Six Things Every CISO Should Do the First 90 Days on the Job

October 21, 2022

Michael Doucet, Executive Director for Optiv’s Office of the CISO, talks with Cyber Security Matters about challenges facing the modern-day CISO. He also covers cyber risk management and several considerations for CISOs during their first few months on the job.

Dominic Vogel: Hello everyone. Welcome to another wonderful edition of the Cyber Security Matters Podcast. I'm your host, Dominic Vogel, and joining me as always, is Mr. Huggable himself, Christian Redshaw. Christian, how are you doing today?

Christian Redshaw: Apparently I'm just a big teddy bear.

Dominic Vogel: That you are my friend. That you are.

Christian Redshaw: I'm doing good. How are you sir?

Dominic Vogel: I'm doing very well. Very, very well.

Christian Redshaw: Who is today's guest and where does he hail from?

Dominic Vogel: Our guest today is Michael Doucet. He is the executive director from the office of the CISO for Optiv and he's based in Ottawa, Canada, our nation's capital. We're really looking forward to the conversation with him. Today's episode is sponsored by Optiv as well as Telus, and we're really looking forward to the conversation with Michael. So we'll take a brief pause here and we'll welcome Michael aboard.

Christian Redshaw: Let's do it.

Dominic Vogel: Michael, thank you so much for joining us today on the Cyber Security Matters Podcast. How are you doing?

Michael Doucet: I'm doing great and thank you for having me today.

Dominic Vogel: Awesome. Well, Christian and I are really excited to have this conversation with you, and you're based in Canada, so we're fellow Canadians that way, which is always nice, to have a Canadian on the show. But I thought maybe we'd start with you sharing a little bit about your personal narrative, so the career stops you've had along the way, just so our listeners or viewers can get to better know you.

Michael Doucet: Sure. Happy to discuss that. Prior to coming to Optiv, I spent 30 years with the federal government. Most of my federal career was in public safety, policing intelligence. A couple of highlights of my career with the feds: I represented Canada at the National Security Agency in Fort Meade, Maryland for a couple of years. That was a tremendous highlight. Being CIO, CTO of the RCMP and others was an incredible journey for me. And from that I came to Optiv roughly four years ago, and within Optiv, I'm the executive director of the office of the chief information security officer with cross-Canada responsibility to talk to organizations about their cyber programs.

Dominic Vogel: Amazing. Some of your background pedigree, that's absolutely amazing, the journey you've had so far. And I'm curious to know, what was it after your very successful federal career that drew you to Optiv?

Michael Doucet: Well, thanks to you, Dominic. That's an interesting question and an easy answer. What drew me to Optiv was, Optiv is a pure-play cybersecurity integrator with over 400 partners in providing our services and products to customers. So the fact that all I do day in and day out is cyber and talk to folks about their cyber programs, and we have a deep bench supporting us in doing that at Optiv. So it was, for me, just a natural fit moving forward.

Christian Redshaw: Amazing. I think we're talking to the right person.

Dominic Vogel: Yes, I believe we are.

Christian Redshaw: So Michael, my question is related to cybersecurity. Our show is called Cyber Security Matters and so that's my question to you. Why does cybersecurity matter? How are organizations being affected and what kind of threats are they facing?

Michael Doucet: Thank you for the question. Cybersecurity absolutely matters, without question. Just about everything we do in our daily lives is reliant on technology. When we go fill up our cars at the gas station, we are incredibly dependent on operational technology to get gasoline. And of course, as you know, there are numerous threats against us. People that want to do us harm, organizations that may want to do us harm, whether it's state actors, employees that do the wrong thing because we haven't trained them properly, competitors, hacktivists and so on.

If we had this conversation 30 years ago, you would maybe tell me that you thought that the cyber threat was academic and we didn't live it every day. Today we live it every day. We're reading about it in the newspaper, and we used to talk in the industry about stopping our organizations from being hacked and saying, "We're not going to get hacked." Today, the way we look at it is, we prepare for that day because it's not a question of, "Will we?" It's really a question of when, and how prepared we are to respond to that hack or that outage or that ransomware, whatever that might be.

Christian Redshaw: Very good answer. And we often refer not 30 years, but 27 years ago. Dominic always says it's not 1995, so your cybersecurity shouldn't be at the 1995 level. Apparently that was a major year in the history of cybersecurity. So then my next question is, how do you rationalize cybersecurity at the board and executive level? Typically, how do you approach the cybersecurity conversation at that level, Michael?

Michael Doucet: Oh, thank you. I love that question because boards are alive to cybersecurity, without question. And whether it's a not-for-profit, a for-profit, a government, we're alive to cybersecurity, and really the organization cares about what the board cares about, what the executive leadership team cares about. And in approaching our conversations at board level, we've got to speak their language at the end of the day, and if we go back 27 years, maybe we didn't speak their language way back when. They maybe didn't invite the techies or the business leaders of the CISO programs to talk to them.

