Join Sean Martin and Kush Sharma for the third and final installment of this conversation as they provide invaluable insights into building an effective cybersecurity team, integrating business functions, and navigating executive-level communication. Discover practical strategies for elevating security within your organization and ensuring its priorities align with broader business objectives.
Guest: Kush Sharma, Director Municipal Modernization & Partnerships, Municipal Information Systems Association, Ontario (MISA Ontario)
On LinkedIn | https://www.linkedin.com/in/kush-sharma-9bb875a/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
___________________________
Episode Notes
In the third and final installment of the series titled "Building a CISO Office: Mastering Enterprise Risk Management and Aligning Cybersecurity with Business Goals," Sean Martin continues his compelling conversation with Kush Sharma. This episode focuses on the critical aspects of team dynamics, project management, and stakeholder engagement in the realm of cybersecurity.
Kush Sharma elaborates on the importance of establishing a well-structured and communicated vision for security operations within an organization. He emphasizes the necessity of setting expectations with security teams before any major project initiation. According to Sharma, transparency is vital. Security leaders must candidly discuss with their teams that not every decision will tip in their favor, but their role is to advocate for security while being adaptable to business needs. He stresses the importance of documenting and following up on risk mitigation measures even if they aren't implemented immediately.
Sharma also sheds light on the concept of integrating business and security functions more seamlessly. He proposes not just embedding security into business but also bringing business personnel into the security fold. By having business unit members work within security teams temporarily, organizations can build a robust line of communication and mutual understanding. This cross-functional approach creates internal champions for security measures and helps significantly cut costs as internal personnel generally have lower operational costs compared to external consultants.
A significant portion of the episode revolves around the nuanced engagement with different stakeholders, particularly at the executive level. Sharma advises CISOs to view themselves as peers to other C-suite executives, prepared to defend their positions and decisions vigorously. It's crucial for CISOs to maintain this executive-level mindset and openly communicate the broader business implications of security decisions. Sharma highlights that making a business case for security and showing tangible returns on investment can secure better funding and support from the executive team, leading to more substantial investments in long-term security measures.
Sean Martin wraps up the episode by touching on the importance of storytelling in cybersecurity. By translating technical achievements and risk mitigation efforts into relatable stories, CISOs can effectively communicate the value of their work across the organization. These narratives help ensure security remains a priority in business strategies and operations, fostering an environment where security considerations are integral to planning and executing new initiatives.
In conclusion, the episode provides essential insights for current and aspiring CISOs on navigating the complexities of internal communications, leadership, and strategic planning in cybersecurity. Both Kush Sharma and Sean Martin offer practical advice and strategies that can help elevate the role of security within any organization, thereby protecting its infrastructure and supporting its growth objectives.
___________________________
Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring this show with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Building a CISO Office: Mastering Enterprise Risk Management and Aligning Cybersecurity with Business Goals | Part 3 of 3 | A Conversation with Kush Sharma | Redefining CyberSecurity with Sean Martin
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] And here we are. We're back with Kush Sharma. Kush, thanks for keeping this conversation going. Part three. Um, who knew we were going to have this, uh, this nice long, uh, chat. I'm, uh, I'm enjoying myself. Hopefully people are picking up some good nuggets, uh, from your experiences and the stories you're sharing.
Thanks for, thanks for joining me again.
Kush Sharma: No, thank you for the invitation. I appreciate it. Love. Love to be back.
Sean Martin: Absolutely. And for those listening, this is part three. Uh, I'll, I'll go out on a limb and say part three of three parts. We'll try to wrap, we'll try to wrap it up in this one. The first one was all about kind of setting the stage and setting the scope and getting, getting some of the initial requirements, uh, understood and then, you know, Part two, we talked about, uh, yeah, negotiating and, and kind of the back and forth between the different teams and business and ops and, and [00:01:00] finding the, finding the right path forward at the executive level to make sure that they understand what's really going to happen from a business perspective.
