Why do C-suites instinctively fire the CISO when a breach happens?
Today on Cyber Work, Jonathan Gill, CEO of Panaseer, joins me to talk about the stress-filled role of the Chief Information Security Officer. Jonathan notes that the most challenging part of a CISO’s role, especially the CISO of a large, complex company, is the lack of full view of the organization’s assets and points of vulnerability. Jonathan tells us how Panaseer is working to create a trusted and validated system of record to ensure accurate and good faith recording of actions, strategies, and decisions to accept or mitigate business risks. All this, and a discussion of the CISO as one of the story-makers in the C-suite, today on Cyber Work!
0:00 - Firing CISOs after cybersecurity breaches
4:23 - First interest in cybersecurity and tech
7:41 - Working with cybersecurity leaders across the world
11:17 - International sales work
19:12 - Stave off burnout as a CISO
28:20 - Notion of asset detection
32:06 - Culture of sacking CISOs
43:06 - Better CISO involvement
49:09 - Cybersecurity career mapping strategies
57:13 - Learn more about Jonathan Gill and Panaseer
59:09 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Transcript
Chris Sienko:
CyberWork and InfoSec would like to introduce you to our new Cybersecurity Beginner Immersive Boot Camps. They're designed to help you gain and enhance your expertise in the cybersecurity field. Join our live interactive virtual classes led by InfoSec's highly skilled instructors, who will guide you through the material and provide real-time support. And, as part of InfoSec's Immersives training, each student will have access to career coaching aimed at helping them start or switch to the cybersecurity field. You heard that right. We aren't here to just teach you the concept of what a security professional does. We want to prepare you to enter the job market with a competitive edge in six months' time. Now I've told you about InfoSec certification boot camps, and if you're trying to hit your next career target and need a certification to do it, that's still your best bet. But if you're an entry-level cybersecurity professional or want to be, or you're switching your career and want to experience a career transformation, InfoSec's Immersive Boot Camps are designed to make you job-ready in six months. To learn more, go to infosecinstitute.com/cyberwork, all one word, C-Y-B-E-R-W-O-R-K, and learn more about this exciting new way to immerse yourself in learning with InfoSec.
Chris Sienko:
Now let's begin the show. Today on Cyber Work, Jonathan Gill, the CEO of Panaseer, joins me to talk about the stress-filled role of the Chief Information Security Officer. Jonathan notes that the most challenging part of a CISO's role, especially the CISO of a large, complex company, is the lack of full view of the organization's assets and points of vulnerability. Jonathan tells us how Panaseer is working to create a trusted and validated system of record to ensure accurate and good-faith recording of actions, strategies and decisions to accept or mitigate business risks. All this, and a discussion of the CISO as one of the story makers in the C-suite, today on CyberWork.
Chris Sienko:
Hello and welcome to this week's episode of the CyberWork podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals. We'll also leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Jonathan Gill, became CEO of Panaseer in 2021 after a successful career at both niche startups and large-scale cybersecurity vendors. He was inspired by the company's missions and values, while recognizing that continuous controls monitoring has the potential to transform enterprise security by addressing the root causes of breaches. His previous roles included VP EMEA at RSA Security, EVP of Global Sales for Veracode and GM EMEA for Talent. Outside of family and work, Jonathan enjoys spending any spare time playing golf, keeping fit, road cycling, and is a keen photographer. So Jonathan is joining us today to talk about a couple of key things that he thinks might be good tactics and strategies to strengthen the role of the CISO, the Chief Information Security Officer, and hopefully avoid some of the persistent burnout that that role seems to be inevitably paired with. So, Jonathan, thank you so much for joining me today and welcome to CyberWork.
Jonathan Gill:
Thanks, Chris. I appreciate the invite and the important work you do, and it's a pleasure to join you.
Chris Sienko:
I really appreciate that. I appreciate the nice words. It always feels great. So, jonathan, I want to ask you about how you got into your sort of technical interest. You have a pretty wide ranging skill box here. So to let our listeners get to know you better, what first got you interested in computers and tech and cybersecurity? What was the initial spark?
Jonathan Gill:
Yeah, it takes me back to where all this started. It's worth saying I feel blessed and incredibly fortunate to have had the career I have and still enjoy, and it may surprise you, but actually I have only a passing interest in technology. Oh yeah, OK. You can see some photographs behind me. I have a photography hobby and interest, so I have tech to support that. In fact, the photos of the kids are quite old behind me because now it's digital frames, so those are a bit dated, okay. But actually my journey started with me just looking for an opportunity out of university, really a chance to work hard and get rewarded for that, and a chance to find a role where I could track progress.
Jonathan Gill:
I crave feedback, I like to know how I'm doing and I wanted to be able to grow [inaudible] and I probably didn't need all my fingers to count the number of products that were in the world, and FireWall-1 was a new thing a long, long time ago, and that really got me interested in an important topic. So I love the sales and I love the new industry that was being born, and I could see where that might go. No idea it would be the size actually of the problem that we have today, and it's a potential extinction event for companies and it's now a boardroom topic. But I love the role, I love the challenge and I love that sales journey I've been on, but it started with that more than the tech.
Chris Sienko:
Yeah, no, I'm so glad you mentioned the sales part of it, and that being the way you moved into the area, into the sector, because I like to look at people's career profiles on LinkedIn, because I think that tells a good story about where you got started and what types of challenges you like. And, like you said, you spent a decade or more in IT and security sales roles, and these are the sort of positions that I think now, if I'm not mistaken, kind of translate to what we call customer success managers. Like, to some extent, you need to have an inside knowledge of the tool or service that you're selling, as well as kind of a vast array of the challenges that clients will need your item to solve. So you're not just, you know, what do I need to do to sell you this widget? It's kind of: here is the problem you have, or you tell me what the problem is you have, and I can tell you if we can sort of solve it. And so I think in the pantheon of security jobs, these are as worthy of exploration as any of the sort of cool hackery, pen-testery, red-teamy type things. So I'm glad to talk to you about a pivot from sales into the harder security tech.
