Jim Doggett, CISO at Semperis, shares his insights on the evolving role of the CISO. The daily onslaught of cyberattacks not only raises enterprise risk but also jeopardizes a company's most important data: data about the company itself, its employees, its customers, and its partners. Today more than ever, the CISO is asked to understand the business of cyber without having much time to implement plans to protect the organization's infrastructure. A balance between being a technical leader and a business leader is required, and Jim can share stories from his successful career to enlighten listeners.
Welcome to RSA Conference 2024. We're here recording live from Broadcast Alley in Moscone West. This interview is sponsored by Semperis. I'm your host, Adrian Sanabria, and joining me today for this interview is Jim Doggett, the CISO at Semperis.

Thank you so much, Adrian.

Thanks for joining me.

Oh, it's a pleasure.

So we're talking about CISOs today. The evolving role of the CISO in the business of cyber is the headline we have here. It's been a really interesting role over the years, and it still continues to be. I think it's probably one of the most versatile, or widest, roles depending on the company. A CISO at a vendor can be very different from a CISO at, say, a retail company, or a CISO at a small company versus a big company. Where do you see this role going? Maybe a little insight on the trajectory in your experience.

Absolutely. I probably need to go back to a little bit of history. I've been doing this a long time, and I completely agree with you: the evolution of the role has been not even small, it's dramatic. When I first started, the CISO role was largely a purely technical role. You worked under a CIO typically, and your job was to just do security, not report on it, not try to understand how it affects the business. You were just purely there: you found something was wrong, you wanted to fix it. And then as we started to evolve, all of a sudden we didn't have enough budget to do it all, so risk got added into that equation a bit. All of a sudden you have to balance. We can't do everything. So now we put together plans.
And we'd risk-base them and then try to sell them to the board and senior management, and we sort of made it to that next level. That brings us up to where we almost are today, but I think now it's taken the next step, where the CISO role is almost becoming a business role. The last role I held at a large corporation as a CISO, I did no technical work at all. It was a political role. It was a selling role. I spent all my time trying to understand what the business was trying to do, and then where, from a security perspective, we could support that business, as opposed to putting guardrails around it and not letting them do that. So to me it's very different, and it does require a different skill set. What you have to learn at the CISO level now is how to explain things purely in English, or in business terms. That's not easy to do, and it's a very different role. And politically, you're playing, I hate to call it games, but it sort of is. You're spending all your time saying, well, I need you to do this, and I'll do this for you, and it becomes almost a game at that point. And at the same time, you still have that team below that's gotta get all the technical work done. So the evolution has been really fascinating to me, and it's actually more fun now.

And it hasn't evolved in a vacuum either. The importance of cybersecurity to the business has increased quite a bit as this role has evolved, right?

No, it is. And not only has it evolved, but I think the recognition by the boards and the companies that it is that important has finally grown. And again, you can hate it or not hate it, but all these major cyber incidents are what's causing this.

There's a good one: you take advantage of every... people say thanks to ransomware, you know?

No.
In our company especially. If it wasn't for ransomware, I probably would not have joined Semperis.

Really?

I grew up in a world where, and again, Semperis is into Active Directory, I didn't worry about Active Directory. It was just a piece of infrastructure that worked, and I never thought about it. That evolved over time to now, where if that infrastructure goes down, the whole company goes down.

Yep. And another thing that we used to see in the CISO role is that somebody maybe down at a director level would get the CISO role. Again, that's another thing that's evolved, where we do actually see CISO roles at the executive level now more often. And, like you said, more of that business enablement role. So let's talk about that a little bit. You mentioned political, but how can the CISO role help the business? How can it be less of a loss prevention or fraud group, and more assisting sales, assisting the company to grow and sell more?

Yeah. To me, I would characterize it almost as enablement. In other words, if you can take away the risk that something bad will happen, then hopefully the business has the confidence to take risks and head in new directions to grow the business. If you're worried about security the whole time, and that something may go wrong, then all of a sudden you're not doing that. Probably the best example I can give of that would be resiliency today. Historically, CISOs didn't worry about keeping the business going. They worried about theft of data. Now you've got ransomware, where resiliency, keeping the business operating, is big. That is a huge issue. I don't care which business you go to within a company.
They all care about that. Especially when you think about, let's take a hospital or a healthcare chain. If their resiliency doesn't work and you get an outage, how do doctors actually prescribe? How do they treat patients? How do they do surgeries without all that data? In my time in healthcare, the doctors I've talked to said the only surgery they would do if their systems were down would be emergency surgery. Nothing else. The liability is too high.

