Conversations with CISOs: Interviews with Our CISO Advisors Rinki Sethi and Lucas Moody


There’s no question that the role of the CISO is changing and who better to discuss these changes than thought leaders in our field.

We spoke with our CISO advisors Rinki Sethi, VP & CISO of BILL, and Lucas Moody, SVP & CISO at Alteryx, about the challenges of navigating cybersecurity regulatory scrutiny and measuring program effectiveness and the opportunities presented by new AI and Cybersecurity Management technology.

Here’s what Rinki and Lucas had to share about effective cybersecurity management, business outcome reporting, AI advances for CISOs, and everything in between.

What Are The Top Challenges CISOs Today Are Facing?

“One of the toughest challenges that CISOs are facing today is the heightened regulatory scrutiny on cybersecurity. We're living in kind of a time where there's more scrutiny on security spend as well. You see a lot of companies that are having to prioritize the risks that they're tackling while living with more constraints. And so now we’re figuring out, what do we prioritize? How do I spend my budget in the right ways to make sure that we've got coverage on the security risks at the company? I think that a Cyber Management Platform could really help CISOs navigate this complexity and figure out: ‘Where should we be spending our dollar to get the best bang for the buck in terms of driving risk down?’”

“CISOs are dealing with a number of new challenges over the last few years; we can start with the obvious. The technology in the adversary landscape is changing significantly. The tools that bad guys have access to are getting better. And so this kind of technology equity, we're seeing on both sides of the fence. We're seeing it on the adversary side, and we're seeing it on the defense side. That's making it really tough for CISOs that have to defend their companies against these threats.

Part two, the regulatory climate that we're in is changing, and it's changing much faster than it used to, and that's causing the need for CISOs to have to really lean in and think about their programs in a more profound way. And then, of course, we're all trying to do more with less, right? Ever since the pandemic, the economics of driving security for large enterprises has gotten harder. We're looking at cost optimization. We're looking at doing more with less. We're looking at doing all of this within the framework of having a tougher adversary in a more difficult regulatory climate. Those things coming together are creating a world where CISOs really have to think about how they are going to drive these programs.”

How Do You Think New Regulations Will Impact The CISO’s Role in The Future?

“I think it's been really interesting seeing the regulatory environment change and the scrutiny around cybersecurity programs. In some ways, it's actually really good because there's so much awareness around cybersecurity. Now I think back to about 20 years ago when I started my career, when nobody knew what cybersecurity was. Nobody cared about it. Really, nobody wanted to talk about it. There was absolutely no board visibility around this stuff. And fast forward to now, everyone knows about it in the company, and it's in the news all day, every day. Folks are talking about cybersecurity, and this regulatory scrutiny, to some degree, helps, because it's not us championing from the ground as security practitioners that there's a need for cybersecurity or that this is important. But on the flip side, too, now there's a lot more pressure on security teams and executives, not just around your reporting requirements. It's around making sure that you have the right data bubbling up at the right time, to your board, to your executives, to ensure that you can take action at the right time. So the regulatory landscape is changing quite a bit, and I think over the next decade we'll see it change even more so.”

“How will the regulatory environment impact CISOs in the future? Well, it already has. CISOs are currently having to navigate around what the regulatory world is throwing at cybersecurity practitioners with the recent SEC guideline changes last year. CISOs really had to lean in to think about: How are they framing out their business so that they can effectively tell the story around what's happening within their business with very tightened time frames? And I think, as regulators and as lawmakers continue to get better educated around cybersecurity, so too will the requirements for those who practice security to uplift their programs and to be prepared for tighter turnarounds on disclosures and informing regulators. I believe the downstream engagement with regulators only gets more frequent, more profound, and more time-consuming. And so having a tight business around your cybersecurity program is going to be an even more key element as we roll into the future.”

When It Comes to Board Presentations, What Advice Would You Give Other CISOs?

“Having reported now to so many boards, every board is made up of different types of folks, and every board has a different level of understanding. Even within a board, the individuals may have different understandings around security. I think it's really important to baseline what is the understanding around security, what you think is important to share back to the board members, but also, what do they want to see? A lot of this has to come with: “Here's what we're going to share as a baseline in terms of metrics every quarter, what you should expect from me, and why it's important.”

But then also, a lot of it is around transparency and making sure that you're sharing some of the stories, some of the incidents, what you've learned from that, how you're making your program better— whether it's improvements to products and tools that you might have or process or things that you're doing around training. It's really important for the board to understand what are the key risks you're tracking. I recommend having a set of metrics that you consistently share with the board that are meaningful, and then pairing that with some of the stories around how you're improving your security program through some of the incidents that you may have seen.”

“I hear this a lot. There are a lot of CISOs that frequently ask the question: ‘What are you taking to the board? What should I take to the board? You know, I'm in a different vertical than you. Does that mean what we present to the board should be different? Is it the same? Help me better understand that.’

Ultimately, as CISOs, we've got to think about the things that make the most sense, the risks that make the most sense to present to a board, and the outcomes that make the most sense to present to a board. You know, the key measurements that are most relevant to the board helping to shape directionally where the business is heading. That said, there is a lack of standard in terms of what this content should be, which is why we have been working alongside companies like Onyxia to figure out “What is it?” What is the standard template for the content that makes the most sense for the board, or cybersecurity committees, or your audit committees, or your executive teams?

