Time
54 minutes
Difficulty
Advanced
CEU/CPE
1

Video Transcription

00:00
You know, it's funny, listing this as a competency in finance and administration. This is like the thing that I was always the weakest at my entire career. This is something that
00:11
you know, as I took on management responsibility, I realized how important it was and how bad I was at it.
00:18
So keep that in mind. As we go through this, you'll see some of the things that I tried to do,
00:24
in my own learning, to understand how to be a better
00:28
administrator. It's one of the big surprises when you get into
00:32
leadership roles and management roles in cyber security.
00:35
It's not all about security architecture, or about moving to zero trust, or about selecting the best
00:43
authentication vendor.
00:46
Much of your success will hinge on your ability to be
00:50
a competent administrator, and I'm gonna guess a lot of the people listening here
00:55
didn't get attracted to what you do right now because you wanted to do administration. I certainly didn't, as a computer scientist.
01:02
Next thing I know, I'm sitting in budget meetings trying to figure out how to,
01:07
make my slice of the pie bigger or, perhaps more accurately,
01:11
you know how to keep others
01:14
from making my slice of the pie smaller.
01:17
If you didn't learn how to do that,
01:19
you could have your pocket picked pretty easily. So for those of you who are just joining us for the first time this week, I'll just summarize. You know, we picked 12 competencies. We decided we'd go through them as a group.
01:33
The way I do it is I show you pictures. There's no technical
01:38
component here, which was a challenge for me again. That's what I do. But that'd be fun. We just have no technology, just pictures and analogies
01:49
that allow us to discuss broad topics, broad conceptual topics.
01:55
I'm also gonna see if I can
01:57
turn off my email. I know my email was dinging last time. We'll try and figure out a good way
02:06
to make that go away. We'll see if that works at all.
02:12
But at any rate, we do know there's no
02:15
technical, just pictures. And also, I put a book suggestion on every
02:21
chart, but I try to give you at least, I don't know, two or three or four
02:28
suggestions
02:30
for books
02:31
that you might consider, you know, of interest to you. I hope some of you will go out and consider buying some of them. So it's that kind of a thing.
02:43
We go through 12 of them in the end. The cadence is: I lecture a little bit.
02:46
Then we have a case study that we've shared with all of you. You should have the case study with 12 parts.
02:53
There is a sort of optional
02:57
invite that you've gotten to come to a moderated discussion session
03:01
if you're interested in digging deeper into the case study. So I hope you'll do that.
03:07
I think there was a group that met last week,
03:09
and I think it was probably a good discussion. And then I usually try and bring a guest. And we had a good guest coming for today who cancelled about 10 minutes ago. He had an emergency. We'll have him come back
03:22
in one of the future sessions. With 12 total, we have 11 opportunities to meet some guests. So in one of the next 10 we'll have him back, and that just complements the discussion.
03:34
But I hope you find it useful. I try to make this a little different than anything you may have gotten before, because most training from a CISO perspective is around the substance, much of which you're already pretty familiar with. I don't need to teach you
03:52
the difference between compliance and security, and so on and so on. You already know. I'm not gonna waste your time with that, but we'll take you through some things that are a little different. I had the great opportunity in my career to become an officer in a large company where all of my peers were not security people. They were
04:09
executives. I felt like an impostor because I really don't think of myself as an executive. I got exposed to some of the most amazing executive training you could ever imagine, including going off to business school at Columbia to learn,
04:24
you know, business administration. So I do have some training here, and I'm gonna share it back with you. For many of you, this is like nothing you're used to seeing in the context of
04:35
cybersecurity management and leadership.
04:40
So let's go to our first sort of chart here
04:45
and just make this statement here. The broad statement that
04:48
if you want to be an effective CISO, you better develop an understanding of corporate finance and administration, period,
04:57
even if you hate it.
04:59
I thought I hated it. Turns out that there's some things that are very pleasing
05:02
and very interesting about this, as I'll share today. I have a feeling you're gonna find today's discussion,
05:10
I think you'll find it fascinating. Again, this will, for a lot of you,
05:14
be so far off the reservation
05:16
from what you're used to talking about, and I want to apologize in advance that I'm gonna bump into
05:23
and perhaps collide with
05:26
a few topics that might be somewhat uncomfortable. We'll get to them,
05:30
But I wanna warn you in advance that my purpose at times for
05:35
your being willing to step up to an uncomfortable topic,
05:40
It's just so that you can learn. I want us all to be better at this. I want our field to expand.
05:46
Let's face it, every CISO is viewed as incompetent by the CEO for any other job. Your CEO views you, if you're a CISO, or views
05:56
your boss, if he or she is the CISO, as being incompetent for any job other than cyber security in the company. Hate to tell you, but that's the truth.
06:04
Until we rectify that,
06:08
that will remain so. We've got some work to do
06:11
as a community to develop
06:14
what I would consider to be world-class executive skills. So let's start
06:18
with a picture here.
06:21
This is the Whiz Kids.
06:25
So back right after
06:29
World War Two,
06:31
this is a group of people who
06:35
came out of the U.S. Army
06:38
and
06:39
had had some training in the Army in doing
06:43
what later became known as statistical control, or, you know, basically using data
06:49
as the basis for
06:51
business management. Now, for me personally,
06:56
this idea of statistical control
07:00
kind of appealed to me when I first sort of heard about this. By the way, I'll comment on this picture a little bit. I hope you're staring at the picture; there's probably something that jumps off the page. We'll get to that in a minute.
