401 Access Denied Podcast Ep. 112 | Prioritizing the Protection of the Brand for CISOs with Myrna Soto
Episode 112 • 7th August 2024 • 401 Access Denied • Delinea


Shownotes

In this episode, Joseph Carson interviews Myrna Soto, former Global CISO for Comcast, about the changing role of CISOs. Myrna shares her journey into cybersecurity and highlights the importance of business relationships and brand protection. She also offers tips on communicating with the board and staying informed. Tune in for valuable insights and practical advice!

Connect with Delinea:

Delinea Website: https://delinea.com/

Delinea LinkedIn: https://www.linkedin.com/company/delinea/

Delinea Twitter: https://twitter.com/delineainc

Delinea Facebook: https://www.facebook.com/delineainc

Delinea YouTube: https://www.youtube.com/c/delinea

Transcripts

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast, brought to you by Delinea. I'm the host of the show. My name is Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, and it's a pleasure. I'm always excited about episodes. We're bringing amazing guests on to talk about really top trends, topics, things that are really making a difference in the cybersecurity industry.

None other do I have an awesome guest for you today, which I'm really excited to talk to and learn, because one of my favorite things is it's always educational, not just for the listeners, but also for me. So I'm really excited. So Myrna, welcome to the podcast today. If you can give the audience a little bit of background about yourself, how you got into the industry and maybe some fun things about yourself.

Myrna Soto:

Absolutely. Well, first off, thank you for having me today. I've been looking forward to this for quite some time. Finally, the stars aligned, and you and I have this opportunity to chat. So I'm looking forward to it. So as you mentioned, my name is Myrna Soto. My background, I've had the pleasure of being in the technology space for a little over 30 years. I always hate to say that number out loud, but it's the truth. Of that 30, about half, a little more than half was spent dedicated in the area of cybersecurity.

So I had the pleasure of being the global CISO for a number of Fortune 100 organizations, of which we'll talk a little bit about later on. But most notably, I was the global CISO for Comcast Corporation for about a decade and had just an incredible journey with that organization, building a practice, sustaining a practice, and getting a ton of notoriety for the group and for the company in the space of cyber. Since then, I like to say I'm retired, but everybody that knows me well says that that is just a farce.

Since then, I'm doing a number of things. I have a portfolio of activities that I do right now. Primarily, I serve as a board member for a number of organizations. I'm a board member for four publicly-traded organizations, three of which are considered critical infrastructure, and those listeners that are attuned to cyber understand what that means, that critical infrastructure has a very strong hold in the topical areas that we're going to be talking about. So it's a great mix of portfolio for me. Then, I have the pleasure of serving on a number of privately-held boards, and in full transparency, I'm a board member for Delinea, which is just an incredible organization, happy to be a part of and to keep engaged and involved closely within the cybersecurity space, both from the provider side and then, of course, from the consumer side with some of my public boards.

Last but not least, I have an advisory firm where I advise and consult a number of clients. Usually, these consultation practices are done either at the CISO level or at the executive management committee level, where I'm advising boards and executive suites regarding their cybersecurity risk fabric, risk type of strategy within their organization and get to tie all those things together now. So definitely not retirement, but it's a great chapter right now.

Joseph Carson:

It sounds like you get to choose a lot of things that you enjoy doing, which is always good. That's always the part, is that we should be really focusing on doing the best things we enjoy and making the most out of it as possible.

Myrna Soto:

Indeed. Indeed, and I frequently note the fact that the options that I've been able to take advantage of, having been doing operations for many, many, many years, now move to strategy, still with a finger and a pulse on operations, I think it's a great tie-in. I'm very lucky to be able to do that.

Joseph Carson:

Absolutely. Fantastic. The big topic for today's episode is really using all your vast experience, especially the years of being in the CISO and being in the forefront, especially during a time when that was really taking off, becoming an important role, to now, as your time, you're spending a lot of time on the executive board side. So a little bit of both sides, which I'm going to really use that knowledge that you have today. It's really how CISOs can be successful, what things you need to be measuring. What strategies should they be prioritizing?

So that's the main theme of today's episode. Then, also, what's the best way to communicate with the board, how to get their support to do the things that you really need to be successful. So what was your journey into being a CISO like? It was really in the early years of CISOs becoming established. What was that like at the time?

