In this installment of SecurityWeek’s CISO Conversations series, we talk to two veteran security leaders in the technology sector: Brent Conran, Chief Information Security Officer (CISO) at Intel, and Chris Leach, Senior CISO Advisor at Cisco Systems. The purpose, as always in this series, is to understand what makes a successful modern CISO.
The enduring question for many CISOs is where their role fits best in the organizational hierarchy. It’s an important question. Reporting to the CIO or CEO can be problematic because they have different priorities. Reporting to the CFO, Legal or Audit can be problematic because they don’t usually understand the nitty-gritty, down-in-the-weeds function of cybersecurity.
Nearly every CISO has a personal view on the question, usually with some slight variation from others, depending on their own experiences. Brent Conran from Intel has a dramatically different view from most. “Well, I work for myself,” he said. He doesn’t mean it in the normal legal sense. He means it in the psycho-emotional sense. “Once you’ve got that part of the equation figured out – that you’re a going concern in your own right – where you report to doesn’t much matter.”
But he admits it’s a vexed question. He’s been attending the RSAC Executive Security Action Forum each year for the last ten years. “They’ve asked that question every year. Ten years ago, 95% of CISOs reported to the CIO. Today, it’s probably about 55%, with the rest reporting to a range of offices.”
He thinks the solution depends upon a range of factors: the industry you’re in, what you want to achieve as a CISO, the relationships you have. “If you have a good relationship with the CIO, there’s often a lot of benefit in reporting to the CIO. But if you need a lot of independence to do what’s necessary as a CISO, then maybe you shouldn’t report to the CIO.”
Cisco’s Chris Leach is in broad agreement. “When I first started as a CISO, some 20 years ago, I reported to the CIO – and that made sense. But as the CISO role and accountability have evolved, so the reporting structure needs to change as well. Whoever controls the security budget controls the security – and the CIO has different priorities.” CIOs want smooth computing; CISOs want secure computing – and the two concepts are not always fully compatible.
But that leaves a problem, because other officers tend not to have a close understanding of security. “The best reporting relationship I’ve had has been with a COO. The worst was with a CFO – I don’t think CFOs really understand the issues. But in both cases, it was ultimately down to the personal relationships. I don’t think there’s an ideal place until you understand the individuals and the company concerned. But I can tell you this,” he added: “you should never report solely to a CIO. Maybe dual-reporting with somebody else.”
All of this raises some interesting questions: what can a CISO who wants to shine do if the reporting structure prevents it? Well, this is where Conran’s initial comment comes into play. By ‘working for yourself’, he effectively means it is your life, your career, so take responsibility for it.
“A CISO has to be able to effect change,” he said, “and if you’re in a position where you cannot effect change, do something.” He gave a hypothetical example. “If you report to the CFO and it isn’t working, there have to be other C-Suite officers you can talk to.”
Leach takes a very similar view. “If you’re not getting through to the company and you’re having a reporting issue, I would talk to internal audit.” If the problem is reporting to the CIO, Leach doesn’t suggest bypassing the CIO and taking the complaint straight to the board, or even trying to exclude the CIO.
“But I would begin with audit,” he said. “Get their view and see if they’ve had any discussions around this topic with the audit committee and/or the board. Audit understands conflicts of interest. As CISOs, we tend to beat up audit, but audit can be your best friend as well.”
The second question raised by the reporting structure is ‘compliance’. Compliance cannot be ignored. It’s either the law (like CCPA and GDPR) or club rules that must be obeyed (like PCI). The main issues, however, are where compliance should live within the company, and who should own it.
“There’s nothing wrong with requiring compliance with standards per se,” said Leach. “The problem is that there are so many of them. Any single company will likely need to comply with multiple different state privacy regulations, multiple international privacy regulations, national and international finance regulations, PCI and more. There is no single audit that confirms compliance with all of them – and maintaining separate and consistent compliance is a burden.”
