EPISODE 076 — Translating Security for Your C-Suite
Episode Details:
Is your cybersecurity program seen as a roadblock or a launchpad for growth? In this episode, Dave Edminster, Practice Director of Cybersecurity Services at EVOTEK, unpacks how security leaders can reframe their role, transforming cybersecurity from a necessary cost into a powerful business enabler.
Tune in to learn how to translate “invisible success” (a.k.a. the absence of incidents) into a compelling narrative of ROI for your executive leadership and board.
Show Notes
- 00:41 – Security as a Business Enabler
- 02:33 – Building Inherently Resilient Systems
- 03:53 – Strategies to Reframe Security Away from Cost Center
- 05:46 – Renaming Security Teams
- 07:30 – Balancing Innovation and Security
- 10:02 – Communicating the Value of Security to Stakeholders
- 12:11 – Communicating Non-Financial Security Impacts
- 13:53 – Evaluating the Need for Cyber Insurance
- 17:51 – Demonstrating the ROI of Security Investments
- 19:37 – Metrics that Create a False Sense of Security
- 20:44 – Marketing Successes vs Deep Technical Skills
Transcript between Nabil and Dave
Topics Covered: Changing how we perceive cybersecurity, integrating technology and processes, effectively communicating the value of cybersecurity, and how the latest cybersecurity leaders are using communication to advance their success.
This transcript has been edited for clarity and readability.
Nabil Hannan: Today we have with us Dave Edminster from EVOTEK. Dave, welcome to the show. As we get started, can you tell us a little bit about yourself and where you are today professionally?
Dave Edminster: I am the practice director of Cybersecurity Services at EVOTEK.
That means that my team is responsible for delivery in cybersecurity architecture, cybersecurity engineering, and we also do work within my practice area of executive advisory components. We do have other practices that focus on that within EVOTEK.
I’m post-sales delivery, so that is what I’m responsible for.
00:41: How should organizations rethink security beyond a cost center, and what guidance can help reframe its perception today?
Nabil: Given what you do on a day-to-day basis, I’m sure it’s no surprise to you that people often view security as a cost center. What advice do you have for people on how they should think about security as a whole? And more importantly, is there any guidance you have on how to reframe the perception that’s out there today?
Dave: Yeah, it’s always a challenge when leadership sees cybersecurity as a place where money disappears, and questions what benefit it’s bringing.
We’ve all known for many years that prevention is going to be more successful, bring more cost savings, and be more cost effective as a preventative form than it is after the fact. We talked a fair amount about pre-cybersecurity incident versus post-incident.
It’s going to be a 10X cost increase at minimum for an event after the fact. If you are preventing it, you know it’s going to bring far more cost savings.
Now that’s easy to talk about, but it doesn’t necessarily resonate with leadership all the time because you’ll have leadership that will sometimes ask: Where is our money going? What are we spending it on?
There are a lot of narratives you can take, but I do like to eventually point out that a successful cybersecurity program is keeping your name out of the news. That seems to start to resonate with leaders when you understand that getting in the news for a bad reason is terrible. The optics are awful.
Cybersecurity is one of the ways you help prevent that, not to mention actually preventing the loss of data, preventing a breach and all the money that might go with it.
02:33: Beyond reputational damage, what broader impacts can data breaches cause, and what approaches are working to build inherently resilient software, hardware, and processes against security issues?
Nabil: With that being said, and the perception of security being a cost center for many companies today, are there things other than the reputational damage itself that you can have from a data breach? Are there other things that you think people are doing well today to basically build software, hardware, and processes for businesses in a way that is just naturally more resilient to security issues?
Dave: I think, to a point, a lot of the industry is converging in ways. There’s obviously API integration and technology integrations; acquisitions are affecting that. There’s far fewer tools today that are standalone and just do their one job and don’t talk to anything else.
I mean, with the advent of SIEM, SOAR, and everything related to it, everything’s going to talk together. I think that’s a convergence story where the technologies and the processes all need to work together better and that actually can result in an increase in efficiency and increase in effectiveness and can be a reduction in cost.
If an entity is looking at the big picture and rationalizing those tools, I think that’s, for lack of a better word, synergy, that can come in and inform the programs too. I think that’s where you start to see infrastructure teams and security teams and maybe data analytics teams, depending on what’s going on in the client environment. They need to start working together and not being so siloed. I think the tools can help inform that, and then the processes can too. Ideally, it’s a better together story.
