Have you ever wished that there was some sort of Star-Trek universal translator device for communicating your department’s needs to the C-Suite?
Well, the technology isn’t quite there yet, but today’s guest offers the next best thing. John Sheridan, Co-Founder at Agency Performance Systems, joins the show to share the secrets to interdepartmental communication.
What we talked about:
- What your CFO cares about
- How to communicate risk from a business perspective
- Why you need to ditch the jargon and simplify your message
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:25):
Hey there, and welcome yet again, to another episode of the Virtual CISO Podcast, with you, as always, is John Verry, your host. And here with me today, as sort of always, or becoming always, Andrea VanSeveren. Good morning, Andrea.
Andrea VanSeveren (00:41):
Good morning. Hey John, hi everyone.
John Verry (00:43):
I almost said, Jeremy. But, maybe [inaudible 00:00:46] call you Jeremy 2.0, but you’re gonna have to be the new and improved version.
Andrea VanSeveren (00:51):
I shall try.
John Verry (00:53):
All right. What did you think my conversation with John Sheridan?
Andrea VanSeveren (00:56):
Well, it was nice to know, he also enjoys a good glass of wine. But other than that, I thought he gave some great advice, especially to IT managers looking to invest in security, and being able to show how that relates to the health, and profitability of the organization, instead of just looking at the direct spend itself.
John Verry (01:16):
Yeah, unfortunately, in our field, all too often, there’s a bit of a disconnect between folks like me, kind of the tech propeller heads, I consider myself a reformed propeller head, and the business folks, right? And I think it’s largely stems from the fact that we tend to talk different languages. We’re on the technical side, we tend to talk bits and bytes, use a lot of acronyms. And on the business side we’re talking usually, things like ROI, and balance sheets, and things of that nature.
John Verry (01:41):
I think what John did a really interesting job of communicating was the fact that there’s a place in the middle that we can easily communicate with each other, right? At the end of the day, both of us are trying to effectively manage risk. And if we take our conversations to a risk centric approach, and we talk about how these investments that I’m asking for are going to help you manage business risk, and as a CFO, or COO, being requested of hundreds of thousands of dollars, or $50,000, how do I understand what value prop, what’s my return on investment? How is that helping me manage that risk? How is that helping me grow my business? So, I thought he really gave us some great tips for whichever seat you’re sitting in, right? The technical seat, or the business seat.
Andrea VanSeveren (02:25):
Right. Yep. So, if you’re an IT director, who needs some advice on how to get, say, 100k investment from your CFO for a key project, or on the flip side, if you’re the CFO, and you need to understand, “Why is my CISO asking me for so much money?” John really gives a lot of great insights.
John Verry (02:41):
And just to be clear, that was John Sheridan, not me, right?
Andrea VanSeveren (02:45):
John Verry (02:46):
No, no, that was your cue to say, “No, John, I’m in both Johns.” Or, “No, John, you did a great job too.”
Andrea VanSeveren (02:53):
Of course, of course.
John Verry (02:56):
[crosstalk 00:02:56]. Too late. Let’s get to the episode.
Andrea VanSeveren (03:00):
John Verry (03:04):
Mr. Sheridan, good Friday afternoon to you. How are you today?
John Sheridan (03:08):
I’m well, I’m well, and you?
John Verry (03:11):
I’m heading from this podcast right out with my kids, and their significant others, to go to do some brewery hopping.
John Sheridan (03:19):
John Verry (03:19):
I am about an hour from being good.
John Sheridan (03:22):
John Verry (03:23):
I’ve got to grind through you for the next hour.
John Sheridan (03:27):
All right. All right.
John Verry (03:30):
So, always like to start the podcast on a very easy basis. Tell us a little bit about who you are, and what is it that you do every day?
John Sheridan (03:37):
Yeah, sure. My background is in business, and my original story after school was I was a manager, and leader of a company of various sizes, for many years. But about 15 years ago, I decided to hang out a shingle, start my own coaching and consulting firm. Been doing that for 15 years, and it’s something that I never really set out to do intentionally, but it kind of happened by accident, and I stumbled into it with great luck, and I’m super happy doing it.
John Verry (04:08):
And for the record, I would say you’re very good at it, and the fact that we’ve been your client for… I was trying to figure out how long we’ve been your client for. My email goes back seven years, so I know we’ve worked together seven years, but it feels longer than that.
John Sheridan (04:23):
I think it’s I think it’s 10 John, or maybe more. I’m not sure. You’re not my oldest client, but you’re up there.