07:11
But I'd sort of grown up in the laboratory. I'd grown up in and around
07:16
computing
07:18
where it felt very natural to collect data and to make decisions based on that,
07:25
and that seemed rational to me. It seemed like how you would manage. I became a supervisor, and I thought collecting data and making rational decisions was the right way to go.
07:41
And this idea of human judgment,
07:44
you know, humans are fallible. Those of you who have kind of followed the discussions around artificial intelligence now know
07:51
that there are theories that suggest that
07:55
whereas for the last few hundred years we've depended on human judgment
08:01
as the basis for decisions,
08:03
you might suggest that perhaps Google could make a better decision for you. You know, if you say, who should I marry?
08:09
You know, my parents told me, oh, follow your heart. Follow your judgment.
08:16
You know, pick based on what you think.
08:18
But maybe Google would say something different. You know, that you collect all this data and telemetry
08:24
and a judgment is made
08:28
that knows better for me
08:31
than what I would know.
08:33
I've listened to a lot of people lecture on that, obviously, as a computer scientist very steeped in artificial intelligence and discussions around that.
08:43
And even back when I was working, they sent me off to Columbia Business School.
08:48
And I was attracted to that concept, that quality comes from data collection and so on. I was studious.
08:56
I remember one of the professors took me aside, and, you know, I was always up, sort of studying, never down in the bar with the group
09:05
kind of learning and drinking. I thought business was this scrubbed sort of thing:
09:09
we collect data. I remember she told me,
09:11
business is done down in the bar room. We're human beings, and humans,
09:18
you know, work together and drive toward initiatives based on experience and judgment and subjectivity and feeling and
09:26
and on and on and on and on.
09:28
Maybe that's right. Maybe that's wrong, I don't know. But I tried to close the book a little bit more and loosen up,
09:35
and I do think that there are some
09:39
some real benefits to stepping away from
09:43
pure statistical control. But nevertheless, this group here, the Whiz Kids: it's a good book, that John Byrne book,
09:48
is interesting.
09:50
These were people who basically had come out of
09:54
World War Two, and this is a Ford Motor Company picture, and in the little circle there's Robert McNamara. Now, the first thing I know you've noticed: these are all white males, there isn't a diverse face in the picture,
10:09
and that's completely unacceptable. It was 1950-something
10:16
that this picture was taken. But think how many people of color, how many women, how many diverse opinions are not in this picture.
10:26
And you can only imagine the decisions that come out of a group like this,
10:31
You know, they're gonna be finishing each other's sentences. Not that they're wrong, and not that this is anything evil. It's just the way the times were then. You would never
10:41
in any Fortune 500 company
10:45
have a training class like this. This is the executive training class at Ford Motor Company, and in the circle there is McNamara; he became the president of Ford Motor Company in 1960.
10:56
You would never have a picture like this today. Anybody, any one of you, would look at this and say, there's no diversity there. Crazy. This doesn't look right;
11:05
you're gonna get bad decisions there,
11:07
and I'll get to that in a minute.
11:11
But at any rate,
11:13
these folks helped to create
11:16
essentially something that would be called scientific management, using statistical and quality controls and data collection, and producing
11:26
sensible,
11:28
data driven decisions around how you manage an organization.
11:35
Now I think for all of us doing information security,
11:39
that sounds pretty good, doesn't it, right? I mean, that's the kind of thing that appeals to our mathematical sensibilities. And
11:48
my doctoral dissertation was essentially applied mathematics,
11:52
so
11:54
I'm very taken by the idea of collecting data,
11:58
but I'm not sure it's right, and we'll get to that in a minute. But some of the faces: there's Arjay Miller, who became, basically, the dean of the Stanford Business School,
12:09
Ed Lundy and a lot of others are in this picture. And this became the face of the Ford Motor Company in the early sixties. But it's interesting, there's a couple of side notes on that. In the sixties, Ford saw a few rogue kind of opinions from managers who were rising, who
12:28
challenged the very vanilla sort of
12:31
similar concept that this group was producing. One of them
12:37
really pushed leadership to do some things a little bit differently, and they had a hard time with it. He wrote a book called On a Clear Day You Can See General Motors, actually. That was General Motors. Lee Iacocca rose from the Ford ranks. The other guy was General Motors, very similar picture at General Motors, and he was DeLorean.
12:54
John DeLorean challenged the status quo
12:58
at General Motors. Lee Iacocca challenged the status quo at Ford, actually built the Mustang. He was more successful.
13:07
DeLorean actually left General Motors to go
13:09
build a car for Marty McFly or something. But at any rate,
13:13
I think it's important as you develop your own style of management and administration in information security
13:22
that you should go back and understand a little bit about how these types of individuals, these groups,
13:28
helped to invent some things, much of which is reasonable,
13:33
you know, collecting data,
13:35
being data-driven and so on. Most of us would consider that to be very reasonable. To give an example,
13:39
I had a client of mine that I coach
13:45
who a few years ago was having some problems with budget, back in 2016.
13:50
And what he ended up doing was he brought in some leaders to his team, added some staff, actually using precious head count,
14:01
to bring some people in who had the ability to kind of operate at a financial administrative level. They'd grown up in those ranks.
