
There we go. All right, welcome everyone. I'm, uh, very grateful you're here. Um, today I want to talk about, uh, seven habits, the seven habits of highly effective chief information security officers. Um, this is a topic that is, uh, special to me. Um, it's born out of firsthand observation of a lot of CISOs out there. And for starters, I use the term CISO, uh, in this literal sense, uh, but also, um, as, you know, sort of a placeholder for individuals who have the highest job title, uh, that involves respon..., overall responsibility for protecting the assets of your organization. So, so by that definition, just to sort of level set with, with everyone in attendance here, how many
CISOs are there? Two, three. Thank you. How many former CISOs, recovering CISOs too? Thank you. How many aspiring CISOs? Actually the minority. Oh, thank you. So, so fantastic, we have a pretty, sort of, even, even, uh, room. And so for the, the former and current CISOs, please, you know, hope be honest, I, I would to you to nod or disagree and, uh, have a conversation. And for those of us in the aspirational column, uh, this is going to be my contribution of what it takes for us to be effective. So I'll start off by doing some level setting and, uh, and then, you know, we'll go from there. So why should you listen to me, right? Um, first of all, because
you're here, uh, let's face it, um, um, and you might as well. But more importantly because, you know, in my 11 years working in information security, I have got to shadow quite a number of CISOs. So essentially, as a consultant, uh, you know, our engagements involved going into an organization and, at the CISO's behest, you know, sort of helping them set up a governance program or interacting with a cross-section of the organization. And so you get a pretty good sense, or at least I have gotten a pretty good sense in many organizations, of how they function, how it is, is, um, perceived within, sorry, how the CISO's group is perceived in it and how the rest of the organization
perceives the CISO, the CISO and his group. And so, so that has sort of provided me with, with this nomenclature, um, that I'm going to introduce here, and at least an observation, and that is I've observed what I refer to as the scapegoats. Um, that's one mode of operation of CISOs, and the other mode of operation I, I term performers. So let me illustrate, um, the scapegoats. But before, before going to that illustration, let me use one last analogy just to sort of, you know, bring this, make, take this home. So I liken, um, sort of my experience as being involved, having the opportunity to participate inot in a disident on the pregame, you know,
motivation speeches of a lot of coaches, right? So if anyone's a professional sports enthusiast, um, before you go into the arena the coach gives the team a ra, you know, a b CME. So I've gotten the opportunity to listen to many of these, and so this is where I'm, this is what I'm drawing from, and this is from where I've made the observation about the scapegoats and, and the performers. So I am, I have been known to shadow, AKA stalk, a bunch of these performers, um, on LinkedIn, on Twitter. I get, um, every saw few messages from people saying, hey, I just wanted to check my profile, and, uh, so I, I have, I have a very intense
fascination in reconstructing what it takes to be sort of effective in your role and, and why. So back to illustrating the scapegoats. Essentially they, their mode of operation is born out of that deeply held sense that it's not a matter of if, it's a matter of when the breach is going to happen, right? So we have this meme that's very common in our community, right? And that's the mode of operation of the scapegoat mentality. It's, they, they, they behave, and their, sort of, their outlook is reconciling against that moment, that moment of breach: how am I going to look, how is my team going to... The performers, on the other hand, they, they lean forward. So they acknowledge, um,
that moment, but it's always incidental. Uh, they see themselves as, you know, being present to provide protective assurance for the organization to do what it needs to do. So if the organization wants to go left, they say, okay, in order to go left, you know, this is what you need, you need A, B and C. And, and that, that, that's, these aren't fixed labels, they're more sort of preferences, kind of like personality types. Um, I've seen the same CISO operate from both hes at different points in time. So what's the inspiration? Why is this important, right? The last week talked about the importance of the why. This is my why. So the inspiration from this, for this talk, for me, was my mother.