And that's interesting, because we've seen that sometimes business continuity is part of the security team, and sometimes it's under operations; it's separate. So do you feel like today it's important that business continuity, disaster recovery, all of that, should be under the CISO?

I don't think it necessarily needs to be under it, but the CISO has to include resiliency from a cyber attack as one of their key functions. And I'll even make a case today that it is the most important function they have. If someone breaks in and steals data, that hurts. Someone breaks in and shuts the business down, it's a lot worse. That's when you get fired and sued. There are plenty of great examples out there right now; you can see that's happening between SolarWinds and, yeah, you can go on and on there. So I think it's absolutely an area that, again, most CISOs were not trained in. They were preventing, detecting, and fixing, but not recovery. And recovery is what it's all about right now.

So I've got a good friend who's actually at a point in his career where he's looking at his first CISO role. He's basically done the job of a CISO before. And I know you've mentored CISOs before. So in 2024, what advice would you give him going after, tackling the CISO role today?

First of all, think in terms of what helps the business first.
You start with that as the problem: what am I trying to accomplish? So you need to understand the business, really. If you don't understand the business, I don't know how you can do the job today.

I completely agree.

The second aspect, though, from a business perspective, is you've got to learn to compromise. Historically, for CISOs and people that came from a technical world, there's a right, a wrong, and no gray in the middle. And you've got to learn a whole lot of gray.

Known some.

Yeah. And I've replaced several; that's how I got hired as a CISO, because they could not.

They're flexible.

Yeah. And you can't be that. And, ultimately, you've got to remember that ninety percent of security is not done by the security team. It's done by the business. All you do is...

Advise.

Advise, do policy, and monitor. You don't actually do the security in general.

So, just looking ahead, what kind of emerging trends or challenges do you see in integrating cybersecurity with business strategy, and how should CISOs prepare for some of these challenges?

Yeah. To me, it's a pace acceleration. And again, everyone wants to talk about AI today. To me, it's just another tool. But it's a tool that accelerates good and bad. So it's not something we can ignore, but I advise so many... again, a good example is that AI today is like a shiny ball. Everyone's sort of driven to it, but don't forget the basics still. And that's the problem I think too many companies are having now: they're chasing the shiny ball, and yet they're still not patching their systems and doing the basics, which you still have to do. So that balance is what I would recommend for CISOs coming up now. You have to reach a balance. Yes, you can't ignore AI. To me, that will certainly be a trend, machine learning, you can go through all of these things.
The other aspect that I think all CISOs have to focus on is identity. You just don't have a choice today, because our perimeter is almost gone; there is no network perimeter anymore. With cloud, with vendors coming in and customers coming in, you have no perimeter anymore. So the only way is to make sure that whoever is logging in as Jon Jones is Jon Jones, and that they have the right privileges. And to me, that is the next wave of all the software that's gotta come out and all the tools that have to be out there: how do we make sure whoever's doing work on our behalf is the person they're supposed to be, and that they're doing the right things?

Yeah. I just talked to a CISO a couple of minutes ago, before we started this interview. He works for a large investment bank, and they're already using generative AI, and he's here looking for solutions to help secure their use of it. So it seems like some of the compromise you're talking about, where you're not going to be able to get ahead of it necessarily. You do what you can, but you can't stand in the way of what the business needs to do or wants to do, a lot of the time.

We learned so much from cloud. To me, this and cloud are the same kind of end rate we went through. Cloud, we fought it forever. You could say what you want, but almost every large company out there, and even a lot of small ones, said we're not ever going to go there. It was inevitable, and there's no doubt to me. There's going to be no difference here. The only thing is, cloud was like a ten-year runway before it became acceptable. I think AI is going to be two. Two, three. It's going to be something a little different, but nevertheless, you can't fight it. As a CISO, you've gotta learn how to help the company use it to its best ability. And here at Semperis, what we've just done is put guardrails in for the time being.
Here's what you can put in, you can use it, but you need to talk about it before you start using it. What data are you going to put in there? Are you putting confidential data in there that we don't want in there, or not? There are things like that, so we're just taking a practical approach right now. But over time, it will have to accelerate.

Alright. Well, thank you so much for joining us on Enterprise Security, or sorry, Security Weekly. My podcast is Enterprise Security Weekly.

Good one as well. So, yeah, pleasure, Adrian.

Thank you. Very nice to meet you. And if you want to learn more about Semperis, you can go to securityweekly.com/semperisrsac, and that's spelled s e m p e r i s r s a c. So Semperis RSAC. Perfect. And stick around. We'll be back at you with another interview in just a few minutes.