Myrna Soto:

So I will admit that my journey to become a CISO was not ordinary in any way, shape, or form, and I know that some of the listeners have probably heard this before regarding the importance of being a very business-centric technologist and a business-centric executive to be an effective CISO. In my journey, I actually started my career early on in the business. I was actually not in the technology space. Longer story for another podcast, how that pivoted to joining the technology sector and being part of a leadership group in technology.

But the early days of my career were not in cyber, and they were not security. They were more in product development, software engineering, and integration. Through working through a number of organizations, one in particular that was in the financial services industry, quickly learned that security in that industry was everyone's responsibility. So in a way, there was a significant amount of security experience that my technology experience would be able to provide, but I became a CISO kind of by accident.

date myself, this was back in:

Joseph Carson:

Oh. Yeah.

Myrna Soto:

It was before we even called it cyber, to be honest with you. But he asked me to take it over, and I was very hesitant. I kind of thought that it was a dead end, and, "Oh my God. This is going to be terrible." But it was one of the best career moves that I ever made that I didn't make for myself. I like saying that, because I was kind of forced into the role. It was incredibly insightful that the reason why I was asked to take that role was because I already had very strong relationships with all of the business leaders in the organization, and they felt that for me to culturally change the way people looked at security and was engaged in security, that that would be a very successful trade.

Hands down, it was and created an opportunity for me in the cybersecurity space ever since. So I truly believe that my journey as a business individual, then a tech individual, then security, kind of blending those three type of competencies really made a big difference. It was really about managing business-related relationships so that I could have support. When I wanted to make a change or force a piece of technology that we felt very strongly about that would improve our risk posture and our ability to defend the organization, it really came down to having these businesspeople rally around it and feel that they were a part of it, it wasn't a mandate, it wasn't a push down, et cetera. But that's my journey. In my last CISO role at Comcast, we kind of built upon that, and we even had what we call ISOs at the time-

Joseph Carson:

Oh. Yep. Yep.

Myrna Soto:

... and new organizations have them, as well, where there was a business liaison into very large business leaders and competency areas to bring that mesh together and that prioritization together. I think it's been a very healthy practice that many organizations have adopted.

Joseph Carson:

Absolutely. I think that's a really huge, important area, is that we're not there just to focus on technology and focus on securing the organization. It's really important for CISOs to have that business understanding and business... because ultimately, we're not there just for the sake of security. We're there to support the business value, and it's really important to be aligned. I think that's also why we're seeing a lot of the rise of the BISOs, as well, who are really focused, business information security officers who are focused. Organizations who have so many lines of business, that is really a challenge for one CISO to kind of be across all and also to have relationships into each of those different lines of business.

You find even things like pharmaceutical companies that might have hardware, they might have software, they might have chemical, bio, different divisions, and they need to manage them separately. So having people that understand each of those businesses is critical. That was actually one of my own lessons, as well, because for many years, I always assumed that I was a cybersecurity professional. But I realized very quickly that that's my skillset. It's not necessarily what I ... The result of what I do is about helping organizations become resilient. It's about understanding, how can you help the business be successful? How can you help the employees be successful?

Because ultimately, that's actually how you measure security, is the organization being able to continue providing services. Your background is that it's a really perfect mixture of having the business understanding and having a good understanding and great understanding from the IT perspective and then moving into security, because it just becomes another area of that protecting resilience for the organization. What were some of your top strategies or priorities? How did you look at your day-to-day? What would your day-to-day activity look like? Who would you interact with within your organization? So what would that turn into?

Myrna Soto:

So day-to-day was never the same. Day-to-day was never the same. Every day was a new day. While I sat in seat as the global CISO at Comcast, we had 54 different businesses, so to give you kind of the landscape.

Joseph Carson:

Wow. That's a lot.

Myrna Soto:

A lot of people don't realize that about the organization. I mean, it is a massive conglomerate. Most individuals know the organization for video distribution, high-speed data, et cetera, but we had ... I still say we. Once part of a team, always part of a team. We bought NBCUniversal. We had broadcast stations. We had media outlets. We had theme parks. We had retail. We had so many different things and things that nobody even knew that the organization was behind. So for me, I was very fortunate to have built an organization that had tentacles into all of these different businesses, managed a 24 by seven Security Operations Center that kind of governed and managed the entire enterprise and what we call the service delivery network that served about 26 million customers.

So my day-to-day would be very, very driven by current circumstances. Right? Are we currently experiencing a high volume number of alerts and events in the service delivery network? My interchange could be with my operations leader in that capacity, to dealing with our governmental affairs group, because we were actually influencing regulatory frameworks for the industry, to working directly with my chief risk officer for the corporation to run our risk posture. So the day-to-day varied a great deal.

