HALOCK Radio - Ep05 with Preston Rich (2024)


Watch the podcast interview with Preston Rich and HALOCK Radio host Terry Kurzynski on CISOs, teaching security, and Duty of Care Risk.

TRANSCRIPT

This is the HALOCK Security Leadership Podcast.

I’m your host, Terry Kurzynski, and I am joined by Doctor Preston Rich. Do you go by doc? Go by Rich? Doctor Preston?

Preston works.

Preston.

So, you know, Preston, in kind of doing a little research for this podcast, it looks like you’ve been either associate professor, adjunct professor, or visiting professor at, like, over a half a dozen or more organizations. So tell me, how did that start? How did you get into that?

Well, when I graduated, when I got my MBA, I was looking to be an adjunct somewhere because I was actually working on my PhD and writing my dissertation. So I felt, well, I have an MBA in strategic leadership. Let me go and teach. And the only place that would hire me at the time was a community college. I went to the community college, and one of my professors, let’s talk about relationships.

One of my old professors that I had ten years before, when I was getting an associate degree, Randy Waterman, she said, hey. I remember you. And she hand-walked my resume to the dean of business. And she said, I’ve known this young man. I’ve taught this young man. Give him a shot.

And usually they hire adjuncts in the fall. I was actually hired in the winter, which is in between the two falls. Yeah. And I was put on, and I was an adjunct.

Doctor Linda Marable gave me a shot at Richland College, well, it’s called Dallas College now because they put all the campuses together. And I started teaching in the business department, Principles of Management and Principles of Supervision. And I did that from 2008. I did that for twelve years. I went to Richland College.

I taught at Dallas College, then I went to Collin College because I actually live in Collin County, a little further north. And I actually graduated from a Dallas college called Eastfield when I got my associate’s.

Okay.

So I went to Collin College, and I had applied several times.

And one day, I called a lady to say, hey. I see this advertisement here for an adjunct for management. I put my application in there four times. Nobody’s called me. Do you know the dean or somebody, anybody?

They gave me a number to Doctor Christine Delatorre, and she called me. She said, hey. I heard you wanna teach here. Go ahead and apply. I said, I have four times. And she goes, what? So she goes back and looks in the archives, and quite frankly, they changed systems from one system to another, so all the resumes didn’t come over. They were going through a conversion. So she went in and pulled out my resume and gave me an interview, and I started teaching there.

And then after that, well, in that time frame, I earned my PhD and graduated in 2014, and I still kept teaching there, but my whole goal was to go to a four-year university. And it was in 2020, right before the pandemic, where I said, I’m resigning from all community colleges, and I’m gonna apply to some four-year universities. And I applied and got picked up. Parker University, then DeVry, and then Grand Canyon, and then Purdue.

So, well, what I’m getting is a lesson in persistence because you didn’t give up on any of those pursuits.

Yeah. Yeah. Persistence and, you know, building relationships. You know?

So you gotta understand about building relationships with people. I mean, again, the whole reason I got into it was because I was sitting as a student in one of my professors’ classes, who happened to still be at the school when I went to the job fair to say I wanted to be an adjunct. So they gave me my first kick in the door, and I’ve just been doing it ever since.

Well, let me get into some of the curriculum stuff.

So I know you mentioned, you know, business material, business major kind of thing in the beginning.

Mhmm.

In the last, you know, ten years, it sounds like it’s been more, you know, you and I talk more cyber and information security related. Give me an idea of what that curriculum looks like and, you know, what’s being taught now.

Well, I’ve run the gamut. Usually, you get into business and info technology courses.

Yeah.

And when you’re new, they start giving you networking courses. Right? So, hey. I want you to do the networking course. And then what I used to do is when I was

Do you mean networking people or networking and computers and technology?

Computer networking. No. OSI model. Got it.

This is a router. This is a switch. This is the firewall.

So I was teaching that, and I saw that there was a hole. There was a gap there. So I was teaching them about firewalls, but I’m like, well, do you know what this firewall is supposed to do? They were like, well, no. We don’t know. And then I started introducing ports. And then I said, well, they need to know about ports. And I talked to my folks. I’m like, we need to put something more in here about common ports and why you do this and why you do that, and controls. And it went from there to, yes, do controls, to, well, the first thing you need to do is figure out where you’re risky.

Well, how do we do that?

