How can Chief Information Security Officers (CISOs) transcend traditional boundaries to become enablers of business success and innovation? Join me on Tech Talks Daily as I sit down with Jim Doggett, CISO of Semperis and a veteran in the field of cybersecurity, to delve into this pressing question.
With over three decades of experience in leading cybersecurity and risk programs across global organizations, Jim brings a wealth of knowledge and a unique perspective on the evolving role of CISOs in today's business environment.
In our conversation, we will explore the transformation of the CISO role from a technical doer to a visionary leader who not only protects the digital assets of a company but also drives business growth by leveraging digital infrastructure. Jim will share his insights on the importance of balancing security measures with business enablement, emphasizing the concept of "rarely saying no" but rather offering alternative solutions that align with the company's objectives.
We'll also discuss the critical role of resiliency in the face of threats like ransomware, the significance of maintaining a focus on security basics amidst the allure of new technologies, and the growing importance of identity and behavioral analysis as the digital perimeter continues to dissolve.
Furthermore, Jim will offer practical advice on gaining leadership buy-in by framing security in terms of business risk and impact, thereby fostering a culture of security that supports business continuity and profitability.
Underpinning our discussion will be Jim's perspective on leadership versus management, the necessity for CISOs to redefine what's believed to be possible, and the strategic approach to deploying digital infrastructure in a way that not only secures the business but also drives revenue and sustainable growth.
How can CISOs navigate the complex interplay between security, innovation, and business strategy to redefine their role and contribute to the overall success of their organizations? Tune in to this enlightening episode of Tech Talks Daily, and let's unravel the future of cybersecurity leadership together.
Share your thoughts with us on social media or drop us an email—what do you believe is the key to transforming the role of the CISO in today's business world?
[00:00:00] In January we began 2024 with an unprecedented cyber security event called the Mother of All Breaches.
[00:00:10] And that massive data leak encompassed 12 terabytes of information, including over 260 billion records organized over 3,800 folders.
[00:00:22] And what made this event different was it wasn't a singular incident, it was rather a compilation of numerous breaches including data from major platforms from LinkedIn, Twitter, Tencent, Dropbox and so many more.
[00:00:36] So this got me thinking in a world where cyber security threats loom larger and more complex than ever before.
[00:00:43] How do leaders navigate these turbulent waters to not only protect but also enable and drive forward their organization?
[00:00:51] And this is a question I wanted to explore today with Jim Doggett, Chief Information Security Officer at Semperis.
[00:00:58] And with a career spanning over 35 years in leading cyber security and risk programs,
[00:01:04] And Jim has been at the forefront of redefining what it means to be a CISO in today's digital landscape.
[00:01:11] So from coaching emerging CISOs to implementing visionary strategies that extend beyond traditional security measures, Jim's going to be bringing with him today a wealth of experience and insights into building resilient, forward-thinking cyber security frameworks that empower businesses.
[00:01:30] So our conversation today promises to shed light on the evolving role of the CISO, the critical balance between enabling businesses and ensuring security.
[00:01:41] The critical balance between enabling businesses and also ensuring their security and the strategies that can help these businesses harness the full power of the digital infrastructure so they can enjoy systems success.
[00:01:55] That is the plan, but before we get today's guest on I need to pay the bills. We've got a huge podcast hosting fee to pay for when we're releasing 30 episodes a month and this month I've partnered with a company called Kiteworks.
[00:02:09] Now legacy MFT tools are dated and lack the security that today's remote workforce demands, so companies that continue relying on outdated technology, though, put their sensitive data at risk.
[00:02:21] And in a world where digital threats evolve daily, the need for a secure, modern solution has never been more pressing, so enter Kiteworks for security and efficiency in managed file transfer.
[00:02:32] And Kiteworks isn't just any MFT solution, with its FedRAMP Moderate authorization awarded by the Department of Defense since 2017.
[00:02:41] Kiteworks sets a new standard for security, so please step into the future of managed file transfer with Kiteworks. You can find out more information at kiteworks.com to get started, that's kiteworks.com to get you started today.
[00:02:56] So buckle up and hold on tight so I can beam your ears all the way to Houston, Texas, where Jim's waiting to join us today.
