Lessons Learned from the “First CISO” Part 1
The New CISO - A podcast by Steve Moore - Joi
Early Days of Security at Morgan

Steve first began working in cybersecurity at JPMorgan, then known as Morgan Guaranty. He recounts the attitude towards CISOs in the 1980s, when many people had no real concept of cyber security or what it looked like. When Steve started, he had to change access rules and work against the resistance to PCs and Apple technology in banks. Listen on to hear his stories and how he overcame skepticism towards cybersecurity.

Building an Active Community

One of the many remarkable experiences Steve describes is how all the data security officers from the New York banks would get together every three months. They would spend the morning eating donuts and drinking coffee, but also exchanging contact information, discussing what was going on in the field, and brainstorming together. Before Twitter, or even the internet, these security officers would connect over breakfast and help each other out. In this episode, Steve recounts how 12 officers from different banks helped him make a deal with a difficult vendor.

A Board Presentation and its Lessons

One of the best and most valuable stories Steve tells takes place in the early 80s, when he and his team discovered several PC viruses. After he told his boss, Steve had to stand in front of the Board of Directors with zero preparation and explain what computer viruses were and how they could impact Morgan. In under three minutes, he had secured $400,000 to implement antivirus measures. In this episode, he relays that story and the lessons he learned about communicating with executives and why being transparent is best.

Effective Explanations

Steve puts forth his theory on how most executives view themselves and how this influences the way you need to explain cybersecurity matters to them. He urges CISOs to go through everything carefully and logically, and to rehearse the explanation beforehand. Your explanation needs to pass the "grandma test" before you speak to an executive.
Listen to the episode to discover what he means by this. Steve also illuminates why a lot of security people struggle to explain themselves. He points to who they surround themselves with and how they need to shift their thinking when speaking to leadership.

Unrealistic Expectations and Stress on CISOs

In this episode, we also touch on how studies have shown that CISOs tend to have high levels of substance abuse, divorce and poor physical health, all from stress, as we have discussed in previous episodes. Steve believes the problem lies in how we define what goes with the job. CISOs go in afraid of being fired after a breach, but the industry has not accepted the fact that a breach will happen. Every CISO gets fired at some point, but Steve states that you should get fired for doing the right thing, not the wrong thing. He encourages CISOs to come into the job being clear about what is feasible and what is not: to explain that there is no perfect cure, but that we can reduce risk and build trust and credibility with the executives. Most of all, do not make promises you cannot keep.

On the topic of the relationship with executives, Steve encourages CISOs to get to know the leadership before there is a problem or breach, so they know who you are when it happens. Let them know why you are there and what is important to them, not to you, by focusing on business risks. Present these risks as you understand them, their impact, and the ways you can potentially mitigate them. To help buffer personal stress, he explains why the ultimate risk sits with the business itself and not with you, and how who you are is not the same as what you do.

What Steve Loves about the Job

While there are many stresses to the job, Steve brings up what he loves most about it. He feels stimulated by the constant challenges and loves the cybersecurity community. Listen to the episode to hear more about why this community means so much to him and why, in...