14:09
And I remember the next year he told me that he saw about a 15% increase in his budget just by being in the right meetings and
14:18
grabbing sort of orphan programs and making sure that where it wasn't entirely clear who had control for this maintenance license or that, it was assigned back to the security team, just by having that competent,
14:31
administrative and
14:33
controlled management as part of the security team. So
14:35
So keep that in mind. Look at those faces there. These are all people who mean business, right, around finance and admin. That's what they do. These are people.
14:46
You can just sort of see there
14:48
the résumés. But let's go to the next chart and see what happened, at least to some of them. There's Robert McNamara again
14:56
on the right, sitting there next to Lyndon Johnson,
15:00
and
15:01
things didn't work out so well there.
15:03
McNamara, in 1960, became the president of Ford Motor Company,
15:09
and right after that John Kennedy asked him to come over and become the Secretary of Defense. Kennedy had watched the Whiz Kids
15:18
at Ford, had watched, you know, how they transformed management into something that was
15:24
very cold and rational. We didn't call it artificial intelligence because we didn't have computing doing it. There was no Google, but it's pretty *** close. It was about as close as you could get to automating management decision functions. Again, I don't know if anybody's ever really observed or commented
15:43
on how the statistically based decision-making processes that were put in place then,
15:50
you know, resemble a lot of the things that we all debate today about technology in our society.
15:58
But here's Lyndon Johnson; this is probably the canonical picture
16:03
of the Vietnam era, with McNamara sort of giving him a cold, rational stare.
16:08
Well, that stare, and then Johnson there, rubbing his nose
16:12
with this tortured feel, because he was getting things from McNamara
16:18
like, we're gonna win this war because we have a better kill ratio than our enemy. Like, they're talking about these cold numbers. There's one particularly disgusting number that was bandied about during that time:
16:32
that the kill ratio of Americans to the enemy's was one to 2.6.
16:37
So therefore, how could we lose?
16:40
Well, the reason we lost is because they were fighting an infinite war
16:45
and the Americans were fighting a finite war to get to some end. You know what came of that. But the point is, for information security
16:56
is that if you go back here to this group,
16:59
I believe that if this had been a more diverse group,
17:03
if there had been some women there of varying backgrounds, people of color, I have a feeling you might not have had that. Now that's a little controversial. But look, this had better not be your leadership team for your information security group. I sure hope it isn't.
17:22
I hope you have a collage of backgrounds, fine people
17:27
who are different than you, of different opinion than you, who will challenge you,
17:33
and listen to them, because they're gonna have a perspective that's gonna make the overall opinion stronger. The idea that this group came up with, that cold, rational statistical analysis would lead you to success: nobody questioned it.
17:49
And there you go. You have kill ratios that take you into Vietnam.
17:53
You see the point.
17:55
So I can't emphasize enough
17:59
as you build out your team
18:00
that you need to have diversity, and I mean in every possible way.
18:08
you should have people who are from different generations.
18:14
You should have people
18:15
who
18:17
disagree.
18:18
You don't want to disagree on values. Like, I think all of us should agree that businesses exist to
18:26
improve society and to provide a good return to shareholders and to be helpful to the employees and to be customer-focused; those are values. If you have people who say, I don't care about the customer, I don't think they need to be in the room. You get the point. But I think once you get the values down, disagreement on tactics, on
18:45
on the way things go,
18:45
if you're open to that, then you can have that tortured look that Lyndon Johnson has there
18:51
now. The book there, look who wrote that one, right? H. R. McMaster. I told you we're gonna get into sort of controversial points here. I mean, he kind of got dumped because he wasn't getting along with the boss. Now, you know, again, I'm pretty apolitical.
19:06
I've written to Donald Trump, and I've written advice, and I'm there to help anybody.
19:11
But, you know, you wonder. It's kind of an interesting sort of juxtaposition. Now, if you really want to learn about Johnson, you read Robert Caro's books and see the kinds of things that
19:22
made Johnson successful and sadly, very unsuccessful
19:27
and a lot of things that he did.
19:30
But let's talk for a minute
19:33
about what kinds of dashboard or data you should be collecting. Like, if this is your leadership team, hopefully a little more diverse, and you're putting together an administrative dashboard around your business, what kinds of things do you have? Like, most of the time, when I ask that question to the CISOs that I coach,
19:52
we sit down. We always have one session we go through, and I say, let's go through the administration team. Tell me about your team. What's your dashboard? And I don't want to hear about, you know, alarms and alerts and volumes into your Splunk and all that stuff; set that aside. I'm not talking about that kind of metrics. I mean the metrics of running the business. And I always get:
20:11
well, I have this much budget, I have this much head count, I have this much capital,
20:15
and then crickets after that, as if that in some sense, characterizes the entirety
20:22
of the administrative and financial control of an organization. There are so many other things that probably should be looked at, setting aside, obviously, the subjective judgment and your look and feel. There was a very popular
20:37
approach years ago called management by walking around,
20:41
and I always thought there was something to that just getting the general sense of what
20:47
what vibe exists amongst the team. You can't collect and measure vibe, but some things do make sense. I think attrition,
20:53
for example, is a really good metric to collect,
20:57
meaning:
21:00
do we have attrition? Are people leaving? Are they staying? Are people quitting? Are they happy?
21:04
You know, maybe even having some quality-of-work-life surveys where we ask people,
21:08
you know, what do you think? Do you enjoy working in our group?
