CEOs, CISOs, CTOs and other C-suite executives are meeting at SINET’s Global Cybersecurity Innovation Summit in London this week. Cipher Brief CEO & Publisher Suzanne Kelly, who is moderating a session on the global cyber influence of Russia, China, Iran and North Korea, also had the private sector in mind when she talked with SINET Founder and Chairman Robert Rodriguez about what CISOs want most.
Kelly: I thought we’d talk a little bit about CISOs and what they're really looking for today - is it better relationships with C-suite executives, is it having more resources, getting better information? What do you think tops their list of concerns?
Rodriguez: I think it's three things. It's building trust that leads to better relationships and communications with their Board of Directors, in particular being able to articulate their concerns and needs as a risk executive that helps enable the business objectives. The CISO has evolved over time and the last 5-7 years have witnessed this maturity. More specifically, we have seen the continuing rise and evolution of the 21st century CISO as more of a risk executive and business enabler. Secondly, CISOs desire to be at the highest level of thought leadership amongst the highest level of their peers, to share best practices and information, learn from one another and continue to build on their network of trusted professionals. Lastly, they desire for entrepreneurs/vendors to be more of a partner and less of an annoyance. They are overwhelmed with the number of companies constantly calling, emailing or flying marketing gimmicks into their office via drones, etc., and this has caused the 21st century CISO to become more reclusive.
Kelly: When you talk about trust, CISOs need trust with the CEO – we’ve heard that repeatedly. What does it mean? Given the evolution of the threats to business today, why do you think there are still barriers to trust?
Rodriguez: I do think there is trust, but I think I would go back to what Ronald Reagan said: trust but verify. You’re seeing an increase - although not dramatic, but slight - where CISOs are sitting on publicly traded boards of directors - kind of a cross balance and check. I'm also seeing more CISOs aspiring to those positions. One of the things that we do at SINET is an invitation-only board of directors CISO workshop where the conversation is all about ‘how do you close the communication gap, as an example, with a non-technical 70-year-old board member, on these difficult, complex matters? How do you articulate holistic enterprise risk across all the business lines, versus compartmentalized risk? What type of metrics and measurements are you using to evaluate risk, not only within your shop, but all the departments?’ Because to really understand risk holistically, you need to have a picture of everything that you're touching, and cyber has become like the air we breathe; it touches everything, unlike other things like blockchain, autonomous vehicles, robotics, etc. The job is complex. And how does the company benchmark in the industry or the sector? Are you giving me too much money or not enough money to do the job?
Kelly: It's really interesting that CISOs are aspiring to board seats; it’s a fascinating dynamic. But for those who aren't, what kind of cooperation should they be expecting from the C-suite, and what level of support should they be getting, even indirectly, from boards?
Rodriguez: The cooperation piece again is building that relationship and trust. CISOs have varying strategies to achieve cooperation, support and buy-in. Some will fly from Silicon Valley to Chicago just to have coffee with a board member and to educate them on the matter at hand in anticipation of the next board meeting, so that their case is known upfront and not in real time. There is only limited time in these meetings, and if you are able to educate the BOD on a certain topic that ultimately leads to a better understanding of the matter and eventual support of increased budget, more hires and workforce development, then these strategies can and do work. This isn’t complicated. Relationship building is just a fundamental thing of human nature. And really, the big piece of it is the word trust. Continuing to build relationships with these board members individually, and then collectively in the room, can lead to increased communication and trust.
Kelly: Are there other ways that CISOs are coming together to share threat information these days, given that there's been a bit of running up against a wall with Washington when it comes to understanding how to share government information with the private sector? What about business to business? What are you seeing?