So my mother is a pediatrician. Uh, she walks in, she works in public health, and in early 204, um, she, she and her team from the Ministry of Public Health, they came upon a very stark statistic. So 45% of children in Bayo, which is a city, about, a village quite frankly, about 50 km from the capital city of Cameroon, 45% of the children under five were died. Now, now think about that for a second. So as a result of this, uh, the chief, the local chief, thought it was witchcraft. So he put out an AP you go for witch doctors, you know, within neighboring villages, and, you know, the C of, you know, witch doctors
coming to reinforce kept increasing. And my mom and her team, they went in there, you know, to sort of try to figure it out. Now at first the chief was hesitant to give them permission, because he was like, whoa, I'm not going to be responsible, you know, if, you know, the evil forces come after you. He, you know, he didn't want to be responsible for that. So it took some, some, you know, a lot of, uh, negotiation, but finally, um, you know, the chief gave them permission, you know, to, to and figure it out, to use their white magic, as you called it, reference to medicine. So they went in there and immediately they set out to
find out, to find out the children that weren't dying, the positive deviants: what were they doing differently, right? And so they found, you know, the children within that population group and they wanted to get very closely, they tried to figure out, you know, what they ate, what kind of families they came from and all that kind of stuff. And what they found out, two things that jumped out at them relatively quickly, and this is a condensed version of, of, you know, some, some quite a bit of time, but what jumped out at them were two things: A, those children on average had a smaller number of siblings, right, so they, they were smaller families, and B, those children
had a more balanced diet, they ate more, you know, varied types of foods. Now what's important to note here is that in this community, they're a subsistence community, so they, they do a lot of farming and they, they grow mainly a root called cassava. It's very versatile in a number of ways you can eat it, so you can make quite a bit of things with it. And so armed with this, sort of, with this crunch, this information, what they did was they identified, um, a group of mothers, which they hope, they term m in French, we can be transmigrated as mother of light, but these are, were like beacons, beacons within the community. So elderly, some of
the more elderly and more respected women, and they taught them on what constitutes a balanced diet. So they said, you know, bring in a little fish, bring in a little meat, and these are all things that were local, you know, to them, not, you know, things that they needed to we expense to get. And so they trained these women, and these women in turn organized danger eatings. So the women would decide, they would sort of rally around other groups of women and they would assign responsibility: okay, you bring fish, GRE me. So it wasn't burden, too burdensome on any one individual. And then they had, you know, they had daily feedings, and they weighed, you know, the group of children
beforehand, and after 10 weeks the results were dramatic. Um, I, I wish I had a chart to show you, but they kept data about it. And so what happened was two things: A, you know, these children, because they had, you know, focused eating, you know, someone feeding them as opposed to them fighting, fighting with their siblings around the same, they had more nourishment, and B, you know, they had more diversity of nourishment. And so at the time of, of, after 10 weeks, at the time of my mother and her team leaving, they quickly identified, you know, that the problem solved, right, malnutrition. And so it's funny, there's actually video footage of the chief, you know, rallying
the village, and the entire village, you know, thanking and honoring my mother and her team, um, and, and basically, you know, proclaiming the white man's magic is better than their version of magic. So what's the underlying theme here? The underlying theme here is positive deviance: who are the rock stars within our community and what are they doing right? And what I'm about to present is sort of my humble perspective on, on that matter. And if any of this sounds familiar, um, you know, it's because it is, right? People are actively doing that. So has anyone ever heard of the IT Process Institute? Yes? No? So I, I, I encourage you to check it out. Um, it is an organization
entirely devoted to understanding what, you know, those beacons of excellence are within our community, uh, within different IT organizations, and, and they do a lot of publications centered around, around, you know, what your observations are. So why is all of this important? Well, it's pretty important for the same reasons that leadership is important, right? So I have to be care..., I have to do attribution on this slide. This is from an outfit named CSC, uh, Consulting, and they, they came up with what I think is, you know, a really brilliant illustration of, you know, what leadership provides and the different types of outcome. So what you're looking at is a matrix, if you will, and it always starts with vision on
the left, and then the things that can flow as an offshoot of that vision. So you have skills, incentive structure, the resources and an action plan. Now when all of these things come to, you know, come into perfect alignment, you get change, you know, you actually get positive change. Now going down sort of through the middle there, um, well, diagonally, um, if there's no skill, if there's vision with no skill, then you get a situation where it can be confusing or, you know, just a lot of anxiety. When you get vision without any incentives, you get into, you know, sort of disbelief, people don't, people don't buy it. When you get vision, skills and incentives with no resources, there's
