The Cyber Security Podcast from PwC UK: What’s on the minds of CISOs? New responsibilities, future risks and hiring talent

Subscribe to our cyber security podcast series

The Cyber Security Podcast from PwC UK covers the latest developments in cyber risk, resilience and threat intelligence. In each episode we’re joined by special guests to give you practical insight on how to improve your cyber security and create a more resilient business.

Subscribe to our podcast on:

Transcript

Introduction by our host Abigail Wilson: Hello and welcome to this episode of The Cyber Security Podcast from PwC UK. Today, we are looking at the changing role of the chief information security officer, or as it’s typically known, the CISO. I’m excited to be joined by two guests with a wealth of experience on this topic. Kevin Storli, CISO for PwC UK; and Phil Venables, CISO for Google Cloud.

Kevin, Phil, it’s great to have you in our virtual studio.

Kevin Storli: Thanks, Abi.

Phil Venables: Thanks, it’s great to be here.

Before we dive into our discussion, I understand that a CISO’s responsibilities can vary across organisations. For our listeners, can you tell us what the role of the CISO is, and what this role entails? Kevin, it would be great to hear your thoughts first.

Kevin: Thanks Abi. If I could summarise it, I would say that the CISO is the trusted advisor. And what that means is, he’s looking at security from a risk perspective so he plays a little bit of a chief risk officer role. He is also playing it from a technical perspective. How he responds to incidents, how he looks at threat intelligence, how he implements technology within an organisation, but he is also, I equate to chief learning. How do you educate the organisation on the threats, the pitfalls, what not to do, how to be secure, but also driving the change. So he also becomes the change officer in a lot of ways, because security is always ever evolving and you need to constantly drive change throughout the organisation, but ultimately to me, he or she becomes a trusted advisor to the executive board.

Phil: Just building on that, I think that’s right. The other thing as well, and you hit this in the question as well, the role does shift depending on the organisation you’re in, and the industry you’re in, as to whether you are focussed on product security versus the protection of the assets of the corporation. It also varies across sector, depending whether you are in government, finance, energy, healthcare, telecoms, there’s all sorts of different nuances to that role. I think increasingly as well the CISOs are picking up more than just classic information in cyber security and they tend to now also include many other risks that they oversee, including many other technology risks. But I think the main responsibility of the CISO, as Kevin says, is really to be a trusted advisor and the focal point for the information protection programme for the organisation.

Thank you both for summarising. We often talk about the role of the CISO in an abstract way, so it’s great to hear your perspectives. So a good place to start our discussion would be to hear a bit more about yourselves. Over the course of your careers, how have you both seen your role change? Phil, why don’t I come to you first.

Phil: Like a lot of people of, should I say, of my generation a little bit, having been around for a number of decades didn’t necessarily start and go into a CISO career track. A lot of us have come through engineering and related backgrounds. I had my first CISO role 25+ years ago, when it was mainly focused purely on IT security and very engineering centric. And certainly over the years, I’ve seen my role change quite significantly, to include more engagement with business units on matters of business risk and strategic risk for the company. And also, as I mentioned in the review of what a CISO does, also included a lot of other different types of operating and technology risk.

And so I think the role has changed for a lot of people over the years, to just become a much broader part of how the overall enterprise manages risk, not just how the technology risks are managed.

Kevin: Yeah and from my perspective, I entered security through more professional services. So, a lot originally from a pen test perspective, then really dived into identity and access management, and specifically around the implementation and deployments of those technologies. Then shifted into a CISO role and as Phil has said have seen the changes as the CISO role had traditionally been within IT and how it shifted to become more mission critical, in changing to reporting to the COO, or potentially to the CFOs in certain organisations, and now even to the CEO directly, but I also see the evolution and the change, combining the CISO role with a broader technology role. So for like myself, I play the PwC UK CISO role, but I also have a global CTO role and I do see that there will be more changes to this kind of hybrid role going forward.

Abigail: Thanks, it’s really interesting to hear how both of your careers in cyber security, and of course roles as CISOs have been quite different. We’ve discussed in earlier episodes of this podcast, what organisations are doing in the wake of the COVID-19 pandemic. And our own research has shown that they are focussing on business resilience and strategy. It sounds like CISOs are going to need to be more involved in these conversations moving forwards.

As the role of the CISO evolves, how do you think they can find a balance between shutting down security risks, which has been their focus historically, and enabling the organisation to achieve its goals and of course deliver these commercial benefits?

