Steve Gentry: Why CISOs Need to Drop the Chicken Little Mentality & Focus on Being Business Leaders
Steve Gentry: It goes back to the data is greater than your opinion. So we all can have these thoughts about, okay, this is why, hey, I think we've got too many applications, or I think we're overspread here. But to drive alignment, you can't just use your feelings. If you've got your CIO, your CISO coming to you and saying, "Well, I think this is a problem." It's like, "Great. I'm glad that you think that. Prove it to me."
Cory Wheeler: Hello, hello, and welcome to SaaSMe Unfiltered, the SaaS Management Podcast, the show with give-it-to-you-straight, real-life advice from pros knee-deep in SaaS every single day. SaaS management superheroes just like you. We are back for another episode of SaaSMe Unfiltered. Very excited to have everyone joining us today. I'm Cory Wheeler, Co-Founder and Chief Customer Officer at Zylo.
Meredith Albertson: Hi everyone. And I'm Meredith Albertson, Chief Marketing Officer at Zylo.
Cory Wheeler: We have a wonderful guest joining us here today. This person has made previous stops in his career at Adobe, VMware, and Workfront, among others, and even started his own security practice. Most recently, the Chief Security Officer at Clari. He's got more than 20 years' experience in IT and security. He's also a three-time founder, twice in tech, and he loves founding and eating and creating barbecue and barbecue businesses as well. He makes his own bacon. He's made elk bacon before. He knows Korean. He lives in Utah. Welcome to the show, the Renaissance man, Steve Gentry. How are you, Steve?
Steve Gentry: Thank you. Thank you. I just need to keep you as my mic man, wherever I go, Cory. It's fantastic. I really appreciate that intro.
Cory Wheeler: I would enjoy that as well. It'd be a lot of fun. I'm particularly excited about today's interview. I think you bring a lot of really interesting and different perspectives from the seat of being a CISO, but before jumping into the back and forth with Meredith and me, I'd love to hear from you how you got started in the security space and what has made you so passionate about what you're doing.
Steve Gentry: Yeah, so I started my career in 1988, on an IS service desk. And I remember being pulled aside on my first day and being told by one of the mainframe guys that this was just a pointless career. He couldn't believe I took the job. They all didn't take the role because they didn't think that people needed desktops on their computer. So I went from being told that no one really needed desktops, because we were rolling out desktops to analysts, to the point where now we're dealing with customers having SaaS applications all over the world, and software that they never even see or install themselves. So it's been an interesting journey through that. So I've gone all the way from the service desk, working my way up, running infrastructure teams, running global organizations in IT, to then making the switch over to security when I was working at Novell and having that mindset of starting to get into the early days of identity and access management. And that led me into building my security practice to the point where I was starting to drive executive recruiting, not executive recruiting, but helping executives build their teams. Where we're working with the CISO, bringing in a CISO, so I would help. I was there in the meantime, build it all out, hand it off, and then go on to the next thing. And until I had one of my customers convince me to work for them full-time. And considering I was traveling 42 weeks a year or living away from the family, if I had told my wife that I had a job offer for a company that was just seven minutes away from the house, and I turned it down, you would not be talking to me today. I love her dearly, but she would've made sure that I just went on a long vacation.
Meredith Albertson: That would've been it. You would have been done.
Steve Gentry: That would have been it. So I've been able to see iterations. In the years that I've been doing this, I've seen the cycles that we go through on the security side. I've been seeing the cycles we go through on the IT side. Even in the early 2000s we were talking about getting rid of the password. And we're still in 2023 talking about getting rid of the password.
Cory Wheeler: We are.
Steve Gentry: So it's just interesting to watch all these cycles that we go through and watching that journey in IT and where we've shifted to. And being able to take all those lessons that I've learned and apply them to the companies that I now have been working with.
Cory Wheeler: That is great. That's a fun journey to think about. I think the theme, as you and I have had conversations, is that you are much more of a business leader than a straight-up chief information security officer. You've got perspectives that I think are sometimes atypical of a run-of-the-mill CISO. Data being greater than opinion is one of those, and it's a theme we're going to carry out through the conversation. But your thought process typically extends beyond the CISO. So we were fortunate enough to have you on SaaSMe recently, and you spoke about partnering with procurement and looking at ways to save your business money even before the economic downturn. And how eliminating redundant applications and technologies could improve efficiency and collaboration across the organization. That business perspective has served you well. What are your thoughts today on what being a good CISO is, and what's required beyond the standard job description of what a chief information security officer is and does?
