SECURITY SPOTLIGHT - ‘How Can CISOs Succeed as Business Leaders’
Presented by: Arun Singh, Joe Sullivan
Originally aired on August 10, 2020 @ 12:30 PM - 1:00 PM EDT
Security leaders of today and the future are expected to be not just technology leaders but also business leaders. To be successful as a business leader a CISO needs to master concepts including business, marketing, finance and more. Learn the core tenets that will help you lead your organizations as a business leader in this video -- Joe Sullivan shares his insights and experiences as a CSO.
Transcript (Beta)
Hello everyone. Welcome to yet another episode of Security Spotlight, where we're having thought-provoking conversations with different folks from a security background, professionals, leaders.
And today I'm joined with Joe Sullivan, Chief Security Officer at Cloudflare.
Joe, thank you for joining us. Thank you for the time today.
Arun, thanks for inviting me. Happy to be here.
Great. So the topic for today's discussion is how can CISOs be successful as a business leader?
Obviously, the role has been transforming a lot.
And before we get into the meat of the discussion, just to get to know you a little bit more and your journey here, share that with our audience.
So Joe, when you got started as a security leader, one of your very first roles that was there, what was that experience like?
Reality versus expectation?
Share that with us a little bit.
Sure. I'm going to mention a couple of different stops in my career.
My first experience as a security leader was actually as a federal prosecutor.
And once you get trained up as a federal prosecutor, you kind of walk into your first meeting and you realize I'm meeting with a bunch of law enforcement officers who have guns and who go and make risk decisions all day long.
And they're looking to me for guidance on what to do and where the boundaries are.
And you quickly realize that security is hard. You have to make judgment decisions all the time.
And a lot is weighing on those decisions.
Same thing happened when I moved from government service into the private sector.
I went to eBay and I immediately started running an investigations team.
And when you're running a team like that, there are constantly questions about, is it okay to look at this data?
How far should the investigation go?
What should we focus on? How do we protect our customers? And one thing you realize is that you can't do your work in a vacuum.
You have to understand the broader context of the law, the rules, the impact on customers, and how it all fits together.
And I think every security role I've had since then has made me think more and more about my responsibility to kind of zoom out from the issue that I'm working on and think about the broader context.
So yeah, with great power comes great responsibilities, as they say.
Great. Thanks for sharing that. So let's take it in present day context. To say that the role of a CISO has transformed a lot is quite an understatement, taking into account the world that is there today.
But a key aspect of it is that the chief security officers, the security leaders have to transform into a business leader role.
And there's a different expectation from them, from their stakeholders, which is the executive leadership team and others.
Share some of your thoughts there as you went into this role, transformed your role into a business leader.
How did you see those expectations change?
Yeah, I think the expectations of security leaders have changed dramatically over the last 10, 15 years.
So I first, after that role at eBay, I moved into more senior roles there and at PayPal and then became a CSO at Facebook in 2010.
And after that was a CSO at Uber and now at Cloudflare. And so looking at what I've seen over the last decade in terms of the expectations of the role of a security leader inside a company, I think they've changed dramatically.
Partially it's as a profession we've grown up and we're doing more and we're doing better inside of organizations.
But more importantly, the world around us has changed and expectations of organizations and their investment in security is much bigger.
There are data breaches, security issues of every kind.
CEOs are held accountable. Boards are asking more questions. There are a lot more regulators looking at cybersecurity.
There are a lot more governing standards.
And so there's just a lot more structure, process, scrutiny from the media and the public, higher expectations all around.
So it's fundamentally changed in the last 10 to 15 years.
And so when I was chatting with you last on this topic, you were mentioning that there are certain chief security officers who are getting into this role.
This is the first time being as a business leader, going, talking to board executive management.
And you were sharing one of those conversations.
Can you give us a little bit of a crux of how that conversation went?
Like if I am a chief security officer, I'm going to present to a board of directors and I call my friend Joe Sullivan and go like, Joe, give me some tips on how I can be better.
What would you say?
Well, I mean, it starts with having a strategic vision.
Look, everyone in security has one primary job. That is to manage the risk of a security incident, anticipate it, do everything you can to prevent it.
