
good afternoon and welcome to our first virtual bsides conference this is actually our eighth annual conference but the first one we've done virtually we're excited to have you here and have a great series of speakers and panelists lined up for you let us know how we did by providing feedback to the link i will put in the chat for the cso track please note that all audio and visual privileges are not enabled during the talk we have to use the chat to ask questions and these will be addressed at the end of the talk if time permits will take requests to speak with a speaker using the raise hand feature we've had a schedule change and we'd
like to thank sally wright for being so flexible and moving up a position for sally brings with her vast experience from a variety of commercial and government organizations i was chatting with charlie sally before this about the different worlds and especially how large fulton county is and the competing and myriad of challenges she's facing sally is also very active in several boards she's a speaker moderator and panelist at conferences i don't know how she fits that in bsides would like to thank sally for sharing her time and experience with us today and especially for being a return speaker sally the floor is yours and once again thank you
okay share and then oh no don't do this to me can you see my slides not yet okay it was doing this before um how about now can you see my slides not yet how about now oh for three dang okay well
now not yet okay i'm not sure what to do the first time we practiced it didn't work and then we did it again and it worked hi um this is jolene from visa mix hi sally hi um are you clicking your share button in the tool bar here on the bottom part so yes so share so and then um you click on the um application okay and then whatever application that you have like powerpoint or can you see it no not yet okay well um so okay let me see let me see what we can do on the back end how about now nope no okay that that this can't be rocket science why can't i
make this work um so entire screen share this how about now yeah i think it's working now okay okay much closer thanks exactly good awesome thank you sorry okay um good afternoon my name is sally wright and today i'm going to share with you information about the evolving role of the cso and the security organization i'm very pleased to be here today i i was talking earlier with the folks about how i was there last year and how much i would really rather be there to see you in person sorry to interrupt but yes we see your browser but we can't see the presentation okay
hmm stop sharing okay so let's turn on screen sharing okay do the application window hit the powerpoint can you see it now no okay so what if we just do it without the powerpoint i'll just walk you through it how about that is that okay the slide deck will be available and we can make that available later on absolutely we can get the link i will post that in the chat for our attendees okay i will do that for you or i can email it to you right now if you'd prefer um
okay um i'm just gonna talk it'll be easier that way i'll send you this the slide deck though um the role of the cso is evolving so is the security organization i am really fortunate to spend a lot of time with csos from fortune 100s on a pretty regular basis i i sit in on on meetings that they have and i get to hear what they're saying and what they're thinking and what they're working on and what they're planning for the future uh also i i get to understand what they're thinking they're going to be doing with or are currently doing with their security teams 21 percent of csos today report to the ceo 51 percent report to the cio
and the others report somewhere else the ones that are reporting to the ceos have become the peer of the cio and when they became the peer of the cio it caused a lot of friction between the cio and the cso the cso you know it's really focusing more on the business of getting in new projects and new solutions implemented where the cso is really focused on risk management and security posture the statistic says that if you have a cio with a cso reporting to them they they they suffer 14 percent more downtime than um if if they're reporting somewhere else if you have the cso reporting to the ceo the statistics are that they reduce
financial loss by 46 percent now as was said earlier in in in the last presentation the cso doesn't own the risk and the cso doesn't determine the risk appetite either that the company is willing to deal with that's done by the board and all the other c-suite members when csos are working like the guy before me said the cso job is a really super hard job and csos at least from the fortune 100 companies seem to feel like they're a more technical fit um that they're more technically savvy than cios and in some cases i would definitely agree with that because for some reason cios seem to be selected from anywhere in the company uh when you think about
80 83 of the company is managed by computer systems and solutions um it really is the business so they think that a business person might be better personally i came up through the it ranks and was a programmer before i became a cio and then i became a cso at some point built security organizations um and then i became a cio again but i think whether you're cio or cso you still have to know the business security is not a technology problem security is a business problem skills are changing for i.t people as well as csos and current in the current role i'm in i provide support to csos and cios across the nation and i had one uh cso who
was getting ready to present to the board and he showed me his board deck and i was like you can't present this this is terrible you cannot present this it was very detailed full of a lot of acronyms and um it's like you need to redo this it needs to be at the fifth grade level you need to be able to stand up and show them this and them not have any questions because when they start asking you questions you're in trouble um so it needs to be at the fifth grade level he changed his deck he went in he presented he got promoted so i was really proud of him but the see the cso skills they have new
responsibilities they're viewed as a business leader um they're the evangelist for the program of security and they are also the organization's risk leader it becomes very important for them to have the technical understanding of the applications and how from an enterprise level everything looks and be able to see the big picture but at the same time they have to understand how the systems operate the company and and what the major risks are some of the new skills that are needed by cso first the communication skills those soft skills are absolutely imperative being able to say uh before the board or before the c-suite i'm going to talk to you about three things today first we're going to talk
