June 6, 2025 40 mins

Charles Payne and Olivia Phillips join us to explore the evolving relationship between CISOs and BISOs, examining how business-focused security leadership is transforming cybersecurity from a technical function to a strategic business enabler.

• BISOs serve as the "Swiss army knife" of the CISO, bringing deeper business knowledge to security decisions
• The BISO role bridges the gap between technical security requirements and business objectives
• Both guests agree BISOs are well-positioned to become future CISOs due to their business acumen
• Quantifying security risks in financial terms changes board-level conversations (e.g., a $50K fix preventing a $6M loss)
• Business silos create hidden security costs when departments purchase redundant tools without coordination
• Transitioning from technical to strategic leadership requires learning to delegate and trust team members
• Strategic security leadership means focusing on business outcomes rather than getting lost in technical details
• AI will likely reshape junior security roles but also create opportunities for professional growth

Connect with our guests on LinkedIn: Olivia Phillips (#simplyolivia) and Charles Payne (#NYLCharlesPayne). Subscribe to the Cybernomics newsletter and YouTube channel for more insights on how security and business intersect.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to this episode of Cybernomics. I'm your host, Josh Bruning, and I'm here today with the one and only Charles Payne, incredibly knowledgeable, extremely handsome, good-looking and charming CISO extraordinaire. Charles, welcome to Cybernomics. Pleasure to be here, Josh. And we also have Olivia Phillips, who is the BISO at

(00:24):
Amtrak, which I learned I just learned this today that Amtrak is half government, half union. I didn't even know that there were any government, but apparently they are. So to talk about the office of the BISO and we're going to do a little bit of you know and we're going to do a little bit

(00:44):
of you know, WWE, CISO versus BISO today, having Charles as a CISO, Olivia as the BISO, and doing some comparisons between the office of the BISO and the CISO. What is different, what is the same, what is a BISO? Anyway, Olivia, welcome to Cybernomics.

Speaker 2 (01:00):
Thank you, pleasure to be here.

Speaker 1 (01:03):
All right. So I've always gravitated towards the office of the BISO, because when I started in cybersecurity, my job was to communicate the IT and security language to the business and the business language to the IT group. Business analysts and project managers have kind of taken over

(01:25):
this role. So in a company like Amtrak, so like these bigger organizations that are fortunate to have a BISO, what exactly is the role of the BISO? Are you that in-between bridge between the business and security, or is it something much more than that?

Speaker 2 (01:43):
I think it's much more than that. We work with the cyber team as well as the business team, but we also want to make sure that the cyber security team is embedded in the business and to show value. Also, I think of the BISOs as being the Swiss army knife of the CISO. We are going to know the business a little bit more in

(02:04):
depth than the CISO, but we can bring that to the CISO's attention, especially when it comes to risks or new standards that are coming out.

Speaker 1 (02:12):
So is it fair to say that the BISO is to the security office what the business analyst is to the IT office?

Speaker 2 (02:23):
I think they go hand in hand.
Yes, yeah.

Speaker 1 (02:26):
Except you've got a little bit more pull. I would think it's a senior position, correct?

Speaker 2 (02:31):
That is correct, yes.

Speaker 1 (02:31):
Okay, how senior are we talking?

Speaker 2 (02:34):
Well, it's director or senior director position. But I will be honest, I think in the next five years we will be sitting right next to the CISO part of that C-suite.

Speaker 1 (02:44):
Want to know what I think? I think you're going right next to the CISO, part of that C-suite. Want to know what I think? I think you're going to take over the CISO's chair. I think you're going to sit in that chair because and this is something that Charlie and I talk about a lot most CISOs are, and please don't come after me. I have a lot of friends who are CISOs and this is not to disparage anyone, but it's true.

(03:04):
There are too many CISOs that are not business-focused. They're more technology-focused and you would think to have the position of a CISO you would have to be sort of the executive type. But the breed of CISOs that are executive types it's becoming less rare, but it's rarer than we want to admit. But I think that a BISO, being business focused and in the

(03:30):
security office, that sounds an awful lot like what the CISO should be and what great CISOs are. So, Charlie, do you think that the office of the BISO would ever replace the office of the CISO?

