ITSPmagazine Podcast Network

Building a CISO Office: Mastering Enterprise Risk Management and Aligning Cybersecurity with Business Goals | Part 2 of 3 | A Conversation with Kush Sharma | Redefining CyberSecurity with Sean Martin

Episode Summary

In this part two of the three-part series on The Redefining CyberSecurity Podcast, Sean Martin and Kush Sharma explore the strategic role of the CISO in business transformation, emphasizing the importance of adaptability and early involvement in project planning to build a secure, powerful organization. Listeners will gain valuable insights into risk management, collaboration, and the evolving responsibilities of today's CISOs.

Episode Notes

Guest: Kush Sharma, Director Municipal Modernization & Partnerships, Municipal Information Systems Association, Ontario (MISA Ontario)

On LinkedIn | https://www.linkedin.com/in/kush-sharma-9bb875a/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

Episode Notes

In this part two of the three-part series on The Redefining CyberSecurity Podcast, host Sean Martin is joined by Kush Sharma to discuss the critical topic of building a Chief Information Security Officer (CISO) office from the ground up. Both speakers bring invaluable insights from their extensive experiences, illustrating key points and real-world scenarios to help organizations navigate the complexities of cybersecurity and business transformation.

Sean kicks off the conversation by emphasizing the strategic role of the CISO in business transformation. He explains that a successful CISO not only secures what the business wants to create but also contributes to developing a powerful and secure business. He points out that CISOs often have a unique perspective, experience, and data that can significantly impact the way business processes are transformed and managed.

Kush expands on this by highlighting the need for adaptability and a mindset of continuous change. He shares that CISOs should view their organization as a business function solely dedicated to protecting assets. He uses examples to demonstrate how missions change every few years due to the rapid evolution of technology and processes, making it essential for security teams to pivot and adjust their strategies accordingly.

Kush stresses the importance of collaboration across different teams—from digital to physical—and notes that a key to successful security management is building a culture that is adaptable and aligned with the business's changing objectives. One of the most interesting points brought up is the significance of involving security from the outset of any new project.

Sean and Kush discuss the importance of integrating the CISO into discussions around business requirements, system architecture, and technology selection. By being involved early, CISOs can help ensure that the organization makes informed decisions that can save time, reduce risks, and ultimately contribute to a more secure business environment.

Another critical aspect discussed is the approach to risk management. Kush describes a structured method where security teams provide options and recommendations rather than outright saying 'no' to business requests. He mentions the use of risk acceptance forms, which require high-level sign-offs, thus ensuring that decision-makers are fully aware of the risks involved and are accountable for them. This transparency fosters a sense of shared responsibility and encourages more informed decision-making.

Both Sean and Kush provide a comprehensive look at the evolving role of the CISO. They make it clear that today's CISOs need to be strategic thinkers, skilled negotiators, and effective communicators to successfully lead their organizations through the complexities of modern cybersecurity challenges. The insights shared in this episode are invaluable for anyone looking to understand the multifaceted responsibilities of a CISO and the indispensable contributions they make to business success.

___________________________

Sponsors

Imperva: https://itspm.ag/imperva277117988

LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Building a CISO Office: Mastering Enterprise Risk Management and Aligning Cybersecurity with Business Goals | Part 2 of 3 | A Conversation with Kush Sharma | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are. You're very welcome back. Uh, we're going to continue this conversation because she said so much stuff in the, uh, in the last episode. I didn't want to stop you, but, uh, but there's more to say. There's more to say. And I have many more questions as well. So, uh, for those that didn't catch the first episode, we talked a lot about, uh, Yeah, basically understanding business transformation and developing the business from an operational and technical perspective and the role of the CSO in that and kind of, I think we got to the point of scoping and some budgeting and some business cases and the teams. 
 

Teams involved in getting all that set up. And we started to touch on the, the, let's say the power. I think the, the, uh, the ability for the CISO to really [00:01:00] drive some of that change and, and to really help. The business achieve its targets with those transformations. And it's not just adding technical controls to whatever the business defines, and you started ahead there. 
 

So, um, I would encourage everybody to listen to the first part, because we talk, talk a lot about setting up for this moment where, uh, the CISOs have a very strategic role in, in, uh, business definition and business transformation. So let's, um, Let's get into that. So what, what I wanted to ask as you wrapped up the last piece was 
 

kind of to this point that CISOs and I've said this on the show a couple times now that I wholeheartedly believe and I think some of the points you made in the first part here is that CISOs have a view, CISOs have experience, CISOs have Knowledge CISOs have data. And I think this is that last piece really [00:02:00] matters here to define how best to transform and create new business processes. 
 

So you touched on working with the business to ensure that business risk, enterprise risk is managed. And CISO has a role there. And then obviously adding the technical controls. So my question, I'm going to start, stop here. My question is in your experience, and then you've been great in telling some stories here as well, real world stories, your experience, where has the CISO. 
 

