Afternoon Cyber Tea with Ann Johnson 1.20.26
Ep 123 | 1.20.26

The New Reality of the CISO Role

Transcript

Ann Johnson: Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today, I'm joined by David Gee, a seasoned CISO and CIO who has spent more than two decades at the intersection of cybersecurity, technology, and risk leadership from HSBC to Macquarie Group. David is now a board advisor, a non-executive director, and author of both "The Aspiring CIO and CISO" and "A Day in the Life of the CISO." David, welcome to Afternoon Cyber Tea.

David Gee: Afternoon, Ann. How are you?

Ann Johnson: So let's start with a big theme from your book. I think it's a great place to start. There's this gap between theory and reality. You have mentored and interviewed many current and many aspiring CISOs. What is the most dangerous assumption you see new CISOs making when they step into the role?

David Gee: It's a really good question. The -- for many people and one of the -- one of the CISOs being from New York, actually quoted saying, "To fail in your first CISO role is maybe normal." And so I think there's a -- this whole idea around imposter syndrome and all of us having to grow into our roles is very true. You know, I mean, because every time you step up into a new role, whether it's a CIO or CISO or anything, there are new dimensions to learn, and so there are things that you don't understand, don't learn, you haven't had the experience or had the opportunity to maybe demonstrate the behavior that is required in that role. And so for me, that's actually part of the growth. And so trying to embrace that and reflect on yourself and how do you then step into and start to be more comfortable in that uncomfortable situation is really part of the growth.

Ann Johnson: I think that's right. I think embracing the uncomfortable is hard for a lot of people, especially when you step into a job like a CISO, and you feel like you're expected to know everything and make all the decisions and be the senior -- most senior leader. And when people embrace the uncomfortable, you actually give the space for folks to help you along, right?

David Gee: Absolutely. I remember there's one other chapter that I'd highlight with a -- on a book launch I'd been to a few weeks ago, and we had a few different CISOs there. One's the Westpac CISO from Australia, who's the number -- probably second largest bank in Australia, and he said, "I was an accountant who moved into cybersecurity." And people were like, "What?" He'd been in his office 16 years in the Westpac CISO role. And then the person next to him, Catherine Rose, said, "Well, actually, I was a lawyer who moved into regulatory and compliance and then pivoted into being a CISO." So we all come from different backgrounds and -- but what you bring with that is a different skill set. In her case, she said, "I was really great at stakeholder management and logical thinking, but I didn't know the tech. I had to learn the tech or have people around me that were really good at that and embrace the fact that I wasn't great at that side, but I had to learn that side."

Ann Johnson: I think that's right. And Richard is one of my favorite people, by the way. I've known him for -- I don't know -- 20 years. He's a great CISO.

David Gee: Oh, definitely. He's got a lot of humility, and he talked a lot about his team and how being at the front -- in his chapter, he talked about the personal resilience, crew resilience, but also, how do you get the team to understand that when bad things happen, I'm going to be leading from the front. I'm not going to be in the back watching you. I'll be making sure that I stand with you.

Ann Johnson: Yeah, exactly. Well, you have lived this across industries. When you were seeking contributors to your book, what did you find most of them thought the job was going to be? And what did they learn it really demands once they've been in the job 30, 60, 90 days?

David Gee: Well, firstly, I'd say that most CISOs and leaders in the space are kind of shy. Maybe shy is the wrong word. They're busy people. So getting people to want to contribute is hard because they're not outwardly looking. They're so worried about doing their normal job. There's a few basic lessons there and -- that everybody has to understand that you can't please everybody. And so -- but also you can't be seen as the puppet of no. You can't be saying no, no, no to everything. And so, on the one hand, you want to protect the organization, but your job is to help enable the business and not just block things. I often talk about the fact that you can -- got these three constraints. You're there to, number one, defend against the biggest risks. And there's lots of things coming at you. But how do you define what the biggest risk and make sure that you have clarity around that? Because what's on the table, what's on the metrics, what's on the road map may not be the biggest risk. It may be what the regulators asked for or people have pushed you to put on that list. And so having that clarity is important. Second thing, of course, is that whole customer experience piece. How do you make sure that you're working with your business peers and your teams to figure out, I want to be able to improve customer experience in terms of being safe, but also we need to patch these things too and work with the fact that what we do disrupts the business. So how do we make sure that's not lost in the whole exchange? The whole -- to me, the whole DevSecOps, for example, right, is important. People often will just focus on DevOps. And thirdly, then, how do you then balance that in terms of that order, the compliance aspects? Because we don't want to be necessarily getting a high distinction on the compliance, but we need to be making sure that we right-size in getting it right to the right point of being able to pass the test. 
And again, that order of biggest risks, then customer experience, and then compliance.

