SECURITY SPOTLIGHT - A Tale of Two Executives : The CEO & The CISO
Presented by: Matthew Prince , Joe Sullivan
Originally aired on August 3, 2020 @ 12:30 PM - 1:00 PM EDT
The traditional model of the CISO being a technical security leader and the CEO being a business executive does not work for businesses today. Today the CEO and CISO have to be a tag team that lock arms to take the business and technical challenges head on. Learn how, in this episode with Cloudflare executives - Matthew Prince, CEO at Cloudflare and Joe Sullivan, CSO at Cloudflare.
Transcript (Beta)
So thanks for sitting down to talk about the role of security from the eyes of the CEO with me.
Sure. Thanks, Joe, for having me. So you made a decision at some point that security was worthy of a seat at the leadership table at Cloudflare.
What went through your mind as you thought about that?
I think for Cloudflare in particular, security is one of the core value propositions that we provide to our customers.
So I think that it's always something that has been first and foremost in our mind.
I think as we started to think about bringing on someone particularly for the CISO role because it was such a critical piece of what Cloudflare does, it just made sense that we would embed that role with the leadership team.
And then, as you know, as I think about what the risks are in our business, the number one risk that I worry about is somehow Cloudflare gets hacked.
And so to the extent that I can be staying on top of what's going on and I can make sure that our board is staying on top of what's going on, I think it just made total sense for us to make sure that you were included in all of those conversations.
And so I think that was a uniquely easy decision for us and uniquely aligned with what it was that we were delivering.
But obviously, any company that is touching any kind of technology, which is every company today, may not be their number one risk.
But certainly, I think the events of the last five years have shown that everyone in their top 10 risks has to consider cybersecurity as a threat.
And that means really staying abreast of those concerns. Yeah. It does seem like, as you say, that more and more companies are starting to appreciate this area of risk.
And the data does suggest that more and more security leaders are being invited to a seat at the table.
But when you think about having someone on the leadership team, you probably want more than just subject matter expertise in one area of either opportunity or risk.
What else do you think about with regard to leadership in general?
Well, I think that... So taking it away from security professionals for a second and taking it to someone else who I think most boards would hear from all the time would be the legal counsel that you have.
So your general counsel in a firm.
And I've gotten to work with a lot of really great lawyers.
I've got to work with some mediocre lawyers. And I think that the difference between a great lawyer and a mediocre lawyer is the mediocre lawyer, when you say, here's what we're trying to accomplish, they'll say, here are all the reasons you can't do that.
And that's sort of how they stop. I think the great lawyers say, listen, I understand what you're trying to accomplish.
I understand what the business needs are.
There are maybe 10 different paths where you can get there.
And here's the risk as I see it across all of those different paths. And they understand that their job isn't just to say no.
They understand that their job is to look at the totality of the business, understand that there are going to be risks that you take from time to time, and that you should make intelligent trade-offs that way.
I think that that's a really good way for security professionals to also think about how they're approaching working with a greater management team and working with boards is, you know, the job isn't just to say, oh, my gosh, the sky is falling and everything is awful.
It's to triage what are the top priorities, where are the places that are real risks, to understand that the business still has to operate and at times is going to do things that, you know, may not exclusively be driven by security decisions, but then to help lay out what the map is of here are the different paths we could take to do something and here are the risks that are associated with that.
And I think that that's something that you've really done and it requires you to not just understand and know your field, but to really understand a greater totality of how the total business works.
And that's also part of the reason why I think, you know, being on the leadership team and being in the management meetings and sitting in the board meetings, I think that that helps give the perspective that it's not just about, you know, how do I solve, you know, the security challenges, just like for the GC, the GC isn't just about we're going to drive the entire decision of the business by what are the legal risks that are there, but instead it's how do I look at the part of the world that I understand, take into account the rest of the business and then help us go down whatever path makes the most sense given the business priorities overall.
I think that's a great point. For me, I feel like I can make a much better risk decision or a set of recommendations now that I have the experience of being in that executive room, sitting through a discussion about revenue opportunities in different areas. I'm able to prioritize with my team in a fundamentally different way than I could before when I didn't have that context.
How do you think someone coming up in the security field could do more to get that context?
Yeah, I mean, you've got a bit of a chicken and egg problem, but I think that, you know, what we have always really tried to hire for across the entire organization are people that have, you know, a really high degree of curiosity and a really high degree of empathy. And, you know, curiosity: want to learn new things, want to take on new challenges. Empathy, you know: are able to see problems from different perspectives and, you know, change your mind if you hear facts that are different than what you assumed.
