
CISO Panel

BSides Tampa · 57:32 · 26 views · Published 2023-03 · Watch on YouTube ↗

Tags: Style: Panel

Transcript [en]

[Laughter] Welcome back after lunch. It's our job to keep you awake, so this is the CISO panel. Thank you for coming out. This is something that we've done in the past at BSides, and usually at the end of these I always run up and say, "I'll get you on LinkedIn," and create business cards. Today I have the privilege to be up here, so I'd like to take a brief opportunity to say here's what we're going to do. We'll allow each member to introduce themselves, although Steve is not going to give you what he sent me, which is his entire life story; I kind of printed out pages, and they said "send us a bio," like, boy, I'll be in the room next door for three hours. We're in the ilo steve room. Then we'll ask each of these folks to introduce themselves, 30 seconds to a minute or so, to kind of say where they are, what they do, or something like that. Then I've got some prepared questions we can roll into. If you don't think the prepared questions are working for you, or if you've got a better one, you can interrupt the show and do that; but if not, in case everybody falls asleep, we'll keep answering those questions. So that's kind of the ground rules here.

My name is G. Mark Hardy, National Security Corporation. I work as a CISO, actually a virtual CISO, for three other companies, and I do a lot of other things like that besides, so it's a privilege to be here. I also have a podcast called CISO Tradecraft, and I've totally got a face for radio; I just recorded my 75th weekly episode. [Applause] Hopefully it's kind of a giving back to the community. If anybody knows how I can monetize it, let me know. [Applause]

Yeah, I used to be with Sykes Enterprises, right here in the Beer Can Building in Tampa, and exited a 25-year career with Sykes last year after securing, building individualized and customized security infrastructure for 400 of your top well-known brands, from the phone you're holding in your hand and the console your kids play on to the bank that you bank with. So yeah, realistically I had a 25-year career, which is unheard of for CISOs, purely because every single day was different. I was really securing 400 companies at once, which was great and not challenging at all. And now I'm with Mad Mobile. We are Apple's primary go-to-market payment provider: retail, restaurant, QR codes, all the things you guys are looking at and going, "oh my god, we love it." I used to live in China for a short time, and when I came to the US 10 years ago I couldn't believe you guys were writing checks. Then when I went to China, you're buying food from a street vendor on a cart with your phone, and nobody carries cash and nobody carries cards, and then I come back to the US and I'm like, oh my god, we've got a long way to go. And that's exactly what Mad Mobile is trying to do: they're trying to move the whole payment processing away from the old POS card-swiping devices. And I love the fact that POS stands for point of sale and something else. That's what we're trying to do.

Rolando Torres from Abacode.

Hey, good afternoon everyone. Hopefully we can keep you entertained now so you stay awake. I am co-founder and CEO of Abacode. Any of you guys familiar with Abacode? We're a local consulting firm; we provide cybersecurity and compliance services for companies in the US, South America and Europe. Me personally, I'm originally from Puerto Rico, so there's a little bit of an accent there, which I love. I'm former Accenture; I was there for 16 years. That helped me have some of the, I guess, discipline and rudiments on what we should be like, working 70-hour weeks, as you can imagine. We started Abacode about eight years ago, very much focused on cybersecurity, then we added the spin on compliance, focusing cybersecurity specifically on the standards that are required by the industry, all the ones that are recommended by the agencies and the government. So I hope we can have a good time today.

Next we have Christina Shannon from Catalina Marketing. Welcome.

Okay, I don't have a cool Puerto Rican accent; I got this twang thing from growing up in Ohio and then living in Arkansas for 12 years working for a little retailer named Walmart. So I got my start, I'd say 2007, RSA Security. It's funny, because when I was asked to do a bio for this I was thinking about, well, when I started in security it was during a time where hard tokens were the thing; no one wanted to use soft tokens. And today you're using push, or maybe not so much wanting to use push, but there are so many different options, and when you say hard tokens today people are like, what is that? So I've kind of aged myself, I guess. But I spent many years at Walmart, both working as a partner or vendor and then also working for them. Then I kind of did a stint over what I guess is known as the flyover states, or the middle of the country, because then I was a CISO at QuikTrip, which, I was just telling someone earlier, they're the Wawa of the Midwest. Then I was at Raymond James as a senior security director there, then spent the last three years at Anchor Glass in the CIO and CISO role, and now I'm at Catalina Marketing in the CISO role. Catalina is cool in the sense that it's a data-driven company. That was one of the reasons why I wanted to go work for them, because their whole mission in life is to work with retailers and consumer goods to figure out what they need to do to use data to give insight that turns shoppers into buyers. And I get bored easily, a little fidgety, so if you see me throwing this ball around, just ignore me.

You can throw it up here, we'll throw it back. [Laughter] Thank you very much.