But compliance is also a problem for the organizational structure of the company. “Take GDPR,” he said. “My argument is that privacy is a component of security. But we’re seeing a divergence of privacy and security with privacy going to the legal department. But the lawyers don’t do operations – they don’t understand 24/7 tickets and all those sorts of things we deal with.” So, privacy is taken away from security, but comes back to security to be handled.
“I’ve seen some companies that have a whole separate compliance department,” he continued. “That department does what it has to do, that’s good – but they always have to come back to security for answers or to make any necessary changes. Security is always central to the functioning of compliance. So should compliance be under security and help security, or should it be on a level and make demands on security? I don’t know the answer to that.”
Further insight into what Conran means by taking responsibility for your career comes from both the best advice he has ever received, and the advice he would give to new or prospective CISOs. The best advice came from his father. “Always work yourself out of a job, and you will always have a job.”
He has applied this in different ways at different times. He always looks for people who are constantly seeking to improve their position. He mentors and prepares them. “So, there’s one, two, or three people always ready to take my job – if necessary. But that means that if something bigger or better comes along for me, I can just take it without worrying about my current company. Or if my world suddenly changes, like mainframes get dropped and we move to client/server, or office working gets dropped in favor of remote working, I’ve already worked myself and the company into a position of being able to handle it. Work yourself out of a job, and you’ll always be in one.”
Leach’s best advice is different, but still related to taking responsibility. “The best advice I ever had was simple: never be afraid to vote with your feet.” He expanded on this. “If, as a CISO, you continually raise a hand to escalate issues – and assuming the reporting is to a CIO who has different priorities and ignores you – what can you do? If there is a subsequent breach, it is the CISO who bears the mark of that breach on his CV, forever. What can you do? For me, if I can’t get anything done, or I’m having roadblocks because of a bad reporting relationship, I would leave. And incidentally, I did leave… I did leave one company where I worked for that very reason – because I couldn’t get anything done because the CIO blocked everything I did.”
The advice that Conran would give to newcomers is again related to his central theme of taking responsibility. “What I tell everyone,” he said, “is that you must continuously and constantly learn – and if you do that, you’ll be successful. I get a lot of people who come to me and say, ‘I’m top of class with 99% right.’ I tell them that means you’re 1% wrong, and it might be that 1% that gets you. If you have the personality and aptitude to continue learning, you’ll thrive. If 99% right is all you want, that’s OK, but we’ll find somewhere else for you.”
Leach would simply recycle the advice he received: don’t be afraid to vote with your feet. It implies more than seems obvious. If the CISO is going to take the blame for a failure, he needs to be given the authority to prevent it. Without that authority, for the sake of your career, it might be better to move on.
At this point it is worth asking what it takes to be a top CISO. Conran has little doubt. “Agility,” he said, “and the self-confidence to use that agility. Look,” he continued, “we might be doing something one day, and the world suddenly changes under our feet.” Like the pandemic forcing an almost overnight switch from office working to home working. “We have to be able to pivot, and we have to be able to pivot today.”
Or there might be a sudden and major incident. “A CISO must be able to talk at all levels – like from 40,000 feet and 20,000 feet, and sometimes right down to the ones and zeros – while keeping your hat on straight,” he said. “The agility to interact with all levels of that stack simultaneously is imperative to being successful.”
There’s a related attribute: the ability to understand the business. “Security used to have a technical relationship to the business,” he said. “Discussions mostly came down to ‘yes’ and ‘no’ – mostly ‘no’. That doesn’t work anymore. The CISO must be able to sit down with business in a consultative manner, and say, ‘I understand where you’re trying to go – let me explain the best way to get there.’ ‘No’ must become ‘Yes, but like this’.”
Asked outright whether the CISO needs to be a businessman or a techie, he replied, “I don’t understand the question. I don’t know how a CISO can do his job if he doesn’t understand technology, and I don’t know how he can do his job if he doesn’t understand the business. An understanding of both is part and parcel of being a CISO.”
Leach has a slightly different emphasis. “It’s more important to be a businessman,” he said. “I’ve been saying this for 20 years. If you think about being a CISO, it’s like being a general in a big battle. You’ve only got a certain number of troops and a certain amount of resources. How can that work if you don’t know where it is most important to deploy them?”