I will say that outside of event-driven activity, because it will happen, outside of event-driven activity, my role was really about being a risk executive for the organization, to the point you made before. Managing priorities of the advancements that we would do technologically and procedurally, we're always overlaying that with the priorities of the business. When you have 54 different businesses, those priorities will fluctuate a great deal. It wouldn't surprise anyone that obviously, the higher-revenue-generating businesses, the larger entities that had a lot of consumer-facing and publicly-facing circumstances would drive a lot of the priorities.

But one thing that I coined many, many years ago and had every single member of my team carry this kind of mission statement is our goal was to protect the brand, full stop. Right? Protecting the brand could range from external security protections, to data classification, to identities and privileged access areas, et cetera, and really building a very analytical framework so that we could be very much educated on what the value proposition would be when we would adopt something, or to modify a procedure, or to adjust a policy.

So it really varied a great deal, but what I enjoyed the most is working with the different business leaders over time, which I felt was one of the ... it was a great ... I mean, it just, it validated all of the energy that we put in when I would have business leaders call me and say, "Hey. I want your team in this product definition meeting," or, "I want your team in this merger and acquisition discussion," or, "Hey. I want your team." The top of the top is when I would have business leaders speaking about the importance of cyber and protecting the brand without any influence. It was just like feather in the cap.

Joseph Carson:

That's fantastic, because I think, to your point, is that ultimately, we are there ... I've heard different variations, the brand protectors, to the revenue protectors, to the resilience side of things across how security is being measured today. I think you brought up a really important point, is when you get the business being proactive, that's really when you've made the change of not just doing security for the sake of awareness, but also doing it for actually, it becomes a part of the culture and DNA of the organization.

When you get to the organization having a security culture, that's where you get the business being proactive. They start reaching out, and they start wanting you involved in things like acquisitions of organizations or deploying new technologies or new services as new lines of business. They start being proactive, and the more proactive you get, the earlier you get security involved in that process, one is it saves a lot of pain later for many businesses. Because putting security on with the ... That's why I always like when ... talked about security by design. I really like that emphasis, and I also like ... My preference would be security by default. It's the default option, but security by design is important kind of starting point of that journey. The other thing you mentioned-

Myrna Soto:

I'll add to that. I apologize. I just wanted to ... But I will add to that, that that is kind of the precipice of getting the support that you need. Right? When you've built that culture, and you have the business leaders kind of thinking about security and outreach, now, when you're looking for resources and financial support, and you're trying to build a portfolio of activities to continue to increase the security landscape and to manage the risk posture, now, it doesn't feel like you're out there on an island by yourself begging for dollars and resources. You have that kind of relationship and that synergy. Just changes the dynamics.

Joseph Carson:

It becomes a shared responsibility in the end, as well, because ultimately, it's not ... Because a lot of times in the past, it's been finger pointing, "That's IT or security's problem. They have to deal with it," but we have to get over that historical assumption. It's not an IT, and it's not a security problem. It's a business problem, and we all have to have shared responsibility. We all have to work together. I really liked when you said that the business leaders and those who you were providing services to became advocates. That was a massive turning point even for me, when I realized ...

I remember doing, many years ago, it was the security awareness trainings, and I realized that actually, if the message is coming from me, sometimes, it's seen as from somebody else. If I can get people within the business to communicate it, and that was really the starting point of, we sometimes call them cyber ambassadors or security advocates. It's really those within the business who share it with their peers. They listen more. It's coming from somebody within the same vocabulary, the same communication, same speak.

I always find that that was much stronger message than it was coming from security, and if you get those advocates, if you get those ambassadors, that's where you really start realizing that yes, to your point, it becomes easier to get the resources and budget. Because they start realizing that it's helping them be successful, it's helping them be resilient. That becomes a major, major difference, especially for a CISO going to the board and being able to show that there's none of the silos anymore. It's about collaborating. It's about working together.

Myrna Soto:

Indeed. Indeed. My biggest advocate was the head of HR. He was just amazing. He would do videos for awareness, and you'd hear him on stage and make these comments. But to the point that you were just making, and I know we want to talk a little bit about the board dynamic, which is critically important today, is when those business leaders are now speaking on your behalf, when they're in presentation mode to the board, that's another really big step in building that shared collaboration, shared responsibility. It no longer becomes that team's responsibility alone.

Joseph Carson:

Yep.

