Making Security Real in the Context of Business
Our guest today is Shamla Naidoo, a managing partner at IBM Security. With a career spanning over three decades, including 20 years as a CISO, Shamla has excelled in a variety of positions, from engineer to executive.
Shamla joins us with perspectives on why security teams need to effectively communicate with their organization’s board of directors, the best ways to make security indispensable to a business, and why those communication skills are critical to the success and security of an organization. We’ll learn about the unique way she goes about building her teams, and why she believes there are opportunities in cybersecurity for just about everyone.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 169 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.
Our guest today is Shamla Naidoo, a managing partner at IBM Security. With a career spanning over three decades, including 20 years as a CISO, Shamla has excelled in a variety of positions, from engineer to executive. Shamla joins us with perspectives on why security teams need to effectively communicate with their organization’s board of directors, the best ways to make security indispensable to a business, and why those communication skills are critical to the success and security of an organization. We’ll learn about the unique way she goes about building her teams, and why she believes there are opportunities in cybersecurity for just about everyone.
So I started as an engineer, started my first job right out of high school, went into the workplace and learned what I needed to know on the job. Very generous people taught me what I needed to know to get the job done, and then I continued to get more education, get more exposure, and learn more technology, et cetera. So I became an engineer, did application development, I did database design for a long time, and then I actually also did network design and engineering. So I built some very, very large global networks, but that journey really was as an engineer.
How do I get to security? Security was not a freestanding profession. It was not an independent role. You had to secure the technology you built. So if I was in development, I was writing code. I had to figure out how to write the code in a secure way so it didn't get compromised. I had to build networks in a secure way so that an intruder was kept out. That actually led me to learning how to do my job, whatever that job was with an eye for security.
So I came to the U.S. in 1998 and all of a sudden this topic of security is really big, it's really important, and people are talking about it as expertise that was lacking in the field. Well, from being an engineer and having done this, I happened to have a little bit more knowledge on security. As a hands-on engineer with a lens on security, that actually gave me a little edge. I went into that area, specialized in security, and here I am. I spent the last five years at IBM, four of those as the Global CISO for IBM. I spent the last 20 years being a CISO for many, many large organizations. I leveraged that early knowledge with the engineering skills, and of course I'm a trained economist, so I learned how to make the right kind of business decisions, balancing investment returns with risk and reward, and here I am.
I'm curious about your time when you were an engineer. As you described that, was security on other people's minds? I'm thinking of some of your colleagues who were also doing a similar kind of work, or did you have some sort of sense that it was important beyond what was expected at the time?
Well, at the time security wasn't something we talked about specifically, but I happened to experience an intrusion into a network I was responsible for very, very early in my career. That intrusion accelerated my learning, it accelerated my opportunity to harden and lock down the network. Because I learned what adversaries could do, I learned that I could be used as a launching point for someone to get into someone else's network. So for me, it was more just doing my job in a slightly better way. It was really not on the minds of people generally, it was more about how do I make the network I designed and built where there was an intrusion a little bit more hardened and a little bit more secure so that I get the right business outcome without having the intruders and others in that environment.
Now, what is your day-to-day like these days? What sort of things take up your time?
So today, having been in technology for 37 years, having been a CISO for over 20, I spend my time with mostly C-suite executives, especially CEOs and board directors, helping them to think about how to combine the security strategy with their business strategy and making sure that they're getting good, solid, secure business outcomes. So that's what I spend most of my time doing.
Well, let's explore that together. I mean, when it comes to CISOs communicating with the folks in the boardroom, what's your experience been there? What sort of recommendations do you have?
Well, my recommendation is first, these are not two separate parallel topics, business strategy and security strategy are not parallel topics. If they are, they never converge and therefore in the boardroom, CISOs have to talk in the context of business. If we don't leverage the business strategy for what we're doing or why we exist, I think we lose the C-suite executives. They align when they understand how what we do either benefits the business or how it might harm or hurt the business. So CISOs really have to be talking about the topic of security in the context of business. And that means making it real for those who are listening. If you want them to support what you're doing, there has to be a very clear view on what business benefits my job brings to those people in the room.
Give me some examples of how that plays out, I mean, what are some successful techniques for communicating that to a board?
So I will say that the most important characteristic that a CISO can have is to understand their business. What do I mean by that? First understand how you make money. That is front and center of every C-suite executive’s mind, how do we make money? How do we run a successful business? So market share is important, et cetera.
The second thing that's important, I think, to the C-suite is how do I serve my customers? How do I serve my customers by bringing them innovation, better products, better services? How do I help them to make their businesses more successful?
