Special Editions 8.13.24
Ep 69 | 8.13.24

Solution Spotlight: Simone Petrella talking with Lee Parrish, CISO of Newell Brands, about his book and security relationship management.

Transcript

Dave Bittner: Hello, everyone, and welcome to this N2K CyberWire special edition. In today's Solution Spotlight, N2K president Simone Petrella speaks with Lee Parrish, CISO of Newell Brands, about his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cybersecurity." Here's their conversation.

Simone Petrella: Good afternoon. Welcome to Solution Spotlight where we talk about some of the most innovative strategists shaping the future of cybersecurity leadership. And today I am joined by Lee Parrish, CISO of Newell Brands and author of a recently published book, "The Shortest Hour." Thanks for joining today, Lee.

Lee Parrish: Not at all, it's my pleasure. Thank you for having me.

Simone Petrella: Well, to start us off, I was hoping you could tell us a little bit about your leadership philosophy when it comes to building cybersecurity programs throughout your career and now at Newell Brands.

Lee Parrish: Certainly. I've been doing this for about 23/24 years now. And I think if there's one consistent theme across all of the companies I've worked for and the strategies that I've built, it's been a focus, a hyperfocus, on the people, the people aspect of the cybersecurity program. So one thing I mention a lot to people and I mention it in the book as well is as CISOs, we all have the same access to technology as every other CISO. The security vendors are not selling to some of us and not others. I mean, we're all on a level playing field. And when it comes to processes and policy and things like that, again, we're all on the same landscape. Nobody has an edge in that area. We have access to research firms, analysts, frameworks, cybersecurity frameworks, all kinds of things. We can get policy templates. So, again, we're on an equal playing field. The true differentiator in a cybersecurity program then lies in its people. And as a result of that, I spend a lot of time selecting the right people, selecting people who are curious and people who like to dive into unintended use cases for technology and things like that, people who are curious. And then once they're on board, just supporting them as best as I can. It's all about making sure they're engaged, they're doing the work that they find challenging and not just looking at a screen all day, and just being nice. So that's what I've been doing consistently over my career.

Simone Petrella: And that always resonates with me as a recovering consultant where we focus so much on people processing technology. And I'm a huge advocate that people are kind of truly the long pole in that tent. In the companies that you've worked with or the organizations that you advise, obviously the budget and the sophistication of some of those enterprises can be very different. And so when it comes to selecting people, what's that consistent thread that you have maybe leveraged throughout that journey to focus on the people? Because I'm sure there have been organizations where you have unlimited operating budget to actually spend on salaries and you can kind of build the best or buy the best. But then what happens when you're just looking for that curiosity and fostering them? Or is it a balance between the two and it's been that way no matter what organization you've supported?

Lee Parrish: Yeah, I think there's always a challenge in bringing on new folks, getting the budget for small to midcap companies, you know, maybe the budget's not there. For large enterprises, there's certainly not just an open checkbook, but they scrutinize the spend as well. So what you want to do is make sure that when you do get the funding for that, you fill that chair with the most optimal resource that you can find. And I know there's debates in social media and professional networks where they say there's a shortage of cybersecurity experts or some say no, there's all kinds of people applying for cybersecurity jobs. What I've seen in my career and recently in the last 10 years is the resumes that come across my desk are usually people who have one to three years of experience. And so if a CISO has a strategy to fill let's say 15 roles in their cybersecurity program and their strategy is I want to fill these with people who have eight to 10 years of experience, that may not be realistic, not in today's environment. Unless you're willing to pay overmarket for those folks and have them work remote 100% of the time, pay them an exorbitant amount of money above comp ranges, you're not going to find those people. So what I've done is I seed the team with three/four cybersecurity experts -- people who have that level of experience -- and then the rest of the team I fill with people who are -- maybe they don't have a lot of experience in cybersecurity, maybe they don't have any experience in cybersecurity, maybe they came from IT or something like that. But it's all about professionalism, the personality. That curiosity is something that I continually look for in people. People who are willing to engage and build relationships are important to me. We're an extension of the business, we enable the business, so as a result we have to work with the business. And if we have people who are resistant to building relationships and just want to work kind of off on their own, that typically doesn't work too well. So I look for people who have high personalities, very curious about things. And they inject into the team -- the experts will provide them experience and lessons learned from a career of doing this. But the young, new in their career cybersecurity people, they can challenge what has been done before and ask questions -- well, why do we do it that way? And it kind of in the middle there brings out a lot of good innovations, that's what I've found.

