Two top leaders from the CISO community, Larry Whiteside, Jr. and Katie Arrington, got together to discuss lessons learned from the CISO Fantasy Phish Bowl on cybersecurity. This was a fun and, as appropriate for the Halloween season, kind of freaky conversation on how CISOs must lead their organizations through business growth in a time of extreme cyber danger. Below is just a small sample of what we're certain you'll find to be a highly worthwhile conversation!
I've learned that just because I love a team--the Steelers--I should not rely on their defense (laughs). I’ve learned that I need to look at the value of what the return on investment is on my players that are starting on my team in my league every week, and not on who I really, really like. So I've learned a lot.
I've been playing fantasy football since the early 2000s and it's interesting, but what I've learned in playing for so many years and in different styles of leagues is that for every league you must adapt your style. Because your drafting style does not carry across all types of leagues. And when I think about that, it's the same thing in cybersecurity as it relates to building a team. The way you build a team must adapt to the industry and the organization that you're in. And so for me, when I went into this league and I utilized the same drafting style that I did in my money league, I didn't really get what I was hoping to get, because other people were drafting very differently than what I'm accustomed to based on the other leagues I've played in. So I think it's important to think about it in that context when you're building a security team: you can't be figuring out how you build your team in one place based just on "this is how I've always done it."
I think as CISOs, we're going through a revolution of our capability. I look at the CISO's job and the CISO is like a conductor, or a coach, right? They should have some technical background, some capability … But when you look at the CISO and what their role is, it's translating all the different languages that are spoken within a company, from profit and loss to security to Information Technology, information assurance. Because none of those are the same. It's really funny that people lump them all together. There's compliance, there's supply chain risk management, there's a whole mix, and the CISO is the one person who can translate between all of them. That's the uniqueness about that capability and why they're so critical. You know, the coach is the most critical point on a football team, right? The coach sees the strengths and the weaknesses of all the players. He also sees the strengths and the weaknesses within his assistant coaching teams, and he has to know when to put the right people in. But he never does anything other than put the right people in. And that's the CISO's sweet spot, as we're the coach and we know when to get involved but we also know when to step back and let the Special Teams take over.
That's an interesting point you bring up, because I think a lot of CISOs sometimes get too deep into the weeds. You never see coaches going down and lining the punt up to show the kicker how to punt. You never see coaches going down and showing the quarterback how to throw. You have a quarterback coach who you literally give instructions to and say, "Hey, I don't think that the execution here is aligned to my expectation," and you then help better align and communicate that to the coaches… Our leaders, they're important to us to say, "Hey, this is what I need. Here are the outcomes I'm expecting. Right now you go execute, and if you have a challenge with executing, that deserves a conversation. Let's figure out how we can better align to make sure that that happens, or I find someone else who can execute."
The paralysis through analysis is a real thing. We will sit in a room and talk about meeting to meet, and then meeting about the decision we made to go over, "Are we sure that's the decision we want to go with?" I have been in organizations where it's like moving a tanker to make some of the most simple decisions on the planet. And you look around the room and … we're talking about millions of dollars, if not hundreds of millions of dollars, at risk here, but because this thing of cyber (risk), and the nuance of the adversary, is so nebulous to the business, it takes them so much to make a decision. And we're sitting there as a CISO like, really? This is pretty simple to me. But they go round and round the Merry-Go-Round on which direction we're going to go.
It's funny. Most of the time, the easiest way for me to help them make the decision is if I can tie it to a control or some aspect of regulatory need, right, that if we don't do this, the regulators are going to get after us. And that tends to be the only thing that helps drive the decision. It's the equivalent in football, right: "Hey, we are guaranteed to lose this game if we don't do these things. There's going to be major repercussion across our brand and across all sorts of things."
Corporations need to understand that if you’re moving through CISOs really quickly and your CISO is in the room and nodding their head and saying all is good, you have the wrong CISO sitting in the room. There’s always a problem. Because we're in electronic warfare. Once we plug one hole there's going to be another hole to find… No matter who the adversary is, just think of The Art of War: The best way to defeat anybody is from within. Our adversaries know that but I don’t think that the executive level actually understands that. When you talk about cybersecurity and what you need to be able to provide it, it may be more expensive than they think it should be but (it’s necessary).
The next war is going to be won or lost in the non-kinetic cyber field. Period. End of story. When you have hospitals getting ransomware, school districts getting less, when you're watching Killnet go after pipelines.
I'm a former CISO in the critical infrastructure space and having had that role for two years made me more fearful of what power means in this country than ever before. It's like when you see something you can't unsee it? I can't unsee what I learned being a CISO in critical infrastructure and it scared the bejesus out of me.
Larry Whiteside Jr. is Co-Founder and Executive Vice President of ICMCP. With 25 years in information security serving in multiple leadership roles, he is currently the Chief Information Security Officer at RegScale, a company that delivers freedom from (digital) paper via RegScale's real-time Governance, Risk and Compliance platform. He was previously CISO of an organization that supplies cost-effective electricity for Central Texas, manages water supplies and floods in the lower Colorado River basin, provides public parks, and supports community development in 58 Texas counties. Larry is a seasoned executive, having served as CISO and in several other leadership positions in the private and public sector. A dedicated security professional and sought-after speaker, Larry is an active member of various organizations, including the Information Systems Security Association, the Cloud Security Alliance, and multiple industry-based security committees committed to strengthening security in the public and private sector.
Katie Arrington is a former member of the South Carolina House of Representatives and the CISO of the Department of Defense. She has overseen massive critical infrastructure projects in the public and private sectors, and grown her own business as an entrepreneur. She has substantial experience and capabilities in cyber strategy, policy, enablement, and implementation across a wide range of domains, including DoD, Federal, Healthcare, and State. She acquired her experience in cyber over the past 20 years with Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. She has had the unique experience of working at a large business, a small business, and a non-traditional contractor for the government. She attended Canisius College in Buffalo, NY.