The journey for someone to the role of Chief Information Security Officer (CISO) isn’t often straightforward. Take Sandy Dunn, for example. Per SailPoint, Sandy started as a paper delivery kid at 10 years old. She then worked her way through software sales, insurance, and even horses before becoming the CISO of a health insurance provider in Idaho.
All these “entry-level” jobs share one thing in common. They gave Sandy the experience to fulfill a CISO’s multifaceted responsibilities. But don’t just take my word for it. Check out my conversation with Sandy below.
"One skill I think every CISO needs is business acumen."
Joe Pettit: Thanks for taking the time to speak with me today, Sandy. I would love to hear some of your views on the role of the modern CISO. How is it changing, and what are the essential skills that a CISO should have now?
Sandy Dunn: The required skills for a CISO is an interesting question. Every business is different, so really every CISO role will be slightly different with different expectations for where they fit in the organization. One skill I think every CISO needs is business acumen. You need to be able to understand how security fits into that specific business. Having some level of technical skills is important, too. It helps you with effective communication with your cybersecurity team about issues, tools, proposed remediation, and then to be able to explain everything they just told you back to the business or put it into a business context. Technical knowledge will benefit you in understanding the severity of a problem, too (independent of the volume of the voice who is bringing it) and determine if a situation is a one-alarm fire or a five-alarm fire.
"...one of the things I really had to learn and continue to work on is communicating in business terms and not to overwhelm people with technical details and information."
For example, an IT administrator I work with was certain she had a crisis with separation of duty and too many network privileges. We scheduled a meeting to review her concern. Understanding the technical details of the issue helped me to address what she was worried about and provide guidance. (It wasn’t a crisis.) CISOs come from many different backgrounds. They can come from IT, compliance, legal, risk, or general business. To be effective, they build their skills in the areas they have less experience with. Then you have to work on good communication with each of the unique areas. That is one of the things I really had to learn and continue to work on is communicating in business terms and not to overwhelm people with technical details and information.
JP: That's a really good point. You have to know your audience. Consider a Chief Financial Officer. That person would have a slightly different language than a CISO. You need to be able to translate those other languages. If you were looking to build a new security program or even rejuvenate one that you're working with, what are the three or four areas that you would tell organizations to focus on?
SD: When I talk to a business about getting started with cybersecurity, I try to keep the conversation simple. I start with four questions: What do they need to protect? Who do they need to protect it from? How are they going to protect it? And who's mad if they don't—that is, what's the impact? With answers to those questions, you can start building out a strategy.
JP: That last one is important, as well. If something goes wrong, you have to break the incident down, go into incident response, and know how to respond.
"He explained that they were a startup, using their personal computers connected to cloud services without any established security controls."
SD: For impact, I ask, “What is your worst day? What is the absolute worst thing that could happen within your business?” That typically helps people wrap their heads around impact and how to start thinking about security. I had a recent experience was with an acquaintance outside of work where they learned about impact the hard way. He contacted me with questions about the next steps after a recent cyber-attack. Their organization had a business email compromise attack, a scam where someone got into their email system. The attacker understood their business language and inserted themselves into the middle of an email exchange with a supplier and submitted a fake invoice for $49,000. The money was transferred and not discovered for two weeks, and by that time, the money was gone. The CFO of the victimized company didn't know where to get started. My first question was, “What security controls are you using for email?" He explained that they were a startup, using their personal computers connected to cloud services without any established security controls. I provided local FBI contact information and links to small business resources to help him get started with the investigation and cleanup. Losing a large amount of money is a worst day. Hopefully a learning opportunity they use to invest in protecting themselves from future incidents.
JP: That situation is probably more common than any of us think in such small businesses and how they must manage what little resources they have. They can't have a CISO or a dedicated security person. So, a lot of the time, they go in blind, and then they end up in trouble. I think that is a challenge for a lot of small businesses.
SD: Definitely, and an example of how business needs to think differently. A physical warehouse has a smaller attack surface than a network, and everyone recognizes the importance of having locks on warehouse doors and hiring a security specialist to install the locks, fences, and gates as well as paying them monitor warehouse security. They need to think about protecting their network from attackers in the same way, using the same level of caution on their networking and internet connections where the risk of being attacked by sophisticated attackers is more likely and will cause more financial damage.
JP: That's interesting, as well. You talk about pointing systems into the cloud without any protection. Along with that, cyberattacks are changing constantly. What do you see as the biggest threats, whether it's small businesses or enterprises? What do they need to focus on right now?
"When something is not designed to be secure, adding security later is complex and always flawed. We shouldn't be a surprise there are a few problems."
SD: To me, Joe, the biggest threat is the massive amount of vulnerable code in all of our systems that we depend on. Some of it new, some of it old, some of it buried in legacy code which is really hard to fix, and most of it part of the software supply chain we all share. People act like vulnerable systems happened suddenly, but the reality is we have spent the last 35 years developing bad code, building an internet of connected system not designed to be secure, and then bolting security on to it. When something is not designed to be secure, adding security later is complex and always flawed. We shouldn't be a surprise there are a few problems. Most attacks are financially motivated, which is a computer security issue, but it is also a human issue, and people stealing from other people has been around for as long as history, so again, not sure why we are all surprised.
JP: I think one of the things that links all these things together is speed. Everyone wants to be the quickest—especially with businesses. They want to get their products out quicker than the competitors. So, if security is slowing them down, it becomes an afterthought.