Speaker 3 (03:48):
So, fundamentally, I don't think the CISO position will technically go anywhere, but what I think you'll find is that the BISOs are now the CISOs. I think what you'll find is the logical progression from the BISO to the CISO, because having the business context in conjunction with the technical argument is very critical to today's evolving landscape.

Speaker 1 (04:09):
So, Olivia, if you were to lose the title of BISO and became a CISO, do you feel like you would have lost anything?

Speaker 2 (04:17):
No, I think I would gain quite a bit because I would be bringing in the business acumen that I know into that cyber field, so I would be able to speak both languages of Spanish and English. But cyber, you know ones and zeros to business value or cost savings.

Speaker 1 (04:37):
Charlie, should CISOs be scared of the BISO? Is the BISO going to eat their lunch?

Speaker 3 (04:44):
I would think so. I mean I came from finance first before I went into IT and technology, so my background's already similar to BISO. So I mean, maybe I'm biased and prejudiced in that regard, but I see that the amount of advising that I do for other CISOs that don't have any business acumen I think that the BISOs are positioned correctly at this point in time to

(05:05):
actually start to take over some of the CISO roles. So I think what we'll see now is a lot of the hirings and the people that are actually filling the CISO positions will be BISOs and such moving forward.

Speaker 1 (05:18):
Man, I thought I was going to get you guys to duke it out, but you're both on the same page. This is the most boring wrestling match I've ever seen, because you're holding hands and singing kumbaya and I don't think you're going to be on WWE anytime soon, but you know what? This is much better. I think that having that progression from the BISO to the

(05:39):
CISO and sort of starting that conversation, is incredibly important, and I think that that's maybe the number one benefit of the BISO is that it's raising questions that everybody wanted to ask, namely, how do we make security a business function and less of a technical function?

(06:02):
So, if anything, the BISO role, in my view and Olivia, you can correct me if I'm wrong the BISO role is an isolated, concentrated, business-focused security job that is telling all of us what security should look like, true or false?

Speaker 2 (06:22):
I would agree with that. Yeah, okay, great.

Speaker 1 (06:24):
I got one right. I passed the exam. What do I get?

Speaker 2 (06:29):
What's my reward?

Speaker 1 (06:33):
A clap from the BISO and the CISO. Great. Can I get you guys to do that publicly? Okay, never mind, yes, okay, well, today is my lucky day, all right. So, moving on, what is the number one? And I won't hold it against you if you change your mind later, but just off the top of your head, if you were to say

(06:53):
something, what is the number one hidden cost of security from a business perspective, maybe something that the business overlooks and, as the BISO, it could be something that you have caught, others have overlooked and you've brought it to light. So what would be that uncommon, unseen cost of security?

Speaker 2 (07:16):
From a business standpoint, it's the business doesn't talk to the business. And what I mean by that is that everybody's very siloed and what causes issues is these individual groups get their own tools but are the same within the organization so it cost the entire company as a whole so much more money.

(07:38):
Until, like a true BISO, actually looks at it, who's supporting all these different organizations within the company to see, hey, why do we have 18 different types of VMware? Why can't we just buy one? Do like the Costco, buy it in bulk and it would give us cheaper. And that's one item that I've seen as a BISO that it's

(08:03):
communication between the different orgs. It doesn't happen and the BISOs have to bring those walls down to open that communication.

Speaker 1 (08:12):
Yeah, does that sound like a risk to you, Charlie, like in the traditional sense of thinking about cybersecurity or business risk? How

Speaker 3 (08:21):
large is that risk, you know? So I'll speak to it from like an M&A strategy, so like a merger-acquisition strategy. So that's what Olivia is saying is actually very true, and what you find is that there's so many different technology stacks in your organization that it causes stress to your security team because now they're trying to patch stuff that's irrelevant, that they shouldn't have to patch anymore. Instead of trying to unify all the solutions, reduce the stress

(08:44):
for your security team, which makes them more beneficial, more profitable. They can keep their eyes and they can focus on stuff that's more relevant to the business, as opposed to chasing stuff that was end of life five years ago.

Speaker 1 (08:55):
Who owns that risk, if we've established that it's a risk? Is it procurement? Is it the GRC team? Is it the CISO's office? Is it the BISO? Is it the butler? Is it the nurse? Who is it?

Speaker 3 (09:10):
Ultimately, it's whoever gets held, whoever's holding the bag at the time that there's an incident.

