Leadership Related Articles

EPISODE

From Technical Expert to Strategic Leader: Gary Hayslip on the CISO's Evolution

Gary Hayslip

29 minutes

Jul 14, 2024

Subscribe on Apple

Subscribe on Spotify

Subscribe RSS Feed and More

From Technical Expert to Strategic Leader: Gary Hayslip on the CISO's Evolution

Interview Highlights

In the fast-paced digital landscape of today, the role of Chief Information Security Officers (CISOs) has emerged as a linchpin in safeguarding organizations against cyber threats.

In this episode, Gary Hayslip, a seasoned CISO, delved into the evolving nature of this critical role, emphasizing its transition from technical expertise to strategic leadership.

Here, we explore the invaluable insights shared by Hayslip, shedding light on the multifaceted responsibilities and challenges faced by CISOs.

The Dynamic Role of CISOs:

Hayslip underscores the diverse nature of the CISO role, which varies across different organizations.

No longer confined to the realm of technical expertise, CISOs are now regarded as business executives tasked with managing risks using a combination of technology, processes, and people.

With technology becoming increasingly integrated into businesses, the visibility and significance of the CISO role have soared, necessitating a broader skill set beyond technical prowess.

Reporting Structure and Ethical Concerns:

Traditionally, CISOs often reported to Chief Information Officers (CIOs), raising concerns about conflicts of interest due to the inherent differences in their mandates.

However, Hayslip highlights the importance of integrating CISOs into the executive team, irrespective of their reporting structure, to ensure effective collaboration and alignment of security strategies with broader business objectives.

Moreover, in regulated sectors like finance, separating the reporting lines between security and IT executives is deemed crucial to mitigate ethical risks.

Title and Perceptions:

The significance of the "Chief" title in a CISO's designation cannot be overstated. It symbolizes not only a mark of maturity but also underscores the executive-level responsibilities and accountabilities associated with the role. Externally, the title enhances the organization's credibility and signifies a commitment to cybersecurity at the highest level, thereby instilling confidence among stakeholders.

Cross-Functional Collaboration:

Effective collaboration across diverse departments such as IT, legal, HR, and compliance is paramount for CISOs. Developing strong partnerships and fostering a culture of collaboration enables CISOs to align security strategies with broader organizational goals, ensuring a cohesive approach to risk management.

Navigating Regulatory Demands:

The proliferation of regulatory requirements, particularly in sectors like finance, poses both challenges and opportunities for CISOs. While compliance mandates necessitate rigorous adherence to standards, they also serve as catalysts for innovation and resilience. CISOs must stay abreast of evolving regulations, collaborate with stakeholders, and implement robust frameworks to ensure compliance without stifling innovation.

‍

Integrating AI in Cybersecurity:

Hayslip advocates for a balanced approach to integrating Artificial Intelligence (AI) tools in cybersecurity, viewing them as both a risk and an opportunity. While AI offers immense potential in enhancing threat detection and response capabilities, it also introduces new challenges related to ethics, bias, and data privacy. CISOs must develop comprehensive strategies for AI adoption, encompassing policy development, staff training, and risk management protocols.

Advice for Aspiring CISOs and Organizations:

For aspiring CISOs, Hayslip emphasizes the importance of acquiring diverse experiences spanning technology, risk management, and business operations. Cultivating essential soft skills such as strategic thinking, effective communication, and cross-functional collaboration is equally crucial for success in this dynamic role. Additionally, organizations seeking to hire CISOs are urged to focus on candidates' potential for growth and alignment with long-term strategic objectives, rather than rigidly adhering to checklist qualifications.

Conclusion:

In an era marked by relentless digital transformation and escalating cyber threats, the role of Chief Information Security Officers has never been more critical. By embracing strategic leadership, fostering cross-functional collaboration, and navigating regulatory complexities, CISOs can effectively safeguard organizations against evolving cyber risks while driving innovation and resilience. With insights from seasoned leaders like Gary Hayslip, the path to success in cybersecurity leadership becomes clearer, paving the way for a more secure digital future.

Official Transcript

100% of fortune 500 companies employed a Cisco are an equivalent role in 2023. If a company is unfamiliar with the role of a C I S O A chief information security officer, it risks lacking the strategic leadership necessary to safeguard its digital assets and infrastructure from increasing sophisticated cyber threats.

