying, “Here’s the potential skillset I want you to choose from. Tell me which ones of these you have.” Because I can only place one post, and obviously I’m not writing it like that. it’s a little bit more formal. But I think that’s one of those things where there needs to be a little bit more deliberate action on the application. It’s too easy today to just click apply. And particularly if LinkedIn has the little in symbol.
[Shawn Bowen] You’re just clicking the hell out of that thing.
[David Spark] They don’t make it possible to add a cover letter. All right, one line of which you’ve stopped doing because it’s no longer affective, Meredith.
[Meredith Harper] So, I’ve stopped defining job descriptions with requirements that are degree only. So, take that out. Sometimes I’m looking, again, for skillsets, not necessarily degrees.
It’s time for the listener question speed round.
[David Spark] I have in my hand here a whole mess of questions I got from this very audience here. I got a bunch of them. We’ve got a little bit of time left. I’m going to try to get through as many of these as possible. They do not know these questions. They have not heard them. So, I’m looking for quick answers, not involved answers. Again, I’m going to say to you make sure you stay on the microphone. All right, here is… I just want to say this first question, he said to you, Shawn, “You’re going to know I said it.” I said the reason you’re going to know he said it is because I’m going to actually read his name. So, that’s going to be the tip off that he actually wrote it. It comes from Brett Conlon, who’s the CISO of American Century Investments. Guess who wrote this one, Shawn?
[Shawn Bowen] Oh, this one is Brett’s question.
[David Spark] Yeah, this is Brett’s question.
[Shawn Bowen] Okay. All right.
[David Spark] All right, here we go. All, right, as a CISO within the first hundred days you can make one change without knowing the environment. What do you do?
[Shawn Bowen] [Bleep]
[David Spark] I know. Don’t worry. We’ll have to bleep a lot of things for you. You did, you let one of those fly earlier, too. All right, Meredith, you answer first.
[Meredith Harper] Hire a chief of staff.
[David Spark] Hire a chief of staff. That’s good. I like that.
[Shawn Bowen] What kind of budget do you got?
[Shawn Bowen] I’m going to overhaul internal audits assessment.
[David Spark] One thing? That’s not one thing. Boo. You’re getting bood.
[Shawn Bowen] Yeah, I’m fine with that. I can’t think of anything better than that.
[David Spark] All right, this one is from Chris McFarland, who’s the CISO over at Abercrombie and Fitch. All right, this should be a quick answer from both of you. One metric to explain your security program. What’s one metric? I know that our CISOs mostly answer.
[Shawn Bowen] Number of privilege access to something. What’s my level of access. I don’t know how to math that out properly but public access to containers or elevated privileges. What percentage per user account.
[David Spark] Okay.
[Meredith Harper] Mine would be control exceptions or risk acceptances because those are punching holes in my security posture.
[David Spark] Aw, I like that. All right, the one that we often hear is MTTR, mean time to remediate. That one we hear a lot. Referencing our last segment we just did, why are we not letting green trained people into the cyber security field? What are we, cyber professionals, afraid of?
[Meredith Harper] So, I don’t know because I’m not afraid. I actually bring what I call the green beans into the organization, and we grow them up into full grown beans. So, I welcome it actually, so I’m not afraid of it. So, I don’t know what…
[David Spark] You’re not afraid of it. What do you think…? And you can point to people in this audience if you’d like. What do you think they’re afraid of?
[Meredith Harper] Well, okay, so here’s what I think. I don’t know if it’s actually an inherent fear, but I think that a lot of times the skillset that we need is really not the entry level. We need that mid skillset and higher. So, a lot of times if I fill my ranks with all of the folks who are green in this industry and in this organization then I won’t have that higher skillset. I can’t sacrifice that FTE for that.
[Shawn Bowen] That’s my fear. I want 20% new to IT and security, 20% new to security but previously IT, and 60% that can mentor that. that’s rough numbers obviously. If I don’t have a strong 60%, it’s hard for me to target that 40%.
[David Spark] By the way, that question came from Deborah Wheeler. Deborah Wheeler, CISO over at Delta. All right, here’s our next question. This comes from Wolfgang Goerlich, who’s the advisory CISO over at Cisco. What business relationship is most important for your security program? One business relationship, what is it?
[Shawn Bowen] CEO for me at least for my organization because of the influence that he has in our decision making going forward.
[David Spark] So, you and the CEO.
[Shawn Bowen] Yeah.
[Meredith Harper] I believe it would be my direct leader, so the chief information operations officer. She runs 60% of the company.
[David Spark] That is your most critical?
[Meredith Harper] Yes.
[David Spark] All right. This comes from David Machlis of Intercast Staffing. He asks, “What’s the most challenging skill to acquire?” And you cannot answer people skills.
