Why to Use the Compliance Framework in Your Messaging & Positioning | Gary Hayslip
I get the fact that you're talking about the offensive framework, but you should really talk about the compliance framework, which a lot of CISOs, unfortunately, have to live in. Show them that too.
In this episode, I had a brutally honest conversation with Gary Hayslip, Global CISO for SoftBank Investment Advisers & SoftBank Group International, about his challenges, goals, what vendors do that piss him off, and the alternatives.
Gary’s motivation for working in the cybersecurity industry:
Running teams, leading people, mentoring, and working with teams to figure out how to not just protect the company, but actually help the company with their revenue issues, their dev teams, and new products motivates him.
“It's just one of those fields that I thoroughly enjoy because it's constantly changing. It's not boring. It definitely keeps me on my toes. I have to continually educate myself. I have the opportunity to teach and to mentor, work with new CISOs and other vets like myself that are transitioning and coming into the field.”
What Gary hates most about the industry:
Companies will focus on a particular subject like AI and ML and won’t let go of that.
“That's all you hear. ‘We got AI and everything. We got blockchain and everything. We got machine learning and everything.’
Today, you pretty much expect most technologies are going to have machine learning in them. That's just table stakes.
I don't really care about that. Tell me, how am I gonna use it? What problems is it going to solve? Why should I care? Why are you different than the other half a dozen companies that are doing the same thing?
It's just different colors of the same thing. And that just drives me nuts.
I'm trying to solve a problem. I'm trying to protect my company. I've got a unique business case for what I'm trying to do. And I hate having to deal with six to a half a dozen or more vendors who are all doing the same thing.”
Gary’s bleeding neck challenge right now:
SoftBank is 100% cloud and full SaaS. The security stack is different and the focus is really on the data layer, employees, and how they authenticate, what they have access to, how they handle data, how data is moved about the business, and who is allowed access to their apps. Also, are things being audited correctly?
“It's really a large data governance, data protection puzzle when you go a hundred percent cloud. I don't own the data centers. I don't own any servers or anything. It's very unique in my 20-plus years of my career.
This is the first time where I wasn't hybrid or I wasn't just a little bit of this and a little bit of that. I'm one thing.”
Gary’s goal as a CISO at SoftBank:
Having his whole tech stack integrated within the business and automating where he can.
“What I'm moving towards is building my stack where everything is integrated; where I've got data at my fingertips in real-time; where I'm relatively positive that it's accurate so that I can make decisions and then those decisions that need to be made, we automate where we can or we push to a third party like a SOC or an EDR provider where we can't automate, so when I'm talking with my boss, our CTO, I have a pretty good level of certainty that what we're looking at is true, the data's accurate and it's in real-time.”
When Gary evaluates a new security solution or technology:
He first does an internal assessment to establish a baseline of where they are with risk.
Then, he identifies the gaps and talks to his peers in other departments to level-set what he should be working on now, and what he can push out six months and 12 to 18 months.
After he triages, he looks at a list of issues that he and his team will address.
Five factors for replacing a security solution that’s been in place for a while:
It's just not hacking it anymore
It's just gotten too cost prohibitive
It's just too clunky
The team is too junior for the technology
There are new requirements
Decision criteria when evaluating a security solution:
Does it integrate into the current technology stack he has?
Is it API-driven so he can pull data?
What type of data does it generate?
Is it handling sensitive data where he has to worry about regulatory issues?
Is the data that is running inside the solution running in a proprietary format?
How easy is it for his team to use?
How easy is it for his team to pull reports?
How easy is it for his team to integrate and tie into their other technologies?
Does it help him answer any of his KRIs that his operating committee is expecting him to answer?
Does it generate some new metrics that he wasn't even aware of that have value?
“If I go ahead and I'm replacing something, one of the first things I will get asked by my boss, ‘is it like for like? You're removing something old, you're putting in something new. Are you getting at least the same services? Show us the plus. What else value-wise are you getting as well?’
And then we look at cost and if I'm getting at least a like for like and some other new services and the costs are relatively around the same. That's good to go. If the costs are cheaper, that's really good to go. If the costs are twice as much, that's not happening.”
Overcomplicated pricing schemes do not fly.
“When you start getting into these really weird pricing schemes that try to cover the vendor costs for cloud, most companies will take a step back ‘cause it's very hard to show and explain on budget.
If I can go ahead and say, ‘here, it's a set cost per user and this price doesn't change,’ and I know next year there may be a 2 to 5% increase, but it's roughly going to be around the same thing, my CFO's going to be happy because he knows what to expect from me.
But if the price costs are constantly changing, that's gonna get stupid really, really quick.”
At what point would it be a good idea to start talking about pricing?
If he sees a demo and he and the team like it, then want to go ahead and test it out, he will start asking about pricing even before he starts a POC because he wants to know a ballpark of what to expect.