Myrna Soto:

I think what many folks, those that interact with their boards, assuming that they have a public board, and even in a private board, they're seeing the board members look at this area very differently than they did 10 years ago, 15 years ago, et cetera. Every board member in America is being ingrained that this is a board-level imperative, that there is liability and responsibility at the board level to make sure that they are governing the organization's strategy and then governing the organization's priorities and risks to make sure that this is a top priority, while balancing all the other things that they have to do to be effective board members to a business.

So I kind of feel like this is a really big renaissance period for CISOs, for security owners, and other technological leadership owners in the boardroom, where it's not just, "Hey. Let's talk about the next fancy digital transformation or the next fancy blah, blah, blah." People are asking, "What are we doing about our data? What are we doing about access? How do we know how effective we are in our security program? What is our relationships?" Right? "What are our relationships with law enforcement, and do we have these opportunities to share knowledge, et cetera?" Super important.

I mean, I remember when I was a CISO, and I presented to my board, I was fortunate that I had a board member who came from the banking industry. Of course, the banking industry has been a leader in this space, and he would ask me some really great questions about the program and would allow me that platform to share what we were doing for the rest of the board. Now, as I sit in the boardroom, now I'm at the opposite seat, I'm leveraging that type of knowledge to assist the CISO and to assist others in being able to bring out their value story and their value proposition so that my fellow board members can appreciate the topical comments. What I've seen over time is I don't have to be the one to ask those questions anymore. Now, others are becoming much more comfortable with the topic and just as supportive.

Joseph Carson:

That's fantastic. I think you just probably reminded me of important area of convergence, as well, is that we can learn a lot. I think one of the areas that we're seeing is the security industry and the financial industry can learn a lot from each other, because in the financial side, they understand a lot about financial crimes, and how to measure it, and how to detect it. There's that convergence, because we're, many times, dealing with digital crimes, and the financial has a component. We've been too separated for too long. I think there's a lot to learn by understanding a lot about the financial side, because they have a lot of the insights.

Myrna Soto:

I agree.

Joseph Carson:

One thing I wanted to ask you about from the board side is that I learned quite a lot last year. There's a big difference between when you're presenting down from a CISO to the organization versus presenting up to the board. I attended a workshop last year with John Chambers, which was very insightful. I really enjoyed it. It was about quantifying risk, the workshop, and one of the things I was asking was about, what was his recommendations about presenting to the board? He said that typically, when you're presenting down to the organization, you have your, basically, slides. You've got your, basically, your summary, what you want to share. You've got your metrics about how you come to those conclusions, and then you've got your asks that you're wanting to get at the end.

John and his counterpart, Michael, were saying when you're doing it to the board level, don't start with all the fluff. He just said, "Get straight to the point, and present your asks. They have the questions. Then, people will ask for context later." So what's your recommendation? How should CISOs present to the board? How should they be able to get ... Because how much time do you typically get, maybe 10, 15 minutes maximum if you're lucky?

Myrna Soto:

Yeah.

Joseph Carson:

So what's your recommendations to communication and to really get the board supporting you in regards to the initiatives?

Myrna Soto:

Yeah. So as you may imagine, my response is going to be it depends, but I'm going to give you a couple of analogies and scenarios. First and foremost, for the organizations that I serve on the board of, luckily, they get more than 10 minutes. Because I make a pretty important topic, and our boards are very much inclined to how important this is. So that's a good thing, but it would depend. It depends on the maturity of the organization, and where are they in their journey? How much exposure has the company had to cybersecurity incidents? Have they had industry incidents for the industry?

In highly-regulated organizations, you're going to see a very different cadence, but John, incredible leader, love him to death, and he's spot on. Right? You have to be able to communicate to the board with less fluff, more of the reality of where we are as an organization. Oh. By the way, I often say don't be a weather reporter. Don't tell me it's not this and this, that, and the other. Give me a very good perspective of how you and the organization believes their posture is as far as defending the organization.

It's not always comfortable for CISOs to come to the board and say, "We have some challenges, and here are the areas where we believe we have some weaknesses," but I would encourage you to be extremely transparent about the reality of your posture. Some organizations want dashboards, and metrics, and reporting, and I do think that some of that is very important. Because there's a look-back period so you can understand, are we any better than we were before? But I would recommend a lot of that's appendix material. Right?

Joseph Carson:

Yeah.

Myrna Soto:

And it's-

Joseph Carson:

It's the end. It's the end. If you have questions, we can cope with that.

