Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist, vArmour
Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist, vArmour, and a member of the Black Hat Executive Summit advisory board, spoke with summit co-host Brian Gillooly about the takeaways that C-level attendees will get from the event, including the opportunity to discuss cybersecurity risk with business and technology leaders. Weatherford says few companies treat cybersecurity as the business risk it has become, and he explains how that should change. He also provides some details from his own session on cybersecurity insurance, and how an upheaval in the industry means that, right away, executives need to better understand the impact of the changing dynamics.
Brian Gillooly, Co-Host, Black Hat Executive Summit: Mark, as a member of the Black Hat Executive Summit Advisory Board, what do you see as some of the primary reasons C-level executives other than those focused solely on security, like CISOs, should attend the summit?
Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist, vArmour: Well, this is something I talk about around the country, and that is, security is not just a CISO issue. For too long, people in most organizations were taught that security problems got tossed over the fence to the CISO, because this was an IT thing that the CISO dealt with. Security is a shared responsibility. It’s the responsibility of everyone in the organization. And I think the biggest influencer is the CEO. It sounds obvious, but it’s not in many, even most, instances. The CEO sets the tone for a variety of issues, whether it’s safety or ethics or security, and if the CEO embraces it and evangelizes it, then everyone else in the company will get it. We’re starting to see the CEO saying that cybersecurity is one of the risks that they need to be paying attention to now. They, and the boards, understand financial risk, and competitive risk, and regulatory risk. Cybersecurity is just another one of those risks. That’s why it’s important for other people inside the executive suite to attend an event like this, because they see security on a different plane: It’s not a technology issue, it’s a business issue that they need to be paying attention to.
Gillooly: To that point, when you talk to C-level executives in your role at The Chertoff Group, do you feel there’s a reluctance for those execs to embrace cybersecurity for some reason?
Weatherford: I don’t know if it’s a reluctance. The way I talk to people about it is – OK, cybersecurity; it sounds scary, it sounds foreign. It’s not that they’re reluctant, it’s that they’re scared of it. It’s far too technical for them to understand. They push it off to let someone else who may in fact understand it make it their issue. So the conversation I have with CEOs is, listen, you don’t understand the weather, either, but you have to worry about weather risk. You don’t fully understand the regulatory issues, but you have to deal with them. This [cybersecurity risk] is exactly one of those things. You have to hire somebody competent to handle this piece of the business. You just have to be able to ask the right kind of questions, which is much less difficult than understanding the scary side of cybersecurity. So, I don’t think it’s a reluctance, I think people are just afraid of it. Many of us in the security business, probably myself at some point in my career but certainly not today, used that fear, uncertainty and doubt to advance our agenda, but we are past that now. We as security executives need to be addressing this as a business risk, not as a technical security risk. If we [security executives] want a seat at the table, we need to act like executives and focus on the business. We’re getting better, but we still have a long way to go.
Gillooly: Regarding that, with all these C-level execs in the same room at this event, what can they learn from each other?
Weatherford: The speakers at this event are the ones that have made that transition [to a more business-like approach], and have earned a seat at the table. So they’re able to have a dialogue that executives can understand and aren’t intimidated by.
Gillooly: What lasting message do you hope the attendees get from this event?
Weatherford: The lasting message is that security is part of the business going forward. It’s not something you’re going to address once a quarter or in your annual business meeting; this is something that needs to be on the CEO’s weekly agenda. It needs to be something that somebody is tracking on a very regular basis as part of the normal course of business. Just as in the weekly meeting the CFO gives an update and general counsel gives a status check, there needs to be a status check on security and privacy.
Gillooly: In your session, ‘Cyber Insurance: Risks, Rewards, and Outcomes’ from 1:00 to 1:45 on Dec. 9, you and your fellow panelists will be talking about cyber insurance, which is a topic perfectly suited for this kind of audience. What issues will you address?
Weatherford: What I want people to get from our cyber insurance panel is that people have been reluctant to buy cybersecurity insurance because they haven’t really understood yet what goes into buying it. And that market has evolved. The takeaway for them will be that, not only is the market evolving, but buying a policy on an annual basis has become rather static. People need to be thinking proactively, 12, 24, 36 months down the road, that how they buy cyber insurance is going to be different. Because of the dynamic nature of threats and vulnerabilities, buying a static annual policy is probably going to change, because the risk posture of most companies changes on a daily basis. And I personally believe that insurers and underwriters are going to go, ‘Holy cow, we can’t write a policy on January 1 and not revisit that until January 1 of next year,’ because of the ups and downs and dynamic nature of the threat landscape. The risk posture of companies is changing every single day. There’s going to be some level of evolution of insurance in how you pay for that. So they’ll tell customers, you either need to pay me more for this additional new risk, or you need to prove to me that you’ve mitigated this new threat to maintain some status quo in your insurance.