Well, we need to have a risk assessment. And then that whole thing, from the middle of the semester to the end, I tied security into every piece of my networking assignments. And so the dean said, you really like security? I’m like, yeah. So he started giving me security classes. But it was a thing where what we’re missing is that we tell the students that information security is very important, and we tell them IT is very important. But we never tell them there’s a difference between the two.

Yeah.

There’s a difference between the two, and they work together in a symbiotic relationship. However, you need to ensure that when you’re implementing networking, you’re implementing security with networking. And as we’re going faster and faster and getting more products and more products out there, you should not be able to deploy IT infrastructure without considering security.

Let me ask this question.

So I’ve been in cybersecurity since the nineties.

And Mhmm.

You know, early on, there was, you know, you had kinda networking people. You had application dev guys. Maybe you still had mainframe and mid-range guys around. You know, they all had their boxes, and the security guy was responsible for security. We all know that that doesn’t work. Everyone has to have and think about their integrated security component. Everything we do has to have security.

But from your perspective in the schools, when did that mind shift? You know, did you witness when that may have happened? Where and when, or has it even happened in the schools, I guess?

It hasn’t happened yet, Terry. I hate to tell you that, but it hasn’t happened. I mean, we have courses. If you don’t have a particular professor that has actually been in the field to actually do that, they don’t get that piece. You know? The students don’t get that piece. They go straight by what the syllabus says. I go by the syllabus, but I have to integrate the security into it. And, basically, that hasn’t happened yet, but I do have some appointments with some course developers to say, hey. The next time you guys edit this course or review this course for additions, let’s talk about putting security in. And it’s very refreshing to see schools like Purdue and Grand Canyon saying, yeah.

Well, they can see the light in the tunnel, but they don’t know how to get there. So it’s more of a thing where I take off my security hat and put on my organizational management PhD hat, and I say, okay. Here’s the structure of the organization. We need to change the structure of the organization to foster information security or cybersecurity, whichever one you choose, to be just as important to the organization as HR. It’s a staff function. It’s not a line function. Much like HR is a staff function, overarching.

Yeah. One of the CEOs, I can’t tell you the company, one of the CEOs came to me and said, why do you make it seem as though cybersecurity is so important, like HR, when really it’s just something that’s under IT? I said, well, if one of your people goes out and violates HIPAA or violates a civil rights act, or civil rights law, what happens? He says, well, we get sued, and we lose a lot of money. I said, okay. If somebody breaches your organization and breaches your network and steals your data and shuts your data out and forces you to pay a ransom to get it back, what do you have to do? He says, I probably have to pay a lot of money. And then when you get your data back and your customers find out that you were the reason why their data was breached and they sue you, then what? And he sat back, and he got it. He went, wait a minute. Security is in everything. I’m like, that part. And it’s no longer a thing where you can shove us under the IT line as a line item to say, well, that’s just IT. The Colonial Pipeline situation was one of the major issues and one of the major events in our history, recent history, where we saw that, Terry.

Yeah.

I, nerdy.

The silo of duties.

Is that what you’re saying?

Right.

It’s the silo of duties, but, you know, this is the reason why I like this podcast because you’re talking about a new concept. You’re talking about cyber leadership.

K?

Cyber leadership is a new concept that needs to be built on in the schools. And you asked about, well, how do we integrate that in the schools?

This is how.

This is called cyber leadership. There is cybersecurity. There is information security. There’s leadership. There’s no thing that brings them together. You do have CISOs, directors of information technology. You have, information technology staff members or what have you, but you don’t have anyone with cyber leadership.

And I’ll tell you where this example was, and you can go look at it. When the Colonial Pipeline was shut down, there were so many things that happened there. Judging from the answers that I was hearing the CEO and their representatives say, I said, some things might not have been in place according to NIST 800-82 revision one, two, or three, whichever one they wanted to use. However, if you recall, they had to go to a hearing for the House of Representatives, Yeah, and for the Senate. And one of the senators, one of the congresspeople, asked them, do you feel cybersecurity is important? His answer was, yes. Why? We spent such and such dollars on the IT budget. That was our IT budget. Now to you and I, that still didn’t answer the question. No.

But to the congresspeople, that answered the question.

Why?