This oversight can lead to vulnerabilities and security potentially resulting in significant data breaches, financial losses, and damage to the company's reputation. In an era where cyber resilience is a key component of business continuity.

A Cisco plays a critical role in maintaining trust and confidence among stakeholders, customers and partners by demonstrating a commitment to security. Failure to recognize and empower this role can leave organizations unprepared in the face of potential cyber crises.

Today, we will learn all we need to know about a Cisco from Gary Haislip, Chief Information Security Officer at Softbank Investment Advisors.

Gary, welcome to the show.

Gary Hayslip: Thank you for having me.

‍

Gary, what is the CISO roll an acronym for Chief Information Security Officer actually do?

‍Gary Hayslip: Each business that has one uses them differently. It isn't like they're set.

For example, there's some type of former of this role that's pretty much failed in every organization today that conducts business using technologies or services connected to the internet. So the role itself is very varied. I like to look at it as they are business executives, that manage risk using technology people processes, and that sort of core role for the company.

‍

And how has the role evolved during your tenure and cybersecurity?

Gary Hayslip: What I've seen is it used to be extremely technical. And it used to be one of those roles that would be buried down in the hierarchy of managers and stuff fell within a company. Over the years though, as technology has become more integrated within businesses, the role itself has become more visible. And as attacks and threats and stuff have impacted businesses and operations in revenue, the role has really become more visible.

And what you're finding out is organizations now when they hire for somebody for that role, they just don't look for someone to have technical knowledge. They're also looking for people that have soft skills, they can be partners, can they integrate with other departments that are non technical. Can they operate in a business environment? And so you're seeing the role shift dramatically, honestly, over the last five years.

‍

In many organizations, you might see security roll up into a CIO, Chief Information Officer. So how is this role different and why is it important at the executive level?

Gary Hayslip (03:19): Reporting to the CIO is actually common today.

About 60% of the CISOs still report to CIOs, but many now are reporting to the CEO, CFO, CTOs. It's pretty much across the gamut, the other reporting to some executive. There are concerns that with the CISO and reporting to a CIO, because the CISOs mandate is to monitor remediate technical risks and CIOs, job really is to use technology to provide services on a daily basis. So it's kind of like one is providing services, and the other one is managing the risks of those services.

So if you've got someone that's supposed to be managing that risk, how do you report to the person that's causing that risk? And so there's been some discussions that sounds like that's an ethical issue that really shouldn't be happening. And in some sectors, like financial services, if you're regulated, it's actually supposed to be split.

The security executives cannot report to the IT executives, they are supposed to be separate, because they're worried about that ethics issue about that management of risk. But outside of that, pretty much almost all CISOs report to either the CIO or one of the other executives.

Gary Hayslip (04:31): And the other part of your question, why is this becoming more important now at the executive level? The big thing about somebody who was in the CISO role, cybersecurity impacts the business. How are you going to deploy it? How are you going to use it? Yeah, whether it's cloud whether it's on premise within the business within their own data centers, cybersecurity impacts, you do not do cybersecurity without causing some type of change, to protect the business, some type of change to protecting revenue streams, some type of change there to help an M&A process that's out of impact.

And that kind of good or bad to the business, you want to be talking to executives, you want to be part of the executive process, they want to have insight into what you're doing, and what projects you're working on. And while you're doing things, and at the same time, you want to have that type of contact, so you can get things done.

And the reason I say that is, one of the biggest things that CISOs have a problem with is business culture. The organization itself will push back on change that you're trying to do, the organization that you're trying to protect, they don't want to change, they like doing things the way it's always been this way.

I don't want to make changes; I like doing it this way. What do you mean, the SEC says you have to do this? What do you mean, you want to go in and do ISO 27,001, I don't care. This is the way I've always done it. And I've been here five years, why should I have to change? So you need that executive, kind of those executive connections, to make to get things done. And at the same time to kind of give you the bullet shield, to fight off all the stuff that's going to be thrown your way, but also to help you as a business executive understand culture, and how you fit into it. And how you can build trust and how you can partner with your non-technical executives in the other departments, your non-technical stakeholders that you have to serve that you have to provide services.

