
Is the role of the CISO adding to the confusion?
Kim Jones: Welcome back to CSO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. Throughout the season, we've been taking the deep conversations out of the conference, or more realistically the conference bar, and have begun tackling complex issues from every conceivable angle.
As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. Today we explore the question, is the role of the CISO adding to the confusion? Let's get into it.
Kim Jones: My first in-house gig as a civilian, after 10 plus years in army intelligence and five years as a consultant, was as Chief Information Security Officer for a financial services company. When I first took the role, it had only formally existed in the market space for five years. Remembering that the only two things in the world I know are A, my wife and [00:01:00] son love me unconditionally,
and B, I can be wrong about absolutely everything else, I sought out mentors in the cyber community who could help me navigate my young career. One of the best pieces of advice I got was to figure out where I wanted to end up at the end of my career road and backward plan to see which path I should start down now to get me there.
In general, cybersecurity folks tend to gravitate to three broad categories of focus. They like playing with leading, if not leading edge technology. They like making money or they like solving problems. Each of these foci has different prerequisites and termination points. Being aware of those prerequisites and termination points helps shape a young professional's progression towards one general career pathway or another.
For instance, if you enjoy technology, you are most likely inclined to pursue a path [00:02:00] into a research and development or R&D role. As most R&D roles require advanced degrees, either going to grad school straight out of college, working for a company that offers tuition assistance, or taking a role that allows you to go to grad school part-time will let you meet the requirements of this career path.
Taking a job that requires a significant amount of time on the road, thus limiting, if not eliminating, your ability to go to grad school, even on a part-time basis, would be antithetical to these goals. If your objective is to make money, then you're looking at either A, inventing a new technology, or B, taking a business leadership role, such as founding your own company or taking a senior consulting partner role in a major firm. For security technologists pursuing this path, working inside a business line and getting an MBA would be more beneficial in the long run than, say, taking a role as a senior penetration tester.[00:03:00]
If you enjoy solving problems, then you are probably most comfortable heading down a path that culminates in sitting in the CISO chair. The prerequisites for such a gig include? Well, honestly, nothing, and therein lies at least part of the problem. The CISO is the senior executive who oversees an organization's information, cyber, and technology security.
Most of us can agree on this definition and can get our organizations to agree as well. That said, we still seem to collectively struggle with most other relevant portions of the CISO gig, so much so that the job description is vague and amorphous on even the best of days. Consider: one, while the definition above identifies the CISO as a senior executive, which is usually at vice president or above, [00:04:00] in many organizations the role is assigned to a director or even a senior manager within the organization.
This can limit the ability of CISOs to influence affairs within their remit. Additionally, in smaller organizations, sometimes the person actually doing the job is not given the appropriate title, further limiting that person's efficacy in the role. Two, CSO reporting structures are absolutely scattershot.
In some organizations they report to the CEO, and in others to the CIO. Sometimes they report to the chief legal officer or even to the chief financial officer. I've even heard of CISOs reporting to a Chief Medical Officer and a Chief Human Resources Officer. In a few organizations, the CISO role seems to be treated as a necessary evil that organizations must place somewhere, with no idea where. Worse, [00:05:00] depending upon the culture and outlook of the organization, that somewhere may be strategically placed either to aid CISOs in their remit
or to deliberately limit, if not eliminate, their ability to influence outcomes. Three, the scope of responsibilities for a CISO waxes and wanes with the whims of the CEO, usually influenced by the current state of regulatory requirements and trends in liability and risk. Some organizations wish to limit the CISO remit to the tech stack until an event occurs outside of the tech stack that causes harm, such as the ChoicePoint data breach in 2008.
The industry as a whole attempted to address the disconnect within the CISO job description by postulating that there are three types of CISOs: strategic, business, and technical. Unfortunately, or fortunately, depending upon your point of view, as technology has advanced, regulation has [00:06:00] increased and data has become omnipresent.
The fundamental need for any CISO to be equal parts strategist, technician, and business leader has become a stark reality.
