
January 22, 2025 39 mins

Greg and Josh pull back the curtain on the pitfalls and strategic voids left by frequent CISO transitions, which can leave companies vulnerable and scrambling for continuity. We shed light on the arduous onboarding process new CISOs face, taking months to assess existing security frameworks and the ripple effects this delay has on strategic initiatives. Our conversation also addresses the growing legal responsibilities that lie with corporate leaders and the potential fallout from negligence in cybersecurity leadership roles.

Beyond the boardroom, Greg invites us into a world where creativity meets cybersecurity, sharing his journey from novelist to CISO and the lessons learned along the way. We emphasize the importance of cultural fit and ethical leadership in fostering an environment where CISOs can thrive rather than being treated as expendable. This episode is not just about understanding cybersecurity; it's about recognizing the human element in protecting and nurturing those who hold these critical roles.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to this episode of Cybernomics, where we talk about the intersection of cybersecurity and the economy, finding the hidden costs of cybersecurity. I am your host, Josh Bruning, and today I'm here with Greg Schaefer, who is the principal at vCISO Services, owner at Second Chance Publishing and host of the Virtual CISO Moment.

(00:23):
Greg, welcome to Cybernomics and congratulations on being the number one podcast in cybersecurity.

Speaker 2 (00:32):
Well, thank you for having me, Josh, and yeah, I was pleased to hear that. It's from a million podcasts, I think, and quite honestly I'd not heard of them before. But anytime somebody has you at number one, I'm fine. I'm ahead of Steve Gibson's Security Now, which made me feel good.

Speaker 1 (00:51):
Yeah, yeah, and I've been following Steve for a long, long time. When I just got into cybersecurity he was like my go-to podcast. But you know what? Oh gosh, yeah, me too. I mean, he, him and Leo were just wonderful and I can't believe they're still doing it all these years later. Yeah, but I think that they're really, really, really technical.

(01:12):
They go so deep into stuff that I wonder if they didn't hit number one for that one reason. It's mass appeal versus being very technical and very niche.

Speaker 2 (01:22):
Well, and that's what I try to do is the Virtual CISO Moment podcast. It's just about telling people's stories and giving advice to small and mid-sized businesses, and I found that, as I'm sure you have too, it's like people like to tell their story, so I always have the great job of just sitting back and asking questions and then listening, and I get to learn so

(01:43):
much from people, and I think it's a human element that really helps with the podcast popularity.

Speaker 1 (01:51):
Yeah, yeah, which... I think you've put your finger on that pulse. And I'm not a technical security guy, right, I come from the sales world, I come from marketing, I come from people, the people side of cybersecurity, and that's something that's ticking up and it's something that we, those who are really

(02:11):
good at communication or some of the soft skills, don't get as

(02:31):
much recognition. But I think that you're one of those people in cybersecurity that has put your finger on that pulse. You're super easy to talk to and I love having a podcaster on the show, because when two podcasters get to talking, we never run out of anything to talk about, for better or worse.

Speaker 2 (02:48):
So thanks again. No, you won't have any dead air. It's like that's for sure, and I mean information security and cybersecurity. It is such a people-driven business. It's all relationship-driven. Those who are in sales in cybersecurity are the most successful because they understand that the sales come

(03:08):
from relationships, not the other way around.

Speaker 1 (03:10):
Yeah, and you're always selling cyber.

Speaker 2 (03:12):
Always selling cyber.

Speaker 1 (03:13):
Internally, externally, everything. But today what I'd like to talk to you about is, just for fair, being transparent and fair warning for everybody who's listening to this. It's not a new topic. We're not going to be talking about something groundbreaking or groundshaking here. It's something that's been revised over and over again and

(03:33):
kind of rehashed, but I like to take the temperature of this particular topic every year or so, which is the downside of firing the CISO. Or, in other words, what are the hidden costs of terminating the CISO, and is that even a problem going into 2025?

(03:55):
One of the main problems of cybersecurity and of businesses is the tenure of the CISO is typically around 18 months. That doesn't give the CISO a lot of time to do a lot of things, and it seems a bit unfair, and I think that has changed over time. So I'd love to get your take on where are we today with

(04:15):
companies retaining CISOs, and is this as big of a problem as it always has been? What do you think?

