Note from the editor: Javvad has left AT&T Cybersecurity, but on his last day he penned a final blog recapping the awesome tweet chat we had with all-star CISOs. Here is Javvad's heroic working-the-last-day blog:
On 18th April 2019, @ATTCyber gathered a panel of CISOs (and recovering CISOs) for a tweetchat to discuss some of the questions that we’ve always wanted to put to senior security folk.
The virtual panel consisted of Thom Langford, Quentyn Taylor, James Gosnold, Andy Rose and Raj Goel; with participation from many others.
To see the whole discussion thread, search for #SecurityTechTalk on Twitter for 18th of April. Below I’ve summed up some of the key discussion points around each question.
What advice would you give to people wanting to become a CISO? What skills should they develop?
The first question was geared up around the skills needed to be a successful CISO. Most of the answers revolved around non-technical skills that a CISO needs.
Multitasking! Even now I'm doing email, writing a report and am expecting a call. #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
(reposted with hashtag) #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
The ability to communicate effectively as well as see beyond the question that is being asked and look at what it is that is actually required.
Also, being able to laugh at the absurd and obtuse helps. pic.twitter.com/yaDXPquoRZ
Other than that spending time/networking with peers in other areas such as ops, finance, commercial, legal. Also very importantly sales - if your org sells stuff of course. This is the point of the business after all. #SecurityTechTalk
— James (@JamesGoz) April 18, 2019
Another thread of thought was assessing whether the role of CISO is the right one for every security practitioner.
SO many roles in security - find what you love and do that in a security context. Don't think that CISO is the best job because it's the most senior - other roles can get similar rewards #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
100% agree
— Raj (@RajGoel_NY) April 18, 2019
Pick the job that fits your talent, skill sets and management model.
Some CISOs are powerful & effective, some are glorified talking heads, and many will be sacrificed at the altar of undefined risks
Life after CISO
While some practitioners are looking to become CISOs, the longer-term question is what life after being a CISO looks like. Is there a clear career path beyond?
It’s not very clear: some stay as CISOs, some may try their hand at other things. Like many senior positions, there may be a shortage of clearly defined paths to take, but that doesn’t mean there aren’t plenty of alternative opportunities.
When I was at Forrester I used to speak to CISOs about this - the vast majority wanted to stay as CISOs! #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
A2 - I do see CISOs who've switched to Security Architecture, and I'm aware that roles as CIO or CRO are attainable, but depends on the organisation #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
Assuming it’s continuing in business/technology then I guess CIO/CTO would be the logical progression. #SecurityTechTalk
— James (@JamesGoz) April 18, 2019
A2 on #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Join for the money, stay for the view I say!
Also, being a CISO opens doors to other opportunities such as advisory or board positions that help grow your skills even further. Pro bono positions with charities let you experience other orgs. pic.twitter.com/85oeR4k6vJ
A2 - when someone knows the answer to this can they let me know? Asking for a friend #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
Money money money
We asked the panel where a CISO should prioritise their budget.
A3: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Training, Travel and Compensation. If you have the right people in the right place with the right skills you can overcome virtually any challenge. Everything else is just a tactical challenge requiring multi-year OpEx.
Who doesn't like a conference? pic.twitter.com/OyHyqgibbE
But mainly spend your budget on training your people. They are your only real asset #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
Staff training & development.
— Raj (@RajGoel_NY) April 18, 2019
You're only as good as your people
Technical skills
Communication skills
Presentation skills
Dressing skills
Reading contracts skills
And meme-warrior skills
We followed up by asking what security things you wish CISOs would stop spending money on. The answers were pretty consistent.
Remember don’t buy anything that your IT ops team can’t support - how much infosec kit gets bought and shoved on a shelf as IT ops can’t/won’t support or implement properly #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
A4: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Expensive consultants who provide over engineered frameworks and solutions that are wildly inappropriate to the case in hand. A UK charity I know was measured (at great cost) against the NIST framework and encouraged to spend money to address the gaps. pic.twitter.com/f9um8kyWGz
On whatever the big analysis companies tell you to spend it on. ... #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
Tooling without first identifying the problem? #SecurityTechTalk pic.twitter.com/v2MnuucQVL
— James (@JamesGoz) April 18, 2019
Game of Thrones
Next up, we delved into the position within a company that a CISO should ideally report to.
As one would expect, “it depends…”
A5: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Anywhere there isn't a conflict of interest. In reality this is the CEO, Board, Risk Committee or similar. NOT the CIO, COO, CFO etc. The CISO's assessments of risk will potentially be filtered by these folks... pic.twitter.com/dWPMbF25SP
I’ve seen several different scenarios; CEO, CTO/CIO and even CFO. I’m genuinely reluctant to say which is best as it depends on the organisation and the individuals involved. #SecurityTechTalk
— James (@JamesGoz) April 18, 2019
A5. It doesn't really matter. A good CISO will build the connections they need to influence and direct. It's such a cross-functional role that reporting line honestly doesn't matter unless you are using your boss for credibility (which you shouldn't be!) #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
Depends on the org. CIO is fine if they are a true Chief Information Officer and not a head of IT. No 2 orgs are the same and it is so org specific #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
Balance
Being a CISO isn’t just about being a technical leader for an organisation. It’s also about being a people manager. So how does a CISO look after their team and ensure they have a good balance in their lives?
