Episode 4: Threats Are Sexy, Vulnerabilities are Scary with Chris Hodson

Rayna Stamboliyska:

Hello, and welcome to What the Hack is a CISO anyway. This podcast will help you in your journey to be a better CISO. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. I'm Rayna Stamboliyska, EU Digital Ambassador, covering the intersection of tech, security, and policy, and the CEO at R Strategy. In this week's episode, I'm talking to Christopher Hodson.

Rayna Stamboliyska:

Chris, thank you for being with us.

Chris Hodson:

It's a pleasure, Rayna. Thank you for having me.

Rayna Stamboliyska:

So you have a long history in the security industry. You've covered roles leading security architecture and design at Visa Europe, at Waitrose, and at Lloyds Banking Group. You then made the jump to being CISO for companies including Contentful, Zscaler, Tanium, and Cyberhaven. And you've also been a board member for the Chartered Institute of Information Security and the curriculum advisor for CompTIA. So today, you decided that you need a new adventure, and you're an advisor to fast growing companies around security, an investor, and also the author of Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities, Apply Controls, for Kogan Page.

Rayna Stamboliyska:

Oh, boy. You've been busy.

Chris Hodson:

Well, right now, I should hang around with you more often. That makes me sound excellent. And I don't look old enough to... but, no. It's been a fun ride over the last kind of 20 odd years. And, yeah, the shift from kind of end user world to start up, and now I'm lucky enough to advise start up organizations and do a bit of writing here and there.

Chris Hodson:

So yeah. Thank you.

Rayna Stamboliyska:

Well, thank you. So 20 something years. So let's go back to where it all started, the origin story. So how did you get into this? What inspired you, you know, to get your hands on security?

Chris Hodson:

It's a great question. I could give you, like, a kind of textbook answer and say, oh, from the age of 5, I've always known that I wanted to work in security. But let's not go there. I don't know. I didn't know that I was gonna kind of get into security.

Chris Hodson:

I went through the very kind of, I suppose if you think about the academic path in the UK, got to 16, 17 years old, and then it's kinda like, what do you wanna do? And I had a real passion for sort of language. My mum was a linguist, like, in Russian and French. And while I didn't have that passion, like, the English language always fascinated me. Do you know what I mean?

Chris Hodson:

And so I went into kind of a year of my A levels, studied English, realized, you know, the family didn't have a lot of money, and university back in those days was quite expensive. So, right, I need to kind of get a job really and kind of find a vocation and something that I enjoy. And computers, how they operate, gaming, initially, like most children, I kind of started there and then started to think about not only how do computers work, but potentially how could they break, you know, which would probably be a better way. And I'm not saying that that was, I suppose it was. It was formative, and it was sort of like the genesis of what I went on to do, but started in a very technical route.

Chris Hodson:

So I know there's lots of debates and possibly we'll cover this today around does a CISO need to be technical. I've always been super technical. So I sort of landed very luckily in an IT role at a law firm, which happened to be sort of 2 minutes' walk from where I lived. And it was one of those really small kind of IT and security shops back before security was even a thing. You just did some stuff.

Chris Hodson:

Right? You did provisioning. You did some form of hardening. So I learned software development. I learned some scripting.

Chris Hodson:

I mean, I'm showing my age here, but we're talking kind of Delphi, like, Novell NetWare, kind of, like, early stage stuff, software development. And I kinda realized I didn't wanna be a developer. I didn't wanna be a coder. It wasn't me. I used to say ADHD, but I get too frustrated too quickly.

Chris Hodson:

So then I went into systems engineering, and, you know, like a lot of people back in the day, I did my MCSE, like, Microsoft Certified Systems Engineer. And you reach a point with that kind of core process where you can either go into electives in databases, messaging, or security. Certainly for the 2000 MCSE anyway. And I thought, heck, I'll do... I did 2 of them. But I kind of really much preferred the security side of things, to start to learn about, like, proxy server architecture.

Chris Hodson:

I started to learn about the principle of least privilege, like, all the fundamental things that even now, like, 25 years on, you know, we still have as core tenets of what we do. And then I think the reason that I got to CISO relatively young, I did lots of consultancy and contracting roles. You know, you mentioned a few of them there. You know, I spent some time at Lloyds Bank. I spent some time at Deutsche Bank.

Chris Hodson:

You know, moved over to Visa and got to meet so many different stakeholders and people who were candidly way more qualified to do their job than I was. So, yeah, that's like an unplanned, unwieldy intro into my career. But, yeah. And 25 years later, I'm now sort of sat here hopefully providing some value to people, like, building and selling security solutions and trying to separate snake oil from, like, incredible solutions.

