Afternoon Cyber Tea with Ann Johnson 11.29.22
Ep 64 | 11.29.22

Evolution of the CISO

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea," where we connect with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for executives and other key security stakeholders. I'm Ann Johnson, and today we are going to discuss the role of the chief information security officer and how it's evolved for almost 30 years since its initial inception.

Ann Johnson: And I'm joined by my longtime friend and colleague Charles Blauner, who is currently an operating partner and CISO-in-residence at company-building venture group Team8. Charles is also the president of strategic advisory firm Cyber Aegis and an advisory board member for vArmour, Cyware and many more high-impact companies. Many of you know Charles. He is an internationally recognized expert on cyber resilience, information security risk management and data privacy. Charles has had an incredible and prominent career in cybersecurity, including being a CISO and information security leader at many companies, including JPMorgan Chase, Deutsche Bank and Citibank. Welcome to "Afternoon Cyber Tea," Charles. 

Charles Blauner: Oh, thank you, Ann. I'm almost slightly embarrassed to have heard all of that. Either that or I'm just feeling a little bit older. But I do really appreciate the conversation today, and thank you for the invitation. 

Ann Johnson: Yeah, I - you know, Charles, when I hear my bio these days, I actually have the latter thought. I'm like, oh, wow, I must be old if I've done all that. So it's just the reality of our stage of career, shall we say. 

Charles Blauner: Yes. No, and I'm quite appreciative of the journey, so I should just accept it and be happy with it. 

Ann Johnson: You know, I think you're a bit like me. I always try to pride myself on being a lifelong learner. And it feels like you are the same, based on the conversations that we've had over the years. 

Charles Blauner: One of the things I always told my team when I used to work was to think about every day as sort of a new challenge and get up every day thinking about what you can do better today than yesterday. And the reality is that our adversaries are constantly learning and constantly getting better. And if at one moment in time, you're the best in the world and you stop learning, you're not too far away from being the worst in the world within a very short amount of time because it's just changing. So it's just innate in the kind of job we've had, environment we've lived in - constant learning is a survival skill. 

Ann Johnson: I think that's a really great way to put it, and I'll make this last comment before we get into actually the heart of the podcast - is - in cyber, you're forced to be a lifelong learner. So it's something that I enjoy. But I suspect people who are driven to this career are also folks that have this innate ability to be a lifelong learner, and it's something that they're trying to achieve. 

Charles Blauner: I'd agree. I mean, it's not an easy career, especially as you start thinking about becoming a CISO. It's not an easy job to have. So you're going to only do it well if you've got a passion for it, which means you're going to have that passion, in this particular case, to continuously be learning. And I think part of that is also - we've also been a very tight community. I'm very proud of being part of a CISO community and things - been very supportive of each other. And so it's not just learning, like, in the book sense and reading. Mostly constantly learning from each other, which, again, sort of brings us back to this afternoon because we have to be constantly learning from each other in a very broad sense. 

Ann Johnson: We do have to constantly be learning. And, you know, CISOs have this - today, it's like a different role, right? You have all these responsibilities. You own the company security strategy, you own the operations, you own risk. You're constantly thinking about assessing and resolving known vulnerabilities and, by the way, unknown vulnerabilities. You're keeping pace with new technologies. You're doing readouts to senior leaders and the board of directors, et cetera. And I know the CISO role actually didn't start off this way. It was much more narrowly defined, and it's dramatically evolved - one of the most dramatic evolutions actually in a role that I've witnessed. So I know you were in the industry when the CISO role first came to be. Can you share with us some of the history and the evolution of the role from your perspective? 

Charles Blauner: Sure. So in a lot of ways, Steve Katz, who's a good friend of both of ours, became the first CISO in 1995. Citibank, back then, had an event in 1994 - a young Russian broke in, stole a bunch of money. And there was this realization that this is a business issue. And so I had actually been working for Steve. He was my boss at JPMorgan. He left to go to Citi to become the first CISO in 1995. And I joined him together with others like Rhonda MacLean, Bank of America, and I was at JPMorgan shortly thereafter. But back then, it was not a business function. Back then, the idea of the CISO's job was basically keep off the front page of The Wall Street Journal, The New York Times, stay out of trouble with the regulator. And you had a very sort of narrow focus that was really about protecting the data, especially in banking, because of things like the Gramm-Leach-Bliley Act, which was one of the first times the word customer privacy came up in U.S. law. 

