CISO Confidential: What Separates The Best From The Rest

>> ANNOUNCER: Please welcome the Chief Executive Officer of Trellix, Bryan Palma.

>> BRYAN PALMA: Let's face it, we're in a different era. So much has changed in the past 30 years. We've gone from small audiences, nobody would listen to us. Nobody felt we were important. Nobody believed we mattered. And then all of a sudden, we reached a point where we are the most important figure, arguably, in an entire industry. They say things magically changed overnight, but it is not true. Hearts and minds shifted one era at a time, thanks to incredible dedication, stubborn persistence, a commitment to a craft, and a unique, if not heroic, ability to build a community. You might even say an army. I am talking, of course, about Taylor Swift.

Now, I don't know how many of you have kids, but while I may be the CEO of an amazing company, being a dad is without question the role I am most proud of. One of the greatest parts about being a dad is learning new things from your kids, developing an appreciation for the things they love. For years now, I have been listening to and developing an appreciation for Taylor's music, thanks to my daughter. Taylor really does deserve every ounce of the fame she's earned. She's incredible. So, not too long ago, I was in the car with my wife and daughter, heading to a hike out in Utah, when they decided to quiz me on Taylor's different eras. We had a blast. The long drive went by much faster. I held my own, put up a respectable number of right answers for a Swiftie dad, but it got the wheels spinning about what I wanted to say here at the RSA Conference. Because, if you think about it, a CISO is a role with its own eras.

Steve Katz, whom we recently lost, was a trailblazer, a mentor to many, and an all-around great guy. He will be missed. When Steve was hired by Citigroup in 1995, the role of CISO was very much in its debut era. Nobody had a clue who we were. Nobody cared. One, maybe two folks in your entire company knew your name. Your office was probably somewhere near the computers, and if you walked into the C-suite, people thought you were there to fix the printer. And I was one of those early CISOs, for PepsiCo, in the early 2000s. I felt that invisibility, but I also felt the pressure, albeit working with much less sophisticated tools compared to those we have today. Before I joined PepsiCo in the late 90s, I was a special agent with the Secret Service. I was on the job when the first email threats against the president started happening. And talk about less sophisticated tools. I was the guy who had to drive out to AOL headquarters to figure out the source of the threat. I remember sitting in the waiting room, thinking it was taking as long to get into the AOL building as it did to get online. Everybody remember that? But it really was the dawn of a new era, really the first era. The CISO role was born.

Then, around 2002, things changed. It was no longer the debut era. CISOs had demonstrated some value, but nobody knew what to do with us. It is like Taylor's Red era. Is she country, or is she pop? With cybersecurity, the questions were: who should the CISO report to? Where do we belong? Are we IT? Are we corporate security? Nobody really knew. This was also when we first started to see CISOs becoming risk-focused, because this was when the era of regulatory compliance really began. Think back to how dramatically things shifted when Sarbanes-Oxley was passed in 2002. All of a sudden, companies started talking about controls and compliance. SOX is a classic example of government regulation working. It pulled cybersecurity professionals out of irrelevance and into the spotlight. Not quite center stage, but definitely no longer invisible. Remember, this is on the heels of the ILOVEYOU virus and the Melissa virus. The world of cybersecurity shifted, and the CISO role morphed in response. And a lot continued to change during the mid-to-late 2000s. Attacks became more frequent. They became more complex. Nation-state actors started playing a more central role. And attacks became more expensive. All of which meant, if you were a CISO, your phone started to ring a lot.

And look, by the time Taylor reached her Reputation era, she was fully on the scene, no different than CISOs. And who better to kick off our reputation era than my good buddy, Kevin Mandia, who found himself on the cover of Fortune. And, Kevin, please connect me to whoever your photographer is. But in less than 20 years, we went from invisible IT guy to magazine covers. It is pretty impressive. Cybersecurity professionals are fully in the spotlight, for better or worse.

Which brings us to today. Look how much has changed. I am of the opinion, or heck, I really know for a fact, that a CISO is one of the most important roles within an organization. And I'm not just saying this because I tell people I was an invisible star way back in the debut era, but I like to think about Trellix as the official sponsor of the CISO. In anticipation of coming to the RSA Conference, I asked my team to conduct another edition of our research, The Mind of the CISO. We surveyed 500 CISOs and got some incredible data. 96% said they set strategy and have overall responsibility for their company's cybersecurity program. Frankly, there is a bit of an imbalance between the amount of responsibility and the amount of organizational authority. We know that CISOs generally have few direct reports, but routinely present to their company's board of directors. In other words, incredibly limited resources pitted against incredibly high visibility. You think about Taylor Swift. The Eras Tour led to a 20% uptick in concert sales and contributed $5.7 billion to the U.S. economy in 2023 alone. She is somebody who plays an outsized role in the music industry. But the same can be said about CISOs today. They have a disproportionate impact on their organization. They play a much bigger role.

