Episode 80

Cybersecurity in the Boardroom with Art Gilliland

EPISODE SUMMARY

Delinea CEO Art Gilliland joins the 401 Access Denied podcast to discuss how a Board of Directors approaches cybersecurity to protect its business. As CEO of a company specializing in Privileged Access Management, Art shares how a Board should consider security from a leadership perspective. We break down what actually goes on in corporate boardrooms, and how these decisions affect other business functions. Join us to get the inside scoop!


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and, subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a view on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm Joe Carson, the host of the episode, and it's a pleasure to be here with you. Really hoping that you'll get a lot of value out of today's session. It's a really exciting topic for me. It's something that I've been doing quite a bit of research on recently, and I've got an amazing guest coming back on the show. None other than Art Gilliland, who is the CEO at Delinea. So, Art, do you want to give us, the audience, a little bit of an update and background about you and what you do, and then we'll get into a deep dive on the topic?

Art Gilliland:

Sure. Great. Thank you, Joe. I really appreciate you having me on the podcast. It's good to see you again. So, folks, my name is Art Gilliland. I'm the CEO of Delinea, which is a privileged access management technology company. I've been in the security industry for about 24 years or so. Tripped over it by accident at a startup back in sort of the very late '90s, early 2000s and kind of fell in love with it and been here ever since and worked in big companies and tiny companies, and now here, running Delinea.

Joseph Carson:

Fantastic. One of the important ... Today's topic is a critical one. I mean, it's something that's been in the foreground and gets a lot of media coverage. There's a lot of discussion, and it's really about the importance of cybersecurity at the boardroom level. You have a lot of interactions with boardrooms. I'm assuming you do that on a frequent basis.

Art Gilliland:

Yeah.

Joseph Carson:

I just want to get, are you seeing it become more important? Is it becoming more discussed at the boardroom level? What types of discussions are they having? Can you reveal some of the insights of what does happen when you discuss security?

Art Gilliland:

Yeah. Absolutely. No question. So, I mean, my background here, obviously, I've been a CEO twice, and I've been on a couple of different boards, one public board and one private board. I will say over the last, probably five to seven years, security has really raised up to a conversation that you have. I think what I would say is we talk about, in my current board, we talk about security not just because we are a security company, but we talk about it as a risk mitigation and risk management in our audit committee. We talk about it in the general board session, probably every session. Definitely in the audit committee, we talk about it every session, which happens once a quarter, but for the broader board, we probably have a section on security every six months or so.

I think the driver of that is just how disruptive it's been. I think ransomware in particular has really raised the profile of security. It's not just about stealing customer data and having that be a problem for your customers. That's super important, but it's also the fact that now, they're disrupting operations as well. So, it's the risk to reputational loss, but then it's also, it could stop the company from functioning until you're able to pay. So, that level of disruption has really raised the profile of the discussion around security and how do you mitigate for it, how do you ensure for it, all of those different things.

Joseph Carson:

Absolutely. Yeah. We look at some of the incidents over the years, especially those ransomware cases, they can stop a company from running for weeks, even months. If you take the financial cost of turning your business off for two to three months, it can have a serious toll on the finances of the business itself. Some businesses even struggle to survive as a result of that. What type-

Art Gilliland:

Yeah, I mean, I think for larger companies, they tend to be a little more resilient, but for a smaller company, I mean if you stop operating for a couple weeks or a week because you're held ransom, I mean it can kill the company. So, I think that's definitely something that's on the minds of people that are not only running these companies but also that are governing them through the boards.

Joseph Carson:

Absolutely. At the boardroom level, what types of strategy discussions happen? What are the strategies that the board is expecting, or what types of things do they expect to measure? What data are they expecting to hear? Because one of the things I do find in some of the research we've been doing is that there usually is a bit of a misalignment in how we measure cybersecurity in the business and how we expect to translate that to the board. So, what things do you see at that level?

Art Gilliland:

Yeah, I mean I think the reality is as boards are becoming much more educated about how to talk about it, I mean, I think part of what is important in the discussion around this when you think about as a CISO or as you're growing up as a CISO, what is the board's job? I think it's important to keep in context what their job is. Their job is not to run the company. Their job is to provide oversight and governance to make sure that we're thinking about risk in the right way, and we're allocating our resources to manage it.