It’s because they don’t really understand cybersecurity from a standpoint of how cybersecurity is being run, which goes into one of the courses I teach at Grand Canyon about cybersecurity law and privacy practices and what have you. And we talk about the difference between cybersecurity law, or law period, and why it’s so hard for it to catch up with cybersecurity.

Obviously, the SEC is starting to put some things in place, and people are losing their minds. Like, well, we shouldn’t have to tell, and this is an incident. Well, you don’t have to tell the details of it. You need to talk about how you’re managing it. You know?

Correct. And who’s responsible for that?

Now there’s a lot of people who have the authority to handle that, Terry.

But the people who are responsible for that are the leaders.

And if you’re not well versed in cybersecurity or specifically trained in cybersecurity, a CISO, a you, a me, then they won’t know exactly how to handle that, and they’ll force it under IT and say, go do that, CIO.

I mean, don’t you I do a lot of board presentations. Right?

And I get the feeling that most of them, up to the point before I met with these boards, look at cybersecurity almost like a foreign language.

They don’t know what is being said at all.

Oh. And you’re right.

That’s one of the major things that happened with the Target and Home Depot breaches. What research shows is that in both of those breaches, there were some precursors, some things that gave them a heads up, so to speak.

But because the tech folks, for lack of a better word, could not translate that to the business, to the C-suite, the C-suite was not adequately told about the severity of the vulnerability. They did not understand the severity. I have to believe that anyone who is responsible and who wants to take due care and actually do things as far as due diligence, specifically when you’re talking about boards, would take actions to protect the organization. If someone comes to a CEO and says, hey. If you don’t do this, then this will happen. Not in a thing of doom and gloom, the sky’s falling, nothing of that nature. But to translate it to a point where a CEO will understand this means that.

Bingo. That’s right.

Yeah.

Well and I think that’s how we initially connected up was on Duty of Care Risk Analysis (DoCRA).

Right?

Our common interest as practitioners is duty of care risk and the Center for Internet Security Risk Assessment Method (CIS RAM).

I think that’s where you and I Kumbaya’d over that.

Well, and going back to the Target case, you know, Judge Magnuson on that one basically proclaimed that was a plain old negligence case, that the leadership was negligent in its obligations to perform duty of care in protecting not just the customers,

Mhmm.

but everyone that could be impacted by how they do operations. You know, that was what he ruled. Yeah.

Right.

Well, that’s one of the reasons why I’ve done risk assessments, obviously, using 800-30. But, you know, I really like CIS RAM because of the fact that, especially when we’re just talking about, like, an IG1 assessment, Yeah, you’re actually looking at impact in three different areas.

Right?

So you’re saying impact here, impact there, but also impact to reputation. And you look at it like, well, it might not affect operations as much. It might not affect this as much, but it affects the reputation or the other organization, or it might do harm to that client.

The mission, objectives, and obligations, the central fundamental core concept of the CIS RAM?

Yes.

As opposed to being one-sided. As far as, you know, I’ve used 800-30 a lot. That has its place as well. But the reason why, and usually when I do it, I take that piece right there and go over it with the executives to say, I don’t want an IT person answering that. I want a business person answering that because I wanna see how someone having a lost laptop affects your mission, your objectives, and then your obligations.

Yeah. Yeah.

And when they get to the data part, I sit and watch, and they go, woah. If our data’s gone or compromised, then how do we protect our customers? I’m like, that part. They’re like, oh, man. And then there it goes up.

Right?

The severity goes up, and all of a sudden, they’re like, oh my goodness. And then when they go down through the controls, obviously using the spreadsheet to go through the controls, it’s glaring. There’s a red nine sitting there, like, oh, wow. It didn’t affect my mission, but it affected my obligations. Well, since that one’s a three and this one’s a three, and three times three is nine, now they’re like, oh my.

And I hate to say it like this, but it’s beautiful for executives to see red, yellow, green. That’s just what they, you know, that’s what they see as a result. They’re used to seeing that. You know? Am I good? Am I not good? That’s all it is: are we good? That’s right.

Good, what the problem, and what do we need to do to get to good?

Right. Right.

And you have to have, but see, Terry, and I know you’ve been in as long as I have. You, probably longer. You see both sides of security. Right? Yep.

You see the person that comes from the we’re locking everything down. You know?

This guy, he used to work at Tays, and now he works at Safeway. And the scanners won’t work. Why? Well, our new system locked everything down, and you’re like, what? And they go in and they implement the controls or what have you, or the policies and procedures, without doing a risk assessment. Because

Well, and that’s balancing the business need.

