Being a CISO means being the team's incident commander: willing to take on problems and risks, and to lead. Your users look to you to solve problems effectively, and you need to guide them so they don't get compromised.
Join us as we talk to Brent Deterding about what it takes to engage your people as a CISO leader. Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their clients securely and confidently. Learn how to make your users the front line of the company, how to calculate risk so you get the most bang for your buck, and why cybersecurity matters so much in this day and age.
—
Brent Deterding On CISO Leadership And Calculating Risks
Here on the show, we bring you top experts in the industry to chat about all that's interesting in keeping our world secure. Speaking of keeping the world secure, we are excited to welcome Brent Deterding to the show. Brent is the CISO at Afni after spending over nineteen years at Secureworks, spread across multiple security leadership positions. He is also a long-time SANS contributor.
—
Brent, welcome to the show.
Thanks for having me.
Let’s get this out of the way upfront. You are a relatively new CISO. How is it going so far?
It is awesome. I wish I had become a CISO years ago. I hear retired people saying, “If I had known how great retirement was, I would have done it years ago.” I tend to feel that way about being a CISO. I like it. I love it. When you think about becoming CISO, you get all of the stats. You know that 78.5% turn to drugs or alcohol to deal with stress. They don’t sleep. They have an eighteen-month tenure. I don’t care because that’s not going to be me. They all look at you like, “Let me know how that goes.” I feel the same way as I did years ago when I got married to my lovely bride. They were like, “You think so now.” It’s been many years and I still love her, and she’s great. I’m going to keep her at this point.
Being CISO is going to be much the same. It is entirely how you approach the role. There's a lot of learned helplessness in this role. There's a lot of an Eeyore-like spirit of, "It's Friday." I reject all that. I love the gig. I know where all the bodies are buried, or at least I know where some of them are buried. I've done the incident thing. I handled that. I've dealt with politics and whatever else. It's great. I also interviewed specifically for the right culture and organization that I wanted to go to. That was a big deal for me. It took a long time to find that. I interviewed for about a year before I found the right fit and a place where I could succeed. I'm happy to be here. It's a good place, team, users, and everything.
As a CISO, you need to interview for the right culture and organization you want to enter.
I loved when we were talking before the show. You said something that I thought was interesting, where you said as a CISO, you are the incident commander, which is independent of rank and title. It’s just being the IC. You’re the boss. It’s, “This is what is happening.” From your words, you do anything. You tell people what to do. We even laughed at the notion of you being the wolf from Pulp Fiction. You’re not here to be nice. You’re here to solve a problem, and then after the problem is solved, we can all get back together and be people again, but this is the issue at hand. Being relatively new in that position after being someone who has reported up to that position, what was that transition like?
The incident commander role is extremely comfortable for me. I worked in operations for fifteen years, managing thousands of firewalls, handling all of the company, and all that. Back in the day, everyone blamed the firewall for everything. By de facto, you became the incident commander for a whole lot of incidents. It was a very comfortable role for me to slide back into. What I loved about it as a CISO is that all the things you do and the relationships you establish lead up to the moment. It gives you the trust that when it's time to be that incident commander guy, the Wolf, as soon as I say, "You do this," independent of rank, everyone defaults to it.
Everyone respects your leadership. No one tries to interrupt it. When we come back down from the incident a little bit, we’re able to say, “Remember me? I’m not difficult to work with. I’m pretty easy.” It works well. For me, a big part of that leading up to any incident was enabling the business. Every time I’ve turned around, I’m saying, “How can I enable you? How can I make this work better? How can we do this more securely?” That yields benefits when the chips are down, and you’ve got to do the incident commander thing. That helped me a lot because people were like, “I got it.”
We're one team. No one is wondering if we're on the same team. We're all trying to protect the business. It was very comfortable for me to go there, but I'm not convinced that every CISO is comfortable doing that, which means that if they're not, they need to find someone who is. You can hire that with incident management retainers or things like that. It could be a member of your team, a project manager, or someone who is able and willing to take control of the situation and do the right things that need to be done. It is a learned skill.
You're also trying to corral the most chaotic, cacophonous thing that there is in the world, which is people. That's been an interesting bugaboo for our industry, which thinks about what is in it for them. As a data point and what you need to consider as a CISO, there are hard and fast binary 1s and 0s things, and then there is the most fluid, weirdo thing out there in the world, which is people. For your thoughts, as you are rolling into this position, what do you think of the people?