Been successful in not just securing what the business says they want to create, but actually helping to create a business that is powerful and secure. 
 

Kush Sharma: So CISOs, if they're [00:03:00] taking the mindset of being a business leader, uh, so whenever I work with clients or whenever I'm the client myself. I've always thought about my organization as a business function, and my function is to protect the assets of the organization. So, from a digital perspective, and then work with my counterparts in the physical realm, uh, to collaborate with them. 
 

So if we look at it, um, on building an organization, looking at the mission, driving towards the mission, whatever that mission may be, then we need to restructure the security organization to meet those objectives and those objectives change. And so you might, um, you know, have a specific plan for 2 years or 3 years. 
 

I think more than 3 years is very difficult to achieve because technology and processes change so fast these days. But if [00:04:00] you, if you're running towards a mission. And you put all your, you know, allocation towards that, uh, and prioritize those. And then two years later, the mission changes from the business perspective, you need to change and you need to pivot and, and ramp down certain projects and then ramp up other ones. 
 

And so if you're, if you could get your mind into a state of change, that change, it will happen frequently, and I'm okay with that. And when it comes, I'm just going to reprioritize, and I'm going to implement, and I'm going to provide the guidance to the leaders that they, that they require. Now, sometimes that guidance is, well, I need more funding because I completely changed the direction, and now we have to look at a different area, which we may not have expertise in, but we need to build it and wrap it up. 
 

either through internal or external. It could be, uh, uh, you know, looking at the specific technologies, right? So we were, uh, [00:05:00] focused on, let's say, in our previous episode, we talked about M&A and we're looking at technologies to protect the M&A. But if the M&A is coming to a closure or maybe the deal doesn't go through, They're not going to want to spend not one extra cent after that announcement is made. 
 

And so everything needs to shift to some other party. And so maybe that technology doesn't suit. And we have, we can't repurpose it 100 percent towards that other initiative. It's something else, let's say an OT, for example, right? It's a completely different domain of security, which different technologies and different ways to do things. 
 

So you have to be adaptable. You have to have the mindset. Every day I walk into this office, every day I come to work, something could change. And when it changes, I need to change myself. I need to communicate that to my people. They will get frustrated, but they have to get into that mentality. And so that, that building of that culture, let's call it from a [00:06:00] security perspective, from the old way, no, we can't do that. 
 

No, it's not going to work. This is too complicated. Well, we don't have enough controls. You know, everything's all out in the open. So these negative messages Resonate into the environment and into the organization, and hence they come back to you in the form of no resources, no money, no respect, etc. No trust. 
 

So we have to change the mentality, uh, to say, Okay, if the request comes to us, we're not going to say no, but we're not also going to say yes. Blindly, we're going to investigate and get back to them with some options, and they can choose which option they would like. We would provide a recommendation obviously, but if they want to take more risk and they have a larger risk appetite for a specific business unit and they want to get something to market, well, we're going to lay it out to them and we're going to say that we do not recommend this. 
 

However, it is an option for you to take and you're the one that has to decide and you have to [00:07:00] sign this piece of paper, which is called the risk acceptance form. And you have to, you know, go to your VP and make sure your VP is aware and they have to sign it. I don't want a junior person to sign it. So I always make sure it is someone on my level, on the C suite level. 
 

Or perhaps one below and then you would also want to make sure that ultimately whoever is responsible in that business unit or in infrastructure like the CIO, for example, whoever they get a report every month saying that this is all the things that you signed off on right through your VPs or senior VPs. 
 

And so they're aware and many times what happens is they're not aware. And so then when we tell them, well, you just implemented the software and we gave you three options. Uh, we don't want to delay it. So we're not going to stop it as security. However, we're going to tell you option one, highest risk, These are the controls you need to put in place. 
 

We've done our analysis, you know, negative, [00:08:00] whatever. And we recommend you do it in six, six months to one year, whatever the timeline is. We're going to come audit you after that. We're going to come back and look at that compliance. Option two, put in, you know, reasonable amount of controls, a little bit of extra cost for you right now. 
 

However, less remediation work down the line, right? So instead of six months, it might take you three. So you could, and then the last option is, no, we're going to put in all of these recommendations that we've given you and it might delay the project by a month. And so whatever that tally comes to, right? 
 

So you have an option. Once you decide on the option as the business person, as a business representative, or the IT representative, or the OT representative, et cetera, and you understand it, and we're going to explain it to you, you're going to sign off on it, because it's not my risk to bear. My risk to bear as a CISO? 
 

is the security tools and technologies that I'm implementing and the processes that I'm implementing to help the organization. So if I put in multi factor authentication, well, well, [00:09:00] that's on me, all of the change management, the training, the way that people log in and all of the disruptions that would happen in the beginning, because people are not used to it. 
 

