CISO Talk Ep 23: The Changing Role of CISOs


[Musical intro]

Mitch Ashley: Ryan, welcome to another episode of CISO Talk. My name is Mitch Ashley. I’m CTO with Techstrong Group and also, principal with Techstrong Research. My partner in crime, Matt Newfield, is off today. I think he got a call on the bat phone that he had to take so he is otherwise occupied.  

So, let’s get to our topic today. I think it’s a great time to be talking about it ’cause we’re all living it in so many ways. The topic is – how the changing nature or changing role of the CISO – I mean, a lot of jobs have changed in recent history, but I can’t think of any that’s changing more than a CISO’s job. Well, let me first introduce our esteemed panel of guests – repeat guests. Glad to have you both back. 

Appearing, again, in – let’s see. What position are you playing? Are you playing center or guard this game here, Mike Rothman, with Security – I can’t talk. 

Mike Rothman: Goalie. The fat guy’s always the goalie so, that’s me. 

Mitch Ashley: You just like all the equipment. That’s why you like goalie. Tell us – 

Mike Rothman: I like the big gloves.

Mitch Ashley: Introduce yourself for the few people who might not know you. 

Mike Rothman: Mitch, Anthony – nice to see you guys. I’m Mike Rothman. I’m President of Securosis, a security-centric research firm, and I’ve been doing this for way longer than I care to admit. But this is actually a topic that is near and dear to my heart, and I’ll start telling stories and stuff, but it’s really nice to see everybody coming around about 10 years after I started kind of making this pitch. So, this’ll be a great conversation. 

Anthony Johnson: Very cool. That’s where we’re trying to catch up. 

Mitch Ashley: Anthony – of course, Anthony Johnson with Delve Risk. Great to be talking with you. Introduce yourself, Anthony. 

Anthony Johnson: Anthony Johnson. So, managing partner at Delve Risk. We’re a market research organization. Formerly, I was a CISO at a number of organizations like J.P. Morgan, Fannie Mae, GE, et cetera. But love being in the community and just kind of engaging in these things and I’m pumped about the chat today. 

Mitch Ashley: Thanks, both of you. It’s always good to be talking with you – whether on camera or not. So, you know, there’s so many avenues we could go down here and so many dimensions of how just security in general has changed as a job and as part of the organization. I guess, maybe to start it out with, it seems to me, one of the biggest is that everything involves security because everything is digital. I mean, we’ve gone all digital for all experiences. 

We still do in-person things, but as we’ve moved everything to a digital experience, user – whether it’s partners or customers or employees – whatever it is – so, suddenly, everything is about security, and now, it’s a board room discussion, not just in the backroom of the network organization like maybe when you and I started, Mike, [Laughs] way back when. 

Mike Rothman: Anthony’s a young guy. So, he’s – 

Anthony Johnson: I just look – I mean, I got the gray so, I just look young. I just got good skin. 

Mike Rothman: You gotta understand – you’re with like, two certifiable old guys here. So, you need to be – 

[Crosstalk]

Mitch Ashley: You just figured out the technique. When Mike or I don’t know the answer, we just kind of give the old beard chin stroke – so, the old guy stroke. 

Anthony Johnson: Love it. 

Mitch Ashley: Jump in, Anthony, talking about how things have changed for the CISO and what’s driving it. 

Anthony Johnson: Yeah. So, I think what’s really interesting is that when you look at where a lot of the security leaders started in their career, they started off in the back server, managing infrastructure kit, and it was, “Hey, we’re gonna deliver the goods. We’re gonna make this thing work.” Even if they weren’t involved in the developer side, right? They were just – they were trying to make things run. 

But nobody actually told them – told us – that in 20-30 years, this is gonna be the most important function to make the world operate. Like, I think we would have all laughed and like, “Oh, the internet? The internet’s a cool thing, but is it really gonna be the most groundbreaking technological innovation ever?” ’Cause that’s a huge, huge statement. And then, to say, “And you, person, are responsible to protect that.” 

That’s actually really terrifying. And so, I think you found security leaders that went from being this geek to making things work to now saying, “Okay. Now, I’ve gotta protect and connect the entire life blood of my company, my community, my nation.” And it’s a big set of shoes to fill and it’s been constantly changing. 

Mike Rothman: It sure is. And I guess I would put this into the category of things that we needed to be careful about when we wished for them, right? Because, again, all being kind of experienced guys doing this for 20-25 years at this point, there was a time – and I know it’s hard for everybody to remember – but there was a time when people would be like, “Security? What’s that? And why am I paying for that again? And what is this little token I have to use to get into my remote access here” and all of those things from the old days. 

And we would constantly be whinging when we would get together and drink some beers – maybe a lot of beers, maybe even stuff harder than that – on that front, to kind of ease our pain, ’cause nobody cared. And we couldn’t get any funding. And it was very difficult to do the job because it was marginal. We were marginalized from that perspective. And what we have now is not that problem. 