There is a strong need to codify what it means to be a CISO as a profession. We already missed the boat to solidify ourselves as senior executives with a normalized reporting structure. The overall lack of systemization within cybersecurity distracts and muddles the profession as a whole, with the lack of standardization in the role of Chief Information Security Officer as the cherry on top of the mountain of confusion.
Standardizing the role of the CISO, even if it's weighted according to the size and complexity of the organization, would do a lot to start reducing the confusion within the profession. We as senior cybersecurity professionals need to do a better job of defining what it means to be a CISO [00:07:00] and what requirements are reasonable to expect of the individual aspiring to the role.
The pathway to the CISO chair should be as clear and explicit as the paths to the R&D or consulting career paths, with equally precise career prerequisites. To paraphrase Lewis Carroll, if you don't know where you wish to go, any road will get you there. However, if you can determine where you want to end up, the road you need to travel to get to your desired endpoint becomes a lot more clear. Ultimately, the real danger of the CISO career pathway remaining undefined is this: in the absence of definition, we run the risk of the CISO scope being absorbed into other roles and the CISO position potentially going the way of the VP of telephony.
My 2 cents.
Kim Jones: [00:08:00] On today's episode, I'm excited to sit down with Pat Ryan. Patty is an OSG like myself, having been a CISO for over 20 years and who has seen the field expand, evolve, and face new challenges.
Today's conversation revolves around examining a CISO's role in asking the question, is the role of the CISO adding to the confusion? Let's get into it.
Kim Jones: While I've gotten to know you and appreciate you and your background, probably most of my audience doesn't, so let's take a few minutes and tell them about Patty, if you would please.
Patty Ryan: I've been in a CSO-level role for about 20 years. Um, I started in IT, but before that I was in sports television. In college, as an economics major, I found my way to IT because it paid, and an intern in sports television did not. And my father was not gonna pay for anything [00:09:00] more. Um, when I was in IT, they were struggling to figure out what to do with me.
Female, non-technical background, operational incentive focus. Very eager to learn, very aggressive when it comes to pushing things forward. Very partnering. Uh, I did not fit the traditional business analyst role. I didn't fit an intern role. They didn't know what to do with me. So after about 15 years in IT, I had a boss who walked into my office on a Monday morning, mid eight o'clock.
He said, Patty, you're gonna be the chief information security officer. They'll be named at nine, and here's the 20th of my people that report to you. I said, that's great, Barry. I could spell Chief Information Security Officer. I had no idea what the job was.
Kim Jones: They didn't even have to spot you the first word. It's good.
Patty Ryan: Yeah, yeah. And it was 20 years ago, so it was even a newer, nondescript function.
But everyone knew if you were dealing with the US government, if you were dealing with finances, you needed a CISO. [00:10:00] And then it became a, well, what is that role? And it was totally driven by the organization. It's still, to a certain extent, like you said, flexible.
Kim Jones: That's one word for it. So I believe the studies are saying that the average tenure for a CISO right now is two years, maybe two to three years. I am, and I've also done a lot of CISO rotation in that regard, but I did that rotation because I was a break-fix CISO.
I like to tell people, my first boss would say, I'm the third CISO you called after you fire the first one, and the second one quits after 30 days after they see how bad the problem is. And there's a lot of truth to that. Um, but I'm a little unusual in that, you know, that break-fix path, yet most of my colleagues, you know, two to three years or three to four years. Why is that?
Why are [00:11:00] we constantly rotating versus, like a lot of other business people, why aren't we sticking around?
Patty Ryan: It is funny 'cause I've been seven years here now and that's the longest I've been in most. I know that paradigm. It's always as if the first year, you're the shiny penny. Everyone loves your elevator speech. You could do these budgets, you could do all this stuff, but the gloss and the shininess melts away when you don't magically make things disappear, or you're constantly trying to explain to executives who maybe don't appreciate the nuances of the subtleties or just how big the role is.
Kim Jones: Okay, so, so let me push a little bit on that, and this is me playing devil's advocate, not disagreeing with you in terms of depth and breadth and impact to the business and the organization, et cetera. There is an argument that says that about 80% of what you just said applies to CIOs in the environment as [00:12:00] well, and they're not rotating as often.
What's the diff?