Charles Blauner: So you had this very narrow function. It was basically keep out of trouble. And if you were lucky, in banks once a year, you met with the board for about five minutes. It was the law, and that was good. And if you were lucky, you might get a really tough question about one of the board members' personal credit cards. But the world changed, and over time, we started to really think about this as a risk management discipline. And instead of just thinking in a black and white world and keeping out of trouble, it became much more nuanced. And we really started to think about risk tolerance. 

Charles Blauner: And what the CISO became was a risk manager. And today, more often, the CISO is talking to the board on a regular basis. In many industries, you will have had a board-approved risk tolerance statement or two that is built on cybersecurity, information security. And it's become a regular conversation. And if you're lucky enough, you'll have one or two board members that know the space, and you'll get real good questions during that conversation. And so it really has evolved to being a risk manager role. And it has evolved to the role where the board knows you now. But there are a few challenges in the evolution. There's one challenge around the scope of the job, and that is over years, sort of information security morphed into cybersecurity. And while they're related and similar, at least in my personal opinion, they're not the same. And the scary part is that CISOs will often be held accountable for aspects of cybersecurity, for example, things like technology resilience or the execution of patch management, for which in an organization, they're not actually the responsible party to actually do the job. 

Charles Blauner: And so what used to be a tight alignment between the CISO's accountability and responsibility has actually drifted where they're not completely aligned anymore. And I think that's a challenge. In more modern organizations, we're overcoming that, and a lot of organizations we haven't yet. But in the long run, I think for a CISO to really be successful, you have to take, actually, two more steps. You have to evolve from being a risk manager to really - to be a business enabler, all right? It's good to help the company manage risk and allocate its security resources to protect it in the best possible way. And that's critical for being a successful CISO. But if you wanted to be a great CISO, think about the great CISO who can sit down with his business partners and say, if you're in a consumer-oriented business, let's say, I can improve net promoter score by 10%. Or if you're in a data-oriented business, I can help you unlock the financial value of data that historically, because of regulatory reasons or privacy reasons, you may not have been able to monetize before. And so that kind of conversation changes the value proposition a CISO is bringing to the organization. 

Charles Blauner: The other dimensional change, I think, that's really necessary - and I think you have to give a lot of credit to the Bank of England for this - is I think we have to think about moving from just sort of the technical aspects around security and really being more of an operational resiliency framework to this. And that's not too different from what we've historically thought about as CISOs and security people. But where it is different is the lens that you place on it. And now you're placing a lens on it where you're thinking about your key business processes as the first question and then understanding, what are the security issues? What are the resiliency issues, etc. aligned to each of those key business processes? And if you make that step, again, similar to being a business enabler, now you're completely in the ballpark of the business, the C-suite. And if you become that business enabler, if you're thinking about operational resiliency of the company, it becomes very natural for the C-suite and the CEO to think of you as part of that core team. And in the end, I think that's where the CISO needs to be. And that's sort of the happy place from an evolutionary perspective. 

Ann Johnson: I think that that's really good perspective. And I heard your reference to the Bank of England, who introduced operational resilience guides - I don't know - four or five years ago that actually a CISO at a bank in London gave me to read at the time, just to get, you know, more familiar with the topic. And this was on the heels of Maersk - right? - having an outage, which, of course - again, that event changed the landscape for CISOs. So as you think about - and I know there's things you can't talk about, right? But as you think about - you're in the thick of the CISO evolution at JPMorgan Chase, at Deutsche Bank, at Citibank. What were some of the key paradigm shifts you saw? And in addition to what you've talked about, what were some of the surprises along the way, those a-ha moments that you said, wow, we could have or should have been thinking about this. Or, wow, I'm surprised this is in my remit. 