Rodriguez: The one thing that I learned in hosting the BOD - CISO workshop - and we will have over 40 global CISOs from some of the largest corporations in the world flying in for this workshop - is that CISOs want to be at the highest level of thought leadership amongst the highest level of their peers. That's what they want. They are invited to many dinners and conferences where they are asked to speak, but it is engaging in a trusted environment where they feel comfortable sharing information and knowledge on complex matters or the latest threat that is keeping them up at night. They have become like rock stars. Everybody wants them, right? VCs want to meet them to introduce their portfolio companies; obviously, the vendors want to meet them; and frankly, there is so much noise out there. It's a very populated environment with all the solution providers, and they all want the same Blue Chip customers. Unfortunately, this noise and crowded vendor atmosphere is causing some companies to develop and lead with bad culture, and this has adversely affected companies with good culture. The approach I recommend to the entrepreneurs is to go into a meeting with the mindset of being a good listener and partner. Do not go in with the "shiny bullet" approach; build relationships, build trust, and if there is not a fit, then walk out of the room. Don’t waste anybody's time.
Kelly: And how are CISOs generally feeling about the information sharing with government? Are there still concerns that the government isn't sharing real time information about threats quickly enough?
Rodriguez: I don’t think that’s an issue like it used to be. They kind of expect this and it is rare to hear them complaining about it; I think they've moved on. It's one of those scenarios where, ‘You know what, you are on your own, in a foxhole taking non-stop incoming rounds with your back to the wall, and there is no one to help except your own team and trusted professionals within the industry. So pull up your bootstraps and do what you gotta do to win the fight.’ As you know, I'm heavily involved in working with the various governments and am an advocate of supporting and building public-private partnerships all over the globe. I don't have problems bringing them together. In fact, one of the things that I do is connect and help build trust between the government agencies and industry: workshops, tech demo days where we will bring in 50 CEOs to present to a CISO and their IT team, or organizing trips out to Silicon Valley for DoD or the U.S. Postal Service, or other government agencies. I find that when I call the entrepreneurs or the venture capitalists or the corporates for meetings, a lot of people are patriotic and will welcome these opportunities to engage with the government. People deep down desire to serve; they want to help in their own way. Of course, there is also the value add for the entrepreneur to be able to pitch to the CIOs of all the branches of DoD, but still, there’s a sense of purpose.
Kelly: This conference is being held in London. Are there lessons learned with how other governments are partnering with private industry that can or should become best practices for the U.S. or other governments?
Rodriguez: Not because I'm an American, but I think the lessons learned can mostly be attributed to the USA due to their experiences with the development of cybersecurity policies and information sharing centers and, as a whole, having a culture that is more willing to take chances with a continuing desire to innovate. For example, there are eight major banks in America that have an information sharing initiative called the FSARC that was supported by Jamie Dimon at JP Morgan Chase and Lloyd Blankfein at Goldman Sachs and some of the other large bank CEOs and, at the time, then DHS Secretary Jeh Johnson. So, big support at the top, information sharing, protecting critical infrastructure, particularly in banking and finance. The other thing that I see that's ahead of the curve in terms of the countries is early adoption of technology. The American CISOs are not as risk averse as the Australian or the UK CISOs, and they are more apt to share information within their trusted groups. That said, I am observing these other countries continue to evolve at a rapid pace, and I am encouraged to see their recent rapid maturity and growth in the cybersecurity domain.
Kelly: What are some of the corporate or even government threat trends that you think are most likely to register on the radar more significantly in the next six to twelve months? What are the emerging threats that people have their eye on?
Rodriguez: So you have your traditional attacks for financial gain, and you have your attacks for intellectual property theft and industrial espionage. I think over the horizon, and we're talking about it a lot now, is protecting our voting systems. That's a nation state attack, typically, but then foreign governments can also contract out or they have alliances with hacking groups. I believe the attack on Sony five years ago or so was transformational. This attack by North Korea targeted the destruction and manipulation of data and defamation of Sony’s brand and the CEO's character, which led to her eventual firing. This was all part of a retaliation effort. Basic propaganda approaches that Russians have used for many, many years and what the Germans mastered during WWII, but now are utilized in the field of cyber. When I say defamation, I'm saying if somebody doesn't like the political views of somebody, a presidential candidate for example, they will go after them and try to embarrass and humiliate them. So the CEO of Sony had to step down because of embarrassing, off-color texts which were discovered as a result of the breach. Nobody wants to be in that position.