Patty Ryan: I think it's a partnership. It also responds for privacy heads and lawyers and business heads. Um, I think because most of the world considers it to be still in the hands of the CIO only, yes, the CIO kind of gets morphed into this, must also understand all about security, but that's not the only thing.
How many SaaS applications happen without IT? That you've got a business going directly to a third party provider and they're not really aware of it.
Kim Jones: So.
Patty Ryan: It's easy to pigeonhole people to say, since it involves a server, it's an IT thing. It's really not anymore because it's how the server's being used and the pervasiveness of the data, how it's flowing.
Kim Jones: Okay. That's true. But I guess what I'm trying to get at, Patty, is the stressors that you mentioned in the cyberspace, you know, are very real. A lot of those stressors our IT brethren have as well. Yet they're not burning out and [00:13:00] popping after every two to three years.
So what's the delta there that's causing us to rotate?
Patty Ryan: Interesting. Uh, if you look at anything that a CIO is battling: cost effectiveness, efficiency, driving the business, and a lot of times they're picking solutions that the mortgage has is immature cloud for yours. If we didn't have the Cloud Security Alliance or things like that, we would still be working with open permissions.
Anything could be accessible to the internet and would be more of a field day. It takes time, for sure. A lot of times the CIOs are dealing with this. Gen AI can change the world. That's wonderful, but how are you going to make sure that it's actionable, secure access? It's supposed to be tested properly, like a normal, mature IT asset. And so I look at it as the idea that the CIO is continually, with the CISOs, trying to [00:14:00] bring the business and the infrastructure along to a point where it's safe to move forward in a specific way. Some of that involves security, but some of that involves availability, true DR, how it could be handled. So it's similar, because what you're dealing with is
cutting edge in a lot of ways. And how do you use the cutting edge when it's not? You have to actually spend the time not implementing, but crafting and designing, and that's stressful if the business is saying they want something to go tomorrow.
Kim Jones: You and I have done this for maybe a day and a half. Um, we've been talking about these problems and these challenges for about a day of that day and a half. I guess my question is, what do we need to do differently to keep us from burning out and, you know, solve the interaction? I mean, there's an argument that says we are a young profession, and that's fair. Um, compared to, you know, uh, one of my guests, you, [00:15:00] you know, Larry Whiteside, one of my guests, talked about the CIOs being pulled up at that level versus us trying to figure out what we want to do, coming up hardscrabble, et cetera.
We're now getting the attention at the board level, but we're still not necessarily prepared for that attention or to respond to it. So I guess what I'm really looking for, Patty, is what are we doing wrong as a profession that isn't preparing our next generation to tackle these problems that you and I have been dealing with for the bulk of the time of the profession?
So what, what can we do better? Talk to
Patty Ryan: I think the, what? Lemme stack up here. I wish we looked at security and staffing and training as not hiring the perfect individual, but hiring talent that's gonna grow over time and can think for [00:16:00] themselves. I think we have done ourselves a disservice. Racing to 20 certifications means that they can get a junior first level job.
We don't have those anymore. People are too scared for people to be human in the security space. Humans genuinely make mistakes.
Kim Jones: Yeah,
Patty Ryan: They're the weakest link and will always be the weakest link, but our profession rushes to perfection, or the assumption that my job is to prevent something from happening.
My job is to minimize the impact and ensure speedy recovery and effective communication if, when, something actually happens. And if we started, as a profession, realizing that all the corporations that just wanna make things go away have to be taught, have to be trained. And that [00:17:00] message, to your point, I don't care if it's client server, cloud, gen AI, it's all the same.
We have to architect and walk with our business partners. The hard fact of the inevitable. Let's make sure we have a plan, acceptable risk levels, crisis management. Let's get organized so that we're worrying in the moment about how to minimize things and not what to do.
Kim Jones: Yeah, I like that. I mean, I remember one of the last larger CSO roles that I took, uh, I was sitting in front of the board and the board said, so you're telling me we're never gonna be breached, right? And I said, no, that's exactly what I'm not telling you. And anyone who sits in my chair who tells you that is lying to you.
