Pending legislation mandating cybersecurity representation at the top levels of an organization in a relatively young field and understanding that field are testing the bounds of practical cybersecurity leadership.
Today’s guests are Richard Brinson and Rachel Briggs. Richard is an experienced executive, board advisor, and global top 100 Chief Informations Security Officer. He has been providing strategic guidance to many of the world’s largest global organizations for over 20 years with core expertise in cybersecurity, technology infrastructure, and enterprise architecture. Richard leads Savanti’s cybersecurity practice, helping large organizations to transform and modernize their security functions for the digital age.
Rachel is a leading expert on security and has advised governments and multinational corporations on security, resilience, terrorism, and responses to extremism. She is an Executive Advisor with Savanti and founder and CEO of The Clarity Factory, which provides and arranges services to its clients including research, consultancy, and thought leadership.“There’s a language problem and a relevance problem in the boardroom.” - Rachel Briggs Click To Tweet
- [1:35] – Richard shares his background and what Savanti is known for.
- [2:30] – Rachel works with Richard and his team on thought leadership products.
- [4:01] – Organizations reach out to Savanti and don’t know if what they are doing is right or wrong. SISOs seemed to be coming and going.
- [5:35] – There were 6 key factors that were causing this churn in the industry.
- [6:50] – The supply in demand problem for cybersecurity leaders is one issue in retaining professionals as SISOs.
- [8:45] – For every three years, a company is really only moving forward one.
- [10:05] – Rachel shares data that shows the importance of strong cybersecurity and leadership that does it right.
- [12:37] – It’s not just about security. It’s actually part of a good business model now.
- [14:03] – When cybersecurity isn’t a part of leadership, the board's understanding creates a problem with delegating and solving problems.
- [15:20] – Richard is a board advisor on many organizational boards to help with this lack of understanding.
- [16:48] – There are fewer than 100 SISOs with effective boardroom expertise.
- [18:02] – When speaking with SISOs and others in leadership, things are lost in translation.
- [20:28] – We tend to just expect people to be good communicators but it is a skill that needs to be trained.
- [21:43] – There are leadership training companies that organizations can work with to coach a leadership team.
- [23:30] – SISOs can and should be taught to communicate effectively in the boardroom and that should be something the organization provides.
- [25:20] – There is pending legislation that will mandate the requirement of cybersecurity in leadership, but Richard shares some possible problems.
- [27:04] – Savanti helps demystify this problem with communication.
- [28:42] – For smaller companies who cannot afford a full time SISO, fractional SISO roles that are usually virtual are offered by Savanti.
- [31:18] – If an incoming SISO does not have the support of the board, they cannot be effective or successful.
- [32:50] – The turnover rate for this role is quite high.
- [34:02] – Companies who aren’t willing to implement recommendations or bring in a qualified SISO leads to a number of costs and risks.
- [36:02] – Changing SISOs so often is destabilizing.
- [37:35] – With solid security, a company can take more business risks safely.
- [40:03] – Regulations can be helpful but not helpful in many ways.
- [41:52] – If you are considering a role as a SISO in leadership, round yourself off as a business leader with effective communication skills.
- [43:53] – You can read the recent report that Richard describes by clicking here.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- The Future of Cyber Security Leadership Series
- Savanti Website
- Richard Brinson on LinkedIn
- Rachel Briggs on LinkedIn
Richard and Rachel, thank you so much for coming on the Easy Prey Podcast today.
Rachel: Hey, thanks for having us.
Richard: Yeah, thanks, Chris. Great to be here.
Richard, starting with you, can you give us a little bit of background about who you are and what you're currently doing?
Richard: I'm delighted to. Richard Brinson. I'm the CEO and co-founder of a company called Savanti. We are a boutique cybersecurity consultancy focused really on cybersecurity strategy, leadership, and running large-scale cyber transformations for large enterprises.
Background-wise, about 20 or 22 years in security. I started off as a self-taught ethical hacker, if you can imagine what one of those is, and then moved into a little bit of forensics and various other things before working my way up through the corporations. For the last eight, nearly coming on for eight-and-a-half years, I've been doing CISO roles largely for Savanti customers.
I've been a CISO at some very large organizations, including Unilever, Sainsbury, and a bunch of others in the FTSE 100. That's kind of me.
Great. Rachel, can you give us a little bit of background as well?
