CyberWire Daily - Solution Spotlight: Simone Petrella talking with Lee Parrish, CISO of Newell Brands, about his book and security relationship management. [Special Edition]
Episode Date: August 13, 2024. On this Solution Spotlight, guest Lee Parrish, author and CISO at Newell Brands, joins N2K President Simone Petrella to discuss his book "The Shortest Hour: An Applied Approach to Boardroom Governance of Cyber Security" and security relationship management.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to this N2K CyberWire special edition. In today's Solution Spotlight, N2K President Simone Petrella speaks with Lee Parrish, CISO of Newell Brands, about his book, The Shortest Hour, an applied approach to boardroom governance of cybersecurity.
Here's their conversation.
Good afternoon. Welcome to Solution Spotlights,
where we talk about some of the most innovative strategies
shaping the future of cybersecurity leadership.
And today I am joined by Lee Parrish, CISO of Newell Brands
and author of a recently published book, The Shortest Hour.
Thanks for joining today, Lee.
Not at all. It's my pleasure. Thank you for having me.
Well, to start us off, I was hoping you could tell us a little bit about your leadership philosophy when it comes to building cybersecurity programs throughout your career and now at Newell Brands.
Certainly. I've been doing this for about 23, 24 years now. And I think if there's one consistent theme across all of the companies
I've worked for and the strategies that I've built, it's been a focus, a hyper focus on
the people, the people aspect of the cybersecurity program.
So one thing I mention a lot to people, and I mention it in the book as well, is as CISOs,
we all have the same access to technology as every other CISO.
The security vendors are not selling to some of us and not others.
I mean, we're all on a level playing field.
And when it comes to processes and policy and things like that, again, we're all on the same landscape.
Nobody has an edge in that area.
We have access to research firms, analysts, frameworks, cybersecurity frameworks, all kinds of things.
We can get policy templates.
So, again, we're on an equal playing field. The true differentiator in a cybersecurity program
then lies in its people. And as a result of that, I spend a lot of time selecting the right people,
selecting people who are curious and people who like to dive into unintended use cases for technology and things like that,
people who are curious. And then once they're on board, you know, just supporting them as best as
I can. You know, it's all about, you know, making sure they're engaged, they're doing the work that
they find challenging and not just looking at a screen all day and just being nice.
So that's what I've been doing consistently over my career.
And that always resonates with me
as a recovering consultant
where we focus so much on people processing technology.
And I'm a huge advocate
that people are kind of truly the long pole in that tent.
And the companies that you've worked with
or the organizations that you advise, obviously the budget and the sophistication of some of those
enterprises can be very different. And so when it comes to selecting people, what's that consistent
thread that you have maybe leveraged throughout that journey to focus on the people? Because I'm
sure there have been organizations where you have unlimited operating budget to actually spend on salaries and you can kind of build the best or buy the best, but then
what happens when you're just looking for that curiosity and fostering them? Or is it a balance
between the two and it's been that way no matter what organization you've supported?
Yeah, I think there's always a challenge in bringing on new folks, getting the budget and things like that.
For small to mid-cap companies, maybe the budget's not there.
For large enterprises, they're certainly not just an open checkbook, but they scrutinize the spend as well.
So what you want to do is make sure that when you do get the funding for that, you fill that share with the most optimal resource that you can find. And I know
there's debates in social media and professional networks where they say,
there's a shortage of cybersecurity experts, or some say, no, there's not as, you know,
there's all kinds of people applying for cybersecurity jobs. Um, what I've seen in my
career and recently in the last 10 years is the, the resumes that come across my desk are usually
people who have one to three years of experience. And so, um, if a CISO has a strategy to fill, let's say, 15 roles in their
cybersecurity program, and their strategy is, I want to fill these with people who have
eight to 10 years of experience, that may not be realistic, not in today's environment,
unless you're willing to pay over market for those folks and have them work remote 100% of the time,
pay them an exorbitant amount of money above comp ranges.
You're not going to find those people.
So what I've done is I seed the team with three, four cybersecurity experts,
people who have that level of experience.
And then the rest of the team I fill with people who are, maybe they don't have a lot of experience in cybersecurity. Maybe they don't have any
experience in cybersecurity. Maybe they came from IT or something like that.
But it's all about, you know, professionalism, the personality, you know, that curiosity is something that I continually look for in people.
People who are willing to engage and build relationships is important to me.
We're an extension of the business.
We enable the business.
So as a result, we have to work with the business.
And if we have people who are resistant to building relationships and just want to work kind of off on their own, that typically doesn't work too well.
So I look for people who have high personalities, very curious about things, and they inject into the team.
