Dr. Eric Cole, former CISO and founder of Secure Anchor Consulting, explains how learning to communicate with business language can create a more compelling case for executive buy-in.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I'm Tim Erlin, vice president of product management and strategy at Tripwire. Today, I am joined by Dr. Eric Cole, who is a former CISO and founder of Secure Anchor Consulting. We're going to spend a little time today talking about the importance of communication within cybersecurity. Welcome Eric.
Dr. Eric Cole: Thank you for having me.
How Communication and the CISO Fits into Infosec
TE: I want to start off with a straightforward question: why is this topic of communication an important part of information security as a whole?
EC: To me, it's so important.
Very often in cybersecurity, we forget that we need to communicate to different people who speak different languages. I know many world-class security engineers spend their day talking to other world-class security engineers, but when you then have to talk to executives, business leaders, and managers, they speak a different language. And if you don't understand their language and learn how to communicate, you're not going to be very effective at accomplishing what you need to, which is securing the organization.
TE: Does the flip side of that also apply? Like if you're in cybersecurity, should you expect others to come to you and speak your language?
EC: Two things there. One, we could make an argument that a CEO or a CFO needs to speak my language. But their job is running the business, and your job is to support them. So technically, you would need to learn their language. The other important part is let's not underestimate how complex cybersecurity is. Many of us have been doing this five, 10 or 15 years. We can’t expect that a CEO is going to invest the time, energy, or effort into doing that. To me, that's really where the Chief Information Security Officer (CISO) comes in. They need to be the master translator who speaks cyber, who speaks business, and who can translate on the fly.
TE: Do you still see CISOs who don't see that as their role? Is that still a problem?
EC: I still run across that. I always use the phrase, “Some, not all, or most, not all.”
There are some that get it. They're spot on. They know that. But what I find is most organizations don't have a technical career track. So, if you want to stay at an organization and you want to make more money and basically get more titles, your only option is at some point to go from a world-class security engineer to the CISO title. But let's face it. If you've done something for 10 or 12 years as a world-class security engineer, you like it. You enjoy it. You love it. And you're good at it. So, all of a sudden, just giving you the CISO title and expecting you to be able to instantly switch and learn that new language to me is not really a fair position that companies put CISOs in.
What I would rather do in companies is if you've been there 10 or 12 years, some of those folks can make the transition, but in most cases, it's better to give them a chief scientist title and pay them as much as the CISO. Because guess what? They're worth every penny. But don't force them into a position they're not comfortable with and they're not trained for.
TE: The other option is that they leave, they go somewhere else. Sometimes, someone wants a third choice.
EC: That's something where, once again, it goes back to communication. It's a conversation you need to have. Either the executives need to initiate it, HR needs to initiate it, or that person needs to initiate it and say, “Listen, I like working at this company, and I do appreciate that. You want to give me the CISO title, but I enjoy technology too much. And I would like to stay in a chief scientist role.” Or they could say, “Listen, I would like to do CISO, but I don't understand the business. So, you need to spend some time sending me to classes, training me, or getting me to understand the business side of the house.”
Speaking the Language of the Business vs. Understanding the Business
TE: I want to pick up on a word you use there. That was just a subtle shift in language that I think is important. Somewhere in this process, we switched from talking about speaking the language of business to understanding the business. What do you see as the distinction between those two? How is it important?
EC: Speaking means using the right terms. For example, I could go in and talk about profit and loss statements, balance sheets, income, and profitability. That doesn't mean I understand. I think that's the transition. You need to get to a point of understanding. Because what'll happen is if you're just speaking the language, you're going to get in that boardroom. You're going to get in front of that executive. And they're going to ask you a question that's outside your script. If you're only speaking the language, you're speaking a script, and all of a sudden, your lack of understanding is going to shine through. And that unfortunately is devastating to a CISO or anyone in that position. Because at that point, the executives basically are going to say, “Okay, they don't really know what they're doing.” And a lot of respect gets lost there.
