Episode #58 Governance, Risk and Compliance - Part 1 with Brendan Smith
“If you can get the trust of the board, you'll be able to ask them to support your vision and your strategy and provide you with the resources that you need to execute your program”
- Brendan Smith
Brendan had a vocational interest in security, across various internet technologies and cryptographic systems, prior to commencing his security career, and maintains his technical interest to this day. He has built high performing teams through authentic leadership, and continues to mentor and coach new entrants into the field, as well as supporting incubators through knowledge sharing.
Brendan's episode is so informative we are going to share it over two weeks - in part 1 we discuss security standards, compliance and engaging with the board.
Transcript
CP: Hello and welcome to The Security Collective podcast. I'm Claire Pales and today's guest is Brendan Smith. Brendan commenced his security career with a startup bank in the UK, one of the first internet only banks. However, he had a vocational interest in security across various internet technologies and cryptographic systems prior to this, and maintains his technical interest to this day. It's now supplemented by involvement in various industry standards. Prior to his most recent role as the CISO at Australia's largest wagering operator Tabcorp, Brendan worked in a variety of information security roles in the UK and Australia, including developing and leading a large managed security service practice. Recognising the importance of employee engagement and empowerment, Brendan has built high performing teams through authentic leadership, and he continues to mentor and coach new entrants into the field, as well as supporting incubators through knowledge sharing. Brendan, thank you so much for being on the podcast today.
BS: Thanks, Claire. It's great to be here. I'm really looking forward to our discussion today.
CP: I know that we've just heard a little bit about you in your bio, and in recent years you've been involved with standards, particularly focused on the ISO 27000 series. And I hear a wide range of opinions as to the value of these types of standards. And so given the level of insight that you have into this series of standards, how do you think CISOs should use these particular standards or get the most value out of them?
BS: I think it's difficult, I think there's a common misconception that ISO 27001 is some sort of a technical security standard, like NIST or something like that. When really it's not, it's a management standard, it's about how an organisation runs an Information Security Management System. And as such, it's built on the same template and intent as the other ISO standards like 9001 for Quality Management, or 14001 for Environmental Management. So it's designed to help the management of an organisation. And by that I mean the top management, executive and people like that, to use their business context, their risk, and their organisational understanding, to think about some of the why of security, not just the practical how. So how you can get from either Annex A, which is based on 27002, or from NIST. Or if you're in government, you will be using the, you know, the protective security frameworks. So those are the hows, you know, how you set up your technical policies and controls. But the ISMS is that overarching thing where we look at why we do certain things and how we're going to manage it. And for that reason, I think it's incredibly useful, because otherwise, there's a chance that the CISOs and their teams can get very quickly dragged down into the minutiae of security, the tools, the technical policy settings, you know, risk assessments, and all of that sort of thing. And while all of that needs to be done, having a management system in place that overarches the implementation provides a few really key things. It ensures that the security work is fit for purpose for the organisation. It stops key things being missed. And it provides a mechanism for the CISO to give assurance to their key stakeholders, and allows for a calm, proactive and reflective approach to security. So having that management system in place can enable all of those things to happen. And really, from a CISO's point of view, that's what you need.
One of the other key benefits is that it forces engagement up. So it strengthens the proposition that security is an organisational issue, and not just an IT issue. And I know pretty much every CISO tends to get challenged by that particular paradigm. So it supports the enterprise governance framework that the CISO will have put in place or will be putting in place. ISO 27001 does come in for a fair amount of flack. And yes, I've heard the difference of opinions as well. But really, it can be applied to any size or type of organisation because it's not really prescriptive in that sense. Initially, at Tabcorp, we used to certify a subset of systems and business units, but we continually expanded it by, you know, firstly, ensuring the whole organisation was compliant even though we only certified part of it. And then generally, extending our certification scope progressively. And what you can find is that if you're running your security operation with strong governance, risk management, strategy and technical controls, you're probably already 90% compliant. So you might as well get the credit for it, get certified. We had to address the mindset that we had BAU security on one side and certified security on the other side. And to me, that's a false dichotomy. You should have one security management system and manage your whole enterprise accordingly. And we know from the continuing morphing of ransomware attacks that we've seen recently, that lateral movement and escalation within an organisation is a key objective of cyber criminals. And you need to make sure that as much as possible, you have a common approach to security across your organisation. Now, of course, you can have different levels of technical controls, depending on the threat analysis and the value of the assets you're protecting. But you see, you must have the same governance structure, in my view. The hard part really is the documentation and the attestation.