The experts will provide them experience and lessons learned from a career
of doing this. But the young, new in their career, cybersecurity people, they can challenge,
you know, what has been done before and ask questions. Well, why do we do it that way?
You know, and it kind of in the middle there brings out a lot of good innovation. So that's what
I found. Yeah. I think one of the most operative words that I just picked up on that you said is
the idea of having a strategy to begin with. And I know from personal experience, I've worked with
a number of colleagues and companies where the strategy is more just, you know, we have this
many openings and let's fill them as quickly as possible. And there hasn't been that thought put into, is it a team of eight to 10 years of
experience with a high salary cap? Or is it something that we're going to kind of round out
with smaller ones? What do you think, I guess my first question is like, why is it so hard for us
as an industry to kind of like wrap our heads around that strategy. Rick Howard and
I call it kind of like the money ball approach, right? If you're like building a team, you have
to sort of think about the constraints of the budget you have and then what are you going to
build and how do you think about those positions and those players before you actually start putting
people on the ground. But why has that been so hard for us? And my second kind of corollary to
that is what are some of your recommendations to,
you know, your peers and those coming up in the field to maybe integrate that into more of their
own program development strategies across cybersecurity? You know, it is a challenge.
I think that a lot of times, I think it's much better now than it was in the past.
In the past, most of, I will say many of the security leadership were comprised of people who were very technical
and didn't have a lot of business acumen.
They were hands on keyboard.
And when the need arose for someone to take a CISO role, the logical
selection was somebody who's been involved in it. And that usually was a technical person.
Even then, people understood what business was. They understood finance and maybe they could even
read a balance sheet or things like that. But when I talk about business skills, I'm talking at the same level as your peer leaders.
So the same level of experience in finance and strategy and operations as your peer executives would have. a glancing understanding of business, but a deep-seated expertise, not expertise, a deep-seated
knowledge of finance and all of those other business domains is critical. So I think that
kind of was the issue before. I think a lot of times as CISOs, we jump into something,
we're given budget and we're saying, okay, what do we want to do? And let's go, go forward and build this. Um, that's not the time to actually think about that. You
should be thinking about that before you get the money and before you even start talking to vendors
or before you even do an interview. Um, the, the analogy that I use quite a bit is, um, when you
go into a car dealership to purchase a car, you don't walk on the lot and say, show me everything.
I want to see SUVs. I want to see electric cars. I want to see compact cars. I want to see sports
cars. I want to see electric vehicles. No, you already have an understanding of some of the
models that you want to see. And you probably have an understanding of the price range you're
probably going to pay. It's the same thing for cybersecurity. You should already know
what it is that you want, who you're going to talk to, and kind of sort of know how much you're going to pay.
As far as the people aspect goes, I would say one of the things that I like to do is to make a quad chart.
And in the top right corner would be things that we absolutely need in our cybersecurity program from an expertise perspective.
And then it also means at that level where we have gaps.
So for instance, if we need threat intelligence, let's say, we have a high need for threat
intelligence in our organization.
And currently on our team, we don't have any resources that have that level of threat intelligence.
That falls in that top right corner.
But in the bottom left corner,
if it's a nice to have kind of skill
that we're looking for
and we already have people that have that,
I'm not going to focus on hiring for those roles.
I'm going to prioritize on the roles
where we have a gap in the skill set on our
current team and we have a high need for that skill. So that's kind of the way that I've done
it. And then I meet with, before I even give the strategy to the CEO, what I'll do is I'll go to
each of the individual leaders. Like I'll go to the CFO and talk about budget and I'll go to the
CIO and I'll talk about technology and I'll talk about how the security solutions I'm proposing may interoperate with what's already in the environment. you know, what level of expertise we're looking for.
Geographically, where are we going to place those individuals that make sense in the overall program?
It's like a chess match.
You know, you just want to make sure that the whole strategy fits together.
And you don't want to have people on the team that have all the same skill sets.
You don't want a bunch of people who are really good at threat intelligence,
and then they don't understand other domains within cybersecurity.
We'll be right back.
It really hits on another theme that obviously is part of what you implement in your own leadership roles, but also is in your book that is,
I know, geared towards independent directors,
but probably just as helpful for existing CISOs.
And it's that kind of theme concept around security relationship management.
How do you build a relationship with your peer executives,
other stakeholders in the organizations?
And your examples just really illustrated
how important that is.
But that must, that takes a lot of time and effort. Can you walk through what, like maybe some,
you know, examples or stories of just like how you kind of learn to navigate those waters and
maybe some things that you've learned that have helped grease the skids when it comes to that
relationship building and management as you
then build and execute on your cybersecurity program? Yeah, it started whenever I first got
into cybersecurity. So this was back in the late 90s, early 2000. I was awarded a position as a CISO at a company. And I was very excited. And so I reached out to peers in
the area who were CISOs. I was trying to garner some information on some tips and best practices
and things like that that I could incorporate into my new role. And there was one person who was very nice and set up a day worth of discussions and things like that.