John Verry (04:27):
You meant longest term client, not oldest client, right?
John Sheridan (04:30):
John Verry (04:30):
Everybody knows I’m 29. I’m mean, we’ve had this conversation.
John Sheridan (04:36):
Yeah, you’re right. I forgot.
John Verry (04:38):
Yeah, you started helping me when I was in high school, on my paper route.
John Sheridan (04:40):
That’s right. That’s the plan.
John Verry (04:42):
The other thing too, of course, is you wrote a book. You didn’t mention that.
John Sheridan (04:45):
Yeah, The Perfect Business came out a couple years ago, you can find it on Amazon. It’s geared toward the business owner who wants to understand how systems can really help them change their business, and their lives.
John Verry (04:55):
Yeah, and as just a little plug for the book, right? And a plug for working with you, one of things that I’ve always liked by working with you is you’re one of those people who breaks down complex concepts into very simple ideas, and then builds them as somebody’s ready to accomplish them.
John Sheridan (05:13):
John Verry (05:13):
You’ll talk about two levers when there’s five, because the person is not ready to get to… But when they’re ready for three, and four, and five, you’ll let them know. And I thought you did a good job in the book, having worked with you, and then read your book, it was kind of interesting, because I got a chance to see what you’d done with me in writing, which was kind of cool.
John Sheridan (05:31):
No, that’s great. I appreciate that feedback. Thank you.
John Verry (05:33):
So, we have a small tradition here. What’s your drink of choice?
John Sheridan (05:38):
So John, I’m a wine guy. All types. And my approach to wine is pretty simple. I never drink the same wine twice, and I have no favorite. I don’t care about the varietal, the producer, Old World, New World, doesn’t matter to me. My view is that if I drank every bottle in the wine shop that happens to be about 100 yards that way from me, I would never get through half of it in the rest of my life. So, with so much out there, there’s no reason to replicate. Also too, I don’t know if you’ve ever experienced this yourself, you have a great experience with a wine somewhere, somehow, you go to the trouble of hunting it down to have another bottle, and it’s not the same experience.
John Verry (06:18):
Yeah. It could be the food, it could be the food, it could be the location, it could be the particular bottle. Yeah, I’ve experienced that with not only bottles of wine, but even bottles of bourbon.
John Sheridan (06:27):
John Verry (06:27):
Especially when [inaudible 00:06:28] single barrel, what happens is, that is a single barrel. And you go back, and you’re like, “Oh, I want another bottle of this.” And it’s like, “This isn’t the same.” Well, yeah, it isn’t. It’s a different barrel.
John Sheridan (06:37):
[inaudible 00:06:37] Barrel, yeah.
John Verry (06:37):
So, I agree with you completely on the wines, and you are the exact opposite of my wife. And my wife is, “Oh, I like this wine, buy it every time.” And I’m the opposite. I’m like you, it’s like, “Let me just try a different wine every time I go in.”
John Sheridan (06:49):
Life is too short. There’s too many great things to be discovered out there.
John Verry (06:54):
Exactly, exactly. So, thank you for coming on today. And really, what I wanted to chat about is, you and I chat a lot, right? In the construct of you coaching us. And we talk very different languages, right? I’m an IT guy. I like to talk bits and bytes. You’re a business guy, a finance guy, you like to talk dollars, and EBITDA, and things of that nature.
John Verry (07:16):
And I think that that same challenge happens all the time inside of businesses, right? When you were the CFO of that construction company, I’m sure you had people coming to you, and they were talking a different language than you.
John Sheridan (07:27):
John Verry (07:27):
So, we see this in our industry where an organization might right now be saying, “Hey, I need to get ISO-27001 certified, I need to be CMC accredited.” We’re chatting with their IT Director, or infosec guy, and let’s say this is a 70,000, 100,000, $150,000 exercise. They’ve got to go get approval. They’ll work with us, they’ll say, “Yup, this is the plan, this is what we should do, and these are the guys we should do it with.”
John Verry (07:53):
And then there’s something goes on behind the scenes, and now they’re in the CFO’s office. So what I really want to talk about was, how should… So for somebody who’s listening to this, and they’ve got to go pitch that $100,000 deal, how do you successfully pitch a big ticket item like that to a CFO, or COO? What are they thinking? What’s the process?
John Sheridan (08:14):
Sure. Well, I think the things that I can talk about here apply not just to that large project, but just about anything that someone in those situations wants to get done in an organization. And that is, I think you have to understand a couple of really just key principles, probably the most important of which is this. People do things for their reasons, not for your reasons.
