
Security Profiles of the CISO Vanessa Pegueros – DocuSign

DOCUSIGN CONFIDENTIAL 1


CISO – Step Child C-level

Putting ego aside for a moment….
§ Is it really an effective title?
§ What other C-level has such a questionable level of authority?
§ No common definition of role across companies
§ Span of control is variable
§ Control of budget is indirect
§ Does the title help us accomplish our mission?


With Title Comes Authority… It Depends

Traditional “C” level titles
§ CIO
§ CTO
§ COO
§ CFO

Non “C” title but accountable to CEO
§ HR
§ Marketing
§ Sales
§ Legal

Newer “C” titles
§ CPO
§ CMO
§ CRO
§ CISO

Real authority and legitimacy come from a direct tie to revenue or to controlling cost


Our function sits on uneven ground

§ The CISO primarily deals with an unquantifiable topic: risk
§ It is difficult to prove the value of something unquantifiable
§ Risk will never be quantified in a universal way because it is personal
  § Everyone feels differently about risk
  § The feelings are unique to each individual
§ Our effectiveness is totally dependent on the culture and the company


Different Companies Want Different Things

§ Small company – The all-in-one CISO – “I want a CISO who can talk to the Board and program our firewall”
§ High growth company where security matters – The agile CISO – “I want someone to go sell security, we just assume you’ll take care of the rest”
§ High growth company where security doesn’t matter – The necessary but evil CISO – “Just get us PCI compliance and we don’t want to see you anymore”
§ The large slow growth regulated company – The auditor front person – “Just get us through the audit”
§ The company in decline or recently breached – The expendable CISO – “We just need someone to fire when it goes bad”


You must understand the culture of the company you are working for


CISO Skills Demanded Have Changed Over Time

[Timeline figure; only its labels survive extraction]
Timeline: 1990s, 2002, 2005, 2007, 2009, 2011, 2012, Future
Skill Defining Factors: Customer awareness relative to security grows; SOX; PCI; Advanced Hacking; iPhone; Heartland; TJ Max; Distributed Computing; Stuxnet; DDoS against FIs
CISO Skills Needed: Technical; Compliance; Sales; Law Enforcement; Enforcer; Public Relations; Risk Management?; Business Enablement


CISO Profiles

§ The Tech CISO
§ The Compliance CISO
§ The Conference Circuit CISO
§ The Sales CISO
§ The Law Enforcement/FBI/Secret Service CISO


The Tech CISO

§ Was an engineer and still likes to get his/her “hands dirty” with tech details
§ Wins the battles with technical acumen
§ Stays out of the public eye
§ Doesn’t quite understand why the business doesn’t support the very important security initiatives
§ Feels as though most in the company just “don’t get it”


The Compliance (Risk) CISO

§ Typically a non-technical background
§ Tends to like to follow the rules: “you are breaking the policy”
§ Wins battles based on process and the threat of non-compliance
§ “That’s not in the policy, I have no idea what to do”


The Conference Circuit CISO

§ Makes as many speeches as possible
§ Gets on as many advisory boards as possible
§ Great speaker and presenter; nice suits and haircut; always sounds very impressive
§ Doesn’t really engage in battles
§ Self-promotion is a very important factor
§ Doesn’t have time to actually manage their team/function


The Sales CISO

§ Spends most of their time with customers
§ May or may not understand security
§ Talks at customer conferences
§ Obsessed with closing the deal
§ Wins battles by saying, “the customer wants it”
§ Also doesn’t have time to manage the team


The Law Enforcement/FBI/Secret Service CISO

§ Former Law Enforcement/FBI/Secret Service
§ Has a double life filled with intrigue and mystery
§ Is exciting to the C level
§ Creates instant cred with customers
§ Not as technical as people assume
§ Wins battles out of fear that the opponent may “disappear”


A New Model

§ The CISO is not a title, it is a function and requires multiple people
§ The functions are equally relevant to accomplishing the larger goals
§ Currently no good org model to accommodate this challenge, and the title does not help
§ CSO and CISO titles may become more common in a single org
§ Must figure out how to contribute to revenue


Cloud Providers Need all kinds of Security

§ Sales is driving credibility to the Security team
§ Having the cool law enforcement leader only helps
§ Compliance is a differentiator among competitors
§ Attending conferences is the marketing arm of Security
§ Technically executing is necessary to deal with the real security threat landscape


Recommendations

§ Understand who you are and what you are good at
§ Be brutally honest
§ Categorize your company: growth level, importance of security
§ Understand what your company wants from you; if it is not a match, move on
§ Always have a plan B ready; you could be fired at any moment, whether at fault or not