Speaker 1 (09:15):
Which typically in a large organization.
Who would that be?

Speaker 3 (09:21):
I mean it could be senior management, it could be one of the executives, but I mean typically it's going to be whatever department holds, especially if it's like an end-of-life tool. It could be whatever manager or whatever executive or whatever staff member signed off on that tool is used, accepting the risk for that tool even though it was end-of-life or nearing the end of its life or whatnot.

(09:42):
So, going back to what Olivia said, you should definitely want to look at buying stuff in bulk so you can always maintain those service contracts.

Speaker 2 (09:48):
Well, let me ask you, Charles, have you ever had where people it's pointing fingers, like a risk happens and it's like, well, why didn't the CISO tell me it's your job to be the security officer. You should be aware of the situation.

Speaker 3 (10:11):
You didn't tell me, so it's technically not my fault. I was at a very large organization, financial organization, a bank, and yes, we played the blame game and it boiled down to as the executive, we can't know everything and that we have to rely on the people that we've hired in those positions, that we've delegated those tasks to, especially when they've accepted those risks on the rising chart.

(10:35):
So it boils down to we try to communicate risk, we try to deliver it in a way that everybody understands, but at the same token we have to rely on our staff. And sometimes I fault myself on not training my staff on what to specifically to look for, because when I give them directions, sometimes I don't give them the ability to understand what those directions mean and I don't realize that until after there's a problem or after there's an incident,

(10:55):
because they don't always necessarily tell me that. They don't understand what I'm saying. And that's where I have to step back and go back into the business mindset of trying to explain to everybody this is how it works and this is how it functions, and trying to distill the technical jargon back into the business, going back to what Olivia was saying originally. That's very difficult sometimes because sometimes you don't know that there's a problem until there's an issue or a

(11:18):
conflict.

Speaker 1 (11:19):
So, as a BISO, Olivia, if you are looking at a large company, let's say like a US bank size type company, where, to Charlie's point, you've got multiple levels, right. So you've got the guys in the server room all the way up to the CISO, the CTO, CIO, whoever is at the top, right, and with

(11:41):
these big companies you'll probably have like 20 CISOs, right. Everybody's trying to communicate down and people are trying to scream their lungs out to the top because in you know, the CISO may have said do not put in WatchGuard firewalls, okay, and by the time you play that game, you know, know, it

(12:02):
gets all the way down. It turns into absolutely install WatchGuard firewalls. So it's not just the silo of departments but it's the silo of rank and level. So how would the BISO address that to solve that communication gap for such a large company and in the frame that Charlie

(12:26):
had just given us?

Speaker 2 (12:29):
So for me it's been communicate, communicate, communicate, and it's I don't know what it is it's been the last 10 years. The communication it's not there where you can just go talk to somebody. So it's establishing that trust within the business and security to say, hey, here's the new policy, we cannot do this,

(12:52):
we cannot implement these firewalls. And explaining why. Because that's going to be the question is why can't I? Okay, well, here's the reason why. Here's the risk. Now, that is, you know, coming from the executives, coming from our CISO, saying we can't do this. But it's communicating not just to the managers, senior managers, but also the developers, the firewall team,

(13:14):
the entire network team. So you're not just as a BISO, you're not just getting you know, going, reporting stuff up as from an executive standpoint, but you're also reporting stuff down to make everybody aware of the situation and what's going on, especially when it comes to policies, procedures, because at the end of the day, if they don't know, they can't be fully effective in meeting the

(13:34):
security requirements.

Speaker 1 (13:37):
But somebody's still going to be left holding the bag of apples, the hot potato, and someone will be accountable.

Speaker 2 (13:44):
Well, it's also explaining to the service owners, or the owners or the managers, that they are going to be held accountable, especially when it comes to a risk, but then teaching them hey, you're signing on this risk, so, security, our CISO is going to sign on this risk and accept this risk, but at the end of the day, when it comes to that scapegoat you're going to be be as a manager, you're going to become that scapegoat because you're allowing this risk to

(14:06):
continue. So how do managers save their asses?

