1.1 CISO Competency - Discretion
Hi, I'm Leif Jackson. Welcome to the fifth of our series of twelve competencies of the effective CISO, by Ed Amoroso. Competency five: Discretion and Trust. I hope everyone had a happy Father's Day, and I look forward to today's session. Take it away, Ed.
Okay. Hi, everybody. We're up to our fifth lecture. They certainly go quickly. So I'm looking forward to this one. This is a hodgepodge. I've been teaching forever, and some lectures are cohesive, like there are ones where, when I look at the shape of the lecture, the shape of the message, it's clear. If I were here talking to you about, say, Kerberos or something, it has a beginning, a middle and an end, and usually at the end people feel very, very satisfied that there was this topic that we covered. But when I lecture on this capability or competence, this attribute of the CISO, which I use the term discretion for, I find it's all over the map. So I want to give you the preliminary kind of summary here that you're gonna see me jumping around a little bit. But maybe it's a good metaphor for the topic.

There's a personality kind of trait or attribute that I believe is essential in a good CISO, and it's what my cousins in Brooklyn would say: being able to keep a secret. I remember one time hearing a story about one of my aunts. My uncle had been out doing something, and they were new there. And one of the neighborhood folks came and asked my aunt something about my uncle. And she said nothing. My uncle came back and said so-and-so was looking for me. I remember she said, "Don't worry, I told him nothing." Meaning, in her mind, she was doing this great thing. She figured he was in trouble. Kind of the ethos was that you keep a secret. I know it sounds so silly, so prototypically my family.

But in this CISO business, there's a level of discretion that's not in any of the compliance requirements or frameworks. It's not something you're gonna learn at SANS. It's not gonna be something you pick up in a lab. It's gonna be something that you pick up by doing the job, and you should know about it. And what I want to share with you today is kind of my belief that this is an important competency. It's something you should be aware of, and as you plan out your career, it's something you should think through. But let's read, as we always do, the sentence here. It says: Effective CISOs exhibit and maintain a high level of discretion and trust in dealing with sensitive information regarding threats, investigations, and ongoing initiatives. So if you're the kind of person who likes to talk a lot and brag and blab and so on and so forth, then you gotta knock it off, because this is a profession where the ability to show great discretion is important. I'm gonna give you a lot of examples, and like I said, it jumps all over the place. It goes from kind of Mafia things to public key cryptography to government information sharing to old early Orange Book stuff, all of the above, kind of building this collage that I hope, at the end of our hour here, you'll understand. We do have a little case study that touches on this, and we also have a guest. I'm gonna be speaking more generally, and then she, who is one of the finest CISOs and executives and security experts that I know, will certainly broaden the discussion with me when we get to that portion. I'll leave the last 20 minutes or so to hear from her. But for the next 35 or 40 minutes or so, I want to give you some information and some insight into an attribute that I really do believe is about as important as your technical ability.

Well, let's start with something that's very unusual.
This is a picture of the Ravenite Social Club in Lower Manhattan, in Little Italy. This is where the Gambino crime family, and John Gotti in particular, used to socialize. It's funny, it's a shoe store now, and I work a few blocks from this building. I was walking by there recently and I said, oh my gosh, this is great, and I took a picture, and I remember somebody looking at me, thinking that I was probably FBI or something, taking a picture of the old Ravenite. At any rate, the reason I bring this up is that the way security was done in those days, from the seventies, at a place like AT&T, then called the Bell System, is that they were engaged with law enforcement to catch these people, and they caught them using telephony. So it's less about hacking. But the quote-unquote phone company's part is all documented, like, insanely, in the Bull Gravano book there, which, by the way, is an amazing book if you're the type of person who is willing to read a trashy book occasionally. That's a good one. I don't know if you know Peter Maas, but he's an interesting writer. We invited him to Bell Labs many years ago to give talks. I met him and thought he was just a really wonderful writer. But he wrote this book about life in the mob. At any rate, the reason I bring it up is that these investigators at AT&T were going after some people where, if you didn't show discretion, you could be killed.

So I have to ask you, I want you to take a moment and think: would you be comfortable in that kind of arrangement? Would you be comfortable in an arrangement where you're working an investigation at work, chasing some hacker or something, and if you don't show proper discretion, your safety could be put on the line? Think about that a minute. How would you feel about something like that? And how would that affect and influence your behavior? Most CISOs, including myself, have had their run-ins. Like, I've had death threats personally. I've testified in court against some pretty scary people who went to jail and, when they got out of jail, would send me little snarky notes. So there is a reason why, when you start doing this sort of job at a more senior level, you need to look at this picture and recognize that your antecedents, or your predecessors rather, operated in an environment where in many cases there was great danger. I'll bet none of you have ever considered, even for a microsecond, as IT security folks, you know, deploying endpoint security, this idea that there could be personal risk. But I think it's an important metaphor. It's something you need to recognize, and something that no one will ever tell you unless they've been in the job as a CISO, if you've done it and you dealt with this issue and you felt that fear and stress that comes from this.

Let me just share with you how they caught John Gotti. Upstairs from, it might have been the Ravenite or one of these clubs, there was an old lady who lived upstairs. The Mafia would be wandering around the streets down in Lower Manhattan, and the AT&T operatives, the security teams there, and the FBI would do surveillance, and they would see them occasionally going into this building. They weren't quite sure why they were going in. There was nothing in there, and they'd come out 15 or 20 minutes later. And they realized, after they did a lookup, that there was a little Italian lady who lived upstairs, and what they did was they got a court-ordered wiretap on her phone, and that's how they caught these guys: with telephony, with wiretaps, with a combination of old-fashioned sort of police work. And that's how they caught these people. And if you were doing security in telecommunications back in the seventies, this is the kind of thing that you would likely be involved in. Again, we don't see too much of this now. And if you were doing a similar sort of thing with hackers on the Internet, I doubt that you'd be staring at a scary face like this guy, Sammy the Bull, worrying about your personal safety. But it was much more personal then. And if you go back and look at Kevin Poulsen's writings back in the 1990s when he was hacking, remember the hack of the radio program, you know, and he won a Porsche. What he did is he broke into the Pac Bell switch and redirected, I think I might have shared the story with you at one point, the 800 number so that only he made the calls. But what Kevin Poulsen was also doing back in that era, and the reason he understood the Pac Bell system, is that he was climbing through the window into Pac Bell buildings and literally leaving notes for the security team on their desks. Now, admittedly, he's a hacker. He's not Sammy the Bull, like this guy with a bunch of murders under his belt. But I just want you to understand that when I say discretion is important here, I'm not telling you, don't gossip, don't be, you know, be well-behaved and keep secrets. Not that. It's that when you're doing security, you're dealing with malicious activity. You're dealing in some cases with very serious criminal activity, nation-state activities. People mean business. So if you're gonna do this as an executive, you need to develop a keen understanding that there's a time when you need to learn to exercise considerable discretion.

Let's go to the next one.
Now, if you share a generation with me, these books, this Rainbow Series, will look very familiar. This is, in my opinion, I think if there were foundational documents for our discipline, these are them. So in the 1970s the federal government realized that computers were gonna be the way they kept secrets, and they hired MITRE, or I guess they funded MITRE. MITRE's an FFRDC, a federally funded research and development center for the United States. They funded MITRE to go in and figure out how they could protect documents and do confidentiality and protect secrets on computers. And this whole Rainbow Series popped up, a bunch of different documents that laid out guidelines for what you do. And the reason I think this is an important thing to take a look at is that it was all about confidentiality. 100% about that. It was all about keeping secrets. How do we keep and maintain secrets in government? Like, the obsession then was secrecy, confidentiality, prevention of the disclosure threat. That is our root. That's where we come from.

And it's funny the way that this would work. The root of most of these documents is that military security model, which is all about clearances for people and classifications for documents. Now, I don't think there's a person on this call right now who works outside of government who would consider their workplace to include some rich kind of structure around clearances, classifications and so on. You tend to have more need-to-know, and then there are level orientations, like there might be the CEO, and the CEO's direct reports have access to certain things, like earnings information in advance of a call, or certain types of critical business documents that they would have access to that others wouldn't. So there is some sort of a level hierarchy, and then there are the need-to-know categories that are kind of based on project. So if you work on this project, you see these documents; if you work on that project, you work in others. We have some of that. And what does this mean? It means that in all of these environments, government or commercial, you have to learn to be quiet, right? You can't be working on a finance team doing cybersecurity and blabbing about earnings. You could bring the whole corporation down, and there'd be legal proceedings if you went off and talked about something that you had access to. And as a security team, what you will learn as the security executive is that you basically have access to everything. So what does that mean? It means you better learn very quickly how to compartmentalize and how to respect the level hierarchy that exists. And these documents are where most of that was invented. So at MITRE they recognized that when you had a secret clearance, you could read secret stuff, but you couldn't read top secret stuff. So they went, huh, you can't read up, and they coined this motto: no read up. And then they noticed, if I have secret information, I could put it in a secret safe, but I can't put it in an unclassified safe, so I can't write down: no write down. And they coined that motto and put it together into this model that guided the way they protected secrets in the military for about 25 years.
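Added example, not part of Ed's lecture or of any MITRE document: the two rules just described (no read up, no write down) plus the need-to-know categories mentioned earlier, written out as a small access checker. Levels form a hierarchy and categories form sets; a label dominates another when its level is at least as high and its categories are a superset. The level names, the analyst, and the documents below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hierarchical levels, lowest to highest. The names mirror the hierarchy
# described in the lecture; the numeric ranks are this example's own.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of need-to-know
    categories (a project name, 'EARNINGS', ...). A subject's clearance and
    an object's classification are both expressed as Labels."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: at least as high a level AND a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """'No read up': the reader's clearance must dominate the document."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """'No write down': the container receiving the data must dominate the
    writer, so nothing the writer has seen can flow to a lower or
    less-compartmented place (a secret fact into an unclassified safe)."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Decide one request; mode is 'read' or 'write'."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode!r}")


def audit(subject: Label,
          requests: List[Tuple[str, Label, str]]) -> List[Tuple[str, str, bool]]:
    """Evaluate (document name, document label, mode) requests and return
    (document name, mode, allowed) for each one."""
    return [(name, mode, check_access(subject, label, mode))
            for name, label, mode in requests]


# --- constructed demo data (hypothetical; not from the lecture) ---
ANALYST = Label("SECRET", frozenset({"PROJECT_X"}))

DOCUMENTS = {
    "project_x_plan":     Label("SECRET", frozenset({"PROJECT_X"})),
    "project_x_ts_annex": Label("TOP_SECRET", frozenset({"PROJECT_X"})),
    "project_y_plan":     Label("SECRET", frozenset({"PROJECT_Y"})),
    "public_notice":      Label("UNCLASSIFIED"),
}

DEMO_REQUESTS = [(name, label, mode)
                 for name, label in DOCUMENTS.items()
                 for mode in ("read", "write")]


def denied(subject: Label = ANALYST) -> List[Tuple[str, str]]:
    """The (document, mode) pairs the model refuses for the subject."""
    return [(name, mode) for name, mode, ok in audit(subject, DEMO_REQUESTS) if not ok]


if __name__ == "__main__":
    for name, mode, ok in audit(ANALYST, DEMO_REQUESTS):
        print(f"{mode:5} {name:20} {'allowed' if ok else 'DENIED'}")
```

Note the asymmetry the lecture points at: the analyst may write into the top secret annex (writing up is allowed) but may not read it, and may read the public notice but may not write to it. The project Y plan is refused in both directions because of need-to-know, even though the level matches.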
Secrecy and protection of these confidential documents and confidential data is so at the root of this job, and it's something that is not easily laid out. How do you teach someone that when they go to a board meeting and they hear something that really ought not to be repeated, to not repeat it? Or maybe you have to repeat it. That's why I call it discretion. I don't say don't ever talk about sensitive stuff. I say you have to exercise good, solid discretion based on the situation, based on ethics, based on the corporate sort of ethos, in situations like this. So what that means is that, where in the previous case I was sharing that you wanna have a good sense of discretion because in the old days your safety could very much be on the line, you could have your life put at risk if you're not very quiet and careful about what you talk about or don't talk about, in this case with the Orange Book it's very different. This is more about respecting the information classifications of the organization and making absolutely certain that you're following a set of procedures that make good sense.

Now, I've got a few questions here that I want you to ask yourself
in the context of kind of your own way you go about things. So we'll go through these. While I'm asking each question, I want you to just take a moment and ask yourself whether these are things that you do.

So when you're in a security role and you're passing along some sort of information, I don't mean silly information, like, you know, Joe or Mary got promoted. That's not what I'm talking about. I mean something that's substantive. Like, for example, that the data center outage that happened last week may have been malicious, and that there could very well have been an externally initiated hack that caused the data center to be down for two hours or something. Someone on your team tells you that. Well, when you decide that you're gonna go repeat that, do you habitually ask yourself who really needs to know this? Like, I don't want to share that data just to show my power. That desire to sort of deal in information is one of the great criticisms we have when we share with government, particularly a problem in a political setting, that a lot of times it's not who really needs to know this information, but who can I impress by sharing this information? If you say I'm gonna share this because the person who hears this will be impressed that I'm very important to know this, then you are in the wrong role. That is not the way to operate as a chief information security officer, a CISO, in contrast to someone who must always ask this question before I share this: does this person really need to know this? So that's number one.

Do I need to write this down? It's kind of funny. We watched all this stuff with Robert Mueller and Jim Comey, two people that I've known for some time. When I left AT&T, I started doing some board consulting. I went and gave a board talk, and the CISO who was there asked if I would share the stage with someone, a former government guy who was gonna talk threat before I talked. I said, of course. It went pretty well, and we were gonna actually tag-team and maybe do some more. But then he got busy, because the person was Robert Mueller, who was on the front end of that presentation. So we didn't continue or start a business together or anything. But at any rate, this idea of, do I need a record of what's going on here? And I put "ask a lawyer," because a lot of times you would. But that's also a discretion kind of issue. I often would have this habit of writing down things that I thought would later be something important. So just take a moment. Ask yourself, do you do that?

Now this question: before you share something with some individual, whether it's an email or something you just verbalize, do you routinely ask yourself... Email is the most important kind of medium for business communications, so here's an important one as you exercise discretion as a CISO. When you go to tap something out in an email, do you ask yourself, would this be okay if this were published in The New York Times? Yes or no? Now, I think this is good practice for anyone, set aside being a CISO, but it is super important for security executives to ask themselves this question every time, all the time that they're sharing information. And we're gonna hear from our guest a little bit, but I have a feeling she'll probably have a couple of things to say about this. She's been at this so long, I think she's probably seen people make this mistake all the time: tapping out emails that really should never have been codified.

Have I respected the principle of least privilege in sharing? So here's a case where there is a foundational design principle that's so useful and important for our industry that you could apply it to your human interaction. Least privilege means maybe I gotta share something with you, but I don't want to tell you everything. If, for example, in the data center case, let's say I suspect there might have been something malicious in what caused the data center outage, and I have to go talk to one of my teams about deploying something to, say, support an incident response. Well, maybe I have no choice but to tell them that we suspect it may have been malicious, but do I have to tell them who the rumor is that it might have been, what the reason or what the motivation was? Do they need that? Probably not. In fact, that's probably the most overused piece of information, particularly with boards, that I've ever seen: this idea of somebody saying, who did this? And then you spend a lot of time gabbing and dropping names of potential hacking groups, and you may not really know. But you're doing that just to serve the board's curiosity and sort of voyeurism and wanting to know who would ever come after us, why are they coming after us? And you may have no idea. But the point is this principle of least privilege. I think it's spectacularly important as you go about building out a personal program of how you share information with the team during cybersecurity incidents.

And then this is one I really do want you to think about. I'm even gonna pause here and let you think about this for a minute. I want you to reflect. If I were to come up to your peers and give them your name and say, is this somebody that I can trust with this piece of information, what would they say? Would they say, absolutely, you know, she's amazing, tell her anything, and it's gonna stay there? Or would they go, I'm not sure that's somebody I necessarily want to share this information with? Maybe in a prior engagement you went and you shared with somebody something that you should not have shared, something that they had no need to know, but that you were sharing just in a boastful manner, or to wave your tail feathers, saying look what I know. If you are that person, then you really do need to think that through, because that is not a good attribute for any chief information security officer.
This nice woman here is the wife of one of the most spectacularly important computer scientists who've ever lived that you've never heard of. And that's his picture there. She's holding his picture. That's James Ellis. And you may not know this, but Whit Diffie and Marty Hellman originally put together and reported on the basics of public key cryptography in the literature in 1975, their landmark paper on public key cryptography, and then later Rivest, Shamir and Adleman implemented much of it, codified it in their algorithm for generating public and private keys, and Diffie and Hellman later codified much of the protocol infrastructure in the concept of Diffie-Hellman key exchange, where two entities that are unknown to each other in advance, other than to agree that they're using a similar scheme, can share a secret without a third party. Just amazing contributions of these people in the 1970s. And one of my great sort of personal prides in this business is that I did get a chance to get to know Whit Diffie and spend some very, very quality time with him, learning from him. I brought him to spend time in my lab. We interviewed him, he keynoted a conference, and he's just a wonderful, wonderful man. You know, we live in an era where there aren't too many heroes. Whit Diffie was one of mine.

But after Whit Diffie published and was basically heralded with Marty Hellman and others as having introduced this amazing invention, it became known much later that the man in the picture right there, James Ellis, had actually stumbled onto the basics of public key cryptography long before Diffie and Hellman had done their work, as much as a decade earlier. Maybe less than a decade. I want to say maybe six years. James Ellis had been working in other places, in the UK Post Office, as a technologist and mathematician, and then he went back to GCHQ, which is where he had originally been. When he came back to the job, his boss, Fred Williamson, had to find him something to do and said, why don't you go work on the key exchange, you know, secret sharing, the man-in-the-middle issue of sharing secrets. It would be sort of like me asking you to go solve whether NP-complete problems actually have a shortcut. Like, it was a famous unsolved problem. Almost kind of a sarcastic joke to go work on the problem. So James Ellis had actually been reading some papers from Bell Laboratories from World War Two, where an engineer, we don't know who it was, had proposed that if you introduce line noise over a phone wire and you remember what the noise is, then that noise can travel with the phone signal and be subtracted off on the other end. And it seems like such a trite, obvious thing. But something about that sort of caught James Ellis's fancy, and he read that paper over and over and over again and came up with the concept of a public and private key, where you encrypt with the public key, decrypt with the private key, blah blah, and vice versa, and get all the beauty, the mathematical elegance that comes with that spectacularly wonderful idea. And he showed it to his boss, a two-page paper. And if you're interested, it's a paper called "Non-Secret Encryption" by James Ellis. If you Google that you can read it. It's a great read. I make my grad students at NYU and Stevens read it every semester.

But he wrote this paper and it was just spectacular. Everybody looked at it and went, oh my God, this is incredible. The problem was, two problems: one, it was classified, he couldn't talk about it; and two, computers in 1968 or '69 were like, they would get tired multiplying, and he had these complex mathematical operations that would have had to have been implemented. He didn't know what they were. He wasn't the mathematician to come up with it. So some number of years later, Clifford Cocks was a young man who had just finished his mathematics training at Oxford or Cambridge, essentially fresh, joined GCHQ, and happened to be having tea with Ellis and/or Williamson. And they told him about the scheme. And Clifford Cocks said, my God, I know just what to do there. It turned out he'd been just doing his graduate work in prime number theory. Go figure. And we all know that the essence of much of this public key cryptography is around the idea that when we take two prime numbers and multiply them together, it is a spectacularly difficult problem to figure out which two primes it's the product of. It's an NP problem where the only way to solve it is divide by two, divide by three, divide by five, to essentially do brute force, which is the essence of NP membership: problems that live in that category have no shortcuts, which makes them beautiful for cryptography, because the only shortcut there is to give one of the primes and divide, which is essentially giving you one of the keys.
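Added example, not part of the lecture and not Ellis's or Cocks's scheme: textbook RSA on toy primes, so you can see the three pieces the lecture describes in one place: keys built from two primes, encryption with the public key undone by the private key, and the attacker's only route, dividing n by 2, 3, 5, ... until a factor falls out. The primes 61 and 53 and exponent 17 are chosen for the demo; real keys use primes hundreds of digits long, and real RSA adds padding that this illustration omits.

```python
from math import gcd
from typing import Optional, Tuple


def is_prime(n: int) -> bool:
    """Deterministic trial-division primality test; fine for toy sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def make_keys(p: int, q: int, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Build a textbook RSA key pair from two primes.
    Returns ((n, e), (n, d)): the public key and the private key."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+): e*d = 1 mod phi
    return (n, e), (n, d)


def encrypt(m: int, public: Tuple[int, int]) -> int:
    """Encrypt with the public key: c = m^e mod n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, private: Tuple[int, int]) -> int:
    """Decrypt with the private key: m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def trial_division_factor(n: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Recover (p, q) from n = p*q by dividing by 2, 3, 5, 7, ... as the
    lecture describes. Also returns the number of divisions attempted,
    which is what grows out of reach as the primes get large."""
    attempts = 0
    d = 2
    while d * d <= n:
        attempts += 1
        if n % d == 0:
            return (d, n // d), attempts
        d += 1 if d == 2 else 2       # after 2, only odd candidates
    return None, attempts


def recover_private_exponent(public: Tuple[int, int]) -> Optional[int]:
    """The attacker's job: with only the public key, factor n and rebuild d.
    Being handed one prime is the 'shortcut' the lecture mentions, since
    n // p gives the other prime immediately."""
    n, e = public
    factors, _ = trial_division_factor(n)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keys(61, 53)     # toy primes; real keys use ~1024-bit primes
    c = encrypt(65, public)
    print("n, e =", public, " d =", private[1])
    print("65 ->", c, "->", decrypt(c, private))
    factors, tries = trial_division_factor(public[0])
    print("factored n after", tries, "divisions:", factors,
          "recovered d =", recover_private_exponent(public))
```

With n = 3233 the private exponent falls out after 27 divisions. The same loop against a 2048-bit modulus would need on the order of 2^1023 divisions, which is the whole point: the public key can be handed to anyone, and only someone holding one of the primes can get d cheaply.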
So it turned out that Clifford Cocks... And by the way, if you Google Clifford Cocks, it'd be better to Google James Ellis, because he does not spell his name C-O-X. He spells it a different way. And I've had my graduate students Google it. I had the bursar call me up and say, would you stop asking your students to Google that word? So, but Clifford Cocks was also part of GCHQ, so it was all classified. You get the point. So these are guys who implemented basically Diffie-Hellman, RSA and public key cryptography years before Diffie and Hellman reported on this. But it was classified, so when Diffie and Hellman reported their stuff, they won a Turing Award and became world famous. Everyone, all the scholars, heard of these folks. None of you had heard of James Ellis. It probably was very tempting for James Ellis to go blab, for Clifford Cocks, you know, why not go out, hey, listen, more...

And actually, there was one time when it was blabbed a little bit. Bobby Inman was the director of the National Security Agency in 1979. And Inman was speaking at the big computer conference at the time, which, ironically, I think was called the Computer Conference. We were very imaginative in naming conferences then. Somebody asked him a question. Keep in mind, it's 1979. So subtract back, you know, 40 years, four decades. I want you to go back. So for those of you under 40, before you were born. And we all think that we just have all these controversies around government surveillance, whatever. Back in 1979, the hand goes up, and somebody says, Director Inman, will the work of Hellman and Diffie make it more difficult for NSA to spy on citizens? Take a moment. Think about that one. So the question had been, will it be harder for NSA to spy on us? So Inman pauses and he laughs, and he says, oh, well, public key cryptography shouldn't be a problem. We've known about it for well over 10 years. And right there in the front row, or in the audience, was Diffie going, 10 years? I just invented it five years ago, four years ago. So Diffie starts nosing around, asking NSA and other places, the big community doing crypto in the seventies. Eventually somebody says James Ellis. So Diffie gets on a plane with his wife, flies over to the UK, and he makes friends with James Ellis, who, by the way, never said a word about it. The closest thing Ellis ever said was something to the effect of, you did more with it than we ever would have. That's what he said. You Americans did more than we would. So that's the closest he ever came to an admission. But I gotta tell you, this dude right there, that's the patron saint of showing discretion. Never said a word, kept his mouth shut, because it was classified. You didn't talk about classified information. As the years progressed, clean into the eighties and into the early nineties, there was a lobbying effort at GCHQ where a lot of people were saying, come on, for God's sake, let's give these guys credit where credit's due. In the mid-nineties, I don't know, somebody retired or died or quit or something who was blocking the whole thing. And they made a big decision: all right, we're gonna finally give this guy credit. Now, they were gonna do a website, right, mid-nineties, and that was brand new technology. What happens? James Ellis dies before he gets any credit. So there's his widow holding his picture, obviously many years later. And I gotta tell you, I think for CISOs, this guy is somebody that we should probably name an award after. Like, how long I've thought that once a year we should give an award to the CISO who exercises the best discretion in his or her dealings in our industry. And I would call it the James Ellis Award, because this is a guy who knows how to keep his mouth shut. He probably would have been somebody that John Gotti would have hired. Just kidding. Let's get to the next one.

So here's the opposite end of the spectrum.
This is way over on the other end. And look, I am not a guy who criticizes Greenwald, you know, and the sort of libertarians who believe that information always must be free. My dad is a libertarian. He never saw anything that Ralph Nader ever did that he didn't love, and Glenn Greenwald comes from that, as does Assange and all these other guys. These are people who are well-meaning. I don't think there's anything evil here. There's a lot of people who probably don't like Glenn Greenwald, probably a lot of people who revere him. But as a CISO you're going to have to determine where you stand on all of this. And I'm just telling you that there are things that you can't be sharing with reporters. You could be the most liberal-minded person on the planet, who could have a T-shirt that says all information must be free, you know, because it's cheaper to do so, information needs to be out there, secrets are bad. You can have that ethos. It's perfectly fine. I'll willingly admit that I have some tendencies in that direction myself, but when it comes to work, you can't do it that way. This idea of a free press is what makes, I think, the United States such a wonderful place to live. But you can't be sharing with a free press things that are company secrets. Companies have the right to secrecy, and everybody would agree with that, right? You have a fight with your spouse. Does everybody have a right to know the details of your quarrel, your quibble with your spouse? Of course not. It's utterly absurd to even suggest that. So all of us, everyone on this call, knows that there are cases where information should reside with its owner and that nobody else has any right to it. But there are times when you do have to go share. Like, there's this idea, like the Daniel Ellsberg case, you know, or all these... you could argue Assange, you could argue Bradley Manning or whatever, that these were whistleblowers and that they were sharing information because there was something going on that was ethically inappropriate. And I gotta tell you, as a security person, man, you're gonna come up against these things all the time. I don't mean ethically inappropriate in the sense that you work for a company with bad ethics. If you do, then you oughta quit. But you will hit on situations occasionally where there's an investigation going on, and as part of the investigation you might hear that some sort of surveillance is gonna be directed at an individual by your team, and you'll have to decide whether that's appropriate enough. And God help you if you have no policies, and God help you if you have a poor relationship with your lawyers, because that's where these kinds of subtle discussions must occur, and they must be predetermined. You don't want to be making this stuff up while it's going on. That's not a good thing. But by the same token, there will be some determination that's gonna have to be made. So look, this is important. It's a good book. I think it's something you probably want to read, whether you like Glenn Greenwald or not. The whole Assange sort of case is something that I think you should have an opinion about. But what I would like you to accept, regardless of where you live in the spectrum of handling information, is that in every organization you gotta learn to keep some portion of the organizational information quiet, period.
Now, this is something that a lot of you don't manage, probably something the company calls Records and Information Management. And that's how you handle the records in the company, the documents, your info. Um, I've been amazed in my consulting work at how many companies, large banks and others, have somebody sitting in a cubicle, you know, tapping away in obscurity, seven levels down from the CISO, not even in the CISO's organization, controlling the RIM policies. You may not call it that, they may call it something else, but I see that all the time.

And that is a really important policy, because it dictates things like: how long do you keep documents? What should people keep on their laptops? I'll bet you there are people listening to this call right now with so much *** stored on their laptop that's unnecessary that it's not funny. Like, I bet you have, if you're a manager, you might have old performance reviews of people not doing work in your company anymore, because you know what you do: you snap an image of the last laptop and you store it as a subdirectory on the new one, and then you keep nesting that algorithm to the point where you probably could go find documents that you had 11 years ago, um, on your laptop.

And the question is, what's the policy for that? If it's there, it could be stolen. There could be Social Security numbers in there if you're in the US, there could be credentials in there, there could be passwords in there, or whatever. So who manages that policy? It's a spectacularly important thing from a discretion perspective, and it's probably gonna be something that's not well codified. If you made the determination, you're gonna ask 10,000 people in your company to see if they could just get rid of 100 gig of *** that they don't need, um, that's a petabyte. And if you think 100 gig is too much, then 10 gig, everybody get rid of 10 gig of stuff, you know, even one gig. Do the math. One gig is, what, a terabyte? So if you have 100,000 employees or a million employees, you can do the math. So along with sort of the discretionary component here is this important issue of saving, sharing and managing, you know, how you handle data.
Now in the context of cybersecurity, inevitably, information sharing is the topic that pops up. And I just wanted to use Dick Clarke's picture here, because I think he's the father of information sharing in a cyber context. I've known him for many years, a very good friend of mine, um, and a political guy, you know. So there are some people who hate him and people who love him, and people in the middle. You know, I'm a person who respects him. I think he's got spectacular insight, and, you know, whether you agree with his politics, who cares. But on cyber, he was one of the very few who really dug in. It was almost like his punishment, like he was in the Bush administration after having worked for Clinton, and I remember he got, quote unquote, sort of relegated to cyber from his post doing, quote unquote, real terrorism. I remember someone saying one time on a radio program, talking about Clarke, he was actually interviewing Dick Cheney, and they made the joke, he said something like, "You're a Dick Clarke?" He said, "Yes, you know, he's doing cyber. Isn't that like PC viruses?" And they both had a good laugh about that. And I remember being pretty annoyed, thinking, no, it's more than just PC viruses. And Dick dug into it. That's when I got to know him. He came and spent time with me. I spent a lot of time taking him through everything I knew. He went and visited all the tech companies and got to know them, did the math, took notes, listened, absorbed it all, and came to the conclusion that information sharing was one of the most important things that we should be doing.

And if you go back and look at PDD-63, which he essentially drafted with his team, Paul Kurtz and others, it is a spectacularly important document, and I believe the beginnings of modern information sharing as we know it. So take a look at it. I like this book, The Fifth Domain. It's kind of about cyber. Um, he interviewed me for this, and I told him that I thought the next wave, a while ago I said the next wave was going to be not cyber but information manipulation, and I remember them sort of laughing. And then 2016 happened. By the way, circle of trust, that's Robert De Niro, my chamber guys. That's really what it comes down to, information sharing. Now let's do a case study real quick, and then we'll get to my guest.
Um, in this case study, you see our hero, Emily, is talking to her friend, who says that she had an issue, namely the government had come to her and said that there was somebody working for her who was kind of under FBI surveillance. Would she be willing to kind of share back some information about this co-worker? And she decides, in the case study, no, I'm not going to do that, because they said, we don't want you talking to your supervisor, just share it directly back. And she said, I'm not comfortable with that. They said, fair enough. They went off. And then after they went off, this individual starts acting a little weird, and she thinks, with these changes in work habits, something's not right. And now she's having second thoughts.

And in this case study, I sort of ask each of you, what would you do? You know, and again, that's an important sort of concept here, where government comes to you. There's no playbook for what you do. You have to use your discretion. And what I want you to do, as you always do each week, is go back and dig in to this little case study and see what you think. You know, was the FBI being reasonable asking her to deal with them and not talk to her supervisor? What do you think of her original response, where she said no? But then, after this person starts coming in early, acting differently, is that enough to be suspicious? And what would be your advice to Karen? Should she go back to the FBI and say, yes, I do see something unusual here, or not? Does she have that obligation? So that's an important one for you as a group to spend some time on. I hope you do.
Finally, we get to the highlight of our discussion here. I want to introduce my good friend Jennifer Bayuk, who I've known forever, and I think is one of the finest in our business. Jennifer has been in the CISO role, she's been in a variety of senior executive roles. She knows more about risk, cyber risk management, than any human being on the planet. I think she knows as much about cybersecurity as anybody I know. Um, so first, I wanna welcome Jen to our discussion. Jennifer, thanks for making some time here.

Jen's on mute.

Leif, can you hear me? Okay, but I am back. Okay, go ahead, Jennifer. Welcome.

Thank you. Thank you. A very interesting talk on the effective behaviors. It gave me a lot of ideas, looking back at my career, and good examples to, you know, on each one of them, you know, just...

What did you think? I mean, I know that's not the usual sort of discussion. Usually when you and I are doing this sort of thing, we're talking about risk or firewalls or compliance. And the essence of this course is kind of guiding the folks on the call, who are all, you know, folks who do what we do but have aspirations to kind of advance their career. Um, do you think, Jen, when people, and I know they do come to you, I come to you for advice, what do you generally tell people when they think, I might like to get promoted up into that big job? What's usually your reaction, other than first trying to talk them out of it? But after that doesn't work, what do you usually offer as guidance to people interested in that job?

Well, um, I ask them how many people they really know who are really good engineers and who would be willing to leave whatever they were doing and come work for them. And they have to understand that there is a possibility, when people change seats, that the staff that you're inheriting may have to be refreshed, and if you don't have a Rolodex of people that you can call for really important trusted positions, like head of identity and access management, then you will be doing that job in addition to the CISO job. But you really have to be careful that you either have all the skill sets that are needed to run the CISO function, and I'm sure by following this course they'll pick up the list, and then you have to know where you can find them if you don't have them yourself.

It's kind of a brutal position, isn't it? You and I both have friends and know people who have come and gone, sometimes for things that they deserve, a lot of times for things that they don't. Is it your observation that maybe it is a little bit more of a tough environment than you might find with the typical IT executive?

Absolutely. It's one of those jobs like the CIO, where when everything's going smoothly, it's great, and if one thing goes wrong then it's your fault and all hell is breaking loose. So, um, there was, in the 1990s, a statistic that CIOs changed jobs every 18 months. Um, even now it is one of the higher executive management rollover jobs, and CISO is down there in the two-year range now as well. And for a variety of reasons. As you said, it's not always that things were going badly. It could be that there was so much opportunity that if you are a really good CISO then you have mobility, you know, to live in the city that you want to or work in the industry that you'd like to work in. But a lot of the time, as you said, the stress is really hard. You're responsible for everything. It's very hard to keep on top, and the grass is always greener somewhere else.

Jen, take us through your own sort of personal journey. You know, in your career it's been an interesting one, and I think you've probably seen this position from as many vantage points as anybody I know. Take us along your journey a little bit, and some of the things that you've learned, and maybe some things that stick out along the way.
Well, I'm reminded of Dan Geer's remark on hybrid vigor, where people came to the job of computer security, back in the days when we still called it computer security, from a variety of fields, because there was no master's degree in computer security. There was barely a master's degree in computer science when I started. Luckily, you had such a great program at Stevens, where I was able to take a class in security when I was in computer science. But there were people from law that got involved in computer security, people from biology, where Dan Geer came from, just because he was using the computers and understood the importance of it, people from project management, and of course the software systems people. But they all brought their own motivation and their own priorities, and they all started to read the Orange Book and started to develop a set of skills and practices that seemed to work for most people, that allowed more standards to be written and more community to gel.

Thinking of the first couple of National Computer Security Conferences, which were right after the National Computer Conference, as you were talking about. They came along a couple of years after the computer ones, but the first ones were called National Computer Security, and they really, the government and the parties like MITRE, and the universities like Carnegie Mellon, which has been funded for the Computer Emergency Response Team, were able to bring these practices and groups together to try to understand what was working and share knowledge. So we went to a lot of those.

What happened somewhere around the turn of the century is that so many vendors started to participate, and there were so many conferences that have computer security as a theme, that the government decided they didn't need to do that fostering and shepherding anymore, and kind of took a side role. Now we're kind of just left with a lot of competing views. And I think it's gonna be another couple of decades before the job function of a CISO gets even as structured as the job function of the CIO is now, and that changes a lot as well.
You asked about my personal journey. I came from, well, as you did, I was in expert systems and software development, and I went into security architecture because that's where the bigger problems were to be solved after AT&T broke up. I became the CISO because I just happened to be the highest-ranking person in computer security after 9/11, when the Electronic Crimes Task Force came into all the financial services companies and said, who is your chief information security officer? At the time, maybe two or three companies had one. But there was recognition that this was a high-level function that had to be addressed immediately because of terrorism. You know, from Dick Clarke, that really gave the position much more prominence. So it's not that companies decided, we need a chief information security officer. It came in from the outside, and I think we have to be very cognizant of that: a lot of times, if you have a first CISO being hired in a company, it's because they're being forced to create a position at a high level that they didn't think was necessary before. That's another thing that makes it hard.

This was at Bear Stearns, that position. And where did you go after that?

Oh, um, when Bear Stearns died, I didn't leave Bear Stearns, Bear Stearns left me, as I always say. I decided I didn't want to stay in a very big company. I wanted to see what was going on, so there were a lot of different voices in, um, security, information security I guess it was starting to be called then, and, you know, now it's all cybersecurity, but I see all that as a continuum. I did consulting at big banks and, um, larger companies, pharmaceuticals and things. I went into academia, created a master's degree in systems security engineering for Stevens Institute of Technology. I did a lot of research, government research and my own research, wrote books, and generally, um, I just saw what the spectrum of the field was, so that I could make an informed choice coming back in.

When I did go back in, I went into enterprise risk management because the chief risk officers were just starting to realize that they needed dedicated help in cybersecurity as well. So there is a path even beyond CISO for those of you who are looking to become CISOs now. The most critical aspect of the CISO's job from the point of view of the C-suite today is that risk management function, and provisioning the right defenses. We always know we're provisioning defenses, but are we really identifying the assets to be protected and understanding our risk profile, so that if we do get attacked, at least we're not surprised, because we knew that risk was there and there was a high probability that something would occur because of our knowledge of our current state? At least if you're not surprised as CISO, you can stay in a good position.

So, um, from risk management, which I spent another four or five years doing, I came back into consulting and started my own company called FrameCyber that has risk management software that those risk managers can use. And I still am consulting with that software. I actually ended up using the tools and techniques from my consulting practice to build software. I think it's, um, having gone through that stage, you know, being in IT and then being in a position of responsibility in security, doing a lot of research, coming back through to consulting again. I do a lot of expert witness consulting as well, so I really get to see things from a bird's-eye view, and how tools and techniques and practices are being judged in the eyes of the law. Um, I would say that all of those experiences brought back into any kind of cybersecurity management role are helpful.
Jen, is risk management something that you just sit down and learn? Is it something that requires a period of apprenticeship? I've heard you many times talk about the importance of this, and it's very inspiring to me, because you're so capable in this area. It always kind of gives me a feeling of inadequacy, because I kind of feel like I only know some of the basics. What advice would you have for somebody who says, yes, Jen, risk management is spectacularly important, what should they go do? I know you organize a conference, for example, and I know you've written a number of books, and perhaps, um, some courses you recommend. What would be your guidance for someone who buys into the idea but doesn't know exactly how to get started?

I would say, first, read a couple of very important books, like Against the Gods: The Remarkable Story of Risk, that talks about how risk is managed by the risk management community that really grew up in the finance side of the house. And all of the principles and practices that we use in cybersecurity are adapted from a discipline that they call operational risk. So if you, you know, take a 101 course in operational risk, you'll have the background that you need to approach risk management in cybersecurity. A couple of conferences that are dedicated, and there are two, to cybersecurity risk management issues are Metricon and [inaudible] con. It's unusual in that, for a very small niche field, as you said, you know, not a lot of people know a lot about it, there are so many opinions on what the right way to do it is. So when you go to one of these conferences, you will see some company get up there and present their cybersecurity risk management program and say, this is working for us, everybody should do it this way, and there will be 20 different opinions on what that is.

So remember, if you're going into risk management, research is part of your job. Not only historical research, but finding out how other people are adapting the risk management principles, however, to security, because you're really taking it up at this stage as you go along, because every company is different, every set of risks is different. Your information classification will be different. As you pointed out earlier, information classification is key, and there is not a standard way to do that. So, um, it is, um, I find it very interesting and challenging, and that's why I'm spending a lot of time in that area right now. I think it's the green field of [inaudible] in cybersecurity.
The platform that you've built, FrameCyber, take a moment to share what it does, and maybe give people a little information about where they could be in touch with you, or the address of your website, if they might want to learn more about it.

Sure. FrameCyber is one word, the word "frame" and the word "cyber". It's taken from the word framework, and framecyber.com is where you can see more about it. What I've done with FrameCyber is I've taken the major information sources that people need for cybersecurity risk management and put them all in one piece of software, so that you don't have to go to eight different systems to go looking for your events, looking for your issues and your metrics, and the things that people need when they're going to make a risk management decision. A lot of companies have bits and pieces of these models in other systems. Like, they may have a GRC system in Archer, and they may have an issue management system in their environment, but when they do risk management, they have to get data feeds from a bunch of different places. So I use FrameCyber not just for my consulting and for sharing with other consultants and companies, but for teaching, um, at the graduate level in cybersecurity, so people can really understand and see at a glance what you need in front of you if you're going to make a cybersecurity risk management decision. That's it, in a nutshell.

Can I assume that your website would be the right place to go if they have some interest?

Sure. And there's a contact field, and, you know, I'm happy to answer email. You can get to me at jen@framecyber.com.

Well, that is wonderful. Jen, I want to thank you for spending some time and sharing your wisdom with the team. Um, your career has been just exemplary, and I appreciate you sharing with the folks here and with those beyond the call. I think we have our next lecture on Thursday. So, uh, look forward to, you know, an hour with you then.

Leif and Jen, I'll go ahead and close us out then. So thanks, everyone. We'll see you all at the next one.