Sign-up for the latest Lookout news and threat research
When pitching to your board of directors, security should be treated like any other business unit. On this week’s Security Soapbox, our host Hank Schless is joined by Paul Simmonds, CEO of the Global Identity Foundation and Former CISO of AstraZeneca, ICI and Motorola Cellular Infrastructure. They discuss how to cut through buzzwords and turn security into a business enabler.
Hank Schless 00:09
Hi, everyone, welcome to the security soapbox. I'm your host, Hank Schluss. And today we're going to talk about how to demystify security and certain marketing buzzwords as a way to win friends and influence people, especially when it comes to that board of directors at your company. Ultimately, it's the job of the seaso to present to the board and secure approval for their initiatives. And to help us explore this, I'm really excited to be joined by Paul Simmons who is CEO of the global identity Foundation, and actually wrote a blog for lookout recently on this exact subject. Previously, Paul was the global CEO of AstraZeneca, ici and Motorola cellular infrastructure. He's also the director of the Cloud Security Alliance in Europe, and co founded the Jericho forum. He's been recognized globally for his leadership and global implementations in security, and his free time, he works as a British canoeing level three kayak coach. So Paul, welcome to the show.
Paul Simmonds 01:04
Thank you, nice to be here.
Hank Schless 01:05
It's a pleasure. You know, getting through that list of accolades takes a while. So we're excited to have you on board with us here. So before we get into today's subject, and go over this thesis about it being on the CISO, to get the board aligned with the company's security strategies, could you tell us a little bit about yourself? How did you get into security? And why did you really decide to make your career out of it,
Paul Simmonds 01:25
nothing is ever planned, I don't think and at the birth of the Internet, sort of late 80s, early 90s, I was working for an organization called jet. A stands for the joint European tourists, it's an experiment with nuclear fusion reactor. And, you know, it was a really interesting place to work. Because no one had ever done nuclear fusion before. It wasn't technically possible to do it until computing game to the point that it was powerful enough to control a reaction, the sun, basically a sun on the earth in real time. So serious physics going on. Not that I'm a physicist, I'm an engineer by training. As part of that, we implemented an email connection to what was then the academic network, the internet didn't exist, so that our scientists could use this thing that we called email. And then the scientists said, Well, there's this thing called the World Wide Web. And we said, What on earth is the World Wide Web, we better nip across to our sister organization in CERN, speak to this guy called Tim Berners, Lee, and say, okay, so explain what this web thing is. And basically, the concept was that we built our own websites, so that we could share with the scientists around the world to add their individual organizations, the results that were coming out of the reactor. And at that point, we were connecting an experimental nuclear fusion reactor to a nascent Internet, what could possibly go wrong? So we needed security. But you know, firewalls existed in theory. So we ended up writing our own because that was the culture. And the rest is they say, is history,
Hank Schless 03:00
going from nuclear fusion to leading cybersecurity efforts for some of the biggest organizations in the world seems like a very natural progression. So that's a pretty cool background to have. And, you know, looking at your resume, obviously, there's some pretty recognizable names on there. So tell the audience a little bit about what it was like to head up security for such well known companies, as I mentioned, you know, AstraZeneca, Motorola, cellular infrastructure, et cetera.
Paul Simmonds 03:25
It's a bit of a double edged sword, if I'm going to be completely honest from Jeff, because of what we've done conducting this experiment of nuclear fusion reactor, I got headhunted by Motorola to head up part of their cellular division, building GSM networks, because again, we were building them and throwing them out the door like nobody's business. And then obviously, that role expanded to being a global role within, you know, the entirety of cellular infrastructure. But any of those companies, because they're household names, you get a lot of attention, you get a lot of name recognition, there weren't that many of us around what I call real CISOs. There were lots of people who were doing sort of IT security, but actually doing a CISO or a C. So like, role, there were very few of us around in the early days. So we would go across to you know, some of the conferences like DEF CON, and Blackhat. But with that, of course, you've got all the vendors wanting to sell you stuff. You want people to doing case studies with you, and everything else. So you sort of have to hold yourself at arm's length. But they were the guys with funding at the end of the day. So big companies comes big funding and comes a team of people to make a difference. And obviously, over time, as security became more important, those teams got larger and larger.
Hank Schless 04:37
Right, right. Absolutely. Let's bring it back a little bit. You know, as I mentioned at the start here, you did write a blog for us a little while ago and in there. I thought it was interesting that you mentioned that while the the technology that security solutions are providing is very important. A lot of times it's best to avoid sort of those techie or buzzwords when you're trying to secure that funding for your project. So So, with that in mind, what do you think is the most effective way to convey how security can really be correlated to profitability or maybe the profitability of those solutions? When you're talking to either C level execs or to the Board of Directors?
