J Wolfgang Goerlich, Advisory CISO for Cisco Secure, talks about why relationships are so important for CISOs when interacting with organizational leadership teams. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: Can you tell me a little bit about your own background, and really how you got into security at a broad level?
J Wolfgang Goerlich: I like to tell the young people that the way I got into security is no longer legal. It makes it sound much more edgy than it is. But the reality was, when I got into this discipline, I was handed a hospital's network system. There was no HIPAA and there were no guidelines. This was a time when digital transformation meant taking away typewriters from very cranky, very busy, overworked nurses, and convincing them that the computer was okay. As we know, much has changed since the 90s. My career started the same year Hackers was out - so every time that Decipher has done a Hackers episode, I've jumped on that, and always loved that conversation - but as you might imagine, you think that security is fighting the bad guys, and skateboarding inside data centers, and running circles around clueless federal agents, only to find out that it is a lot more people, paperwork, and PowerPoint.
Lindsey O’Donnell-Welch: What motivated you to go down the CISO track?
J Wolfgang Goerlich: If you fast forward several years, I was at a financial services firm. And I was very intrigued by the security aspects of engineering. I came at it very much from a technical discipline: how do I do good engineering? And good engineering I define as something that is both operational and resilient against attack, either accident or adversarial. I brought this mentality to the financial services firm, after previously being VP of a consultancy where we specialized in high-speed, high-security networking. This meant I was heavily involved with security from a technical perspective.
Now, around that time, the SEC was mandating business continuity and disaster recovery, and I got involved with that discipline. It was very eye opening to me to understand how all this technology we were talking about, all the nuts and bolts we were focusing on, all of it was actually delivering business value. Continuity and recovery asks: how do you tie any one particular piece of IT up to a business process, up to the organization's mission objectives? That entire exercise was incredibly eye opening. And that was really the time when I recognized I wanted to do more from an executive level and a business level in cybersecurity, and less and less from the technical level.
Lindsey O’Donnell-Welch: Can you talk a little bit more about that business value - understanding the risks and what needs to happen within a business - and how that plays into the role as well?
J Wolfgang Goerlich: Historically what we secure is based upon technical understanding. But as we all know, organizations make a living from providing usable technologies to the workforce, which means trade-offs in security and often a reduction of security controls. By many in our profession, that's seen as being an irreconcilable difference. It's either securable or it's usable. But suppose you don’t think about security as "I want to prevent this particular exploitable flaw from occurring," but rather you think of security as "I want to enable the business, which means I want to prevent threats against business processes which will have a material impact." Suddenly, we open up the conversation quite a bit. We no longer have to lock down every single port. We can focus more on opening what makes sense and having good response and recovery capabilities. This leads to what we call resilience today. I'm going to accept a certain amount of risk and I'm going to counterbalance that by being very quick to respond, by having multiple redundant and reliable systems. The shift in perspective many CISOs went through, say between 2010 and 2020, was really one of shifting away from trying to protect the technology and shifting towards protecting the business.
Lindsey O’Donnell-Welch: When you talk about that shift, during that time period, has there been any sort of accompanying shift in how CISOs are perceived overall by organizations’ leadership?
J Wolfgang Goerlich: It's interesting, in the past 10 years, the conversation has gone from, "we need to have a seat at the table and we need to speak to the board. How can we speak to the board and what would that look like?" Then we had a period of time where CISOs wondered, "what is the right slide template to convince the board or the executive team to do something? What are the right colors? What are the right numbers?" As we've matured, we've recognized it isn't the colors. It isn't the numbers. It's the relationships. It's the way we frame the story. It's the way we lead our organization. And we see that reflected in things like Cyentia's Security Outcomes Study. I mentioned I was originally from a BCDR perspective. So when I saw people who had really good BCDR were two to three times as likely to report strong relationships with their peers and with their executives, my old confirmation bias kicked in, and my heart grew warm. If you can talk about the business and what the business cares about? If you can talk about what it means? You're going to have better relationships, of course, and this Security Outcomes Study data makes perfect sense. However, Cyentia then repeated the question for incident response and found strong correlation with executive relationships and peers. And then we repeated that with SASE, and with zero trust, and with endpoint detection & response. At a certain point in time, I had to stop and I thought, "wait a minute, there's no way that the endpoint agent is allowing the CISO to have better conversations with executives and peers." What I believe is happening is that savvy executives have and build great relationships. Savvy executives tell great stories founded in data and stories which result in action. They don't focus on what's the right number, what's the right color. Savvy cybersecurity executives, through relationships and communication, build strong security programs.
Lindsey O’Donnell-Welch: So a lot of it comes down to relationships and connections.
J Wolfgang Goerlich: Yes, absolutely. As the CISO community has gone through this journey from hardening technology to protecting businesses, we have had a lot of back and forth about what is the right relationship. We still argue at conferences about where the CISO should report. We still have conversations around what CISOs should tell the board. But you can always tell where someone is in the journey in terms of questions like “how do I talk to the board? What should I tell the board? And how can the board teach me?” And as you get towards that question, “what am I learning from the board and our interactions,” that's when you know you’re speaking with a CISO who is well on their way to establishing relationships and becoming a seasoned, polished executive.
We’ve witnessed the growing capability and competency in our field in terms of interacting with the executives and the board. We've had the back and forth in terms of where we should report. We’ve jostled about on how to structure our teams. So as we’ve deepened our understanding of the business, the business is deepening its understanding of cybersecurity.
So we've reached this point where we went from wanting to sit at the table to now having a seat at the table. What does that mean? I don't know that we've really determined what that means. Suppose you've got a seat at the table, and your company is doing something inappropriate, and now there's a blowback because of these activities, and that blowback reaches the CISO. What do you do? I don't know that we've really thought through what it means to have a seat at the table. We’ve been so focused on getting the seat. Now that we have it, it's going to be the decade of figuring out what we do with it.
