The role of a chief information security officer demands technical knowledge, but it also requires soft skills of leading and influencing – especially over the past year as cybersecurity has grown in visibility for companies. So how can CISOs get their security message across to boards, the business, employees and the security team? Joining episode 53 of Cyber Security Sauna are two CISOs, Erka Koivunen of F-Secure and Chani Simms, co-founder and managing director of Meta Defence Labs and founder of SHe CISO Exec community, to discuss communication and the role of emotional intelligence in promoting a culture of security at every level.
Janne: Welcome to you both.
Chani: Hi, thanks.
Erka: Thanks, Janne, for having us.
So can you tell us a little bit about yourselves and your CISO role? Chani?
Chani: So, apart from being the managing director of Meta Defence Labs and SHe CISO (SHe CISO is a volunteer work that I do), my day-to-day tasks involve being a virtual CISO and a DPO for SMEs. I’m currently looking after about 10 clients who I’m the virtual CISO and DPO to.
I’m also a cybersecurity consultant. I’m also an ISO 27000 auditor. So I conduct ISO 27000 gap assessments, implementation projects, and I also get heavily involved in Cyber Essentials. It’s a UK government-funded framework. I’ve been an assessor for about three to four years now at Cyber Essentials. I’m also an assessor for the IASME framework. I do audits, I help them implement.
I also train and mentor a lot of people in the industry, as well as my team.
I have to say, that sounds like the perfect complete package for a CISO.
Chani: It helps me a lot.
Erka, tell us a little bit about yourself.
Erka: Nothing as impressive, I can guarantee that. So I’ve been working with F-Secure a bit over five years now, and four out of those, I have been the CISO for the company.
Prior to F-Secure, I worked for ten years in the Finnish government, in the national CERT as the head of the CERT, Computer Emergency Response Team Finland. Before that I was working for a telecommunications provider as head of their CERT functionality.
So I’ve been on the kind of darker side of information security through my whole professional career. Not in the sense of doing any offensive, but dark in the sense of seeing and meeting organizations and people who have been hit hard with security incidents. So I’ve been helping them to recover.
Now I’m doing mostly admin stuff. Now I’m trying to convince our shareholders and the board and the executives that everything is pretty fine, actually. And with a bit of additional investment, things are going to be even better.
So I need to kind of adjust a bit from the kind of negative side of me, which says that everything is going to be rotten, to the place where I can confidently say that things are actually improving.
But this is actually what I love about security, is that we get people from very different backgrounds doing the same thing. And I think that everybody brings their unique point of view to what we’re trying to accomplish here.
Chani: You were saying that my profile is impressive, but yours is the same because that’s the experience I don’t have. So I come from most of prevention and getting your IT right. You’re what do you do when it happens, kind of.
Erka: Yeah, only kind of burning remains present.
Last year changed a lot of things, with the remote working and everything like that. Has it changed the role of cybersecurity, do you think?
Erka: From my point of view, anybody who approached this work by being a naysayer, by being the kind of a preventer of nice things, they probably have been sacked already. So every organization who all of a sudden had to enter remote working mode, they had to start opening up, going to Zero Trust models and accepting that people carry laptops and material at home. And if the CISO tried to prevent the business from doing that, they probably were getting in the way of business.
Does that match your experience, Chani?
Chani: Yeah, I agree with Erka. I mean, any security person who complains about, okay, we can’t do this, this is the only way, or my way or the highway pretty much approach, is not helping, because you need to be the enabler. You can’t be the security police who says, oh, you can’t do this. We can’t do this. You have to be the enabler.
So you need to look at where the business is heading, how can the business continue in a disaster or pandemic situation, and then try and find options that can work for the business. It’s looking at what you have, looking at the resources, and then finding solutions to kind of let the business continue. Because that’s what our job is, business continuity.
Erka: And definitely there is no security that would be on or off. There are many aspects of security. There are many ways and many places in the timeline, even, where and how you can provide security.
So instead of flat out denying the company from adopting more agile and flexible technology, you can steer the business owners to thinking that what if you let go of this security control, can you then make up for the omission later on in the lifecycle of that threat?
But that’s then no longer a technical conversation. And there was a recent study F-Secure conducted [with Omnisperience] that showed that emotional intelligence is increasingly important for CISOs in communicating with stakeholders. And that the idea of that purely technical role of a CISO is sort of becoming obsolete. Does that match what you’re seeing?
