How does a CISO turn cybersecurity from a technical conversation into a business conversation that boards actually care about?
In this episode of Tech Talks Daily, I sit down with Thom Langford, EMEA CTO at Rapid7 and a former CISO, to explore what he calls the second phase of cybersecurity leadership. For years, the industry worked hard to secure a seat at the boardroom table. In many organizations, that mission has largely succeeded. But as Thom explains, gaining access was only the first step. The real challenge now is communicating security in a way that drives meaningful business decisions.

Thom shares why many CISOs still approach board conversations in the same way they did a decade ago, even though boardroom awareness of cybersecurity has changed dramatically. Today, many boards include members with cybersecurity knowledge or direct security experience. That means security leaders can no longer rely on technical jargon, complex frameworks, or compliance language to make their case.
One of the most interesting insights from our conversation is the disconnect between how CISOs frame risk and what boards are actually focused on. While security teams often lead with risk reduction, boards tend to think in terms of revenue growth and operational costs. Thom argues that security leaders must learn to translate cybersecurity into the language of profit and loss if they want their message to resonate at the executive level.
We also explore how traditional security tools such as risk frameworks, audits, and compliance standards can sometimes create distance rather than clarity in board discussions. Instead of helping executives understand security priorities, these models can obscure the real question boards are trying to answer: how secure are we, and what does that mean for the business?
Another area we discuss is the growing role of tabletop exercises. Thom explains why these simulations are becoming one of the most effective ways for CISOs to demonstrate the real-world impact of security decisions. By walking executives through a realistic incident scenario, leaders can see how security, operations, legal teams, and business priorities intersect during a crisis.
Looking ahead, Thom believes the most successful CISOs will increasingly need to think like business leaders rather than purely technical specialists. Communication skills, relationship building, and understanding the organization's financial priorities may prove just as important as deep technical expertise.
So if cybersecurity leaders have already earned their place in the boardroom, the next question becomes much more interesting. Are they speaking the language the board actually understands, or are they still trying to solve business problems using only security vocabulary?
[00:00:04] For years, the big challenge in cyber security was getting CISOs a seat at the boardroom table. Good news, that mission is largely accomplished. But the harder question now is what happens once they're in the room? Well, my guest today, he's going to argue that many security leaders are still speaking to the boards like it's 2014, even though boardrooms have changed dramatically since then. Let's be honest, cyber security awareness is higher than ever.
[00:00:34] Expectations are much sharper. And patience for abstract risk talk and talking in acronyms is beginning to wear a little thin. So my guest today, he's going to help me unpack why modern security leadership is much less about shouting about risk and much more about speaking the language that boards actually care about. And by that, I mean cost, revenue and business outcomes. So my guest is Thom Langford.
[00:01:04] He's from a company called Rapid7. And together, we'll talk about what a security aware board looks like, what types of questions CISOs should expect when they're in that boardroom, and the role of tabletop exercises, how they will become vital for CISOs to show their worth. But on top of all that, we'll have some good old-fashioned fun along the way too. So enough from me. Let me introduce you to Thom right now. So thank you for joining me on the podcast today.
[00:01:33] Can you tell everyone listening a little about who you are and what you do? So my name is Thom Langford. I'm currently the EMEA CTO for Rapid7, but I've been in the industry for a number of years. I describe myself as a twice recovering CISO, having been CISO for large organizations, big teams, etc. Been a practitioner formally since 2008, but I've always been into the security field.
[00:02:02] I also run a few other activities. So I run the Host Unknown podcast, not a competitor, I hasten to add. And I do InfoSec parody rap video songs, if you believe such a thing. Not that I'm trying to plug those here, but we need all the views we can get. And I write and I host shows and I do a lot of public speaking. So if you've got a subject, I've probably got an opinion on it.
[00:02:31] Whether it's a valid one or not is up to you. Well, I almost feel like challenging you to rap the next answer to my question. Whatever happens, you're going to send me a link to this and we'll put it in the show notes. I need to see this. Oh, absolutely. Absolutely. If anybody knows 50 Cent's PIMP, well, we did Host Unknown's CISSP. Is it a radio-friendly version? Yes. Yes, broadly.
[00:02:59] I showed it to my mum, let me put it that way. Okay. She was all right with it. And you must have seen the role of CISO evolve. I mean, for years, the goal was getting CISOs into the boardroom. That was largely achieved. But you then described this as phase two of security leadership. So what changes when access is no longer the problem, but maybe the impact is? Well, I think CISOs in the boardroom are a bit like dogs chasing cars.
