What is the role of a CISO (Chief Information Security Officer)? - Melanie Ensign - Bonus

Melanie:

And this is why preparation happens so far in advance of needing it. Right? Because you can't in the middle of an incident. Like, I hate to say that's, like, never waste a crisis. I hate that.

Melanie:

I've I'm no one no one is building long term infrastructure during a crisis. They're just trying to put the fire out. Right? I need you to be thinking about, again, what are the long term outcomes that you want to see from this program? Let's build that now so that we can quickly make decisions in the moment and be proud of where we end up.

Kevin:

Well and when I say don't waste a crisis, what I mean is that, you know, take those learnings and then, you know, use that to, you know, drive your road map for the next year.

Melanie:

I I worry about the popular app use, at least in the security community where I feel like they've defaulted to managing by crisis. You know, as as if we can't get anything done unless we're having a crisis, which you I'm like, you should be incentivized to avoid the crisis rather than just allow it to happen because you don't know how else to advocate for your team. I feel, you know, managing by crisis is not strong management.

Kevin:

Also, I think some of us are in organizations which only really allow us to manage by crisis, and that's a you know, maybe a problem at another level of the organization, but that's a real problem.

Melanie:

But especially if if you're in an executive position, you either need to, number 1, not take jobs where you're not gonna be able to succeed. Right? Like, being able to recognize whether or not you're in that type of organization or about to join it. Or number 2, it is in fact your job to change that reality for your team before the crisis. Right?

Melanie:

I mean, if if you're working for a security executive who can't get budget until there's a crisis. I have a lot of questions about the competency of that security executive.

Kevin:

True. Yeah. Yeah. It's either the executive or the organization or some combination of both and probably some combination of both. But, like, yeah, get that motivation happening.

Melanie:

I feel like sometimes, especially, like, first time CSOs, you know, especially if they're coming up through with the engineering ranks, They may not be prepared or even aware that you're no longer a security person. You are a business executive. You need to be able to form alliances and relationships with your executive peers in order to get things done. You know? For example, I I've mentioned that we do, like, training with various engineering teams on negotiating with product teams, with other engineering teams, right, to get shared KPIs and to get security outcomes onto a road map outside of your reporting chain.

Melanie:

Your your CSO or your CSO, whatever the title happens to be, right, chief secure information security officer or chief security officer for folks who aren't in security, You know, you need to be able to like, you can't, isolate yourself from company politics just because it's unpleasant. It's actually how the business works.

Kevin:

It's the job.

Melanie:

And if you yeah. Exactly. And I don't think that we've adequately prepared a lot of newly minted security executives for the reality that of this role. Right? It's not about being the smartest security person in the room.

Melanie:

It's about being an executive who can get shit done.

Kevin:

Interesting. That's an interesting way to frame

Melanie:

it. Yeah.

Kevin:

I don't know. I'm thinking about this.

Melanie:

Like, your chief marketing officer is not always the smartest. It doesn't all doesn't come up with every single, like, good marketing idea by themselves. Right? Their job is to go win the budget and to make sure that execution delivers on that investment.

Kevin:

They build and run a team to

Melanie:

It's a business unit. So I think more security teams need to recognize if you wanna be treated like a business unit, you need to act like 1.

Kevin:

Okay. How are you driving value for the business? What's your ROI? And we we talk in security about that being hard to quantify, but, like

Melanie:

But I I think that's true if you're only focused on security ROI. If, for example, you look at something like support tickets, a lot of companies track the cost of individual support tickets.

Kevin:

Oh, yeah. Very closely.

Melanie:

They know to the penny how much every ticket costs. Right? Well, as a security organization, can we go talk to our customer support team and find out, are they getting a lot of tickets about security issues? Is there something we can do to reduce the number of security tickets they're getting? Is our login process too difficult, right, to get a secure password?

Melanie:

Is account recovery too difficult? That's usually the one that kills everybody, because they put in all these security things and not considered what, like, normal people do when they use these tools. So if you work with your customer support team to reduce the number of tickets, look at you delivering value to the business. Right? And it had nothing to do with code reviews.

Melanie:

Right? Same thing with, like, Cisco actually produces a really good report on privacy benchmarking every year where their privacy team works with their sales team to find out how many deals did we close because of a privacy thing that we built. Right? So they can actually get tangible ROI for because of our privacy thing, either something that we built or something that we removed. Right?

