Steve Gentry: Why CISOs Need to Drop the Chicken Little Mentality & Focus on Being Business Leaders

With all the potential threats to your organization, it’s easy to fall victim to the Chicken Little mentality. But expounding “the sky is falling” only drives you further from your security goals. That’s why seasoned Chief Information Security Officer Steve Gentry believes security leaders must be business leaders first. In this episode, Steve explains this philosophy, the importance of data over opinions, and how to drive efficiency across your organization with SaaS.

Episode Summary

Being a good CISO requires more than just ticking off the standard job description. According to CISO Steve Gentry, the role demands business savvy and a focus on strategic operations. 

“One of my frustrations and where I am on my crusade is to champion the CISO as an actual business leader… It’s not about technology. It’s not about we’ve got to get these vulnerabilities remediated. It’s how do we build a business and a practice that matches what the business objectives are that we’re driving along with the business leaders?”

Over his career, Steve relied on various data sources and tools, recognizing their crucial role in a company’s success. Steve emphasized the need for executives to embrace data-driven decision-making, saying that “to drive alignment, you can’t just use your feelings.”

Steve’s mission is to champion the CISO as a true business leader, shifting the mindset from a “Chicken Little” approach to one focused on business outcomes and objectives. By aligning security practices with the goals of the business, CISOs and CIOs can be seen as valuable contributors to their organization’s success.

Guest Spotlight

Name: Steve Gentry
What he does: Former Chief Information Security Officer at Clari
Connect with Steve online: LinkedIn

Episode Highlights

Business Savvy Is Non-Negotiable for Chief Information Security Officers

“One of my frustrations and where I am on my crusade is to champion the CISO as an actual business leader. We still have that mindset. Even a job description recently, they’re like, we need doers. We need to expect you to be writing out code. Well, am I a CISO or am I an individual contributor? What are you looking for in that role? What do you want? Did you ask your CFO for a company your size if he’s actually doing order management? Where is that line that we have being that shift? So how do I build that reputation? One of them, I need to stop having that Chicken Little approach that you see in a lot of security roles. It’s that FUD we lead with, the sky is falling, everything’s a risk. We got to get this done… that mindset that I picked up as a consultant, which was great, I hear what you’re trying to say. Let’s walk back and find out what your business objective is… I’ve taken that mindset into security. It’s not about technology. It’s not about we’ve got to get these vulnerabilities remediated. It’s how do we build a business and a practice that matches what the business objectives are that we’re driving along with the business leaders? So it’s how do I not have that same mentality and get the CISOs and CIOs of the world to be seen as business leaders? Because we’re talking about the things that matter to a business, and not just about our own individual practice that people really don’t understand a lot of the context too.”

Data Talks, Drives Executive Alignment

“Some people hear it, see I know what I’m talking about. The data that I have is greater than your opinion. But I also like to look at it introspectively, because as we’re looking through our processes, as I’m trying to manage all of the SaaS applications in an organization, as I’m looking at the security, it’s like, okay, if I want to manage risk, because ultimately all risk, whether it’s security, whether it’s people, whether it’s industry, all of it is enterprise risk management. So how am I taking that data and getting rid of my own ignorance? We all have ignorance. It’s whether or not we’re taking the steps to remove that ignorance.”

“We all can have these thoughts about this is why I think we’ve got too many applications or I think we’re overspread here. But to drive alignment, you can’t just use your feelings. If you’ve got your CIO, your CISO coming to you and saying, ‘well, I think this is a problem.’ It’s like, great, I’m glad that you think that. Prove it to me. It’s the trust but verify. I think you’re a smart person, but show me why you think that’s really a problem. Don’t just tell me that it is.”

Clear Data Architecture Improves Security Posture, Efficiency and Achievement of Business Goals

“I’m looking at three different sources just for our applications and none of them match up. Nobody knows exactly what that source of truth is. And so as we’re going through that process, so for me, the security risk of not even knowing where we may have critical data, and the applications and assets I’m trying to protect, and I’m being held responsible to protect, gives me a lot of angst. So if I’m to do my job well, I need to understand our architecture. I need to understand what our footprint is. So how am I driving that? And by doing so, again, it goes back to what we first talked about, what are our corporate objectives? What is it we’re trying to accomplish as a company? Skip my own goals. What is it that the three to five things that the executive team has laid out of this is where the company is going, this is what we’re trying to accomplish. If everything else goes away, these are the things that we need to get taken care of. Based on that, what is the work that I’m doing that aligns to that work? And then how am I protecting or how am I helping drive better efficiency in the processes by getting people the access to the data they need, when they need it, wherever they need it. Especially as we have a lot of beyond port models or hybrid models. How are we enabling the business to actually meet their objectives, but also securing that data that we’ve got out there? So for me as a security professional, as an IT professional, and I do separate IT and security out as two different skill sets, that’s part of my job. But doing so, it has to be done in a way that lines up with what the business is trying to accomplish.” 