Speaker 3 (14:10):
Like, don't implement a risk. Well, I would agree it's kind of like unplugged from the internet. Definitely, I think it's more than the lines of understanding completely what the risk really entails. But I mean, I mean there are plenty of softwares and I'm part of FAIR Institute and FAIR gives you a really great assessment on what each risk means in terms of dollars and

(14:30):
cents and that's really what I can pay to the business. I'm like, hey look, this is going to cost you a billion dollars if this risk actually matures itself. If you can accept that, I'm okay going forward. It's breaking it down to the business and understanding and explaining to them what they're asking for really means to them. And when you talk to them in terms of share prices and monies

(14:51):
lost and budgets and bonuses not paid, it's a different conversation. When it's like, oh well, we have these vulnerabilities that we have to go fix because that means nothing to them, but we're taking away your house stipends, we're taking away your bonuses, you're not getting any more stock options. This is how much it's going to cost all the shareholders. When you talk to them like that, when you start telling them how much bonus they're not going to get, then it's a different

(15:12):
conversation. Wait a second, wait a second. What do you mean? We don't get our bonuses.

Speaker 1 (15:18):
Do you think that's what's driving all of this? Is ego, because if people are looking inward, then you forget to communicate, and when I've heard stories of these kinds of miscommunications, things getting all messed up, nobody knows who's accountable. It's because somebody was too busy enjoying their executive lifestyle and couldn't be bothered to communicate.

(15:39):
So is it like a psychological problem or is this like a structural problem?

Speaker 3 (15:45):
Maybe it's ego, but there are so many folks that just have. It's a weird dynamic because when you try to talk to a CISO or another executive, it's like they seem to be like one of the most stressed individuals, but they also put up so many galler, so many guards and so many walls that they don't really

(16:07):
have an open door policy. They have an open door policy, but it's not really accessible because there's so many walls in front of it. So it's like they kind of shoot themselves in the foot because they're they're trying to say it's my way or the highway, as opposed to actually truly having an open door policy where you can actually communicate issues and risks and problems. They don't want to hear it. That's kind of an issue.

(16:30):
People are like, oh well, of course we want to hear that, and people will be listening to this and be like of course we have that. Yeah, but can you really go in and say, look, I had a problem with this, this didn't work, and then did you just tell them to fix it? Or did you stop, sit down, have a conversation and understand why your WatchGuard firewalls or why your other products didn't work? What was the implementation issue, what?

(16:51):
And then, instead of just looking at this technical challenge of like, if I implement this product, what happens? I just want it to work did you look at what happens when you implement that product? Did you look at what happens with the vulnerabilities? I mean, we've been a we've been a FortiGate shop for a really long time and one of the things that another vendor brought up at RSA this year, among some other times, was FortiGate will

(17:13):
make some crazy software have plenty of bugs, but you can't have any of the software updates for free. They charge you on a subscription model for the updates. Yes, you bought our hardware, you bought our software. By the way, we have plenty of bugs in it. We know that they're there, but if you want it to be fixed, you have to pay us. It's a service contract.

Speaker 1 (17:31):
Is that legal?

Speaker 3 (17:34):
I'm not sure, but that's what they're doing today. That's my gripe with them at the moment.

Speaker 1 (17:38):
Wow, Olivia, thoughts. How into the weeds and the technical stuff do you ever get?

Speaker 2 (17:46):
I do not get into the weeds or technical. I try to be above that. Being my past experience, I did get in the weeds. I did all the tools. I truly understand it. But nowadays there are experts out there. There are people we hire who are the experts and I can go to

(18:07):
them and ask them. Give me a high level of exactly what this is. What does it do? How is it going to provide value to the organization? And show me, show me it. You know, proof is in the pudding, as I like to call it. Don't just talk about it, I need to see it. And because I have that technical acumen, I know what

(18:28):
I'm seeing, I don't have to guess and I can ask the technical questions, if need be, to fully understand it before bringing it to someone who is not technical at all and explaining what this does.

Speaker 1 (18:41):
I don't know if I want my BISO in the weeds. I feel like that's a recipe for death. I don't want my heart surgeon pulling my teeth out. You know what I mean. So I feel like if you were too much in the weeds. I think that that's the problem is like, when you're in the weeds and you're in the technical role, it requires a lot of attention and a lot of deep focus and you have to get

(19:05):
down there and once you get down there, it's hard to come up. It's like jumping into a very, very deep well. Um, so yeah, I feel like the BISO is like sitting at the top of the well, looking in every now and then and hey, what's this thing? And then they yell up oh, that's a firewall. Do we need it? Yeah, all right, thanks, here's a quarter.