Rayna Stamboliyska:

Yeah. Which is a full time job on its own. Right? Yeah. I mean, I won't, you know, dispute the sanity of not being a developer.

Rayna Stamboliyska:

Also, because I made that choice myself. Right? Yeah. You know, although I could do grep, you know, grep and awk all day long, I think other things are better. But it's interesting because, you know, 20, 25 years ago, you mentioned it yourself.

Rayna Stamboliyska:

You had to get your hands dirty, well

Chris Hodson:

Yeah.

Rayna Stamboliyska:

All things considered. Right? Yeah. And so there was this level of technicality that you had to have regardless of whether you had the title. How have the challenges, you know, the problems that we face from a security standpoint evolved in 20 or 25 years?

Rayna Stamboliyska:

Because today, you know, if you look at it, today, we have, like, a a specific industry for us. We have cybersecurity. Yeah. You know, we didn't have that 20 years ago. We didn't even have it, like, 10 years ago.

Rayna Stamboliyska:

So do we still face the same problems today, or have we done, like, significant strides? You know?

Chris Hodson:

Yeah. It's a great question. I think at the core, and, again, I don't wanna start, like, a lecture on risk management, but I think at the core, like, the business impact of incidents is probably different today. You know, when I started, having a website... god. I'm sounding so old today.

Chris Hodson:

But, like, even a company having a website, you know, was uncommon, should we say, back in, like, 99, 2000. Maybe it was becoming slightly more prevalent, but largely uncommon. Certainly, like, ecommerce platforms for payment, you know, they were a select few, a very select few. You look today, 25 years on, I mean, everyone's business is a technology business. I think it was Uber that said, you know, hey.

Chris Hodson:

You know, we're not in the car business. We're a software development house. I think that probably applies for a significant number of businesses. So in terms of, like, existential impact of stuff going wrong, I think things are profoundly different in 2024. Do I think that, you know, the controls, at a table stakes principles level, do I think that the controls are different today?

Chris Hodson:

Not at all. You know, I think we still need to... I mentioned, you know, tongue in cheek, least privilege earlier and various other ones that we could espouse now. But, you know, I think that they're as they were. I think there are, like, more contemporary manifestations of how you apply them. But I think the impact's changed significantly.

Chris Hodson:

The breadth of things that you need to understand as well and how technology, like I said, has been embedded into businesses is very different. But, yeah, I mean, back then, you mentioned it right now, like, cybersecurity wasn't a thing. Like, literally, I mean, I would go as far as saying, you know, other than, like, financial services and probably academia, other than that, you know, you did some things. I'm not even sure you did them for security reasons. They were just matter of course.

Chris Hodson:

Like, people had logins. You had a standard build, but I'm not sure that they were necessarily security. I think they were more, like, for functional delivery and efficiencies. So I think the world's a very different place. I think that cyber is now... oh, I'm just gonna sound like a Gartner advert, but, like, it really is a top right business risk for all companies, and I think that's why it's so important for everyone.

Chris Hodson:

Yeah.

Rayna Stamboliyska:

Yeah. It's I mean, we are still facing the same things. Like, how do you build in trust?

Chris Hodson:

Yeah. I think, like, the aggregation of the importance of privacy over the past probably decade, 5 to 10 years maybe, has really expanded security as well. I think it's slightly opaque now as to where privacy stops and where security starts. I think that brings in a much broader set of stakeholders, right, as well. So, you know, it used to just be these technical people with their sandals and socks in a basement.

Chris Hodson:

And now, you know, it is business executives. It is legal teams. So, you know, while I came from an insanely, like, technical background, I can see how the role is widening.

Rayna Stamboliyska:

Yep. I'll get back to this technical background because it's an interesting one. It's not a regular one that you see. Right? And you have a lot of people who are leaders.

Rayna Stamboliyska:

You know, they present themselves as such, who do not necessarily come with the sufficient technical understanding. But before we get into this, I would like us to get back to your experience with some of the world's biggest companies in the security sector because that's not like a CISO in any sector. There are specific challenges there, both internally, but also vis-à-vis your clients or your customers. What did that teach you in terms of, you know, human interactions, in terms of requirements, in terms of user experience even? What do you think other CISOs, regardless of who their employer is, you know, could learn from this experience?

Chris Hodson:

Yeah. I've got a very immediate and visceral reaction to that. There's 2, like, major ones. Firstly, you learn to spin a lot of plates. And I'll explain why. I'm sure every CISO says that, but I'll explain why.