SD: That is the needle we need to move, making sure discussing security is not an afterthought discussion. On a podcast last week, I was asked about a news article discussing the U.S. federal government giving itself a bad grade around the quality of their security. Obviously, bad security anywhere is terrible, but I think they were surprised when I focused on the positive, which is they did an audit. Auditing security controls is an example of people moving forward from security discussions as an afterthought and developing better practices. Auditing controls should be part of programs, and it should drive behavior within the organization as long as it's not box checking. Box checking just adds bureaucracy and can actually do more harm than good.
JP: Exactly. In fact, my next question is about compliance. So many organizations satisfy compliance at a basic level, assuming that security will take care of itself. Obviously, that is the wrong attitude to have. What advice can you give to those organizations that confuse compliance with security?
SD: It's important to recognize security controls are situation-dependent, being compliant, and being secure are not the same thing. Compare adding security controls on a network to adding security features to a car at an auto manufacturing plant. If someone asks what security is needed for a specific car, the first question should be, “What are you trying to protect?” Then you evaluate the level of protection required to meet that specific purpose. For example, a car built to protect a family on a road trip will have different security features than a car built to protect the leader of a country. You have to understand the problem before you start applying the right security controls in the right places and for the right reasons.
JP: That’s a really good example in terms of how to look at the business. When thinking of formal frameworks, what advice would you give organizations on where to invest most of their time? I know it depends on the industry, but I'd love to hear your thoughts on it.
"All the various tools an organization uses should help an organization prioritize, keep a direction, and focus towards a target."
SD: I am a heavy adopter of frameworks. Metaphorically, a framework can act as an organization's global positioning system. It helps an organization understand and measure the state and comprehensiveness of its security program. It also allows a company to compare its progress compared to that of others. It's important to recognize a framework is a tool, and following a framework doesn't mean an organization is necessarily secure. All the various tools an organization uses should help an organization prioritize, keep a direction, and focus towards a target. It's a guide.
Building from a standard framework is very helpful in a heavily audited environment. It helps provide one central list of all an organization's controls, which can be cross-mapped to other control frameworks for any audit question specific to a different framework.
JP: I agree, and I think it's great that there are different frameworks that can apply to different industry verticals and organizations of different sizes. That leads a bit onto the next question, as well. When communicating a security investment with stakeholders, what advice could you give CISOs to get buy-in?
SD: It's a great question. The difficult challenge is getting buy-in without a significant security incident at your organization or in the news headlines at another organization. The business security investment should be strategic by building on the overall IT strategic investment. Then you get buy=in with solid numbers and data which align with the business strategy.
There are some great tools, and it's easy to be smitten by an amazing dashboard or a promise of a "single source of truth," but tools do not fix a broken process. Much of the work to fix a broken process happens in the trenches with a pen, a notepad, or a favorite text editor.
I was drawn into the technology field because I loved technology. I was just a nerd and was fascinated with it. I have really come full circle, and I recognize that something as simple as knowledge management is critical to the success of a business, especially around cybersecurity. Really look at how cybersecurity is communicated to people in the organization. Do they know what security practices they should be following? Can they solve a problem or find answers to security questions themselves? Then look within the cybersecurity team. How is the organization's cybersecurity knowledge being shared? Is it captured for reuse, or is it lost until the next crisis?
JP: That makes sense. Quite often, employees are considered to be the weakest link, which isn’t fair because they should be the strongest allies. What training, do you think should be offered to team members, whether within the security team or just in the organization in general? What should be those main areas of focus?
"I have never liked that “weakest link” statement..."
SD: I have never liked that “weakest link” statement, either. I think it is a negative view of employees. My experience has been investing in security awareness for employees benefits the organization and it benefits the employees. Of course, annual awareness training to refresh the basics for all new employees but also adding other training throughout the year will really embed cybersecurity into an organization's culture. We plan employee-focused events for October's Cybersecurity Awareness Month and monthly topic-specific, employee-friendly videos throughout the rest of the year. The topics include how to protect their information, their families, their financial data. If we build better security practices focused on what employees care about, they bring those skills back to work.
I also work to break down any barriers between cybersecurity and the rest of the organization and focus on effective communication. If someone doesn't know something around security, I'll own that. That's a failure on our part. If someone did something maliciously or intentionally, that's a different conversation. If something happens by accident or because someone didn't have the information, that's a failure on my part. I need to look at that and understand what I need to improve. Is it missing in the onboarding training? Was it the style of communication? Was it too technical? Did I fail to break it down to an understandable point? One of the areas of improvement we have been working on this year is revamping policies, standards, and guidelines into human friendly language.
You want to engage people and build the human firewall. My experience breaking down barriers and engaging people has been positive. I have found most people do care, and they want to help protect their organization. Yes, there are some rotten apples out there, but the number of people who care and will help you secure your business far exceeds the number of people who are malicious or who have ill intent.
JP: What you've described is great advice in terms of trying to build that positive security culture where people take ownership of what they're responsible for. If you can build that culture, it's only going to have a positive effect on the organization. That leads to the last question I have. Is there anything else that you have worked on directly with your team to build that positive security culture within the organization at large?
SD: Embedding cybersecurity with the development and testing teams. Again, focus on breaking down the barriers. The reason I embed cybersecurity with them is to build trust and have open conversations. The outcome is transparency, collaboration, and building security into the development process with a solution that meets security objectives and development objectives.
JP: Thanks for chatting with me, Sandy.
SD: My pleasure. Thanks for having me.