What controls will, will do what to the, to the operations and what risk is left, if any, that, uh, the team will need to, to, uh, sign off on. And where I want to take things next, Kush, is, uh, kind of, you mentioned, you, you, You put folks on, somebody's going to own the CRM. Somebody's going to own legal process.
Somebody's going to own a sales and distribution from a security perspective, understanding those systems and those applications and those business processes, and really having that relationship with each of those business units and functional teams to ensure that. They know what's going on so that they can identify the risk and put the right controls in place and talk through that stuff With those business teams what I want to take take us to now is [00:02:00] all those folks coming back together Assuming they do Under you in some one or more meetings I'm presuming where each shares I'm assuming shares Their stories, their updates from the conversations they're having, the projects they're implementing and the security program updates that follow.
I suspect that there are some commonalities across different projects that there are each working on. There might be. So one person might have, well, we just did that last quarter. Here's how we proceeded with that project. You might apply this learning to your project and move things forward faster. So.
Talk to me a bit about how that, that team of Functional security leaders, I'll call them. You might have a different term for them. How do they come together? How do those conversations sound? When are you involved in them? [00:03:00] To help drive your vision for security ops in the CSO office and what do you take out of it?
I'm asking a lot there. So what does it sound like? Where do you drive? Where do you listen?
Kush Sharma: I think, uh, if it's a larger project, like a digital transformation, right? There's lots of, um, budget is onboarding of people, et cetera. It could be hundreds, many thousands of people. So in those larger scale ones, you need to set that structure up immediately. And so. You know, like larger financial institutions and, you know, let's say fortune 50 or whatever.
They have the business information security officer, right? So, uh, they have the Bezos. Already in place, but, you know, when you're doing a brand new implementation, it's. It's usually something new in a certain area, or they're revamping and write all the old stuff into something new, and so they might not have that structure.[00:04:00]
So you have to educate the executive that, listen, if we're transforming all the business, and then obviously the underlying infrastructure, security is part of the infrastructure. Because they usually forget about that. Um, or they under budget for it. And so you need to be, if you're hired into an organization as their first CISO or a new CISO to take on like these larger project, cause it's a different skillset than a normal CISO, uh, then you need to make sure that they're aware that the team size will increase during the project.
So that usually is supplemented by consultants, right. Uh, contractors. And so you would, you would, you would have to set that expectation saying, okay. In order to do all this, we have x resources, we're going to go to y resources internally, so our opx is going to increase. However, in order to get this done in this very aggressive timeline, uh, we need external parties to come in that are experts, [00:05:00] sharpshooters, they're going to do all this.
specific work for us. This is how the team structure is going to be set up. It's going to be focused on the business and focused on the, on the three objectives. Let's say there's three of this transformation or the company's objectives. One is a transformation, one is a merger, and one could, you know, be something else like, uh, something, a new law is coming in.
They have to comply to it. So maybe those are the three priorities and how we're going to support and help those. And so that all has to be broken out and explained first. To them to set the expectations that that we we need business people. We might have to get, you know, transfer and second people from the business to to our group.
A lot of times I do that, which is the simplest way. And then you get the stakeholders buying because you're taking someone from the business unit, bringing them into security, educate them, train them on security. They're going to work with you for a year to 3 years. And they're, they're already, you [00:06:00] know, influencers in their group.
They're already the ones that will tell the story. It's not technical security people. And so if you could convince that one person, and if you could, um, have that person understand technical topics in a way that they can explain it. right? Because they're not security people. You've done your job well, and you're going to be successful because they're going to be the champion for you.
And they are from the business. They know everyone. So if that person from the business is telling their colleague is telling them, no, no, they're okay. These people are okay. Um, I know why they're doing it. I know the reasons. I know what happened if we don't do it and they'll be the ones that are champion.
So actually you don't have to okay. You don't even have to be out there on the ground level and on the executive level. You just have to worry about the C suite level, right? And making sure that, that there's no misperceptions, miscommunications, uh, political agendas, right? That have gone haywire. Um, so you got to worry about those [00:07:00] type of, uh, kind of issues.