21:12
If you're a manager right now,
21:15
ask yourself, when was the last time you asked the whole team just that very simple question, yes or no?
21:22
Do you enjoy working in our team, yes or no? If you could do that anonymously, using SurveyMonkey or something,
21:29
You should look and see what the answer to that is.
21:33
If 67% say no, you've got a problem and it's not because of statistical controls. It's probably because of the vibe
21:44
and something you're doing wrong. Now maybe 90% say yes. I'm not trying to be a braggy guy, but I'm pretty sure that I had high marks,
21:52
you know, as I worked my years as a CISO, in that area, do you enjoy being in the group? I think most people would say yes, and it was backed up by a very, very low, almost non-measurable attrition rate,
22:07
very small. It was people who had opportunities, and I usually encouraged that, usually a promotion or something, to either another group in the company or another company; that's fine. But attrition and sort of quality of work life through surveys are important. I think there are all these other sort of adjacent issues, like
22:26
absences and stuff,
22:27
you know, and sickness, and I certainly look at that, but there are also a few other things that I think are worth measuring. I think
22:34
promotions are something to measure. Like how many people
22:38
you know per year are able to go home and talk about promotions, and we'll get to that in a minute.
22:44
We're gonna talk a little bit about flat organizations versus hierarchical ones, but at any rate, you know, there's poor old Lyndon Johnson sitting there so tortured. I think you need to come up with your own theory of how you deal with,
23:00
you know, that sort of a problem. Now,
23:03
let's take a few lessons here. I mentioned earlier finite versus infinite war. If you're a big fan of Simon Sinek, you've probably seen his
23:12
YouTube videos on finite versus infinite war. I strongly recommend them. As a CISO
23:19
you are fighting an infinite war.
23:22
So let me say that again:
23:25
as a CISO, in fact, as an enterprise security team,
23:27
there is no end of your game that you're getting to. You follow, because you do this for a living. If you're doing forensics, you're managing a SOC, or you're doing security training, there's no end of the game. You're managing an infinite game. You're enabling the business. You're creating
23:48
a capability and a support function
23:51
that allows the business to achieve its objectives, which are the ones I said earlier to make society better. To make customers happy,
24:00
to allow families to have a living to support their life and just make things better. What else could be the purpose? There's no end to any of this. Business is an infinite thing,
24:11
and that's why Lyndon Johnson is so tortured there. He's missing the fact
24:15
that there is no finite. Nobody wins; there's no winner or loser. We're all in this together. So the sooner you can adopt that understanding, that as you do cybersecurity, this is an ongoing, forever sort of thing. It's not
24:33
my goal next year is the following, and we high-five and we did it.
24:36
That's ridiculous. It's not that. So learn that very quickly.
24:41
I already said something about diversity of opinion. I think that's something that I hope you've written down already.
24:47
That's probably the most important message we've made so far that if you don't have a diverse group, you're going to make colossal mistakes in both strategy and tactics from a security perspective.
24:59
So make sure you have a good, solid,
25:02
well rounded group that is not afraid
25:06
to bring you bad news or that understands that you will not only listen
25:11
to the news that might not be great, but that you're willing to take action that might go against, you know, any number of things. You remember last week,
25:18
we talked through a case study where our hero had to decide on, you know, whether to go to the management team
25:29
and explain that a mistake had been made.
25:32
You know, contrary to what she said would be the case being honest and going back, you know, perhaps putting her own job at risk.
25:40
And I think that that's the courage that's required to be a good leader, to have people really want to follow what you're doing. And then finally, I think there's something called accepting the inevitable. Like, there are times
25:53
when your team, your security team, is going to fail.
25:56
You're going to get a bad audit. You're gonna have to go explain that you've been broken into. You're gonna have to deal with the fact that data was lost.
26:06
You're gonna have to deal with the fact that there was an advanced persistent threat from a nation state, and they've exfiltrated data.
26:11
The reason that's important is because we've seen way, way, way too many companies
26:18
unwilling to accept that or admit that or report that. It's a real problem in cybersecurity. Why we don't have good information sharing: people won't talk about when there was an issue. You have a Lyndon Johnson there, demanding to not be the first president to lose the Vietnam War,
26:36
so these are some basic lessons that we can learn from other leaders that are almost never brought forward in the context of information security. I'll bet this is the first information security course in the history of Earth
26:52
that, you know, used Lyndon Johnson as the basis for,
26:56
you know, any sort of discussion. By the way, what operating system was invented at the instant those guys were talking, right? Does anybody know? UNIX, right? That's when
27:06
the Labs guys broke off from Multics and started the UNIX project in the mid-sixties,
27:12
so it's kind of funny that the operating systems that you guys are all watching me on right now, whether it's Windows or Mac OS or Android or iOS or whatever,
27:23
and certainly Linux, they're all derivatives, direct descendants, you know,
27:30
at the kernel, system call and application level, of an operating system invented while those two guys were talking there. I think that's interesting.
27:38
So here's another bit of advice.
27:45
This man, Robert Moses,
27:48
is in my mind
27:49
the greatest builder, or at least urban builder of all time,
27:52
without exception
27:56
where the word great just means
27:59
extraordinary. Not wonderful, perfect, friendly, awesome, but just extraordinary, different. Let me talk about him a minute.
28:11
So this is a guy who,
28:12
you know, came out of
28:15
school in the early part of the 20th century
28:19
and was committed to urban planning and urban improvement.