Simone Petrella: Yeah. I think one of the most operative words that I just picked up on that you said is the idea of having a strategy to begin with. And I know from personal experience, I've worked with a number of colleagues and companies where the strategy is more just, we have this many openings and let's fill them as quickly as possible. And there hasn't been that thought put into, is it a team of eight to 10 years of experience with a high salary cap, or is it something that we're going to kind of round out with smaller ones. What do you think -- my first question is, why is it so hard for us as an industry to kind of like wrap our heads around that strategy? Rick Howard and I call it kind of like the moneyball approach, right? If you're like building a team, you have to sort of think about the constraints of the budget you have and then what are you going to build and how do you think about those positions and those players before you actually start putting people on the ground. But why has that been so hard for us? And my second kind of corollary to that is, what are some of your recommendations to your peers and those coming up in the field to maybe integrate that into more of their own program development strategies across cybersecurity?

Lee Parrish: It is a challenge. I think that a lot of times -- I think it's much better now than it was in the past. In the past, most of -- I will say many -- of the security leadership were comprised of people who were very technical and didn't have a lot of business acumen. They were hands on keyboard. And when the need arose for someone to take a CISO role, the logical selection was somebody who's been involved in it, and that usually was a technical person. Even then, people understood what business was, they understood finance and maybe could even read a balance sheet or things like that. But when I talk about business skills, I'm talking at the same level as your peer leaders. So the same level of experience in finance and strategy and operations as your peer executives would have. Not just a glancing understanding of business, but a deep-seated expertise -- not expertise. A deep-seated knowledge of finance and all of those other business domains is critical. So I think that kind of was the issue before. I think a lot of times as CISOs, we jump into something, we're given a budget, and we say, okay, what do we want to do and let's go forward and build this. That's not the time to actually think about that. You should be thinking about that before you get the money and before you even start talking to vendors or before you even do an interview. The analogy that I use quite a bit is, when you go into a car dealership to purchase a car, you don't walk on the lot and say show me everything, I want to see SUVs, I want to see electric cars, I want to see compact cars, I want to see sports cars, I want to see electric. No, you already have an understanding of some of the models that you want to see and you probably have an understanding of the price range you're probably going to pay. It's the same thing for cybersecurity. You should already know what it is that you want, who you're going to talk to, and kind of sort of know how much you're going to pay. 
As far as the people aspect goes, I would say one of the things that I like to do is to make a quad chart, and in the top right corner would be things that we absolutely need in our cybersecurity program from an expertise perspective. And then it also means at that level where we have gaps. So, for instance, if we need threat intelligence, let's say, we have a high need for threat intelligence in our organization, and currently on our team we don't have any resources that have that level of threat intelligence, that falls in that top right corner. But in the bottom left corner, if it's a nice-to-have kind of skill that we're looking for, and we already have people that have that, I'm going to focus on hiring for those roles. I'm going to prioritize on the roles where we have a gap in the skillset on our current team and we have a high need for that skill. So that's kind of the way that I've done it. Before I even give the strategy to the CEO, what I'll do is I'll go to each of the individual leaders -- like I'll go to the CFO and talk about budget. And I'll go to the CIO and I'll talk about technology and I'll talk about how the security solutions I'm proposing may interoperate with what's already in the environment. And for the chief HR officer, I talk about that strategy of skillset gaps versus what we need, what level of expertise we're looking for, geographically where are we going to place those individuals that makes sense in the overall program. It's like a chess match. You just want to make sure that the whole strategy fits together. And you don't want to have people on the team that have all the same skillsets. Like you don't want a bunch of people who are really good at threat intelligence and then they don't understand other domains within cybersecurity.

Dave Bittner: We'll be right back. [ Music ]

Simone Petrella: It really hits on another theme that obviously is part of what you implement in your own leadership roles but also is in your book that is I know geared towards independent directors but probably just as helpful for existing CISOs. And it's that kind of theme concept around security relationship management and how do you build a relationship with your peer executives, other stakeholders in the organizations. And your examples just really illustrated how important that is. But that takes a lot of time and effort. Can you walk through like maybe some examples or stories of just like how you kind of learned to navigate those waters and maybe some things that you've learned that have helped grease the skids when it comes to that relationship building in management as you kind of build and execute on your cybersecurity program?