And I think that as a security professional that, again, knows one area incredibly well, you've really got to channel those.
And by the way, this isn't different advice than I would give, you know, someone in their legal career, somebody in their accounting career. Like, of course, you're obviously experts in that, but really it's how do you get a broader sense of what else is going on in the business.
And I think, you know, at some level, you have to be curious about those things.
If you sort of roll your eyes whenever the CFO talks, then there's no way you're ever going to be successful in that.
If you roll your eyes every time the product manager talks, if you, again, put yourself in a position not of being in service to the overall organization, but instead just being the person who points out all the risks, it's just harder to include you in those conversations.
And the reality is that really to start to learn these things, you have to get in those conversations.
And so, again, you've got a little bit of a chicken and egg issue.
I think the other thing, and I think this is true across just about every, you know, technical role, including security, which is, you know, you can be the smartest person at your particular field, but if you can't figure out ways to communicate clearly to people who are not in your field, then it becomes extremely difficult to be in those conversations.
And so I think things like, you know, if you're early in your career, or even if you're in an established role, finding ways to try to be a teacher in terms of explaining what it is that you do, teaching people who are maybe outside of your field, what it is, spending time writing, and taking real feedback about times when your writing isn't clear.
You know, it sounds like totally cliche to sort of, you know, you just set up your own blog and write about things that you're interested in.
But I think that figuring out how to just communicate with the rest of the organization is one of the most important things.
I mean, I was, you know, I studied computer science and law and business, you know, and went to a lot of school.
But by far, even in my job, the most important sort of time that I spent in school studying things was actually in English literature, because I think it helped me be a better communicator across the organization.
And fundamentally, like, that's every executive's job is how do I communicate clearly what it is I know.
So, you know, I wish, I guess I wish that more people on our technical teams would have taken more humanities courses.
Because I think that, or done those things that are kind of exercises in how to be clear and very concise communicators across an organization.
I think you're exactly right.
I've heard quotes about like, you think I'm wrong, you're gonna say at some point.
I think you're right. On the specific point about the importance of communication.
I remember hearing a quote that said something like 70 or 80% of leadership is communication.
And it might even be a higher percentage. And I think it's particularly the case for someone in the security leadership role, because it's a very technical discipline.
And talk about people and their eyes glazing over, it's when the security leader starts talking about the details of identity and access management that the business leaders just like, don't really want to get bogged down in which single sign on and how to deploy it, they want to understand cost, risk, opportunity, efficiency for employees.
And so you've got to find the words that they'll connect with.
Yeah. And I mean, I think that's something you and I have worked on is, you know, what is it, like, when you present to every board meeting?
You know, how is our sort of security posture changing?
And we have a, you know, relatively technical board.
But, you know, I think... And I do this across, you know, all of our teams. Like, you know, we have a rule that there are just no acronyms, that, you know, the individual vendors don't matter, lead with the problem, like, what is it we're trying to solve?
Like, here's the problem. And then we have, you know, a solution that comes behind that.
And then make it as tangible as possible.
And I think that, you know, at some level, all of communication is storytelling.
And sometimes when you say that, you know, people hear story, and they think, you know, you've made it up.
But it's actually what it is, it's just getting people to really internalize what it is that you're saying.
And the more that you can make that incredibly concrete and specific, and again, the more that you can be not the person who's just saying, oh, my gosh, the world is falling, and, you know, pointing out all the problems, but instead saying, how can we as an organization and how can we as a business make smart decisions that take security into account and recognize that I'm part of a greater team?
I, you know, again, I think that the thing that really differentiates people in this, it stops being technical acumen pretty early on, and it starts being much more of the actual communication and empathy and curiosity.
I'd like to go deeper on this kind of communicating about risk in two specific areas.
One is, like you talked about the need to understand the business opportunity when you're explaining the risk.
And the other is an area of security that I think is starting to develop right now, I would say, in 2020, the cool kids, CCS, CISOs are very focused on how do I quantify risk, and they're embracing a bunch of different actuarial type models to try and find a way to communicate better with the other executives.
And I have to admit, I'm a little bit cynical about them, because I don't see them actually capturing the business opportunity side of the equation well.
So like, taking some of these models of risk, if I came to you and said, you know, there's a 47% likelihood of a problem in this category of our security, if we don't spend this much money, is that a compelling argument to you?
