How the role of a CISO has changed | Cyber Work Podcast

Captions
Host: I want to turn from your specific roles and responsibilities to the more philosophical notion of the Chief Information Security Officer, the CISO. You came to us to discuss certain ways that the role and the perception of the CISO role have changed pretty recently. To put your words back at you: CISOs today are facing new challenges and increasing workloads consisting of more paperwork, time spent on risk assessments going from two hours to 30 hours per assessment, and growing privacy regulations. At the same time, CISOs are being held more accountable for the security actions or inactions taken by the business. The struggle is only going to get harder given the new mandates and requirements laid out in the Biden Administration cyber strategy. So let's start with the comparatively distant past: what was the CISO role like when you started, and how has it changed in the meantime as regards expectations and responsibilities?

Guest: Yeah, you know, the CISO role was kind of a unicorn when I started. If you ran into somebody who had that title, they were traditionally a Fortune 50, maybe in banking. Most of the rest of the security practitioners out there were managers or directors, part of the IT team, but you didn't see executives as much, and you really didn't see security being anything more than kind of like the utilities: we need to do it, we need to do just enough, but at the end of the day it wasn't really a business enabler. I think for a lot of us as we got into security, technical skills were also a must. No one was looking to hire a CISO or a director of security that couldn't also come in and do some work. Even in my role at Witness, which is one of the first startups I started at (it's now Verint), I was employee twenty-something, and along the way I started pitching the idea of "hey, we need a dedicated security role because some of our customers have this," and spent a lot of years in the CEO's office really advocating for at least a director-level role. That eventually happened, but even still, it was kind of like what a lot of folks are probably experiencing today, but for sure 10 years ago, where I still reported to the CIO. The CIO took care of all the contract stuff, all the other things, and I was much more just a part of his or her team. We didn't have visibility; the board didn't care what was going on with security. It was the same thing as facilities: does it work? Great.

I think today the role has evolved to the point where those technical skills are still important, depending on the size of the organization, and I think technical skills really means: can you hold the level below you, and maybe two levels below you, accountable? When you say "hey, I think we need to implement this" and they say "well, that's not possible," can I interpret that and go "I disagree," or "okay, let's talk about how to make it possible"? It's not about "I can't log into AWS and create an instance"; that's not my skill set, but I know enough to ask the questions and maybe be annoying and get to the root of the answer. So I think technical skills are important, but they're no longer going to get you into that role. The business skills and the soft skills are so critical to success, and I believe that's a lot of how I succeeded in my role: I had a background in public speaking and doing some other things, and so I was able to go in and at least have conversations where my motive was for the right reason and help the business understand. But today, folks are looking for educators. They're looking for: can you teach other teams what we need to do and why we need to do it? Can you translate a really hard requirement into something that every user in the company can understand, at a minimum when to ask questions? Communication. I think I say communication probably in every answer, because ultimately what we do interrupts business. We slow things down, we create more work for other teams. It's just part of the job, and it's a necessary part of our job, but we really have to communicate the why, especially with engineers: we need to do this. And then the partnership side of that. So I think soft skills are really, really critical.

Risk management has definitely increased. I've worked at a lot of orgs where we didn't do risk assessments, because we just fixed all the problems, because it felt like the right thing to do.

Host: Well, that was back in the days when there were eight or 16 solutions on that slide.

Guest: Right, yeah. You're not making number 17, and it has to be a whole book. And so now there's a plethora of controls and approaches, and G&A is still a big area that we have to control as far as what things cost and how we execute on them. So I also think agility and a real understanding of how to break a problem down is kind of a critical need nowadays. I know when I talk to our customers, when we talk about how they're solving their problems, there's no one-fit answer for everyone, but once you can align your solutions and align what your strategy is to how the business succeeds, you start getting a lot more people listening. And then I think ultimately, having the thick skin that most of us have, just to be able to share a message: maybe it didn't get heard, say it again in three months a different way, maybe a different way in six months. You may have to chip away, but the more you have those cases where you show that "hey, I had a good idea; yep, we chose to go another direction; let's figure out why," and sometimes that's on us too. And I think that, to me, is the education part: being able to say "I don't think I explained that the right way." I went into an executive's office and said "hey, this is a risk," and executives, that's their whole job; the CEO deals with risks every day. And so an unquantified "we're at risk" to him doesn't matter. "This matters because, and this is how this impacts our business." So that communication side is just such a critical component of success today.

Host: That's great. It's interesting, like you said, that when you started you were pretty much asked not to speak: if it's working, then we don't need to hear from you. And now it's sort of the opposite: you need to tell us, help us understand what to do next.

Guest: Well, there was plausible deniability for a while. Now that boards of directors are held accountable and CEOs are accountable, it is a little bit different, but that head-in-the-sand approach was very prevalent when I started.

Host: Have you seen Work Bytes, the new security awareness training series from Infosec? Our team produced this series with three E's in mind: making security awareness training entertaining, engaging and educational. Just go to infosecinstitute.com/free to learn more about this hilarious office comedy, and hey, let us know what you think about it.
Info
Channel: Infosec
Views: 1,128
Keywords: CISO, Infosec, Chief Information Security Officer, Immuta, Cybersecurity Job, Cybersecurity Career
Id: 2fbEDx7Uv34
Length: 7min 11sec (431 seconds)
Published: Tue Aug 01 2023