Phil: I can kick off on that, I mean it’s kind of interesting, I think many chief information security officers, especially over the past few years have also added business resilience to their remit and the portfolio that they cover. I think that’s a healthy thing, because there’s a lot of trade-offs to be made in many cases between resilience and security. And so I think having the CISO drive resilience as part of broader organisational preparedness, and certainly again, in organisations that had to do a lot of work to transitioning to more flexible and remote working during COVID-19, required a huge amount of support from the CISO to make sure that they were doing that in a secure way, whether its promulgating more depth of remote access, or more video, or more digitisation of business processes to interact electronically with customers rather than kind of physical presence.

The other thing as well is, before and through that, it’s been very clear the role of the CISO and the wider team in delivering these adjacent business benefits of helping the business, and in fact the entire enterprise digitise, to enable them to still connect electronically with the supply chain with customers to reduce that dependency on physical presence. And I think as you look back over the past year, and all the years before that in preparing, you see many successful security teams, who’ve really added a lot of value to their enterprises to help them transition through the past year. It’s been great to see a lot of CISOs really come to the fore during this time.

Kevin: I would echo exactly what Phil said. The pandemic has accelerated the digitisation of the processes and the businesses, and as such you’ve seen the CISO become more at the forefront and really moving into that front office space and embedding security by design in everything that they do. I think it’s important because you shouldn’t really differentiate the front office and back office anymore and the CISO needs to have oversight in both areas, because at the end of the day, if something happens in either back office or front office, it's all brand damaging and so it's great to see how the pandemic actually accelerated the importance of the role of the CISO.

And circling back to how the CISO role is becoming elevated within organisations, do you think CISOs are always ready for the step up in responsibility that comes with this increased profile?

Phil: I think in many cases they are, because I think either CISOs have been hired at an executive level. So certainly now, when you see an organisation either develop and promote from within or hire from the outside, they’re hiring an elevated executive level, and so those candidates are being assessed and often being interviewed by the CEO, the CFO and key board members, as well as all of the risk and technology teams. So I think they’re being prepared and assessed for that. I think for a lot of other CISOs that have grown up through the organisation progressively over many years, I think they’ve sometimes had to fend for themselves. And it’s been kind of by force of personality that they’ve got their seat at the so-called executive table. Or they’ve got that through just long-term adding value to the businesses that they support, but I think now there’s no question that for most major corporations, and especially for critical infrastructure industries, its unquestionable that the CISO is not just C-suite in name, it's actually in their action and their positioning in the organisation as well, which I think again is very healthy for organisations.

Kevin: Absolutely, as the role becomes more critical, you’re seeing the evolution and the leadership filling in, and the talent that’s filling into the CISO role. I would say, and I read this a while back, but one of the studies that I read was, grit is one of the greatest indicators of success. And I think to be successful in the CISO role as it gets elevated, the individual is going to have to show tremendous grit because at the end of the day, security is a natural friction to the agility of the organisation and how they’re wanting to accomplish their goals. And so again, there is going to be a lot of diversity as part of this process in what they have to face, and again the CISO just has to demonstrate the grit to get along with it.

Just to delve deeper into skills briefly, which Phil is an area you mentioned in your last response. Can I ask you both, when you are hiring, what do you both look for, especially as you currently work for very different organisations, and what types of skills do you think CISOs need to recruit for their teams over the next few years?

Phil: I mean there’s a base level of technical skills required. So I think it’s long since gone where the CISO is a purely technical role. As we’ve talked about in some of the previous questions, the CISO is as much a business leader, as a technical leader, but having said that, many of the issues, and many of the challenges, and many of the risk mitigants are technical in nature, especially as all businesses have become digital businesses. And so there is a base level of technical expertise and security expertise that I think CISOs absolutely need to have, but beyond that, the real skills that differentiate security talent and risk management talent at all levels, not just the CISO, is an ability to be curious to have an innate curiosity to look around corners, to spot the failure modes of things, to look for the pressure points in organisations, and again not just technically, but process and cultural.

As Kevin was saying, it’s that grit and persistence that sometimes major organisational change and implementing new types of control, require a degree of persuasion and persistence that you don’t always need in other roles, and that again is important.

The other one is to also look for low ego. This is one of those things where at some level it's tempting to have a high ego, highly opinionated person in the role, but at some level, the most important part of the role is for them to have a low ego, be highly collaborative. To in many cases let some of the other leaders in the organisation take the credit for a lot of the improvements, because that’s improvements in their business, in their area. That degree of the ability to partner and share the credit for things as well as sharing the work is key.