I always take a positive attitude toward things. If you listen to a whole lot of CISOs, line CISOs up in a row, and 98% or 95% of them are going to tell you how their users frustrate them at every turn because people are people, and people do some things that we might put in the category of stupid. That happens. I choose to focus very much on the benefits my users grant me. They are an outstanding first line of defense. They give me early warning of things. Does every single one of them? No, but do enough of them? Yes. What I do is I reward that. I acknowledge it, reward it, and put them on special email distribution lists for cyber figures and campaigns.
Even the ones that might do the things that we might call stupid, I still try to talk to them, engage them, and make sure that they understand why we're doing these things, what impact it can have, and list their health. I want my users to be the frontline guerrilla warfare people throwing homemade Molotov cocktails at the enemy and telling me about it and raising a flag because the earlier I get that stuff, the better things are going to be.
The more I engage my users, don’t talk down to them, and don’t hate on them, the more engaged they’re going to be, the better I am enabling my business. There are a wide variety of ways to do that. Do we still have to deal with it if someone does something amazingly stupid? Yeah, we have to, but we deal with it in a positive, constructive mechanism. I choose to look at my users as outstanding assets, as opposed to people I must work around.
How do you quantify that? That’s one of the things in your position. You’ve got to sit in with the rest of the executive leadership team and roll this information up to the board. When we’re talking about things like behavior and culture, is that something they’re asking you to quantify? If they are, how do you do that? This is the most beautifully chaotic and horrifying part of what you do. How do you do it?
It is absolutely my job to quantify risk. Not all systems necessarily do, but I take the approach of quantifying things in financial terms. I look at various risks and say, "The annualized loss expectancy is X." Certainly, our users and people play into that, as do technologies, attackers, and all of these things. It may be a little bit imprecise, but at the end of the day, what my company and I do is get our risk down to an acceptable level. The acceptable level is going to depend on the organization. I look at every dollar that I spend on every initiative that I do and I answer two questions. 1) How is this enabling the business, and 2) Is this the best bang for the buck? I don't want to spend $10 to fix the $5 problem. If I can look and say, "I'm spending $3 to fix a $30 problem," that's a good buy for me.
If it’s a cliché, it’s not one I’ve heard before, but I love the idea, “I’m not going to spend $10 to fix a $5 problem.” That’s amazing.
If you label the episode that and stick my name on it, that's me. That's fine. It's the fundamental web. Users enter into the risk equation, but I don't have a line item that says, "Users present this much risk." Users may or may not. I like to put technology and processes in place that both advance security and enable them. For example, one thing that I want to do or am moving towards is passwordless authentication.
As a CISO, look at your users as outstanding assets instead of people you must work around.
I'm selling it internally as an efficiency gain. I know what percentage of the time my help desk spends on password stuff. I know how frustrating it is to have to change your password every X days or whatever. I want to eliminate that. I want to increase the efficiency of everyone within my company. If I go passwordless, I'm also getting phishing-resistant multi-factor authentication. I'm increasing the security, but I'm enabling my business at the same time. That's a win-win for me. It's worth the money every day.
You love people. You are leaning into investing in this, and I am all with you on this. One of the tragedies is that people are always named as the weakest part of this thing, but there are things that do need to be managed. From your perspective, running a team of teams, what are the biggest weaknesses in the human element? Where do you find yourself focusing or focusing on the teams that roll up to you in order for you to present your information to the rest of the ELT and the board and say, “Here’s what’s happened. Here’s what we need to do?”
It goes back to my overall goals. I made sure that my team and everyone aligned with enabling the business. I asked my team to do the very same thing that I do, which is, “For any given activity that we’re doing, how is this enabling the business?” I try to focus very much on that. I know that is working when I have people come to me and are like, “I hear you are the yes and how guy, not the no guy.” I was like, “That’s awesome.” They’re like, “But,” then they canceled the meeting with me. I was like, “Why did you cancel?” “Paul on your team already hooked me up so we don’t need to talk.” My team is doing the same things that I would have done being yes and how, not no.
When we're all focused on enabling, then what happens is not only me but my team becomes a linchpin to success within the organization because we get to know that everything that we touch works well, because we have a great amount of insight into IT and security. Security is confidentiality, integrity, and availability. We focus a lot on user behavior, people, politics, what people are incentivized by, the technology, the risk appetite of the company, and the attackers out there. We have a very broad scope of things that we know.
When we bring that to an IT project, a new vendor onboarding, or whatever with the goal of enabling the business, then good things happen just because we’re there. That applies to my team. That is an infectious culture of enabling the business and getting stuff done. It starts breeding. It feeds off itself inside. It’s a virtuous cycle.
