HP and Dell Technologies are two of the world’s largest international computer manufacturers. Their CISOs, Joanna Burkey (HP) and Kevin Cross (Dell), both manage security teams comprising many hundreds of people, and are responsible for corporate security across multiple jurisdictions. The role of CISO is different for a multinational corporation compared to a national company.
Reporting and budget
Historically, the CISO reports to the CIO, and this remains the most common reporting structure. Not all CISOs think it should be, because of the inherent conflict of interest between IT, which must deliver systems, and security, which must constrain them. Both Burkey and Cross believe it is right for some companies, but wrong for others.
There’s no one size fits all solution to the hierarchy issue, says Burkey. “Every company has a different culture and different value prop; and it is these that determine the right location for the CISO.”
Cross has a very similar view. “There is no right or wrong answer to this,” he says. “It is dependent on the company culture and the business landscape how things should best be structured.” Supporting this, he notes that Dell’s structure is slightly unusual. “I report to a chief security officer who reports to general counsel, who reports to the CEO.” A stronger than usual integration with Legal could be considered important for a firm working across multiple jurisdictions with different privacy and data security requirements.
Budget is always an issue for any CISO – getting sufficient funds to do what is important. One of the weaknesses in having the CISO report to the CIO is that it is still common for the security budget to be taken as a percentage of the IT budget. But security has grown beyond IT alone.
“Cybersecurity is a strategic horizontal in most enterprises,” comments Burkey. “Cyber is important everywhere and it is really important that the funding model and the financial partnerships for cyber span the enterprise.”
Achieving this is complex and governed by the individual business landscape. “I’ve seen different models that can work,” she continued. “Budget could be received from a single source, such as the CFO or CTO, but I’ve also seen CISOs set up shared service models or direct bill models within their enterprise.”
For Cross, budget requests go through general counsel to the corporate leadership. Basically, if he makes an adequate case, he can get adequate funding – it’s a question of collaboration with other business units. His budget is not a percentage of the IT budget, but IT remains one of the business units he needs for collaboration – he may seek some funding from IT if he wants to put a big investment into something like network segmentation.
Making the position work
Whatever reporting and budget structure is in place, it must be workable. What should a CISO do if it doesn’t work?
“These situations do occur,” comments Burkey. “This field is still maturing – we’re still figuring out the right ways to do cyber in the best way. If it isn’t working, the number one task is to get clarity on why it isn’t working. What isn’t working about where I am? That can then lead to the right proposal and solution.” Is it, for example, stakeholders not listening, or a failure to get funding? You cannot fix a problem when you don’t know what the problem is.
The second part to solving this problem is relationships. “Relationships are key,” she said. “You need to get some of these stakeholders aligned with you, hear their input, take their input into your proposal, then use those relationships to push for the change that is needed.” In short, part of the role of the CISO is to make the role of the CISO work.
Cross also agrees that there is often friction between security and other parts of the organization – often caused by different opinions on priority. “If there’s a trade-off, security always loses out in prioritization,” he comments.
For Cross, the key to solving this problem is for the security leader to become a business leader. “I tell all the leaders under me, ‘We are business leaders running a business, and our business happens to be cybersecurity.’ We must have sound security planning. We must do marketing and demonstrate the value of security to the company. And we need to talk in business terms. We mustn’t be Mr. No, delivering scare tactics demanding that people stop what they’re doing. We need to resonate on a business level with company stakeholders on the risks and trade-offs and residual risks and decisions that will impact the business.”
For both our CISOs, making the position work is part of being a CISO. The foundation is relationship management. “I think relationship management, how you build those relationships and collaboration, is the key to success,” said Cross.
Staffing is a major part of a CISO’s job, and a major problem for all CISOs. There are two primary aspects: finding ‘suitably’ qualified people, and building the optimum security team from them.
Security staffing is difficult because demand exceeds supply. But Burkey believes there are long term solutions, and the industry is beginning to adopt them. “Over the years companies have gotten good at bringing talent to opportunity; going to universities, and so on.” But here the supply is limited, and the competition is high.
“We’re not always good at taking the opportunity to the talent,” she continued; “going to the underserved communities, going more actively to the places where people might not be coming to a job fair. That’s another area where I think in cyber we can do more to close this gap.”
She believes the industry should become more open to ‘non-traditional’ talent. “That’s not only people coming from less traditional places, but it’s also people with skills you don’t always think of as cyber skills. In my experience, some of the durable skills like good communication, financial acumen, the ability to articulate risk in business terms versus technical terms are great skills in cyber – and there’s people out there who have those skills. They can learn the cyber parts of the job. So, is the skills gap real? Yeah. However, there absolutely are things we are doing as an industry to close it that I believe are making a difference.”
Cross agrees that recruitment is a major problem that comes down to supply and demand. But retention is an associated problem, with other companies seeking to poach proven experience. He agrees with Burkey on finding new staff from the less obvious sources. “If you’re looking to go find a security practitioner, it may be difficult – but is it easier to hire people with data science, database or IT backgrounds, which is really the foundation of what you need in the security person.” People with those underlying skills can be taught security on the job.
Having found the people, the CISO then needs to train and retain them. “We have programs such as job rotations, where people are moving and looking at different security domains and disciplines and learning things in different areas,” he said. “We have a performance development path and plan, where we can grow people through the ranks with certification and other training to provide modern skills – because the world changes around us, and we need to keep revolving.”
But both CISOs agree that recent history has provided some assistance in recruitment: the expansion of remote working. “It opens up avenues around the world to be able to attract and hire people from different locations that maybe we weren’t able to before,” comments Cross.
“During the pandemic, I think a lot of companies realized the art of the possible, in a way that we might have been slower to recognize in the past,” adds Burkey. “HP is very supportive of talent. We call ourselves a school for talent. We’re very supportive of finding and taking care of and retaining good talent. I certainly have those options in the tool belt to hire and source remotely – and I think in cyber that’s going to be around forever now.”
Developing a team
A good security team isn’t just a question of numbers – it’s about a good balance of specific attitudes and aptitudes. Diversity is the buzzword. “Diversity of thought is a massive benefit in cyber because the attackers are coming from everywhere,” explains Burkey. “You don’t really want an associate base that all looks like each other – you’re not really going to be representative of the forces out there that are attacking you.”
Would she take the diversity principle so far as to employ an ex-hacker? “Under certain circumstances, yes, absolutely,” she says. “A reformed black hat is going to have a different view on how a company might be compromised than people with other backgrounds. I think it is a way that a program can have an additional layer of robustness. It’s no more important nor less important than the view of a career pentester; but the more ideas and the more thoughts you get on the table on where your company is really at risk, the stronger your program is going to be.”
Cross agrees that a strong security team requires a mix of qualifications and technical skills with different personal skills and social origins. “We have embraced diversity at Dell, both throughout the company and within the security team. As an international organization we employ people from different locations and cultures.”
Within his global team of 600, he has deeply focused specialists – who might, for example, pentest products. “But we also have the less technical people who can make the engine run. People that can do technical writing, people that can do program management, people that can help with marketing.” He refers to his statement that cybersecurity is a business. “We need the full range of skills that any business needs.”
Being a great CISO
Becoming a great CISO depends on many personal characteristics. These include ‘personality’ (the type of person); attitudes (often set by good advice during personal development); and experience (often reflected in the advice the CISO gives to others). We try to examine all of these with our CISOs.
Burkey says simply, the most important personality trait for a CISO is, “The ability to communicate.”
Cross agrees, but starts with ‘honesty and integrity leading to trust’. Then he adds, “You need to be able to communicate, need to be able to collaborate.” But he also adds, “The most important one is just being level-headed – level-headed, pragmatic, and thoughtful.”
People turn to the CISO in times of stress, looking for direction during a breach or intrusion or some other security incident. “You cannot be a person who is super stressful and panics easily. People rely on you to be a steady force able to make sound risk and business decisions and work calmly with other stakeholders during a crisis.”
The best advice Burkey ever received came a few days into her first people management role. Her own manager said, “What made you successful to get this role is not going to make you successful now that you have this role.” The implications are widespread – but fundamentally, it means you must continue to learn and evolve in any new environment. “It was profound,” she said, “and I have found it applies to literally every role that I’ve taken at HP.”
The best advice Cross received is almost identical: ‘What got you here won’t get you there.’ “It’s the world,” he said. “The world changes around you. Security changes, threats, technology, all those kinds of things. You must continue to evolve and learn, or you’ll become obsolete. So, you have to continue to evolve skills in order to be successful in your career path as you’re going forward.”
The best advice received is often passed on as advice given. “I have done that in many, many mentoring relationships,” says Burkey. “But at the same time, I would urge emerging leaders to hire good people, and then trust them to be the experts that made you hire them. Empowerment and enablement are two of the greatest things a leader can do.”
Cross has two pieces of advice for the emerging leader. The first reiterates one of his recurring themes in this conversation: “Understand that you are a business leader. You have to represent business values and function as a businessman.”
The second has been less commonly heard in this series. “Your health is just as important as anything else,” he said. “All these leadership positions, especially in security, are typically short duration type positions. There’s high turnover with lots of change with high stress, and you must be fit to fight. So, your mental health, your physical health, your emotional health are all important. You have to actually take time out to be fit.”
We like to finish these conversations with an eye to the future: what are the most concerning threats expected in the coming years? Both CISOs said ‘supply chain attacks’.
“The attacks are going to get even more asymmetric,” said Burkey, “and by that, I mean attacks that can target one vector but then have many victims. SolarWinds and Kaseya were great examples.”
She believes the best defense against these attacks is greater visibility. “There are many things we can do in supply chain, beginning with visibility and the deployment of transparent tools on assets that let you see the reality on the ground.” A software bill of materials (SBOM), an inventory of the components inside each product and the dependencies between them, is an example: it is what lets a defender answer, within hours of an advisory, which products actually contain an affected component.
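What that visibility looks like in practice, as an added example that is not code from the article, from HP or from Dell: the script below reads a constructed CycloneDX-style SBOM (JSON), matches its components against a constructed advisory list, and walks the SBOM's dependency graph upward to name every product that transitively includes an affected component. The product names, package URLs (purls), versions and version ranges are all invented for illustration and do not describe any real software or vulnerability.

```python
"""Added example: SBOM-driven triage of a supply chain advisory.

Not from the article, HP or Dell. The SBOM and advisory feed below are
constructed for illustration; no real product or vulnerability is described.
"""
import json

# Constructed SBOM in CycloneDX 1.4 JSON layout. Only the fields this example
# reads are present: components (with bom-ref and purl) and a dependency graph.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-portal", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "web",       "name": "web-frontend",   "version": "3.2.0",  "purl": "pkg:generic/web-frontend@3.2.0"},
    {"bom-ref": "api",       "name": "api-server",     "version": "3.2.0",  "purl": "pkg:generic/api-server@3.2.0"},
    {"bom-ref": "lib-log",   "name": "example-logger", "version": "2.14.1", "purl": "pkg:maven/com.example/example-logger@2.14.1"},
    {"bom-ref": "lib-json",  "name": "example-json",   "version": "1.8.0",  "purl": "pkg:maven/com.example/example-json@1.8.0"},
    {"bom-ref": "lib-agent", "name": "example-agent",  "version": "5.0.2",  "purl": "pkg:npm/example-agent@5.0.2"}
  ],
  "dependencies": [
    {"ref": "app",     "dependsOn": ["web", "api"]},
    {"ref": "web",     "dependsOn": ["lib-json", "lib-agent"]},
    {"ref": "api",     "dependsOn": ["lib-log", "lib-json"]},
    {"ref": "lib-log", "dependsOn": ["lib-json"]}
  ]
}
'''

# Constructed advisory feed: version-less purl -> list of affected
# [lower, upper) version ranges. Invented identifiers, not real advisories.
ADVISORIES = {
    "pkg:maven/com.example/example-logger": [("2.0.0", "2.15.0")],
    "pkg:npm/example-agent": [("5.0.0", "5.0.3")],
}


def parse_version(v):
    """Dotted numeric versions only (assumption; real ecosystems need their own comparators)."""
    return tuple(int(p) for p in v.split("."))


def split_purl(purl):
    """'pkg:type/ns/name@version' -> ('pkg:type/ns/name', 'version')."""
    base, _, version = purl.rpartition("@")
    return base, version


def affected_components(sbom, advisories):
    """Return {bom-ref: purl} for every component whose version falls in an advisory range."""
    hits = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means no reliable match; a real tool would flag this gap
        base, version = split_purl(purl)
        for lo, hi in advisories.get(base, []):
            if parse_version(lo) <= parse_version(version) < parse_version(hi):
                hits[comp["bom-ref"]] = purl
    return hits


def reverse_dependencies(sbom):
    """child bom-ref -> set of parent bom-refs, built from the CycloneDX dependency graph."""
    rev = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            rev.setdefault(child, set()).add(dep["ref"])
    return rev


def ancestors(sbom, ref):
    """All bom-refs that transitively depend on `ref` (the blast radius of one component)."""
    rev = reverse_dependencies(sbom)
    seen, stack = set(), [ref]
    while stack:
        for parent in rev.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def triage(sbom_json, advisories=ADVISORIES):
    """Map each affected purl to the sorted names of every product/component that includes it."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    names = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    names[root["bom-ref"]] = root["name"]
    return {purl: sorted(names[a] for a in ancestors(sbom, ref))
            for ref, purl in affected_components(sbom, advisories).items()}


if __name__ == "__main__":
    for purl, impacted in triage(SBOM_JSON).items():
        print(f"{purl}: reaches {', '.join(impacted)}")
```

Two caveats a practitioner will hit immediately: the version comparison above assumes plain dotted integers, whereas Maven, npm and distro packages each have their own ordering rules, so a real pipeline should use an ecosystem-aware comparator; and "contains an affected version" is not the same as "exploitable", which is why vendors publish VEX statements alongside SBOMs to say whether a listed component is actually reachable in the product.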
Cross is specifically concerned about ransomware linked to supply chain attacks; but is generally concerned that the attackers are simply becoming more sophisticated and more brazen. “There is a better and bigger criminal economy and underground that is incentivizing more bad guys to do more destructive things, and we need to be aware of this.”
He is worried that defenders will suffer incidents they should have been able to prevent because they’re too focused on nation state attacks which they probably won’t be able to stop anyway. “So, while we’re looking for the cutting-edge kind of stuff that we need to focus on going forward,” he said, “we really have to overemphasize on the basic foundational things that we must not ignore. We’ve got to be really good there.”