What we have now is possibly overexposure. But really – and I think where we need to get to in the discussion – and really, in the skill set – and Anthony, it’s an important point that you made – that a lot of kind of – the CISOs that initially took that role ended up looking like technical people that drew the short straw. They were either around for too long, they didn’t figure out how to say “no”, or they didn’t realize what a crap job it was gonna be. But they ceased to be technical people at that point, and they didn’t realize they were playing a different game. And that’s kind of the thing I dangled out there before, right – that I’ve been talking about this for 10 years – is that I actually wrote a book called The Pragmatic CSO in 2007 and one of the things that I talked about there was the fact that you’re not a security professional; you’re a financial professional. 

You were at J.P. Morgan, right? So, financial professional that happens to do security. And what I was trying to get across there is that it’s about the business, and you’re playing a different game. If you don’t understand that it’s about either enabling or managing risk on the part of the business, again, you’re just a keyboard jockey, right? And there’s really no role for that at the senior level. 

Anthony Johnson: I think what’s also really something to think back on – we can kind of look back and kind of chuckle about it, but if you remember the ILOVEYOU worm, right? Like, we like – back then, when it hit, it was like, “Oh, man. This sucks.” But I remember conversations with people being like, “If they wanted to be malicious, this could have really sucked. Like, this could have been really bad.” 

And now, could you imagine if something like that were to truly – it would be rampant destruction just across the world, and things that we look at like, “Well, thank God the hackers weren’t mean” – well, they’re mean now. They’re keen to make money and we’re trying to figure out how we operate in this world where in one jurisdiction, this is totally illegal, and the other jurisdiction, the government quasi-condones it because they’re hitting US companies and – 

Mitch Ashley: Or maybe funding it. 

Anthony Johnson: Right. Or even funding it. And we know they’re agents moonlighting. So, it’s a totally different game from where we’ve gone from 20 years ago to “Let’s just see if this works” to “All right. I think I can make about $700 billion this year” – whatever it is, right? 

Mitch Ashley: Well, you know things have changed when you look fondly back at the ILOVEYOU virus and Code Red. My, how things have changed when – our e-mail server going – being overloaded was the issue. Both of you hit – nailed it on the head – the issue of the CISO has to think and talk business, not just technical jargon. It’s not just protocols and firewalls and blocking and all that good kind of stuff, but it really is a role where you’re at the center point of both, “What do we need to do and how much do we need to do of it?” and also, “What do we do when something happens?” 

’Cause it will happen. Bad things happen to good CISOs, right? It happens. So, I’m curious, Anthony, from your perspective, if you’ve lived this in that transition from the technical world to now, you’ve got to deal with as a business person, what’s the biggest gap that you saw in your own experience that you had to quickly look for mentors or other ways to kind of fill? 

Anthony Johnson: Yeah. So, it’s interesting. Going to found an organization and software company, I quickly aligned to the whole Maslow’s hierarchy of needs, and really, all of a sudden, in the business context, revenue is food. Right? And security is great, but if you’re starving, it’s a nice to have. 

And I’ve caught flak for saying this in the past, but there are things that you kind of go up – there are first-world problems – I don’t want to say security is a first-world problem, but there’s a lot of other problems that businesses will suffer if they fail to drive revenue, customer retention, et cetera. And security is gonna be the last thing on the mind of the board when they can’t make payroll, right? But the security leader needs to know how they influence and impact that food collection – that revenue collection. What can they do to add value to it? Or what are they doing that actually slows that down? 

’Cause you constrict the processes too much, and all of a sudden, you have security choking a business, and that’s where I think you see a lot of security leaders running into loggerheads with their leadership teams in a lot of cases. 

Mike Rothman: Yeah. Let’s talk a little bit about empowerment, because I think that’s actually a very critical aspect to being successful as a senior security professional moving forward. And the first epiphany to understand is that you’re not empowered to do anything. The fact is – that’s probably not exactly true, but you’re not empowered to do a lot. So, a big part of the evolution from technical professional to manager/leader, is a general concept. 

Let’s just call it “persuasion”. Because when you’re not empowered to do anything, you have to be really good at persuading other senior folks in the organization to get things done. And, by the way, in the old days, we – CISOs had empires, right? They had security operations. I guess I probably shouldn’t say “the old days”, right? ’Cause some folks still have security operations for on-prem things and they’ve got groups of responders and all that. 

So, you do have some people, but ultimately, you’re gonna say, “We’ve gotta make changes in these systems” and the folks that run the systems are gonna go, “Get the hell out of here.” And that’s being nice. We talk about the attackers not being nice – when you start to tell some business leader that you’ve gotta take some of their stuff offline because of a potential risk, man, they’re gonna be probably a little bit less nice. And if it’s even compounding, from that standpoint, because, as we continue to move towards DevOps and we continue to distribute our data all over the place, it is those folks. I mean, we can joke and say, “Ooh, DevSecOps” and that’s a load of crap, right? 