Chani: Yeah, let me give you a bit of background about that. So I think I’ve been in the industry now I’m coming to about 19 years in the IT industry. So I came from IT background.
I always practiced…if you watch my TEDx Talk, you will see how I grew up. And I have had the approach where you prepare for the worst and hope for the best. And so I apply that in security as well, and also the zero trust approach. And that’s how I’ve been as a child, that’s what I’ve been taught to do. Trust no one. I think that’s growing up as a kid and my father was a police officer, he was always very protective. And for me, security is kind of natural. And I try and do the same thing when it comes to companies.
Some of the frustrations I’ve had being in this industry was that a lot of the problems at the workplace happened because of lack of leadership, lack of confidence, lack of self-esteem. And that comes from not understanding yourself.
So if people can’t understand what they’re going through, their feelings, they won’t be able to react, respond to situations properly. Sometimes ego gets in the way, sometimes their own insecurities get in the way. Now, when you don’t know how to respond to things properly, things can go wrong. Conflicts can happen.
Then looking at empathy and compassion, where you need to be able to understand the other person’s perspective or put yourself in their shoes. If you don’t learn how to do that, then you don’t understand the other people. So how do you manage relationships then?
Because if someone comes attacking you verbally or whatever, if you’re going to go into defense mode attacking back, not actually trying to find out why is this person reacting this way, why are they saying these things? How do I feel? How am I going to respond to that reaction? Those are really key areas that you need to go into.
So if you don’t understand any of these things, you can’t manage relationships. Our business is all about managing relationships, your customer relationship, your staff, your stakeholders, all of that.
That is emotional intelligence. Understanding yourself, understanding how to respond to things, understanding how other people feel and managing those relationships. It’s a skill that you can learn, and it’s not something you can just go on a week course like you go on a CISSP bootcamp and then master. It’s a lifetime. Some people get that naturally. Some people don’t.
So I’ve felt this in my career. I was bullied at work. I was being treated differently. I’ve had people telling me names, calling me names. That’s because they don’t understand me sometimes. So I felt that we need not just cyber security professionals, we need emotionally intelligent cyber security leaders. That’s why I go on about this all the time.
Erka: In school, my minor actually was in psychology and leadership. It actually helped me understand how organizations work, how people as part of the organization either function or don’t function. And what is it that I could or my team could help the organization to improve, so that the commitment across all the levels of the organization to security goals improves.
And it certainly helped me to tailor my communications so that I can be better understood. I can’t expect to go to a business leader to tell about a technical threat or a vulnerability or some configuration error, and expect that they inherently understand that this is important to begin with, or what to do with that. So I need to translate that into what does it mean for them? And if I request something from them, how does the investment pay back in the future?
So that type of “walking in somebody else’s shoes” kind of approach is what is being required.
Still somehow we call these “soft skills,” like they’re somehow less important than the hard technical skills. And I’m not sure if that’s fair.
Erka: They are the ones that actually make you effective.
Chani: Make you a leader, as well. And I think every security professional should think of them as a leader, because you have to convince the board, you have to convince your teams that there is a threat, there is a risk, and that we need to look at things. So if you’re not heard, then, you know, there’s a problem with your communication then, right?
So leadership comes with a lot of soft skills, communication and assertive communication as well. And also the way you communicate, the tone, the context of things also really matters. So those things you can’t master easily.
And if you look at a neurodiverse person, for example, their brain works in different ways. So they might be really good at understanding a threat and looking at a stream of logs, and then look at finding anomalies and things like that, or really good at hacking. But they may not be good at talking to people.
So how do you now bridge that gap? So the leaders who are managing them or the people who are working with them need to understand each other. And that person also needs to find ways of bridging that gap where if you can’t talk properly when it comes to explaining things, then you have…you find someone in your team. I call it the complementary buddies. If you have a skill where you are not really good at, you find a buddy who can complement that weakness, right? And help you.
It’s the same with my teams, where we first start with SWOT analysis, for example. We will find out what are our weaknesses, what are our strengths, and then we find people who can help each other. So that’s collaborating.