It’s not ‘We’re all going independently and fighting each other.’
03:53: What strategies and starter techniques can reframe security teams from roadblocks and cost centers to business enablers?
Nabil: There’s also this perception that security teams are always the team that comes and says no, and they’re often treated as just a blocker instead of a business enabler. What are some strategies you’ve seen work well to change that particular perception, not just it being a cost center, but changing the perception of security always being a roadblock?
And are there certain techniques that you typically recommend people to start with, given your experience in doing so?
Dave: You can start in several different ways, but I like it when you can actually start to break down those silos and barriers between teams.
One, we have to actively work to change the perception and internal monologue about security being the department of no. It’s got to be the department of “No, I can’t do what you’re asking, but tell me what you’re trying to do.” IT has to become an enabler.
If you’re talking to leadership, I think it’s really key to let leadership know, if you’re in a cybersecurity role, that you don’t see it as the ‘department of no.’ You see it as an enabler.
This is the department that has to help us all work together.
I like to say, from a leadership perspective, we can’t be the reason business doesn’t function. We can’t. I find leadership tends to resonate with that messaging.
You’ve got to really walk the talk then, and talk to the other teams, go to infrastructure, go to those other teams and work proactively with them, not just get a change request and say no and then send it back.
Mature your team members into giving meaningful responses. It can’t just be no and we’re done. It can be “I can’t do what you’re asking. Please tell me more about what’s going on and I can try to help you find a solution that will work.”
05:46: How much impact does renaming and repositioning security teams (e.g., “offensive” to “proactive”) have on organizational culture and perception?
Nabil: There’s a trend that I’m starting to see in the industry around security teams, and it’s around how they’re naming themselves. We’re starting to move away from naming of the team that often seems very harsh, like offensive security team often comes off as very aggressive in nature, and I’m seeing more and more teams renaming themselves to something like the proactive security team.
I’m curious from you, how much of an impact do you think just renaming and repositioning what your function does has on an overall organization, especially from a culture perspective?
Dave: I think it can be helpful, but it’s got to be thematically true for everybody in the role. It can’t just be now we’re the ‘Department of Success’ or the ‘Department of Unicorns.’ Everybody has to buy into this.
As a leader, you’ve got to make sure everyone understands that we’re going to be the enabler here. That means you’ve got to be proactive with working with other teams.
This actually loops back to what we’re talking about earlier too: there are no technical roles now that are just someone sitting in a basement at a desk doing a job, not working with a machine, or if you will, not working with people. They’re all people jobs.
I think maturing our own team members to understand that and proactively work in a cooperative way is key. And I think that goes back to the thematic change. If you’re going to change from, say the ‘Department of Cybersecurity’ to the ‘Department of Enabling Cyber Success,’ you’ve got to have everybody walking that same talk.
07:30: How can organizations balance innovation and agility with strong security, and what recommendations enable teams to innovate while staying secure?
Nabil: There are two competing forces when it comes to thinking about security. I believe the core belief people have is, if you focus too much on security, maybe you’re limiting yourself from innovating and being able to be more nimble and agile in what you’re doing. What recommendation do you have for people on how they should think about that? That challenge of two completely opposing concepts. And second of all, how do you think we can enable organizations to both innovate while staying secure?
Dave: I think it’s a better together story. If we’re talking, say, application development that tends to be done in its own world, getting an application functioning, and then security becomes an after-the-fact when there’s a finding: a scan, a pentest, a vulnerability or something, and then the security team should be working with the developers to fix that.
We all know that developers are not measured by fixing vulnerabilities. They’re measured by features and getting those features out the door.
So, they’re absolutely in conflict.
I think it’s helpful if you can get involved in the conversation earlier so you can educate that developer, or developers, and have some knowledge yourself from the cyber side, such as how is this going to impact your workflow? If we can shift left in an effective way early, it should reduce friction. It should actually make their job easier.
If we communicate that to them as a developer, or a team, saying, “Hey, if I’m involved early enough here, we can avoid some landmines right away, so you’re not talking to my team months later going, ‘Why am I trying to fix this thing? I just need this program to work.’”
I think that’s true of any infrastructure, any application, any of those functional components of the business like talking with cybersecurity proactively, cooperatively.
Again, I want to go back to the point that IT can’t be the department of no.