“I'm not gonna go through all of the effort to stand it up and let my team start using it, we start POCing it, and then you go ahead and, surprise, you jack me with a price. That's just not gonna float. I wanna know ahead of time before we even start establishing that relationship with each other because I already know what's gonna be acceptable with my CFO.”
Barriers that stall buying:
“My team may not even be ready for the technology. I may need to get some of the other low-hanging fruit done and get some of these guys through some training first before we go ahead and look at that technology. So a lot of times it's a maturity aspect.”
He may have other business-critical issues the business is telling him to fix first.
“If the business tells me and this is the reason why, once I do an assessment and I've got kind of a list of gaps and a list of issues that I'm looking at that we're probably going to need to address, I always bring in my peers from the other departments, from the other business units that I work with and I want their input. They've been there longer. They understand how the business runs, they understand projects and stuff that are running in parallel that I may not know about. And I wanna understand my impact because security always has an impact on the business.”
How Gary evaluates new security technologies:
Industry events. He is a part of ISSA and ISACA.
He talks to his peers - he is part of multiple CISO Slack channels.
“I've probably got about two to 300 CISOs at my keyboard that I can go ahead and reach out to and a lot of times, I'll go, ‘Hey, I'm looking at this specific technology, or I got this specific issue, how are you guys handling it?’ And someone will reach out and say, well, I'm doing this. Or somebody will reach out and say, ‘Hey, you should take a look at this vendor.’ So I'll start collecting data that way.”
Analyst firms like Forrester and Gartner
“Typically from that I'll get two or three vendors that I should then start researching in depth, and of those two or three, I will then really start going in-depth and I'm looking at the stability of the company. I'm looking at who works there, the technology itself and what it does, and how it would be a fit within my org. Then I'll probably reach out. Either I'll reach out or our MSSP will reach out for me. And then we'll proceed to have a discussion and start looking at the three until I can make a decision.”
Differences or anomalies right now in the market that marketers, salespeople, or vendors can take advantage of to stand out:
Talk in terms of compliance and how your solution fits within a compliance framework.
“I get the fact that you're talking about the offensive framework, but you should really talk about the compliance framework, which a lot of us, unfortunately, have to live in. Show us that as well.”
Explain how your solution helps reduce risks and what risk you are helping him reduce.
Explain what, if any, monetary value that has, because that is what Gary talks about when he speaks to his CFO, CEO, CTO, and executive team.
“The biggest thing is how is it gonna impact the business? The second biggest thing is it tends to be a cost, so they wanna know value-wise, what is this doing? Is this going to bring another service that we didn't have? Is this going to allow the dev teams to be able to work from home and work and be secure? Is it bringing in new services or bringing in new capabilities that we're able to do, but be able to do it securely?
It really helps if you can kind of explain those use cases because that's the differentiator. Those are the discussions I have on my end when I'm talking with the individuals that have the money, as to why I need to put this in, not only meeting the compliance issues and preventing the offensive attack issues, but I'm reducing our risk.”
Rules vendors are breaking when reaching out to security practitioners:
When they go ahead and they contact you and say, ‘Hey, you got 15 minutes to talk?’
“We all know it's not 15 minutes. We all know we're looking at an hour. All right? So don't BS. Just tell us what you need.”
Contacting security pros just because they attended an event with 500 other people and claiming you met them at an event when, in fact, you haven’t.
“Don't contact me and say, ‘Hey, we talked about this.’
No, we didn't. Don't pretend that we did because I remember you. I know who I talked to. I'm one of those people that I hold you to your word. I hold you to what you promise. I hold you to who you are and if you play tactics like that, I'm just not interested. I'm not gonna trust you. I'm not gonna trust you with my team. I'm not gonna trust you with what we need.”
The worst thing Gary’s experienced from a vendor:
“I had a vendor. We went in and we set up, I was interested in the technology and they come into my office and I guess they had just smoked a joint before they came in. ‘Cuz man, they smelled like marijuana, heavily, and I'm sitting around talking to the guy and I could tell he was seriously buzzing and I'm like, ‘dude, it's two o'clock in the afternoon and you're at my work, what are you doing?’
I'm just looking at him and it was funny. He's just jabbering away while he is talking. He's having a good time with the discussion, really animated and I'm laughing more at just the discussion. And I'm like, I cannot believe I'm in this, this situation right now.”
A great experience Gary had with a vendor:
“I had a vendor who, we actually met at an event and we actually just talked about our families. We talked about what we were doing in the community and he just asked, ‘Hey, can I reach out to you later? We're doing blah, blah, blah. Is this something that you would be interested in?’
And I said, yeah, we actually got an issue around that and we're gonna be addressing that.
And then he proceeded to go ahead and contact me. And then when he went ahead and came out we sat, we whiteboarded and we discussed the issues. And what I found is at the end of it, they weren't a fit because of our internal networks. We're just really unique. He was the one that went in and stated, ‘Hey, I don't think we're gonna be able to help you and this is why. It would probably be a really bad user experience because of this and everything.’
And we parted not a problem at all. And I referred three other CISOs because the guy was honest.”