Introduction to CPO Playbook Podcast
00:00:01
Speaker
I'm Felicia Shakiba, and this is CPO Playbook, where we solve a business challenge in every episode.
The Growing Importance of the CISO Role
00:00:14
Speaker
100% of Fortune 500 companies employed a CISO or an equivalent role in 2023. If a company is unfamiliar with the role of a CISO, a Chief Information Security Officer, it risks lacking the strategic leadership necessary to safeguard its digital assets and infrastructure from increasingly sophisticated cyber threats. This oversight can lead to vulnerabilities in security, potentially resulting
00:00:43
Speaker
in significant data breaches, financial losses, and damage to the company's reputation. In an era where cyber resilience is a key component of business continuity, a CISO plays a critical role in maintaining trust and confidence among stakeholders, customers, and partners by demonstrating a commitment to security.
00:01:03
Speaker
Failure to recognize and empower this role can leave organizations unprepared in the face of potential cyber crises.
Introducing Gary Haislip, CISO at SoftBank
00:01:11
Speaker
Today, we will learn all we need to know about a CISO from Gary Haislip, Chief Information Security Officer at SoftBank Investment Advisors.
00:01:21
Speaker
Gary, welcome to the show. Thank you for having
Responsibilities and Skills of a CISO
00:01:24
Speaker
me. Gary, what does the CISO role, an acronym for Chief Information Security Officer, actually do?
00:01:35
Speaker
Each business that has one uses them differently. It isn't like there's a set example. Some form of this role is pretty much found in every organization today that conducts business using technologies or services connected to the internet. So the role itself is very varied. I like to look at it as they are business executives that manage risk using technology, people, processes, and that's their core role for the company.
00:02:05
Speaker
And how has the role evolved during your tenure in cybersecurity?
00:02:10
Speaker
What I've seen is it used to be extremely technical, and it used to be one of those roles that would be buried down in the hierarchy of managers and stuff filed within a company. Over the years though, as technology has become more integrated within businesses, the role itself has become more visible. And as attacks and threats and stuff have impacted businesses and operations and revenue,
00:02:38
Speaker
their role has really become more visible. And what you're finding now is organizations, when they hire somebody for that role, they just don't look for someone to have technical knowledge. They're also looking for people to have soft skills. Can they be partners? Can they integrate with other departments that are non-technical? Can they operate in a business environment? And so you're seeing the role shift dramatically, honestly, over the last five years.
Ethical Concerns in CISO Reporting Structure
00:03:04
Speaker
In many organizations, you might see security roll up into a CIO, Chief Information Officer. So how is this role different and why is it important at the executive level?
00:03:19
Speaker
Reporting to the CIO is actually common today. About 60% of the CISOs still report to CIOs, but many now are reporting to CEOs, CFOs, CTOs. It's pretty much across the board, but they are reporting to some executive.
00:03:34
Speaker
There are concerns with the CISO reporting to a CIO, because the CISO's mandate is to monitor or remediate technical risks and the CIO's job really is to use technology to provide services on a daily basis. So it's kind of like one is providing services and the other one is managing the risks of those services.
00:03:57
Speaker
So if you've got someone that's supposed to be managing that risk, how do you report to the person that's causing that risk? And so there have been some discussions that it sounds like that's an ethical issue that really shouldn't be happening. And in some sectors like financial services, if you're regulated, it's actually supposed to be split. The security executives cannot report to the IT executives. They are supposed to be separate because they're worried about that ethics issue, about that management of risk.
00:04:24
Speaker
But outside of that, pretty much almost all CISOs report to either the CIO or one of the other executives. And the other part of your question of why is this becoming more important now at the executive level?