I love the idea that they come to you with the notion of you being the "yes, and" guy, then they ask you something, and then you immediately say, "Yes, and." That being said, is there a value to saying no, either from your side or your team's side, when you are bringing something to them, and they think sometimes no is better? That's the weird thing. I feel like we're in this position now where everyone's trying to get along and make things work. Where does no come into the equation on either side of the equals sign for you?
No comes in all the time, but it is not my call in many cases. For example, we will look at onboarding a new vendor. This vendor would have programmatic access to some silly amount of data. I can put a dollar figure on our risk for that. I go to the business owner and say, "This is the risk. Do you want to accept this on behalf of the company? If you do, great. If you don't, okay." If your response is like, "How can we cut that risk?" "Yes, and how. We can." At a certain point, I don't necessarily care or have the viewpoint of whether we should or should not do this as a company. All I can do is shine a light on the risks that we face and say, "Is this worth it?"
People can decide, based on whether they own a business, P&L, and their portion of the business, whether they want to accept that risk. The answer may be, “Yes, absolutely,” or, “No, I’m not signing up for an expected $3 million of risk to enable this that solves twenty minutes of time a week or something.” I’m trying to get other people to make this same calculation, “Am I spending $10 or am I incurring $10 of risk to fix a $5 problem?”
I want to encourage that type of analysis and behavior for everyone because we can do whatever. The fact of the matter is that they can cut me out of the loop and get stuff done anyway. People have to want to involve the CISO or security because we are going to enable them to do things better, faster, and more securely. Otherwise, they'll go around us, and then it's my problem to deal with, try to find, and figure out. I want people to come to me because I'm helpful and my team is helpful, not avoid me and hope I don't find it.
You have grown up through the ranks, and you are now in the position as a CISO. When you look out onto everyone that’s involved in what you’re doing, how much time do you spend looking through their eyes compared to looking through your eyes? You’ve got to see it from multiple angles, but you haven’t been one of them, for lack of a better term. When you bring that into the boardroom, do they appreciate the idea that you were a foot soldier or an enlisted man before you became an officer?
It certainly does. The biggest thing that I think it gives me is a very good BS detector and a good way to look at it and be like, "I have not done this particular thing. I defer to you, my team, or him over there as the experts on this, but I've done very similar things at scale a lot. I'm confident that we have the technology to make tab A go into slot B. Let's make this happen." My background enables me to confidently state what the technology can do and that I can work with people on the process. That is frequently the case. Whether you're talking to vendors, technology, or whatever else, we have the technology to do what we need to do.
Generally speaking, technology is relatively simple, but human beings, all of us, take simple things and make them hard. I focus a lot on making simple things easy, which is not a technology problem. That is a people and a process problem. That's how I try to focus my time: on not doing the technology things, because I have a lot of people that can do the technology things. My value to my organization is much more in the leadership, people, process, and translating some of the tech speak to business speak.
Don’t spend $10 to fix a $5-problem.
I'm a marriage counselor in many regards. You sit people down, and you're like, "What statements do we both agree with? What do we both disagree with?" Find the differences. At the end of the day, a big chunk of what I do is translate. I feel like, from Office Space, I'm a people person, but at the end of the day, that's the deal.
For those of you not born in the '70s or '80s, please check out Office Space, so you know what he's talking about. It's the perfect analogy. When you are sitting across the table from the board members or the rest of the leadership team who are not specifically involved in the technology side, do they get it? How much time do you need to spend giving context around what you're talking about, or is it just boiling it down to data points so that you've got your twelve minutes of allotted time, and then we move on to the next thing and the next corner of the spreadsheet?
One thing that I love about my organization, in particular, is that we are a privately held company. We don't have a board that I report to, but I sit down once a month for an hour with my ELT. What I generally find is that every board is different, and they want to know a different amount of things. I started with what I thought they would want to hear, which was a relatively high level of business terms, and all that. What I find is that they have pushed me to go deeper in the weeds, to teach and explain more to them about how some of this stuff works and why it is important, which is cool. It's fun for me.
A takeaway for me is that I’ve talked and listened to a lot of people talk about this. There is no standard golden board report, ELT report, or anything else. It is a little bit dependent on what they want to know or what they want to hear. With that said, I will say that boards, in my viewpoint, are a little bit different than my ELT. My ELT owns their profit blocks or sections of the business, so they are less on the governance side and more on the execution tactical side.
However much they want to know, I'm absolutely willing to go there and talk about it. My initial foray into it is always high level. I answer four questions every single month. Those four questions are, "How confident are you that we are not compromised right now? What are we doing to ensure that we don't get compromised? What do we do if we get compromised? How much is it going to cost?" Every single month, I answer those four questions off the top of my mind. We can talk at any level of detail that we want, but at the end of the day, that's what impacts the business. That's what I talk about.
