It’s almost impossible to build a culture where security is central to big decisions without someone leading the way – someone who cares so deeply that they’re able to gain the board’s trust and support. How? Building a shared vocabulary, a shared understanding of complex challenges, and by creating a safe space to discuss them. These are all fundamental factors to making cybersecurity a priority for C-level executives.
Today I’m joined by Claire Pales, director of the security consultancy The Security Collective and one of the people who knows this problem space best and is spearheading change with a unique approach.
Claire also hosts the long-running The Security Collective podcast, currently in its 9th season. She has authored two books – “The Secure CIO” and “The Secure Board” – which guide leaders through the complex world of cybersecurity and its myriad implications.
In this episode, you’ll learn about the main points company boards weigh when deciding how to invest in cybersecurity. You’ll also hear about the most effective approach to communicating the need for increased effort and focus in this direction. Lastly, you’ll understand why fear has repeatedly failed as a tool for pushing the field of cybersecurity ahead and delivering better outcomes.
Claire is our thoughtful, incredibly experienced guide into the complex world of high-impact decision-making, and we can all learn from her nuanced and compassionate methods.
[01:30] Andra Zaharia: To help you get to know today's guest, I want to quote just a tiny fragment from one of the articles she wrote: “I was driving recently, and when I pulled up at the traffic lights, I noticed the truck in front of me had a sticker that read “Safe by choice, not by chance.” It spoke to me as I thought about how many of my clients say to me, “Oh, we've never had a breach. We’re so fortunate.” Being more secure doesn't have to be good fortune. I love the reminder on the truck, that we make a choice about our security; we make a choice to have a dedicated security function; we make a choice to invest in having a secure culture, secure processes, and secure systems; we make a choice to use security-focused language in our everyday vernacular.” This really spoke to me as well, not just to Claire Pales, who is today's incredible guest on Cyber Empathy. I think that we also get to be empathetic by choice, not by chance. To activate our ability to be empathetic in situations where it doesn't come naturally takes a bit of practice. And it also takes examples from other people as well. So, this is why today's episode is one of those special moments where I got to meet and talk to one of the people in the industry who's always been generous, empathetic, open, and very, very supportive with people, and who has always tried to bridge an important gap between cybersecurity and boards that lead companies. Today's guest is Claire Pales, the director of The Security Collective, which is a consultancy company, and also a podcast that's been running for over nine seasons up to this point. Claire has amazing experience, almost 20 years in the cybersecurity industry, which is absolutely fantastic. And you can tell that she's made the most of that experience because she is so articulate, so clear-minded, so focused. And she brings on so many great ideas that I hope will help you on your way to understanding not just how you can use cybersecurity concepts in our everyday life, but also see the potential of us working together, and us helping each other translate the technicalities between each of our jobs. She also wrote two books: The Secure CIO and The Secure Board, which I highly recommend. Her work is deeply anchored in the realities of the people that she serves, which are decision-makers and people on boards. And she is just incredibly passionate, incredibly kind, and I cannot wait for you to meet her and learn from her. So, let's dig into today's episode.
[04:41] Andra Zaharia: Claire, so wonderful to have you on the Cyber Empathy podcast. You are one of the people who has the most impact in the industry. You are doing so much to help bridge the gap between the general perspective on cybersecurity, which is highly technical, and decision-makers who have the power to impact hundreds and thousands and millions of people through their actions. So, you've been doing this for a long time, your contribution is so consistent, and so clear, and so focused that I'm very thankful for the opportunity to talk to you.
[05:17] Claire Pales: Thank you for having me. It's very odd to be on the other side of the microphone. But I'm really pleased to be sharing with you today.
[05:23] Andra Zaharia: Just to dive into your expertise, of which we’ll only be able to cover a very tiny percentage, I wanted to ask you: how do you practice empathy in the work that you do with cybersecurity leaders and business leaders?