He gave the example of a Fortune 50 company. He asked the CIO what the company’s crown jewels were that needed to be protected. The answer wasn’t this data, or that server, or some intellectual property – it was the customers. The CEO gave exactly the same answer. “But if I went to Coca Cola and I asked the same question, I might be told their recipe or something like that. All businesses are unique. But if I don’t understand what each business is trying to achieve – what it’s best at – then I don’t know how I do my job. And most CISOs forget to ask the question.”
Conran adds two other attributes that will benefit the modern CISO. The first is a thick skin. “I cannot make a decision,” he said, “that does not upset a portion of my workforce. Whatever I do, I’m either turning something on or turning something off. Whichever it is, it will mean change, and people simply aren’t wired for change – but you’ve just got to keep your mind focused on the goal.”
The second attribute is a desire to learn. “I read for hours in the morning and hours at night – technical whitepapers, industry trends and developing themes. If you move to a new platform or different piece of technology, you must make the time to thoroughly understand it. Security is like a journey where you’ll never reach the destination. The good news is that you’re never going to finish learning about your job. The bad news is that you’re never going to finish learning about your job. You just have to keep up.”
With an understanding of what it takes to be a top CISO, it is worth asking where the future threats are likely to originate. Conran breaks it into tactical threats (immediate term), and strategic threats (longer term).
“The tactical answer is ransomware and commodity malware. Ransomware is happening across the globe. It’s destructive and a huge problem, threatening trust in the internet. Security builds confidence in the internet. If people were to lose their confidence and no longer trust their bank or online retail shops, then rebuilding trust is something we’re going to have to work on.”
For the longer term, he has a different concern. “If you look into the future, but not so far out, I think Quantum is going to be massive for this sector – and for the Internet. None of our encryption algorithms will work once we have Quantum. None of our security products will work once we have Quantum. And, whoever finally gets there first is going to throw this industry up in the air. We’ll have to work through that pretty quickly to ensure we maintain the integrity of our data and transactions.”
Summing up, he said, “Tactically, it’s going to be ransomware and commodity malware that’s the problem. More strategically but within the foreseeable future, I think quantum computing is going to be very disruptive to the existing security products and standards that we have today.”
Leach is as much concerned about security’s response to threats as to the precise type of threat faced. “I think the biggest problem is that innovation from the attackers is accelerating, and we are not. We cannot continue to do what we are doing – we have a cycle of a 3- to 5-year plan and strategy. If we don’t shorten this, if we don’t go faster, we are in danger of becoming obsolete as individuals. That’s not the role of CISO, but the existing crop of CISOs.”
But there is another problem that stems from within, especially in the technology sector. “There’s an overwhelming number of security product vendors out there. Our constant chasing after the latest shiny object really distracts us from just getting the job done. It’s a difficult issue because we all quite rightly look for new emerging technologies, but there are so many of them. I cannot operate a bunch of single-purpose solutions in my organization – I don’t have enough people, I don’t have enough budget, and I don’t have enough time. We need to start looking at the interconnectivity of devices, vendors, and what I really think of as a fabric. We need a better integrated security fabric.”
It’s a question of communication between devices. “Take the SIEM,” he said, “which was supposed to solve so many problems. You add a new process, or whatever, and suddenly, you’re re-baselining all over again. So, my SIEM, which was bought to be a problem solver, becomes a millstone around my neck.” The problem, he suggests, is that the vendors are not working together.
His third concern is that security needs to become more resilient. By this he means more than just recovery – for Leach, resiliency involves the anticipation of problems so that they can be avoided or better recovered from. “Resiliency is more than just recovery,” he said. “When we talk about resiliency, people often think it’s just recovery from backups. But no. We need to anticipate failures. The attacks are becoming better, stronger and more specific. We need to be in a position to anticipate and prepare for what the next attacks are going to be like.”
Between them, Intel’s Brent Conran and Cisco’s Chris Leach have painted a picture of the major threats to expect over the next few years, and best practices on how to handle them.