Because you’ve got the developers, you’ve got the ops folks, the security folks, maybe, at the front end of the process can have a say. Maybe if kind of the brown stuff hits the fan, they get involved from that standpoint. But, for the most part, not so much, right? So, what we have to do to evolve as leaders, as security leaders, is to start to really understand how are we going to persuade these folks to do the right thing from a security perspective while continuing to achieve what they have to on the business, which, again, leads back to the second point, which is – if you don’t understand your business, it’s really hard to persuade somebody why being secure is in the best interest of their business, right? So, it gets back to this idea that you have to be a professional in your business that happens to practice security. 

You have to be very effective from a persuasion standpoint because these folks don’t want to do what’s in their best interest from a security perspective, and we’re not empowered to do anything until we are. And when we are, that is a very bad day, right? That means something has gotten out of the cage. Some bad stuff is happening and now, we’re trying to figure out what is where – and typically, Eastern Europe or South America is kind of the answer to that question, which, again, very, very bad days.

Mitch Ashley: So, Mike, let me challenge you on that – and I know, Anthony, you’re gonna jump in so, I’ll let you jump in in a minute, too. I want to challenge you on that from this aspect. One of the things that actually works in our favor, ironically, is every business executive knows – or at least heard of – ransomware, and they know they don’t want to have that. And the board is now looking at the CISO to say, “We’re okay, right? Do you need more? I’m not giving you unlimited budget, but I don’t want you coming back and say, ‘Well, I would if I would have just spent this extra, we would have had that ransomware.’” 

My point being it is coming to us as in “I don’t want to have this problem. You need to do what you need to do.” I’m not saying you’re wrong/you’re right, but that’s changed. So, that advocacy doesn’t have to be FUD anymore. It can be, “Okay. Well, then this is – “ 

Mike Rothman: It’s not, Mitch. But what I found is that talk is cheap. And when you sit with any senior executive, board member, CIO, “Oh, security. Oh, security.” And then, when it comes time to actually make the fundamental changes that are required to truly be secure – a little bit less interest on that front, right? 

So, if I can write a check and make the problem go away, that’s great. And hey, what does that check need to be, right? Our problem isn’t funding anymore, right? Our problem is skills. But ultimately, our problem is change and transformation, because doing security consistently, having an organization that is security aware, is hard. It’s hard. 

Anthony Johnson: I think I’d like to throw out this piece here. Most security leaders, I think, struggle with being able to articulate how an EDR gets the business from 10 percent wallet share to 12 percent wallet share. Most security leaders – actually, if you ask them, like, “Hey, how does your company make money?” I remember having this conversation with a CISO last year who’s in financial services. I was like, “Hey” – coaching this guy, and I’m like, “How does your bank make money?” 

And he’s like, “Oh. Deposits.” And I’m like, “What do you mean?” And he actually didn’t know where or how the bank made money. And when you are talking to somebody as a business leader who’s been doing this for 20-30 years, someone’s like, “Hey. You gotta do this. It’s gonna be really, really important and it’s gonna save us a big risk.” 

And I’m like, “Okay. How?” You know when they’re BS-ing and don’t know what they’re actually trying to advocate for. And so, those security leaders who actually meaningfully understand the business – not just “We take deposits, but we actually make money by doing custody. We make money by doing this. We – ” there’s all these aspects, and you have a different risk posture for different lines or sub-segments of the business, then you’re going to be able to have a more meaningful conversation with those business leaders like, “Man, you get it. Okay. What do I actually need to do to make sure that custody and asset management is gonna be good? Because that’s very, very different from what we’re gonna do on the consumer side here.” 

So, going back to Mike’s point, it’s about understanding the business, but really understanding the business. It’s the difference between having kids and raising kids, I think. It’s like, you can have kids, but it’s different to raise them. And you have to be able to raise them and invest in that business that way. 

Mitch Ashley: And once you know that Anthony, now you can say, “Now you know what’s at risk, right? We need to protect this revenue because it’s whatever percentage of our business, high growth areas or whatever.” By the way, those are all things on your annual report and umpteen financial disclosures as well as internal documents. So, it’s not like it isn’t available. But knowing that now gives you a connection to the business to say, “Okay. This is why – what we’re protecting. It’s not just the deposits, the things in the safe.” 

Deposit boxes don’t operate that way, but literally knowing that, at least starts up a credible discussion. 