I'm gonna make it damnably hard. I'm gonna limit the blast radius and I'm gonna find it as quickly, as efficiently as possible. But anyone who sits here and tells you, no, I'm never going to be breached, is a liar. And we need to understand that.
Patty Ryan: And [00:18:00] also I think there's this whole evolving proof of the value a CISO brings as these KPI metrics.
Kim Jones: Translate that for people who may not understand KPIs like I do.
Patty Ryan: Key performance indicators.
Kim Jones: KPIs.
Patty Ryan: So for me it's a, you know, yes, we do monthly phishing simulation. I don't track the click rate. I'm trying to instead understand what's driving the clicking and how do I minimize the impact to the local endpoint to triage it properly. So what do you do to minimize that? 'cause someone is gonna click.
Kim Jones: Yeah.
Patty Ryan: it just takes one,
Kim Jones: Yeah.
Patty Ryan: In fact, last week I was in some executive meetings and someone challenged me on the, uh, I guess the norm, the acceptable norm for clicking KPIs, you know, success of actually sacrificing your credentials. [00:19:00] I had to kind of talk the person through why, even if I knew, I don't care.
Kim Jones: So how do we get, let me back up and start that question again on my end. So if I were to reflect back on what you just said, it seems like we and the business are looking at the metrics we're asking for at best operationally, if not tactically. We're not thinking about them strategically. We're not thinking about the pieces and parts necessary to be better at what we're doing.
How do we drive that conversation, or have we lost our agency to the point where we
Patty Ryan: We have to. We have no choice. We have to drive it. You have to be stubborn and continue to push it forward because the, uh, the trade off is just too immensely horrible. Um, you know, I think it's really [00:20:00] taking that cyber is risk. Information security is about risk. You would have a conversation with finance about financial risk tolerance.
Kim Jones: Mm-hmm.
Patty Ryan: You have a conversation with legal about risk tolerance. You never have a conversation really around cyber for businesses to understand what's acceptable risk thresholds or not.
This is how best to leverage, or, let me understand long term where you're going so I could build an architecture the same way.
Security. Are we moving to point of care devices? Are we continuing with big analyzers? Are we gonna be working more with third parties to develop ASAs? Are we doing, tell me what we consider the roadmap to be? Where do we wanna be five years from now? So at least I have a framework to tell you, these are the risks you are gonna have to deal with, and let's start discussing it now.
A lot of, I don't know if it's that they [00:21:00] can't formulate that message or their business isn't hearing them and not open to hearing them. But we have a disconnect with the CISOs and executives throughout the world.
Kim Jones: Agreed. Agreed. Okay, so let me shift the conversation a little bit. Um, about, shoot, probably 15 years ago, a former, now late, CSO once wrote an article in CSO Magazine about the three different types of CISOs that are out there. And recently, Forrester just published a report saying that there aren't three different types of CISOs, but there are six different types of CISOs out there.
Do you agree that there are multiple types of CISOs? Why or why not? And if you do agree, or even if you don't agree. Are there certain basic [00:22:00] fundamental characteristics, traits, or to use my favorite phrase, knowledge, skills, and abilities that all CISOs should have if they want to succeed? Talk to me.
Patty Ryan: One, I do think there's gonna be different types of CISOs based on people's personalities. There are people that gravitate to the technical, people gravitate to the operational, people gravitate to the strategic. I don't see the person in the role as being something that needs to be cookie cutter.
I do see the firm needs to have a structure so that everything is still dealt with, whether or not they give it to the title of the CISO or not. There's functions that need to happen in an organization around protection, around risk, and as long as it's covered and there's a harmonious team across, it doesn't necessarily need to be in the CISO.
Kim Jones: So let me, I'm gonna push on that a little bit. I would agree with you, [00:23:00] except for a word called accountability. So my concern is, you're absolutely right. I, you know, the absolute structure, as long as everything is getting done, you know, really doesn't matter. The title doesn't matter. You know, the positioning doesn't necessarily matter, though I do believe you can place these too low in the organization so that you can't impact change.