[00:03:26] Once they've actually caught up to the car and it's stopped, they don't really know what to do with it. And I think that's where we're at. And not only that, not only have we caught up with the boardroom car, as it were, but the boardroom itself has evolved. So they've become a little bit more savvy and probably a little bit more embedded into what they want.
[00:03:51] So without wishing to give, you know, sum up this entire conversation in the next 30 seconds, I think what we've done is we've got into the boardroom. But now we're kind of presenting them with information that is either irrelevant to them or not important to them. And yet we still think we're the most important voice in that room. Yeah, yeah.
[00:04:13] And I was reading before you came on that you've always argued that many CISOs are still communicating with boards in the same way, the same language that they did a decade ago. So what's changing board level understanding of cybersecurity? You said they're a lot more savvy now and a lot more interested. But where are the biggest mismatches between how CISOs speak and how boards listen? CISOs just talk about security.
[00:04:37] And I'm obviously, you know, painting us all with a very broad brush, but we just talk about security, whereas the boards want to talk about business. And I think, you know, there was a study recently, and we think we're very good at risk on the whole. Security is pretty good at risk. We've vastly improved how we measure it and how we communicate it, et cetera, in the last 10 years. Boards aren't massively interested in that. That's something like seven or eight in their top 10.
[00:05:07] What boards are interested in is revenue and operational costs. You know, they want to increase revenue, lower cost, job done. Everything else is kind of secondary. And we do not understand how to communicate in those terms at all. We just tell people that something's too risky to do.
[00:05:26] Or, you know, here's a really interesting security stat about why it's so important that you give me more money, which does not fly well in the face of lowered costs. It's such a good point you raise there, because as you said, CISOs have long walked around thinking that risk is the board's primary concern. But of course, they've got so many other things to worry about. That's far from what they're thinking about.
[00:05:53] But why does that matter in how security leaders frame their message, and how should they better frame their message to put it in a language that the board understands? Yeah, the phrase I've often used, and interestingly, an old colleague of mine actually emailed me this and said, you know, you were right. Which I have to say, I felt was very validating. But the phrase I always used to say was, this is what security needs to do to help the company sell more beer.
[00:06:23] Just because at the time I was a big beer drinker. But, you know, sell more beer, sell more widgets, sell more time, you know, whatever it is, whatever the product is. And there's two things that came out of that. One is that you need to know what your business actually does. You're not there to make your business the most secure business. You're there to help it sell more beer.
[00:06:50] End of story, through the judicious use of security. Otherwise, you know, kind of what's the point of you? But that is the primary goal. You know, and if you don't understand that, if you have not read the company report, if you don't know what the basic financials are or the basic business model is, you cannot achieve your goals, because your primary goal is to help it sell more beer. Now, the thing my ex-colleague sent to me was,
[00:07:15] I think it was the Asahi Brewery shut down beer production because of a cyber attack. Wow. So they literally could not sell any beer. So that was what made him, you know, finally say, yes, I told you, you were right. So I think that's a key point that we always forget. And I think, you know, we have this other phrase that I use, like special flower syndrome.
[00:07:43] We think we're the rose in the bunch of carnations. We think our voice is the most important and it's not at all. You know, we're a carnation in a bunch of carnations. There's no question about that. We are a voice. We are an important voice. But so is everybody else there. But everybody else is actually understanding what they're doing in order to help the business sell more beer, whereas we are hyper fixated on security.
[00:08:10] And I'm curious, from the conversations that you're having and everything that you've seen, what does that security aware boardroom look like in practice? And also, what kind of questions should CISOs be prepared to answer when that kind of awareness is real and they can't just bamboozle them with acronyms and security phrases? Yeah. Well, that's just it. You know, we throw these TLAs and 4LAs into our business, you know, and it's just not important. And we become irrelevant.
[00:08:38] But, you know, the ideal outcome of a board meeting should be them asking us more questions than we're telling them facts, you know, because that's how we are educating them. And that's how we're telling them about, you know, what we are actually doing. You know, there should be something like a 55/45 or 60/40 ratio of questions from the board to what we're saying to them. It should definitely be in that proportion.
[00:09:08] And I think one of the key challenges that CISOs face is that they don't understand that language of the board. They don't understand what it is that they're looking for. The basic question that we're being asked is, how secure are we? You know, are we going to go to jail? What's the ROI of what you're doing, i.e. the risk of incarceration? You know, if you get this wrong, are we going to prison?