And then you basically embedded the business into the security function, vice versa. People say, let's embed security into the business. Well, take the business and put them in security, right? And then they can go back and then you have all of these BISOs everywhere, right? You can call them whatever, right?
Um, but they're basically business folks from the business that do finance, that do logistics, like from the plant, right? These are real people. These are not consultants. These are real people from your organization, seconded to you for whatever time you can get them for. And so then also you, in that method, you also save save a lot of money.
So because they're internal resources, the cost structure is much lower than a consultant, probably at least three to four times lower for internal resource, right? Um, then, then, uh, very specialized security consultant, uh, that you have to manage and you have to oversee and they're mostly techies and you can't have them talk to the business all the time on their own, [00:08:00] right?
So now you need a layer of PM and all kinds of people on top of So if you can take this business approach Upfront, if you have the benefit of doing it in smaller organizations, you're not going to have all of that. So you just probably have to be a little bit more hands on as a CISO. If you're in a smaller organization and do it yourself, maybe have one or two people and then get some consultants to help you with the business side.
But the larger organizations, they're, you know, they have these structures already in place. For for everything else. So that's, you know, um, I think your first question. I forgot the other two. You could repeat. I know I like mission is, you know, I like looking up all
Sean Martin: the
Kush Sharma: yeah, that's how that's how I've done it.
Uh, and there's learnings there. It's not like it's been successful. I've done it multiple times. And every time. I iterate, I adjust, right? And every time there's a different political situation, you have to adjust because the model might not work 100%. [00:09:00] So it might work 80%, 90%, but you have to do the tweaks.
Every organization is different. And some, some folks, um, were, you have to know some folks will never be happy. Okay. Never, no matter what you do, no matter how you help them, they will not like your organization. They won't, they don't want to change. And they will be fighting the whole transformation, including your group.
So you have to not take it personally. And sometimes you have to have that thick skin and just, you know, let them vent and let them say what they have to say. And then you deal with the other executives. Because there's no getting through to that group. And if there's no getting through to them, then you have to escalate, right?
So, those are the harder conversations to have. But, uh, you know, you don't want to get there. But if you do, then, then you have to be ready. You have to look at yourself like, uh, you're the C suite. And if there's contention in the C suite, they talk about it. You have to, you have to be able to defend your point and your view.[00:10:00]
You can't go in there like you, that you report to them. No, you're on the same level as them. And that's what CISOs forget many times. You're the CISO. You have to act like C suite, and you have to defend your position. If you defend your position well, The decision may come to what you're saying or it might go to whatever the opponent is saying, right?
The other executive but at the end of the day, you have to realize you you've done the best you can The corporation has made it or the organization or the government has made a decision and now you have to fall in line and even you can't be resisting that because they've understand the risk and you've told them everything and you know, people have signed off on it.
So now you have to get in line and make sure the mission is going the right way. And that even though you disagree with whatever the decision was that you implement it right with a hundred percent of everything you got. So you can't, you can't, you can't say, Oh, you know, I don't like [00:11:00] this. And they should have done it this way.
Well, I'm not, you know, I'm going to take these two people off and put them on this project. Now they're going to fail anyway. No, you can't be like that. You have to, no, these are the best people. We're going to put them on. We're going to make this successful.
Sean Martin: Well, this is you're, you're starting to answer part of, uh, one of the other questions, which is how do you, how do you engage with your team?
That are looking at all the different functions and what I'm hearing as a starting point is understanding your peers perspectives, holding the ground for what your team is telling you, plus your own knowledge to maintain your position and then following the decision. That the, that the C suite makes that to me, that's, that's bringing back.
This is a decision. We may not agree. Here's the plan to, to make sure that we're [00:12:00] implementing it to our best ability, uh, to achieve what the, what the company's decisions, uh, Trying to, trying to get as an outcome. So how, how do you successfully, I mean, this is leadership one on one, right? But how do you successfully get the team to follow along with that?
Um, because they probably see all the next level details of, well, that decision is going to end up being X, Y, and Z, but I guess we have to follow suit. So how do you, how do you bring that back to them?