I’m still going to ask the next question, but I want to do a follow-up on that. You’ve got those four questions. In your mind, when you come in, and now we’re going deep inside baseball, this is what a CISO does when he or she walks into this meeting. How much time do you have in your head? I have four questions. I’m going to give you 90 seconds on each. Do you come in Clooney and Pitt in Ocean’s Eleven with your thing nailed down, or are you ready to lay it out however long they want to talk about it or something else?
At first, I started with, "These are the couple of things I want to talk about." For the first month or two, that worked, but now that has become their pre-read section. I give my ELT some pre-read so that they want to get down into the details. I cover some of the high-level stuff in the pre-read. When I hit that hour with them, we're talking about relatively specific things, and we're always coming back to, "How do we enable the business? What is the risk reduction? What do you want my priorities to be?"
The good news is, according to the actuarial tables, you only have about twelve months left to have to do this. That’s not how it works. When we talk to people who are potential Hall of Famers, they play and do this gig for a long time. Most of them do it for 1 or 2 teams only. They don’t bounce around that much. We could do this forever and also consider this the official, unofficial invitation to come back for a repeat episode. You are in an interesting position because it is a privately held company. There is no board.
It is different, but when you look around the room, how much different would it be if there were more people in the room coming from a security background? That's not necessarily what's happening with special devices, but anymore, everything is security. Knowing that the people sitting around the table spent at least some time dealing with a SOC or a security team, is it better, worse, or the same?
If it were a board, it would be far better. The SEC has proposed rules out there. It's very similar to Sarbanes-Oxley years ago, to require functional cybersecurity expertise on boards of directors for publicly held companies. There are some other things associated with that that are debatable. The presence of a qualified technology expert on the board with functional cybersecurity expertise is, in my opinion, a good thing. For me, I'm dealing with my ELT. That's fine and great. If I were dealing with a public board, it would be dramatically helpful to have a cybersecurity person on the board, not just so I have someone to pal around with and talk to. The fact of the matter is, for most organizations, cyber risk represents, if not the biggest, then one of the biggest risks of them having an extinction-level event.
T-Mobile paid $500 million, and Equifax, all these people are big. GDPR is over in Europe. That's going to come to the US in some form or fashion for national data breach requirements. The penalties for GDPR go up to 4% of your revenue. It is a big number. There are tiers of penalties, and you have the potential for criminal liability, especially in terms of negligence. The old CISO for Uber is being criminally charged. The directors from Fukushima got a $97 billion settlement ruling against them.
They try to collect $97 billion from poor people, but that aside. There's a very real and large risk to almost every organization from cyber. You need the techie people, but that has to be addressed from a governance level, the board, or the ELT on down. Where people have failed to self-regulate, now the SEC, laws, and everything else are coming in to be the regulators, because in the absence of self-regulation, attackers and adversaries have been doing the regulation.
Technology does what needs to be done, and it’s relatively simple. But humans take simple things and make them hard.
They have been effectively saying, "You will do this or you will pay." Every single experience at the board level will be critical to advancing their practice. This is why years ago we had Enron, the big financial mess. In response, they said you have to have functional financial expertise on your board of directors. It worked. Years later, we have dramatically more transparency. It doesn't necessarily fix things, but we do have a lot better transparency in financial reporting and investor risk acknowledgment.
It is good to get some security entities at the governance level as opposed to, “We have plenty down there.” Go talk to a lot of technical security practitioners. They will tell you exactly how to fix their company. The knowledge of how to do this is not a problem. It is the ability to make the technology work for people, enable the business and sell it. That is a CISO leadership problem. That extends up to the board.
When you come in and you’re asking her, “Why does she have this giant bruise on her forehead?” It’s because I’ve been banging my head on my desk because I told everybody how to do this, and it still happened.
The add-on to that is I have a talk that I am doing, saying, “Are we overspending on cyber security?” The very typical answer is, “We need more budget. We have a labor shortage. We have all these shortages.” I reject that. We need better leadership of existing resources. That means budgets and people.
Let’s move over to the leadership corner. Let’s talk a little bit specifically about what’s happening in your house. What’s on your Spotify playlist? What are you reading? What are you cooking? Are you gardening? Do you ride motorcycles? What’s happening in the Deterding household?