Anthony Johnson: It is. Now, I do think there is a bit of a gotcha that we’ve painted ourselves in as industry professionals. And here’s what the gotcha was – is that 20-30 years ago, we actually had to prove or demonstrate that we were experts at everything before anybody took our credibility seriously. So, we said, “You know, we’re gonna do all these talks. We’re gonna talk about all these things.” 

And so, a lot of tech or security leaders back then were actually afraid to ask questions about the business because they would come across like, “Well, you don’t know what you’re talking about. Your credibility’s gone.” You fast forward, and we continue to exacerbate that behavior of being like, “Oh, I’m an expert at tech. You do the business and I’m gonna separate it.” And that’s not the way that we can actually survive as an industry _____.

Mike Rothman: That’s right. Because everything is tech aware at this point. So, Mitch, I want to capitalize a little bit – or highlight, a little bit – the thing that you alluded to but didn’t necessarily say it specifically, and that’s this – 

[Crosstalk]

Mitch Ashley: No, I didn’t. 

Mike Rothman: – idea of – 

Mitch Ashley: [Inaudible] the boat _____.

Mike Rothman: – credibility, right? And you know, it really is built based upon doing what you say you’re gonna do in a way that folks understand. Again – just being general technical people, we tend not to want to get into sales. We tend not to want to do marketing. And, again, when you get to this point – you’re in CISO Talk, right? 

So, this is a CISO level type thing. You are having to sell your agenda, right? You have to market your achievements from the standpoint of saying, “This is what I accomplished for the business.” Maybe it is getting in the way of ransomware. Maybe it is responding to something before you had a big problem. 

Maybe it’s kind of keeping systems up and running under constant attack. Whatever it is, it’s nice to talk about it around the dinner table and say, “Wow. Look what a great person I am.” But that doesn’t help you in the boardroom. So, you have to start kind of building up but capitalizing and taking advantage of that credibility, because as you guys like to say – “Bad things happen to good CISOs”, right? 

You’re gonna need that credibility. You’re gonna need to have made deposits in the credibility bank because, at some point, you’re gonna outstay – something’s gonna go south. And what you don’t want is to be being that you’ve outstayed your welcome and you’re welcome to go find another job at that point. 

Mitch Ashley: You’re welcome very much. 

Anthony Johnson: Well, let me just add this one last piece there, right? Like, it’s almost like – I always call it like, the “curse of the brilliant” right? I talk to a lot of – most of our customers are software service companies trying to sell their enterprises, right? And so, I talk to some really, really great founders of some really cool technology companies, and a lot of them are like, “Yeah, but once they see it, they’ll figure it out, and then, they’ll understand it, and they’ll get the value of why they gotta buy it.” I’m like, “No. You actually have to simplify this down. You have to sell this.” 

And so, a lot of times, really smart people – smart technologists – they assume that other people are equally as smart and be like, “Oh. Well, once I show you the protocol, you’ll totally get it and then, we’re just off to the races. Just sign the check.” 

Mitch Ashley: [Inaudible] obvious. 

Anthony Johnson: You’re like, “That’s not really how this works, right?”

Mitch Ashley: But you have to do that without talking down or belittling or making people feel – nobody – especially in the boardroom – likes to be – feel like they’re dumb. So, you have to communicate simply and clearly, but not condescending – or at least people take it – 

[Crosstalk]

Anthony Johnson: And that’s a skill. That is a definite skill, right? 

Mike Rothman: Well, it sure is. And let’s talk a little bit about unicorns, because what we’re talking here – and Anthony, to your point about having to – in order to feel like you contributed and feel – you have to know everything about everything, right? And in today’s techno world, it’s hard for me to know anything about anything, and this is what I do for a living. 

[Crosstalk]

Anthony Johnson: [Inaudible] two new quadrants yesterday or something like negative

Mike Rothman: Yeah. But whatever it is. It’s very difficult to stay on top of all of these things, and it’s also very difficult to understand and be so business-centric and understand exactly the knobs of the business and all that. And you know what? It’s okay to partner. It’s okay. 

Whether you’re the top or they’re the top or whatever it is, you tend to, in some cases, sometimes, you can find a unicorn, right? Or maybe you become that unicorn where you’re able to transition from really understanding the technology to really understanding the business, and that’s fantastic, right? Those are the folks that make high six and seven figure deals now because they don’t come along very often. In a lot of other cases, you gotta partner up. So, if you come from a technical background, you have to be able to find somebody that I call “Mister or Ms. Fixit”. 

And they’re the folks that understand how to get things done in the organization. They have the relationships. They’ve been there for many years, and they know, in a lot of cases, where the proverbial bodies are buried from the standpoint of being able to get things done in the organization. And, in a lot of cases – especially if the security team is broken after a big issue or something’s just not working – they’ll bring fix-it in to actually run the team. And I’ll tell you what – they don’t know anything about security. 

