Time: 59 minutes
Difficulty: Advanced
CEU/CPE: 1

Video Transcription

00:03
Hello, everyone, and welcome back to 12 Competencies of the Effective CISO. So, competency three, business,
00:09
uh, with Ed Amoroso. Just really looking forward to this. Take it away.
00:17
Thanks, Leif. Hi, everyone. I see people still
00:21
logging in here. Looks like a little popcorn thing, people jumping on, so we'll give it 30 seconds or so. But this is the third in our sequence. Amazing how quickly it goes; we've gotten two done. And
00:35
we're up to number three in our
00:38
CISO competencies,
00:40
and today's is all about learning the business. Um,
00:45
you know, let me tell you a story. Back in the 1980s, remember Bell Laboratories? There was a group run by a guy named Al Fredericks. I knew him because we both taught
00:56
at Monmouth University. For a while, I was teaching software engineering,
01:00
and, um,
01:00
he was running a group called Reliability Engineering for networks.
01:07
I remember thinking that that was an unusual
01:10
thing, that you would have reliability as a separate
01:12
kind of group, and ultimately it got merged. It didn't make a lot of sense to have
01:18
a reliability group,
01:19
you know, separated, and eventually they didn't have a group; there was a large organization. Then I remember in the nineties
01:26
watching
01:27
organizations that were created in a lot of businesses around quality. Remember that? You'd have a,
01:34
like, a quality master,
01:37
and he'd sit around and try to be more Japanese and, you know, have
01:42
these processes introducing quality to your product after you built it, and that didn't seem to work out too well either. Eventually it folded into
01:52
needing quality from within, given a time. Is it possible to get the mute button? Yeah, that's great. That's great news. A little bit of noise there.
02:01
Um, if
02:04
today we live in a time when I think it's considered perfectly normal
02:07
to build something or to join a business or to become part of something and then overlay security onto it,
02:15
and I don't think it worked for reliability, I don't think it worked for quality, and I don't think it works for cybersecurity either. I think,
02:22
if you want to protect something, if you want to be effective at dealing with,
02:25
um, meaningful and advanced cyber attacks, cyber threats, it has to come from within. It can't be something that you overlay, and that will in essence be the topic that we'll spend some time on today. I have some material I want to take you through.
02:40
We've got the third part of our case study, and then I have my friend Howard Israel,
02:46
who we're going to interview in the last 20 minutes or so. Howard's awesome. He's got government,
02:51
he's been a CISO, he does consulting work. He's kind of been all over the place, and he'll have some really
02:57
interesting
02:59
perspective for us on this issue of when you're trying to protect something.
03:02
How important is that something? Because he's done it all, and he'll have some meaningful guidance, I think, for all of you.
03:12
Now, um,
03:14
let's read, in a sense, the
03:16
way I'm starting these, with kind of a statement. I think these 12 statements, I hope, are somewhat
03:23
meaningful. I try to make them
03:24
the kind of thing that, you know, you tape up on the wall. So, basically: the effective CISO maintains domain-specific expertise. Now, that's gonna be something we're gonna spend time on today.
03:38
How important is it for you to understand business ops and methods, functions? Or can you just roll your truck in and be a one-size-fits-all CISO? It is a point of debate in our industry. It's something that I suspect a lot of you will have some sort of opinion about.
03:58
I think you'll see what my opinion is.
04:00
It shouldn't surprise you that, for someone who stayed
04:03
31 years in one place, I think some domain specificity in your expertise
04:10
is meaningful. But I may be wrong. We're gonna look at a few different models here and try and understand what,
04:17
you know, what would be the optimal means for doing this. Now, I think that it turns out that there's really three
04:25
approaches that any of you listening, any of you participating with us here, might take. I wrote CISO, but it could be any security
04:33
position in the organization, whether they're running incident response, they're doing forensics, or doing any of the things
04:40
that we all do to protect the enterprise. There are three kinds of approach that you can take
04:46
to the business that you're part of. The first is, you can say, I have my generic concept,
04:54
but what I do
04:56
is, I can tailor it
04:58
from one place to the next. I just, you know, I have my approach. There's some things that are similar. It sort of doesn't matter what the business is. I can go to a bank. I can go to a retail company. I can go to a transportation firm. I could even go to government. And as long as I tailor a little bit,
05:16
it's okay. One approach. And I'm gonna show you a very famous executive
05:21
who had that general concept. I first learned of him many years ago. I remember reading a case study on him in business school at Columbia.
05:31
Um, so we'll talk about him and we'll talk about the pros and cons of that approach. And I bet that sounds familiar to a number of you in our world in security.
05:41
We all know that we're all just, like, one hack away from getting fired. It's not fair, but it's the way we're treated. People view us as unfit for any other job in the organization. They feel like, oh, those weird security people, um, and hence we all stay very close as a community.
05:59
And if you get fired, it's easy to get another job, and it's not unusual to see somebody first working in a bank and then working over here and then working over there, and they take their generic approach from one to the next. We'll talk about the pros and cons there. The second is the hired security gun.
06:15
That's where you are really good at a thing
06:18
and you're there for a specific purpose. You're there because there is a weakness and you're being rolled in. Maybe you're a compliance type. You're joining an organization that's having significant regulatory issues. So you're brought in, and it's that capability, the one thing that you can do,
06:39
that is important. I'm going to show you an example of somebody
06:42
who embodied the right way of doing that.
06:46
And then we're gonna look at kind of the more common thing we see in cyber security, which is
06:53
the domain-specific CISO or security expert.
06:57
You know, we'll look at the automotive example, and again we'll look at the pros and cons. I'm gonna take you through some typical sorts of questions that these people would ask
07:06
in the context of their day-to-day work. And then finally, we're gonna talk about, look, I rigged it here with all these nice, soft words: integrated, involved, committed security executive. I'm not trying to bias the thing. I'm just saying that if you do stay in one place, you're gonna learn it more. You might hate working there,
07:25
but the longer you stay, the more you're likely to understand, and probably the better protected. Now, you might also, the longer you stay, you might be less willing to look at new approaches. You might be, you know, dug into one ditch, you might be
07:41
focused on one approach you always do, and you're not open to new ideas,
07:45
concepts. I get all that. You could be totally in a rut,
07:48
and that's probably the biggest con to staying in one place and kind of learning the environment. You might just be in a rut. So, these are the three approaches I've seen in almost four decades of staring at cyber security. We'll go through them. So first I want to take you through this guy. His name's Harold Geneen,
08:07
and that book there is a
08:09
good one.