CISOs in the Executive Team: Challenges and Impacts
00:04:37
Speaker
The big thing about somebody who is in the CISO role, cybersecurity impacts the business. However you deploy it, however you use it,
00:04:45
Speaker
Yeah, whether it's cloud, whether it's on-premise within the business, within their own data centers. Cybersecurity impacts. You do not do cybersecurity without causing some type of change to protect the business, some type of change to protect new revenue streams, some type of change to help an M&A process. That kind of impact, that kind of good or bad to the business, you want to be talking to executives. You want to be part of the executive process.
00:05:13
Speaker
They want to have insight into what you're doing and what projects you're working on and why you're doing things. And at the same time, you want to have that type of contact so you can get things done. And the reason I say that is one of the biggest things that CISOs have a problem with is business culture. The organization itself will push back on change that you're trying to do. The organization that you're trying to protect
00:05:41
Speaker
They don't want to change. They like doing things the way it's always been this way. I don't want to make changes. I like doing it this way. What do you mean the SEC says you have to do this? What do you mean you want to go ahead and do ISO 27001? I don't care. This is the way I've always done it. And I've been here five years. Why should I have to change?
00:06:00
Speaker
So you need those executive connections to get things done, and at the same time to kind of give you that bullet shield, to fight off all the stuff that's going to be thrown your way, but also to help you as a business executive to understand culture and how you fit into it and how you can build trust and how you can partner with your non-technical executives in the other departments, your non-technical stakeholders that you have to serve, that you have to provide services to.
00:06:28
Speaker
So it's really critical. CISOs will have to be part of the executive team to be effective, and they will report to some executive, whether it's the CIO or whether it's some other C-suite member. It's become quite common today that it's going to be somebody with a C in the title.
00:06:45
Speaker
So it's about making that shift at the top in order for the activities or responsibilities to really take place. My second question or follow-up question to that is how does the title of CISO, as opposed to a director or a VP of security, really influence the perceptions both within and outside the organization?
00:07:10
Speaker
Oh yeah, peers of mine are trying to get the title, trying to get the Chief Information Security Officer role. Honestly, what is happening is that there's a career progression. If you get into cybersecurity, the more you progress and the more senior you get, you get to the point where you're a manager or a director, and then eventually you're up for the CISO title.
00:07:31
Speaker
I look at it as you mature as an executive until you finally get the CISO role. And it's an acknowledgement of the business that they're taking cyber seriously. It's an acknowledgement of the business that you are an executive and at that level of maturity. You get it both positive and negative. You get the remit that you're going to make change, that you've got the budget, that you've got people, but you also are going to be held accountable.
00:07:58
Speaker
You also, if things go wrong and it's failed through negligence or something on your end that you didn't do things right, you will be held accountable. Which means it's probably going to be a resume generating event. You're going to be calling out. You'll probably be going out the door because it's part of earning that title.
00:08:15
Speaker
Why it's important on the outside: I have found when you're dealing with vendors, when you're dealing with customers and suppliers, when you're dealing with third parties, there's a big difference between "I'm just the VP of information security" and "I'm the Chief Information Security Officer." If you're the Chief Information Security Officer, it's like you're the CFO, or you're the Chief Operating Officer, or you're the CEO. It's a title, it's a letter of, I guess you could say, a mark of maturity or an executive mark
00:08:44
Speaker
of where you're at. If I look at a company and they've got a CISO, I know from a standpoint within the company that their security program is mature enough to the point where the board and the C-suite have acknowledged that we need somebody with that title. And they typically will have directors and officers insurance. They typically will be reporting to the board.
00:09:08
Speaker
They will obviously have some type of budget, some type of security team. For me, it is when you start getting to that level where you have that title, there is more of a business executive mentality around
The CISO's Role in Business Operations and Collaboration
00:09:21
Speaker
it, versus just being a manager. For me, the difference between being like a security manager or a VP of Information Security and being a Chief Information Security Officer is really once you have that C title,
00:09:35
Speaker
you're a business executive and you're treated as such and you're going to be held accountable as such. And it's also the way it's viewed externally as well. When people look at the organization, they're looking at the company as being mature to the point where they have C-level executives.
