Lindsey O’Donnell-Welch: What is important for building out a security culture in a business?
Rick Holland: It is all about people. There’s this tendency to buy the newest technology, or the flashiest whatever at RSA or at BlackHat in Vegas. But, you know, if you want to have a good culture, you’ve got to first start with your security teams, and they need to have a good culture, so investing in them, retaining them, having internal training, external training, career pathing, all those things are important. Because I think if you don’t have a good culture, within your security function, you’re gonna fail at having a good culture more broadly, across the entire company, because it’ll be kind of obvious, if your security team is not bought in, that no one else is going to get bought in. So I think that’s a really, really key component.
I probably learned things the wrong way when I was a lone security person – I was kind of proud to be the Department of No Guy – and my CIO, who was my boss at the time, gave me some really good feedback in talking about enabling people, and helping them do their job, that they’re just trying to do their job, they’re not a security expert like you. And I think that’s really, really key still, to this day. How are you going to have a positive culture, a security-minded culture, if you’re super negative about your customers, your partners, your colleagues? And having technology that is transparent, understanding that managing passwords is a pain in the butt for people, having empathy for these people that we’re trying to protect, I think is really, really key to having a strong security culture as well.
Lindsey O’Donnell-Welch: When you’re looking at kind of building out an effective cybersecurity program, are there a couple of critical steps that you would say are most important?
Rick Holland: Yeah, I think the first one is alignment of the program to the business itself. We don’t do security for security, we do security for our business, or our nonprofit or whatever the kind of organization is that we’re trying to protect, and understanding what the goals and objectives are for that company or organization is really, really key, and then translating that into the security program. I’ll give you a specific example there; one of the things that I’ve been talking about for years, it’s more applicable to public companies, but it still applies to private, is that public companies have their SEC filings, and one of the SEC filings is a Form 10-K. And that Form 10-K has a risk factors section, and it usually has between like eight and 20, 10 to 15, something along those lines, risks that the company has to the overall business. And there’ll be things like supply chain, whether some places maybe get hit by wildfires, or hurricanes or whatever, but being able to have a business discussion, and being able to understand what the risks are to the business and how you can try to mitigate those risks from a cybersecurity or physical security perspective as well. And if you look at retail – with Black Friday – if you look at a 10-K from a public retailer, they’ll probably have things in there about their employees, their rewards program, and how that is key for loyalty and maintaining stickiness with customers. So if you’re coming into a new program, looking at a Form 10-K, or just the annual report; knowing what the business is focused on, where the business is going to grow, and then mapping it out to people, process and technology, and how you can give visibility into risk, how you can then mitigate risk, it’s almost a blueprint for the program, it’s the top-down blueprint for the program. But it also lets you critically talk in terms of what the business cares about, right.
I’ve seen a lot of prediction stuff, and suggestions for 2023 planning right now. But most of it is focused on, hey, you need to invest in API security, or you need to invest in cloud security. Really, what we need to be doing is investing our time in understanding the business goals for 2023. And then figure out what people, process and technology is needed to give visibility into risks, and then mitigate them. Is the business expanding into a new region of the world? What are the threats there? How do you protect employees when they’re there? Is the business rolling out a new piece of software that’s going to generate 20 percent of the net new revenue for the year? How do you secure that? So I think the Form 10-Ks, if I was with a public company, I’d be listening to the CEO’s quarterly call every quarter. And now if you’re not a public company, you still have a risk committee of some sort. So being engaged with the risk committee, understanding the risk, that’s another place you can go if you just don’t have access to the public filings there. So that’s where I like to start, as a hey, let’s just make sure I’m aligned on what the business objectives are, and how I can do that.
The other part, to me, again, goes back to the people, which I think is the most important part of the people, process and technology. How are you going to recruit people? Don’t always try to recruit unicorns, it’s a highly competitive market; don’t have these ridiculous job descriptions that act like they’re for inexperienced people but really, you need 10 years of experience to get the role. Have a mix of experienced people and very junior people that you can train up, and then do creative things, remote working, flexible working, I’m going to give you a SANS class every year, or whatever the case may be; have an actual curriculum to try to retain these folks. And I think it’s the most painful thing in a program when you have someone you’ve invested time in, and they leave prematurely; we know everyone’s going to leave at some point. But if you invest and you lose somebody at a year to a year and a half, well, perhaps you could have gotten another year out of them. And you know, that can be quite material, right? If you have to ramp up, learn the organization all over again, learn the tools, and all that sort of stuff. So I really think it’s: what’s the overall corporate strategy? How do you map to it and be able to talk in terms of business concerns? And then how are you going to staff the people needed to act on all the promises that you’re going to make to the business about helping secure and minimize risk?