But then if you can't prevent it, make sure that you have the processes and people in place to respond well to it.
I mean, that's just the core job.
We set up a bunch of control frameworks, what have you, to kind of make sure we're thinking about security and anticipating all the risks.
And then we try and reduce them.
And if we fail, we respond. So every security team is doing a version of that.
But there's more to the job than that. And there's also ways that you can do that job better.
And so that's what I focus on when I talk with other security leaders.
I try and ask them to step back and think about what is the company that you're part of?
You can't, like, not all security teams are the same. And their mission isn't the same because their companies are different, or their organizations are different.
So for example, if you're in a consumer-facing business, then you have obligations to help think through the impact on the consumers.
If you're in a business-to-business context, you have different factors to think through in terms of expectations of customers.
And if you're in one company, the crown jewels that you need to protect might be intellectual property.
And if you're in a different company, the crown jewels might be customer data.
And so you really have to look at your environment and build a customer strategy.
And then the third part of it is you need to inspire the company to want to do security well.
And that's, like, the general counsel is there to champion the rule of law inside the company and kind of best practices there.
And same thing with the CFO in terms of financial discipline.
And it's your job to be the champion inside your company around doing the right thing around security.
And so that means coming up with a strategic vision that doesn't just bring your security team along, but brings the whole company along.
And so I think about it as part one, yeah, let's figure out what the risks are with my team.
But don't stop there.
Start talking to the other executives at the company and learn what they care about.
Learn where the company is going so that you can together make good security decisions.
My favorite thing is when another leader at the company steps up and does the right thing on security and my team and I didn't have to say anything about it.
That means that we've set the right culture and expectations.
And if I can get someone else to do the security work, that's great because there's plenty more security work that my team and I can do.
Yeah, you create that awareness and then it's kind of a force multiplier within the organization, right?
But as you're talking about the different stakeholders, different audiences, one thing that the security leaders of today have to be very cognizant about within an organization, within their organization, is that there are different target audiences that I'm talking to.
I'm talking to a CFO, I'm talking to a CEO, I'm talking to some other executive, and it's very different language, very different narrative that I need to have.
All right, so what are your thoughts on that?
Yeah, this is a great point. When I started out, I remember when I first became a CSO, I thought I was doing a pretty good job after a couple of years.
And then I worked with an executive coach and she worked with me to understand kind of how I engaged with my company and my team.
And she said, Joe, you spend 95% of your time inward facing, focusing on your team and 5% out engaging the rest of the leadership team.
I want you to flip it. I was like, what? But my job is to make sure my team handles each little thing really well.
And she said, you've got to trust your team more.
As the executive, you need to get out and understand the business more and understand your executive partners because you're a group of, you know, the executive team is a core group of people who run the whole company.
And each of you needs to understand how all of the different parts work to do your part well and to steer your team into that, you know, that bigger thing.
You know, it's not, you can't build just the wheels of a car without understanding how they connect to the, you know, to the rest of the vehicle and where that vehicle is designed to go.
You have to understand how all the parts fit together and security is, you can't do it well unless you understand what the risks are that the company is willing to take and what are the areas that the company wants to prioritize and be perfect at.
And you're not going to learn that just inward focus with your team.
And so this is a topic I spend a lot of time on thinking about after that coaching experience.
And I've really tried to turn myself around and engage with the different executives at my company.
And it was hard in the beginning.
I remember feeling like these people are so important. They have big responsibilities.
You know, the CFO, you know, has to get all the numbers right. And they got to stay on top of and work with sales to make sure that, you know, their projections for the future are right.
And they need to make sure that we all know what can be in our budget and what can't.
And I don't want to take up that person's time.
But then I realized that if they understood my world and I understood their world, we'd both do a better job.
And so I started spending time with my CFO, my general counsel, the CTO, the CIO, and building relationships.
And it started to pay dividends very quickly.
One is I understood their world and it made me a better leader of my team because I could tell the team what to prioritize.
But it also meant that when I had to talk to the other leaders about security issues, we had a relationship of trust built through time working together.
I was recently doing a session mentoring some less experienced CISOs.
And one of the pieces of advice I gave, one CISO said, I'm having trouble engaging with the sales team because I just keep asking them to do security things and they don't really want to do them.