There are a lot of CISOs in the industry who think, oh, let’s go and get this technical knowledge. Technical knowledge, you can just go on a weekly course, do some work and then you can be an expert within months. Whereas soft skills, it’s not easy. You have to develop over time. So I think soft skills are really important in terms of managing relationships. Security is not just technology. It’s people, process, technology.
If I made you shortlist what are the most important emotional intelligence-related skills that a CISO needs, what would that list be? What are the key things?
Chani: For me, I’m not just saying this is important. This is my struggle in life, things I’ve had to go through. If people knew me 10, 15 years ago, they wouldn’t know who I am, because I was completely different, insecure, lacked confidence, doubted myself, and would go and confuse the hell out of people because my communication skills were not that good. So emotional intelligence was one of the key things that helped in my life. Then the assertive communication skills, that really helped.
And then being a leader. Now to be a leader, you can’t just go and boss around people. That’s not being a leader. You need to start within. So if you’re not confident, you can’t go and tell people to be confident. So you have to find yourself, you first, and then kind of develop that approach. So your self-esteem, confidence, all matters, and values. Your principles, they really help you in terms of making decisions.
So a lot of things I had to consider. How could I be a better leader? How could I be a better person than I was before? And that’s how I looked into a lot of leadership skills, communication skills, emotional intelligence. So to sum it up, those would be the three things I would say are really important.
Makes sense. Erka, what does your shortlist look like?
Erka: Well, I guess I can boil it down to one topic, which I believe I have been getting better at. Being less egoistical helps. Like 15 years ago, it was quite a lot about me being the best around the house and understanding the threats, the technology, the solutions, the best. And then telling everybody else just follow my lead.
Now, I try to put myself in the background as much as possible. And whenever I need to go to speak to troops or write something with my name, this is for the team and for the benefit of the company and the organization as a whole, rather than me being on an ego trip.
All right, well, what about the other side of the communication? Is the audience listening? Like now that business leaders and boards are generally starting to recognize the importance of cybersecurity, is it now easier to get them to understand and approve investments that need to be made and sort of the initiatives that need to happen?
Erka: First of all, you can’t order anybody to just be interested. The board and the executives, they need to understand why is it that they will need to pay attention to security.
So there’s a great difference in being a leader who knows that this is a tick box thingy. That you have to ask cybersecurity related questions, act as if you would be listening to answers and then move on without learning anything.
And then there are, lately I’ve seen extremely positive signs of the boards and the executives actually wanting to understand and wanting to do something to improve security. Possibly it is due to the improved understanding that there might be negative consequences. So the board members, they might even risk personal liabilities if they fail to properly risk-assess the state of the company.
And CEOs might find that either they get fired or the company will suffer from their actions or most often times inactions. A decision not being made is a decision in actuality.
Chani: I would like to add something to that. Firstly, the ego. I think ego is a big relationship killer. Again, that sometimes comes because of problems within us. And then when someone says something, we take it wrong and then the ego kicks in, and then-
Erka: Yeah, I’ll show you.
Chani: Exactly. So it’s nice to have a little bit of ego, but I think you need to be able to identify when you’re making decisions. Is it my ego making the decision or something else?
So I think you need to have…You have to justify with facts rather than just saying, oh, this is what I feel I want to do. And I’ve had people, a lot of people who also do that. You propose a solution and then first thing, I don’t like it. Why don’t you like it? So there should be facts and justification around that.
Even when my team comes up with saying certain things, if you’re criticizing something, come back with constructive criticism. Tell us why you don’t like it, and tell us how you think it should be fixed, rather than just saying no, I don’t like it. So that’s not very helpful to the business.
Well, that’s the thing, it’s not just about the CISO’s ego. It’s also about the people you’re talking to. It’s about the board members or management groups or whatever. So how do you talk to these people without making it about the ego?
Chani: Now, when you’re a CISO, you need to look at understanding your business. That’s really important. What is the business doing and where is it planning to go? And then you need to look at the leaders. Who owns the business? What are the expectations? What are they trying to achieve and what their personality is like? You need to get to know these people.
When you understand the business strategy, I think then the CISO…something I look at is what can kill your business today? Is it regulation? Is it breaches? Is it people? What is going to stop your business from continuing, or delaying what they need to do to achieve their goals?