So I went to his office and introduced myself.
And we started talking about the role of the CISO and how it's so important.
And we walked around the office and we ran into the vice president of corporate security. So the physical
security. And he introduced me to that vice president. And we talked for a minute about
how important cybersecurity was. And then my host said, actually, I don't think we've ever met in
person. My name's so-and-so. And I was kind of taken aback a little bit. And then we met the CFO.
Same thing happened.
It was, we've not met.
My name is so-and-so.
And I thought to myself, how can somebody be effective in this role and not have a strong relationship?
Now, it's gotten a lot better over the years.
This was 23 years ago, 24 years ago.
But it planted a seed in me.
And I thought to myself, if I'm going to do this and
do it right, I need to build relationships across the business. And so at that time, I said, I'm
going to go and get an MBA degree. And whenever I was telling my friends about it, they asked,
are you getting out of security? And I said, no, I'm getting an MBA so I can do security better.
I need to speak the vernacular.
I need to understand what's important to them.
So that was the initial seeds that started.
And then over time, it culminated into a very structured program that I call security relationship management.
And that is tracking my relationships
across the company and externally as well to make sure that I'm nurturing those relationships and
I'm giving them the time that they need to be effective. You know, we spend so much time
with relationship building and personal in our personal lives. We don't tend to track those too
much. I mean, with our spouses and our partners and our children and, you know, members of church or our pets even, you know, you don't really need to track a lot of that stuff.
It's just, you know, natural.
But as you move into the corporate world and there's hundreds and hundreds and thousands of different relationships, if you're not tracking those and understanding the key
stakeholders and the interactions that you have with those folks, you're not going to be successful.
So that's kind of the genesis of security relationship management.
It's an incredible story and I can speak firsthand. I've spent a lot of time kind of
brokering, I'd say the translation role between kind of security leaders and then HR in
particular when it comes to people and how to identify those priorities, everything else. And
it definitely requires a level of nuance. And I don't think it's only the responsibility of
those of us who are on the security side. I think there's kind of that executive responsibility for
all those other stakeholders in an organization to kind of think about how
security impacts what they do as well. And I say that to pivot into what inspired you to write this
book, because if I have it correct, really the shortest hour is meant to help inform new directors
on boards to understand how they can actually, you know, conduct and not only ask
the right questions as they execute cybersecurity oversight, but also understand enough to make,
you know, some real actionable decisions out of that and evaluate where things are. So,
can you talk to me a little bit about what, you know, what inspired you and what are some of the
things that you hope directors who have an opportunity to read this take away from it? Yeah, absolutely.
I was, I was blessed very early on in my career, uh, where I was surrounded by leaders who were
very engaging and they wanted me to participate and they gave me invitations, uh, to participate.
I realized that a lot of listeners who are CISOs may not have that
same level of support and they have to fight their way in. So I do realize that I was very
blessed early on. And throughout my career, again, I've been extremely blessed. And every company
I've worked for, there was an opportunity for me to present to
senior leaders and to the board of directors and to committees as well in an, um, unfiltered way
to be able to explain risk and, and not be, um, toned down by, by leaders and things. Well,
don't say that, you know, they, they were very open. So that's the baseline. I mean, if you don't have that, the game is over.
But very early on, I was interacting with some very, very serious people on different boards.
So it was retired admirals and generals from the military.
It was CEOs of Fortune 10, Fortune 100 companies.
Not an intimidating bunch at all.
Not at all. And there was a White House chief of staff, a U.S. presidential candidate,
all of these different folks in my very first time working with the board. So I learned very quickly.
And it was really nice to be able to have that experience. And then as I moved throughout my career, I had experiences with working with the board, not just in a presentation format, but actually like one-on-one.
To be able to fly to a location and meet with a new director who's coming on board and giving them an overview of the cybersecurity program and what to expect.
I've been asked to assist in special projects for the board that required a lot of confidentiality and things like that.
I've been able to work very closely with the chairpersons of the committees in which I've reported to.
So access and then that deep relationship has
really helped. And so, you know, about three years ago, two and a half years ago, I was thinking,
you know, it would be nice to kind of give back to the industry and kind of talk about
my experiences with working with boards, as well as I've seen an opportunity with how boards are providing oversight to cybersecurity programs specifically.
It's a systemic risk.
It always falls on either number one or number two on the enterprise risk management programs
for every company I've been a part of and certainly probably for the ones of your listeners.
And then I looked at my experiences,
and I know they vary because of surveys and things like that.