Melanie:

We were able to close all these deals, or we were able to shorten the sales cycle. Right? So go work with your cross functional partners, figure out where are you actually interacting with meaningful business transactions. And so it it's not like, here's the value of, you know, the vulnerabilities that we found. It's because of our team, we we made more money, and we spent less on support.

Kevin:

Yeah. Oh, that's interesting. Maybe I I don't know. I had a project when I was at Stripe, to try to take the, like, security compliance documentation, just put together a packet. So we could you know, when a customer comes to us with their own bespoke security questionnaire, we could, like, hand them back the packet.

Kevin:

Be like, all the answers you need are in here. Yes. Please come back to us if you have any questions. Almost no one reads those. I am fairly certain that I was the only person who ever read some of the ones that we received from our vendors, but, like, getting to that point.

Kevin:

But also, maybe there's I mean, maybe that's the thing I could have, you know, sold hard around. I got, like, halfway through it and then, like, wound up leaving. But, at least, you know, got them started. And, but yeah. I don't know.

Kevin:

Maybe there was also other ROI there that we needed to be more involved in the sales process and, like or where figure out where the sales process was getting hung up on security issues if the sales process was and where we could help there. Yeah.

Melanie:

Exactly. I mean and and it's interesting because I think one function that has done this well is, the legal team that deals with contracts. Right? So, you know, especially if you have a large vendor, they have very specific requirements for things like data storage and data security and data transfers. Right?

Melanie:

All of the companies that already have those things in place can sign very large contracts with the large customers quickly. Well, quickly. Right? But faster than otherwise.

Kevin:

By enterprise software standards. Yes. Faster than somebody has to go put all that stuff in place.

Melanie:

Yeah. And so the thing is, like, there are people in your organization who have this knowledge, who have access to these numbers and this data. Like, you just need to go analyze it and put it together and figure out how to create a narrative that is compelling to the business. Right? So yeah.

Melanie:

Sure. If you go in there with, like, the Verizon breach reports, so, like, your board meeting, but, like, of course, no one's gonna take you seriously. Right? And it's it's why they're they're all you know, we see a lot of board presentations that are focused on things like how do we compare to our peers. Right?

Melanie:

Because particularly in the United States, in areas where we lack regulation, companies are hesitant to stick their neck out in areas where their competitors aren't doing that. Right? And so a lot of boards are like, how do we compare to our peers and and all this other stuff? And and they feel like in a a lot of cases, that's a placeholder for a metric that they would truly care about, which is how is security impacting the bottom line?

Kevin:

Well, to tie it back to the incident, like, it sounds like this was an opportunity where, like you said, like, security actually delivered kind of a PR win. Like Uber in a moment where it really needed a win, got one from the security team being able to stand up and say, hey, here's what's going on, Here's what we did. Here's why.

Melanie:

To be able I mean, we were able to disclose all of those reports because our team was so thoughtful in the way that they communicated with this individual. They we were proud of what we had to like and I mean, like, we deserve to be proud. We weren't just, like, arrogantly proud. Right? We we we were proud of the amount of time and attention that we had given to this communication if you if you don't wanna see it on the front page of The New York Times, don't say it.

Melanie:

If you if you don't wanna see it on the front page of The New York Times, don't say it. Right? That is true, and not necessarily because it's gonna show up in The New York Times, but because if it's on Twitter, some people think it's fact. Right? And and it takes resources to figure out what's even true, and then there's just no way you can rewrite the Internet.

Melanie:

Right? So it's just so much better to try to prevent the, you know, the incidents from occurring and to be able to minimize the damage that they can cause in advance.

Kevin:

Get it right from the get go as a matter of process and as a matter of policy rather than having to come in after the fact and do cleanup on yeah. How did was, like, was that something that grew organically as you built it, or was that something where you had to actually take a case to your business leaders like you're discussing and, like, sell the ROI of disclosure?

Melanie:

So the disclosure piece, I think part of this was a silver lining of all of Uber's, PR nightmares is that we just expected anything could become public. Right? Whether, you know, whether through a researcher or, you know, a criminal investigation, like, everything was fair game. Right? There are so many memes and emojis in my emails because I just expect that a judge is gonna have to read it out loud, and I want it to be hilarious.