And then finding, okay, these are the things say, for example, GDPR. When it was introduced, suddenly you need to look at how much personal data you have in your systems, how much sensitive data you have in your systems, and how are we processing it. Who’s processing it? Where is it transferred to? And are we managing the rights of the data subjects that we collect these data from? There are a lot of things you have to look at.
So for a CISO, you need to look at understanding your data sets and where the business is planning to go. And then what are the kinds of regulations that are going to be governing you, laws and regulations?
So that could be a starting point. Now, if you don’t comply with these laws and regulations, can your business operate? No. And so in terms of business owners, they’re invested in more customers, more investors, in staying away from fines and regulation problems. So those things are really important to them.
So as a CISO, we need to look at how do we comply with these regulations? What do we need to do in terms of security? So that could be complying with GDPR. And GDPR has a very big security area where your systems have to be secure by design and make sure that they have privacy by design systems implemented. So that means, okay, if you want to comply with these things, you need to do this kind of work. If not, then we are not going to be compliant. And then looking at how can we now use that investment to benefit the business?
So they are kind of like business-driven business investments. That means you’re using your security to build trust with your stakeholders, your customers, and it could be going into something like a certification saying, hey, we’ve achieved these milestones. Now we are demonstrating that we are actually a trusted company you can work with. You don’t have to worry about your data going to other people anymore because we are taking responsibility to protect your data.
So giving that trust to your stakeholders. And investors or business owners like this approach.
Erka: I mostly have experience in working with our own board. And the chairman of the board is the company founder, an entrepreneur who has cybersecurity at heart. So I really need to respect the fact that there’s a person who really knows what this company is all about, understands security technology, understands security threats.
So I better not underestimate the board members. And the members in our board, they want to understand, and they want to also show that they can improve our thinking. So here’s again where the ego-less approach helps. So I can’t go there assuming that this is going to be the performance of my life, don’t interrupt me while I’m talking. I better kind of take the approach that I will be offered lots of places to improve, and I will get lots of opportunities to clarify what I meant with that obscure statement that’s in my slides.
We’ve been experimenting with ways to report security to the board. We currently have a list of five-ish questions from easy to more difficult that we go through with our board. The easy ones are for us to identify what are the actual assets that we want to protect, description of how we are actually protecting them, and whose responsibility it is.
The nasty questions come after that, and the most nasty one is that, how do we prove that the controls we have in place are effective against the threats that we know? That can’t be boiled down to traffic lights showing that green is good and amber means something to improve. So we need to describe what is it that we have done in order to test and subject our assumptions to healthy criticism. And did our assumptions survive when put to the test?
So that type of a storyline has proven to be useful. The board understands way better the choices that we have made. They are ready to support us even when some choices that we have made turned out to be wrong, because they understand the path we took.
These sound like very different conversations from sort of the other side of the business, the business side of the house. So can you tell me, what do those conversations look like? We talk about how CISOs need to be enablers of business. So how do you do that? How do you influence different owners of different business units or functions to take security into consideration in their operations?
Erka: That is most visible in our dogfooding approach, where we as a company, as an IT department, we are utilizing our own solutions. We want to provide feedback on how it fits our own purpose. And if we are not satisfied with some aspects of the offering, how does it reflect the wider realities in the market? So that type of co-design partnership I find quite useful. And I take great pride in being the most vocal and critical end user of our products and services.
Chani: I look at laws, regulations and all these contractual requirements in three ways. Documentation, evidence, and accountability. You always have to maintain those three things. When I go into even talking to the board or a C level, I ask these questions: Is this process, whatever you’re doing, is it documented? Do you have someone accountable?
And the owners, asset owners sometimes. And then, can you show evidence? Because when the law comes to bite you, those things really matter. You need to be able to prove yourself that you’ve done enough, your due diligence to avoid a fine.
Then, coming from being a techie to entrepreneur and consultant and CISO, DPO, all those things, something I’ve really hated in life was selling. I still don’t think I do that job well.
It’s an acquired taste.
Chani: Yes. But I think entrepreneurs are pretty much people who solve problems, right? CISOs also need to think like entrepreneurs. You need to sell what you’re trying to say to the world. And it’s pretty much that. And if you don’t have that kind of skillset to convince the board, then no matter how nice a solution you present them, if you’re not doing the right communication and giving the facts and details to convince them, you lose.