Steve Gentry: First I had a web dev business back in the '90s, and then I started my own consulting practice in the 2000s. So having run my own businesses and having gone through the different facets of dealing with managing the money itself as we're trying to get the business off and running until the point that we sold it off. And then with my consulting practice, it was always I knew I was only going to be a consulting practice of one, so how was I going to manage my finances? What tools did I need in order to run this practice? So having just a breadth of areas where I've started and managed and run my own businesses, to when I was with the executive consulting practice that I was running, meeting with the different executive teams, having to justify and working through with those different executives what was going to be necessary. It gave me a lot of appreciation for all the different work that has to happen. One of my frustrations and where I am on my crusade is to champion the CISO as an actual business leader. We still have that mindset. Even a job description recently, they're like, we need doers. We need to expect you to be writing out code. Well, am I a CISO or am I an individual contributor? What are you looking for in that role? What do you want? Did you ask your CFO, for a company your size, if he's actually doing order management? Where is that line that we have being that shift? So how do I build that reputation? One of them, I need to stop having that Chicken Little approach that you see in a lot of security roles. It's that FUD we lead with, the sky is falling, everything's a risk. We got to get this done. I've been fortunate that the last few companies I've been in, in particular, have both been like 99.9% SaaS when it comes to their internal applications. When I was at Adobe, we're making that big shift that we're starting to run more SaaS applications. And having that mindset where it's okay, this is great, but we've got all these tools.
Why am I logging into five different tools? Why am I having to go to all these different places to try and get these pieces of information? Where can I consolidate that? And then that mindset that I picked up as a consultant, which was great, I hear what you're trying to say. Let's walk back and find out what your business objective is. That's why my consulting practice was successful in my mind, was I was focused on the business outcomes they're trying to drive. And I've taken that mindset into security. It's not about the technology. It's not about we've got to get these vulnerabilities remediated. It's how do we build a business and a practice that matches what the business objectives are that we're driving along with the business leaders? Meredith is a CMO. Do you really want to hear about how many vulnerabilities are in the product? It's great. Well, what does that mean? What's the context? Should I be worried? Should I be getting the write-up that we're about to get breached? Do I need to have that? Did you just cause me panic? And so it's that how do I not have that same mentality and get the CISOs and CIOs of the world to be seen as business leaders? Because we're talking about the things that matter to a business, and not just about our own individual practice that people really don't understand a lot of the context to.
Meredith Albertson: Steve, that's a great segue; it actually got me thinking. FUD, fear, uncertainty, doubt. And I've heard you say this, I don't know if it's a mantra or just a bit of a tagline for you that I've kind of at least associated with you in my brain, of data being greater than opinion. And you talked a little bit just about that, what that means to you from a business standpoint, but how has that helped you take companies that you have been a part of and help them operate more strategically?
Steve Gentry: And I'm going to give DP, Chief Customer Officer at Zylo, full credit for their... Chief Operating Officer. Sorry, Cory, I just gave him your title. My bad.
Cory Wheeler: You're good. He would rather have my title.
Steve Gentry: But yeah, DP actually, when we were at SaaSMe, he used that and I have totally latched onto it. Because I love that statement. And you can view it two different ways. Some people hear it as, see, I know what I'm talking about. The data that I have is greater than your opinion. But I also like to look at it introspectively, because as we're looking through our processes, as I'm trying to manage all of the SaaS applications in an organization, as I'm looking at the security, it's like, okay, if I want to manage risk, because ultimately all risk, whether it's security, whether it's people, whether it's industry, all of it is enterprise risk management. So how am I taking that data and getting rid of my own ignorance? We all have ignorance. It's whether or not we're taking the steps to remove that ignorance. And so that's where I love the statement that he made, data is greater than your opinion, because we can take that information. Tools like Zylo. This is why I have been a two-time customer of Zylo and why I've loved jumping on conversations with you guys, is that is how this product functions. And I know this is not necessarily trying to be the product segue, but I'm going to champion it because that's why I'm on this call. I love your guys' product. But it's also the mindset that the product is driving, which is what resonates with me. It's that mindset of I can go and build data. I can tell you, okay, we have 11 different project and program management tools in our environment. CRO, head of sales, you're trying to buy more tools, but do you know that your RevOps team is managing seven different project management tools that your own sales organization is using at different times? CMO, this is the one I just had, I know you're responsible not only for marketing, but you also have the biz dev team underneath you. Well, you've got 33 tools just in biz dev and then you got another 20 tools on top of that for your marketing organization.