They hardly know anything about technology. But they’re really good in the organization and they’re fantastic business people so, they’re gonna be able to find and partner with those technical experts very quickly because that’s what they do. Whether they get airlifted into some far-off land, if you’ve got a factory that’s kind of on the rocks, you got a broken security program – this person comes in, finds the people, builds the program, moves forward, goes on to the next assignment from that standpoint. And that’s okay, right? A lot of technical people get very threatened when business folks come in and start talking business stuff. 

“Oh my God. You don’t know anything. Brrr.” You know? It’s like, “Hey. Get over yourself, folks. Get over yourself.” Because if you can’t get things done in the business, you can’t be successful.

Mitch Ashley: I’m gonna swing the conversation another direction. I think something that’s also changed for us is it’s not about being secure – it’s implementing security that can be adopted and implemented. So, Matt Newfield, CISO with Unisys and my cohost – he always talks about “You have to think about what is it gonna take for people to be able to do what you’re asking them to do or make it transparent so it’s less for them to do?” But that’s true whether it’s a digital experience for a customer or you’re asking employees to use two-factor or something else now that they haven’t used before, whatever it might be. But there’s a human element of it. 

We have kind of customers of our own – consumers of security – that we have to think in that mindset, too. I think that’s a new thought, versus, “Hey. It’s tough. We just prescribe this as the policy and you gotta follow it.” 

Anthony Johnson: You know, I think that the thing there is that in security, we’re like, “Oh, if you do X, Y, Z, and then, you dance one, two, three steps and then backwards.” We’re like, “Okay.” We almost think we’re giving them technology solutions that they’re going to follow, even though it’s really long. But, at the end of the day, people who are working in the company – other parts of the company, even in your security team – they take the path of least resistance. They’re like, “Hey. I see this is here, but I can get my job done and that’s what I’m being measured on if I just go directly this path instead. So, I’m just gonna do this.” 

And you have security leaders who are like, “Well, how come you didn’t do this? That was much more – “. He’s like, “Because you created something that was so painful, I’m now gonna find another way to do it. And if you take away all my options, we’re really creative. We’ll find even more creative crazy ways to circumvent those things.” Hmm.

And it’s not because users are trying to circumvent security. Users are just trying to achieve that outcome – whatever it is that their job, role, mission – whatever it is that they’re trying to get to, and security leaders often think like, “Well, they’re just dumb users.” No. They’re pretty savvy. There’s a ton of developers that work in financial services in finance teams, in accounting teams. 

You’re seeing more and more recent college grads that actually have more scripting capabilities than tech teams, and if somebody doesn’t think, for example, that Excel is a crazy powerful application, you’ve not actually seen a large organization. Because there’s so much stuff that we try to like – security controls – we try to apply. But you’ll just have somebody like, “You know what? I don’t need to do that database. I can just bang this out in Excel and then, I’ll just share this over.” 

And all of a sudden, three months later, the business is running on this end-user compute thing, and security’s scratching his head of like, “Why’d we lose visibility and no one’s using the database anymore?” Well – 

Mitch Ashley: It’s a low-code app. It’s a low-code platform, right?

Anthony Johnson: It is, right? And so, I think that’s an important piece. One thing I did really want to touch on – Mike, you made a really, really great point of security leaders almost comparing themselves to – security teams comparing themselves to large-scale programs. It’s almost as if we’re comparing ourselves so often against the Michael Jordans. We’re like, “Hey” and business leaders are like, “Hey. We need a security leader for our local team, our local business, but all I see in the media are the Michael Jordans who are just completely amazing, don’t have a flaw, and that’s what I’m expecting.” 

You have to know that if you’re a business leader, you’re gonna have to coach them. And as a security leader or tech leader, you’re gonna have to be coached and be open to it. That’s the only way to be successful. Unless you’re Jordan, right? Then, rock on. But – 

Mike Rothman: So many different threads to pull on that one, Anthony. It’s hard to kind of know – 

Mitch Ashley: He shoots. He scores. 

Mike Rothman: – should I go this way? Should I go that way? So, you know, the first thing I want to talk about – and any – when you spend a lot of your time with business people as opposed to kind of hardcore security professionals – which I’ve kind of gotten to a point in my career where that’s what I’m doing – you start to learn a lot more about incentives. And I think that’s what you were really talking about – both Mitch and Anthony – about kind of the fact that you can’t make it too hard for folks because they’re incented to do things in a secure way. They’re incented to deliver code. 

They’re incented to reduce customer support calls. Whatever it is, “Do things securely” is probably not at the top of their MBOs. And that’s what they get paid on. So, you always default back to one of the most true statements I’ve ever heard, which is “If you don’t look out for number one, you step in number two.” 

And that’s actually a critical concept. These folks are gonna act in their best interests at all times. So, again, all wrapping back to the same place – if you don’t understand what their best interests are, how are you gonna persuade them to do these things? If you don’t understand about the role of incentives and using proper incentives to get the behavior that you need, you really have no shot to do this job anymore. So, again, a lot of it just gets back to it’s not brain surgery anymore. 

