Originally aired on August 3, 2020 @ 12:30 PM - 1:00 PM EDT
The traditional model of the CISO being a technical security leader and the CEO being a business executive does not work for businesses today. Today the CEO and CISO have to be a tag team that locks arms to take the business and technical challenges head on. Learn how in this episode with Cloudflare executives Matthew Prince, CEO at Cloudflare, and Joe Sullivan, CSO at Cloudflare.
So thanks for sitting down to talk about the role of security from the eyes of the CEO with me.
Sure. Thanks, Joe, for having me.
So you made a decision at some point that security was worthy of a seat at the leadership table at Cloudflare. What went through your mind as you thought about that?
I think for Cloudflare in particular, security is one of the core value propositions that we provide to our customers. So I think that it's always something that has been first and foremost in our mind. I think as we started to think about bringing on someone particularly for the CISO role because it was such a critical piece of what Cloudflare does, it just made sense that we would embed that role with the leadership team. And then, as you know, as I think about what the risks are in our business, the number one risk that I worry about is somehow Cloudflare gets hacked. And so to the extent that I can be staying on top of what's going on and I can make sure that our board is staying on top of what's going on, I think it just made total sense for us to make sure that you were included in all of those conversations. And so I think that was a uniquely easy decision for us and uniquely aligned with what it was that we were delivering. But obviously, any company that is touching any kind of technology, which is every company today, may not be their number one risk. But certainly, I think the events of the last five years have shown that everyone in their top 10 risks has to consider cybersecurity as a threat. And that means really staying abreast of those concerns.
Yeah. It does seem like, as you say, that more and more companies are starting to appreciate this area of risk. And the data does suggest that more and more security leaders are being invited to a seat at the table. But when you think about having someone on the leadership team, you probably want more than just subject matter expertise in one area of either opportunity or risk.
What else do you think about with regard to leadership in general?
Well, I think that... So taking it away from security professionals for a second and taking it to someone else who I think most boards would hear from all the time would be the legal counsel that you have. So your general counsel in a firm. And I've gotten to work with a lot of really great lawyers. I've got to work with some mediocre lawyers. And I think that the difference between a great lawyer and a mediocre lawyer is the mediocre lawyer, when you say, here's what we're trying to accomplish, they'll say, here are all the reasons you can't do that. And that's sort of how they stop. I think the great lawyers say, listen, I understand what you're trying to accomplish. I understand what the business needs are. There are maybe 10 different paths where you can get there. And here's the risk as I see it across all of those different paths. And they understand that their job isn't just to say no. They understand that their job is to look at the totality of the business, understand that there are going to be risks that you take from time to time, and that you should make intelligent trade-offs that way. I think that that's a really good way for security professionals to also think about how they're approaching working with a greater management team and working with boards is, you know, the job isn't just to say, oh, my gosh, the sky is falling and everything is awful. It's to triage what are the top priorities, where are the places that are real risks, to understand that the business still has to operate and at times is going to do things that, you know, may not exclusively be driven by security decisions, but then to help lay out what the map is of here are the different paths we could take to do something and here are the risks that are associated with that.
And I think that that's something that you've really done and it requires you to not just understand and know your field, but to really understand a more totality, a greater totality of how the total business works. And that's also part of the reason why I think, you know, being on the leadership team and being in the management meetings and sitting in the board meetings, I think that that helps give the perspective that it's not just about, you know, how do I solve, you know, the security challenges, just like for the GC, the GC isn't just about we're going to drive the entire decision of the business by what are the legal risks that are there, but instead it's how do I look at the part of the world that I understand, take into account the rest of the business and then help us go down whatever path makes the most sense given the business priorities overall.
I think that's a great point. For me, I feel like I can make a much better risk decision or a set of recommendations now that I have the experience of being in that executive room, sitting through like a discussion about revenue opportunities in different areas, I'm able to prioritize with my team in a fundamentally different way than I could before when I didn't have that context. How do you think someone coming up in the security field could do more to get that context?
Yeah, I mean, so, I mean, you've got a bit of a chicken and egg problem, but I think that, you know, what we have always really tried to hire for across the entire organization are people that have, you know, a really high degree of curiosity and a really high degree of empathy and, you know, curiosity, want to learn new things, want to take on new challenges, empathy, you know, are able to see problems from different perspectives and, you know, change your mind if you hear facts that are different than what you assumed.