And so I think what we are seeing now is a shift into a new era. It is why I believe this conference is a watershed moment in the history of cybersecurity. Because a new era is upon us. Taylor is moving into her new Tortured Poets Department era, and we get to name ours too. The team here at the RSA Conference nailed it with possibility. I think this is the era of possibility, and let me tell you why. More than 80% of the leaders we spoke with experienced an increase in the number of cyberattacks they faced in the past six months. I mean, how often have we been hearing this? It is staggering, and it keeps getting worse. You think to yourself, does it ever end? So we asked point blank, what would most improve your organization's capabilities to defend against this new wave of cyberattacks? It wasn't LLM models, algorithms, or machine learning. You might be surprised by the answer. The number one answer was industry peers sharing insight and best practice. I've been ringing this bell for a few years now. There is a need for a more collaborative approach to cybersecurity. I talked about it here at the RSA Conference in 2023 with the SecOps revolution. The year before, in 2022, I spoke about soulful work and the value of community and recruiting great people to join our effort on behalf of the good. I think we in the cybersecurity community need to do a better job of listening to what our customers are saying. Some of us seem obsessed with debating the merits of each other's platform, but we forget it would be better to operate as one open ecosystem, because that is what our customers repeatedly tell us they want, and that is what our customers need to be successful. This is the era of possibility because the work we all do will dramatically shift moving forward. So because of this shift, we are going to be the first to do what you ask, to share insight and best practices.

It is why I am so proud to introduce our CISO to CISO initiative, a crowd-sourced channel for collaborating with peers, fostering discussions, and sharing best practice. And to launch the initiative, I would like to bring out one of the vanguards of our profession, our CISO at Trellix, Harold Rivas, to chat about where things are headed. Harold?

>> HAROLD RIVAS: Thank you. Thanks, Bryan.

>> BRYAN PALMA: So, Harold, you are one of the best CISOs out there. I mean, you are in it every day. You live and breathe this stuff day in, day out. You are in the perfect position to talk about the future of the CISO role. What are you seeing out there?

>> HAROLD RIVAS: Well, our role continues to evolve. We are charged with managing a risk that is still ill-defined. And in this new era, we take on an even larger role as cyber titans. Let me explain. You see, NATO has recognized five domains of warfare: air, land, sea, space, and cyber. But in the last year or so, a sixth has emerged. And that sixth domain, which is considered to be the private sector, exists largely at the intersection of critical infrastructure and information, or, in other words, where cybersecurity professionals live.

>> BRYAN PALMA: A cyber titan. I love that. It's a fusion between being a titan of industry and a cybersecurity specialist. But if I hear you correctly, Harold, the private sector, especially cybersecurity professionals, will be playing an increasingly larger role in the future of global conflicts?

>> HAROLD RIVAS: That is correct. And that's why, when I'm asked what it is going to take to be the best CISO in the future, it's through this lens. Everyone in this room is a cyber titan.

>> BRYAN PALMA: Excellent. Can you tell me what it means to be a cyber titan?

>> HAROLD RIVAS: Well, I think about this in two parts. I think about the future in terms of landscape, and I think about the future in terms of archetypes. So, in other words, what does the battlefield of the future look like, and what are the skills you'll need to be successful?

>> BRYAN PALMA: All right, so let's talk about the battlefield. What do we need to think about?

>> HAROLD RIVAS: Well, nation-state actors need to be top of mind. We're going to see an increased use of cyber tactics, timed with kinetic warfare, like we've seen in the case of wiper malware targeting satellites and telecommunications infrastructure in Ukraine.

>> BRYAN PALMA: Interesting you mentioned satellites, because one domain starting to get a lot of attention is space. How important is the space domain today and in the future?

>> HAROLD RIVAS: That's definitely an increasing part of the future landscape. The idea that space assets will require protection. The attacks of the past will be nothing compared to what we will face in the next 10 years and beyond. For example, I think about the potential of a wiper malware attack against a Mars-based colony that could isolate humans far away in our solar system. Almost all organizations are reliant on space assets in some way. Most current research says that the attack surface isn't well protected, and CISOs have limited knowledge of the domain. But these are issues someone in this room will face one day. It's not sci-fi anymore. It's real.

>> BRYAN PALMA: Talking about sci-fi, Gen AI kept popping up all throughout our research, but you're going to hear so much about it across this conference, we're not going to pile on. But definitely check out a copy of our Mind of the CISO research to understand how cybersecurity leaders are tackling the emergence of Gen AI. But when it comes to Gen AI, the piece we're all forgetting is, if people are doing less work in the age of AI, it means the work they are doing is so much more important, Harold.