Right? That part.

It’s a thing where you wanna do common sense information security. Right? You wanna make sure that you’re protecting the right thing. You are putting the money in the right place. I always tell my students, if you have a Lamborghini and you have a garage and you have a Datsun B210, and in the garage you have the Datsun B210 sitting with a steel door, cipher lock, plus a guard standing outside and a Doberman at the back door. That’s over-secure.

But your Lamborghini is out on the curb. So you have the tools and the resources to secure something, but you’re securing the wrong thing. And I ask them, well, if I stole your B210, how would it affect you? Oh, well, if I stole your Lamborghini, how would that affect you? Oh, that would cost me this. I would lose money. I would do this. Right. So it would make sense to put the security on the thing that you value the most, that is the most valuable to the business. That’s the part, Terry, that the CEOs never seem to get because, one, usually, the security people are buried under the CIO. And in a lot of colleges and universities, they’re buried under the CFO. As a matter of fact, the CFO runs IT. And a CFO only thinks what? Dollars. How much can we get by with, maybe one percent or two percent less than you spent last year, right, versus what’s needed to actually get to an acceptable level of risk.

And, you know, let me take this back to the college theme because, okay, how much of this, under this governance kinda risk management, getting to an acceptable level of risk, reasonable controls, burdensome controls, all these concepts are actually fairly, kinda, you know, newer as far as the lifespan of what cybersecurity has existed. These are recent, you know, in the last five, ten year type concepts.

How much of that is even discussed at the universities right now for the kids?

Well, I can only speak for my class and for the classes that I teach.

Yeah.

It’s not so much written into the curriculum.

Yeah.

It is written into some assignments, but unless it’s a risk assessment class, there’s nothing that’s highlighted to say, you need to be thinking about this security. We don’t see that much because of the fact that the developers and the professors, you gotta understand where we get our professors from.

Right?

So a lot of the professors that are there are old school computer scientists, and they’ve been teaching in classes.

DBA?

Yeah.

They’ve been teaching in classes for twenty years, and I don’t wanna take anything from them. They have several publications in journals or what have you.

Great. But I was doing it today. So I’m bringing it to my students to say, let me tell you about this. So, to answer your question, how much of it is in? Not much, unless you have a professor that has direct experience with that. And I do know some of my colleagues who have direct experience with it because we both work together.

You know?

We’re the folks that are the CISOs by day and college professors at night. You know what I mean? So we don’t do that. However, the Grand Canyons, the Purdues, those colleges and universities are always querying us to see how they can develop courses that meet the student where they are and then provide the student what they need to get a job when they leave. And that’s the key, Terry.

So let me ask. This is a very, very important question, and I guess I wanna make sure that I understand what’s happening in universities, but also just to let our viewers know that I think this is a problem. How much in the compliance and standard space is being discussed?

So is there any awareness at all? And I think there probably is. But even in the professional space with my clients, I see this confusion all the time. Say, the HIPAA security rule. You know, one of the first requirements is to perform a risk assessment and perform ongoing risk management, and, of course, you get on to all the controls, etcetera. Clients literally think of it like that. They view it as another control. They don’t understand that the risk assessment, Right, is meant to figure out to what extent you implement the controls, Right, or which ones you even need to implement at all because you may have an acceptable level of risk.

Right.

The words reasonable and appropriate are right in the standard. Right. So okay. So I’ll tell you why. So I do a lot of third-party vendor evaluations for clients in my role as a CISO. And I have clients that the first thing they do is send me a SOC 2 report. They’re like, wham. Here, I’m compliant. I’m good. Right. And, you know, I wrote an article about this on LinkedIn.

Security and compliance, two different things. Yeah.

Compliance is not security. Okay? If you implement the correct security, you will comply with several different regulatory agencies or what have you. The issue comes in, specifically when you talk about the HIPAA rule or PCI DSS or any of those, because the clients don’t see the value of a risk assessment, because of the fact that when it is delivered to them, it does not relate back to operational objectives. So as an industry, we’ve done a really poor job in performing our risk assessments.

And I think that’s why you and I Kumbaya’d over DoCRA and CIS RAM, because of that new language that we’re able to provide the executive management team.