08:11
I have a lot of respect for Harold Geneen, but I think it's a terrible book,
08:16
and sometimes, you know, I've been teaching a long time, and people will laugh when I'm recommending terrible books.
08:22
But I don't mean terrible in the sense that it is written badly or that it's not entertaining.
08:28
I consider it terrible because I agree with stuff he's saying in there. Like, look at the cover picture of him sitting there in the chair.
08:37
He's got his paperwork. This was a tough, no-nonsense business manager who ran a conglomerate,
08:43
and what conglomerate means is, look at the picture here on the right from Fortune magazine, my gosh. These were all companies that were part of ITT in the seventies while I was still in high school: Canteen, Avis, Levitt, banking,
08:58
Hartford, and these ITT companies, remember ITT meaning telephone and telegraph. So it had that; it also had the Sheraton, you know, the hotels, which got spun off. That was 30 years later, but
09:13
the idea was, Geneen's concept in his book,
09:18
and by the way, he says the purpose of managing is to manage, which I, as a computer scientist, I don't like. I don't like that definition; that seems so circular to me. But he meant results. You're there for realities, *** it. And he was a tough dude, and you brought the numbers in. And that was the idea. If the numbers were good, it didn't matter. But his feeling was,
09:37
you could manage Continental
09:39
Baking and Hartford and Sheraton
09:43
the same way.
09:45
So HR is the same,
09:48
finance is the same. They didn't have IT, but like computers and electronic data processing,
09:56
they would have called that, they're all the same. Sales, the same. Management, the same. Reporting, the same.
10:03
The boardroom, the same. You wear the same clothes. You put the tie on, you read reports. What the hell's the difference? That was the concept,
10:11
and very popular in the seventies. And what was different? IT was different, and the customers were different.
10:18
And certainly the, your solution to their problem was a little different. Technology was different. The evolution was different.
10:26
And for me, I think this is the most important thing: if the customers are different,
10:31
I can't think of anything
10:33
that would separate two organizations more than having, you know, fundamentally different customers with different purposes, what they believe in. But nevertheless,
10:43
this was the idea.
10:45
And he would have said that cyber security
10:48
could be done the same for all these companies. And look, I'm suggesting that there's a lot of you on this call, 'cause it's a big group today,
10:56
that would agree with that. And maybe you're right. I'm not certain I'm right. I'm just saying that that idea that,
11:05
you know what, cybersecurity? Yeah. You build a set of policies, acceptable use policies, and
11:11
URL filtering, and two-factor authentication. What's the difference? You're in a university, you're in a bank, you two-factor. You're in a, um, insurance company or retail. What's the difference? A few things, a little different. I don't worry about card readers
11:28
in a university; I have to worry about that, you know, at Home Depot. But
11:33
for the most part, this guy, Harold Geneen, would have said, would say, all the same.
11:37
Um,
11:37
here are the questions that a person like this would typically ask. Like, when you go to a review with somebody like this,
11:43
he'll ask a question like, how was this decision made?
11:48
It's a very generic question. I could ask it of you, say, whether you're briefing him on ITT or Sheraton or one of the banks; it doesn't matter, I can ask that question. It's generic, and I can do that in cybersecurity too. You could be the type of person,
12:03
you can ask generic questions like, what is our policy? Are we enforcing it? You know, that kind of thing. Or here's one: what were the major obstacles? And I bet some of you recognize these questions from one-size-fits-all managers you may have had. You've had people who become your supervisor.
12:20
They roll in, and they don't know anything about the team. They may not even know anything about the company, and the first thing they say is, tell me, what are the major obstacles? And, you know, they don't know anything more than to ask that general question. But
12:33
it might be an awesome question. Maybe nobody's even asked it before,
12:37
you know, it could be that this is exactly what you need, an outside perspective coming in. Or, what metrics are you tracking? Are you meeting your goals? Again, these are non-domain-specific points that could be made.
12:52
Um,
12:54
who are your key contributors and are they happy? A very common question that might be asked
13:00
in the context of a conglomerate. And then finally, how can I be more helpful to your success? Let's face it, people who roll in in this kind of context are tailoring
13:11
what they bring to your environment. So they are gonna make an effort
13:15
to tailor the generic concept to your more specific environment. So a CISO that decides that you want to be able to move from one domain to the next
13:26
had better be good at things like this.
13:30
You might be in a chemical plant,
13:31
and you might not even know how to balance an equation.
13:35
You know, a chemical equation, and you're there dealing with PhDs in chemistry who are making things that could blow up the earth.
13:41
And you're asking them about, you know, uh,
13:45
who are your key contributors, and are they happy? You know, you don't have much depth there, but you do learn and you do tailor.
13:54
So, pros and cons to this kind of thing. We're gonna look in our case study today;
13:58
you'll see that we put our hero in a situation where
14:03
she's talking about one of her friends who takes a job in a very domain-specific area and has a real challenge there. So we'll come back to this in a minute.
14:13
Now, over here in the bottom left, you'll see Lou Gerstner. Gerstner,
14:20
I think, is one of the better executives we've seen in the last 40 years.
14:24
Gerstner had been in the consulting world, and IBM brought him in
14:28
at a point where they had not only reached the top of their S-curve for things like this. Here's an old IBM 370. I love this picture, this nerdy dude, for two reasons. One, he's nerdy, and look what he's doing. But second, I would probably wear this, and like, it's funny how men's fashions from the sixties, seventies, eighties, nineties,
14:48
he's wearing probably what I would have on
14:50
today to lecture to you. Probably had the same glasses,
14:54
maybe a little different keyboard, monitor here, but it's so funny. But what Gerstner did was, when he came in to IBM,
15:01
he,
15:03
it was, he was there to be the hired gun. Let's go back here. Remember, what we're looking at here now is a hired gun, here for one specific purpose.
