Is Our Understanding of who Owns Risk Driving CISOs to the Edge?


In this episode of The New CISO Podcast, host Steve Moore and guest Gary Hayslip discuss the difficulties veterans face when transitioning to the business world. They also talk about how to remedy security failings, and how risk ownership affects CISOs mentally and physically.

A Challenging Transition for Military Personnel

After serving in the military for however many years, enlisted personnel receive one class on how to transition to civilian life. While the class teaches how to format a resume, it doesn’t provide the amount of support military personnel need to adjust to a new lifestyle.

When you are in the military, everything is organized and planned out for you, from your day, to your week, to your month, to your year. You always understand what you need to do, and what path to follow.

When that type of strict structure falls away after duty, many veterans feel lost. They enter a new world filled with uncertainty. Suddenly, nothing is planned out for them; they don’t even know what they’re doing in the next hour.

Overcoming Fears

To overcome this anxiety, Hayslip stresses that you must begin planning your civilian life while still on your tour, and not only in the last six months of your time. He suggests planning civilian life as early as two years ahead. If you start early, you leave room for any road bumps you may encounter.

Moore and Hayslip recognize that this transition is a period of intense personal and professional growth. Oftentimes, vets can feel helpless, wondering how they will provide for their families. Hayslip suggests that military personnel can rely on what they already know: community and mission.

On today’s episode we discuss what Hayslip means by discovering a new community, one that connects veterans to a broader purpose and to others. We also talk about finding a new mission, and how this can help transitioning vets find themselves again.

How Non-vet Employers Can Help

As a non-veteran, Moore asks how employers can help their recently hired veteran employees. Hayslip suggests that veterans need guidance, but also a level of flexibility: military personnel need to understand how much room they have to move. We deliberate on the nuances of steering veteran employees, and how to communicate the level of risk they are allowed to take.

The AAR Process

Broadening the topic from veterans to cybersecurity companies in general, we discuss the proper and most effective way to run an AAR (after action review).

Hayslip emphasizes constant documentation and stresses that an AAR needs to be information- and solution-focused. This means including as much data and documentation as possible.

In addition to data and documentation, Hayslip advocates for providing opinion and experience. If you explain why you made a specific decision based on previous experience, the team leader has better context for what happened and can focus on why your decision worked one time and not another.

What Doesn’t Work for AARs

However, we believe that the AAR process sometimes becomes muddled.

Hayslip points out that when blame enters the equation, the AAR becomes ineffective. If one group in particular is blamed, then no one learns what actually happened, and people shy away from honesty. Moore highlights how bad leadership uses an AAR as a weapon against employees, which only breeds mistrust and inefficiency.

Hayslip offers his solutions for combating a toxic environment around an AAR, such as breaking the teams down into small groups and facilitating self-reflection. In this episode, he dives into why this strategy works and how best to remove blame from the situation.

A Mission vs. a Mission Statement

We also touch on what we believe is the difference between a company’s mission and its sometimes corporate-sounding mission statement.

Hayslip acknowledges that a mission statement is an attempt to get different groups of people focused in the same direction. But does a bland, emotionless statement do the trick? Not always. He points to focusing on purpose: what is the purpose of this company, other than to survive? He challenges businesses to set aside their financial goals for a moment and ask themselves what their purpose is. What does their product do for society? As your company evolves, your mission statement should evolve to reflect that change.

Hayslip also proposes a way to structure mission statements with subsets, such as an action statement. He delves into why multiple statements help clarify the goals of each team and of the overall company. Listen to the episode to hear the additional statements!

Inclusive Culture

Facilitating a more inclusive work culture in companies and cybersecurity teams can only benefit everyone involved. Hayslip offers ideas such as a “Lunch and Learn” or visiting other departments in order to give more visibility to all parts of a company. Listen on to discover how these events helped bridge relationships with other teams, how inclusivity relates to the mission statement, and what came of it.

Risk Ownership

Towards the end of the episode, we touch on how the idea of risk ownership affects CISOs mentally and physically.

Moore and Hayslip ask the question: who owns the risk? Many CISOs feel the responsibility falls solely on their shoulders, leading to high stress levels and a high burnout rate. Hayslip jokes that the pressure could give you an ulcer, and it has for some leaders. However, risk is also made up of many things that those leaders cannot control. While the lack of control exacerbates the stress for CISOs, it’s also important to understand that if you can’t control everything, then the risk is not all on you. As Hayslip says, risk ownership belongs to the whole company.

The Essential Guide to Cyber Security for SMBs

Lastly, Moore mentions Hayslip’s recent book, The Essential Guide to Cyber Security for SMBs. In the book, he covers how many SMBs believe they don’t need cybersecurity because they think they are too small. However, Hayslip puts forth that if you are on the internet, you are a target, and SMBs especially so. Check out his book to find out why!


Exabeam: Website

New CISO Podcast

Steve Moore - Linkedin

Gary Hayslip - LinkedIn

The Essential Guide to Cybersecurity for SMBs

CISO Desk Reference Guides