When pitching to your board of directors, security should be treated like any other business unit. On this week’s Security Soapbox, our host Hank Schless is joined by Paul Simmonds, CEO of the Global Identity Foundation and Former CISO of AstraZeneca, ICI and Motorola Cellular Infrastructure. They discuss how to cut through buzzwords and turn security into a business enabler.
Episode Transcription
Hank Schless 00:09
Hi, everyone, welcome to the Security Soapbox. I'm your host, Hank Schless. And today we're going to talk about how to demystify security and certain marketing buzzwords as a way to win friends and influence people, especially when it comes to that board of directors at your company. Ultimately, it's the job of the CISO to present to the board and secure approval for their initiatives. And to help us explore this, I'm really excited to be joined by Paul Simmonds, who is CEO of the Global Identity Foundation, and actually wrote a blog for Lookout recently on this exact subject. Previously, Paul was the global CEO of AstraZeneca, ICI, and Motorola Cellular Infrastructure. He's also the director of the Cloud Security Alliance in Europe, and co-founded the Jericho Forum. He's been recognized globally for his leadership and global implementations in security, and in his free time, he works as a British Canoeing level-three kayak coach. So Paul, welcome to the show.
Paul Simmonds 01:04
Thank you, nice to be here.
Hank Schless 01:05
It's a pleasure. You know, getting through that list of accolades takes a while. So we're excited to have you onboard with us here. So before we get into today's subject, and go over this thesis about it being on the CISO to get the board aligned with the company's security strategies, could you tell us a little bit about yourself? How did you get into security? And why did you really decide to make your career out of it?
Paul Simmonds 01:25
Nothing is ever planned, I don't think, and at the birth of the Internet, sort of late 80s, early 90s, I was working for an organization called JET. It stands for the Joint European Torus. It's an experiment with a nuclear fusion reactor. And, you know, it was a really interesting place to work. Because no one had ever done nuclear fusion before. It wasn't technically possible to do it until computing came to the point that it was powerful enough to control a reaction, the sun –– basically a sun on the earth in real time. So serious physics going on. Not that I'm a physicist. I'm an engineer by training. As part of that, we implemented an email connection to what was then the academic network –– the internet didn't exist –– so that our scientists could use this thing that we called email. And then the scientists said, “Well, there's this thing called the World Wide Web.” And we said, “What on earth is the World Wide Web? We better nip across to our sister organization in CERN, speak to this guy called Tim Berners-Lee, and say, okay, so explain what this web thing is.” And basically, the concept was that we built our own websites so that we could share with the scientists around the world, to add to their individual organizations the results that were coming out of the reactor. And at that point, we were connecting an experimental nuclear fusion reactor to a nascent internet. What could possibly go wrong? So we needed security. But you know, firewalls existed in theory. So we ended up writing our own because that was the culture. And the rest, as they say, is history.
Hank Schless 03:00
Going from nuclear fusion to leading cybersecurity efforts for some of the biggest organizations in the world seems like a very natural progression. So that's a pretty cool background to have. And, you know, looking at your resume, obviously, there are some pretty recognizable names on there. So tell the audience a little bit about what it was like to head up security for such well-known companies, as I mentioned, you know, AstraZeneca, Motorola Cellular Infrastructure, et cetera.
Paul Simmonds 03:25
It's a bit of a double-edged sword, if I'm going to be completely honest. Because of what we've done conducting this experiment of a nuclear fusion reactor, I got headhunted by Motorola to head up part of their cellular division, building GSM networks, because, again, we were building them and throwing them out the door like nobody's business. And then obviously, that role expanded to being a global role within, you know, the entirety of cellular infrastructure. But any of those companies, because they're household names, you get a lot of attention, you get a lot of name recognition, there weren't that many of us around –– what I call real CISOs. There were lots of people who were doing sort of IT security, but actually doing a CISO or a CSO-like role, there were very few of us around in the early days. So we would go across to, you know, some of the conferences like DEF CON and Black Hat. But with that, of course, you've got all the vendors wanting to sell you stuff. You want people to do case studies with you and everything else. So you sort of have to hold yourself at arm's length. But they were the guys with funding, at the end of the day. So with big companies comes big funding and comes a team of people to make a difference. And obviously, over time, as security became more important, those teams got larger and larger.