Melanie:

Right? So, you know, these we just by default, we expected to constantly be under the radar. Right? Or, sorry, to be under the spotlight. And so we couldn't fly under the radar.

Melanie:

And and when you assume that somebody is always watching you, it does change the way that you behave. Now if we think about it from a privacy perspective, it sounds creepy. But from a comp from a transparency perspective as a company, it's really important to just, you know, to just be prepared. Like, communicate and treat people in a way that you're not worried about this becoming public.

Kevin:

Well, also, it sounds like you were able to communicate in a way that you were totally willing for this to become public without being defensive, which is I think, like, when I think about the kind of conversations that I have had with especially legal is like the classic people who will get cold feet. They're like, very aware that oh, yes, all this stuff could become public. And we don't want it to become public no matter how good a job you've done. And so Yeah, I was

Melanie:

we had some of the smartest, most experienced security counsel that I have ever worked with, both in house and outside counsel, were fabulous. And so that that played a lot into it. Right? The fact that we had a fully supportive legal team that was that understood our perspective that, like, buried bodies are expensive and stressful. Like, we don't want to have buried bodies sitting around the company.

Melanie:

Right? And so, you know, like, I I I always tell our clients, I'm like, you know, if you have skeletons in your closet, the best thing you can do is pull them out and teach them how to dance.

Kevin:

Okay.

Melanie:

And do it

Kevin:

now. Okay.

Melanie:

Right? Because, I mean, just think about, like, anytime you're trying to, like, keep a secret. Like, how how many people do you have to trust to keep that secret? Right? And there there are going to be some company secrets like intellectual property, that are worth that effort.

Melanie:

And then all of the other secrets, why? Why why spend money, time, and energy when, you know, trying to keep that a secret when the reality is is you if you're just more thoughtful in the way that you communicate. I mean, it's it's interesting to me that, you know, there's so much put into risk management, in some of these companies and, you know, particularly on cybersecurity teams. And I'm like, the words that come out of your mouth demonstrate how well you actually understand the concept of risk management.

Kevin:

It's not just financial risk. It's not even reputational risk the way risk management people understand it. It's like, relational risk.

Melanie:

Yeah. Well, and even, like, the the risk of a misunderstanding can be incredibly costly. Right? Even if you are really trying to do something good. Right?

Melanie:

Maybe maybe it's not anything malicious. But if you didn't communicate it clearly, now there's a huge misunderstanding and a blow up on the Internet that you have to, you know, diffuse. I don't know. Could we have spent, like, 4 more minutes carefully crafting that message so that it was clearer?

Kevin:

So it sounds like some of the work was, like, having you embedded fairly closely with these engineering teams who were doing bug bounty triage to help them sort of craft the message and craft the relationship. And with that, you know, keep that north star in mind of, like, the relationship that you wanted to have with the researchers on an ongoing basis and, just a little support.

Melanie:

Yeah. Well and I I think you can really divide the value of of my role sitting so closely with those folks in being one, I was a constant reminder of thinking about those those long term outcomes. Right? But, also, I could just be a sounding board for them to go, does this say what I think it says? You know?

Melanie:

Like, how's getting a second opinion of you because because, again, if we're thinking about, should this become public, it's gonna be read by more than just somebody with, like, a technical background. Right? How will this read to a journalist? How will this read to our regulator? How would this read to a customer?

Kevin:

I we are in the habit of doing that. When I was at Akamai, you would just start on an informal basis, you know, pass the laptop around. I'm gonna send this email. Does this look hinky to you? And it made a big difference.

Kevin:

Yeah.

Melanie:

I do that. I'm a communications professional, and I have people in my life and on my team where I'm saying, can I get a gut check before I hit send on this? Because I I need to make sure that it says what I intended to.

Kevin:

And then building processes which support that in the organization and the organization giving people the time to take that extra 4 minutes rather than, you know, measuring them on how many bug bounty tickets they closed this sprint and yeah. All those

Melanie:

things. And, I mean, that that's a crazy measurement just in general because fewer tickets isn't necessarily a good thing.

Creators and Guests

Kevin Riggle (Host)
Cybersecurity consultant. Principal at Complex Systems Group, LLC.