28:23
He ran for governor. Nobody liked him. He's kind of a sour face. He wasn't gonna be well liked. So instead, he kind of got into the business of creating authorities. Like, you may be familiar with the Port Authority if you live in the
28:38
New York area and people had always thought that authorities were these things that were made
28:44
to build a bridge, collect tolls and then just end when they were done. And he realized that there were things that could be
28:51
done, you know, through these authorities, where he would be the leader that would allow him to have spectacular power.
28:59
That book right there, The Power Broker by Robert Caro:
29:03
if you are a manager or you're a budding manager,
29:07
then I want to tell you that you must read that book.
29:11
I believe it's one of the most important books maybe ever written
29:15
on the topic of power.
29:18
And you'll see so many opportunities to learn
29:22
through, you know, Robert Moses, and through Robert Caro's chronicling of Moses. Robert Caro spent most of his time on Lyndon Johnson, but this was a book he wrote in the seventies.
29:33
He very famously said, for example, that power doesn't corrupt, power reveals, and I believe that. Think about your own boss at work.
29:45
My suspicion is
29:47
that through ascension to whatever position your boss is in,
29:52
he or she
29:53
has revealed themselves to you. It didn't corrupt them;
29:57
they are who they are. It reveals who they are.
30:02
And that's something you should know about yourself.
30:04
That who you are
30:07
will become more clear to your team, the people who work for you,
30:11
as you ascend through the organization. If you think you can hide who you are, forget it. Your team knows exactly who you are. If you think you can kind of push some things off to the side, weaknesses you think you have, and hope nobody notices, forget it. They all notice, just as you notice those things
30:30
in your own boss, or bosses.
30:33
So Robert Moses. He's the guy
30:37
who essentially steamrolled through New York City building roads,
30:42
projects and other things, where one, for example, is something I use all the time to go see my beloved New York Yankees. That's the Cross Bronx Expressway.
30:52
So he decided that he needed to build the Cross Bronx Expressway in the fifties,
30:57
and he built a plan,
31:00
and he barreled through some neighborhoods in the Bronx that were very functioning neighborhoods
31:06
and just destroyed them, East Tremont being one of the examples
31:11
chronicled in the book, a beautiful chapter in there that you should read. And it's funny, I'm telling you, read a book on real estate to learn how to do cybersecurity. But I'm not kidding. This is,
31:21
there's something there. But what Moses claimed was,
31:25
and listen to this because it's important,
31:26
He said over and over that the end justifies the means.
31:32
Now, I don't know what kind of a manager you are. You may agree with that.
31:36
And for cyber security, you really have to have an opinion about that.
31:41
There's some pretty weird stuff you can do to secure an organization. You need to decide, as an administrative leader,
31:49
does the end justify the means: snatching someone's budget, steamrolling across some IT group,
31:56
you know, dealing harshly with your auditors. Kind of leaving a trail of dead bodies wherever you go, as Moses did.
32:04
You could argue Robert Moses was powerful for 40 years because he did that.
32:09
Governors, mayors, other politicians, business leaders, they all essentially were terrified of this man, and he was able to transform New York City into what he wanted. So you, as a manager, you read and you learn
32:27
about Moses, and you think, you look in the mirror: is that what I want to be?
32:30
I'm not gonna tell you. You should or shouldn't. I'm just saying you should understand how he did it,
32:37
and then you can translate that
32:39
into your own business leadership. I know I did. I was weak when I first got into leadership. I'm a technical person, and I always felt technical people cooperate.
32:52
Research staff work together.
32:54
You have this egalitarian presumption that everyone has the collective best interest in mind. And as soon as I started getting into business management and certainly administration, I realized that's a lot of bunk,
33:07
that you gotta toughen up.
33:09
And that guy in that picture right there is a tough dude, man. I'm not saying he was right. And when you read about, for example, East Tremont, and how the people in East Tremont suffered, just were mistreated, and Moses would say, doesn't matter. It's for the... he said something like,
33:30
generations from now,
33:31
people will be using this road, and it'll just be a minor footnote
33:37
that a few people got tossed out of some old, poorly functioning apartment buildings, you know, in neighborhoods to make way for the future. Maybe he's right, I don't know,
33:46
but it's really, really important to take the time
33:51
to try and learn, and you need to decide on your own.
33:53
Do you believe yes or no?
33:57
that as a chief information security officer, the end justifies the means, yes or no? And a lot of you will go, well, it depends. Or maybe you'd say yes. For me, I would say no. Like, I don't think
34:08
it's acceptable to make such a statement. But I'd put a little footnote in there and say, Don't lead with your chin,
34:15
right? You should not be
34:17
on innocent,
34:20
ignorant and in some sense gullible
34:23
Thio. Other business leaders in your organization we're goingto essentially, you know, eat your lunch if you don't know how to stand up for what's right for you.
34:34
So this is a tough one for our community, because that's not the way
34:37
we talk about information sharing. You don't start an ISAC by saying, put your dukes up and fight.
34:45
You know, you don't do that. You try to be inclusive and helpful and share, and try and promote the common cooperative coordinated good.