John Sheridan (08:40):
So, I think before you walk into that office, and you may be armed with all kinds of facts, and reasons that mean something to you. I think you have to stop first, and say to yourself, “My reasons don’t count. They really don’t care about my reasons. What are theirs?” And put yourself in their chair. Broaden the scope of what you have to worry about to theirs, or narrow it to theirs, whatever the case might be, and figure out, what’s their reasons? What do they care about? What are the consequences for them if things go right? What are the consequences if they go wrong? And then frame up your language, frame up your approach in their frame, not yours. So, I think that’s… That sounds a little abstract, John, but I think that’s really the at the root of influence, which is really what we’re talking about here. Does that make sense?
John Verry (09:34):
That makes sense. So, let’s drill that down a little bit. And in a weird way, that sounds an awful lot like the concept of marketing, right? We have a tendency to think of our product, and what we deliver from our perspective, instead of the customer’s perspective. So you’re saying, “Okay, the CFO is now my customer, and I’m pitching this project.” The challenge that marketing always has is, it’s hard if you’re not that person on the other side, to understand that customer profile. Right?
John Sheridan (09:57):
John Verry (09:57):
So let’s talk about the profile of a CFO, or COO. So, you’re saying, “Think like them.” Tell us a little bit about them, and what are the ways that they think, so we know how to communicate with them?
John Sheridan (10:10):
Sure. So, this may come as unwelcome news to some of your audience, but the CEO, CFO, they’re probably looking at any kind of spend, any kind of investment, with the first question is, “How does this help me find new customers, or keep my existing customers?” That’s about it, A. B, they’re probably also thinking that anything to do with the IT world is an expense, a necessary evil, something that is not revenue generating, and therefore doesn’t really deserve a heck of a lot of my time.
John Sheridan (10:46):
Yes, some will likely be, particularly given whatever experiences they might have had, they might be sensitive to the idea of risk management, of not letting bad things happen. But first and foremost, I think they’re looking at whatever spend it is and saying, “What am I getting back here? What am I getting for this? And do I really need to invest this?” The drive is to cut expense, not spend more, so what’s the justification?
John Sheridan (11:12):
And I think they’re trained, particularly CFOs are trained, to think in dollars and cents, not necessarily in more abstract terms, like risk, or quantifying those difficult to quantify things. Dollars and cents are easy to analyze, easy to understand, easy to argue about. But, it’s the things that are difficult to quantify that, because they’re so tough to quantify, don’t get discussed, don’t get considered with enough weight. Because if I can’t put a number on it, and all I think about is in terms of numbers, it’s the old classic, if all I have is a hammer, everything looks like a nail problem.
John Verry (11:53):
I think you’re right. I mean, I think that’s really what we see, is that, like, in a perfect world, we’d have actuarial tables, or we’d have exact calculations. “If you spend $100,000 on ISO-27001, you’re 12% less likely to be breached, and on average, and our breach would cost us 1.2 million, which gives you a $144,000 return on investment, and we’re going to gain three more customers with an average lifetime value of X. But it doesn’t exist. So, with that nuance, right? Is it really just going in with an idea of ROI? I mean, do you see like, if I was walking into you, and pitching it, should I try to calculate an ROI, or at least give you the data, so you can calculate ROI? What should I come in? How should I be prepared?
John Sheridan (12:38):
Oh, so I think, to the extent you can quantify anything, yes, you should quantify it. And if that means going to other parts of the business, and going into your VP of sales, your VP of marketing saying, “Hey, I don’t want to do this. But if I came in on Monday and said to you that I just got off the phone with our biggest customer, and they’re a little ticked because someone used our login to their system, and made off with a million records of their customer data.” What would you do? What would the consequences be?
John Sheridan (13:05):
And after they get done shaking a little bit, maybe you could imagine the lost sales. Right? I think beyond that, John, though, the things that can’t be quantified, I think you can ask some great questions. Like, “Mr. CFO, what kind of risk are you comfortable with? I mean, if I came in here and told you that we had a breach, what are the consequences? Are you going to go to the boss? Am I? Do you want to have that conversation? What’s the impact of that on the organization?” Because I think it’s beyond just, “Hey, what are the odds of this happening?” It’s, “If it does happen, what is the magnitude of the consequence? Is this a showstopper?” Right.