I would love to have hobbies again. I have a ten-year-old who is very large and a lineman in football. I have a very active four-year-old. My wife and I are also foster parents and have a fifteen-month-old. The fifteen-month-old coincides with the peak pain in the butt age. He’s cute, but he is a force divider.
Did you do this on purpose to have this much chaos, so you have to always be in a state of, “What is happening?”
My general approach to life works all over the place. I tend to be prepared for a lot of different things, emotionally, physically, etc. When my phone rings on a Sunday saying, "We are experiencing deck," I go, "That's fine. We are doing this." My wife and I are Team Deterding. "There's nothing that Team Deterding can't do. We give and take and make it happen." A lot of this is working with my kids and in foster care and all that. Music has always been a great thing for me. I listen to a lot of music. I enjoy hunting.
You can’t say, “I enjoy music.” I asked specifically what’s on your playlist. You’re not going to hurt my feelings. It could be Slipknot or John Denver. Probably not Mariah Carey. That might hurt my feelings.
There's a band out of Austin named Reckless Kelly that I like, and Black Stone Cherry. I like a little bit more modern blues, like Kenny Wayne Shepherd. I've been doing a lot of that. I enjoy Chris Stapleton, but I liked him more when he was with the SteelDrivers, which is a bluegrass band. My theory is that if you are a normal human being, you cannot listen to bluegrass and not smile. You may not want to listen to it for hours, but if I put on bluegrass, people are like, "I'm good."
I feel like guitar, generally stringed instruments, are the driving force behind team Deterding.
There is a lot of music in my house. We’ve been going to the Macarena dance because there was a dance in Fortnite. My kids are like, “No, you’re doing it wrong,” I’m like, “I was doing it the right way the heck before you were ever born. I don’t want to hear it from you. I know what’s up.”
Cyber risk represents the biggest risk of having an extinction-level event. It’s important to have a cybersecurity person on your board.
Let’s move on to shameless plug. Tell everybody what’s going on with you, with the company where they can find out more information about everything that’s happening.
I love being a part of Afni. It is a business process outsourcing company. We run call centers in the Philippines and elsewhere, but a big chunk there. We're pretty awesome at what we do. I enjoy talking to our competitors. I talk to their CISOs because security is not a trade secret. The better we all get, the better we all are, and I like that. I like to make security a differentiator for us in the sales process. With my background with a vendor in front of sales, I'm credible in that room and in operating in a sales cycle. I enjoy talking about how awesome my team is and how great our security is. That helps us win business, so I'm all about it. That's fun.
Imagine an executive leader who’s giving credit to the rest of the team and talking about how awesome they are. I didn’t even know what to do with that. Do you want to throw me a website of the little Twitter plug or any of those sorts of things?
I post a little less often than I would like on LinkedIn. I tend to throw things out there. With my email, I like to throw things out that I may or may not believe, but I'll throw it out and see who is willing to engage and beat it up. I might be right, wrong, or learn something, but hopefully, one of those things. I definitely do not like the echo chamber of, "You're totally right. I agree." I like to throw things out like a big controversy. Give me someone who says, "No, I disagree." "Cool. Let's talk."
The final question, and this is my non-sequitur, that you were utterly unprepared for because you have no idea. Would you rather do something with style, grace, panache, or aplomb?
Panache is my style. No matter how stupid I look or whatever, I’d rather go at it real aggressively and figure out what I did wrong and do it again.
This is hard-hitting journalism that we’re bringing you on from the show. Brent Deterding brings you the answers and honesty, saying, “I do it with panache because that’s my style,” which are two of the choices. That’s it. We could get more ridiculous, but now everybody’s saying, “Please tie this off. No one knows even what you’re talking about anymore.”
Thank you for joining us. For more information on all that's good in the world of cybersecurity and everything that is keeping the world tight, imagine we're talking about humans, the impact that they might have, and what's going on. You can find us on LinkedIn and Facebook, and at ElevateSecurity.com. You can find me at @PackMatt73. Brent, if people look for you anywhere specifically, where should they go, or should they just look you up on LinkedIn?
LinkedIn is where I live.
This is it for this show. All we ask is that you subscribe, rate and review. We got all the cool stuff coming up. We have got a stack of guests who are letting you know. Do you know who’s not the worst part of cybersecurity? People. See you next time.
Important Links
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Brent Deterding
- Afni
- @PackMatt73 – Twitter
About Brent Deterding
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their clients securely and confidently. For over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks. Brent is a spirited and thoughtful conversationalist who does not shy away from challenging topics. Known for holding and defending some controversial opinions, he will gladly debate his views with you. Both Brent and his wife of 20 years share a passion for adoption, foster care, and leading youth.