Well, that's on me. I may, I have to make sure that that's done properly and then done in a very phased approach because multi factor authentication, although it sounds great, It's sometimes difficult to implement, especially if you're in a plant scenario. So corporate is usually easy. People are used to kind of dealing with their phones, but in the, out in the plant, out in the field, they're not used to the phones. 
 

They have tablets or they have no phones, no tablets. They're, they're actually working in a manufacturing or operational technology environment in a warehouse. So their technologies, their way of thinking is different. They look at safety first. And many of them actually are actually like engineers, mechanics, you know, those type of factory workers. 
 

So they don't have computers. They have shared terminals, right? That's a whole different discussion. But, uh, So we need to [00:10:00] accommodate for them as opposed to them accommodating for us. And once you have that mindset and you speak and you understand the use cases very clearly in plant, in manufacturing, in corporate, in finance, in procurement, in sales, all the aspects of the business, not just generic, uh, Use cases, then you could test those and figure out the nuances, prioritize and send it through from a from overall budgeting perspective and prioritization perspective. 
 

If something changes, you need to go back and have the leader sit down on a table. So in this example, we went from M&A, right, to another priority, whatever, maybe it's an implementation of some other software in manufacturing, let's say. So now you've changed completely, right? So now you're going to sit down with your executives. 
 

So whoever is responsible for the M&A, whoever is responsible for that new project implementation, in this case, a manufacturing technology that has to [00:11:00] be implemented in, let's say, a bunch of plants, then you're going to sit down with the CIO, some other stake, the project management office, et cetera, because they usually control the money in the, in the, in the budgets. 
 

And you're going to sit down with them and say, okay, this is what I have. This is what all of you gave me. And now we're repurchased. So we've already spent this much money. It's very simple math. Now we have to pivot to here. These are all the 10 things I need to pivot. So from an org perspective, training perspective, skills perspective, technology perspective, uh, change management, you know, et cetera, the whole nine yards, right? 
 

What do I have to do to go from here to here, lay it out for them? These are the, so you have to be realistic. Because some of those you can actually do with your current budget or just reprioritizing people, right, or thinking out of the box a little bit with no cost, working with other groups, maybe you could do it, like, for free, right, within the internal cost structure. 
 

And so you have to lay that out first. You can't go in there saying, well, you [00:12:00] know, you guys did this, you made a mistake, now, now 10 million or whatever the ask is. You're not going to get anything and you're going to get walked out the room. So what you have to do is say, okay. This is what I, this is what the change is. 
 

This, these are the areas of the change. You talk to your teams, you get the information. And then these are the, out of the 10, I can do, let's say six. Usually you can do a lot of these right by pivoting, or you can just use your operating budget or something. Just, you know, sometimes it can be political, right? 
 

Can't keep asking for money. So you take the six and you say, I can do these six. So when you're telling a room full of executives. Hey, I already have a plan for change. You guys, you know, I don't see a corporate plan yet. I've already made my plan. And out of the 10 areas, I've already figured out six of them for you. 
 

So I need money for four. And then for the four, you can ask for a little bit more because you're not, it's usually techie stuff. So that's going [00:13:00] to cost more, right? You got to get rid of the licenses for the first one, then you have to buy some new tech. In this example would be manufacturing technology. 
 

So it would be a whole different type of tool set for security than a merger. So then you could have that conversation for asking for the more for more money for that specific area, right? The four. And that's, that conversation usually goes well because they're like, okay, first of all, they did the analysis. 
 

They're telling us the areas. They're on point. They're not telling us, you know, give us money for all 10. They're being reasonable. He's saying he could do six with the current, and these are the six that he can do. But these four are for x, and you have to give reasons. You can't just say these four are this much money. 
 

Well, I need money for this because this technology is completely different. And And the current technology we have does not look at these environments, right? Or you're implementing a new system that we have no experience in from security. Neither does anyone in this company. So you're implement, so just like you're training all of these infrastructure people, business people on how [00:14:00] to use the tool, we need to be trained on how to do the security of the tool. 
 

These are enterprise level applications. These are not simple, uh, plug and play, click something on the cloud and it's installed. So, so when you're doing your budgets, X, Y, Z people, make sure 5 to 7 or 10 percent is security. Because we're basing it on all of these other, uh, ERPs that we've implemented, and the average comes out to XYZ. 
 

So we're taking that average here, plus we're adding a little bit, because it's brand new, we have to learn it. There's a little bit of training cost involved in the beginning. Uh, so this is what the cost is. And this is, this is, uh, and if you don't have this much funding for these four, Well, the four of you or the five of you in this room need to prioritize it for me. 
 