about this second we're going to talk about this and third we're going to talk about this and then talk about those three things and then wrap it up with today i shared with you this and it's going to impact us this way and it's going to save this kind of money and so forth so those communication skills and those soft skills are incredibly important and if you feel if you want to be a cso or you are a cso if you really want to grow and you want to be promoted up the ladder hone in on those communication skills your business acumen is extraordinarily important too you need to know and i always have felt
this that you need to know the business you work in and i've made decisions about where to go to work based on what kind of organization it was at one point in my career i had two offers to be cio and vp for the world's largest conglomeration of nursing homes or to be the vp and cio for the world's largest importer and distributor of fresh cut flowers well i have to tell you i don't want to know anything about nursing homes i think that's depressing but flowers okay so i'm sure you could guess i chose the floral industry i think the other new skills you need are the cyber risk management skills and understanding how bad the risks
really are i know when we got hit with solarwinds recently uh it introduced a whole new eloquent way of really hacking and damaging systems by affecting our supply chain into technology it's even if you didn't get hit with it most companies had to respond to it and i know most of the csos that i work with and that i talked to say they spend a lot of time filling out surveys of did they do this did they do that did they do this i think that's an area of opportunity to really fine tune and come up with better ways to manage you really have to have relationship management skills too you have to start you can't
really be the heads down person uh tweaking the system and looking at logs that can't be you you've got to get out there and make sure that you're building a related relationship such that the security considerations are on the front end of decision making for solution procurement for outsourcing in sourcing and so forth and then you really need clarity of thought under pressure so you you know a lot of people operate better when they're in crisis mode so if you can be if you have that ability you're going to do really well the the gentleman before me when he spoke he talked about how the cso is who gets fired not the cio i've seen it where both of them get
fired and sometimes he made a point earlier about how you won't know about your risk because somebody in i.t has stood up something well it could be somebody stood up something that's in a shadow i.t organization or it could be that dangerous most dangerous person who can't spell i.t but once worked in the help desk answering the phone and now they think they're an expert and so they just stand things up and just don't even take into consideration the security needs and then you also need to have some hands-on knowledge of security technologies if you aren't technical at all it's going to be difficult for you to understand that so i would say for me if i was hiring a
cso i would be looking for someone who did in fact have the security technologies background um i think people management is really important too because these are real high stress jobs that work for csos and then one thing that's incredibly important as a new skill is your executive presence and if you have in mind that you want to be a cso you should consider getting an executive coach that can help you with executive presence for men there are just a few key things like don't have a nervous laugh if you have a nervous laugh stop it um i've worked with one guy who was incredibly brilliant but when he would work with uh work with someone and talk to them he
would say something and then he would laugh and that laughter just took away the credibility of what he was trying to uh articulate and then executive presence also has to do with your personal branding how you look if you want to move up the chain you have to dress just a little bit better than everybody else men are judged on the quality of their shoes women are judged on everything they wear men are very lucky in that they can wear the same suit five days a week with a different shirt nobody notices but a woman has to have two full weeks of clothes that are high quality um but anyway executive presence is very
important and cyber security is all about business outcomes so experience and understanding the business concepts and processes are the key areas that are suited to move to the responsibility of the cso are governance risk and compliance security architecture and engineering and physical security in my time as a cso i had to become a compliance guru and was the hipaa security officer which meant i probably think i was the only one in the companies that i was at where i actually read the entire uh regulation so boring if you can't sleep at night get that and read it and you will go right to sleep and then physical security uh it's there's a convergence right now a lot of
the csos that i talk to are being asked to take on physical security as well as cyber security and they're no longer called cso they hire one and they become the chief security officer and they um report directly to the board uh these are usually the really large companies and and one of the concerns though with with that convergence is that those two areas cyber and physical security have different personality types um you know typically someone in physical security is got like a law enforcement background or maybe a military background whereas the cyber security folks usually do not so if you remember the hack when target got hit a long time ago and the hackers came in through the building
system and then just wreaked pure havoc on target that's an indication where you really have to think about physical security and cyber the board of directors and should the cio and the cso both have seats on their company's board i think so but i also think that every board needs somebody with security as their strong suit to be on the board and once again you know presenting to the board it's a key skill and and in that case soft skills are way more important than technical skills being comfortable talking to a group of people now i worked in government and in government they um the board is is not necessarily a fun board to present to so