Speaker 2 (19:27):
Yep, no, and I've actually had to learn that lesson, moving from a technical director to a non-technical director. It was definitely like, oh, let me put my hands on the keyboard, let me do it, and it's like nope, you are the expert, I am just gathering the information so that I can make the right decision and bring that to the business to make the right

(19:49):
decision when it comes to signing off that, yes, we're going to purchase this tool and you know, we're about to give this company $3 million.

Speaker 1 (19:57):
What was that climb out of the well like? Because now I can picture you at the bottom of the well. It's dark. Often, there are lights and servers all around you. What was that climb out of the technical weeds into the glorious light of the business? What was that like, you know, detaching from the keyboard?

Speaker 2 (20:21):
Very difficult, I will say it. It took me about probably a year because I just I had access to the tools, I had access to everything, so I didn't have to ask anybody. It was oh, I'll just do it myself because it's faster. It's kind of, you know, if you have wives or husbands like they ask you to take out the trash and you don't do it, right then

(20:42):
and there and they're just like fine, I'll just do it myself.

Speaker 1 (20:44):
Passive-aggressively.

Speaker 2 (20:46):
Yes. So it took a lot, and it took a lot of reading about leadership and how to become into that executive suite and how you have to trust the people who are giving you the information and allowing them to do their jobs, because that's what they're getting paid for and I'm getting paid for to look higher up from

(21:07):
an executive standpoint. It was very difficult. I slid down the well many times, but from my failures, from disappointments in myself, I was able to get out of the well and learn to stay more. Don't go in the weeds, just stay at this level and let the

(21:29):
experts do their job.

Speaker 1 (21:30):
Expand what happened every time that you were supposed to do a non-weedy thing and you didn't. It sounded like it was painful at times. So do you have any good stories?

Speaker 2 (21:41):
It was very painful. I do have a story. We were having scanning issues. Unfortunately, our security team who do the scanning, they were sick with COVID and people were like, well, we'll just wait, it's okay. And that was another thing was I had to be think more strategic than tactical, because tactical is.

(22:01):
I went in and I'm like you know what? I have access to the tool. I'll keep the. You know I'm thinking of the mission. The mission is still going. Let me help here. And it was my manager basically was like what are you doing? That is not your job. I understand you're trying to support the mission and you're very passionate about what you're trying to do because you see the problem and you want to have that solution right away.

(22:23):
But it's not holding other people accountable. You know everybody gets sick, it's okay. The work is still going to be here. We're not going to. You know nothing's going to stop, it's okay. And that was very hard pill to swallow because it was no, the mission has to keep on going and we got to do this and it was

(22:47):
like nope, stop. I need you to focus on this and that is your responsibilities. I understand you want to help everybody and be superwoman. You can't, because you're going to get burnt out and you're going to. You know, then all of a sudden you're going to be out for a week. We just can't have that.

Speaker 1 (23:04):
Where do you think that urge comes from? Is it like a safety net, so there's safety in having your hands on the keyboard and it's scary to embrace the strategic. Or is it just you have a hero complex? Like what prompts you to, you know, almost in an addictive way, go back to the keyboard?

Speaker 2 (23:27):
I think it was a hero complex for me, because it I I dealt with that. I I dealt with you know. Hey, we had it was mission critical. We had to have this, especially supporting um, the government, as well as our soldiers overseas. It's that just came up with that mindset and it and it wasn't like, oh, look at me, I'm the hero. It was I, I, me, I was like I was successfully able to do that

(23:49):
and then it was, you know, as I was bringing people up and mentoring other, the younger generation and people who I had worked for me, I had to sit back and watch and learn that I'm become, you know, I'm becoming that micromanager, I am becoming that, you know, even though I wasn't like, you know, watching

(24:12):
everything they did. It was I need to step back. I need them to grow, I need them to be successful because, at the end of the day, if they're successful, I'm successful as a leader and if I'm doing it for them, they're not going to learn and they're not going to be held accountable and be able to get to that you know stage where they can be promoted as the next director, which is what has happened

(24:36):
within my organization. I had somebody work for me for two years and was able to grow them as well as grow myself. And they have just now been promoted as a director, which brought me so much happiness. And, you know, and they came to me a couple of days ago and they were like hey, thank you for everything you did for me, because I wouldn't have been in the director position if you

(24:57):
didn't help me.