Myrna Soto:

Exactly. Exactly, but I would recommend presenting where you are from a cybersecurity posture, and what does it mean to the business? There are many different controls that we, as security professionals, care very deeply about, because we understand the domino effect of weaknesses. We understand the domino effect of different vectors that could become problematic for us to have vulnerability, respect. Trying to get your board to understand that domino effect and all of those different ... is very difficult. I think you have to keep it at a macro level, but with the appropriate asks and the appropriate planning.

In other words, it's fine to report that maybe it's cloudy in this area of the business, but, "Here's what we're doing about it. Here's where our priorities are." By the way, some of those priorities need to be process-related. Right? So we want to manage how many technological investments that you're going to present to say, "We're doing X, Y, Z." Now, we need those, full stop. Right? Logically, the more advanced our programs are, the more automation that exists, the more data and the analytics exists, the more important it is. But don't overwhelm your board with just technology, because what they're hearing outside of the boardroom is a massive amount of spend and not enough residual value.

That will lead you to the other component. You have to find a way, and again, depends on the company, the maturity, the industry, the sector, all of that, how do you articulate that residual value proposition? "If we do the following, we will improve our posture by X, or we will improve our ability to respond, or we will improve our ability to recover." I think that's a really other very important aspect when we think about our journey in security. We had the protection mode. We had the detection mode, and then we had response. I like to call it containment. Right? How quickly could we contain an event?

Joseph Carson:

Yeah.

Myrna Soto:

That's actually more important to me, as a board member, than whether or not I'm fully patched across the enterprise or if I have certain endpoints that kind of fall out of the control sector. So I want to know, how quickly can we detect? How quickly can we contain? Some of that, presenting to the board that you are open to the third-party assessments, I think, is super important. That third party could be one of your technology partners.

Joseph Carson:

Absolutely.

Myrna Soto:

I'm very aware that Delinea has had an opportunity to assist customers to say, "Here. Let's do an assessment of how you're managing privileged access. Here's how you can present the changes via technology implementation and process." So I think those are really important for the board members to understand.

Joseph Carson:

Absolutely.

Myrna Soto:

But last but not least, talk to them in business language. What does it mean? When you're able to articulate a scenario, what it means to the business, even if it's as simple as, "We are down from being able to operate for X number of hours-"

Joseph Carson:

What does down mean? What's the impact of the business? Does that mean the service we're providing doesn't continue? That service probably has a dollar figure tied to it. So you can calculate, "If we're down for X days, this is how much the business will lose from that."

Myrna Soto:

That's right. That's right, and turn the conversation. Yes. It is about securing. Yes. It's about defending. So turn the conversation to resiliency so there is that kind of gravitational lead-up to resiliency. But I do feel, and I have to say this, this is not a commercial, but I do feel that many CISOs, I say CISOs, CISOs, other leaders in the stack have a huge opportunity to talk about kind of the root cause of issues. Right? So we have incidents with a root cause and out of all of the breaches, you end up coming right back to an access issue. Right?

Joseph Carson:

Yep.

Myrna Soto:

If you were able to manage that access, you could immediately share with your board, "I can prevent this by X percent, because the access route will be managed, contained, restricted, opened up for business, et cetera." I think there's a huge opportunity to talk to your board in that context.

Joseph Carson:

Absolutely. Absolutely. I think if you can look at, even look at the Verizon Data Breach Investigations Report, it shows over the last 10 years of cumulative, of all of the incidents that they have analyzed, one third of those comes down to identity-related compromise.

I always love when Jason Haddix talks about the Ubisoft breach, that basically, the massive cost to Ubisoft of that breach resulted from, basically, a stolen credential that was sold on the dark web for something like 10 bucks.

I mean, that's, it comes shocking that that entry point leads to a massive impact to the business. One of the lessons I've learned over the years is that I was fortunate enough when one of the industries I worked in was into emergency services, and this is how I always relate to the impact, is I worked for the ambulance service for many years. To your point is that when somebody calls the emergency number, how quickly can you get an ambulance to that person? That becomes, basically, a massive service level, and on average, if the ambulance didn't make it to that person in 21 minutes, this is always something that's always ingrained in my head, these SLAs, 21 minutes was a massive difference between the likeliness of that person dying and surviving, 21 minutes, ambulance getting to the scene of an accident.