15:15
Lou Gerstner, hired gun by the board: break up IBM. That's what he was told.
15:20
Get in there and break the place up; it's a mess. You're good at that. He had specialized in that,
15:28
and he came in and started, you know, essentially measuring the landscape, visiting around. Everybody knew why he was there. But as IBM explained to Lou Gerstner what they had, you see this thing up here on the right? This is a diamond in the rough, a picture from the Internet somewhere.
15:46
Um, he found a lot of diamonds in the rough, and in particular
15:50
he found their global lifecycle management teams, a.k.a. white-shirted,
15:58
you know, tie-wearing salespeople, men and women,
16:03
um, who were amazing, who knew their customers, who were embedded in the environment of business, like, who are intelligent, hardworking.
16:11
Problem was, nobody was buying mainframes anymore. You know, they were buying PCs, and the world had changed so much
16:18
into the nineties that Gerstner,
16:19
you know, originally was there to break it up. But he looked around and said, my goodness, we've got an amazing business here,
16:25
and essentially created IBM Global Services, which is what drives the company today. He went in for a specific purpose and realized
16:34
that he had to adapt. He found these diamonds in the rough,
16:40
and IBM is a strong company today. I still don't know how many of you either work with or for, or around, IBM's ecosystem, but I've always considered it a fine company, but maybe no stronger than it is right now, with
16:55
emphasis on cloud, emphasis on AI. There would be no IBM if it weren't for this hired gun who'd come in, and rather than just stay on track with what he had been hired to do, he was a flexible enough executive to adapt to the situation and create an environment in IBM that I think has been pretty good since.
17:14
Now let's get back to cyber.
17:15
This is the classic kind of concept. Here is a pretty decent book here on automotive cybersecurity. There's a few,
17:22
um,
17:25
look, here's a CAN bus.
17:26
Um, you know, this is the kind of thing that you look at
17:30
when you're examining automotive architectures. I read this stuff because I think it's fun. And I've seen the power of having a cybersecurity expert
17:42
in a car company. You know, there's some really darn good ones. General Motors has got a pretty good one.
17:48
Ford and other companies have really good cybersecurity executives; these are product people. Maybe you might know Jeff over at GM, Jeff Massimilla, and others. These are people who are brought in because they have the ability
18:02
to do not just the security work, but because they get all this. If somebody shows you this diagram and says, look, here is a
18:10
low-BW proprietary control-centric, the high-BW standards-based data network for streamlining
18:18
an automotive E/E architecture,
18:21
I'm kind of hoping maybe you had a little bit of training
18:25
in industrial design or automotive mechanics. If you don't,
18:29
you're gonna have a little bit of trouble because you're just not gonna follow what's going on. You're not gonna know what a powertrain is. You're not gonna know what a chassis is. You're not gonna know the difference between infotainment and so on and so forth.
18:41
These are specific things that are necessary. It's not an easy thing to be a generalist and just walk in and say, oh, I used to be in a bank, but yeah, I can apply what we did in banking to this automotive backplane. That's utterly ridiculous. If you do that, here's what happens.
18:59
There's the picture of Mr. Charlie Miller and his partner,
19:03
you know, hacking that minivan in St. Louis. Remember, the article came out in Wired. By the way,
19:10
um, I thought that was about as irresponsible a thing as I'd ever seen. Look, Charlie Miller is amazing,
19:15
and I'm for white-hat hacking, but that hacking could have been done on a road track. Instead, it was done on a live highway.
19:23
And if it were me, I would have arrested all of them, because you could have killed somebody for sure. You drive a car off the road. Here, this is, you know, somewhat off the terrain; it's behind this building. But if you read the article, they were out on a live highway for a portion of the testing.
19:40
Um, if they'd done everything in a parking lot, I'm for that. That's why I showed this picture, because I think this is a responsible thing, but
19:48
being out on a live highway, don't do that. But nevertheless, these are, you know, fantastically talented hackers.
19:55
And if you want to be able to stop Charlie Miller,
19:59
you better understand this stuff. You can't be a generic, just kind of roll in and, you know, apply the stuff I did in, you know, five other places. Why do I really need to know about cars? What's the big difference? Well, there's a big difference. This is what you're up against. These guys are smart.
20:17
They're probably as capable as
20:19
any human beings at tampering with technology. And if you want to go up against them, you better be *** good. Here are the kinds of questions you're gonna be asking if you're this sort of person. And notice,
20:30
I italicize "your" expert. So when you roll in as a hired gun,
20:36
you usually don't feel like you're even part of the team. It's like, who's your expert on DNS?
20:41
You know, and I picked DNS as the example because that's something that's universal across all companies. There are always gonna be DNS issues that matter. I don't need to know about your corporate database, but you're gonna have to deal with DNS. Or, what are your policies for identity and access management? And the emphasis is on "your".
21:02
We're back here. Remember,
21:03
how was this decision made? Much more detached, much more cold. And then at the bottom, how can I be more helpful? See, there it's tailoring generic. This is not tailoring generic. This is you rolling in.
21:18
You're basically, you know, there's another one: what were your compliance issues over the past three quarters? Also, not the last three decades.
21:26
You're going to tend to have a very short-term focus when you roll in to make sure that the next generation of, you know, autonomous vehicles
21:34
are free of security issues. You're not there to make the culture better. You're not there to make the company great for the next 20 years. You're there to make sure that these guys can't drive your car into a ditch. You get points. So again, very tactical. And I'm not being pejorative here.
21:51
If I'm building a rocket to go to Mars and you asked me to bring a security person in, then *** it, I'm gonna bring somebody in who's smart on that domain area. I want somebody who knows rocketry, and I want somebody who knows spaceflight, and somebody who knows broad communications, you know, in space and so on.
