Former CISO on what boards are getting wrong about data protection and privacy
IN BRIEF
- “We had two well-known CISOs with two very public companies charged with felonies through the SEC, which led to the cybersecurity disclosure rule being implemented after the first one. That sent shockwaves through the CISO industry.”
- “It’s the compliance frameworks that take the majority of our time and if you ask any experienced CISO, they’ll tell you, once the tech is installed and optimized, we spend the majority of our time on compliance and data privacy.”
- “I do think that the executives and the boards understand the importance of data and how to use it, but I think where they fall short is really in the investments of strategizing and securing the information and giving even the technology or the engineering teams what they need to make sure that that data is sound.”
In this VISION by Protiviti interview, Joe Kornik, Editor-in-Chief of VISION by Protiviti, sits down with Sue Bergamo. Bergamo is an executive advisor, former CIO, CISO, and Global Technology Strategist for Microsoft. She sits on several boards, is host of the Short Takes podcast and author of So You Want to Be a CISO: A Practical Guide to Becoming a Successful Cybersecurity Leader. Here, Bergamo discusses recent SEC rulings and their impacts on the current and future state of the CISO role, how the C-suite and boards view data governance and privacy, and what steps they should be taking right now to build customer trust.
In this interview:
0:57 – The CISO role in a state of flux
4:20 – The effect of the SEC’s cyber disclosure rule
7:39 – Is there a playbook for privacy?
10:20 – Will companies get it right for their customers?
Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m thrilled to welcome Sue Bergamo to the program. Sue is an executive advisor, former CIO, CISO, and global technology strategist from Microsoft. She sits on several boards, is host of the Short Takes podcast, and author of “So, You Want to be a CISO: A practical guide to becoming a successful cybersecurity leader.” Sue, thank you so much for joining me today.
Sue Bergamo: Thank you for having me. It’s a pleasure to be here.
Kornik: First off, Sue, let’s talk about the state of the CISO. As you point out in your book, which I mentioned in the intro, “So, You Want to be a CISO,” the position is really in a state of flux right now. So, talk to me a little bit about where the CISO is right now and how it’s changing, and if you think it will continue to be a critical part of the executive team going forward.
Bergamo: I like to use the term evolution because we’re in a position that I hope will evolve to a better state in the future. Just like the CIO role about 20 years ago, it had to go through some ebbs and flows and finally, it came out at the end of the tunnel in a much better spot. Everyone was very much aware of what the CIO needed and wanted to do, which was really around our back office applications for our infrastructure that run our corporations.
The CISO role is going through that evolution and unfortunately, right now, it’s in a really ugly spot. I’m hopeful that it will come out a little bit better. What’s going on in the industry is the SEC’s cyber disclosure rule that came into effect late last year, which basically said the CISO does not need to report to the board, but the board and the executive team need to be aware of cyber incidents. So, what ended up happening with that—and I can go into more elaboration around two CISOs that were charged with felonies for material breaches that happened in the past—but what happened with that is that—this is my opinion based on what I see and what I know—executive teams decided that CISOs weren’t really needed. A lot of the CISOs said, “We’re not going to put up with these personal liabilities.” So, a lot of us left our positions and then there were a whole bunch of us that lost their jobs because the SEC, the cyber disclosure rule, talked about awareness. They didn’t put the CISO on the board, but they talked about awareness with incidents.
So, what has transpired is—and I don’t mean this with any disrespect to SecOps managers—but inexperienced, from a CISO perspective, SecOps managers, the security operations people, are put into the role of head of security. Sometimes CISO, but mostly head of security because they deal with incident response. Now, the dirty little secret in most organizations is that when an incident occurs, the SecOps manager has a major role in that breach, defending against the breach, but they’re really there to tell the CISO where the threat is coming from. They are not there to lead the band. They’re only there for a very specific focus. So, I see this convergence of inexperienced people and cyber criminals and we’ll see what the future brings, but I do hope that when this evolution comes to fruition the CISO will be put into a much better position, much better light with the executive team.
Kornik: You mentioned those SEC decisions and regulations. I don’t know if you want to expand on that at all or talk more specifically about where CISOs find themselves between a rock and a hard place right now.