34:54
But as an administrator,
34:57
as a financial kind of executive in an organization, and some of you may be in big groups, some in government, some in smaller groups. But where we are,
35:07
um,
35:07
you gotta be a little tough here, and that's why I really recommend, I recommend to all the
35:13
folks that I coach, ah, from a cybersecurity leadership perspective, I always recommend that they get a hold of
35:22
The Power Broker. Let me give you one more thing that I think is relevant here. One of the images that Robert Caro paints in this book
35:32
that I think is spectacular: Caro used to go interview Robert Moses. He'd go there and Moses would just talk.
35:40
And I think Moses was glad that some reporter had finally noticed and was gonna write a book. He didn't know that it would be kind of a tough book.
35:47
It's a great book, but it's a tough one. Doesn't paint such a rosy picture. But he would go, and Moses had this office. It had a big window that overlooked
35:57
New York City, all the vastness of the bridges, most of the things that he'd built, and he would go over to the window and Moses would be in front of the window. And Robert Caro would be sitting in his chair and he'd see Moses and then behind him this glass and all of Manhattan behind, a spectacular juxtaposition of the
36:17
window and then Manhattan. And then he would think Moses was looking at all the things that he built. I think this is key.
36:29
I assume that he was looking at things he built.
36:31
But as he listened to Moses point
36:34
through the glass and talk,
36:37
he realized Moses was seeing the things he hadn't built
36:40
That's interesting.
36:42
He saw things that weren't there. That should be there.
36:45
And that's for you as well: as you build an architecture,
36:51
that you should look at the way you're set up
36:54
and when you're describing it to your team. Instead of describing the things you have
37:00
talk about what should be there. Might be interesting.
37:04
I think that concept of the landscape,
37:07
others look and see the bridges that were built, you look and see the things that must be built, is really cool when you're thinking about security architecture. I love that concept of taking from something completely different, real estate, Robert Moses. I bet you didn't think you'd be listening to that
37:25
today. I told you it was gonna go off in some weird directions.
37:30
But if you go to business school, this stuff you'll learn, and these are the things you'll be absorbing and you take back
37:37
to try and apply to cybersecurity. So keep that in mind, that idea: as you look at things, see what could be as opposed to what is now. This is a little closer to home. That's the Anonymous mask.
37:49
When you're studying business leadership,
37:52
you have to look at Anonymous. It's crazy not to take some time to understand how they work, because they're pretty effective, right?
38:00
Um, how does Anonymous work?
38:02
I guess it's, I think it's a bunch of lawyers at the core who kind of rabble rouse and suggest things. And then things that are suggested get done. Maybe, maybe not,
38:13
because it is a completely flat, egalitarian organization. There's no
38:19
organizational structure. It's chaos. There's
38:23
nobody in charge, like there's no centralized control.
38:29
There's no leader.
38:30
There's no recognized
38:32
organizational structure.
38:35
And none of this stuff. No centralized anything.
38:38
Do you think?
38:39
Could that work? Look at this guy. Centralized power: if he wanted something to happen, boom, he makes it happen. What about these guys?
38:49
How do they make things happen?
38:51
And this is a step closer to home, because we all do security. So we know this group.
38:55
How do they make things happen?
38:59
Well,
39:00
um,
39:00
they make things happen through persuasion. And let's think about that a minute. There's two kinds of organizational
39:07
models and a lot of things in between. The first organizational model is something very hierarchical,
39:14
where you've got, you know, you bring in McKinsey, why, and they tell you, right, every manager should have six or seven direct reports, and those six or seven direct reports should,
39:24
you know, in some sense have six or seven direct reports
39:29
and and on and on and on and on. Um,
39:32
you know that,
39:35
you know, and then you're you have this
39:37
20 levels from the bottom person to the CEO, and everybody freaks and goes, oh, my gosh, this is crazy. You know, the CEO is way up here, and everybody's down there and goes, hierarchies, all these levels of bureaucracy, whatever. So there's a lot of negatives. But there's a lot of positives, too:
39:57
when you work in a hierarchical organization, you can get a bunch of promotions. You go home
40:00
six, seven times in your career
40:04
and you tell your spouse you just got promoted. That doesn't stink, right, and that's not terrible.
40:08
At the other end of the spectrum
40:10
is a completely flat organization. That's one where,
40:15
you know, instead of having 1 to 7 ratios in workgroups, you have 1 to 50 or 1 to 100 or one to... and in Anonymous, it's one to infinity.
40:25
Let's say you have, ah, 100 people in your group
40:29
and you're all flat and sort of egalitarian and there's some coordinator.
40:34
How many times are you gonna get promoted in your career? I'll bet not many. Like, if there's some people who work at Google
40:39
who are listening to our lecture, you would agree
40:44
that, you know, it's not as easy in a place like Google to get promoted as it might be, say for example, Bank of America,
40:52
where you can go from assistant vice president to, you know, all these gradations of vice president, where you can get some promotions. Google wouldn't have anything like that. That's why I think the average stay at Google's just a few years, because I think most of us naturally
41:09
like the idea of getting promoted.
41:12
Look, I just, I liked it. I liked the couple of times going home and saying, hey, I just got a promotion, and feeling like,
41:20
you know, even if you're a techie, it's nice. I live in academia,
41:24
and you know people, they jockey for tenure.
41:30
But then, after you're a tenured professor,
41:32
it's a little flat. I've always thought it'd be better if there were grades of tenure, you know, there should be four or five stops along the way.