22:10
And I don't care
22:11
that you've been in five banks the last three years. And maybe, you know, that's great; if that's applicable, go for it. But here's another one: who are your Linux experts? And then, finally,
22:22
this is the most important
22:25
question that you would see from someone like this, and it's: here's how you can be more helpful to me,
22:33
rather than the reverse. You see the difference there?
22:37
And back here I had,
22:40
how can I be more helpful to your success? Here,
22:44
this one is like, dude, here's what I need you to do.
22:48
Um, and we've all seen that in what we do as security experts. How many of you say, listen,
22:53
I don't, I don't want to hear your story. This is what you need to do to make sure that I can secure this corporation. We've heard that a thousand times.
23:04
When somebody says that,
23:07
they're basically living in this world, somewhere in this idea of, I'll come in and go. I'm the security person. You want me to fix this place, then do what I say. How many times do I hear that?
23:18
When I'm coaching CISOs, they say, they brought me in here. I sat down with the board. I sat with management. I said, you know what? You don't have enough here. You don't have enough budget there. You don't have enough people here. If you want me to do this thing, I need this many people, this much money. And I hear them saying "you"
23:36
to the business, "me" to the expert,
23:40
over and over and over again. And I think that part is kind of wrong. Now again, I said earlier, if I'm going to Mars, if that person, that young lady, is smart, or that young man is smart, and they could do the job, then I can overlook some of that stuff, because if you're really, really capable, you're Jeff Massimilla, you know, automotive,
24:00
then, dude, I want you. You could come in,
24:03
you know, uh, and, you know, throw water over everyone. I don't care. I want the best. And that's the essence of bringing in a hired gun. You want somebody who's capable in order to stop that. Now, let's go back. So we said the third type here is this integrated, involved, committed
24:22
executive. That's somebody who
24:23
decides, I'm in this for the long run. I'm, you know, you become part of the business and you're going to,
24:30
um, you know, really learn the way. And this is a man I knew for some time. He was my boss.
24:36
This is Ed Whitacre.
24:37
So I worked for him for a few years,
24:40
and then Randall Stephenson took over at AT&T and became my boss there, but Ed Whitacre was quite an inspiring and, for me, terrifying guy. I know other people say not terrifying. I was scared of him.
24:52
You see the picture of the cup here? I love this picture because I have a story there. One time,
24:56
um, he was giving a talk in front of all the managers,
25:00
and I went there and I went down to the floor. One of the guys I knew was going to be giving a talk, so I muscled my way down near the stage. This was, by the way, when I say a talk to managers, I mean
25:14
filling up a hockey arena in Texas. It's, you know, 30,000 managers is no big deal in a,
25:22
you know, half-a-million-person company. So
25:25
it was a big thing. It was like you were at a basketball game or something. I got down to the floor and Ed Whitacre was milling around. He was getting ready to give his talk. It was sort of bumper to bumper, like you'd see at a cocktail party,
25:37
and I was making my way across,
25:38
and I saw this, see the hand and the cup? I saw that,
25:42
and next thing I knew, somebody pushed me, and like in slow motion, I think I bumped his shoulder and I saw, like, some blue liquid. It might have been grape juice. I don't think it would have been wine, but it looked like wine
25:55
pop up, and I think it might have gone on his shirt, and I thought, oh, no. So I just did a hard left,
26:02
hustled my way out of there, ran back up to my seat. To this day, I bet he wonders who the jerk was who bumped that drink onto his shirt. But at any rate, this is Ed Whitacre looking at
26:12
and really listening to someone. That's what he was about.
26:17
He was at AT&T for forty-something years, and when I met him I'd been there for 22 or 23 years. I stayed 31. He was like, at 23, you're just a little baby. You haven't learned anything. Talk to me when you hit 40. And he believed
26:33
that you cannot
26:36
understand something unless you stay there and commit to it.
26:41
He violated it a little bit because the government asked him to go in and take over General Motors. That's what this book was about. Now I want to tell you a story about what he did when he got to General Motors. I think it's just classic Ed Whitacre.
26:53
He gets to GM. GM had been the classic sort of place where executives, you've probably been to the Ren Center in Detroit. I've been there a bunch of times and I love GM. I think they're a wonderful company and well managed and a pride of our country,
27:07
but they'd gotten a little bit hierarchical, so to speak, at least according to Ed in his book.
27:14
So when he got there he realized that the executives ate their lunch up in the executive dining room and everybody else ate down in the food court at the Renaissance Center in Detroit.
27:25
It's like his first day or something, and Ed Whitacre famously loved Mexican food, was from San Antonio,
27:33
um, and he loved that kind of food. So he goes down
27:37
at lunchtime, he goes down and he gets a tray and he goes and gets his food,
27:41
and he walks up to one of the tables, a bunch of GM workers, and he basically says, hi, I'm Ed. You mind if I sit down?
27:48
And you just see everybody's mouth drop wide open, because this is their CEO,
27:53
you know, brought in to help bring the company back.
27:57
And he did that every day for lunch,
28:00
and he'd sit down and listen to people,
28:03
and he'd ask, um, tell me about yourself. What makes you love this company? Why do people buy our cars? What are we doing wrong? What are we doing right?
28:15
It's an amazing, amazing story. I mean, look, I told you I was sort of
28:21
nervous about the guy because he would sit there, listen to your briefing,
28:26
and then
28:26
he wouldn't say a word. But then he'd ask this question like,
28:30
well, do our customers like this? And you would have been preparing, like, for six months for this presentation. And there was the one thing you forgot to ask yourself: like, do the customers care?
28:41
You know, he was the kind of guy who just cut right to it. But here's the typical kind of questions that a person like this would ask,
28:48
you becoming the CISO. Taking, let's say, you've been in IT and you've been in operations. You've been there 16, 17 years. I've a good friend over at TD Ameritrade, Jose Dominguez, who
29:00
was in ops for almost two decades, then promoted into the CISO position, and he'd been there, knows the place. And when he steps into the security role, he's not going to say, tell me about your business. Tell me about our business.