Kush Sharma: I typically, um, try to set expectations before any major project starts. So I sit with the team and the key players on the team and say, Listen, we're going to, I'm going to take the perspective of the team and I'm going to do as much as I can from a security perspective.
There will be some decisions made that right are not in our favor or it's a decision that, you know, is going left and we're going right, but that's the way [00:13:00] it's going to be. But the clear message to them up front is we will, I will support you as a leader and I will at least go and make the case. Which many people don't even do and the fallout of that and the decision that comes out of that is what we're going to live with and I tell them very clearly in some cases, uh, it would make sense and we're going to move forward with our recommendation, right from a global company perspective or a government perspective, but in some cases, right?
There's going to be speed to market or some other driving factor that we need to get this thing out. And then we're going to have to be very, uh, you know, flexible from a security perspective, which means not all the controls are going to make it to production day one. They might make it day 90 or day 180, right?
So we're not going to say, don't do these controls. We're going to say, okay, let's be flexible about it. [00:14:00] And we're going to have risk acceptance, et cetera. We're going to do the follow ups, right? Our team's going to do the follow ups to make sure that they actually put those controls in what they said they're going to put them in after.
So that transparent conversation is vital, right, to have. And many CISOs, because, you know, they have many layers, right? The larger organizations and governments, they have many layers. under the CISO, in the CISO organization. So the, sometimes the message doesn't get filtered down, but, so you've got to have like an all hands meeting with your whole team from the analyst all the way to the VP and say, this is how we're going to, this is the rules of the road.
These are the guidelines, right? We're going to be helpful. We're going to be respectful. We're going to provide our viewpoint. We're not backing down. However, we're going to be understanding of the requirements and understanding of the view of the other person. And just because something goes to production, uh, with, you know, with not all the [00:15:00] recommendation and controls that we, that we have stated, it doesn't mean it's a bad solution.
The functionality is still there and they're gaining market share. They're, they're, you know, maybe they're number one in the first, you know, month or whatever, and their revenue's coming in. Well, that is going to be seen as a positive for security because we helped them through that process and slowly we're putting in the controls after production, uh, after it's gone live in production.
And then we might actually even get more money because they were like, okay, you supported us and we understand the importance of security. So this was your original ask, and I know we cut it, but we're going to, we made some changes. We just made so much money in the first quarter. We're going to give you the full amount that you wanted.
So go ahead and implement that security that, right, that we need. And so a lot of times that happens, and you're kind of surprised sometimes. But yeah, transparency. Now, if there's no choice, like you didn't have that discussion, get the bad news or not favorable news, and you have to go tell your team. Well, you [00:16:00] have to be positive about it.
So you can't go to the team and say, well, they didn't listen to me. No. Well, you're the, you're a CC executive. Exactly. You have to do what the organization would like you to do, and you have to be positive about it. Right? And so you have to look at every positive aspect of whatever the decision is, and you have to communicate that.
And some some folks in your organization will not be happy under the sea salt, but that's okay. You can't make everyone happy. And there'll be some folks that have some questions. You answer them transparent as possible, right? And then then you move on, right? And You know, there's no more discussion after that because the decision has been made.
We give an opportunity for people to give us feedback. So we will, obviously we will take the feedback. We're going to keep track of the feedback. So it's not like our people are telling us something, completely ignore it. And two months later, we're like, Oh, what was that that you told us? Right? No, we keep track of it.
We actually document it [00:17:00] and you, and you come back to it every few months and say, Did we check off any of these boxes right? As this project is going forward, maybe you have and then you go back to your team and say, listen, the 10 things that you have questions on. Hey, four of them we've solved. So that builds credibility and trust within your organization and your people because they're like, Yeah, maybe he did not or she did not get everything, uh, but they're working towards that.
And then they see the incremental progress. And then when they see that, they're like, okay, no, they're, you know, they're doing something. They're always doing something for the team. They're always doing something for the protection of the organization. And so that quickly translates to trust, trust builds confidence, confidence, people are more excited, they're more excited to do a lot more work.