I'm Dave Summitt. Wow, you know, we're talking about how long we've been in the field. Long enough that I left Moffitt, interestingly, 11 months ago. I was there for a little over six years. Prior to that I was CISO at the University of Alabama Birmingham Health System, and in St. Petersburg at the Bayfront Health System. Before that it was 21 years with the Defense Department, Navy, doing all kinds of work there. I really enjoyed that. But how I got into security was basically my time with the Defense Department. There were so many things going on that I just absolutely loved, and it was during the good years of the Reagan administration when we had all kinds of money to do whatever. So yeah, I left there and I kind of took some time off. We may talk about it, we may not, but it was a period where I realized that anybody in security can get to a position where you start burnout. I was in a burnout period and I just said, I've got to get away from this for a while, clear my head, because, believe it or not, guys, there really is life outside of cyber. I found that out this past year, and I've absolutely enjoyed this last year. So I started my own company after I was out for a while, on consulting and advising, and I'm absolutely loving doing it. Now, taking the shameless plug that you did for your podcast, I started a podcast this year too, Three Point Cyber, and I will hit you up after.

Take that sponsorship away from me. That's enough for everyone. Absolutely. Yeah, before we talk, we're probably going to do some work... not anymore.

Well, this panel is for you, and so it's an opportunity to talk to some seasoned professionals from different backgrounds, different career paths, who have found themselves working the role of the CISO. A lot of times we think of a CISO as sort of being the apex job that we get to. Normally, where do you go after CISO? Another CISO, right? More than a vCISO. Compare that to following on and saying, let's be the CEO or founder; in some cases it works out pretty well. But what we want to think about, though, is making this your question-and-answer. I want to start out with the first question, which everybody asks, but I'm not going to ask it. We're not going to ask what keeps you up at night. What did you do this past year that helps you sleep better at night? So we're actually trying to turn that into sort of a positive thing, which is another way of saying, what's working really well out there that you see?

Yeah, no, I think finding that work-life balance is important. Yes, we're working a lot of hours, but you have to be able to disconnect to a certain extent. But I think the most important part from the professional side is understanding that you have done everything that you can. Cybersecurity is all about managing risk, and it's never going to be 100 percent correct. There's always going to be risk; you're going to have to deal with that, you're going to have to manage it. And being able to say, yep, I've done everything that I can; if something were to happen, I'm not the first one, I'm not going to be the last one. I have everything in place to deal with the situation. And when you're able to reach that point...

Oh no, I may be a little bit more anxious than you, because for me... I like to keep football analogies, right? So I like NFL football, I'm a Cincinnati Bengals fan. I love them; I even went all the way out there because I thought they might not ever get back. But anyway, you see a lot of the defenses in football, they'll do these fancy defenses, four-three, three-four, and then they'll still miss the tackle that enables like a 60-yard bomb, right? And it's because they missed the tackle. And what I've discovered, or not discovered, a pattern I'm seeing as you see more cloud explosion, is you see people stop taking inventory of their software and their hardware. Asset management's gone out the window, I feel like, at a lot of companies that have gone cloud-first. And so what we did was, looking back, it was kind of a blessing in disguise. We had what we thought was a major incident. We used product terminology and couldn't figure out what was hiding under the product, right? Because the product wasn't what attackers go after; attackers go after systems. And I was like, well, this is this product, right, but all the stuff under it no one knew. So we put forth an exercise to go and figure out what's across 32 cloud subscriptions and get it documented, and now we're working to make it dynamic. But it's one where you can't really have a detection or response strategy or an endpoint strategy if you don't know what you've got, right? You can't even really quantify what your investment should be until you know what you've got. So I would say that I was able to sleep a lot better at night because we went through an exercise to get better at asset management.

And every company is the same no matter how big they are. 160,000 people and 4 billion in revenue across the globe is where we exited 2021. We had no asset management, and two breaches; they're in our SEC filings. But our problem was we couldn't get out of our own way. At the first breach we couldn't get out of our own way; we knew we had to fix it, and couldn't fix it fast enough. So what makes me sleep better at night, and what keeps me up, is I changed jobs. I was offered two opportunities and they were vastly different. I moved away from IT, so I don't report into IT, and I went to a company that doesn't have a CIO because we're an afghan shop. But unfortunately, what I found is we don't have asset management and things like that, so we've got a lot of work to do. So now I'm wearing two hats: I'm the de facto CIO as well as the CISO, and now I have to right the ship based on the experiences that I have. And the good news is my board and my CEO, who I report into, are bought in, and that's the biggest thing. What helps me sleep at night is my executives are bought in and I don't work for IT.

That's really cool. Real quick: I turn my computer off at 10 o'clock. Good. [Laughter] Wake up, have breakfast, cut that podcast. Great job if you can do it.

So we're talking about different reporting structures, and ultimately the CEO is responsible for the organization. So from your perspective, kind of like self-reporting here, what are the top metrics the CEO should use to measure CISO effectiveness? That is to say, how would you like to be measured by the big boss and held accountable?

