ITSPmagazine Podcasts

CISO Master Class: Unveiling the Unexpected Game-Changer | A Conversation with Bob Chaput | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this CISO Master Class, you will learn the key pillars of successful ECRM implementation: people, process, technology, and engagement. Tune in to discover how these elements can drive organizational growth and competitive advantage.

Episode Notes

Guest:  Bob Chaput, Founder and Executive Chairman of the Board of Clearwater Security

On LinkedIn | https://www.linkedin.com/in/bobchaput

Website | https://clearwatersecurity.com/

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________

This Episode’s Sponsors

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

________________________________

Episode Description

In this episode of the Soulful CXO, Dr. Rebecca Wynn welcomes Bob Chaput, the founder and executive chairman of Clearwater Security, who shares the knowledge gained from his extensive experience in cyber risk management, including work with Fortune 100 companies and government agencies. You will learn about the evolution of cybersecurity from a tactical, reactive approach to a strategic risk management issue that boards of directors now recognize as existential; how to align cybersecurity strategies with business goals and objectives; how to speak the language of risk management that resonates with the board; the challenges companies face when implementing enterprise cyber risk management programs, along with practical steps for overcoming those obstacles; and much more!

________________________________

Resources

ECRM Third-Party Risk Management Standards, Policies, and Procedures: https://bobchaput.com/ecrm-third-party-risk-management-standards-policies-and-procedures/

Bob Chaput (Books): https://www.amazon.com/stores/Bob-Chaput/author/B08N6VKCMC

NIST Cybersecurity Framework: https://www.nist.gov/cyberframework

Internal Control-Integrated Framework: https://www.coso.org/guidance-on-ic

________________________________

Support:

Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo

________________________________

For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

Episode Transcription

CISO Master Class: Unveiling the Unexpected Game-Changer | A Conversation with Bob Chaput | The Soulful CXO Podcast with Dr. Rebecca Wynn

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Bob Chaput. Bob is the founder and executive chairman of Clearwater Security, where he has worked with board members and C suite executives at numerous organizations, including Fortune 100 companies and government agencies.

He dedicates his time to educating industry leaders through various mediums, such as articles, presentations, teaching, a YouTube channel and webinars. His insights on cyber risk management have been widely published, including two books: Enterprise Cyber Risk Management as a Value Creator, and Stop the Cyber Bleeding.

Additionally, he serves on numerous boards and is active in professional organizations such as CHIME, HIMSS, (ISC)2, ISACA, and ISSA. Bob, great seeing you again. Welcome to the show.

Bob Chaput: Thanks very much, Rebecca. [00:01:00] Pleasure to be with you. 

Dr. Rebecca Wynn: Bob, can you tell us a little bit about your career journey? How did you even get into the field of cybersecurity and obviously becoming the executive chairman?

Bob Chaput: Yeah, it's really, beauty is in the eyes of the beholder. I'll say it's interesting, but we'll let your listeners judge that. I actually started my career as an educator. And back in those days we didn't really have computer science as a major. We signed into the Dartmouth timesharing system, entered our programs and put them out on punch tape.

And that was the exciting world of cybersecurity. I taught for a number of years, and the interesting thing was I watched many of my graduates go off and begin jobs as computer programmers, earning twice as much money as I was earning as a teacher. I decided I would throw my hat in the ring.

I went to work for [00:02:00] GE and joined their financial management program. I was a computer programmer, and those who have some history to them will recognize the language COBOL. I did programming in COBOL and Fortran, Pascal, languages like that. And I found that so fascinating, while they're paying me to do this.

I was enjoying it so much. I progressed through the ranks at GE and ultimately became a Vice President, Chief Operating Officer in GE Information Services. I left there and went to work for Johnson & Johnson as the head of an organization called Networking and Computing Services, with responsibility for global voice, video and data networks, data centers, etc.

Just rewinding for one moment. When I was at GE, early in my career, my first exposure to security was commercializing what had been an internal GE [00:03:00] disaster recovery facility and selling those services to outside companies, and I was the operations manager there. And then jumping back to Johnson & Johnson, incredibly enough, in 1993, there was not a chief information security officer at J&J.

I built the program, made the proposal to the board of directors and ultimately embarked on a program to bring someone in and do that work. And since then, I've been involved largely in health care, in privacy, security, cyber risk management, among other things, and that ultimately led to the formation of the company.