Bergamo: Yes. There are really three types of CISOs. There’s the very inexperienced one that’s just coming into the role, not really sure what they’re doing. Again, it’s not a dig. They have to learn and they’re going to learn the hard way. There’s the middle-of-the-road, as I call it. They’re more experienced than the inexperienced ones, but they’re still trying to find their spot in the position. Then there’s the experts who were exiting. So, a lot of CISOs on the inexperienced and middle-of-the-road side believe that our jobs are really about the technology, and that is so far from the truth. The experienced ones know that we follow something called the triad: it’s confidentiality, integrity, and availability. We do that, we accomplish the triad, through people, process, and technology. People obviously are employees, process is security frameworks and controls, and then the tech. Once you get the tech up and running and optimized for efficiencies so it’s giving you the data that you need in order to defend your companies, the tech is the easy part. It changes all the time, but that’s the easy part. It’s the compliance frameworks that take the majority of our time and if you ask any experienced CISO, they’ll tell you, once the tech is installed and optimized, we spend the majority of our time on compliance and data privacy. The newbies, as I refer to them, sometimes we have to explain this to them and explain why compliance and data privacy are so important.
So, it’s a little bit of a mess out there right now and then you throw in the personal liability. Let me just expand upon that for a moment. We had two well-known CISOs with two public, very public companies—I won’t mention their names—charged with felonies through the SEC, which led to the cybersecurity disclosure rule being implemented after the first one. The second one fell into that disclosure rule. That sent shockwaves. Not just waves, but shockwaves through the CISO industry and we’re just sitting here saying to ourselves, “Holy cow.” A lot of us don’t have a lot of support because everybody thinks cyber is our problem and not theirs. It takes a village to defend a company against cyber attackers. Now, we’re being held personally responsible, with felony charges and potential jail time, so we’re all saying to ourselves, “I don’t think so,” which is why there’s a huge influx of us getting out of the role.
Kornik: Right. So, let’s talk a little bit more about the strategic role of the CISO or where that falls in the organization. Let’s talk specifically about data governance and protecting privacy. How do the companies that do it best do it? In your experience, do they have chief privacy officers or chief data officers? Is there a playbook that business leaders should be following to really make sure that they’re getting this right?
Bergamo: I wish there was a playbook, but there isn’t. So, I think that’s half of the battle because everyone has a cellphone or a computer, and everyone feels that they know technology and they know data. This is a very specialized field. The CIO—I’ll just say tech and security—it’s a very specialized field. I’ve been fortunate enough to have both roles and yes, everyone always has an opinion on how we can do our jobs better, but this is our craft, and we have all kinds of different education or certifications. There’s no one thing that anyone can point to and no one game plan. But good C-level tech and security executives are well-rounded. We study. We research. We get involved and we understand how to protect data. Now that AI is coming out, we have a whole new set of technologies that we need to encompass into our program. So, it’s about staying involved and understanding what we need to do to protect the data.
Kornik: When you’re in those conversations with the C-Suite, the boards, and the business leaders, do you think they understand the importance, not just the compliance and the governance aspect of this, but maybe the business importance of data privacy and what that means ultimately to building customer trust in the business and the bottom line?
Bergamo: I do think that everyone understands that data matters and that data is important to running the business. I mean, every business needs information in order to make good decisions and to process customer requests, B2B requests, employee requests. It’s all data driven and so is it given enough limelight? It depends on the size of the company. I do think that the executives and the boards understand the importance of data and how to use it, but I think where they fall short is really in the investments of strategizing and securing the information and giving even the technology or the engineering teams what they need to make sure that that data is sound.
Kornik: Right, and that’s an interesting perspective I would say from the company side. How confident are you that we’ll get this right for the customer, the client, the consumer? Are you optimistic that they’ll be better off over the next several years?
Bergamo: I’m always optimistic. The sun’s always shining in my world, right? Data is the stronghold of every company. From managing the most—my new piece of information all the way to executive reporting. Everybody’s processing information. So, I think with some of the technologies that are coming out either through public cloud vendors or through artificial intelligence, I think that the data and the ability to gather data is just going to be better in the future.
Kornik: Well, Sue, you said you’re an optimist. So, I’m going to leave you with this final question where I ask you to look out a few years. Maybe the end of the decade, let’s say 2030. Where do you think we’ll be in terms of privacy, data privacy? Do you think 2030 is a better place than where we are currently?
Bergamo: Well, we can only get better with time, right? Kind of like a fine wine. So, I’m optimistic that material breaches will continue to happen fast and furiously and finally, our business brothers and sisters will wake up and say, “Oh, I need to be responsible for security too. I need to be responsible to help the CISO or the CIO, or whoever, with my data problems. Maybe I should get more involved.” So, I am optimistic that eventually the tables will turn. I think it’s going to take a little bit more time but 2030, sure, I’ll go with that.
Kornik: Great. Well, thanks so much for the time today, Sue, and the insights. I really enjoyed our conversation.
Bergamo: Thank you, Joe. I appreciate you having me.
Kornik: And thank you for watching the VISION by Protiviti interview. On behalf of Sue Bergamo, I’m Joe Kornik. We’ll see you next time.