stagnation. Now is any of this resonating with, with anyone in your organizations, and, you know, the ways in which we waffle? So this is why it is important, this is why leadership matters, and this is why, sort of, I think it is imperative that as an organ..., as a, as a community rather, you know, we sort of discern between, we sort of come up with some, some way to sort of work the soft skills, what soft skills are important that people need to have and bring today. I mean, all of this assumes a certain underlying baseline of competence when it comes to skill set, right? These are about, you know, those, those more nuanced skills
that we need to have in order to effect change within our organization. So the next, uh, chart that we see is our people, process and technology, right? Again, when these come into alignment in perfect dream, you know, there's success, right? And who influences this, who influences this at the organization more than anyone? It's the CISO, right? The CISO is ultimately responsible for the alignment of people, process and technology. And, and so you look at the different permutations, um, where you have good technology and no process, and good process, sorry, without, you know, the right people, you know, receive poor adoption. Um, how many people can relate to that, right? Um, when you have good people, good technology and no
process, right, inconsistent operation. And, and my favorite is actually the, the last one, you know, where you don't have any and, you know, have defenses. But is this resonating, that, can anyone understand, is there a doubt in anyone's mind as to why this is important for us to come up with a nomenclature, if you will, for the skill sets that are required and the mindsets that are required to be an effective CISO? So any questions so far? Fantastic. So assume that we're all Bo, and so we're going to move forward. So in terms of CISO responsibilities, um, what we've seen, um, historically, there's sort of a shift from, an evolution if you will, from that technical CISO, the CISO
who's sort of, you know, the, the config, worries about systems and systems and configuration settings more so than anything else, to now sort of a more strategic role where, where the CISO gets invited, you know, with other executives to sort of contribute to what iic direction of the company, right? So the holy grail according to a, a CISO friend of mine, the holy grail according to him is, he'll know he'll, he, he have arrived the day when his threat intelligence information is on the same vein as the marketing intelligence of information. So in other words, he wants to get to that point where, you know, when the organization is considering, considering what lines of business to get into and
you're doing your strategic SWOT analysis, you know, your strengths, weaknesses, opportunities and threats, he wants them to look at the information that he provides on par with marketing intelligence. I think that's a very worthy aspiration, and I, I submit that, you know, to the rest of the community with this question, you know, about, about that for aspiration really. So from a CISO's desk, who are the people that matter, right, or who are the people that sort of consume the CISO's attention? Um, you know, this is a, a simple mind map that illustrates my observation of who those clusters of people are. You know, you have the attackers, you have the CISO's boss, they have the, their staff, and then you have
the business units, you know, the people, people over on the other side as they call them, and then the customers, these people who consume the stuff, you know, the product or the services that the organization, um, is producing. And then, you know, quite frankly, you know, the assessors, you know, internal and external. And, and in my observation, and I'm, you know, I'm looking at the ru T to those individuals who raised the hand earlier as a current and former CISOs, um, in my observation the more scap..., the CISOs that operate from the operation of scapegoat, they tended to spend a disproportionate amount of their time focused on attackers and assessors, and then those that were more
strategic in spending your time, those performers as I call them, tending to spend a lot more of your time on business units and customers. Does that resonate? Absolutely. Can you give a little more detail about what you're calling assessors? Right, the question. So these are internal auditors, these are QSAs, um, you know, people who, who basically come into the CISO's environment and tell them how good they're doing. Does that make sense? I'm sorry? AIG, there you go, the AIGs of the world. So with that, with this panoramic view out of the way, I'd like to go into, uh, what I observe to be the seven attributes of performers, or the seven attributes that sort of push people, um,
individuals, more towards the performer, um, part of the continuum than the scapegoat. And the first one is serious play. So this is sort of, um, this is from Jung, you know, the famous psychologist whose contribution to society was the notion that we all have archetypes, right, we all have different, uh, different parts of our self. And what's really important to note here is that the CISOs that are, that are performers, you know, that are for performance, they orient, they sort of integrate their inner child with the adult. So they, they sort of have a healthy dispat, they have, they sort of have passionate in a healthy way from your position, they have a healthy, a sort