[00:09:35] You know, and let's face it, they're not going to prison. That stuff rolls downhill. You know, and we've seen that time after time after time. Right. We only have to look at the latest LinkedIn updates after a major breach to see that that happens all the time.
[00:09:55] You know, but answering basic questions like that in a way that they understand, and in a way that they can then relate back to reducing their overall costs or maintaining or increasing their revenue, is so important. And we were talking before we started recording today that the industry that we both frequent can be quite gray. And the industry does lean heavily on risk frameworks, audits, compliance standards, etc.
[00:10:22] So have you seen these tools help security mature? And most importantly, where do they fall short when conversations turn to cost control and revenue growth? Because this is what the business listens to. Yeah, that's right. Like I said, I think security has, I'd say almost ironically, a very good understanding of risk. We know about, you know, residual risks.
[00:10:48] And, you know, we know what our inherent risk is, untreated, and what the controls do. And we've got the spreadsheets and the GRC tools that break that all down, etc. But ultimately, what that comes down to for the board. It was once said to me that when talking to the boards, treat them like Labradors and use primary colors, you know, which was, I know how it was meant. But actually, yeah, keep it simple. Keep it simple.
[00:11:16] And it doesn't necessarily mean, you know, you have to use the red, amber, green all the time, etc. But you can start to measure. You can start to present in terms of, you know, members of the board, you don't have to worry about this stuff. We've got this covered. We're doing well here. If you want to find out about it, you just ask. We'll tell you about it. These are the areas that you need to focus on.
[00:11:41] And I think, you know, a lot of times we throw out whatever it is, you know, the colors. So how secure are we? Oh, we're an amber. Well, how do we measure that? Well, you know, is that good or bad? I don't know. I don't count in colors. You know, that kind of principle. It doesn't necessarily answer the key question, how secure are we? You know, well, that depends on the sort of question you're asking.
[00:12:10] If we go into this market, if we go into this space, if we continue to do this activity, not very secure, massively profitable, not the most secure. That's a decision the board has to make. You know, if we go in there and talk in absolutes, you know, this activity is highly risky, I highly recommend we don't do it. Well, they're going to just say, well, what do you know?
[00:12:35] You have no idea what this business is trying to do and, you know, what we're willing to stake to be the first to the market or to, you know, take the biggest stake or whatever. And for any CISOs listening, to give them a valuable takeaway, maybe they're listening to our conversation, we've just delivered that light bulb moment and they're thinking, OK, I need to go into that boardroom. I need to be linking security decisions to cost reduction and revenue generation.
[00:13:02] But what does that look like in concrete terms for them? You shared the beer example, which is great. But are there any other examples of how a security investment can be explained through that profit and loss lens? So, yes, I think so. There's a couple of things. Firstly, and I mentioned this before, I'll start from the broader topic, which is understand the business. What is it that your business is trying to achieve?
[00:13:28] You may think it's, you know, getting consultants in front of clients, but actually the founders of the business may think it's something different. So one, make sure that what you're trying to do is aligned to that. I think secondly, bringing things down to financial values is useful. An example I use, and one that actually happened to me, was many years ago.
[00:13:54] We had a problem with laptops being lost and stolen. I mean, it was a great company, but laptops were being left in bars. They were being left in pubs. They were being left in the office where they were being lifted, you know, all sorts. And we actually looked into, you know, like everybody, remember the old venerable laptop lock lead? You know, we all had one of them. Right. And the business hated them. Yeah. Because, you know, at the time it was like, well, locking it.
[00:14:24] The whole point of a laptop is you can lift it up and go, and you can just go and meet with people and do stuff. And if it's locked to the desk, it's just an extra barrier, et cetera, blah, blah. And so our argument was, no, no, it's a valuable investment. I even did a really good demonstration of why it was actually a useful piece of kit, et cetera. And then when I ran the numbers, we were just throwing money away.
[00:14:47] The amount of money we spent on laptop lock leads, because, you know, frankly, they get lost too, you know, or you end up with one key and you can't issue a lock lead with just one key. Right. You've got to have a spare key as well, et cetera, et cetera. So we were spending, I think it worked out at about $300,000 every three years on, you know, laptop lock leads. The value of the laptops we lost was a little less than $300,000.
[00:15:18] Yeah, exactly. And they weren't being used. They weren't being used. It's not like, you know, we were saving more money, because they just weren't being locked. They weren't being used. It was a massive problem. So it was just like, okay, by actually driving down to the financials of this and running the basic numbers, we can work out what is a valuable exercise. And we need to do the same with the board as well.
