Aug 6, 2020
In this episode of the Exabeam Podcast, the host, Steve, and guest Chris Ard, discuss the more human aspects of the CISO role, effective leadership, and how complacency can be a dangerous quality.
The first topic we covered was finding a work-life balance that benefits you and your family. Chris spent twenty years working for Microsoft, traveling all over to companies with major security breaches and helping them control the situation. Although he learned a lot and loved his job, he realized he barely spent any time at home, and when he did, he was always on calls. We discussed how easy it can be to settle into a role that you enjoy, but then end up remaining in your comfort zone. Once Chris acquired a new job did he find himself growing once again and spending more time with his family.
Good Talent, Bad Breaches
Spending two decades assisting different companies, Chris picked up on an interesting discrepancy between the talent and the security breaches. While breaches happen to everyone, some seem completely avoidable or like a mistake. As we talk about, many companies hire talented, intelligent people—and yet these preventable situations occur. Chris weighs in that many times, leadership can influence the strength of the security. If a CISO is willing to accept cookie-cutter systems as oppose to implementing a more holistic approach, their security can suffer.
Chris outlines a great metaphor for the condition of many security measures—the M&M model. The team has built a hard exterior with a soft interior, meaning, once an advisory has breached the initial wall, its free to move about in that environment with no obstacles. Listen on to hear more about how this happens.
Bad Actor Residency
We also speak on how it can sometimes take not just weeks, but sometimes months or even years to detect bad actors. We point to reasons why adversaries can remain in an environment for so long, and how teams or companies can overlook root causes.
CISO’s Ownership of Breaches
In today’s episode, we also pull outward to look at the hiring and firing system of CISOs and how it may not be the most effective system. When there is a breach, the CISO often takes the blame—but so much so that they end up having to leave. The issue with the CISO leaving is that they can never learn where things went wrong for that program and work towards growth. Listen on to hear about the teams Chris has encountered that do not get rid of their CISOs and how this effects their security overall.
The extent to which a leader makes an effort with the rest of the team has a surprising impact on how well that team performs. From sitting down with junior analysts, to receiving less filtered information, CISOs can transform how their team handles a crisis just by getting to understand them and their concerns prior to that crisis. Additionally, we touch on the commonality of leadership being pressured to alter assessments to fit certain initiatives.
Marathon or a Sprint?
The intense schedule of any CISO causes us to ask if this job is really a marathon or a sprint. In a way, you have to maintain the energy for daily tasks like a marathon, but in other ways, you burst towards the finish line while trying to stop a crisis. In thinking about the CISO burn out rate, we debate on how more problems can arise if one side is neglected, or if the team communication breaks down, leading to wasted energies. Hear about our different opinions on the matter in this episode.
Pen Testing and Compliance
A great point that Chris brings up is the failures of the pen tests, and how we can improve them. Oftentimes, the pen testing is so restricted that it fails to foster a realistic crisis-situation, leaving the team out to dry when there really is a crisis. As we point out, some companies would rather appear solid now, only later to be proven wrong, than to look weak upfront and solve real issues.
Along with this pen testing is the idea of compliance. We perform the test annually in order to comply with industry standards, but as Chris says, we need more. We need more to motivate us to do well than just compliance—we need meticulousness and hard work.
In this episode, we also discuss the importance of always pushing to be better. Chris highlights that CISOs get good at their day jobs, but they don’t always push themselves to learn better crisis management when an incident does occur. As the landscape is constantly changing, we must change along with it in order to be able to assess new types of threats.
While the security does not bring in revenue, they certainly can help prevent revenue loss by allowing the rest of leadership to focus on their goals. That’s why it’s important to explain what the team is doing and why it’s important to the rest of the company.
When transitioning to a new position, Chris stresses the importance of not just getting to know your team but also other executive leaders. Reaching out to a peer and getting to know him/her facilitates better communication and a. professional relationship overall.
A CISO’s Role in a Board Meeting
Lastly, Chris took us through his journey through board meetings after joining a new company as a CISO. He discusses how much time he was given to present, and how the attitude of the board members towards the significance of cybersecurity shifted overtime.
Additionally, Chris imparts his advice on advancing in your company and learning to enjoy the process.