John Verry (13:48):
Gotcha. So, it sounds like there’s two sides to this conversation, right? So it sounds like there’s the value creation, like, what are you going to do? What is this going to allow us to do that we couldn’t do prior? Right? So, that might be winning new customers, bidding on different types of projects. Would you consider thought leadership, or being perceived better by clients as being part of that value creation?
John Sheridan (14:12):
Oh, absolutely. Sure. It depends on the industry, but I mean, being a leader in some of these areas could make it safe to buy from us. Right? It could become a competitive advantage in ways. And I think that’s collaboration with your marketing team, and a lot of times there are things that we do for our customers that are really incredible that we don’t sell to them, they don’t realize that we do it, they don’t get the benefit of unless we educate them on that.
John Verry (14:39):
That’s actually a really interesting idea that I hadn’t really thought about, is that… And it makes total sense, right? That if you were the infosec guy, or IT guy, that corralling other people, to support your argument, right? Because you’re right, the sales guy that is hearing from one out of every four customers, “Hey, do you have an ISO-27001 certification?” Or, “Tell me about your security story.” Or the fact that we’re leaning out, instead of leaning in, or we’re not answering those questions, or the marketing person that saying, “Wow, I’ve researched the market. We’d be the first person in our market to be able to say we’re doing this, which would give us a significant value proposition that other people don’t have.” So, that’s actually interesting, that idea of bringing other people from the organization to support your spend.
John Sheridan (15:30):
Yeah, it could come in the opposite way too, that, “Hey, Tom in sales tells me that the customers have been asking about this, and we cannot be late to this party. We do not want to be finding out too late that this is a table stakes requirement for getting an RFP, or something like that.”
John Sheridan (15:47):
I think also John, the bigger thing you bring up is quite important, which is, there’s more than one player involved in these decisions. Right? And so, an IT professional has to have some organizational savvy. They have to realize that political support is often a key to making decisions of this magnitude. So, getting marketing on board, getting sales on board, getting production on board, understanding the competitive environment, these are all things that, in addition to the personal relationships that need to happen, for all these things to be effective, are all part of this. It’s not just one meeting with the CFO, there’s a lot more going on behind the scenes.
John Verry (16:28):
I think it’s changing quite a bit. But in the old days, the IT guys were not well spoken necessarily, they were a little… Let’s say they didn’t have the highest the EIQs. I think that’s changed a lot in the last 10 to 15 years. So really, what you’re saying is almost it’s an EIQ issue, right? Is that you’re trying to be persuasive, you’re trying to sell an idea to management, and what you’ve got to do is you’ve got to rally the troops, harbor all this additional support, to make this compelling argument that’s going to be self evident.
John Sheridan (17:00):
I think you’re correct, I have observed that change, and I think sort of the cliche was, when learning about anyone in the IT, the highest compliment you can pay, or hear about somebody in that role was, “They don’t sound like someone from IT.” Right?
John Sheridan (17:16):
Which brings me to this idea of language, and when you’re managing up, choosing your words carefully, and choosing what words not to use carefully. In other words, leave jargon at the door. And that’s difficult, because it’s your day to day, right? It’s the world you live in. But it’s not the world that others live in, as you know. So, you have to be conscious about your word choice, conscious about how you’re describing things, telling stories, giving context, not going down rabbit holes, so that you have an audience that’s receptive.
John Verry (17:50):
Gotcha. So, that ties I think, as well into the concept of risk. So, it’s easier to pitch value creation side of the argument. Because it naturally translates into, I think more quantifiable, easily quantifiable numbers, right? Three more customers, maintaining 40% more customers, retention, whatever that might be.
John Verry (18:16):
On the risk side, risk is probability times impact, right? Both of those are fuzzy things. What would the impact be? How many clients would we lose? That’s a hard question to answer. We might not know that answer. What’s the probability that we’re going to get breached? What’s the probability we’re going to have an earthquake? Some stuff is actuarial table based, but most isn’t in our field. So, any thoughts on how communicating the risk side of the equation, what’s that language? Do we need to talk in the same impact criteria? How does a CFO, or a COO view risk differently than a infosec guy?
John Sheridan (18:57):
So, I think we have to remember, contrary to stories you might have heard, that CFOs are human beings, right? And we are wired for stories. So, I would say, what’s the great metaphor? And here we are, as we record this, John, a few weeks ago, we know there was a really bad winter storm in Texas, and one that was record breaking over long, long periods of time. I don’t know if it was ever recorded a colder event.
