Conversations with CISOs: Our Interview with Our CISO Advisor Chris Roberts

We’re continuing our Conversations with CISOs thought leadership series with one of our first advocates and CISO advisors, Chris Roberts.

Chris is a recognized authority in the cybersecurity landscape and has made significant contributions across the spectrum of industries, dissecting maturity, risk, and how to effect change.

What does Chris think about the challenges CISOs are facing, successful security program management, and what new AI advances mean for the CISO role? Check out his thoughts below.

What Are The Top Challenges CISOs Today Are Facing?

“I think when we start looking at top challenges in the industry, a lot of it comes down to data. When we start taking a look at how we process information, you know, many, many years ago, we had a little amount of information. We could make some very good informed decisions from it and bring out some intelligence. We take a step back today and we're overwhelmed with the volumes and the quantities of data that we have. So how do we make a more informed decision on that kind of data? And it can be anything. It can be everything from threat intelligence, everything from business intelligence, everything from technical knowledge, everything from indications of compromise, et cetera, et cetera, et cetera. It is literally finding that proverbial needle in a haystack and going, “Okay, how can I action that?”

You know, if you take a step back and you look at the industry as a whole, and you look at a lot of us as a whole, we're under constant attack. And so understanding where to prioritize my time and my efforts, and then on another hand, understanding where to prioritize my financial responsibilities — let alone juggling the business aspect of things — and going, “Hey, how do I now take what I see as technical and cybersecurity-related issues and translate those to business issues?” There is so much that we have to do around data and analytics that having a platform that helps me understand not just what's coming in and what's coming at me, but how is my current technology performing? How are my current vendors and suppliers performing? As I start looking at, you know, endpoint detection and systems and network and integrity and data detection, all these other areas I have to deal with, having something that helps me understand what's going on in the context of what I have to deal with is invaluable.”

How Do You Think New Regulations Will Impact The CISO’s Role in The Future?

“I think the SEC rules are an interesting response to what the CISOs and leaders have been clamoring for, which is more accountability, more responsibility. That in itself is fantastic, but in some ways we ourselves have to also be enabled to enact upon what we see and what we do. And there's still some work to be done on that one. As a CISO, advice to other CISOs would be for a moment, take a step back and go, “This is what the SEC is looking for. This is what regulatory compliance, legal fiduciary requires of me. How able am I to hold my organization to these rules and regulations?” I just did this several months ago and I ended up building a risk register. A lot of companies have it, a lot of companies think about it, but when you sit down and you actually list out the risks and then you have the conversations with legal, covenants, compliance, and the other teams and go, “Hey, here's where we're at.” You get a good baseline as to where we think we are versus where we are.

I think the advice for newer CISOs is to really take a step back and go, “How much am I willing to accept this journey inside the organization I'm in? How much is the organization willing to actually buy into what we need to do?” And if they're not, “How do I actually protect myself and the organization?” We had a fantastic conversation the other evening about this one where we talked about individual liability, personal liability, directors and officers insurance. So as a CISO, it isn't just walking in and negotiating your salary and your conversation. It's now walking in and going, “Hey, if I am being held accountable, what protections are in place if everybody else doesn't do their job? Because at the end of the day, the accountability falls on my shoulders, but if other people are not enabled to do their jobs or they just flat out don't have the incentives to do them, how do I gain that protection? How do I enable them to work?”

When it Comes to Board Presentations What Advice Would You Give to Other CISOs?

“When we go before the board or advisory board or any other leader in the business, we have to talk their language. We've spent too many years walking in and expecting people to understand us and it's failed spectacularly. Absolutely, amazingly, we've failed. So a lot of the times, we've really got to go in and do a bit of a mea culpa. You know, I've worked in too many organizations where the network team doesn't talk to the security team, don't talk to the DBAs and nobody talks to the engineers and goodness knows we don't want to talk to the business. That's got to stop. You know, we have to go and talk their language.

So it has absolutely nothing to do with the technology. It's all to do with communication and collaboration. It is walking into those board-level conversations, but it's walking in with the knowledge as to what they expect. The last couple of boards I've worked with, I've sat down beforehand, sat down with either the board president or quite honestly, the chief of staff to the boards (who understand how these work) and gone, “Hey, what do they care about? What do they focus on? Who are the individual people on the board? How do they care? How do they interact?” We're social engineers at the end of the day, that's part of our job.”

How Do You Recommend CISOs Ensure The Most ROI from Their Program Budget?