Software Onboarding and Offboarding Is A Big Opportunity for Efficiency

“Onboarding and offboarding is one of them. It’s something we get audited against. It’s one of those things that when people have accesses for too long, it’s a big risk factor. If you have someone that’s pissed off after an exit from the company, and if we’re not getting rid of their accesses. But ultimately as we’ve gone to a more distributed model out there for organizations and these other teams are responsible for access management, this is where it goes in the shared responsibility model. You guys can do the administration of your new tool. You need to build new workflows. You need NetSuite to do something specific. Fantastic. Go ahead. Let us handle the identity management portion of it. Let us handle these aspects and show you as it ties back. One, because it makes the audits better, which when you’re in a SaaS application, those audits are used as part of the customer due diligence. So it involves the sales process. You don’t want anything to slow down that sales process and show up on the audit report. So what are those things that we’re doing that are inaudible? So onboarding and offboarding is one of those things.”

Spreadsheets Set You Up to Fail at SaaS Management

“As the chief customer officer, if you were looking at NPS scores and you send out these things, but you just do them once and okay, that’s it. Wait, we got our NPS score. That’s what we’re going to base everything off of for the next 10 years. It’s a regular process. When we’re having these conversations and we’re talking about our application, SaaS companies in particular have a tendency to be very fluid organizations. But companies, even some of your more traditional shops, if you start going into healthcare or financial services, they still are doing a regular purchasing process. They may be more rigid about it, but for SaaS applications, most companies in general are pretty fast flowing. You build that spreadsheet out, it is going to be incorrect and inaccurate before you’re done even collecting all the data. Some vendors going to be offboarded before two days after you got the data from finance. So they’ve already taken out the system and now you’re trying to track down an owner and then by the time you do that, three weeks later they’re like no, we got rid of that app. And you spent three weeks of time.”

Third-Party Risk Is about Risk Governance, Not Security Questionnaires

“How most companies are running third party risk management is security theater. Plain and simple. It’s all about have I reviewed that they have a SOC 2, have I checked that their financials are solid? That they’re going to be a vendor that’s going to be around? That is not third party risk. That is you have taken a point in time data that there’s no clear context behind it. So when I look at security third party risk management, it’s how is this vendor playing into my overall risk as a company? Do they have confidential data? Is it customer data? Is it internal data? And if it is internal external data, how am I protecting that information? Even if it’s a SaaS product, what am I doing? Is it behind multi-factor authentication? Am I using any type of security keys to protect this? Do I have it white-listed so it can only be accessed through a ZTNA tool? A zero trust network access tool. Or a VPN? How am I protecting it?”

“Because ultimately when people think of third party risk management, they’re thinking about the security questionnaires. I have had security questionnaires that were up to 800 questions. Literally 891 is my largest questionnaire that was sent to me and I sent it back and said, there’s not a chance in hell I’m filling this out… Why are we spending all of our time and effort on part of the process that has no bearing on our internal company because we have no control over it? And what are we doing on the things that we can control?… This is where third party risk management needs to go back to that data governance. What are those things that we care about and what are we doing about it? What’s our responsibility versus what the SaaS company’s going to do? I can’t do anything to change Zylo’s security program, but I’m still going to use you as a vendor and I’m going to put my gates and controls around it to make sure that I’m keeping myself as protected as I can.”

Start with Small Steps, Starting a SaaS Management Program Takes Time

“If you’re going to take the time to set up something like Zylo, are you using the data out of it? Because we get caught up in finding the next… We’re like crows. What’s the next new shiny that I can find and bring back? And it’s like, no, no. How do we stay focused? And I know I’m talking about being diligent of trying to pay attention all the time, but there’s also that you’re trying to look out here while still focusing on this, as you’re doing these different things. And so it’s how do you stay focused on the data that you’ve got and using the tools that you’ve got and using the insights that you’ve got out of these tools. Zylo is giving you this information that says you have this redundancy. What are you doing with it? How are we going and providing that data? How are we driving that efficiency? Instead of just saying, ” Oh, great, I got a report, I can tell you, but have you done anything with it?” And I know it takes time. And this is what I want to set expectations of people. With any tool that you set up as you’re going through an environment, you’ve got to go through that process. You’re going to refine that data. Whether you’re talking about setting up a GRC tool, you don’t go turn it on and add in all of your compliance things at the first. You go through like, we’re going to add our SOC 2, we’re going to add our ISO 27001, we’re going to add PCA. And you do it in steps. As you’re taking that data, it’s the same thing. Okay, we’ve implemented a SaaS management tool. Here’s the first milestone that I want. And so it’s not just about the implementation.”

Top Quotes

6:14 – “My crusade is to champion the CISO as an actual business leader.”

16:47 – “If I’m to do my job well, I need to understand our architecture. I need to understand what our footprint is.”

19:15 – “Show me why you think that’s really a problem. Don’t just tell me that it is.”

27:49 – “You build that spreadsheet out, it is going to be incorrect and inaccurate before you’re done even collecting all the data.”

31:36 – “How most companies are running third party risk management is security theater.”

43:25 – “If you’re coming in and you start pulling your Chicken Little shit, you’re going back to the kid’s table. Everything is not a risk.”