Chris Sienko:
So I want to start with 2014. You became Executive Vice President of Global Sales at Veracode, and I'll just mention Sam King was one of my previous guests, humble brag. And in 2016, your role at several other security companies included this international angle. You were VP EMEA (for our listeners, that's an acronym that stands for Europe, Middle East and Africa) for RSA Security and Talent, as well as the EVP of Global Sales for Veracode. So Aaron Painter, one of our recent guests, from Nametag, talked about his work with IBM systems and traveling around China and Beijing to learn implementation and usage, and I think it's interesting to deepen your knowledge that way. But can you tell me about your roles in these companies and what you learned from working with cyber professionals outside of sort of US and Western European models?
Jonathan Gill:
Yeah, happy to. Just one thing I just might add to my first answer, which was my journey was accelerated, I think, by learning from people who'd walked the path before me. Okay, I've learned tons from people I've worked with and mentors and people who've been kind enough to give me advice along the way, but I also really got into this topic of personal development and personal growth: Stephen Covey's Seven Habits of Highly Effective People, I remember Earl Nightingale's Lead the Field, Brian Tracy's Psychology of Achievement, and I found lessons learned that I quickly applied in the different roles I had, and that made a big difference, rather than kind of stumbling through life and having to learn these things yourself.
Jonathan Gill:
Yes. And now I have an extensive library. I think I've bought books in many different formats: physical book and Kindle and tape, and then CD and then Audible. I've probably got the same thing five times, sure, in different formats, but I found that to be an accelerator for me, to not have to learn the lessons myself but just be guided by people who've walked ahead, and I'll bring that back in a second. Then the roles I've had. The journey, I would say, is inside sales, field sales, first-line sales management, into a sales leadership role, second, third-line management, general management and CEO. This is my first CEO role. You were right with the way you described it. It's a problem-solving role. I always saw my role as: the finish line was when the customer got value, not when a transaction was completed.
Chris Sienko:
You get that feedback afterwards.
Jonathan Gill:
You get the feedback and then you learn. And you also get somebody who, you know, you looked in the eyes and made them a promise, and you kept the promise and you got them there, yes, and they help you.
Jonathan Gill:
I've learned so many things about the value proposition for a company I was at that we didn't know about until the customer said, oh, by the way, have you ever thought about using it for this? So by going on the entire journey with a customer, you learn a lot, and you were right about what you said. You need to understand your technology and the problem, as well as the customer, and put those things together, pulling from other knowledge that you have from other customers. So you need to be well-informed. But also it's business problem solving, and there are other people who deep dive into the technology. So I've never been a technologist. I don't have the credentials of Sam, whom you interviewed, or Chris Wysopal, who is the founder of Veracode. But my role has been to help solve problems for customers, and I would say in the more senior roles I've had to solve problems in the companies I've worked at, applying the same kind of mindset.
Chris Sienko:
Yeah, I love that. Can you talk about some of your sort of international sales work? Because again, I suspect that maybe you weren't like you said. If you weren't doing direct implementation, you were certainly getting some degree of insight into maybe different applications or different approaches to the same technology. Can you talk about that at all?
Jonathan Gill:
Yeah, I can. So since university, Panaseer is my 10th company. Many in the UK to begin with, and then Europe, Middle East and Africa. And then actually, when I was working with Sam at Veracode, our family moved to Boston. Wonderful experience. One of my favorite companies I'd worked at until Panaseer, which is my favorite now. That was the favorite experience I'd had. So that was working in the US market, a lot of US customers. We were working globally.
Jonathan Gill:
But I spent a lot of time in North America. But in my EMEA roles I've covered most European countries and spent a lot of time in the Middle East, Dubai and Saudi and Qatar, especially providing cloud services to financial organizations, at that time at a company called Arcot, in the area of fraud. But I've also got to work in many different industries and companies of different sizes. So even in the same geography you can meet different sized organizations solving different problems in the world, and they're very different and they can have very different cultures and problems to solve. So there's a geographical element to this, but there's also a real diversity of learning from different industries, different sized organizations, and the solutions that I've taken to customers have been to different buyers, different stakeholders.
Jonathan Gill:
Today it's the CISO, previously it's been head of risk or head of fraud within banks. Some of them have been CIO and IT director roles, so you see different parts of organizations as well. So really a real patchwork of experiences, all of which, I think, help you get a bigger picture of business. Yeah, yeah, when later on the journey you get asked a question or you see a problem over here, you've got a frame of reference which is bigger than that specific problem.
Chris Sienko:
So, constantly broadening out experiences and being able to reframe things into a bigger picture, I would say. Yeah, and I imagine that not only are you, like you said, learning more about the issues of business and especially, like you said, across different industries, different verticals. Then you also have, you know, you're developing more knowledge of this product or these products or these tools that are having to solve different problems, maybe in the different parts of the same company.
Jonathan Gill:
And so, yeah, I imagine that you just feel like you get very sort of steeped into, you know, almost kind of living with this thing here as you're sort of watching it cycle around a business or around an industry. Exactly. There's another theme that I would weave through all this, which is the foundation of who I am and my leadership style and my professional career, and I guess me as a person, is values and integrity, accountability, owning things, and there's absolutely a pattern I've seen through probably the most difficult circumstances I've faced in my career about humans. Okay, and because I think that's where I started, my role was to work with people more so than technology. So I remember earlier, in the second company I worked at, Integralis, who was a UK VAR helping build out cyber in the UK, later in EMEA, I met the IT director of a large newspaper, and I was a kid, I was young in my career, early days, and we'd screwed up, we'd made a mistake, and I went up with one other person and was in this large boardroom with the IT director and I don't know, 10 other people, and the first thing I said was, hey, we made you a promise and something's gone wrong, and I'm sorry for that and I own that and we're going to own it until we resolve it, and I'll be personally accountable to you. And I remember the lady, the IT director, saying: nobody ever says that. All these people are here to prove that we're right, so that you can own it, because we expect you to come and say, you know, not my fault, not my problem. And I was just amazed at that, and I've seen that throughout my career.