And the final thing I would say is, in many cases, you’re not going to find the perfect candidate for every role. It’s important to actually recognise that in many cases you have to hire people, and train them, and develop them to fill in the gaps, but what you’re really looking for is their trajectory and their ability to do the role as it evolves, not necessarily to fit 100 percent of the criteria of the role as it stands, because I think if you do that, you end up never getting anybody. And often, I think we all look back in our careers, and look at the people we’ve hired and developed, and some of our best people in some of our most critical roles weren’t necessarily the ideal person for that role on paper, but we recognised their innate skills, trained and developed them, and then they became world class in that particular area, because you recognise their trajectory.

Kevin: I see eye to eye with Phil on exactly his response. When I was thinking through this, we typically, because there is a tremendous skill shortage right now in the cyber security market, and you can’t always get the best technical skill sets or the best risk skill sets that are out there. We really kind of fall upon, I call it the ‘kash’ model, knowledge added to skills and habits. And kind of going back to what Phil was saying is that, we always want somebody that can come in, as he said curious, always learning, can pick things up quickly, demonstrate great judgement, is disciplined, can fit into the culture, doesn’t have the huge ego. And we can always teach knowledge and give them the knowledge and give them the right skill sets, but that’s how we’ve approached it too, is we want the right individual that can grow with us, that can learn. But at the end of the day, be accountable and being able to pick things up quickly and become a leader, and that’s what we look for as well.

Phil: And the interesting thing about this, I’ve found is that sometimes your best security people are already in your organisation in another part of the IT or business risk groups. And certainly, over the many roles I’ve had over the years, some of the best security people we’ve pulled out of application development teams, or infrastructure teams, some of the best risk analysts we pulled out of business risk teams, and then cross trained into infosec, tech risk, and cyber, and again because they had the innate skills. The other thing I have found useful as well, and I won’t mention the name of the product, but it’s a security training company that takes a gamified virtual lab approach to training. In one of my prior organisations, we essentially deployed this training, simulated lab environment across all of the technology organisation. And often the people that were high on the leaderboards of these cyber security games, were people from the wider technology organisation, not actually in all cases the information security team.

And so that turned out to be a great recruiting ground for pulling people off the leaderboards and transitioning them from tech into the infosec team. So again, recognising across the board that in most of our organisations even if we are short of talent in the infosec team, we’ve probably got a lot of innate talent in all of the other teams, you’ve just got to find them.

Abigail: So it’s clear that CISOs are really thinking about what skills and training they will need to support them, but of course risk continues to be on their minds. We know that risks linked to the cloud, for example, have been a consistent area of focus over the last few years. Phil, it would be great to hear your thoughts on this.

As more organisations move to the cloud, as we know this is often a major part of the security transformation, what risks do they need to be aware of?

Phil: It’s becoming the case now where I think as all of the cloud providers, especially the hyperscale cloud providers like us and Amazon and Microsoft, and a few others, have really gone past that economy of scale now, where they’re of such a scale that the cloud providers are able to embed a level of security and resilience in the cloud that very few, if any organisations now can sustain. So there is a much higher level of default security controls, whether its encryption, whether its trusted hardware, massive levels of resilience, massive levels of network connectivity, the ability to implement multiple different resiliency models. So as a result of all this, I think a lot of organisations are starting to see cloud as less of a risk in and of itself and more actually as a risk mitigant, it’s their means to increase security and resilience compared to what they’ve traditionally built on-premise. And that’s not because they didn’t want to build those higher levels of default controls, like encryption everywhere on-premise it’s just that the on-premise legacy technologies don’t necessarily have the capability to do that.

So I think a lot of organisations now are seeing cloud as an opportunity to modernise their technology, and in doing so, use a higher level of security default, but having said that, we all see the headlines where customers in various industries misconfigure their environment and leave storage buckets exposed, and so on. And I think one of the things the cloud providers, and this is something we’ve talked about, is the transition from shared responsibility to shared fate. I think the cloud providers are increasingly seeing it as an increased role for them, to reach across that line of shared responsibility and be much more actively supporting of customers, and raising the bar on secured defaults. For example, we default encrypting everything, we default various different lockdowns, so it becomes harder and harder for customers to misconfigure things, but it’s certainly always a, as you transition to the cloud, you’ve got to establish the right governance, the right standards to do that.

And again, the way we think about this, is we often talk about defence in depth from attacks. It’s also really important to think about defence in depth from configuration errors. And a lot of the controls and the support we give to customers are in the recognition of that, but on balance I think now people are recognising that the move to the cloud is not just an opportunity to digitally transform their businesses, it’s an opportunity to step function, and increase their security and resilience.