Everything else we do must follow those two objectives. If it doesn't, frankly, the C-suite and the CEO just don't care. Because at that point, what you've really done is you've taken your strategy and you've made it operational and you've made it less relevant and you've made it less essential. So unless you talk about it in the context of how we make money, how we serve our customers, then security is really just an administrative function within administrative and overhead costs and while you'll get support for it, I think you miss the strategic investment, you miss the strategic engagement for how security might make our businesses better.
That's really an interesting insight to me. I mean, I hear some folks who've described how one of the challenges for security professionals is that if they're doing their job correctly, well nothing happens and it can be tough to just stand in front of the board of directors and say, “we did our job, nothing happened, please continue to give us money and funding for the things that we do.” I mean, it sounds like you're suggesting that there are better ways to frame it than that.
I think if the CISO wants to be a serious corporate executive, then we have to be where business decisions are made. So we have to be able to tell our story not in terms of everything that went wrong or everything that could go wrong, but how do we take the security strategy and help our businesses to lean into the risks that cybersecurity might pose to the company. As we digitize our businesses, there's going to be a larger digital footprint, therefore a larger footprint for operational security and other disruption.
The question really is how do we allow companies to lean into the opportunities — the business opportunities — that come out of that digitization effort? How do we help our companies to become more innovative? How do we help them to build and make better solutions, better services, better products for our customers? How do we introduce automation, robotics, and how do we leverage new technologies, whether that be artificial intelligence or blockchain or quantum computing?
I think there's so much in the way of innovation that businesses can leverage in order to go forward much faster and much more successfully, but the risk of the security issues and concerns that threats against our business from a digital perspective slows us down. I actually think that CISOs have the opportunity to help businesses to accelerate the adoption of new technology, accelerate the adoption of innovation, and to lean into the risk management because with every risk comes enormous business opportunity.
We have to be able to balance the risks and, frankly, we have to be willing to own the risk, reduce the risk, make it manageable so that the rest of our companies, the rest of our corporate executives, can continue to accelerate the journey of improving our businesses, building better, smarter products that serve our customers better and therefore give us either a bigger market share, or that makes us more financially lucrative and successful.
Well, I mean, talking about risk, I mean, let's touch on threat intelligence. I mean, what part do you think threat intelligence plays in evaluating an organization's risk profile?
Look, the more you know, the smarter you are, and the more you know, the more you realize how little you actually know. So in my mind, I think threat intelligence is about telling me what I should know, what kind of threats might come at my company, and how do I manage those so I can be prepared for it. I can be knowledgeable about the actions I take. I can be more structured in the prioritization of these actions that I need to take but knowing, I think, makes us more powerful. So threat intelligence, no matter where threats are happening, no matter where the threat actors are acting, knowing that allows us to be more proactive. It also allows us to be more targeted in the actions we take.
As opposed to trying to look at the entire environment and manage the risk across the entire environment. I think when we know what the threats are, we can be more targeted, we can be more surgical, which means that we don't have inefficient use of our resources — we can be judicious about how we use our time, how we use financial or other technical resources, but especially how we use our digital footprint.
As a leader in cybersecurity, how do you go about setting your organization's priorities? How do you go about determining what you're going to spend your resources on? Both the time of yourself and your employees and also the financial resources.
As the CISO, I think in my mind, I would always be listening very, very carefully for what is your CEO saying the company's strategy is? How do you actually expand that strategy into the component parts that will help you to figure out, well, what are the technology opportunities and what are the threats against that technology that might make the strategy fail? Then my role as a CISO is to say, how do I not make it fail? How do I take the appropriate actions at the right time? How do I put enough resources against those risks in order to make sure that the business doesn't suffer?
So for me, it's always about knowing what the CEO is trying to accomplish with the company, how do I fit in, how does the CISO strategy fit into what they're trying to do? How does the CISO and team and the resources help the company to lean into whatever that future vision and strategy is?
So, to me, it's really important to understand the direction of the business, to understand what we're trying to drive toward and then understand what the cybersecurity threats might be that will impede getting to those objectives. Then taking action proactively to make sure that those outcomes actually don't happen, or that they happen in less serious ways. So I think the risk management perspective is an extremely important strategic area for CISOs. It's not just the operational aspects. We also have to know how we combine that business strategy, our security strategy, and how do we create better outcomes for the company.
Now that doesn't mean we always have to count it. It doesn't mean we always have to measure it because sometimes you're not going to measure all the bad outcomes that you prevented, but I think the idea is when companies are successful, there's an assumption that everyone in the chain of command has done their job and done it well. So that's how I think CISOs should be getting their success metrics, that's how they should measure accomplishments, that's how they should determine whether they have contributed to the organization's future and strategy sufficiently.
What is your strategy for assembling your own team? How do you put together that group of people who are going to help you accomplish your goals?