Jonathan Gill:
I remember with one of the largest partners that we ever worked with, three companies later at Arcot, we were in a situation where I was competing with another vendor and the other vendor dominated this space. I won't say who they are. They were doing really well, we were smaller, we were trying to grow and we'd just done a really good job for one of their customers, but this was impenetrable. They had this really strong partnership. We weren't going to break through. So we did our best, and then a salesperson at this other organization who was supplying the same partner went direct to one of their customers, even though the deal was originally done through the partner. So we'd just done a really good job over here for this customer.
Jonathan Gill:
In fact, something went wrong and we kept a promise and we worked around the clock to solve it. So we were in credit, and this other competing organization went overdrawn immediately because they broke trust. They went direct to a customer, so some salesperson was allowed to do something to get a commission check that wasn't good for the company and wasn't good for the customer, and we ended up owning all of their customers because we had trust and they didn't want to do business with that firm again. There's just countless examples of where doing the right thing, being trustworthy, looking somebody in the eyes and making them a promise and going the extra mile to keep it is the right thing to do. Oh yeah, and then when people don't do that, they undo years of goodwill. So that's just a consistent theme I've seen as well, which is: hold onto your values and hold high integrity, and life ultimately works out to be fair and treat you well as well.
Chris Sienko:
Yeah, I think that's an outstanding insight, and I think it's also worth noting that not only is it a great business practice and a vital business practice, but I think it's also worth learning to be able to sit in that kind of discomfort, because it would be very easy. I mean, I think a lot of the pain that, you know, not my fault, not my fault is... I think a lot of those people probably could have said it is my fault, we'll make this right, and that's a completely different path. But it requires that moment of that sort of ache: if I was wrong, I did something wrong, someone's, you know... Or you might work in an organization where one mistake gets you drummed out, and that's a much larger issue.
Chris Sienko:
I think those are really like a pair of good things to keep in mind: like, you have to be able to look the person in the eye, give them what they want, and you have to, even if it means sitting in your own discomfort for a while and saying, like, oh, this is going to be unpleasant for a while, but we're going to work through it.
Jonathan Gill:
Exactly, and I've actually got friendships that have come out of that. I would say, every time we've held the mirror up to ourselves and taken that responsibility, it's worked out well and it's built trust and it's built relationships. It's never been relationship damaging because, guess what, when something goes wrong next time they'll come to you and expect you to do the same thing.
Chris Sienko:
Yes.
Jonathan Gill:
If you're doing it because it's values and you're not doing it for short term interest. If you're playing the long game, where you want to build long term relationships with people and build that kind of reputation, then it's what you do in your own self-interest, yeah, and I think it brings people closer together.
Chris Sienko:
Absolutely. Universal value there. I think that's a great way to sort of end that portion of the show. But I want to talk about our big topic today. So, Jonathan, we had some pre-show discussions around what we were going to talk about, and we came up with sort of two topics that I think pair around a larger topic of major challenges of the role of the CISO and how to circumvent them to stave off burnout. So the first one I really am very intrigued by.
Chris Sienko:
You told me about a need for, quote, the increasingly perilous role of the CISO and the need for a system of record that can be trusted. So to give our listeners some context, this would be in response to the all too common response of companies' boards when an inevitable breach or compromise happens: someone has to take the blame, and it's often the CISO. There's no company that would admit that you're being fired for being the place where the buck stops, regardless of negligence or not. So I want to start out by defining your term. You said, quote, there's a need for CISOs to have a trusted and validated system of record to ensure they are reporting accurately and in good faith, along with the ability to prove the right controls are in place and, critically, that controls are continually monitored so that they have been implemented correctly. So, Jonathan, let's start visualizing this. What would this system of record look like in practice? How would it be implemented?
Jonathan Gill:
Yeah, if I just start by saying this: this is what we do as a company. We help CISOs and security teams thrive. So this is all we do. This is what our focus is. And I would say, and you highlighted the macro point here, the Joe Sullivan Uber case, Tim Brown at SolarWinds, look at what's going on with UnitedHealth right now. There's a lot of regulatory and legal focus on what the CISO role is generally.
Jonathan Gill:
But before I answer your question, if I could just zoom out a little bit, please. Yeah, if I think about what I call the eight megatrends, if I think about the forces that are working with an increasingly fast speed of change: global interconnectedness, where a geopolitical situation over here leads to a competitive or business situation over here. We're more connected. That drives more and more IT innovation. We talked in the chat before we went live around our COVID experience and how that's driven people to work from home and hybrid environments and digitization. So you've got more and more technology. The surface area increases, so the threat actor, who has become more sophisticated, can take advantage of that. That spawns the, I don't know how many, 5,000, 7,000 cyber vendors in the world with their tens of thousands of products. Yes. And then layer on the changing economic climate, where you need to find automation and efficiencies. And even if you had enough budget, you've got a shortage of cyber skills. And the scorecard shows that we spend what, $200 billion on cyber, and the cyber damage is 50 times greater, almost $10 trillion, and the cost of the average breach went up last year by 15%, and a billion dollars of ransomware payments, which I think is double the year before.
