Michael Oberlaender joins host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. Michael is a globally recognized thought leader, author, publisher, and speaker. With three decades of IT experience—two of those decades in full-time security leadership roles—Michael is an expert at aligning security to business goals. Michael’s new book, GLOBAL CISO - STRATEGY, TACTICS, & LEADERSHIP: How to Succeed in InfoSec and CyberSecurity, was published in February 2020.
Michael and George discuss the motivation behind the new book. There are plenty of books on programming, coding, security operations, and other IT topics. Michael saw a need for true leadership books that told the holistic IT leadership story from beginning to end. The book offers a new perspective to a market that is experiencing mega breach desensitization and discusses the global landscape of cyber security.
Michael wrote the book for aspiring leaders, security professionals, students, and people from other professions who want to engage with a CSO. The book took five years for him to pen. Michael reflects on the process by confessing, “It is indeed a lot of work. I started working on this book in 2015, and then leveraged the new breaches like Yahoo … new attacks, new regulations like GDPR, CCPA, CSL, and new technologies such as Cloud and IoT, for example.”
George asks Michael if he enlisted coauthors to help with the book, to which the answer is no. “I think if you want to provide your insights, your lessons learned and your expertise and your own viewpoint on how these things work and what should be done, I don't think that I wanted it to be filtered by others for either political correctness or, hey, this is not by the book or not in my experience. Now, this book is 100% pure me, clean and simple and direct to the bone and no BS.”
Next, Michael details the book-writing process, which took place in between his day-job duties—including evenings and weekends.
Michael’s first book, C(I)SO - And Now What?: How to Successfully Build Security by Design, was published with good reception in 2013. However, his goal with the new book is to:
Further, Michael explains, “The first [book] is an executive summary, so to speak, while the new one is the flesh to the skeleton, but they are both written completely independent from each other. They both provide great value in different viewpoints and both prepare you for a successful Global CISO role.”
The book provides a CSO roadmap that includes strategy, tactics, and how to structure technology.
Michael goes on to explain that few organizations have a solid security strategy. His “security by design” involves robust architecture solutions and coding guidelines. In fact, his strategy is so solid that it is still effectively in play at the global entities Michael adapted solutions for throughout his career.
While the solutions aren’t cheap, Michael poses the question, “Do you want to pay now or later? And let me assure you, it's way smarter to spend now in a controlled fashion with the strategic and tactical approach that takes the necessary steps and requirements into account. [Otherwise] you have to react or respond to a major crisis and do your design then. It is likely way more expensive, more stressful, and probably not as secure and robust.”
Still, he knows security strategy adoption isn’t always a common goal across the C-suite. Several chapters in his book are devoted to how to effectively communicate with decision-makers and executives, offering tips on finding various solution paths and when not to take “no” for an answer. Michael then briefly walks through his career path, highlighting the unique opportunities he took advantage of along the way.
Building a solution and convincing the C-suite to implement it take two different skill sets. Michael explains each side before offering advice on how to approach executives. Discussing profit opportunities and what happens if a breach hits the media are two suggested strategies. Additionally, CSOs must directly report to the CEO in order to be most effective.
“If you focus on the technical side alone, you'll not only solve at best, a very limited subset of the issue, but you lack the full and complete business side. And how about contract security or compliance or third-party risk and mergers, acquisitions, divestitures? How about competitive advantage that a secure and well-managed company can reap rewards for? It's a lesson learned over decades of experience. Security is the chief subject at the CEO, CFO, CRO or CLO and board level. And so the CSO or CISO needs to have the seat at the same table.”
Michael uses prolific, infamous breaches in his book to demonstrate what went wrong and what would have been a better security solution. One of the tips he offers is to know your adversary. In order to beat an enemy, you must know their strategies and methods.
When planning isn’t done during the regular course of business, it’s not just the enterprise that suffers. Public money bailouts affect us all, and Michael laments the brokenness of the system and how regrettable it is that we’re not learning from the past and are doomed to repeat the same mistakes over and over again.
“I think companies and organizations were ill prepared to this pandemic and would be ill prepared to any other major risk in the same way, shape or form. They have not done the detailed planning and the full analysis and the preparedness testing, otherwise they would not have to scramble to get it done now under immense time pressure and with their back to the wall.”
As the podcast comes to a close, George and Michael explore the future of cyber security and discuss the issues that block its effectiveness today. While there are promising technologies on the horizon, such as AI and ML, a security strategy doesn’t work unless a cultural shift is made. Michael doesn’t mince words when musing over the greed and shortsightedness of today’s corporations.
“Unless we change the incentives for the corporate executives and the boards by setting cybersecurity goals and objectives for their bonuses … we will see an endless cat and mouse game that favors the attackers by design. That's the issue.”