Ann Johnson: I think that sounds right. And also, it leads into this, the CISO can sometimes feel like they're responsible for everything, but they actually own nothing. So how does the CISO reset these expectations? How do they make the role sustainable and communicate with their boards, with their leaderships, and even convincing themselves that they actually need to focus the job in a way that they're effective?

David Gee: We all struggle with that, right? We want to take on more because we recognize that if -- let's take an example. If things screw up in that world over here, it could be, you know, this new AI projects. If we don't get engaged in that, actually, when it does screw up, it's going to be our fault, and we blame, so, but the way to think about this is actually that this is being a team sport, and I think data security is a great example. I remember doing my past roles where you'd sit there with a CIO or CISO or a chief data officer and all the C-suite people and say, "Okay, so we've got this data security issue, and who owns this thing?" And they'll point to each other and say no, well likely you're wrong. It's all of us. We need to own parts of this. And so if you're the chief data officer, you own the classification piece, and I'll help you with identification, and we need to protect that, detect that. And the chief information officer or CTO needs to make sure all of the backups and the restoration process. So there's a bit of a team aspect to this. So how do you make sure that across the world, you know, the whole spectrum of that business and technology side, people understand that you can't do this by yourself as a CISO? You have got this title, but actually, you know, you will fail if you just rely on myself to do this role and my team. It needs to be everybody in that risk culture embracing this whole piece.

Ann Johnson: I think that's right. You've also written about -- it's a good segue into how you've written about defensive CISOs, right? They're protecting the environment and also strategic CISOs. As leaders mature and as they learn to operate, why do you think so many still struggle to be durable long-term CISOs?

David Gee: It's a really tricky one. I think this -- the environment, if you look at the environment, okay, the environment's harsh. The regulations coming out are definitely challenging, and you get -- an incident could actually invoke three or four different regulations, okay? So -- so it's not easy for the CISO to deal with that level of stress. At the same time, from the top down, from the boards down, do boards get it? Do boards really understand that? And I go to a lot of board briefing sessions, and I was in one a few weeks ago where there's a -- here in Australia, there's a thousand board members, and I was looking around the room and thinking, actually, on the agenda, it's all AI and cyber and maybe a little bit of green energy, okay? So three topics. But around the room, most people are trying to understand this because they actually got a non-technical background. And so to me, the CISO gets asked the wrong questions often, or the CIO gets asked the wrong questions to answer. And so we often will be dealing with favorites of -- or funky things that may not be the biggest risk to deal with. And so I think the CISO being that technical person, having that technical background is important, but then, you know, the board needs to be convinced that you understand their strategy, the business strategy, and then how do we risk buy down and how do we make these trade-offs between we're making this business transformation in the next two or three years or four years, and we need to take this business risk of not making these changes to legacy. That's a hard trade-off, and for someone to articulate that and for them to understand that is tricky.

Ann Johnson: I think that's right, and I do think that what you said really resonates, that there's so many regulatory issues coming for the CISOs that it's sometimes hard to think more strategically when you truly are in defense mode and also trying to make sure you're compliant. Let's talk a little bit about the future of the CISO role, and we'll touch on regulation again, of course, but I recently wrote about what I call the CISO imperative, which is how the role is changing from one of control to one of influence, especially when you think about AI and the regulation we talked about and resilience that are reshaping landscape. Building on what you've seen in your own journey, how do you think the CISO role needs to evolve from here to stay relevant?