So it's really critical CISOs will have to be part of the executive team to be effective. And they will report to some executive, whether it's the CIO, or whether it's some other C-suite member, it's become quite common today, that it's going to be somebody with a C in the title.

Felicia Shakiba: So it's about making that shift at the top in order for the activities or responsibilities in order to really take place.

My second question or follow up question to that is how does the title of CISO, as opposed to a Director or a VP of Security really influenced the perceptions both within and outside the organization?

Gary Hayslip (07:10): Oh, yeah, peers of mine that are trying to get the title and try to get the Chief Information Security Officer role. Honestly, what ends up happening is that there's a career progression, if you get into cybersecurity, and the more you progress, and the more senior you get to the point to where you're a manager or a director, and then eventually you're up for the CISO title. I look at it as you mature as an executive, until you finally get the CISO role. And it's an acknowledgement of the business that they're taking cyber seriously. It's an acknowledgment of the business that you are an executive.

And at that level of maturity, you get it both positive and negative, you get the remit that you're going to make change that you've got the budget that you've got people, but you also are going to be held accountable. You-also if things go wrong, and it's found through negligence or something on your end that you didn't do things right, you will be held accountable, which means it's probably going to be a resume generating event and you're going to be calling out, you'll probably be on out the door, because it's part of you earning that title, why it's important.

On the outside, I have found when you're dealing with vendors, when you're dealing with customers and suppliers, when you're dealing with third parties, there's a big difference of I'm just the VP of information security, or I'm the Chief Information Security Officer. If you're the Chief Information Security Officer, it's like you're the CFO, or you're the Chief Operating Officer, or you're the CEO, it's a title, it's a letter of, I guess you'd say a mark of maturity or an executive mark of where you're at.

If I look at a company, and they've got a CISO, I know from a standpoint within the company, that their security programs and matured enough to the point to where the board and the C-suite has acknowledged that we need somebody with that title.

And they typically will have directors and officers insurance, they typically will be reporting to the board, they will obviously have some type of budget some type of security team for me it is when you start getting to that level, where you have that title, there is more of a business executive mentality around it besides just being a manager. For me the difference between being like a security manager or a VP of Information Security, and being a Chief Information Security Officer is really. Once you have that C-title, you're a business executive, and you're treated as such, and you're going to be held accountable as such. And it's also the way it's viewed on externally as well. When people look at the organization, they're looking at the company as being mature to the point where they have C level executives.

‍

And so those conversations are being at the top of the organization. Those are the things and responsibilities and knowledge that executives need to have in order to secure the business, essentially.

Gary Hayslip: Yes, and that's the reason why I think by the time that you get to as a security executive, by the time that you get to where you're getting the CISO role, that's where you need to actually start having more of the business acumen more of the business chops per se, to be able to operate within organizations, I'd recommend to some of my peers who are getting their first CISO role, that they have a mentor within the business, to help them better understand how to report to the board and be more effective when they are reporting to the board. And they're going up to ask or something I also talked to them about, there's gonna be more expected of you and your communication styles.

And the way you do reports and the way that you do budget and the specific things you ask for, there's going to be more that's going to be expected of you, when you put your slide decks together and your briefing, the baseline risk of the company and threats and stuff like that. But there's things that you can get away with as a manager that you won't get it as like a security manager, because you're low level and you're buried five levels down, you're not going to get away with that when or a Chief Information Security Officer. Because you're a business executive, you're expected to go ahead and have a level of maturity and understand the business and operations and where revenue is coming from.

And some departments are more important than others. Some data at some technology is more important than others because they generate money for the company, or there's significant regulatory risk around specific operations are around specific partners, or significant contractual risks. You need to know these things as the Chief Information Security Officer and you should care about them. Because your program is going to be intertwined in managing and monitoring for the business.

Felicia Shakiba: And in most executive roles, there is this certain expectation around cross cultural collaboration and cross functional collaboration.

How do you ensure alignment on security strategies across diverse key departments such as IT, legal, HR, compliance?