The reality is it's not about stopping everything that's impossible. So, the board is really there to ask questions about, what is your strategy? Have you thought about the risks to the company effectively? Then, give us an update on your progress towards getting to a place where you think as a company's, as leadership team is appropriate balancing of risk and cost and all of those things.

So, obviously, for certain regulated industries, it's a much higher bar or a much, I guess much lower risk tolerance. Then, other companies have a higher risk tolerance based on what the damage of a security incident could be. I think that's one part of it. So, that's part of what they're doing is, what's your plan? How are you tracking against your plan? What are the metrics that you think are appropriate? Then, there's a discussion around if those are adequate or not.

I think the other is then, what are the mitigating things that you're willing to do? So, big topic obviously now in the boardroom is cyber insurance, and how do you manage ... One, how do you get it? How much is it going to cost the organization? Then, are there things you can do to lower the cost but increase the protection of a cyber insurance event? So, that way, you think about averaging out the cost of a cyber event through insurance payments and others. That way, the spiciness of an actual event gets sort of flattened out, things like that.

Joseph Carson:

You can mitigate potential damage, so you do. You kind of level it off, so it's not such a big extreme at one go so ...

Art Gilliland:

Yeah. I think people are assuming that a cyber event is going to happen. So, now, insurance just helps you sort of flatten out the damage of an individual event, and so your company can tolerate that fluctuation and cost, if that makes sense. So, I'll pay $1,000 a month because I can't tolerate a 50,000 or $60,000 event. So, how do I make sure that I can sort of balance that out? I think that's why a lot of companies start to look at cyber insurance today.

Joseph Carson:

Absolutely. I remember years ago, some larger companies ... because cyber insurance wasn't something that was so common. Many large organizations, what they would do is they would take out ... almost become their own type of insurance company. They would take out cyber captives and take money aside and invest it. So, all of a sudden, they can leverage that when they need to. That money would grow over time when they don't have incidents, but it's almost like they've become their own insurance broker in some regards and that-

Art Gilliland:

Yeah. Yeah, self-insuring against these kinds of events or something. Yeah, no. I think that's ... Again, large companies can self-insure in a lot of different ways. I think smaller companies just have a much harder time doing that, being able to do that.

Joseph Carson:

Absolutely. Absolutely. One of the big concerns I had last year was when we did ... We did our own research on cyber insurance as well, and one of the concerns that was coming back was that some companies were taking cyber insurance as an alternative to security. That was a big concern for me because it's the financial safety net part of it. It's not the ... and the research came back and showed that companies who got cyber insurance became victims. Almost 80% of those surveyed had used their cyber insurance policy. Even half of those who'd used it once had used it multiple times. That was quite shocking, that we're looking at cyber insurance as almost like an alternative to security, but it should never be that. It should be complementary. I mean, when you're talking about cyber insurance, what type of approach do you take when you're looking to get insurance against cyber attacks?

Art Gilliland:

Yeah, yeah. So, look, I think the reality is the way that I think about it as a CEO and as a person managing a company, cyber insurance is a way to level out the potential burst of cost. It is not a replacement for the security programs we have. I mean, our business, because we provide security to customers, we have a pretty low tolerance for security risk because of that. So, we invest pretty significantly in making sure that our infrastructure is secure, that the processes we run around our infrastructure are secure, that we reference check our people, and we do all those things because that trust that our customers put in us to protect their most sensitive secrets is super critical to our business.

So, insurance for me is really more about helping us deal with any kind of burst of expense if we had to deal with an event, but I definitely don't want to use it. I think just having a security event of any significance would damage. Now, every company is dealing with security incidents all the time. We get attacked a lot, and so it's just, how are you managing the blocking and the stopping and the mitigation of those things in real time in your environment? So, that's kind of how I see it. It's a way to help manage the financial impact, not a replacement-

Joseph Carson:

Alternative. Yep.

Art Gilliland:

... in my mind for security infrastructure and security processes.