Yeah, again, I think that's starting to, again, be the kind of bad lawyer, where, again, I think it's better to say, listen, we as a business, I know what the resources we have are, I know what the risks are, I know what's going on.
And how can I help you get through that.
So, you know, sometimes I think that might be, you know, maybe that's useful.
But my next 10 questions are going to be how to calculate, you know, 42%.
And what's really going into that.
So I mean, I think my level of skepticism probably goes up unless I can actually understand what's going on.
And I don't need to understand it at the level that you or anyone on your team does.
But at least, you know, I've at least got to be able to feel like, you know, that we're making, you know, what are smart, prudent decisions.
And so, you know, I think if you came to me with that, I'd be pushing, why, why, why, why, why?
And I think that, you know, if the answer at the end of the day is, you know, because I followed some, you know, vendor risk assessment guide and came up with a number, that actually really hurts your credibility pretty quickly.
So, you know, I think you've got to bring the people along.
And if it's just a scorecard, I think that would not resonate particularly well with me.
So thank you for not doing that.
Right. Now, the other side of that equation is like, understanding the opportunity side.
A lot of CISOs grew up in security organizations that were kind of off on the side, and they didn't have the opportunity to learn the business side of the business, to learn how to read a P&L statement or something like that.
If they have that innate curiosity, how do you recommend they start?
Um, no, I mean, I think it's gonna be different for everyone.
You know, I think it's sometimes, you know, finding ways outside of sort of the job that you're doing, to have the freedom to learn about new things, can be really useful.
So, you know, at the first company that I started, you know, I was always sort of bluffing my way through trying to figure out, you know, how to read a balance sheet and an income statement, all those things. When people talk about EBITDA, I'd be like, I don't know what that really is.
And, you know, for me to get comfortable with that, kind of in my role, I mean, I took the very expensive path, which was, you know, go to business school and actually study these things.
And I think that, you know, while it's really sometimes easy to kind of roll your eyes at MBAs, I think that if more CISOs had MBAs, it would make some of these things easier, because basically, what you're learning is that you're learning a language.
And that language of business is the way that the various components of business actually communicate together.
And you've got to kind of know that language. So that's a very expensive path to doing it.
But I think that, you know, just taking even just a good online course in accounting, and understanding, you know, what those components are, and why they matter.
There are so many good examples of that that are out there now.
And I think that there are good ways of kind of demystifying some of the sort of finance and accounting terms, which end up, again, being just the shorthand to how different parts of the organization can communicate together.
And so I think, you know, again, if you're really curious, you can find those. You know, one of the professors that I had in business school was a guy named Mihir Desai, who's written a bunch of kind of, you know, one book is literally like How Finance Works, and it's just a very good kind of layman's explainer on how this fits together.
He's done another sort of more popular book called The Wisdom of Finance, which actually takes various sort of stories that we're all familiar with, and then uses that to explain the business terms that are behind that.
And so I think that if you are genuinely curious, you know, you've got to actually go out and do some of the work.
But the good news is, there are lots of resources out there that can help kind of demystify this.
And if you do develop that language, then that helps you much more efficiently communicate with the rest of the organization. You don't need to be able to kind of close the books of a public company.
But you probably should understand, you know, how to read a P&L. You don't need to, you know, know how to do all the filings that the General Counsel does.
But you should be able to understand kind of the basic ways, you know, of how the legal requirements and regulatory requirements fit together.
And again, I think it's not radically different than, you know, the sort of languages that a technical kind of career path, like being a CISO, also has.
And so in the same way that you should be helping bring the rest of your management team along to understand your world, you know, hopefully if you're at a supportive organization, you'll also find people who are curious and empathetic and want to explain a little bit of their world to you as well.
That's exactly what I found. Personally, I did take one of those kind of four-hour, how to read the financial documents of a company, classes a decade or more ago.
And it got me a little bit comfortable with the acronyms and things like that.
And then what I found was that the other leaders in the company were excited if I showed up and started asking them questions about their world.
That if somebody shows up, you know, another senior executive shows up and starts asking me questions about security, that's really empowering for me.
And so what I've done is sit down with those other executives.
Yep. One interesting thing that I see with some CISOs is they like to joke kind of deprecatingly about themselves, as like the C in CISO is a soft C and you can't really hear it, because they put themselves down.
They don't feel like they're really part of the leadership team of their organization.