Then, you have the ... to what services that ambulance can provide, the detection, the capabilities of remediation to provide. Then, there's another SLA of getting that person to the emergency room. How quickly can you get them to the emergency room? Then, of course, that's the, basically, what's the operation procedure to get that person into stability? So I always use those scenarios. Even the fire service, as well, have the same thing, is, how quickly can that detector detect smoke?

If you can detect smoke earlier before the fire happens, then you minimize the impact that that ... the damage you can have from a fire. So you can always get into, is thinking about, from a business perspective, is, what's the potential business impact, or what's the impact of the service you're providing, and leading to that. "If the business was down for one day, here's the amount, and here's our confidence level of our current capabilities, is that we can detect it within an X amount of time. So therefore, likely, the business could ..." Even ransomware cases I worked on, a large transportation company, the impact of ransomware to their business was that they had a business complete stoppage for one month.

Myrna Soto:

No way.

Joseph Carson:

They could not provide any services for one month. So that was their financial cost to that business, was one month of services, and that runs into the millions. Then, you get into, they had partial services for two more months, meaning that they couldn't provide a lot of the full capabilities. So there's that hard financial cost, and absolutely, what you're ... If you can lead with that, that's ... If you can have more resiliency, you can reduce that time down. If you have better detection, you reduce that cost down, as well.

Myrna Soto:

Agree.

Joseph Carson:

That's really, I think, what you're mentioning, is the business understanding helps you narrate that to the executive team. It helps you communicate and get the point across. So if you can talk in business terms, it's a huge advantage for CISOs.

Myrna Soto:

Yeah. You summarized it perfectly, and I would encourage CISOs to have those conversations with their board. It could very well be a combined effort with whoever is managing enterprise risk and kind of having these scenarios and a pulse check. I mean, we assume a lot. As security leaders, we assume a lot, and it will vary by industry. It will vary by maturity. It will vary by impact on the regulatory frameworks, et cetera. I can easily say that for one of my organizations that I serve on the board on, we've had this discussion and basically built the thresholds to say, "We cannot have an outage of X period of time. We cannot have this function be out of service for our customers, and this, that, and the other."

That provides the context for boards to understand, "Okay. Well, that little chart with that mean time to detection, and the incident rates, and this, and the other, yes, very important, but what does it mean to me? Does it mean that we would be in trouble if we had an incident?" So having that type of conversation and then having your board members and your executive committee react to their tolerance thresholds. Right?

Joseph Carson:

Yes.

Myrna Soto:

Don't be surprised if someone may particularly say, "Well, I'm okay if we had a 12-hour incident." None of my companies would've written that, but I'm just saying, there could be one. But the reality is that things are going to happen. We know that the resilience is the most important item, but then, you're going to have to address, which I know everyone that's listening, this is what they do day to day, you have to address, "What are the things that we can do to minimize our probabilities?" I will go back, and the statistic that you just shared, thank you for sharing it. It comes down to access.

I mean, we could do a thousand different things, but if we're not managing our access to some of the most critical functions, applications, I'll call it machine-level accounts, it doesn't necessarily have to be a human being, that really has such a large swath of increasing your probabilities of being successful and that being in that incident range to begin with. I think that that's a really good way, because board members will hear things like, "This is a war we're never going to win." Well, okay. I think you're right. We're never going to win, but we have to be prepared. We have to manage our risk profile and our probabilities.

Joseph Carson:

Absolutely. How much does it take for the business to survive-

Myrna Soto:

That's right.

Joseph Carson:

... and continue, and how much are you willing to put aside in those situations? So you're going to get the financial safety and that of cyber insurance, or cyber... or other mechanisms to help you make sure you've got enough to cover the cost. You look at the average cost. It's like in the millions. We look at some of the larger breaches, it's in hundreds of millions. So there's a massive financial impact if organizations do get breached.

I think also important, when you talk about those initial compromises, many organizations, they sometimes overfocus on the front door of the organization, the initial access. But when we look at, actually, the majority of the major impacts to organizations is on the internal of the networks. They don't segregate, let's say, you know, users from privileged users. They don't have a good separation of duties in that area. Ultimately means, when that initial access is breached, organizations sometimes make it too easy for the attackers to move around, to laterally move, to elevate privileges.

That's the big area that causes the most damage, is when they gain access to higher-level accounts that has access to sensitive data, that allows them to exfiltrate that data out, to deploy malicious software, and to bring the organization to a complete standstill. To your point, I really like when you mentioned the domino effect. It literally is that. That initial access is that domino first falling. But what's the last domino, and how big is that domino when it falls? What type of financial impact does that domino that falls at the end have to the business?