Joseph Carson:

Yeah. So, one of the things you mentioned earlier during what the boards and what's that communication impact and strategies, you mentioned it a bit about the mitigation side of things. How important is it from a resilience perspective? Because this is really where a lot of misalignments ... One of the things that I would say, we're no longer protecting computer systems today. We're protecting the business, we're protecting society because they're so aligned. They're so dependent and interlinked. What about the resiliency side of things? What do they expect from a business resiliency? What types of things are they looking for when you're reporting back into the board?

Art Gilliland:

Yeah. I'm going to answer your question, but I'm going to kind of go at a little bit roundabout if that's all right, Joe.

Joseph Carson:

Not a problem at all.

Art Gilliland:

I think one of the things that I would say the board cares a lot about and that also we talk about is, how do you practice? What is the practice that you do for the inevitability or for the potential eventual breach that occurs? I think it's really important to do those tabletop exercises. The reason I think that is there's a lot of little details. You just don't think about in terms of communication, in terms of recovery. I think part of that resiliency is making sure that you can respond really quickly and that you have an alternative plan for what you're going to do and how you're going to recover and what those pieces will look like.

I've lived through a couple of different pretty significant breaches in my career, as have some of the leadership team, not only as an advisor and a helper to companies that go through that as part of my job, but also just as a victim in some of the places I've worked before. Having practice really helps you be resilient, helps you find the pathways, understand what things you need to have pre-prepared as a way to get ready for what could happen to the company. I think that's a big part of the discussion that we have also at the board level around what is the plan? How do we think about that plan? How do we practice the plan? I think every time you do that, you learn something.

Joseph Carson:

Absolutely. Yep. One of the things, you're mentioning it, but that, for me, is the difference between having something like an incident response plan and being incident response ready. They are two very separate things. You can have a plan in place-

Art Gilliland:

Oh, very different. Yep.

Joseph Carson:

... sitting there, and you went through, and you've got all the inputs, and you've got the contact lists, you've got the different priorities, you've got how you're going to basically contain, but there's a big difference between being ready, actually having simulated it, having gone through it and what it is, what does it mean to, for example, collect disk images of all the machines? Do you have the disk space storage? When you're going into creating things like super timelines for forensics, what time zone are you working off? If you're a company that works across multiple time zones, what's your corporate time zone that you want to actually be-

Art Gilliland:

Yeah, what do you snap back to? Yeah, exactly.

Joseph Carson:

Exactly.

Art Gilliland:

It's interesting how a lot of those little tiny details, you don't think about them until you actually practice, and you're like, "Oh, yeah, we got to decide that." Obviously, I'm sure there's people watching this podcast going, "Yeah, yeah, yeah. I got that," but the reality is you're going to find something. You maybe have thought of those things, but you'll find something that you just don't realize, oh, I should have pre-negotiated my PR contract because I needed to find this person. Now, because I'm negotiating in real time, I'm going to pay a lot more, or I'm not going to get the terms I want. I mean, there's just so many little details like that that come up when these things actually happen that you want to get in front of.

Joseph Carson:

Absolutely. I mean, I think one of the ones I participated in, the last one, the thing that was missing was how to feed their incident response team. Where are they going to sleep, because they're working 24 hours, seven days a week around the clock? Where are they sleeping? Those were things that were not in the plan. It was like, okay, we-

Art Gilliland:

Yeah, of course not.

Joseph Carson:

Because we practice it nine to five. We didn't practice...-

Art Gilliland:

Especially now when you're in this world where everyone is virtual, doing these ... Like, when you're in a war room situation, it's actually better to be all together. It's way faster. Your decisions get done super fast and quick, and you have open lines. The reality is, okay, now, you have an incident response. Okay, you got to fly 16 people in because they're all the ones that are working on this. Where are they going to stay? How are they going to do this? Where are we going to support them? Where are you going to work?

Joseph Carson:

It does have a big toll on mental health as well. Most of the people I've seen working in incident ... in resiliency are thinking about even therapy and post-traumatic stress and stuff because these are people that are working that, not knowing if the company's going to survive or if they're to blame sometimes. Maybe they didn't configure some security control correctly or something. So, it is important for us to...