Rachel: Thank you Chris. I'm Rachel Briggs. I'm an executive advisor to Savanti. I've been working with Richard and his team on our thought leadership products. What we're trying to do is to use the excellent practitioner knowledge of the whole team at Savanti working for a combined, probably, many hundreds of years with clients on their cybersecurity needs and trying to distill that along with industry-leading research to provide a roadmap for the industry on solving some of what seemed to be very complicated wicked problems that, as an industry, we're struggling to disentangle.
We're trying to make sense of what's going on. We're trying to offer some practical solutions for practitioners, which is very much the spot that we're in. This draws on the last 20 years of my own experience working in and around various different bits of the security industry and with a real commitment to how really good insight and research paired with practitioner knowledge can help to improve and help our industry move forward.
For each of you, is there something about why you decided now that there was a need for cybersecurity leadership and having those discussions?
Richard: I think it's from what we were seeing. We keep getting contacted by large organizations who are saying we've got a problem with cybersecurity in that we don't know if we're doing the right thing. We often get involved to come and have a look and say, “OK, with our experience, this bit's going well; this bit is not going well.” The one thing we were seeing consistently is this revolving door of CISOs of cybersecurity. There's kind of like two different sides. One is the companies that seem to go through them very, very quickly. Is there a particular reason why a company goes through them quickly? The second thing we were seeing was individuals who were going through jobs pretty quickly.
Two potentially different causes, but we wanted to really understand what the problems could be, and we want to understand if there's things that the organizations can do themselves to keep their leaders for longer, support them better, and have a more successful journey. If there's also things that CISOs themselves can do to maybe become a bit more business aligned, a bit more focused on not just the techy side of it, but actually how do you be an enterprise leader at the same time as earning in cybersecurity.
That was kind of the reason we got into the research because we were just seeing it again and again so we wanted to document why and then use that to both educate companies and security leaders themselves on what could possibly fix this issue.
Let's talk a little bit about it. What were some of the good things that these companies were doing? What are some of the bad things that the companies were doing? Why was there this churn in CISOs?
Richard: We've kind of termed this as the perfect storm, which is slightly overused cliche, but it kind of summed up well. The perfect storm—we felt there were kind of six really key factors that were making up this incredible churn. The churn itself is causing companies to stand still in an industry which is moving really quickly, effectively going backwards. We can dig into them in a lot more detail, but effectively there are six. The first is the threat is ever increasing. The job is not getting easier; the job's getting more difficult. More nation-states are going after private companies. Just the size of the increase of cyber crime was huge. That was item number one.
The second one was low boardroom understanding. Many, many boards who are taking a keen interest in it still don't really understand how to manage cyber risk. They don't really understand, you know, the challenges involved. They don't really know what they need from a leader and therefore it's quite hard for them to support those leaders because they really are bringing someone in to fix it, which is quite different from any other C-suite role where you wouldn't bring in a CFO, for example, and say, “Hey, you just go and fix the money for us. Don't let us know about it. Just make sure there's no problems there.” There's definitely low boardroom understanding.
The third key factor is around the scarcity of talent, and we know that cybersecurity has a supply-and-demand issue right across the whole breadth of it. In particular, there is a big lack of people who have had a career in cyber, who would be an SME and cyber operator, that also then have that level of business understanding and are able to lead, take the seat around the C-suite table and go toe to toe with any other C-suite. There's a real lack of talent in the market.
Number four was the spiraling salaries. Again, very well-documented CISO packages are getting higher and higher. We're hearing about them being more than CFOs in some companies, which is crazy, but that means people are moving a lot. People are getting offered lots more money to make a move. If they're not getting the support from the company, from the organization they're in, if their board doesn't really understand it or support them, then they'll jump and they'll take a 50% pay raise to go to the next job.
Number five was around what we call hero mentality within the CISO community, and over half of the CISOs that we spoke to, the majority described themselves as transformation CISOs. If everybody's transforming, who's doing the steady state? Who's actually just keeping us moving forward and not ripping it all up and kind of starting again.
The final part of this jigsaw of the perfect storm was the average tenure of CISO is 2.3 years. It's very, very short compared to 4.6 years for a CIO. I think it's 6.9 years for a CEO. The average CIO will go through—unless they start at the same time, which is unlikely—three CISOs in their tenure, and a CEO will go through four, which is kind of crazy.The average CIO will go through—unless they start at the same time, which is unlikely—three CISOs in their tenure, and a CEO will go through four, which is kind of crazy. -Richard Brinson Click To Tweet
All those things coming together just means there is no stability. The reality in companies is that every three years, they're probably only moving forward for one of those because when somebody's leaving, when they're hiring, the first nine to 12 months of the CISO role, they're probably understanding the company, stopping some things, starting some things, not really delivering value. All of that means a lot of companies are going backwards.