if you have an opportunity to not be in government i would highly recommend it um the the forward-facing cso is a holistic business-oriented and out-looking role they're making decisions that tie not just to technical controls and security processes but also into ethics independence consumer trust loyalty physical health safety and even national resilience and economic security you know our world shifted when we went into the pandemic and everybody's working from home recently i i was had the opportunity to feel it when my company laptop got hacked and it in fact went across my network and hacked my personal computer and when i contact the helpdesk they are really willing to help clean up the um their laptop because i don't have any
rights to it but my personal laptop i was on you know i had to clean it up myself i was kind of lazy because i'm so busy and i called around to get somebody to do it for me and they're like it'll be five days and i'm like i don't have five days for that so i ended up doing it myself but if you think about it now that the networks are people's home networks are part of what you're dealing with you have to think about what does that mean do you need to change your policies do you really want to be responsible for maybe somebody has their range and it's hooked to the to the internet and now somebody hack in
and go turn your your stove on and burn your house down or turn off your refrigerator or turn off your heating and air conditioning so you really have to think about what what all these changes mean the key attributes for a contemporary cso role i cannot tell you how much how important being a communicator is and being the voice of security that is understood by others so talking at a level of technology that's so low that anybody can understand what you're talking about you're the overseer that enforces and controls policy and that involves with business you have to be technically competent you have to be good at crisis management and and handing handling crisis you have to be good at
financial acumen and know-how and and how to show the value of the money that's being invested in security you have to be a good relationship builder you have to be able to guarantee trust in in the systems and also be risk oriented where you're engaging with the business over common metrics the modern connected cso um 75 percent of people say that the influence of the cso has improved over the past three years and 90 percent agree that the cso is involved in significant business innovation and decision changes a really good cso needs to keep a finger on the pulse of the technological changes the opportunities the risks helping guide an organization through rapid transformation and also most uh mostly you know the
continuous marketplace disruption so what will the team look like the security team and how is it evolving i know they've got really super cool titles anymore like if i was going to go back and be a little more technical i'd want to be a threat hunter i just think that's the coolest title um but what what are we going to really do we're going to have cyber security position shortage by next year of 1 million 800 000 so that poses how are we going to fill that gap you know they've always had or we've always had a shortage of good security people and security people you get them they don't stay very long they they get enticed away i know i went
through a series of being enticed to go to different universities to build their security organizations weren't even looking for a job and you ended up moving and helping another organization so will artificial intelligence be able to help us save save us from the cyber security talent shortage we have moved to managed services and it's a 56 billion dollar global market 34 percent think that ai defenses will reduce security staff workload but you know anytime you're putting in anything new you have to make sure that you're measuring the right things because if you measure the wrong things the outcomes are not what you want so that's going to be an area where most of the security team
going to need to really be trained in and and you should be learning as much as you can you know the study of artificial and artificial artificial intelligence i remember back in the 80s being told this is artificial intelligence and we have these big meetings at hewlett-packard and at ibm and they would show us artificial intelligence and it just keeps getting better and better and better but is it there yet and when will it be there um the availability of the skilled cyber security workers the best thing you can do is partner with a college or a university or a technical school and use those kids as interns and they don't have to be kids
they might just be new in in the cyber field and try to lure them to work for you and and you might not get to keep them for very long but what you do get to keep of them will be so good that you will really be able to increase your organization's security posture so every friday from noon until one i attend a cyber security session that's put on by georgia tech here in atlanta and sometimes it's the students presenting that are working on their phd phd dissertations sometimes it's faculty from other universities sometimes it's speakers from defcon the last one that i attended that was phenomenal was was done by a person or a professor who
specializes in in dark oh god my mind just went blank hang on a second deep fake i know ever since i had the virus uh vaccine my mind's a little squirrely but uh he specialized in deep fake and he was showing the algorithms of how they calculate whether it's really you or not very very interesting information if any of you end up wanting to sit in on any of those sessions it's free and it's open to the public but absolutely fantastic those are things you need to learn about to be really good at it so the recommendations for the security team for for the future is that you know you large large organizations are probably going to need to maintain
in-house cyber security teams a lot of the folks that i talk to today they are insourcing their managed services so there seems to be a trend of bringing it back in and as we are looking at cloud first or cloud as an offering where the majority of your systems are in the cloud and you think about how that's supposed to really make you more secure and initially it probably did but we've reached the point where you have to purchase so many security tools to manage what's in the cloud that now maybe maybe maybe they'll start to reverse and you'll go build data centers again everything is a cycle and that's that's uh possible also you need to have a security
