How CISOs Follow The Money

And How They Don't

Add bookmark

Seth Adler
08/26/2020

The Crown Jewels, Internal Dollars, Funded Adversaries, VC Money, Value At Risk, Business Alignment shared as options of how to follow the money. Also suggested are a few ways to protect the organizations by not following the money.

The Crown Jewels

Finding and protecting the organizations crown jewels has been the primary objective for global corporate enterprise cyber security executives. The objective certainly makes sense. Find what they’re looking for and defend. And of course, that still is a primary objective. But as the CISO title was created and evolved, a defensive posture was not enough. As University of Wisconsin-Madison CISO and CSHub Board Member notes, “when you're looking to find the source of the problem, sometimes it is simply finding where the resources are, and that becomes an avenue to get you to the source of the problem.”

And we move into 2021, Bob and his colleagues of course continue to expand the perimeter of the primary objective. When asked how to track key objectives, CSHub Board Member Jamal Hartenstein suggested, “Follow the Money.”

Business Alignment & Business Enablement

When I said Follow The Money to SPX Corp CISO, Lisa Tuttle, she smiled and responded, “That relates to what allows my business to grow. If my business is focused on acquiring more companies, that's where I'm going to put my resources and my security focus. If my business is really focused on connected devices, then, I'm going to get embedded with those engineering teams.”

Tuttle showcases a remarkably forward facing and leaning security posture and stance. Yes- she is happy to follow the money. And for her, the money is where the business is going and how the business is growing. Business alignment and business enablement aren’t simply terms for Lisa; it’s how she operates her business to support the greater business.

As a well-balanced executive, Tuttle also has an update to the old ‘crown jewels’ axiom. Digital transformation makes the collective of your complete data- not just the crown jewels- a crown jewel in and of itself. She’s focused on “protecting exponentially increasing amounts of data.”

Well-Funded Adversaries

CSHub Board Member and Commerzbank CISO, Tom Kartanowicz goes another way with it. When I say Follow The Money, he name checks, “The finance department as well as moving the business forward,” but then mentions well-funded adversaries.

Kartanowicz says he’s focused on, “Who has the resources, the time, the motive, and the money to do bad things to you. It could be industrial espionage, it could be nation state and it could be disgruntled employee. And if they happen to have a motive to do things with some resources- yeah, your life will get much more complicated.”

Like Tuttle, Kartanowicz has a forward facing and leaning security posture and stance. He’s not satisfied with his current systems, processes, procedures and knowledge. He’s going beyond threat hunting. He’s hunting the hunter.

Let The Future Forecast Your Cyber Security Budget Now

Beyond your organization and the adversary community, another suggestion is to look at what’s happening in the venture capital space. When I say Follow The Money to CSHub Board Member Kayne McGladrey – that’s immediately where his mind goes.

Kayne posits, “If you want to see what your new product features are going to be in the next 12 to 18 months, see where the VCs are spending their dollars. If we've seen something consistently in the past, in the past 10 years we've seen $30 billion of investment inside of cyber security.”

McGladrey is a gadfly for cyber security leaders to forecast budgets based on the newest in new technology. Whether the CISO in question is a bleeding edge, leading edge, fast follower or back-with-the-pack type executive is up to them. Any which way you slice it, you should be able to see where you are spending money in the future based on where venture capitalists are putting their money now.

Value At Risk

Venture capitalists are well know for their return on investment. But VF Corp, CISO and CSHub Board Member, Parag Deodhar advises against allowing your cyber security business to be judged on ROI.

 “Of course, we're looked upon as a cost center. We are looked upon as money going down the black hole, nobody knows where so much money is going down on tools, on techniques, on people, on services, and so on.” And with a dollop of sarcasm, Deodhar adds, “There's no tangible benefit coming out of all this.”

He’s speaking generally as well as communally. A cyber security consciousness still does not extend too far outside of the walls of the cyber security operation. It’s better than it was- and the pandemic has actually helped in some ways for some global organizations. But while the CISO has gone from the Department of No to the Department of Know to ensure business enablement, a similar reciprocal understanding has not yet necessarily equated.

And so, Deodhar suggests putting the cyber security spend in terms that the business can understand. Not ROI, VAR- value at risk. “Instead of looking at the security ROI, look at value at risk. What is the value at risk? What is your risk appetite? What are you trying to protect? That is the money that you should spend on security.” Business colleagues, C-Suite executives and Boards still do need cyber security executives to connect the dots. Parag points to the fact that the onus is on the cyber security executive to explain how the budget spend reduces the possibility of data exfiltration or falling prey to a ransomware attack as examples of the value at risk and the need for budget to defend that value at risk.

Sometimes Don’t Follow The Money

A couple of the CSHub Board members suggested that at times, not following the money is just as valuable. If the objective is to ‘simply’ follow the money, the complete field of vision available is not being used. CSHub Board Member and SF District Attorney CISO, Herman Brown points at that “you're limiting yourself in what you're looking for from a threat perspective. Follow the money is a very good first start, but there's a lot of threat actors out there, and they're not all in it for the money- they're in it for political gain, they're in it because they want to disrupt your business.”

CSHub Board Member and Horizon Power CISO, Jeff Campbell suggests that there are some folks out there who are following the money and thus it might be cogent to steer clear of them. “People are getting paid premium dollars for simply whacking ‘security specialist’ at the end of their title. They might have done maybe two years and they're getting paid premium dollars.” We’ll leave that there.

Facilitating the mission or strategic plan

The CSHub community is steadfast in sharing that cyber security does not exist on an island. So whether the focus is on the Crown Jewels, Funded Adversaries, VC Money, Value At Risk, or even not following the money- CISOs really have only one thing to do- facilitate the mission or strategic plan of the organization

CSHub Board Member and University of Tennessee HSC CISO, Dennis Leber puts it succinctly, “If I do something in security, I justify that back to that mission statement or a strategic plan. I can then show you the risk. I can then show you how it aligns to enabling or facilitating that strategic plan. And it's a lot easier to have a conversation with the chancellor of the university of why I need money.” 

RECOMMENDED