Speaker 2 (04:22):
Well, I think that, historically, one of the reasons why you have that sort of churn rate, and there are various numbers, but we'll land on 18 months for now, is not necessarily so much the company side as much as it is the CISO side sometimes. And what I mean by that is that sometimes, well, let me

(04:42):
predicate that by saying that there are some folks out there, and I'm probably going to make a few people upset, but there are some folks out there who are in the CISO role who don't need to be in, and their motif is they go into an organization, they find a problem and they find a solution, a technical solution.

(05:06):
They implement that technical solution. They sell the board of directors on the technical solution. They implement the technical solution. The technical solution doesn't have quite the ROI that was expected, but by that point in time, where are we at? We're at 18 months. They've now gotten their experience and they go and move

(05:26):
on to the next organization. I'm not saying that that's all CISOs, but that is part of the issue out there. It's not necessarily, you don't? It's, I think, without having actual stats in front of me, I don't think that there is like a big issue of CISOs getting terminated in 18 months, with the exception of if they

(05:49):
obviously were in charge of a program that had a breach, that had something to do with their lack of skill or lack of duty paying attention to it. But regardless, we do have this churn still and it is still there, and it has some serious ramifications upon the business, not only in the recruiting area but also in the security area

(06:11):
as well. Because if you don't have that continuity, we'll probably talk about this more in depth, but if you don't have that continuity of leadership, sometimes you just have all these different priorities that every 18 months you focus on.

Speaker 1 (06:28):
Do you think that businesses have a false expectation when they hire CISOs, in thinking that maybe the CISO will help to drive revenue? Is this something that could explain the reason for the churn?

Speaker 2 (06:41):
I don't think that a lot of businesses think necessarily that the CISO will help drive revenue as much as that. They expect the CISO to understand revenue and also understand costs, and they want the CISO to be able to explain risks, not in pretty colored charts like we do with heat maps

(07:01):
and all that red, yellow, green. They want quantifiable numbers and it's very difficult for some CISOs to be actually able to do that. They'll just say that, hey, you know this company over here, a large company, had a breach and it cost them X millions of dollars or whatever, and we need to avoid that. Well, they don't equate together.

(07:23):
What that company lost isn't necessarily what we would call cost exposure is. So the more successful CISO understands the business aspect of the costs involved, won't just propose a tool to fix something just because that's the latest and greatest tool

(07:46):
that's out there. They also know how to speak business language. They also know how to understand risk in terms of the overall organization. So you have to remember the board of directors. They're not just dealing with cybersecurity or information

(08:07):
security risk and, as a side note, I tend to have to say this all the time, I'm one of those who believes that the correct term for the field is information security and that cybersecurity is the technical subset. So that's why I say both.

(08:45):
But there's a lot of other risks that the board of directors have to deal with and make informed decisions. So how can they do that? They have to understand the risk environment, not only from the info and cyber side, but from the business in general, and that's kind of a rarity out there as far as your typical chief information security officer.

Speaker 1 (09:00):
Yeah, one of the things that business leaders may often overlook is the information gap going from one CISO to another. Let's say there's a CISO that's been let go. There's like, let's say, a number of weeks to a number of months between finding a new CISO.

(09:21):
Let's say you're going in as a vCISO, and you've got to pick up the pieces left behind by the last CISO. What are some of those pieces that you have to pick up, where you're talking to the business leader and saying, look, these are some things that were left undone. They incur further costs.

(09:42):
There's more cleanup than we thought, so can you give us a little bit of a rundown on what are some of those hidden costs left in the gap between CISOs?

Speaker 2 (09:55):
Well, when a new CISO comes on board, they don't want to immediately pick up whatever the previous CISO was doing, unless it's a project that is considerably long and has a defined end. That's one thing. That's more tactical at that point in time. But strategically, the incoming CISO needs to work more on

(10:19):
understanding the environment first in order to determine the correct strategic directions going forward. So you have a new CISO coming in, and it's the same thing in the virtual CISO world. It's just that it's on a smaller scale, smaller businesses, and we work with more folks. But the general approach is, well, first let's figure out the

(10:40):
as-is of the organization. So the CISO comes in. There's going to be some time to figure out, where are we at? They're going to look through documentation. They're going to look through audits. They're going to talk to all the business leaders. They're going to look at any events and breaches, hopefully there weren't any, but obviously that happens, or near breaches or incidents. They're going to get a feel of that.