And then when they do more work, we're pumping out more outputs, outputs come out, right? Business is happy, infrastructure is happy, etc. And they see the executive see [00:18:00] everything that we're doing and how fast we're doing it get again goes back to them the trust and then the confidence cycle continues over and over again.
And then you see elevation, then you see elevation in your role, usually get more responsibilities. So, for example, I was doing traditional cyber, then I was given forensics in one of my experiences. Then I was given privacy operations. Then they asked one of the experiences they told me to do physical security.
So it wasn't about the task, right? It wasn't about, Hey, take this unit. It was okay. Whatever we're giving this executive, they're figuring it out, even though it's not maybe their area of expertise. And then they're, uh, delivering on what the outcome is. But not only that they're automating things because security people like to automate things, making more efficient, right?
Less, less. More, you know, technology versus, uh, human beings, uh, in the, in the day to day task, right? Because it's very difficult to do those tasks these days. So then you're saving money, [00:19:00] you're thinking of new ideas, you're working with them, you're taking on the additional responsibility. Now the additional responsibility translates into what?
More intelligence gathering for you as a CISO. Now, I always say, yeah, there's a CISO, but we're, our business is actually intelligence gathering. At the end of the day, this is what my feeling is. So we're good at that, right? We're getting, we're getting, we're, we receive the information, translate it, then we push it back out, right?
Here's our alert. This is what happened. Someone's trying to hack us. But that intelligence comes from various sources. It can come from the physical security world, from the data world, from the business world. So you have to be smart. And, and, you know, say, okay, if I got access now to another 100 feeds for physical security, I got access to all the data information from the data team.
Now I've got access to operations technology. I got access to, let's say all the HVAC system information. Well, I would be, I would be like. Why would you even take that data? Now you could correlate, [00:20:00] and you could, and you could look at, and make your systems more intelligent, right? Those outputs are more intelligent and more integrated.
So if someone, let's say, is standing outside a plant, I don't know. Let's say it's a water plant. For example, when I used to do water, they're standing outside the water plant for X amount of time. And you, and you got your SIM or your SOAR hooked up or your data lake hooked up to the CCT TV cameras and the feeds coming in.
And the cameras are very intelligent these days, right? They have sensors. They're not actually old school cameras. They're actually sensors. So now it's going to flag. And it's going to come into your, uh, operation center, right? So they'll get it and then you'll get the SOC will get it. Then you correlate that with Potentially facial recognition.
And it's okay. This person, this person, not an employee, right? You could tell that immediately. This, this person, the contractor, they were supposed to leave yesterday. Why are they here today? That that's like real time data you can get, right? If you put together [00:21:00] different information systems that you already have access to.
So you could start becoming more intelligent and then you say, hold on, send out the, send out the security guard right now,
Sean Martin: like,
Kush Sharma: well, why is that? Yeah, he's a vendor. We understand that we know who it is. But they're supposed to leave yesterday. Why are they back? Right? Did they not finish the job because the contract's finished?
So you hook up all of these different systems together to get the data and then you can make some real world, you know, real life, real time decisions that are, that are tangible. And then you take these examples that you built as a CISO and you go to the executive and you say, this is what I did last month.
This is what I, we just, this is the data that you gave me. And every time you give me more data, Um, I could see more, and when I see more, I could build more use cases. I can, I can correlate all kinds of different data together. Now, these are all the scenarios that I found just in one month. Now, if we didn't find these things, [00:22:00] maybe this person would have gone into that plant.
and cause some problems. Who knows? You know, right? So these are real life use cases that you, that I usually present and I dumb it down, right? You got to make it simple. You got to simplify it, but you have to be able to take practical examples of what's actually happening with the investment that they made.
Right? Millions and millions of dollars of investment, but CISOs forget to go show them that their return on investment is XYZ. And when they see this, that you're catching fraud, um, you're stopping attacks, uh, you know, executive impersonations, Disinformation campaigns, all of this is in the realm of the CISOs with all the tools, right?