of healthy distance away from the gravity of what your responsibility is. So I, I'll give you an illustration. So one of, uh, the CISOs that I, I, I, uh, sort of motivated just talk, he, he referred, he said to me once, he goes, Franklin, you know, I see myself as the bodyguard of, of a VIP. It's my responsibility to make sure that, you know, he stays alive, she stays alive, and inevitably I know that there's going to come a point where shots will be fired, and quite frankly I could die, or if I don't die, you know, my VIP will die, and I have to... And, and let's pause for a second and think about that statement,
right? I mean, that invites the full gravity of sort of having to save this person's life or die in the process. I mean, that's pretty W. Now a performer, on the other, you know, same circumstance, and his mindset, his or her mindset, is more of: look, my job is to protect this individual. I have no control whatsoever about when shots will be fired, so I'm not going to dwell on that. What I will do is essentially, you know, prepare myself the best way I can and have my, my, my, um, guard, my prot, my a, my VIP wear a protective vest, and, and then that enables them to do what they need to do, and, and so I don't have to be on edge all
the time. So it's sort of a, it's sort of a healthy sort of distance away from, you know, the gravity of what your role implies. So what's important to note here, before I move on, is notice the lack of ego, right? That's the p differentiator, is ego. So take out the ego and you get the now. How many, I mean, how many can relate, right, to the sort of prevalence of very ego-driven conversations within our community, right? That's re question un someone has a joke comment to that. All right, so the next skill, um, that differentiates performers from scapegoats is that of focus. Um, so performers are able to tackle on, take on one thing at a time, and, and focus here,
you know, is particularly important because we live in, you know, the era of big data, right? Um, we have Twitter, which show some people are like to be this, we have so many things that, you know, delou, you know, our attention, me, that grapple for our attention. And so it's almost like the ability to filter the, the noise from the signal is way more important than any other skill that we could have at this point in time. And, and the example I have here is, I was sitting in the, the CISO, delivering, you know, an end of assessment or an end of report, and while, while sitting in his office we kept getting interrupted, you know, every
five or so minutes with some new emergency, and each of them sounded pretty, you know, pretty important to me. If I were him, I would have definitely said, okay, Franklin, hold on, I have to go address this. But he just sort of had this, you know, you know, attitude it was going to be okay. And so at the end of the briefing, you know, I said, help me understand, like, you think those, those things are pretty important, and he pulled out a do-not-do list. So how many people maintain a do-not-do list? I see to other. I mean, this is how sort of militant he was about protecting his time and his focus, and the point of
it was he pre-committed about not doing certain things during certain periods of time. In other words, he ran his organization, and this is his words, in periods of sprints and then jogs. So the sprints are, you know, to get things done, you know, the sort of either augmenting the maturity level of a process or being strategically focused and introducing a whole new direction and a new series of initiatives that need, you know, sort of to be put into processes of technology. So that, those were the sprint periods. The jogs were sort of, you know, the more P, keep the lights on kind of. And during periods of sprint he had literally a laser-like focus. I mean, nothing was
going to sort of detract his, his, his attention. Now two things came, you know, came to mind as I, as I, you, sort of observed that situation. One was the fact that his teams became a lot more resourceful, um, because they knew they couldn't counter, you know, which was, I mean, I think this was absolutely amazing, is, okay, we can't count on the CISO to attention, so we got, we're going to have to look for a way to figure it out. And then the second thing that came to mind, you know, quite frankly, well, came to mind much later in conversation with rendy, my mentor, was a line from Vengeance, and Samuel L. Jackson has a very famous line in there where he
goes, until such a time, you know, that the world is coming to an end, we shall move as if it intends to continue spinning, right? I'm trying to paraphrase it, but the point here, here is, you know, let's go back to, to the story of the kids from Bay, right? People aren't dying, people aren't dying. It's, let's maintain perspective and let's keep focus on what's really important so we can accomplish the mission of the organization. Can you give maybe some Al, some examples of that to-do list, to- list? You focused on, you know, the grand mission of the to-do list, um, staying focused I should say, but what else did you see on it? Excellent. So the question was,
for those in the back of the room, the question was what are some of the things that want not to do this that CISO that I mentioned to patch it, right? Um, and this is, I'm glad you asked that question, because I, I sort of have this repertoire, this list of questions that I ask a lot of CISOs that I, I get an opportunity to interact with, and one of the questions out there is: what takes up your time that you wish did not, right? Like, what are some of the time drains for you? And patching is huge, this resource this, and funny enough, internal audit interactions. Internal audit was, was all we had, basically a blocked amount of time he
