Chris Morales, CISO at Netenrich, has held various roles throughout his career before becoming a CISO, including ones advising and designing incident response and threat management programs for enterprise organizations. Morales talks about the skills needed when pursuing the CISO track. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: You have had roles around cybersecurity engineering, consulting, sales and research. Talk about the transition of making the jump into the CISO track.
Chris Morales: Yeah, actually, the funny thing is, I had to get out of engineering first. At some point, I was there writing code. And back then, when you're developing, there were no standards, there was no compliance, there were no rules. There was nothing. There was McAfee AV, there was Check Point firewall, and it was all people knew, so we had to innovate. I don't know how it happened, but I naturally had this progression where people started asking me to go start doing a lot of work with customers and spending a lot of time with them. Then I realized I didn't want to be in engineering, and they put me in the field and I was sitting there - we had the fortune of having 80 to 90 percent market share - and I sat there with people like Experian, Qualcomm, Disney, Citibank, and we were like “you need to do intrusion detection,” which is what threat detection is today. We're like, “hey, we built these tools.” I remember sitting there, and there was this guy, William Sun who was an engineer at CoreLogic, who said “this is great. How do I use it?” And I remember sitting there going, “I don't know.” I know that sounds stupid. But I realized that the business process modeling network looks like the secure software development lifecycle. I went and learned it, because I needed to figure out how you use this product. I started writing operational process in 2004 and 2005, so I could sell products that we built. And then I realized when someone on the other side was asking how to use them, I was saying, “how do you use this?” And those were the early days of SOC operational process and incident response process. And then we built the managed service around it. And so I started writing operational processes, and I ended up helping build a SOC for Experian, Qualcomm, Disney; only by right of being there first, and no one else knew what was happening.
Lindsey O’Donnell-Welch: Can you talk a little bit about the challenges around the CISO role?
Chris Morales: I actually got offered the role of CISO several times in the past and I said no. Because for a long time, a CISO was just a fuse box; they were hired so they could be fired when something went wrong. They never had budgets, they never had power, they would hire some really smart technical guy. I have friends who got into it, because they would do penetration testing and assessments. And people would say, "You'd be a great CISO." But they were horrible at the job. Because it was a communication issue. They were never taken seriously. It needed to evolve, and it never evolved, but it finally caught up. We just had a bunch of technical people who were not connected to the business and who were not making real decisions, and no one cared. Now it's become part of the business and it has to, but it's still a struggle.
Lindsey O’Donnell-Welch: How have these perceptions of CISOs changed over time?
Chris Morales: There are - And I didn't make this up, I'm riffing on it, it's something I read at Forrester some time ago - there are like, at least four different types of CISOs. And that's correlated to the type of companies and their perception. So there's different perceptions, and different maturities in different industries. The ones who have had the longest career, sadly, maybe, in my mind, are the ones that worked in industries that were highly compliance driven, and had to do it. And a lot of CISOs sadly drove a lot of it because finance understands fee penalties - like PCI, HIPAA - and they're like, "Oh, I hired you to make sure I pass compliance." They're very non-disruptive. They're very much like, "Oh, you just have to pass compliance."
The problem is they call it chief security officer, but I tell people in my team, "we're just risk advisors." We're not here to remove risk, because the business wants to take risk. They want us to help advise them on how to manage it. What's interesting is that will correlate to a lot of the other stuff about the type of industry and things like that. The big thing is the perception of risk of the company, and the people running it and their appetite for it. A good example of that is when some of the recent ransomware stuff has hit, like JBS [a Brazil-based meatpacking company] who got hit and paid $11 million. They literally did not care at all before that event. They heard “digital” and went, "What do we care? We distribute and supply steaks to grocery stores." Over the last few years manufacturing was looking at Industry 4.0 and the industries that used to be the least technology driven, and the most basic, became actually probably the most technology driven. And they transformed but didn't pay attention, because they still don't understand the nature of the problem. So manufacturing, healthcare, retail. Even hospitals didn't think that way. They all have massive networks of massive amounts of data now. They all get hit bad, and that happened because they didn't actually care before. And it became reality. So I say this, because this is an exact conversation I have with every CTO: I ask them, what do you actually care about? What do you want me to manage for you? What are you afraid of? What's your appetite? What's your paranoia?
So everybody's going to evolve out of mandates and compliance, but they're going to always be bitter about it because they're like, "We're doing this because we have to." But lots of people are becoming hyper-aware. Like JBS, I promise you, they never want to spend $11 million in one payment again. Whatever cost you thought that was, they now have a hard number. And so then back to the CFO, the hardest thing for most technologists is mapping that to money. And then they're like, "how am I a business enabler?" You're not, you're a risk advisor, but the company wants to take risks. So you have to ask yourself, it's not about saying no, the question is, how do you let people take more risk? Because risk equals more money. How do you take more risk?