Speaker 1 (24:59):
Shout out to that person.

Speaker 2 (25:00):
Yes.

Speaker 1 (25:01):
And I don't know if you want to reveal their name, but it's. Every time someone gets promoted to director, a security angel gets its wings.

Speaker 2 (25:10):
Yes, I do feel that I was. It just brought me happiness. I mean, it was more than just getting a promotion for myself. It was seeing them, you know, be promoted and seeing them grow. Leadership in action, yes. Hold on, let me just take my tear out.

Speaker 1 (25:27):
All right, let's turn to investments. And, Charlie, this is your forte, right. And so what does the BISO office offer a company that's going through a merger, or even a smaller company that's getting acquired? Does it add anything to the value of the company that's

(25:47):
getting bought? Or you know just I'm guessing here, just assuming that because you have a BISO, you've probably identified a lot more business risks than if you otherwise didn't have one. So does having a BISO, or at least a function similar to the BISO, in a company make it more attractive?

Speaker 3 (26:10):
I mean in essence, yes, they're going to know where all the inefficiencies are. They're not necessarily going to be able to address and fix all of them, because that's not specifically their job or their role, but they're probably the first person you want to talk to in terms of trying to address any of the inefficiencies that are in the business, because I'm sure they've got a list of pain points that's a mile long at that point.

(26:32):
So they're going to know where all the VMware software licenses issues are, where everyone's using something different, where everyone's breaking protocol, where everyone's got their shadow IT stuff at, and they're going to know basically all the internal secrets that are hidden that management might not be all aware of, because everything is silent, everything is hidden away in different departments. So that'd be like your first resource to look into to find

(26:54):
out where all the inefficiencies are. So when you go in for a merger and acquisition, you would actually know where to start cutting things out first and start restructuring from the inside out. From that angle, Olivia, how do you measure the value of the BISO?

Speaker 1 (27:11):
So that is a difficult question, yeah. I'm asking about ROI here in cybersecurity, which is totally unfair. But, like everyone, maybe I can, maybe I can answer.

Speaker 3 (27:27):
Maybe I can answer it for her. Okay, from a CISO's point or a BISO again, it's looking at all the inefficiencies down my level. I don't. I have no clue what they're doing. I don't as much as I want to get my hands on a keyboard and and, believe me, I've found down that. I've found down the well. I've sunk a few times, more than a a few times, in fact.

(27:48):
I still do it, it's whatever.

Speaker 1 (27:51):
Yeah, what's down there, guys? Like, isn't there, like, some.

Speaker 3 (27:55):
It's a rabbit hole that you get lost in. I will tell you that for sure, but no, it's. But going back, I think that the BISO has the opportunity to find all the inefficiencies and find out where we can improve. Naturally, I'm not looking at that because that's not my objective or goal at the time, but they're going to actually be

(28:16):
able to give us information that's valuable and critical to what we're trying to do and maintain the business objectives. What I do find is most people don't know how to consult with their BISO or their staff and find out what those are or what those inefficiencies are, because maybe they don't have that position in place or because they don't have a trusted network or trusted staff in place. I think that might be the biggest problem, but I think

(28:40):
that the best issue or the best thing that they can do is report all the inefficiencies, all the business functions that we're not looking at.

Speaker 2 (28:49):
Yeah, I would agree. I know for a BISO we're working to show value and the value is executive reporting to show each group within the organization saying and kind of doing that I like to call it the high school grading level, where we show the vulnerabilities, we show

(29:09):
incidents, SLAs, we show not just cyber risk but the business risk, because a lot of people are not looking at the business risks that are within the organization because of cyber takes so much SOPs, projects and comparing that to other

(29:33):
executive reports, seeing if there's something where we can have more of a collaboration of projects or we could have. You know, if there's something that's a vulnerability that's affecting everybody, maybe we can come up with a Python script or something to push it out to everybody. So one, you know vulnerability is fixed and not having it, you know, go through change management 25 different times to

(29:55):
patch the same CVE. I think that's where the value comes in with the BISO. And then you know, also adding the numbers for the CISO, saying here's your biggest risk. We want to make you aware because we, you know we need you to bring that to the board. The BISOs don't go in front of the boards not in most

(30:16):
organizations so we bring it up to the CISO, to bring it up to the board, letting the board be aware of the overarching organization risk and you know, kind of adding those numbers saying if we don't fix this, we're looking at a data breach that will cost us $6 million. So I think that's where the value of the overall business is

(30:38):
functional.