And that's four people total that you have in an ops organization. I know people still like to talk about shadow IT, and I kind of want to break that up a little bit and want to not get into the, because shadow IT is typically bad IT organizations not supporting their business. So how do they support the organization? It's fine having a distributed IT model and have an operations team managing their own applications, but how is IT, who are supposed to be the technology experts, how do we drive that or use that expertise that we have and help drive the efficiency in the business? How do I say, hey Meredith, by the way, okay, so here's 53 applications that you have for four people in your ops organization. You want to know why your team's overwhelmed? They may not be able to articulate it because they may not realize how many apps they have. But how are they managing their day? How can I give you time back? So you have people-time, so you have administrative time that's taken off your plate. Because we can pull these into Okta or Ping or Duo, whatever your third party identity management tool is that you're using. How can we help automate that onboarding process? So by taking a look at the whole and being able to provide that context of here's all the applications that you have, here's the money that you're spending on it. So when you need more funds, by the way, I can help reduce. We can get rid of about five of these applications off the top. And then let me give you administrative hours back by, let me have my IT organization help you automate that process of onboarding, offboarding, administration. So we can work back. And so the ops team that's sitting under you is focusing on the things that matter to them, and they're not trying to manage general IT work. So it's being able to clearly define what a shared responsibility model looks like. Like when you're signing up for AWS or Azure, or GCP, there's a shared responsibility.
Here's everything that they're going to do for you. So when you hear about breaches in AWS, it's not because AWS was compromised, it's because the people forgot about their own shared responsibility and didn't secure the applications on top. The same goes internal as we go to these distributed RevOps models or distributed ops models inside the organizations. It's not because IT is not doing its job in the sense of managing those applications. IT and security are not doing a good job helping people understand what their responsibility is within this. Educating them, and not in a way that bores the living crap out of them, but helping them reduce that footprint that they've got, understand what that means, and then providing ways for them to automate or self-service that work to take workload off from their plate. And being more efficient as an organization knowing what their financial footprint looks like. You need dollars back. Well great, here's how we're going to help get you dollars back.
Cory Wheeler: All of this is spot on. I think the next kind of follow-up question I have to that would be pretty valuable for those folks on the call. Talk about how you've architected your data. What are your data sources, your go-to data sources? How have you built that internally in the organizations that you've been a part of? Is it a massive data lake or are they pieces and parts of different areas that give you the inputs to make those strategic decisions? Talk about what that looks like. As you step into a role, what are those things that you're looking to put in place?
Steve Gentry: I'm going to be a little bit of a security nerd for just a moment-
Cory Wheeler: Let's get it. I love it.
Steve Gentry: ... as we're going into this. Because going into an organization, there are three areas of metrics that I want to be able to figure out. The first set of metrics is how much of our code is done in a secure environment. inaudible actually did a great article on this that I've adopted. Great thing about having a lot of smart people out there in the world is I don't have to reinvent the wheel. I never want to be the smartest person in the room, because it means I've stopped learning. That I need to move rooms. And it usually also means it's just a bunch of toddlers. So having the people put that out there, taking this model and adapting it to what makes sense and how it works in my brain. So it's that how much of our code is done in an environment that we can recreate, that's done in a way that we have some sense of security around it. The second one is how much of our product can we stand up? Can we cold-start? So at four SaaS companies in a row now, how much of our company can we turn around and, if everything goes to crap, can we cold-start and rebuild all this environment? How long is it going to take? That breaks down into a lot of different things like, okay, so where's all of our dataset? What are the tools that we're using? Where's all this coming from? And the last piece is the data governance piece. In that data governance piece is what is our data that we have? Where's our data? How is it being protected, because who has access to it? And those, of course, all these things break down into multiple metrics underneath them. But taking that mindset and being able to answer those questions when I come into an organization will then allow me to start building out that map of, oh, you say you're using Sumo Logic. Well, these folks are also using Datadog. They're also using X and Y and Z. And so oh, great, so we've got eight different logging and monitoring tools. Where's our source of truth? Well, this is what we use and this is what we use. Great.