Chris Hodson:

Like, you know, if you work in financial services, you know, large manufacturing, technology, and I may not be popular saying this, you kind of, I found anyway, and my friends would say so, you kind of have dedicated functions. You know, you mentioned architecture and design earlier. There's GRC, there's SecOps, there's, you know, various other functions under security. You move to startup world or technology vendor world, should we call it, and you kinda don't have that. You know, there is this aggregate security function, which, you know, is often quite small.

Chris Hodson:

We can talk about how it evolves and divests as things grow, but largely, it's quite small. So you can go and, I think this is why quite a lot of people kind of move from end user world to vendor world and it doesn't work for them, is, you know, you're suddenly doing 15 things, and one day it could be strategy and it could be incredibly interesting. And, Jonathan, as correct as I can be in what I'm saying. But other days, it could be, you know, you're the person at the keyboard. You know, you're on a CLI, and you're reconfiguring a VPC in AWS.

Chris Hodson:

Like, that's the polarization of stuff, and that doesn't appeal to people. You know, there are very attractive things about working for vendors and equity and the opportunity of a massive upside. But there's also this, like, Swiss Army knife approach that you need to take to security. So that was the first observation I had. I came over and I was like, wow.

Chris Hodson:

This is crazy, and I'm not sure if I'm gonna hack it here and stuff, but turns out it was okay. The other major one, and I think this gets overlooked, and especially today, 2024, this is, like, one of the most important things. You're part of these companies' supply chain. Right? So let's say you're a start up organization of, doesn't matter, 100, 500 people. You know, if you have customers who are 100,000 users or 500,000 users, the expectations of you as a supplier are that you have commensurate security to the organization doing business with you.

Chris Hodson:

And I feel that from a CISO perspective is a real messaging challenge internally. Right? Because if you're building a company, like efficiency, being lean, reducing the costs of the goods that you sell, they're all, like, profoundly important things. If you then go to your leadership team and your board and you're like, hey. You know, we need $200,000 for a CSPM.

Chris Hodson:

Hey. What does this thing do? Can we buy it next year? And you're like, well, you know, not really because, you know, this company requires we have that level of visibility or we must have 24 by 7 IR and the ability to do x, y, z. They're just things that I feel, if you're 2 people in a garage, you don't need to care about if you're not in cyber.

Chris Hodson:

And as I said, I think some of that's changing with, you know, legislation. But those were the 2 biggest things I think to me were, you know, number 1, you had to know everything to a surface level. And then the second one obviously being the expectations on you, irrespective of size, that you've got everything together, really.

Rayna Stamboliyska:

So do CISOs need to be technical? I mean, if we look at security at product driven companies, especially cybersecurity products, I mean, that's like a rhetorical question. Obviously, they have to. You know? They need to know and operate things directly.

Rayna Stamboliyska:

But is that still a requirement in, say, end user businesses? Like, do I need to know the nitty gritty detail of a CI/CD pipeline for me to be taking, you know, good decisions as a leader, you know, a cybersecurity leader for a bank, for example, or for a retailer?

Chris Hodson:

Yeah. I don't know. If I was gonna answer that question as an exam question, I'd probably give you a slightly different answer. I think you have to have the passion for technology, and you have to have the passion for the industry that you work in. And I'm talking longevity here.

Chris Hodson:

If you're gonna be a CISO for 15 years, I think you've got to enjoy what you do. I'll say this because I wrote it somewhere, and I can't remember where. But I don't know many CFOs who don't have a finance background. Like, I just don't. It seems crazy to suggest that you'd be CFO of a multinational company and you don't understand numbers.

Chris Hodson:

But I think technical gets misappropriated. You know? I think people assume with technical, yeah, that you need to understand how to do, like, input encoding in various different languages. It's not that, and it's not reciting the OWASP Top 10 in detail. And, you know, again, it's not looking at linting in Terraform, but I do think you need to understand how those things form part of what your business does.

Chris Hodson:

To use your example of CI/CD pipelines, I think you need to understand why your company has them and what could go wrong with them. And I know lots of people will say, well, look, I delegate a lot of this stuff. I have a head of SecOps, and I have someone who does it. That's wonderful. But in my experience, and, you know, I've had a fair amount of analysis with peer groups and friends and other people.

Chris Hodson:

You know, if you're in those executive conversations, security is so much about selling the org and the value of what you're doing that often you only get one chance to explain to the head of people, you know, why they can't keep background check information for 5 years, and there's people who might want that. And it's a really bad example I've given off the top of my head, but I think you have to have a broad understanding of the technical domains that you're working in. Because if you don't, how would you reverse engineer metrics? Yeah. Like, how would you possibly say, hey.

