David Mahon, Global Chief Information Security Officer, Deloitte Global: Collaborating with the Business, Communicating Effectively with the Board
With 40+ years of experience under his belt, David Mahon knows a thing or two about the threat landscape. Following a 28-year career with the FBI, David became Vice President of Corporate Security and then Chief Security Officer at CenturyLink before joining Deloitte Global as Chief Information Security Officer in 2018.

With his extensive global experience in helping to safeguard large, complex organizations, David has tremendous insight into incident response and resilience, and knows the critical role that employees play in helping to fight cyber-attacks.
HMG Strategy Founder and CEO Hunter Muller recently sat down with David to discuss the role of the CISO as a trusted advisor to the CEO and the Board.
Hunter Muller: David, it’s an honor and a privilege to interview you here today and to gain some insights about what’s impacting the enterprise, not only from the CISO role, but the CEO and the Board’s understanding of the incredibly complex fabric of global, interconnected enterprises that we have right now. What’s on your mind relative to the role of the CISO having to step up and be that trusted advisor to the CEO and to the Board?
David Mahon: I think it’s a couple of things. One, as the CISO profession evolves, you must partner with all business units to have a clear understanding of their global strategies—how they are going to market, their revenue targets. And you need to think about what capabilities are needed to deliver safely in a global environment and protect the organization.
HM: You have to agree, David, we’re in an unprecedented time. How should the CISO be communicating to the board, specifically regarding the risks the enterprise is facing?
DM: While boards have similar governance responsibilities on risk, audit capabilities, and approving strategies, they also contain very individualized personalities to a great degree. You want to learn those personalities—how they think, what’s important to them, and how they evaluate risk within the context of their opportunities and their responsibilities.
To do that, you have to take a look at prior board agendas. Assess what’s come before them in the past and what that tells you about how they like to have information delivered to them.
Then you have to put the risk lens on it. One, you’re obviously trying to explain your program and why it’s necessary to protect your organization. Two, you must convey to them that you are engaged with and monitoring what I call leading indicators and shifts. Just like they’re monitoring and looking for leading indicators and shifts in the market, there are leading indicators you’re monitoring, evaluating, and analyzing that will cause a shift in your cybersecurity posture.
Whether it’s a move to the cloud, the globalization of products and services, or new legal, regulatory and compliance requirements…all can have implications for your cybersecurity responsibilities and that is what your board is going to want to hear from you.
HM: Interesting times. Have you ever seen so much activity on a global stage?
DM: We’ve always had global threats; we’ve always had global challenges. But I have to say that seeing them in this scope, scale and diversity has probably never been to the level it is today.
HM: Because it’s such a complex role and such a complex problem, what does winning look like in this environment that we’re in?
DM: Not only do you need the right cybersecurity team, organizational structure, and leaders, but you must be able to govern from the inside with the right stakeholders. This includes legal representatives, regulatory, privacy, confidentiality, and the technology organization – and designing or integrating them in a way that allows you to deliver your cybersecurity stack along the way. That becomes critical to developing successful governing structures.
HM: It’s been said that there are two types of organizations – ones that have been breached and ones that think they haven’t been breached, but they’ve been breached.
DM: Everyone has been a target and victim of a cyberattack and a successful cyber-attack. No matter how good you are, there will always be incredibly innovative individuals with the intent on getting into your network and they will be successful. Your overall plan has to focus on what happens when they are successful—how you minimize the impact, how you contain the threat, and how you help ensure that you’ve remediated the threat.
HM: Let’s pivot the discussion to leadership. We study leadership very strongly here at HMG Strategy – leadership matters more than ever. What kind of competencies do you look for in a top CISO in terms of leading into the C-suite, the Board, and the line of business? How would you describe your leadership style, as well?
DM: I always look for five things in my leaders: First, an authentic interest in the cybersecurity profession and in the Deloitte organization.
The second attribute is tenacity. I don’t really need the smartest people in the room. I need the people that don’t leave the room until the problem is solved.
The third attribute is integrity. Not just the integrity that we traditionally might define as “don’t lie” or “don’t steal,” but in terms of the ability to share the actual events as they occurred – devoid of any politics or devoid of any concern that you may have made a mistake. If I don’t have all the facts, then my plans are not going to meet expectations. If I find out you didn’t tell me everything I needed to know, I’m never going to look at you the same way.
The fourth attribute is the person’s understanding of well-being. You have to take care of your health, your family, your significant relationships. But due to the nature of the work, like when you’re under attack late on a Friday, you will be working through the weekend. You have to enjoy the work because it is hard work.
Then the fifth attribute is your level of gratitude. Are you the type of person who is happy about where you’ve landed in life and the challenges and the opportunities that have been presented to you? Because what I’ve learned over time is, if I can find leaders with those five attributes, I can build a cohesive, successful team that can accomplish just about anything.
HM: I’ve been studying leadership for over 30 years, writing about it as such, talking about it all over the world and I love your five-point checklist. It’s spot on. It works, right?
DM: It does because you’re talking about what you need most: the right people and the right culture. Our biggest challenge is not technology or deploying technology globally. Our biggest challenge is culture, and culture trumps strategy every day of the week. You get me the right people with the right will and team cohesion, and you’ll get the job done.
HM: Thank you so much for that. That’s exactly where we’re going next. Culture matters and it is important to get the culture right. Strong leadership is great, but strong followship is important, and you have to be good at communicating and storytelling. In essence, selling a vision on a safe and secure enterprise, right?
DM: Absolutely, and your culture is the biggest challenge for many reasons. Deloitte has over 345,000 practitioners in 150 countries and territories. Those 345,000 practitioners are broken down into all sorts of subcategories – new hires coming right out of college, professionals coming out of other corporations, individuals that have been with Deloitte long-term – they all bring their own culture. From a global perspective, there are very different cultures around the world. All those things have to come together when you’re building, in essence, a global culture and communications plan to incorporate what you’re going to do to move the organization in the direction it needs to be moved.
HM: How would you characterize the Deloitte culture? You obviously were attracted to joining Deloitte at a certain point, and it looks like you’re flourishing.
DM: When I looked at Deloitte—its worldwide capabilities, the challenges it addressed, etc. – it led me down the path to the interview process. And what I found during every step of that interview process was that I wanted to be a member of the team. And a lot of that had to do with the people I met through the interview process, how I got to know them, the questions they asked and how they presented the challenges. What interested me the most was their commitment to the strategy. The challenge set before Deloitte was to globalize their cybersecurity capabilities around the world, and what I saw in each of the individuals I spoke to was a unified commitment to getting the job done.
HM: It seems like an amazing opportunity and an amazing responsibility. How many years has it been and what’s the scorecard?
DM: I’ve been at Deloitte a little over five years. When you first join a large organization with a major program put in front of you, you need to enjoy being able to operate a bit in the fog in the early days. All that takes a lot of effort, but I’m generally energized by the unknown.
Key Takeaways:
- As a CISO, it’s critical to gain a deep understanding of the strategic objectives for each line-of-business and to align the organization’s cybersecurity strategy with the business goals
- When communicating to the Board of Directors, it’s helpful for CISOs to recognize both the personality of the Board along with how they evaluate and approach enterprise risk
- It’s important to remember that an organization’s culture includes the attributes and influences that new employees bring into it from their prior experiences