[00:03:05] So a massive welcome to the show Jim can you tell everyone listening a little about who you are and what you do.
[00:03:12] Absolutely, you know this will be I think a great, great session, we'll see where it goes, but I'm currently the CISO at Semperis, a company that focuses on one of the larger risks in my mind in the security realm today, which is the resiliency area of Active Directory,
[00:03:31] and we'll get into that later if we get time, but that's what I've been doing. Historically I have been at many large companies, from AIG as a CISO to Kaiser Permanente, a large healthcare entity, as a CISO, and before that JP Morgan, and then I spent a long career at EY.
[00:03:50] So I've been doing this a long, long time. I will have to admit I'm a reformed bean counter, or auditor if you want to call it that, so I transitioned my world from decades of doing audits to technology to security, which I think actually has been a very interesting path.
[00:04:08] Wow, incredibly cool. I seem to recall on this podcast, I think, how far back would we be going here, maybe last summer, I was talking to a guy called Simon Hodgkinson, he was over in the UK. Do you know him, or is it just a completely different office and different market? No, he is one of our advisors at Semperis, Simon is, and the interesting fact is I will be with him tonight here in Houston.
[00:04:34] He's coming down for, we've got the rodeo starting and we've got the barbecue part of that, the cook-off, and we've got a session tonight, several CISOs here in Houston, that he's hosting that I'll be attending with.
[00:04:48] Fantastic, how about that, please tell me you're going to get a radio down there, you're going to make something happen. We are definitely going to do all our best to see if we can drag him, even if we have to hold on to get him to go.
[00:05:00] Well, so well, make sure you say hello from me, hopefully he'll remember being on here last year, but one of the reasons I wanted to invite you on the podcast today is with your extensive experience in cyber security.
[00:05:11] How do you distinguish between leadership and management in this field and why is the distinction critical in today's digital landscape because I'm seeing so much at a moment about CISOs for example drastically leaving the field and there's a lot of pressure that seems to be happening now at the moment.
[00:05:28] Yeah, there's, I think there's an evolution of CISOs. If you went back 15, 20 years almost every CISO was purely a technical individual, I'm not trying to talk down any of them in that, but largely it was a role where they put a plan together, put the projects together, executed on them, and that was that.
[00:05:46] It just isn't today there's a huge expectation from board levels to senior management that it will actually manage risks so in my mind from a leadership perspective now there's a big difference today and I think in the past it was more management.
[00:06:03] So to me the leadership aspects are things like setting the vision: how much security do we want, how are we going to achieve it, are we going to strong-arm it, are we going to negotiate, are we going to work with the business, things like that.
[00:06:15] I think also their role today is they have to establish a culture of security, and what I mean by that is if I go back to AIG we had probably 7800 people in the security group.
[00:06:30] I honestly, I probably did no direct security myself. What I did was enable and establish the vision of where we wanted to go, and I had to rely on my lieutenants to put the actual projects together and actually execute on those. So to me a CISO of today is a politician, risk officer, a visionary, coach, all those kind of things, but you know,
[00:06:59] way down the line you're going to see a security execution data person. And it's interesting you say that, the evolution of the CISO role, so I'm curious if we dig a little bit deeper on that: how have you seen that role of the CISO evolve from primarily focusing on building and defending digital infrastructure to almost being a key enabler in advancing business propositions? Because back in my IT career the boardroom didn't quite get the value of cyber security as something that they may need.
[00:07:28] They may not need, but obviously with the breaches we're seeing this year already eclipsing last year, how are you seeing this role evolve?
[00:07:37] Yeah, again, as I think as I started to get into it, I think it's a far less technical role than it was. First and foremost I think you're a risk officer today. We have to accept that we can't fix everything. We all lived in a world in the past where it was black and white, either it's secure or it's not, and we said we had to fix it if it wasn't, we created it.
[00:07:57] And the only question is what order we focus on today I think much of security is about which ones do we need to fix which ones can actually hurt us the most and especially with this ransomware what's going on today where
[00:08:14] the penalty for a security breach can be much greater than even it was in the past and I'm not saying the theft of data is not good it's really bad but I'd rather have my data stolen that I would be out of business.