[Meredith Harper] Communication skills.
[David Spark] That’s the same thing.
[Meredith Harper] It’s not.
[Meredith Harper] No. Because I see people as more development and actually building up a team. That to me is a people skill. Communication skills are different for me.
[Shawn Bowen] Critical thinking. Because I believe that our education system doesn’t teach people how to learn.
[Meredith Harper] Good point.
[Shawn Bowen] They teach the how to pass a test. I need to throw… Apollo 13 problem. I need to throw a bunch of things on the table and then figure out how to put that together. I don’t think that we’re teaching people that as well. We’re teaching people how to connect the dots, how to build a website, how to code, how to connect routers, whatever it might be. We just teach them how to do it. We don’t teach them how to figure it out.
[David Spark] Okay, so let me go to this… How can people best demonstrate people skills, communication skills, or critical thinking? If I’m a candidate and I want to demonstrate that I can do any of those, what’s the best way to demonstrate? Because you can’t really put it on a resumes.
[Shawn Bowen] Yeah, so for me when I’m interviewing, I normally ask a question that’s got either an impossible answer or there’s an…
[David Spark] Like the Kobayashi Maru test.
[Shawn Bowen] Yeah, kind of. And no matter what their answer is, my immediate follow up is can you think of a better way or something along those lines. And normally if I have someone that quits after five seconds or like, “No, that’s all I can think of.” Like, all right, you’re not willing to put in effort to get the job. Why are you going to put in effort when you have the job? But if I have someone really trying to come up with ideas… I tell this story a lot. One of my deputies 12, 15 years ago, he had the stupidest answer to one of my questions, which was, “Why is a manhole cover round?” And his answer was, “So it doesn’t pop tires when cares drive over it.” And I’m like, “What the hell?” But the thought process he put behind it and how he came up with it made that he’s willing to think of an outside the box answer to a question. He was one of the best guys I’ve hired in 20 years.
[Meredith Harper] I’ve done it asking a question around failures. I’ve asked candidates or even folks who report to me like, “Talk to me about your most greatest failure, and what did you do to get yourself through that?” And how they explain it and talk about their thought process of why they actually failed… Because a lot of times they have a lot of good reasons why they failed. Their thought process was sound, but it was still a failure. So, for them to be able to talk to me about it and then let’s talk about what you could have, again, done differently, then it gives them the ability for them to share with me how they can now see the error of their ways. “I learned from that. Here’s how I could have probably did it differently.” Then they don’t continue to make those mistakes in the future.
[David Spark] All right, very good. Very last question. I want quick answers even though it’s a pretty global question. It comes from Deborah Wheeler, CISO of Delta, again. How relevant, whether up, down, or out, will the CISO role be in ten years? Is it going to be splintered, going out? More, less? What’s it going to be? Quick answers.
[Meredith Harper] I think it’s going to be more, but hopefully I’ll be retired.
[Shawn Bowen] My daughter is almost three, and my son is almost one, so I’ll still be working. I think that you’re starting to see some of it in the trust officer. I don’t think that that’s the next progression of a CISO. But I think as we become more digital providers, we’re going to have to incorporate a lot more in our offering. Not just the defense but also building in secure products. And so I think there’s going to be a lot of changes there. I do see elevation in decision making, but I think that that requires us… A lot of us say we want a seat at the table. I don’t think a lot of us are prepared for a seat at the table.
[David Spark] That brings us to the very end of this show. Thank you very much.
[David Spark] I want to thank Evanta. I want to thank Cisco for sponsoring. I do want to remind everybody the web address, cisco.com/go/secure. Thank you so much for sponsoring. I do want to also thank my guest, Shawn Bowen, over at World Fuel Services, and Meredith Harper, over at Synchrony Financial. I’ll let you both have the last words. I’ll start with you, Shawn. You are still hiring, yes?
[Shawn Bowen] Yeah, we’re always hiring. We’re also hiring for regular IT jobs as well. We have a lot of identity and some of the devices, lots of things around IT.
[David Spark] So, this is for the people listening, not the people in this room, right?
[Shawn Bowen] No. But if you are hiring… No.
[David Spark] Yes. All right. Meredith, you’re hiring, yes?
[Meredith Harper] Yes, we are. Always. Come our way.
[David Spark] Come your way. And you hire green people.
[Meredith Harper] We do.
[David Spark] The green beans.
[Meredith Harper] We do. I want the green beans. I do.
[David Spark] All right. Awesome. And before we close out the show, I do want to mention that Evanta and the global CISO community are excited to see you, all of you CISOs, next year for the 2023 summit. It’s going to be in Nashville, Tennessee on September 11th through the 13th. So, save the date. Thank you very much. We greatly appreciate you participating and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.