Gary Hayslip (12:04): Yeah, that is- once you're at the CISO role, that is key. In fact, I know numerous systems when they interview that the first couple of questions is around technology. They pretty much know from a technical standpoint, its table stakes, you got it. Otherwise, you wouldn't be there at the table doing the interview. When you're doing the interview, they are expecting you get the technical things that are going to be needed, the other 70% is all about fit. The other 70% is that are you going to be able to partner with your non-technical stakeholders, like legal and compliance in an audit? And they're going to ask you give us examples of projects or give us examples of specific things you have done with these other types of departments.

It's a very large, business focused view of how you operate as an executive. And I spend a lot of time talking with them, and mentoring CISOs, who are between their first and third roles, they got their first role, and maybe down the road for their second they're getting more senior, or they're in their second role. And they just got their first large CISO roll, and what's going to be expected of them? How am I going to operate?

And I recommend that they take a class or two, or have a mentor, who is a business executive who's not a CISO, but has been a previous CEO or previous CFO or something like that's been a business executive and a company or two the help you understand how you're going to operate.

And what I mean by that is, how do you communicate? How do you work and collaborate with people across the various departments? Are you easy to work with? Do you deliver on time? Can you be counted on the go ahead and take on the hard jobs or the hard issues and investigate and help remediate problems? Are you like for myself, I can tell you, typically what I do is I may do an internal assessment, and baseline where our risk is that and put together a list of issues that I think we're going to need to work on. But I will write them. Instead, what I will do is I will pull my peers in from the other departments from the other business departments, and I will ask their help.

And I want the business input on the security risks and things that I'm looking at, and they will actually help me evaluate them, and write them and decide which ones we should address first. And so that way, when I am putting together my 6/12/18 month project playing for my team, and we know what projects we're doing, they're aligned for security, but they're also aligned for the business. So we're focusing on the ones that the businesses say they need first.

‍

Who are the people that roll into this role? What are the positions that report to you?

Gary Hayslip: Honestly, it really depends.

Typically, you're gonna have security operations, which is the normal everyday security operations, and it'll be made up of security engineers, security analysts, people that are pretty much doing the care and feeding of the security tools that you have for managing risk, and for managing the security services that you provide, such as doing patch management and vulnerability scanning, and scanning for insider threat and identity, managing identity, these are all basic things that your team's gonna be doing.

Along with that, there could be other things that can be assigned to you, the network engineering teams that are managing the firewalls, they may be assigned underneath you, or they may be in IT and have a dotted line to you.

Typically, it may manage the firewall security as the ones that are actually logged into them using them at work and go and pull in reports from them and stuff. Sometimes companies will put them underneath security. Governance, if you are a regulated entity, and your CISO has experience in GRC, like myself, I'm a certified auditor, they may put the whole GRC team underneath security, or they may put the risk and governance teams underneath security, just because of how intertwined the security stack is with the IP stack. And a lot of the stuff that the GRC team looks at is IT related. And so they may put it underneath security to have a degree of separation, and there's other things as well.

I- in my current role, I also do physical security, which is a whole different mindset. A whole different mindset, different technologies, different processes. But there are some CISOs that No, I didn't do it and take that on. I've operated in environments where I've had four different teams. And one of my roles, I had a security operations team. I had a governance team, I had a cloud security team, and I had an application security team that worked extensively with our product teams. And I worked a lot with our VP of DevOps, her and I were partnered together in my application security team was actually embedded in her department, and I spent a lot of time. And I did that on purpose to setup trust between our teams. And I spent a lot of time working with her, making sure that our products that we were producing were as devoid of defects as possible, and that we constantly tested for issues.

‍

How have increased regulatory demands, such as those from the SEC or FCA influence a strategic priorities within your role as a CISO?

Gary Hayslip (17:17): The increased regulatory demands, basically, what they do is, for a CISO, if you're in a regulatory regime, you honestly you spend a lot of time going back through looking at your stack, reviewing previous assessments, reviewing previous controls, and making sure that you have things documented. You spend time talking with your attorneys to verify, are you missing anything, you also spend a lot of time looking at new rules that are coming out, or we have an amazing amount of rules that are coming out around data privacy, and not just in the United States all over the world. And if you're an international company, and you operate in a lot of different geographical locations, now all of a sudden, your company with the cloud to go ahead and be innovative.

