The Top 3 Things They Want You To Know
by Josh Fu, Principal Security Engineer, Cylance
Living in Minneapolis is ‘pretty excellent’. Yes, it’s winter eight months out of the year, but we thrive in it. There’s good food, drinks, and events, and it only takes 20 minutes to drive anywhere. What’s even cooler is how many big companies there are here. I recently went to BrrCon, a free, technical cybersecurity training day sponsored by several of the large companies headquartered here, such as Target, 3M, and Medtronic. One of the first sessions of the day was a panel of Chief Information Security Officers (CISOs) addressing some of the most pertinent topics in our industry. They spoke on three major topics:
- What are you most concerned about?
- What key traits do you look for when hiring someone?
- How do you work with your company executives to ensure the security of your organization?
What are you most concerned about?
The CISOs were most concerned about the same thing: the human phishing target. IDs and passwords socially engineered from an employee are the easiest ways to get into an organization because of human emotion, so they strongly believed that education and technical safeguards are really important. They found that geopolitical conflict due to additional sanctions can increase these external attacks from other countries. What happens is that people in these other countries still need to make money, so these adversaries increase attacks to try and gain access to funds or intellectual property. In addition to compromised credentials from external threats, inappropriate credential usage by insider threats was also a concern to the CISOs because insiders often know where the crown jewels are kept.
What key traits do you look for when hiring someone?
Being a good hire is less about your encyclopedic security knowledge than it is about who you are as a person. When posed this question, the CISOs listed these traits:
Contributor, trustworthy, transparent, has integrity, good work ethic, diversity, and humility as a leader
The skills to do the job were secondary to these traits. One of the CISOs shared a story from early in his career in which he took a risk, choosing to be direct with the company’s leadership. A major incident had occurred, but he was transparent about the situation and willing to show them the bad stuff. This decision demonstrated he could be trusted, even when issues involved personal risks.
How do you work with your company executives to ensure the security of your organization?
Executives want to hear what is happening, but in a way that is relevant to their home and children in plain, simple English instead of insecurity and tech jargon. Analogies are especially helpful.
For the most part, many executives don’t quite understand why their company is being attacked, so CISOs need to help them understand that this problem is not going away and that this is not a return on investment discussion. This requires changing their thinking and helping them understand that these attacks are a business model.
It’s often easier to answer questions posed by the board about external factors. The C-suite, however, is often the bigger challenge. The biggest question that CISOs must constantly answer is, “Are we good [from a security perspective]?” The answer is often, “We’re doing everything from an investment standpoint, but people are making money” because it is the truth, but it also leaves a little doubt.
Their notes to vendors
The CISOs provided some helpful advice because technology is part of each of their security strategies. Vendors need to provide information that CISOs can take to their executives, but the CISOs all said they’ll almost never answer a cold vendor email. They talk to each other and will take a meeting if the vendor is referred by their peers.
While I cannot truly understand each of the decisions that CISOs must make every day, I found their answers to be insightful, and they challenged many of the assumptions I think most people make about what they care about. To learn more about how Cylance can help you answer the “Are we good?” question, please reach out to us at firstname.lastname@example.org. Thank you very much for your time and think about how you can help meet a CISO’s needs today.
About the Author
Josh Fu, CISM, CISSP, is a principal security engineer at Cylance, an artificial intelligence company focused on cybersecurity. Josh has experience as a channel manager and consultant in cloud infrastructure and as a technical account manager and sales engineer in cybersecurity. Josh founded the west coast chapter of the International Consortium of Cybersecurity Professionals while he was living in San Francisco and has presented in front of industry audiences and conferences around the world and for groups such as ISACA, ISC2, MGTA, IANS, and SANS.