John Sheridan (19:26):
The consequences of which were the utilities were out of action for a week or so. Tremendously bad things happened, because in large part, they weren’t prepared. It was an event they thought would never happen, or maybe was so low risk, why bother investing [inaudible 00:19:43]? So, let’s tie that back in. “So, Bob, Mr. CFO, I was thinking about what happened in Texas last month, and I was thinking about our exposure. Do you think we ought to be a little more careful about what we’re doing?” And in other words, tie something that’s relatable into the risk, that is maybe not a number, but that is something that they can understand. “Oh, yeah. Probability low, impact, not acceptable risk.”
John Verry (20:13):
Okay. Yeah, I think that’s good guidance. I think, universally, and I would hate to be an insurance sales guy, because it’s the same thing. It’s like, it’s these things we don’t want to think about, and having to spend money to prevent something that we don’t think, or we certainly hope is never going to happen, is it feels wrong.
John Sheridan (20:38):
Yeah. And when you think about… I view it as analogous to insurance in many ways, right? There’s a range of possible outcomes, and there’s no such thing as 100%. But, I think, in that pitch, not so much telling, more asking. How do you feel about this potential outcome? Is this something that you would find acceptable if it happened?
John Verry (21:04):
John Sheridan (21:05):
John Verry (21:06):
Yeah, in a worst case, a lot of times, what we’ll do is we’ll say, “Look, get somebody to sign off on a risk.” It’s like, “Hey, my role in infosec director, is to is to identify risk. I’ve identified a risk, which to me looks like it would be unacceptable. You’re saying that you don’t want to fund it, which means you’re saying this risk is acceptable. Am I understanding that correctly? Hey, can you do me a favor? Will you shoot me an email that says that? Because I need to document that we considered this risk, and that you indicated that you didn’t want to mitigate said risk.” And I think sometimes you get a slightly different look when you ask someone to document something.
John Sheridan (21:43):
Oh, yeah. Yeah, that’s classic CYA, right? But so I think you’ve got to choose your tone and your language carefully when you pitch that, right? But I think if you set that up right, with like, “Okay.”
John Verry (21:58):
Well, that’s an interesting question. So, if you set it up as a… And that was going to ask you… My next question was going to be from other side, but is part of this that we need to put in place the right processes and systems ahead of time to deal with these issues, and to know that we know how to communicate with each other?
John Verry (22:13):
Like so in ISO-27001, as an example, you have this construct of a information security management team. And this governance of an ISMS committee being presented with data, and making a decision, and documenting those decisions is just, that’s the process.
John Sheridan (22:27):
John Verry (22:27):
And fundamentally, it’s a great process. It makes total sense, right? And so yeah, if I just walked in once, and for the only time, and said, “Well, you’re going to have to sign off on that.” Yeah, that might not fly, right? Especially if that guy signs your paycheck. But, if we’ve architected a process that we agree on is the best way to run our company, that kind of protects both of us, right?
John Sheridan (22:48):
Well, again, think about the consequences of not having that process, and something goes wrong, and the CEO asks the CFO, or the IT chief, whatever, “So what’s our process for this?” Well, there’s shrugs all around, heads roll. So, yeah, absolutely. Yeah. There’s no substitute for that. Not just for the butt coverage aspect of this that we’re kind of joking about. But, just from the practical standpoint of, these are consequences that we are going to face at some point or another. We know that bad things are going to happen, right? This is anticipated. But, without a process, there’s no discipline to address it in any kind of timely, or specific schedule, or in a specific way. It has to help.
John Verry (23:33):
So we talked about, I’m the IS guy walking in to you. So, let’s kind of reverse the table a little bit. You’re the CFO, COO sitting there, and that guy just walked in. And maybe, or maybe he didn’t pitch it in such a great way. Do you have any advice for a CFO, or COO? Maybe one who’s a little bit less technical, maybe a little bit less infosec oriented? He’s got a guy sitting there, making a plea for a lot of money, for something which sounds like we probably need this, but I can’t tell. What are some guidance for the CFO, COO, on the other side of the table?
John Sheridan (24:12):
So, I’m a little bit biased in this area. Maybe I’m a little more cognizant of the risks, because I’ve been on the receiving end of some bad IT circumstances in my career, going back many, many years. I had a backup fail. This is revealing my age. We had a server in our office to handle our stuff, which was backed up at corporate, ostensibly backed up at corporate, I came to learn. And things go down, I make some calls. “Yeah, we’re on it.” And then conspicuous silence for a few hours.