wasn't going... Thank... So you mean these are things that he would not do during sprints? Correct, these are things that he would not do during me. Absolutely. Thank you much. So the next trait is that of rattling cages, right? And, um, essentially this is about ginning up, you know, spirit of debate. This is about, you know, introducing just the right amount of controversy so that people don't go through the motions. So in our community we have a lot of, you know, standard conversations. It's very interesting when you read articles from 5, 10 years ago and you see that they, they're equally applicable, um, some of it because the issues are still salient, um, but a lot of
it, quite frankly, because, you know, I attribute it to intellectual laziness. Um, you know, we just don't push ourselves into sort of grounding it more, making things more, more, more, more relevant to the, to the current time. And so this CISO that I, inspired this, this, um, this, this bullet point or this trait, I have never met anyone the ability to sort of bring emotion out of anyone, and this guy. So he has, he has what I call cage-rattling questions that he uses as devices to make people think. And I'll give you an example. So one of them was, he asked his team, he said, if, um, the company hired a screenwriter from Hollywood and they were about to do a movie
about our team, what role shall we be assigned, right? I mean, and that's sort of like from left field, it inspires a whole new way of thinking about the department and the role that he want to be. Another question he asked was, you know, if your mother were to be designed, you know, this system or some particular process, what would she do? And the point here, you know, because the, the, the emotion can kind of get out of hand, but the point here is emotional content, not anger, right? So you don't want to get people angry and detract from the position of what you take, the, the, the intent. What you want to do is gin up just the right amount of, of
sort of emotional fervor that people can stay away from sort of like the, you know, the patterns, the patterns of thinking and the patterns of conversation, and, and actually have meaningful di, especially when it comes to interacting with business units, because they try to have as little to do, to do with as possible, as, as a CISO. They, they sort of perceive the IT security group as, you know, we, we have to deal with, just tell us what to do when your do it kind of thing. Um, and so bringing it home to them, make it relevant and make it, it resonant, um, um, an effective device is R, you know, the cage R. And, and, you know, just to
pause it for a second and, and sort of bring this all back, to bring us all back in, we're going in. So these are all mindsets, right? These are, these are, you know, sort of devices that are applicable, different tactics with different variables within your specific environments. So there are tactics that go along with this, but as, as I, as you listen to this, I want you to sort of switch the variables to your environment and figure out what set of tactics work. But it's more important to retain the sort of, the mindset behind the, the traits. Does that make sense? All right, the next trait is empathy. Um, this is, you know, quite be one
of the most prevalent, quite, in a lot of ways, um, the most important one next to, um, the one about synthesize, having a health expression in your job, in your job TI. And this is important for a couple of reasons, the biggest one being, you know, as you ascend up the corporate ladder, um, if you're not careful, um, you sort of get a, you sort of become, you know, have an un..., unrealistic impression of what really happens where the level needs to go. People tell you what they think you want to hear, and if you're not, if you don't deliberately, you know, try and, and sort of follow the division, knowing what's happening at the
point, you know, at the point where the rubber meets the road, you can quite, you can lose, lose a lot of. And so a lot of times the CISO's job is about managing expectations with, with that, you know, panoramic view of stakeholders, right? And you can't manage expectations effectively if you don't of keep a pulse on what's going on within these different communities, right? So for any of the CISOs or that, that raised their hand initially, um, I imagine you came up from... So sir, what, what, uh, track did you come up through? Network engineering. Rank the network engineering. So as a CISO, um, do you think it's important, or to what extent, um, do you, do you think it's
important to sort of go back to meet the network engineering teams and get a real sense of what's happening? You're welcome to contribute. So, so he's, he's shaking his, nodding and saying all. Anyone else care to contribute, like what kind of stories they have about making sure that they, they stay grounded? You, t-shirt, yes sir, please. Thank you. At my company, uh, instead of traditional KN, we have a sort of group of people, three different shifts, 24 hours. Uh, they're sort of on permanently, they're all in one room, so they're all working on problems all the time. So I spend time in there sometimes, sort of get a sense what they're dealing with, how they're dealing with, and I find it
very helpful. It kind of, it often shows that what I thought was going on is totally wrong. Right, and, and this is, I really appreciate that, because this is precisely, um, what I was hoping to, to get out, you know, in this point, is because, especially as an assessor, right, and I go into an organization as an outsider and I go talk to the people at the points of acceptance of credit card data, and the things that they tell me are going on are quite frankly, you know, completely different from what, you know, the CISO or the director of the pro told me was going to. I mean, it's, it's almost like, are you even