Charles Blauner: Well, there's so many potential things there. I mean, from paradigm shifts. I mean, I think there've been a few - and I'll tie them to two sort of primary axes. I mean, one is I think there's been a radical shift in the nature of the threat - right? - where you went from the early days, when it was a bunch of young kids who were getting whistles out of Cracker Jack bottles to hack the telephone system for free dial tone, to sophisticated criminal organizations to nation-state actors and now to a point where you've got actual criminal organizations that are as good, if not better, than a lot of nation-state actors. And so you have one piece of pretty radical change, and then you sort of layer on the various technology changes. I mean, when I started, security was RACF on a mainframe. You didn't even think about firewalls back then. So the first radical change was networks. And then you think about the next radical change, distributed computing. And now cloud - or public cloud is the next thing. And each of those things has driven radical changes in the underlying security technology. 

Charles Blauner: To me, what's - I'm not - and I'm not sure whether this is more interesting or scary as an observation, looking back on it. If you think today with all the change in every dimension in our system and you think today, what are the two problems that we most deal with? And again, this is Charles' personal opinion. It's identity management and vulnerability management. And if I go back to 1974, the very first security product of any scale was an identity management product, RACF. And that just makes me think about - through all the changes that we've gone through, in a lot of ways, we're still dealing with the same fundamental problems. We're just moving them from technology environment to technology environment. 

Charles Blauner: I think to me, the hopeful thing today is - it's only been in the last couple of years, and I don't want to thank criminals for anything ever. But the radical rise in ransomware, for the first time outside of regulated industries, has made security a board-level topic. And I think that's also a tectonic shift, especially for CISOs. And so that's why the last sort of tectonic change, honestly, is still evolving, and that is the personal liability challenges around a CISO and whether that's going to change the relationship - and this we don't know the answer to yet - between CISOs and CEOs and boards of directors. 

Ann Johnson: So let's talk about that for a bit. I know my good friend Bret Arsenault actually spends time with his peers, helping them with those board-level presentations because he's quite adept at it, right? But this isn't something that comes natural to a lot of CISOs. If you think, a lot of CISOs early on - right? - had really technical backgrounds or maybe engineering backgrounds. And there are CISOs I've met recently that came from law enforcement backgrounds. And a lot of these folks aren't - necessarily haven't been trained or equipped with the skills to do a board-level presentation. What is your advice to those type of CISOs - how to best prepare or resources for them to get ready to talk to the board? And what message should they be landing with the board? 

Charles Blauner: Couple of important things in that question, Ann. So the most important thing, the biggest challenge the typical CISO has when they go to the board is they talk to the board as if they're talking to a bunch of CISOs. It's often hard for a person to change the sort of framework that they're operating in. And one of the challenges today for CISOs is, to be successful, you've actually got to be able to operate in a lot of different personas. And when you're talking to the board, you have to understand the persona and the language that they use. If you, as a CISO, go talk to the board about encryption or key management or authentication, you may get one board member - if you're lucky - excited. But most of the boards will either take their phones out, or their heads will tilt backwards as they take a nap. They don't get that. It's not their framework. So you have to understand the framework of how your board speaks. If you're talking to a public board, they have a risk management oversight accountability for that company. And so the framework you should be talking to them about is risk management and risk tolerance. 

Charles Blauner: So, for example, if you are custodial of data, you should be talking to them about, are you in or out of the company's risk tolerance around protecting customer data? And if you're not, you can talk to them about why and what you're going to do to fix it. But you shouldn't start with a technical conversation. And that's true for any audience that you're talking to. And that's the challenge for a lot of folks. If you've come from - I grew up really technical, and the first couple of times I talked to a board, I learned really hard that the words I was using they didn't understand. And so very quickly, I sat down with my CEO and said, help me understand how they think about things. And it changed the way I spoke to them. 

Charles Blauner: So one good thing for CISOs to really think about as a survival tactic is find a friendly board member, right? There's someone on your board that has either got an interest in your space, more or less. Seek that person out, and use it as an opportunity, A, to educate that board person and get an advocate on the board but also to learn, if you aren't there already, how does the board think? What do they really want from you? They don't want detailed metrics. They want to understand risk. They want to understand that you understand the risk and that you've got it covered. 