[05:39] Claire Pales: So, in preparing for today, I was thinking about this. And I think there are three areas for me. The first one is, I work as an Interim Chief Information Security Officer. And in the work that I do and in my business model, I'm able to go into organizations as the interim leader and work in the business for a period of time before I start hiring for the permanent replacement. And so I'm able to give candidates a hand-on-heart reflection of what the role entails. It's not empathy for cybersecurity, per se, but it's empathy for candidates because I want them to know what they're walking into, what the risk posture looks like, what the culture is like. And by working as the interim leader, I give them that firsthand knowledge and understanding of what the role will really be like, what their boss will be like, what the team is like. And sometimes I arrive there as the interim and I'm the only person. And so it's this kind of crazy experience that I can then say to someone, “I'm trialing this for you, and this is what the business is like.” So, it's either going to attract them further, or it's going to give them enough information that they know that that's not the right role for them. So, I literally put myself in the shoes of the candidate by doing the role and immersing myself in the culture. It makes for a really rich recruitment experience. And over the last five and a half years I've been doing this, every person I've ever hired, except for one, is still in their job today. And so, for me, being able to show them and then relate to what I'm doing in the role allows them to think, “Okay, this is the right direction for me or the right role for me,” or, “Actually, that doesn't sound like it's the place for me.”
[07:15] Claire Pales: Secondly, for me, empathy in my work is around encouraging cyber leaders to really connect with the employee community through the pain points that they're experiencing. So, we've always had this great engagement when we talk about keeping your kids safe, or your aging parents safe online, or giving tips for using your iPhone or your Android or whatever. If we run those brown bag lunches or engagement sessions, if we try to help people understand how it's going to impact their personal lives, they tend to come in droves. There are people standing outside the doors when we run these awareness or behavior-change sessions. If we talk about their lives, not what they're doing at their computer at work, but really how they're going to be impacted, we make security relatable for personal and professional reasons. The two can come together. And certainly, at the moment, with the world the way it is and people still doing a lot of work from home, helping people to understand the risks of letting your kids play computer games on your work computer, the two worlds have absolutely collided. So, using this connection to build relationships with people and encourage behavior change, not just security awareness, but people actually saying to themselves, “Well, I wouldn't want my money impacted in that way,” or “I wouldn't want my identity impacted in that way.” And so they can really relate to the experience that someone's going to have in the workplace as a customer as much as they can relate to it in their own personal lives.
[08:39] Claire Pales: I think as security leaders, we've tried to do that over time, but it continues to be a really, really important mechanism to have our staff understand that if it was them in their personal lives impacted, how would that play out. And the third area is working with boards, when I work with boards and I talk to them about cyber investment and the impact that cyber risk has on communities. These past two years, we've seen incidents where the supply of food or the supply of petrol, medical services, have all been impacted by cyberattacks, particularly ransomware, where you might have had to shut down a whole hospital, or even a wing of a hospital, or a complete shutdown of a network. This can be life or death. And helping boards to understand the need to protect data and systems through that risk-based cyber investment lens is key to getting them to understand it's customer safety. It's not just about losing email for a few days, but it's about people out in the communities not being able to live their lives. That could be the result of a cyber attack. So, wrapping it all up, putting the customer at the center of everything we do, including putting them at the center of the impact of a cyber incident, helps us as a cyber community to get our organizations to think about putting themselves in the shoes of the customer. Because even if one customer is impacted by a data breach or a cyberattack, it could be life-changing to that one person. And we saw a particular scenario in the UK in the last couple of years where a pension fund was impacted, and a spokesperson came out and said, “Oh, it was only a handful of our customers that were impacted.” But their whole identities were stolen. And so even if it's one person, we want to see leaders who are feeling the impact and showing, not remorse, but they're showing empathy towards customers who might have to change their whole outlook because of a cyber incident through a company they happen to do business with.