So we don't have a great picture about it. That's some risk right there. How do I help us get a better picture about what's going on? And so as we build that out, as I'm looking at all the different data sources that we have, then I start having that thing. And this is what led me into Workfront, led me into purchasing Zylo in the first place. I started seeing all these different applications that we were using. And I'm like, well, this does this and this is, okay, finance. What's our source of truth on applications that are coming into the picture? They gave me a list. Accounting, what are you aware of? They gave me a list. I put those lists together. IT, what do you have? And I'm looking at three different sources just for our applications and none of them match up. Nobody knows exactly what that source of truth is. And so as we're going through that process, so for me, the security risk of not even knowing where we may have critical data, and the applications and assets I'm trying to protect, and I'm being held responsible to protect, gives me a lot of angst. So if I'm to do my job well, I need to understand our architecture. I need to understand what our footprint is. So how am I driving that? And by doing so, again, it goes back to what we first talked about, what are our corporate objectives? What is it we're trying to accomplish as a company? Skip my own goals. What are the three to five things that the executive team has laid out of this is where the company is going, this is what we're trying to accomplish. If everything else goes away, these are the things that we need to get taken care of. Based on that, what is the work that I'm doing that aligns to that work? And then how am I protecting, or how am I helping drive better efficiency in the processes by getting people the access to the data they need, when they need it, wherever they need it? Especially as we have a lot of BeyondCorp models or hybrid models.
How are we enabling the business to actually meet their objectives, but also securing that data that we've got out there? So for me as a security professional, as an IT professional, and I do separate IT and security out as two different skill sets, that's part of my job. But doing so, it has to be done in a way that lines up with what the business is trying to accomplish. How are we driving all of this to the same goal line? So security doesn't have this goal off over here of I'm going to lock everything down. And you hear that we're going to remove all this access. We're going to lock, but I need this to do my job. Your job isn't to take away the data that I need. Your job is to secure the data so I can keep using it so the company can keep moving forward.
Meredith Albertson: Steve, I love hearing your perspective and your strategy and how you're thinking about data and you started to touch on alignment. And I'd like to dig a little bit more into that. Managing SaaS, it's an important part of the business's fiscal maturity. It does provide that scalability and also velocity to the business. You and your teams historically have made this look really, really easy. How does that focus your perspective, how you're thinking about data, really help you drive that alignment in the business from the executive team all the way across?
Steve Gentry: Yeah, it goes back to the data is greater than your opinion. So we all can have these thoughts about this is why I think we've got too many applications or I think we're overspread here. But to drive alignment, you can't just use your feelings. If you've got your CIO, your CISO coming to you and saying, well, I think this is a problem, it's like, great, I'm glad that you think that. Prove it to me. It's the trust but verify. I think you're a smart person, but show me why you think that's really a problem. Don't just tell me that it is. So in order to have alignment, you need to have that data. You need to have information to align people against or with. And it's the against of we've got too many applications we need to reduce, or with it, we have this process that's going to lay it out. We can get through the procurement process faster. We know where our discounts are coming from. By the way, you have a bunch of unused licenses that are just sitting there. Let me help you get some of that money back so you can go get this other tool that you're looking for. And finding ways that alignment comes from using that data to provide wins for that executive's organization. Any good executive, you guys know what you want is your team to be successful. You have a job to do. I want our marketing campaigns to be efficient. I want them to drive numbers. I want to get not just TOFU, I want to drive that all the way through our new customers signing up. How are we doing that? Well, I don't want to sit here and think about all the applications that I have that are taking up my team's time. I want them to focus on that. We're here to drive revenue as part of the go-to-market organization. So as we're trying to drive revenue, here's a win I can give you, but I can take all this disparate data that's in 20 different systems and scale it down to a few. I'm not trying to get rid of all applications. We have redundancy. I'm not trying to nail it down to just one.