So throughout my career, which I count now in four decades, it has always been an element of the work that I have done, and most recently, for the last 15 years, a great focus of mine in the building of Clearwater Security.

Dr. Rebecca Wynn: You really have seen [00:04:00] cybersecurity from its infancy, in a lot of ways, through to where it is today.

And when we look at the journey, it's interesting that it seems like it's taken a lot of ebbs and flows and it seems like we're never getting anything right. I didn't say anything, but it seems like we have a challenge when we talk about like cyber resiliency, trying to work security into the enterprise and doing it in a thoughtful manner.

What great lessons have you learned over the years, and what words of wisdom can you give us?

Bob Chaput: Yeah, I'll draw what I think, and we'll leave it to the listeners to decide, is a great analogy of a sequence of events. In my career, early on, as I went to work in my first programming job at GE, I reported in ultimately to a group that was called data processing.

And then it graduated to become electronic data processing (EDP). And then it became management information systems, and then [00:05:00] management information services. And then ultimately, I loved it when George Forrester coined the expression, a number of years ago, business technology. And so we've seen the evolution of the role of someone who used to be a manager of EDP to ultimately a vice president or senior vice president.

I believe the same thing is happening as it relates to the role of Chief Information Security Officer (CISO). Many organizations had, probably, the director of infrastructure, and part of his or her assignment was information security, or security to the extent it existed. And we've seen that change from a manager to a director to ultimately the sea change that's underway now, and where I think it's analogous is the evolution of the CISO role to ultimately earning a seat at the table, as they say.

Dr. Rebecca Wynn: Now, it seems like we've been saying, try to earn that seat at the table, for a long [00:06:00] period of time. And even when you look at Fortune 100, 200, 500, they have a better track record. Still not always that great. Not all of them, it seems, have a CISO as part of the board, but definitely medium, small and startups. I think over the years we've seen a shift to the left now; it seems at times that someone who has been a security engineer for one year might be given that title. Why do you think that's constantly a challenge for us, really, to be our own and not embedded under IT?

Bob Chaput: Yeah, I think it's in many parts related to the analogy that I just painted between the evolution of the role of the Chief Information Officer (CIO) and the evolution of the role of the CISO, and it has been, I think, for a long time, a lot of spot welding, a lot of whack-a-mole, a lot of let's implement the current controls du jour, [00:07:00] because that seems like a well-published list that somebody put out there. So it's been very tactical. And what we're seeing now, especially as cyber risk, and I'll come back to this, the board's responsibilities, forget IT and cybersecurity and all that stuff for a moment, what it boils down to, boards of directors have three core responsibilities.

Talent management, also known as hiring and firing the CEO. Strategy. And then finally, risk management. So the board has long had a responsibility for risk management. Cybersecurity was never treated as a risk management issue, as compared to today, when for many organizations it's an existential risk. So what I think we've seen with that change, with that evolution, is recognition by the [00:08:00] board that we need someone at the table who's not going to come in and talk to us about the phishing test results, the vulnerability scans, the threats du jour. We need someone at the table who's going to be able to come to us and talk about the risks that we're facing, the investments we need to make to mitigate those risks.

And I'll add something that perhaps we can talk about further. Someone who can think beyond managing the downside. Someone who indeed can think about what our cyber opportunities are. What might we do to manage the upside? So I think this combination of factors has led to the need for the evolution of the role.

And I'll make one other comment. In my career at GE and Johnson & Johnson, and it was first at GE, as the role evolved, both of those [00:09:00] organizations were decentralized, with lots of operating companies all over the world, every one of which had a director of IT. In my work at GE, I was reporting to the Chief Information Officer in one of my roles.

We spent a lot of time moving people who were good, honest, hardworking people out of those director of IT roles and hiring and bringing in people who were more strategic and people who could sit at the C-suite table and present articulately to the board of directors. I then went on to Johnson & Johnson and we went through the exact same thing.

I think this evolution is happening right now. You alluded to it a moment ago, in cybersecurity and in all industry sectors.

Dr. Rebecca Wynn: Yeah, I agree with you. I use the COSO framework quite a bit personally. But I would tell you, it seems like I am an anomaly out there quite a bit. When you talk about middle-sized [00:10:00] and startup companies, a lot of times they just want to know how many vulnerabilities you processed today.