What I’m hearing is, with risk assessments, we haven’t done a good job in really communicating to the business side. That’s why they got disinterested in risk assessments in past years. So I think you were kind of explaining to me what you do to solve that?

And I know, again, we’ve Kumbaya’d, we have come together over Duty of Care Risk Analysis (DoCRA) and how that’s performed. But what have you done for risk assessments to keep the business engaged?

Well, the first thing I do is I use, obviously, the CIS RAM tool, which I find to be very, very, very, I don’t know, easy for us to actually display to the business. What I do is, when I do risk assessments, the first part of my risk assessment with CIS RAM is with the executives.

Okay.

I don’t include any of the tech guys, tech girls. And I go over asking them, the business folks, what is your number one? Define your mission, define your operational objectives, and define your obligations. And then I go into helping them to understand the inherent risk criteria, and I break it down based on the asset classes that are listed on the RAM worksheet, and they start to see how it works.

It’s a thing where, for example, I would say, if you lost all your access to your devices or your device was compromised, what impact would it have on your mission? And they were saying, oh, that would be devastating. Well, would it be devastating, or could you buy another one and come back up? And they’re like, oh, well, I guess it wouldn’t. Then when I get to the data, and let’s say it’s a school.

It’s a higher education. Yeah.

It’s a higher education.

Then all of a sudden, it’s, wait a minute. If they get my data, then that affects my campus, that affects my operations, but most of all, it affects my obligations because I have donor info. I have this info. I have that info, and I am obligated to a lot of state, local, and federal regulatory agencies that say you have to do this. So if my data is gone, the overarching damage that will go forward is catastrophic.

I’m like, that part right there. So then we step down, and I let them go.

Yeah.

And then they’re very interested in how everything else pans out. So they go away. I sit with the tech folks, and we go down the CIS RAM. And then when they see it on the worksheet, they go, but why am I more risky here? If you lost the device, it wouldn’t be as risky. But if you lost your data, it would be catastrophic. And then they look in the CIS RAM, and the entire set of safeguards listed in the number three control is red, and they’re like, oh my. I’m like, that part. And then we get into understanding, and they ask, you know, how do I do that? And I’m like, you need to separate IT from IS, and you need to establish governance and management. Governance is on your side, executive. Management is on their side. And especially in the situation of having a system, like a state community college system, I advise them to keep the governance up there with the state system and then push the management of the controls, the technical part, down to the schools. And I say, as long as you folks meet or exceed a valid, reliable, and defensible standard, you should be good.

So in all instances, I make them have a risk framework, a program framework, and a control framework. And here’s the beauty of that. Right now, the program framework that I suggest is the CSF (cyber security framework). But they can change out their risk framework. They can change out their control framework, and all of it maps because of the fact that governance is driving and then validating that the practice of the controls, which is strictly management, is being implemented. And then they realize, well, you know, hey.

The deans don’t want us to take away their admin access to their labs. Okay. Well, that’s when we get to do the work. We’re doing common sense cybersecurity. I’m like, okay. Well, most of these folks have these servers. Let’s put that on a teaching VLAN that is away from the outside world, and you guys can go and do whatever you wanna do on that as long as you meet these standards. Keep it updated. Let us know when it’s updated. Make sure you have the campus EDR client or agent on there, and then go from there. You know?

And those are the kind of situations where you actually have to have a CISO to kinda translate between the business and the IT, excuse me, the information security, without muddling it up with the IT. I don’t care how you use the widget. I just want you to be secure.

And so what I’ve heard is that the CIS RAM has helped you with that translation from the technical teams to the business. And this might be a good time for our little commercial break real quick.

So our sponsor for this podcast is Reasonable Risk. So I know you have a little bit of familiarity, as you’ve seen it, but it’s the only SaaS cybersecurity risk management tool that is based on Duty of Care Risk. So if you’re trying to automate CIS RAM, you wanna get out of spreadsheets, this is the only tool on the planet that can help you do that right now. So I just wanna thank Reasonable Risk for their sponsorship today, and thank you for spending time today.

But let me transition. So you gave us good background on all of your campus history. Take me up to the present, where you’re kinda CISO at large for a lot of campuses and maybe some other organizations. Tell me what you’re doing today as a CISO at large.

What I’m doing today is rolling out cybersecurity programs for all of my clients. All my clients are having my model of cybersecurity program implementation rolled out.

Yeah.