[00:15:48] It's kind of like, if your investment of X in security, this is how it's broken down. This is what you get for your money. And these are the, you know, the potential costs that it's saving, et cetera. It's a bit like when you get your council tax bill, they actually now break it down into, there's this much on roads, there's this much on police, there's this much on, you know, your bins. And that's actually quite useful, because when you break it down like that, it becomes more manageable.
[00:16:17] It becomes more of a, oh, I see it's including that. And oh, I get this for it, et cetera. So just start to break down the numbers. And I guess I'm being deliberately vague here, because it depends. You know, I said I would talk like a politician, and, you know, I'll answer all questions like a politician.
[00:16:38] What I think is the important point to remember, though, is that by breaking it down, you can then relate it to those day-to-day activities that are going on and say, yes, we cost you, making this up, 1.5 million pounds a year.
[00:16:55] But did you know, for that, you get, you know, your inboxes reduced by so-and-so, you save at least an hour a day on email, you save this, you do this, you do the other. Being careful not to go into that whole vanity metrics of we block a thousand million viruses at the gateway, you know, well, why do I still get viruses?
[00:17:20] But, you know, by being careful not to go into that, you can also sort of show, you know, we've saved this amount of time, which equates to this amount of money, because we were able to do activity X or activity Y.
[00:17:35] You bring it down to that so they can see, oh, so actually we have reduced cost, because the amount of time you have saved or whatever is a lot greater than that 1.5 million pounds or whatever that we've invested in you. And I know you're also a big fan of tabletop exercises for CISOs to help them demonstrate value to the boardroom.
[00:17:58] So how do those exercises shift the conversations with executives, and what do they reveal about the things that those dashboards and reports and all those things often miss? So I think the big caveat with tabletop exercises is, they're fantastic, but they will take you a long time to get the right people into them. You know, it could take you 18 months to get board members involved in a tabletop exercise, for instance, or executive leadership.
[00:18:26] It's quite challenging, you know, they're all time poor, et cetera, but start small, build up. It could initially be a PowerPoint deck of here's a scenario and so on, and build up from there. But nonetheless, what they do is they're a complete shakedown of what you know and, more importantly, what you don't know. You almost want every tabletop exercise to fail in one way or the other, because it's shown you where you've got it wrong.
[00:18:57] And the value of a tabletop exercise is, well, it's many fold. Firstly, as I said, you're taking your documents and you're stress testing them. Your incident response, or whatever you want to call it, you're stress testing it.
[00:19:11] You're also showing that just because you have a response procedure, just because the board says, oh, we'll be OK, there's always going to be something, a little bit of, I guess you'd call it, you know, connective business tissue that you didn't know was there.
[00:19:33] And so, you know, when something happens and you say, oh, well, the production facilities will only be running for the next two hours because of X, and the leadership goes, well, why? Surely so-and-so said they've got recovery in place.
[00:19:52] She said, yeah, but they've only recovered 90%, and that 10% didn't take into account, I don't know, refilling the generator every 24 hours. It's a poor example, but do you get what I mean?
[00:20:09] It allows you to really explore the nitty gritty of something, and also shows the value of you really focusing in on those details and understanding the core business process. I remember years ago, quite early in my career, I was asked to, you know, work out the data flow of certain types of data, primarily, I think it was PII, personally identifiable information, across the company.
[00:20:38] And I thought, ah, I'll get that done in a few days. I think, like, two months later, I was like, what? I am so lost. So hang on, it goes from here to here, and then there to that. And then it goes to, so, the data from India then goes to the US, and then it sits in the US, but then we archive it back in India because of a law, and da-da, all that sort of thing.
[00:20:58] And that very convoluted sort of set of processes that all makes sense and is all done automatically underneath, all it takes is one little break and you realise that actually you're working off old data. You're working off yesterday's data, not today's data. And that in certain environments can be catastrophic. So what those exercises do is really grind out every single possible issue you could face.
[00:21:28] And finally, if we look ahead and CISOs do start to begin thinking much more explicitly about profit and loss when making those big cyber decisions, how does that change the role of the CISO or the traditional CISO? And are there any additional skills or mindset shifts that are becoming more important for those leaders who want to remain relevant at board level?
[00:21:49] Yeah. So I have always, and I often get, you know, I'll say ridiculed, because I know certain people will be listening and I'm going to tell them I told you so. I've always sort of been ridiculed, partly because I'm one of them, for saying that CISOs needn't be massively technical. Yeah. That's not where they need to be. And the key response I get is, but they need to know the technology so they don't get the wool pulled over their eyes. It's like, what?
