Storytelling For CISOs – How to Make Your Message Resonate with Tom August
Episode 77 • 20th October 2022 • The New CISO • Steve Moore



In this episode of The New CISO, Steve is joined by Tom August, a seasoned CISO with over thirty years of experience.

Tom started his career as an accounting intern and has since had a remarkable journey: he not only wrote the CISO Handbook but also created a risk-management methodology. Today, he shares what he has learned from his years in the cybersecurity industry and why storytelling matters. Listen to the episode to learn more about Tom’s unusual transition into cybersecurity, the inspiration behind the CISO Handbook, and selling your “why.”

Listen to Steve and Tom discuss how to captivate executives without fearmongering and how to navigate hard conversations with the broader organization:

Meet Tom (1:55)

Host Steve Moore introduces our guest today, Tom August. Over his decades-long career, Tom has worked across multiple industries, from healthcare to military defense to financial services.

A lifelong fan of electronics, Tom found cybersecurity to be a life-changing move, despite an initially unrelated start.

Tom’s Take (5:30)

Steve presses Tom on what it was like watching the famous John McAfee and his team work when Tom was an accounting intern.

Tom saw that they had an organized methodology and plan for handling a security breach, and he appreciated being brought in. A wide-eyed college student, Tom was fascinated by everything he learned and wanted to do more.

The Move To Financial Services (9:07)

While building out the security program at a financial organization, Tom had the opportunity to be mentored by one of the original CISOs, Micki Krause. Recognizing Micki as a trailblazer in the cybersecurity industry, Tom appreciates that from her he learned both technical skills and how to communicate with chief executives.

Micki challenged Tom to write about security, which led to the CISO Handbook.

The CISO Storyteller (15:50)

To Tom, every CISO needs to be a storyteller, though few have mastered it. Often CISOs speak to executives in buzzwords and acronyms instead of adequately explaining the problem they are trying to solve. To combat this, Tom urges listeners to work on their communication skills.

The IT Audit (17:07)

Tom led many IT audits and learned a great deal about the organizations involved. As a result, he had to present a lot of research to international executives.

Although Tom can’t share much information about this time, he acknowledges that specific cultural differences made it challenging to tell the story of the problem at hand.

A Lever of Influence (27:55)

Through his mentorship with Micki, Tom learned a simple but valuable risk-management methodology. Tom took it further by meeting with executives individually to learn which risks they cared about.

As a result, Tom ensured that he could meet the needs of his organization. By the time he met with the board, there were no surprises about his security plans.

Improving Our Stories (36:50)

Steve presses Tom on why so many CISOs lack comprehensive storytelling skills, which Tom attributes to their need to be correct. Recognizing that CISOs have good intentions, Tom also understands that they can miss the bigger picture.

If you are a CISO, you should know why your problem is compelling; if you can sell that, the “where,” the “when,” and the funding will follow. The main thing is not to be confusing in your delivery, so that you hold attention and promote clarity.

Risk Vs. Compliance (44:46)

Because of his accounting background, Tom understands that auditors are well-intentioned but limited by their checklists. Knowing that risk does not follow the rules, Tom explains that compliance is not always the most helpful approach.

Risks are difficult to quantify and require everyone involved to be on the same page about the next steps.

The Modern CISO (49:55)

To Tom, being a new CISO means being a fantastic listener, a business partner, and someone who understands both risk and compliance. And, of course, you need to be a good storyteller who knows how to put everything together.

Links mentioned: