Leadership in Cybersecurity

Listen to learn how to assess your company's security needs and communicate cybersecurity to your executives.

SecurityMetrics Podcast | 46

"How do I navigate this market, serve customers, and protect my brand reputation? At the executive level, that's the stuff they're thinking about. That trickles down to security objectives and initiatives. As a security leader, if you're in the head of your executive - what they want to do and why - then you can speak that language and drive better security."

Maintaining strong leadership is essential in cybersecurity. A good leader needs to know how to navigate their company's security needs, as well as communicate those needs to their executive level.

Christian Hyatt (CEO & Co-founder, risk3sixty) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the ins and outs of being a successful leader in cybersecurity.

Listen to learn:

  • How to assess your company's security needs
  • Communicating cybersecurity to executives
  • Tips to navigate internal politics
  • What is inside the Five CISO Archetypes eBook

Resources:

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcription of Leadership in Cybersecurity

Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very good show today.


But before we hop into that, I wanted to let you know I'm going to be at HIMSS, with Heft. If you've seen the news podcast that we put out, you know who Heft is. He is great. He and I are not just gonna be there.


We're gonna be at the booths. Come talk to us. Have a good time. Let me know if you're gonna be there, what time you're gonna be there.


We'll arrange to meet you. Also, I'm going to be at TRANSCACT and at WSUS. Just dropping in towards the end of WSUS conference. Any of those, just let me know, and I would love to connect with you, have a coffee, whatever.


So, also, today, cannot be more excited about this guest because he's going to talk to us about leadership in cybersecurity. I think it's a very important topic. His name is Christian Hyatt. Christian is the CEO and cofounder of risk3sixty, where they help organizations assess, build, and certify security and privacy programs.


Based on his experience as an entrepreneur and from working with hundreds of organizations as a consultant, Christian brings a unique perspective to cybersecurity, privacy, and what it takes to build a successful business. Also, keep an ear out for the five CISO archetypes ebook that he's gonna talk about. It's kinda towards the end of the program. Christian, thank you for joining me today.


Thanks so much for having me.


So, we're talking about leadership. And I think that leadership in security in general doesn't get the attention that it needs.


And in considering who do I talk to about leadership and security, your name just was top of the heap for me. And so I'm really excited to talk about this with you. And you came back with some conversation, you know, potential for me saying security is all about business objective alignment. And I thought that was such an important concept. I wanted to lead with that. Can you tell me what you mean by that?


Yeah. I think when a lot of people think about cybersecurity, the natural thing to think about is the technical stuff, either the compliance side of the business or pen testing or the latest tools and technology, because that's just the way most of us are grown, where we grow up through the business thinking about those technical concepts being subject matter experts.


And then because now I'm a CEO at risk3sixty, which is a security advisory firm, and I'm interacting with security leaders as a consultant, I have this kinda new perspective where I'm realizing what's happening at the executive level and the types of conversations they're having are business focused, which ultimately drives security initiatives. And that's a piece of perspective that I wish I had earlier in my career because there is a reason that businesses decide to spend money on security or adopt security policies.


And I narrowed it down to really three primary reasons, and we can dive into these if you like. But Yeah. It's really to reduce risk. So companies wanna reduce risk, stop a breach, protect their reputation.


That's kind of the most intuitive reason that companies wanna do it. And I think most security people operate off the assumption that that's the primary business objective, but it's not. The second reason companies often wanna do security is for cost or complexity reduction. And you can think about this in the world of a really heavily regulated company that has to comply with SOC 2 and ISO and PCI.


All of their engineers are bogged down with constant audits, and they can't actually do any product development.


So in that case, maybe the executive wants to reduce complexity.


And that's maybe where you come in and you harmonize all your security frameworks and you make regulations a little easier. And then the third reason is revenue generation.


Especially for me, we have a lot of high growth technology clients, and the primary reason that they wanna do security is because they want to instill trust with their customers and prospects.


And that sends them down a path of obtaining security certifications or building out programs.


So at the executive level, that's the stuff they're thinking about. How do I navigate this market, serve customers, protect my brand reputation? And that trickles down to security objectives and initiatives. And as a security leader, if you understand, if you're in the head of your executive and what they wanna do and why, then you can speak that language and hopefully, you know, drive better security.


