We Need More CISOs To Speak Up
On September 25th, I was privileged to offer opening remarks at the 5th Annual SecurityWeek CISO Forum, Presented by Intel. My comments were brief, and while they are not groundbreaking, they do represent such important reminders for all of us that I thought I would share and expand on them in this format as well. Here’s the gist: big, boring (not really) platform companies need CISOs – and CISOs need them to listen. The decisions platform companies make have profound impacts on every single CISO on the planet.
To properly set this up, I need to admit something: the existence of the CISO role, much less its influence on technology decisions, was not well known to many tech giants even five years ago. Some business and technology leaders understood, but most did not. The reason is pretty obvious if you put yourself in the shoes of platform companies – we are often (although not always) an ingredient supplier to end solutions. Companies like this frequently do not deliver complete solutions, and so we often interact with companies that do – not the end customer. As such, CISOs were often not in the obvious influence path for “ingredient” tech companies. But as security outcomes became more in focus, and the role (and responsibility) Intel and other platform companies have in improving security outcomes became more clear, it became unambiguous to most that CISOs are critical for technology adoption.
Many of us have now seen the light (broadly about five years ago). Thankfully. I can only speak for Intel, but we should all breathe a collective sigh of relief that CISOs are sought out and listened to in order to guide technology roadmaps. Now Intel routinely engages with CISOs for input on our directions, to check our assumptions, and even to ideate on innovations. Not only do CISOs approve security technology roadmaps for the companies they represent, not only do they consume what we produce, but they also are on the front line of the war on cybercrime. They have the absolute best sense for what has a hope of working. It might be obvious to you, but it wasn’t to everyone at many tech giants not so long ago.
So began our journey of engaging with and seeking feedback from CISOs. Honestly, though, it was and often remains difficult to gain mindshare, to get and keep the attention of this group, for the technologies that reside in the foundation of all computing.
CISOs are busy people, fighting fires, making decisions, hearing about the latest innovations from the most groundbreaking start-ups. So, making time to listen to platform companies is hard – especially if you think you’ve already said what you have to say, or if what you have to say seems obvious to you. It must seem like taking the time to eat right or go to the doctor. It’s much more exciting to speak to the latest AI or blockchain start-up, or the latest solution provider whose product claims to fix all that ails the enterprise, than it is to sit down and discuss patching strategy, hardware roots of trust or other “boring” topics from tech giants. I get it.
CISOs need to change their priorities here though – for all our sakes. It’s every CISO’s responsibility to speak, to speak loud, to state the obvious, and to repeat yourself if necessary. That’s your responsibility. It’s the responsibility of platform companies like Intel to listen and act as a result. If we both commit, we both win. If we get distracted, if we prioritize the latest shiny object, if CISOs don’t aggressively pursue providing their insights – we all suffer. And I do mean all of us, like all consumers, all governments, all businesses.
The decisions platform companies make – especially hardware platform companies – have profound impacts on security outcomes. Why? Because, to state the obvious, platform companies provide the basis of downstream use cases and solutions. Put another way – other companies build solutions that sit on top of our foundation. And certain platform companies have immense market segment share. If the foundation is strong, solutions built on top of it have a hope of being strong. If the foundation is weak (defined in many ways), solutions built on top have little hope of being strong.
In closing: if your enterprise has the opportunity to engage with platform companies like Intel, Microsoft, or Cisco – do so. Take the time. Every time. Whatever you tell us – keep telling us (saying something once is sometimes not enough). While on the surface it may seem as though we move slow (not Intel!…other companies), while it may not be on topics that are the most exciting compared to the latest hot AI start-up (transistors can be exciting!), while it may seem at times like we do not listen (even though we do) – your time could not be better spent.
Thank you again to SecurityWeek for allowing Intel the opportunity to partner on the 2019 SecurityWeek CISO Forum. Thank you to all the CISOs who committed to attending – and thank you in advance for your help in shaping the future of security platforms.