Charles Blauner: And that's towards the last part of your question, Ann, which is what do they really want to hear in the end? This is Charles' personal view. Boards really want to hear sort of three things. They all want to understand what you're - where we are within our risk tolerances, and if you're not, why? They want to - and whether you believe it or not, they want to have a sense of what the threat landscape looks like. Boards really do want to understand about the stuff that they're reading in newspapers happening to other companies and how you're learning about it and how that impacts your company and your industry and the ecosystem that you're a part of. So helping the boards understand the threat landscape is what's probably the second most important thing. And then helping them understand the big pieces of your strategy for how you're protecting the firm and where you are in execution of that strategy. You can't get into that detail level with a board. You'd never have that much time. But you want to give them the key snippets and help them understand. Like, for today, as an example, you just probably want to take some time out of a board meeting and talk about how you're thinking about supply chain risk and how you're going to manage the security aspects of supply chain risk. 

Ann Johnson: Which I think is incredibly important. And, you know, we - it's not a joke, but we use it as a meme in the industry that your board wants to keep you off the front page of The Wall Street Journal, right? That's the most important thing to them. And you just validated that things that are in the news, they want to make sure that - it may not be just about keeping you off the front page of the paper, but make sure your organization is protected from it because that's their only basis. They're not security folks, right? They just read the paper. They see an event, and they're like, hey, are we protected for this? It's a reasonable - it's a very reasonable question. 

Charles Blauner: Yeah. No, I mean, being close to the board is just like everything in life - there are good things and bad things, right? The good things is being close to your board is really important because culture often starts top down in an organization, and you want the board on your side with respect to a risk management culture, right? But being close to the board also has its bad sides because every time something shows up in The Wall Street Journal, most CISOs are getting emails from a whole bunch of their different board members saying, what is this? Does this matter? Does it impact us? And so every time something shows up in the press, it takes time out of a CISO's day responding to just random emails and calls from board members. And so that's always been the thing. 

Charles Blauner: And to the point about sort of keep me out of the press - it's less about the press directly, but it's more that when you're in the press, something bad has happened. Your customers' data has been disclosed, and that's never good. Or critical business operations didn't get delivered, or services didn't get delivered, and that's never good. And that's really what they want to avoid. The press is the secondary outcome of it. It's sort of the external sort of flashing red light. But it's the data, it's the services, that in the end they want to make sure have the right protections. 

Ann Johnson: Yeah, and I think that's what's important. It's not that your board is hyperfocused on, hey, this is in the press. They're hyperfocused on, do we have the right controls to make sure that our customer data or our business operations aren't impacted? And I think that's the positive way to look at that. And I do think that building a relationship with your board and having a regular cadence with them and giving them regular updates will make those conversations - give you an opportunity to educate the board - right? - and to give them the information they need so they have a level of comfort in your security program all up. 

Charles Blauner: Yeah. No, I think that's exactly right because it is incredibly valuable, and in the end, the point of every conversation between the CISO and the board members, whether it's one-on-one or in a full committee or a full board, is to give them comfort that you know what the risks are and that you're managing them, right? What boards hate, what management teams hate, are surprises, unexpected outcomes. And so you want to give them that calm sense that you understand the risks. 

Charles Blauner: I think it's very important, though, for a CISO to balance that message because there's a big difference between a CISO going into the board and saying, listen; I've got it under control. I understand what the risks are, and we're managing the risks appropriate to the business' risk tolerances. That's a good statement to make. It's another statement for a CISO to go into the board and say, I've got this under control. The bad guys aren't going to get in. You don't have anything to worry about. That's a self-defeating statement because - the thing I always told my board was, I'm going to build the best security program I can, and I'm going to do everything I can to manage us within the risk tolerances which you, the board, have approved, but I'm never going to promise you that the bad guy is not going to get in. I'm going to guarantee you that, at some point, the bad guys are going to get in. And what you need to be counting on me to be able to do is to detect that bad guy and manage the event before my customer data is harmed or before my operational environment is harmed. That's what success looks like. 

