Managing Risk While Building Trust in a Post-Breach Environment
The New CISO - A podcast by Steve Moore - Joi
On today’s episode, Charlie McNerney discusses shared responsibility in cybersecurity, the idea of trust, and how diagnosing a problem before treating it has aided him in his career.

Early Retirement and Intellectual Income

After working 25 years at Microsoft, Charlie retired early. Six months later—after getting a boat and a dog—he found himself bored and seeking what he calls an “intellectual income experience.” After a phone call from a friend, Charlie ended up consulting for Expedia Group, and eventually came on as a full-time CISO. Listen to the episode to hear more about what an intellectual income is and what it means to Charlie.

Shared Responsibility

In setting up Expedia to understand what they need in a CISO, Charlie had to encourage them to question whether they understood their current risk posture, and who was responsible for risk. He delves into how a company can value risk and actively try to understand it, as the Expedia Group does, but still wonder who certain tasks fall to. Charlie relays how imperative it is to convey that everyone shares the responsibility for risk. We discuss the importance of recognizing how anyone can impact risk and how the security team needs to articulate this to the rest of the company.

Trust in a Company

Charlie also touches on how every company is now at risk from hackers or breaches, as every company is now a tech company. As a result, trust in the company, whether from customers, suppliers, or between employees, is so important. In order to be effective, the security team needs the support and trust of the rest of the company, especially from company boards. If boards can value the trust in the company and understand how that impacts finances, then security can be more effective.

The Medical Model for Security

Charlie believes in following the medical model in his approach to cybersecurity. What he means by this is to copy the way doctors tackle illness: symptoms, diagnosis, treatment, recovery. If you treat a problem before you diagnose it, that leads to malpractice—the same applies to security. When you discover symptoms, you need to put the security risk in terms of the business’s transactions, not in abstract terms of risk. Charlie encourages the CISO not to sensationalize and scare people until you actually know what’s going on.

Building Trust During a Crisis

As we’ve discussed before on this podcast, having a playbook before there’s a crisis is imperative. What Charlie points out is also making sure everyone is aware of the playbook and comprehends it before a breach. His advice for a CISO during a breach: focus on data and don’t feed into fear. In addition, it’s important to communicate properly with other teams within the company. Listen on to hear what Charlie believes security teams need to convey to other departments in the business.

Competition and Cooperation

Charlie reflects on what advice he would’ve given his younger self. To him, when you’re younger and trying to understand your position in the company, you can get competitive with yourself and others. When you’re in that competitive mindset, you miss out on the cooperative mode. Charlie delves into how focusing on a title can cost you relationships that you will need later. He shares his advice for how to be collaborative with others and how to have better emotional intelligence. Listen on to hear more about why cooperation is better than competition in the workplace.

Being a Respectful Leader and Finding Respectful Leadership

In this episode, we converse on how you need to love what you do, and how, even if you enjoy your job, if you hate your boss, you’ll hate your days. Charlie disagrees with the mentality of living for the weekend. Hear what else he has to say on the significance of work culture.

Legacy in Leadership

Charlie brings up being...