And I suggested, why don't you next time you go meet with the head of sales, ask them, how can I help you?
You know, and this CISO did that and then emailed me a few weeks later and said, our whole relationship with sales has changed.
And the reason was because you're building a relationship that goes two ways.
And a lot of time in security, we fall into the trap of being the team that only shows up to ask other people to do something.
And we never show up to ask people to help if we can help them.
And you got to turn it around because at the end of the day, that's all we're here for is to help the rest of the company.
And yet we were suffering from a brand deficit in that regard.
Yeah. And so when I look at it, you touch on a really good point that the security professionals and security leaders, they cannot be just custodians of risk anymore.
They have transformed their role into business growth, enabling business growth and things like that.
And as we are, I'm thinking about bringing these audiences together.
I can imagine like to a CFO, a security leader going and saying that I'm not a cost center.
The money that you are investing, I'm saving your money somewhere else.
Is that how the conversation with different audiences should be or?
Yeah, you're exactly right. I've learned this.
So I've had the good fortune of managing a lot of different types of teams over the years.
So I've managed product and engineering groups and even teams that worked on real estate and a team that managed the front desk of our offices.
And in every context, you have to think about what is the role of that team and in supporting the growth of the company.
And you also have to think about as a security leader, you have to think about your audience.
And so you mentioned the CFO.
Let's talk about engaging with the CFO for a second. I got a really good understanding of how to talk to a CFO when I managed a fraud team.
Because when I managed a fraud team, we had very good success at taking the fraud rate down to say 40 basis points.
And the CFO said, okay, I've given you $500,000 to invest in your team.
And you've taken it down to 40 basis points. I will give you $500,000 more if you could take it down to 30 basis points.
And I went back with my team and I was like, we could double our head count and budget here if we could get to that result.
And the team was like, oh yeah, if you can get that much resourcing, then we could really have success.
There's a lot we could do. And the CFO gave me the money and I gave back to the CFO double that money by savings and reducing fraud.
And it taught me a simple lesson.
The way the CFO thinks is I will spend $1 to turn it into $2 over and over again.
The problem a lot of us in information security have is we don't have that direct correlation between if you spend money on security, you see the savings concretely the next day.
It's not as explicit as sales or something like that.
Give me $1, I'll turn it into $3. And so in the fraud context, I could take $1 and turn it into $2 in savings and everyone could measure it very clearly.
In information security, it's a little bit more difficult. There's some frameworks and theories out there right now in risk where people are getting more granular, but I haven't seen any that just are totally convincing to the CFO.
But fundamentally, at the end of the day, when you're talking about the CFO, it's about dollars.
And so you've got to figure out how to articulate why a greater investment in security will actually lead to savings and we can quantify risks to a certain extent and we can talk about the different ways.
And then we can show the CFO that each dollar is spent as well as possible.
So that's how you talk to the CFO. But your CMO isn't thinking like that.
So if you're talking to someone on the marketing team about security, you're talking about something different.
And so to step back, we have, I think, a really good security team here at Cloudflare that I'm proud of, that I've been the leader of for two years.
When we talk about our team to ourselves and to anyone else at the company, yeah, the first thing we talk about is how we're focused on identifying and reducing risk, like I talked about.
That's our bread and butter.
That's what we do. But we also talk about, for our team, we talk about two other things.
Number one, we talk about innovation. We know in a place like Cloudflare, innovation is an important word.
This is what the company lives for.
Half the company is product and engineering, building new things for our customers.
And we're a security company. And my team can be the number one customer and help innovate on our products.
And so we talk about, use Cloudflare to secure Cloudflare.
Let's dog food every new product.
Let's get in the weeds. Let's tell all the product and engineering teams how we think it could be a better product.
So that's a pillar of the identity of my team, that we care about innovation.
And then we have a third leg in our security stool, which is sales enablement.
I mean, we all come to work every day at Cloudflare in hopes that we can build products to sell.
And so I think a security team needs to recognize that and fit in the context, the broader context of we're a company that is building products to sell to customers or give away in some cases to customers.
