The shift left of the CISO

Technical skills are just a part of the equation // Newest AI tools // IR jobs

Hello friends,

Summer is right around the corner! This is a season of change, of anticipation, of knowing that there’s a new rhythm of life approaching.

There may be no industry on earth that has the pace of change of cybersecurity. The cat and mouse dynamic perpetually requires fresh thinking, new technologies, and new approaches.

The same is true of roles and leadership. This week we will dig into one of those dynamics: the relationship between security and the business, and the need for CISOs and security leaders to integrate more deeply ‘upstream.’ Ultimately, this is the shifting left of leadership.

Cheers,

Brad

The shift left of the CISO

When I speak with security leaders that are considering making a move, I hear a common set of frustrations:

  • Fatigue from budget battles, for both people and technology

  • Not getting sufficient support from the business for changes that are necessary to harden security (e.g., patching, retiring legacy systems)

  • Executives that don’t understand security or the importance of the function

  • Being put under IT, which prioritizes efficiency, uptime, and releases over security, and trades security budget for tools and consultants

Nobody wants to feel like they are given a job but not the tools to be able to succeed.

However, when I speak with executives, I often hear these concerns about security:

  • Tool and budget increase requests that lack a clear business case

  • Explanations and articulations that don’t indicate an understanding of the business or business priorities

  • Being the department of ‘no’: shutting things down without offering alternatives

There is merit to both sides.

I will not suggest that security leaders can single-handedly get senior leadership to ‘find religion’ on the importance of security, or change company culture.

But, in many cases, they can do better. And they can effect positive change. Their job is not to run a security department; it is to optimize a company’s security posture in light of business decisions around risk tolerance.

The concept of ‘shift left’ has been oft-discussed over the past few years as the problem of security sitting at the end of the line (vs. upstream integration) became incredibly clear. The ethos has been to embed proper security practices (and tools) upstream in the actual development process. Hence the rise of DevSecOps.

Similarly, there has been a burgeoning realization that security posture will always be handicapped unless modern security practices can be embedded upstream into the business on multiple additional fronts, for example:

  • Training and awareness to address human vulnerabilities

  • Design and configuration of environments; secure cloud migration practices

  • Decisions to retire vulnerable legacy assets and technical debt

  • Prioritization and automation of patching

  • Budgeting processes that appropriately weigh risk

It is not a revelation to say that security leadership must play a role in evangelizing the value and role of security, and build relationships with stakeholders across the business in order to earn credibility and trust.

What does get lost is the nuance of what it takes to do so, and the skills to look for in a CISO, based on the company’s size, maturity, risk posture, risk appetite, and willingness to change.

If the leadership appetite is there and the degree of security improvement required is large, the job of the CISO is at least as much a change leadership role as it is a technical security role. And all CISOs benefit from the ability to understand and connect with the business, lead change, and influence people.

I spoke with Lisa Gallagher, former MD at PwC, about this topic. She coaches and supports CISOs in their own development journey, and noted that there are simply not enough talented security leaders out there to meet the demand, particularly ones that have balanced leadership skills and technical skills. So she works with companies and their security leaders to build their business and leadership skills. She also noted how critical it is that security be able to get out of their own swimlane and understand the broader picture around how data is used by the business and the data governance needs across the organization.

Here's our rundown on leadership skills required by CISOs in this environment. The relative importance of these skills will depend on a company’s context and security posture objectives. Nobody is perfect. Business leaders should think about the right mix for their own context; security leaders should objectively think about their strengths and weaknesses relative to what’s needed to be successful.

  • Ability to measure and articulate risk

  • Ability to deeply understand business economics

  • Storytelling

  • Relationship building

  • Strategic planning

  • Development of vision and strategy

  • Change leadership

  • Systems thinking

  • Large-scale program management and leadership

  • Clarity of communication

  • Confidence and presence

  • Ability to balance and weigh priorities

  • Ability to form a cohesive and trusting culture

  • Ability to screen and identify top talent

  • Persuasion and selling abilities

  • Clarity of written business communication

There are some universal truths in play here. Great CISOs have the technical chops to build and improve a security program, but also have a keen sense of what they don’t know (gaps to fill in around them), humility (which supports a realistic view of the environment and is foundational to trust), an ability to rapidly cycle learnings, a desire to get out of the security pillar and build relationships across the business, and the ability to rally others in their cause.

How do you see the business side of security evolving over the next 3 years? I’d love to hear from you.

Tools, resources, and useful things from the internet

🛠️Fantastic database of AI tools; the list grows every week (The Rundown)

🔷Speaking of which, here’s a cool one: AI generated documentation of processes (Scribehow).

🦹‍♀️Guidepoint releases an excellent monthly rundown of ransomware activity, malware, and frequency. The running report list is here.

News

🤖Google unveiled a flurry of AI-focused releases to all of its products this week. Here’s the announcement. And the meme.

🏠NSA has released a series of best practices for securing home networks. Share with your family!

↗️Levels of job satisfaction reached all-time highs in 2022. We are also seeing less churn in the security workforce.

💣Cybercrime, particularly crypto theft and ransomware, accounts for half of the funding of North Korea’s missile program (CNN)

↘️The long awaited shakeout in cyber tech companies is coming (WSJ)

🚪Is the great replacement starting to happen? IBM announces that AI will be replacing upwards of 8K jobs. (Bloomberg, registration required)

🖥️Friends don’t let friends use Wordpress. If you are, or you know somebody that is, stop, please just stop (Hacker News)

🤝Folks that got impacted by the layoffs in big tech are being hired by startups- might this accelerate innovation? (WSJ)

Jobs to check out

This week we are featuring well-paying IR roles.

💼Piper Companies. VP of Incident Response (Remote). $220-280K base + bonus.

💼Cruise. Staff Security Engineer, Cybersecurity Incident Response (San Francisco, CA). $197-290K.

💼Capital One. Manager, Cyber Incident and Event Management (McLean, Boston, Richmond, Plano, or NY). $197-225K.

💼Sony Pictures. Senior Manager, Incident Response (Culver City, CA). $128-171K.

💼Live Nation. Manager, Incident Response (Hollywood, CA). $126-158K.

💼Freddie Mac. Cybersecurity Incident Response Lead (Remote). $126-188K.

Events

💼Thotcon. Chicago. May 19-20.

💼BSides Seattle. May 20.

💼Secureworld Atlanta. May 24.

💼BSides Buffalo. June 3.

💼Gartner Risk Management Summit. June 5-7.

💼ExploitCon Portland. June 7.

💼Rocky Mountain Infosec Conference (RMISC). Denver. June 7-9.

💼Secureworld Chicago. June 8.

💼BSides SATX. San Antonio. June 10.

💼BSides Boulder. June 23.

Stat of the week

$30M

Cost to Dish Network from their February breach. Ouch.

Crux is building the talent platform for cybersecurity. Check us out.

Thinking about your next move? Join our network.

Want help with your hiring needs? Reply to this email to drop me a line.