[10:35] Andra Zaharia: I think those are such wonderful examples. And you come from such a generous posture. The ultimate exercise in empathy: to walk in the shoes of the person who is going to take on the role, and be so candidly open about all of the things that they're going to face. I think what's actually becoming almost a stereotype is the fact that the cybersecurity industry is understaffed, and that there aren't enough people. And then the conversation that happens in the industry, with and around people who have experience, is always that it's not that there aren't enough qualified or talented or interested and curious people. It's that the recruitment process is broken in so many ways. So, you, leading by example and doing this at a high level, and showing people a very transparent path forward, I think, is a wonderful thing that you're doing. And also, I think that it helps. Stories like yours and examples like the ones that you just shared are so important because they show not just a different aspect of cybersecurity, but they show the real work that happens behind the scenes; the work that goes far beyond technology; the work that actually shapes technology because those are the principles that we build on. In spite of buzzwords, we're not at a point where technology creates itself. So, we're still responsible for that and making sure that it follows the right principles. What kind of stories have you seen resonate the most with boards? You've given so many examples, what personal stories have you seen have the most impact, and really bring up that reflex of being empathetic towards others?
[12:23] Claire Pales: I think there are a couple of types of stories that have an impact when you're talking to boards and those senior levels of the organization. If we think about what boards are most focused on, they're really focused on things like culture, performance of the business, and solvency. They're really worried about an organization being able to stay afloat. And when you have the conversation, particularly around ransomware, and you say to them, “If we were hit by ransomware and we had to close down our whole network so there would be no way to contact our customers, there'd be no way to have a conversation, and we could return to business but with pen and paper – we've worked out we could probably only do that for three days. And after that, all chaos would break loose.” The wheels turn for the board: “Okay, well, that would mean our performance would be impacted. And that would also mean, from a solvency perspective, maybe our shareholders will be impacted.” It really puts it into the language of the board. And I think that's what's important around empathy: it's not just walking in someone's shoes and understanding the impact on them; it's using language that brings the two parties together. And I see so often that if we can talk to boards about what's impacting your organization or their organization, but also getting them to understand the impact that a cybersecurity incident has had on a peer organization or another organization, that allows that board to relate. So, from the board's perspective, I never want to say to them, “XYZ company got impacted by a cyberattack, and this is how we would have responded.” What I want to say to them is, “These are the controls we've got in place, so that if it was to happen to us, ransomware or a data breach, this is what we're doing.”
[14:07] Claire Pales: So, being really positive about the things we could put in place, but telling stories to the board in the language that they understand. In the same way that you'd speak in a very different way to the CEO or to the head of marketing, it's helping them to get the information into their mind that's most relevant to them. And then realizing, when the light bulb goes on, “Oh, now I get it. Our customers wouldn't be able to interact with us.” We saw a case recently where an organization had to shut down even their email, and they had to converse with their customers via a Gmail account because they’d shut everything off because of a ransomware attack. So, organizations realizing the impact of that on their reputation as well, which is very high on the board's agenda too. So, the stories we tell have to be relevant, and they have to drive straight to the heart of what that audience is interested in and what's going to hit home with them.
[15:00] Andra Zaharia: Those are very powerful examples. And I think that there's so much that we take for granted, no matter what our role is, especially technology and all of the things that we are used to. You see people reacting when social networks go down because they take them for granted. And that's a minor thing, a minor inconvenience for most people, not for businesses necessarily, or for other people who rely on it for a range of personal reasons. And when you extrapolate that, and when you magnify it, and amplify it by orders of millions with these companies that we depend on for so many things, from utilities to having a job and then getting our paycheck and things like that – it really paints a more vivid picture. And I think that it's finally through the work that you do, and the other people in the cybersecurity industry do, and even people who are passionate about it, who have no relation to the industry whatsoever. I think that this work, in the compound effect, is starting to change people's perspective and to show them that there is no distinction between our offline and our online lives, that they're extremely interconnected, interdependent, and that the internet is not just for fun. I mean, most of us think we know this, but we don't really know it until we feel it. And what we're all trying to do and achieve here is to try to minimize the risk of something major happening in our lives, whether it's us as individuals or at an organizational level. It’s just that humans have a difficult time coping with being proactive about abstract stuff; we're not really good at that. And that's why we need a whole load of empathy to be able to speak in their language, just like you mentioned. You've talked to so many people in the industry throughout The Security Collective podcast for a number of years, and you've seen stories and perspectives so numerous and rich in the picture that they paint. I mean, there is just a body of work that's an education in itself. So, I wanted to ask if there are any specific questions that you use to try to bring people's personal feelings and opinions into the conversation, because it was J Wolfgang Goerlich who said that good security reflects our values. And I strongly believe that as well. So, what personal stakes and skin in the game have you seen people manifest during this podcast?