We'll come back and dig into each of those a little bit. For Rachel, what are some of these issues in respect to CISOs? Is it an advantage to have CISO that has lots of experience? What's the drawback if you can't find a CISO that has the experience you're looking for in the salary range that you can afford and that you aren't afraid is going to leave you after 30 minutes?
Rachel: Undoubtedly having both the right person at the top of that function and a really well run function pays dividends. What being well run looks like in practice is quite another question, but if you look at, for example, data that comes out of the insurance industry, which is probably one of the most comprehensive data sets that we can rely on. It speaks for itself.
The companies that they describe and classify as cyber experts, they simply have fewer breaches. When they have a breach, they respond to it quicker and more effectively, and they're less likely to go under as a response to it. Undoubtedly doing this and doing this well is really important. It's a competitive edge for organizations. One of the things that we talk about in the paper is the fact that we're starting to see the investor community asking questions about cyber capability now. They recognize that if they're going to put their own money into companies, one of the most important factors is how well that cyber function is run.
It's not the only thing they're looking at, but they recognize increasingly that this is not just a clear and present risk and danger for corporations, but that the data on the number of organizations that can be very severely impacted or even go under as a response of not having the right capabilities in place, not understanding how to respond to it, is just too big a risk.
I don't think it's any surprise to us that the investor community is reaching the top of their question list now because not only is cyber really important, but I think it's one of those touchstone issues, isn't it? If you're getting that right, you are probably getting other things right as well, because so few companies really, really get it spot on. Having that right capability, having the right leadership is a non-negotiable.
Delivering that in practice is quite another thing and it's proving difficult, but I think the evidence is very clear. Having good leadership and having the right capability is not just a good thing to have. It's kind of mission critical for companies these days.Having good leadership and having the right capability is not just a good thing to have. It's kind of mission critical for companies these days. -Rachel Briggs Click To Tweet
One of the other interesting things is that this isn't just important in and of its own right. What we're starting to point to is the huge sort of business value of a great cyber function as well. Stage number one is getting a good kind of cyber protection in place, but the companies that are really flying in this space are not just protecting themselves; the cyber function is enabling them. It's non-negotiable, but it's also starting to be a real business value-add and, as I said, something that investors are really, really keen to look into and dig deeper on these.Stage number one is getting a good kind of cyber protection in place, but the companies that are really flying in this space are not just protecting themselves; the cyber function is enabling them. -Rachel Briggs Click To Tweet
I think, to me, it makes sense that this is top of mind for investors. Investors are usually kind of leading market moves. They're trendsetters. They're looking for things on the cutting edge. It's kind of the inverse of that where the problem is that boards are usually made up of people that have been in their industry for 20, 30, or 40 years. They're kind of, “I've been here. I've done that. I know what's going on,” and they're kind of set in their ways, and this whole new cyber thing is just a fad. “I don't need to worry about that.” Is that kind of a challenge with the existing board?
Rachel: I'll defer to Richard, but I think one of things that the research shows us is there's no question whatsoever that boards are concerned about this. Study, after study, after study shows that the vast majority of board members who are surveyed count cyber as being one of the top three things that they're concerned about, which is kind of extraordinary, actually.Study, after study, after study shows that the vast majority of board members who are surveyed count cyber as being one of the top three things that they're concerned about, which is kind of extraordinary, actually. -Rachel Briggs Click To Tweet
They also admit they don't really understand it. They don't know what good looks like. They don't really understand what they should be recruiting for. As Richard said earlier, they then end up kind of delegating it down to the CISO to just get on with it in a way that they wouldn't do for any of their other core business functions. There's certainly a lack of understanding on most boards.
We're starting to see some quite interesting things happen in the regulatory space. The SEC has put a number of proposals but haven't ruled on them yet, which would see boards need to report much more clearly on incidents, report whether they have expertise at board level, and be more transparent about what their capability is within the organization. Australia has put in place some quite stringent regulation in this space, which board directors face personal liability.
I think there's a number of things that are in motion that may well force the hand. I think what we're dealing with is maybe a generational transition at board level and a need amongst boards to recognize there's a new set of skills and there's a new set of talents and expertise that need to come into the boardroom for most companies to be match fit in the 21st century.
