Securing a Cybersecurity Organization
Episode 8 • 26th September 2019 • The New CISO • Steve Moore

Shownotes

Chief Information Security Officer of Netskope, Lamont Orange, talks with Steve Moore about the unique differences between working as a CISO for a private company and doing it on the vendor side: securing a cybersecurity organization. As cybersecurity becomes entrenched in the business cycle, other business functions have expanded their interactions with security teams. That said, the understanding of what a CISO does hasn't always followed the same trajectory. How do we, as security professionals, help our organizations interact with our security teams and help them understand the role we play in an increasingly at-risk world?

 

The major difference between being a CISO for a vendor and for a private organization

Working for a vendor, you have a direct line into change and into solving the problems that really need to be solved. Working with a private organization, it's everybody's opinion and no one really knows what you're talking about. Lamont encourages everyone to spend time in both worlds: when you're working for a company, you're in a particular vertical, so you have a ground-floor opportunity to understand all the challenges, whether they're business challenges, technology challenges or people challenges. You really get to understand the industry in which you're working and which you serve.

 

How did Lamont get his start? 

He has had the opportunity to serve organizations in a consulting capacity, which gave him a multi-vertical, multi-industry perspective. Lamont wanted to give back and go to an organization where he got to grow something from the ground up, watch it grow and watch it become something really valuable and a differentiator to the business. He also wanted to see what the opportunities were on the vendor side, because it seemed very intriguing and an opportunity was presented. What he found is that the language barrier is gone. The challenge then became to take all of that industry expertise and all of that business knowledge and apply it in a way that lets him lead on the vendor side. When you're on the vendor and product side, you get to affect masses of companies. You get to interact with so many different thought leaders and coaches. You get to make the industry better from the perspective of the solutions and tools we have to offer. But you're also growing people's careers at the same time by discussing the path you've gone through. Find opportunities to speak. There's so much goodness in it that helps you grow as a professional too. There are so many lives you can touch from a career perspective, making a difference in how we deal with our adversaries.

 

Figuring out how to share in the security community 

When you look at our adversaries, they're definitely sharing. They talk about the latest ways they use and abuse. We need to do some of the same thing: "This is what was effective with this particular adversary." "This is what was effective in this particular vertical, because this is how we do business and this is what's effective." Those types of conversations are priceless, and we need to figure out a way to have more of them.

  

What is change management? 

There'll be changes in infrastructure. There'll be changes in the operating model, and there's a board we have to go through to get the changes approved. We implement those changes. If we go back to fundamentals, to what's happening in cybersecurity and what's happening with the role of the CISO, the CSO and all the technology players, we are back to the basic definition of change management. Not only do we have to adapt to change, we have to embrace it for what it brings. We have to look forward to the positives of this change. We have to demonstrate to others why this change was either good or is not the best plan of attack, and then we adjust. You don't want stagnation in anything you do, because it either becomes boring or you become complacent. What this is showing us is that our industry is neither boring nor complacent. It is very dynamic, and we need to figure out how to manage that.

 

What change are you excited about? 

Lamont is excited about the movement to cloud. For the industry as a whole, it's a new operating model. For so long we've looked at all of these different solutions that we've cobbled together to keep filling the gaps in whatever the threat landscape brought us. Now we get to take a fresh look, and if we are at a point where we have a seat at the table, we get to walk with the business, actually consult with them and talk to them about what this new paradigm they want to move into will really bring. With our fresh look, we can say that we're really looking to enable you to take away some of this friction, because we don't have all of these different hoops, different control frameworks and the whole "let's lock it down" mentality anymore. We know that you need to be open, and now we need solutions. We need to look for the solutions that will allow that openness.

 

What advice would you have for a new CISO? 

You've got to build relationships. Just keep it simple. Security needs to be a friend of the business. It needs to be a partner to the business. We need to build those relationships in order to show how we can avoid being a pimple in the path to progress and instead be that progress, be that innovator.

 

Is there a difference between authority and influence as it relates to the movement of the cloud? 

The dynamic is definitely changing to influence. Influence is much stronger than authority. When you breed influence through an organization, you're creating emissaries of the division and you're building consensus around that. Once you establish the spirit of how you want to move forward and make sure all decisions map to it, you won't have to use your authority.

 

How are challenges different for large vs small organizations in moving to the Cloud? 

The challenges are different. The larger the organization, the more politics and the more structure around "we've always done it this way." There are more teachable moments that have to be identified, and you have to teach that organization, team or individual why you're looking at it from this particular perspective. In smaller companies, there's less politics. There are more consolidated functions and one or two individuals, which makes it easier to influence across those teams. The smaller companies are more nimble too.

  

What is the change that is happening to security leaders? 

Over the course of the profession, we security leaders have all tried to centralize the activity of security and really believed that we could manage it from a central perspective. In many cases, before this disruption really started to occur with the disruption of cloud, there were all these different types of disruption. We are now trying to decentralize and build those influences and emissaries in the different groups within DevOps.

 

What is the definition of the new CISO? 

The modern CISO is really going to embrace change management and actually have a roadmap for how they are going to embrace this change, whether that's moving to the cloud or moving to hybrid infrastructures. They will look at it as a positive restart for our profession, and a restart for all the complexity of controls, processes and policies we've put in place, to make it something with less friction for the business. They will realize that we're in the business of managing risks, and that control frameworks are just that: a framework. In many of these new paradigms and structures, the control frameworks, even where applicable, may actually cost the business something in productivity.

 

Resources: 

Exabeam – Website 

Steve Moore – LinkedIn 

Lamont Orange – LinkedIn 

Netskope – Website 