29:14
So tell me, like, when he's learning, getting ready to do the security work: I'd like to talk to our people and not just the managers,
29:22
you know. That again is pure Ed Whitacre. Our people. I always felt like that's something that I tried to emulate. I'm about one-tenth as skillful as he was; I talk too *** much. He would sit and listen
29:37
and actually remember and know how to listen to an answer
29:45
and get from it
29:47
the kind of nugget that was necessary to make a great decision. There's this
29:52
movie I remember, Winston Churchill
29:53
in some movie. He is making a decision about what to do in World War Two, and he goes down and gets on the, what's their subway there, the Underground, and a bunch of people are like, oh my gosh, the Prime Minister's on. They're all bunched around him. I think it might have been a contrived scene, but I love the scene. He says, what do you think? Should we fight?
30:12
And they're like, we want to fight. Like, everyone's been telling him, just
30:15
give up. You know, why fight? What's the purpose? But when he talked to the people, listened to them and looked them in the eye, he could see what they were all about. And when you're doing cybersecurity, that's the idea.
30:27
Know what you're securing, what's important. What are people doing? What's the culture? Here's another question: what do we believe in, in our company? What are we about?
30:37
And when you understand that,
30:40
then rolling out, you know, user behavior analytics may or may not make any sense. You know darn well intuitively
30:48
the UBA ain't gonna fly. You know, for a bunch of developers at Google, they're gonna think you're crazy running some sort of monitor. But if you're in a bank where there are, let's say, you run a contact center, a place that's very predictable, man, you better be running UBA, or UEBA, whatever you call it. It's an amazing, effective control, but it's got to match
31:07
the culture. Had people understand, what people will like, what they won't like. Another example:
31:12
do our customers like what we do? I mean,
31:18
I don't know how many times,
31:19
you know, I don't hear this as someone's deploying
31:23
a piece of security. You know, where the idea is, we've got to cut our risk. We need our customers to use two-factor authentication. And then you ask, well, will our customers like that?
31:33
And even, well, too bad,
31:36
you know, this is the risk.
31:37
Maybe you decide anyway that it's in their interest to do it. But at least understanding what the, it's an obvious example, two-factor, but that'd be the point.
31:48
And then finally,
31:49
what I would consider to be
31:52
the best question of all that any sea so can ask of the business.
31:56
It's what factors can I influence my team influence
32:01
to help drive our future success? Like if there was one thing that she should taped to the wall, it should be that that should be the question
32:10
that every morning you get up. If you're in the job and you're figuring out how you can
32:15
drive a more successful, you know, team and approach strategy, we'll hear from Howard in a minute.
32:22
Ah, little bit about this. But that, to me is kind of the essence of it. I had the capture it in one
32:30
phrase. It's that it's how can I influence? What factors can I influence to help driver future success? Which means you better know something about the business. Now look, each of you will recognize yourself or your manager
32:45
in one of these three types, and yes, there are hybrids, but we know that there's a lot of
32:51
CISOs that go from one thing to the next with a generic approach that they tailor. They're generally pretty successful because they're clever people,
32:58
but there are pros and cons.
33:00
There are the hired-gun CISOs: very technical, very compliance, very this, very that, domain specific. They understand cars or something, or factory automation. They roll in, they do their one thing. They may stay a long time, they may not, but they're focused in their domain.
33:16
And then third, there are the people who really are part of the business,
33:21
who stay a long time, who learn the culture. And the downside is maybe they don't have as much diversity of experience. Maybe they're not exposed to as many different ideas. Maybe they do fall into a rut,
33:36
just kind of breathing the exhaust of the other managers and people. That can happen.
33:40
So there are pros and cons to each one. You, as you plan your career, because again, that's what this course is about, planning your career in this area, figure out what you want to do. Now
33:52
let's go through our case study here.
33:54
Um, again, I hope you guys all had a chance to go through it. Let me walk you through the basics of this, and when we're done, I'll ask Howard
34:04
to join us. I know he's on, and we'll ask Howard a little bit about his career and his thoughts on the examples that we went through. But in this one, I have Emily being asked about this question.
34:17
You know, like what you're asking, whether the skills of a CISO are easily transferred from one company to another. Somebody asked that question,
34:27
and Emily says, I'll tell a story about someone. She doesn't say who this person or colleague is; she calls him Roger.
34:34
She says he'd been at a bank, you know, as the CISO, and had been with them a bunch of his career, pretty comfortable,
34:40
but a bunch of things going on at the bank, this and that, and he realized that it was time to maybe think about other options. So a headhunter calls him and says that there's a manufacturing firm
34:52
that makes these complex electronic systems for engines and airplanes, and they've never had a CISO, and a board member knew the guy and they brought him in, and before you know it, they offer a bunch of money. He comes over and he becomes the CISO for this company that makes engines and airplane parts or something. I made all that up. But,
35:13
um,
35:15
so he gets there
35:15
and he realizes these are ridiculously complex products. Like up here I talk about ring lasers. Maybe they're doing
35:22
like a ring laser gyro for advanced inertial measurement or something on an airplane. It's really complicated stuff,
35:31
and, unfortunately,
35:35
there'd been some potential security issues at that level, not, you know, broad kind of compliance issues, but
35:43
issues with the actual electronic devices. And there'd been some rumblings of malicious foreign actors trying to infiltrate the design and manufacturing process. And what happened was there's a big managers' meeting coming up
35:57
after he'd been there for eight months in the job, and he was asked to give a presentation. He got really nervous and thought, what?
36:04
These are a bunch of engineers. It's an engineering culture,
36:07
and they're going to ask some complicated technical questions here,
36:13
and he's thinking, man, this is not gonna go well. So two weeks before the meeting, he gets a call from the headhunter, and apparently the bank where he'd been
36:22
working was begging for him to come back and literally twice the salary
36:29
twice.
36:30
And they say... and I pointed out, he left the bank on very good terms. They actually had had some trouble and, you know, they were trying to entice some leaders to retire to save money. So he left on very friendly terms,
36:43
and whatever headquarters move there had been had been canceled, everything back to normal, he could go right back to his bank at twice the salary.