Richard worked alongside boards and is a board advisor for many of our clients. I suspect he may have some more insights to add on that.
Richard: Just to briefly add, I think Rachel's covered a lot of the answer there, but for me, when I talk to a lot of non-exec directors in particular who have been around for some time—let’s put that in the plainest terms—cybercrime for them has come up through the ranks really, really quickly into a board-level discussion without having matured as a corporate discipline.
I think that in itself has caused challenges around how do we effectively govern this new kid on the block from a boardroom point of view when we don't really know how to manage the teenager in the room, or whatever you want to call it? It's probably comparable to parenting teenagers in some way, I would imagine.
Is that some of the challenges that the people who have the cybersecurity industry experience don't have the boardroom and the business experience, and that you kind of have that push and shove because we're going to look down on you because you don't know how to run a business, but we also need you here because there's things that you know that we don’t?
Richard: I think that that's a huge part of it. We work fairly closely with some of the executive search firms on data and research. Russell Reynolds, who is one of the big exec search firms, had a view that of those CISOs who had that boardroom experience, the sort of subject-matter experts who could really stand their own in the boardroom, there’s probably less than a hundred in the world and most of them are in the US, according to Russell Reynolds.
That makes it a challenge if the Fortune 500 companies all need CISOs and there's only a hundred in the US or a hundred in the world. You definitely have a talent shortage.
Richard: Part of what we wanted to do in creating this series—and by the way, this is the first report of probably four. One of the things we wanted to do is how do we change that balance? Not everybody needs a boardroom level top 100 CISO and clearly they're not going to get it.
What can we do creatively to bridge that gap in the meantime? It's probably a case of both educating boards, but also educating CISOs on what good looks like, and maybe it's not one person's job to do that thing. Maybe it's multiple people's jobs. Can we bring people from the business in to supplement CISOs in some of the gaps they may have? That's some of the motivation for doing this research.
Rachel: I think I would just add to really compliment what Richard just said. One of the phrases that kept coming back to me as we were interviewing CISOs, CIOs, CTOs, CEOs and others, was the phrase that whether it was told to me or it occurred to me was lost in translation. You’ve got two different types of people that speak different languages.
Part of the challenge here is finding a way for them to connect. You've got boards who just know cybersecurity is important, but don't quite know what good looks like or what questions to ask to figure out whether they've got good or bad. You've got some really excellent CISOs who fly at board level, but as Richard said, they're very limited in number and the rest are struggling to articulate themselves, articulate the role of the function, and kind of bridge that gap.You've got boards who just know cybersecurity is important, but don't quite know what good looks like or what questions to ask to figure out whether they've got good or bad. -Rachel Briggs Click To Tweet
As one […] who we interviewed said to us, and I'll probably paraphrase him terribly, but he said something along the lines of, “CISOs coming in and they just don't know how to communicate at board level.” He said, “I think it's because a lot of times, they don’t know how to be relevant at board level.” There's a language problem, there's a relevance problem, and I guess part of what we're trying to do is to put out there a set of ideas and some practical solutions that might in and of itself help to bridge that gap somewhat and translate what both sides need.
It's funny that you used that phrase about kind of lost in translation. I recently did an interview with Alyssa Miller, who's a CISO, and that was one of the things that she talked about on kind of why she got the role because she could translate things in a way that made sense to the board and made sense to the marketing department and different business units. She had that skill set to be able to communicate technical things in a non-technical way.
If you have lots of people with the skill, but not the ability to communicate, is it the need for almost board business training, boardroom training, for high-functioning cybersecurity professionals?
Richard: Yeah, we think that's definitely part of the solution. Actually addressing communication is a real thing and so often overlooked as something that we just expect people to be good communicators these days. You actually have to be very proactive to be a good communicator and that's not always understood if you've come up through a technical subject matter-type route because you've never really had to do that to any significant extent with people outside of your department so much. I definitely think about training communications.
We're seeing a lot of use of mentors even with very large enterprises. We have a client who has 300,000 plus employees. They have a CISO and they've even hired a CISO mentor, not because they thought their CISO was lacking, but they really wanted additional translation skills and capacity to that side of the role so that it wasn't just a complete distraction from the day job as well. You can get sucked into that and you can spend all your time trying to translate stuff to the board and actually no time getting stuff done in your own department. There's got to be some balance with that as well.