41:40
And I think that would be better. You know, each conferring some additional,
41:45
um,
41:47
recognition of your contribution and also having some, you know, payback and benefit to you, some visible or tangible benefit as you step up. I think that would be better. Five steps to, uh,
42:02
full tenure instead of you just make the one leap and you're there. But these are different structures. You have to decide. And again, you probably have an HR lead who's gonna decide for you,
42:12
but you can certainly you know, try and err on the side of whatever you think makes more sense
42:16
for me. You're probably gonna be surprised by what I say here.
42:21
But I think a little hierarchy is good only because I think it's good for people. I think the idea
42:27
of giving people a ladder to step up through and to recognize contributions I kind of think is okay. You may disagree. Whatever, I'm not telling you what to do;
42:37
you decide what you think is right. You may say that's a bunch of bunk, man. You should be flat. You shouldn't have people, you know, with all that bureaucracy and
42:45
all the authorization and workflow that comes with that.
42:50
But, um,
42:51
you know, these are the two ends of the spectrum: Anonymous, and then, you know, our friend Robert Moat, Robert Moses here. Moses, Anonymous. You can't get any more different than those two. They really do have
43:06
diametrically opposed kinds of things. So really, this idea of centralized control, I think, is a decision you'll have to grapple with as you plan out your administration. So let's get to our, uh, case study.
43:25
Let me tell you about this one.
43:28
So this was based on some things that I've actually seen and experienced personally. You remember our hero is Emily.
43:37
She's talking to a group of CEOs under, uh, you know, full
43:42
confidentiality, Chatham House or whatever.
43:45
Um, so in our narrative, she's, ah, comfortable sort of sharing with this group details of what's going on. And somebody asks her, hey, Emily, you know, uh,
43:57
I'm an IT person, but what's
44:00
what's all this stuff around administration and so on? And she sort of laughs, and she says, let me tell you a story
44:07
that I had to deal with once. And she explained that
44:09
her team was being asked to give back 15% of budget. Now,
44:16
most companies
44:19
that I'm aware of,
44:21
um, generally do something like this.
44:23
I'd like to talk about it, because people like to say, oh, cybersecurity, unlimited budget,
44:29
anything we want to spend. Yeah, I guess if you work for a big bank, maybe that's true. But most of the people listening to me right now would not say
44:37
that they have an unlimited budget and in fact would probably tell me that they have to find some way
44:43
to make ends meet each year. Vendors often don't want to
44:47
accept that.
44:51
They want to believe that in cybersecurity, you know, it's always up, up, up, up, up. But in the narrative here I have Emily having to give back
44:59
15%.
45:00
So
45:01
she had to get the group together, and she did, and she had a good, solid team,
45:07
and her finance manager had just hired a young lady here named Chandni, and
45:15
Emily noticed
45:17
that Chandni was smart.
45:21
You always see that? I've watched for this through my whole career. Still do.
45:25
When you're in the room
45:28
and you feel a vibe
45:30
from someone, meaning a tough issue pops up
45:35
and someone generally chimes in with an interesting or knowledgeable
45:39
or correct observation.
45:43
And it's not always the most
45:45
you know, the highest ranking person in the room who does that.
45:49
But in the narrative here I had Chandni sort of sitting around the periphery of the room,
45:52
and Emily noticed that this was a pretty capable person,
45:58
and she's kind of new, and whenever something hard would come up, she'd sort of chime in. And she was also typing it in, making the Excel and PowerPoint charts for her boss. And then what I have happen is that over the weekend,
46:10
Emily's boss finds out, you know, that they've been working on this. Looks at the draft, doesn't like any of the budget stuff that they'd worked out, and said this has to be fixed over the weekend. They had a meeting on Monday, and said, you gotta change this. I don't like it. I want to change it. This is a disaster.
46:28
So Emily had to work it over the weekend. She reaches out to try to get everyone.
46:31
She can't get her direct report, but she gets Chandni,
46:36
who says, yes, I'll be happy to help. So Emily works with her.
46:39
The two of them
46:42
fix the programs, fix the administrative components
46:45
and get it looking good. Over weekend,
46:49
Emily sends it to her boss,
46:51
and it looks great. Boss loves it. And then Monday comes
46:54
and Chandni's boss realizes what had happened. She had been unavailable, ah,
47:00
you know, with a dance competition trip with her girls, and she was checking her phone, blah blah blah.
47:07
But at any rate, they all come back Monday,
47:08
and Chandni's work is through, the presentation looks good, Emily's boss loves it, everything's good, but Chandni's boss is not happy
47:20
and
47:21
decides that, you know, it would be good for Chandni maybe to
47:24
be selected for, ah, rotational assignments in the leadership program.
47:30
Let's say this is a select group of individuals, targeted as high potential, that rotate around the company. How convenient.
47:37
So Emily finds out about this, realizes that I've got a really competent administrator here, Chandni.
47:45
Um, and now my direct report's trying to move her, maybe because of a little jealousy or something, hard to say.
47:52
So I have Emily calling in her direct report. She sits down,
47:57
and then she says, I cleared my throat, I looked her in the eye and I said this: dot dot dot
48:02
So what would you do if you're Emily?
48:06
And that's the case study. What would you do?
48:08
So first thing is, did Chandni make any mistake? I don't think so. I mean, it sounds like they couldn't get her boss.
48:16
You may have been one of these positions where your boss
48:21
is unavailable, but your boss's boss is reaching out to you.