[00:08:26] And today that's a reality of security so yes I think the role as we've been forced to evolve I think also boards expect more of us today even if you're SEC registered company now in the US at least anyway you've got an hour.
[00:08:43] And now rules that require you to and you have liability if you don't deal with security at the board level so I think that it's forcing us to become part of the business.
[00:08:55] I think another piece of it which always find interesting is that the way we got money at least I got money in the past is sort of fear uncertainty and doubt all that kind of stuff where you sold that you know if we don't do this something bad is going to happen.
[00:09:11] And as a result we got you know you do the fear you get more money you do more fear you get a little more money I don't think that exists today I think today you actually have to demonstrate efficiency you actually have to show a return on your investment maybe of what's out there so it it it's required you become more of a business person if you will then you are a pure technician.
[00:09:34] Still got to have the technical skills your team you can't do security without having technical but at this point in my career technical skills are way way down the role line of what I have to deal with day to day I hire people who I trust that have the skills will educate me as I need to.
[00:09:50] It's interesting how tech teams have all been on that journey where originally they might have been perceived as business blockers, the guys that always say no, to becoming the people that deliver efficiency and become the business enablers that generate business value. So can you elaborate on how a CISO could maybe harness the power of that digital infrastructure that every business needs now to drive business success, and are there any key strategies that stand out for doing just that?
[00:10:18] I think there's a lot one is I think as the security group you've got to realize today you were a cost center not a revenue center which has been always the case.
[00:10:29] The ultimate decision on what a company does lies with those that make the money so it behooves us to get their endorsement or their support so that the money comes a lot easier so again negotiation skills sales skills
[00:10:47] learning to talk only business no technical talk at all I mean that's the last thing a business person wants to do and I'm not talking about a technical IT person who's your business for it I'm talking about the business the people that actually you know generate the cash for the company the sales people and other teams like that the manufacturing team whatever it may be so yes I think that we are great enablers if we actually listen to the business and understand what could go wrong.
[00:11:15] Here's a couple of examples maybe I can even give you that I've thought about anyway from a business enablement.
[00:11:22] Our entire sales team, any time they go to a new potential customer, the customer, rightly so today, worries greatly about how secure we are. All of a sudden you're worried, you know, do you have malware embedded in your code, if I give you confidential information will you protect it adequately, and they actually want answers to that.
[00:11:44] And I will tell you now it's not something most security groups like doing but we have to we can't the business can't answer those correctly we have to help them answer those questions so we get involved with the customers and give them that assurance that oh yes we're protected here's how we are it will go as deep as you want.
[00:12:02] We've got a team at a very small company separate but we've got a team that that's what they do now this part of our security team that helps them enable it so things like that all where we absolutely all.
[00:12:14] The other part is understanding what the risks are I think for the business a great example again of that is resiliency historically speaking I don't think that we focused heavily on resiliency because it was an IT that resiliency was you know a fire burning down that building a hurricane or a flood or whatever it may be or whatever it may be but with the advent of ransomware all of a sudden resiliency is a real deal.
[00:12:43] If we get ransomware it puts us out of business and that is a resiliency issue that we are accountable for so I think helping the business understand that risk and say well what do we got to do to fix that how do we understand what systems you need up first how do we help you.
[00:13:00] How can security turns of what could prevent it or even more importantly to recover from quickly to minimize damage those kind of the talks I think the business side of the house will be quite interested in.
[00:13:16] In your view then, how should a modern CISO approach their role to not just protect but also extend and enhance the business plans of their organizations? Because for the outside looking in it feels like it must be an incredibly delicate balance.
[00:13:31] I think it is I mean we do have a responsibility to be secure to help the company become secure at the same time we have a responsibility not to get in the way of the business being successful.
[00:13:44] And at least I've adopted a philosophy long ago is for my me and my teams are that we don't say no lightly in other words the easy thing to do is I want to do this and we just say no because it's not secure you can't do that anymore.
[00:13:58] You have to have to say well we can't maybe do it this way we can't allow you to have you know all your customers to come right in and get to our crown jewels but here is an alternative or here some alternatives we could work out and.
[00:14:13] We'll work with you to make sure it works and we'll directly work with your customers to make sure that interaction works so to me that's the business enablement where you it's almost an attitude and again comes back to leadership in the culture you set.