(11:01):
Now, that's all going to take time. So let's just say, okay, you have a CISO that leaves in the beginning of the year. Well, the recruiting process in and of itself is going to take quite some time. So let's just say you're lucky and you get in a new CISO six months later. Now that new CISO is going to spend the first 90 to 120 days,

(11:22):
let's just say as a round figure, so at least like three, four months, getting to know the landscape. So you talk about the cost of losing a CISO. You basically have lost almost a year of strategic work. So then the CISO comes in and finally figures out everything that's going on, and then that person can then start to

(11:44):
determine their direction and their methodology, their strategy. They have to try to start selling their strategy in order to solve the issues out there. Now that might mean abandoning some of the strategic initiatives that the previous CISO had done before. But the new CISO coming in should never take at face value that we're going to.

(12:04):
We're going to, if there was a strategic plan and it was already planned out that later in this year we were going to do X, now you need to put a hold on that and just say, well, at the very least the CISO needs to understand the why behind it, and chances are the CISO might agree, okay, we want to do that. And you talk about cost to the business.

(12:27):
So you've lost 10 months now, let's say, of significant information security strategic planning. You've lost the recruiting dollars that go in. You've lost the... I mean, how much does it cost to recruit a CISO? I don't really know what the numbers are, but it's a percentage of salary, and CISOs are kind of expensive nowadays,

(12:48):
you know. I mean, you know, 300,000 plus per year. That's not cheap. So lots of expenses involved, without a doubt.

Speaker 1 (12:59):
Yeah, yeah. Not to mention, you know, in that time you might get breached, and you know you may be held liable in a court of law for whatever happens after that breach or what happened before that breach. Because I don't know if the law stipulates an amount of time that a company may have to find a new CISO. Maybe there's a grace period where they give you like six

(13:21):
months. If you didn't have one, at least you've been looking for one. Maybe they give you a pass. But do you know anything about that? Uh, I don't. Do they give you any kind of legal leeway while you're looking for a CISO? If you were to get breached.

Speaker 2 (13:33):
I've never heard of something like that. I'd be surprised if there is that, because it's like you're responsible for the security of your company's and your customers' information, regardless of whether or not you have a CISO in there. I mean, the company is responsible, and how you determine that, how you make that happen, that's really on the C-suite and the board of directors.

(13:53):
Now, talking about CISO professional liability, that's an interesting area right now, because there have been, last year and the year before, a couple of CISOs that have faced legal action and repercussions because a trial found that they were negligent in their duties, which now has gone to the point of,

(14:17):
like, well, what kind of insurance should they be carrying? Whether it be like professional insurance personally, or if they're part of the company's professional insurances that they have for directors and officers and such, and that would be part of the compensation package. It's a... It's an interesting situation, because I've seen and heard that

(14:38):
there's some, the idea that some CISOs are perhaps not wanting to stay in the field because they feel now that, oh, this is becoming where we're becoming now the scapegoats, and then that becomes a nobody wants to work underneath that. I mean, you want to work in a team environment. You don't want to work thinking that you're going to be blamed for something. That was one of the first questions I asked in one of my

(15:01):
CISO interviews back when I was doing that full time, before I started the virtual stuff, and I really wanted to get a feel. It's like, it was for a government agency and I'm like, well, if there's another breach, because they had one before, they didn't have a CISO, that's where they were hiring me. If you have another breach, it's like, are you just trying to hire someone so that you can fire someone if something

(15:23):
happens?

Speaker 1 (15:23):
And.

Speaker 2 (15:24):
I was convinced that that was not the case.

Speaker 1 (15:27):
That is the case in so many companies, and this is something that I talk, that Charles Payne and I talk about a lot. Charles Payne is the... I don't think he's a CISO anymore. I think he's a retired CISO. But he's pretty young to be a retired CISO. Do you ever retire? But we talk a lot about the CISO being a scapegoat, and the first

(15:50):
time he and I had talked about this we were in New York City. We were driving in an SUV. We were back at the back of an Uber XL with a bunch of cybersecurity folks leaving a CISO event, going to another event, and this topic came up and said the CISO is a scapegoat. And there was another CISO in the car who just disagreed

(16:12):
vehemently and was like, couldn't accept, in my opinion, couldn't accept that the CISO is a scapegoat and can be reduced to such. That is a very degrading term, and when you've dedicated your life to this thing and you've wanted to be a CISO for your entire life, you've worked 10, 20 plus years to get there.

