Webroot CISO Gary Hayslip Discusses Differences Between Public and Private CISO Roles in Techwire Articles

Gary Hayslip, VP and CISO of Webroot and NTSC Advisory Board Member, recently published a pair of articles in Techwire that discuss the nuanced differences between a public and private sector CISO’s roles and responsibilities. His commentary, So, You Want to Be a CISO, taps into Hayslip’s experience as both a federal government and large municipality CISO. He talks about public sector CISO budgeting, working with the CIO, maneuvering through existing departmental relationships, procuring, and dealing with lags in technology investments. His other article, A Career CISO’s 7 Observations on Public vs. Private Sector, compares these two different sectors in terms of how CISOs show value, offer cyber as a continuous service, leverage their respective organizational cultures, and develop the wins needed to establish a foothold within the organization.

Smart Cities: How Data and Visibility are Key

ISACA recently conducted a smart cities research survey in which it asked approximately 2,000 security and risk professionals questions focused on smart cities and their management, risks, and future technology initiatives. As a recovering city CISO, I can tell you that many of the survey questions were typical ones asked about smart cities. One question that caught my eye regarded what technologies were believed to be essential for the “security/resilience preparedness” of smart municipalities.

This question was of interest to me because city environments are collections of disparate systems. I used to joke that cities were packrats: they keep technologies beyond their typical lifespans due to the scarcity of resources needed to replace them. This mixture of legacy and up-to-date solutions can lead to environments with challenging levels of risk. As the CISO of a leading global smart city, I found one of my best assets for managing organizational risks was visibility into the municipality’s operations, data flows and network infrastructure.

I say this in part because, of the five answers available for the survey question on resiliency, “Advance Data Analytics” was the most selected answer in terms of what professionals believed smart cities need to perfect the preparedness of their security efforts. I am sure this is a shock to some. Many would have thought new tech or cutting-edge science would be what smart cities need. In actuality, the use of data analytics to manage scarce resources and highlight anomalous behavior is a better value because it provides visibility.

Data analytics and the technology platforms that incorporate it can be leveraged to orchestrate incident response teams’ reactions to business continuity events and to target efforts for isolating and remediating incidents. These platforms provide substantial visibility, and can give municipal security programs context surrounding risk exposure to their organization, as well as assist in the selection of controls and processes used to remediate threats.

Smart city CISOs and security teams face business operations, enterprise infrastructures and unique datasets related to the use of new smart sensor technologies. These challenges can be managed, I believe, with the use of advanced data analytics platforms providing visibility into how sensitive data, critical networks and citizen-facing operations are stored and used in a safe manner that protects the assets entrusted to them by their neighbors.

CISO Manifesto

Q3 2017

CISO Manifesto is a destination for chief information security officers (CISOs) to share their observations, thoughts, and frustrations. The manifestos are written by CISOs, for CISOs.


10 Rules for Cybersecurity Vendors

Why marketers fail at selling to CISOs… and what to do about it.

garyhayslipembossed Gary Hayslip, VP & CISO, Webroot

San Diego, Calif. – Aug. 8, 2017

So as businesses today focus on the new opportunities cybersecurity programs provide them, CISOs like myself have to learn job roles they were not responsible for five years ago.

These challenging roles and their required skill sets I believe demonstrate that the position of CISO is maturing. This role not only requires a strong technology background, good management skills, and the ability to mentor and lead teams; it now requires soft skills such as business acumen, risk management, innovative thinking, creating human networks, and building cross-organizational relationships.

To be effective in this role, I believe the CISO must be able to define their “Vision” of cybersecurity to their organization. They must be able to explain the business value of that “Vision” and secure leadership support to execute and engage the business in implementing this “Vision.”

So how does this relate to the subject of my manifesto? I am glad you asked.

The reason I provided some background is because for us CISOs, a large portion of our time is spent working with third-party vendors to fix issues. We need these vendors to help us build our security programs, to implement innovative solutions for new services, or to just help us manage risk across sprawling network infrastructures.

The truth of the matter is, organizations are looking to their CISO to help solve the hard technology and risk problems they face; this requires CISOs to look at technologies, workflows, new processes, and collaborative projects with peers to reduce risk and protect their enterprise assets.

Of course, this isn’t easy to say the least, one of the hardest issues I believe CISOs face is time and again when they speak with their technology provider, the vendor truly doesn’t understand how the CISO does their job. The vendor doesn’t understand how the CISO views technology or really what the CISO is looking for in a solution.

To provide some insight, I decided I would list ten rules that I hope technology providers will take to heart and just possibly make it better for all of us in the cyber security community.

So, let’s get started. I will first start with several issues that really turn me off when I speak with a technology provider. I will end with some recommendation to help vendors understand what CISOs are thinking when they look at their technology. So here we go, let’s have some fun:

1. “Don’t pitch your competition”

I hate it when a vendor knows I have looked at some of their competitors, and then they spend their time telling me how bad the competition is and how much better they are. Honestly I don’t care, I contacted you to see how your technology works and if it fits for the issue I am trying to resolve.

If you spend all of your time talking down about another vendor, that tells me you are more concerned about your competitor than my requirements. Maybe I called the wrong company for a demonstration.

2. “Don’t tell me you solve 100% of ANY problem”

For vendors that like to make grand statements, don’t tell me that you do 100% of anything. The old adage “100% everything is 0% of anything.”

In today’s threat environment, the only thing I believe that is 100% is eventually that I will have a breach. The rest is all B.S. so don’t waste my time saying you do 100% coverage, or 100% remediation, or 100% capturing of malware traffic.