They come to me and say, well, we have to comply with HIPAA. We have to comply with PCI DSS. We have to comply with GLBA. We have to comply with all of these people. And what I say to them is, well, the first thing we need to know is how risky you are. The second thing we need to know is, do you have a policy to make sure it happens? Do you have the policy to make sure it happens today and the policy structure behind you to make sure you meet it tomorrow and beyond?

And that in turn dictates which controls you have in place. And a lot of them use NIST 800-71. They use NIST 800-53, and they found that it was a bit difficult. It’s hard. I’m like, well, yeah, it is.

But what I found for my clients is, when they’re using CIS, and I mapped it back to the NIST CSF, which is driven by the risk assessment or the results of the risk assessment, they get it. And so that’s what I roll out. I’m like, hey. You need this. And then all of a sudden, it lights up.

For businesses, it’s, so you mean to tell me I shouldn’t have this under the CIO? I’m like, no. You shouldn’t. You should have a CISO. Yeah. Because the CIO has all of that to do. I don’t have anything against the CIO. I used to be a CIO. But, you know, you need to have someone that has a firm focus on the one thing that is so small that can do the most amount of damage. You know, it’s not the fact that a server broke. It’s the fact that someone broke into the server, and now they’re all over your network.

You know?

So I introduced them to MITRE and, you know, the anatomy of an attack using the cyber kill chain. But I relate it back to the business to say, if I took away those recipes to your number one selling consumer good, what damage could I do to you?

Yeah.

Oh, it’s like that? Oh, it’s like that? Yeah. They don’t have to know the technical piece. They just have to understand what the impact is. Right? Right. That’s it. And the impact based on what they do.

So one customer, they do a lot of BYOD (Bring Your Own Device). You know? And I’m like, well, that’s fine. You can keep BYOD. However, you might wanna roll out a mobile device management process. You might wanna step up your DLP (Data Loss Program). Wait. What’s that? You might wanna make sure you do vulnerability scanning. You might wanna actually use an EDR tool, but they’re their devices.

Now you have a business decision to make. Is it easier for you to use those devices, or is it easier for you to strike a deal with the device distributor and issue those devices out to where you have all the control? And then they start making those kind of decisions and go, well, yeah, I probably need to do that. I’m like, only if it’s important to you. If it’s not important to you, then okay.

It’s so much good information.

You know, with the fact that you’ve been helping a lot of young folks get ready for the working world, I think you’re in a good position to answer this question. So this is the security leadership podcast. What key skill sets do our future security leaders need to make sure they really hone to be successful in that, you know, director or manager or CISO role of the future? And maybe it’s one, maybe it’s two, maybe it’s three. I won’t limit it, but I wanna make it, you know, kind of focused in on what do they really need to have to be successful.

Number one, awesome people skills.

Okay?

You’ve gotta have awesome people skills.

And when I say people skills, I mean, you have to have insight into actually utilizing your emotional intelligence to understand the people that you’re dealing with on both sides of the fence.

Okay?

Number two, you have to have great communication skills. And when I say communication skills, I mean, you should be able to translate up and down the chain. You should be able to take what the executives tell you and translate it to your subordinates or your, two levels below, or you should be able to take the information from the two levels below and translate it to your executives even if they’re not in your line of work, in your functional area, or what have you. You must have a firm understanding of how to communicate in business terms and technical terms, especially as a CISO.

Number three, you need to understand your valid, reliable, and defensible standards. You need to understand what’s happening now. Cybersecurity is very important. Now that’s great to have your CISSP, and you have your this, and you have your that. But as a CISO, you have to consistently go to webinars, and you have to read, and you have to be hip on the regulations, the things that they’re doing in New York, things they’re doing in California. And you think and how does that affect your business? You have to kinda be the expert in the room. So but you can’t make anything happen if you don’t understand how to build relationships, which goes back to number one, people skills.

So people skills, communication skills, and become the subject matter expert (SME) in cybersecurity.

If you have those three things, then I think you’ll be a great CISO.

That first thing, I put those in sequence.

People, communication, subject matter expertise. Because they won’t wanna listen to you if you can’t communicate it correctly no matter how good a subject matter expertise you have.

Right?

No.

You’ll be sitting in the corner by yourself talking about cybersecurity.