36:52
And in the back of his mind is this meeting in two weeks where
36:55
he's not entirely sure he can answer the questions that are gonna come up
37:00
Now, he'd taken the job, and we all know, we all teach our kids, when you take a responsibility, you don't just walk away from it.
37:07
So I have here at the end... Emily says, well, after discussing it with his spouse, going through all the pros and cons of staying versus going, Roger decided that it would be best to... Hence our discussion.
37:23
So again, with the TAs, if you guys decide to go off and have the discussion, here are some things I think you should think about,
37:32
like, first off, was it right for Roger to go from banking to manufacturing if you don't understand how they make the *** things?
37:39
I don't know. Maybe they were happy enough to hire him. But was it the right decision? Does it matter that you don't understand those gadgets? And then second, does that management meeting really matter? Would it have been fine for him to get up in front of the other group and say,
37:54
I've been here eight months, I don't know how a ring laser gyro works any more than I know how, you know, we got a man on the moon,
38:01
you know? But maybe he brings an expert with him to the meeting who can answer that question. I don't know.
38:07
And what would be the pros and cons of going right back to the bank?
38:12
Do you think
38:15
it would be warranted to go? And then finally, what, you know, what decision do you think Roger made? What does this tell you?
38:24
For me, I have a feeling Roger would have quit, going back to the bank after all.
38:30
Eight months away from a place you like? You could double your salary, they want you back, you like it there, you've got a tough meeting. Why wouldn't you go?
38:37
But again,
38:38
you know, it's not the kind of thing you'd expect from him, right? Ed Whitaker, what would he have done
38:45
if he committed to go to that manufacturing firm, and he's asking during those eight months these questions: tell me about our business.
38:54
Let me talk to our people.
38:57
What do we believe in at our company? Do our customers like what we do? What factors can I influence to help drive our future success?
39:05
Would he then quit?
39:07
I don't know. I just think
39:08
that these are the kinds of things that as you plan your career,
39:13
you've got to make some decisions. I'm not gonna do it for you. You know, Mom and Dad talked to you before, but you have to do it, you have to decide. Look at who you are in the mirror
39:22
and and figure out. You know, when you take a job,
39:25
are you a hired gun? Are you a generic, you can tailor to one thing and the next, doesn't matter,
39:31
or are you someone who, when you join a business, you go in knowing that's where you're gonna be and you're gonna commit to it and stay,
39:39
which again has its own cons. So that's the essence of the case. I hope you'll read it through. And even if you don't participate in the TA-run sessions that, again, you get the invites to,
39:52
and I hope that least some of you are participating in
39:55
take these back to your group. A couple of you sent me notes, and I do think,
40:00
um, the question's been, do you think these case studies would be good for group meetings? Oh, my God, yes. Like, there's 12 of them here.
40:09
And, you know, even if you just... you don't even have to use the material here. If you just, with your team, and maybe Leif and the guys from Cybrary could even help you coordinate something, but if you wanted to just sort of outline the essence of this story, you get the point here.
40:25
Go to your team and tell them the story, and then ask them, what would you do? You know, what do you think? It makes for a nice lunch and learn. You buy the pizza and you tell the story and let people
40:38
have the discussion. So I think that would be a fine idea. So that's our case study. Now, look, I saved some time here.
40:45
Howard. Howard, can you hear me? They have you on. Are you able to hear me, Howard?
40:52
Yeah, I hear you just fine. Can you hear me? I sure can. And where are you calling in from, Howard?
40:57
I'm calling from downtown Brooklyn, New York. Ah, that sounds pretty good. You know, I went and I gave a talk at MobileIron World or something, and it was in East Williamsburg, and I went east. I didn't know there was an East Williamsburg. I thought that was like Bed-Stuy.
41:14
So I'm off the subway, I'm walking, and it's like this
41:17
kind of very eclectic warehouse that had been turned into a conference place
41:23
and I thought I was in the wrong place in Brooklyn. Um, it looked like such a great neighborhood, but I got there, and it actually was kind of a cool place. But welcome to Brooklyn, right?
41:35
Thanks.
41:36
Well, Howard, listen, let's start. I have here: you started your career in government, you worked at NSA, I've got a picture of the building there. You spent time... you and I knew each other at Bell Labs for a while. You sat in the CISO role for years in financial services,
41:51
and did an amazingly successful job there. And now you're helping customers as an executive at FireEye.
41:58
Well, first question: what's been the secret of your success? Like, as you've gone from one job to the next, you have as broad a perspective as anybody I know. I know you were listening to some of that. What do you think, and do any of those profiles match
42:14
behaviors that have helped you in your career?
42:16
Um, I think some of them have. I wouldn't exactly
42:22
um,
42:24
describe it as having any kind of secret to my career, to be honest with you, other than just going in and trying to do the right thing for my company, for my customer.
42:37
Um, and when you're a CISO, when you're working in security at any other level of security, you know you have many, many customers,
42:45
and it's a challenge to balance needs across all of
42:50
or the
42:52
the range of customers and customer types that you have to deal with.
42:58
So
42:59
I try to be flexible. I try to listen.
43:02
And I try to, you know, walk in the shoes of, or sit in the situation of, the people who I'm dealing with,
43:12
who are wrestling with their issues and problems, and try to understand it from their point of view.
43:17
And I try to be helpful,
43:20
and that's what I just try to do every day. Is there a gigantic difference between government and business? You've been in both. Like, can you take techniques that you learn
43:31
I got one more thing
43:32
and drag them and apply them in commercial?
43:36
You know, there are many differences from an actual employee's working point of view, but in my view, from an infosec point of view, there's no difference whatsoever. I mean, our job throughout the organization is to protect certain things within an organization, regardless of
43:53
what that organization is named or called, or what their purposes are.
43:58
That's interesting. I would have guessed that there would be, because the threat environment is so different. Like in a government environment, you'd probably... like, for example, if you need an organization to do a better job encrypting,
44:12
it seems like it'd be easier to do that in, like, an intelligence community than, like, in... again, you worked in banking, but maybe banking is... it might be similar.