(16:34):
To be reduced to a scapegoat, I know, is painful, but in a lot of cases it's true, and I think that, you know, asking that question before you're hired. I mean, how do you even bring that up? How did you ask that question? You don't just go, hey, are you hiring me to fire me? Actually, that's exactly what I did. Oh, great.

(16:57):
Okay, I ask that.

Speaker 2 (17:09):
But really, one of the ways that you can figure that out is you look at the company culture. No matter what job that you're interviewing for, and particularly as you move up the chain of command, so to speak, and it doesn't have to be just InfoSec, you really need to understand the culture, and there's a difference between

(17:32):
being a scapegoat and being responsible for your actions. Being a scapegoat is you're the one who is blamed, no matter what happens. Being responsible for your actions is okay. I made a mistake that caused a breach. I therefore then deserve to be fired. I'm not fired because I'm a scapegoat. I'm fired because, somewhere along the line, I messed up in

(17:56):
my responsibility. I mean, there's a reason why CISOs are paid a lot of money. They have a lot of responsibility. And again, I go back to what I said in the beginning of the podcast. I think that there are some out there that don't really understand that aspect of it. It's not to say that you're never going to get breached and that you have to get to that point. That's impossible. I mean, anybody who says, well, you have to get to a point of

(18:19):
never being breached, that's not going to happen. But what you have to be able to do is understand that you have enough compensating controls in place, enough processes in place, and you can demonstrate. It's like, well, we have tried to reduce the risk by X, Y and Z and yet we were still breached.

(18:40):
The CISO that can demonstrate that, they should be fine, unless the culture is one that is looking to find folks to punish or even fire if anything goes wrong. If financials are off and they don't meet their profits for the quarter, does that mean that the CFO gets fired automatically? Well, maybe it does, if the CFO mismanaged some funds or investments or, I don't know, mismanaged the budget, but it doesn't.

(19:00):
If sales were down, well then, does the director of marketing, do they get fired? Or chief marketing officer, do they get fired? You see what I'm saying? It's like the culture has to be in place that assigns responsibility based on accountability. They have to match. You can't have accountability without responsibility, and a

(19:20):
lot of times that's what scapegoat is. You're assigning accountability without giving responsibility and, in some cases, authority where needed. That never works.

Speaker 1 (19:32):
Yeah, I've got the sense that there aren't a ton of companies that are out here that are just terminating CISOs or using them as scapegoats. I know that it exists. I can't put a number on it, but I have a sense that it's a minority of companies that we can collectively call Evil Corps. You know, that's doing all kinds of shenanigans, and maybe they need scapegoats and fall guys and people who are

(19:53):
expendable. But let's say you're working for one of those evil companies, evil corporations that are in the minority, and that's a... I'm being hyperbolic there. They may have good reasons why they're evil, giving them the benefit of the doubt. But let's say you're a CISO, you're going into this situation and maybe they're not up front, that you can ask them point

(20:16):
blank, am I here to be terminated or am I here as a scapegoat? They may say no, but they've got their fingers, you know, crossed behind their back. What are some of the markers that you would look for to tell you that this company doesn't really take the CISO seriously and doesn't really want to give much power to the CISO?

Speaker 2 (20:35):
Well, I think it's all about how the CISO interacts with the other levels of executive management and vice versa. And we'll start there with executive management, because it's very rare that a CISO is a true chief. I once heard, I wish I could remember who to attribute this to, but he probably stole

(20:56):
this quote from somebody else anyway. But the quote is essentially, if you don't report, if you're a CISO and you don't report to the C-suite or the board of directors, or to the CEO or the board of directors, then you're a chief of nothing. And most CISOs, they report in up to some level. Some will report to the CFO, some will report to the chief

(21:18):
risk officer, which I think is the proper place for it, if not to the CEO. Some report to the CIO or the CTO, which I think has their own set of problems as far as a conflict of interest. So definitely reporting structure, just looking at that and understanding that beforehand, could be a red flag. But just because a CISO reports to a CIO does not necessarily