And now you got all these new data privacy rules coming out saying, hey, that's great. You want the cloud, but we want our data to stay in our country. You have to collaborate with IT, and they'll figure out with the technologies that we've got selected, how do we go ahead and meet the regulatory needs, that these new needs that have come up, or data needs to be located in specific stuff, but still also help the business be innovative. I do think there's a cost. And it's fine, because companies need to pay their costs to be more resilient, or the ability to hit and be able to meet the new requirements that come out.

But whether you like it or not, no one meets new regulatory requirements, without spending something. You're going to do some type of costs, whether it's hiring people, new technologies, new processes, just the documentation alone to documenting how you're doing things with a new requirement. There's always some type of costs, and it does- it pushes back pn the teams, but it requires the CISO that collaborate with stakeholders, because you are going to go out and find out 'Hey, are we meeting these new privacy requirements? Do we need to make changes that make sure data is co-located in new geographical regions? And are we getting the right reports? The auditors are now going to ask because our regulations have changed.

And so all of these things you are continually reviewing. This only happens every once in a while. No, you are looking at these things easily every six months, or you're reviewing these things. And I know some that are looking at it on a quarterly basis, just because of the size of the company, the type of data that they manage to lay out they're not going to get caught, they're not- they're afraid that the fines, so they're going to do what they need to do. So yeah, the regulatory it's not for free. Companies are going to meet it. There's going to be possible.

Felicia Shakiba: You've mentioned before that a balanced view of AI in cybersecurity, viewing it as both a risk and opportunity.

Could you elaborate on how you approach integrating AI tools as well as managing associated risks?

Gary Hayslip: in 2013, I was part of a group of CISOs that went before Congress, the DOJ had brief about the weaponization of AI, back then they were concerned about AI being used as a weapon.

Now thinking about that, it's like 11 years ago, and now we have AI, whether it's absolutely your phone, or your search engine that you use, and you go on the internet, many of the new security tools, and IT tools we use today, are now being AI integrated. Whether you like it or not, there's going to be an AI bot or an AI assistant, my company is AI friendly. And we're investing in AI companies that were working with AI as a security executive.

Originally, last year, many of us were pushing back and say, Hey, there's just too many unknown risks. You just got to say, no, no, no, and just not do it. To me, it's like being an ostrich sticking your head in the sand that heightened because you're not going to stop it.

Whether you like it or not, it's being integrated in so many different apps and so many different technologies, you can't prevent it in the business, there's so many free things that are popping up on the web now that your employees want to use, you're not going to be able to stop it. And so what comes down to when you have a prevailing technology like that, it's more of okay, there's an acceptance piece of Alright, we're going to see it, it's here, let's figure out how we can manage it and deal with it. And so that comes around to Alright, let's put policy in place on what it's for, what are we going to use it for? What are our use cases, and let's educate our employees on how to use it safely. What we recommend for them on how to use it, what to do with it, let's provide them training, and start training them.

And not only that, let's make a decision that we're going to go ahead and go with a specific platform. We chose open AI Chat GPT version four, we are looking at it from a security standpoint, there's many others that are out there. But that's typically what you'll do is you'll select a couple of different tools. Typically, there'll be ones that you're paying for that you are able to control, you'll put together policy procedures, you'll train your staff. And then the next piece is the fun part for a security team. How are we going to manage it? How are we going to make sure people are actually following process they're actually doing not doing stupid stuff with our data. That's where unfortunately, the technology is catching up.

There isn't a lot of security startups now they're just coming out. And this is what I look at as CISOs have to be comfortable about leaning forward. In our environments, part of the job is the fact that the technology is never stagnant. The risks that we deal with are not stagnant, they're constantly changing. And you have to be comfortable working in a fluid environment like that, where you're managing risk and managing technology. So the next piece for AI is, alright, company's going to use it, you've put everything in place, you train the staff, there'll be an innovative, that's fine, they can do their piece.

Now my team has to do theirs and my team is we're going to monitor, we're going to manage that risk, we're going to go ahead and look at startups, we're going to look at security tools that are out there that are using AI, that help us see Gen AI across the environment, what our people are, how our people are using it. If there's new tools that pop up, we're gonna call him on it and say, hey, you need to bring that through tech review, we need to take a look at it, we need to understand the risk. And if it's approved, then you can use it. If it's not, we're going to block it.