Hank Schless 04:37
Right, right. Absolutely. Let's bring it back a little bit. You know, as I mentioned at the start here, you did write a blog for us a little while ago and in there I thought it was interesting that you mentioned that while the technology that security solutions are providing is very important, a lot of times it's best to avoid sort of those techie or buzzwords when you're trying to secure that funding for your project. So, with that in mind, what do you think is the most effective way to convey how security can really be correlated to profitability or maybe the profitability of those solutions, when you're talking to either c-level execs or to the board of directors?
Paul Simmonds 05:15
Yeah, I mean, the first thing is no buzzwords. It is as simple as that. I mean, the one thing I've learned is that every industry has its own set of buzzwords and language. And I don't think security is unique in that; the oil industry, trust me, has far more buzzwords than security does. And so the challenge is, understand that everyone has their buzzwords, and every area that… speaking to the board will have their, you know, “this is what this means.” And you just cannot assume that anyone else understands those. So the challenge is, how do you do it as far as language is concerned, as opposed to content, because, you know, they're there for a reason. They're clever people. If you can explain the concept, then you stand a chance of actually getting the support. So the two things are: you need to be able to demonstrate ROI, return on investment, and you need to be able to demonstrate how your proposal is going to benefit the business. And it is almost –– I hate to say –– as simple as that. But it is almost as simple as that. You know, to do that there are lots of ways to do it. I mean, when I worked for ICI, my boss's boss, when he had to present to the board, he used to bring us all in, get us all into a room and say, “This is what I'm going to present to the board.” And basically, it was a no-holds-barred critique session against what he was going to present to the board, with the aim of making sure that there were no buzzwords, nothing that you didn't understand natively. We literally drilled out of that presentation anything that could be misunderstood, anything that couldn't instantly be understood, and everything else. And it was a very salient learning experience as a young executive, I suppose, of, actually, could I explain this to the person next door? Can you get it down into a soundbite? And can you make sure there are no complex words or no complex concepts in there? And if you can do that, you at least stand a fighting chance of getting support.
Hank Schless 07:17
Right. And you know, the last thing you want to do is make someone feel excluded from the conversation because they don't get what an acronym means. I think you're right. I think that, regardless of whether it's security or anything else, you need to help people understand that there's going to be value out of this, it's going to benefit the business. And so can you think of a time, maybe, when you were met with some pretty serious resistance on a project, maybe because it wasn't really perceived as worthwhile or didn't really, you know –– to your point –– seem to hit those two key points of ROI and benefit to the business?
Paul Simmonds 07:48
Like any other meeting, especially in large corporations, it's about doing your homework. So, generally, if you go into the board and get rejected, actually, it just means you haven't done your homework properly. It is almost as simple as that. If you are going to interact with the board, actually, the majority of work is done prior to that presentation, ensuring that people are briefed, objections are understood –– understand, you know, where the broad priorities are at the moment: “Do we have that kind of money as discretionary spend or non-discretionary spend?” in some cases. Because, ultimately, if you go in and say, like, I need X for this, and they go, “Actually, the share price is tanking at the moment; we're not spending any money on anything,” then wait your time. Unless it's really urgent and you can persuade them, “it's really urgent,” then it isn't worth doing it. So you need to understand the politics, you need to understand what's going on within the business. Totally. You need to understand objections. You have to be prepared, you know… where you do have people who are going to object, you have to understand why they're going to object, what grounds they're objecting on, and how you're going to counter those objections. And preferably, you've actually addressed them offline first. So that, once you walk into that meeting, basically, you've got your ducks in a row, because they've been briefed. The paper is simple. Again, you know, with boards, it's very simple. If you can't get it on one side of paper, they won't read beyond that, especially if it's a technical subject that they're not overly interested in. So it's got to be on one side of paper, it's got to be agreed beforehand, people have got to understand what the issue is. And then you stand a fighting chance of getting support and budget.