And that's a common criticism. And everyone remembers doing 9001 Quality Management Systems back in the day, lots of processes in big lever arch files that never get looked at again, till they get dusted for the auditor. And that can be a real risk with 27001, too. So it's really important that you treat it as a framework for your BAU management system, and not as something that's just academic and esoteric. And if you do that, then I think most CISOs would find that it's actually a really useful tool for them.
CP: You were talking there about how important or how valuable these standards can be for upper management. And I know some of the key achievements in your career have been around governance and strategy, and engaging with boards and gaining their support. And I think most CISOs struggle with this in terms of getting time in front of the board. And when they do, how do they best articulate the value of the investments and the strategies that they're proposing? I've been asking a lot of people this season about board engagement and ROI, and I'm interested in your experience in engaging boards and getting them to support your vision.
BS: Yeah, I was extremely fortunate in my last role that I had a CEO and a board who really understood the value and the importance of cyber, but it was never something that I took for granted. And so I always wanted to make sure that I used that time to inform and to educate beyond, you know, the standard or the normal, you know, here's our list maturity rating, or here's our list of incidents. It's important that you include that sort of stuff in your presentation materials, of course, but the dialogue has to be broader. It has to be really up to date, and it has to be current, and more relevant. In my experience, boards are very sensitive to news cycles. So things like the Prime Minister's announcement not so long ago about the state based attacks on Australia generated a lot of interest and a lot of discussion in the board meetings. You've also got to remember that a lot of the non executive board members are on several boards, not just yours, and they're getting security briefings from your peers in different organisations, and in fact, in different sectors, and will likely, hopefully, get briefings.
You know, I've had situations where they'll come along and say, well, I've heard, you know, over at company X, I've heard that they're doing this. Or I've heard about a program, you know, the program that they're doing there. And, you know, are we doing something like that here? So, you know, you've got to be fairly aware of that as a possibility. You've got to be ready for the curveballs that come through, of course. I had a bi-annual reporting cycle. And so I had, you know, two opportunities a year really to answer those questions. You really want to try and answer all of those conversation points at the time. Sometimes, it's really hard not to get derailed and end up talking about something that, to you, seems quite immaterial. You know, I remember one meeting spending quite a lot of time talking about our antivirus software. But to a board member, it might be just crucial that they understand that you've got that particular item under control. And that may be because of the experience they've had in another organisation.
Of course, you've also got to know when to confidently state that you can't answer a question you're not able to, or can't do justice to a conversation topic in the time available, and be prepared to take that action item away and report at the next risk committee or board or whatever. Never try and bluff your way through and, even worse, you know, never not stick to the facts. If you can do that, then you can get the trust of the board and you'll be able to ask them to support your vision and your strategy and provide you with the resources that you need to execute your program. In fact, the one question I was always asked amongst, you know, everything else in all my presentations was, do you have the resources that you require? And I think that's because that's one of the, you know, the key obligations of a board, being able to make sure that they are providing the resources to manage the risk within their organisations.
If you're reporting to the CIO as I was, they'll probably be in the board meeting with you. And although the report was mine, and I delivered it, I always made sure that the CIO had reviewed it and we discussed it, and there may be other stakeholders that you should have reviewing your message as well, including perhaps, you know, your Chief Risk Officer. But one of your key advocates in the board meeting might be your Managing Director. And that was certainly my case. Because as an executive, he had a much closer and day to day understanding of our challenges and achievements than that of the other non executive directors. And for that reason, it's important to have a good working relationship with your CEO. And always, always make sure they're aware of and supportive of the message that you're going to deliver to the board too. So no surprises, even if it's bad news.