And that means really good security products that we help sell. And so my team spends a lot of time on sales enablement, whether it is going and getting security certifications that show people our commitment to security or getting out there and doing a customer call to explain how our security systems work so that customers can trust us.
And so when we talk about our team, we talk about doing security well, but innovation and enabling the business.
And that's the culture of the team.
And when other teams inside the company see that, they're excited to work with us.
And that means that if they're excited to work with us, then they're more likely to do the things we ask them that help reduce risk.
And it's a virtuous cycle.
Yeah. So that is so far away from what it used to be, where it was just security leaders and professionals just looking at identifying risk, mitigating risk, to now you're talking to CFO, talking about cost savings, to head of engineering product, I can help you build products faster, not just faster, but better products.
So all of this is a massive transformation. And for, as you mentioned, you coach a few CISOs who are getting into this role.
Let's talk a little bit about preparing for this role from two aspects.
One, that what would be your advice to CISOs or security leaders who are coming into this position and transforming the role?
And second, maybe lend a few examples of your own experience that when you were preparing for this kind of a role, maybe it was a better communicator, but maybe it was learning their business a little bit more.
What steps did you take?
Yeah, those are important things to think about. So let me start by saying one of the dangers that I see in a lot of the security profession is that people get siloed.
We're very intentional on our team to not let our employees get siloed.
But I see it too often in resumes of people in security that they started out as an incident responder or in a SOC, and then they worked their way up to running a detection and response team, but they've never thought about infrastructure security or product security, or even some of the compliance frameworks.
So to me, step one is try and make sure that in your security experience, you are a little bit nimble and worry less about taking a fast path to the top and learn and take interest in all the different aspects of security around you, because once you get to leadership, you're expected to understand them all.
But then that's the basics, right?
You understand security, but you also, like I said, need to understand the business.
And so that's where I think you have to get outside of your team and your organization and really do different things.
Myself, I've, like I remember when I started having to interact at my first company with a bunch of other business leaders, I learned that they lived their lives in PowerPoint and slides.
And so I went to home, I think I went to Office Depot and took a course at night for a couple of weeks on how to do PowerPoint well, because I just didn't want to like, I was showing up with these very basic presentations, and I couldn't figure out how to get slide transitions to work or whatever.
And I just needed to learn it. And then a year later, I did the same with Excel spreadsheets, because as you start to manage teams and budgets, you need to understand how that works.
And then a little bit later, I took a class on understanding balance sheets.
And because if you work at a company, you need to understand where your budget fits into the bigger picture.
And so I've continued over time.
And funny anecdote, last summer, I was doing some recruiting for my team. And I reached out on a business social network to a potential candidate, and she responded and said, I'm not available or interested right now.
And I said, why not? And she said, because I've decided to put my security career on pause to go get a master's in business.
And I said, why is that? And she said, because I don't think you can be an effective security leader without understanding the business and being able to put it in context.
And I thought, she's spot on. And she and I had some conversations after that.
And she's helped do some CISO mentoring with me.
And the thing I realized is that after spending my adult career in this profession and inside companies and leadership roles, I kind of have like the equivalent of an MBA from life.
And I think that a lot of people in the security profession could really benefit from thinking through and looking at the course catalog from an MBA program and taking some of those classes because you really do need to understand and put security in the context of the business.
Yeah, the nimbleness aspect is so important in any role.
But I think the role changed that security leaders are going through.
It's so seismic that the nimbleness is so key.
So a couple of other things that I wanted to ask. One is that, okay, now I understand the audience.
I've prepared myself by knowing a little bit more of the business tools.
Now I step in. I've got the background, I have learned some tools and I step in.
What would make me an effective business leader as I get into the role?
Sure. Over the course of the last few months, as we've been going through COVID times, my team is all remote.
And one of the things we as a company started to do was some fireside chats where we'd bring in outside experts to talk to the company.
And that was just to keep our education and development going and keep us engaged in things other than the daily job, even though we were all kind of like sheltering in place in different places around the world.
And we started doing that for my security team as well.
And one of the interesting things was I had a CISO speaking, and she's a very impressive CISO who also has grown into now running product and engineering at her company.
So not just the security team, but all of technology.
And I asked her a question like this, what is the skill that you have that's a superpower that you were surprised would be so valuable for you?