Charles Blauner: The bad guy getting in shouldn't be - our side, viewed as a defeat because that's an impossible goal to attain. And so you want to give them assurances, but you don't want to give them a false sense of comfort. And that's a tricky balance line for CISOs to play. 

Ann Johnson: Yeah. One last comment on the board, and then I want to move to a couple of other things. The one thing that I know boards understand is risk. So if you can frame your cyber - yeah, frame your cyber program and comments in the terms of risk, it's going to be easier for them to understand. 

Charles Blauner: Yeah, absolutely. And in banks, it was easier for it to start that way because regulators made you think that way. And because bank boards - the business of being a bank is managing financial risk. And so it was their lingua franca to begin with. If you were in a consumer packaged goods company, it wasn't the board's sort of basic language to begin with. So boards are learning that language. And you've got to help them along that journey. 

Ann Johnson: Exactly. Let's talk about how cybersecurity and CISOs are now really central to business operations, right? Long ago - and I used to say, you know, companies spend more on their coffee budget than they spend on their cybersecurity budget. But that's not actually true any longer. And security isn't an afterthought any longer. It's actually central to business operations. So what advice do you have to CISOs who need to make that transition from being viewed as a blocker to really being viewed as an enabling business partner? 

Charles Blauner: So the most important thing, I think, for CISOs is to really understand the core of how your company makes money. That will drive everything. How a bank makes money - one thing, actually, how a bank makes money is lots of different things. How a pharmaceutical company makes money, how a consumer packaged goods company makes money - you really need to understand how your company makes money, right? And you need to understand the key sort of business processes that support that. And so I think that's the first piece of it that you have to do. 

Charles Blauner: The other thing is, with the sort of digital transformation that's underway - to a greater or lesser degree, depending on what industries you are in - that digital transformation creates an opportunity. And risks sort of appear about, how you do the business in this new, digital world? And how do you take the, maybe, non-technical business controls that may have existed? And how do you make those things happen in as frictionless a way as possible but still in a controlled way as possible in the new business world? So that's one piece of it. I think the other piece of it is - I mean, you made an interesting comment, Ann, when you were asking the question about sort of saying no. For years, I always told my BISOs - these were my business information security officers - that you never start out answering a question from a business with no. It's either yes, maybe, let's think about a good way to do it. Or maybe at the end of the question, you wind up at no. But you never start with no. So you have to have a change of mindset. 

Charles Blauner: But you also have to have a change of mindset to seek out opportunities where the kinds of things that security technologies can do, as you're doing a digital transformation of your company, that those technologies can actually facilitate better business. So like, today, my favorite example of this is in any B to C business that's out there. And you are moving from some, let's say, old-fashioned way of communicating with your customers, maybe a brick-and-mortar way of communicating with your customers, to a pure web channel-based way. So you're changing the way you interact with your customers. But the not-so-good CISO, who's not thinking about enabling the business, is going to help his business build a digital transformation with user IDs and passwords, which we all know are not very secure, which we all know have been the state of the world for 50 years and we all know that, in the long run, our customers hate. 

Charles Blauner: Now, the business-attuned CISO might say, hey, if we're changing the way we interact with our customers, let's forget all this old technology. Let's go to a purely passwordless way of interacting with our technology - with our customers. And by the way, we'll improve our net promoter scores. We'll decrease abandoned cart rates. And no one has to know we'll be more secure and have lower fraud, but you can have a conversation about fewer abandoned carts and net promoter scores. And that's a completely business-attuned conversation that's all driven by the digital transformation opportunities that companies are going through. 

Ann Johnson: And I think that, you know, I often say to my team, the answer isn't no. The answer is - how? - which is very similar to what you said. And at the end, maybe the answer has to be no. But at least explore. Try to understand. And try to find a compromise. And try to do the thing that's being asked of you to do. And if it just can't - is impossible, then at least you've made an effort, a sincere effort, with the person who's asking it, right? 

