This month I celebrate my 7th anniversary as a board member of Zscaler. Holding this post and the advisor role has been a great honor and has led to countless occasions where I share my stories about secure agility and digital business innovation.
A great example was the recent CXO Summit in New York City, where I interviewed Larry Biagini, a chief technology evangelist at Zscaler. His pioneering work at GE is a beacon in the industry for any leader pursuing digital transformation. While we could’ve talked about any dimension of network and security architectures ad nauseam, we focused on enabling technology leaders to effectively communicate to the organizational committee that needs to hear it most: the board of directors.
First, we set the context for the audience by explaining why we are, in essence, disciples of zero trust and proponents of Zscaler (see links at the end of the article).
Until recently, board involvement with cybersecurity matters and IT infrastructure risks typically required a trigger, such as an incident like a breach or a disaster recovery, an M&A, or simply a review of the CIO’s annual budget. For Larry, it was when he was appointed Chief Digital Risk officer at GE. Leaders at the conglomerate noticed how security seemed to be a major hurdle for businesses to do business. “We had to get security out of the target area of the business and make it almost invisible, but we still had a job to do,” he recalled. It was time to engage the board.
Digitalization risk 101
Each board is unique, but they share something in common regarding risk: they understand things like credit, operational, and global risk. On the flip side, they rarely understand the risks associated with IT and digitalization. Larry recounts his first board meeting, where the first problem was how information was packaged to board members.
“I was forced to present what the previous CISO presented—a stoplight chart, red, yellow, green. I was so embarrassed to present that because I didn't believe in it….So one of the green lights was that we had DLP on all our devices. 99.9%. I said, ‘The reason I don't believe this one is because I don't know how many devices I have, so I can't get a percentage without a denominator.’”
Larry pointed out that we're playing a game on a field with no boundaries and no goal line. “You can't go over and declare winning. The only thing you could be happy about is if you don't lose or if you do lose that you don't get crushed when you lose,” he said.
As perilous sounding as this is for the CISO and the board, the way to overcome it is to mutually come to terms with what to worry about and focus on.
Back then and today, GE consists of many disparate business units, so they collaborate with leaders of each to limit and define their crown jewels like intellectual property and isolate top threats. Then Larry and his best people solved everything that made it into the pile. Trying to protect everything is not only impractical but not necessary.
“By getting the board to ask the questions of the businesses and turn it around to my group, we could focus on what mattered. And it turned out that the only way to do what we needed to do for the business was stop trying to protect everything and put our best resources into protecting what mattered. Because protecting everything was a fool's game,” according to Larry. “Once you embrace that, you realize you must have a different architecture.”
I agreed with Larry on this sentiment and said that different parts of the risk surface area were more critical than others. From there, the board is ready to understand the architecture that would best mitigate the risks associated with the most important things.
Entrusting the resilience of the internet takes time
Persuading a board to invest differently in underlying IT architecture means shifting perspective in the framework of a risk-cost-benefit analysis. It can take over a year and a half or more, but the exercise yields transparency of facts that you can assemble and integrate to support complex decisions.
“That's not the way they [board members] were born; that's not the way they were raised. That's not the experience they had. So making them uncomfortable enough to talk about it is the biggest thing that I was able to accomplish,” said Larry.
In ’97, while at Merrill Lynch, I worked on the Global Business Network (GBN) project. Three times we asked the Executive Management Committee for $250 million to rebuild the network, but they didn’t agree to fund it. Leadership put me in charge of running networks in late 2001, and the first thing I looked at was how much we were spending on them. It was roughly $150 million a year of capital. My team decided to deploy the GBN Architecture by redirecting the budget to only buy the standard architecture for the core network, and to add an internet-centric overlay network as a backup ready for the future.
With security as the focal point, Larry also had to get creative. He explained that rationalizing the critical assets that mattered at GE took a couple of rounds. He had to frame the risk in terms that everyone could understand, so he picked a dollar value threshold for negative impact. What started as generic items, e.g., intellectual property, business continuity, etc., were too broad. All intellectual property doesn’t have the same value or risk profile, so he went through multiple iterations to dwindle the assets to an acceptable number.
“We separated those things from the rest of the company, completely making them almost unusable…but since they were so valuable and by design should only be available to a select few, it was an appropriate design for the perceived risk.” At this point, GE started taking users off their internal network and provisioned direct app-to-user access, boosting the quality of the overall digital experience, all with the blessings of the board. To be clear, this is not complete to my knowledge, but since this is not a journey that happens overnight or without disruption, that’s not unexpected.
The art and science of return on security spend
What Larry did at GE was offer new enterprise capabilities that the company could include inside each business unit. Since addressing the intrinsic risks that exist inside each unit was initially outside the reach of his team (e.g., risks of healthcare equipment failure), they had to tally them all up. They assessed the digital risk component of each, which paved the way for buy-in. The transformation becomes a business initiative instead of an enterprise initiative. In turn, he saw new tributaries of funding to support the project.
I explained that frequently a CISO comes to the board with their portfolio of projects they think are the highest priority, but they need to present it in the context of the total threat landscape that they're dealing with. The board thinks they’re investing, say, $100 million in security, and then they can't understand why the investment may not result in not being breached.
By modeling the financials and risks correctly and laying out the worst-case scenarios in a manner that helps to prioritize, you help boards understand the probability and the likelihood of something happening and how bad it will be if it does. Stack ranking risks and threats and explaining them that way is a good way of communicating the realities of how much of the risk surface area the proposed budget can cover (and what it does not).
“Tie it into the numbers, tie it into what they understand, which is risk, dollars, speed, and business value,” advises Larry.
By adopting a fully zero trust architecture, there are many other aspects to think about. Your network architecture is one thing. The end-user experience is another, as in how you handle permissions and entitlements. But by going down that path, you're essentially buying a ton of agility for your business and massively improving your risk scoring with the board.
What to read next
Larry Biagini, Zscaler | CUBEConversation, October, 2019
Challenge Everything, Trust Nothing: What Boards Should Know About Zero Trust