Paul Simmonds 05:15
Yeah, I mean, the first thing is no buzzwords, it is as simple as that. I mean, the one thing I've learned is that every industry has its own set of buzzwords and language. And I don't think security is unique in that the oil industry, trust me has far more buzzwords than Security does. And so the challenge is, understand that everyone has their buzzwords, and every area that speaking to the board will have their, you know, this is what this means. And you just cannot assume that anyone else understands those. So the challenge is, how do you do it as far as language is concerned, as opposed to content, because you know, they're there for a reason. They're clever people. If you can explain the concept, then you stand a chance of actually getting the support. So the two things is you need to be able to demonstrate ROI, return on investment. And you need to be able to demonstrate how your proposal is going to benefit the business. And it is almost I hate to say as simple as that. But it is almost as simple as that. You know, to do that there are lots of ways to do it. I mean, when I worked for ici, my boss's boss, when he had to present to the board, he used to bring us all in, get us all into a room and said, This is what I'm going to present to the board. And basically, it was a no holds barred critique session against what he was going to present to the board. With the aim of making sure that there were no buzzwords, nothing that you didn't understand, natively, we literally drilled out of that presentation, anything that could be misunderstood, anything that couldn't instantly understood, and everything else. And it was a very salient learning experience as a young executive, I suppose, of Actually, could I explain this to the person next door? Can you get it down into a soundbite? And can you make sure there are no complex words or no complex concepts in there. And if you can do that, you at least stand a fighting chance of getting support.
Hank Schless 07:17
Right? And you know, the last thing you want to do is make someone feel excluded from the conversation. Because they don't get what an acronym means. I think you're right. I think that, regardless of whether it's security, or anything else, you need to help people understand that there's going to be value out of this, it's going to benefit the business. And so can you think of a time maybe when you were met with some pretty serious resistance on the project, maybe because it wasn't really perceived as worthwhile, or didn't really, you know, to your point seemed to hit those two key points of ROI and benefit to the business.
Paul Simmonds 07:48
Like any other meeting, especially in large corporates, it's about doing your homework. So generally, if you go into the board and get rejected, actually, it just means you haven't done your homework properly. It is almost as simple as that. If you are going to interact with the board, actually, the majority of work is done prior to that presentation, ensuring that people are briefed, objections are understood, understand, you know, where the broad priorities are, at the moment, do we have that kind of money as discretionary spend or non discretionary spend in some cases, because ultimately, if you go in and say, like, I need x for this, and he go, actually, the share price is tanking at the moment, we're not spending any money on anything, then wait your time. Unless it's really urgent and you can persuade them, it's really urgent, then it isn't worth doing it. So you need to understand the politics, you need to understand what's going on within the business. Totally. You need to understand objections, you have to be prepared, you know, where you do have people are going to object, you have to understand why they're going to object, what grounds they're objecting on, and how you're going to counter those objections. And preferably, you've actually addressed them offline first. So that once you walk into that meeting basic, you've got your ducks in a row, because they've been briefed. The paper is simple. Again, you know, with boards, it's very simple. If you can't get it on one side of paper, they won't read beyond that, especially if it's a technical subject, that they're not overly interested. So it's got to be on one side of paper, it's got to be agreed beforehand, people have got to understand what the issue is. And then you stand a fighting chance of getting support and budget,
Hank Schless 09:30
right. And sometimes a fighting chance is only needed to really make it work. So to shift a little bit here. One thing that I love to ask people in the sort of the executive suite in that leadership role, what do you think with today's work from anywhere climate? What are the top two challenges for CISOs? You know, in this climate,
Paul Simmonds 09:48
I suppose, and it's an overused cliche for a lot of people. This is a very new paradigm. And so the challenge is, how do we enable the business and provide security In this mixed work, let's call it a mixed working environment. Lots of people had VPNs, lots of people had the ability to dial up from home, but then, obviously connect over the internet. When the internet came pervasive, then you had Bring Your Own Device and all the other challenges we've had. But you know, what we've been doing over the last two years is very different, which is, you know, can we get everyone at home, because I was a C, so through the SARS epidemic, I had some of my people who literally were on death's door during that, and we did the exercise. And we said, look, we cannot, at that point in time, we could not have supported the entire business going home, we just didn't have the dial up capability, we didn't have the leased line capability, we didn't have the internet bandwidth, on our stuff to make it work. We're now living in this new world where actually, you know, internet is ubiquitous everywhere at home, you know, people generally have got better PCs on their desk, and they have at work, if they got one at work anymore. It's all laptops, why? Because people are working anywhere. So for me, the challenge is how you enable the business in that environment. And for me, the big issue is how do you collaborate in this new environment, because you know, beforehand, it was easy. We got everyone in a room, and we put a whiteboard up, and then we generally screenshotted the whiteboard afterwards, and everyone took away a copy, it is still inherently difficult to replicate that kind of collaborative environment, especially at the start of big projects, especially if it is a joint venture project of some description. And the challenge is how you do that in this environment.