Charles Blauner: So - and that gets - and we get to an interesting sort of conversation, Ann, 'cause when it gets to be impossible, you get to an interesting decision point because the answer is it's impossible to do it securely. And then you make the decision - the business decision - do you do it anyway, right? 

Charles Blauner: And this is where, I think, CISOs don't always have a good governance process around them for how you make risk-exception decisions. It's going to be completely legitimate sometimes for the security folks and the business folks to say, hey, there's no way to do this, and the business to say, I've got to do it anyway, all right? And so that gets to be an interesting conversation. And the most important part when you get to that no conversation is how do you document the decision-making process around no? Because at the end, at some point, you may wind up going to the CEO or the chief risk officer and say, we disagree; which way do you want to go forward? Because in the end, remember, CISOs don't make decisions. CISOs make recommendations. CEOs make decisions. Someone who owns a P&L, someone who owns a customer, makes a decision. 

Ann Johnson: That's exactly right. And I think that - you know, I'll use an analogy, and then we'll move to a couple other things. I had a lawyer I worked with in a past work life, and what I loved about him is he would talk about over-lawyering, and - but he would always say to me, Ann, that's a business decision. Here's my recommendation. He never hesitated. You know, if it was a hard legal fact, he would deal with that. But 90% of the time, he'd throw me back a recommendation and say, your call - business decision. 

Charles Blauner: Exactly right, and... 

Ann Johnson: And that's kind of, yeah, how I think about the role of the CISO, too. 

Charles Blauner: There's an interesting interplay here because when it comes to risk, it's a business decision. Risk is shades of gray. Sometimes - and using the example you were using with your lawyer - there are decisions that are just cut and dried. You have sort of - in a lot of corporate cultures, sort of this related paradigm where a lot of corporate cultures are based on sort of a security approach where some amount of risk is acceptable. And then you have a series of corporate cultures that have a safety orientation where zero risk is acceptable. Think about the cultures of the airlines where you're talking about decisions about keeping an airplane in the air, or in a hospital and you're talking about decisions that are keeping some sort of technology-driven, life-sustaining equipment going. And this actually becomes another interesting challenge for CISOs, in general, is understanding the sort of culture you're in to understand sort of, like, how you sort of have to balance those things. 

Ann Johnson: So CISOs have a lot to contend with today. There's a lot of burnout. There's a lot of changing your role. What's your advice for someone newly stepping into the role? If you had to give them an initial three-, six-, 12-month road map for a new CISO, what would that be? 

Charles Blauner: Well, I can take that question on a personal level or on a corporate level. I'm going to choose to take that personal because of the way you started the question. What's probably the most important thing for a new CISO - and I think this is true for a CISO no matter how new or long you've been in the role - is the network. CISOs do a very difficult but - and also very unique job. And it's often difficult for people who haven't been in this space to understand what we go through. And so building a network, finding a network that you can be a part of is really critical as a survival thing because, if nothing else, they can give you guidance around things that you need for your corporate life. But if nothing else, they can be a set of free therapists that you need. And whether you believe in therapy or not and whatever method of therapy you choose, every CISO needs a therapist. Most good CISO consultants spend most of their time actually being therapists for the CISOs that they're consulting with. 

Charles Blauner: So three months, build a network. Six months, understand how your business makes money, right? If you're new in a company, if you were a senior person in Industry X and you are getting your first CISO job in Industry Y, part of your six-month goal - understand how your business makes money. And then your 12-month goal, have a defined and articulated strategy that you can sell upwards and downwards. That's something you have to work on from - along that entire time. But you're not ready - if you're publishing a strategy after you've been someplace for three months, your strategy is not grounded in anything, other than maybe some outsider's perspective of what your strategy should be. So build a network, learn how you make money, define a strategy. How's that for three, six, 12 months? 

Ann Johnson: I think that's really good, solid advice because it's something that's tangible, practical, but you didn't give them 50 steps. You told them a few things to do that are really important. 