John Sheridan (24:45):
I do another call back, “What’s going on?” “Oh, yeah, don’t worry. We’ve got a backup. We take them off premises at night, for [inaudible 00:24:53].” “Great. Sounds good to me, check in tomorrow.” Tomorrow morning comes and goes, another phone call checking in.
John Sheridan (24:59):
“Well, yeah, he didn’t come in today.” “Who’s he?” “Bob, you know, the guy down the hall who’s in charge of it.” “Okay, fine. Can we…” And then now, red lights are flashing everywhere, right? Well, to make a long and painful story a little bit shorter, he shows up the next day, but for some unknown reason had erased the the tape, and written over it.
John Sheridan (25:24):
So, I had the pleasure of exposing a huge flaw in our entire corporation’s backup system. But the consequence of that was, your younger listeners are probably laughing at the antiquated technology. But, that’s not the point. It’s that I lost several days of work, I felt the pain. And so, I appreciate the value of a belt and suspenders approach to this idea of security, and reliability, et cetera.
John Sheridan (25:49):
But, I also know that I’ve wasted tons of money myself, frankly, over my career, on initiatives that just went south, went three, four, or five X over budget, way over time. And I think many others in my chair have a healthy skepticism about anything of this sort. Right? So, I say, embrace your skepticism, but ask great questions. I think that’s the answer, is there is no one thing to say, or do, other than ask great questions.
John Sheridan (26:21):
And including things like my generic ones, which are, “Okay, that sounds great. What are the top three things that are going to go wrong here?” Which is fundamentals of any kind of planning, anticipating obstacles. Right? And based upon the vendor’s experience, where is the vendor’s experience about what has gone wrong? The top three things. And what’s the plan to mitigate that?
John Sheridan (26:42):
Great, what are the next three? Okay, let’s uncover what those are. Let’s look at an implementation plan, it hasn’t been drawn up yet, because it’s not in the contract? Fine. Let’s look at someone else’s implementation plan. Really demonstrate to me that this has been thought through, and that the assumptions underlying this are reasonable. And never underestimate the pain involved with the change from a human standpoint. I think if you cover those bases, then I think you can get to a level of understanding, and making a sound judgment about the risk and reward, and the cost justification.
John Verry (27:18):
Is the value prop there, like are you thinking that you know enough to know when you look at the plan, and all of the underlying data, or is the value prop that you know that that person did their due diligence, so you feel like even if you don’t fully understand that you have a higher reason to believe that they do, and that it’s been well thought through?
John Sheridan (27:39):
Sure, yeah, all that, that’s going to just come back to my relationship, and my judgment of the person in front of me, and do I trust them? Which is based upon the track record of having worked with them. Having said that, though, I think most CFOs are on the more of the trust, but verify side of the equation. All right? Rather than just say, “Okay, you said so, so okay.” And they are typically detail oriented, and are willing, and enjoy digging into those details. And prove it to me, prove it to me, prove it to me. So be prepared, be prepared to prove it.
John Verry (28:16):
Gotcha. And going back to that same idea, as a CFO, COO, is your expectation that I’m bringing you an answer? Or is it that I’m bringing you choices, with one that I believe is the answer? And do you see the consideration of alternatives from the CFO COO side as being an important part of that due diligence process that you would do?
John Sheridan (28:41):
Yeah, because especially in an area where we’ve got a range of risks, right? A range of possible outcomes, I think there’s got to be a reasonable assortment of approaches to that. And I think that makes the decision easier, frankly, for a CFO, when they understand it. “Ah, here’s the range of possibilities. It’s evident the research has been done, it’s evident that there’s a plan that is appropriate for us, it’s just a question of choosing the right one.”
John Verry (29:08):
Yeah, because I mean, I do think your thought process is so true. I mean, the numbers are going to be off, but it’s like simple crazy, like 70% of major information technology, information security projects don’t fulfill the bulk of the objectives of the initiative, and like a third are abandoned. So like you said, you’ve wasted a lot of money. We do as an industry waste an inordinate amount of money. So I do think it’s really critical that you’re getting those alternatives, you’re getting those different choices, so that you can kind of see, “What are my options here? What’s the right value prop risk balance?” I guess, would be the right word.
John Sheridan (29:42):
Yeah. Yeah. And I think John, when you’re talking about, going back to the IT side of the table on this thing, there’s the vision that you talked about, the value add, as you describe. But I do think that the opposite is true, that the risks, the potential downfalls are also strong motivators to overcome whatever resistance you’re going to encounter in the C suite. So, you can build up the potential pain that could happen, you can build up the vision to overcome resistance. And then the other thing is to overcome resistance is educate. Right? Knock down the resistance.
