Cybersecurity leaders need to understand complex cybersecurity principles. They should know the risks, the attacks, and how to mitigate them. But they should also know how to communicate cybersecurity principles to business leaders in a way that the C-suite can understand.
Kyriakos “Rock” Lambros, owner of RockCyber, based in Denver, understands both of these seemingly competing ideas and how to merge the two. That’s why he and his friend, Matthew K. Sharp, wrote the book: “The CISO Evolution: Business Knowledge for Cybersecurity Executives.” Sharp and Lambros both have MBA degrees and work in cybersecurity. During the pandemic lockdown, they worked together to complete this passion project, and the book that emerged was published in January 2022.
“To be a successful cybersecurity leader, you do not need to invest $60,000 to $100,000 or whatever on an MBA. Let us take what we’ve learned in both of our different MBA programs, combine that with our 40 years of combined experience in the industry, and distill the information down for somebody looking to grow into the industry or even for existing executives – how to be successful as a cybersecurity leader and the how-to of connecting with the business,” Lambros said.
The book fills a gap that Lambros and Sharp saw in industry knowledge.
“Another reason why we decided to write the book is we see a lot of people talk about speaking the language of the business to align with the business. There are a lot of books out there that talk about it, but don’t really provide the ‘how,’ and we hope we’ve bridged that gap in this book,” Lambros said.
So far, the book is doing well, he said. “I mean, you don’t write a cybersecurity book to become J.K. Rowling. It’s not about the money. It’s getting our knowledge out to the industry.”
Being a cybersecurity leader and communicating with business leadership is an ongoing challenge in the industry. Cybersecurity leaders don’t want to sound like Chicken Little, constantly screaming to business leadership that the sky is falling. “What level of information do you present to leadership?” he said. “Because you can’t walk in there and say, ‘Hey, you know we have 137,619 vulnerabilities on the network. And 20,605 of them are high.’ That just doesn’t fly, right? It might be a great operational metric, but it is not a good managerial leadership metric.”
And expecting business leadership to understand tech jargon is just not a good approach, he added. “I was raised in a bilingual household. I left around 1999-2000. My Greek has gone downhill,” Lambros said. “My mom’s English has gone downhill. And now we communicate in this weird, like, Grenglish, but ultimately, she was born and raised in Greece. Greek’s her primary language. I, however, am bilingual. It’s my responsibility to bring my Greek back up to a level to communicate with her, not the other way around. The same for cybersecurity professionals. You’ve got CEOs who have been doing this for 30, 40 years, and they come from a financial background. Well, they’re not gonna learn techno-jargon. They’re just not.”
So, cybersecurity pros need to meet CEOs at their level.
Lambros is a big believer that cybersecurity needs to avoid being the “department of ‘no’.” When a business comes up with a new idea or plan, the cybersecurity department is usually the first to give reasons it can’t be done, or it slows the process down significantly. Lambros believes that cybersecurity can work with the business to find a way toward “yes.”
“The business is like, ‘Hey, we’re gonna move on without you because, you know, this $10 million contract over here isn’t gonna wait for your bureaucracy to be put into place.’ And more and more the cybersecurity industry says, ‘We don’t have a seat at the table. The business isn’t listening to us,’ that sort of thing,” Lambros said. “Ferrari didn’t put high-end brakes on their cars to slow you down; they put high-end brakes on your car to allow you to drive really fast, safely.”
DevSecOps is one way to get cybersecurity built in sooner, but Lambros doesn’t buy into the jargon. “You can call it whatever code word you want to, but DevOps requires a certain level of business maturity.” Since RockCyber mostly works with smaller businesses, Lambros doesn’t see DevSecOps that often, but he agrees with the concept of injecting security into the product as early as possible, making sure it is safe for users and the organization. “The closer you kind of get to the source, the better.”