>> HAROLD RIVAS: To your point, and this gets to another key element of the future landscape, we can't forget about people. We have to make sure it's all hands on deck. The battle for talent is ongoing, and organizations need help to attract top talent. But I do think we're making good progress, and I think the future is bright.

>> BRYAN PALMA: There are some great initiatives, like CISO's 50% by 2030 and our Soulful Work campaign. The partnerships we have with the World Economic Forum, ASEI, Gotera, and the National Cybersecurity Alliance all aim to bring more diverse talent into the industry. There is no doubt we need everyone we can get. And more importantly, you can do what I truly believe is purposeful and mission-driven work. Our industry is not a cliche. You are making a difference in the world when you join us. So, Harold, talking about people, what skills do you think we need to focus on in order to be successful? What will separate the best CISOs from the rest?

>> HAROLD RIVAS: Well, when I think about the future, I think there are really three key skills that we need to keep in mind. The first is being an architect. Being an architect means deep domain knowledge, technology skills, and the ability to fuse business and technology priorities.

>> BRYAN PALMA: Okay, got it. What else?

>> HAROLD RIVAS: Second, you'll need to be an operator. Being an effective operator means a couple of things. First, you'll need to speak the language of your business. You'll need to understand business operations, the revenue sources, the industry norms. To be a skilled operator also means you need to know the lay of the land. That is to say, you need to know what's going on in the world. I read at least five publications every morning. I look at international affairs, global politics, conflicts, elections, anything that could rock the boat. I try to stay as informed as possible.

>> BRYAN PALMA: Okay, so architect is one, operator is second, what's third?

>> HAROLD RIVAS: Third and most important, if you want to be successful in this new era, you need to be a connector. Being a connector means being an independent, yet credible, member of the executive team. It means being an agent of change, somebody that is able to effectively communicate the story of risk and be able to use risk to your advantage. You have to be able to communicate outside the organization, often with regulators, policymakers, and customers, or on a huge stage like the RSA Conference. Lastly, I would recommend that we all crowdsource our defense and response strategy. For example, I have a dozen other CISOs on speed dial in case I ever have a problem. I strongly encourage everyone here to do the same. So let's build our community, and let's start sharing.

>> BRYAN PALMA: Absolutely, Harold. We know from our research that as threats become more complex, the need for collaboration goes up, and CISOs can't rely on their experience alone anymore. We all face firsts in this role. We can learn from our collective knowledge. Thanks for joining me, Harold, and thanks for everything you do for Trellix.

>> HAROLD RIVAS: It's been my pleasure, Bryan. Thank you. Take care.

>> BRYAN PALMA: Look, as CEO, I just hope other CEOs understand how important Harold's role is. I am thankful every day for the work his team does, and I tell executives all the time, the next time you're in a meeting with your CISO, just say, thank you. Because Harold's right. If we're heading into this new reality, we need CISOs to talk with other CISOs. We need more community in the world of cybersecurity. The bad guys are ahead of us on this one. There were always clear lines of demarcation between them. For years, hacktivists, criminal gangs, and nation-states stayed in their respective lanes. But those lanes recently became blurred. At Trellix, we call this phenomenon shadow syndicates. Sure, it may be a den of thieves, but these shadow syndicates have obvious economic incentives, and the bad guys have quickly morphed into a single mercenary force when it serves their interests. Why is it the case that the bad guys figured out community works to their advantage long before we did?

And I want to leave you with an image. If you watch the Eras Tour, which, after this talk, I'm sure everyone is going to do on the flight home, there is a moment where Taylor switches into her Evermore set and a forest grows out of the stage. Well, remember how I told you I was driving in the car with my family, listening to Taylor on the way to a hike out in Utah? We were on the way to Fishlake National Forest. If you ever go, you will find what is called the Trembling Giant, or sometimes Pando. Pando is Latin for "I spread." When you first see it, it looks like a forest of Quaking Aspen trees, beautiful shades of green and yellow and white. But in reality, those 47,000 trees are not individual trees. They are all part of one shared root system. Pando is, in fact, the world's largest single tree. We are one organism in cybersecurity, and we are heading into a new reality of being cyber titans. Taylor has her army, and so we need to build ours. But you have to remember how she did it. Taylor is a figure of outsized influence in her industry, and as we now know, so too are CISOs. But Taylor's success comes from her incredible ability to connect with the world around her. All of her fans say the same thing: Taylor says what I am thinking. To be a CISO of the future, to be the best, you have to be in the mind of the people you are protecting. You have to anticipate your adversary's attacks, and you have to be a cyber titan. Thank you, and let's enjoy the conference.
Info
Channel: RSA Conference
Views: 1,139
Keywords: rsa, rsaconference, rsac, information, security, cybersecurity, infosec
Id: ABGsvsePdEY
Length: 22min 13sec (1333 seconds)
Published: Tue May 07 2024