Chris Hodson:

How's your organization doing? Here's our monthly report on the efficiency and the effectiveness of security in our company. I feel to some degree, you need to be technical. Yes. For however unpopular that might be right now.

Chris Hodson:

Yeah.

Rayna Stamboliyska:

I mean, yeah. You can't be completely disconnected. Right? It doesn't matter if you do GitOps or FinOps

Chris Hodson:

Yeah. Yeah.

Rayna Stamboliyska:

You know, or understand what the difference between the two is. The question is, why do people do FinOps with you, you know, in your organization? And, you know, whatever technical question that might be, but the question is you need to understand the words and the reasons behind those words. Yeah. I agree with it.

Rayna Stamboliyska:

I mean, but it's interesting because today, you look at fast growing companies and investments, and I'm yet to see a serious uptake, if you like, from a lot of investors on the due diligence, like on the cybersecurity due diligence. Yeah. Right? It gets kind of passed over, like, do you have security measures in place? And everyone's like, of course, we do.

Chris Hodson:

Yeah.

Rayna Stamboliyska:

And you don't really get the opportunity to kind of dig into it and ask, you know, further questions. So when you do this, when you work with those either companies or, for example, investors, what do you look for there? How do you know that a team, you know, or an initiative within a company is going to deliver in the right way?

Chris Hodson:

It's a great question. If I may, I will say I don't think it's exclusively like an investor due diligence thing. I think third party risk management is, of all of the domains, and we can talk about super technical stuff today, but of all of the domains, that process of tire kicking is just so fundamentally broken. And I say this as somebody who has given out crappy questionnaires and received crappy questionnaires, right? I was having a conversation with Clyde this morning about this, but I shouldn't say any more.

Chris Hodson:

But, yeah, they're very closed. Like, do you have a policy for x, or have you had a pen test? Or, you know, very binary, very closed questions. Right? I think it's much more about, like, the how than the what, really.

Chris Hodson:

You know? So I'll give you a great example. I was having a conversation this morning about a company extending ISO scope. It was just like an early conversation. But, you know, should we do this?

Chris Hodson:

And you kind of, you speak to these startups and start to, I do anyway, try and explore the why of what they're doing. Because if you feel that that is a faster way to close deals and you genuinely feel that by providing an ISO cert or a SOC 2 cert or whatever you've got, you're going to accelerate sales, that's like a demonstrably positive outcome. Right?

Chris Hodson:

If, however, you're using an extended ISO scope as a security measure, I think that's crazy, to be perfectly honest. So I try and work with companies and get them to shift from, like, this very perfunctory approach to security assurance. Try and think about the stuff that they care about. I don't wanna say top down because that's just such a trite statement, but, like, get the leaders of that company to sit with you where possible and talk through things that are just not palatable to them. Do you know what I mean?

Chris Hodson:

Like, certain types... like, you're not gonna go to the level of talking about, like, Scattered Spider and specific TTPs, but saying, like, what is completely unpalatable to you from a risk perspective? Like, losing this database or being down for 4 days or whatever it is, and so trying to build up a set of controls, people, and sort of technology that mitigate the likelihood and sort of impact of that happening. I think some of it, and this is where it ties into investors, it's just experience. You know, I think you meet people, and I'm gonna divert slightly into, like, cyber companies that we've found, as in if they're worth investing in.

Chris Hodson:

But you just see commonality in responses as well. Like, I think some of the best security conscious organizations don't talk to me about, hey. We've got this technology for this. They talk to me about how security is sort of part of what they're doing. You know what I mean?

Chris Hodson:

And they identify areas where potentially there are gaps today in what they're doing and how they're looking to plug those. But I'm hoping, I'm seeing a lot of startups in this space, so fingers crossed we improve it. But, you know, the spreadsheet based way of doing due diligence has to change. And something that I've kinda stood by for a long time, I try not to ask of my vendors things that I wouldn't answer myself, which, and I will pick on financial services now, that doesn't apply to them.

Chris Hodson:

Like, getting a 400 question questionnaire is not really giving anyone a meaningful position on risk and exposure, I don't think.

Rayna Stamboliyska:

Yeah. I think you're triggering a PTSD for a lot of people right now. Me included. I mean... Sorry. No.

Rayna Stamboliyska:

I mean, the extra spreadsheet with the 400 questions. Oh my gosh.

Chris Hodson:

Where does it go? Do you know where it goes? Do you know where... sorry to interrupt you. I'm so passionate about this.

Rayna Stamboliyska:

No. It's fine.