44:22
Is the typical bank as aware of threat as you might find in an intelligence firm? Have we progressed to that level of awareness?
44:31
That's hard to say. You know, different organizations have different maturity levels, and that's something that you kind of learn when you move around a little bit, and you go to some organizations where maturity levels are
44:45
fairly advanced in some areas and not advanced in others, and go to another organization, maybe even in the same industry, and it could be completely turned around. Or sometimes you see that the maturity levels are very low, and that's kind of creepy when you think about it, because all of these organizations, they all have
45:05
very strong requirements and needs for protection.
45:08
Well, what was the relative importance, like, let's go back to financial services. How important was it for you to have a pretty good working knowledge of
45:20
how things work at, you know, the bank, in order to
45:23
just serve as a CISO? Or could you do it without? Like, I don't know much about banking. I spent a little time on a board, but could I roll in and do it? Or do you really have to know a little bit about financial? So I think you have to learn about what the business is about, what their hot buttons are,
45:43
and what their major concerns are, and you have to learn the business, and you have to learn the language of the business to be able to speak to people. I think that's critical. And every business has their own particular language.
45:57
Um, the industry has its own language; businesses have their own language, terminology and acronyms, and any time I start a new role or a new position, you know, I spend the first year or two just learning the language, the acronyms and the terminology, even though they may be using generic terminology.
46:16
Sometimes
46:16
there's a different twist to it in terms of the way they use it,
46:22
um, that's unique to them,
46:23
um, in the meaning. So you gotta learn the language, because they speak that language, and you need that to gain credibility. I mean, a lot of the stuff that senior infosec people do is based on having trust and credibility with the people you're working with.
46:44
I remember there was a big,
46:45
you probably remember that back in the nineties or late eighties there was a big thing about the way that the Japanese and Asians do business, a lot around trust and gaining trust and learning the people you deal with before you do business with them.
47:01
We looked at that as something completely foreign and new, and you think about it,
47:07
and we do the same thing. I mean, you don't do business with people you don't trust, right?
47:15
I mean, it was silly, but we thought this was something innovative. And it wasn't. It was strictly intuitive.
47:21
So you gotta gain trust. I mean, you have to build credibility and gain the trust of the people you're working with, whether they're senior people, executives, managers of business units, or their staff, or their middle managers, or the people right on the front lines. You know, you have to build credibility and trust
47:39
among that entire range.
47:43
You know, one thing, a topic that comes up all the time, and you alluded to it a minute ago, this idea that we need to learn the business, learn their hot buttons, kind of learn what's important to them and use the language that's common to them.
47:57
Um,
47:58
do you think there's ever a time when
48:00
we need to try and push businesses
48:05
and business units from every sector to learn a little bit more about what we do? Like, I know I've dealt with finance teams my whole career, and they forced me to learn what that guy is and learn what,
48:19
you know, DPP is on new services and learn what,
48:22
you know, margin acceptability is for, you know, different types of things that we do, a lot of all these things that you learn
48:30
to do finance. And then when we roll into cybersecurity,
48:35
it feels like we're obliged to translate all our stuff
48:37
into business terms, and they won't learn what a SIEM is, learn what, you know, when we do some basic analytics, and we want to reference things that are meaningful to us. Even, I think, simple terms like false positive: say that to a board and they're gonna look at you like you're crazy. They won't know what that is. In your career, have you seen any progress there, where
48:58
People are at least
48:59
willing
49:00
to listen to people like you and I and learn our terminology instead of forcing us to use business language?
49:06
You know, so it depends. It depends. Like, that's useful if you're working with people like me. But if you work with a finance group, with the head of finance or accounting, the controller, I mean, that's language that they speak. Most people, even in a financial company or banking company,
49:24
They don't talk about things like that on a regular basis.
49:28
They talk about things that are operational,
49:30
like the firm I used to work for, Podesta hosted a trading platform.
49:35
So, you know, it was very helpful that I knew and understood how trading worked. I mean, I traded stocks previously for many years, so, you know, I understood the fundamentals. It was extremely useful that I actually grew up... um, because my dad worked on Wall Street his entire life, so I was very, very familiar with
49:53
The way the exchanges worked,
49:55
what the ask was, and the terminology used on Wall Street. So it's easy for me to fit in because I could speak their language from day one, and I understood what they were talking about, and that I could quantify or translate, really, my security concerns and issues and needs
50:15
into language that they understood.
50:16
Like, you know, there's this issue in a trading system where one trader can actually do trades on behalf of another trader. So there's this issue of accountability there, right?
50:30
And as long as you maintain accountability about who did what when, you know, the chain of accountability is maintained.
50:38
you put that in terms that they understand. They get that.
50:44
But if I talk about that abstractly,
50:47
not in the context of the day-to-day problems and issues that they deal with,
50:53
it just goes right past them, right? They think I'm talking about something ivory-tower-like, right? I love that example. I mean, like, you and I would be examples of people who,
51:06
if we went into,
51:07
you know, Ford Motor Company to do automotive cybersecurity,
51:14
I wouldn't know much about it. You know, they'd be using terms that I wouldn't know how to use. And
51:21
I think your example of, you know, having your dad, you know,
51:23
as a kid you kind of absorbed some of that culture.
51:28
That's a huge issue. I really do think that's important. I'm always amazed. You and I both have a lot of friends
51:36
who've been able to go from one industry to the next in their lives. I don't know how they do it.
51:39
We'll have to ask them some time, but they've been really, really successful. Maybe it's just that they're amazingly smart, possibly. You know, I think there could be a learning curve. You know, I think it would be hard for someone, like the example you brought up about Ford Motor or GM before,
51:58
I think it's hard to go into an industry if you're an avid walker or biker and you don't own a car, you don't understand the operational aspects of maintaining a car, purchasing a car, you know, through its entire life cycle. You're at a disadvantage to go into that industry. Okay. However,
52:16
I have
52:17
the other side of the issue. The problem is, you see, what I call industry prejudice, where you see, for example, jobs put out in the pharmaceutical world, industry postings for infosec people, must have pharmaceutical experience,
52:35
in hospitals or health care, must have health care experience, financial, banking,
52:39
they're famous for requiring that kind of experience. But my view is that infosec is more of a core capability or functionality, much like being a finance person or accounting person is, or a lawyer.