I don't own any of this stuff. I'm not implementing endpoint protection. I'm implementing manufacturing solution and we just did M&A. So we need some of the M&A security money to come. We need some new monies for this manufacturing [00:15:00] to come. So you're, you're basically a negotiator and you're trying to get different funding, uh, money from different funding sources so that one executive in the business is not stuck with the whole bill. 
 

Right. And, and, or you as a CISO were stuck with the bill with no additional funding. So you're trying to negotiate this real time with them and then they'll have their discussions. They'll basically go at it because they're like, no, no, no, I don't have money. You don't have, well, okay, that's fine. None of you have money. 
 

Well, how we can't do it with this level of funding, like it's not going to happen. And if you only give me. You know, if I, if I need 1 million and you give me 200,000, well for 200,000 from these four, I could do this one and this one, because that's what the cost is for these two, but the other two cannot be done. 
 

So that means we have to accept the risk. If we accept the risk, we're going to go to the C suite, your bosses, and we're going to let them know that you're going, you're signing off on the risk. So we're going to do the assessment for you and we're going to let you know what the [00:16:00] risk is. And if you choose to accept that, that's okay. 
 

But if there's a breach or if there's an issue later, uh, we're going to be pulling up this document, which we've signed, which you've signed and we've signed that, that you've accepted the risk. And that conversation at the board level is going to come and you're the one we're going to invite to speak on it. 
 

Right. So that very transparent, you know, professional, but transparent. And then they understand that they're taking the risk. And once they understand that. Magically, many things change, right? No, no, no. Well done. We're not taking high risk anymore. Medium medium is good for us, right? Or no. Hold on. It's a manufacturing. 
 

We can't stop 24/7, not a low risk, right? So put in push. I'll give you an extra X percentage. Go put in these other five controls, right? I'm happy. They're happy. And then the remaining right. We can do slowly, right? So there's 10 controls remaining or five controls or two controls remaining. Okay, well, we'll work with you. 
 

We're [00:17:00] flexible, right?  
 

Sean Martin: So, so that speaks to, uh, which is fantastic. I love all that. Um, that speaks to effectively some system has been You selected, and there's a team already, or at least ready to, either ready to implement or is already implementing the system. Whether it be multiple machines or whatever it is. 
 

Um, how, how have you experienced being involved before the selection of the technology? Before the architecture of the, Of the environment before the deployment of the machines before the configuration of those systems, because my, uh, we talked about this a little bit in part one where you said, depending on what's being deployed, you might have to hire [00:18:00] special skilled people who know that environment so you can. 
 

You can set the configuration for SAP that only uses the services you're leveraging for your business process and turning the others off so you reduce that exposure. Sets the configuration that manages access control in the right way and data protection in the right way based on where you operate your business in the US, Europe, Asia, wherever. 
 

So how, how have you And I don't know if you have any stories you can share where the CISO is up front saying, if we choose this ER, uh, I don't know, customer relations and CRM system, these are the things we need to do. We, we have, either we don't have the experience and we need to figure it out, or we have people who've experienced this and know that this particular version of this brand requires this, this one requires less from us, [00:19:00] right? 
 

In terms of additional controls and additional management in terms of. Of, uh, configuration and reduced exposure settings, things like that kind of rambling again here, but I guess my point is, if we can get ahead of selection and architecture and implementation and configuration, we can hopefully save some, some effort and some risk and some angst on the management side of things for the, for the, uh, for you as a CISO and then for the team that, uh, That's supporting you in that role. 
 

So what are your, what are your thoughts on that?  
 

Kush Sharma: Yeah. So there's two aspects. One is net new. So like a brand new system coming in second is you already have an existing system and you're upgrading it. So to a new version, new functionality, right? New security has to be done. Sometimes there's new, uh, if there's new functionality. 
 

That's been like not there before and then [00:20:00] kind of did it and it's, it's net new to the market. Then there's going to be some learnings there for security because it's a new module. It's a new, maybe they have some AI or they have some something else that they built relational databases, who knows what they've done. 
 

So from, from a existing, uh, use case perspective, so you're upgrading, that's easier because you do the Delta analysis. So first, Um, you look at what you have, obviously, you know, the current system, you know what the gaps are, uh, vendors usually will have a release notes right before, like for upgrade, right? 
 

So it'll tell you. In this, in this example, the CRM system, it'll tell you, okay, in the version XYZ that, that, that's out there that you can try, uh, these are all the releases. So these are all the changes from a technical perspective, security perspective, functionality perspective, right? Business functions. 
 

So I don't, there's, these documents are available, they're, they're quite like technical reads, but basically gives you all the information. So you [00:21:00] extract all that data, you compare it to what you have. When you do the comparison, you'll see a delta and the delta is not going to be exactly one to one for security. 
 

It's not going to spell it out for you. So they have security documentation. So if there's a new API, new interface, new something, they'll have specific documents on that. But a lot of the information will come from the release notes from the business process side. Uh, so for, for example, for security, they might have some new screens, new functionality for how to do role based access or least privilege or something. 
 