Are there programs out there for—even if it's not even necessarily CISOs or cyber security—that you're aware of that help people kind of learn how to communicate on a C-suite level? Those little mentors here and there that do that?
Richard: I know a couple of executive leadership training companies. I've worked with one in particular that I've taken into a few different clients, but there are small boutiques and a bit like us that are probably 30, 40 people, all ex-senior people. These ex-professional sports people actually are part of their coaching because of the type of mindset as well.Actually addressing communication is a real thing and so often overlooked as something that we just expect people to be good communicators these days. Click To Tweet
They've been quite effective and I'm sure there's a few of those type companies out there, and maybe we need to formalize that a little bit more. Make recommendations about or even mandating using the use of some of the companies like that to help get it right.
Rachel: I think the other thing is the communications challenge. I am at the pointy end right now for the CISO community because of the speed at which this change is taking place and a group of people suddenly find themselves interacting with the board that maybe they weren't three or four years ago.
Other parts of the business have dealt with this over the years. This isn't something that's so special to the CISO community. Apart from the things that Richard mentioned, just general kind of leadership coaching and executive mentors and executive coaches and so on. There's a whole raft of professionals who have to learn how to put their head out or poke their head outside of their own discipline, develop empathy skills so that they understand different disciplines within the company. We'll see what they do and find it relevant to them, communication and so on.
I think it's a broader leadership challenge, and I think it can be really helpful to think about it in that way and recognize that it's not necessarily a special set of things and needed by CISOs. I think one of the things that's really important to recognize, as Richard said, is that communication isn't a dark art. It's something you learn to do. You can be taught techniques for doing it more effectively and in particular settings. I think that's what we're saying, that we need much more within the CISO community right now.Communication isn't a dark art. It's something you learn to do. You can be taught techniques for doing it more effectively and in particular settings. -Rachel Briggs Click To Tweet
I know just coming from a developer background, developers and software engineers communicate with one another in a very specific way, a language that's unique to that community and it doesn't necessarily translate out well. It's not even an issue of this is only a CISO issue.
This is an issue with lots of companies, just with their development teams of being able to communicate better with the marketing department, better with business units, and be able to explain the needs of why the development team might need to spend more time working on cybersecurity or do things a specific way without getting lost in the weeds of, “Let me show you the C# programming that's the issue,” and everyone's eyes just glaze over.
Do you think some of it is the board's need to say, “OK, we're going to bring someone on the board. We just have to figure out how to communicate with them. It may not be the way we normally communicate with the board, but we need to bring these people in and find someone that maybe we don't have good communication with, but we feel comfortable that we can grow into that.”
Richard: There's definitely a need and what will become a regulated SEC ruling goes ahead to have that cyber expertise on the board. The danger with that, everybody else on the board just says, “We've got someone for this now. That’s great. I've got someone hired to look at it internally. I've got someone on as an external divider. I'm going to stand back. These guys are going to talk—guys or girls.” There's even a lowering of the understanding on the board even further because they just don't need to engage on it now because they feel they don't need to. That's clearly a challenge.
What should the board be doing when they're like, “OK, we see this impending regulation coming. We need to get out ahead of this and get cybersecurity representation on our board.” How do they go about finding a candidate in a field where talent is so sparse and you've got the spiraling costs and all these things that we talked about earlier. How do they go about evaluating and finding candidates?
Richard: Really difficult. They don't exist at the moment alone. If this SEC ruling goes ahead and that you need it, the demand is going to go through the roof. You can't just take just the cyber expert to sit on your board because they're going to have a lot more influence than just on cyber matters.
If they're on your board, they're on your board. They're going to be involved in various committees discussing other types of risks. It could even be […] whatever that may be. If they don't exist, there's going to be a real supply-demand issue. Let's see where it goes. What we can try and do is help educate, help advise, and train more people into the role.
Rachel: That's one of the reasons that our next paper is looking at what effective cyber board governance looks like because again, I think it's an area where we just need to demystify a bit and offer some practical suggestions. Boards in the light of what's happening with the SEC in the US, the bloody recent rulings in Australia around this, the fact that where the SEC leads the EU follows and so on and so forth. There will be boards who want to know what are the three characteristics I'm looking for.
What are the five things that can tell me that are proxy indicators that this person would have a reasonable understanding of cyber and could realistically sit on my board as a […] and sort of be that bridge between us as board members who kind of know it's important but don't quite understand it and the CISO who can't quite speak the board language?