Art Gilliland:

It's interesting you bring that up. Our chief revenue officer, a guy named Dave Castignola, he was the point of contact for the RSA breach. So, he literally was the leader of the team of almost 200 people that, when they were going through that process, and he said a lot of the initial stage ... I mean, people thought the company was going to die, and so they went through this sort of really emotional process to try to save the company, and it takes a big mental toll, for sure. He tells a lot of really interesting stories about that and about the sort of results after and how people had to deal with that, what is essentially PTSD after those kinds of breaches.

Joseph Carson:

So, if we can go back into the boardroom side as well, who do they go to for advice? What is their kind of go-to for ... Some might sit on multiple organizations' boards. Some might be designated to one company. Where do they go for advice or to make sure that they understand they're doing the right thing or following best practices? Who are their advisors and consultants ... where do they go for that?

Art Gilliland:

Yeah. I mean, I think what I am seeing for sure is that a lot of boards are adding somebody to the board with security experience. So, for example, on Delinea's board, Myrna Soto is on our board. She is a CISO, been a CISO before, and now, she participates in boards. So, she's able to provide what I would call trusted, sort of separate from the company advice on and evaluating our process and our risk management skills and those things. So, I think a lot of boards are adding that skillset to the board. So, I think that's one place where they'd go and what they look for in that process.

They definitely are also asking auditors. So, whether it's PwC or E&Y or KPMG or all of these different audit companies also have security backgrounds, and they're getting advice from them. I see some boards doing that as an alternative. Then, the last area that I think has been pretty important and has been an evolutionary change inside of companies is that sort of independence or separation for the CISO. So, the CISO being able to report back to the board and have a separate and distinct relationship with board members outside of the chain of command and I think-

Joseph Carson:

Yep. That was interesting.

Art Gilliland:

... those are the three areas where I see the board getting its security advice, if you will.

Joseph Carson:

Yeah, that was interesting as you mentioned that because one of the things we looked at in the research recently was where people thought the CISO should report into because it's always a big debate.

Art Gilliland:

That's a hot topic, oh, for sure.

Joseph Carson:

It is a big debate in the industry. We're always going through this. Reporting into the CIO, is that a conflict of interest, or do organizations have a risk officer? Because ultimately, security is all about risk reduction. It's about resiliency. Is that the right place, or if the board and the CEO want to get something as a priority, do things move faster? Maybe they're falling a bit behind on their security strategy. Does that mean that the CISO should report directly into the CEO or also have a seat at the board level table? What are your thoughts on where ... Just interesting to see where you think this falls. This is always a big discussion.

Art Gilliland:

Yeah, I know. Look, I think there's trade-offs everywhere, to be honest. I think for a company like ours, we're not going to have a chief risk officer. I think, one, we're just not of the scale that can manage it. It's also, that's not a part of the sort of core of our business. We're not a regulated industry. We don't deal with that level of challenge. So, I will say that when I talk to customers, and I talk to a lot of customers, the vast majority of customers still have the CISO reporting through the CIO or the CTO. I agree with you. It's a little bit of the fox watching the henhouse kind of thing because there's a lot of security controls in there, but the reality is that so much of our infrastructure and the integration with the security controls is still IT-centric. It's just faster and more efficient to have those functions be together.

So, I think it's important for the CEO to recognize the challenge and have a relationship directly with the CISO and have the CISO be able to report independently of their chain of command. I think that is the most important thing to maintain, but for me, and where ... Our CISO reports in through the CIO, and the CIO then helps to think about infrastructure more broadly, but I also meet with our CISO on a monthly basis to keep track of the pieces and in fact, probably much more frequently than that in the time we're now. Just to make sure that we're on track with the projects, we've decided that we're keeping pace with the project design that we came up with and what improvements we need to make because the CISO's job in our company is not only the IT infrastructure and making sure we're protecting that, our internal guts, but also our product security and making sure that we're tracking to the metrics that we've committed to on the product security, that we have a responsible disclosure policy where when people send us vulnerabilities, we respond appropriately. So, there's a whole bunch of security elements that go into sort of how you secure an enterprise like ours.

Now, I have seen them report to a chief risk officer. You typically see that in regulated industries that have a chief risk officer. I have heard of CISOs reporting directly to the CEO. I'm personally not a fan of that because I think while security is important, I think I add less value to that process as a CEO. I think there's just more effective and more efficient places that it should be. Doesn't mean I don't care about it. Doesn't mean I don't lead on it, but it's not a direct function that I'm going to manage.

