What it Means to be an Honest Broker
As a former CISO in Hanover Insurance Group, Brian Haugli shares what it means to be an honest broker in the context of security leadership, which might be better described as an agent of trust and transparency for a business. Brian and Steve Moore talk about strategies for delivering the right message to executives and the Board, the learning opportunities that come with candor and the honest truth about managing the inherent stress of the position.
Advice to future or current leaders
One big feedback I would give my younger self is don't focus so much on one area or another. Really be open to the ancillary spaces within security. Looking at human behavior, looking at the legal side of things, and pulling that information in to help round you out.
Is there a core of bad leadership in information security?
Not everyone is born to be a leader. It's something that you're born with, that type of a capability. I think you look back at like type A/type B personalities. A lot of security folks are the type B, and there's nothing wrong with that, but I think there's a different level of getting leadership out of that that isn't as natural for them as somebody who is a type A, an outgoing type of a person. I don't think there are bad leaders in InfoSec. I just don't think there are enough of them.
Transitioning on a small team vs large team
On a smaller organization, you're going to wear more hats because there's just not enough people for that work to go around.
The larger organizations, what I learned was I could sit down a team of four or five analysts, teach them in one or two hours how I would do something. And now, I've multiplied my capabilities by five. And that's much more effective than me trying to do that individually.
The smaller teams, smaller orgs, they are struggling with being able to address this and I think that's where I want to find a niche for developing some work and some support and driving insight and guidance to these groups because they need help.
The start of Side Channel Security
We saw the need that small and medium businesses, nonprofits, VC-backed software firms, don't need a CISO full time but still need that kind of guidance and expertise. We started by supporting a nonprofit ... realizing the questions and the concerns were the same things that we had heard from our peers in larger organizations or our own organizations at the time. It just built upon itself.
Where are people most ignorant as it relates to information security and running a good program?
I've got a bit of a mantra that I can't defend what I don't know exists, and that's really asset identification, asset allocation. Being able to answer: what are your business obligations? And what are your business objectives? Can you identify the things that keep you running, and could you tell me what a bad day looks like?
You have to make them understand that your new reliance on technology and you storing all of this data and/or allowing access to these systems equates to your ability to provide services to your customers, whatever that is then. Those are usually ah-ha moments for folks and it's a good one to be there for because you can quickly help them realize what their concerns really should be from a security standpoint, but then quickly get them to how do we tackle this? How do we make this not an issue any longer? How do we mitigate that risk?
What is an honest broker when delivering a security message to the ELT or the Board?
I think it's just about transparency and integrity. Security, the definition of security, is confidentiality, integrity, and availability. As the CISO, your ability to obviously protect those things is one aspect. Your ability to showcase and embody the integrity of what it is that is being expected of you is another. Turning that around and then being able to explain that in terms that, honestly, chances are a nontechnical person and somebody who definitely doesn't understand information security is going to understand.
Do they always really want the truth?
Everybody always wants the truth but what they want is to make sure that you're not positioning as if the sky is falling on every conversation you're having. It's about talking about the level of risk at an appropriate level. What most senior leaders really want to hear is that you've got it under control. What you can do is be completely honest in the fact that you don't know what you don't know and then promise that you're going to go figure it out and come back to them with something.
What are things that we forget to do?
I think the thing that gets missed a lot is that security doesn't exist without the business. We're not in the position for the sake of a company or an organization.
What’s the worst archetype of a CISO?
I think there's a major difference between the CISO who has a real technical understanding of everybody on his team or her team and those who came through the CIO track or the business track. I think you can just be much more effective as a leader if you understand all the roles that your team members are capable of and doing. And I think that's one thing I've differentiated myself on: I've done just about anything that I'm charging anybody on my team to do.
Is CISO a good job?
I feel like some days it can be, but I keep volunteering and keep pursuing them, so there's got to be either something wrong with me in that respect or it's not actually as bad as we think it is.
Is there any time where you go and you present this messaging and leaders of membership don't want to hear it?
Hearing about a risk is difficult for people to comprehend and maybe even be able to accept. Take the approach of positioning the best idea that you pay me to bring you. There's really no reason to get into an argument or really try to hammer on something that a business owner doesn't want to tackle.
Any lessons or any observations in terms of doing more with less?
Biggest thing I learned out of the military was the concept of BLUF, bottom line up front. So, just position the idea that is the most impactful, the key term or concept that you want that person or that group to walk away with, right up front. Get there, put it out there, speak to it, and then build, if you have the time, obviously, in the presentation slides or whatever material, to actually do it. Build out from there. But drive at least the one thing that you want them to know right up front.
Exabeam - Website
Side Channel Security - Website
Steve Moore - LinkedIn
Brian Haugli - LinkedIn