Bryan Kissinger Answers Your Business Minded CISO Questions

CISO Interviews, Bryan Kissinger

Bryan Kissinger, CISO for Trace3, recently presented “The Business Minded CISO.” Bryan’s presentation generated lots of great questions, which he graciously answered below. If you missed his presentation or would like to watch it again, you can view it below.

How do you overcome the "just good enough" mentality with regards to securing one’s environment?
Great question. You need to negotiate where you can accept “good enough” and fight battles where you need a top-notch solution. As an example, I was fine with a “good enough” MDM solution on mobile phones. By contrast, I wanted the best DLP, SIEM and firewalls we could afford. I earned credibility among the budget allocators by going cheap in some areas and going for the best in others.

Which business metrics should a CISO prioritize?
Managing your budget and demonstrating ROI for security investments are the most important. I always try to give money back at the end of the fiscal year, which earns you trust and credibility with your senior leaders. Another important metric is efficacy of your security tooling. For example, be able to prove that your EDR platform catches a high percentage of exploits and performs as expected.

Should companies combine the cybersecurity and privacy functions?
Privacy and security could come together in a single role or department. If they don’t, these interdependent functions must be closely aligned. I have always worked very closely with my privacy counterparts. In one of my roles, I had responsibility for both privacy and security and, while it was a lot of work, it provided me with a full picture.

How do you define a successful hire?
I like to hire “athletes.” They don’t need to know everything about the role, but they have to be energetic, passionate, willing to learn, and team players. You can teach smart, energetic people anything. Find a candidate with those qualities and then take good care of them. Most managers make the mistake of propping up low performers. Do the opposite. Spend the bulk of your time motivating and taking care of your best people. The poor performers will end up leaving anyway.

How do you address the board following a breach?
You address them honestly, accurately, and calmly. Most boards know it’s not a matter of if, but when, you will have a breach. The board wants to see you have the situation under control and that you have a plan. Don’t be afraid to ask for help and keep them in the loop as you make progress on remediation.

What do you recommend CISOs do to manage the data exfiltration risk posed by personal cloud storage?
Apply outbound security controls to prevent data leakage to these sites. The web isolation platform I implemented had the ability to prevent users from attaching or uploading files to these sites. Also, endpoint DLP and web isolation solutions prevent leakage based on policies and rules you implement.

Should a CISO report to the CIO, or maybe the BOD?
I discussed this on the call; however, the answer ultimately depends on the company’s maturity.

Business Minded CISO

If you enjoyed this webinar, be sure to visit Second Thursdays for other great cybersecurity webinars.