48:27
That happens
48:29
if your boss's boss reaches out to you
48:32
and you can't find your boss.
48:35
You got some decisions to make, right?
48:37
You have to decide whether
48:40
Hey, do I have a
48:43
problem here? And in this case, you know, she did what needed to be done.
48:47
How about Emily?
48:49
Um, was it acceptable for her to work with
48:52
this person two steps down? Well, what are you gonna do? It's an emergency.
48:57
But maybe the more important thing to the business administration component here
49:01
is that when you get somebody who's really good in this case,
49:06
this young lady, why do you let that person go? Um,
49:09
and I think that's something you ought to think through. Most of you
49:15
would consider
49:16
technical staff to be untouchable and to be,
49:22
in some sense, your franchise staff. You know what I mean? Like, you go into your SOC and there's a superstar there, or you go into the compliance team and they're superstars. But then you go off to your staff team doing
49:37
day to day business administration,
49:39
and you barely give them a nod. There are no peak performers there, right? You just see them as, that's your quote unquote staff.
49:47
They do budgets. They do admin, blah, blah, blah.
49:51
Well, I'm recommending
49:52
that that's not the way it should go. Like, I like the idea that this young lady is being
49:58
recommended for the leadership program. But you can see in the case study she's new to the security team,
50:04
so probably not a smart move to let her go.
50:06
If it were up to me, I know what I would do. I would say, forget it, she's not going anywhere. Let's work with her for a while. And yeah, maybe in a year we could move her. But I think we should
50:16
take advantage of the fact that we've got somebody pretty good here.
50:20
When was the last time you
50:22
used some of your business capital to keep a staff manager who was not part of your day to day cyber security protection team,
50:30
but rather somebody who's doing PowerPoints and doing budget? You probably don't, and I'm recommending that you should think that through.
50:38
You know, maybe that's not such a good idea
50:42
to devalue that. In fact, if there's one thing sort of on top of all of this, we go back to this
50:47
statement: the effective CISO
50:51
develops an understanding of corporate finance and administration
50:54
to successfully manage budget and resources. Translated: how to manage your budget and resources, and frankly, to deal with competing business unit requests.
51:08
That's where Robert Moses and Lyndon Johnson and Anonymous and all these, the whiz kids at Ford and so on. That's where you learn. That's where you develop an understanding.
51:23
But how you deal with competing requests from your peers is the biggest shock for me
51:30
on becoming an executive, that my friends, my peers, people who were in adjacent organizations
51:37
might be out to grab your stuff.
51:38
And it's just alligators being alligators. There's nothing bad about it. It's just the way you do it
51:45
right? When an alligator, you know, scoops up onto the side of a bank and opens its mouth and then eats something, is the alligator being evil? Or is that an alligator just doing what alligators do?
51:58
Well, when you get into business administration as a CISO or an executive working in this area,
52:06
you gotta toughen up and you gotta be a little bit of an alligator, you know, hence
52:09
I show you these guys and I show you those guys. And I show you this powerful guy and also show that weird, strange, you know, kind of totally different
52:21
approach to business administration. So I hope that you will take that into, ah, account as you plan your own career. We're able to quit a few minutes early today because our guest was postponed. But I can give you a few minutes back on your calendar. But
52:37
again, to close, the second competency here for administration
52:43
is something that I don't think many of you pay enough attention to. I recommend that you do. I hope you read the books that I recommended here. And by the way, I love the chat. This time I've been sort of watching. Um, there's some really good points here from people. I'm glad you guys read the case study, and
53:00
looks like some really wonderful points in here. About
53:05
about so on and so forth and things that you're doing. I see people enjoying the books that...
53:10
Here, wondering, Dr. Amoroso, any books recommended on running operations? Yes. The best one is called Engineering and Operations in the Bell System, and you can go buy it online. It's out of print. It was printed in the seventies and it taught people like me how to run operations in the old Ma Bell network.
53:30
And don't laugh,
53:31
because you might say, my gosh, what could I possibly learn from that? But it was the most powerful corporation for about 70 or 80 years, so I think that's one I would recommend that you go back and look at. I like books that have been around for a long time. Um, I think it's hard to find books that come out
53:51
and are immediately good.
53:52
They have to be around for a little bit, too,
53:54
really demonstrate that they have something foundational we can all learn from. So listen, all of you are awesome, thanks for your participation today, and we will see you, I think,
54:08
same time next week. There's one week where I am in Europe, and I think we have one week where we do a different day.
54:17
But I think next week we'll be back here, same bat time. So everybody have a really wonderful weekend, and we're looking forward to seeing you at our next session. I'll turn it back to Leif to close.
54:30
Thank you, Ed. I really appreciate it. I learned a lot and I love the chatter that's going on here. If you guys didn't see, uh,
54:37
Mark, one of our senior mentors who's also running our TA session, put up an awesome list of books that he'd recommended throughout this course,
54:49
so please look at that, and we'll see you next week, same time.
54:52
Thanks so much.

CISO Competency - Finance & Administration

This is the second course in Ed Amoroso's Twelve Competencies of the Effective CISO, which focuses on the CISO Competency in Finance & Administration. An awareness and understanding of corporate finance and business administration is essential to succeed as an exec. This includes expertise in competing for budget, resources, staff, and more.

Instructed By

Ed Amoroso
CEO, CSO, CISO of TAG Cyber
Instructor