But what makes sense for the business? And as I drive that efficiency and can show that win, then you're just like, okay, great. I don't need to worry about anything. My team can go do their job. They can have the data that they need. They can have the data in front of them. You showed me where that data is and how it can help us have a win. And it's never once, will this make it better for IT? This will make us more secure. Ultimately, even though that is an important aspect and we're trying to reduce risk, as executives, your first charter is about your area of business, not someone else's. And so how do I make that as a win for you? And it's providing you the data that you need that shows where I can provide you wins and not doing negatives. There's some great studies that have been done around the neuroscience behind FUD. And so security organizations are known for FUD. And when you're going in there and you're doing, the sky is falling, you're creating anxiety for people. And as you keep doing that, anxiety is actually releasing chemicals in the brain. So then it becomes an association that anytime that person sees you, those chemicals are getting released because they're expecting that. So literally security organizations, IT organizations who live on FUD, and are not using data, are actually causing a neurochemical reaction that makes people not want to talk to you because they're already upset, already anxious, and they literally feel like crap whenever you walk into a room or jump on a meeting. It's the security industry, this is what we've been doing. We literally have been creating an association. It's similar to Pavlov, they're ringing the bell, but it's the other way around. We're not feeding people, we're making them anxious and they don't want to talk to us. So it's getting rid of that FUD. Using data to show the wins for their organization, not how it applies to me.
It's about finding secondary ways and not using security, not using IT as the stick, but using those as the secondary wins that I get what I want out of the process, but providing you what you need and wins for you.
Meredith Albertson: That's great. And I think when you have data, you're moving away from that FUD and that anxiety feeling. You're building that level of trust across the business. It becomes that really fantastic foundation that I think you have continued to build in organization after organization. Building that foundation for great decision-making. And you started to touch on this a little bit, and it's fascinating, your perspective on efficiency. And I know that this is a topic that's really near and dear to your heart: some of those business efficiencies that you're really looking to solve for in your role as the CISO of the business.
Steve Gentry: Onboarding and offboarding is one of them. It's something we get audited against. It's one of those things that when people have accesses for too long, it's a big risk factor. If you have someone that's pissed off after an exit from the company, and if we're not getting rid of their accesses. But ultimately as we've gone to a more distributed model out there for organizations and these other teams are responsible for access management, this is where it goes in the shared responsibility model. You guys can do the administration of your new tool. You need to build new workflows. You need NetSuite to do something specific. Fantastic. Go ahead. Let us handle the identity management portion of it. Let us handle these aspects and show you as it ties back. One, because it makes the audits better, which when you're in a SaaS application, those audits are used as part of the customer due diligence. So it involves the sales process. You don't want anything to slow down that sales process and show up on the audit report. So what are those things that we're doing that are inaudible? So onboarding and offboarding is one of those things. Also, data retention. If we know where the applications are, we know where we need to be. Removing data as potentially customer churn or something else happens that we've got data for a long time. How do we do this cleanup? Had a conversation recently with the chief engineering officer and it was my margins suck because we're holding on data since the foundation of the company. How do we get through this process? I need to get my margins better. We just ended up having a conversation with his team of you're not allowed to hire any more SREs until you get this data cleanup done. 
And it was fascinating just being able to sit in that conversation and listen as people are talking and going through that, because it was that mindset of his win was, I need to get better margins so I can hire more people to focus on resiliency and keep going. Well, my team can tell you where all those data repositories are. Let us help. You can do the cleanup work, things like that. Let us help you by showing where all these repositories sit that we're aware of and we can map through and things that we've been able to map through for you. And so it was a win-win on both sides of the house. So we can drive that efficiency, we can drive that win. Because we were able to give them information, we're able to give them data. Not just speculation, but we know this is, and we can tell you the age of the data that's sitting in there, because this is the last time that purge occurred. This is the last time data was deleted out of it.
Meredith Albertson: If you are not unlocking the full value of your SaaS, what are you doing? There is no denying it. SaaS is mission-critical to your company's growth and success. And as the number two operating expense for most organizations, it's your biggest opportunity to save money and drive efficiency. The time is now to do something about it. Join me and your fellow IT, SAM, finance and procurement leaders at SaaSMe. SaaSMe is the industry's only dedicated SaaS management event where you can sharpen your skills, hear from your peers, and learn how to unlock value and responsible business growth through smarter SaaS management. Register today at SaaSMe.com. That's S-A-A-S-M-E dot com.
Cory Wheeler: It is fantastic that data is stronger than opinions and then you build on top of that. Data drives efficiency. And so in our world as we think about this, this is where our worlds collide. You've adopted a SaaS management platform a couple of times in the past. We find that a lot of companies are using spreadsheets to inventory and track their apps. You said it earlier on, you went to your finance team, your accounting team, your IT team to get all of these different lists of solutions. And in our conference last May, you said you can't run SaaS off of a spreadsheet, so why does manual tracking, why do spreadsheets set you up to fail in SaaS management? And why are you, and why have you used, and gone all in on, a SaaS management tool instead?
