Wednesday Sep 14, 2022
What Is (And Isn’t) a CISO with Matthew Lang
Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.
Timecoded Guide:
[00:00] Defining what a CISO isn’t in order to discover what a CISO is
[06:45] Finding the bridges between CISO & other company roles
[12:12] Getting things clear between CISO, COO, CIO, and CEO
[16:20] Understanding a CISO’s peers & meeting with security points of contact
[24:49] What the CISO role should be & solidifying the CISO definition
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
What is the CISO not?
The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.
“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”
Who should the CISO be interfacing with as we bridge in and out of that defined role?
To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles have essential communication between one another.
“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”
How does the Board of Directors shape and influence what the CISO is and isn't?
The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations with transparency about topics that members may not know helps to bridge the gap and develop a stronger and more positive relationship between the CISO and Board.
“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”
What should be the role of the CISO?
While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company through establishing security and governance practices. Overall, CISOs help a business to meet goals and go where it wants to go safely and effectively, like a good brake system on a high-end car.
“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.”