But the issue gets down to accountability. And accountability is becoming a more visible concern given the one prosecution and the second ongoing litigation here in the US around the role. So the regulations are beginning to hold the CISO's feet to the fire, uh, at least here in the States. And if our feet are gonna get held to the fire, now we have an issue of, well, yeah, I'm just a technical
CISO here, and I've got a technical background and [00:24:00] that's all the company wanted me to do, versus there's, you know, an issue, and I'm gonna take us way back in time. Uh, you remember ChoicePoint, and, you know, one of the arguments by the CISO that was made is that, hey, you know, this was a physical breach in terms of process where the data came in from a request and we didn't validate.
That's not my job. And everyone pointed their fingers in the other directions, and you know as well as I do, that dog just ain't gonna hunt particularly today.
Patty Ryan: No, I hear where you're, I see where you're going with that. And you know, I'm the first one to say, my biggest thing I do is communicate. My job up, down, sideways, is to ensure everyone is fully briefed, especially the executives, on what they need to know and why. My team is focused on where they need to go to support the business.
'cause I understand the business needs and I understand the [00:25:00] strategic imperatives, and I need to be able to communicate formally or informally with anyone. And I do see there are CISOs that are there. To get a really strong technical CISO with that communication overlay has been difficult. Those are a rare breed, and I think that's because a lot of technical executives have never thought to invest in soft skills, but I also think corporations have never allowed them or considered it important.
Your job is, again, in the back, to make sure that something runs appropriately, that there's redundancy and that you make everything work.
Kim Jones: So let me shift gears slightly one more time. Actually, I lied. It'll be more than one, but I'm gonna shift gears at least right now. You mentioned something earlier on called burnout, and, you know, we've been at conferences very recently that have talked about that. I, um. [00:26:00] I admit freely, I am the first person to say I understand the realities of burnout.
I understand that burnout is a real thing. I understand that if we're not careful, it will sneak up on us. So I don't want anyone listening to this podcast to think that I don't believe that burnout is a real thing. That said, I unfortunately have a, you know, different perspective as, you know, someone who's trained as a soldier and spent a lot of time soldiering on different levels of stress, et cetera.
You know, I used to tell people the story of what I was doing in my twenties and saying, you know, nothing I do today compares, you know, in that regard. You know, as my friend used to say, nations don't rise or fall and people don't die based upon what I do today. So [00:27:00] I don't have, and this is me admitting my own fallacy here, I don't have the frame of reference mentally or emotionally to understand the pressures that people are under right now from a burnout standpoint.
Now, not understanding that doesn't mean I don't accept it. What I'm trying to figure out is how the hell do we better prepare people for it? Because I look at the folks coming out saying, this is happening, this is happening, this is happening. And I'm like, that's the gig. You know? That's the gig you signed up for, Patty.
It's the gig I signed up for, Patty. So are we lying to the next generation and telling them that's not the gig, or are we not fully preparing them, or both? I just wanna figure out how to make it better. So talk to me.
Patty Ryan: Uh, and I also think as we get more detective technologies, as we get more configurations, as we get newer technologies and more interconnected, [00:28:00] yes, there's gonna be more stuff happening. A lot of bells and whistles, a lot of noise.
Kim Jones: Shocked. I am. Yes.
Patty Ryan: You know, my biggest thing has been reassessing for myself. 'cause I did burn out. I burned out bad and I had to come back with the idea that if you're gonna stay in this job, which you love,
Kim Jones: And I hope you take no offense at my characterization. We've been, yeah, we,
Patty Ryan: No, no. It's a, what do you love about it?
Kim Jones: Yeah.
Patty Ryan: And I don't love the running around thinking everything's on fire. That's not an effective CSO.
Kim Jones: Agreed.
Patty Ryan: You know, you are trying to temper and really get an understanding of livable, actionable items as well as acceptable risk, and you sleep. And that's, I think, part of the issue.
I had a, so a colleague once told me a story about a CISO [00:29:00] who all of a sudden became obsessed with USB drives and was trying to get, it was about 10 years ago, and
Kim Jones: Okay.
Patty Ryan: Was focusing all the actions and conversations in this firm about USB drives, and it struck me because they were so overwhelmed that that was something they could cling to, to feel they were making some progress and they were addressing some risk.