[00:14:27] Where, again, you as a CISO are not going to be the person always talking with everyone who has a problem in the business, you've got to trust your lieutenants and the others, so you have to establish that culture so that they'll be ready to answer in the same way that you do. I mean I hate to call it this, but it's politics here to a large extent, and we always like to say stay out of that, but you can't, we are the business now.
[00:14:51] And you mentioned leadership there, so I'm curious how can CISOs, or those already CISOs listening, effectively maybe reframe that relationship with the board and the leadership team to actually be seen as an integral part of the overall business strategy, because they need to be right in the heart of this.
[00:15:07] Absolutely is I find it sort of interesting because I think our of it we're getting this is one of those rare occasions when we're getting out from the outside to degree regulations throughout the world now are starting to require the job.
[00:15:20] Require that boards are educated and I even have people on their boards that are security knowledgeable will call it back in my day that was just not the case you be really happy if you found someone who's just a former CIO good technical skills enough to understand what's going on so I think our that is being helped from the outside the other is again it cut this to me comes back to what your relationship is with the business.
[00:15:50] Are you a technical person trying to explain to them why they have to do something or else, or have you developed that ability to talk in business terms of here's what the impact to your business could be, is this something you're worried about or not, and let them form the conclusion so that you can say well, we can help you with that. And to me it's ultimately doing a lot of the same things, but you're having to sell it first and get their buy-in, and to do that you cannot do it talking bits.
[00:16:19] And talking bits and bytes, or you know even into ransomware, the technical aspects of that, you've got to talk to it in their business terms. A great example is, say, ransomware: if this application here, where, say, that was a hospital now.
[00:16:33] If you can't, doctor X, if you cannot reach your medical records, how does that impact your ability to deliver patient care?
[00:16:41] And that's why we'll focus today on something called Active Directory, because if it is not up and running you actually cannot get access to any of your clinical systems, and in turn that can impact your business. So what we're trying to do is to help you make sure that doesn't happen through a ransomware attack, things like that. I think you just have to sort of change the conversation.
[00:17:01] 100% with you, and just to bring to life everything that we're talking about here, are you able to share any examples of how decisions made by CISOs can maybe directly contribute to a business's profitability and sustainability? Because these are huge topics right now, it would be great to bring it to life with some examples.
[00:17:19] I'd agree with you there. To get to the one I gave you earlier, it's understanding things like resiliency. Today, again, that's fairly new to CISOs, at least in my opinion it is.
[00:17:30] We worried about stopping the bad guy detecting the bad guy not on how we recover it in an efficient time.
[00:17:38] The recovery with someone else's problem so I think from a business perspective understanding that resiliency is a great entree into it and again I think it's understanding then from a role perspective how do you become valuable to them?
[00:17:54] How do you help them get confident that something is not going bad if something bad happens we're here and we've actually practiced.
[00:18:03] And that's another great example: resiliency requires you to actually do tabletops and do recovery exercises. As much as they're boring and they take up your time in the business, if you haven't practiced it's very difficult to do, and again that's things that at hospitals physicians understand. They understand if they don't practice their trade they are,
[00:18:24] They actually have a hard time doing their job you go to any business kind of unit to do that so I think that there's a whole lot that we can do in from an example to help to enable the business I said earlier about helping customers.
[00:18:38] I mean as I say I've got two people on my team all they do is interact with our customers in answering their questions on security and risk.
[00:18:45] Does that improve my security rarely but it enables us to actually sell more product because a lot of a lot of companies let's say get comfortable with you know you're selling them or product and how many examples of their been where there's been a problem as a result of some product that you put in your environment and by the step malware in it and it it it it hurts the business so I think we can I think those kind of things are what we have to do and it's more of how we can do it.
[00:19:15] We think about it historically speaking again we take this beautiful this framework or whatever framework we used we lay out all the categories we do a maturity model of what it is and I will tell you now the business couldn't care less about any of that we needed internally but the business really doesn't all they want to hear is that nothing bad is going to happen that's going to interrupt my business or
[00:19:37] possibly the need of losing customers, the reputation, or losing something as valuable, we get fined and all that kind of good stuff, depending on what group it is. So to me it is a very different role and a different approach we have to take as a CISO.