Joseph Carson:

Yep. That's very similar to the, actually, results that we got back from the research itself. It was very aligned to that, and that most did believe that the CIO was the right place as long as they have the autonomy in order to make sure that they're able to report back what the right things are to do.

Art Gilliland:

Sure. I mean, the interesting thing that I've seen, Joe, just as an aside to it is the evolving skillset of the CISO, and I would say that-

Joseph Carson:

That was another interesting ... That was another part of the research that we were actually looking at. What was the skill ... The traditional ... So, we're just going to ... We keep going back on that, is that the traditional background of the CISO was very technical. Their background's technical, not business. So, I'm just curious to see where you see the skillsets-

Art Gilliland:

Yeah. I think historically, I would say they came from two different places. There were certain CISOs that grew up through what I would call the IT world. Obviously, when I started 24 years ago, they were all network admins because that's really where security was. It was firewall security, and that was the only thing that security was. So, you saw a lot of that skill. So, a lot of the CISOs in the early days were this network security admin, that kind of skillset, or they came up through the technical ranks.

The other pathway that I saw come in is the audit and compliance side. So, they were policy CISOs more, and so they had technical CISOs. You had policy CISOs. That was kind of the beginnings of those functions. What I started to see probably about 10 years ago is companies rotate in more business-focused CIO types, and they'd rotate through that. I think the reason that that started happening, and I can think of a couple of different specific people, which I won't name on the podcast because I didn't ask their permission, but they were given a tour of duty through the CISO role primarily because they understood the business processes so well. They understood the infrastructure processes really well. When you think about the security challenge, it's understanding how to keep operations running but also understanding where all the potential connections are.

Joseph Carson:

Absolutely.

Art Gilliland:

So, I think you started seeing what I would call more business-minded, still IT people, still CIO kinds of folks but much more business-centric folks. That allowed the CISO to be more risk-centric because I think in the early days, the CISOs were the "no" team. You can't do that. It's going to create risk. Can't do that. That's going to be a problem and I think-

Joseph Carson:

The enforcers. Yeah, the enforcers.

Art Gilliland:

... the rotation in of those sort of more business-operations-minded folks were like, "We can do that, but if we do it this way, it'll be safer." So, it's much more about a business enablement function and less of a just sort of stop all the bad stuff from happening kind of world. That approach towards risk balancing, I think, is what I see in most CISOs today.

Joseph Carson:

Yeah. We're seeing the rise of the BISO, which is the business information security officer, where it's more of a person who might have good technical competency in their background, and they might have come from a compliance and auditing background but from a technical perspective. Maybe they were PCI, or maybe they were NIST or ISO compliance. So, they come from that background, but they're really focused around, how do they help business outcomes? What is the business resiliency? So, it's more of a focus around that alignment, where security is no longer just about stopping incidents, but when incidents happen, what's the actual domino effect on the business, and how do they make sure that they can actually keep those dominoes from falling to keep the business running? So, the BISO is something that we've seen on the rise, absolutely. We find that actually, the research that we've been conducting shows that organizations have a much better cybersecurity strategy when they align better to the business outcomes and business measurements.

Art Gilliland:

Right. Yeah. I might look at, I think it's the reality is it's a risk balance, right? You need to understand what it is you're trying to enable, what it is the business is trying to accomplish. I think if you balance that and you sort of augment the security elements around to keep those things going, keep that stuff happening at the speed that you need to be able to move in a business context, those are the best CISOs that I've seen. I do think that having a business context will bridge from the technology, I do think because security's still very technical in general, and I think it's important to either be technical yourself or have a real trusted technical number two because I think you got to weed through a lot of the noise of the security technology companies-

Joseph Carson:

Love the noise.

Art Gilliland:

... because we come up with all these cool whiz-bang things, and you got to be able to make that bridge to, okay, that's cool, but do I care? I think that combination of one-two, being technical enough to understand what they're talking about and then much more centered on what the business requirement is, I think, is key.