00:09:52
Speaker
And so those conversations are being had at the top of the organization. Those are the things and responsibilities and knowledge that executives need to have in order to secure the business, essentially. Yes. And that's the reason why
00:10:07
Speaker
I think by the time that you get to where, as a security executive, you're getting the CISO role, that's where you need to actually start having more of the business chops, per se, of being able to operate within organizations.
00:10:23
Speaker
I recommend to some of my peers who are getting their first CISO role that they have a mentor within the business to help them better understand how to report to the board and be more effective when they are reporting to the board and they're going up to ask for something. I also talk to them about how there's going to be more expected of you in your communication styles
00:10:42
Speaker
and the way you do reports and the way that you do budget and the specific things you ask for. There's going to be more that's going to be expected of you when you put your slide decks together and you're briefing the baseline risk of the company and threats and stuff like that.
00:10:57
Speaker
There are things that you can get away with as a manager, like a security manager, because you're low level and you're buried five levels down. You're not going to get away with that when you're a Chief Information Security Officer, because you're a business executive. You're expected to go ahead and have a level of maturity and understand the business and operations and where revenue is coming from. And some departments are more important than others. Some data, some technology is more important than others because they generate money for the company,
00:11:25
Speaker
or there's significant regulatory risk around specific operations or around specific partners or significant contractual risk. You need to know these things as a chief information security officer. You should care about them because your program is going to be intertwined in managing and monitoring for the business.
00:11:45
Speaker
In most executive roles, there is this certain expectation around cross-cultural collaboration and cross-functional collaboration. How do you ensure alignment on security strategies across diverse key departments such as IT, legal, HR, compliance?
00:12:04
Speaker
Yeah, once you're at the CISO role, that is key. In fact, I know numerous CISOs for whom, when they interview, the first couple of questions are around technology. They pretty much know from a technical standpoint, it's table stakes. You've got it. Otherwise you wouldn't be there at the table doing the interview. When you're doing the interview, they already expect that you've got the technical things that are going to be needed. The other 70% is all about fit. The other 70% is: are you going to be able to partner
00:12:33
Speaker
with your non-technical stakeholders like legal and compliance and audit? And they're going to ask you, give us examples of projects or give us examples of specific things you have done with these other types of departments. It's a very large business-focused view of how you operate as an executive.
00:12:52
Speaker
And I spend a lot of time talking with them and mentoring CISOs who are between their first and third roles. They've got their first role and maybe down the road they're going for their second. They're getting more senior, or they're in their second role and they just got their first large CISO role. And what's going to be expected of them? How am I going to operate? And I recommend that they take a class or two or have a mentor
00:13:16
Speaker
who is a business executive, who's not a CISO, but has been a previous CEO or a previous CFO or something like that, been a business executive in a company or two, to help you understand how you're going to operate. And what I mean by that is:
00:13:32
Speaker
How do you communicate? How do you work and collaborate with people across the various departments? Are you easy to work with? Do you deliver on time? Can you be counted on to go ahead and take on the hard jobs or the hard issues and to investigate and help remediate problems? For myself,
00:13:51
Speaker
I can tell you, typically what I do is I may do an internal assessment and baseline where our risk is at and put together a list of issues that I think we're going to need to work on, but I won't rank them. Instead, what I will do is I will pull my peers in from the other departments, from the other business departments, and I will ask their help. And I want the business input on the security risks and things that I'm looking at, and they will actually help me
00:14:19
Speaker
evaluate them and rank them and decide which ones we should address first. And so that way, when I am putting together my six-, well, 18-month project plan for my team and we know what projects we're doing, they're aligned for security, but they're also aligned for the business. So we're focusing on the ones that the business says they need first. Who are the people that roll into this role? What are the positions that report to you?