Nabil: A common thing I’ve been talking to a lot of people about is the concept that if you’re a business that is being successful and is also secure while you’re being successful at what you’re doing, often there’s nothing to show for the success of your security efforts.
You can make a lot of investments in security, but your success in a way is almost invisible.
When you’re doing things correctly, nothing happens. There’s no actual tangible thing you can show and say, oh, because of my cybersecurity investments, I have these new features that are also enabled, or these new things that I’m able to do faster. It’s more because I’m secure, nothing happened. And that’s why we didn’t end up on the front page of the news, or we didn’t have our data breached, or we didn’t have our customers compromised somehow.
10:02: What are effective ways to communicate the value of security investments to different stakeholders?
Nabil: With that being a challenge, what are some effective ways to communicate the actual value from the security investments you’re making to the different stakeholders?
Dave: A large part of it, I think, goes back to the optics discussion again. We’re not in the news. We don’t have our data going out somewhere. We don’t have a regulatory component.
If we talk, say worst case scenario, ransomware, the money involved is tremendous. The outage is tremendous; the data leakage is tremendous. And then when you remind leadership at times that if you’re a publicly traded company, this is going to affect your SEC filing. This is going to be something you will have to report. It’s going to be something that insurance is going to be impacted by.
It’s this whole snowball effect that if I’m cybersecurity, if we’re cybersecurity, and we’re doing it well, it’s avoiding all of those financial impacts, those optics impacts. I mean, if we’re going to be blunt, there are some people who may lose jobs over a breach of significant enough size. There are individuals that will have skin in the game.
Additionally, depending on what rank they’re at within the C-Suite, they can be held personally accountable for a number of these things in terms of how the federal government has looked at some breaches. If they declare it is grossly negligent on the part of a CISO or someone along those lines, there are some CISOs that are in jail today because of those kinds of findings.
Again, money always talks.
There’s a big part that it’s like, hey, individually, you have skin in the game, and ideally, you’re doing the right thing for the right reasons. You’re protecting your own user base. You’re protecting your customers in that you don’t want their data being leaked.
That’s something I think we should always look at: there are lives being affected by these cybersecurity incidents. It’s more than just the money.
I mean, is somebody going to lose a mortgage, or is somebody going to have a record or personal information, or identity theft as a result of these things? I think we need to be good stewards with all the data we have both for our own employees, but for our customers too.
12:11: What practices effectively communicate non-financial security impacts to C-level executives and boards?
Nabil: Are there any specific practices you’ve seen where it’s very effective in communicating that specific non-financial loss or damage, and how to articulate that effectively to different types of like C-level executives or board members?
Dave: Yeah, I think it depends on the audience you’re speaking with, but telling them of the legal findings at times and saying, hey, these people have been found personally responsible for some of this. They’ve been personally fined for some of this. That starts to get people’s attention.
Something else that I find if you’re trying to move into a culture of security with an organization from top to bottom and having everybody be aware of cybersecurity, I’ve seen a number of times now where individuals, employees, have lost paychecks because of a breach of some sort. Any number of ways that goes about.
But interestingly, what I found got people to pay more attention was that they had skin in the game. You could personally lose a paycheck or two.
And depending on the nature of the breach and the state that you’re in, your employer may not be required to make that right, depending on how it went.
I’ve seen a couple of times where someone has lost a paycheck, and the employer made it right, even though the employer was not the one that was responsible for the breach, per se. Then that same person lost another paycheck and the second time the employer did not pay them. So they’re out. And that got their attention very quickly.
That was the moment that those team members were attending trainings, they were listening to cybersecurity, they were taking it personally because they now personally have skin in the game. It’s not just, the business will take care of this; this is a corporate problem. No, this is a personal problem.
13:53: What role should cyber insurance play in a cybersecurity strategy, and how do you view relying on it for breach protection?
Nabil: If I can extend that a little bit, I would love to get your perspective on how many people often think of cyber insurance as being what’s going to protect them in the case they have a breach. What’s your opinion on that type of a point of view, and how do you envision the role that cyber insurance plays as part of the cybersecurity strategy?
Dave: It’s a must-have, for one, because everybody is at risk for an event of some sort. It’s another protective layer. But we always have to remind everyone that insurance, one, is not there to prevent something from happening, of any kind.
Insurance is there to try to restore things after an event has occurred, be it, auto insurance, home insurance, or what have you. Cyber is no different.
It helps you bring things back to an operational state somehow. It doesn’t undo the damage. So, it’s not a preventative barrier. It’s a necessary function.