So a couple things — we took a slightly unusual approach for a typical large corporation, and I'll talk specifically about my time at IBM as the CISO. We created small, cross-functional teams, very agile. The team was made up of five to seven people, and the teams stayed together. We would keep the teams together and the work would change. So a team was expected to deliver small outcomes. So we take our big problems, break them down into smaller problems, break them down and refine them into as small a problem as we can get it, and then go solve those small problems. So we didn't have large long-term projects.
So take the big problems, break them down into small ones and then allocate, or each team will pull whatever small problem they think that they can fix end-to-end and they would address the problem, fix it end-to-end.
The idea here was for us to distribute the work in ways that allow us to have consumable outcomes immediately. So a team would take a problem and they would solve that problem. By the time they started and ended, there would be a solution that our end users could use or a solution that we as a security team could use, but regardless, it had to create an outcome that was consumable and that was tangible, regardless of how small it was. What we did then is we said all of those small problems that we've solved will ultimately combine to create solutions for some of our big problems.
But the idea is for us to get speed. Speed is the currency in the boardroom, every CEO wants to know how quickly can you get this done for me? Our objective was to create these small solutions very quickly. Every two weeks, we delivered something and something that was consumable. No project ever lasted us more than 90 days. If the problem couldn't be solved in 90 days, that means we didn't refine it sufficiently, or we haven't broken it down sufficiently. So the idea is for us to have a very dynamic team, dynamic work environment, constantly delivering business value, even if it's in small chunks.
What guided the makeup of those small teams, how did you assemble those groups?
So cross-functional, basically. We said, who are the people? What are the skills? What are the skills needed to solve problems? We didn't build a team with a particular problem in mind. We said, which are the teams sufficiently — people had to be curious, they had to be willing to listen and learn from others who are experts. They had to be willing to bring their best self and their whole self to work, bring all the skills you have, and be willing to learn from others and create a profile for both learning as well as teaching. When you were teaching others about your expertise, you had to be willing to learn from others about their expertise, and what that helped us do is to create those small teams and have them be very high performing, have people learn from each other constantly, while they also are delivering work that was consumable.
So, I think the idea here is, when we attract some of the smartest people, it is not to tell them what to do. We attract the smartest people, we develop leadership skills, but we also want to listen and learn from those experts, versus I hired the smartest person and then I tell them what they need to do and how they should do their jobs. Well, I actually want them to tell me how they should do their jobs, because really they're the experts.
What's your advice for folks who are just getting started in cybersecurity, people who are interested in pursuing a career?
Well, I think the cybersecurity field is just so vast and so open right now. We constantly hear this conversation about a lack of security skills. What I think people have to think about is this is not a specific narrow field. This is a very wide field. You can do most any job with a cybersecurity lens. If you want to be a communication expert, you can be a communication expert. You can go out there and tell people about cybersecurity. You can tell them about the threats. You can tell them about the threat actors. You can tell them about the benefits of taking various solutions and implementing them, et cetera. So if you want to be a communication specialist, you can do that.
If you want to be a hardcore backroom engineer, building and designing the best solutions, you can go do that as well. If you want to write policies, want to sit down and write, well you can do that too. So I think that this field has so many different angles and perhaps we haven't done a good enough job of explaining that or making it visible to the people out there. So the way I look at this, I think that as we are trying to solve this skills gap, as we try to elevate our cybersecurity IQ, both in the field, as well as outside of the field, we should be a little bit more open to how we tell the story, but how we attract talent, where we attract talent from. If we are looking for the pen tester, or we are looking specifically for the person who's doing vulnerability management, that narrows this field in a very artificial way. I think we have to be more open and recognize that this is a field that's broad, and whether you're selling the dresses in the store or whether you are running an online marketplace, there's opportunity in every field for some measure of cybersecurity activities, and some measure of cybersecurity input and contribution.
So we have to be able to take every field, open it up, and make it available and visible as to what those cybersecurity opportunities are. We have to be a little bit less traditional about how we attract people into this field, how we develop them, how we explain what the jobs are. I do think that this area is ripe for job creation, economic development, as well as elevating the cybersecurity posture of the companies that will hire such people. We have to be less prescriptive about what skills we are looking for in people. It cannot take five years to create five years of experience in an individual; we have to be a little bit more targeted. In some way I think our training and training opportunities should be more vocational and less three-year or four-year degrees. That's the first thing.
The second thing is if we don't understand our business, if we are not serious business leaders, then CISOs will quickly become relegated to the backroom operations. So if we want to remain essential and relevant, we need to coexist and we need to converge with business leaders, or we have to contribute business value.
Our thanks to Shamla Naidoo from IBM Security for joining us.
Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.