in the same company? But, but a lot of times, you know, we've come to expect that, and it's, I don't mean that in a condescending way, it's just people have different sensibilities. And so it drives home the importance of, you know, seeking grounding influences, because as a CISO, um, you really have to make sure you can manage expectations of... The next trait is one of the two big, measurements, so keeping score, right? So, um, this, I mean, that there's a lot of documentation out there, this publications, which I'm not going to volume by reverting about, you know, how a metrics program should work. You know, there's a very famous book, you know, how many people have heard of or read Andrew
Jaquith, you know? Yeah. So, so there's lots of really good guidance out there about, about metrics. So how I want to sort of incrementally, um, you know, submit something to, to your consideration is this story about a CISO who does her best to mimic Wall Street. So the way Wall Street reports are, are done, she does her best to report her security program that way. So in addition to, to sort of doing out information about how they did this quarter, she basically relays that back to how they did, you know, in a similar period last year. And this, I mean, she got so much resonance, so much traction from my executive Le in that way, because she's sort of speaking
their language, right? This is how they, this is how they communicate, they say how, and, and she gives, you know, factors that attribute to what different, what disparity, you know, exists between the now and the same period last year. So what I, what I'd just like to submit here is that it's not so much important what the measures are as what the trend lines indicate and what the story is for, for those trends. So the next one, uh, that I've seen that really separates the performers from, from the scapegoats is, uh, you know what, it's about the Medici effect, right? How many, how many people have heard of the Medici effect, when read the book The
Medici Effect? So, so this is about basically combining different disciplines to come up with a whole that is greater than the sum of its parts, right? So, I mean, you see a nerding, uh, gentleman holding in a drag. Yeah, it's awkward. I mean, it's very awkward to get, you know, the infosec team to go spend time with the marketing people. Um, it's, which is which, right? Um, and there's a meme that's an hashtag, because there's actually a meme, um, within our community for awards, right? So the point is, let's embrace that as a community, let's embrace sort of that diversity of, of, of discipline. So, and the goal here is to burst out of our
patterns. So I have here, um, a Creative Whack Pack, and this is something that quite frankly I learned from this specific CISO, and I encourage anyone to, to, to reach out and get some. And essentially it allows for creative thinking, and creativity and innovation, to use that term, is born out of creating new associations, and that's exactly what these cards do. So for anything you're thinking about, and this is quite literally what she does, she whips out a bunch of these at random and then reads them and then tries to apply them to their situation. So I just did the same thing, and the first one says: do the unexpected, right? So, so that provokes a
moment of thought: what would be unexpected about this new strategy or this new product or this new process that we're trying, what will be unexpected? And what's actionable by Frank unexpected is, if people are surprised, you know, be positive of course, then they're more engaged. So that, that could inform sort of, you know, that, that notion. Um, there's one about ask what if, um, there's one about simplify, you know, how could we simplify this word? You know, and, and essentially what, you know, what I'm hoping to accomplish by this, by talking about this trait, is highlighting how, if you tackle things, we all have thinking patterns, we all have action patterns, and if you expand that a
little further, our organizations have thinking patterns and organization have, organizations have patterns of action. Um, they're not evident a lot of times, but they exist. And so how can you create just the right amount of entropy, um, just the right amount of, um, dissonance, so that Cal combustions can happen? And, and so one of the things that I really invite this community to do, um, and I will be doing the same kind homeo, is to, for us to spend some time and think about people from different disciplines that we can invite. So for example, next year BSides, what if we had a track, right, that was devoted to, you know, epidemiologists, or, or just a wide open
track, you know, where we invited an epidemiologist, a clown and, say, you know, um, a pilot, right? What could we learn from those disciplines? And I encourage everyone to sort of spend some time and think about that for, for woman, you know, and, and in fact I dare say the dream of M first us to just have these different disciplines that interact with, and so of see what emerges, and, and my solution is only when things will happen. And then the next trait is that of sharing, right? Um, so all these different works, um, are not important unless, you know, they're communicated, and communication and sharing is one of the most ignored pieces of advice, um, but
it's still, it's nonetheless incredibly important. And the goal here is to, you know, on that matrix of stakeholders, you know, your, well, my M doctor, sometimes you want to share what's happening, you want to, you know, provide s..., situational awareness, you want to bring it home to them, you want to sort of have these moments where people at any given point in time understand what the organization is doing and how your role and theirs sort of intersect. So I have a, a CISO who inspires this, and actually out of here in Las Vegas, and literally this gentleman could brief the janitor with the janitor walking, or if he, he ran by the janitor, and, and he would talk about
