Scott Mathis has been a CPA, information systems auditor, information security and cyber security practitioner since 1995.
He is currently the CISO of RBC Bank US, the United States-based retail banking division of the Royal Bank of Canada (RBC), which is targeted toward Canadian snowbirds, expatriates, and frequent tourists.
In addition, he is the author of Good CISO vs Bad CISO: How to Measure Any Cybersecurity Risk Starting with the Form 10-K (1st ed., 2019).
Are there any common business roadblocks that prevent security practices from being implemented?
A good CISO is the CEO of their business/cyber initiatives. They take full responsibility and measure themselves in terms of the success of the business/cyber models and how they continue to evolve to reduce threat event probability and financial impact.
They are responsible for right business initiative/cyber initiative/right time and all that it entails. A good CISO knows the context going in (the company business models, business processes, revenue streams, solutions architecture, control environment, threat attack vectors, etc.), and they take responsibility for devising and executing a durable, available and secure plan (no excuses).
A bad CISO has lots of excuses. Terrible corporate culture, weak IT organization, destabilizing politics, not enough funding, stupid executive pet projects, politics, threat of the week, the engineering manager is an idiot, the other bank has 10 times as many engineers working on it, I’m overworked, I’m underpaid, I don’t get enough direction, blah-blah-blah. A good Board doesn’t make these kinds of excuses and neither should the CISO of an organization with reasonable cyber defenses and cyber initiatives.
When speaking the language of business to their boards, are there certain phrases CISOs should be using?
Good CISOs focus the board on cyber models and defense initiatives that stabilize revenues with zero down time and a durable technology infrastructure that prevents revenue loss.
Bad CISOs focus the board on how many technical features the security team is building. Good CISOs define good security health checks and metrics that can be executed with a strong effort. Bad CISOs define good security health checks and metrics that can’t be executed or let compliance build whatever they want (i.e. solve the compliance threat of the week).
Good CISOs decompose security problems without combining all problems into one. I keep it simple and clear and relate individual cyber issues to the two statements the board knows best, the Annual (Form 10-K) and Quarterly (Form 10-Q) Balance Sheet and Income Statements filed with the Securities and Exchange Commission (SEC).
The Board thinks in terms of delivering superior value to the marketplace and has a fiduciary responsibility to represent shareholders. To build a board-comfortable security performance health check and metric platform they can understand, I start with the Form 10-K and map the Trial Balance sheet to Business Processes and Revenue Streams documented in the Notes of the Financial Statements.
Per International Financial Reporting Standards (IFRS), all Business Processes and Revenue Streams with their quantitative results are required to be recorded here. Then, I map all Business Processes and Revenue Streams to systems/applications (Routers, Load Balancers, Server Instances, APIs, Data Storage containers and Databases) that support their respective business initiatives.
Finally, I use the FAIR Model to quantitatively and qualitatively assess the event probability and financial impact to the top five Revenue Streams that sustain the company’s business model for superior value and perfect product market fit.
Now you have a cybersecurity risk reporting model that the Board and Executive Management can relate to and leverage for efficient and scalable strategic decisions.
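The mapping and roll-up described in the three preceding answers, as an added worked example (not code from the interview or from the book): each revenue stream is tied to its business process and supporting systems, then scored with a simplified FAIR-style Monte Carlo (threat event frequency times vulnerability gives loss event frequency; loss magnitude per event is sampled separately) and ranked so the top streams can be reported as annualized loss exposure and as a share of the stream's revenue. All revenue figures, system names, frequencies and loss ranges are constructed placeholders, and the triangular distributions and the independence assumption between frequency and magnitude are simplifications chosen for the example.

```python
"""Simplified FAIR-style roll-up: revenue stream -> business process -> systems -> loss exposure.

Added example with constructed data; not a real bank's figures and not the FAIR
standard's full taxonomy (secondary loss, contact frequency, etc. are folded in).
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Triangular:
    """Min / most-likely / max estimate, as a risk workshop would elicit it."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def expected(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass
class RevenueStream:
    name: str                 # as named in the 10-K financial statement notes
    business_process: str     # the process that produces the revenue
    annual_revenue: float     # constructed, in dollars
    systems: list             # supporting systems from the mapping step (hypothetical names)
    tef: Triangular           # threat event frequency, events per year
    vulnerability: float      # P(threat event becomes a loss event)
    loss_per_event: Triangular  # loss magnitude per loss event, in dollars

    def analytic_ale(self) -> float:
        """Closed-form expected annualized loss, assuming independence of the factors."""
        return self.tef.expected() * self.vulnerability * self.loss_per_event.expected()


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(stream: RevenueStream, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years: mean ALE, 90th-percentile annual loss, share of revenue."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        lef = stream.tef.sample(rng) * stream.vulnerability      # loss event frequency this year
        events = poisson(rng, lef)                               # how many loss events occur
        annual_losses.append(sum(stream.loss_per_event.sample(rng) for _ in range(events)))
    annual_losses.sort()
    ale = mean(annual_losses)
    return {
        "stream": stream.name,
        "process": stream.business_process,
        "systems": stream.systems,
        "mean_ale": ale,
        "p90_annual_loss": annual_losses[int(0.9 * trials)],
        "ale_pct_of_revenue": 100.0 * ale / stream.annual_revenue,
    }


def rank_streams(streams: list, top_n: int = 5, trials: int = 20000) -> list:
    """Top-N revenue streams by mean annualized loss exposure, highest first."""
    results = [simulate(s, trials=trials, seed=i + 1) for i, s in enumerate(streams)]
    return sorted(results, key=lambda r: r["mean_ale"], reverse=True)[:top_n]


# Constructed sample: three revenue streams, their processes, and the systems they depend on.
STREAMS = [
    RevenueStream("Cross-border deposit accounts", "Deposit servicing", 120e6,
                  ["online-banking-portal", "api-gateway", "core-deposit-db"],
                  Triangular(4, 12, 30), 0.15, Triangular(50e3, 200e3, 1.5e6)),
    RevenueStream("Mortgage origination", "Loan origination", 60e6,
                  ["loan-origination-app", "document-store", "credit-bureau-api"],
                  Triangular(1, 3, 8), 0.25, Triangular(100e3, 400e3, 2.0e6)),
    RevenueStream("Card payments", "Card authorization", 80e6,
                  ["card-switch", "auth-load-balancer", "fraud-scoring-service"],
                  Triangular(10, 40, 100), 0.05, Triangular(20e3, 80e3, 500e3)),
]

if __name__ == "__main__":
    for r in rank_streams(STREAMS):
        print(f"{r['stream']:32s} ALE ${r['mean_ale']:>12,.0f}  "
              f"P90 ${r['p90_annual_loss']:>12,.0f}  {r['ale_pct_of_revenue']:.2f}% of revenue  "
              f"systems={r['systems']}")
```

The closed-form `analytic_ale` is a useful sanity check on the simulation, and the P90 column is usually the figure a board asks about once it has the mean, because it says how bad a plausible year looks rather than the average year.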
How can CISOs better understand a business’ needs?
Good CISOs don’t get all of their time sucked up by the various organizations that must work together to deliver the right cyber initiative for the business need at the right time. It is not ‘One Size Fits All’ for all business needs. They don’t take all the business team minutes, they don’t project manage the various functions, they are not gophers for project managers or engineering.
CISOs should be part of the product team, and they should manage the security initiative of the product team.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Good CISOs think about the threats that are actively attacking their environments. Bad CISOs worry about every possible threat or attack-vector feature story written by the press, even if it is technically accurate. Good CISOs ask the Security Operation Center team if the ‘hot off the press’ attack is actively attacking their environments. Bad CISOs assume that any press-referenced ‘attack of the week’ is actively attacking their environments.
Good CISOs focus on the actual, locally experienced attacks. Bad CISOs focus mostly on the externalities of the threats and never explain the obvious, that their in-depth cyber defenses have not detected an active attack. Good CISOs effectively communicate up the chain and to the entire organization when active threats are identified and detected. Bad CISOs focus on the ‘threat of the week’ and what they might do after attackers get into the environment without considering how the attacker might get into the environment in the first place.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
Good CISOs clearly comprehend and crisply define the target, the ‘what’ (as opposed to the how) and manage the delivery of the ‘what.’ Bad CISOs feel best about themselves when they figure out ‘how’. Good CISOs communicate crisply to product development and engineering in writing as well as verbally. Good CISOs don’t give direction informally. Good CISOs gather information informally. Collaborative new product teams don’t consider Good CISOs a ‘security resource.’ Good CISOs are the security counterpart of the new product team manager.
How could we address the perception of cybersecurity holding back the business?
Good CISOs create leverageable security FAQs and security presentations. Bad CISOs complain that they spend all day answering security questions for business teams and are swamped. Good CISOs anticipate the serious security flaws and build real solutions.
Bad CISOs put out fires all day. Good CISOs take written positions on important issues (security silver bullets, tough security architectural choices, tough security decisions, threats to attack or yield). Bad CISOs voice their opinion verbally and lament that the ‘powers that be’ won’t let it happen. Once bad CISOs fail, they point out that they predicted they would fail.