But today, when I talk to a board, and boards vary in composition, but typically there are lawyers, there are accountants, and then subject matter experts in the vertical of that organization, I want to talk their language. I want to talk risk. Boards are all about risk. And how do we quantify the cyber program? How do we quantify the threats that they're preparing against? We quantify that by talking about risk, talking the language that they will understand and really informing and educating them as well. I'll just make one other plug for the boards: bring them into your environment. I've run tabletop exercises, cyber exercises with boards so that they could see cyber is a team sport and the whole organization responds to threats, not just technical people somewhere within the organization.

Christian Redshaw: Very, very well laid out there. So a couple of follow-up questions, Michael. What, in your experience, should a healthy organization look like when it comes to IT relating to cybersecurity, and relating to executive leadership and the board? How does that work together in a healthy way?

Michael Doucet: What I love about that question is that you've parsed off IT and cyber. Sometimes people think of them as the same thing, and they're really not. And as we're talking IT, cyber, executive leadership, the organization, I think once again we have to look at cyber from the aspect of, it's a team sport. And I have a particular bias here, and I'll tell you that I think anything we do well in cyber has positive ramifications on the IT program, whether it's patch management, vulnerability analysis, so on and so forth. So really nobody can afford to sit in their corner and do their job. We've got to come together, and once again, as you're talking IT, cyber and so on, I find in very progressive organizations the governance of the cyber program is really important. How do you bring those elements into the cyber program? And once again, how do you demonstrate that team play, and that we all have the same goals moving forward?

Christian Redshaw: I love how you're illustrating that team sport and that it shouldn't be siloed, but yet there is a differentiation between IT and cybersecurity. And if we broaden that out now, outside of those groups, and look at that concept of risk and enterprise risk, how do you see cyber interplaying and fitting into the enterprise risk picture of an organization when it comes to financial risk, strategic risk, product risk, environmental risk, all those other enterprise risks? How is that successfully being managed and how should that be done?

Michael Doucet: It sounds like there's not enough risk there. Well, cyber is a risk to the organization. Once again, we have to quantify that risk to the organization, but to compare cyber risk to market risks, to competitor risks, however we do that, you basically start off with a risk matrix or a dashboard or a risk registry at the senior level. And typically if you've got a chief risk officer, that chief risk officer reports to the board, potentially through a risk committee, and cyber is a risk; you quantify cyber as a risk. And I can tell you, I've operated in some organizations where cyber is a tier one risk to that organization because with cyber, with a system outage as a result of a cyber breach, they could in fact be out of business. So once again, when it gets to that level of attention within the organization, we can now mobilize to lower that risk. We're never going to get it down to zero. We know that, but it's our ability to understand the risk, understand where some of the gaps may be, but more importantly, respond to a cyber event.

Dominic Vogel: Michael, I want to ask you, just maybe diving into the cyber risk leadership or chief information security officer type leadership for an organization. I know you were talking about larger organizations; many of them will have an internal CISO, but what about the smaller organizations? And as you were mentioning earlier, where we are today, every organization is pretty much a tech company. They need some level of understanding of cyber risk management. How do smaller companies go about getting that level of cyber risk leadership when they can't find those types of people to hire internally?

Michael Doucet: Great question. And if we look at small business, number one, they may not be able to get the personnel, but they need to nevertheless understand this risk to their business. In Canada, we have a number of resources to help small business, whether it's through Public Safety, whether it's through the Canadian Centre for Cyber Security, to help them put together a cyber program. And you can be a two-person organization, quite frankly, you could be a storefront, and have your cyber plan, maybe a backup of your laptop, maybe a generator, maybe whatever it is that will allow you to continue your business. So from the smallest organization that needs to understand what this risk is and take healthy steps to understand and quantify their cyber risk, right up to the largest organization that has an executive-level CISO. I think it's important, and you cannot minimize the fact that if I go down, I may be out of business.

Dominic Vogel: I appreciate that insight, Michael. And one final question for you as we're running out of time here, but back to what you were talking about with boards and a board of directors. In your mind, how would you go about bringing greater motivation for a board of directors to take security more seriously? One of the things that I know is still rampant today is that a lot of boards of directors will either just pay lip service to cybersecurity, i.e., they talk about it once a quarter kind of thing, but nothing beyond that. Or after a data breach or after some large security incident, then everyone wants to start paying attention to it. And how do we move boards to being a bit more mobilized, shall we say, around cyber risk management, and also moving away from the marginalization of it as an IT issue, to truly, like Christian, you were saying earlier, a true business risk?