David Gee: Look, it's increasingly tricky. I made a comment at this keynote last night that actually I've seen two banks in Australia where they've actually split the CIO role into two, and they put the CIO over here looking after cyber and infrastructure and engineering and the chief data officer looking after AI, data, and digital. And so influence becomes more important because you're no longer in the same line, okay? So at the same time, I really reinforce the fact that in this AI era, your job as the CISO is not actually to be a spectator. Your job is to be in the game, and which means you need to be thinking about saying, "I want to be making sure that I'm onboarding all AI. I'm working with the business people to not be reacting to their requests, but actually making sure that I'm the person helping." There's a thinking around, from the NVIDIA -- Jensen Huang earlier this year said IT will be the HR department of AI in the future. And what he meant by that, I think, was actually that you will onboard, that you will make sure that they come on. They're recruited the right way, trained the right way, and not have this sort of shadow AI thing happening. So that whole responsibility that you see in HR policies for people would be duplicated around hiring, firing, recruiting, promoting, being counseled. All that whole process is what you should be saying, "I want to make sure that humans and AI work well together." How do I help orchestrate that both in the ecosystem for vendors, but also within my own organization? Because there will be conflict between humans and AI bots. They don't work well together, or there's maybe some sabotage, or we get so concerned these bots tend to slow down. So how do we make sure that happens well, and then how do we become oversight for that versus being a spectator on the sidelines?

Ann Johnson: Yeah, and I think that's right. I think that CISOs, it's becoming, in a lot of ways, a much bigger role, but I also think if CISOs really embrace a leadership aspect versus if we must do everything aspect of it, they become more effective, right? It's about who they surround themselves with.

David Gee: Yeah, and it's hard to do that because you need to be in the game, but also then not trying to take on all things on your shoulders because that's a false paradise in a way. And trying to get that balance right and working with your peers.

Ann Johnson: Exactly. So you've worked closely with a lot of boards over the years. What changes are you seeing in how boards perceive cybersecurity, and how does that change how the CISO is prioritizing in their role?

David Gee: I think boards are afraid of cybersecurity still. I think that's probably the position. I'm hearing more and more board members -- and you see this in the sessions I go to, where they look on stage and there's the board members from three companies, and actually, I know two of them have been hacked in the last four or five years. So they kind of get the aftermath, they kind of get the incident. And so they kind of understand that, actually, this is a bad thing. Now, the tricky part, of course, Ann, is that then what do you do about it? How do you then provide that guidance, direct the organization in the right fashion? So, for me, I think it's a challenge. In this AI era, it's a challenge because the threat landscape, you'd say, has doubled. There's lots of new attack vectors and controls -- I'm going to call them controls -- that are continuous now and may not exist in your current format. So how does the board understand that? Because the board sees the upside around AI and AI productivity and all that promise. So I think there's a real interesting challenge for board to get that and embrace that and try to get their arms around it.

Ann Johnson: That makes a lot of sense to me, and it also brings me to a question I wanted to ask you about AI. What do you think CISOs today should be thinking about how they integrate AI into defense and also potentially into their governance models, given we do have a proliferation of AI across companies, right?

David Gee: We have to do that. I think we've all seen, in the last few weeks, these Anthropic examples in thirty companies, where it's gone from reconnaissance through to escalation of privilege through to lateral movement. And so, to me, evaluating is a good thing. And so, to me, it's a -- and portfolio aspect to this. So I think the portfolio pieces, okay. Look at agentic AI to take manual toil out of your system. Take that savings and put it into things like the SOC and penetration testing, other areas. But it's great, you're not going to get a new set of new budget or new set of resources. You need to then work around, "How do I take what I have in my pot and make it better? And I can't wait to -- and it'll be too slow because it's been proven from the Anthropic example that they're going to use AI against me, but I'm still thinking about how to apply it." So accelerate that process. Twenty-twenty-six will be a true focus around accelerating that process and then applying all AI and agentic AI to my processes to play catch-up so we can start to be maybe on the front foot.

Ann Johnson: Yeah, I agree. I think it's pragmatic application today. Where can you get the most value out of agentic AI and applying it there. And where do you have the biggest gaps also? So let's talk about mentorship in the role of the CISO because we do need to prepare for the next generation of CISO. The CISO role is becoming more complex. There's more demands on it. We're long past the days where the CISO needs to be the most technical person in the room. They also need to be a business person. They need to be a regulatory person. They do need to understand the future. They need to understand threat actors, etc. You have written about -- and I love the way you talk about this. You've written about a mentorship deficit. I would love to unpack that idea. What do you think is missing, and how do we start to fix it?