strategic plan and you need to visit it on a regular basis you need to be thinking about what the security posture should be and what level of risk your organization is willing to to take and and that needs to be revisited on a pretty regular basis and as a the security teams some of the things that you're going to need to know more about are cloud misconfigurations a lot of the cost today is is driven by that gonna need to know more about synthetic media and how deep fake and related technologies really been used to augment social engineering i think disinformation will end up being a huge area of opportunity for us in the future you um
you know that it negatively impacts the the political system here in the united states you know that sally that lives in atlanta will get an article online that has the same title but different content than what goes to sally's sister sue in tulsa oklahoma because of my zip code it's going to say lean one way and what my sister is going to get will lean another way and consequently the division of the united states is underway i think we'll be called on to fix that if you have an opportunity to watch the social dilemma on netflix it's very eye-opening about what's going on with social media and i think we can look forward to that
kind of effort really starting to come into play in our systems that we manage and that we have to be looking for there were fourteen thousand six hundred and seventy eight deep deep fake videos online as of september to 2019 um a lot of money is being spent on that 96 percent of all the online deep fake videos are pornographic in nature which is not a surprise however 68 million dollars was spent by darpa on deep fake protection technology in 2018 i can only imagine how much higher it is now and then i think it's really interesting when you're watching deep fake in the algorithms and they show how easy it is to put somebody else's
head on somebody else's body and how you can really see that but when they're doing just the mouth so that the example that i i was looking at was obama and they had replaced his mouth so what was coming out of his mouth looked like it was him but it was not him so really going to be interesting to see how we grow in the future and then um cloud tools you're going to have to be in the security organization definitely a an expert with security cloud tools um 909 million records were exposed due to misconfigured cloud security in 2018 alone that's a long time ago so just imagine how much it is today and then the internet of things are
going to really usher in a new era of cyber physical threats so as we're thinking about what's going on and how it's impacting us um if the internet of things is controlling all of the stoplights in the uh in a smart city that's a good thing i would think however if the wrong person starts letting everybody through the exact same time the car crashes are going to really be interesting and if your car is communicating um through um a sensor to somewhere then somebody could turn your car off while you're driving down the highway i mean the the the the interesting things that are going to happen and that we'll have to take care of
as security professionals is just going to grow and grow and grow and grow so we can look forward to that and then the regulations are also causing lots and lots of issues for security folks and will continue to do so if you think that you are secure because you have met compliance regulatory and commercial compliance you probably need to think again but it can be where we're hampering the systems to the point that nobody can work so i think that's an area that we will continue to work on the gdpr and how it protects um privacy in other countries is something that i think we will end up with sooner than later the fact that you can
contact companies and tell them to get rid of your information is something that i think we would all like to see happen so basically what i shared with you today is how the cso job's going to change and how the team with the cso is going to change no longer be doing operational security things but you'll be working on risk and governance and being the evangelists of the challenges that we face today you have to think which ones will last into the future and which ones will only be part of the transition to the future and it was a pleasure talking to you today i will give you the slide deck the slide deck has the references
for all of the documents that are reviewed to prepare this information and i will also share with you the 2020 security trends 2025 security trends that the company that i work with just put out it's really really well done so with that um i'll hand it back sally thank you so much you always present just a wealth of information and it's it's kind of tough to know where to start but we got a couple of questions one of them is what was your journey to become a cso so um i was working for usa floral products in tampa and they went out of business and when they went out of business um i decided to move back to my home state
a single mother with small children and um i had sisters there who said they would help me so i went to work at oklahoma state university and the only opening that the cio had was for the cso and he said i'm gonna make you deputy because you're gonna succeed me as the cio but i've got this i need this practice built out so i built that out and um that's how i ended up in the security field and the first thing i did was go to sans training and back then they had a boot camp where all day long they flipped powerpoint slides and then at night you got to hack it was so great everybody brought laptops and
hacked each other loved it i fell in love with security so that's when your passion bloom for security then yes so there's a question of how different was your experience from the private sector versus government okay so the private sector when you need to do something you say we're going to need to do this we're going to do it by this date you guys that's what we're doing okay in the government sector you say perhaps you would consider and then you tell them what you need them to do so that it becomes their idea it's not your idea it's their idea and then they'll do it how fast was change between the private sector and the government sector how how
quickly could you get things done in either environment so in the private sector if i said i was going to do an i.t reorg of the entire i.t organization i could plan it in and implement it within maybe three months in the government sector you could plan it and you could implement it in a couple of years with them fighting all the way because they didn't want to do what you know what was no you know a lot of folks in uh government go in with the attitude that this is going to be a great gig i'm going to work here until it's time to retire and i'm done and when i first went to