We really want to unpack that and we want to make sure that there's a good understanding of the practical steps that boards can take in a demystified, simple way that can help them too. As Richard said, if this goes through, the demand is going to go through the roof and there will be no shortage of people queuing up to take those seats on board-coveted positions.
Watch this space, but that's what we're working on at the moment. Something that can be somewhat of a practical guide for boards who are trying to make sense of this without that depth of knowledge and expertise as a starting point themselves.
Do you see with the smaller businesses where there's been the rise of the fractional CFO and, “I can't afford the $150,000 to $250,000 or more that a CFO might cost, but I still need more experience than my accountant can provide.” Do you see a role for fractional CISOs?
Richard: We more than see it here. We do it for a number of small-to-midsize organizations. We call it virtual CISO on the basis that it typically is remote and it's typically fractional. We've been supplying virtual CISOs to companies for probably seven-plus years and have learned a lot through that process as well. I think one of the learnings is actually there has to be a minimum commitment, which is more than any detailed commitment for companies to make a real difference.
I think when we started offering them, we were doing anything from a minimum of two days a month, but we realized in a fairly short time that two days a month is really not enough to do anything because you're not just there for governance, you're there to actually enact change. There's a very limited amount you can do in two days a month.
We now won't take one of those engagements unless it's at least six days a month. It just sort of gives you the minimum feeling for even at a fractional level if you are not engaging at least six days a month, you really struggle to get stuff done because you can't make the changes quick enough and push the organization along.
It's a big thing. We're seeing lots of companies starting to offer the same sort of service, but it means different things to different people. There's a very big difference between a security technology reseller selling a virtual CISO and a strategy company selling a virtual CISO.
It's sometimes kind of a partnership role between maybe the CIO and the fractional CISO so you have the CIO to implement things that come up in the discussions, but you have the fractional CISO that has the experience and the ability to communicate with the board a little bit better?
Richard: That is a workable solution. Again, the virtual CISO levels that we're seeing going in are not necessarily the board-level people. They're sort of X information security managers who had a mid-level management job who are going into a medium-sized enterprise there, virtual CISO. The more SME understands the day job a bit better and helps to build a plan and hold people's feet to the fire, but not necessarily doing that at board-level communication particularly.
Got you. Kind of on the flip side, if you bring in a CISO who doesn't have support of the board, are they actually able to implement things?
Richard: In our experience, no. That was definitely one of the findings for companies that go through CISOs pretty quickly. We know large companies that have had four in four years. I think the most we saw, which was quoted by another search firm, is that one of their big clients had four in 18 months. They were extremely worried about going to market again because they didn't know what they wanted and they didn't know what they needed. They were scared of a bad hire or another rehire that didn't work out.
That tells you something about the organization more than it tells you about the candidate, where the organization is not ready to provide the right support, or is not the right environment, or cannot create the right environment for the CISO to be effective and therefore you're going to get to this very quick place where the CISO says either, “I've got no money, or you're not letting me change anything, or you're not supporting me, or you just don't care about this enough to allow me to influence other people.” We do see that.
Once you get in that place, you've got the, “Hey, I can take my skill set elsewhere for better pay, so I'm not willing.” There's almost like a lower tolerance for friction.
Richard: Totally path of least resistance. “Why am I going to sit around here and do this job, and I'm going to really slave over this and make hardly any progress, where I can just move on and take some more money again and get more support?”
The board may have the same view also. “This person's a little difficult to work with. Maybe we can just get somebody else. Let's just get rid of him and bring someone else in.”
Rachel: You raise essentially a really good point, which is that this isn't a one-and-done. It's not just about fixing CISO leadership. It is also about having the right people and the right knowledge and expertise at board level. It is also a conversation about talent and how we sort of get more folks into the pipeline and up through the pipeline. It is also a broader and complicated discussion about what effective risk management looks like in cyberspace.It's not just about fixing CISO leadership. It is also about having the right people and the right knowledge and expertise at board level. It is also a conversation about talent and how we sort of get more folks into the pipeline… Click To Tweet
It's finding ways to unravel all of those four things and fight the good fight on all four fronts, if you like. One without the other three is not going to bring us a sustainable solution to an area of business, which is just getting more important all the time.
With respect to it being more and more important all the time, and this podcast is substantially about risks, what are the risks that these companies that aren't going to bring in a qualified CISO, or aren't willing to implement their recommendations, or bringing in the CISO who isn't qualified putting themselves under?