“So ROI is an interesting one, because again, it depends upon so many different factors. But for me, it's looking at the tools and technology we've implemented, and it's turning around and saying, “Hey, let's take endpoint.” Endpoint is a hot one, especially when you start taking, you take augmented or artificial intelligence into play, there's so many expectations. Sit down with a vendor, the supplier, the manufacturer, and go, “What are you seeing? How are you expecting this to behave in my environment?” And then baselining it. And then as it's implemented, as it's integrated, having a tool or a technology — again, the Onyxia side of things comes into play now — because I can very easily and very quickly look across my entire ecosphere and go, “I see this performing, I see this outperforming, I see this underperforming.” So you can very quickly look across the entire stack of technology that you have and go, “How are these working based on the conversations I've had with the vendors?”

I think that's probably one thing as a CISO, and unfortunately, as leaders in technology, we've gone out and we've bought things. We haven't asked all the necessary questions we should have done of the vendor, and it's a failing on our part, unfortunately. The vendor's gone in and said, we'll solve all of the world's problems for you, and they've only solved this much. So I think that's one of those things where that accountability, but doing it with the metrics and having a decent platform that gives me that is fantastic, because now I can go, “This is what you told me, this is what I see, and here are the numbers to bring that up. Now, what are we gonna do about this?”

How Would You Like to See AI Being Implemented to Empower The CISO?

“AI, artificial or augmented intelligence. That's a melting pot of all sorts of things, isn't it? I think a number of different things. There is so much potential out there to help sift through data. And if you take data, you build information, and from that, you have intelligence, and actionable intelligence. That can be a very manual process. I mean, you're taking, literally trying to boil the ocean into literally a cup of tea. As a human, we can't do that anymore. We're just generating so much data. So using an augmented or artificial intelligence, either from a narrow perspective or for a general perspective, and going, “Hey, give me what I need to understand out of this pool, and use it effectively.” That, I think, is where I see it. It's almost that second set of eyes. It's not having it take over. It's using it as a tool to more effectively and efficiently understand what's coming at us. Now, I want two of them. I want the one to tell me what's coming at me, and I want one over here to help me understand that this one isn't lying to me. So I need, I want my information, but I want my who's watching the watchers mentality. I want this one over here to make sure it's not being lied to.”

Why Do You Think a Platform Like Onyxia Is So Important for CISOs?

“This is honestly part of the reason I'm sitting here, and it's part of the reason that it's been fantastic working with Sivan and the team. I remember one of the very first conversations we had, which was like, “Look, when I wake up in the morning, I need to know very quickly whether I can wake up quietly and sensibly, have a cup of tea, and have breakfast, or whether I’m going to have to get out of bed, on fire, and respond to something.” So typically, my first port of call is the BBC. I look at the BBC and see how much of the world is on fire, and if it's changed overnight, great. The world is okay, as okay as it can be. Then the next thing I used to do at a number of places is I would have the teams that worked with me report out, “How's everything doing? How's it doing overnight? Give me the morning, noon, and evening stats.” I'd look at those and go, “Okay, I can get up leisurely,” or “I'm gonna have to get up really quickly and deal with firefighting, or whatever the leadership want to know.”

The nice thing about a platform with Onyxia is now I basically have all of that. I have the ability to look at my BBC, and then I can look at the Onyxia platform and go, “Okay, I can actually crash out for a little bit longer. I can actually have a nice, civilized wake-up in the morning.” So it's having that information to hand. It's having, when the CEO calls up, or when the CFO calls and goes, “Did you see the news this morning about da-da-da-da-da, and how are we dealing with this?” It's being able to very quickly react to that in a meaningful way and give them the information that they want, give them the comfort, or turn around and say, “Hey, we haven't addressed this. Here's our plan to deal with it.” And so it's really nice to have the detection side of it come in, have an understanding as to where our organization is.

You know, indicators of compromise are another one. When somebody comes up and says, “You know, this poor vendor over here has gotten themselves beaten up again, and all of these products now have issues with them.” Very quickly be able to go to the platform and go, “Okay, how are we from a risk perspective? Do we have other issues? Do I have to reprioritize teams? Can I do something?” So it's a very, very good tactical platform to help me understand what the teams need to do next. But it's also a really nice strategic platform that I can use to tell the story to leadership as to where we're going and how we're doing.”

We are grateful to Chris for taking the time to share his thoughts and unique perspective with us. Check out Chris’ full interview in our video library. We look forward to sharing even more insights from our advisors and CISOs in our community very soon!

In the meantime, if you want to share any of your thoughts on the topics above, or learn more about Onyxia, don’t hesitate to connect with us on LinkedIn, book a time to tour our platform, or drop us a line at [email protected].
