Joseph Carson on lessons he's learned (the hard way) on communications with the board.
Dave Bittner: My guest today is Joseph Carson, chief security scientist and advisory CISO at Thycotic. He joins us to share his story of a boardroom presentation gone wrong and how it served as a wakeup call for how security teams need to communicate and consider their role within the overall organization.
Joseph Carson: So myself and the CISO - I was doing the penetration test myself. And it was with actually - with a power station. And some of the vulnerabilities we were finding were quite significant, at least to our viewpoint. So myself and the CISO - we get down. We discussed about, you know, how we wanted to communicate what things we thought were going to be important for the board to hear. And it was really - one of the major things was - it was the budget review. So the CISO had some plans and goals in order to get certain budget available for upcoming strategic plans and projects and priorities. That was for the following year.
Joseph Carson: So we got together, and we looked through, basically, the vulnerability results. We wanted to align with technologies and solutions that we thought would reduce and mitigate those problems. And we sat down. We basically got together our plan. We went through some of the major items that we had identified. And we put together a presentation. And we communicated quite, you know, strong and how we wanted to approach it. You know, we came to a - an agreed conclusion, and that was pretty much it. And, you know, we'd set out how we wanted to position those items to the board.
Dave Bittner: And how did the board react?
Joseph Carson: Not exactly to our expectation. And we were actually quite shocked. So one of the things was when we did the penetration test itself, we'd find major vulnerabilities, such as things like default passwords. We'd find unpatched systems. We looked at, you know, human errors, supply chain integrity failures. And background checks were not being processed. And when we went to the board and we presented it, we went in, and we were talking about, you know, cybersecurity. We're talking about the human failures and threats and, you know, the increased landscape and looking at other major breaches that had occurred that same year. And we talked about, you know, fear of not doing something. We talked about the importance of the solutions. And we really went in, basically going and talking about how it was important to invest in the security solutions, how it was important to get this budget in order to really make sure we had the right technologies in place.
Joseph Carson: And one became - we presented. And right afterwards, the board, you know, said thank you. You know, we appreciate your time. And, of course, later, you know, after we finished that time, they go off. And they convene to have their discussions privately, and then they come back, and they present back to you whether, you know, you got your accepted budget. So the time passed. And we came back. The board came in and sat down. We were actually quite shocked because the board came back, and they said your budget request has been declined. We deemed the threats and the vulnerabilities that you had raised as low-risk. But we'd like to speak with you privately afterwards.
Joseph Carson: And we were quite shocked. We thought we'd done an amazing job. We thought we'd presented very clearly the threats and very clearly, you know, the issues that you hear in the media and the news. And we thought without a doubt that our plan was going to get the right budget. You know, we were getting attention of the board. The board was listening. And we thought this was the time where we'd really get the reaction and the budget in order to really make the needed improvements for the forthcoming year.
Joseph Carson: Afterwards, the CEO and the CFO came down. And we sat down, having a side meeting to talk about what happened. And I think this was the most important realization, and it was when the CEO had said, your presentation was great. You really conveyed the threat landscape. But there was one major thing missing. You never talked about how you're going to help the business. And they said that, we know how important cybersecurity is. We know how important it is for the business to, you know, improve and invest in the right areas. However, we really need it to work. And that's why we're having this conversation.
Joseph Carson: And for me, it was the best timing because when you get that scenario, and you get a CEO and a CFO coming and being so absolutely direct and honest to you rather than just letting that meeting go and not getting what you needed - we really sat down because they knew the importance, and they really wanted to be successful. And they said to us, you know, when you come in, you presented just like everyone else has presented, you know, on the news and when you hear at these events and all these executive briefings that they've had for - on the cyber threat landscape.
Joseph Carson: But they sat and said, the most important thing that was missing was, how are you helping the business be successful? Every other presentation from the other businesses, whether it be engineering, innovation, support or sales, they came in, and they presented their business plan. And we came in and presented, you know, fear. What we really needed to understand was the return on investment. How are you helping your peers be successful? How are you helping them do their job? How are you helping us reduce the risk of the business? What is the cost of doing something? And what's the cost of doing nothing? What's the gap that we're having? Are we covered with insurance? Do we have the ability to survive if we actually have such an attack that you talked about? We need to be successful. We know how important it is, but we need you to approach this in a different way. It needs to be a business-first approach. And it needs to be based on risk.
Joseph Carson: And there was a big realization. We've set - and actually, you know, when you realize that this is what you needed to hear. This was the CISO getting the wake-up call that how we've been communicating cybersecurity and threats to the executive team and to our peers for years has been the wrong approach. And we really needed - and it was this wake-up call - it was this alarm bell ringing - that we realized that we needed to change our approach.
Dave Bittner: When you look back on that, thinking back knowing what you know now, why do you suppose there was that gap from your side? Were the - the information you were presenting was the business case. Did you consider it to be self-evident? What were you thinking?
Joseph Carson: It was more self-focused. We were focusing on what our needs were, not of what the business needs were. We were focusing on the tools and, you know, the technologies that would help us do our job. But we weren't aligning that with how it was helping our colleagues be successful, the ultimate people who we're actually protecting and making safer. We had not considered their feedback and their input into our needs. And this was the biggest gap. The gap was that we were basically focusing on ourselves as a silo. And what we needed to do to be compliant with regulatory needs and as well as what we needed to be able to do to reduce the threats as we've seen it.
Joseph Carson: And what we realized was that for too many years, we've been going down this technology-driven path. And we've been seen as, you know - in the cybersecurity area and IT security, we've been seen as the enforcers. We've been going to employees and saying, this is how you need to be doing things. And no, you can't install that software because it has this risk. And you need to patch this system. You need to change your passwords. We've been enforcers. And it's the time where we realize when we had that meeting that we actually - we're doing it the wrong way. We, as the CISOs and security officers and security operations admins, we need to be doing more listening. And one thing that we haven't been doing is listening enough to our colleagues, to the other peers in other departments, to the employees and the customers within the business that we're actually providing services to. We weren't listening to the board. We were actually communicating and enforcing a message.
Joseph Carson: And what we realized was that it was more important for us to sit and listen to an employee and ask them, what is it exactly you're being measured on? How, you know, can I help you be successful in your job? How can I help you be more efficient? How can I help you win and actually get your bonus and be able to meet your metrics that you're measured on? And that's what we need to be doing. And then looking at how we can actually add security into the existing job rather than saying, you know, to employees, don't click on these things. You know, stop clicking on links. Stop opening attachments. Because in many businesses, that's actually their job. And we have to understand, well, how can we make sure that since that is what they are doing - how can we make sure they're doing it safely with reduced risk but at the same time, making sure that they're able to stay productive? And that's what we need to be changing going forward. So the CISO in 2019 needs to start doing more listening and a time of aligning how we can help the business be successful.
Dave Bittner: That's Joseph Carson from Thycotic.