Richard: I think fundamentally, if you're talking about what we'd call a bad CISO hire, effectively, and that leads to a number of costs and risks, I would say. Just to sort of qualify that a little bit, when we say a bad CISO hire, we don't necessarily mean that the people are with bad intentions, but it just hasn't worked out for the company. What we would say is a bad CISO would leave the organization in a slightly worse state or a worse state than when they found it relative to how the industry has moved on.
It doesn't mean they haven't made any progress, but they haven't made progress at a quick enough pace just to keep up. We sort of look at those types of scenarios and there's clearly the cost of the bad high financially, which we estimate to be at least $10 million for a typical enterprise or organization.
That includes the cost of the CISO for a period of time, but it also significantly includes projects, which either get stopped by the new CISO before they've delivered value or get started because they have wanted to introduce some new stuff that they'd worked with before and maybe those don't even see to fruition after they left. We estimate that to be about 25% of the actual security budget per year being wasted.
There's a financial cost for this. There's a huge cost on the team that sits underneath that who typically we don't see as much churn with. We do see that it is certainly different to other departments because security is still a huge supply-and-demand issue, but we don't see the same level of churn at the next level down the director level, typically within businesses.
For them, it is quite destabilizing. We know a lot of those level directors and companies who've had three, four, five different CISOs in as many years and that is just crazy. Different priorities every year, can't finish everything off, turning right then turning left, it's just very turbulent for them. That's another cause.
Rachel mentioned earlier, but there is an opportunity cost as well with all of this churn, which is we see cybersecurity as a differentiator these days. If you do it well, not only do you protect yourself, but you have better capabilities in your procurement processes. When you're building tenders, you are able to demonstrate a high level of maturity, which will support your investments and any investors coming in.
There are lots of things that CISOs and security teams are doing to drive even top-line revenues, whether that includes reselling of security services that they're using, that they've built internally, whether it's working with the marketing teams to exploit data in a more effective way, but without breaking any privacy laws or without risking the data any further.
I'll use an analogy. You don't hire a bodyguard so you can stay at home. You get a good bodyguard and you can go and work in dangerous places. That's the sort of analogy we've been using for doing well. This can be a really good thing.
Almost if you have a good cyber security team, you could take a little bit more business risk than you might otherwise be able to.
Richard: Absolutely, 100%. From a risk point of view, I think if you consider that the churn is causing companies to be spinning the wheels for much of the time and from our research, we felt that the typical company that had this problem was spinning the wheels for two out of every three years. They're effectively going backwards in that time while the industry is moving forwards.
It's only a matter of time before this is laid bare in some significant ways, particularly with the regulation coming around. Openness of reporting and so on, we're just going to see this problem laid bare.
Rachel: It's the ultimate asymmetry. You have companies that are kind of either standing still, or spinning round in circles, or going backwards in the worst instances, but the bad guys are charging ahead full force. It's kind of the ultimate asymmetric threat really. We're not making it easier for ourselves. We're making it easier for them. Why it's just so critical to get this right is there isn't a minute to spare.
How long do you guys see before things start to stabilize in terms of the right people that can be at the right companies affecting change, meeting the growing threats, communicating well with the board, salary stability, a 10-year stability. How long do you say from now until that happens?
Richard: I'll go first, Rachel, if you don't mind. If—there’s a big if in front of this—we do all the right things and we've got views on what those right things need to be, including building a new generation of leaders, including educating the boards, including finding creative talent gaps creative ways to fill the talent gap, including companies taking a really pragmatic view to risk management, and developing a toolkit so that everyone can speak the same language and knows what good looks like and how to report and all that sort of stuff.
Assuming we do all of those things right, for me, it's at least 10, if not 20 years before we're in a position where the typical enterprise is in a good place.
Rachel: I would agree with that wholeheartedly. We've talked a little bit about the ways in which regulation can be unhelpful as well as helpful, and it remains to be seen sort of where things settle down with the SEC. I think one way in which regulation can be helpful is that it does provide an external jolt to the system. How we then ride that is really important in helping to steer things in the right direction if that's not mixing too many metaphors.
I think how we shorten that timeframe is another way of asking the question. Regulation could be a positive influence on that if it's done well and we respond effectively. Then development from the bad guys. It feels like the pressure is on as much as it should be internally now. I think we do also have to look externally at whether it's regulators or advisers who might just help to quicken our pace slightly. I think Richard's right. We're in this for the long haul. It's a marathon, not a sprint, if you might put it that way.