It’s not even Einsteinian knowledge in terms of how security works. It’s a lot more common sense. It’s a lot more business savvy. It’s persuasion. It’s a lot of these softer skills that a lot of folks don’t say, “Not interested.” 

And that’s okay. Just understand you’re probably not gonna be a very good CISO if you haven’t spent a lot of time thinking about a lot of these softer skills and how you can – and get that done – and that brings it around to another important topic that, Anthony, you were just talking about, and I’ll call it the “general management of expectations” right? If you can’t come into an organization and manage expectations – “Hey, I’m not Jordan. You’re not funding me to be Jordan. We don’t need to be Jordan because of the attack surface that we’re dealing with, because of the adversaries that we’re facing, because of the data that we hold. 

You know what? Good enough is probably good enough. And this is what we’re willing to invest. And, by the way, do you want to invest at 2X? This is what we can do. If we want to invest at .5X, this is what may happen.” 

So, you have to get good at managing those scenarios, communicating those scenarios, and understanding that, at the end of the day, it may make more sense for the business to invest in a new factory. Do we still make factories anymore? Whatever it is – we’re investing in a new system or whatever the analogy is – 

[Crosstalk]

Mitch Ashley: Building chip fabs now. 

Mike Rothman: Yeah, yeah, you know. Building a fab, right? Than it is to kind of update and roll out a new IAM platform. And you know what? That’s okay. 

But you have to be able to communicate, “Well, if we don’t do that, these are the risks.” And then, you make a business decision. It’s really – it doesn’t get a lot more complicated than that. And folks get so bent out of shape. I mean, I can’t tell you how many people call and just bitch at me about, “Oh, I couldn’t get the funding for this. I couldn’t get – ” well, guess what? 

Your business is struggling and you gotta focus on kind of rebuilding the front-end of this thing or else you don’t get to play anymore. Right? So, a lot of that stuff is luxury. And, Anthony, you were talking about that before. 

Anthony Johnson: Yeah. And I want to say one additional point on that, right? It’s like, if you look at where we’re at now – just as a kind of society with people having their quite literal pick of the litter of roles and jobs, if a security leader makes the life of the development pipeline too hard, you’re gonna have developers who are like, “Hey. I can actually make more money on a platform kit code-based process that I understand – it’s smoother, less friction – I’m not getting beat up. Someone’s not yelling at me every day.” 

So, like, we – it’s this ecosystem now of where you’re gonna have business leaders say, “Hey. Security, you’ve made this so painful. We’ve lost top developers.” That’s a whole different ballgame here, right?

Mitch Ashley: Lost sight of what’s important, right?

Anthony Johnson: It is. And you have to strike that balance, because we’re not just protecting the corporate assets. Now, we’re protecting the corporate mission. We’re protecting the revenue streams, employee satisfaction, how they work – I mean, if you look at most end of the year employee surveys, they include questions like, “Do you think that the technology you use enables you to do your work more effectively?” And every time there’s a “No”, that tech team needs to really, really think about, “Okay. Why is that? What are we doing? Are we adding too much friction?” 

Maybe it’s enough friction. But once it gets into the too much, it’s a rough world here. 

Mike Rothman: You bet. And – 

Mitch Ashley: Well, you both brought up a really great topic, which is something that’s in our world now is the world of software and creating software. We don’t just get to build hard exteriors for soft interiors, right? You’re protecting things from the outside. How much do CISOs have to think about – Mike, you mentioned DevSecOps, but think about the whole software that we’re building, and is it secure? Are they just gonna rely on the software teams to do that? 

How do we look at it – how to create a strategy where we’re not gonna be blindsided because something got in there, somebody wrote some vulnerable code, whatever it is? 

Mike Rothman: Yeah. I think it’s the general acknowledgment that every company is a tech company. Every company has – most – once you get to a certain size, right? Once you get to a certain size, you’ve got software. You’ve got developers that are dealing with that software. And part of the purview of a CISO is going to be that, in effect, product security operational aspect. 

So, you have to get good at assessing risk, right? Because it makes sense, I’m gonna use a number of different components, right? That’s this whole idea of microservices – is the idea that I can compose these applications using open-source libraries, using pad services, using a variety of different components – you know, cloud native capabilities that make it easier and faster to build, develop, deploy a lot of these applications. And that means my risk is no longer just stuff that happens within my world that I control. 