And I think that as a security professional that, again, knows one area incredibly well, you've really got to channel those. And by the way, and this isn't different advice than I would give, you know, someone in their legal career, somebody in their accounting career, like you, of course, you're obviously experts in that, but really it's how do you get a broader sense of what else is going on in the business. And I think, you know, at some level that's, you have to be curious about those things. If you sort of roll your eyes whenever the CFO talks, then there's no way you're ever going to be successful in that. If you roll your eyes every time the product manager talks, if you, again, make yourself in a position not of being in service to the overall organization, but instead just being the person who points out all the risks, it's harder to include you in those conversations. And the reality is that really to start to learn these things, you have to get in those conversations. And so, again, you've got a little bit of a chicken and egg issue. I think the other thing, and I think this is true across just about every, you know, technical role, including security, which is, you know, you can be the smartest person at your particular field, but if you can't figure out ways to communicate clearly to people who are not in your field, then it becomes extremely difficult to be in those conversations. And so I think things like, you know, if you're early in your career, or even if you're in an established role, finding ways to try to be a teacher in terms of explaining what it is that you do, teaching people who are maybe outside of your field what it is, spending time writing, and taking real feedback about times when your writing isn't clear. You know, it sounds like totally cliche to sort of, you know, you just set up your own blog and write about things that you're interested in. 
But I think that figuring out how to just communicate with the rest of the organization is one of the most important things. I mean, I was, you know, I studied computer science and law and business, you know, and went to a lot of school. But by far, even in my job, the most important sort of time that I spent in school studying things was actually in English literature. Because I think it helped me be a better communicator across the organization. And fundamentally, like that's every executive's job is how do I communicate clearly what it is I know. So, you know, I wish, I guess I wish that more people on our technical teams would have taken more humanities courses. Because I think that, or done those things that are kind of exercises in how to be clear and very concise communicators across an organization.
I think you're exactly right. I've heard quotes about like leadership.
I hope you think I'm wrong. You're going to say at some point. Natalie, you're going to say at some point.
I think you're right on the specific point about the importance of communication. I remember hearing a quote that said something like 70 or 80% of leadership is communication. And it might even be a higher percentage. And I think it's particularly the case for someone in the security leadership role, because it's a very technical discipline. And talk about people and their eyes glazing over. It's when the security leader starts talking about the details of identity and access management that the business leaders just like don't really want to get bogged down in which single sign on and how to deploy it. They want to understand cost, risk, opportunity, efficiency for employees. And so you've got to find the words that they'll connect with.
Yeah. And I mean, I think that's something that you and I have worked on is what is it like when you present to every board meeting, how is our sort of security posture changing? And we have a relatively technical board.
But I think there's and I do this across all of our teams. Like we have a rule that there's just no acronyms in anything that the individual vendors don't matter, lead with the problem. Like, what is it we're trying to solve? Like, here's the problem. And then we have a solution that comes behind that and then make it as tangible as possible. And I think that at some level, all of communication is storytelling. And sometimes when you say that, people hear story and they think you've made it up. But it's actually what it is. It's just getting people to really internalize what it is that you're saying. And the more that you can make that incredibly concrete and specific. And again, the more that you can be not the person who's just saying, oh, my gosh, the world is falling and we have all the pointing out all the problems, but instead saying, how can we as an organization and how can we as a business make smart decisions that take security into account and recognize that I'm part of a greater team? Again, I think that the thing that really differentiates people in this, it stops being technical acumen pretty early on. And it starts being much more of the actual communication and empathy and curiosity.
I'd like to go deeper on this kind of communicating about risk in two specific areas. One is like you talked about the need to understand the business opportunity when you're explaining the risk. And the other is an area of security that I think is starting to develop right now. I would say in 2020, the Cool Kids CISOs are very focused on how do I quantify risk? And they're embracing a bunch of different actuarial type models to try and find a way to communicate better with the other executives. And I have to admit, I'm a little bit cynical about them because I don't see them actually capturing the business opportunity side of the equation well.
So taking some of these models of risk, if I came to you and said, there's a 47 percent likelihood of a problem in this category of our security if we don't spend this much money, is that a compelling argument to you?
