August 24, 2020

Last Updated on January 15, 2024

One of the traditions on The Virtual CISO Podcast is asking our guests to name a real person or fictional character whom they feel would make a great or not-so-great CISO, and why. Almost every one of the answers has opened up new considerations and questions about the evolving CISO role.

Among the most eye-opening responses so far came from Daniel Cuthbert, who is a project leader and co-author for the Open Web Application Security Project (OWASP)’s Application Security Verification Standard (ASVS).

Asked by host John Verry, Pivot Point Security’s CISO and Managing Partner, to name “… an amazing or horrible CISO,” Daniel replied: “Indiana Jones.”

Here’s Daniel’s explanation: “I think the Indy character would make an amazing CISO because they are naturally curious and don’t mind taking risks—something CISOs traditionally have been afraid of doing; and also understanding there’s a big world out there and you can go explore, and sometimes it’s not bad. I think the CISO world is definitely changing.”

John replies that most people view CISOs as serving a risk management function, hence CISOs tend to focus on mitigating or reducing risk—not embracing risk.

Daniel’s thought-provoking answer is: “There was always that thing when I started, you were either techie or you’re management. I’m a very technical cybersecurity director, so the roles have blended, but traditionally CISOs come from a risk management thing, which means nervous Nellies, right?

“But if we look at modern businesses, unfortunately security is always the one saying no. Security is always the one that’s stopping business moving. And what I’ve learned is that’s the worst thing you can do, because businesses will move past security.

“And I think that’s where the modern CISO for me is someone who still understands the risks, but can also understand that the business needs to grow, it needs to evolve. We are in the most amazing time right now. Yes, this virus is awful and it scares the crap out of me, but it’s doing one thing that I’ve tried to do for nearly two decades. We’re now seeing the fact that we built networks like old castles, where everything was on-prem, as a pretty crap decision.

“We’re now seeing that, ‘Hey, remote working with access to it in a secure way at times of global crisis has to happen.’ And it’s taken this, where people are now going, ‘Okay, maybe yeah, we should actually allow people to do this.’ And I think that’s where CISO will change in the future, where they’re going to go, ‘Do you know what? Yes, let’s do it, but let’s look at ways of making sure it’s secure.’ Not, ‘No, we’re not doing it because the risks are too high.’”
To listen to our outstanding episode of The Virtual CISO Podcast with Daniel Cuthbert all the way through, click here. If you don’t use Apple Podcasts, you can find all the episodes from The Virtual CISO Podcast here.