[00:19:52] And before you came on the podcast today I was doing a little research on you, and I was really interested in how another passion close to your heart is mentoring future CISOs. So based on your experience in mentoring up-and-coming CISOs, any key advice that you would give them about balancing the technical aspects of cyber security with the business strategy? Because as I said a few moments ago it's a tricky balance, any advice around that?
[00:20:17] Absolutely. The biggest lesson that I learned, and again I've mentored several folks that have become CISOs, the hardest thing was to teach them what I call gray.
[00:20:29] Everything in security from a technician's perspective, everything's either black or white, it's secure or it's not, if it's not secure we've got to fix it. So you have to teach gray and help them understand that we can't fix everything at once, if so your job will be gone anyway, so you don't,
[00:20:46] it's really not where we are. The key is what can hurt us the most today, and even in today's time as I talk around the country, talking to CISOs, I find it amazing that I hear this all the time: well, I agree with you, this area you're talking about probably is a big risk to us, but unfortunately we've already got our budget this year
[00:21:06] and we can't change it at this point maybe next year we can start considering these other things so they're treating it like a tool that is as opposed to looking at it for a risk because if it truly was a risk that could impact my or my company's position you would think that from a risk perspective I would be more than willing to rotate what I'm doing is secure how I'm spending my money but apparently a lot of folks don't feel they have that power yet or that ability to influence the company say we're going to put this project in the future.
[00:21:36] So I think if you want to take a look at the budget, put one on hold and put this one up, be that AI, be it in my world it's ransomware and how to attack that, because I consider ransomware a higher risk than someone breaking in and stealing marketing data or some other data that's out there. All bad, but again we have to make choices today, so I think the biggest lesson for CISOs today, number one, is you've got to balance it and not act like you're trying to fix everything.
[00:22:05] I don't say never but I'll say rarely say no and never say no unless you've got an alternative answer it's not their job to fix the problems we identify they may have to execute on part of it but the coming up with the idea what's there to me is entirely less rest in our realm if we want to be successful.
[00:22:28] Fantastic advice, and if we dare to look ahead into the future, January was a pretty scary month alone for breaches, high-profile breaches, but are there any emerging trends or challenges that you foresee in the integration of cyber security and business strategy, and how should CISOs be preparing for some of these challenges?
[00:22:48] Clearly, again, the big elephant in the room here is AI. I think it's a big one, bad guys are already using AI to do a better job of phishing and everything they're doing. Yes, we need to use it, what I would also say though is,
[00:23:03] We are security people love shiny balls and we love to run tool and I believe AI to some degrees there and all I'm saying this is that.
[00:23:12] Don't drop what else you're doing to run the AI is the biggest risk out there because today I can't tell you a documented risk of a major incidents that's happened in the world with AI yet it will talk so we do need to plan for but don't drop everything else you're doing.
[00:23:29] I could go to anyone here is the list of the podcast and security perspective and probably say.
[00:23:35] What causes most of your problems? Too much access, programming techniques, phishing, it's the same thing that's been around for a long time, it's the basics. So you can't not do the basics and run to these silver shiny balls that are out there, and that's the biggest worry of some of these things.
[00:23:55] We lose focus on what really is causing it bad guys are not dull they go towards the easiest route they could get to get in and they're not going to use their what I call black belt come to say don't need to while wasted here when I can.
[00:24:11] I can get in a much easier way so I think that's a piece of what I would just caution folks on I do say that again the concept of identity I think is going to.
[00:24:24] Everyone needs to be thinking of identity today in in terms because you think about it perimeter everyone talks now there is no perimeter which is largely true we let everybody in our systems so the question is.
[00:24:35] How do you validate who they are what they are and also what are they doing which is sort of transforms to.
[00:24:43] We're a little less worried about who's getting in because we can't even verify who it is we're a little more interested in what behavior they're doing so how do we should shift our security systems over time to more behavioral so you know you log in normally from eight to five your time and all of said it three in the morning you're logging it is that a problem.