You know, again, I think that that's starting to, again, be the kind of bad lawyer where again, I think it's better to say, listen, we as a business, I know what the resources we have are. I know what the risks are. I know what's going on. And how can I help you get through that? So, you know, and sometimes I think that that might be, you know, that maybe that's useful. But my next 10 questions are going to be how to calculate, you know, 42 percent and what's really going into that. So, I mean, I think my level of skepticism probably goes up unless I can actually understand what's going on. And I don't need to understand it at the level that you or anyone on your team does. But I've at least got to be able to feel like, you know, that we're making what are smart, prudent decisions. And so I think if you came to me with that, I'd be pushing why, why, why, why, why? And I think that, you know, if the answer at the end of the day is because I followed some vendor risk assessment guide and came up with a number, that actually really hurts your credibility pretty quickly. So, you know, I think you've got to bring the people along. And if it's just a scorecard, I think that that would not resonate particularly well with me. So thank you for not doing that.
Right. Now, the other side of that equation is understanding the opportunity side.
A lot of CISOs have grown up in security organizations that were kind of off on the side and they didn't have the opportunity to learn the business side of the business, to learn how to read a P&L statement or something like that. How do you recommend that they, if they have that innate curiosity, how should they start?
I mean, I think it's going to be different for everyone. You know, I think it's sometimes, you know, finding ways outside of sort of the job that you're doing to have the freedom to learn about new things can be really useful. So, you know, the first company that I started, you know, I was always sort of bluffing my way through trying to figure out what, you know, how to read a balance sheet and an income statement, how all those things when people talk about EBITDA, I'd be like, I don't know what that really is. And, you know, for me to get comfortable with that kind of in my role, I mean, I took the very expensive path, which was, you know, go to business school and actually study these things. And I think that that's, you know, while it's really sometimes easy to kind of roll your eyes at MBAs, I think that if more CSOs had MBAs, it would make some of these things easier, because basically what you're learning is that you're learning a language and that language of business is the way that the various components of business actually communicate together. And you've got to kind of know that language. So that's a very expensive path to doing it. But I think that, you know, just taking even just a good online course in accounting and understanding, you know, what those components are and why they matter. There are so many good examples of that that are out there now.
And I think that there are good ways of kind of demystifying some of the sort of finance and accounting terms, which end up, again, being just the shorthand to how different parts of the organization can communicate together. And so I think, you know, again, if you're really curious, you can find those. You know, one of the professors that I had in business school was a guy named Mihir Desai, who's written a bunch of kind of, you know, one book is really like How Finance Works. And it's just a very good kind of layman's explainer on how this fits together. Is that another sort of more popular book on called The Wisdom of Finance, which actually takes various sort of stories that we're all familiar with and then uses that to explain the business terms that are behind that. And so I think that if you are genuinely curious, you know, you've got to actually go out and do some of the work. But the good news is there are lots of resources out there that can help kind of demystify this. And if you do develop that language, then that helps you then much more efficiently communicate with the rest of the organization. You don't need to be able to kind of close the books of a public company, but you probably should understand, you know, how to read it, how to read a P&L. You don't need to, you know, know how to do all the filings that the general counsel does. But you should be able to understand kind of the basic ways, you know, of how the legal requirements and regulatory requirements fit together. And again, I think it's not radically different than, you know, the sort of languages that a technical kind of career path like being a CISO also has. And so in the same way that you should be helping bring the rest of your management team along to understand your world.
You know, hopefully if you're at a supportive organization, you'll also find people who are curious and empathetic and want to explain a little bit of their world to you as well.
That's exactly what I found personally. I did take one of those kind of four hours how to like read the financial documents of a company classes a decade or more ago. And it got me a little bit comfortable with the acronyms and things like that. And then what I found was that the other leaders in the company were excited if I showed up and started asking them questions about their world. So that if somebody shows up, you know, another senior executive shows up and starts asking me questions about security, that's really empowering for me. And so what I've done is kind of sit down with those other executives.
Yep.
One interesting thing that I see with some CISOs is they like to joke kind of deprecatingly about themselves as like the C in CISO is a soft C. You can't really hear it because they put themselves down. They don't feel like they're really part of the leadership team of their organization. And my response is usually, well, it starts with you acting like you deserve to be there. And I'm curious your perspective on that.