John Verry (30:18):
So, that is an interesting question. Right? So, I think there’s a little bit of a knowledge issue on both sides, right? There’s the guys on my side of the fence, that are not business people. Right? There’s the guys on your sense of the table that are not technologists. How important, if you were coaching an infosec director, how important would you… Would you suggest that they do some basic education that’s going to assist them in communicating managing up? And vice versa, same question, if you were counseling a CFO, or COO, that had a large technical component to what they were doing, a lot of people reporting up through them, would you counsel them to get some knowledge education?
John Sheridan (31:01):
Sure, so on the IT professional side, what I would say is absolutely, because this is not, again, I think we mentioned earlier, this is not just about a particular project, this is about everything you do in your career, frankly. You’re going to be selling up, selling sideways, selling down. And the more effective you are at that, the faster your career will advance, the more effective you will be in your role, the more desirable you’re going to be to have on the team, the more valuable you’re going to be on the team. Right?
John Sheridan (31:28):
So, I think these things that I refer to as soft skills, or that’s the jargon around that, learning how to put yourself in the other person’s shoes, understand their reasons, understand their buttons that you can push that they’re sensitive about, put things in their context, ask great questions. These are all skills. And thinking through, just get a piece of paper out, and draw the org chart, and figure out who’s involved in this decision? Who’s going to be influencing? Who do I need to lobby, and get on my side? Who can be a champion? Who’s going to be the rock thrower? How do I disarm the rock thrower? Just five or 10 minutes of thinking this through can put you miles ahead of winning that game, not just in this case, but in everything that you do in the organization.
John Sheridan (32:12):
And I’ll flip over to the CFO side. How much time, effort should a CFO put into learning the technical side of thing? I would say kind of a similar approach for the CFO. I think it’s more about developing, and building people that you can trust, that is going to get you further along than trying to become an expert in a field that you’re never going to become an expert at. I think you’re going to get better results that way, then you will… And again, this is something that applies to everyone around you, not just those people in the IT department.
John Verry (32:46):
Gotcha. And I think the other thing too, that some of the better CFOs, or COOs that I’ve interacted with, they’re not scared to look stupid. Right? I literally had a guy once say to me early in my career, and put me in my place to be honest with you, he said, “Talk to me like a five year old.” He goes, “I’m not following you. Talk to me like I’m a five year old. Treat me like I’m stupid. And if I still don’t understand you, I’m not the stupid one in the conversation.”
John Sheridan (33:15):
That’s a great way to put it. Well listen, you were very fortunate to have someone like that to deal with. There are people who, their main motivator is not looking bad. Right? Depending on the politics of the organization, that may be the case. “I just want to be invisible. I don’t want to look bad.” But at the same time, they’re not humble enough to say, “I don’t understand.” And part of you being savvy is recognizing this, and going back to basics, even though they might put on the image that, oh, they know everything, they’re an expert, and maybe they have to sell that image to somebody else in the office. But, recognizing that for what it really is, and taking the time necessary to educate, can win the game.
John Verry (33:59):
I guess that goes on both sides of the fence. Right? We need that CFO, COO who’s willing to say, “Look, this is an important decision. I don’t think I’m following you. I don’t understand what homomorphic encryption is. Can you explain it to me in a way which, somebody that’s totally uneducated this area can…” And same thing on the other side, with the IT guy. If you’re talking about EBITDA, or impact on finances, the impact criteria you consider when looking at a risk based decision, educate me on that so that I can help you understand the risk I’m talking about, and frame it in the way you think about risk.
John Sheridan (34:35):
That’s a tremendous talent, right? If you can explain something this complex to a 12-year-old, that’s actually a very difficult thing to do.
John Verry (34:44):
John Sheridan (34:45):
But a very powerful thing to do.
John Verry (34:47):
I agree completely. So, you’ve spent a lot of time in a lot of different organizations. First, before you started coaching, and now as a coach, you have that experience of being in dozens of different companies every day, and you see good and bad. When you think through best in class organizations, if you will, do you see anybody that’s really good at this? And how did they get good at this, where you see the senior management team, and the infosec, and IT folks, where there’s this seamless interface, and they’re making these great decisions, because they’ve navigated the issues we’ve been talking about?