Steve Gentry: As the chief customer officer, if you were looking at NPS scores and you send out these things, but you don't just do them once and okay, that's it. Wait, we got our NPS score. That's what we're going to base everything off of for the next 10 years. It's a regular process. When we're having these conversations and we're talking about our applications, SaaS companies in particular have a tendency to be very fluid organizations. But companies, even some of your more traditional shops, if you start going into healthcare or financial services, they still are doing a regular purchasing process. They may be more rigid about it, but SaaS applications, most companies in general are pretty fast flowing. You build that spreadsheet out, it is going to be incorrect and inaccurate before you're done even collecting all the data. Some vendor's going to be offboarded two days after you got the data from finance. So they've already taken out the system and now you're trying to track down an owner and then by the time you do that, three weeks later they're like no, we got rid of that app. And you spent three weeks of time. You had a member of your team spending their time chasing down these application owners for an application that doesn't exist. Being able to automate those processes, automation and self-service. My teams have heard that from me for ages. We are an enablement organization whether we're talking security, whether we're talking IT, it's how do we enable the business? And self-service and automation is that process. So how am I automating that data collection? So if the CRO, if the CFO, CMO want to see what applications are sitting in their environments. How are we doing on this? How are we driving costs? I've got reports that they could just go click and get access to. We're not having to go I'll get back to you next month. I've got the data right in front of me because we're doing this real-time access.
We're continually looking at how things are being used. We have a running total of who's accessing the application for the last 90 days, and we can see that fluctuation. We can do the comparison against applications like this person's feature that you guys were working on. This is one of those things that I'm going to gush a little bit over, this aspect that you guys built. Because this is fantastic. It's not just let's compare applications. Let's compare people across all the redundant applications. So this user, there's nine of these, we've got this many users who are in all nine of those applications. Or they're in six of these nine. And so you can show that data of do you have someone who's literally logging in to six different project management tools to manage as they work across the business? This cannot be good for them and efficient for them. Being able to take all of that data, being able to drive it in, and put it in, in a way that it's real time instead of a point in time data. Because lagging data indicators, they're useful to a point, but ultimately to drive a business, you need real-time information, not lagging indicators. That's why you start off with your metrics and the decks that you're doing as you're working with the board. Lagging is what it starts off with, but then you keep driving more and more into real-time data. Your board wants to know not what you did six months ago, even though it's a quarterly board meeting, they want to know this quarter went well. Why? This is the data we've got as of right now. Here's how we're driving. Here's how our discount metrics bubble up. We've got to work on our pricing and packaging because we keep having to do heavy discounting. So we can have all of these things across any portions of business. That's data that you're using to be more efficient as a company. And you can use lagging, but the data that gives you the best information is your real-time data.
And so that's what I want out of the tools that I'm working with in security. That's what I want out of my SaaS management tools, is that real-time data that I can get that says, here's where we are as of right now, not where I was three months ago.
Cory Wheeler: Perfectly said. So the concept of data and efficiency and driving an overall strategy internally is critical. So let's move a little bit into third party risk management. So I'd love to know what's on your mind around why is it so strategic? People think of third party risk management as a pretty linear process, but why is it so strategic to most businesses? What are the unknown challenges also that make it difficult?
Steve Gentry: One, how most companies are running third party risk management is security theater. Plain and simple. It's all about have I reviewed that they have a SOC 2, have I checked that their financials are solid? That they're going to be a vendor that's going to be around? That is not third party risk. That is you have taken point-in-time data that there's no clear context behind. So when I look at security third party risk management, it's how is this vendor playing into my overall risk as a company? Do they have confidential data? Is it customer data? Is it internal data? And if it is internal external data, how am I protecting that information? Even if it's a SaaS product, what am I doing? Is it behind multifactor authentication? Am I using any type of security keys to protect this? Do I have it white-listed so it can only be accessed through a ZTNA tool? A zero trust network access tool. Or a VPN? How am I protecting it? Because ultimately when people think of third party risk management, they're thinking about the security questionnaires. I have had security questionnaires that were up to 800 questions. Literally 891 is my largest questionnaire that was sent to me and I sent it back and said, there's not a chance in hell I'm filling this out. Because the only way to truly know what the security organization is, is to have one of your security people hired into that organization and feeding you data back. Which might be construed as corporate espionage or something. It's not illegal. It would still be unethical. But we really have no way, so why are we spending all of our time and effort when we talk about third party risk on a part of the process that has no bearing on our internal company because we have no control over it? And what are we doing on the things that we can control? I almost feel like we're going into an AA meeting now. This should be Security CISOs Anonymous. What can I control? What can I control? How do I get over that?