[17:31] Claire Pales: So, selfishly, I ask questions on my podcast that I'm interested to know the answers to. So, there's not necessarily a huge science behind it. It's really when I meet people, I'm thinking to myself, “What do I want to know about them? About their experience? What have they been through? Their challenges, their achievements.” But the problems that I've been able to solve as well. Because I found that people tend to listen to my podcast for two reasons. Firstly, they either listen because they can relate to the guest. So, if I have a security leader on, then I might have lots of feedback from security leaders who listened in and can relate to what that person might be going through. Or the second reason they listen is because they're hungry to know what others have been through and what they've learned. So, I've been working in cyber for a long time, and so I can also relate to my guests and what they're talking about. But in 99% of cases, I approach people. When people come to me and ask me to have them on the podcast, I'm always a little bit wary, because I love the idea of me going out and finding people where I see their story or I hear their story and it really resonates with me, and I think that's going to resonate with my audience. So, I know it's hard, when you podcast, you don't actually know who's out there listening. But I do know some of my audience when I meet people and they say, “Oh, I've heard your podcast,” or “I love listening to your podcast,” or “I just discovered your podcast.” And the types of people that I speak to, then when I hear stories and I want to interview people, I think to myself, “Well, what would I want to know about this person and how they've experienced something in particular?”
[19:08] Claire Pales: We've had such an array of guests. We've had people come on and talk about being a cyber breach coach. We've had people come on and talk about the skills crisis, or the skill shortage, or whatever you want to call it, right through to CIOs of small companies who've talked about how they've been really resourceful to build out their teams or how they've built their operating model. And I guess that's why I changed the name of the podcast to The Security Collective, because I wanted it to be much broader than just talking to CIOs about how they built out their security functions. We've had one about cybersecurity and using marketing as a mechanism, and we had a woman come on from HR who talked about how they have built resilience in their organization. Because these days, it feels like, in cyber, all we talk about is resilience, and I thought, “Well, maybe we could talk to her as head of people and see what she's done through COVID to keep their organization resilient.” And so I'm trying to think outside the box a little bit so that my audience gets stories that aren't always the same, and that aren't always talking through leadership or team building, but actually all of the parts that pull into that. And so everybody who's an audience member can relate in some way to each episode. That's really what I'm after.
[20:21] Andra Zaharia: You've created such a great space for collaboration, basically. I think that being exposed to all of these stories and having the transparency that we crave in the cybersecurity space, generally, and in other industries as well. And this is particularly what I love about the industry: it really stretches your perspective, it really gives you a range of mental models and behavioral patterns to work with and to identify. It really helps surface all of these things that interact with one another and cultivate that ability that's called systems thinking, which is helpful in any part of our lives, especially in building businesses, especially in dealing with an incredibly complex world that’s not going to get any simpler if we're honest and realistic about it. So, you mentioned repetition, and I think that this is from people who have been in the industry for a long time, and I see this in their books and content and articles and conversations. There are topics that haven't changed for the past 30 years. There are issues that are extremely persistent because they're deeply cemented into other systems that security has to deal with. So, how do you keep going? How do you feed your enthusiasm and energy and optimism in the face of these repetitive challenges that you see, not just as a contributor to the industry, but also in your role and the work that you do?
[21:48] Claire Pales: That’s really interesting, because my children have a nickname for me: they call me Rules. I'm very focused on structure and rules and boundaries. That's how I grew up, and so that's how I raise my children now. And I'm pretty sure, if people have heard me on other podcasts, I've talked about this before, but I'm pretty sure that's why I work in cybersecurity. And in fact, I probably would have worked in law, but my career didn't take me in that direction. But I love the idea that there's a right and a wrong. It's very clear. It's very binary. And I know the world isn't really like that. But I love the idea that when someone has experienced something, and it's worked, and the structure has worked, that they can repeat that. And so for me, using my framework to go into an organization, understand the business, work in the business, and then hire to replace myself. I know that that framework is repeatable, but everything else about it is not. And we have to grow and evolve and change. And we have to make sure that as an industry we are making sure we keep up. Because I heard someone say at a conference once that as an industry, we've failed at cybersecurity awareness because we're still doing all the things we were doing before and people are still clicking on phishing links. I agree that there are some outdated approaches to some cybersecurity activities, but I also think that we have to keep on keeping on. And the people I speak to on my podcast, the people I work with, in the industry and within my own business, we're so committed to – probably sounds a bit cliche – making things better in terms of cybersecurity, that that's what gets us out of bed every day. And that real purpose of getting boards to recognize and prioritize cyber. And getting other C-suite, not just the CIO, but other C-suite, to recognize that cyber is important.
