William (Bil) Harmer

It used to be a CISO had to know programming, network architecture, and how to read a vendor contract.

Now understanding the goals of senior executives is the key skill, IT managers have been told.

“If CISOs can learn one thing, it’s empathy,” Bil Harmer, chief evangelist and CISO at SecureAuth said during a panel Monday, on the first day of the CISO Forum Canada 2021 conference.

“Learn what the startup is thinking, what the CIO is thinking, what the finance guy is thinking, what the CEO is thinking. You want to know what they’re thinking and why they are thinking,” he said. “And then you can put their wants in your world.”

Harmer was a member of a panel asking whether the CISO today is a technical leader or compliance expert.

Panelists agreed the days of the CISO as strictly a technical leader are gone.

“It’s a business role,” agreed Harmer. But he added, don’t discount the importance of the ability to translate the technical to the business side. “That probably one of our key aspects — how do we talk to the business about what we’re doing.”

For some INFOSEC leaders years ago “security was purity. It was a higher level, almost religious experience — ‘We’re going to have perfect security — and we became very closed. Now we have to open up and understand the business.”

“We have to compromise in what we deliver,” he admitted. “If it [security] is too expensive, it’s not good for the business. If it’s not usable people go around it.”

Risk and enabling business will always be at odds with each other, he added. “You’re always pushing the business. No one wants to spend more money building a product than they have to. Look at startups. Startups aren’t going to put money into security [in their products], simply because there is no product yet to deliver, no customer, no product stream. So why are they going to put it in? So how do you balance the risk? By building the hooks [in the product for security] on the premise that you will be successful.

“I tell startups if you’re not at least building the hooks and the fundamental basis for a good solid security program in your product, you’re telling investors you do not expect to succeed. That turns it around.”

The fight between minimizing security risk, meeting compliance obligations and helping the business is never-ending, said Pinsky. “My job is a facilitator.” The business wants to push a product or service out, but IT’s job is to remind others there are PCI, ISO or NIST requirements to be met. “Then it’s our job to pull in the right stakeholders from around the organization and ensure we maintain that — but at the same time allow the business to push itself forward … It’s a lot of educating different areas of the organization, helping them understand the business must keep moving forward but the other pieces are balanced.”

As for who the CISO should report to, there was no disagreement: Only to the CEO.

“When you report to a CIO there’s a massive conflict of interest,” Harmer argued, because the CISO reports on the gaps in the infrastructure — which the CIO designs. That criticism (or honesty) “will always affect you come compensation or bonus time. Even in your career path,” he said.

One last observation: Harmer noted that for some CIOs, designing an organization’s infrastructure has become easier as more applications move into the cloud. As a result, they’re changing careers.

As for who the CISO should report to, there was no disagreement: Only to the CEO.

“When you report to a CIO there’s a massive conflict of interest,” Harmer argued, because the CISO reports on the gaps in the infrastructure — which the CIO designs. That criticism (or honesty) “will always affect you come compensation or bonus time. Even in your career path,” he said.

One last observation: Harmer noted that for some CIOs, designing an organization’s infrastructure has become easier as more applications move into the cloud. As a result, they’re changing careers.

They’re becoming CISOs.

https://www.itworldcanada.com/article/empathy-is-now-a-key-skill-of-a-ciso-conference-told/464447

"There was so much chaos during the first few months of the lockdown that every CISO will need to go back and review all of the access and changes that happened," said Bil Harmer, who is the chief information security officer (CISO) and chief evangelist at computer identity security software maker SecureAuth.

"When there is chaos and change, the threat actors will be there looking for ways in."

He predicted that companies "will begin putting more and more focus on digital identities and a continuous authentication methodology that will allow them to adjust access on the fly as the landscape or the user behavior changes."

Bil Harmer, chief information security officer/chief evangelist, SucreAuth in Irvine.

"The hybrid model will not go away, there is far too much upside for companies in it.  From 48 extra minutes per day per employee in productivity to reduced footprints in the office (desks, power, coffee, etc), this is a model that will continue.

"Companies will begin moving to Secure Identity as the first line of defense.  They will begin putting more and more focus on digital identities and a continuous authentication methodology that will allow them to adjust access on the fly as the landscape or the user behavior changes.

"This will allow the user to move around the physical world and have their authentication and authorization adjust as they do to keep them within the acceptable risk profile." 

In the gunslingin' world of cybersecurity, there are threats everywhere. It can sometimes feel as dangerous to run a modern business as it was to run a saloon in the shadiest part of the Wild West.

Actually, the parallels between the cowboy days and modern cybersecurity issues are aplenty — and one need look no further for proof of that than HBO's standout series Westworld. 

 Article published on Tuesday October 22, 2019 in Belfast Telegraph, UK.

Tech supremo Bil Harmer keeps a treasured photograph of an east Belfast terrace.  it shows four generations of his family, each standing in front of the same wall of the house at Moorfield Street where his father was born.

This week he'll be paying his regular visit to his dad William's old home when he returns to Belfast as one of the keynote speakers at Big Data Belfast.

READ MORE