With 40+ years of experience under his belt, David Mahon knows a thing or two about the threat landscape. Following a 28-year career with the FBI, David became Vice President of Corporate Security and then Chief Security Officer at CenturyLink before joining Deloitte Global as Chief Information Security Officer in 2018.
With his extensive global experience in helping to safeguard large, complex organizations, David has tremendous insight into incident response and resilience, and knows the critical role that employees play in helping to fight cyber-attacks.
HMG Strategy Founder and CEO Hunter Muller recently sat down with David to discuss the role of the CISO as a trusted advisor to the CEO and the Board.
Hunter Muller: David, it’s an honor and a privilege to interview you here today and to gain some insights about what’s impacting the enterprise, not only from the CISO role, but the CEO and the Board’s understanding of the incredibly complex fabric of global, interconnected enterprises that we have right now. What’s on your mind relative to the role of the CISO having to step up and be that trusted advisor to the CEO and to the Board?
David Mahon: I think it’s a couple of things. One, as the CISO profession evolves, you must partner with all business units to have a clear understanding of their global strategies—how they are going to market, their revenue targets. And you need to think about what capabilities are needed to deliver safely in a global environment and protect the organization.
HM: You have to agree, David, we’re in an unprecedented time. How should the CISO be communicating to the board, specifically regarding the risks the enterprise is facing?
DM: While boards have similar governance responsibilities on risk, audit capabilities, and approving strategies, they also contain very individualized personalities to a great degree. You want to learn those personalities—how they think, what’s important to them, and how they evaluate risk within the context of their opportunities and their responsibilities.
To do that, you have to take a look at prior board agendas. Assess what’s come before them in the past and what that tells you about how they like to have information delivered to them.
Then you have to put the risk lens on it. One, you’re obviously trying to explain your program and why it’s necessary to protect your organization. Two, you must convey to them that you a re engaged with and monitoring what I call leading indicators and shifts. Just like they’re monitoring and looking for leading indicators and shifts in the market, there are leading indicators you’re monitoring, evaluating, and analyzing that will cause a shift in your cybersecurity posture.
Whether it’s a move to the cloud, the globalization of products and services, or new legal, regulatory and compliance requirements…all can have implications for your cybersecurity responsibilities and that is what your board is going to want to hear from you.
HM: Interesting times. Have you ever seen so much activity on a global stage?
DM: We’ve always had global threats; we’ve always had global challenges. But I have to say that seeing them in this scope, scale and diversity has probably never been to the level it is today.
HM: Because it’s such a complex role and such a complex problem, what does winning look like in this environment that we’re in?
DM: Not only do you need the right cybersecurity team, organizational structure, and leaders, but you must be able to govern from the inside with the right stakeholders. This includes legal representatives, regulatory, privacy, confidentiality, and the technology organization —and designing or integrating them in a way that allows you to deliver your cybersecurity stack along the way. That becomes critical to developing successful governing structures.
HM: It’s been said that there are two types of organizations – ones that have been breached and ones that think they haven’t been breached, but they’ve been breached.
DM: Everyone has been a target and victim of a cyberattack and a successful cyber-attack. No matter how good you are, there will always be incredibly innovative individuals with the intent on getting into your network and they will be successful. Your overall plan has to focus on what happens when they are successful—how you minimize the impact, how you contain the threat, and how you help ensure that you’ve remediated the threat.
HM: Let’s pivot the discussion to leadership. We study leadership very strongly here at HMG Strategy – leadership matters more than ever. What kind of competencies do you look for in a top CISO in terms of leading into the C-suite, the Board, and the line of business? How would you describe your leadership style, as well?
DM: I always look for five things in my leaders: First, an authentic interest in the cybersecurity profession and in the Deloitte organization.
The second attribute is tenacity. I don’t really need the smartest people in the room. I need the people that don’t leave the room until the problem is solved.
The third attribute is integrity. Not just the integrity that we traditionally might define as “don’t lie” or “don’t steal,” but in terms of the ability to share the actual events as they occurred — devoid of any politics or devoid of any concern that you may have made a mistake. If I don’t have all the facts, then my plans are not going to meet expectations. If I find out you didn’t tell me everything I needed to know, I’m never going to look at you the same way.
The fourth attribute is the person’s understanding of well-being. You have to take care of your health, your family, your significant relationships. But due to the nature of the work, like when you’re under attack late on a Friday, you will be working through the weekend. You have to enjoy the work because it is hard work.
Then the fifth attribute is your level of gratitude. Are you the type of person who is happy about where you’ve landed in life and the challenges and the opportunities that have been presented to you? Because what I’ve learned over time is, if I can find leaders with those five attributes, I can build a cohesive, successful team that can accomplish just about anything.
HM: I’ve been studying leadership for over 30 years, writing about it as such, talking about it all over the world and I love your five-point checklist. It’s spot on. It works, right?
DM: It does because you’re talking about what you need most: the right people and the right culture. Our biggest challenge is not technology or deploying technology globally. Our biggest challenge is culture, and culture trumps strategy every day of the week. You get me the right people with the right will and team cohesion, and you’ll get the job done.
HM: Thank you so much for that. That’s exactly where we’re going next. Culture matters and it is important to get the culture right. Strong leadership is great, but strong followship is important, and you have to be good at communicating and storytelling. In essence, selling a vision on a safe and secure enterprise, right?
DM: Absolutely, and your culture is the biggest challenge for many reasons. Deloitte has over 345,000 practitioners in 150 countries and territories. Those 345,000 practitioners are broken down into all sorts of subcategories – new hires coming right out of college, professionals coming out of other corporations, individuals that have been with Deloitte long-term – they all bring their own culture. From a global perspective, there are very different cultures around the world. All those things have to come together when you’re building, in essence, a global culture and communications plan to incorporate what you’re going to do to move the organization in the direction it needs to be moved.
HM: How would you characterize the Deloitte culture? You obviously were attracted to joining Deloitte at a certain point, and it looks like you’re flourishing.
DM: When I looked at Deloitte—its worldwide capabilities, the challenges it addressed, etc. — it led me down the path to the interview process. And what I found during every step of that interview process was that I wanted to be a member of the team. And a lot of that had to do with the people I met through the interview process, how I got to know them, the questions they asked and how they presented the challenges. What interested me the most was their commitment to the strategy. The challenge set before Deloitte was to globalize their cybersecurity capabilities around the world, and what I saw in each of the individuals I spoke to was a unified commitment to getting the job done.
HM: It seems like an amazing opportunity and an amazing responsibility. How many years has it been and what’s the scorecard?
DM: I’ve been at Deloitte a little over five years. When you first join a large organization with a major program put in front of you, you need to enjoy being able to operate a bit in the fog in the early days. All that takes a lot of effort, but I’m generally energized by the unknown.
As a CISO, it’s critical to gain a deep understanding of the strategic objectives for each line-of-business and to align the organization’s cybersecurity strategy with the business goals
When communicating to the Board of Directors, it’s helpful for CISOs to recognize both the personality of the Board along with how they evaluate and approach enterprise risk
It’s important to remember that an organization’s culture includes the attributes and influences that new employees bring into it from their prior experiences