Kim Jones: It is tangible. I can actually fix this. I can control
Patty Ryan: I can control this. I look at the CSO and say, no, you can't. You have to be accepting of the unknown and that you have no idea what tomorrow's gonna bring, but it's gonna be okay
Kim Jones: Yeah.
Patty Ryan: if you stick with the fundamentals, if you accept the fact that something's gonna happen, if you're prioritizing the work and the communication around that.
And you are also building relationships, good, bad, ugly, [00:30:00] across the firm. That's not about USB, it's about listening. It's about where do you wanna go about, let's have a real conversation about WhatsApp and regulators. Let's just really start getting the facts out. I find when you start to do that, in my role, the stress diminishes 'cause the conversations are different.
They're not angry, they're not reactionary. They're based on fact, and they're actually consistent over time. So it's not a bomb drop in the middle of something.
Kim Jones: Makes sense. What do you say to those? Because, and I'm gonna put my old guy hat on for a minute, it fits rather well these days, but I'm gonna put my old guy hat on for a minute, and I've seen the swing. You and I both lived through the swing where way back in the day we thought that security was just another set of controls to govern, and the focus was governance and assurance in that regard, and that the technology was just a means to an end.
And we went [00:31:00] very, very process oriented and we left the tech in the dust and the bad guys got a bit of a leap on us. So instead of swinging back to the middle, we swung all the way to the end that all you need to know how to do is run the tech. And you can be good at what you're doing. And we have forgotten people and we have forgotten process versus swinging back to the middle.
So the folks that we are attempting to educate right behind us, Patty, who are coming up behind us, grew up in that: all I need to know how to do is the tech. I sat in an ISSA presentation and saw a very senior engineer, you know, supposedly tongue in cheek, talking about, you know, leadership needs to have some pride.
It needs to understand better the technology pieces, et cetera. It's like, well, yeah, I do need to understand the technology pieces. But if this is the way you communicate inside your company, you're not a solution. You are a fricking problem. And, you know, that we stood up in front of a room [00:32:00] full of people in a professional organization and said, this is okay.
So how do we, you know, teach the next generation behind us to stop obsessing over the USB and have conversations with our constituents that we're here to support? Because I am still running into 30 to 40%, and that's a scientific wild-ass guess number, of folks who have come up during that period who think that I am either crazy or I'm just an out of date old guy.
How do we educate them appropriately?
Patty Ryan: Right now, I am taking an effort to do a 360 review of every single one of my team, started with my directs, and it was, you had to find people across the organization. It was not IT centric, and the questions were strategic, high level, about partnership, et cetera. There [00:33:00] was absolutely not one question that was technical.
It was about how do you integrate, how do you operate, how do you partner, and how are you perceived as far as a trusted SME.
Kim Jones: Mm-hmm. I like that.
Patty Ryan: From that it becomes a, here's the action plans. Next week I have some meetings with some executive vice presidents who actually participated. They were giddy, happy to participate.
They wanna talk with me about how they're gonna support members of my team going forward, with the idea of mentoring, opening doors to get them involved in the right conversations. They do believe that they could do that, but that's a conscious effort I've taken. There's no corporate directive, but I've recognized a security team.
It's help. Part of my job is helping them transition
Kim Jones: Yes.
Patty Ryan: them change. I,
Kim Jones: Yes.
Patty Ryan: I can't wait for some magic class somewhere and do I know how I'm really doing it? I'm going by the seat of my [00:34:00] pants, but
Kim Jones: we're all in full MSU mode. We all just make stuff up, you know?
Patty Ryan: And it's respected. I've had junior people come up to me saying, my boss just had a conversation with me about things I, not about jobs, but what types of skills do I like? What do I like? So we could start building those. And I said, yes, because my job didn't exist when I got outta college.
Kim Jones: Mm-hmm.
Patty Ryan: Your job may not, you know, a totally different job may exist in five years
that you fit into. What are the skills you need?
Kim Jones: Yep.