00:14:46
Speaker
Honestly, it really depends. Typically you're going to have security operations, which is the normal everyday security operations. And it'll be made up of security engineers, security analysts, people that are pretty much doing the care and feeding of the security tools that you have for managing risk and for managing the security services that you provide, such as
00:15:09
Speaker
doing patch management and vulnerability scanning and scanning for insider threat, and identity, managing identity. These are all basic things that your team's going to be doing. Along with that, there could be other things that could be assigned to you: the network engineering teams that are managing the firewalls.
00:15:26
Speaker
They may be assigned underneath you, or they may be in IT and have a dotted line to you. Typically, IT may manage the firewalls. Security are the ones that are actually logged into them, using them at work and pulling reports from them and stuff. And sometimes companies will put them underneath security.
00:15:41
Speaker
Governance. If you are a regulated entity and your CISO has experience in GRC, like myself, I'm a certified auditor, they may put the whole GRC team underneath security, or they may put the risk and governance teams underneath security just because of how intertwined the security stack is with the IT stack. And a lot of the stuff that the GRC team looks at is IT related. And so they may put it underneath security to have a degree of separation.
00:16:11
Speaker
And there's other things as well. In my current role, I also do physical security, which is a whole different mindset. A whole different mindset, different technologies, different processes, but there are some CISOs that go ahead and do it and take that on. I've operated in environments where I've had four different teams.
00:16:28
Speaker
In one of my roles, I had a security operations team, I had a governance team, I had a cloud security team, and I had an application security team that worked extensively with our product teams. And I worked a lot with our VP of DevOps. Her and I were partnered together, and my application security team was actually embedded in her department.
00:16:51
Speaker
And I spent a lot of time, and I did that on purpose, to set up trust between our teams. And I spent a lot of time working with her, making sure that the products that we were producing were as devoid of defects as possible, and we constantly tested for issues. How have increased regulatory demands, such as those from the SEC or FCA, influenced the strategic priorities within your role as a CISO?
00:17:18
Speaker
The increased regulatory demands, basically what they do for a CISO, if you're in a regulatory regime, is you honestly spend a lot of time going back through, looking at your stack, reviewing previous assessments, reviewing previous controls and making sure that you have things documented. You spend time talking with your attorneys to verify, are you missing anything? You also spend a lot of time looking at new rules that are coming out, or we have a,
00:17:45
Speaker
an amazing amount of rules that are coming out around data privacy and not just in the United States, all over the world. And if you're an international company and you operate in a lot of different geographical locations, now all of a sudden your company went to cloud.
00:18:00
Speaker
to go ahead and be innovative. And now you've got all these new data privacy rules coming out saying, hey, that's great, you want the cloud, but we want our data to stay in our country. You have to collaborate with IT and now figure out, with the technologies that we've got selected, how do we go ahead and meet these new regulatory needs that have come up, where data needs to be located in specific places, but still also help the business be innovative. I do think there's a cost.
00:18:28
Speaker
And it's fine, because companies need to pay that cost to be more resilient or to go ahead and be able to meet the new requirements that come out. But whether you like it or not, no one meets new regulatory requirements without spending something. You're going to incur some type of cost, whether it's hiring people, new technologies, new processes, just the documentation alone of documenting how you're doing things with a new requirement. There's always some type of cost.
00:18:54
Speaker
And it does, it pushes back on all the teams, but it requires the CISO to collaborate with stakeholders,
00:19:00
Speaker
because you are going to go out and find out: hey, are we meeting these new privacy requirements? Do we need to make changes to make sure data is co-located in new geographical regions? Hey, are we getting the right reports? The auditors are now going to ask, because our regulations have changed. And so all of these things you are continually reviewing. Does that only happen every once in a while? No, you are looking at these things easily every six months. We're reviewing these things.
00:19:28
Speaker
And I know some that are looking at it on a quarterly basis, just because of the size of the company, the type of data that they manage. So they're not going to get caught. They're afraid of the fines. So they're going to do what they need to do. So yeah, the regulatory side, it's not for free. Companies are going to meet it, but it's going to be possible.