Yeah, I think the ultimate KPI is don't get breached, right? No breach, that's the ultimate one. And I think it's an interesting question, because what we find in the industry is, when it comes to CIOs and CISOs, there are a lot of folks that don't talk the business language, and translating what is going on from the security and compliance standpoint to the business language of a CEO or CFO is very hard. So even establishing KPIs, right, what is it that I'm going to use as a CEO to measure you as a CISO or CIO in terms of a successful cybersecurity program? It's hard. I mean, obviously not getting breached is one. Being able to maintain an information security management system that is monitored and that is up to date on a regular basis. Getting any certifications that are meaningful for the industry you're in, that's another one. And I would say the one that is coming up very, very quickly for many companies: being able to maintain your cyber risk insurance. I think many of your contracts are attached to being able to have insurance, and many of your insurance policies now are going to require your company to be able to comply with certain standards, right? And that's meaningful for the CEO, because that's business, right? I don't have insurance, I don't have a contract, I lose revenue; what's going on here? If I told a CEO I don't have asset management, I don't have access control, I need this and that, he's like, what are you talking about? I mean, you're getting lost. So those KPIs have to be very much business-driven KPIs.

Business-driven KPIs. Other thoughts?

I would say, along those lines, the incidents and whether there was financial impact, right? Metrics around incidents, and then what was it, was it a surveillance, was it low impact, what was the monetary impact. I'd also say phishing metrics, and then tie that to training, right? So does the trend go up, or does the trend get better for the next exercise when they do training after they've clicked on the link? I think trending on vulnerability management. I don't think that you go to a CEO and try to get them to understand what a vulnerability is, as much as... well, you do at a high level, but you really get them to see if the trend is going up or down, right? I mean, CEOs know what applications are, they know what systems are, at a high level, right? And so if you say most of the infrastructure, most of the things we have, are more vulnerable than not, they get that, and they get the exposure from that. I also think probably the most valuable for a CEO is doing a penetration test that tests basically can you reach their crown jewels, whatever the crown jewels are for that business, and then having some kind of... because CEOs like charts, and I once had one tell me he only deals in numbers, so they like pictures. And so it's basically showing it to them, how many, you know, for that X. Like I like doing the internal penetration test, right? Give them a basic set of credentials. In one role I had, it was manufacturing, so I was like, see if they can get to our production, can they shut us down? And they got there within a day, and that was the only thing I could do to convince a CEO that had the highest risk tolerance I've ever seen to spend on cyber. But it worked, right? So I'd say do metrics that work, that are tied to your business.

Yeah, I think from a CEO perspective, they don't care about all the technical stuff that's going on in your program. Quite frankly, they don't really care what kind of levels your people are; they just want to know, am I secure, and where is my risk area? So for me, the most effective way to measure the effectiveness of the program is by third-party assessments. You can do all your own assessments all day long, which is really needed, and I would do that all the time, but to have an independent someone come in, and the CEO can take that report back and look at it, goes a long way.

That's a good point. And my perspective also on that is, how has security enabled the business to be more successful? Typically we think of security as a tax or a friction, a drag, and I think our goal as an effective CISO is to be able to go to the CEO and say, look, we've been able to do better, faster, maybe cheaper, but the point is we can do things that we could not do otherwise if we didn't have an effective security program in place. And therefore, when you do run into something that impacts the business, such as MFA or whatever, to be able to demonstrate there's a huge difference in terms of the benefit to the organization versus the momentary "oh, I've got to learn a new thing." And when I've got my executives trained, within a month of arguing at first, they're going to be defending it, saying "I want to do it." And so that's how human nature is: people will tend to object to change, but then afterward they'll defend what they're doing, and so you can take advantage of it.

So it rolls all the way back to the buy-in, the executive buy-in. You can't get your executives bought in if you don't understand the business. My CEO asked for a 90-day plan in my first week, the mythical 90-day plan, right? And I evaluated the environment: there's no way I can deliver a 90-day plan. I'm going to give you a rolling 30-day plan, because I've got a lot to fix; measure me on the difference I'm making, right? And then I'll come back with a 90-day plan, then I'll come back with the two-year plan and push it from there.

I just wanted to comment on that. So I got the same, right? My current role, it was like, I want to see your 90-day plan. So then what you do is a qualitative risk assessment, so you look at the NIST framework, you're looking at CIS, and then you're interviewing, right? That's really what you're doing. And so we based our plan off of those, because that's what I had, right, with the understanding that I don't know what I don't know. Then we had a major incident investigation, and we went back to go answer all those questions, and the answers looked a lot different. So yeah, it's interesting when you're just doing a paperwork drill.

Yeah, CMMC migrating from "oh, we have to inspect and prove it" to "oh, just self-certify"; we'll see how that works.

How can you deliver a 90-day plan if you don't know the business? Learn the business. So how does your CEO measure you? Learn the business, develop metrics that match the business, and then produce on those metrics and make a difference. How many of you work for the board, or work for legal?

I work for the board and the CEO. Nice.

So where I work is a major competitor to Walmart. My colleagues here and I, both our signature blocks say legal. I'm a staff-level threat hunter; nobody wants to get my email. And the interesting thing about reporting through legal as I'