Patty Ryan: And changing that conversation has meant a tremendous amount to take a really stressed out, I-don't-know-what-I'm-doing group of people who are constantly under fire, constantly worrying about things just by their own nature, not necessarily my pressure, but security people tend to be like that.
We tend to worry.
Kim Jones: Hang on. I can do this again. Hang on. You text us, really?[00:35:00]
Patty Ryan: Um, but that again, helps that generation change the perspective on the role. I'm not gonna grade you about how many tickets you answered.
Kim Jones: Mm-hmm.
Patty Ryan: I, I'm assuming you're doing that, your job or else I will have an issue that will be presented to me and we will talk about it. But right now, let's talk about the holistic picture of your skills and what you're trying to do and what security is.
And that's a conversation that many firms are too need to have. And in some cases, it's gonna be a bomb blown into the middle of the HR process.
Kim Jones: So may have asked this before, a little less directly. I'm gonna be direct about this. I got two more questions for you. The first question is three things, three skills that every ciso, regardless of background, position, et cetera. Anyone who is fulfilling that role regardless of title needs to have or develop.[00:36:00]
Patty Ryan: Number one is listening. We don't listen; we come with solutions, and we're supposed to come with solutions, but we don't necessarily authorize questions and sit in the business issues and understand the business problem.
Kim Jones: We're supposed to come with solutions to the right problem, so, but we have to listen to figure out what the problem is.
Patty Ryan: Correct. And that's partnership and listening. And I think the other thing is the soft skills: communication and partnership. Um, solutions come together from cross-functional teams. That sounds very, you know, stupid to some people. "What do you mean? I know what I need to do." No, you don't. You know, um, I also think an appreciation of strategy. A lot of CISOs don't think strategically. They don't, and there is an issue with that.
Kim Jones: Stop being kind. The vast majority of CISOs don't think strategically. The vast majority of CISOs have a [00:37:00] great operating plan that they put the word strategy on, that isn't forward looking. It's just figuring out how to get the next widget.
Patty Ryan: You know, exactly. And that's the two-to-three-year time horizon I've had. I did, um, an ask-me-anything recently, and someone asked me what I would expect if I started in a new role: for the first 90 days, what would your output be? I said, I'd know where the bathroom is.
Kim Jones: Yep.
Patty Ryan: Um, I would've had meetings with all the senior executives to understand existing business plans and strategy.
Kim Jones: Mm-hmm.
Patty Ryan: I would've met with everyone in the security team to understand roles, responsibilities, frustration points, et cetera, and I would've started conversations. I would've started a forum with executive leadership to start some type of security governance that doesn't exist today.
Kim Jones: What is one thing that we haven't talked about that you would like to mention, discuss, or [00:38:00] have my audience hear regarding this issue?
Patty Ryan: One of my concerns right now, kind of relevant, kind of not, is the fact that we as organizations, as CISOs, need to be more tightly connected. I look at the cuts of the federal government and CISO. I look at the reimagining of the federal government, which, good or bad or ugly, it just is.
And that's making the CISOs far more reliant on peers, which again gets back to what information are we sharing? What are their skills? What are we looking at?
And that's gonna be a whole other paradigm shift that's gonna become greater as we look at the geopolitical changes that are happening.
Kim Jones: Yeah, no, I agree completely. You know, for me, to boil down what you said, it's community. And the challenge that we have is, as you said earlier, not only are we not asking those questions, we're not [00:39:00] necessarily recognizing, as a cadre of CISOs, this generation and the next, that those are the questions that we're being paid to ask and that we're being paid to answer. So,
Patty Ryan: Yeah, I agree with you on that one.
Kim Jones: I agree a thousand percent.
Patty, as usual, this has been a blast. I've had so much fun and I really appreciate the perspectives. I hope you have enjoyed yourself as well.
Patty Ryan: A nice way to start the week.
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one.
If you enjoyed today's conversation and are interested in learning more, please visit the CSO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. [00:40:00] Tune in next week for more expert insights and meaningful discussions from CSO Perspectives.
This episode was edited by Ethan Cook, with content strategy provided by myON Plot, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing, sound design, and original music by Elliot Peltzman. I'm Kim Jones, and thank you for listening.