One of the things that I think is a huge gap that I see is that lack of understanding of what drives the security leader or a lack of understanding of the language that they're using because it tends to be business focused. And like you said, security efforts are not, should not be, IT-focused, IT-led. They should start with the leadership.


How do you bridge that gap between the c level and the people who are actually implementing the security posture?


Mhmm.


I think as a security leader, a lot of times, you are the translator between those two audiences.


Because at the executive level, they often have a general understanding of risk and why security is important, but they don't have a deep understanding of that. They're more concerned with some of the business objectives that I just laid out. Whereas the security practitioner, their mission is to implement security. And sometimes they don't understand the why behind that.


So one of the things that I try to do is tell each party the why. So if I'm talking to the executives, and maybe there's challenges that they don't understand or risk that they don't understand, I'll explain to them the why behind it. So what's the risk? Why do you care about this from a business perspective?


What are the potential negative consequences or the positive consequences of implementing security? And translate it into their language. And the same thing with my team. So if I bring the team down, I try to give them all those perspectives and say, hey.


Here's what the executives are thinking and why they're thinking that. Here's what the customers and prospects are thinking and why they're thinking that. And that's why we've chosen to prioritize these initiatives in this way. And a lot of times, just explaining the why gives people enough information to go do the how enthusiastically.


And it takes a little time as a leader, just taking the time to step back and explain the why, because sometimes we start at step z instead of step a. We're trying to tell people what they need to do. And for me, I'm all about context. So if someone can give me the why, I'll enthusiastically go after the mission. But if I'm a little lost as to why we're even doing this, I'm a little less enthusiastic about it. So for me, that's what I try to do: try to translate back.


Absolutely agree. I know when I was earlier in my career, when I was the hands on person doing, you know, starting on the help desk and then going to, you know, doing the actual hands on keyboard work that's involved in IT and security. If I didn't know why, I would often forget that there was a how that had to be done. Like, putting those things together in my head, if there's just a list of rote things, and I think this is common to a lot of people. What am I supposed to do today?


If I don't have context for it, then you're kind of leaning on checklists that may or may not be accurate. You're missing things that perhaps, if you understood the context as you're going about doing your work, you might put these ideas together in a cohesive way rather than a checklisty way. And I see this in customers that are trying to do compliance without understanding that it serves security. Do you see that as well?


Oh, yeah. For sure.


I think it's so easy to fall into the trap of, like, the compliance check the box thing. Just because, like, my mission is to get SOC 2 or PCI or whatever. So you do whatever you need to do to make that happen as a compliance analyst. And sometimes, you don't zoom out and say, well, can I do this in a way that would actually reduce risk or there would be other net gains or fulfill other missions that are going on at the same time? A classic example of this for me is policies.


So, pretty much every security framework and every compliance framework requires that you have security policies.


Now if you're treating that like a checklist, like, you'll just download some policies off the Internet, you'll adopt them, put a chainsawog on it, and then hand it over to the auditor and say, look. We have policies. But if you're thinking about it from an organizational change perspective, the way I describe policies is they're the written articulation of management's intent and strategy. So if you can grab those policies, that's your opportunity as a compliance analyst to take that to leadership, get in front of leadership, and say, hey.


Look. Tell me what you wanna do and why you wanna do it. And it'll make them think about it, write it down, and then you can help them go carry out their mission. So little things like that, I think it's a huge missed opportunity as a compliance person if you just treat it as a check the box because maybe you can escalate it and get some visibility with leadership.


Maybe you can drive some organizational change. There's a million initiatives that might be going on, and maybe you can help serve those purposes too. So, I agree with you. There's definitely a huge gap, but I would encourage all the analysts to use those compliance initiatives as opportunities to serve the business beyond that.


Hundred percent agree with you on that. One of the things that I personally, I guess, struggle with is when somebody asks me, do I have to have this in order to be compliant with this?