Michael Doucet: Great question, and I think we really have to look at our board. We have to look at the composition of our board, and we have to educate them and make it interesting for them. And I'll give you an example. Earlier in my career, one of my colleagues made the statement that senior management within our organization did not understand cyber. And I challenged that: have we been able to explain cyber to them? Have we been able to explain it in their language? And I will never be an advocate of the sky-is-falling type of discussion. I want to look at cyber as a business enabler, and depending on where the organization is, if we're in acquisition mode, it's really important that we do a cyber assessment of companies we're acquiring. We don't go through an acquisition, then plug in two disparate infrastructures.

So make it about the business, make it about the business strategies and make it value-added. And quite frankly, don't just go to the board looking for money. I think that's a failing strategy. Go to educate, go to maybe bring them in, as I said earlier, into a tabletop exercise. One stark lesson for me one time was when we did a tabletop exercise with the board; the reflection from the board was, this was a whole-of-organization response, it was communications, it was legal, it was regulatory affairs, so on and so forth. The trigger was technical. The response was all of the organization. I think that excites the board.

Christian Redshaw: One last question for you, Michael, while we have you on. I want our listeners and viewers to really get their money's worth here, so I'm asking all of the cybersecurity questions that I can think of. It's said that you inherit the security weaknesses of your suppliers, vendors, strategic partners. A, how much do you agree or disagree with that statement? If you agree with it, B, why is that the case? And C, how do you effectively manage your third-party risks?

Michael Doucet: Okay. I'll answer that by saying, not only do I agree with that statement, but I would make it a little bit stronger. In fact, I would say that I sign up to the security weaknesses of my partners. And if I'm signing up to those security weaknesses, I have to understand what they are. I have to have a third-party risk program where I go through some sort of vetting as I'm bringing business partners along. And don't forget, the [inaudible 00:15:34]. People that want to do us harm are tremendously motivated to go after our business partners, to go after the large cloud service providers. They have very, very, very good cybersecurity. But if you can get in, you get into literally thousands of organizations.

So I think absolutely we have to sign up to those security weaknesses, we have to understand them and we have to manage them. But one other small point here is, in our organizations today, we can have a tremendous amount of shadow IT, where staff sign up to services that the CISO, that the CIO, don't know about. We've got to stop that, because that signs us up to weaknesses that we're not even aware of.

Dominic Vogel: If we could stand, I'd probably give you a standing applause right now.

Christian Redshaw: It's not practical for us to do that.

Dominic Vogel: The wisdom and the insight you've laid before us and our listeners and viewers today have just been astronomically powerful. But thank you very, very much for spending time with us today on the Cyber Security Matters podcast. Very grateful for your time.

Michael Doucet: Thank you very much and thank you for the insightful questions. That was amazing. So I really appreciated my time with you this afternoon.

Christian Redshaw: Thanks Michael.

Dominic Vogel: Amazing, Michael. Thank you again so much. And Chris and I will take a momentary break to mention our sponsor, which, spoiler, is Optiv for today's episode. And so we'll take a quick commercial break and we'll be right back.

Recorded advert: Optiv is the cyber advisory and solutions leader delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk integration and technology solutions. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit optiv.com.

Dominic Vogel: This week's episode of Cyber Security Matters is brought to you by Telus Business. It's that time of year when organizations set their sights on plans for the upcoming year. If you're developing your 2023 cybersecurity business cases and budgetary plans and are looking for data on which to build the foundations of your ask, download the Telus Canada ransomware study today. It shares insights on how ransomware is impacting Canadian organizations like yours and details the tools you can use to effectively protect your business. To get your free copy, visit telus.com/ransomwarestudy. Telus Business, cybersecurity that works for you.

The truths that Michael laid out there were quite... Not only were they self-evident, but they were incredibly powerful the way he laid them out. It's been a long time since I've been in awe of a guest, but just how he was speaking, the demeanor, everything that he had to say, was incredibly powerful. You can tell that he is the type of individual that could command the attention of a suite of executives or a board of directors.

Christian Redshaw: Definitely. You could tell that he is drawing from a deep well of wisdom and experience. And I think for me, starting with the end and then working backwards, a couple of things: you inherit the security weaknesses or, as he said, sign up for the security weaknesses of your partners and vendors. And cyber criminals would like nothing more than to get access to thousands of potential targets through vendors, through supply chains. I think the other thing for me too was, you're speaking the language of risk to boards. You have to speak to them in a language that they understand so that they can understand cybersecurity and be able to do something about it.

Dominic Vogel: Absolutely. It was just an exceptionally engaging conversation. We're very grateful to Michael for joining us today on the podcast, and a special thank you to the sponsors for today's episode, which were Optiv and Telus. And as always, we want to extend a special thank you to our loyal listeners and viewers who join us each and every week. If you did happen to miss a previous episode, do check out previous episodes on the Cyber Security Matters YouTube page and/or on your favorite podcasting platform.

Until next time, be well, be safe. We'll see you again next time on the Cyber Security Matters podcast.