Key Highlights from the Show Conversation:
What's the connection for you between a chef and a CISO?
John: Being a CISO is very much like being a chef. I kind of want to talk about something a little bit about, you know, how I see the intersection of cooking and being a CISO.
You are the orchestrator of something that is for your key stakeholder.
You've got to think about this strategically. And when I came up with this meal, it was what are all the things I need to deliver on to get the outcome. The outcome I wanted was a southern meal.
In order to do that, we have to think about what are all the components of that. Same way we do in the security world, right? You know, we got to think about what's our outcome and you know, I'll use one that resonates with everybody today, AI.
How do we enable the responsible use and secure adoption of AI? And you've got to think about all the things that it takes to do that. So just a little bit of context for those and kind of how cooking and being a cyber security digital defender are really kind of similar but just different outcomes of what we pursue.
What's the biggest challenge for a CISO today?
Loren: I deal with a lot of CISOs who are frustrated because they can't necessarily obtain budgets from their board and they have to report to their board more and more. It's a hard seat to sit in to this day.
They ask, how do I present this to the board of directors in a way that I can attract their attention and is such an investment in our security posture. And one of the things I say to them is did you really look at the business risk? Because people don't understand that when it comes to IT security we're risk managers—just like an insurer.
John: Oh my gosh, you just nailed it.
Loren: It's risk management. What's the business risk? The business risk is your company has four factories. If it gets out into the newspapers tomorrow morning that your factories are all shut down because of a cyber-attack and that you're not producing, what does that do to your stock price? And is it a permanent downshift or is it a temporary one?
So, the business risk even though you know you're saying the limit of the thousand bucks right that could be a $5 billion hit to the value of a company or a $50 billion hit and what are they talking about saving a million bucks worth of IT security infrastructure to expose the company to what could be billions of dollars of risk.
How has the CISO role evolved?
John: Think about 1995, let's call that the start of gen one of security leadership. When you're brought in to solve a technical problem. I'll call that generation 10 years.
Gen 2 (around 2005), you had become business focused. You got to be business minded. No different than the way CIOS went, right? They went from technical to hiring business people to be CIOS, right? People who had more of a financial background who understood business, right? So we had to understand business.
2015 to 2024 we're now in Gen 3. We are now risk managers. But we can't get rid of the technical or the business. We now have to couple that with the risk management. So we have to be all three things. But now we are gen four...
