Introduction
I make it a habit to learn as much as I can from others, so every week I listen to an assortment of podcasts covering topics such as leadership, communication, technology, security and more.
Here are some recent podcasts that I found interesting and worth a listen, along with some of my own thoughts, based on nearly two decades of experience as a military officer, IT leader, and CISO.
Topics for today’s post include:
- Is it time for CISOs to do less?
- Embracing Constraints
- Learning From a Proven Leader (Darren Dworkin)
Is it time for CISOs to do less?
LISTEN: The Virtual CISO - Episode 29: How COVID-19 Is Shaping Security’s Future With Reg Harnish
I thought this was a good discussion and Reg hit on a number of key issues faced by today’s CISO, along with some sound recommendations.
Let me start by saying that from my perspective, cyber resilience and a strong cyber security program are more important than ever. That said, as organizations continue to realize the financial impact of COVID-19, many CISOs are facing budget constraints and a growing workload (especially in healthcare). More than a few CISOs had an incredible workload even before the pandemic. Then, when it hit, forward progress stopped as we pivoted to address the immediate needs of a remote workforce and, in the case of healthcare, major initiatives like telemedicine. Our prior work was put in backlog and we fell even more behind.
So what do we do? As Reg states, this could be the best time to “hit the reset button” instead of continuing the uphill battle of trying to get everything done with even less time and money. While I don’t disagree, I think how much you need to reset depends on how much COVID impacted your program and what you had on your plate prior to the pandemic. In my case, we happened to already be on a path largely focused on initiatives that would support a “perimeterless” security model, a remote work experience, and modernizing our identity and access management approach. Don’t get me wrong, we faced challenges that we never anticipated, but many of these prior initiatives are more important than ever and we’re working hard to accelerate them, not stop them. However, if there are projects on your list that you feel are no longer relevant or a priority, there is probably no better time than now to garner support to reprioritize or reduce workload.
Automation can also help with gaining efficiencies – it’s something I’m certainly leveraging too. But, automation should only be used to make good processes faster. Automating a bad process only results in getting poor results quicker. Automating a good process can free up resources to allow you to do more with less. But as Reg states, it’s not always about doing more with less…it may be time to consider just doing less. Take a look at your spend and see if you can identify things that aren’t providing enough value to justify a continued investment. Take a look across your product portfolio…do you have a bunch of Cadillacs when Toyotas will do? This isn’t about diminishing the importance of security, it’s about investing in what matters and maximizing value.
Along those lines, Reg also mentions the concept of calculating ROI for your investment. Depending on the investment, this could mean looking at the value of risk avoidance (e.g. for DLP) or speed to market (DevSecOps). I agree that we have to look for various ways to put our security program into financial terms that the business can understand. One of the ways I have approached it is by calculating per-user security costs. Consider things such as training and awareness expenses, user-based software licensing, user-issued devices, etc. This data point can help with budgeting security costs relative to org growth and can also put security spend in context relative to other per-user costs. If you’re now also furnishing new equipment for at-home workers, these costs may go up and you should be prepared to demonstrate the financial impact to your security program. Bottom line, think through your spend in whatever context is relevant to you and the business and see if you can demonstrate an equal or greater value from it. If not, you might consider shedding it and investing elsewhere.
Another topic discussed in this edition of Virtual CISO was reducing the complexity of the security product portfolio. As Reg puts it, you can continue to support a portfolio with many different vendors, or you can have a “single throat to choke”. And, he points out, complexity adds friction. In my experience, those that tend to gravitate towards best-of-breed will naturally have a more diverse portfolio of one-off solutions. In today’s climate, I think it’s appropriate to ask yourself whether that complexity, friction and the added costs are worth it.
Portfolio rationalization was another initiative I started about two years ago with a focus on removing unnecessary redundancies and shifting certain capabilities towards more of a “platform strategy”, investing in technologies that could serve as centralized ecosystems for other products to “plug in”. This approach can help reduce recurring capital investments and simplify management and integration overhead. While it might not always get you the product at the very top right quadrant (for those that subscribe to that approach), you should consider when you can skip the “best of breed” and make do with “good enough”.
And that leads into the last point I’ll cover from the podcast which is that you shouldn’t do more than you have to when it comes to managing risk. As CISOs, risk management drives a lot (but not all) of what we invest in. In those cases, there are diminishing returns and, once you’ve adequately mitigated a risk, every penny more that you spend is likely wasted and better spent elsewhere. Of course, each organization may have a different risk appetite, but once you’ve met that, anything else is overengineering and overspend.
Reg touched on other points such as the importance of data classification and I highly suggest you give it a listen.
Embracing Constraints
LISTEN: Lead to Win: Unleash the Power of Constraints
In this episode, Michael and Megan discuss how boundaries and constraints can actually create freedom and new possibilities.
One example is the importance of self-imposed constraints around your workday. I certainly have seen my day extended on both ends since March. There’s no longer that clear separation between work and home that was previously defined by a commute. When there is no clear delineation between work and home it’s far too easy to stay plugged in longer than we should. In a day filled with remote meetings, it’s also far too easy to lose control of your day if you don’t manage your time. My day has easily extended by two hours and much of it is simply not productive. From conversations with others, I’m pretty confident I’m not alone here.
Michael and Megan also discuss ways to leverage outside constraints and use them to your advantage. I’ve always looked for ways to turn unforeseen obstacles into opportunities, so I found this topic interesting. While I didn’t get a lot of tangible examples that I could easily apply in my current professional situation, perhaps listening to it will get you thinking about how you can turn some of your current constraints into opportunities.
Learning From A Proven Leader
LISTEN: Conversation with Darren Dworkin, Chief Information Officer at Cedars-Sinai
Darren has been a successful Healthcare CIO for years and I found what he’s doing at Cedars-Sinai very interesting – particularly his work with startups in the healthcare space via the Venture Fund program he leads. He also discusses how his IT projects are business (not technology) driven and how he positions IT to make recommendations, not decisions. A good listen for anyone in healthcare IT.
Continue the Conversation
I enjoy connecting with and learning from others, so reach out to me on LinkedIn and Twitter.