And she responded, writing. She said, writing has been critical for my success.
And I would expand that out to say communication. So much of our job as a leader is about communication.
I think the two most important skills for an executive in the security profession are good risk judgment and the ability to communicate.
We have to inspire our team. We have to engage with other executives.
We have to articulate risk in a way that other people understand.
We have to learn the language of the business. We have to learn the languages that all of the other leaders speak.
Too often, we fall into security acronyms and forget that we're speaking with people who don't know what IAM or SIEM or any of those, all of those things mean, and they don't care and they don't want to learn them.
And so we need to go to, if we're going to bring them along, we need to go to their space and speak their language and communicate well with them.
That is so true, Joe, because now that you're saying it, I almost realized that in my social circles, like through social media, LinkedIn and others, I don't really see that many CISOs penning their thoughts down or writing an article that, you know, there are a few that write really well, but you're right that a majority of the security leaders should be having that skillset of writing really engaging aspects.
Yeah, we just have a tendency to go to what we're comfortable with, which is kind of the language we use with our teams.
I got trained the opposite early in my career.
As a federal prosecutor, I was standing up in front of juries trying to explain complicated cases to people who weren't subject matter experts, especially when I started doing technology cases.
If you're trying to explain the theft of a trade secret or something like that to someone who doesn't understand an industry at all, you have to figure out how to take it up to a higher level.
And I think that's a critical part of what we do, especially when you start talking about talking with the other executives, your company, and even more so when you're talking to your board.
Yeah. So the other thing I always feel from a perspective of what keeps CISOs up at night, right?
And I think we all now understand what keeps CISOs up at night from a perspective of oh yeah, of course there shouldn't be a breach.
My company should become the headline in tomorrow's newspaper and things like that.
But what keeps CISOs up at night as a business leader? That's a very different question, though.
Well, to steal a line from the musical Hamilton, I think it's to be in the room where it happens.
The most important part of risk judgment is having the context and being involved when the decisions are being made.
The worst case scenario that happens in security too often is a big business's decision is made without security being factored in.
And then you're invited at the last minute and you've got to figure out how to bolt on security solutions.
And it can be in the launch of a new product.
It can be in a merger and acquisition context.
It can be as simple as the decision to terminate an employee. There are security implications from all of those decisions.
And if you're in the room when the decision conversation is happening, you can influence the decision.
You can prepare everyone for the security risks and you just get to a much better place.
And so what I see, like if I'm able to be in that room, my team can be much more effective.
And the CISOs who don't get invited to that room, they don't have as good a risk judgment and they're late to the game.
And I think to your earlier point, like if the security leader has done the job well and you have made each one of your executives an advocate of security, so hopefully even if you're not in the room, the right decisions are being made, right?
So that's critical. Okay. In the last minute that I have, because we started this conversation on a very personal note with you sharing your background in security, how you got started as a leader in security, looking back at that journey, what would be one piece of advice that you would give to yourself in that situation when you're starting out in that journey?
Or one thing that you would change, either way that you look at it?
Yeah, it's something I touched on earlier.
It's that courage to go out and communicate and engage with the other business leaders.
Like we can't say security is just a risk and it's not as important as everything else.
Security is as important as everything else to the success of a company.
And we have to believe it and we have to show it in our actions by having the courage to say, I'm going to schedule time.
I'm going to have a recurring one-on-one meeting with our CFO and I'm going to have a recurring one-on-one with the general counsel.
And I'm going to have that with the CEO and don't wait to be invited.
I think that's the part is we all hope, okay, they'll realize there's a security issue and they'll invite me to the meeting.
No, they won't. When you see that that meeting's happening, you invite yourself.
That's the thing that it took me a while to get the courage.
And if there's a security related meeting happening at my company, I'm showing up whether I was invited or not.
So be proactive, be courageous, be bold, kind of what the new security leaders have to embody.
Absolutely. That's great. Such a positive note to end our conversation.
And Joe, thank you once again. Always pearls of wisdom that I get from you every time I talk to you.
Thank you for taking the time and thank you for joining us.
All right. Thank you.
And thank you everyone for joining us.
We'll be back with one more episode of Security Spotlight very soon.
Thank you.