Hank Schless 09:30
Right. And sometimes a fighting chance is only needed to really make it work. So to shift a little bit here. One thing that I love to ask people in the… sort of the executive suite in that leadership role, what do you think with today's work-from-anywhere climate? What are the top two challenges for CISOs, you know, in this climate?
Paul Simmonds 09:48
I suppose –– and it's an overused cliche for a lot of people –– this is a very new paradigm. And so the challenge is, how do we enable the business and provide security in this mixed work… let's call it a mixed working environment. Lots of people had VPNs, lots of people had the ability to dial up from home but then, obviously, connect over the internet. When the internet became pervasive, then you had Bring Your Own Device and all the other challenges we've had. But you know, what we've been doing over the last two years is very different, which is, you know, can we get everyone at home? Because I was a CSO through the SARS epidemic, I had some of my people who literally were on death's door during that, and we did the exercise. And we said, look, we cannot, at that point in time, we could not have supported the entire business going home; we just didn't have the dial-up capability. We didn't have the leased line capability. We didn't have the internet bandwidth on our stuff to make it work. We're now living in this new world where actually, you know, internet is ubiquitous everywhere. At home, you know, people generally have got better PCs on their desk than they have at work, if they've got one at work anymore. It's all laptops. Why? Because people are working anywhere. So, for me, the challenge is how you enable the business in that environment. And for me, the big issue is how do you collaborate in this new environment, because, you know, beforehand, it was easy. We got everyone in a room, and we put a whiteboard up, and then we generally screenshotted the whiteboard afterwards, and everyone took away a copy. It is still inherently difficult to replicate that kind of collaborative environment, especially at the start of big projects, especially if it is a joint venture project of some description. And the challenge is how you do that in this environment.
Hank Schless 11:40
I couldn't agree more. I think that is spot on. And it is interesting to think about not just the data that comes from those meetings and how you share that and how you go about that. But all the build up, all the follow up, you know. Where's that data moving? Where's it going? Where am I gonna have to create a new identity? Or, you know, are we gonna have to integrate some new third party system into our infrastructure in order to be able to collaborate with people over in a certain country because they only use a certain, you know, platform or conferencing system or whatever it may be. So it's obviously incredibly complex. So Paul, we're coming up on time here, I have one more question for you that is about a buzzword because it's the buzziest of all buzzwords right now, and that is zero trust. Now, it's not to say zero trust doesn't have value, it obviously has incredible value as a philosophy, but it is being beaten to death by, it seems, just about every security organization. So in what you've said already about keeping it simple, speaking to the board, speaking to other c-levels who may be curious about what your particular organization is doing about zero trust, because they read about it. And they said, “Okay, what are we doing about this?” How do you keep that conversation simple? And where does that convergence of security come into play, you know, in trying to help with these conversations?