And I'm like, that's not what you should be focused on when you talk about strategic alignment. And when you're thinking about stakeholders, and you think about board directors and venture capitalists and private equity and where you need to go and where you really need to do dollar outline, a lot of people don't know how to tell that story.

Can you walk us through maybe a framework or something like that we could use to try and be more successful in having those conversations?

Bob Chaput: I think there are a number of things that the CISO or the aspiring CISO needs to do. But I'll start out with something really basic and fundamental.

I alluded to it earlier on, and it's know your audience. Know what's on the mind of, and I'll start with the board of directors, and no disrespect, skipping over the C-suite, but I'm an advocate of seeing the CISO role move way out from underneath IT and under someone more [00:11:00] strategic in the business, if not the CEO.

The Chief Financial Officer (CFO), Chief Risk Officer, someone along those lines. So notice streets back, don't mean to skip over the C-suite, a very important part of this, but I would go directly to what's on the mind of the board of directors in those quarterly meetings or the interim meetings that they have.

And there are three things that I mentioned before. Number one, talent management. Number two, strategy. And number three, risk management. That's a good opening point right there. Because the board has always worried about risk management, probably the first way for a CISO to hook the board is to be able to get engaged in risk management conversations in the way that they speak about risk management.

So how do you do that? If you are a CISO or an aspiring CISO, and you've not already done so, join their club. Join the [00:12:00] National Association of Corporate Directors, join the Digital Directors Network, and there are many other organizations out there, and begin to attend and listen to the kinds of things they're talking about, because cybersecurity, cyber risk management, has evolved and emerged to be a big deal, obviously, master of the obvious as I can be, and the boards are talking about it, and these represent forums where people can begin that conversation.

Beyond that, let's put that in a category of, hopefully, a suggestion that's useful to people. Oh, and by the way, I'll put in a plug. If you are a CISO today and you have aspirations at some point in life to retire, there's wonderful work to be done as a member of a board of directors. So if you want to begin to think about post [00:13:00] 40, 50, 60 hour a week day job, and begin to think about contributing to an organization at the board level, sign up for these organizations, start drinking the Kool-Aid, and you'll kill two birds with one stone: future career planning, number one, and number two, get connected with the board.

So where I would go in terms of some of the things that you really need to think about there, there are multiple steps.

My number one is governance. If you don't have the right governance in place, starting at the board level and working your way down, here's a simple but very practical, useful three-tier model. There's a committee on the board. If it's not clearly visible who's responsible for risk management, or more specifically cyber risk management, help identify that group, and modify their work [00:14:00] responsibilities in the form of a charter if it doesn't already exist.

From there, go down to your C-suite, call that level two in a three-tiered structure, and then finally, make sure you have a cross-functional team of people who are responsible for the operations of your cybersecurity program. One of the things I had the pleasure of doing at a company I failed to mention, called Healthways, was to help break down the silos that existed: privacy team, security team, legal team worried about compliance and regulations and things like that. And there was all kinds of finger pointing; they never collaborated together. And so governance, and that three-tiered structure I mentioned, will enable you to engage everybody in the organization.

So that's one of many things you can do, and that's my opening bit. The second thing is to establish some [00:15:00] guiding principles. And I'll refer again to the National Association of Corporate Directors. They, in connection with the Internet Security Alliance, have published probably four or five versions of a strategy document that basically outlines a principle-based approach to cybersecurity.

Look at some of those principles that are out there. Don't take them wholesale. They may not fit your organization, but think about what fits in your organization, in your team. Another thing, and I'm going to stop at three for now. For me, the building blocks of your cybersecurity program comprise three.

Number one, adopt a framework; number two, adopt a process; and number three, adopt a maturity model. [00:16:00] The framework is all about, as is articulated, I'm a huge fan of the NIST approach to cyber risk management. The first one I would recommend is the NIST Cybersecurity Framework (CSF). It's been around for a long time, is being widely adopted across the globe, being widely adopted in all industry sectors, and use that as a tool to create the alignment between your business goals and objectives and your, I'm going to call it ECRM, Enterprise Cyber Risk Management Program and Cyber Security Strategy.

I know that's a mouthful, but you need to have business goals and objectives driving and ultimately causing your cybersecurity program and cybersecurity strategy goals to be aligned, tightly aligned. So I would really encourage you to adopt the NIST Cybersecurity Framework. In terms of a process, there are [00:17:00] ISO processes, there are COSO processes, there is the NIST process.

