The role of the modern CISO is more than understanding the technical side of the business. In fact, the role consists of even more than understanding the business side of the business. When I spoke with Ian Thornton-Trump, he was able to shed light on how important effective communication and team-building are to the overall success of a modern CISO. His insights can be valuable to any person currently in a CISO position and also to anyone looking to embark on the path to becoming a successful CISO.
Joe Pettit: Great to have you here, Ian. I would love to hear about your journey into cybersecurity and ultimately how you became a CISO.
Ian Thornton-Trump: My journey began with military service. A big part of my life was around the Canadian forces, and then I did some work with law enforcement. What I saw certainly from the law enforcement perspective was a digital evolution of criminality and cybercrime. There always seemed to be some component of crime that related back to technology, be it a harassment investigation or some of the darker things that occur on the web. In 2015, I was offered the opportunity to join a startup in Edinburgh, Scotland. That is how I ended up as the CISO of Cyjax Limited. I have always been interested in the idea of being a security evangelist and talking about what the issues are.
My thoughts have moved now more into the leadership, management, and strategic issues that cybersecurity is going to face in the next three to five years. So, when I had the opportunity to work for a giant financial corporation in the deputy CISO role as the head of architecture and internal security consulting, I took a moment and realized that it maybe was not going to be what the future should be for me, because obviously the larger the institution, the more likely it's going to be a lot more conservative. I'm a bit outspoken on some issues, so I didn't want to be constrained. That is why I chose to join Cyjax. They are very supportive of all of my extracurricular community support. For example, they encourage the work I do for CompTIA, The Beers Farmers, and even other brands in the industry.
When I think of the topics that I like to talk about and write about, it was a natural evolution. Along the way, I had some really great mentorship, some really great leadership from bosses above me. That inspired the confidence to just sort of metaphorically grab my parachute harness and jump out of the plane.
JP: That is an interesting story, and it leads nicely into the next topic that I would like to hear about. You are a modern CISO in the sense that you have technical skills along with communication and leadership skills. You understand the challenges of being in a high-profile position in the industry as well as sharing your knowledge and information. While those are prominent as part of your role, what hidden skills would you recommend for a CISO to have in order to be effective?
IT-T: As a person moves up the management tree, thinking strategically and being mentally aligned to the direction of the particular business are very important. For example, if the business is embracing digital transformation, your team needs to be up-skilled and prepared for that. The next part of the mission there is to make sure that the right tools are in place. Understanding what tools and foundational components are required to deliver a digital transformation exercise successfully and securely is vital.
A really important part of the job is to put yourself out there. We used to look at the CISO and even the compliance team to a certain extent as almost back-of-house resources. Now, they need to be pushed forward. They need to be in those meetings where the organizational goals and aspirations are realized and discussed. If you're a CISO and you're not talking to the project management office, legal counsel's office, the procurement team, and even sales and marketing to understand what they are doing, that can leave you as an outsider. If you schedule your vulnerability management program so that it doesn't impact quarter closes and the sales efforts, you can really become a trusted leader with the organization instead of an outlier. Doing that incorrectly can lead to potentially difficult interdepartmental relations within the organization. It's been a huge journey of starting to see the organization from other departments’ perspectives. That's probably the biggest concern.
The challenge of the future is trying to explain, in relatively easy-to-understand terms, what is at risk within the organization as well as what you are doing to protect your customers, your supply chain partners, and even your employees. Because it's not just about protecting the business anymore. It's about protecting everything to do with the business. We saw this during the digital transformation and the pandemic. All of a sudden, the IT support team was effectively supporting hundreds of branch offices of remote workers using technology that they may not have been trained on. They may not have even had a level of comfort with the technology, and they may actually have identified key technological problems with your own infrastructure as a result of that sudden digital transformation. When you look at it, you have to behave like a multitasking CPU that can track all sorts of different initiatives and programs within your business as well as try to insert security in a kind and compassionate and effective way to lead that business and protect every component that goes into that business.
JP: It's a tough job, that's for sure. The communication part is so important because there are going to be so many things that you need to translate to people that don't understand cybersecurity. One of those things is cyberattacks in general. Based on your experience, how are those cyberattacks changing at the moment? What are the biggest threats to companies, and how do you actually communicate that with the rest of the organization?
IT-T: I think there's going to be a huge transformative moment. When you consider that the average exploitable vulnerability being exploited by commodity-level actors is five to seven years old, that is astounding. It indicates that asset management is probably one of the key areas where things are falling apart. We've built this sort of house of cards, and we're not managing it to success. We're forgetting about parts of the business and letting them atrophy. So part of it is getting a grip on that infrastructure and effectively managing it. The other key area to understand is that we're in a very dynamic space right now with all of the different challenges that the businesses have.
A more forward thought is to strategically consider what's around the corner. For instance, how is 5G technology going to impact your organization? Is it looked at as an opportunity space for your organization, or is it something that is fearful for the organization? You need to be in the room where the compliance issues are discussed around that in order to make sure that whatever the business is considering buying meets your security requirements.