Joseph Carson:

Being able to translate it effectively is really the key there.

Art Gilliland:

Yeah.

Joseph Carson:

I think so. You mentioned a little bit about one thing we're great at in the security industry, which is creating buzzwords. What are the buzzwords in the boardroom at the moment? Are we hearing a lot of-

Art Gilliland:

Oh, God. There's so many. I think the one that hits the most now is zero trust. I think everybody's talking about this idea of zero trust and what is it, and how do you get it? Depending on which vendor you're talking to, they're pivoting it towards what they care about. So, I think the board is trying to get their head around what is that, and does that need to change the way we approach security or not? So, I think that's the big one.

Obviously, boards are hearing and reading in the newspaper about AI. I think that is another big topic, and how is it going to impact us? How should we think about it? I think companies like ours are all playing with and investigating, is it valuable? How do we use it? What are the threats it could create? So, I think obviously because of ChatGPT, that's in the news a lot. So, boards are going to ask about that, but definitely on the security side, zero trust is the buzzword for sure in my mind. So, that's been a big topic of conversation.

Joseph Carson:

Okay. Yeah, we always hear the buzzword bingo. There's always ...

Art Gilliland:

Always on.

Joseph Carson:

They're always-

Art Gilliland:

I mean, it'll be interesting to see what RSA ... obviously, going into the RSA conference here in a little bit. RSA always has a theme, and that'll be the buzzword bingo for this year.

Joseph Carson:

That's one of the things I always enjoy doing is when I go to the expo halls, I do buzzword bingo. I walk to booths, walk to halls. I'm always checking to see what's new, what's interesting and-

Art Gilliland:

One year, everybody did cloud. One year, everybody did analytics. I mean, we'll see what this year is.

Joseph Carson:

So, absolutely.

Art Gilliland:

Yeah, it'll be AI most definitely.

Joseph Carson:

I'm pretty sure. This is the challenge, is that the definition of AI is very broad as well. What I want to get us into is that in reality, what is it? Is it automation? Is there any self-intelligence coming out of it? Is it just algorithms? Do you need human intervention at the end as well? Do humans need to understand and make the decision ultimately whether there's a mitigation factor or whether something needs to happen or something kinetic at the end because, yeah, that-

Art Gilliland:

Yeah. No, I think for us, I think it's, how do you build stuff into your product that helps humans make decisions faster?

Joseph Carson:

Absolutely.

Art Gilliland:

Some things that are really rote and you can set a policy for, that's like threshold alerting. People call it AI, but it's probably just threshold management. I do think machine learning and getting the product to understand choices that a human has made in a certain circumstance can automate response faster, I think that's valuable to build into products, and so we try to do that. True AI in a security product, I think, is still a fantasy. That's the marketing language that people wrap around it, but it really is about decision making faster because it's all about speed and response.

Joseph Carson:

Completely agree.

Art Gilliland:

People set policies and evolve those policies as you learn more so ...

Joseph Carson:

Yeah, really for me, it's the machine learning aspect of things. It's the deep intelligence. It's about getting into natural language understanding. Those are the fundamentals, I think, where the technologies are really making a difference, and they need good algorithms. Sometimes what we're referring to as the AI is the algorithm, but it really comes down to how much good data you are putting in to get the right answers to the questions you're asking it.

Art Gilliland:

Right. I mean, I'm excited about the potential for it, for sure. I mean, look, we've been messing around a little bit with ChatGPT, and can you write connectors, and can you do some code building? I think what we've come to is those kinds of systems are really good at building the scaffolding or framework of code, but they're not very good at the detail. So, can we use those things and those tools to help accelerate the beginning parts of it, and then have our folks focus on the fine details? So, I think there's still going to be a lot of experimentation. There's going to be a lot of work around how you leverage it in what you do, but I think it's exciting. I think there's some real opportunity to accelerate and make technology easier and faster and more human language readable. So, expand the number of people that can actually interact with it.

Joseph Carson:

That's a great point.

Art Gilliland:

That, to me, is a super valuable thing if we can leverage it correctly.

Joseph Carson:

Absolutely. I've had the same experience as well. It creates a great outline or initial structure that needs a lot of personalization put into it, needs a lot of modifications to make it to the point where it becomes really usable, but it's great at creating that outline, that framework to start with.