Again, I'm a huge fan. Public domain information, all for free. NIST Special Publication 800-39 is the overarching document on cyber risk management, with some ancillary documents that tie into it, including my favorite subject, how to conduct a comprehensive enterprise-wide cyber risk assessment, NIST Special Publication 800-30. Adopt a set of processes.

It doesn't have to be NIST, it can be ISO. I'm a huge NIST fan. And then last but not least, the maturity model. If the framework is about helping you articulate what you're going to do, the process is about articulating how you're going to do it. And then finally, the maturity model is all about: are we getting better [00:18:00] at this year over year? Three fundamental things. There are many more recommended implementation steps that I could provide, but I'll stop and take a breather on those three for now.

Dr. Rebecca Wynn: Those are great initial steps to take, to go ahead and walk through that. And it's interesting when you talk about companies, and you talk about governance, risk and compliance.

Every time I've done an assessment of a company, and they said, oh, but our governance, risk and compliance (GRC), they're fine, don't bother looking there, that's the first place I look, and I find out it's not all that great. They have policies and procedures out there. No one's read them, they're old, they're outdated.

The GRC department, generally as a whole, is clueless about what's going on with the rest of the business. And because they don't talk business, and we in cybersecurity as well, too. The businesses want to grow very quickly in today's world.

They want to go hyper speed and we're playing catch-up, unfortunately. [00:19:00] And those can have ramifications if someone does not have an enterprise risk management program or cybersecurity risk management program, and then they go to say, we want to go implement that. They're going to immediately get pushback, because you're going to say, what is the amount of time and effort?

And what are you asking us to do again? How should they try to overcome those objectives? Strategically, I should say, not those objectives, but those complaints.

Bob Chaput: Yeah, that's a great question. Over the course of the last 18 months, I've had the great fortune to work with an organization called IANS Research, the Institute of Advanced Network Security, and their business model involves bringing in folks like me to comprise their faculty.

And we have an opportunity to work with organizations that are noodling through many of the [00:20:00] issues that we're talking about. One of my standard opening questions is, tell me about your GRC program. What's the state of the art? Invariably, the responses go along the lines of, it's maturing, it's a little wobbly, we've had a lot of changes. A lot of people have put up a GRC program as window dressing, and there's not a lot that's really happening underneath it.

And to overcome some of the obstacles of getting started, I would go back to some of the things I said a moment ago about governance, guiding principles, alignment of business goals and objectives with what you're going to end up with in your cybersecurity strategy, and things like that. For me, [00:21:00] whether you're a freshly minted CISO, you've taken on a new assignment, or you're in an organization and you're really trying to resurrect and breathe new life into whatever has been happening previously, I would say you need to think about this.

As it is, it's as big an initiative as anything else your organization is undertaking. This is not a project. It doesn't have a start date and an end date. It's typically transformational. Many corporations have embarked, over the last 20 if not 30 years, on major digitization programs, some more formally than others.

But for those that have done it right, they have regarded it as a transformational program, and like any other [00:22:00] transformational program, for me, in my experience, there are five key capabilities that need to be developed and matured. Number one, I mentioned governance. Number two, people. The right people with the right motivations and the right quantity of them to pull this off.

Number three, process. Number four, technology. That's classic, right? People, process, technology, and then the last, but certainly not least, is engagement. And now let me touch on those. I talked a little about governance. So the next thing in line is people. Lots of organizations are struggling with the right number of resources and the right caliber, quality of people in their organizations; that's always an issue.

I want to come back to a matter of a change in thinking about cybersecurity [00:23:00] as purely a cost center and begin to think about it as more of an investment center. I have so many sidebars here. Let me do one more sidebar off that sidebar. This goes back to the beginning of my career in 19, I think it was 85.

The famous Harvard Michael Porter, the genius of marketing, and an individual from Deloitte published a paper, the exact title of which I can't remember, but it was something along the lines of, use information for competitive advantage. We're there now. Okay, let me rewind from the sidebar and I'll come back to that.

What we need to do, if we're going to justify more people and the right people in the organization, is we need to start changing our thinking from purely playing defense to playing offense and sitting at the table and contributing to those strategy [00:24:00] conversations. Process. I talked a little about process.

I won't belabor that. You mentioned policies, procedures, practices, et cetera. How many of them have we both seen that are sitting on the shelf? They're like the best-kept secrets in the organization. Nobody knows where they are or what they do or how they work. There's lots of work that organizations can do around that.