Chris Hodson:

Do you know where this goes? It just goes into a folder. It'll be Rayna's folder or your company's folder. Do you know the number of times that I've heard of, I was gonna say, I have seen, possibly I have seen as well, requests for SOC 2 reports, which have value, and personally, I think they have significantly more value than an ISO report. But a company will ask for a SOC 2 report.

Chris Hodson:

You provide a SOC 2 report, and there are no follow-up questions. It's an auditor's opinion. It's not a compliance framework. Like, it's an auditor's opinion. And yeah.

Chris Hodson:

I don't know. We can probably do another 30 minutes on that subject.

Rayna Stamboliyska:

Yeah. More generally, we have that sort of thing in Europe, specifically, you know, if you're not ISO 27001, then you don't exist, sort of. Right? And which is to me, like, a huge issue because it doesn't say much about whatever you're actually doing in security. Right?

Chris Hodson:

No. But, you know, we talked about CI/CD pipelines earlier. If we're moving to that continuous approach for shipping software, and I'm desperately trying not to say shift security left because you can punch me if I do. But, like, that has to be the way that we approach all these other things as well. Like, you know, I say, and I'm really going hard on ISO.

Chris Hodson:

Sorry. It's, you know, it's annual. It's something that, you know, I'm sure everyone listening now will kind of agree. Companies have these milestone events before the audit where they're like, oh my god. We have ISO coming up.

Chris Hodson:

Let's update our policies. Let's change version 1 for version 2. Let's change the date on this. I mean, probably in terms of an ISMS and in terms of a set of things you should be doing, great. But that can't be your yardstick for how likely you are to be breached or the maturity of your security organization.

Chris Hodson:

Now you're probably gonna ask me what I think we should do instead. Like, I think that varies, like, company to company depending on, like you said earlier, their exposure to various different types of risks and their appetite for data loss and whatnot. But

Rayna Stamboliyska:

Yeah. The feeling I get is that we have misaligned incentives, you know, since we're talking about improvement. Like, the one thing that makes me scream, other than, you know, the 400 questions in an Excel sheet, is to go through the questions and see, like, sort of the mandatory: do you do fake phishing in your company?

Chris Hodson:

Yeah.

Rayna Stamboliyska:

Like, this is kind of one of the things that makes me really get unwell and very, you know, start raising my voice in, like, unpleasant ways because we have that sort of incantations about how things should be without the actual question about what are we searching to, like, what are we solving for?

Chris Hodson:

Yeah.

Rayna Stamboliyska:

And, basically, so if we push this forward, you know, like, what could we solve for? It's a different way of saying what could we improve, you know, across the industry. So if I ask you, what could we solve for? Like, give me one thing that we must, you know, above all else, because there is a ton. But, like, what the one thing is for you?

Chris Hodson:

Wow. That's a great question. I guess it's gotta be the right hand side of things. Right? And I've said this 2 or 3 times before, so apologies to anyone who's heard it.

Chris Hodson:

But, you know, you mentioned, like, from 25 years ago to now and what's changed. What hasn't changed? You have actors, like either people or, like, events that initiate things. You know? So it's an actor who might initiate an event that exploits a vulnerability that causes business impact.

Chris Hodson:

Now that's not Chris Hodson. I mean, it is Chris Hodson saying that, but, you know, that's NIST 800-30. That's ISF IRAM. That's various different kind of risk management frameworks. And what we do as an industry and certainly as vendors, sorry, all vendors, is we look at threats, and we look at vulnerabilities.

Chris Hodson:

Right? We do because threats are really sexy and vulnerabilities scare everybody. And it's happened for the last 20 years, and I don't really know how necessarily, but it sold lots of boxes in data centers and, you know, user based license subscriptions. Where, and I will get to answer your question now, like, where I think we need to change things is take a much more, like, data centric view of stuff.

Chris Hodson:

Right? One of the things that actually, like, attracted me to joining Cyberhaven was that it was like an opportunity to, you know, start to talk to CISOs and build solutions that are looking at where does your data exist, where is it moving to, who has access to it. And, you know, I think there are some, bragging or morbid... With the exception of data, there are things like, especially with, like, self driving cars and various different, like, technology enablement of physical things. There are some things that aren't data.

Chris Hodson:

People dying, for example, would be terrible with a technology system. But 95% of the time, it's about data. Right? It's about business impact. So I would just like to see more of that.

Chris Hodson:

I would like to see more grown up conversations around, if every organization went out there and said, you know, what are the top 5 systems and their associated data that we care about? Start from there. It doesn't have to be technology oriented. Just, these are the systems and processes. Give that to the security organization and say, above anything else, make sure these things are protected at all times.

