What do we want the Board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be?
Check out this post and this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Phil Huggins (@oracuk), CISO, NHS Test & Trace, Department of Health and Social Care.
Got feedback? Join the conversation on LinkedIn.
Thanks to our sponsor, Proofpoint
Full Transcript
David Spark
What do we want the board and C-Suite to know about cybersecurity? If you could teach them one thing about cybersecurity that would stick, what would that be?
Voiceover
You’re listening to, Defense in Depth.
David Spark
Welcome to, Defense in Depth, my name is, David Spark, I am the producer of the CISO series and joining me for this show is, Geoff Belknap, the CISO over at LinkedIn. Geoff, thanks for joining us.
Geoff Belknap
Hey everybody and thanks for having me.
David Spark
He’s back on his good microphone. He did one show on his, not as good, microphone, but he’s back on the good one.
Geoff Belknap
And the good voice is back everybody.
David Spark
We also have a good sponsor for today, Proofpoint and thrilled to have Proofpoint joining us. It’s actually been a long time coming, we’ve been chatting for quite some time and very excited that they’re joining us. More about Proofpoint later in the show. Now, the tease for today’s episode, that I set at the very beginning, actually comes from, Helen Patton, who’s the advisory CISO for Duo Security. And she asked this question, on Linkedin, of the cybersecurity community and my feeling is that all C-Suites and boards, they have some varying knowledges of what’s going on in cyber and, given the recent attacks, their interest and eagerness to know more is key. So, I’ll ask you, Geoff, to set us up, what do you think they need to know to make your job more effective?
Geoff Belknap
I think the thing we always talk about here is, it is the CISO’s job to help the board understand how to contextualize cybersecurity in the context that makes the most sense to the board. And that’s really every security professionals job to help make context available to the people that are helping make the decisions, and help protect the entire environment. But I think this conversation is especially poignant because, as things are always changing, it’s good to understand what you should be informing people with to help them help you.
David Spark
Well, to help us through this very conversation is a guest that we had on the other show that I was so happy to have on. I said, let’s get him on Defense and Depth, it is the CISO of the National Health Service, Test and Trace Program, Phil Huggins. Phil, thank you so much for joining us.
Phil Huggins
Thanks for having me, Dave.
How do we go about measuring the risk?
00:02:15:19
David Spark
Christopher Zell, CISO for Wendy’s said, quote, “We are function of risk management, and that ultimately we are here to protect revenue.” And I should have mentioned that these quotes are, essentially, answering that question that Helen had of, what do you want the board to know? And quoting the book, Cybersecurity is Everyone’s Job, Eric Lankford of Birdville ISD said, quote, “Don’t be afraid to ask questions. Nobody expects you to understand cyber as well as you understand finance or operations,” and again, referring to the board of the C-Suite, “But everyone expects you to mitigate risks to the business and cyber risks are real. Your job depends on how well you address the real risks of an often-unfamiliar subject.” I think that very last line is key there. They are dealing with understanding risks that they don’t normally understand and that’s tough to make decisions on isn’t it, Geoff?
Geoff Belknap
Oh yeah, the only thing I disagree with here is, I do think boards are capable of understanding cybersecurity as well as they understand finance or operations and I’ll be specific here, because I think there’s a caveat. Obviously, they’re not going to understand the technical nuance as well as they might understand finance or operations, but, cybersecurity as Chris pointed out here, really is a function of risk management and you can effectively boil most of the concepts in cybersecurity down to just how we’re understanding and gaging risk and making informed decisions about that. I’m hoping our guest here has something to say in a British accent that supports that assertion, ’cause that makes it more true.
David Spark
So, could you deliver on that, Phil?
Phil Huggins
I can always deliver on a British accent. So, I think the board have a difficult job. It’s a highly specialist and technical area. Most of them don’t come from this area. In fact, vanishingly few people at board level have any technology experience, let alone cyber. But that said, we’ve been going through digital transformations now, for what, 15 years? It’s incumbent on the board to understand the business they govern, and I think the excuses of, “I don’t understand,” are starting to wear a bit thin, frankly. I think it is absolutely our job to help, it is our job to be the specialists, who can bring that knowledge to bear, to translate it into the business, but they really do have to meet us halfway. And I think with many boards, stepping forward into technology is something that scares them and I think that’s going to be a challenge that might take a generation to fix.