Technology, obviously: there is everything from the strategic, the GRC solutions, to risk assessment and risk management solutions, all the way down to the SIEMs and other tools that we use on a day in, day out basis. The last one I'll spend a moment on is engagement. I alluded to it before. This is a team sport, ladies and gentlemen.

This is not the responsibility of, name the most senior person, the Chief Risk Officer, the CFO, the CISO, the CIO. This is not one [00:25:00] person's responsibility. This is a matter of collaboration and working together, and there are so many different ways to be engaged. So how do you cause engagement to happen?

I don't know. I'm old fashioned. We used to do things called management by objectives. And my compensation at the end of the year was somehow tied to the things that were written in that plan. How about writing something down about cybersecurity, privacy, risk management? There are other things that can be done to facilitate engagement.

I'm sure you've encountered the same thing. In how many cases do we go into the typical IT organization and say, who owns this application? Who owns the CRM system? Who owns the enterprise risk, not enterprise risk management, enterprise resource management system, PeopleSoft, etc.? And it's [00:26:00] usually the poor CIO who raises his hand.

Wrong. I'm sorry. The assignment of those information assets needs to be placed in the hands of the business leaders who lead those functions that are being facilitated by those information assets, and the risks associated with those information assets need to be assigned to those people as well.

That's just touching the tip of the iceberg on how we address the matter of engagement. So those would be my five things, classic: governance, people, process, technology, and engagement.

Dr. Rebecca Wynn: And where should this sit for companies that have enterprise risk management? I know one of the things is, is it under, if we have a risk officer, underneath them? Is it underneath legal?

Wait a minute. Risk is us. It's not you as cybersecurity. And now you're trying to have enterprise cybersecurity risk management. Wait a minute. What are you doing? People are going to run into that little bit of a [00:27:00] catfight. How do you suggest that they go ahead and work themselves out of it for the betterment of the business?

Where should that really sit? Is it under enterprise risk management? Is it a subset?

Bob Chaput: In the ideal, again, I'll use the acronym ECRM, enterprise cyber risk, in the ideal, the ECRM program is, use whatever metaphor you're trying to use, a sub-ledger. It's a subroutine call. It's part of enterprise risk management in terms of that final work product.

That doesn't mean that the chief risk officer is all of a sudden going to be slogging along, trying to get this done along with the rest of their key responsibilities. This goes back to the matter of it's a team sport and collaboration and work within the organization. But in the ideal, as an organization develops its strategy, part of strategy development is risk [00:28:00] assessment, broadly, from a business point of view.

For example, talk about the Ukraine war as a business risk to a lot of organizations, who ended up, notwithstanding the horrific effect on the country of Ukraine and all the people there, but from a business point of view, for businesses that were operating effectively in Russia, boom, that wipes out a big part of their P&L, right?

That's a downside risk that those organizations experienced. On the other side, think about the oil companies. There was a boom, and for many oil companies that was an upside. It wasn't a risk. I prefer to choose the word opportunity. So the point is that as you're building your business strategy, you need to do risk and opportunity assessment. And we know from risk assessment 101, we ultimately think [00:29:00] about assets, threats, vulnerabilities, controls, likelihood, impact, et cetera. All of those elements can apply equally to what our cyber opportunities may be. But back to the point: in a mature organization, it should be part of an enterprise risk management program.

If we're wallowing a bit with enterprise cyber risk management, let's be real. There are many organizations that really don't have a strong enterprise risk management. In that case, then, CISO, if you're in charge, to get the ball rolling, you step out and begin to build the ECRM program with the hope that later you can tie it, dovetail it, back into the ERM program.

And again, don't take the full burden of responsibility. Get that cross-functional steering committee, a working, sleeves-rolled-up group of people, together who are going to help build a program for you.

Dr. Rebecca Wynn: [00:30:00] Our time has totally run short. I want to thank our guest and I want to thank everybody for showing up for today's episode.

Please check out the description. You'll have all of Bob's contact information and resources. We'll have links to the information that we discussed here today, so you'll have that. And please make sure you like and subscribe and share the channel, and please go ahead and subscribe to the Soulful CXO Insights newsletter, available on LinkedIn.

Bob, thank you so much for sharing your insights and your wisdom with us today.

Bob Chaput: My pleasure. Thanks for having me.