Kevin: Cloud is definitely becoming one, and going back to the agility and resilience that Phil was talking about, a lot of organisations, especially as we’ve gone through the pandemic, are moving infrastructure and applications to the cloud. That’s where we saw a lot of the growth in the huge cloud providers, such as GCP and AWS and Azure.

From a security perspective, I think I would summarise it as two major things I think, visibility and control. And the problem with visibility is that, because cloud is so accessible, anybody with a credit card, can basically go create a subscription, and develop and deploy assets into a cloud. And so we don’t always have that visibility, and I think that’s one of the biggest struggles that we have to work against, and then the control aspects of it. Most likely you are going to go into a public cloud environment and how do you actually control the data that’s in there, going back to what Phil was saying as well, ensuring that the proper controls, and configurations, and settings are in place, but demonstrating the consistent control across such a broad cloud estate, is something that’s going to be top of mind for many CISOs going forward.

And staying with risk, we also know how the supply chain can also be a source of concern for CISOs. President Joe Biden has recently announced an executive order on improving America’s cyber security, which includes strengthening the software supply chain, which will likely have global ramifications. As CISOs will need to respond to this, what steps can they take to ensure that their software is secure?

Phil: I think they’ve got to split software security into two things. First, exactly as you described, a focus on the software supply chain of what external components from vendors or from open source packages come into your software and making sure that has integrity and the right provenance, and you understand where that comes from. Then secondly, it’s the software security programme that looks to make sure the software you are constructing is as free from vulnerability as you can possibly make it. I think those programmes of risk management around software are obviously highly interconnected, but often the processes and the tooling to address them can sometimes be different.

The other thing within the software supply chain, is it's really important to have a framework for thinking about this. And so I’ll give you an example, this is something we at Google publicised recently, called SLSA. This stands for supply chain levels for software artefacts. So if the listeners search for SLSA on GitHub, we published an open sourced framework, that’s based on our internal experience. Google have had a managed software supply chain risk over many years. And it gives people a structured framework, again its open sourced so that people can take it, adapt it. I’ve had to think about mapping the software supply chain and looking at the controls that are required at each step, and ultimately you really want to have knowledge of where the software came from, you want to have a so called hermetic and secure build environment so that you have confidence that the software is being built purely from what you input into it, in terms of source code, and then the output of that results in signed artefacts that your run time environment will only run approved and authentic software that comes out of your secure build environment.

One of the things that you see across the industry is many groups and companies, proposing solutions to resolve software supply chain risk, and I think everybody needs to be careful to watch out for solutions that just address one part of that whole stream of controls that are necessary.

One of the reasons we published this work was, again its open sourced, based on our experience, it’s not aligned to a particular product, but we published that so people can have a resource to really think about this problem end-to-end and not necessarily fall into the trap of only implementing one part of the control framework that’s necessary to mitigate software supply chain risk.

Kevin: And I would add that this should be looked at in various different ways. Number one with the development of software, as Phil had touched upon, just recognising what tools are being used for development, but also very important where the actual code is being stored, how many different code repositories that you might have and securing those repositories as well. Obviously number two is, how do you embed secure development, ensuring that we are not reactive going forward. A lot of the traditional ways of looking at software development and securing the software stack, had always been ‘well perform the pen test’ and ‘do a code review’, but there is definitely a shift now where you need to embed a lot of those controls as part of a dev-ops or CI/CD pipeline. And that's the next evolution of where we need to look at security, ensuring that we are again proactive rather than reactive in that approach.

And I would say lastly as you look at trusted software in your environment, I think a lot of organisations will have to start going down the path of zero trust and looking at the fact that you are always in a breach state and you have to assume that a lot of these suppliers such as a Solarwinds are going to have access into your environment, and to ensure that they have the minimum amount of access, that your network is segmented in a way that if they were to breach through that vendor, there is minimal impact and blast radius as a result of that breach.

Outro by our host, Abigail Wilson: Although software supply chain risk is only one area of a CISO’s responsibility, it sounds like they have a lot to think about and reflect on. It’s of course been great talking to you both about this today, and thank you for sharing your experiences, and of course what has happened over the course of your careers and how the role has changed. I’m sure our listeners would have found it useful. And to you, our listeners, if you would like to find out more about how you can tackle the latest cyber security threats to your business, please visit pwc.co.uk/cybersecurity, and don’t forget to subscribe to receive future episodes of our podcast. See you next time.