Chris Hodson:

I think most CISOs, and I'd love to hear from the audience, I think most CISOs out there would feel that that is 10x better than what they get today, which is a new project gets initiated, and you establish that on the fly every time you recommend a set of controls. The business stakeholder says that sounds expensive. What's the next one down? It should never be that conversation. It should be, right.

Chris Hodson:

Okay. This is Article 9 GDPR data, a specific European example. But, you know, I have a zero tolerance to this either being altered or removed from our environment, right, build controls. So I think it's that. And I think it's a technology solution.

Chris Hodson:

I just think I'd like to see that happen. And by consequence of doing that, it's moving security to something that other business units truly are getting involved in rather than just having your monthly or quarterly audit committee update. You know, you're truly getting people involved. So I don't know if that answers your question. I feel that's a bit of a crap answer.

Chris Hodson:

But

Rayna Stamboliyska:

No. I mean, I do not pretend to be, you know, the truth teller or something. And I mean, yeah. No. No.

Rayna Stamboliyska:

And there are no right or wrong answers to that question. Right? But it gets me into, because I think it's good that we are starting to talk about the future. You know, we've explored the past, we've explored the present, and I think it's hugely, immensely important for us to build tomorrow. Right?

Rayna Stamboliyska:

Because that's what we are doing when we do risk management or whatever, you name it, resilience or whatever. So I have, like, a ton of questions here, but let me start with this one. What is the CISO role going to look like in, say, 10 years? Right? What I mean there is, my perception is that we have a lot of administrators, a lot of managers, but not so many leaders that are result oriented as well.

Rayna Stamboliyska:

And there are a lot of misconceptions on cybersecurity leaders and the challenges surrounding them. Where do you see us going in 10 years' time?

Chris Hodson:

It's a great question. The short answer is I don't know. I think, you know, it's interesting we were talking about metrics a moment ago. I think the security leader of the future will have that balance, will have that ability to take the very technical information that they're given within their security organization and find a way to appropriately, like, translate and kind of communicate that to business leaders. I think that is something that's still today.

Chris Hodson:

And we can talk another time around what is a CISO and what is the difference between a CISO and a head of infosec and a security manager. But I think really acting as that quarterback between what the security function is doing and how that is adding meaningful business value, I think that we'll see. For everything I'm saying today about, you know, hey, I believe that being technical is a massive advantage here, I want people to stop thinking that it's one or the other. You know, they're really not mutually exclusive.

Chris Hodson:

I know some amazing CISOs out there who... but they have that thirst for, you know, that constant curiosity for how technology is changing. You know, they're looking at the ways that, the explosion of nonhuman identities. They're looking at AI. They're looking at not only that side of it, but also the impact of, you know, regulatory and legislative changes and how that impacts cyber. I think the CISO is gonna become, and I have to be careful that I don't sound just like I'm regurgitating LinkedIn here.

Chris Hodson:

But I think they are gonna become more embedded within the leadership team of companies. I'm sick of hearing that security should be on the board. When people say that, I'm like, I don't know how much they know about how boards are constructed, but, you know, like, a CEO gets to represent the company on a board quite a lot of the time, and having a CISO waving their hands there talking about, you know, Log4j is probably not the right way of doing it. But, you know, they are gonna get closer. I think they're gonna get more face time with those individuals.

Chris Hodson:

I think we're gonna be much better at reporting metrics probably as well. I'm actually preparing a talk for something later this month on, like, how to apply consistency and commonality to the metrics that security teams present because, you know, leadership changes, the security team changes, boards change. But, you know, you wanna make sure that from company to company, the table stakes of what good security means. And it's obviously contextualized to a company on the levels that you go to, but there should be, in the same way that you have, like, I don't know, like, a Kitemark sometimes for, like, physical things that are produced and manufactured, some kind of consistent attestation and assurance. I think we will get down that line.

Chris Hodson:

I think security teams or CISOs will be more involved in that. So better metrics, staying on top of what we're doing. I think as well, you know, we have this post-COVID, this kind of hybrid or largely remote. Some people will say that, you know, we're now coming back to a return to office in some companies. But, you know, the CISO getting more involved in how they can effectively and efficiently manage their function in a hybrid fashion.

Chris Hodson:

I don't think too many CISOs got training on that during that time. I certainly didn't. Like, no offense to anyone. It's no one's fault. You know, I think that is quite important as well. So it's difficult. I think they've got the worst of both worlds, quite frankly, right now.

Chris Hodson:

They need to stay on top of technology, but also, given the increasing prevalence of, you know, security incidents, cyber attacks, get more involved in the business as well. So, yeah, it's very much a tough time. A very exciting time, but a tough time to be a CISO.

