In this episode of the Exabeam Podcast, the host, Steve, and guest Chris Ard, discuss the more human aspects of the CISO role, effective leadership, and how complacency can be a dangerous quality.
Work-Life Balance
The first topic we covered was finding a work-life balance that benefits you and your family. Chris spent twenty years working for Microsoft, traveling all over to companies with major security breaches and helping them control the situation. Although he learned a lot and loved his job, he realized he barely spent any time at home, and when he did, he was always on calls. We discussed how easy it can be to settle into a role that you enjoy, but then end up remaining in your comfort zone. Once Chris acquired a new job did he find himself growing once again and spending more time with his family.
Good Talent, Bad Breaches
Spending two decades assisting different companies, Chris picked up on an interesting discrepancy between the talent and the security breaches. While breaches happen to everyone, some seem completely avoidable or like a mistake. As we talk about, many companies hire talented, intelligent people—and yet these preventable situations occur. Chris weighs in that many times, leadership can influence the strength of the security. If a CISO is willing to accept cookie-cutter systems as oppose to implementing a more holistic approach, their security can suffer.
M&M Model
Chris outlines a great metaphor for the condition of many security measures—the M&M model. The team has built a hard exterior with a soft interior, meaning, once an advisory has breached the initial wall, its free to move about in that environment with no obstacles. Listen on to hear more about how this happens.
Bad Actor Residency
We also speak on how it can sometimes take not just weeks, but sometimes months or even years to detect bad actors. We point to reasons why adversaries can remain in an environment for so long, and how teams or companies can overlook root causes.
CISO’s Ownership of Breaches
In today’s episode, we also pull outward to look at the hiring and firing system of CISOs and how it may not be the most effective system. When there is a breach, the CISO often takes the blame—but so much so that they end up having to leave. The issue with the CISO leaving is that they can never learn where things went wrong for that program and work towards growth. Listen on to hear about the teams Chris has encountered that do not get rid of their CISOs and how this effects their security overall.
Invested Leadership
The extent to which a leader makes an effort with the rest of the team has a surprising impact on how well that team performs. From sitting down with junior analysts, to receiving less filtered information, CISOs can transform how their team handles a crisis just by getting to understand them and their concerns prior to that crisis. Additionally, we touch on the commonality of leadership being pressured to alter assessments to fit certain initiatives.
Marathon or a Sprint?
The intense schedule of any CISO causes us to ask if this job is really a marathon or a sprint. In a way, you have to maintain the energy for daily tasks like a marathon, but in other ways, you burst towards the finish line while trying to stop a crisis. In thinking about the CISO burn out rate, we debate on how more problems can arise if one side is neglected, or if the team communication breaks down, leading to wasted energies. Hear about our different opinions on the matter in this episode.
Pen Testing and Compliance
A great point that Chris brings up is the failures of the pen tests,