Lee Parrish: Yeah. It started whenever I first got into cybersecurity. So this was back in the late '90s, early 2000. I was awarded a position as a CISO at a company and I was very excited. And so I reached out to peers in the area who were CISOs. I was trying to garner some information on some tips and best practices and things like that that I could incorporate into my new role. And there was one person who was very nice and set up a day's worth of discussions and things like that. So I went to his office and introduced myself, and we started talking about the role of the CISO and how it's so important -- and we walked around the office and we ran into the vice president of corporate security, so the physical security. And he introduced me to that vice president and we talked for a minute about how important cybersecurity was. And then my host said, actually, I don't think we've never met in person, my name is so-and-so. And I was kind of taken aback a little bit. And then we met the CFO. Same thing happened. It was, we've not met, my name is so-and-so. And I thought to myself, how can somebody be effective in this role and not have a strong relationship? Now, it's gotten a lot better over the years. This was 23 years ago, 24 years ago. But it planted a seed in me. And I thought to myself, if I'm going to do this and do it right, I need to build relationships across the business. And so at that time I said, I'm going to go and get an MBA degree. And whenever I was telling my friends about it, they asked, are you getting out of security? And I said no, I'm getting an MBA so I can do security better -- you know, I need to speak their vernacular, I need to understand what's important to them. So that was the initial seeds that started. And then over time it culminated into a very structured program that I call "security relationship management." And that is tracking my relationships across the company and externally as well to make sure that I'm nurturing those relationships and I'm giving them the time that they need to be effective. You know, we spend so much time with relationship building -- and personal, in our personal lives, we don't tend to track those too much. I mean, with our spouses and our partners and our children and members at church or our pets even. You don't really need to track a lot of that stuff, it's just natural. But as you move into the corporate world, and there's hundreds and hundreds and thousands of different relationships, if you're not tracking those and understanding the key stakeholders and the interactions that you have with those folks, you're not going to be successful. So that's kind of the genesis of security relationship management.

Simone Petrella: Yeah, it's an incredible story. And I can speak firsthand, I've spent a lot of time kind of brokering, I'd say the translation role, between kind of security leaders and then HR in particular when it comes to people and how to identify those priorities, everything else. And it definitely requires a level of nuance. And I don't think it's only the responsibility of those of us who are on the security side. I think there's kind of that executive responsibility for all those other stakeholders in an organization to kind of think about how security impacts what they do as well. And I say that to pivot into, what inspired you to write this book? Because if I have it correct, really, "The Shortest Hour" is meant to help inform new directors on boards to understand how they can actually conduct and not only ask the right questions as they execute cybersecurity oversight, but also understand enough to make some real actionable decisions out of that and evaluate where things are. So can you talk to me a little bit about what inspired you, and what are some of the things that you hope directors who have an opportunity to read this take away from it?

Lee Parrish: Yeah, absolutely. I was blessed very early on in my career, where I was surrounded by leaders who were very engaging and they wanted me to participate and they gave me invitations to participate. I realize that a lot of listeners who are CISOs may not have that same level of support and they have to fight their way in. So I do realize that I was very blessed early on. And throughout my career, again, I've been extremely blessed. In every company I've worked for, there was an opportunity for me to present to senior leaders and to the board of directors and to committees as well in an unfiltered way to be able to explain risks and not be toned down by leaders and things -- well, don't say that. They were very open. So that's the baseline. I mean, if you don't have that, the game is over. But very early on, I was interacting with some very, very serious people on different boards. So it was retired admirals and generals from the military. It was CEOs of Fortune 10, Fortune 100 companies.

Simone Petrella: Not an intimidating bunch at all?

Lee Parrish: Not at all. And there was a White House chief of staff, a US presidential candidate, all of these different folks and my very first time working with a board. So I learned very quickly. And it was really nice to be able to have that experience. And then as I moved throughout my career, I had experiences with working with a board not just in a presentation format, but actually like one-on-one, to be able to fly to a location and meet with a new director who's coming on board and giving them an overview of the cybersecurity program and what to expect. I've been asked to assist in special projects for the board that required a lot of confidentiality and things like that. I've been able to work very closely with the chairpersons of the committees in which I've reported to. So access and then that deep relationship has really helped. And so about three years ago, two and a half years ago, I was thinking, it would be nice to kind of give back to the industry and kind of talk about my experiences with working with boards, as well I've seen an opportunity with how boards are providing oversight to cybersecurity programs specifically. It's a systemic risk. It always falls on either number one or number two on the enterprise risk management programs for every company I have been a part of, and certainly probably for the ones of your listeners. And then I looked at my experiences. And I know they vary because of surveys and things like that. And other CISOs may say, no, I speak for an hour every month. Others will say, no, I don't speak at all except for one supplemental presentation I put in the documentation. So I just kind of took an average and I said, well, it's about 15 minutes then. If it's 15 minutes a quarter speaking to the audit committee or the technology committee or something like that, and there's four quarters in a year, that's an hour. So that's the "shortest hour." 
I believe that one hour a year is not enough time to talk about something as critical as cybersecurity. And so I started writing. And as I was writing, the SEC proposed some regulations about disclosure. And I thought, wow, this is really timing out to be really good, because that's what I'm talking about. And December of last year, I finished the book. It was published by Taylor & Francis with CRC Press. And went through the editing process and it just launched last week. So it's been a great journey. I really enjoyed doing it. And hopefully people will enjoy it and provide good feedback.