Rayna Stamboliyska:

Yeah. I mean, there is this allegedly Chinese curse, you know, may you live in interesting times, which I love really, because it's so polysemic. It says so many things in just a short sentence. So it's interesting because you and I, we're in sort of the same position of advising people with very different incentives and goals. Right?

Chris Hodson:

Yeah.

Rayna Stamboliyska:

And, like, how do you encourage your clients to think ahead around security? Because, again, you know, the bad oracle. Yeah. You know? It's always on us.

Rayna Stamboliyska:

Like, oh, don't be such a doom and gloom. You know? And you're like so how do you do that?

Chris Hodson:

I'd suggest, anyway, to the organizations. I think I wrote something on this, you know, buy a Starbucks loyalty card, or other coffee places are available. And what I meant by that was have regular conversations with, you know, not just the very vertical lines of management that you think are important, like your CTO, your CIO, but, like, understand and try and stay on top of where the organization is going, I think, is super important. Again, that may sound obvious, but if you can understand business strategy, the security function can start to get on top of, you know, potential issues and gotchas much earlier in the life cycle. So I think that's really important.

Chris Hodson:

Not all organizations, in fact, most don't have the luxury of, like, a dedicated innovation function. They just don't. I've been lucky enough to work in some of them, and they've been great. But really trying to champion the benefits of carving out a percentage, depends on the industry, but 5 to 15% of a function's role to be looking at technology, to be looking at future trends, to be looking at the art of the possible, because it's so much easier if you're proactive on that, and you've already performed some level of kind of due diligence on things that could happen. And, yeah, just involve security.

Chris Hodson:

The thing I found enormously detrimental to a lot of companies is people outside of security making the decision if security needs to be involved. I see that happen. It's like a perennial conversation. Right? It's like, oh, we didn't involve security because this doesn't touch what you do.

Chris Hodson:

Let security, let the CISO be there. You know what I mean? I don't know if you agree, but qualify.

Rayna Stamboliyska:

Oh, yeah.

Chris Hodson:

I think that will help. That will help companies enormously. And depending on size as well, I've seen this be hugely successful in financial services at the moment. Really look at the value of, like, business-oriented security lines.

Chris Hodson:

So, you know, the role of the BISO, you know, have somebody who just learns that business unit. So they've come from a security background. I've seen lots of people from, like, the TPM, technical project manager kind of role really thrive in those environments. So it's almost 50/50 between understanding security and understanding the business unit. But that just puts them on the front foot to be able to identify risks and issues pretty early on.

Rayna Stamboliyska:

Yeah. I mean, you need to understand the business. Yeah. You know, to understand the frictions and to understand whatever. And I have, like, sort of a final question towards the future again, always towards the future. So what for you would be the risk that needs more attention, or the most attention?

Rayna Stamboliyska:

Or, like, is there a black swan event that you could imagine would affect CISOs and that they should consider? So as a reminder, a black swan event is a metaphor to describe an event, you know, that nobody has anticipated, that has major, generally negative, impact.

Chris Hodson:

Yeah.

Rayna Stamboliyska:

And we badly rationalize it afterwards because we have the benefit of hindsight. Right?

Chris Hodson:

Of course. Yeah. I completely agree. Philosophically, I could say if I knew it wouldn't be a black swan. But no.

Chris Hodson:

I don't know. But no. No. I don't I don't know. I mean, I've been asked this question a few times.

Chris Hodson:

Like, you just look at some of these things, which are the, you know, the 0.01%, and no one has them in their threat model. Right? Like, just no one does. And I think that's where, honestly, as you asked me that question, I thought you were going down that path and you mentioned the word risk. I really think the biggest risk is that we don't consider risk truly.

Chris Hodson:

I mean, if you take, you know, some some very specific industries who I don't know, do quantitative analysis and understand it very well. But, you know, we do the individual components. We have teams looking at threat hunting. We have teams looking at vulnerability. We have teams looking at GRC.

Chris Hodson:

But, like, really institutionalizing the importance of risk management as a discipline, because then you can include those events. You can include, like, us-east-1 in AWS going offline, and consequently you don't have access to any of your S3 buckets. Now most organizations, in my experience, are gonna consider things like that. They're not quite black swans, but they are highly unlikely events to happen. And candidly, companies don't build controls

Chris Hodson:

accordingly. You may have some multi-region resiliency, and now I'm getting really deep on one specific. But, like, I think risk acceptance is fine. This is the thing that I think people outside of cyber don't realize about CISOs: we're not telling you you have to do all of these things. We're not telling you to spend $6,000,000 a year on our security budget.