Jonathan Gill:
If you look at the scorecard, it's going in one direction, and therefore the regulators have stepped in. They see the interconnectedness, the risk of critical national infrastructure, and they're raising the bar from the CISO to the exec team into the boardroom. So the CISO role is now one of a lot of focus, a lot of focus in a technical role or technical journey, now engaging in business conversations, holding people accountable. Some of the CISOs I'm friends with and work closely with would say the number one job now is stakeholder management. Very different than what it was before. So if you just recognize those trends, all of which drive towards pressure on the CISO, that's the first idea I'd share. Just get your response to that. Do you recognize those trends? Do you have a point of view on those, Chris?
Chris Sienko:
Oh, yeah, no, absolutely, I was just writing down stakeholder management. I think that's a really great phrase to sort of describe the... You know, what I was hearing from CISOs five years ago, four years ago, was, yeah, they don't know what I do and I just, you know, go to the board and we do our best, or whatever. But now, breaches have always been inevitable, but now they're really inevitable and they're costly and they're business disrupting.
Chris Sienko:
You know, I was unable to get my prescriptions, except on paper, the other week because Ascension medical got ransomware in my town, and it's becoming very real for a lot of people in upper levels of, you know, how do we stop this? And they feel sort of powerless, I imagine. And so, when you feel powerless, if you're a person of integrity, you look back and say, what do I do? And if you're maybe a little more challenged in that regard, maybe your thought is, okay, well, where can this punishment go to, things like that. And so, yeah, I think that's really interesting. But, yeah, say more.
Jonathan Gill:
Well, it's interesting the way you framed it, so I would come to the same conclusion, which is the CISO is not set up for success.
Chris Sienko:
And it's not their fault?
Jonathan Gill:
Where's their CRM? Where's their ERP system? Where's their Workday? Where's their enterprise platform?
Jonathan Gill:
But there's something else just to... I will answer your question, but there's something else just to share that you prompted, which is there's an invisibility to this. If a company starts out with a level of inherent risk and then they define their risk appetite, they set their residual risk and they use controls to bring that inherent risk down to the risk that they're willing to tolerate, the residual risk. And, of course, if you live in the residual risk and you were to get breached, you would say that, whilst that might be a terrible event, that's okay because you accepted that amount of risk when you set the residual risk. You don't have bars on all your windows on your home. You accept a certain amount of risk, but that's not the problem. The problem is between the inherent risk, where they started, and the intended residual risk. There's another spot on the graph, which is their actual residual risk, that they can't see. And they can't see it because no large organization knows how many computers they have.
Jonathan Gill:
CMDBs are not complete. It's not their fault. The tools that you deploy, and most of the customers we deal with are large, complex, global organizations, maybe 50 tools is at the low end, 150 is probably at the top end, but that's how many different cyber tools they have, and each one of them needs to be deployed on the right assets. But you don't know how many assets you have, and the tools don't know where they're not, they only know where they are. So you've got fog over the estate, so you can't see the assets, and then each tool is an unreliable witness because it knows where it is. It doesn't know where it isn't, and you can't just export that data and aggregate it into a PowerPoint slide and say that's our security posture. In the words of one of my favorite quotes, from Mark Twain: it ain't what you don't know that gets you into trouble, it's what you know for sure that just ain't so.
Jonathan Gill:
So I think that's the problem that many organizations have is they don't have visibility of their IT estate and therefore their security posture, with their controls over the top.
Jonathan Gill:
So going back to your question, which I haven't forgotten, which is the system of record: it is the ability to have visibility of the assets, and that means everything you have, the workstations, and each of the controls, so that you have one system that gives you oversight over those controls, over those assets. And the reason I framed it that way was because without that platform, you can see how difficult the CISO role is. And without the platform you've got your inherent risk and your residual risk, which is your intended, but you don't know where your actual residual risk is, and therefore the business can't make decisions and the CISO can't hold the business accountable because they can't pass on the information. So it gets stuck with the CISO. And our mission is to solve that problem and to help CISOs get visibility and share it with all the people who need it. And that's the system of record that we talked about in the prep. Does that make sense?
Chris Sienko:
It does, yeah, no, absolutely. It was also very evocative, a fog over the moors. I mean, I was imagining that we really are, you know, sort of presiding over... and we've talked about this on the show before, about the idea that, especially with remote and hybrid work, you're essentially defending a bunch of individual villages rather than, like, the master castle anymore. But it's also interesting because, like you said, there's these sort of assets that are trapped in a black box, basically, and they don't know where they are or what's outside. And one thing that's been on the show quite a lot, whether we talked about it directly or people were just asking about it, is the notion of asset detection, and that seems like one of the key things here. Does that feature into this particular platform as well? Does it start with the reckoning of, like, OK, what all are we working with here?
Jonathan Gill:
Yeah, I'd say you've got a technology problem, a people problem and a business problem, if we just pull together the threads that we've just been talking about. The technology problem is the complicated nature and the fragmented, siloed nature of the tools, and the tools that work on identity versus vulnerability versus AppSec versus user awareness. They're not even looking at the same data. So you end up with contradictions. So even if it were accurate, you still can't stitch it together because it contradicts itself. So you've got this technology problem. Let's call that the lack of visibility. You've then got the people problem, where humans get thrown at this to try and turn all of that data into accurate data. But you're always on the back foot because you're kind of crossing your fingers hoping the data is correct, but it's always out of date, it's always inaccurate. You know you can't quite get there. Yeah, that means people turn up in the business arguing about the data. Someone brings their own spreadsheet or their own database, so the energy isn't channeled into solving problems. People are disagreeing. So you get the human problem of mistrust. Maybe the CISO hasn't got the credibility to hold people accountable because someone says, hey, that's not my server, not my problem. So you get that lack of clarity. And if you haven't got clarity and you haven't got clear roles and responsibility, you can't have the accountability. So it kind of bounces back to the CISO, where it doesn't belong.