So if you are a CISO, you also need to think like entrepreneurs. How to show them the problem and then say this is the solution that we suggest, or a few options of different solutions.
Erka: And I guess worth noting in this context is that security managers or security officers, oftentimes they get carried away. They are there to build the perfect security, regardless of whether the business benefits from that. And regardless of whether the leadership might be actually willing to accept a greater level of risk.
The mission to get the best and shiniest and brightest security for the company might be a misplaced objective if the company and the organization is not willing to follow you. And if you are good at selling, you also understand when something that you are trying to sell isn’t going to convince the potential buyer.
Chani: Yes, exactly.
Erka: And you tune your message accordingly. It doesn’t pay off to be a Lexus dealer in a town where nobody can afford to buy it.
Chani: So I think trying to solve the problem is really important. You have to first identify what is the problem here, and then giving them a few solutions.
So that would be your approach to the business side of things as well, like when you’re talking to a business unit or a function?
Chani: Yes, I am always looking at the problem. I have this, within the company, this I learned from Toto Wolff. You probably know the Mercedes Formula 1 team principal. I’m a big fan of that team. Not because of who they are, but also the way they’ve won over the years and the approach they take.
They have this see it, say it, fix it approach to things. So when you see a problem, you have to say something about it, notify the right people and then address it and try and fix that option. So that’s how I approach life in my business as well. If you see a problem, say something about it, get that fixed. And then you’re not going around gossiping, ranting and then saying, this is not working, complaining. You stop all of that. Here’s the problem, say it, and fix it.
And also not blame the people, blame the problem. So that avoids toxic cultures. So if you start going around blaming people for problems, then that’s where the toxic cultures can start, and the blame game. Rather than blaming a person, blame the problem. We’ve got a problem here. We need to get that fixed. So that way people don’t feel like they’re being attacked personally.
So how you can do this is if someone makes a mistake, don’t go blaming them and firing them. That’s not going to help anybody. But kind of look at how can we fix this problem? Is it a problem with the skillset? A lack of training, or is it ego like you said? Then send them on to emotional intelligence training.
A lot of CISOs out there are working very hard to build up that security awareness and that positive organizational security culture in their organizations. Especially in this day and age when we’re all remote and building or enforcing cultures is very hard in the first place. How do you as a CISO support that, the positive security atmosphere in an organization?
Chani: Something I’ve noticed is that when you go into a culture, you need to understand the people. I always have the people process, then technology approach to things. If you go with a magic box, there’s no magic box to fix your security problem.
You have to first look at your people and understand how you can empower them to do the right thing in terms of security. It’s a matter of sometimes just clicking on the wrong link or the wrong attachment, and then boom, you’ve got ransomware now to deal with. So if your people are your firewall sort of, the first line of defense, then you can stop a lot of the attacks. This is not even thinking about technological controls.
So it’s really important that CISOs also understand the people in the organization. And when you want to get them involved in your security programs, they need to feel invited. They need to be kind of rewarded in some ways, and also they need to want to do that. Not like saying you must do this. If you give rules, people are really good at breaking rules. So you need to have that buy-in from the whole organization.
And then also simplify things. Because we are very good at confusing because we are techies and that’s what we know sometimes. And we will go with our fancy security words and people are like, you’re on a different planet, I don’t understand you. Right? I mean, I was doing a talk the other day, I was talking about patching. And then this lady from the audience came back and asked, “What is patching?”
And it just blew my mind thinking, oh my God, how stupid am I to think that people know what patching means? So things like that. Because it’s in our nature to know these technical terms, doesn’t mean that everyone else understands. Go and spend time with your accountant, for example, and try and understand what kind of vocabulary they use. Spend some time with your chairperson and try and understand what vocabulary they use.
So it’s a matter of not just going with lots of sticky security terms and systems and technology. Just trying to understand, simplify things. How do you simplify things and get that message across to everyone?
It’s not about impressing your peers, talking about the most complex quantum computing solution. There’s a time and place for that. It’s about how do you get your message across to a wide audience? If you can do that, I think creating that security culture is much more effective rather than just “Here’s the security policy, you need to comply with this sign here.”
And on that note, we’re going to wrap it up today. Thank you guys for being with us today.
Chani: Thank you.
That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter @CyberSauna with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.