My risk actually is very much extended to all of these different – and that’s why you get companies like Snyk that are just killing it right now because they help you understand, for all these components that you’re using, what are the vulnerabilities, what are the risks – kind of what it is that I have to address. And, again, so what we’re really talking about here – to kind of wrap it back around, Mitch – is that it used to be fairly discrete in terms of what this job was, right? It was very much a “Keep the bad people out, make sure my folks don’t do too much stupid stuff, and be able to clean up the mess once it spills.” Well, that’s kind of a 2D type of problem. We’re dealing – on a bad day, it’s probably five different dimensions, because there’s so much stuff that’s outside of your control. 

You’ve got the ability. You’ve got developers and operations people and business teams that are actually weaponizing – not weaponizing, but they’re building tools that could be used as weapons, right – 

Mitch Ashley: Yeah, they are. 

Mike Rothman: – as a way to get at our data. So, the job has also become much more complicated. And yes, we’re talked about in the boardroom. Yes, we can usually get the funding for the stuff that we need if we can make a proper business case for it, but yes, the job has gotten a lot more complicated. And for some people, they’re like, “This is awesome. I’m not just kind of sitting there trying to figure out how to optimize my firewall rules. I’m trying to figure out how to architect a successful and secure business operation moving forward.” 

And for somebody like me, that’s awesome. The harder the problem the better. A lot of other people are like, “Oh, I yearn for the days where it was like a rogue firewall rule knocked down a box and we had some outage, and I was able to fix that in 10 minutes and be the hero.” Sorry. We’re not in that business anymore. 

Mitch Ashley: You’re such a romantic about it. 

[Laughter]

Anthony – so, let’s wrap up on this topic, and feel free to jump in on the last one, too. So, one of the things that occurred to Matt Newfield, our co-host, is he, like some other people, went from CISO to some other title that incorporates both CISO and CIO – or the CIOs are starting to report to CISOs. Be careful what you ask for, like you said earlier. Why is that happening? Is that a good thing or a bad thing? What do we think about that, Anthony?

Anthony Johnson: So, this is definitely a topic that I get in trouble on so, let me just preface it with – 

Mitch Ashley: Okay. I didn’t do that – I didn’t ask you first for that reason. 

Anthony Johnson: It’s really great. I actually think that most CISOs are not mature enough to have and drive the conversation with the board. They just haven’t had the full remit of the P&L. They don’t have the full visibility and they’ve been locked in that microcosm of security so hard – where CIOs have had more time, number of years of exposure to the board, and they’ve been able to be groomed and grow to do that. So, I think putting a CIO underneath a CISO actually will be a big challenge in so much that the business will suddenly say, “Hey – why are we not getting this business throughput?” 

The CISO now is responsible for delivering features faster, and what’s gonna be the priority for them? Features. Get it out the door. And security becomes that second hat. So, I think that having a peer collaborative – almost a challenge type of function – is one of the best situations, where having it – the CISO over the CIO is a bit more of a risk for the business of itself. 

Now, a CIO over a CISO – I think that can work if the CISO has that event to the chief risk officer or something like that. Again – I would say the same thing. Most CISOs – there are very few that I think are actually mature enough to directly report to the CEO because they don’t understand the business. They don’t understand what they’re really drive value, and they think that “We’re just trying to save the world and make it safe.” That’s nice. 

After our customers are – after we have revenue, after we’re growing, after we’re doing these things, then we need to be secure. It’s like charity things for companies. It’s a luxury.

Mike Rothman: It’s interesting in that – at least the folks that I know that kind of came out of the security world and have become either CIO – or, more likely, CTO – and CTO is an interesting kind of title now, because, again, we’re not really building huge technology organizations anymore. We’re trying to harness how technology can enable the business. So, to me, that’s more of a CTO type of role. But whatever we call them, to me, it gets back to leadership. So, I can look – and Matt’s not here so, I’ll actually say a nice thing about him, which I would never do if he was actually on the call.

Mitch Ashley: Make sure he doesn’t listen. 

Mike Rothman: Exactly. Hopefully, he won’t listen. But when you sit with Matt and you – and I’ve known Matt for a long, long, time – he’s a leader. So, it doesn’t surprise me that he’s kind of transcended the CISO type of role and is taking on more responsibilities. Sometimes, it’s physical security; sometimes it’s more technology operations; sometimes, it’s CTO/CIO type of thing, but that has to do with being a leader as opposed to your general skills at doing security, right? 

[Inaudible] – nobody gives a shit about that, right? I mean, you know, it’s just – yeah, it’s important, but it’s not gonna move the needle of my business unless you’re in the security business. But if you are a leader of people and you can rally your team to achieve objectives over and over again very consistently, there’s a lot of room in all organizations for people with that kind of skill set. And I think that’s really kind of the decision as we – as security professionals – start to face down what our career paths need to look like. There’s an infinite amount of opportunity on the technical side of the house – and I would also say there’s a similarly infinite opportunity on kind of the leadership side of the house, too – but you kind of have to choose. Unless you’re a unicorn, it’s really difficult to be really good at both. 