Charles Blauner: Yeah, they'll have a thousand tiny things to do just dealing with day-to-day work. The one thing about a CISO's job is if you think you can get through a week exactly the way you planned it on Monday morning, you're either insanely lucky or you're slightly delusional or maybe a lot delusional. 

Charles Blauner: One of the things I loved about being a CISO - all the - I mean, I was a CISO almost nonstop for 22 years when I retired. It's hard to do something that long. But one of the things about being a CISO is every day is different. I mean, that's part of what's so exciting about it. It's part of what's so incredible about it, and it's part of what's so difficult about it. But one thing you better get used to - if you are stepping into being a CISO for the first time, one thing I would say is get used to unpredictability. Get used to the fact that your life and your schedule are not in your control anymore. When I first became a CISO, we didn't have cellphones. But I joke today that when I retired as a CISO, it was the first time in 22 years I got to turn my cellphone off. It's a challenge. Build a network. Get some therapists. 

Ann Johnson: I think that's really important. I think the network is important because burnout is high. And your friends, that network - whatever that form takes, it's going to help you with that burnout. It's also going to help you understand you're not alone, right? The challenges you have are the challenges that your other CISO peers have, and talking to them is going to go a long way. 

Charles Blauner: Yeah. And there's so many opportunities. I mean, industries form networks. Cities form networks. I was just in San Francisco this week. FBI, Secret Service run a network of, like, hundreds of folks out in the Bay Area. Different private equity companies run networks for the CISOs of the companies that they have. Venture capitalists run networks. I mean, there's so many opportunities for CISOs to jump into a network that if you're not part of a network, that's honestly your own fault today. There is nothing that prevents you from getting connected to networks because there's so many opportunities for them. I agree, Ann. It is so critical for people. 

Ann Johnson: Thank you, Charles. Thanks for your thoughtfulness. And I know you're busy. You have a lot going on. So thanks for joining. But can you share a bit with our listeners on what you're working on right now? What projects are top of mind? 

Charles Blauner: Most of what I do right now is spending time with so many different startups. I get to work, I think, today with 14 different early-stage startups and helping them sort of come to market. I think that the thing that comes top of mind for CISOs to sort of think about is we always talk about ourselves as sort of being risk managers. But a lot of CISOs have traditionally sort of been very conservative. I think if there's one lesson the last couple of years has taught us, it's we don't need to be as conservative as we think we needed to be and still survive. I think I would tell all of us to be a little bit open to taking risk in a managed way. And then the last thing I would say for CISOs - it's good to take risks. Just protect yourselves from a personal liability perspective. The world has gotten very strange in the last year. 

Ann Johnson: There's absolutely no doubt about that. And I want to thank you for sharing your incredible insights. We also like to send our listeners off with one or two key takeaways about how you think we can overcome the challenges the industry is facing right now and why you're hopeful about the future of cybersecurity. 

Charles Blauner: So I'm hopeful about the future of cybersecurity because one of the great things about doing what I do with early-stage companies is there are so many smart people thinking about these problems in so many innovative ways. And the energy that that community brings, I think, is a source for me of huge optimism. The other thing that I think I've seen - and I was involved in starting this with the FS-ISAC five years ago. But I think there's more and more realization around the need for collective defense at every level, whether that's corporations being members of ISACs or CISOs being members of networks. I think that sort of push towards collective defense would be the other thing that would be the thing that leaves me with this sense of optimism looking forward. 

Ann Johnson: That's incredible. And I've told you this before. I'm always optimistic because I know that for every - you know, the thousands of attacks that we block versus the one that actually makes the news, and that happens every day. And that's what keeps me optimistic. Thank you again, Charles, for taking the time to join me today. I know you're busy. 

Charles Blauner: Ann, thank you so much for inviting me to spend the time with you today. It was an absolute pleasure. 

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I've known Charles Blauner, and I've been lucky and fortunate to know him for many years. And he always has such incredible insights and high-value details to share with an audience. I was thrilled when he agreed to be on "Afternoon Cyber Tea" and talk about the role of the CISO and talk about the challenges today. It's a fantastic episode, and thank you all for listening.