Lindsey O’Donnell-Welch: So a lot of it comes down to relationships and connections.
J Wolfgang Goerlich: Yes, absolutely. As the CISO community has gone through this journey from hardening technology to protecting businesses, we have had a lot of back and forth about what is the right relationship. We still argue at conferences about where the CISO should report. We still have conversations around what CISOs should tell the board. But you can always tell where someone is in the journey in terms of questions like “how do I talk to the board? What should I tell the board? And how can the board teach me?” And as you get towards that question, “what am I learning from the board and our interactions,” that’s when you know you’re speaking with a CISO who is well on their way to establishing relationships and becoming a seasoned polished executive.
We’ve witnessed the growing capability and competency in our field in terms of interacting with the executives and the board. We’ve had the back and forth in terms of where we should report. We’ve jostled about on how to structure our teams. So as we’ve deepened our understanding of the business, the business is deepening its understanding of cybersecurity.
So we’ve reached this point where we went from wanting to sit at the table to now having a seat at the table. What does that mean? I don’t know that we’ve really determined what that means. Suppose you’ve got a seat at the table, and your company is doing something inappropriate, and now there’s a blowback because of these activities, and that blowback reaches the CISO. What do you do? I don’t know that we’ve really thought through what it means to have a seat at the table. We’ve been so focused on getting the seat. Now that we have it, it’s going to be the decade of figuring out what we do with it.
Lindsey O’Donnell-Welch: With the SEC’s mandates about having the board of directors better understanding cybersecurity, I feel like that’s almost accelerated CISO involvement; do you have any thoughts on where the role of CISO is going?
J Wolfgang Goerlich: We need to find new fundamentals for what it means to do security. A lot of our existing fundamentals were based on an ownership and a control model. It’s my computer, it’s my employee. And a lot of our previous security controls were based on a smaller subset of known things: Because it’s my computer, I know how many computers I have, because they’re my applications, I know how many we’ve installed. Now, granted, we’ve all struggled with that in the past 20 years. But that was our industry’s fundamental assumption. When you look at third-party risk and supply-chain risk, and when you look at the fact that a lot of our employment models have moved towards including contractors, consultants, and B2B relationships, and you look at the supply chain becoming a supply mesh. The reality is, we now need to secure things that we don’t have visibility into, that we don’t have the ability to enumerate, that we don’t own, that we don’t have direct control over. So while the CISO today has to be technical, we need to know our craft as leaders of our craft; the CISO today has to establish and maintain governance. And our governance model is no longer just within the security team or the IT function. It’s embedded throughout the organization. It is this diffusion of who owns technology, who operates technology, who has the right to bring what equipment in and to do what they need to do for their jobs, this diffusion has upended our assumptions. This proliferation that we’ve all been through, and accelerated by the pandemic, means we need to find new fundamentals and new ways to enforce security. It means, in many ways, that enforcement is going to be through culture, not through the application of technology.
Lindsey O’Donnell-Welch: Speaking of culture, how can you cultivate a strong security culture in a business and where do you start?
J Wolfgang Goerlich: Part of the challenge is, “what is culture?” And as CISOs, we need to understand the big picture – Culture with a capital C – but we also need to understand the lower level components that drive it. So if you’re going to say culture is a series of behaviors that upholds our values, okay, that makes a lot more sense. And of those behaviors, there’s a subset of those which may or may not only uphold our values, which may either create additional risk for organizations or reduce risk. So if we take that approach of enumerating behaviors, we can build an intuition around the behaviors we need to foster, and we can start understanding which relationships we need to create in order to get those behaviors. That’s how to cultivate a strong security culture in a business.
The sad reality is, too often, our answer for security culture is teaching people not to click on emails. Why? Because it’s something simple to test. It’s very hard for me to test for behaviors which resulted in a Log4j vulnerability in a supplier that’s three rings removed from us. Meanwhile it’s very easy for me to send a phishing email to one of my colleagues and ask, “did they click or not?” So the challenge today with security culture is it often starts and stops at the phishing level. We really need to broaden that.
I’ll give you a good example. Back to third-party supply-chain risks, one CISO that I know has built his supply-chain management program and third-party management program as a culture program. So what that means is, he has spent a lot of time understanding what the frontline business managers and decision makers view as their responsibilities, how they make decisions about what software they’re going to use or not. He’s spent time simplifying those conversations, not as an “it depends” conversation, but as a “do they have this or that” conversation, a black or white conversation, which is incredibly important when we’re talking about transferring knowledge. And he has equipped and maintained the readiness with those people so that when they’re talking to a vendor, they can ask questions like, “What is your security posture? Are you doing multi-factor? What are you doing for this, that, and the other?” I don’t mean a list of a thousand things. I mean the top two or three things that drive the most risk, presented in a black-or-white way. And that’s allowed him and his team to let the business make many of those purchasing decisions. And by the time the decisions get to his third-party risk team, he’s not having to go and say “no, no, no, don’t buy this or pull that out or unplug this,” which is where many organizations are. By the time it gets to his team, it’s more, “yes, your answers pass our governance, we’re good.” This approach frees his team to go deeper with fewer vendors. So that exemplifies the approach where I think the CISO is going.
The CISO role is moving away from “we control everything and security is our discipline” to creating effectively a volunteer firefighter approach, whether it’s volunteer people who are within the organization, are making the right decisions, are exhibiting the right behavior, to reduce the risk, to drive the culture forward, and are doing so within the context of the business. So it actually is in line with where the organization is going, not working against where the organization is going.
Lindsey O’Donnell-Welch: What are the most critical steps for organizations in building out this culture, and then also leading into an effective cybersecurity program?
J Wolfgang Goerlich: For a lot of people, it begins with understanding other people’s realities, and understanding what they do, be that an operations person who I want to make a smart decision about a financial transaction or a product owner who I want to make a good decision about what third-party software to use. It begins with really listening and understanding.
Part of that is establishing a security champion and advocate program. Often we think of security champion programs as championing security on our behalf within that business function. So understanding the hidden benefits and barriers to a new security control through the lens of a security advocate champion. Start with listening, then creating an advocacy and champion program.
Third, we do risk evaluation, risk ranking, and prioritization. When we look at this, it is not only through the lens of what we’re trying to protect, but also through the lens of what we’re trying to prevent. This is where threat intelligence comes into play, and where the great work of groups like Talos comes into play. Oftentimes, we get really stuck in thinking about what our tech stack means to our organization. We struggle to consider what it means and looks like from a criminal perspective. Our ability to put the controls where they really matter from an adversary perspective is incredibly important.
And the fourth step is figuring out which behaviors address the risks we’ve highlighted and establishing metrics for those behaviors. It’s vital we aren’t limiting behaviors and metrics to something easy. But behaviors like purchasing the right software, onboarding people correctly, writing code that’s secure, whatever those behaviors may be.
Follow this process to make sure our priorities are really reducing risk without overburdening our workforce. That’s how we foster culture. That’s when we strengthen and deepen relationships. And ultimately, that’s where the CISO role is evolving to protect and secure our organizations.