It'll be documented infrastructure. It'll tell you. Oh, this is a new server technology that now with the new system is using. So you have to talk to the infrastructure and and the folks on on those aspects of Okay, well, if this is a new server technology, how do we secure that new server technology, right? 
 

Because it might be like edge computing is different than the traditional client service base. So how do we secure the edge kind of computing platforms now, right? It's a little bit different. So that's number [00:22:00] two. Then the release notes will tell you about all the processes, right? OTC, finance, procurement, sales, whatever, right? 
 

Record to report, business intelligence. So you go through all that, you extract the data, then you understand, okay, well, you The delta of what we have here versus this is, uh, what, you know, X, Y, Z, and from that, uh, looks like, you know, 60 percent of this is pretty much the similar model of security. 40 percent they've introduced some new technology. 
 

And they, or they purchased another product and they've integrated it in. So that model of security is different than the one that they have in their, in their organic solution. So now I have to learn that. So you, you analyze all of that and then you come with some findings and then you figure out, you do estimates, right? 
 

Okay. Well if I do upgrades of, I'm making 50 roles, right? Job functions, AP clerk, whatever, sales distribution manager, forklift operator, whatever it is. Okay, I have to adjust 50 of them because [00:23:00] the business processes that are impacted in the release equal 50 that are live today, right? And they're not implementing the other ones that are coming in. 
 

So my scope is 50. Now in the 50, how many roles are impacted? So how many roles do I have in production right now? Okay, from the, let's say 50 roles, I don't know, making this up, okay, it's 25 are impacted, i.e. in the new release, there's a change in the business process. So something, like if there's five steps, maybe there's four steps. 
 

If there is five, maybe there's seven in the configuration of how you set it up. So then you have to calculate all of that out and figure out, okay, how many steps, how much time does it take to configure that for security, test it, send it to prod, you do the calculation. And then that'll come up with a number. 
 

Then you do a little bit of your subjective math, what I call. Because some of it, it's not all 100 percent just math, like, okay, here's the number. Well, there's some efficiencies there. You already know the product, etc. Maybe you have some training documents you can leverage, etc. Like, so it's [00:24:00] not starting from scratch. 
 

So that's another loop, like, downfall of CISOs where they just, every time there's some upgrade, they don't take the efficiencies into scope and then they give a number like it's a new deployment. And then they're like, what do you mean? Why does it take so long? Right? Um, so, so you calculate that out, do your rough math, send it to them, and then you're, you're on your way. 
 

Now for the net new, it's, it's a little bit different because you don't have the skill sets. You don't have that information. So you'll have based on your experience. So if you're doing CRM But you know, you've done another ERP for manufacturing or whatever. It's pretty much the same idea. It's the same methodology You have to look at the business process kind of map and then extract it through the conversions and then implement. 
 

You have to talk to the vendor because the vendor is the best person that can scope it out for you. And so you go through and do the demo of the security of how that tool works. You understand a little bit, [00:25:00] which model is the following fine grain privileges or role based or however it's set up, right? 
 

Is it read, write access? Like how is it all set up? And then is a web, web based links for security, like who knows what they have, is it analysis? So for the reporting world, you would have like, You know, access to reports and the data in the reports, you're doing data security as opposed to like role based access. 
 

So you take that data security and then you convert it into what is a forklift operator need to see from a reporting perspective. And then you assign those reports, but the reports themselves have to be secure. So you do all of this analysis up front with your team, with the vendor. And what you need to do is provide that information before they go to RFP. 
 

So ideally, you have your standard set of all the requirements. Uh, if it's net new, traditional stuff, right? You make sure you scan, make sure there's, uh, GRC controls, etc. All the [00:26:00] normal stuff, which is like a list and you give it to a procurement and they have to go through the list. Every vendor has to comply. 
 

That's the ideal. In addition to that, you do this exercise. You add in the specific nuances for that application, for that system, whatever, cloud service, whatever it is, because they'll have some nuances. Okay. And so you combine those requirements and hopefully they invite you to the discussion to the table during the requirement stage where they're documenting everything that they want before they finalize it and put it to the street. 
 

Because even if they put it to the street and you're invited as a CISO office during evaluation or so, it's still too late because they're sending you proposals based on whatever the RFP said. But if the, if the proper security requirements are not in the RFP itself, you're, you're already, you've already lost, right? 
 

And you're going to play catch up. So what's going to happen is you're going to go back to your colleague and say, what is this? Like you have almost no security [00:27:00] requirements in here. You have to add these 50 things in and then it'll go back to market. They'll come back with a higher price. Right. By default. 
 

And then they're going to say, no, we don't want to do security or you're estimating you're estimating too high. No, I'm, I'm estimating the right way. You didn't invite me to the conversation of the requirements, because then the price comes in as the price. And so that's the first price they see. And when they see the first price, that is the price. 
 