Because that initial access might be a stolen credential or a compromised password, but that domino at the end might be your ERP system. It could be a third party. It could be your entire, say, if you're a law firm, it could be all your intellectual sensitive notes on your clients. So what's that thing you're protecting, and what's that thing that's right at the front that can lead to that?

Myrna Soto:

Yeah, and I'm going to predict, I don't do this too often, but I'm going to predict that as I look at kind of the ... We're talking board level interactions and this, that, and the other this way. I want to make this statement. I'm going to predict that with the recent disclosure changes that the SEC is requiring of companies to do, there are a number of things that are going to happen. One is just the fact that there is a mandatory disclosure on materiality, there's a mandatory disclosure on describing your program, I predict two things.

One is, not yet, because there hasn't been enough time, but I predict that there are going to be, I'm going to call them pundits. There's going to be entities out there that are going to be reviewing the descriptions of cybersecurity programs in their case, and they're going to basically say, "Hey, company X, Y, Z, what are you doing about access? What are you doing about credentials? What are you doing about rights of privileged users within your organization and," you mentioned it, "third parties," right, "the third parties that actually interact, et cetera."

So right now, there's a varying level of detail in the program summary that is being pushed out there. That's okay, because there's no reason for you to give your external adversaries too much information that could be weaponized against you. But I do predict that there's going to be a little bit of a tug of war on asking questions around these things, and the reason is that as companies continue to disclose incidents, and companies continue to disclose that the root cause was what we just said, a credential that was harvested, compromised, lateral movements within the organization, and the ability to penetrate certain systems, it's going to have this cycle effect to say, "What are you doing about this control point?"

Joseph Carson:

Absolutely.

Myrna Soto:

The second prediction that I have is there's going to be a little bit of a tug of war around the degree of information that the board is going to ask for. It's going to go from my recommendation of keep it macro, keep it business-centric, and then there's going to be the firefight where there's a problem. They go way down into the weeds, and the boards are going to be asking very specific questions like, "Well, how did we let that happen? How didn't we let Joe Smith, privileged access user, how did we let that credential do as much as it did for as long as it did without knowing about it and without being able to contain it?" Right? Now, I predict that those are going to be some of the things that are going to be pushed full. We'll see what happens with some more SEC-related disclosure requirements. For the listeners that are out there, this is a hard topic. Right?

Joseph Carson:

Yep.

Myrna Soto:

Because we have users that do a ton of work for our organizations that have elevated credentials, and they feel very strongly they need these credentials to do their jobs. The last thing that we want to do is have them feel that they're being handcuffed.

Joseph Carson:

Reducing productivity so they can't do their job.

Myrna Soto:

Exactly.

Joseph Carson:

Sometimes, that's a cultural, behavioral change sometimes. They can still do their job, but it might be just through a more controlled method.

Myrna Soto:

That's right.

Joseph Carson:

I think one of the things, two massive rising trends that I've seen in the industry is the identity security posture management, which is a massive area of organization wanting to know, what is our current posture of managing identity? So that's a converging of multiple technologies, privileged access, to GRC, to IGA, to all of those converging ITDR, coming to get people to, what is our current posture today?

Then, the other area of massive growth I've seen becoming a big topic is data security posture management, is, "Okay. Now we can focus on identities, is, what's our current status on data?" It's not just about thinking about data encryption, and data privacy, and data security, but it's ultimately understanding about, what is the valuable data? What's the assessment we have, and how do we make sure we protect that?

So those are two areas I'm seeing on the massive rise and being very topical, because it is a converging area. But they realize that it's all about in the world we live in today, where it's moved from bring your own device, to bring your own office, to bring your own identity. That's, how do we protect the valuable resources for organizations? It's all about understanding the identity and access and understanding the data, and how do you make sure that people can stay productive but in a safe way?

Myrna Soto:

That's right. That's right, and the correlation between identity and data, not only from data collection, utilization, et cetera, but that correlation of the, and I'll use the term heuristics ... Right?

Joseph Carson:

Yep.

Myrna Soto:

... the, why is this identity actually either utilizing, extracting, moving, whatever you want to call it, this layer of data elements, and that that should be an opportunity to monitor and understand a little bit more and learn the analytical behavioral elements of the variety of credentials and identities. I think that those two areas are critically important for any program, and really, if we think about where our infrastructure is going, has gone and continues to go, those elements are going to be critical for us for the next decade or so.