Jonathan Gill:
But the third problem is the ultimate business problem, which is, yes, you need assets and yes, you need controls coverage, but you have to be able to translate that into the language of a business stakeholder. So that stakeholder says okay, I understand what I need to do to meet my requirements for the policy of these controls and I understand why that's important to the line of business or the area of responsibility that I own. And the CISO can say I recommend you make this decision. And the business leader can say I understand, I've got your advice and I recognize I'm accountable to the risk committee or to the board and being able to drive prioritization, knowing what to do next and then collaboration where everyone's working on the same system of record, then you can break through the technology problem, which is the assets. But really that's just scratching the surface.
Jonathan Gill:
What you then need to do is help people work together, hold each other accountable to be able to solve the business problem of where was that actual residual dot on the graph and how do I get that to be where the intended residual risk is? Or the business says do you know what? We're going to move that intended residual risk further up because we can't prioritize it. So we accept more risk. But you do so in the light of day, making informed choices, where, if you were then breached, people look around and say, hey, that's the risk we took to take advantage of this business opportunity and it didn't work out. But you clear the fog. In fact one of our customers said we've removed the fog of war from the estate.
Chris Sienko:
Yeah, interesting, yes, oh, I want to talk about how this works with regards to breaches, because you know, obviously we're talking about the fact that, like you said, in the fog of war someone gets assigned blame, someone has to walk the plank, or whatever. So how do you envision a system like this working as a? Is it even possible to make it work as a binding document, like report of these actions act, like something that could be sort of held up as saying like this is you know, we did what we could, we took the risks that we wanted to? Or would it just be more like a record for the CISO so that when they get their you know walking papers and go for the next interview, they can say so about this breach at your old company and you can, you know, hold it up or whatever? But like, where do you see this going with regards? Because I don't think I'm sure your product's great, but I don't think it's going to change the culture overnight of sacking the CISO as soon as something goes wrong.
Chris Sienko:
Where does it fit into that, do you think?
Jonathan Gill:
Yeah, understood, it's a good question. I would say this is a living platform. Customers refer to it as a golden source of truth and it's available to all. So if you could just and this is really the power that organizations have with the data that they already have. So, yes, we have a platform that applies data science, but the data is already there. So, whether it's Panaseer or something else, the points I'm making still apply.
Jonathan Gill:
So if you've got all that data in one place, now you have a platform that you could inspect your security posture from a high level. You can have a single score against everything or against particular initiatives. If you have a zero trust initiative or PCI4 initiative, or you want to look at it through NIST CSF 2.0, or show me controls from a ransomware attack vector or customer audits or supply chain audits, whatever window you want to see, you can see into that window from a high level single scores aggregation. But then you can drill down because all the data is in the platform into an individual initiative or a metric, and then you could see every asset behind that. Might be 150,000 assets, might be 10,000 assets.
Jonathan Gill:
You could see all the tools that found, all the assets and the information you got from them. So nobody then says that's not my server. Or we've had people come into a proof of value and someone has said on the call that server's not on my network, we've turned it off. And then somebody pings it and they get a response back because it is on the network.
Jonathan Gill:
It was supposed to be turned off, but somebody closed out the ticket but they didn't decommission the technology. So being able to see from the highest level which might be a regulator, external audit, a board report or high-level exec engagement but then when somebody says, I'm not sure about that to be able to drill down into any level of detail you like any app, any vuln, any patch, any owner, any application, anything you like and scrutinize it. You then create this collaborative system where everybody's working on the same truth data and it's translated into the dashboards or the window that that stakeholder needs, whether it's highly technical or more of a business summary. So just imagine having that and then people enabled to use that every day. And we have hundreds or thousands of people in companies using our platform. Some use it every day, maybe one customer. Recently, 40% of their folks were using it every day. 20% were using it every week. Some people might just use it every now and again or just once to solve a particular problem they have, but everyone's looking at the same truth data.
Jonathan Gill:
You would hope that there's never a disconnect between the CISO and the rest of the organization, because the CISO is informing the business on the choices they need to make and then saying but if you've only got this amount of capacity, let me use the data to make a big problem smaller. You might start with 200,000 vulns for a business owner, but only some of them are patchable. And then some of them are in the CISA, the non-exploitable vulnerability database, and then some of them are on critical infrastructure or important business services. So you make a huge problem into a small problem and then you can make rapid progress on that. Celebrate wins, move on to the next thing.
Jonathan Gill:
So in your kind of court of law scenario, you hope you would never get there. Right, of course, because everybody was collaborating in meetings and conversations and this became part of the cadence. And if the CISO left the company, under whatever circumstances, and went to the new role, I hope they'd be able to say, yeah, we knew our security posture, we understood and accepted the risk, I informed the business, they made choices.
Jonathan Gill:
Hey, it didn't work out. We'll learn from that, and this system of record might then enable us to turn some dials and move that residual risk to a different spot where we have less of a risk appetite, based on what we learned. But the same system would then inform the next chapter of that company and the CISO would then potentially go off and do the same thing in the next place. So I'm just hoping we could eradicate the scenario, ideally prevent the breach if the business wanted to channel the energy that way. But if not, everybody walk out shoulder to shoulder and said, hey, we made some choices and you business risk, and sometimes it works out and sometimes it doesn't.
Chris Sienko:
Yeah, yeah, absolutely.
Chris Sienko:
Now I want to move from that, you know, because I think we want to talk about the fact that any of these things that a CISO is bringing to a board or bringing to people who have to make the implementations is an interruption out of their day, and I'm sure you know they have a hard time.
Chris Sienko:
You know, oh God, now what you know, like that we have another, another thing we have to deal with and now he's got, he's giving me these risk scenarios and now you know, I'm having to, you know, decide between you know big money, lots of risk, little money, you know whatever. But can you speak, before we go into sort of the storytelling aspects of a CISO, can you talk about? Have you spoken to any CISOs who use this particular platform who feel that it has been kind of a reduction of stress in their work? I mean, is the fact, like you said, the fact that you're sort of clearing the fog of war and you're clearing some of the uncertainties around the role? Have you seen tangible results like that with regards to CISO quality of life and quality of work?