Speaker 1 (30:39):
You just make sure that information and communication is as fluid, as crystal clear as possible, so that everybody knows what's going on at any given time. The board is aware of what's happening, everybody's aware of

(31:01):
the risks and then, when there's time or when there is an opportunity to remediate or to fix something, that it happens quickly and effectively and efficiently. So your metrics are probably in the realm of time to XYZ. How much had we shortened blah, blah, blah?

(31:22):
How many risks have we identified and remediated within the shortest amount of time? Is that fair?

Speaker 2 (31:31):
Yeah, that's absolutely fair.

Speaker 3 (31:36):
Okay, what do you think, Charles?
I think that is important.
I think that, going back to what Olivia said earlier about
the $6 million, I think that by far is going to give most CISOs
ammunition for the board that they never had before and I know
Olivia is kind of like a rare case, but I know that most CISOs

(31:56):
don't have any way of quantifying risk or qualifying
any of the risks and what that means in terms of dollars and
cents.
And that's their biggest problem when they speak to the
board.
The board doesn't want to hear about specifically how many farm
buildings I know the CISO does, but the board doesn't want to
listen to how many things have been remediated, what's been
done.
They want to know why are you costing us X amount of dollars?

(32:17):
So when you quantify that risk, all these CVEs that Olivia was
just talking about equal a $6 million risk to the business.
Does the business want to spend $50,000 to patch the $6 million
risk or they want to accept the $6 million risk?
I think that type of information is very critical to
the board because they are understanding if I spend $50,000,

(32:39):
I'm hedging a bet that I'll save $6 million and that's what
the board likes to understand.
Why are you spending the money?
It's not that we're a cost center, it's that we're
essentially some type of insurance overlap.
We're hedging bets versus CVEs or hedging bets versus
vulnerabilities.

(32:59):
And when you explain it in terms of dollars and cents, it's
a different conversation.
So, to go back to what Libby was saying, when you explain it
in terms of dollars and cents, in conjunction with the
technical information, it's a completely different
conversation.
Because then it's like oh, wait, wait.
So we saved, so we fixed 10 or 15 CVEs, but we spent you know a

(33:19):
hundred thousand dollars, whatever the case may be, but we
saved the six million dollars.
Or we spent you know fifty thousand but we saved the six
million dollars.
That's.
That's no longer a cost.
That, that's a, that's a risk mitigation strategy or an
insurance policy, if you want to, if you want to qualify it like
that, it's a, it's a pearl pearl.
So at that point in time, it's no longer a cost center.
Aspect of it it's, it's more of one lines of insurance and

(33:42):
asset management.
It's a different strategy, it's a different, it's the same
information, but it's actually written off differently in the
books and accounted for differently.

Speaker 1 (33:52):
Yeah, yeah, I think what you're saying is a laser.
So what Olivia is positing is sort of the overall, or at least
what she said, what I posited, and assume that I was right that
the criteria for success is functional.
But that's sort of the overall view of it.

(34:14):
But if you were to be laser focused into what does that
really mean at the end of the day?
Which function?
What kind of communication?
What are we communicating then?
To your point, Charlie, it seems to be dollars and cents
and risk.

Speaker 3 (34:33):
Correct.
Is that a good summary?
It is the board only cares about what it's going to cost
them.
Again, when you start talking about taking away bonuses,
crashing the stock price or anything that negatively affects
public opinion and or their stock values or their financial
bonuses, it's a different conversation.
So when you start tying dollars and cents risk to the risk of

(34:56):
an incident or whatnot, now you're saying, if this, if this
incident actually occurs, you're going to lose your bonuses,
it's a different conversation.

Speaker 1 (35:05):
And that's that's the the part that the BISO brings
to the, to the board meetings and to the table that the CISOs

(35:27):
I don't want to say the BISO function, because I'm not
thinking of just like the role of the BISO, but the BISO-sphere.
Do you think that AI will come for any jobs, especially the
junior positions that are heavily involved in the
operations of the BISO?