Again, I think that management teams are craving having more understanding of what their security risks are, but you have to also do the work to make sure that you can communicate the same language. It's like if you're in France and you don't speak French, you know, it's going to be harder to have conversations. If you're in a business organization and you can't at least communicate and understand the sort of various business terms, then it's harder to have those conversations. And I think, again, every organization is going to be different.
Cloudflare Security is so core to what we do that, I mean, it was a no-brainer, you know, that you would be part of the management team and the management organizations and you report directly to me and you present at every single board meeting. Different organizations are going to prioritize security in different ways. And there might be organizations where it isn't a management role. I think there are fewer and fewer of those that exist just because technology is becoming a bigger piece of every company and the sensitivity and sensitivities around data are only going up. So, you know, I think that that's transitioning and I think that the great security leaders are going to be the ones who, again, arm themselves with the business knowledge to be able to speak French to the other French people. And but again, you've got to do that work. But I do think that there's an increasing receptivity to making sure that you've got sort of an understanding of what your security posture is, what your risks are, and how you can address that. So, but again, I think that's different than it would have been even just five years ago. And so I think that that's changing. But the trend is definitely toward this is more and more of a, you know, a senior management team role in more and more organizations.
And when you think about security, is it just about managing risk or does it play a part in unlocking opportunity? That's like when I step back and think about like what happens inside a company, to me, people are wearing one or two hats. They're either driving opportunity or they're managing some downside risk.
Yeah. I mean, you're either a profit center or a cost center, right? At some level. No, I think that, again, I know Cloudflare really well. And I think one of the things that's unique about us is that, you know, we're building security products.
And so I think we lean heavily on your team to help inform and design and sometimes engineer those products. And I think that the products that we build that are the best are the ones where Cloudflare is the first customer of those products. And so, you know, it's something that we've talked about a lot, but dogfooding our own products, you know, Cloudflare being the first best customer of everything that we build is important. If you're, you know, if you're a jewelry manufacturer, I think it will actually maybe if you're a jewelry manufacturer, you know, helping build a better safe is exactly what you need. But, you know, there are certainly other, you know, if you're making aluminum cans, you know, it would be harder to have the security organization say, you know, here's how we can build a better aluminum can. So again, I think it depends to some extent on the organization and what it is that you deliver. But I do think there is an increased awareness of the privacy and security risks from consumers. And that does mean that there are more and more organizations where if you can say, listen, if we have, you know, better password security, that's going to increase our credibility with our customers. If we can have better account security, if we can talk about how we not just, you know, we take your data seriously. I mean, that just sounds, I mean, that's what everyone says. But if you can say, here's how we take your data seriously. Here are the technical measures we put in place. Here are the ways that we're making sure that data is secure. I mean, that I think starts to be something that's going to differentiate brands. At least I hope that's the case. The piece that I fear a little bit is there's a lot of talk about how important privacy is and it is certainly embarrassing to organizations when they appear in the news because of some security breach.
What I don't know is happening quite yet is that consumers are actually voting based on that. I think people make a lot of noise around it. And I used to teach a privacy law course to people who are incredibly passionate about, you know, their privacy and they thought they were going to study this. And then, you know, they were that sort of we delete Facebook and, you know, we don't use Google. And then I'd say, you know, how many of you when you went to the grocery store used a supermarket shopping cart and everyone raises their hand still and you're like, you know, that's, I mean, that's tracking you even more than anything else. So I think the world is shifting that way. I think that you can do that. I think in certain organizations, you can demonstrate and build customer trust through kind of exposing the security that you're doing. And I think that that's a way that it can be positive. But I don't think we're totally there yet. I think it's still going to be, and I think it's actually good to be realistic about this. You know, going in to your first board meeting and, you know, pounding the table as a security leader and saying, you know, I'm a profit center, I'm not a cost center. Like I think I would sort of take a gentler approach, I think, as I did that, because I do think that while we are trending in the direction of the world taking privacy and security much more seriously, we've still got a ways to go.
Awesome. Well, I think this was a bunch of really great advice for security leaders. So thank you so much for taking the time to do this video with me.
Thanks. Thanks for doing it. And hopefully you're washing your hands often and healthy and safe and everything else.
All right. Thank you. Take care.
Thanks, Joe. Bye.
Bye.