For someone who's maybe at a director level and seeing this as an opportunity of, since this isn't a one-year or two-year, it's all going to be solved. This could be a career goal, a legitimate viable career opportunity for someone that they think can get themselves in a position over the next five years where they could take on that role. What sort of things should they be looking at in growing their skillset to be able to advance into this role?
Rachel: I would really encourage anybody who's in that position and sort of looking upwards and considering their options to think about the stuff which is around communications and leading through influence.
Some pejoratively call the soft skills, which actually are some of the hardest skills and some of the most critical in a business environment. It's about rounding yourself off as a leader, in particular as a business leader, understanding how you communicate effectively with people who don't do what you do for a job, have a different set of priorities to you, and after all in many cases, often competing priorities for this particular profession.
I think those are the areas that are most important and there's a reason why we put communications as item number one on the agenda in this paper because, if you can't communicate, you can't really do anything else. As one of our interviewees told us—I think it was a chief technology officer—he said, “You can fight as many hackers blindfolded with one arm tied behind your back as you like, but if you can't communicate to the board why cybersecurity matters, you can't get the budget you need, you can't get the investment you need, and you can't do your job.”
I think for CISOs, those are the types of skills that I would be looking to invest in if that were my career path.
Richard: I think in the reports, we go into quite a bit of detail around what are the habits of highly successful CISOs and drill into those quite a bit with recommendations both for organizations and also for individuals of what they can do to improve the chances of success, if you like.
As we wrap up here, we've referred to the “report” a number of times. Where can people find the report?
Richard: They can find it on our website, which is www.savanti.co.uk. We can put it in the notes for you to find it. It'll be under thought leadership, but there's a nice big banner to it on our home page right now. This is the first of four that we're doing. The research that we embarked on actually gave us so much more data than we were able to put into one report.
The first one sort of outlines the, outlines the problem and the perfect storm and then goes into details of what a good CISO looks like, effectively, and what their characteristics are. The second piece will be going into effective board governance of cyber, as Rachel alluded to. Then third and fourth piece, we'll be looking at both the creative solutions to bridge the talent gap and also what does a toolkit look like or what does a toolkit need to look like so that CISOs and boards can speak the same language and really sort of catalyzed that whole communications process and effectiveness and so on.
It sounds like an incredible series that sounds like a lot of those things will apply outside of cybersecurity and CISO, but any department that may have communication issues with the board.
Rachel: It's really an interesting observation, actually. I've spent a lot of the last 20 years working with the folks who head up physical security within corporations, and it was fascinating to me coming into this part of the security organization and finding that actually many of the challenges that CISOs are struggling with are things that I have seen Chief Security Officers on the physical security side of things. I think your observation is really smart and there's much to learn for those who have a technical leadership role within an organization beyond just CISOs to take from the work we're doing, I hope.
Any final thoughts before we close out here?
Rachel: Just one thing, really, which is to encourage folks to take a look at the paper. We would love feedback. What we're trying to do with this work, as well as put great ideas out there that can have some practical impact is also build a community of CIOs, CTOs, and others who want to be part of the solution for our industry.
If you've got feedback, if you'd like to be interviewed for our next piece, if you think there's a piece that we should be writing that we haven't mentioned, get in touch. The best way to do that is [email protected]. Join our community and get involved.
Can people reach out to both of you on LinkedIn, if that's more convenient for them?
We will make sure to include links to your LinkedIn accounts.
Richard: That's right.
Richard, any final thoughts from you?
Richard: For me, this problem isn't going away anytime soon and without wanting to start preaching around how we fix this at grassroots level and in the schooling kind of arena, we do definitely need more support from the education community to push this forward. We would love to see business schools talking about cyber, and teaching cyber, and how to effectively manage cyber risk in business courses, not necessarily MBAs.We do definitely need more support from the education community to push this forward. We would love to see business schools talking about cyber, and teaching cyber, and how to effectively manage cyber risk in business courses, not… Click To Tweet
Likewise, we would also like to see more CISOs doing business courses. If you're an aspiring CISO, listen to this, or a business school thinking about your next MBA content or next business course content, then we'd love you to help us with this problem.
Those are a great start to addressing the issue. Richard and Rachel, thank you so much for coming on the Easy Prey Podcast today.
Richard: It's great. Thanks for having us, Chris.
Rachel: Thanks, Chris.