Chris Hodson:

We're just trying to, the best ones I know anyway, are trying to proactively say that we believe that, you know, these are risks to your organization. We believe you have vulnerabilities that could be exploited. We recommend that these are controls you can apply to mitigate or remove these risks. Like, if companies say, acknowledged, gonna accept it, that's fine. I think the problem is that those conversations aren't going on right now in organizations.

Chris Hodson:

Like, the business doesn't always wanna acknowledge that and doesn't wanna be on the hook for that decision. So what I've probably done here, quite accidentally, is answer the previous question with this answer, but that's where I think the best CISOs moving forward can kind of help: to act as, I don't know, again, the quarterback in that conversation and just try and give business stakeholders, like, the psychological security to say, we aren't gonna do that. And I think in the event of a breach, so long as you have the checks and balances on that, the black swan events very specifically. So I think the reliance on public cloud just, like, broadly, and, again, I don't wanna get all, you know, CISO on you. But I think, you know, there are so many, like, profound benefits of, you know, being data-center-less and direct to Internet and whatever.

Chris Hodson:

But depending on where you are in the world, there are only so many points of presence from, like, a network and an infrastructure perspective that I think, state level with enough, you know, time and money you put behind things, or even accidental events, they are the ones that take companies offline. And I don't wanna call out particular vendors and stuff. We've had incidents recently of, you know, IT and integrity-based downtime that, you know, became a board-level conversation in every company, didn't they? And I think we need to get away from them being a discussion after the fact and being a more grown-up conversation before things happen. And, you know, maybe you discount them and say, hey.

Chris Hodson:

We'll accept that, but go through that process. You know?

Rayna Stamboliyska:

Yeah. Yeah. And it's even worse. We are so, you know, we have such a short memory, because this has happened before.

Chris Hodson:

Yeah.

Rayna Stamboliyska:

And yet again, you know, we come back to it and, oh, how come, you know, how could that happen? Well

Chris Hodson:

I know.

Rayna Stamboliyska:

You know?

Chris Hodson:

I said this a couple of weeks ago. It wasn't raining when Noah built the ark. And I think that has a lot of standing in what we do. But that's not true, is it? It does happen when it's raining.

Chris Hodson:

This analogy is gonna fall flat now. But, you know, I think that is something a CISO needs to do a lot there with, is speaking to their business stakeholders and giving exact... but it is a fine line. It's a fine line between scaremongering and providing practical insight. And I think that's something that we as a domain need to work on.

Rayna Stamboliyska:

Yeah. As collectively. Collectively.

Chris Hodson:

Absolutely.

Rayna Stamboliyska:

As an ecosystem. Yes. As an ecosystem of actors. Yeah. Very true.

Rayna Stamboliyska:

What is the one thing you wish you'd have known when you started your career in cybersecurity?

Chris Hodson:

When I started my career, I wish I'd known that not everyone was an expert and everybody is learning on the job.

Rayna Stamboliyska:

Very true and very humble. I mean

Chris Hodson:

It's true. Totally totally true. Yes. I wish I'd know that. Yeah.

Rayna Stamboliyska:

Name the easiest thing about being a cybersecurity leader in a large for profit organization.

Chris Hodson:

I think the easiest thing is for profit organizations generally have cyber budget and an appreciation of why cybersecurity is important to their business.

Rayna Stamboliyska:

Thank you. So you have, like, a magic wand, a cybersecurity wish that can come true, but it's only one. What would that be?

Chris Hodson:

If I had a magic wand, I would wave it over MFA being enabled everywhere.

Rayna Stamboliyska:

YubiKey or

Chris Hodson:

I'd take anything. Like, I'm not one of those people that says SMS is, you know, we shouldn't. Yes. Definitely.

Rayna Stamboliyska:

Okay. Works for me.

Chris Hodson:

MFA everywhere. I think it'd be, would it not be great? Like, that would be a wonderful place to start, I think, and I'd love to see how the number of incidents dropped if we did that.

Rayna Stamboliyska:

Well, thank you. This has been wonderful, and thank you for reminding me and us that, you know, in cybersecurity as elsewhere, what counts is what gets counted. You know? Yes.

Chris Hodson:

Brilliant. Well, thank you for having me.

Rayna Stamboliyska:

Well, thank you for your time and for the great conversation on what it means to be a CISO today, but also tomorrow. And that's all for this episode of What the Hack is a CISO, supported by Sysdig. I'm Rayna Stamboliyska, and I'll see you next time.

Creators and Guests

Rayna Stamboliyska
Host
Strategy & Foresight. Award-winning writer. Former 🧬 scientist.

Chris Hodson
Guest
Cyber Security Expert and Investor

Supported by Sysdig with 💚