Mike Krass: Welcome to What's the Problem, the podcast where we dive deep into the most pressing issues facing cyber and data security leaders today. Each episode, we're joined by a guest expert who will share their insights and their experiences on the challenges that they're currently facing or seen in the world of security. Whether you're a seasoned veteran or a new leader to the field, this podcast provides valuable info and some strategies to get your organization to the next level. So join us as we explore the ever evolving landscape of cybersecurity and discover new ways to tackle problems that keep us up. This is What's the Problem. I am your host, Mike Krass. Let's get started. Today, we are joined by the one, the only Grant Elliot of Ostendio.
Mike Krass: Grant, say hello to our listeners.
Grant Elliott: Hi, everyone. Great to be here.
Mike Krass: Glad to have you, sir. Now, our first question is always the same. For all of our guests, Grant, can you tell our listeners why you're qualified to talk about security?
Grant Elliott: Sure. So I, about 10 years ago, founded a company called Ostendio. Ostendio is a cloud based security management platform. And we help organizations build, operate and demonstrate or showcase their information security programs. Prior to that, I spent a number of years as both the Chief Operations Officer and Chief Information Security Officer of a digital health company. I had my fill of going around and completing security programs, conducting security audits and demonstrating risk assessments to our various clients, many of which were in the healthcare space, so providers, payers, pharmaceuticals, etc. So a lot of experience living in this world.
Mike Krass: The CEO and the Chief Information Security Officer. That's interesting, Grant. I think that's actually a great jumping off point for our discussion today. We were talking offline, and you said that we should be hiring more operational CISOs instead of technical CISOs? Why would you say something like that?
Grant Elliott: Yeah. And first of all, this is not to bash anyone with a technical background. I think it's really interesting because, when I talked to lots of CISOs, the kind of conclusion I've come to based on my background is that 85% of the challenges today on operating an effective security program tend to be administrative. Technology has evolved today at an amazing rate, where the tools that we have available to us are significantly more sophisticated and easy to implement than they ever have been. In fact, some of the challenges we have today are not necessarily the complexity of the individual tools that we work with. It's really just how many there really are and how many we’re operating. This actually kind of conveys a logistical challenge more than a technical challenge. One example to give on this is, if you're old enough as I am, to think about encrypting a laptop. When laptops or desktops first came on, you actually had to pay for additional services to basically encrypt. Many laptops weren't encrypted when you bought them. You had to buy additional software. And as a result, many laptops weren't encrypted. Well, today, every single laptop that you buy, just about, seems to come with encryption software. And so it's not something that people necessarily need to think about today. And so I think, when building a security program, the biggest challenges are operational.
Mike Krass: And I believe that the company you're building and the product at Ostendio is focused on operationalizing security. Did I get that correct?
Grant Elliott: Absolutely. I think of it more like project management. We like to say we’re the Salesforce for security. If you think about how Salesforce works today, Salesforce doesn't sell for you. But what Salesforce does is it makes you more… it manages the operations of selling. It makes you more efficient. It gives you more access into the structure of the data of your sales cycle. Used effectively, Salesforce is going to make your sales organization better. It's an analogy we have for our Ostendio platform. The platform itself doesn't make you secure. But if you use, you build out, and you operate our platform the right way, it’s going to help you build and manage your security program. We're not the tool that's basically managing your access. We're not the tool that’s encrypting your data. But we are the tool that is helping you operationalize and track and manage and organize all of those solutions.
Mike Krass: What's the consequence of not thinking about operationalizing these solutions? Like, what happens if somebody, a CISO, says “Not now. Whatever. I'm not really worried about that. I've got this. We're covered.” What are the consequences for not taking the approach that you're suggesting?
Grant Elliott: Well, I think the challenge if you think about the, the kind of typical profile of going to an IT person. Typically people get into IT because they're smart. They like solving problems, but they always have this idea that they could build a solution. So they can write software for that, they can code this, there must be a tool to implement for that, or they can solve things through some sort of a technical solution. That can attest to why they got into that space to begin with. And what we tend to find is that, in organizations at the executive level, the first place to look at to implement a security program tends to be the IT team. Because IT security is clearly a critical part of information security. And so it's a logical place to start with. But as an organization grows, or as the security challenges become more, you start to realize it's not about encrypting your database, it's not about SSO, it's not about endpoint protection. These tools are all necessary and have to be in place. It's about the operational management of making sure those tools are in place, making sure they’re effectively utilized the right way and making sure your team in the organization is tracking and managing that set up. Some of the biggest challenges we have with business continuity are not the fact that organizations don't have backups, it's that backups fail. And they don't have mechanisms in place to check that they're doing restoration verifications, etc. If you're looking at a Target, that happened a few years ago. The issue and the reason that Target were aware or were able to identify how long ago that attack had taken place was because they actually had implemented software to track and manage that type of exploit. But no one was actually managing the software. There was no one actually going into the tool and checking that exploit was actually happening. So you can implement as many tools as you want. You can download as much software as you want.