But I think a lot of organizations, if they haven’t gone through tabletop exercises to understand what a breach could be like, what really can invoke insurance; when does it come into play?
The moment cybersecurity insurance is involved, the entire game changes. And now the organization has to focus on trying to restore services if they have an outage. They also have to preserve evidence. So if you’ve got systems that have been breached, or evidence of breach, you actually, from a cybersecurity perspective and a legal perspective, can’t necessarily restore those. You need to keep them in the state they were in when the breach occurred.
There’s an additional cost multiplier: hey, if you need an organization to get back up to operation fast, you may be rebuying all new infrastructure to do that while cybersecurity insurance is investigating the nature of the breach, because their job is to find out what happened and what they are liable for from a cost perspective.
You end up with this interesting part where I think leadership thinks, in some organizations, we can just invoke cybersecurity insurance. They’ll pay the ransom, or they’ll pay us, and we’ll get back up and operational while we’re doing this. No, it’s like everything goes on pause for a while, so can your business keep operating while cybersecurity insurance is pausing your business? That’s a real struggle I think most organizations are unaware of until they have either had to go through it, or they’ve worked with a partner and actually gone through these exercises to understand, prepare, and build a runbook for this.
Nabil: I think another piece there that people often overlook is that your cyber insurance premium and coverage has a limit. The damage itself may exceed whatever limit you have on your cyber insurance coverage. So you may still have challenges beyond that: even if, let’s assume, the cyber insurance company pays out your claim, there may still be loss and damages that you have to deal with because they weren’t covered within the limit of the claim itself.
Dave: Exactly. And we all know those premiums are likely to go up even if nothing has happened. There are some cases where an insurer will go through the payout process like you’re saying, and then they’ll drop coverage. They’ll say, all right, we’ve had it. We’re no longer going to cover you. You need to go find new insurance. And in a rare few cases, I can think of one some years ago, where the insurer just opted not to pay.
They said, yeah, you’re invoking it, and that’s within your right. We’re going to deny the claim, and you can go ahead and sue us, was their approach.
I think that also can be a framing moment for leadership to understand that you’re not guaranteed to get, just like you’re saying, all the money that is required for this incident.
You may not get any if they’re going to just say, yeah, we think it’s a better choice for us if you just sue us.
17:51: What methods effectively demonstrate the ROI of holistic cybersecurity investments (e.g., cyber insurance, SOC, EDR/MDR, technologies)?
Nabil: If we shift perspective a little bit, organizations are making all these different investments, whether it be cyber insurance, security operations, EDR/MDR, and all these technologies to help have a more holistic cybersecurity initiative.
What are some methods you’ve seen work effectively when trying to demonstrate the ROI of the security investments that are being made?
I know it’s a hard question to answer because it really depends on the situation, but I would love to know from you if there are certain things you’ve seen that have been used very effectively to show the return on investment for security.
Dave: I think a lot of it can be the consolidation, because there’s typically been sprawl of tools. So, if you can invest wisely, and continue to reinvest, because no organization can sit statically, there is no done with cybersecurity. It’s always a moving target. So how do we go further? How do we do more with less? How do we improve efficiencies?
That’s always going to be a good talking point. But because it goes back to what we talked about at the very beginning about optics, about “we’ve been successful and haven’t been in the news,” that itself is an ROI.
I will always go back to ransomware incidents when they occur, because those are going to be 15, 20, 25 times the cost.
Prevention is always going to be less costly than an incident.
If we’re going to use analogies, I might use medical as one. If you can prevent cancer, it’s going to be a better life experience for you. It’s probably going to cost you less than if you let cancer grow to something terminal and have to deal with it then.
And it may still not work.
19:37: Which ROI metrics in cybersecurity create a false sense of security due to poor context or misuse?
Nabil: Are there things you see people try to use as an ROI, but it’s actually giving them a false sense of security because they’re not really thinking of the metrics in the right context?
Dave: I’ve seen in my career what we kind of call blinking light syndrome: the newest, latest, greatest something that’s flashing and interesting, and a leader or a cybersecurity individual may say, I want that tool. It may be a great tool, but if it’s not something that’s integrating with the other tools in your stack, or it’s not rationalized, how useful is that tool?
Are you just spending money on a tool that’s not doing what you need? Did you buy too much of a tool? You don’t necessarily need the giant biggest, latest, greatest tool if you’re not using 90% of what it can do, or you don’t need it. Why spend that much money on it?
