Why CISOs should practice public speaking

by Black Hat Middle East and Africa

When you think of cybersecurity professionals, and especially CISOs, what skills spring to mind? What kind of experience does a strong security leader need? And how important do you think soft skills like interpersonal communication really are?

More and more cybersecurity folk are realising the importance of how they relate to the outside world. And it’s not easy. For many tech-minded individuals, it’s much less demanding to dive into complex IT engineering than it is to speak directly and clearly to people who don’t really understand what you’re working on.

But at Black Hat MEA 2022, Tim Brown (VP and CISO at SolarWinds) explained that one of the main reasons he didn’t lose his job after a major security breach was because he’s good at public speaking.

And all CISOs should take note of this lesson.

The SolarWinds breach

We know you’ve heard of it. The 2020 SolarWinds hack was one of the biggest breaches of the 21st century: a software supply chain compromise in which a trojanised update to SolarWinds’ Orion platform reached thousands of organisations worldwide, including government agencies. (SolarWinds itself estimated that up to 18,000 customers downloaded the tainted update, though far fewer were then actively targeted by the attackers.)

Brown was notified that compromised code may have been shipped on December 12th, 2020 – a Saturday. The malicious code had been inserted into the Orion build process months earlier, around March 2020, and the operation has since been attributed to the Russian state-sponsored group tracked by Microsoft as Nobelium.

“We essentially shut down development for six months on new features,” Brown said. “We had 400 engineers working on security alone, post-incident.”

But at BHMEA22 he didn’t want to go into the details of the breach – because those details are widely available online. Instead, he said, “I’m going to focus on what it was like.”

In the first days, “we learned as much as we could and fully committed all the resources we had. That meant the whole team.”

This happened to be deep in the COVID-19 pandemic, so the whole company was working remotely. Initially, they used their smartphones to communicate – but then they were notified that their email and collaboration apps had also been compromised in the breach. “So we couldn’t trust the way we were communicating, we had to shift to a different mechanism.” It is a pointed reminder that an incident response plan needs a pre-arranged out-of-band channel, because the attacker may be reading the channels you would normally use to coordinate the response.

“We know the code [the hackers] put in place was well crafted. They were extremely thoughtful, they weren’t wasting time, they weren’t creating noise in our environment or in our customers’ environment.”

“The whole model for them was how not to get discovered. Ship code, don’t get discovered, take advantage of what you ship, and get out.”

Acting as CISO when the world is watching

Everybody in the world with links to SolarWinds was trying to figure out if and how they were affected by the incident.

“We had involvement from the FBI very quickly. We engaged several third parties – DLA Piper and CrowdStrike, then additional partners as we went on.”

“The first days are really beyond intense. Everybody in the world is calling you. You’re getting calls from the governments of the world, you’re getting calls from agencies of the world, you’re getting calls from the largest customers in the world.”

Brown made a point to engage with large companies who’d been through similar breaches – to benefit from the wisdom of their experience. And he worked to create multiple streams for handling the pressures of the breach, including:

  • IT teams to investigate how the breach happened
  • Engineering teams to find out how the breach affected the organisation’s builds
  • Customer outreach teams to liaise with businesses that may (or may not) have been affected
  • Communications teams to distribute information to everyone who needed it
  • Legal teams to handle engagement with law enforcement

The global press jumped on the story. In the aftermath of a breach, “every word matters,” Brown said, “make sure every bit of information you’re putting out is accurate.”

But no matter how hard you work to put out accurate information, you have to be prepared for misinformation in the press. It’s inevitable.

“We weren’t patrolling and trying to fix press. We were focused on making sure the customers were in a good place, making sure we had help for them, putting programs together to help them.”

And when you recognise that the global media is an untamable beast, this is a solid strategy: tell the truth, look after your customers, and accept that untrue things will be published.

“You’ll get outnumbered. When the press of the world is after you, you can’t really do much.”

That doesn’t mean, however, that as a CISO you shouldn’t keep attempting to communicate clear, validated information.

“From a CISO perspective, going through this, we talk about being fired,” Brown said. “I gave myself a 50/50 chance of being there. If the general sentiment of the world was ‘hey, we have to have somebody to blame’, I knew that probably needed to be me.”

But in spite of that knowledge he continued to do everything within his power to drive the machine forwards and stay out in front of the breach and its fallout. And crucially, he added, “If I didn’t have the skills to do presentations and talk to people and take ownership of what was going on, then we would’ve had to replace me with somebody that did.”

There’s a hard lesson about soft skills for all CISOs. Make sure you’re building your ability to communicate, to speak in public, to stand on a stage and own your experience. Develop your capacity to explain what’s happening and how you’re handling it. Because if you don’t, you might help your organisation survive a major breach – but your job won’t be safe.
