The Biggest Challenge Facing CISOs Today – and the Key to Winning

In a recent episode of Agent of Influence, I talked with Miles Edmundson, a 30-year veteran in the IT and Information Security space. Miles started as a security consultant, was Carlson Company’s first global Information Security Manager, worked for the largest crop insurance company in the world, and served as both the CISO for Ceridian as well as the US CISO for Equinity. His last 12 to 14 years have been in the financial services industry. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

“Exploring” the Network Neighborhood

To start, Miles shared an interesting story about how he first stumbled into and became interested in cyber security.

He was curious about how networks worked and saw an icon on his desktop that said, “network neighborhood.” He clicked on that and it took a while to populate, but he started to see over 2500 different systems. As he was looking at them, he realized he was seeing the entire client server system for all of Weyerhaeuser, his employer at the time. It became clear to him that there was a consistent naming convention by location, job title, etc., and so, within about 30 minutes, he was able to find the CFO’s machine and access sensitive information, including executive salaries. He reported the finding to their IT team, but this was the beginning of his career in cyber security.

Miles shared this as a lesson to security teams everywhere that exposing sensitive information doesn’t always require having a very high degree of skill. There’s a misconception that you have to be super skilled to break into systems, but in many cases, there are simple misconfigurations that can cause a lot of these problems and don’t require a lot of skill for someone to break.

Where to Focus When Starting a New Senior Level Position

In the early 2000s, Miles made the transition from consulting to being a practitioner, first joining Carlson Company as the Global Information Security Manager. He was the only person on this team in a brand new role and his budget the first year was $100k, which was already earmarked for a specific project. He was at Carlson for three years and by the time he left, the department budget had increased to $3.5M.

I’m always curious to ask CISOs and senior cyber security leaders about how they start in a role and prioritize areas of focus. Miles has two key areas of focus when he starts new senior level positions, which are obviously dependent on audit findings, regulatory issues, number of employees, budget, and more:

  1. He always wants to see org charts to know who’s who and how to reach out to different people so he can start trying to build relationships with people.
  2. He also wants to see any audit reports or regulatory reports to understand the underlying issues the organization needed to focus on.

Keys to Relationship Building

Relationship building is extremely important, not only for your personal success, but also the success of your team and entire company.

Miles shared a story from the book, Good to Great by Jim Collins about people who are excellent in their field. One of the people highlighted was a hotel housekeeper, who when interviewed, didn’t say she was a housekeeping person at a hotel chain, but rather that she was a representative of her company, and she wanted to ensure that people were having a wonderful time at her facility – and she was doing all she could to make that happen.

When Miles was asked what he did at Carlson Company, he would often say that he helped promote world understanding, because Carlson was a leading player in international travel and he thought it was critically important for people to know that the world is much bigger than his local area.

Miles also cultivated relationships by asking questions – and listening to the answers. He didn’t tell.

He was very conscious to be a good representative of his organization, his company, his state, and his country.

Biggest Challenge Facing CISOs Today

Keeping up.

Miles believes the biggest challenge facing CISOs is simply keeping up with all the requirements. In many respects, the role is responsible for juggling a number of different items all at the same time, and receiving constant requests from regulators, compliance teams, auditors, and customers. And CISOs have to meet these requests all while being constrained by budgets, personnel, talent, and more.

In addition, CISOs are effectively on call 24/7/365.

Advice for CISOs

Over the years, Miles has subscribed to a couple quotes that he shared that could be good advice for many things.

The first was from Teddy Roosevelt, President of the United States from 1901 to 1909, and he said, “Do what you can where you are with what you have.” Miles noted that you can only do so much with what you have – and so, do that.

The next quote is from Winston Churchill during World War II, and the paraphrased quote is, “Never, never, never give up.” This served Miles well in his career and he passed it along as advise to senior leaders.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Is your organization prepared for a ransomware attack? Explore our Ransomware Attack Simulation service.