David Gee: Has to start with us. I mean, to me, it's about this sort of wanting to share and understand this community there, and the community is there to help you, but, you know, we know that when you're a CISO, it's a really lonely role, right? You've got to make these decisions. You've got to then not be able to show your stress. And so mentorship is important because when you're trying to learn to be a CISO, how do you have that -- learn that maturity, that poise, that ability to -- and these sort of soft things that you learn come from making a mistake. And so, to me, when I started writing about this, Ann, I started writing two books at the same time. Actually, my first book, "The Aspiring CIO and CISO," was sort of my whole stories around becoming a CIO and CISO and how I got there and how do you build yourself to there. And then, as I was writing that book, I thought, "Actually, this is kind of -- I like this, but actually, how do I get other stories?" That's not just David speaking, but others. And I thought maybe I'll get 10 or 20. I got -- I ended up with 20, 28 people contributing. But so -- it was then -- how do you then weave all these stories together so they can start telling -- I said, "Look, I really want to make sure that if Ann is providing a vignette of stories to me, I want this to be the -- not a glossy corporate affairs thing, but more around what you wish someone had told you at early in your career." And it could be different stages of your career. And so, to me, mentorship happens at all levels, not just for the newbies, but also in mid-levels, and even senior people need to learn in others. And so that's important to reinforce and give us courage to know we're doing the right thing, or just validate that we're on the right track. Because we are often working in the dark with very little information or incomplete information, and very demanding stakeholders that want it now.

Ann Johnson: What do you wish that you had learned earlier in your career that someone had told you?

David Gee: Gosh. Probably many things. One thing I reflected on my book, and I see this in people I work with, good CISOs and good leaders are good at priority management. They're really good at picking out what's really important, one, two, three things to do today. Now, to me, priority management and time management are not the same things. Priority management is more strategic. It's more figuring out these are more important. Time management is all around just tactical, trying to get, like, through the day and get the most out of your day. They are related and subtly related, but to me, the priority management piece around figuring out and being very mindful about that, Ann, I think is important because the mindfulness and reflection helps you get to the clarity in your mind around what three things I must do today, and then I can go home or try to go home. That's important because we, at this era right now, we're just so busy looking at our phone, looking at our devices, reading media materials, and not allowing ourselves to be bored, to have time to think about things. I think that's really the key. When you have that ability to think about things and reflect on what's important, you can often make the right decisions.

Ann Johnson: I completely agree, and I do think that being able to focus on what's important and understand what's important is probably the most important thing because, you are, as a CISO, it's chaos at times, and you really have to show leadership through that chaos. Do you think the mentorship gap we have today is a pipeline problem? Do you think it's a cultural problem? Or do you think it's just that people are so busy they don't have time to mentor?

David Gee: I think all the above. Definitely, people are very busy. I had a diagram in my book, and I talked about a day in the life of the CISO, and how all these things coming at them -- incidents, regulatory, different demands -- and there's probably one in the corner here that says "coaching, developing your team." And I often would say -- when I did keynotes, I'd said, "Actually, you know what? These other things -- finding ransomware attacks, third-party attacks, different things -- they're getting all your attention. All right?" Stakeholder management. How do you carve out time for your teams to build your teams? And, you know, that sort of thing is really important. So, to me, grow with your team, because you're only as strong as your team. And so I have a little algorithm I learned in my career, and which was as a leader, you come in, and you carry the team, okay? You can't always get a chance to rebuild it all from scratch. So let's take an example, right? So, Ann here, Ann works for me. Ann is really good. Out of 10, Ann is probably a seven to an eight out of 10, okay? On a good day, she can be an eight. My job is to make sure Ann is always operating at the best level she can. And then she works with David. Now, David is probably a five or six out of 10. I'll try to coach David to be a six. Maybe figure out whatever points that it can reinforce to actually make him an eight or seven if possible. So to me, as a leader, it's very simple. I've got to coach individuals to be the best versions of themselves and make sure they have great teamwork because if they have great teamwork, my algorithm, that mathematical formula, ends up with more output, more outcomes, right? However, if I get a star player over here, John, now, John's nine out of 10, but he's got really bad behavior. It's a minus sign, okay? So he doesn't add to it. He adds only his own piece only as an individual contributor. 
Now, going forward, I can see that the world we live in will be Ann, David, and John working with bots, David, and a bot Ann. And again, how they work well together and making sure there's a positive multiplication there and that the actual AI agents being coached as well to be their best version. That's leadership in the future. How do we get all these parts to work together and get great outcomes?

