Legal BlackBook™

SEPTEMBER 2018
INTERVIEW: TOM KELLERMANN / CARBON BLACK, INC
A CALL TO EMPOWER CISOS
And why they should be joined at the hip with the general counsel.
Tom Kellermann is the chief cybersecurity officer at the cybersecurity software company Carbon Black, Inc., which went public in May. Kellermann has an impressive resume, but his early foray into information security began far away from where he is today. In more ways than one. “I grew up overseas as a hacker,” he says. How did the prodigal son return to the fold? “I had a college professor who turned me to the light.”
     He’s been on that path for more than 20 years now. Kellermann “earned his stripes” (as he put it) at the World Bank, where he was a senior data risk management specialist. Among his credentials, he’s a certified ethical hacker (CEH) and a certified information security manager (CISM). “There’s a lot I don’t know,” he says. “And I know what I don’t know. And that’s really what differentiates people in cybersecurity. There are no experts.” The best you can do is recognize your limits, he adds, and “you have to constantly be learning.” The beauty of his position at Carbon Black is that he gets to learn from the thousands of CISOs he advises as part of his job, and from the various government agencies, including the FBI and the Department of Homeland Security.

CyberInsecurity: Tell us about your current job, because it’s not the standard chief information security officer (CISO).
Tom Kellermann: I advise the chief information security officers of Carbon Black’s customers. I do so as a pro bono service. That’s my No. 1 role. My No. 2 role is that I develop our threat intelligence strategy, and I run the intersection of threat intelligence between our 83 managed security service providers and incident response partners around the world, and our internal predictive analytics. If we see something new, we share it with them. If they see something new that we haven’t seen, it becomes part of our matrix and enhances our products’ capability to protect assets from attack. And lastly, I’m on our three-person committee that oversees the security of Carbon Black. We practice what we preach.

CI: Does Carbon Black have a chief information security officer?
TK: Yes. And he’s got everything under control. A lot of cybersecurity companies don’t use their own cybersecurity capabilities to defend themselves. And a lot of them don’t even have CISOs.

CI: Why is that?
TK: I don’t know. I guess it’s easier to have those chief information officers (CIOs) acting as CISOs. But it’s strange.

CI: How has the CISO role changed over the past few years?
TK: It’s become much more important. Boards are demanding overviews of their security now, not just to align with standards and regulatory regimes, but because they’re very concerned about the impact of a cyberattack. Cyberattacks have become the No. 1 risk facing businesses around the world, according to the World Economic Forum. That said, there’s still a corporate governance crisis in American publicly traded companies, because a majority of them have yet to elevate the CISO to his or her proper level of authority in the organization or to segregate that person out of IT. There’s a lot of miscalculation and cultural dissonance in companies when they force the CISO to report to the CIO. It’s much like having your defensive coordinator report to your offensive coordinator in football. The offensive coordinator cares about resiliency, access, efficiency. The defensive coordinator realizes that all those initiatives exacerbate the attack surface. An offensive coordinator will always go for it on fourth and one, and a defensive coordinator will be like, “Please kick the ball.”

CI: Let’s talk about the background of a CISO. After the Equifax breach, there was a lot of talk about the fact that the company’s CISO was a music major. Do you think CISOs need to have tech backgrounds?
TK: Older CISOs—those 40 and older—never had the opportunity to study cybersecurity in college because it was not a course in college. In terms of a computer science background, I think all CISOs ought to have certifications like CISSP, CISM, CEH, etc. Those are more important than what you studied in college. That said, there is a tremendous difference, in terms of the level of aptitude and strategic thought, of CISOs specific to where they came from. People who were trained in the U.S. military, specifically the NSA or the Air Force, and did cyber are very capable folks. People who performed cyber crime investigations for the FBI or Secret Service are formidable. People who earned their stripes in the financial sector, like on security teams at big banks, are very capable folks. Those are the categories that you should be looking to hire from. Pedigree is really about where they were trained on the job and what certifications they have, versus what they studied as undergrads.

CI: What are the key skills that the job of a CISO requires today?
TK: From a skills perspective, they need to be well versed in network security, application security, computer forensics and penetration testing. They need to understand how to build a security operations center (SOC), particularly if they’re working for a Fortune 1000. They also need to be able to translate the technical babble of cybersecurity into the language of risk management and brand protection. They need to be able to speak effectively, because most of the time, when you engage with the boards of directors and the C-level folks, their eyes roll back in their heads if you go down the rabbit hole of telling them the bits and bytes, trying to explain to them why you need more resources or authority.