Enforced leave is obviously a known security ‘control’ but clearly ensuring people aren’t overdoing it is important for other reasons.
— James (@JamesGoz) April 18, 2019
Talk 1-2-1 about their weekend, what they got up to last night. Some see this as chattering but it’s how you develop bonds and answer the Q above!
A6: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
The CISO should demand it of their team, and provide the required "air cover" to make it a reality, otherwise the team implodes spectacularly and the CISO is constantly hiring and rehiring. The CISO themselves however... pic.twitter.com/1pElmHZyL0
A6 - remember it’s a job. Do your best, have fun and try not to become too emotionally involved. Treat your staff with respect and always put them 1st #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
A6. You can work flexibly - allow your team to work from non-office locations when possible #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
Mind the gap
We see a lot of numbers being thrown about with reckless abandon bemoaning the skills gap. But where do CISOs feel the biggest skills gap lies within their organisations?
Thom doesn’t believe there is much of a skills gap as it stands, at least not in the way it’s often portrayed.
A7: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Uh oh, this old chestnut. Please, enough of the skills gap. Companies need to put their money where their mouths are and start training, graduate, return to work and apprentice schemes. Also, working better with HR. Biggest gap is in expectations pic.twitter.com/11GgeUjhZ6
Fixing stuff. Solutions. Seems to be a lot of people able to tell you you’ve got problems but less to take ownership, control of those and fix them. #SecurityTechTalk
— James (@JamesGoz) April 18, 2019
Personal skills and basic IT skills. You get people for interview who are awesome technically but can’t explain how a DNS request works - that’s 2 issues not knowing and not being able to explain #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
Andy Rose summed up the responses in this tweet:
A7. interesting - looking at the answers the skill shortage is both technical and soft skills. So that's most things then... :blush: #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
Security Awareness
How important is security awareness? And which methods of awareness are the most effective?
User awareness is critical AND A BANDAID until the infosec industry improves.
— Raj (@RajGoel_NY) April 18, 2019
We don't teach users to NOT stick their fingers into electrical sockets because electrical sockets are designed safe.
Software is built unsafe by design. #securitytechtalk
A9 remember too that *every* piece of interaction is user awareness. Awareness of what and to what end may be best left to the user but it all counts. #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
As well as my answer to Q8, look up the Van Halen Brown M&M anecdote, that may also sow a seed/idea in how to get people interacting. #SecurityTechTalk pic.twitter.com/wkFIjlCiDH
— James (@JamesGoz) April 18, 2019
A9: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
User awareness is like crowdsourcing your security programme. Get a lot of people to do a little bit of work and that will help loads. It leads to a security culture that is self supporting and policing.
Doing it right though is much harder to achieve pic.twitter.com/BgKrR3Sv8a
A9. Absolutely essential if you want to transform security at a firm. Proudest moment was attending a meeting with a SAAS provider and I didn't have to ask a single security question - all the business folk asked those questions unprompted! #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
A9 working out what behaviour you want to change and focusing on how to effect that change. Everything else is cargo cult mentality - marketing teams are good at changing behaviour, talk to them #securitytechtalk
— Quentyn Taylor (@quentynblog) April 18, 2019
That turned out to be a unanimous yes.
What the future holds
Finally, we wanted to do a little bit of crystal ball gazing to see what the future holds for a CISO. Will there be a significant change in the job, or in the skills needed to carry it out effectively?
I used to think this, but I think that as most of the threats have become virtual, physical security will essentially boil away and only the cyber area will remain relevant. #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
A10 - I suspect roughly the same as today. The beat may change but the tune remains the same. Yes the technology will change, yes the threats will evolve, but in reality the job will fundamentally be the same as it always was. #SecurityTechTalk
— Quentyn Taylor (@quentynblog) April 18, 2019
I’ve heard it said that disciplines like psychology will become ever more relevant which is an interesting thought. #SecurityTechTalk pic.twitter.com/ACRZRSlDLy
— James (@JamesGoz) April 18, 2019
A10: #SecurityTechTalk
— Thom Langford (@ThomLangford) April 18, 2019
Ideally it will be a wholly business role, with less emphasis on technical skills and more on actually making the security team benefit and contribute to the business. A seat at the grown up table would also be good. pic.twitter.com/CCOkS6ByeV
Q10. Still crucial, but security will be more integrated into normal business processes. More reliance on AI and ML for SOC and data analysis type roles #SecurityTechTalk
— Andy Rose (@AndyRoseCISO) April 18, 2019
All wrapped up
And that brought us to the end of the hour. We were grateful to our panelists for their time and for lending their expertise. Check out the full conversation on Twitter under #SecurityTechTalk, and we look forward to seeing you again at the next AT&T Cybersecurity tweetchat.