Security Boulevard Exclusive Series: What I Learned About Being a CISO After I Stopped Being a CISO
In this series we’re talking with former CISOs to collect the lessons they’ve learned about the job after they left—either to work as start-up founders, consultants or vendor executives. The goal is to take the wisdom they’ve gained from broader exposure to other security and business leaders and deliver those lessons back to CISOs who are still in the hot seat. We hope the current crop of CISOs can take some insight from their former compatriots and use it to up their game while they’re still on the job. Read more about the series here.
Lessons From Guy Bejerano, Co-founder and CEO of Safebreach
One of the biggest challenges CISOs and CSOs face today is that they’re tasked with ensuring the very important outcome of protecting business assets without being handed the authority or organizational ownership to fully assure that outcome.
“This challenge can be frustrating,” said Guy Bejerano, a security veteran with tons of past practitioner experience.
Bejerano started his security career leading information security and red team operations in the Israeli Air Force and then moved over to the private sector as CISO of Ness Technologies and later CSO of LivePerson.
“I had an opportunity to build security teams and security organizations from the ground up for about three and four companies,” he explained. “Different verticals, different areas.”
Nowadays he’s the CEO of SafeBreach, a breach and attack simulation platform company that he co-founded in 2014 to help enterprises validate their security controls.
Since moving into the vendor space, he said his opinions on security haven’t changed drastically, but they have been reemphasized and enhanced by viewing problems from a different angle.
Since he moved out of the CISO role he’s increasingly been convinced that these security leaders must do a couple of key things to become more effective at reducing risks, gain more credibility within their organizations and really take the reins to control their destiny as security executives.
Cutting Through Vendor FUD is Crucial
The fear, uncertainty, and doubt (FUD) that security vendors peddle has been a longtime thorn in the side of CISOs, but Bejerano thinks it’s grown worse than ever.
“Vendors throw FUD at CISOs all the time trying to promote their products through the fear of the worst that will happen,” he said. “You hear lots of talk about zero-days, APTs and the unknown—but it’s more confusing than helping.”
Cutting through the FUD is crucial to CISO success for two major reasons. First, because when FUD drives security strategy, it often distracts the CISO from objectives that should be set by business priorities instead. That’s a big mistake as the profile of the CISO grows in the enterprise. Bejerano said that in the four years since he left the job, CISOs are getting more exposure to the board.
“There’s a lot more expectation from them to drive the entire risk equation in the organization and the budget around security is going up, so there’s an opportunity to change things,” he said. “You have that on one hand and on the other hand there’s a lot of vendor fatigue from CISOs.”
When CISOs let vendor FUD drive their strategy, it hurts their credibility within the business.
That leads us to the second reason why CISOs need a good BS meter when it comes to FUD: In a lot of cases the hysteria is masking some inadequacy of the product being marketed.
“We see it over and over again that there’s a huge difference between how these vendors position their products and what’s going on in reality,” he said.
This leads to poor-performing products and no accountability—another credibility killer for CISOs and their security teams.
As he explained, the CISOs he works with who he admires the most and who are most successful in their organizations are the ones who find meaningful ways to cut through the hype and make sure the vendors they pick fulfill their promises. This is step one to ensure these leaders have credibility when they step up in front of CEOs and boards to ask for money, support and so on.
Data-Driven Discussions Get Things Done at the Board Level
Which leads us to Bejerano’s next important lesson. To gain the kind of authority within an organization necessary to effect meaningful security change, CISOs have got to find better ways to gain influence at higher levels of the business, he said.
With perspective away from the job, he believes one of the key ways to do that is to let metrics, KPIs and other important data drive the discussions that CISOs have with business executives.
“Being more data-driven, more predictable and building KPIs that are business-centric is super critical,” he said. “CISOs need to be much more like a CFO. They need to show ROI from all the investments they make in technology, they need to fully understand the risk exposure of the organization, and be able to show security efficiency over time.”
This means finding ways to answer questions such as how well security investments are doing over time, measuring the reduction or increase of risk as a result of the introduction of new technologies or processes, and so on.
It’s Important to Take an Adversary’s Point of View
Bejerano admitted that, like a lot of CISOs today, he used to view cybersecurity world “from a very defensive position.”
As he explained, it’s hard to flip that lens around and view an enterprise’s position from the adversary’s perspective. But he increasingly believes it is important to do so.
“It’s not easy to look at the offensive side of the fence because hiring people today with a red team skill set or hacking skill set is not easy—it’s not easy to hire or to retain,” he said.
However, he believes the best CISOs focus on ensuring that they’re probing their technology the way attackers do and that they’re challenging defensive assumptions they may have made in the past to ensure that it fits into today’s threat realities.
“The first time a lot of CISOs find out whether their assumptions are right or not are when an attacker comes at them,” he said. “My first advice is don’t wait—challenge yourself, challenge your assumptions on a daily and continuous basis.”