things like SCADA you know talk about the industrial controls and how relevant it is for how important it is for the janitor to save part the room where the controllers are because you know that they can turn off the light or I mean he he he literally has a message you know you know for anyone and everyone and the effect of that from observation is that people would hear a story on the news and they immediately reach out to like oh yeah I saw a story and it was about this you know company that this situation where they got breached and it sort of brought it back home and he was is in many ways like can moveing build
more for the importance of protecting the company's assets so this is about sharing right and we all know that uh sharing is caring right so um with that I really want to thank you all for listening I'm watching inting and everyone's attention is still up here because that's that's what is led up to this moment right so what I'm trying to do is share share what I've learned and I really look to you you know feedback on this current fory so you know does that resonate um aspired you know is this something are these things that we should devote time to work on ands and and you know that's that's that's the story as far as sharing is concerned so
with that I will uh open up to questions and comments yes sir the one habit that you didn't get into that I have found to be a key is listen active listening um all too often we come into a situation where we we have the answers uh we know how to secure this we know how to secure that we know what the risks are blah blah blah and because we come in with a prean solution um we don't see how it's complet appropriate in situation because we haven't taken the time to person to understand to put ourselves in the shoes of the other individual absolutely so Point well accepted right so how how are we sort of
incorporate this into into the talk but your I mean your point is well received right you know and I think it so did everyone hear the gentleman's comment about the importance of listening as a CISO so how I would sort of incorporate that or implicit in the point about empathy you know is this but you're absolutely right it deserves emphasis all its own because that is there's a there so I appreciate that any any others yes sir Franklin um we talked about empathizing and I agree completely and but I find one area having come into the CISO role from a technical background I can't I find it very hard to empathize with folks in the
roles that I previously held um I have a great example we're making a firewall PR change one of the institutions and the current firewall engineer was telling me how long this was going to take and it was going to take weeks of prep time and and I it was and and you're in that situation and this is a 20-minute job and just you want to push him out of the chair and just say move let me do it right any advice so um I don't know that it qualifies as advice but I do have a comment right so and um I'll just give it to you straight so the comment was did everyone hear the comment okay so
what I what I do have to say about that is is the following so I've read there's um I forget the elegant way to phrase it but here's the concept the concept is we often evaluate people in roles that weally have by the time when we were at our best in that world and we're sort of looking at them now and we're thinking why does it take you five minutes why does it take you 2 days to do what I could do in 20 minutes what is you know is is we often forget a lot of times is that before it took us to the point where we took 5 minutes to do that job we had the suck
period right and so and so what and nonetheless I mean that doesn't there was a such a thing as competence you know that that people need to have and there's such a thing as you know business needs to get done all I'm introducing is just that for consideration right um to what extent is there a sort of a both Fe that as a CISO you can nurture in your team right so I imagine I'm get the feedback from my world class Mentor over here about you know my suckiness during this the suckiness factor during this this talk right and and so if she were to evaluate me based on where she is now I mean that would be unfair but but if she
you know she puts that in and that's that's what I have to I any other comments or questions is there a name for that phenomenon I I forget there's a very elegant name i i Su period right I just blanked on it but the gentleman's name is wait no Ramit Sethi so r a m i t s e t h i and write to blog and one of the the seven old books that he wrote is um but if you if you look up this name the book is about how as IT professionals we should prevent ourselves from becoming sort of um so in the book he talks about 3 days automation Asia for outsourcing and last
AG Automation and and um consumer something about um basically our skills becoming more and more widely available commoditization I'm sorry commodation commoditization there you go that's the term the commoditization of our skills as things get automated as things get outsourced and and as you know more and more of our skill become demonetized what can we add and I will that that's you know that's something we to be thinking about and but that's the name that's the G this concept fortitude any any other questions really nice comment appreciate that any other comments jokes I'm sorry they're called Creative Whack Pack so and and another another um thing that I learned from from this daily that I use is a book called um lateral thinking