And then furthermore, when you talk about the bridge to the business, it's been tough. The CISO role is an interesting one in that it's a highly technical role, but it's something that's pervasive to the business. If you don't do security right, it impacts the entire business. And what we've seen historically is, there's a lack of transparency, there's a lack of collective understanding around what the security teams are doing and what impact they're making. Why are they doing the things that they do? And half the time, it sounds like jargon to anybody outside of the security organization when you're talking about what it is you're trying to achieve. So it’s important to find a way to frame what your security organization is doing and find a clean way to consistently present that back to the business. So telling the same story over time to help better educate what security is all about is important. In this case, repetition doesn't ruin the prayer.”

How Do You Recommend CISOs Ensure The Most ROI from Their Program Budget?

“When you look at the security landscape right now, there's so much innovation happening, which is really exciting to see as a CISO. And sometimes, when we talk to our teams, and especially our technical teams, they love playing around with some of the new innovators, and so all of a sudden you end up with a lot of security products, and you're looking back at, am I reducing risk? Are we learning something new in terms of how we might be changing our program in the future? You get to a point where you start looking at everything you have in your environment, and you're like, are we reducing risk, and are we spending our money in the best way possible?

And to be honest, there really aren't good ways to go and look at that. And when you look at other industries, whether it's IT or engineering, there are products that have emerged, right, that now look at kind of the effectiveness of your products. Are you leveraging them to the best extent possible? How can you reduce costs, or how can you gain efficiencies? It's a ripe area for disruption in cyber to provide CISOs with the way to go and make sure that you're running your program most effectively. And are you getting the best ROI from the tools and the ways that you've implemented the innovations that you have in place?”

“If you think about the job of a security practitioner, in this case, a security executive, it's hard. We've got a massive security stack that enables security across the board. It helps us understand what's going on in our enterprise, what's going on in our product ecosystem, what's going on in the cloud, what's going on on-prem and, furthermore, because we have this technology sprawl, it's hard to manage the effectiveness of all these tools.

Oftentimes, we don't even have the time to hop in and really measure the effectiveness of these tools, whether the ROI that we got on day one matches the ROI that we're getting on day 365. Being able to get to answers around whether or not the costs still make sense for the risk reduction that we initially got, it's a really hard endeavor. Just managing a security program over time is not an easy thing. If you're talking about measuring the effectiveness of a program in one day, sure, at a point in time, it's an easy thing to do. But running a business is something that is dynamic, and it changes on a day-over-day basis, so finding a way to really measure the effectiveness and the return on investment of your technology stack on day one, on day two, and onward, is really critical. And this is what we mean when we talk about standardization. There's a lot of things that need to be standardized, but standardizing how you measure the effectiveness of your technology stack is super critical and super important.

And guess what? Not a lot of us do this very well. So I think it's one that requires additional thought, additional approaches to figuring out how this is solved. And I think one of the paths is a Cybersecurity Management Platform. Another path is to functionally create a group that manages this on your behalf. But you’ve got to think about what is the level of investment you'd be willing to make in that.”

How Would You Like to See AI Being Implemented to Empower The CISO?

“I would just love something like a ChatGPT that I can go to to say, ‘What should I be worried about today? What should I be looking at today? What do I need to focus my time on?’ From a risk perspective, I think that would be a game changer, or even something that says, ‘Here's the news for the day. Here are things you should be worried about. Here's what your program is looking at.’ And so I know how to prioritize my time within the company. So I feel like we need a CISO Assistant of some sort that helps us with the ‘Here's what you need to know for the day, and here's how you should go spend your time.’”

“AI is going to impact every single vertical within security, whether it's in the space of governance, whether it's in risk management, whether it's driving compliance, whether it's in securing our product platform. If it's an enterprise, AI is going to touch each one of these verticals in very profound ways, sometimes in ways that we're not even predicting yet. AI is going to make a massive impact in terms of how we engage with our customers; AI is going to make a massive impact in terms of how we identify bad things that are happening within our ecosystem; AI is going to do a great deal in helping us to better manage risk and understand what the critical risks are that we need to care about. And so I, for one, am super excited about how AI is going to continue to make all of the things that we're trying to do to manage risk better, and then, I'm also excited about the things that just aren't that obvious yet in terms of how they're going to impact security.”

Why Do You Think a Platform Like Onyxia Is So Important for CISOs?

“One of the things we talked a lot about is the need for standardization around metrics and automation on how we're bringing data to a CISO. Every quarter it's a manual pull from my team. I believe Onyxia’s platform is something that CISOs need, and it's going to disrupt and hopefully help standardize what CISOs are doing for boards. Hopefully, Onyxia will become the new standard that you have to have, so that everybody's like, ‘Oh, I pulled the data from Onyxia to present it to the board,’ and that's what board members and executives will start expecting you to do.”

“I think all CISOs need to figure out how we are going to effectively manage our security programs. And there are a million ways to solve this problem. But if we want to standardize, if we want to create a path to where we're measuring the most important things consistently as you progress through the evolution of running the security business, I think it's critical that we find the right ways to measure things consistently over time. I believe a platform lends itself to that — to getting to that outcome and to getting to that outcome effectively. And so we, for one, organizationally, are super excited about finding a way to invest once and then get consistent results in how we talk about the value of our business. And so for us, the platform play is the way to get there.”

We are so grateful to our advisors for taking the time to share their thoughts and unique perspectives with us. Check out Rinki and Lucas’ full interviews in our video library. We look forward to sharing even more insights from our advisors and CISOs in our community very soon!

In the meantime, if you want to share any of your thoughts on the topics above, or learn more about Onyxia, don’t hesitate to connect with us on LinkedIn, book a time to tour our platform, or drop us a line at [email protected].