Because it cuts out the conversation about security. So, sure, there are ways to, let's take PCI for example, because it has a very good framework on if you do these things, you will be PCI compliant and then you'll be able to continue processing checks. I mean, excuse me, processing credit cards. Right? So that's the goal of many merchants is I just wanna be able to take credit cards. What do I need to be able to do to get this attestation that lets me do that? Right?


And so, sometimes on the Internet, you'll see people say, well, compliance isn't security. And that is true. But as security professionals, if we go in and do a compliance assessment and we see, look, you're going to be compliant, but you're leaving this entire network unprotected.


I think it's incumbent on security professionals to say, alright. Here's what's going to bring you into compliance. But also, do you wanna be able to do business? Because these are the computers that allow you to actually do business with somebody. You can't even take a payment if you get ransomware on these systems. So maybe you should look at your whole ecosystem and look at it entirely from a security perspective. But, I don't think that everyone looks at it like that.


I think there's unique opportunities to make compliance folks look like heroes in certain areas. And a good example, this happens all the time, is we'll be doing an assessment, and we're talking about gaps. So you have this gap, and they said, well, like you said, do I have to do this, or what should I do about this gap? And then we get into this conversation about the why behind the gap because you could do the minimum standard. Maybe it'll pass the audit.


But I always encourage compliance and security folks to start thinking about the business objective. And because we serve high growth tech clients, typically, our clients are growing super fast. So they might be going from a hundred people to five hundred people over the course of a year or two. So when we're talking about things like network segmentation or access controls or different tools that solve problems, I'll ask them. I'm like, okay. Well, you wanna solve access.


Sure. You could do a manual user access review, and that would pass muster for the audit this year. But what about when you're onboarding and offboarding a hundred people or two hundred people per year? Like, do you wanna do centralized access and identity management?


And is that gonna help you scale your business? Is that really gonna cut cost in the long run? We start having these types of conversations. Now we're a little bit outside, we're definitely outside, the realm of compliance.


We're into the realm of security and also into the realm of does what I'm doing from a technology perspective support the scale of my business. Now that person who thought they were having a compliance conversation is having a strategic conversation about how to support the business, and that's something that they can take to their executives. They can say, hey. To be PCI compliant, we have to manage access.


But I'm thinking that we need to really invest in some technology here because we're gonna go from a hundred to five hundred people over the next year, and we have to do x y z. And I think those are very meaningful kinda mental shifting conversations away from compliance into supporting the business. And you can gain a lot of political capital as a compliance analyst or security manager if you can have those kind of conversations.


Right. And on the other hand, I see a lot of people who are in compliance who get very pedantic with the rules and don't actually take the time to understand the systems or how they work together for a customer and understanding the risk base for all of them, understanding some threat modeling for those systems.


And so you miss the opportunity to really do something positive for the actual security stance, not just the compliance efforts.


Yep. This episode is brought to you by the SecurityMetrics guide to PCI compliance. I personally helped with this guide and can highly recommend it to anyone going through PCI compliance. It goes through what the requirements are and then tells you in the real world what they mean, how to meet them, recommendations from auditors. So, it's a great resource to get the fundamentals of PCI compliance. You can get it on our website, www.securitymetrics.com/lp/pci-guide.


There's always, like, this balance when you're the auditor. So we do external audits sometimes, and I guess there's different schools of thought on this. You have one type of auditor that is very, like, I'm an auditor. I don't advise. Like, I go by the framework.


And I think there's some value in that mindset. I can see that. And then there's the other type of auditor, which I think is probably the preferred type, is when you're more collaborative. Like, you still have a job to do to be an auditor and be independent and all that stuff. But you can also, like, say, hey. I have the benefit of seeing a hundred clients.


You only work in your one environment, and this is what I've seen work well for them and some of the pitfalls.


And that's where auditing can turn into a huge value add because we have the superpower, the secret sauce of seeing hundreds of these environments where most of our clients see one. And there's, like, a special piece of knowledge that we have because of that.


I know that, like you said, people who don't like the collaborative type, their idea is that, well, if you're too collaborative, then you can't tell the customer no or you can't fail them. Yeah. I don't find that at all. What I find is if you're being collaborative and really having conversations about the environment together, you don't have to tell them that they have failed something. They see it. The same time that you see it, we all discover together that there is something that's missing, and then it gives them the opportunity to meet that gap rather than it being a hostile kind of a relationship.