CI: That’s quite a skill set. It must be pretty hard to find somebody who matches up.
TK: There’s such a shortage. There’s a 2 million-person shortage across the world of cybersecurity professionals. For CISOs, there’s an even greater shortage. If you can develop a culture of security in your organization, and you can keep your CISO happy for long enough to allow them to work on a five-year plan, then you’re going to be doing all right. But most importantly, as a board member, as a general counsel, as a CEO, you have to give them the bully pulpit. The CISO is more important than your CIO. What people seem to forget is that the dot-com revolution was about building your house online. And the whole construct of search was to be able to find people’s houses online. Then the next thing was the development of applications—mobile apps and mobility—where you could provide information to people based on their experiences online.
  But now we’re at a stage where being able to secure that experience, and secure all of the houses and functionality, is paramount to the sustainability of everyone’s business. Security is a function of conducting business in today’s world, and it is a function of comparative advantage. If you invest less in security than your competitor, you will lose. You must make this a priority in your organization, and to do so, you must pull the CISO out of IT, force them to report to the CEO or to the general counsel, and listen to what they have to say. Please.

CI: You mentioned the general counsel. What role should the general counsel play in working alongside the CISO?
TK: They must become allies. The general counsel is also concerned about risk. The general counsel has authority to make significant policy and procedural changes in the organization. Cybersecurity is never going to be provisioned merely through technology. It’s a cultural phenomenon. It requires policies, procedures, contracts and oversight from Legal at all times. At a minimum, the CISO can educate the general counsel about some of the exposures that are facing the organization currently, as well as the worst-case scenarios or nightmare situations that could face the organization in the future. At a maximum, they should meet on a daily basis for half an hour to an hour to discuss ongoing efforts, tactical implementations and/or events that may have transpired.

CI: I interviewed the CISO at Standard Chartered bank a while ago, and she said that they have business information security officers specifically assigned to the various business groups, like the law department, the finance department, HR, etc. These individuals bring the role of the CISO down into the business divisions. What do you think of this idea?
TK: I think it’s an excellent idea, much like a U.S. ambassador does for the State Department overseas—making sure that the business units and the business divisions are in line with the expectations of the security team, and the security team is helping them create sustainable business models. I applaud that effort, and I think it should be replicated.

CI: Do you know of any U.S. companies that have adopted this kind of model?
TK: No. But my ignorance is my own.

CI: Returning to matters of corporate governance, which you touched on, where should the CISO fit in the organizational structure? And who should the CISO report to?
TK: The CEO. The same way the CIO does. But if that can’t happen, then the chief risk officer. And if that person doesn’t exist, then the general counsel.

CI: Why? And why is this important?
TK: It’s important because you need the defensive mindset at the top. It’s important because your brand is intertwined with your ability to protect your digital assets, and 97 percent of your operations are digital, are computerized. And so it helps manage operational risk and reputational risk. One more thing, though: It’s not just about reporting. CISOs need to have their own budget equal to or greater than 20 percent of the IT budget. Because every time the company does something, it’s exacerbating risk in cyber. Every time they build a new app, a new website, or they create a new customer-facing blog, a new project that involves technology—all of these things create more risk. And so that CISO must have an independent budget, and they must report at a minimum to the general counsel.

CI: What about the relationship between the CISO and IT? What should that look like?
TK: The CISO should have the authority to stop, pause or engender an IT project. The CISO should also be able to call upon the system administrators within IT during an emergency so that they can act as part of the security team, given the fact that there’s a shortage of people in those organizations who understand security. And the CISO should be a thought leader.

CI: So the CISO really needs to get around. It’s not OK to sit in your own little lab somewhere. You really have to be in touch with the whole company.
TK: You do. You need to understand the company as well as the head of HR understands the company.

CI: We talked about past changes in the role of the CISO. Are there additional changes you expect or would like to see, going forward?
TK: Now that the General Data Protection Regulation is a reality and is mandating the creation of the data protection officer (DPO), inevitably the DPO will be the career path for most CISOs—unless proactive U.S. companies blend those roles, and the level of authority that comes with them. In 2018, if you want to sustain your business and maintain competitive viability in the market, you have to elevate your CISO and truly give them the resources they need to get the job done. Currently we’re spending 6-8 percent of our budgets on security. It’s insufficient. The norm to sustain your operations and secure your brand should be 20 percent.