David Spark
So, you made the comment about, they need to come meet us halfway, and we talk a lot on our shows about the importance of a CISO is to know the business. So, what is the halfway you want the board and the C-Suite to come to?
Phil Huggins
So, I need to be able to say to them, I understand your business, I understand what you’re trying to do. At the moment, I’m in a government healthcare environment, it’s about the mission. When I’m working for a large financial services business, it’s about the revenue, it’s about the product’s success. I need to understand what’s important to them. That’s where I come to them. They need to understand that when I’m coming to them, that’s what I’m talking about. I’m not a specialist ivory tower guy, sitting there trying to spend their money. I am, but, what I’m actually trying to do is I’m trying to deliver the things that matter to them. And if they can’t make the connection between the things I’m doing and the things that matter to them, some of that’s on me, I’ve got to make that translation, but some of that has to be on them; they’ve got to be open to the idea that security is about delivering what they want, not just spending their money.
Geoff Belknap
I find that to be so true. A lot of what makes us impactful at our job is helping convince the board that, I’m not here as the chief technical nerd, I’m here to help leverage my skills against the same mission, or goals, that you have.
This is not just a security issue.
00:06:08:21
David Spark
Jonathan Folwer, CISO over at, Consilio, said, quote, “Our ultimate purpose in the organization, at least in the private sector, is to protect revenue.” I’m going to want you to address that comment right there, Phil, but, going on, Jonathan says, “Securing users, data, and hardware, software is just one aspect of that protection.” And Rob Duhart of Google, said, quote, “We exist as partners to accelerate the delivery of digital value and revenue versus restrict decelerate value.” And I think this is really a continuation of what you just said, Phil, is that we are here to be part of that revenue generating process that the business is and I’m sure that gets lost when they keep seeing cybersecurity as a cost center. Yes, Phil?
Phil Huggins
Absolutely. I think sometimes we don’t help ourselves because I see us as protecting value, we’re there to protect the value of the organization. In a business, that’s going to be revenue, in other places, that will have different measures. That value is the value we have today, it’s the things we do today, the things we’ve earned already, but, it’s the things we do tomorrow. And I think one of the challenges we often have in security is that we value the current value, we focus on the protection of what we’re doing now, and we can harm, sometimes, that innovation, that change, that new value generation and they’ve got to be treated equally. For the businesses or the partner, they’ve got to see us stepping into the future of value generation, but they want us to keep them safe. Ultimately, the board wants protection, that’s what we’re there to give them.
Geoff Belknap
Yeah, I feel like the protection is really important, but I think you’re hitting the nail on the head here. As much as it’s about revenue, it really is about enabling the business to achieve it’s mission. And sure, for a for profit enterprise, ultimately the mission is to generate some revenue and some profit but, more broadly than that, you’re there to provide something of value to an end user, or a customer, or a member, and part of doing that is doing that in a way where that member, or customer, or whoever it might be, feels safe in their interactions, feels like that you’re organization will be there in the long run, that it will protect the data that they’re entrusting with you, and all of that is about protecting this board spectrum of, not just the board members, but also your customers and your vendors. And I think that part is overlooked when we’re thinking about talking to the board.
David Spark
Is there a way that you demonstrate how you are actually protecting the revenue? What way does that come across, Geoff?
Geoff Belknap
I think for me it really just comes down to, relationships matter and building relationships with your board, and your executive team, helps them understand that beyond any chart or spreadsheet that you’re going to share with them, helps them understand that you are aligned to the mission, that you think about it the way that they think about it, that you might be practicing your craft, which looks relatively new to them, at their spry age of about 72 and half year old, white males. But it’s those relationships that help them see that you’re not just coming from it an angle of, what’s the most amount of money I can spend on a new toy? But, what’s the best way to protect our organization’s mission and our organization in general?
David Spark
Phil, when you’re talking about reducing risk and managing protecting the business value, are you saying, “Well, if we don’t do anything, this is what we’re exposed to. If we do this, we can reduce this risk and deal with that.” And do they comprehend that conversation?
Phil Huggins
They do when I’m able to put that in direct terms that they understand.
David Spark
And how tough is that for you to do?