And my response is usually, well, it starts with you acting like you deserve to be there.
And I'm curious your perspective on that. Again, I think that management teams are craving having more understanding of what their security risks are.
But you have to also do the work to make sure that you can communicate the same language.
It's like, if you're, you know, if you're in France and you don't speak French, you know, it's going to be harder to have conversations. If you're in a business organization and you can't at least communicate and understand the sort of various business terms, then it's harder to have those conversations.
And I think, again, every organization is going to be different. At Cloudflare security is so core to what we do that, I mean, it was just a no brainer, you know, that you would be part of the management team and the management organizations and you report directly to me and you present at every single board meeting. You know, different organizations are going to prioritize security in different ways.
And there might be organizations where it isn't a management role.
I think there are fewer and fewer of those that exist just because, you know, technology is becoming a bigger piece of every company and the sensitivities around data are only going up.
So, you know, I think that's transitioning.
And I think that the great security leaders are going to be the ones who, again, arm themselves with the business knowledge to be able to, you know, speak French to the other French people.
But again, you've got to do that work.
But I do think that there's an increasing receptivity to making sure that you've got sort of an understanding of what your security posture is, what your risks are and how you can address that.
But again, I think that's very different than it would have been even just five years ago.
And so I think that's changing, but the trend is definitely toward this being more and more of a, you know, senior management team role in more and more organizations.
And when you think about security, is it just about managing risk or does it play a part in unlocking opportunity?
That's like, when I step back and think about like what happens inside a company, to me, people are wearing one of two hats.
They're either driving opportunity or they're managing some downside risk.
Yep. Yeah. I mean, you're either a profit center or a cost center, right.
At some level, I think that, again, I know Cloudflare really well.
And I think one of the things that's unique about us is that, you know, we're building security products.
And so I think we lean heavily on your team to help inform and design and sometimes engineer those products.
And I think that the products that we build that are the best are the ones where Cloudflare is the first customer of those products.
And so, you know, it's something that we've talked about a lot, but dogfooding our own products, you know, Cloudflare being the first best customer of everything that we build, is important.
If you're a jewelry manufacturer, you know, helping build a better safe is exactly what you need.
But, you know, there are certainly other... you know, if you're making aluminum cans, you know, it would be harder to have the security organization say, you know, here's how we can, you know, build a better aluminum can.
So again, I think it depends to some extent on the organization and what it is that you deliver.
But I do think there is an increased awareness of the privacy and security risks from consumers.
And that does mean that there are more and more organizations where if you can say, listen, if we have, you know, better password security, that's going to increase our credibility with our customers.
If we can have better account security, if we can talk about how we not just, you know, we take your data seriously.
I mean, that just sounds, I mean, that's what everyone says, but if you can say, here's how we take your data seriously, here are the technical measures we've put in place.
Here are the ways that we're making sure that data is secure.
I mean, that I think starts to be something that's going to differentiate brands.
At least I hope that's the case. The piece that I fear a little bit is, you know, there's a lot of talk about how important privacy is and, you know, it is certainly embarrassing to organizations when they appear in the news because of, you know, some security breach.
What I don't know is happening quite yet is that consumers are actually voting based on that.
I think people make a lot of noise around it. And I used to teach a privacy law course to, you know, people who are incredibly passionate about, you know, their privacy, and they thought they were going to study this, and they, you know, they were that sort of, we delete Facebook and, you know, we don't use Google.
And then I'd say, you know, how many of you when you went to the grocery store used a supermarket shopping card, and everyone raises their hands still, and you're like, gosh, you know, that's, I mean, that's tracking you even more than anything else.
So I think the world is shifting that way.
I think that you can do that. I think in certain organizations, you can demonstrate and build customer trust through kind of exposing the security that you're doing.
And I think that that's a way that it can be positive.
But I don't think we're totally there yet.
I think it's still going to be... and I think it's actually good to be realistic about this.
You know, going into your first board meeting and pounding the table as a security leader and saying, you know, I'm a profit center, I'm not a cost center.
Yeah. Like I think I would sort of take a gentler approach, I think, as I did that.
And because I do think that while we are trending in the direction of the world taking privacy and security much more seriously,
we've still got a ways to go. Awesome. Well, I think this was a bunch of really great advice for security leaders.
So thank you so much for taking the time to do this video with me.
Thanks. Thanks for doing it.
And hopefully you're washing your hands often and healthy and safe and everything else.
All right. Thank you. Take care. Thanks.