(21:41):
knock that job out of contention, I don't think. But then, and I did this and I failed, actually, just to be completely transparent, in the job that I was thinking about, I failed in analyzing the culture. I didn't want to see things that were right in front of me,

(22:02):
and that was the lesson I took away. So when I'm interviewing, I'm seeing interactions between folks that would be part of my peers or part of all that I was reporting to, the CIO. That position was, and I didn't like what I saw, but I wanted that position so bad, I wanted that CISO title with this government organization so bad that it kind of blinded, of

(22:33):
blinded, and so I think that the risk there is for the applicant is you have to make sure that you're able to keep your eyes wide open and be objective about. Remember, when you're interviewing, you're interviewing them as well too. You have an opportunity to see their culture, and then, you know, you can get into some other red flags. Look at budget numbers, ask for budget numbers, and how much is

(22:53):
actually? What kind of funding will you have? What kind of staff will you have? What kind of expectations? Why did the last CISO leave? That's always a great question for any position. Why did my predecessor leave? I couldn't ask this in this one because there was no predecessor. I was the first, but I think those would be some of the questions to ask.

Speaker 1 (23:14):
Do you think it's more cost effective for companies to, how do I say this delicately? Do you think it's more cost effective for a company to have a CISO that's expendable, that when something happens they can let them go and they can sort of refresh and wash their hands clean of any liability, or to have a CISO who's on board, who

(23:39):
will be there long term, but they have to purchase a buttload of cybersecurity insurance. Maybe the premiums are higher? Because let me just give you some context. The premise is, some may feel, and some may disagree with this, that the reason that CISOs may be expendable is because of the

(24:01):
rising costs of cybersecurity insurance, where, if the CISO recommends you buy cybersecurity insurance, not only are you paying for the CISO, but you're also paying for the insurance policy. The premiums are ridiculous. So if something goes wrong, instead of relying on the cybersecurity insurance company, you can fire the CISO and then

(24:26):
you're without security for another six months to a year, but you're kind of outpacing the cost of what it would be to actually just implement some cybersecurity insurance. Does that question make sense, or is the premise not right there?

Speaker 2 (24:43):
No, I understand what you're saying, but I don't think that that's really much of an issue. First of all, if you fire a CISO, the next one you bring on board, you're probably going to have to offer more money to, and so that's going to offset whatever other increases you might have in cyber insurance or other insurance. Two things, first of all, the CISO community is rather

(25:09):
close-knit. I mean, I know a lot of people who know a lot of people, who know a lot of people, and if a company starts to have a reputation of firing folks because of being expendable, so to speak, you're not going to have a quality CISO that wants to work for that organization. So they're going to get in like green CISOs or CISOs in name

(25:33):
only that really don't have the risk management chops to be able to work it, which ultimately is going to put the company more at risk. So I guess the way I would answer your question is, what does the company value more, putting aside the fact that, yes, of course, the goal of all companies is to make money and not lose money, but what does the company really value more?

(25:55):
Do they value short-term gains or losses, or do they value actually managing risk? And those that manage risk are the ones it's going to be more cost effective to keep the CISO on for an extended period of time. I think, you know, I'm also one of those too.

(26:16):
I'm old school. I think that somebody leaves a job after 18 months, that's too quick. Anyway, you'll have some folks that say no, it's okay to jump jobs and all of that. I come from a time where, um, just for context, that you were pretty much expected, if you took a job, you, unless something really bad happened, you're going to give at least three

(26:37):
years there. That there was just the culture back then. So that kind of taints my, uh, uh, answer probably. Again, I'm a dinosaur, I get it, I understand. But if you're a real, true business leader, you're going to think about your people first, so this won't be an issue. You don't want to be someone who is looking for scapegoats.

(27:01):
Those aren't, in the long run, those aren't effective business leaders, in my opinion. They're insecure. They don't know how to manage a business. I think that's my answer. I don't think I have anything else to add.