Paul Simmonds 12:51
You know, where the CEO who's maybe on the golf course and someone mentioned zero trust, and he comes back and says, “What are we doing about ZT?” He doesn't know what it means. It's just the buzzword he's heard on the golf course, or read in the in-flight magazine. The first thing to say is, “Well, you know, forget about the buzzword. It's not anything. It's a buzzword. It's a concept. It's a philosophy, you know; it is not network, it is not endpoint, it's not cloud” –– if they know what cloud is, or an endpoint. Actually, they probably know what a network is because they have one at home. Purely, it's an acceptance that your border is irrelevant, which is what we were telling people back in 2003 with Jericho: “Your border is irrelevant as a security perimeter.” You know, the only reason you actually have it these days is because it provides some decent quality of service inside the area where you want good quality of service. But as we found out during the pandemic, actually, things sometimes work a lot better outside using cloud than they ever did internally. That's the other challenge I think you'll get from your board members and your CEO, who will turn around and say, “Look, this worked really well while I was at home; why is it working worse when I'm in the office?” So the key thing to understand is that it's irrelevant as the security boundary and, more importantly, that boundary is inhibiting your business. So, once you get that, you want to explain that it's a three-fold solution. You know, first of all, it's a discussion: if you do not have a hard border, a security boundary, then what would that enable us to do? What can we then do? And you know, the obvious one has been all along… has been cloud. If you don't have a hardened perimeter, you can then do computing outside your perimeter, which we eventually called cloud, and then you have a discussion with the business of, “So what is your strategic direction? Play the thought exercise with me. If you don't have a hardened border, a corporate perimeter, and, more importantly, security in it saying you can't do that, what would that enable you to do?” Because too often I've had the business come to me and say, “Look, we know security's going to say no to this. But we'd like to do this.” And generally we went, “No, we don't say no. You tell us why, and why it's important; we'll help you do it.” It's having those discussions, it's having those sort of whiteboard exercises with parts of the business that say, “If it isn't there, if we're not going to say no, tell us what you want to do, tell us what that would enable you to do.” And then design your architecture based on that –– on, you know, the assumption that the network is there, because it enables you to –– you know –– provide quality of service guarantees, packet throughput –– you know –– all those wonderful technical bits and pieces, but don't treat it as a security boundary. You then can have a discussion that says, “Actually, if I've got a third party who actually needs to come in and set up a little implant operation in my business, just come in and use our network, because it's open. We operate a zero trust network and a zero trust architecture. Therefore, just come and plug your server into our network. Just come on, plug your endpoint, your PCs, and your laptops, and your Chromebooks into our network; we do not care. It'll just work for you. And you can talk quite happily back home or to a cloud solution or to a shared solution or anything else.” And you can start having those discussions with people about how you enable all those things that people have been screaming out to do for ages and ages. And it's incredibly enlightening for the business. We've been perceived as the boys that like to say no, and therefore, actually, people come to us with a fait accompli.
But what we used to joke about was the Friday afternoon blessing, which is: the business is going to live with this on Monday; we just need you to have a quick look at it and approve it, thank you very much, on a Friday afternoon. Because at that point, you cannot say no. So you avoid those discussions by being the people who actually will help you and say yes, and this is how you do it. And zero trust as a philosophy, if implemented correctly, allows you to do that.
Hank Schless 17:06
Of course, that implementation looks different for everybody.
Paul Simmonds 17:09
Absolutely, there is no one size fits all, there is no magic bullet. It is about making sure that your zero trust solution, your architectural philosophy that is based on zero trust, meets your business needs and, more importantly, the business direction. You might be designing for what the business is doing today, but the board actually is charged with looking six months, two years, five years ahead. So unless you understand what their direction is, actually, you could be building totally the wrong thing.
Hank Schless 17:39
That's a really good point. And even if the goal looks like one thing at day one, it could look like something completely different on, you know, day 365. So it's all about also being able to adapt that strategy, right? And being able to sort of be agile in it and look at the path that you're taking and make sure that it has alternate routes, you know, in case things change. Alright, Paul. Well, that's all the time we have for today. Thank you so much for joining us. As always, I'm sure our listeners will find this incredibly enlightening. And for any talks you give, conversations you have, are there particular places people can find you on social media or on the web?
Paul Simmonds 18:12
Other than just Googling Paul Simmonds and security, @simmonds_Paul on Twitter; other than that, LinkedIn works just fine.
Hank Schless 18:20
Awesome. Well, thank you, Paul. Really appreciate it. For the listeners, you can read Paul's blog, and other content from Lookout, on lookout.com/blog. You can also follow our Twitter and LinkedIn @lookout, and thank you all for joining us today. We'll talk to everyone soon.