Phil Huggins
It’ll depend on the organization. If I can talk about an investment program, if I can talk about a product launch, if I can talk about the mission, an operational mission, and I can specifically say, “This is a week out, we’ll not be delivering for a week, or, that product goes to market a month later, or, this investment, you’ll get 20% less return on it because we’re going to be cleaning up forever.” Those are the sorts of things that give them a sense of where the costs are and it can’t always be about the cost, but that drives them towards an understand of some of the downsides. But I would say, a lot of this is about trust, any executive going to a board has to be trusted by the board. And I can turn up, to any board and tell them how much problem they’ve got, and, if they don’t know me, if I’ve never delivered for them, if I’ve not been consistent in what I’ve done, I’m just another voice, I’m just another guy turning up and telling them what to do. And there’s a large part of this is about how the CISO builds trust with that board, so that it’s not about, “Did you calculate the right return on the investment?” It’s about, “We trust you when you say, this is where the return on the investment is.”
Sponsor – Proofpoint
00:10:56:17
Steve Prentice
Every CISO strives for ways to break down barriers between security and the business and one of the things they can look for is a better understand of the users. According to Brian Reed, who’s on the cybersecurity strategy team at, Proofpoint, information protection has been following data around, but should really be following users around and better understand the psychology of what they do and why they do it.
Brian Reed
I cover security awareness training and, in my opinion, the focus here is completely wrong. We get focused on stopping clicks through phishing prevention and phishing awareness, that’s not really the problem, instead of measuring clicks, we need to measure critical thinking. It’s not so much about the click, but it’s measuring the resulting action and wouldn’t it be great if we could actually understand our users enough and communicated with them well enough to say, “Hey look, you’re one of our top attacked people and you’ve got a lot of privileges. We’re going to give you some additional tools, some additional training and some additional process support to help you out.” So, I’ve been tearing through the metrics from the Verison data breach investigation report from this year. Verison notes that, 85% of breaches involve a human element and 61% of breaches involve credentials. The end goal for attackers is credentials and personal data. So, we need to do more to understand how users are using, or not abiding by the rules you have in place, for credentials and personal data.
Steve Prentice
For more information visit, Proofpoint.com
How do we make this everyone’s concern?
00:12:34:24
David Spark
Sol Bermann, CISO over at the, University of Michigan said, quote, “Cybersecurity is a shared responsibility that must be risk-based. Don’t just look to the CISO and security team to be the only ones to do the work.” Jody Denner of GSA said, “Everyone plays a role in cybersecurity.” And, Mike M of JP Morgan Chase, quote, “It’s important to invest in training and building a security culture vs buying the latest gadget.” I think a lot of this is just a continuation of what we’ve just been saying, Geoff, but this is really pushing home that it isn’t an us versus them, or, we’re in our ivory towers, it’s like, we’re just leading this charge, yes?
Geoff Belknap
Yeah, and I think the charge is cultural change. So much of this is the two things and I think Sol’s point really brings out the other point we’re trying to make. Which is, yes, security is a shared responsibility. Security is not the only orgthat is responsible for security at your organization. Security is the org that leads that and, ultimately, becomes accountable and hopefully responsible for it, but, everyone has a part to play. If it’s only me or Phil doing security at the organization, the organization is going to have a security failure, that is just the end of it. And then I think, I’ll just say, I think Mike’s point is also really important, we still need to convince people that IT and security are not just the two org’s, or the two teams, in your organization that are there to spend your money. Yes, security is certainly a very capital intensive and a resource intensive practice, but it is not a practice with the sole purpose of just spending capital on resources. We’re there to align with the mission and I think Phil made this point really well, we’re there to align to the mission and we need to build those relationships so people understand that and don’t just make assumptions.
David Spark
Phil the thing that I’ve noticed, my wife was actually just doing some security training for her company and, one of the hard times of trying to get everyone on board with understanding it’s shared responsibility is they get the, “Well, you’ve got to do this for the business, you’ve got to do this for the business,” and it just seems more of a requirement rather than an understanding. How do you take something from, I just have to do this for the sake of doing this, to the, oh no, I understand this intrinsicially and that’s what I do it?
Phil Huggins
That is one of the big unsolved questions we have, hunting around the edges of our security practices. How do we actually get people, who are non-specialist, to understand the subject? How do we get them to change their behavior? I like Kevin Shielder here in the UK has a great saying which is, he wants people to care, not be aware.
David Spark
Good line.