Jonathan Gill:
Yeah, there's something that's game-changing when you move from data overwhelm, that fog, the lack of visibility, but all the data you do have, there's just so much of it. When you can channel that through the data science of this platform or a different platform, then they say things like this is the platform of platforms. Now I see everything for the first time. I mentioned that we moved the fog of war quote. Somebody said we've moved from tribal knowledge to data-driven. So you start to change the mood in the organization and there was a picture if you like they were using their arms, I'll try and paint it with mine when a CISO said the IT estate and the status of controls, performance, so their coverage and their performance is complicated. It's not complex and it's knowable. It might not seem that way when you've got a hundred tools and all of this data, but that's absolutely data, scienceable and it's knowable. Then out. So draw a picture of your house and kind of put your IT estate and your controls inside the house. Simple diagram, but representative. Outside the house you have threat actors and supply chain risk and then you have all of these questions coming at you from stakeholders, from regulators to supply chain questionnaires and customer audits. Now that outside world is unknowable generally and it's complex. But if you can get your house in order and if you have got visibility of your assets and your controls and the performance of those controls and you can inform the business to make choices, get your house in order. The knowable complicated helps you manage the unknowable complex. So when the questions come at you from the stakeholders which yesterday were impossible, now the answer is in the platform.
Jonathan Gill:
One of our customers I remember telling me their experience with Log4j and other customers recently with the MOVEit vulnerability. The platform will tell you where the thousands of instances of the Log4Shell vulnerability are and you'll find all the SVP or the exec owners of that, prioritized by business importance of the infrastructure or the service. And then within the platform you can drive remediation objectives to say, start here and over this period of time, get to here and you can track it in hours and days and people then collaborate, working together because you've got the clarity, you've got the role and responsibility, you've got the accountability and you've got a measurement system that tracks progress over time. So now when something hits you can deal with it because you've got your house in order.
Jonathan Gill:
When your house isn't in order and you have to run around to answer a board member's question and it's an easy question, but it's an impossible answer or a zero-day hit and you don't know where it is, that's everybody on the back foot. That's crisis management. When everything is at your fingertips or a new regulatory requirement comes in or DORA says now you need to map controls to operational resilience and important business services, you can do that within the platform because you're just finding different ways to look at the data. So, absolutely, we see that, and we see that not just for the CISO. We see that in audit, IT users like CMDB, business users, SOC, detect response teams as well as control owners. So many stakeholders around the business can benefit from this single source of truth data.
Chris Sienko:
Yeah, absolutely OK. Now I want to jump from there to the other sort of point we discussed in terms of CISO health, and this is more of an abstract one. But you discussed the need for quote CISOs to be storytellers and you said they should be able to quote abstract complexity and distill relevant information into a narrative that the board can understand, collaborate with people who sit outside of security, who are essential to successful deployment of controls, and demonstrate progress, to tell a positive story while also making a clear, successful business case for investment. So we talk a lot on this show and in tech about quote unquote soft skills, and it's one of the most vital requirements I hear from the C-suite people who need, you know, need for CISOs and people at security of any level to speak the language of their tech in the work, but also the language of their company, whether it's policy regulations like HIPAA and GDPR and Sarbanes-Oxley, we all agree on this.
Chris Sienko:
But the next level down, Jonathan, one issue I discussed with our past guest this was Dan Roberts of Tech Whispers is the more preeminent issue of CISOs not already having a seat at the table. If they talk to the board at all, it's often because they're being hauled up in front of the board because something terrible happened, or they're having to explain why they need more money or what have you? Within this framework, you're describing how individual CISOs, or the class of workers in the CISO position, can start to sort of change the culture to make sure that this is more of a first-class C-suite position and not one that, again, to use Dan Roberts's term, schedules the meetings rather than is invited to the meetings or, worse, is only invited after the third or fourth meeting on the project.
Jonathan Gill:
Yeah, great question, and that's changing. You prompted another thought. Early in my career, I learned that you get delegated to who you sound like. Yeah, okay. So when I was trying to get to a business leader or a senior executive and I was asking questions or talking about technology, the executive didn't want to have that conversation and actually might not have been qualified to have it. So they delegate you to an SME. So I learned to go and talk to the language of the person who was our ultimate buyer or decision maker, or who I was going to be accountable to, and talk in their language, not my language, I would say.
Jonathan Gill:
By harnessing the data that you have when that's at your fingertips, you can tell stories. But there's more to it than that. I mentioned some of these examples of where the CISO can then partner, where internal audit could start to use the same platform. One customer said it's done 80% of the work of internal audit for us, so now they're using the same truth data. Well, that takes out the friction between the CISO team and the internal audit team when they're using the same data and all the assumptions and logic, the data lineage and the transparency is in the platform so they can see that the data can be fed back to the CMDB. So the IT team now benefits. And we've had customers who've made significant improvement in the completeness of a CMDB based on getting enriched data fed back from all the tools back into the same CMDB that fed our platform. So you've got this cycle of truth data being shared. We've had red teams come in and find findings which turned out to be configuration problems which were found in the platform.
Jonathan Gill:
We've had control owners. There's a great quote from one who said I love the fact that I've got a single denominator. So all of these tools give me all these different numerators and denominators and none of the denominators are correct. They all know what the numerator is, they know where they are installed, but out of how many assets they should be installed, none of them know. Panaseer CCM, Continuous Controls Monitoring, gives you a single denominator. So the control owners benefit as well.