Speaker 2 (35:45):
I think, yes, AI will be helping a lot of that low I
don't want to say low-hanging fruit but that tier one, help
desk, because it's going to be those generic general questions
where you know I'm having issues connecting to the Internet or
I'm having issues doing this and kind of adding those steps.

(36:08):
But I think it's also going to lose that human factor where a
user can contact the help desk and say I'm having this
difficulty, can you walk me through it?
And I think that's going to be difficult for a lot of end users.
But I think it's also going to help with incident response
tremendously.
But at the end of the day and I know there's a lot of

(36:31):
conversations regarding AI is it going to be more proactive in
protecting your organization or is it going to be your next risk?
And I think it's going to be both.
But at the end of the day, it's who's the stronger developer
developing AI when it comes to behavior analytics and do you
have the backing to support your AI infrastructure doing that
lesson?
You know I call it lessons learned, but it's learning how

(36:55):
your organization works and how it can manipulate.
You know, take care of those false positives and help with
the general.
But I think that's also going to help support you know the
people.
If you're thinking of a help desk like the tier one, we're
going to get rid of those, but we're going to move them as a
tier two.
And then you know those tier, you know two, tier two people.

(37:15):
We would move them to a tier three and further up because, at
the end, and that supports them, because, at the end of the day,
we all want to grow, we all want to change and improve
ourselves individually.
This is the opportunity to do it.

Speaker 1 (37:28):
How does that work?
That's one thing I don't understand with the narrative,
because I hear everybody saying exactly what you just said in
different iterations, and I think it's generally true, where
AI will help people move into places they weren't before.
But how do you take a junior team member, junior analyst who
has six months of experience now you've got AI on your lap.

(37:51):
Maybe that person is not ready to go into tier two for another
two years?
They just don't have the experience.
Do you wait two years for that person to move in and hold off
on AI while the world moves forward, or do you fire that
person and have the AI take their job?

Speaker 2 (38:10):
I don't think even firing the person, because an
organization is investing in people and if you invest in
people, that investment is going to grow and it gives the people
the opportunity.
And I know that personally.
So I've had companies where I was a junior in a different role
and I didn't have all the expertise, I didn't have all the
information, but the company invested in me and I was.

(38:33):
I invested in the company and actually gave a profit, a value
of what I was able to turn out, because they took the time to
show me, teach me and allow me to grow into the position that
they gave me.

Speaker 1 (38:49):
Well, I think that that is an admirable
organization.
I'm not confident that everybody would be as benevolent.
I think a lot of companies are going to see this as a way to
save money and to get rid of bloat.
We'll see.
I've got my ears to the ground and I think I see a lot of
things in AI and agents that point me to that world where

(39:12):
people will get let go or at least companies will stop hiring
for those roles.
But I'm hopeful.
I really hope that it doesn't happen that way.
I hope that it happens slowly and in a way that allows
everyone to grow and everyone to take part of this AI boom.
If people want to find you, Olivia, how can they find you
and follow you?

Speaker 2 (39:33):
I'm on LinkedIn.
Very easy to find Olivia Phillips, or my hashtag is
simply Olivia, and they can find me and I'm always eager if they
have questions or if they want to learn more.
I will always take the time to pass my knowledge.

Speaker 1 (39:53):
Awesome, Charlie.
Do you want to be found?
You're in San Francisco right now.
I don't know where you're going to be next.
How can people follow you?

Speaker 3 (40:01):
They can always catch me on LinkedIn, just the same.
So my hashtag is NYLCharlesPayne, so they can catch me there.
Happy to respond back to the questions, just the same.
But yes, I'm not sure who I'll be next either.

Speaker 1 (40:16):
And if you want to find me, look me up on LinkedIn
J-O-S-H-B-R-U-Y-N-I-N-G.
I'm the only Josh Bruyning on the planet.
Nobody dare name your kid Josh Bruyning, because I wear that
with a badge of honor.
And if you want to know more about Bruyning Media and what we
do, visit bruyning.com, B-R-U-Y-N-I-N-G dot com.
And thank you for listening to this episode of Cybernomics.

(40:39):
And oh, our Cybernomics newsletter is out, so subscribe.
And also, we are regularly posting videos and shorts to
YouTube, so make sure to slam that subscribe button and give
us a thumbs up.
Thanks for listening to this episode of Cybernomics.
Bye.