You don't want to see two prices. One price is without security and one price is with security. Well, that's, they're never going to do it. They're going to say, you get 2%, go do what you can, right? Make sure it's secure. No, it's not going to be secure. I don't even need to look at anything. I'm telling you, it's not going to be secure and I'm then going to prioritize for them which controls I need to put in based on costs. 
 

This one, this one requires this much effort to configure and put into the system as an automated control. I have this many people on my team and on the project. And this is my budget. [00:28:00] So then you break it down even further. You could, hey, prioritize the controls. These are all the ones that we're recommending to put in. 
 

This is the cost. These are the technologies we already have. So no cost for those, but these are the new stuff that we have to put in. And here's the cost. And I cannot put all these in, like there's 150, I'm making this up. Let's say 150 controls in total, right? Across the board. Then I could only put in 50. 
 

So I'm, these are the core ones like MFA and stuff we have to do. Passwords are encrypted. Like there's no choice in those, right? So you have a baseline. So out of the 50, let's say 20 are baseline. I'm, I'm just hypothetical here. So 30, you guys tell me which ones you want, right? Configured and set up. I recommend that you do these in this order, but you tell me which ones. 
 

And then again, we go back to the conversation of, well, you're going to sign this, you know, risk acceptance form and, um, you know, we need you, like, without signing it, we're not going to approve. We're not giving the okay, you could still go [00:29:00] without us, even if we don't, even if we say we don't agree, we don't, you know, we don't agree to go to production and we think this is too risky, you still have the option. 
 

So that's one thing you see those forget that at the end of the day, it's their system, they want to implement it. So do we want to stop it? No. Um, but we do want to implement base controls to protect the organization as common sense measures, right? Can't just say no encryption for passwords. That would be ridiculous. 
 

So we have to have that, but then they have some options on the configuration of the controls of role based access, privilege access, who gets, who gets to see what from a reporting perspective, that's all variable. And so that's, if they want to show cost centers of plant A to plant B, okay, no problem. But then when the plant managers see the different pricing and the cost structures, right, and they're then they're going to come to you and saying, right, or vendors have access, and then they see, oh, vendor, [00:30:00] vendor A gets 20, 10 percent less than vendor B. 
 

Well, that's going to cause major problems in your organization. And, oh, that group gets paid more than us, right? Because now they have access to more of the HR reports, let's say, because we're not putting in specific controls, right, on that level. So, these are the things you have to advise them on. 
 

They're not going to know. You think you, they know because you're doing the security and your people are in the system clicking buttons. But you have to tell them, well, if we go with this cost-effective model, right, which we did not recommend, but you want to go forward with, the way we can make this work is you have to give access to multiple cost centers. 
 

The plants in this region will have access to, all right, to see all the data in the plants. So, country, all plants together. So, whether you're from plant 1 or plant 50, they all see the same data because that costs less to build. If you want every plant segregated, well, that's going to cost me more money. 
 

I have to do [00:31:00] every single role times 50. Now, does it even make sense to do that from a business perspective? So that's how it all loops back into kind of the initial discussion of, you know, how much, how detailed do you want to actually get into the authorizations?  
 

Sean Martin: Yeah, and that's just off. There's so much more too. 
 

Talk to me a little bit about, um, I think we touched on, we didn't call it pot, the product requirements document, but the business requirements, and I think we touched a little bit about on the, uh, the user stories and the use cases. Because that, to me, that defines this is what the users are going to do. 
 

This is the outcome we want to lead them to, right? Payment of cash or whatever. I can't remember some of the things you talked about in part one there. Um, there's a starting point and an outcome, and in the middle a bunch of stuff happens, [00:32:00] um, which determines what part of the systems you deploy, how they're configured, what, what parts you disable, um, how you, how you tune the, and configure the operating system underneath it to, to support those things. 
 

What type of network you set up to, to, uh, allow the communications, where you put your data. All those decisions are driven by how something works. The, the use case from A to Z, achieving that outcome in the most efficient and successful manner. You wanna onboard customers, you don't wanna, you don't wanna have delays and a bunch of hoops and jumps that they have to, to make. You wanna, you wanna do the assessment, get the data in there, get the process through, get the approval done, and onboard 'em. 
 

Um, so my, my question to you is, as a CISO, how do you, how and where do you get involved in the product [00:33:00] requirements and the use case and the user stories? To kind of get a picture of here's, here's how this thing looks. Here are the systems. Here's the network. Here's the data storage. Here's the data transfers. 
 

Here's our access and authorization stuff, which you touched on. Now, how do you get involved in that to say, do we really need to collect this data? Do we really need to send that information from plant A to plant Z? Uh, do we need to make that data available to partners like this use case says? Um, so do you get involved in that level? 
 