Jonathan Gill:
And I mentioned earlier that the platform translates data into the language of business or whichever stakeholder you are, so you're talking their language and when you can talk about somebody who runs a business and the risk that they have, or even a ransomware dashboard for their business, with their controls, and being able to prioritize how much risk you have in end of life assets that are critical infrastructure that you didn't know about, or how many privileges that are not in the vault that should be, that you weren't aware of. And a lot of these problems are process problems that you can fix at the root cause. Don't reintroduce vulnerabilities with a build configuration. Fix the build configuration, don't reintroduce the vulnerabilities. And this platform allows you to see patterns like that. So you're banking wins all the time. That reduces the attack surface.
Jonathan Gill:
So the data and the warm engagements, relationships that you're building across the organization really help. And then, when you can aggregate security down into a single number and you can show progress over time, and then you can heat map it to see according to business units or critical services or regulated services, when you can slice it like that, you can explain security to the language of the board or the regulator or the external auditor or your internal stakeholders in a way that facilitates the storytelling, because the platform's doing the heavy work for you. It's translating data into a dashboard or a window for a particular stakeholder to make it easy for the CISO and their team to then interact. You're talking, you're producing data that's reader friendly, not just writer friendly. So that goes a long way.
Jonathan Gill:
And, yeah, some of the CISOs that we work with they'll say things like one said to me personally, I went from being a risk taker to a business facilitator. In previous meetings I walked away as the CISO with the risk. In the last meeting I was able to give them their slice of risk for each business owner. They heard my recommendations and they agreed that they're accountable and they'll explain their decisions to the risk committee. Now that felt like a moment on the journey with that CISO to free them of the burden of all of this accountability, which doesn't really belong to them, and empowering them to find a vessel to give that to the people who need to own it, who, actually, who want it because they want their business to be safe. They just didn't know what to do because they didn't understand. So you're just lubricating the machinery of communication, if that makes sense, to make it easier for everybody, both the sender and the receivers.
Chris Sienko:
Oh yeah, and I think that makes also good storytelling for the people who are taking their advice. Like you said, you know I knew the risk I was taking. We took it. It worked out well, we made a profit. Everybody's happy. You know there's less of like I don't know what I did, but something went well with. You know, more communication all around is always, I think, always better.
Chris Sienko:
But so, as we wrap up today, Jonathan, I want to sort of ask you maybe a more philosophical question. I know that you, like you said, you started in. You know the sort of sales side of cybersecurity and you know, certainly you work a lot of CISOs and C-suite people. But, for, if you were to be someone new to the cybersecurity industry, based on what you've seen, based on the way, like you said, things like risk reporting and vulnerabilities are you know adopting, like what would, what career mapping strategies would you adopt if you were starting in 2024? Are there things that change about the industry that you'd have to think about? Are there things that you're seeing changing that make you say you know, hey, everybody, you need to know about this immediately. In five years it's going to be huge.
Jonathan Gill:
Yeah, great question. I heard a figure recently that there were 5.5 million people working globally in cyber and 4 million open roles, and those roles are very different to the roles when I started in my career. I would go back to something I said at the beginning, which is if I were doing this again. One thing I did that I would do again is I would dive into the world of self-learning, understand concepts. I remember Stephen Covey's Seven Habits of Highly Effective People, that concept of inner circle, outer circle, where you want as many things in the inner circle of things that you can influence and not so many things in the outer circle of things that you can't. It taught me to put as many things in my inner circle as I could so I could take responsibility for it, rather than what's an easier thing to do is move things from the inner circle into the outer circle and say, hey, I can't do anything about that. Well, that's too hard or that's not my fault. So, being grounded in some of the rules of the world, just like knowing the laws of physics. That's helpful and I would definitely do that and that, I think, has served me well.
Jonathan Gill:
Something I came across only in the last 12 months that I wish I'd done at the start of my career and it would be interesting to see if I ended up in the same place was a thing called Ikigai, I don't know if you've seen that, where there are four circles. Things that you're great at is one, things that you love, things that the world needs and things that you can get paid for. I did that in my role actually this year, not things the world needs and things that you get paid for, but things I love, things I'm good at and things the company needs right now, and that helped drive my prioritization, because sometimes I can be tempted to do things that I love. That might not be what the company needs most importantly, and some things the company needs I might not be very good at and therefore I might put that on the hard to do list.
Jonathan Gill:
So this was I would do this from a career point of view to try and work out which bets to place first of all. So I would, I would do that and I'll do that with my. I've got a 19 and a 16-year-old and when they enter the workplace I'll go through that exercise with them. You've got to know enough about yourself first of all, so maybe you need a bit of experience, but I'd certainly start with that. Have you seen that process? Have you come across that before?
Chris Sienko:
I have not no, no, that sounds great, though. Yeah, yeah, it's super really helpful. Um, yeah, yeah great piece of the second. Thing.
Jonathan Gill:
Oh, go ahead, sorry. Somebody I met in 2020 had written a book, William Schneider, and the book was called Lead Right for Your Company's Type, and he described four different types of companies and people thrive generally in one of them, but not in all four. And the author realized that people would move from one company to another and they were flying in the previous company and then they would crash and nobody knew why. And if you're in an organization like an oil rig or a nuclear submarine or a utility he calls it predictable and dependable you follow the rules. There's a process to follow. Lives are in danger if you don't, whereas if you are in an enrichment company, which is the opposite of that, like maybe a Patagonia or a charity or someone who's driving something from value, you really have got much less process and much more freedom.
Jonathan Gill:
And there were two other types. One was customized, which might be a design company or an architect or PR company, where they customize their solution for you. And then the other one was the type of companies I'm attracted to, which is best of breed, but I worked at IBM for a while and I loved it. I learned a lot about sales methodology and big organizations, but there's 300,000 people.