[00:22:18] These are supposed to be your team? This is your team that you've built. Why would they be lying to you? You don't need those skills. That's what you have the team for. And I think the key skills we need are an ability to communicate, build relationships, play nicely with others, understand the business, translate from technology to business, you know, technology problems to business problems. Act as that interface.
[00:22:47] Do exactly what the CFO does or the COO does. The CFO is not necessarily the best accountant in the company. The CFO may not necessarily understand every single taxation law in every single country they operate in, or every single, you can tell I don't do finance, but, you know, whatever rule or whatever.
[00:23:10] What they understand is that big picture and they know that they've got a team that they trust to tell them the truth and to tell them what's going on. It's the same with the CFO. Interesting. I did a workshop with a close friend of mine about five years ago, I think it was actually. And so it was BC, you know, before COVID. And when we asked the question, how technical should CFO be?
[00:23:37] And then the second question was, what skills should a CFO have? Now, nothing was in extremes, but it was very clear that a CISO, you know, on a scale of zero to 10, was at like 7.5, 8. Should be technical. Absolutely must be technical. What were the skills a CISO should have? Relationships, management, leadership, business ability, et cetera. You can't have one without the other. Do you know what I mean? It was very clear that they've got to be technical, but they actually have to have this.
[00:24:07] And that's not to say they're mutually exclusive, but I think the important skills are the ones that allow you to speak to the business, understand what they're saying and know how you can communicate back. And also alter the strategy, your security strategy to support that business that you now understand with more clarity. Love that. And a perfect moment to end on. But before I let you go, you've shared your insights today. I want you to leave one final gift for everyone listening.
[00:24:37] I always ask my guests to leave a book, song or film that you would recommend. What would it be and why? I think film. My family and I are very much into films and filmmaking and things like that. It's directed by Terry Gilliam of Monty Python fame. And it's called Brazil. And it's a film from, I think it's the late 80s, maybe even early 90s.
[00:25:03] And it's about a sort of totalitarian dystopian state and the banality of the decision making that goes into utter human cruelty. And how one person tries to make a difference in that, all in the name of love. And it's hilarious.
[00:25:28] I mean, it has like a terrorist plumber played by Robert De Niro, for instance. You know, that sort of thing. Yeah, it's both hilarious and terrifying in equal measure. And it is one of my absolute favourite go-to films. An absolute cracker as well. And arguably more important now than ever. But that is another podcast. It's another podcast.
[00:25:53] And for anyone listening who wants to check out your podcast, your rapping videos, or learn more about Rapid7 and everything in between, or connect with you or your team, where would you like me to point everyone listening? Oh, let's see. Rapid7.com, HostUnknown.tv, ThomLangford.com. That's Thom with an H. And ThomLangford.photography if you want to see one of my personal passions. Awesome. Well, I will add links to everything there.
[00:26:23] Anyone listening, I would urge you to check out some of those. I'm going to try and include one of the videos as well in the blog post associated with this. And as I said at the very beginning, the world of CISOs and IT and security and boardrooms can be quite a grey topic. But you've really brought it to life today with a lot of humour as well. So thank you so much for sitting down today. Thank you very much. Wow. Not only was this conversation somewhat of a timely reminder that access alone does not equal influence, boards are listening.
[00:26:53] But they are listening for business clarity, not security theatre. So if you are a CISO, a security leader, or in fact anyone trying to connect cyber decisions to real world impact, I think there was so much here to reflect on. Especially around profit and loss and tabletop exercises and what modern leadership in security actually looks like. And not only that, we proved that it doesn't have to be a grey, boring topic. We were able to have an engaging, fun conversation.
[00:27:22] And as always, I'd love to hear your take on this. Are you seeing CISOs adapting fast enough to this second phase of boardroom engagement? Or is that gap still wider than most people admit? Or are you a CISO who finds yourself in that boardroom and has just had a light bulb moment? Whatever it is, please drop by techtalksnetwork.com. Let me know your thoughts on anything we discussed today and share your story with me. But that is it for today. I need to go check out Thom's videos there. They sound quite entertaining.
[00:27:51] And I will be including so many links to his work there. As you could tell, an incredibly engaging talker. So there are so many podcasts and videos that he does. I'll be including about six or seven different links to those. So check those out. And I will meet you all again same time tomorrow. Speak to you then. Bye for now.