Hundred percent. Yeah. If it could happen, it's like you don't wanna be the gotcha auditor. Like, they shouldn't be finding out something for the first time on the audit report. Right.


You know what I mean?


Yeah. It should be, like, over the course of conversations, you're probably arriving at conclusions together, And then they feel like, okay. I've learned something here. We had a miss. Let me go fix it.


Yeah.


And that's typically a lot more positive experience than, you know, you got an audit report, and you're like, what? There's a finding here? I don't know where that came from. I disagree. So that's, like, one of those techniques that auditors have to kinda manage, I guess, over the course of their career.


I agree. I agree. And I think that in the end, the general security of an organization is elevated by that type of approach. Because you'll get people calling you all throughout the year saying, because you were in that trust.


Right? We together have found out something. When we found out something was negative, we together set reasonable timelines for it to be fixed in order to meet, you know, the goals of the organization. And then you'll get a random call in the middle of the year saying, hey.


I'm thinking about this. Is that crazy, or is this a good direction to go with this?


I love that. Yeah. You get a call from your clients, and they're wanting a little bit of advisory. You know, the other way, I'm thinking about this right now for the first time, the other way that I think auditors can help clients is helping them see around the corner or communicate with their leadership team. Because often, when I come out to do audits, the person that you're interacting with most is usually a manager level or maybe even analyst level.


And their task is getting you audit evidence, setting up walk throughs, helping with the day to day. And you might tell them that there's findings along the way, and they'll ingest that.


But then what I've had happen to me is they won't escalate it themselves. You know? So by the time the real decision maker, the real executive sponsor of the project, learns about the finding, they feel surprised. And then as the auditor or the security assessor, I'm like, I told you this a month ago. Like, that never made it to you. So I find a lot of the value that I can bring to the table is helping the compliance team navigate their own internal politics.


Yes.


And say, hey. Look. This is probably not gonna be received well without the context. Let's schedule a meeting and, like, just tell them what's up so everybody knows. And that's, like, one of those experience things too. Like, it is a hard job necessarily to help them navigate their own communication pathways. But if you're really good at your job and you're a compliance craftsman, then you can start thinking about those things as well.


I think that comes back to what you originally said where if you know the language and the intent and the focus of the business people, then you can serve those needs better as a compliance and security person. But if you are at maybe more of a starting point in your career, may have had less opportunity to communicate with these people, you don't know that language. You don't know how to share bad news or get budget for things that you know are an issue. And so, like you said, when you've seen hundreds of organizations and different issues, the challenges that they meet, then you can help actually give them phrases and concepts that set them up for success with that conversation.


So at risk3sixty, one of our core values is craftsmanship.


And I was listening to YouTube, and there's this book, I think, by a guy named Steven, I think Pressfield is his name. Probably have that wrong, but it's called Going Pro. And one of the things that, when we talk about the core value of craftsmanship, we talk about how anything is interesting when you get into the nuance. So most people don't dream of being a compliance professional, typically. But you get into it, and then you get really good at it. You get into all the nuances, all the chess pieces that have to be moved, helping people navigate internal politics, knowing all the frameworks, combining that with security. And all of a sudden, it gets really interesting.


Mhmm.


And this book, Going Pro, talks about that. It talks about how, and we should all take this to heart, how you're not just a compliance auditor. Like, you're a professional. And you should take being a professional, a craftsman that's creating a work of art.


And if you think of that, for anything that you work on, but especially in compliance, when you walk in the door, you kinda, you know, got a chip on your shoulder. You're like, alright. I'm gonna help these people navigate this, have my eyes open. I'm listening.


I'm trying to be empathetic. I'm gonna make sure my writings are tight. And then all of a sudden, you're a rock star. You're great.


You're a trusted adviser. You're thinking about business stuff. You're not just, you're not Jen, the PCI auditor. You're Jen, the person they call when they're thinking about making a big decision just to get your perspective.


And that's when this job becomes fun. Yeah. Yeah. Because you're like, well, let me think about the other hundred of our environments I've seen.