You can buy as many sophisticated cyber tools as you want. If you don't implement them the right way, if you don't track and monitor that they've been used the right way, they are not worth the money you've spent on them.
Mike Krass: I feel like I missed a big question earlier, when we introduced this topic. Operational CISOs versus technical CISOs. What kind of percent split do you see in your experience today? Like how many are operational versus more technical focused?
Grant Elliott: Yeah, it's definitely that the majority are technical. And that kind of goes to the point that we mentioned earlier. If you think about how that pathway evolves, typically it comes out of IT security. So it's logical that that happens. And I'm not trying to suggest that a technical CISO can't become an operational CISO. I think it's just important to have that distinction to understand that 85% of running a security program is operational. Only 15% is the technology itself. And so if you have or you put someone in that role who's only focused on the technology, you're gonna have gaps. I speak to CISOs all the time. And it's really interesting when we talk about, especially organizations that haven't gone through extensive audits, and you start asking them where their security operation actually is. They'll typically tell you all the technical tools they have in place. They’ll talk about the fact that they have encryption. They'll talk about the fact that they’ve got endpoint protection, etc. When you start asking where are you in terms of onboarding and offboarding new employees? Where are you in terms of conducting background checks? Where are you in terms of basically simulating phishing exercises within your organization? Where are you on basically tracking and managing change control software releases? You start going through the basic control standards of a typical audit. You start to realize that a good portion of it is just basically administrative controls to ensure that the technology or whatever solution you have in place is actually working. And we have a saying that we use that’s “A big part of operating a security program is ‘Do what you say and say what you do.’” So step one of any security program is to write it down. You have to basically write down policies and procedures. You have to write down this specific process that you follow to do validation, to do audit checking, to do assessments, to do vendor risk management.
You have to write all that down. Because when an auditor comes in, what they're going to do is basically audit you against what you say you do. Not necessarily look at just what you do. And the only way that you can determine whether you're doing enough is to basically write down what you're doing and measure against it. And form Information Security standards, for example. And all of that work is incredibly administrative. There are tools out there that claim to do that. Implement our software, set up a few configurations and a few integrations that we automatically generate yourself to report. Information security doesn't work that way. The reason those tools exist is because there's so many technical CISOs and CTOs out there. And CTOs are easily sold on technical solutions. They want to believe that technology can solve all their problems. And if someone can basically offer them a technical solution that claims to make the problem go away, they're really susceptible to that sort of sale. But the reality is the reason operational CISOs are more effective is that they realize that there's a huge amount of administrative work that has to be put in place, a huge amount of organization that has to be in place, a huge amount of tracking that has to be put in place to make sure that the entire organization, not just the IT department, is doing everything they need to do.
Mike Krass: I think I heard you say this earlier. I just wanted to make sure I heard you correctly. You said this with all the confidence in your voice. You believe that if someone's a technical CISO, there's no reason why they could not invest in themselves and get or seek training and counsel and coaching and become an operational CISO. It's not a chasm that's uncrossable, right? You really believe that could be crossed if the interest was there?
Grant Elliott: Of course, generally speaking, technology requires some degree of intelligence. People that go into software development or go into IT, they're not necessarily easy fields. So people who operate in those fields are smart and capable. They're intelligent. As I said, I'm not trying to diminish anything. There's some amazingly, incredibly talented technologists that operate out there. It's more of a mindset change. The question comes down to…They're more than capable of understanding operational requirements. The question is, do they want to? I'm a big believer of the Peter Principle. The Peter Principle is where you promote someone to their first level of incompetence. We do this a lot within large organizations. We identify people and say, “You're really good at the job you do. You're so good at the job you do, we're going to promote you.” And then maybe they're good at that job, maybe they're not. And if they're good at their job, we promote them again. And then we keep doing that until the first time that they're not good at a job. And then what we do is we don't promote them. We just leave them in that role because they're not good enough to be promoted. And the problem is not that they're doing the job so badly that you're going to fire them. You get them to the level of incompetence and keep them there. That happens a lot on the IT side. Because, typically speaking, you get someone who's a good software developer. You get someone who's really good with IT configuration. And then you promote them into management. And maybe they're not such good managers. So you definitely have that segment of people who are always going to be on the IT side. Who always enjoy playing with technology. That's really what they enjoy. But there's obviously a lot of those folks that absolutely can evolve and develop into management. And so those are folks that have that kind of management layer, that management thinking who want to broaden their horizons beyond just IT. 