Ann Johnson: I love that. I used to say that -- and I say it occasionally now, but I find, I must say, as much that you can't put things into people that they don't have. You can make sure you're pulling everything out of them, all the skills, talents, aptitudes they have, so that they absolutely can be performing at their best. And that's your job as a leader, is to help people maximize their performance.

David Gee: And I think, Ann, it's interesting, what I talk about in my first book is that in cyber or in technology roles, we focus so much on what I call skills and knowledge, right? We focus so much on accreditations and doing courses and learning things. And skills and knowledge are really important early in your career, but to get promotions, it's all about your experience and behavior. How do you have the growing experience and doing a road map for a strategy for the next two years, or an architecture road map for that, or supporting doing a fusion center in two countries, or whatever it is? And that experience, plus the behavior, and actually saying no to things or saying no to your board or saying no to your boss. That behavior piece is what makes good leaders. And so, how do we combine the traditional skills and knowledge with the experience and behaviors that are really confounding and making you a great leader?

Ann Johnson: Completely agree. Let's do couple more questions. As you advise boards now and you advise leaders, what advice are you giving CISOs who are sitting in the chair that are trying to elevate themselves from being just an operational leader to really having strategic influence? What do you tell them?

David Gee: It often depends upon that person, and what I see is perhaps some difficulties and deficiencies there, okay? Because it'd place to place, but I think clearly a lot of CISOs are sometimes maybe afraid to tell their board that this risk appetite won't be green, that actually that things change or they're looking for some sort of this rating and that's maybe impossible to achieve because the whole world may change with new threats or new AI threats or whatever it is that are occurring. So to me, often we'll talk about having courage and conviction to be bold in your predictions, but also then give yourself an out, right, to say, "Look, we need to make sure that we get here and we have bold metrics that take us in the direction that we want to go to, because these metrics will help drive behavior." But we all, at the same time, also have to make sure that we understand that we need -- from a team sports stand, we need the whole team to work on this stuff; otherwise, it won't work. So give yourself a bit of a break here because you can't take it on your shoulders by yourself. You need others to come on that journey with you. So that, to me, is the whole risk culture, right? The whole risk culture things. All of us, not just my team. And so trying to reinforce that, I think, will help us get that in the right journey and the right destination in the end.

Ann Johnson: I think that's great. So, David, I constantly tell people I'm a cyber optimist, and I am. I am optimistic about the current and the future of the industry, and I love to close every episode with optimism. So you have seen the challenges of cybersecurity up close for decades. What gives you hope about the next generation of cybersecurity leaders?

David Gee: The new leaders coming through are smart. The new leaders coming through are wanting to learn and learn from others, I think, which is important. They're wanting to get input, which I think is going to help them grow. But I think this whole paradigm will be completely challenging for many to be successful in. So I think there'll be definitely some self-selection around saying, "Well, this is not what I want to do. I'm going to self-select out." And so this is very Darwinian, I think, and I am optimistic. But also then realistic around thinking there will be winners and losers here, but I think if we have the, you know, sort of broader attitude to how we want to succeed and succeed with the team and help support them, because we will fall. We will fall, and we will need to catch ourselves and our teams. We can actually succeed in the long term. So it's going to take real team effort.

Ann Johnson: David, thank you so much for joining me today. I know your insights are going to bridge the practical. They're going to help people think more strategically, and they're really solid lessons for our listeners to take away, they can use to shape the next chapter of their career.

David Gee: Thank you, Ann. My pleasure.

Ann Johnson: And many thanks to our audience for tuning in. Join us next time on Afternoon Cyber Tea. [ Music ] You know, as I was thinking about guests for Afternoon Cyber Tea, David came to mind because he has been a CISO. He's written books on the topic. He's shared a lot of his experience on the topic. And I just wanted to make sure the audience could get insight from a really practical CISO perspective about what the job really is, not the technology, but the job. It's a great episode, and I know the audience will really enjoy it. [ Music ]