Hank Schless 11:40
I couldn't agree more, I think he got spot on. And it is interesting to think about not just the data that comes from those meetings, and how you share that and how you go about that. But all the build up all the follow up, you know, where where's that data moving? Where's it going? Where am I gonna have to create a new identity? Or, you know, are we gonna have to integrate some new third party system into our infrastructure in order to be able to collaborate with people over in a certain country because they only use a certain, you know, platform or conferencing system or whatever it may be. So it's obviously incredibly complex. So Paul, we're coming up on time here, I have one more question for you, that is about a buzzword because it's the buzziest of all buzzwords right now, and that is zero trust. Now, it's not to say zero trust doesn't have value, it obviously has incredible value as a philosophy, but it is being beaten to death by it seems just about every security organization. So in what you've said already about keeping it simple, speaking to the board, speaking to other sea levels, who may be curious about what your particular organization is doing about zero trust, because they read about it. And they said, Okay, what are we doing about this? How do you keep that conversation simple? And where does that convergence of security come into play? You know, in trying to help with these conversations,
Paul Simmonds 12:51
you know, but where the CEO who's made on the golf course mentioned zero trust, because he comes back and says, What are we doing about 02, he doesn't know what it means. It's just the buzzword he's heard on the golf course, or read in the in flight magazine, the first thing to say is, well, you know, forget about the buzzword. It's, it's not anything, it's a buzzword. It's a concept. It's a philosophy, you know, it is not network, it is not endpoint, it's not cloud, if they know what Cloud is, or an endpoint, actually, they probably know what a network is because they have one at home. Purely, it's an acceptance that your border is irrelevant is what we were telling people back in 2003 with Jericho is your border is irrelevant as a security perimeter. You know, the only reason you actually have it these days is because it provides some decent quality of service inside your area that you want good quality of service. But as we found out during the pandemic, actually, things sometimes work a lot better outside using cloud than they ever did internally. That's the other challenge, I think you'll get from your board members and your CEO, who will turn around and say, Look, this worked really well, while I was at home, why is it working worse when I'm in the office? So the key thing to understand is, is that it's irrelevant to the security boundary, and more importantly, that boundary is inhibiting your business. So from once you get that, and you want to explain that it's a three fold solution. You know, first of all, it's a discussion if you do not have a hard border, a security boundary, then what would that enable us to do? What can we then do? And you know, the obvious one has been all along has been cloud. If you don't have a hardened perimeter, you can then do computing outside your perimeter, which we eventually called cloud and then you have a discussion with the business of so what is your strategic direction? Play the thought exercise with me if you don't have a hardened border, a corporate perimeter, and more importantly, security in it saying you can't do that. What would that enable you to do? Because too often I've had the business come to me and said, Look, we know Security's going to say no to this. But we'd like to do this. And generally we went, No, we don't say no. You tell us why, and why it's important, we'll help you do it. It's having those discussions, it's having those sort of whiteboard exercises with parts of the business that said, if it isn't there, if we're not going to say, No, tell us what you want to do, tell us what that would enable you to do. And then design your architecture based on that on, you know, the assumption that the network is there, because it enables you to, you know, to provide quality of service guarantee, packet throughput, you know, all those wonderful technical bits and pieces, but don't treat as a security boundary, you then can have a discussion that says, actually, if I've got a third party who actually needs to come in and set up a little implant operation in my business, just come in and use our network because it's open. We operate a zero trust network and a zero trust architecture. Therefore, just come and plug your server into our network, just come on, plug your endpoint, your PCs, and your laptops and your Chromebooks into our network, we do not care. It'll just work for you. And you can talk quite happily back home or to a cloud solution or to a shared solution or anything else. And you can start having those discussions with people about how you enable all those things that people have been screaming out to do for ages and ages. And it's incredibly enlightening for the business, we've been perceived as the boys that like to say no, and therefore, actually, people come to us with a fait accompli. But what we used to joke was the Friday afternoon blessing, which is the business is going live with this Monday, we just need you to have a quick look at it and approve it. Thank you very much on a Friday afternoon, because at that point, you cannot say no. So you avoid those discussions by being the people who actually will help you and say yes, and this is how you do it. And zero trust as a philosophy, if implemented correctly, allows you to do that.
Hank Schless 17:06
Of course, that implementation looks different for everybody.
Paul Simmonds 17:09
Absolutely, there is no one size fits all, there is no magic bullet. It is about making sure that your zero trust solution, your your architectural philosophy that is based on zero trust meets your business needs, and more importantly, the business direction, you might be designing for what the business is doing today. But the board actually is charged with looking six months, two years, five years ahead. So unless you understand what their direction is, actually, you could be building totally the wrong thing.
Hank Schless 17:39
That's a really good point. And even if the goal looks like one thing at day one, it could look like something completely different that you know, day 365. So it's all about also being able to adapt that strategy, right? And being able to sort of be agile in it and look at the path that you're taking and make sure that it has alternate routes, you know, in case things change. Alright, Paul. Well, that's all the time we have for today. Thank you so much for joining us. As always, I'm sure our listeners will find this incredibly enlightening. And for anything talks you give conversations you have, are there particular places people can find you on social media or on the web.
Paul Simmonds 18:12
Other than just Googling Paul Simmons and security at Simmons underscore Paul on Twitter, other than that, LinkedIn works just fine.
Hank Schless 18:20
Awesome. Well, thank you, Paul. Really appreciate it. For the listeners. You can read Paul's blog, and other content from lookout on lookout.com/blog. You can also follow our Twitter and LinkedIn @ lookout and thank you all for joining us today. We'll talk to everyone soon