If you know people are using a tool and we think there might be questionable here, we want the ability to do a pop up and say, Hey, pursuant to our policy, remember, only this type of data, only this process, don't forget your training, and then let them go on about their business. So we have to do that maintenance and that management piece. That unfortunately for Gen AI right now is still relatively young in the security field, but it's growing exponentially fast.

November last year, I knew two security startups that were doing Jim AI monitoring, as of today. I know it doesn't, it's that fast, how quickly, and these are companies that are in stealth, and they get funded $5/$10/$15 million coming right out of stealth, and they're building this stuff quickly. And they're not just doing it for dev teams that go ahead and who are dealing with the big LLM models. They're dealing it for CISOs who are doing cyber operations. It's a new technology dealing with new threats that you're just going to have to accept.

And so I look at it as health CISOs are facing it is cyber risk is risk. It's still the same. The risks are still there. The issues that you have with insider threat, the issues that you have with protecting data protecting privacy, they're all there. They're just in a different package. You just need to understand it. train your staff put policy together so the company understands what it's doing, and to be able to monitor it and then report to your executives. So you can be Make decisions or what you're going to allow.

‍

What advice would you give to someone aspiring to become a CISO, especially considering the broad skill set required for the role? And perhaps, what advice would you give to organizations hiring assessor?

Gary Hayslip (25:15): It's funny because I've written books around this question. So who it's, I can speak to it probably for an hour, for someone aspiring to do it.

I would say, you need to put the time in, it normally takes about eight to 10 years, before you get your first role. And that's average, I would also advise him to get experience in software or product development, get experience in networks, especially cloud networks, and on premise networks, and also get experience and risk management. All of these things are heavily tied into a single role.

I would advise them that there are also critical soft skills, as well as some strategic thinking time management, effective writing and communication skills, you're going to need all of these, the more senior you get, going forward a CISO role for a business that is hiring, would tell them that not all CISOs are the same. Each of us comes through our career path differently. So do not look at just what is needed now for the role. But also, I would suggest to them that they look at the next 18 to 48 months where they see this role going within the org, and what type of security executive they think they would need to be able to fit that in to be able to fit that role. Too many times I have seen executives, I've seen recruiters and companies, they want 100% of what's in the job description.

But when you go in depth with them, there is really only one or two requirements that are critical. And the rest are nice to have. What I would say to these businesses is know what your critical assets are, and understand that it's okay, if you are going to hire a CISO that can do 80% of that. That's the reason why they have a team. That's the reason why they have a peer network. That's the reason why they have mentors.

You hire yourself a good executive who has experience, they're going to be able to go ahead and learn those other things, once they get comfortable in the job. And they're working with stakeholders in their various departments.

Very rarely do you get anybody that brings 100% to the table. And honestly, those unicorns that you bring in 100% of the table, you're probably going to lose them in the next 18 months, because somebody else is going to steal over me. I honestly would go for somebody that has that 60 to 80%. And that's going to grow with you with the business, because you're giving them a shot, you're giving them a chance, they're going to get there the business, they're going to get established, they're going to grow with you, and add you more towards their career path. They're gonna stay with you longer.

Felicia Shakiba (27:44): Gary thank you so much for enlightening us on what this role is and what it entails. And I'm sure you've added so much value to people's day just having them listen to this episode. I appreciate you being here. And thank you so much.

Gary Hayslip: This was a lot of fun, I really enjoy talking about the role and especially helping more people come into it. Those of us that are senior like myself, within the next five to 10 years, we're going to be stepping out and doing other things.

There's a big discussion in our community right now about leaving a legacy about making sure that the next C class of CISOs the next group of security executives, have gotten the experience have been mentor, and they're ready to step into those roles as we transition ourselves. There's a bunch of us that are taking it serious. We're writing books on and we're talking about it we're mentoring, because we want to leave it better than what we've held it and it's really important to us.

Felicia Shakiba: That's Gary Hayslip, Chief Information Security Officer at Softbank Investment Advisors.

Gary Hayslip

Chief Information Security Officer for SoftBank Investment Advisers

Gary Hayslip is a Chief Information Security Officer at SoftBank Investment Advisers. Hayslip brings this wealth of information technology, security leadership, and risk management experience.