Lessons Learned from the “First CISO” Part 2
Episode 32 • 17th September 2020 • The New CISO • Steve Moore • 38:38


Shownotes

On today’s episode, we continue our conversation with Steve Katz, the first CISO, and discuss the importance of understanding yourself, your role, and the company for which you work.

Marketing Yourself Within the Company

One of the things that Steve stresses is that you need to be able to market yourself and the role of CISO to the rest of the company. It is in your best interest to know how to articulate why cybersecurity matters and how it impacts the business. To do so, you must first understand the company and its products, because only then can you explain how your position helps the business. Listen to the episode to hear more about Steve’s thoughts on business-relevant security.

 

Your Mission and Foundational Principles

One question Steve always asks CISOs is whether they have read the company’s mission statement. Steve believes it is a big problem to ignore the fundamentals of a company. He also advocates that every CISO come up with a mission statement for their own team, and align that mission with the company’s mission. He recounts how coming up with 5-10 foundational principles changed the group mindset, provided clarity about the work they were doing, and, overall, changed the culture of the team.

The Citi Breach and the First Time “CISO” was Used

Steve recounts another incredible tale about how an enormous breach at Citi led to the solidification of his role as CISO, and to the coining of the term. He joined the company while it was experiencing a security issue and losing valuable bank customers. In this episode, he relays how he had to meet with the top 20 customers to ask them questions about security, and to answer their questions. He was expected to retain only half of those customers after his meetings. He came back with all 20. Listen on to discover what questions he asked them, and how he managed to maintain their trust and business relationship.

 

Know Yourself

We discuss the importance of knowing yourself as a person and how this affects your abilities as a CISO. Steve encourages you to understand your strengths and weaknesses, and to hire someone who can compensate for the areas in which you struggle. He admits that he excels at identifying talent and getting work done efficiently but struggles with details. He is honest with us today to encourage you to be honest with yourself and to act accordingly.

 

The Customer’s Perspective

Though only briefly touched upon, Steve reiterates that you must make an effort to keep the customer’s perspective in mind. To that end, he hired only multilingual regional officers, who could explain a security problem in the local language. This made them a friendlier face and encouraged a more trusting relationship.

The C’s of Finding a New Job

Steve also runs through his criteria for the job search, which he calls The C’s: challenge, commitment, chemistry, culture, clarity and compensation. By these he means how challenging the job is, how committed the company is to resolving issues, what the chemistry is between you and the person you report to, the workplace culture, clarity about what success looks like, and lastly compensation. He stresses that compensation is the last C to prioritize. Listen to the episode to hear Steve expand on The C’s and why compensation is actually the least important criterion.

Meetings with Vendors

When it comes to meetings, Steve believes that vendors need to do their homework, be clear, and get to the point. He shares a humorous tactic he used to get vendors to sell quickly and effectively. He also tells us the one question he asks at every vendor meeting, and why you need to be extremely cautious when planning a live demo. Check out the episode to hear Steve’s tactic and the question he always asks.

The Evolving CISO Position

Steve believes that the CISO will evolve into two positions: a Chief Information Risk Officer who reports to a Chief Security Technology Officer. He explains that the CIRO defines the what and the why, while the CSTO takes care of the how. These roles speak two different languages and therefore need to separate into two different positions. While one acts as a risk advisor to the board, the other deals with how the team will tackle the risk.

Steve discusses why he thinks it is imperative to separate the roles and how, by not doing so, you erode your authority and legitimacy with the board. He explains that he already sees this split occurring, and that you should take some time to reflect on what your strengths are and gravitate towards either the CIRO or the CSTO position.

 

The New CISO to Steve

Lastly, Steve talks about what the new CISO means to him. He believes that the challenge is greater today than ever before, and that leadership is now taking a real interest in cybersecurity. Therefore, the new CISO should redefine and redirect the program, and think seriously about bringing in data scientists to apply AI and ML to the field.

 

Links:

Exabeam: Website

New CISO Podcast

LinkedIn: Steve Katz