Phil Huggins
Yeah, it’s a great line. It’s not enough to tell people that security is important, it’s for them to understand it’s important, even if they don’t necessarily understand the detail. Again, if I had an easy answer, I’d be making a lot more money than I am and I’d be out consulting on it. But, I think a lot of this is about understanding what security gives the mission or the job that they are doing. I’m working in a healthcare environment, it’s all about patient outcomes. So, if I can articulate why there is a direct line between some of the work we’re doing in security and the outcomes they can give their patients, absolutely, we would see more understanding. Whether that sticks or not is another matter, and that’s another conversation.
David Spark
Well, to quote my co-host from the other show, Mike Johnson, he has said, one good tell tale sign is if people start asking you questions about their own personal security or, like a good gift to give to all your employees is their own password manager, ’cause then they can deal with their own personal security, once they start getting that, then they slowly can start to see the value to the company. Geoff, yes?
Geoff Belknap
Yeah, I think that’s dead on and I would never disagree with, Mike.
David Spark
I am pulling that quote out. I never disagree with, Mike.
Geoff Belknap
Let’s be clear, I didn’t say which Mike. We’ll just let that hang out in the air there, I love you, Mike. I think it’s really important for people to care about their own security. I think in this day and age, it’s really hard to imagine convincing people to do the right thing, but I do think, ultimately, that people will do the right thing if they understand again, that context, why does this matter? And a great example I often quote from, Bob Lord, is that you don’t have to teach people medical science for them to understand you can’t drink a bottle of whiskey and a sheet cake every day for dinner, that will have some impact on your health. At some point, sure, enjoy, maybe not an entire sheet cake or an entire bottle of whiskey, but enjoy yourself, do what you need to do, but you have to balance that risk out and I think people inherently, when you can break things down to simple terms like that, they understand that it’s all about risk and you’re doing this to manage some risk, you can’t just go wantonly about your day and about your job without there being some managed risk. I think the thing that we, as security professionals, don’t always do, to our credit is, we don’t always think about that user experience; what is it like? Is it painful? Is it annoying? Is it so far beyond any stretch of the imagination? A reasonable thing to ask that people don’t want to do it, then they don’t want to learn why. And we have to bring it in and think about, how do we add the right amount of friction to somebody’s day, so that they can both understand and think that that’s an appreciable or reasonable amount of security to add? And that really is the magic. Phil and I would be off making billions of dollars if we had the secret formula for that.
David Spark
You got a business idea, guys.
Geoff Belknap
That’s it, Phil, we’re going into business now.
How important is this issue?
00:18:15:12
David Spark
Joel Caminer of, New York University, said, “Not understanding cybersecurity is not an option for board members today.” He continues by saying, “Don’t be distracted by headlines and other company’s breaches, but use them as use cases and learning opportunities about your own company.” And, Tod Johnson, of, Cynet Security, said, quote, “Stop asking your security team about where your company is protected. Ask them where your company is at risk, and fix that.” I really like this last quote, Phil, in that it also addresses that common question of, we’ve heard the C-Suite and the board say, which is, are we secure? Which is a difficult, if not impossible, question to answer.
Phil Huggins
It’s crazy. It’s that question you don’t want, which is, when are we done? If there’s one thing I’d want boards to know is, we’re never done. All we are is, we’re further up the mountain, or we’re further down the mountain, but, we’re going to be on the mountain as long as we have a company to run, as long as we have a business to run.
Geoff Belknap
Yeah, I think there definitely are board members that are coming new to cybersecurity. They’re, like, “Well, we’ve invested all this money, when will this be finished?” And the answer is always more education about that security’s not an end state, it’s a process. It’s an operational thing, it’s, like, we paid taxes last year, why do we have to do it this year? Well, it’s a process. I think in this case the really interesting thing is, I want to underscore Joel’s first quote here, not understand cybersecurity is not an option for board members. It is certainly an option for you not to understand all the nitty gritty details and understand all the nuance involved in what you read about ransomeware or anything else that’s in the press, but, it is not an option to not ask, “How do this impact our risk as an operating business? How does this impact the risk to the goals that we’ve set out for ourselves?” Because, at the end of the day, well again, Joel is dead on, you shouldn’t be distracted by headlines, we should be asking ourselves questions as board members, or, as executives involved in operating a company, “How does this impact our ability to reach our goals? How does this impact our customers or our members? And, what, if anything, do we need to do?” And certainly, I’ve a lot of peers that get frustrated by how many questions they get from executives by what’s in the press, certainly none of my executives, I love each of you, please continue to send me questions, but it is a thing where we need to have that discussion about whether we’re protected or not, because the landscape changes so much it is not a good thing to do to sit comfortably and go, “Well, the team handled the last one, they’ll probably be able to handle this one. Don’t have to worry.” I want people not to be worried like Phil said earlier, because I’m not calling them, right? I want them to be ready for, if I’m calling them, it’s important and we should talk, but I want them asking those questions when they need to.