[00:25:05] All of a sudden new access has been given to you which is pretty high level, is that something we should be thinking about? It's more things like that. Certainly AI will help with that, machine learning will help with that, and just good old-fashioned stepping back and
[00:25:20] Consider what you go wrong and how you how you deal with that I think is going to be a big piece of that.
[00:25:27] I think it's a powerful moment to end on today, but of course I can't thank you enough for coming on here and sharing your insights, but I'm going to now ask you to share one final gift to everyone listening, because someone with 35 years of experience leading cyber security and
[00:25:41] risk programs at global organizations, the question I've got to ask is, what is the soundtrack to that career? Is there a song that means something to you that maybe we can add to our Spotify playlist? I always ask my guests this question, but what song would you like to leave us with and why?
[00:25:58] This is sort of interesting because I as I think about it it's going to be a British song which well.
[00:26:05] Surprise, I'm not saying it surprises me, but I find that interesting just based on where I'm talking to you from today, but yeah, anyway, so I would say it's going to be a Rolling Stones song right now, and it's You Can't Always Get What You Want.
[00:26:19] And if you continue the lyrics on you can't always get what you want but if you try sometimes it just might find you get what you need.
[00:26:28] Those to me are words to live by. It encompasses a lot of things I think that, society-wise, need to be focused on today. It talks about if you try sometimes, so
[00:26:39] Effort still is what how you win the game in my mind it's not about talking about things it's about doing and getting things done and then a lot of times you got to learn you got accept what you get.
[00:26:50] And maybe it's really, I could say it's not always a bad thing, sometimes it's a good thing, you just don't realize it right now. So to me that's one of my all-time favorites, and it's actually, if you go up to my music listening room you will see that quote up on the wall.
[00:27:05] I love it and I can't tell you how hard it was for me not to burst into song as you were reading the lyrics out there.
[00:27:13] As you're talking to me from Texas I wasn't sure if you were going to go with ZZ Top or something like that, but a Stones classic, absolutely brilliant. And for anyone listening who just wants to find out more information about Semperis, anything that we talked about today, and maybe even connect with you or talk to a member of your team, where would you like to point everyone listening?
[00:27:30] You can always find me under James Doggett on LinkedIn, probably the simplest way to go, or go to semperis.com, S E M P E R I S dot com, and you can find all this there as well.
[00:27:46] Well, we covered so much there, from talking about the traditional CISO role versus the modern CISO, how they can harness the power of digital infrastructure and reframe that CISO relationship with leadership and the board, and help businesses make decisions for the business, to incredible insights, and also left us with an absolute killer tune which will be going on our Spotify playlist at the end of this podcast, but more of that in just a second. Thank you for sharing your story tonight.
[00:28:13] My pleasure and I appreciate you inviting me today this is always fun.
[00:28:17] I think it's clear that the role of the CISO is more critical and complex than ever before, and in an era where digital threats can derail companies almost overnight, I think Jim's expertise and approach offer a beacon for navigating these challenges with both foresight and resilience. And the journey from being a technical expert to a business enabler and a visionary leader, yes, it's fraught with obstacles, but as Jim was trying to get the job done by the company,
[00:28:43] and as he shared with us today, it is also filled with opportunities to redefine the impact of cybersecurity and how today's CISOs can leverage that unique position that they find themselves in to not only protect but propel their organization into a secure and prosperous future.
[00:29:01] That's just my take away having listened to Jim today. I'd love for you to share your thoughts with me by joining this ongoing conversation about transforming challenges into opportunities in the ever-evolving world of cyber security and business. It is a complex space, but share with me your experiences by emailing me, tech blog writer at outlook dot com, Twitter, LinkedIn, Instagram at Neil C Hughes, insights, questions, pictures, to come on the show, whatever it is. Remember this is not a mono
[00:29:31] logue, this podcast, I want it to be a dialogue. It's not just about answering questions but sparking that broader discussion on the pivotal role of cyber security in shaping the future of business.
[00:29:42] So let me know what insights you're going to be taking away from our conversation with Jim and how maybe they might even influence your perspective on cyber security and leadership,
[00:29:52] but that's all for now I'm afraid, so I'm going to rest these vocal cords now, prepare for tomorrow's guest, and hopefully you'll join me again, but thank you for listening and until next time, don't be a stranger.