TE: We've talked about the importance of communication, but if you're in an information security department today or maybe you're the director and that CISO role is your path, how can those departments really work to service that need to communicate more effectively?
How a CISO Can Facilitate Communication in Infosec
EC: When you're going in and presenting to any executive business leader or anyone in that space, really all they care about are four things: What could happen? How bad would it be? What is the likelihood of it occurring? And what do you want to spend to fix it?
When you're going in and speaking to the executives, remember it's all about money, growing the business. Even nonprofits still have that fundamental theme. So don't go in with 30 PowerPoint slides. Don't talk about false positives and false negatives. Just go in and present. “Here are the risks. This could cost us $5 million. There's a 90% chance of it occurring. And I want $200K in order to fix that.”
TE: We tend to focus on what could happen, especially if it's a new threat. Here's the thing that could happen, and here's how bad it could be. But we have a really hard time explaining, especially at a business level, the likelihood that it's going to happen.
EC: The magic to me is when you're presenting both sides. From my standpoint, I'm going to an executive and saying, “Listen, we can keep doing what we're doing today. That’s your choice. But just so you're aware, you keep doing what you're doing today, and there's an 80% chance we're going to get hit with ransomware. We're going to have to pay or spend $5 million. Two is you can go in and spend 300K, and we can go in and reduce that risk by 50%. Which option do you want?”
I find a lot of security people, when they present to executives or other people, are very emotional. They're picking a side, and they take it very personally. So, if they don't get their way or they don't get the requests, they feel very upset and frustrated. And I might take the emotion out of it, make it factual and just give them both sides of the equation. And guess what? I don't care which one they pick because I'm giving them honest information so they can make the best decision for the organization.
TE: Do you think people get emotionally attached to those decisions because they don't have a view of the whole picture? When business leaders are looking at that equation and trying to make a decision about how to allocate resources, it's a tradeoff. They're looking at that big picture of, “Well, if I put the money in this one place, I can't put it somewhere else. And so how do I make those choices?” But I think often from a cybersecurity standpoint, we come in with one thing. We think this is the only thing that needs to be decisioned. Like, they could just give me the money or not. It's not that it has to come from somewhere else.
EC: I definitely think that's a big piece of the puzzle. People that are drawn to cybersecurity are very creative, are very smart and are very articulate. So, in their mind, they know this is the top problem. They know this is the best solution, and they are very passionate about their job. So, they then go in saying, “Okay, you got to trust me. I've done all the work. And just trust me, this is the right solution. And I'm so excited that I was able to come up with it.” But we failed to realize that while they do trust you, the executives or decision makers need a little more information. They need to understand the problem so they can validate the decision.
Examples of Failed Communication
TE: We’ve talked about the importance of communication, and I think we've covered that pretty well. I want to make sure that the listeners understand why it's important. And to do that, I thought we might touch a little bit on some examples of where failed communication has a material impact on security or the business. Do you have any examples that come to mind?
EC: I guess at one level, you could go in and pick any of the major breaches. Any major breach that happened in my opinion was a failure in communication. But I'll give one from my personal life early on in my career. I was working at a company, and I believed that they needed a firewall. This was in the 90s. I was convinced beyond a shadow of a doubt that I needed to have a firewall in place. So, I went to my boss, and he said, “Eric, you didn't present any empirical data or information in order to do that.” Being the young cocky person I was, I then went around him to his boss and presented the same information, and that person gave the same answer. And I went around that person. So essentially, I went in without proper communication to everybody in my career chain. After that, I was like, “You know, there’s something I need to learn from this.” So now, whenever I present something and they go, “Eric, I don't think that's the right option or solution,” I always ask a simple question: “What additional information do you need to make a different decision?” What I'm basically saying is that I failed the communication, and I’m asking if they can help teach me what I can do to communicate better in the future.
TE: All right. Well, Dr. Eric Cole, thank you very much for joining us. I think that was a super interesting conversation and hopefully interesting for our listeners, as well. Thanks again for joining us.
EC: My pleasure.