Absolutely, they're more than capable of viewing this as an operational perspective. And there's more benefits to this as well than just operating the security program. There's the communication with executive management as well. I think one of the big challenges that technical CISOs have today is they find it very difficult to articulate value to the CEO, to the board. Because, again, they're talking about implementing technology. They get very geeked out on some of the solutions that they want to implement. Whereas an operational CISO starts looking at things like ROI. Starts looking at things like risk value. Starts looking at things like availability and uptime. They look at things in a way, like using metrics and business arguments, that the CEO and the board can resonate with better. And so it tends to be better. Again, not only are they better at, for the most part, operationalizing and implementing and running a security program. They're better at getting the business case and getting the funding and basically articulating to executive management the success of what they're doing.
Mike Krass: Yeah, it helps recall things when there's a story associated to it. You were mentioning earlier in our conversation, the administrative side. That's basic things like onboarding and offboarding employees. Onboarding and offboarding vendors. We've actually had the experience here at MKG Marketing where, working with a security company, we didn't get offboarded on some of their systems that had sensitive information. Our working relationship had concluded. We had no active contract together. Yes, we had a master service agreement in place with some basic language around, you know, “For the next three years, we agree not to share everyone's secrets with all of our enemies, foreign and domestic.” We've had that happen to us a few times where security businesses forget about that step of the operation. We are finishing work with this vendor, like MKG. We're going to work with ABC corporation. So we'll bring them onto these different systems and platforms. And then people have just kind of forgotten to take us off. In fact, we've actually written to them and said we actually just took away our own access. You might want to double check that we did that correctly. But just an FYI. In one example, we had stopped working together months ago and nobody took us off any of your systems. A lot of access is available to us. And they always say, “Oh, thank you so much.” But when I think of the administrative side that you were talking about earlier, that's a story that stands out to me because it's happened to us multiple times where we did the right thing, and just took away our access. But not everyone will do that.
Grant Elliott: Yeah. And that's a big part of it. You pick a great example. That's a big part of what our platform does. We'll start off with every client, which is: what data do you have? Where's the data? And who has access to it? You have to ask those three questions every single time. And when you start understanding what data you have, you start to realize you have a lot more data than you think, especially in today's cloud based world. Again, it used to be that all of our data was a single perimeter. We had that kind of castle moat mindset. All our data was in central servers. So as long as you kept the bad guys out, then it wasn't so much of a problem. But as we evolved into a situation where all of our data is in all these cloud based servers. I'm not just talking about production data in AWS or Google Cloud. We communicate through Slack. We have productivity tools that we use to basically manage information back and forth; communication platforms for sending messages back and forth. And we're sharing sensitive data across all of those tools. And then every single new employee that comes on has to be onboarded to all these tools. And then when they leave, they have to be correspondingly offboarded to all these tools. There are tools that manage them, that single sign on. They're not tracking and managing the authority. The person who is managing your OneLogin administration account is not the person who should be authorizing Joe, who's just joined the company, as a contractor to get access to your production data. That has to come to him with some sort of level of authorization on it. And then vice versa, when Joe says that he no longer wants to work for you, can you go to one place and basically know every single system that Joe had access to? And then somewhere else to manage the process for basically moving him? Especially given that, again, if you are using something like OneLogin which controls access to those tools. What are the shadow IT?
What is the project management account that Joe signed up to on his own? And how are you basically tracking that type of stuff? Now, every layer that you do this, there are some great products out there that will provide some element of that solution. I like to equate security with being like a large colander. And every single hole in the colander is another potential security vulnerability. And there are multiple products and great solutions out there that will plug one or many of those holes. So the question is who's defining the size of the colander? Who's defining where those holes are? Who's defining how big those holes are? And what the priority of those holes actually are? If you put that colander in water, there's no point in plugging one of the holes above the water level, if you know one of the holes at the bottom is still leaking water. All of that is administration. All of that is not technology. And so you need organizations and you need CISOs that understand the operational impact of doing this across HR, across legal, across procurement, across marketing, across the organization. Not just basically coming out of IT.
Mike Krass: Well, Grant, this has been a very enlightening conversation. I really appreciate your time today.
Mike Krass: For our listeners, that's a wrap on this episode of What's the Problem. I hope you found our conversation with Grant Elliott to be insightful, informative, and actionable (most importantly). Remember to tune in next time for more discussions on the latest challenges in the world of security. Also, I just want to give a quick shout out to our host MKG Marketing. MKG is focused on helping security companies get found, drive leads, and close deals. So if your cybersecurity firm is struggling to generate leads or close deals, let us help you. To learn more, visit our website at mkgmarketinginc.com.
Grant Elliott is the founder of Ostendio, a cloud-based security management platform. He has extensive experience in the world of cybersecurity, serving as both a CEO and a CISO at previous companies.