00:19:47
Speaker
You've mentioned before having a balanced view of AI and cybersecurity, viewing it as both a risk and an opportunity.
AI in Cybersecurity: Risks and Opportunities
00:19:56
Speaker
Could you elaborate on how you approach integrating AI tools while managing associated risks?
00:20:02
Speaker
In 2013, I was part of a group of CISOs that went before Congress to go ahead and brief about the weaponization of AI. Back then they were concerned about AI being used as a weapon. Now think about that, it's like 11 years ago, and now we have AI, whether it's apps on your phone or the search engine that you use when you go on the internet; many of the new security tools and IT tools we use today are now being AI integrated.
00:20:29
Speaker
Whether you like it or not, there's going to be an AI bot or an AI assistant. My company is AI friendly, and we're investing in AI companies and we're working with AI. And as a security executive, originally last year, many of us were pushing back and saying, hey, there's just too many unknown risks. You just got to say no, no, no, and just not do it. To me, it's like being an ostrich sticking your head in the sand to hide, because you're not going to stop it.
00:20:55
Speaker
Whether you like it or not, it's being integrated in so many different apps and so many different technologies. You can't prevent it in the business. There are so many free things that are popping up on the web now that your employees want to use. You're not going to be able to stop it. And so what it comes down to, when you have a prevalent technology like that, is more of, okay, there's an acceptance piece of, all right, we're going to see it. It's here. Let's figure out how we can manage it and deal with it.
00:21:21
Speaker
And so that comes around to, all right, let's put policy in place on what it's for. What are we going to use it for? What are our use cases? And let's educate our employees on how to use it safely. What we recommend for them on how to use it, what to do with it. Let's provide them training and start training them. And not only that, let's make a decision that we're going to go ahead and go with a specific platform.
00:21:47
Speaker
We chose OpenAI's ChatGPT version 4. We're looking at it from a security standpoint. There are many others that are out there, but that's typically what you'll do: you'll select a couple of different tools. Typically, it'll be ones that you're paying for, that you are able to control. You'll put the policies and procedures in place, you'll train your staff. And then the next piece is the fun part for a security team.
00:22:11
Speaker
How are we going to manage it? How are we going to make sure people are actually following process? They're actually not doing stupid stuff with our data. That's where, unfortunately, the technology is catching up. There are a lot of security startups now that are just coming out. And this is what I look at: CISOs have to be comfortable about leaning forward.
00:22:32
Speaker
In our environments, part of the job is the fact that the technology is never stagnant. The risks that we deal with are not stagnant. They're constantly changing and you have to be comfortable working in a fluid environment like that where you're managing risk and managing technology.
00:22:48
Speaker
So the next piece for AI is, all right, the company's gonna use it, you've put everything in place, you've trained the staff, they're being innovative, that's fine, they can do their piece. Now my team has to do theirs, and my team is, we're gonna monitor, we're gonna manage that risk. We're going to go ahead and look at startups, we're gonna look at security tools that are out there that are using AI to help us see Gen AI across the environment, how our people are using it.
00:23:17
Speaker
If there are new tools that pop up, we're going to call them on it and say, hey, you need to bring that through tech review. We need to take a look at it. We need to understand the risk. And if it's approved, then you can use it. If it's not, we're going to block it. If people are using a tool and, hey, we think there might be something questionable here, we want the ability to do a pop-up and say, hey, pursuant to our policy, remember,
00:23:42
Speaker
only this type of data, only this process. Don't forget, you know, your training, and then let them go on about their business. So we have to do that maintenance and that management piece. That, unfortunately, for Gen AI right now is still relatively young in the security field, but it's growing exponentially fast. November last year, I knew two security startups that were doing Gen AI monitoring.