[23:45] Claire Pales: Most people I meet in cybersecurity are in the industry and have been for a long time, because they know that as a collective, we're moving in the right direction. And yes, we have some outdated practices, but we also are trying our best to move with the pace of the world. But in all of that, our values around doing the right thing and getting other people to learn how to do the right thing as well, I think that's what drives us. It’s certainly what drives me. I know that there are always exceptions to rules, but I love the idea that we can put rules in place for the safety of organizations and for the safety of our customers as well. And I always come back to it; putting our customers at the center of everything we do. Don't buy a firewall because you think you need the technology to block the bad guys getting in; buy a firewall because it's going to protect your customers’ data and the “crown jewels” in your business. So, use that language because other parts of the business use that language.
[24:44] Andra Zaharia: So, what does cybersecurity look like when it builds on empathy as a core principle instead of fear, uncertainty, and doubt, which is so overused and creates so much resistance in other people?
[24:56] Claire Pales: So, it's interesting playing back on the last question that you asked around what we have been doing for a long time that doesn't seem to be working. I feel like fear, uncertainty, and doubt have been used for a long time to scare boards into parting with more money and to scare staff into toeing the company line when it comes to processes and policies. And I think empathy can only be used as a core principle to cyber when there's a culture in the organization that lends itself to seeing security as a way of doing business. So, instead of fear, uncertainty, and doubt, we speak about things like hope, help, and inspiration. And I think they're interesting terms when you think about them through the lens of cyber. We really need to be sharing stories of people who've learned from mistakes and people who have matured as a result. So often, we don't hear of organizations sharing their incidents internally, and even their near-misses, because they're worried that they’ll be ridiculed, they're worried that it will get out to the press. But if we're open internally within a business and create a safe environment for staff to hear about cyber attacks, then they'll come to learn the true potential impact of clicking on a link, and the true nature of the hard work the security team does every day. One of the key things for me is that cyber is a very thankless part of the organization. And the protection the security team provides often goes unseen. So, if we think about the words “hope, help, and inspiration,” I think all security leaders are inspirational. You consider the burnout they go through, the sleepless nights; there are not many other leaders who would consider what role the CISO is playing to ensure the business can operate each day. And so if you're looking for hope, help, and inspiration, look in the security team, because they're inspiring people; they turn up every day and they push that heavy barrel up the hill. As an organization, many businesses would not be alive today if we didn't have those security people there. So, let's have a culture in a business where security is a great way of doing business, and not look at being fearful that we might have a cyber attack, but look at the people who are helping us to remain resilient.
[27:01] Andra Zaharia: That is a beautiful way to round up this conversation and to inspire, hopefully, everyone who's listening on their own particular journey towards maturity, like you just mentioned. I think that it is a maturing experience to educate yourself in what cybersecurity does and what it looks like. Whatever angle you're coming at it from, it really doesn't matter. I think that there's a path for anyone who wants to learn and who wants to use these concepts in whatever it is that they're doing. And I hope and I know that they will find lots of inspiration themselves in your words and in your experience. And I hope that they use this kind of window into your work and your perspective to explore all of your work, your books, and the podcasts, and so many other useful resources that you've created for the community. So, thank you so much, Claire. This has been absolutely incredible.
[28:00] Claire Pales: Thank you. And thank you for this podcast because I think using empathy as a tool and as a way of thinking about cybersecurity is something that not enough people are doing. So, thank you for having me, but thank you for the work you're doing too.