Speaker 1 (27:18):
All right, so there are two ways to look at this. Then there's one legitimate route where a CISO can be terminated legitimately. They were incompetent, they messed up, they screwed up, they did something, and that incurs the same costs as if you terminated a CISO for whatever reason. They're the scapegoat. And it seems to me that the second option, the scapegoat

(27:40):
version, if a CISO loses their job over that, it will incur more costs to the business to do it that way. So what is the moral of the story here? Greg, if you were to sum this all up, what would you say to business owners who are at risk of losing their CISO?

Speaker 2 (28:02):
It's the same advice that I give to businesses and that I give to people. Just if you're ethical in whatever you do, I like to use the term, if you have a heart of a servant,

(28:22):
you're always going to be successful. Now, I'm talking about the employee at this point in time, not the employer, but the reason is because what you value is service, and everything else will come. I think it's the same thing on the business side as well, too. If you practice ethical business operations, whether that be in how you treat your employees, or how you treat your

(28:46):
partners, or how you treat your contractors and staff, or how you just conduct deals, you're going to be in a much better position when all is said and done long term, because, you know, getting biblical here for a second, you do reap what you sow,

(29:07):
and I think that's, I think that's really the summation of the story. I think that the more that we layer on these other items like, the more that the business starts to think about a CISO as being expendable and, okay, this is our insurance policy, we'll just get rid of the CISO if something happens.

(29:29):
You don't want something to happen. So why start to plan that way? Why don't you just encourage your staff and then the CISO? As I said in the beginning, if you have a CISO who is just trying to climb up the ladder, they're like, well, I'll join this company for 18 months and get them somewhere. And well, if my recommendations don't work out, well, 18 months, they probably weren't expecting me to stay, I'll just move on to

(29:51):
something higher wage. That's not terribly ethical in my mind as well. I get it that people should climb the ladder, and I have nothing against that. But it gets into your heart and what is in your heart, and if your heart's pure and you're ethical, all the other stuff

(30:11):
will work itself out some way. I don't want that to sound like a cop-out answer, but there are so many times when you layer all sorts of problems on and the answers are actually real simple. We just can't see it because we layer these problems on top of them.

Speaker 1 (30:28):
Yeah, yeah. And just like you did, asking the right questions, I think, can go a long way before you even engage, on both sides, the business asking the right questions of the incoming CISO and the CISO asking the right questions of the business, to make sure that there's an understanding between both parties. Okay, great. Well, you know what, I think we kicked that dead horse. I think it's zombified at this point. Zombified, yeah, yeah.

(30:53):
So I think we have, at least I have, a pretty good understanding of the hidden costs of terminating the CISO and just going between those CISOs and the various, you know, the various nuances of CISOdom. Great. I want to talk a little bit about your publishing company,

(31:13):
right. You are an author, you are a novelist. How did you, a CISO, which I, again, I typically associate CISOs with being very highly technical people, not super creative. But I'm also reading this book called Unmasked, about neurodivergent people, and I'm learning that neurodivergent

(31:37):
people are everywhere, people with autism, with ADHD, who may seem like the perfect fit for a technical role because with those neurodivergent qualities usually come with mathematical skills, very direct skills. But I'm also learning that there are a lot of people who we may think are just fit the bill of, you know, being like a,

(31:59):
like a Sheldon from Big Bang Theory or whatever, but may be really well suited and they apply those energies and those superpowers to creative things, and you know. So now I'm beginning to look at the world a little bit differently, and so I'm seeing that a CISO or somebody who is

(32:21):
very technical, super smart, is really good with numbers, good with math, also moving into the realm of creativity and art and writing and those kinds of things. So, while I have you on the line, a real live, you know, twofer, someone who is both gifted in the engineering

(32:41):
sciences and cybersecurity and technical parts and all that, but also noveling. How do you go from security to being a novelist? Which one came first? Are you a novelist at heart or a CISO at heart?

Speaker 2 (32:54):
Oh, the writing came first. I wrote my first novel, uh, in high school and, uh, it's somewhere in a box, somewhere in my house. What was it about? Uh, it was a very, uh, it had a very pretentious title called

(33:14):
The Balance of Power, and it had to deal with a Soviet invasion of the United States. Think Red Dawn, but done a lot worse. And I was actually writing it before Red Dawn. Remember, I'm a child of the Cold War, so we grew up distrusting the Soviets,

(33:35):
but the reason for me writing then is the same as it is now. It was an escapist from my school studies. I was also, I guess I should say, I wasn't the most model student, not from the academic side. When I was in middle school I was measured with a genius IQ.