I don’t know of a single CISO that believes that anyone does 100% of anything so don’t waste your time trying to sell that to me.

3. “Don’t make me specialize to use your tool”

Don’t tell me your solution is written in proprietary language and I will need this module or this application to read the data correctly.

I have limited funds and a small team. I need a solution that will integrate with my current security suite and it’s easy for my staff to implement, manage, and create reports. Better yet, I like modular solutions that can grow with my organization as we mature.

So, don’t hit me with an extra bill each time I want to add a requirement or use a new service, just incorporate it into one bill that I can budget for and defend when I go to financial management.

4. “Don’t bring me overcomplicated solutions”

This is a big issue. To all vendors, if the technology that you want to sell me takes four sales engineers to explain it to me and several hours to demonstrate then it’s way too complicated for me and I am not interested.

I am dealing with issues 24/7, I typically have small teams and not enough funding so I am not going to dedicate one staff member to just use your solution. True, you can make the case that it’s an awesome security technology. However, the more complicated and time consuming the technology, the more resources get consumed in trying to make it work and my teams don’t have that time.

Bring me something that is elegant and easy to use, reports that are intuitive and easy to configure, and it integrates whether through API or scripting with my SIEM and other toolsets – I would give a body part for this usability.

5. “Don’t try to shortcut my procurement cycle”

As a vendor, when you are dealing with governments or large organizations remember our procurement cycles are not fast. Some organizations are better than others but understand it takes time.

Also, understand when you deal with a CISO for a government agency and they tell you they are working on the issue for you, don’t go behind his/her back and start harassing their procurement for the purchase order so you can meet your numbers. To me that immediately kills any relationship and trust we may have had and I will request a new vendor.

Again, government procurement cycles are longer and take time. It’s all about the relationship don’t screw up a long-term relationship to make a quick buck.

6. “Do be a partner to me, for I value partnerships, not technologies”

As a technology solution provider, if you want to do business with me as a CISO, I want a relationship.

I partner with all of my vendors and expect to speak with you more than just once a year when it’s time for renewal. I like to work with my vendors and make suggestions to improve the product and help the customer community. If you’re not interested in that, then don’t bother calling me or better yet don’t expect me to renew with you.

7. “Do give me three unique value propositions for using your technology”

Vendors, please understand when you are talking to a CISO we are dealing with a large number of threats, projects, audits, politics, budget issues, compliance requirements etc. So for sanity’s sake, keep your pitch simple.

Don’t go into the weeds, focus on 2-3 key value points about what your solution, platform, hardware etc. can do for us to help reduce our stress overload and provide visibility into the issue you are trying to solve for us.

8. “Do know what problem you are trying to solve”

From the previous statement above, KNOW WHAT PROBLEM YOU ARE TRYING TO SOLVE!

Please know what the problem is, why it’s a problem, why it’s going to get worse if not remediated, and how you can take that problem and turn it into a good news story for me so I want to work with you.

9. “Do automate, it is the future”

Please tell me how I can automate your solution, again with small teams and limited resources.

I am on the lookout for how I can reduce risk to my organization through automation using AI, UBA, SDN, and other technologies so I can concentrate my teams and our resources on those areas that are impactful to my stakeholders.

If your solution is a standalone technology that must be manually operated, you are five years late. The threats we currently face are happening so fast that the survival of my networks is based on what I can automate.

10. “Do bring platforms, not individual tools”

My last point I want to make is that as a CISO when I am looking at technology to assist me with a security gap I tend to look for a solution that is a platform. I don’t like to look at one-offs.

I have enough issues and technology to manage so I would much rather look at a platform solution. Show me something that helps me solve several security control issues and it is mature enough to grow with me over time. I know there are companies that have their niche and all they do is one small thing very well. Eventually, someone is going to add that niche to their platform and even if they don’t do it as well as you it will be enough for you to lose market share.

Just understand I am trying to remediate as many issues as I can with limited funding so I will look for platforms more often than not to do this effectively.

So, there are my ten rules. Some of them are annoying issues that I really hope my next sales call takes to heart and some of them insight into how I source technology when I am researching a requirement.

“Oh, and no cold calls…”

As a CISO, I will normally talk to my peers first for ideas on how to remediate an issue. I will also research solution ideas from the forums of professional organizations that I am a member of and I will contact research providers such as Gartner, Forrester or boutique research firms that specialize in areas I focus on such as TechVision.

When I am ready, I will reach out to a trusted partner to bring in a technology that I am interested in or I will directly contact the company. I typically like to be contacted via email first, even though I get huge amounts of correspondence, I try to let vendors know if they are in a technology that I might have a need for and, if so, I will request a meeting.

Again, most CISOs have limited time and are dealing with numerous issues across their organization, cold calling one of us will normally get your number blocked and we will definitely not reach back out to you.

One of the main reasons is cold calls to me are interruptions, you are breaking up the flow of my day and interfering with what I am trying to accomplish. I would much rather talk to you at a professional event or via email from one of my trusted partners.

As I end here, I hope some of you find this information of value and I really look forward to seeing what our community has to say in return.

Please provide your points of view for the betterment of our community, I think improved communications between the security executives of organizations and the technology partners who serve them would greatly improve our community and increase our ability to innovate and respond to the threats that put our organizations at risk.

Stay tuned for the Q4 2017 edition of CISO Manifesto.

Gary Hayslip is Vice President and CISO at Webroot, and Co-Author of the book CISO Desk Reference Guide: A Practical Guide for CISOs

(This story was written when Gary Hayslip was CISO for the City of San Diego, Calif.)