Because to me, if we can reduce the exposure and therefore reduce the number of controls we need, um, then we're saving money or saving time for the team putting those controls and monitoring in place to make sure they're in place and everything. So what, what are your, what are your thoughts on [00:34:00] any, any experience there to really get, get in down and dirty and say, let's, let's build this thing securely. 
 

And let's just not put controls on what the use case is already.  
 

Kush Sharma: Yeah, I think so from a CISO perspective. Ideally, you wouldn't get into that level. Um, you would have your team and then they would be involved. So what you would have to do, at least what I've done, is you take the project team members, and you, you basically align a resource to the business process. 
 

So for example, you know, someone's going to do all of the finance processes, right? And someone's going to do all logistics and we're going to assign one person for all OT and then another person for infrastructure. And then obviously one person for all security matters. So you assign, uh, your security folks as functional experts. 
 

So they can get trained up on the [00:35:00] process and for me, I mandate them to read all of the business process documents so they understand the actual business process and how it works and how we make money and how compliance works, etc. And the nuances. So once they get ramped up on their business process, so one person would do like all logistics, one person would do all manufacturing, all finance, all procurement, sales and distribution will be another person, etc. 
 

Or one person could do multiple areas. So now they understand that they would actually be involved in those weekly, daily meetings with the teams. So one person would be assigned to the data team, for example. So that person, their only job is really to understand everything the data team is doing. Every tool they're going to put in, how they're going to design it, is it centralized, which countries the data is going to be in, etc. 
 

All right, so we'll have these folks also, we'll have someone dealing with legal, with government affairs, you know, et cetera, et cetera. Change management, so, so the idea is to make the life simple for the other teams. Which is they only [00:36:00] go to one person and then how we deal with it internally. That's our, that's our issue to deal with, but they only have one person. 
 

And then that person usually is more senior and they get expertise in that area because they're working with them for years and they understand the processes and they build trust. And then they're reading the process also. So in the daily discussions and the weekly discussions, they're raising those questions that you raised. 
 

Well, hold on. If we have five data sets now and you're trying to put it into one, where is that one going to be is the question we would ask. And I'll say, oh, USA. I go, oh, but we know from legal that there's, we are in five countries and the regulations are different. You're not actually allowed to do that. 
 

And then they'll be like, what? Because we're the, we have to try to be the integrators, right? We're like, the security team or the CISO's office really should be like the, like Amazon. Okay. The requests come in, we get all the information, collect the intel, and we close into a [00:37:00] magic, magic box. And then two, three days later, you get whatever you ordered to your doorstep, all packaged, right? 
 

You just open it, boom, you're ready to go. So you have to think of it that way. So whatever's coming in, magic happens, goes out, and that's how you have to run it. So no one sees what's happening in the middle, which is the hardest part. The logistics of the whole thing and the operations of the whole thing is the hardest part, right? 
 

So it's not, we  
 

Sean Martin: want to, we want to, we want to show that we're smart. So we want to share all that stuff, right? So,  
 

Kush Sharma: so we're actually gathering all the intelligence across every team, across every function. Because that's, CISO has access to do that. And then we're providing daily, weekly, monthly on all levels, right? 
 

So from a technical operation all the way to the C suite with the, with the CISO, we're, we're basically funneling all of that information and then providing the recommendations in natural language, right? In [00:38:00] real time. And so we're building the relationships and the trust on every single level by doing it this way, right? 
 

Because we're speaking their language. And if there's, if there's something that we can do, we do it. And if there's something that we cannot do, we're transparent about it. And we say, this is, you know, we understand you're modeling your business process like this. However, if you do it this way, this is what's going to happen when we build the security. 
 

So, if you want three steps in the process, that's no problem, but you have to understand that in order to build it like this, we have to give more access to these people that are in this middle box because you only have three boxes here instead of the 10 that was there before. So you're going down to three from 10. 
 

That means we, if we take the old model and build the security, it's going to be redundancies, it's going to be excessive access, people change roles all the time, they don't remove it, et cetera. There's going to be a lot of issues and that [00:39:00] complication of everything they have to do is difficult to control. 
 

We're trying to automate the security, we're not trying to do manual work. So, that means you're going to look at every cost center. That means you're going to look at every plant in your company code, right? So legal entity. That means every sales and distribution person in the Midwest is going to get access to these five reports, right? 
 

This is how the new world will work. Now, we're not talking top secret or anything, right? Just normal operations. And so that give and take happens on that level, and then once there's some agreement, and sometimes the CISO has to come down to that level to navigate those conversations for the technical people and have a discussion with that director or VP, and then go back up, and when the decisions are made, basically you present and say, here's how it's going to work. 
 

