THIS is it, you’ve finally cornered the CEO in the elevator for 30 seconds, you’re standing there like a teenager on a first date and you’re wondering what the hell they’re thinking, what are they doing, AND how to strike up a conversation…
THIS episode is for you. We’re taking the time to identify a willing (or gullible) C-Suite, doing a little threat intelligence gathering on them, and then sneaking up on them in the digital realm, bundling them (hogtied, bound, and carried in a hessian sack) into the studio.
We’re grilling them about their life, what they think, what they’re doing, what they’re focusing on, and what they had for breakfast…
The logic here is several-fold: we are ALL in this together and we ALL need to work together, so what better way than to gather folks, talk about some common challenges, and listen to how each approaches it?
How do they work through data, information, intelligence, decision processes, and learn? Sounds like something we can ALL relate to (and likely would benefit from hearing and discussing).
Tune in – we’re going to be doing these on a regular basis!
See you in the dark!
Name: Woody Groton & Kevin Burns
What they do: Woody is the CIO while Kevin is the CISO at Draper.
Noteworthy: Draper is a non-profit engineering innovation company that serves the nation’s interests and security needs.
⚡ Build relationships with your partners.
As Woody and Kevin point out, the private sector is missing out on a lot of potential because it is not doing outreach and is not proactive enough about developing relationships with its partners. Woody explains,
“As we say, in emergency response or emergency management, it’s always better to exchange business cards before the disaster, not during the disaster. So it’s the same thing. Develop those [relationships], and they certainly want to help.”
Kevin adds that you also have to think about the long-term success of your company and make sure your staff is also on board with those relationships.
“You have to make sure that they can continue with those relationships when you’re gone. And then you’ve got to think about what the ages are of those persons in the FBI so that all this continues for the success of Draper — not for my success but for Draper’s success.”
⚡ Automation is the future, but the human element is necessary.
Risk management teams should use the right tools to handle all security-related operations. But having good people on those teams is far more important. Woody explains,
“It’s just really good to have those people — like you, Chris — that have that security mindset, and they’re always thinking about it and are able to use the tools. But they also have that human factor that puts it all together. And like Kevin said before, it’s so much better to retain someone than to have to go out and find new people. It’s not just the cost but the training and everything else.”
⚡ How to bring everyone under the same umbrella
Before talking about security details, you need to encourage open conversations with your partners. Show them why you’re there and that your main goal is to help them. Kevin explains,
“You have to tell those business folks, ‘We want to make sure you are successful because I know that if your people aren’t billing, I don’t make any money. So I want you to be successful and what you’re telling me to do might not be the most secure thing in the world, but I’ll give you something that’s secure. I will give you something that will work. I promise. Just let me help you.’ That’s what you have to leave off with, and then you can get down to the security details about keeping all that information safe, but you better lead with, ‘I’m here to help,’ or else they are just going to tune you out.”
You Need to Integrate Cybersecurity into Your Whole Business
Woody says, “People ask about the role and responsibilities of a CIO. Well, I think a lot of us will say that 40% of it, or maybe even more, is cybersecurity now. We still have an SO, and that’s his focus, but it’s gotta be a big focus of mine too because cybersecurity really should be inherent in everything that we do, and it should be integrated from the very beginning.”
How to Carry an Effective Message to the Board
Woody explains, “We have an enterprise risk manager, and we have our categories of risk, what we’re doing to try to bring that risk down, and how that’s going to affect our investment. That’s the other piece the board is looking at because it costs money. Cybersecurity is expensive. It’s, ‘You guys just always want more money. You always want more money.’ Here’s the reason why. This is why we need to look at DLP, or this is why we need deep packet inspection, or this is why we need XYZ. […] Again, getting back to the board, keep everything in terms of risk, because that’s really what they want to focus on. What is our risk? What is our tolerance, and what are we doing about it? For some things, it might be that we have to accept that risk.”
Give Your People What They Need to Be Successful
Woody says, “Leadership is being a servant leader and providing them with the tools and resources they need to be successful, and then that success reflects back on the organization. So that’s a big part of my leadership style — to not micromanage and not be toxic, but to just understand that they are there to do their job and give them what they need to do it.”
Kevin adds, “There’s the nuance part of the conversation. ‘Hey, look, what do you need to work faster that will benefit you as opposed to you going outside the realm of good conduct?’ to Woody’s point. ‘Why get yourself in trouble? Tell us what you need. What do you need? A high-performing computer? Do you need a big, huge cluster somewhere where you can go out and try some of the things you want to bang away at to be really innovative?’ Let’s give them what they need so that they can go around and be successful.”