John Sheridan (35:25):
So, I can speak in terms of collaboration in general, and I think if it’s good there, it’s going to be good everywhere, right? And I think that goes to culture. Right? That’s really what we’re talking about. If there is an environment where people are comfortable with conflict, where communication is open, where everyone has a degree of humility, and there is trust, those are tremendously effective organizations. Now, that’s not like a checkbox one, two, three kind of an answer for you, John, but I think that’s really what’s at the root of it.
John Verry (35:59):
Gotcha. And that makes sense to me. That makes sense to me. Because like you said, because those people are the people that feel empowered to say, “I don’t understand.” Or [crosstalk 00:36:10] like, “Look, I made a mistake.” Or, “I don’t have that information that you asked me for. Apologies, I should have thought of that. Let me come back to you.” Versus blowing smoke up your butt, and making something up, because I can get away with it.
John Sheridan (36:24):
Yeah, and then there’s all kinds of potential… There’s political interference, there’s… The relationships are at the root of all these things. So, it’s what are the norms in the organization? What are the explicit norms about how we treat each other, how we behave? Do we have each other’s back? Are we accountable? Do we take ownership? Do we play the game above the line? In other words, it’s not to say bad things don’t happen. Are we comfortable with conflict? Are we comfortable with disagreement? Do we have a way to approach disagreement that doesn’t become political, or personal? That’s what really gets great results.
John Verry (36:54):
We beat this up pretty good. Any last thoughts?
John Sheridan (36:56):
No, I think I know… We ended up speaking a lot about sort of non technical things, but I think those are really important for the IT professional to really value, and same for the people in the financial office, too.
John Verry (37:12):
Yeah, I agree. You surprised me with your answers. I expected this to be more tactical, but hearing you talk about it as being an EIQ communications culture issue, at the end of the day, and I think you’re the one who says this all the time. Every problem in our organization is a people problem.
John Sheridan (37:35):
John Verry (37:38):
Exactly. If you trace it back. So, if we’re having a problem where we’re not making good decisions on managing risk, or making investments from an IT, or infosec perspective, it’s probably a people problem.
John Sheridan (37:54):
Yeah, that’s where most of the friction lies, if it does exist. Yeah. Systems are important. Don’t get me wrong, I make a living off of systems, right? But it’s the people that make the systems go.
John Verry (38:04):
Yeah, in fact, I don’t know if we ever talked about this. But, I saw a statistic the other day that… Not a statistic, a data point that I love. Charles Demings once said that 94% of problems in an organization can be traced to a poor process, a poor system. Which I thought was really interesting, and just kind of speaks to what you just said, which is interesting.
John Sheridan (38:28):
John Verry (38:31):
I know I sent you this, our template for the today’s meeting late. Did you happen to have a chance to look at the next question I was going to ask? Or should I just bypass it? Oh, he didn’t,
John Sheridan (38:42):
Well, I’m trying to think what it was. I did read it, but I don’t remember what the next one was.
John Verry (38:45):
All right. So, the amazing or horrible CISO? Are you up for the question?
John Sheridan (38:49):
Amazing or… Well, okay, okay.
John Verry (38:53):
Yeah, so you’re not.
John Sheridan (38:53):
Ask away. Ask away.
John Verry (38:55):
You didn’t do your homework. Well, so let me ask the question. The next time I come to a coaching session, if I didn’t do my homework, are you going to let me off the hook?
John Sheridan (39:04):
Touche. Torture me all you want.
John Verry (39:07):
Yeah. So, we’ll skip that question if you’re not prepped for it.
John Sheridan (39:11):
John Verry (39:11):
Cool. Last question. You chat everyday with business leaders, and you have an interesting role, because you chat with a lot of folks on the technical side, and you chat with a lot of guys on the business side. Any particular other topics that you think would be interesting for us to cover on future podcasts?
John Sheridan (39:27):
I think that everything kind of ties back to what we already talked about. The challenges around this all come back to sort of non technical things for me.
John Verry (39:40):
Excellent. If someone wanted to get in touch with you, easiest way to do that?
John Sheridan (39:44):
Sure. John@JohnSheridan.com. Easy to remember.
John Verry (39:48):
That it is. Awesome, sir. As always, great to catch up. Thank you. You got me out of here 15 minutes earlier than I thought, so yeah, we’re getting to the brewery a little bit earlier. So, thank you.
John Sheridan (40:00):
My pleasure. Great to be with you.
John Verry (40:02):
All right. Have a good weekend, all right?
John Sheridan (40:05):
You’ve been listening to the Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered, or you need some help, you can reach us at firstname.lastname@example.org. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.