One of the most valuable things that I did was to attend the Foundations of Directorship course at the AICD. My CIO sent me on it and said, there you go, you need to go and do this so that you understand, you know, what's going on. Only a really small part of that course is dedicated to cyber, which is, you know, a bit damaging to the ego, I guess. But the real value to a technology professional and general manager is to hear how board directors think and what's important to them. And in particular, the discussions on risk and fiduciary responsibility meant that I actually went back to my desk and ripped up my previous board paper templates. You know, looked at them with some embarrassment, really, and restructured them in a way that would ensure that I was giving the board the information that they needed to feel comfortable with our program.
CP: There's so much in what you just said that I'm not nodding violently in agreement with. The key thing for me around resourcing is that it's great that they're asking you if you've got enough resources, and then I guess it's down to the CISO to make sure that, you know, are those resources inside their organisation? Are they using third parties? You know, I think from the board's perspective, they probably don't mind what the operating model is, as long as you feel a level of comfort that you've got the capabilities to service the organisation, no matter how you kind of put that together. And the other comment I wanted to make was, you know, one of the key things I took out of what you just said was that building trust with the board is absolutely imperative. And you do that through regular conversations and through progress, you know, delivering on what you've said you're going to deliver.
The second one was around coming to the board with a united front. So having that conversation with the CIO before you get into the room, having a conversation with the MD or the CEO before you get in the room. You know, so that you're all on the same page. And there's a lot of work that goes into board papers, it's not just write the paper, turn up on the day. There's got to be those kind of pre-meeting meetings that allow you to all go in thinking, okay, we know what the message is here, because the ask is X and we want to make sure that we're all in agreement, you know, before we get in front of the decision makers.
And then the last thing I loved about what you said was to educate yourself. So I've also done, I haven't done the Foundations course at AICD, I've done the Directors course, for the same reason. I went to do it not because I want to be a director, but because I wanted to understand how they think and what, I guess, their duties are. And yes, cyber is a very small component, which is probably a conversation for another day. But it really helped me to understand and shaped my thinking. So when I talk to boards, I know what they're prioritising. And that's what I took out of the course. And you know, as a CISO, to be board ready means educating yourself and doing courses like that. You can do any course, but investing your time and money in a course like that is absolutely key.
BS: Yeah. And to me, it was a real eye opener, that course, you know, and I had met with, you know, board directors before. But doing that course really, you know, showed me exactly what was important and how they were thinking, and it was a completely different way of thinking to what I'd been used to coming up through an IT organisation. And your point about the effort that goes into board packs is valid. You can spend weeks and weeks and weeks on a 10 slide board pack. It is very time consuming to actually build it in a way that you are giving exactly the right information at the right level, and, you know, my CIOs have given me a lot of guidance in that. And I'm fortunate to have had some really great CIOs that I've been working with over the years. You know, Mandy Ross, Kim Wenn. You know, giving them the pack, and then having them actually tune it for me and teach me as well what goes into it. The slight challenge with that is, of course, that, you know, it gets finished, and then it goes to the executive committee, and then it might go to legal, and then it goes to the company secretary to review. And so the lead time can be quite long. So by the time it actually gets to the board meeting, you know, the pack's probably four to six weeks old from completion. And that's why, you know, in the dialogue, you need to be ready to actually talk about, well, you know, what actually happened two weeks ago with, you know, company Y going down with ransomware, or whatever else it is, you know. So you've got to be prepared to be agile and not just rely on thinking you can go in there and read through your slides.
CP: Yes, don't go in there and read through the slides.
BS: No!
CP: In part 2 of my chat with Brendan Smith, we talk through his career and his long tenure at a number of organisations and what that has done for his career. And we also talk about the cultural change programs that he has run at a number of organisations and some of the massive tips he's had, and Brendan shares his tips with us. Make sure you tune in next week for part 2 of my chat with Brendan Smith.