work for that organization i did an analysis of service hours or service number of service years and training and the average length of service was 13 years and the last time they'd had training was 13 years so it's just different thank you great really great people though i mean it's just that's that's the more of the mindset that's the culture and the mindset thank you for your insight into that so i scribbled down a series of of you know tidbits of notes i'm just going to pick a couple out of it as the cso moves up and obviously becomes c-level you talked about executive presence and executive coaching branding people are mostly at a security
conference are here for the technical aspect we love the technology we have a passion for it so can you explain why why would we want an executive presence what's what's so big about these soft skills that's how you're going to be able to be promoted and get moved up if you want to be promoted if you're just a techno weenie and you want to do that then that's great but if you have any aspirations for moving up to uh management whether it's the cso or whether you want to be cio or you want to be ceo you have to have those skills and um if you go and look at your linkedin profile and you have some crazy picture on your
linkedin profile and but you really want to be on a board you want to be on a secure you know hold a security position on somebody's board and you want to do this because hey you're thinking you're going to retire and in fact i have a friend who's on four boards she makes 400 000 a year and she probably works two days a month okay so getting on a board is a really important thing well your executive presence has to be reflected in your linkedin profile so if you have a picture that is not professional and i'll use one of my friends as an example he was working for after he worked for me he was my teaching assistant
at the university of alabama in birmingham we taught cyber security classes and taught kids how to hack each other we had a great time but he went to work for the nsa when he left working for me and then he worked there and he kind of burned out and he decided he wanted to open his own firm he contacted me and said will you do references to me and i said or recommendations absolutely i will but you have to have a linkedin profile so he goes out and he gets a picture made and that girl must have been beautiful that was shooting the pictures because he came out with a picture that would be great for match.com
and so i went and looked and i said i am not referring anybody to you go get your picture made again get some really ugly dude to take your pictures so that you don't have the come-hither look i know that sounds silly but it's true another a deputy cio one of the organizations that i'm familiar with contacted me and said sally will you help me will you mentor me and i'm like you know that's kind of what i'm doing for a living and i know you have an 89 million dollar budget so you probably should just go through the company i'm working for and sign up for uh services and he says will you at least look at my linkedin
profile and so i'm like okay i will and i go look at it and he's like this i hope you could see my face because i mean now that's how it was lips pursed arms just a real tight negative looking pictures dude nobody's going to want to hire you if you look like that stop it so that is your presence on linkedin is incredibly important and when people are looking for new employees or when they're looking for board members or they're looking for somebody mentor students they're looking at linkedin they're not looking at your resume now that's not to say that your resume doesn't have to be beautiful too but they're looking at your linkedin and
it should adequately reflect who you are or who you want to be next there's a man locally called larry burkhalter and he's called mr linkedin when ibm bought linkedin they tried to hire him to work for them because he knows more about linkedin than anybody else if you get a chance to sit in on one of his presentations i encourage you to do that he'll give you tips on what to do like i didn't know when you updated where you were working um that it would send out to everybody that you know or you're connected to it i have 8 thousand that i'm connected to so when they all congratulated me my my inbox was just flooded with
congratulations sally congrat so those little tips you need to know about um anyway i highly recommend that and then you're getting a coach getting somebody that can help you maneuver through how to grow professionally and how to um you know be the best you uh it's really important and people that are real technical never think that that's something important but it is there could almost be this idea that having executive coaching or maneuvering other aspects of the business takes away from you as a technologist say that again that doing executive coaching you're spending more time working on your image than the actual content you'll be more fluff than delivery and no you're not like living with them you're like talking to
them once a month for an hour so no no it's not something that i would have ever considered until i was at the cso level but the reality is sometimes you just don't know how to maneuver and i'm going to do a presentation in a few weeks on uh on a book called how women rise that focuses on the 12 things that they need to do to get held and you know some of the things are very important for the males as well because particularly technologists are introverts for the most part and i had one cso that they're grooming him to become the cio and he he wanted to know should he be asking for
um the physical security thing and i'm like should he be asking for that organization and i said absolutely he's and he's like yeah well i don't know well if you don't ask they don't know you want it and they'll give it to somebody else because you did not ask for it so these are just things to help make life easier for you to help you become the best you did that answer your question yes sally thank you so much for your time and we apologize for any technical difficulties as soon as the slide deck is available we'll share it out and you have me thinking i need to change my avatar yes you do i'm sorry but
for something like this is fun but for your linkedin profile you want something really um that would attract people who want to pay you money to be on their boards thank you for your advice and