Lindsey O’Donnell-Welch: With the SEC's mandates about having the board of directors better understand cybersecurity, I feel like that's almost accelerated CISO involvement; do you have any thoughts on where the role of CISO is going?
J Wolfgang Goerlich: We need to find new fundamentals for what it means to do security. A lot of our existing fundamentals were based on an ownership and a control model. It's my computer, it's my employee. And a lot of our previous security controls were based on a smaller subset of known things: Because it's my computer, I know how many computers I have; because they're my applications, I know how many we've installed. Now, granted, we've all struggled with that in the past 20 years. But that was our industry’s fundamental assumption. When you look at third-party risk and supply-chain risk, when you look at the fact that a lot of our employment models have moved towards including contractors, consultants, and B2B relationships, and when you look at the supply chain becoming a supply mesh, the reality is, we now need to secure things that we don’t have visibility into, that we don’t have the ability to enumerate, that we don’t own, that we don’t have direct control over. So while the CISO today has to be technical, we need to know our craft as leaders of our craft; the CISO today has to establish and maintain governance. And our governance model is no longer just within the security team or the IT function. It's embedded throughout the organization. This diffusion of who owns technology, who operates technology, who has the right to bring what equipment in and to do what they need to do for their jobs, has upended our assumptions. This proliferation that we've all been through, accelerated by the pandemic, means we need to find new fundamentals and new ways to enforce security. It means, in many ways, that enforcement is going to be through culture, not through the application of technology.
Lindsey O’Donnell-Welch: Speaking of culture, how can you cultivate a strong security culture in a business and where do you start?
J Wolfgang Goerlich: Part of the challenge is, "what is culture?" And as CISOs, we need to understand the big picture - Culture with a capital C - but we also need to understand the lower level components that drive it. So if you're going to say culture is a series of behaviors that upholds our values, okay, that makes a lot more sense. And of those behaviors, there's a subset of those which may or may not only uphold our values, which may either create additional risk for organizations or reduce risk. So if we take that approach of enumerating behaviors, we can build an intuition around the behaviors we need to foster, and we can start understanding which relationships we need to create in order to get those behaviors. That’s how to cultivate a strong security culture in a business.
The sad reality is, too often, our answer for security culture is teaching people not to click on emails. Why? Because it's something simple to test. It's very hard for me to test for behaviors which resulted in a Log4j vulnerability in a supplier that's three rings removed from us. Meanwhile it’s very easy for me to send a phishing email to one of my colleagues and ask, “did they click or not?” So the challenge today with security culture is it often starts and stops at the phishing level. We really need to broaden that.
I'll give you a good example. Back to third-party supply-chain risks, one CISO that I know has built his supply-chain management program and third-party management program as a culture program. So what that means is, he has spent a lot of time understanding what the frontline business managers and decision makers view as their responsibilities, how they make decisions about what software they're going to use or not. He's spent time simplifying those conversations, not as an "it depends" conversation, but as a "do they have this or that" conversation, a black or white conversation, which is incredibly important when we're talking about transferring knowledge. And he has equipped and maintained the readiness of those people so that when they're talking to a vendor, they can ask questions like, "What is your security posture? Are you doing multi-factor? What are you doing for this, that, and the other?" I don’t mean a list of a thousand things. I mean the top two or three things that drive the most risk, presented in a black-or-white way. And that's allowed him and his team to let the business make many of those purchasing decisions. And by the time the decisions get to his third-party risk team, he's not having to go and say "no, no, no, don't buy this or pull that out or unplug this," which is where many organizations are. By the time it gets to his team, it’s more, "yes, your answers pass our governance, we're good." This approach frees his team to go deeper with fewer vendors. So that exemplifies the approach where I think the CISO is going.
The CISO role is moving away from "we control everything and security is our discipline" to creating effectively a volunteer firefighter approach, where it's volunteer people within the organization who are making the right decisions, exhibiting the right behavior to reduce the risk, driving the culture forward, and doing so within the context of the business. So it actually is in line with where the organization is going, not working against where the organization is going.
Lindsey O’Donnell-Welch: What are the most critical steps for organizations in building out this culture, and then also leading into an effective cybersecurity program?
J Wolfgang Goerlich: For a lot of people, it begins with understanding other people’s realities, and understanding what they do, be that an operations person who I want to make a smart decision about a financial transaction or a product owner who I want to make a good decision about what third-party software to use. It begins with really listening and understanding.
Part of that is establishing a security champion and advocate program. Often we think of security champion programs as championing security on our behalf within that business function, and as a way of understanding the hidden benefits and barriers to a new security control through the lens of a security advocate champion. Start with listening, then create an advocacy and champion program.
Third, we do risk evaluation, risk ranking, and prioritization. When we look at this, it is not only through the lens of what we're trying to protect, but also through the lens of what we're trying to prevent. This is where threat intelligence comes into play, and where the great work of groups like Talos comes into play. Oftentimes, we get really stuck in thinking about what our tech stack means to our organization. We struggle to consider what it means and looks like from a criminal perspective. Our ability to put the controls where they really matter from an adversary perspective is incredibly important.
And the fourth step is figuring out which behaviors address the risks we’ve highlighted and establishing metrics for those behaviors. It’s vital we aren’t limiting behaviors and metrics to something easy, but including behaviors like purchasing the right software, onboarding people correctly, writing code that's secure, whatever those behaviors may be.
Follow this process to make sure our priorities are really reducing risk without overburdening our workforce. That’s how we foster culture. That’s when we strengthen and deepen relationships. And ultimately, that’s where the CISO role is evolving to protect and secure our organizations.