(33:58):
It was 160-something, and my mom was very upset about that because she didn't want the school to treat me any differently.

Speaker 1 (34:07):
I thought you were going to say she was upset about that because it wasn't 170-something.
No, no.

Speaker 2 (34:15):
I'm not a good enough genius, but I could tend to get bored easily and I also was more of an introvert, didn't like cliques and all that, and so writing provided me an escape.
I was actually expelled from three high schools in my four years of high school, but still was able to graduate in four

(34:37):
years, but anyway, I wrote then.
It was just a way to unpack, decompress. On Virtual CISO Moment, one of the end questions I ask them is like, so cybersecurity is a very stressful field.
What do you do to decompress?
And I love hearing different stories about what people do and

(35:01):
and so I kept that with me.
So the first novel that I wrote actually started 30 years ago, ish, and it was therapy for me when I was going through my divorce, and eventually I repackaged that and

(35:22):
self-published it in 2014.
So it's been 11 years now, but I would write that as a break from doing my CISO duties at a bank that I was at at that point in time.
But I enjoy it, and it's not just fiction.
I've got one book that's been on development hold for the

(35:45):
longest time, about halfway through as far as novels go.
It's called Fatherhood and it's tackling abortion from the father's point of view, and that's a very touchy subject to talk about anyway.
So I might finish that at some point in time.
But you know, this whole virtual CISO thing.

(36:06):
I got into the virtual CISO world, I kind of had very, very modest goals for virtual CISO.
My goal as far as salary was like $60,000 a year was all that I really wanted to make, because I wanted to do it part-time,

(36:27):
because I wanted to spend the rest of my time writing.
Well, the business, I found out I was a good entrepreneur, and who knew?
I never knew.
I'm like, wow, and the business grew and it grew and it grew and it sucked up my time and I haven't had a chance to do as much writing.
So eventually I'll get back to that.
So I think it's just balance.
I think life is, we do better when we balance and not focus.

(36:51):
And certainly focus on one area, and certainly there's a huge difference, as you were talking about in the beginning, between the technical side and the creativity side.
I mean, you see a couple of guitars behind me.
It's like I've written songs, nothing that I would term good.
But, you know, it's the creative process.

Speaker 1 (37:10):
There's a problem where you're not good at anything; that's the problem that gets the most attention.
But there is a problem of being good at a lot of things, because you only get one life to live.

Speaker 2 (37:20):
Yeah, and I, I don't know, maybe I'll try to figure out how to clone myself.

Speaker 1 (37:25):
Hey, if you figure it out, let me know, because that'd be great.
I could do with like three or four clones while I sip margaritas on the beach and they can do all the work and take care of it.
There you go, all right, great.
Well, Greg, thank you so much for joining me here on Cybernomics.
I'm super excited to be on your show and talk about media and kind of dig in a little bit more on the human side of

(37:46):
cybersecurity and how we connect and all that stuff.
If people want to find you, what is the best way for them to do that and to learn more about your vCISO services?

Speaker 2 (37:55):
Yeah, I think the best way is just to hit me up on LinkedIn.
I'm pretty active on there.
I never used to be up until a few years ago, but I've realized the value of the platform and I love to engage with folks.
Don't send a connection request and then try to sell me

(38:15):
something.
Or don't send a connection request and then ask me to be your mentor.
I mean, let's establish a relationship first.
That's the real value of it.
So Gregory Schaefer is my LinkedIn handle.
I guess you could say that's probably the best way to get a hold of me.

Speaker 1 (38:34):
All right, and check out Greg's podcast, The Virtual CISO Moment, and you can check out our episode when it airs. I'm not sure when that's going to be, but we'll be talking about. Actually, that's a really good segue.
What you said: don't hit somebody up and then try to sell them something.
Form a relationship, form a connection, earn it and life

(38:56):
will be much better for you.
So thanks again for listening to this episode of Cybernomics.
Check us out at bruyning.com, B-R-U-Y-N-I-N-G dot com.
The media side of this business is just us helping as many tech companies build thought leadership through podcasts as much as we possibly can.

(39:17):
So thanks again, thanks, Greg, and we'll see you in the next one.
Bye. All right, so we could stop there.