Art Gilliland:

Yeah. I think so. I think it's quite good at that.

Joseph Carson:

Fantastic. So, what key takeaways would you have for anyone who's listening in that might be getting into a CISO position, or what types of skillsets or resources do you think might be good for them to be able to communicate to the boards better or to prepare? What things do you think that you would recommend those getting into those positions should start?

Art Gilliland:

So many things. Look, I think if you are an aspiring CISO or you're moving into that role, I think one of the most important things you can do is join the communities. Engage with other CISOs. Make sure that you have that friend network that you trust that you can share confidential things with in real time. I think that, to me, that building that network of connections, I think, is super critical because you guys need each other, and it's a community of folks that are going to help. So, that would be step one.

Step two is when you're interviewing for or looking for these jobs, I would be testing really closely how much access you think you're going to be given and what that hierarchy is going to feel like when you're there. It's less important who you were put to. It's more important what that dynamic is going to be when you're in there. So, access to the CEO, access to the board, I think, is super critical to be able to do your job effectively and hold the organization accountable. So, I think making sure you feel comfortable with that.

So, those would be two big things off the top of my head. I think the last thing that I would just offer up is your world is super technical and detailed and down into the regulations and your mapping to controls and things like that. Your board doesn't think like that. They want red, yellow, green lights. They want to know progress towards success. So, being able to, in an effective way, capture all of that detail that you have and provide it to the board so they can focus in the right areas is super critical. So, whether that is taking classes on writing or communication skills, it's a super important part of your job because you have about 15 minutes to help communicate effectively what you need in those boardrooms. There are some boards that will spend more time. If you have an hour on the board agenda, that's too much because people will stop paying attention. They just will.

Joseph Carson:

Yeah, because it's not what they do every day. Yeah.

Art Gilliland:

They're not the experts. When you have an hour, you're going to fill it with stuff that can ... they're already thinking about board number two or lunch or who knows, whatever. I don't mean that in a pejorative way, but these boards are super effective and intelligent people. It's just the tolerance for that much into the guts of a company isn't what their job is. Their job is governance. So, helping them govern through, are you on track, are you thinking about the right areas of risk, putting it in big animal pictures is a super important part of your job, and then managing all that detail underneath it with your team.

So, those are the big things, I would say, is understand your network and build that. Make sure you understand the dynamics of your access because that's going to make it so you can be successful or not in the company. Be able to communicate super clean and clear, and then build a team that can help you manage the details. Those would be my pieces of advice.

Joseph Carson:

I think that's fantastic actually. So, I think that's probably so valuable. A lot of people will get, those listening in, really great insights, and it will really help them understand more things. If they are good in certain areas, it at least gives them areas they can enhance on. Obviously for me-

Art Gilliland:

Yeah. Everybody's going to know where their skills are. You got to build around your skills, and if you're not that writer person, make sure you have one. Find somebody ...

Joseph Carson:

Find somebody who can help you.

Art Gilliland:

Exactly.

Joseph Carson:

So, this has been awesome. This has been really ... It's almost like a little bit of a sneak peek into what happens in the cybersecurity at the board level and some of the priorities and some of the areas of focus. So, thank you, Art. It's been fantastic.

Art Gilliland:

That's my pleasure, Joe.

Joseph Carson:

This is really insightful. I think that for those who are aspiring CISOs, this is a must-watch episode now, for sure.

Art Gilliland:

Great. Well, thank you very much. I appreciate being invited to the show. I like doing it.

Joseph Carson:

Absolutely. We should have you more often. I think it's been a while since we had you on.

Art Gilliland:

Happy to.

Joseph Carson:

So ...

Art Gilliland:

Yeah, happy to. Happy to.

Joseph Carson:

So, I'll take advantage of that. So, for everyone, great having Art on. Definitely tune in every two weeks for the 401 Access Denied Podcast, really bringing you amazing, talented guests and insights and resources to really help you map out your path to a great future and to hopefully a safer society. Let's make sure we reduce and make the world a safer place. So, thank you. Take care. Stay safe and all the best.

Art Gilliland:

Awesome. Bye-bye.