This is the business model. That, that was, this is how data is going to work, or this is how we're going to have centralized finance, and we're going to have centralized [00:40:00] finance in two countries instead of five. Okay, if you have centralized finance in two countries, this is what it means. All of these, all of these job roles were taken and put into one area. 
 

These processes, so this has nothing to do with security. You're talking about change management training. You're talking about process efficiencies and what the business has decided, or what infrastructure has decided. Right. They're going to build a data center, one in Europe and one in North America. 
 

Okay. That's a huge difference in what it was before. So the security is going to change. Our model, our thinking is going to change, right? Because now you have, instead of decentralized, you have centralized. Now we have to put a lot more controls in that data center because we have, you know, two data centers instead of 10, let's say. 
 

So, excuse me, so then you take that to the executive and then beside it, you say, okay, this is what was decided, this is how the security will work. This is what you decided, this is how the security will work. This is the cost of that. This is the cost of that, [00:41:00] risk, high, critical, high, medium, low. Our budget equals XYZ, so you put a line, right, you have the 10 things or whatever comes out to be 100 things, and you say, okay, 60 percent of these can be done with the existing budget because of these step changes. 
 

Putting we're going to put in a change request for these 40 percent for these other, you know, 40 percent of changes. And then you explain to them why, right? And it's not a security decision. Nothing to do with us. We're telling you the impact of what decision was made in the business. Many times they've reversed the decision because security has come to the table and provided that, that guidance and advice. 
 

And they'd never seen it that way. So like, hold on, hold on. Uh, we don't want all these people, uh, in these, uh, 25 plants in this country to see everything because we have, uh, legislation there for that country and how we process that we're not allowed to do that. From a business perspective, Oh, okay, well, this is what [00:42:00] the VP of manufacturing told me, right? 
 

Like, I know I read the documents, but this is what the decision was. So, so then they'd be looking at that person and say, why is this decision? So, a lot of times you'll see in those conversations, and very respectful conversations, where they're just pointing out facts. And we're not pointing out this is wrong or right. 
 

We're just saying this is the decision and this is the impact for security. And then they'll have that discussion and many times I've seen reverse decisions come out of that. No, we can't do it that way. We have to do it this way. And then, right, you're seen as a trusted advisor, then you're connecting the different parts together. 
 

So you're basically telling the business in that country, go talk to legal. Ideally, this would happen before it goes to executive, right, and any kind of presentation. So you sort out these issues between the executives first, but if some, some decisions are just very controversial, political, they're not going to get resolved. 
 

[00:43:00] So security would bring those up and say, we need a decision X, Y, Z, C suite. This is the contention. We've already spoken to these two business lines. They can't come to agreement. These are the five things they agreed on. These are another five they don't agree on. I cannot move forward with security. And if you don't give me my information by this date, right, it's going to be X, another 1 percent cost, because my consultants are going to be rolling off. 
 

So if I keep them for another two months, the cost is going to come to the project. So you have to lay all that out and that takes some time. So the CISO needs to be doing the business side of that. Okay. Give me all the facts. Give me all the figures. Understand the impacts. Let me talk to the executives. 
 

Let me try and negotiate things and then come up with the impacts and the budget. So your team gives it to you, you vet it with them, right? Make sure they're not just telling you stuff. You have to really go hard at your team. And then when you're comfortable with the numbers, then you go back one more time. 
 

Hey, this is what it is. We're going to have to present. We're going to be late. I need to ask for another percentage. And [00:44:00] in order to do that, I have to bring this up. So have you thought about this, or does someone else, right, need to make a decision? And so sometimes it's just, you know, they're stuck. So you go and then the decision is usually made within a week. 
 

Usually. Like it's pretty fast, right? Executives are not going to waste time. They'll talk amongst themselves. They arrive at some kind of compromise. Boom, you get a decision made. And then maybe instead of a percentage, you're, it's half a percentage or a quarter percentage that you have to go ask for, right? 
 

It's okay with us. I mean, it's however you want to do it. Like it's not, we're not here, but that way you're also influencing some of the decisions from an organizational perspective and strategy perspective.  
 

Sean Martin: Absolutely. Well, you've, uh, you've injected about 100 more questions in my head. I'm envisioning a part three, um, to this, uh, to this conversation. 
 

I'm, I can keep [00:45:00] rolling. We can, we can, uh, pause, let people chew on this and, and, uh, pick it up again. Or we can, we can schedule another one. It's up to you.  
 

Kush Sharma: Uh, yeah, we could. We could pause and do part three. All right. Yeah, I don't have many meetings this afternoon, so it's okay. 
 

Sean Martin: I'm enjoying this and, uh, I think we'll do one more if you're, uh, if you're good. 
 

Kush Sharma: Yeah, I'm good. No worries.  
 

Sean Martin: All right. So, uh, we'll pause here, everybody, and, uh, stay tuned, have some, uh, let's take it down to the team level conversation next, and, uh, so stay tuned for part three.