Find the right tool for the job, find the right tool for the client ecosystem, for your ecosystem, and then go through a tools rationalization. See where you’ve got gaps and see where you’ve got overlaps, especially if it’s in an area that’s got mergers and acquisitions because you’ve probably inherited some technology that’s being used somewhere that overlaps with something else.
20:44: Are top security leaders succeeding more through communication and internal marketing than deep technical skills, and what guidance would you give new CISOs on how to get started with that skill set?
Nabil: Is there a shift you’re seeing today? Because I’m seeing this type of shift, but I’m curious what your experience has been where I’m recognizing that some of the best security leaders are actually best at what they do not necessarily for their deep technical promise, but more because of how effective they are at communicating and marketing both themselves, the program that they’re building, and what their team is doing.
Dave: Absolutely.
Nabil: I’m curious what you’re seeing out there and any guidance for people who are going into new CISO roles and executive roles, running security initiatives, how they should approach getting started?
Dave: I agree with that. In my own career path, it’s moved from a deeply technical role to something that’s more athletic, if you will. And I see this in a lot of areas: instead of somebody who’s a really deep subject matter expert in one area, we’re like athletes, someone who has done a fair amount in lots of different technical disciplines, because they can stitch together the bigger picture and see how this interacts.
They’re the kind of team members that will often engage quickly and they’re like, yeah, I don’t know that technology specifically, but we can pick it up and run with it and learn.
But it’s also been the communication part, because I think this has been true in IT and security for years. You’ve got to be able to communicate to people, be it people submitting tickets and requests or C-level and leadership and boards, because you’ve got to help them understand what’s going on in the ecosystem and why it matters.
If we get too technical with the C-level executives, they’re just going to gloss over it.
You’ve got basically a paragraph’s worth of content to talk to them, and if you haven’t really conveyed something meaningful at that time for them to pay attention to, it’s not going to change.
I believe very strongly in the collaborative approach and that athletic approach from an expertise perspective.
A piece of advice I would give to anybody that’s either in the leadership role or growing into a leadership role in cyber is give presentations, talk. Something that I think is a skill that is not focused on in the technical world is communication.
Effective communication is going to make you better at your job and better at communicating with the organization as a whole; why it’s important and how to be successful. You know how to consolidate this concept to something digestible and get investment.
Nabil: Before I let you go, I have a couple other off-topic items than what we’ve been talking about so far. The first one is EVOTEK is a partner of NetSPI’s. Can you share with us a little bit about what EVOTEK is doing with NetSPI today?
Dave: My practice specifically is around cybersecurity services, but we have our other practices, which are networking, we have data center, and we have platform.
So there’s areas where I think the NetSPI tool can apply to many of those.
We’re using it from either a discovery perspective on my team when we can do a POC to see what it can show from an attack surface perspective, so that shows value from our side. My team gleans information from that, but the client also sees the valuable data that comes out of that kind of tool, and its ease of deployment is a big part of it.
Anyone that’s done a POC and POV and it takes weeks, knows that if you don’t get it done quickly, it’s going to stall. I like the fact that we can do a POC in a couple of days and get something meaningful. That’s something we on the EVOTEK side are doing with NetSPI.
Nabil: Love it.
Then my last question for you is, we like to get to know our guests and what they like to do outside of security and their day-to-day jobs. Anything you want to share about what you like to do for fun outside of your work?
Dave: I’ve been involved in Brazilian Jiu Jitsu for a few years now.
I actually find that it’s kind of become my therapy and my meditation because once I’m there on the mat, I don’t have my phone with me, nobody who’s not in the school at that time can get a hold of me. I’ve got 3-4 hours where cybersecurity and the world’s crises can’t interrupt me. I can just focus.
But also, for me, it’s a life lesson: get comfortable being uncomfortable.
And Brazilian Jiu Jitsu will definitely do that to you. It will help you understand that you can endure more than you think you can physically at times.
I’ve also been playing lacrosse for about the last 10 years, both indoor and outdoor lacrosse. I think I kind of focus on some physical activities when I’m not doing work because it’s a very different use of my mind and body when I get the chance to do that.
Nabil: Love that. Well, thank you so much for being here. It certainly was great having you and hopefully we get to hang out again sometime soon.
Dave: Yeah, I look forward to it. Thanks for having me.
Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.