Jonathan Gill:
I felt like a number and you had to follow the process, whereas in a startup, I don't believe in hierarchy. Actually, I want meritocracy. I want people in any level in the company challenging my ideas because we need to make the best decisions we can and I've got no ego in being right. But that doesn't work in a highly process-oriented, hierarchical organization. Oh yeah, so the same person. In those two environments one might get fired and one might absolutely love it, and there's nothing wrong with the person. So I would have a look at the type of culture that was a good fit for you as well and see where you might thrive.
Jonathan Gill:
But the biggest one I would say is dare to dream. I would say anybody who's choosing any career, whether it's cybersecurity or something else. The world will tell you you can't and people will want to frame you in their own image, and it's much safer to stay where you are than go somewhere else. We've got a customer who used to be a ski instructor and now he's running compliance and doing a wonderful job, and they hired him based on his outstanding qualities as a human being. Our data science lead is an astrophysicist. Her background, she processed a lot of data and she's been at the heart of our company growth.
Jonathan Gill:
I hire people based on their qualities. If they've got integrity. If they've got I don't know grit, drive, strong work ethic, determination. If they're highly accountable and do what they say and don't blame. If they've got high IQ. If they can get on well and play nice with people and collaborate but also hold them accountable. If somebody's got oodles of that but less experience and they can demonstrate where they've put their hand up and say, yeah, that was my fault and they haven't blamed. And when they got fired from the previous company, they say, hey, I screwed up, I made a mistake. I learned from that.
Jonathan Gill:
Let me tell you what I've done differently. All day long, I'll place a bet on that over somebody who's highly credentialed but doesn't meet my criteria around character. Because think about it on a graph where one axis is your capability in the role and the other axis is your character or whether you're a good human being. Whichever way you want to phrase it, I want somebody who's top right. I'll trade off experience. I won't trade off values. I won't compromise on values. I can't.
Jonathan Gill:
It's hard to teach people values. People generally don't change in their core. But you can teach people experience and you can teach people skills and knowledge. So I just encourage people to dare to dream. Play chess not checkers with their career and think about the moves they want to make over the long term, find ways to get there and map their career and don't compromise.
Jonathan Gill:
And if you're in the wrong place and it's not a cultural fit, far be it from me to say it because I don't know people's financial circumstances. But I would play the long game and I would say your career is short. Every second, every minute, every hour, every day, every week, every month, every quarter, every year counts and therefore spend all of that as much as you can, growing and getting more valuable and delivering more value to companies, and then you can build your career path by serving the organizations and the teams you're in and the customers that you have. But the dare to dream is the thing I did early in my career and I think that served me well and that's what drove me to learn more and grow, because I wanted to do bigger roles and don't be limited by how we perceive ourselves today, because we can grow and we can learn to be anything we need to be.
Chris Sienko:
Fabulous, fabulous place to end. So before we go here, you've been telling us a little bit about Panaseer's platform, the continuous control monitoring platform. Let us know anything else you want us to know about it, and also let us know where we can find you, Jonathan Gill, or Panaseer online.
Jonathan Gill:
Yeah, happy to. I mentioned earlier we serve chief information security officers at typically large, complex organizations. They're typically regulated and they want truth data about security posture and to be able to translate that to the non-technical stakeholders. So CISOs who want credibility, influence, to create a culture of accountability, we're a good fit and you're going to have a certain amount of complicated stuff assets and controls to need data science to sort of.
Chris Sienko:
There needs to be a forest for you to chop down.
Jonathan Gill:
The beauty is, it's a self-fulfilling outcome. The more trees, the more value, the more what seems to be complex but actually is complicated, overwhelmed, then, the more truth data you have at your fingertips to be able to make big problems smaller by filtering and looking at toxic combinations and compound risk. So that's what we do. We've been doing it. It's our 10-year anniversary this year and we've been on the journey to automate and standardize that to make it easier and faster to deploy and get value quickly. And we now cover 10 security domains, so we cover the breadth of security. So that's what we do. We're findable at panaseer.com.
Chris Sienko:
Okay, P-A-N-A-S-E-E-R.
Jonathan Gill:
P-A-N-A-S-E-E-R. That's correct yeah.
Chris Sienko:
Okay, and Jonathan Gill, you're on LinkedIn. I know this because I'm friends with you on LinkedIn.
Jonathan Gill:
Yes, I am, yeah.
Chris Sienko:
Yeah. Do you have any other social media that you want to share? Any blogs or anything?
Jonathan Gill:
You'll find them on the website or via my LinkedIn profile.
Chris Sienko:
All right, well, thank you so much for your time and insights today, Jonathan. This was a lot of fun talking to you.
Jonathan Gill:
Chris, great questions. I've enjoyed the conversation. Thanks for your time today.
Chris Sienko:
My pleasure and, as always, thank you to everyone who's watching, listening and writing into the podcast with feedback. We're doing Cyber Work Live next week. I mean by the time this comes out it'll already have happened, but we're going to be answering cybersecurity beginner questions live, audience live questions. So always be asking questions, drop them in the comments below. We're always adding them to future episodes, so don't be afraid to let your voice be heard.
Chris Sienko:
So before I go, don't forget infosecinstitute.com slash free. We've got a whole bunch of free stuff and exclusive stuff for Cyber Work listeners, including a trailer for WorkBytes, our security awareness training program. It's an absolute hoot. You'll love it. Don't forget, we also have our Cybersecurity Talent Development eBook. This is really good for people who are just getting started in the industry. It suggests some in-depth training plans and strategies for what we target as the 12 most common security roles, including SOC Analyst, Pentester, Cloud Security Engineer, Information Risk Analyst, Privacy Manager, Secure Coder, ICS Professional and more. One more time, infosecinstitute.com slash free, and the link is in the description below. So, before we go, thank you once again to Jonathan Gill and Panaseer, and thank you for watching and listening. This is Chris Sienko signing off and until next time. Keep learning, keep developing and have fun while you're doing it. Bye for now, thanks everyone.