Because if I say safeguarding control to an executive, they’re like, what? What does that mean? They sound like the same things to me. You know, how does that affect me? Why do I need to care?

Put in their perspective. Understand how to how to float over into their chair and understand from their perspective.

Well and you know where that comes from.

And that comes from the people skills of being empathetic.

You’re understanding you don’t have to agree with the other side.

You just need to be able to be on the other side and see how that executive could have that opinion. You might not agree with it. But if you were sitting in that chair, you need to be able to say, ah, I see how he could say that because he could’ve he or she probably just came from a board meeting and gotten chewed out about an incident that went on that CNN found out about it before she did or he did. That’s the problem. You know, the biggest issue I see from, folks coming up from that, you know, the technical ranks, they’re they’re more junior.

Now they’re put in leadership roles, and they tend to default to what’s comfortable, and they’ll default to starting to talk technical speak, and they’re in front of an executive. And that executive is gonna check out within twenty seconds. They’re gone.

Pretty much.

They lost them. Pretty much.

And so I can’t agree with you more that they’ve gotta be able to understand the business speak, and they sort of lose a sense for who’s their audience.

Right?

Don’t drop into the stuff that you know and are comfortable with. You gotta float over into their world, and that’s it.

Right.

Because, ultimately, you have to convince that person to, number one, endorse you. Number two, fund your Yeah. And you fund your initiative. You gotta have a champion in the business. You gotta have a champion in the business. Well, you have to be able to answer, well, why? Because an executive will ask you that. I mean, you explain to them about, you know, the threats and the risks and things of that nature, and they intertwine those two. They’re like, a threat is a risk.

No. It’s not the same.

Risk has likelihood and impact, you know, of the threat.

You know?

It’s not a risk yet until you do likelihood and impact.

Right.

That is what you have to translate, and you have to be able to answer the question of, well, it hasn’t happened yet.

Why can’t I worry about that when it happens?

Yeah.

Gotta be able to answer that because they’re spending money. It’s like having the threat of, of a flood in your house.

Right? You know? So the rain is the threat.

The risk is the basement getting full of water or whatever.

Right? So Correct. Right.

And what is the likelihood and what’s likelihood there?

Well, it might rain. It might not. I don’t have a proper sales and Well an impact.

Let me redirect to another topic that’s pretty hot in the CISO community. There’s a lot of burnout. The average tenure is not getting longer. It’s getting shorter for the CISOs.

Mhmm.

I love to ask the question of, you know, how do you keep sane? You know, what do you do to reset? What do you do to, you know, ease your mind and just keep your sanity in check in this role? Just describe what, you know, what do you do for fun? You know?

Well, I have a thirteen-year-old child. So I have a thirteen-year-old son. I live in the state of Texas, and the religion here is football. So I spend my time chauffeuring him around, taking him to camps. And I too am a little league coach. So I go and take off my CISO hat and just go out and watch those kids and have fun and teach them fundamentals of football while teaching them about, you know, teamwork and things of that nature. Integrate that stuff in.

But nothing helps me better than to sit out by myself in the wind. Sometimes, I’m an avid cigar smoker, and I like and, I sit down and I get on my after my day is over, I get on my patio, and I light up a nice Maduro and stare at the stars when I can. Because my patio faces due north, so I can stare at the stars and airplanes, and I have my dog out there. It’s the simple stuff, Terry. It’s the way to disengage. It’s not a bunch of people. It’s and I sit out there, and I have fun. I just sit I don’t take any electronics out there. Well, I take an iPad sometimes to watch some of my recorded shows. But after that, I just turn that off, and I might put on some music and set my speaker out there and just decompress.

Do you keep an active playlist going on at night, an iPod or anything like that?

No. I don’t have an active playlist. They’re pretty good now, the Pandora’s and the Apple Music. Just put the station on and run. Yeah. And then let it run. You know? And then and nine times, that’s it. I’m not really thinking about anything. I’m just, you know, thinking of just sitting out. I don’t even think about the next part of my day. I think about what I’ve accomplished, but I’m a Christian man, and I just, you know, sit and thank God that he gave me another day. So Yeah. That’s it, man.

Mhmm.

Well, Preston, I really appreciate you taking the time out to, to talk with me today. Anytime for you, man.

It’s good it’s good stuff for the world to hear.

So, till next time.

Alright. I appreciate it.

Thank you.

Alright.

I’ll take it easy.