Anthony Johnson: Okay. Let me try and couch it this way, and then, I think this would really be a fun exercise to do with a lot of CEOs, actually – if you said, “Hey, CEO of any large company/medium-sized company, you can have, on the one hand, 0 percent growth and 100 percent security or 5 percent growth and a 5 percent risk that you’re gonna get breached.” Most CEOs are gonna say, “We gotta grow the company.”

Mike Rothman: Most?

Anthony Johnson: There might be somebody out there who’s like, “Ah, you know, I’m just gonna run the _____, right?” I’m just trying to play optimistic, I guess, but like – 

[Crosstalk]

Now, most CISOs would be like – 

Mitch Ashley: The false dichotomy, I’m sorry, but go ahead. No, go ahead. No, I understand your point. 

Anthony Johnson: Most CISOs are going to say, “Hey, lock it down. We don’t need any new customers. We’re gonna be 100 percent safe” and every business leader’s gonna be like, “I get it, CISO – “

Mitch Ashley: That’s your last meeting with the CEO, by the way. 

Anthony Johnson: Yeah. That’s it. That’s exactly it, right? Because they don’t get what business they’re in. They’re not in the business of security. 

You’re in the business of finance, health care, insurance – whatever that is. And so, when you look at it from that tradeoff, put it on a scale. Those business leaders are like, “Listen, 20 years ago, I cashed in my 401K, started this business. I was at 100 percent risk. I’ll take a 10 percent risk to grow the business at 20 percent.” Whatever that is. And – 

Mike Rothman: They don’t have a choice, right? They’re there to – in a lot of cases – grow the – unless I mean – I can’t think of one situation where somebody would kind of say – and it all gets back to managing risk, right? It gets back to leading people. It gets back to understanding what business you’re in, and it gets back to appreciating the technical disruption that every organization is undergoing right now. And if you can’t be a partner with the folks that are driving that transformation, if you can’t help them understand kind of what is gonna happen to corporate data based on some of these decisions in a way that understand relative to the business, and if you can’t lead a team that’s gonna be asked to do a lot of really difficult things in not a lot of time – usually when all hell is breaking loose all over the place – it’s not the right job, right? 

And that’s okay. It really is. What’s not okay is to fool yourself and spend a whole mess of time in a situation that’s gonna make you unhappy and you’re not gonna be very good at, right? Because that gets back to the wasted time thing. And I don’t know, you get to a certain age, right, Mitch? 

Anthony’s a young guy, but you get to a certain age where you’re like, “You know, time actually is really important.”

Mitch Ashley: Do I really want to do that?

Mike Rothman: And a lot of the time that you spend doing a job that you hate, it’s totally wasted time. 

Mitch Ashley: Well, I think the point’s spot on. I mean, if you’ve been a CIO, you know that is not an easy job either, and the life longevity of CIOs isn’t that great anyway so, be careful about doing that. I’d really make sure I was setting myself up for success and not just the next CIO to get fired. But I think it’s really good advice. You know, guys, it’s been a blast. 

It’s been fun. I wish we could share a digital beer right now, but we may well do that when we see each other – hopefully at RSA or somewhere soon. Anthony, appreciate you joining us today. Any parting thought? Any words of wisdom to leave us with? 

Anthony Johnson: No. I think the last thing I would say is that while it’s super tough, if people are open to getting the right coaching, the right mentoring – they’re like, having those open conversations and willing to learn, they can grow to what their – mostly, I believe, that most people can grow to what their company needs. Not this – you’re not gonna be Jordan. Just set that aside. But you can be what your company needs to be successful, and you’ll get a lot of satisfaction doing that personally, and you can grow people in the same way. 

So, I think that there’s a light. You just have to kind of be willing to learn. 

Mitch Ashley: Mike – Yogi Berra of security with your great sayings. 

Mike Rothman: My great analogies. Just go into it with your eyes open and understand what you’re being asked to do. And if that isn’t in alignment with who you want to be, what you want to do, how you want to spend your days, don’t wait until you fail at a job in order to call that out. And that’s just about being honest with yourself and really, just having that difficult internal dialogue to say, “This is what I enjoy doing every day” and do that. Don’t make it – don’t over-complicate it, right? 

If you don’t like what you’re doing, do something else. ‘Cause, again, all we have is time, and when you squander that time, it’s gone. You don’t get it back. 

Mitch Ashley: Mike Rothman, Anthony Johnson – thank you again so much and thank you to our audience for joining us today. We hope you check out another episode of CISO Talk. They’re available online for replay, and join us for one of our live roundtables. We have some great stuff coming out. So, Mitch Ashley signing off and, on behalf of my co-host, Matt Newfield, we hope you have a great day. Be safe. Be secure. We’ll talk to you soon. 

Mike Rothman: Thank you. 

[Musical outro]