00:24:05
Speaker
As of today, I know it doesn't. It's that fast, how quickly. And these are companies that are in stealth and they get funded $5, $10, $15 million coming right out of stealth, and they're building this stuff quickly. And they're not just doing it for dev teams
00:24:20
Speaker
who are dealing with the big LLM models. They're doing it for CISOs who are doing cyber operations. It's a new technology dealing with new threats that you're just going to have to accept. And so I look at it as how CISOs are facing it: cyber risk is risk. It's still the same. The risks are still there. The issues that you have with insider threat, the issues that you have with protecting data, protecting privacy,
00:24:46
Speaker
they're all there. They're just in a different package. You just need to understand it, train your staff, put policy together so the company understands what it's doing, and be able to monitor it and then report to your executives so you can make decisions on what you're going to allow.
Advice for Aspiring CISOs
00:25:02
Speaker
What advice would you give to someone aspiring to become a CISO, especially considering the broad skillset required for the role? And perhaps what advice would you give to organizations hiring a CISO?
00:25:16
Speaker
It's funny because I've written books around this question, so I can speak to it probably for an hour. For someone aspiring to do it, I would say you need to put the time in. It normally takes about eight to 10 years before you get your first role.
00:25:31
Speaker
and that's average. I would also advise them to get experience in software or product development, get experience in networks, especially cloud networks and on-premise networks, and also get experience in risk management. All of these things are heavily tied into a CISO role.
00:25:47
Speaker
I would advise them that there are also critical soft skills as well, such as strategic thinking, time management, effective writing and communication skills. You're going to need all of these the more senior you get going for a CISO role.
00:26:02
Speaker
For a business that is hiring, I would tell them that not all CISOs are the same. Each of us comes through our career paths differently. So do not look at just what is needed now for the role, but also, I would suggest to them that they look at the next 18 to 48 months, where they see this role going within the org,
00:26:22
Speaker
and what type of security executive they think they would need to be able to fit that role. Too many times I have seen executives, I've seen recruiters and companies, they want 100% of what's in the job description, but when you go in depth with them, there is really only one or two requirements that are critical and the rest are nice to have.
00:26:42
Speaker
What I would say to these businesses is know what your critical asks are and understand that it's okay if you are going to hire a CISO that can do 80% of that. That's the reason why they have a team. That's the reason why they have a peer network. That's the reason why they have mentors. You hire yourself a good executive who has experience. They're going to be able to go ahead and learn those other things once they get comfortable in the job and they're working with stakeholders in their various departments.
00:27:13
Speaker
Very rarely do you get anybody that brings 100% to the table. And honestly, those unicorns that you bring in who have 100% to the table, you're probably going to lose them in the next 18 months because somebody else is going to steal them away. I honestly would go for somebody that has that 60 to 80% and that's going to grow with you, with the business, because you're giving them
00:27:33
Speaker
a shot, you're giving them a chance. They're going to get there in the business. They're going to get established. They're going to grow with you and add you more towards their career path.
Preparing the Next Generation of CISOs
00:27:43
Speaker
They're going to stay with you longer. Gary, thank you so much for enlightening us on what this role is and what it entails. And I'm sure you've added so much value to people's day, just having them listen to this episode. I appreciate you being here and thank you so much.
00:28:01
Speaker
Thank you. I have to admit this was a lot of fun. I really enjoy talking about the role and especially helping more people come into it. Those of us that are senior like myself, within the next five to 10 years, we're going to be stepping out and doing other things. There's a big discussion in our community right now about leaving a legacy, about making sure that the next class of CISOs, the next group of security executives, have gotten the experience, have been mentored, and are ready to step into those roles as we transition ourselves.
00:28:31
Speaker
There's a bunch of us that are taking it seriously. We're writing books on it, we're talking about it, we're mentoring, because we want to leave it better than we found it. And it's really important to us.
Conclusion and Further Insights
00:28:50
Speaker
If today's episode captured your interest, please consider sharing it with a friend or visit cpoplaybook.com to read the episode or learn more about leadership and talent management. We greatly appreciate your rating, review and support as a subscriber. I'm Felicia Shakiba. See you next Wednesday and thanks for listening.