Phil Huggins
I think we could help ourselves by being better at giving feedback when we’re doing with our programs of work and I think this is a common thing I see with CISO’s, we spend huge amounts of time and effort producing a risk based case of why we should run a security program. We run the program, we deliver, probably 80, maybe 90, if we’re lucky, percent of the things what we said we were going to do and then we say we’re done, but, what you don’t see is the CISO going back and saying, “I’ve just run all that assessment I did to get the money again, to show you what you got for your money.” And the problem is, that CISO then lasts another six months, next guy comes in, does the same big piece of work, finds a new set of risks and from a board members perspective, someone who’s been there six or seven years, they’ve been around this cycle, they’ve seen people pump money in and they don’t really know what they get. And I think we need to be better at our feedback loops, we need to be better at demonstrating our effect.
David Spark
An excellent point to wrap up on, Phil. And thank you very much. We have come to the portion of the show, Geoff and Phil, where I ask you, what was your favorite quote and why? And I will begin with you, Geoff, what was your favorite quote and why?
Geoff Belknap
Oh, there are so many good ones here. But I’m going to have to go with Joel’s quote here, not understanding cybersecurity is not an option for board members today. And again, I’ll just underscore, understanding cybersecurity does not mean you are now a PhD in computer science, it just means, you have to understand how this stuff impacts the risk to your operating business and it is just not an option to understand how it fixes all in.
David Spark
Good point, Phil, and I do like that quote as well. Phil, your favorite quote.
Phil Huggins
I like Eric Lankford’s view of the world, cybersecurity is everyone’s problem. Absolutely. Almost all cybersecurity is delivered by people who are not in the security team. At best, we can influence it. So, let’s understand that, let’s take it on board, we need to understand that we might be in a leading position, but we’re not necessarily in a doing position. And sometimes, we need to give other people the opportunity to show some leadership in this space.
David Spark
Excellent point. Phil, Geoff, thank you so much. Phil, I’m going to let you have the last word here, but first, I want to thank our sponsor, Proofpoint, thank you, Proofpoint for sponsoring and coming on as a phenomenal sponsor of the CISO Series, we greatly appreciate it. Available at, P-R-O-O-F-P-O-I-N-T, dot com. Just the way it sounds. By the way, unlike many other tech companies where I will say the name and then I have to spell some bizarre combination of vowels and letters that you would never assume that would go in that direction, but Proofpoint is spelled the way you think it is.
Geoff Belknap
Thank you, Proofpoint, if for nothing else, then for adhering to the laws of the English language.
David Spark
We appreciate it. Geoff, any last words?
Geoff Belknap
Again, thank you, Proofpoint for using spelling and grammar, but most importantly, Linkedin is hiring, feel free to take a look. Not only are we hiring for Linkedin and the security team, which we are, but for a great number of jobs, stop by, Linkedin.
David Spark
Where would one actually go about finding these jobs on, Linkedin?
Geoff Belknap
That’s a great question, David, and where they would go is, Linkedin dot com, slash, jobs.
David Spark
Seems obvious, like, the spelling of our sponsor.
Geoff Belknap
Seems like something everyone should know.
David Spark
Exactly. Alright, Phil, I always ask our guests, are you hiring. Are you hiring?
Phil Huggins
I’m hiring, the whole UK health sector is hiring in security at the moment. We need huge amounts of people, but I’m going to plug something. I did this on the other show, I’m going to plug the UK National Cybersecurity Center. They produce fantastic content, guidance, standards, whatever it might be. Really usable, not just the big fussy frameworks.
David Spark
It works on this side of the pond as well.
Phil Huggins
It works everywhere. What they do have, given what we’ve been talking about, is the cybersecurity board toolkit and this is both for CISOs to talk to boards and for boards to understand CISOs. It’s a great ersource. Go and use it.
David Spark
Thank you very much. I will link to it on the blog post. Thank you, Phil, thank you, Geoff. Thank you audience, as always, I greatly appreciate your contributions and for listening to, Defense in Depth.
Voiceover
We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.