It also includes the basics such as how a company can respond to a security breach. The bad guys continue to victimize everyone. As a CISO, you need to be dynamic in response.
JP: I agree. One of the things as well that is on the radar of a lot of people, particularly in the last 12 months, is supply chain risk management. How do companies typically manage this supply chain process, and what best practices could you share with a CISO for companies out there?
IT-T: Well, you know, the majority of this comes back to the advice about being in the room with the procurement efforts and business organizational strategies as well as all the other business teams. When you look at it, every sort of attack is a supply chain attack. Unless you're manufacturing an operating system, there are going to be vulnerabilities. Being intelligence-led as an organization makes a huge difference. Being aware of what is going on with your top customers. What is going on with your top suppliers? What is going on within your own company? I remember being part of a billion-dollar financial institution, and I was able to figure out the latest divestments that the company was making based on a few public alerts that I monitored. This had a huge impact on cybersecurity and the IT team. That awareness, along with being intelligence-driven, can make it relatively easy for you to gain awareness of what is going on with your customers that could impact your business.
One thing that CISOs can pledge to themselves in 2022 is to gain awareness of not only their own “ship in the ocean” but all of the ships in the ocean that help supply what their organization does so that they can build out on that.
JP: Yeah, definitely. To go a level deeper into this, as well, talk to me about creating a positive security culture. There are so many threats that companies face, whether it’s someone unwittingly holding a door open for an intruder, phishing emails, a supply chain management compromise, or anything in between. What direct tips can you give to organizations or other CISOs on how they can build a positive security culture, not just in the security team but for the whole organization?
IT-T: The exporting of cybersecurity culture and awareness is deeply flawed, and it has been for a really long time. If your cybersecurity awareness program is focused solely on not clicking links, when actually the majority of your employees click links all day long as part of their job, you're going down the wrong path. Threats are not generic anymore. They're targeted. So, if you're thinking that a generic security awareness program is going to protect your organization, I think you're wrong because the bad guys are looking at your procurement function, your corporate counsel's office. They are breaking it down and trying to customize their attempts to breach your organization by targeting the areas of your organization that appear to them as being the most vulnerable.
For instance, in marketing and sales departments that have a high rate of turnover, companies publicly advertise the available roles. As a threat actor, you could go in there and do a little bit of red team reconnaissance. It's pretty easy to detect if certain departments within your organization may be in shambles, and any sort of indication of a lack of communication inside the organization creates a magnet for an attack. That type of knowledge doesn't get covered in cybersecurity awareness training very often, if at all.
Customizing your cybersecurity program based on threat models that are going to be targeting your particular organization is really the way to go, and it is really the way to build an effective security culture. The training has to be more comprehensive, and it has to address the actual types of attacks that your organization is facing. It also needs to underscore why everybody needs to participate and be engaged. This is something that I'm finding the generic cybersecurity presentations really don't cover, don't go into enough depth, and don't really have any meaningful value. People are just clicking through the slides and not really taking anything away.
JP: Yeah. And that can offer a false sense of security. Hopefully, if a company has the right leadership in place, they can use that material to inspire, encourage, and educate the employees. What are the main challenges now that CISOs are facing on a day-to-day basis? Also, looking a bit further ahead, what do you think those challenges are going to be in the next few years?
IT-T: One challenge is building the capacity in your team to deal with both the fallout from digital transformation and the next digital transformation efforts that your company is going to embark on. The high level is to align your security strategy to support the organization's business strategies. This is pretty easy in theory but hard in practice. It means you have to go and talk to people. You have to engage them in a conversation about what is best for the entire organization rather than individual departmental concerns.
The opportunity that a CISO has right now is to look at every day as almost a fresh new slate to begin and focus on continuing to build those relationships. You're going to need friends in the organization if you have to suffer through a data breach. Without those allies, without those key executives who believe in you and who will support you and can rapidly get you the resources that you need, chances are you'll have a miserable time recovering the business effectively.
JP: Were there any other goals you wanted to talk about or discuss that we didn’t cover?
IT-T: Training, training, and more training. As you move up in the ranks, the things that will distinguish you from others are not self-congratulatory actions. It is really about your ability to connect with people that you may need immediately and the folks whom you may need tomorrow. Whether it's an external contractor resource that has expertise in a particular area or within your own organization, figure out what kind of training and mentorship plan you need in order to be an effective problem solver and management team member. Your job is really about managing the organization to success in the areas that you're responsible for, but it's not an exclusive silo.
You can always lend a hand or resources over to another department that might be struggling a bit. No one has everything that they need from the organization. There are always some things that are lacking, so if you can go in and create a cybersecurity program for procurement so that they can ask the vendors the questions that will help the compliance team, the risk team, and even the operational cybersecurity team that you might be responsible for, that's a huge step in the right direction.
JP: That's really good advice. I want to thank you for your time and your insights.
IT-T: Always a pleasure, Joe.