Simone Petrella: You brought up the SEC, so I have to ask -- and I am notorious for going off of my own script, so I apologize in advance. Having been in these roles for the majority of your career and seeing what the SEC is coming out with as far as disclosure of material breaches -- of which there's a lot of questions around what that definition of materiality really is. But then that coupled with annual filings and the requirement to kind of report on maturity of cybersecurity programs, where do you fall on the spectrum of, is this good for us as an industry, is this hampering because it's putting too much handcuffs or potentially scapegoating those of us that have been in cybersecurity and trying to be right all of the time when it's impossible? What's your take?

Lee Parrish: Yeah. There's always been some level of disclosure about cybersecurity. Usually it's in the risk section of the 10-K, and there's a little bit of a blurb about cybersecurity and availability of systems and the capability to deliver services and products to customers and the risk of an attack, cyber-attack. But the SEC, their regulations were more specific to disclosing the different -- more details than we've ever seen before. And so the analogy that I use in the book is, when I was in the eighth grade, I took a math class and we were taking just general arithmetic and things like that and then we got into fractions and division and things like that. And we would turn in our homework. So we would do our homework and we'd turn in the answers, and we'd get our homework back graded. About halfway through the year, we started getting into algebra, pre-algebra and things like that. And so the teacher -- I'll never forget her. I can still see her face. She said, okay, for your homework now, I want you to start showing your work. And of course everybody groans and they're like, oh, gosh. So now it was not just enough to give the answer, you had to show how you came to that answer. And I think the SEC regulations are, show me your work. It's no longer enough to just say you have it, show me how you have it. With that said, I think it's a positive step in the right direction. There were some regulations that were dropped. Some were enhanced and edited. But I think it's a good step in the right direction. I think because it's a new regulation, we're always going to see things out of the gate where we have issues with trying to define materiality. I think corporations have structured programs to determine what is material and what is not. But as it relates to cybersecurity, I still think there's some work to do. I think there is some ambiguity around what a reasonable shareholder is. Is that me buying 10 bucks worth of a stock? Or is it Warren Buffett? Who is a reasonable stakeholder? But I think those will get straightened out. We're already seeing that. Some people initially disclose something and the SEC provided comments and stuff. So we're working together as an industry. I think it's a very positive step, I think it could be better, though.

Simone Petrella: To bring it full circle to where we started and your concept of relationship management, all the more reason to not only look at the CFO and the head of physical security and head of HR, but also your head of legal when putting together these filings.

Lee Parrish: Oh, yeah.

Simone Petrella: I mean, that should be a nonstarter anyway, like that should be a given. But you know, if you didn't have a reason to do it before, you certainly do now.

Lee Parrish: One of my deepest relationships across the board in every company I've worked for has been with general counsel, even my current company. It's just a wonderful relationship. You're talking a lot. You're sharing ideas. You really need that. That's the one relationship that I think has been most beneficial for me in my tenure as a CISO.

Simone Petrella: Well, Lee, thank you so much for taking some time to share some of your experiences with us as well as some of the nuggets out of your newly published book. So congratulations on getting that out there. It's really been an amazing thing to read as I've started to delve into it. And for those who have not had a chance, Lee, I'll let you give one last plug, where can someone go get a copy, their hands on a copy of "The Shortest Hour"?

Lee Parrish: Yeah, so it's available at all the favorite booksellers, you know, Barnes & Noble, Amazon, you can go to Taylor & Francis. It's all over the place. But thank you for the support. I really, really appreciate it.

Simone Petrella: Great. Thank you. [ Music ]

Dave Bittner: Our thanks to Lee Parrish, chief information security officer of Newell Brands. His book is titled "The Shortest Hour: An Applied Approach to Boardroom Governance of Cybersecurity." Lee Parrish spoke with N2K CyberWire's Simone Petrella. [ Music ]