that maybe not be the name of the book but the author's name is Edward de Bono um so d e and then space b o n o so Edward de Bono he he I mean he waxes poetic about you know wearing different hats it's called six hats thinking and it's about a concept called L you know basically introducing entropy and he literally talks about you know wearing you know green hat looking looking at the same sort of circumstances you know from a creative perspective how can I you know make something out of nothing and then looking at it from the perspective that we and our team get to aware about which is what is wrong with this you know and
being up into that in terms of what's wrong and then looking at it in terms of what's right and invariably by doing that you sort of come up with this incredible incredibly comprehensive you know and and a lot of it also has to do with developing the capabilities so as I mentioned and it's very important to me become successful up here that you retain these are mindsets right so the capabilities that go away with these mindsets um don't have to all come from your team right um You can develop them you can develop them by you know interacting with the marketing folks for example or their accounting folks because they they specialize in a certain type of thinking according to
Edward I think it's the I but it's the more facts and figures you know they want to see concrete compar and then the marketers they're more green hats they want to you know they see black fields and they want to you know more so so and to sort of come back to your your question you know something the way you know someone is sort of know bullshitting you um the notion of how can you you know how can you look at it different from the perspective of you know what if you were put walk in that you that any any other questions or comments yes
sir so point I didn't hear you so I just want to repeat it to make sure the question is are is there any notion is there any do I have any comments about how a company can discern if they have a bad or good CISO that that's a way okay so um yes I do I have ideas so I talked about my repertoire of questions that I have um for CISOs that I'm fortunate to interact with one of the questions that I always ask them would you your bonus right and I've got a very wide range of answers one day I went to you know work with someone to sort of publish things because it's very interesting to me you
know how how you know CISOs perceive themselves you know compared to how you know rest of the organization perceives CISOs so to sort of come back to your question um how does an organization know if they have a good or a bad CISO so my submission or at least my contribution to that question be you know research right so research organizations exist like 451 like Gartner like Forrester they have incredibly comprehensive documentation about you know what types of CISOs makes sense for what types of organizations um what types of organizations makes where where it makes sense in the C to report to and so essentially I would answer your question as follows research
and then B um and this is sort of drives to the heart of what I hope emerges as a maturation of this process you know to what extent does your CISO EMB embody the perform TRS um and I imagine there's going to be some maturation that this will have to go through um to incorporate you increased emphasis for listening um but but to what extent does your CISO assuming a certain level of Competency right and Bing these dists and I hope that's yes sir I don't know uh if you still have time but U it interested me when you said you asked them you know what do you want your bonus to be based on um
I'm big driving behavior but at the same time as a CISO you're not producing Revenue You're The Bodyguard as a bodyguard I you just know by how many of your cin will get shot or how how would you want so the question is you know you want to know what they what these C have responded to to to the question about you know how would you you know what would you Bas your V on do you want to answer that or you actually yes if you are producing Revenue you're just not aware of it but you have tracking it take a look at how many of your customers have evaluated your security posture as an aspect of being willing to
do business with you that is how you cont track the added value that you're bringing to your business look at that as a percentage over time look at that as an absolute over time start tracking it if that value is decreasing you're not adding enough value to your business if that value is increasing you are adding increasing value to business as security becomes important to your customers um you you get security surveys from your customers track who those customers are uh track successful engagements with them track engagements that fall apart track customers that you lose understand why you lost them most security a part of why you lost them simple basic business metrics that you should be
collecting uh that are the most important metrics you can possibly collect because they inform on exactly that issue how effective are you being at meeting your customer needs and bringing value into the business thank you well said so one last comment there's an emerging subculture within our community right that uh I well I don't call them they call themselves The quants anyone ever paid attention to and they believe everything is a data problem um everything just means you don't if you don't know the answer to a problem just means you don't have the data yet and you need to find so with that I thank you again for your and your attention I'm very [Music]
[Applause] grateful what