53:00
It's irrelevant, you know?
53:00
Yeah, I think that's exactly right. So hey, listen, you work at FireEye and you deal with a whole range of different clients. A nasty question as you roll in and out: you see that the topic of our course here on Cybrary is around careers
53:19
and, you know, being a great manager and being someone who
53:22
who leads teams effectively
53:24
as you looked around and dealt with problems and people bring you in to help
53:29
what percentage, I know you're not sitting there doing the math, but how often, or how not often, is it
53:37
that you see problems in an organization that aren't so much technical, that may be driven by bad human decisions or
53:44
poorly run organizations, or just things that,
53:46
you know, were not led by groups or managers who know what they're doing?
53:52
Um, you see them more often than you want to. Sometimes it's just a matter of circumstance, like some people don't even know how they got into the situation. They say, well, it was a policy that someone put down, you know, three CISOs ago, or, we got into this situation, you know,
54:10
Um
54:12
and we can't even tell you how we got here, because the people who got us here are long gone, right? We just know that we're where we're at, right? So it's almost disheartening sometimes to see, um,
54:23
sometimes the difficult
54:27
situations and issues that come up
54:30
almost, sometimes, because of negligence. Sometimes it's, no, there's no owner for it, so things just fall by the wayside. Maybe maintenance, maybe the soundness of the architecture, you know, because they used to have an architecture group, but they cut it, you know, five years ago,
54:50
so the architecture is kind of going hairy and wild and people just do things
54:53
without any control or any sensibility, and there's a variety of reasons and problems. Sometimes bad decisions, sometimes it's accident, sometimes it's just, you know, the half-life of attrition, of the way things degrade over time.
55:10
You know, Howard, I'm sort of monitoring the webinar chat here, and there's a lot of commentary, and I'll remind people, if you do have a specific question, we've got a few more minutes here with Howard,
55:21
you know, go ahead and type it in. I'll try and read it. But I know there's at least a few people that are calling in from
55:28
quite a distance, you know, the Middle East and Europe and so on and so forth.
55:34
Howard, do you think all these things apply equally across, um,
55:37
you know, like, if all the things we've been talking about, if you pick them up and move them
55:43
to another country... you mentioned Japan earlier. But
55:46
do you think there are differences culturally? Like, the big example is like with GDPR.
55:53
We know that in the EU there are very specific opinions about privacy and how security is done
56:01
in comparison to the US. Do you think managers need to adjust
56:06
based on where they're doing their work, geographically and regionally?
56:09
Um, absolutely. The ranges in cultural interpretation that I've seen throughout my career are unbelievable. Like, for example, one of the companies I worked for was a UK company. So there was a lot of UK and EU cultural
56:28
bias and twist to things in the operation
56:30
and just the way they conduct business. Uh, you know, I'll give you a little trivia. The company I worked for, when guests would come in, you know, they'd bring them up to, like, for example, the executive conference rooms, and they'd give them coffee and tea with china and silver.
56:46
And I'm like, really? And like, that's the way we do things. I never saw this in the United States before, you know, that company, and that was their style. And that's what they liked to do, and they did that in all their offices globally, because that was their way. Um, and as you may remember,
57:04
when I was at Bell Labs, I worked for five or six months overseas in Taipei, Taiwan.
57:08
You know, that's just the opposite end of the spectrum of what we're used to in Western civilization, and I spent some time in Singapore and more recently in Mexico. So you get to see things, and you definitely have to adjust to the culture, the way things are done, in terms of
57:28
all aspects of
57:30
business, in terms of relationships, in terms of the way you even present yourself. Like in Asia, when you present your business card, it's customary to do it with two hands, not with one hand; that's considered an insult.
57:44
And, you know, when I worked in Mexico, we'd walk in every day and the administrative people would come up and give you a hug and a kiss on both your cheeks. I'm like, wow, this is crazy. I mean, I thought it was crazy, but that was the culture, that's what you do, and you adjust.
58:01
But it's important to understand
58:04
if that's the way they do this one little thing,
58:07
Um,
58:08
the way they do business in a conference room and in a meeting,
58:13
you gotta understand that there are differences in the way they do business at that level as well. So you have to expect that, you have to accommodate that. One of the first things I did, for example, with Mexico, was I just immediately apologized to everybody, to all my new co-workers,
58:30
because I said, sooner or later I'm gonna make a mistake and make a fool of myself, so I apologized right up front. I'm gonna say something that sounds silly or absurd
58:38
or biased, you know, or too pro-American versus Mexico, whatever. So I just flat out said it. That's hilarious. That's a great idea, Howard. But listen, first of all, if somebody comes up and gives you a kiss on two cheeks in Brooklyn,
58:55
that means you're about to die. So that's a good thing. But listen, Howard, thank you. I really appreciate you joining and sharing your perspective. Um, a lot of nice comments here in the chat, people really enjoying what you have to say. So thank you. And for the folks on the line, I hope you've enjoyed our third class. Um,
59:15
we will...
59:16
now, the next one is here. I know a couple of people have been asking about the link for the replays. And Leif will, uh, the Cybrary team will make sure that you get the links
59:29
for the next sessions. We'll make sure that all of you have access to that. But it looks like our next session's on June 6th. So one week from today,
59:37
we'll be back. Same time, same place. And again, Howard, thanks, man. Thanks for joining, and thank all of you for your time, and we'll see you next week.

CISO Competency - Business

This is the third course in Ed Amoroso's Twelve Competencies of the Effective CISO, which focuses on the CISO competency in business operations. Modern CISOs must have in-depth knowledge of the increasingly complex connection between security and business operations, and how to optimize it.

Instructed By

Ed Amoroso
CEO, CSO, CISO of TAG Cyber
Instructor