Um, and the threat intel people and the SOC people and the threat hunters and the pen testers, etc. All of these people together as a holistic team forensics, etc. You paint that picture that no one else can paint. [00:23:00] No one else can provide the, the end to end. Uh, okay, this, this is what's happening here. And this is the impact over there.
And when you do that, they're, they're going to be like, Oh, we need to definitely keep the investment in security. By the way, how much more do you need? Cause we want you to actually go over here and look at this problem that we have now. So I've been in many circumstances where. They give me a responsibility that's of areas I have nothing, like nothing to do with cybersecurity, right?
But it's not the cybersecurity, it's the intelligence gathering, it's the way you think, it's the way you make things more efficient, it's the tooling, it's the questions that you ask, right? So you take whatever problem they give you and you're providing a solution. And many cases I've taken it on, provided the solution, right, took six months, a year, two years, sometimes, depending on how big the problem was, fixed it, and then gave it back to them, right?
Because I don't want to do that. It's not my area. And so then that, that builds a lot of trust. And then you get whatever you want for your budget after [00:24:00] that, just ask for whatever you want, you're going to get it.
Sean Martin: I love the stories, Kush. And, uh, yeah, like we, we, we went full circle, I think. Yeah.
Kush Sharma: Yeah.
Sean Martin: Right.
Yeah. You bring it back to
Kush Sharma: Yeah, you got to tie it all together, right?
Sean Martin: Exactly. Because if
Kush Sharma: you don't tie it together, it's like a high level theory discussion that we have at CISOs, but you got to actually put it into practice. Yeah. And you have to understand the impact of what you're doing on 30, 000 feet, but how does it get to zero, right?
do you, and then negative, if you're going into the ocean. So how, how does that whole thing work? You got to understand that and the impacts to everyone in that whole circle, the whole supply.
Sean Martin: Well, what struck me is the, uh, the, the storytelling, right? If you can relate it to, well, tell it in a story that they can relate to and they can see.
Uh, the, the, the value to them [00:25:00] from the work that you've done. Um, and even the, in the individuals that you bring in, the BISOs that, uh, the join your team that then go back to their, their own departments and communicate back to them the results of, of their, their particular programs. I think all of that helps to feed security back to the business.
So they start to think about. That as their guess what defining the next innovation and the next transformation and the next the next business opportunity They're going to pursue in the next Plant they're gonna stand up in the next country. They're gonna target in the next whatever it is, right? It'll be top of mind to them because they've heard it from you.
All right. Well here here we are Let's let's wrap here. I think a nice a nice part three. I still have many questions, but that's just me But it's not the last time you'll be here. I suspect Hopefully you'll come back for even more [00:26:00] We won't, we won't make it a part four, but, uh, topic, as you know, we, uh, I don't know, we spent maybe an hour the other day kind of walking through some of the stuff that you have available to, to, uh, speak to.
And I think we ended up with no, no lack of. No lack of opportunities and topics to explore sectors and different parts of the program, uh, different parts of the life cycle. I mean, we, we add all kinds of things we can talk about. So I think there's a great start with three parts. Um, and hopefully everybody enjoyed, enjoy the conversation.
And, uh, like I said before, it got some nuggets from it and, uh, encourage everybody to listen to all three, uh, roughly 40 minutes each. So I sort of, I sort of bites to chew, uh, While you're driving or something, Kush, thank you so much. Been a pleasure, my friend. Thank you, sir. And thanks everybody for listening and watching, uh, to [00:27:00] these three parts of building a CISO office from the ground up, uh, with Kush Sharma, uh, here on Redefining Cybersecurity.
Stay tuned for more on the channel and, uh, who knows when, uh, when Kush will come back. And if you have a, if you have an idea for a topic, a problem you're trying to solve, you think, uh, we can, we can tease out a bit. Let me know in the, in the comments. Otherwise, uh, Christian, I will pick from the list and, and hit the next one.
All right. See you all on the next episode of redefining cybersecurity.
Kush Sharma: Take care.