And other CISOs may say,
no, I speak for an hour every month.
Others will say, no, I don't speak at all
except for one supplemental presentation
I put in the documentation.
So I just kind of took an
average and I said, well, it's about 15 minutes then. If it's 15 minutes a quarter speaking to
the audit committee or the technology committee or something like that, and there's four quarters
in a year, that's an hour. So that's the shortest hour. I believe that one hour a year is not enough
time to talk about something as critical as cybersecurity.
And so I started writing.
And as I was writing, the SEC proposed some regulations about disclosure.
And I thought, wow, this is really timing out to be really good because that's what I'm talking about.
And December of last year, I finished the book.
It was published by Taylor & Francis with CRC Press.
And I went through the editing process and it just launched last week.
So it's been a great journey.
I really enjoyed doing it.
And hopefully people will enjoy it and provide good feedback.
You brought up the SEC, so I have to ask.
And I am notorious for going
off of my own script, so I apologize in advance. But, you know, what is, you know, having been
in these roles for the majority of your career and seeing what the SEC is coming out with as
far as disclosure, you know, of material breaches, of which there's a lot of questions around what
that definition of materiality really is, but then that coupled with, you know, annual filings and the requirement to
kind of report on the maturity of cybersecurity programs. Where do you fall on the spectrum of,
you know, is this good for us as an industry? Is this hampering because it's putting too much,
you know, handcuffs or potentially scapegoating those of us that have been in cybersecurity and
trying to, you know, be right all of the time when it's impossible? What's your take?
Yeah, I think, you know, there's always been some level of disclosure about cybersecurity.
Usually it's in the risk section of the 10K, and there's a little bit of a blurb about cybersecurity and the availability of
systems and the capability to deliver services and products to customers and the risk of an attack,
cyber attack. But the SEC, their regulations were more specific to disclosing the different,
more details than we've ever seen before. And so the analogy that I use
in the book is when I was in the eighth grade, I took a math class and we were taking just general
arithmetic and things like that. And then we got into fractions and division and things like that
about halfway through the year and we would turn in our homework. So we would do our homework and
we'd turn in the answers and we'd get our homework back graded. About halfway through the year,
we started getting into algebra, you know, pre-algebra and things like that. And so the
teacher, I'll never forget her. I can still see her face. She said, okay, for your homework now,
I want you to start showing your work. And of course, everybody groans and they're like, oh gosh, you know, so now it was not just enough to give the answer. You had to give,
you had to show how you came to that answer. And I think the SEC regulations are show me your work.
You know, it's, it's no longer enough to just say you have it, show me how, how you have it.
With that said, I think it's a, it's a positive step in the right direction.
There were some regulations that were dropped.
Some were enhanced and edited.
But I think it's a good step in the right direction.
I think because it's a new regulation, we're always going to see things out of the gate where we have issues with trying to define materiality.
I think corporations have structured programs to determine what is material and what is not.
But as it relates to cybersecurity, I still think there's some work to do. I think there's some
ambiguity around what a reasonable shareholder is. Is that me with buying 10 bucks worth of a stock or is it Warren Buffett? Who is a reasonable
stakeholder? But I think those will get straightened out. We're already seeing that.
Some people initially disclosed something and the SEC provided comments and stuff. So we're
working together as an industry. I think it's a very positive step. I think it could be better
though. To bring it full circle to where we started in
your concept of relationship management, all the more reason to not only look at the CFO
and the head of physical security and head of HR, but also your head of legal.
We're putting together these filings. I mean, that should be a non-starter anyway,
like that should be a given, but you know, if you didn't have a reason to do it before,
you certainly do now. Yeah. One of my deepest relationships across the board at every company I've worked for has been with general counsel.
Even my current company.
It's just a wonderful relationship.
You're talking a lot.
You're sharing ideas.
You really need that.
That's the one relationship that I think has been most beneficial for me
in my 10 years at CESA.
Well, Lee, thank you so much for taking some time
to share some of your experiences with us,
as well as some of the nuggets
out of your newly published book.
So congratulations on getting that out there.
It's really been an amazing thing to read
as I've started to delve into it.
And for those who have not had a chance, Lee, I'll let you give one last plug.
Where can someone go get a copy, their hands on a copy of The Shortest Hour?
Yeah, so it's available to all the favorite booksellers, Barnes & Noble, Amazon.
You can go to Taylor & Francis, Routledge.
It's all over the place.
But thank you for the support.
I really, really appreciate it. Great. Thank you.
Our thanks to Lee Parrish, Chief Information Security Officer of Newell Brands. His book
is titled The Shortest Hour, An Applied Approach to Boardroom Governance of Cybersecurity.
Lee Parrish spoke with N2K CyberWire's Simone Petrella.