Joseph Carson:

Absolutely, and everything's moving to just in time. We just in time everything, just in time infrastructure, just in time code, just in time access. It's all moving to as we need it, a bit like the logistics and supply chain industry move to just in time. As people need it, we add more resources, just like electricity is. The more you need, the more they can provide. That's where organizations are getting to, because it was much more of that you're not overspending. You're just consuming just as much as you need to from a resource perspective.

It's been awesome having you on. I would like, for the audience, to ... What resources do you use? Is there any books that you recommend or ways of how you keep up to date? What resources do you recommend the audience in order to help them find what's something of educational or that they can leverage to be successful in their career?

Myrna Soto:

So I'm an avid reader of any security-related newsletter. We get bombarded by many of them, but I'm an avid reader. I spent at least an hour a day just going through kind of recent posts for the various periodicals that all of the listeners on this podcast will be familiar with. But to add to that, I spend a lot of time educating myself, and I would encourage the readers to do so, as well, is read about things that the National Association of Corporate Directors puts out regarding cybersecurity. You don't have to be a member to get access to some of the publications.

Also, be very familiar with the enterprise risk management principles. I do think that that's an area where a lot of CISOs can interact, the principles of ERM, the way your company articulates ERM to the board, and to be able to weave yourself in there if you're not already in there. But last but not least, I've had a number of, and I won't name one, because then I'll hurt another, but a ton of really great CISO books this last year and a half.

Joseph Carson:

Absolutely.

Myrna Soto:

It's always great to understand what people have been able to manage through in their lessons. So for your listeners, I think, though, there's a plethora of data. I think if anybody went to RSA, they saw the publication, and they were able to pick up on this, but current ... I read the Homeland Security Newsletter, super important for me, because of my critical infrastructure pieces, to understand what's happening, what the intelligence is there. Those of you that are part of the ISACs, again, another very consumable method of knowledge sharing. We're not short of those opportunities. But last but not least, there's nothing more powerful than collaborating with your peers. It really is the most-

Joseph Carson:

Absolutely.

Myrna Soto:

It's most-

Joseph Carson:

Networking. That's actually been one of the things, is, for CISOs, having a good community and network around you is so critical, and having people to go to for advice. Even for myself, there's always people I've met over the years that I'm always going to. If something that I know that they have experience of, had knowledge of in the past, then I would go to them. I think it's one of the most powerful things.

I remember sitting around a table with law enforcement, and it was all about parents and children and law enforcement, how they can protect kids at school. I think one of the things that came to mind, I was put on the spot, what would ... piece of advice I would leave the audience that would make a difference tomorrow. It was not to be afraid to ask for advice. It was one of the things, and I think that's key today, still, is have people you can go to who are your mentors, who can give to you. The community is what provides that. I think it still exists, and it's still very powerful. I think most of us, even myself and you, we probably have peers that we've worked with over the years that are our go-to people.

Myrna Soto:

rd to doing a few more before:

Joseph Carson:

Absolutely. If anyone has any questions or would like to contact you or reach out for advice, what's the best way for them to contact you?

Myrna Soto:

Best way to reach me is on LinkedIn.

Joseph Carson:

Fantastic. So we'll make sure that ... Well, if it's okay, we can put your LinkedIn onto the show notes at a later stage.

Myrna Soto:

Awesome.

Joseph Carson:

So many thanks. It's been awesome having you on and really enlightening. For me, this is an area that I want to learn more about, is more that kind of board interactions, more about how to be successful, and just learning from awesome people like yourself. You've been a rock star in the industry and really setting that ... For people out there that's aspiring to be a CISO, that you're really showing them that that's a journey that they can go on. So many thanks for being on the show.

Myrna Soto:

No. Thank you. Thank you, Joe, and thank you for all you do. This podcast is amazing.

Joseph Carson:

Many thanks. It's a pleasure, and for the audience, this podcast is created for you. Delinea have enabled me to deliver these podcasts on a biweekly basis, so every two weeks. I think we're close to, well, over 115 episodes now, so it's pretty amazing, and with over 350,000-plus listens over the years we've been doing this.

So really want to make sure that we're continuing to bring awesome guests on to share their experience, share their knowledge, to help take you on a journey to help you be successful. So again, tune in every two weeks. Subscribe to the podcast. Go and take a look at us on the website. Check out all the other resources we have. Stay safe. Take care, and all the best until the next show. So all the best, and thank you.

Myrna Soto:

You, too.