Let me think about how I'm gonna be able to navigate this. And you become really valuable to every organization you work with. So I don't always meet that, but that's kinda what I aspire to do for any client that I'm working with. And for our team, I always kinda give them that pitch too.


And I'm like, think of it this way because, like, that's when it becomes fun.


Yeah. And it is the most fun job I've ever had. And like you said, I don't meet that for every client. But what I find is if I don't, there's some kind of interpersonal thing that I think that customer would be better served by the personality of one of my colleagues.


And then I'll say, look. Let's give you someone who maybe understands your background and speaks your language a little better. I always would love to be that person, and I try to meet that. But I recognize that I'm not that for every person that I meet.


Hundred percent. I've told my team. I've been fired off projects many times. Not a ton, but it has hundred percent happened, especially early in my career where it was just, like, not a great personality match.


I remember this one time where we had a, what I'll call, negatively, a babysitter. You know, it was one of those clients. They just have a guy sitting in the room with you all the time. Yeah.


Mhmm. And they just wanna monitor the auditor. And I had a brand new staff with me who was new to the company, and I was kinda telling them a little bit about the company. I was like, oh, this is a great career decision.


This is a great company, and here's why x y z. And I didn't think twice about the fact that this person sitting in the room with me was overhearing this, but it turned out that they had some major turmoil going on in their company. So he kinda took offense that I was bragging about my company when his company was having some major problems. Oh, no.


No. We were just unaware of it. So, needless to say, come to the end of the project, he basically said, I don't want Christian back on the project because he took that offensively. And that was the first time I had ever heard about it.


It really caught me off guard. Oh. So whenever we have team members that, you know, they're great team members, but maybe they'll have a client that, you know, for whatever reason, it just isn't a good fit. And I always tell them that story.


I'm like, look, man. Everybody gets kicked off a project at some point in your career. If you're in it long enough, you just have to, like, put your ego away, do what's right for the client, and do exactly what you said. Maybe find someone who is the good fit to go serve that client.


So Yeah. I know. If you ever kick off a client, so okay about it.


Yeah. There are people who approach things in a very different way than I do, and some people want something very, very different, and I'm okay with that. So, what I like about our conversation and when I listen to your podcast, which you put out every week, that's a lot, is that you really do talk about the c level, the organizational leadership.


And I think you have an ebook on five CISO archetypes.


I would love to hear more about that.


Yep. So, my podcast is Tuesday morning, Ryan. Our spin on it is we talk to security leaders and executives every week. So I'm in the position where I'm just listening. I'm trying to learn from these folks. So it's pretty humbling because these folks just had, like, crazy lessons and things to teach.


So I think we're about seventy episodes into that as of this recording. And, from listening to all those folks, and then we've done, like, a thousand security assessments, we started noticing these patterns in terms of personality types of security leaders. And then on top of that, the business objectives that were driving security initiatives.


So for fun, I put together a lunch and learn. We do, like, a weekly lunch and learn at risk3sixty. So I put together a lunch and learn saying, hey. Here are the five CISO archetypes that I've identified.


Here are the three business objectives, and here's common org structures to support those. And it was pretty well received because I think our consultants were like, man, I can think through my clients and see how, like, this executive fit this personality type and how that influenced them to behave in this manner. So, I ended up writing an ebook on it. And what the ebook is, it talks about the five CISO types.


I put together a self assessment. So if you're kinda curious which leadership style you might have, and I also put together an assessment so you can kinda review your organization and see what your business objectives might be. And then also, like, a diagram, a RACI diagram of potential work structures based on those two things, packaged it up, and it's all free.


So if anyone googles that, they can probably find it and download it and have a look.


Find it on the risk3sixty website?


Yep. We have a resources page for, there's tons of free videos and templates and downloads that you can have. So if you either Google five CISO archetypes or go to our resources page, they can see all the material there.


Excellent. Well, I sure appreciate your time today coming and talking to me about leadership. I think leadership as a compliance expert, as the third party, is sometimes overlooked.


But in my experience, it's one of the most important aspects of a successful third party assessment.


Absolutely. Thanks so much for having me, Jen. I appreciate it.


Alright. We'll talk to you again soon.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