And so this is where third party risk management needs to go back to that data governance. What are those things that we care about and what are we doing about it? What's our responsibility versus what the SaaS company's going to do? I can't do anything to change Zylo's security program, but I'm still going to use you as a vendor and I'm going to put my gates and controls around it to make sure that I'm keeping myself as protected as I can. We've got plenty of indicators. SolarWinds, Microsoft, LinkedIn just had another. There's an announcement that's come back the last couple of days about issues over at LinkedIn with compromise of accounts. I can't control any of that, but I can do things where I'm protecting myself or I'm protecting my organization. And that's what I'm going to focus on.
Meredith Albertson: Staying on top of this [risk management and security] is obviously very important, but how do you stay on top of it? All the apps, all the data, all the regulations that you and the business need to abide by in order to make sure that the organization is secure. You're lowering that risk. There are things within your control, not within your control. But how are you and your team staying on top of this? What's your approach there?
Steve Gentry: Gin is how I stay... No, that's how I deal with the stress of having to stay on top, but my bad. Part of it's having a really good network of vendors and associations that you can go to. I've got a couple of Slack channels that I pay attention to really closely. Because I know I'm going to get some data out there. There's a great group of CISOs that are very active in the community. So having that networking aspect where you've got contacts out there in the industry so you can get information, so it's not a lagging indicator. Two, again, it's knowing where your control is. What are the boundaries or the scope of responsibility, and focusing on that. We get too wrapped up, again, it goes back to that Chicken Little mentality. Where that comes from is that they start seeing all the different problems that are out there, and in total, yes, they can seem significant, but if you break them down to the individual pieces, we can address this. This is a couple of sprints or this is a goal that we can get taken care of this quarter, maybe in a month, month and a half. So focusing on breaking things down into logical chunks for one. It goes down into project management principles. I know we're all over the place in different areas of the business, but that's part of being a leader is you have to look at all these different aspects. So bringing in project management principles. What are our milestones? What are the things we're trying to do in manageable chunks? And again, it's knowing where all these pieces are and being diligent, and continuing to pay attention to the shifts in the business, shifts in the priority. When you're meeting with your stakeholders, it's meeting with them about the things that are important to them. I always hated jumping into a meeting with a member of the ELT now going, "All right, what do you want to talk about?" "Well, I want to understand what your business is." "Well, what security thing should I be worried about?"
"Well, I need to understand your business so we can know where that is. I want to understand what your processes are. What are the things that keep you up at night?" And especially talking to engineering, talking to product. If I can help you solve those things that are keeping you up at night, and having my team we'll go ahead and take good care of this stuff for you, then I'll help drive and we can help get some of our wishes into the product pipeline. So it's staying on top of it. It's constant diligence knowing that there are going to be misses. Security is not perfect. I had an interview once where I was asking the individual chief customer officer, it wasn't Cory, an individual that was going through the interview process. "What do you expect out of the CISO in this role?" "I never want to have one of those awkward conversations with customers. I never want to be able to tell them that we just had a breach and have to send out those notifications." I'm like, "Cool, if that's your expectation, I'm going to walk away from this interview process. Because there's no way I can promise you." It's saying that, okay, Cory, you're going to promise that 100% of the customers are going to be satisfied. Meredith, you're going to promise that every campaign is going to bring in X amount of dollars every single time. Well, that's not really what this campaign is for. We're trying to drive this. We can't make these broad scope promises. So knowing the scope of the work that we can accomplish, making clear to everyone else, that's what you're trying to accomplish. So you're setting those expectations and then you're working with everyone. You're working with your stakeholders to make sure you're constantly aligned, you're continuing to be diligent, you're staying on top of where the business is going. And you just have to keep tweaking. Tweaking the goals or the things that you're going on. Hopefully you're not making huge course corrections.
But it's just like when you're sailing, you're out there, you're going to make sure that you're still on course. And you're going to keep checking occasionally. You're not just going to set in like, yeah, I'm fine. This isn't the run [inaudible] of security or finance or procurement. You're going to have to constantly check and make sure that you're being diligent in the work that you're doing.
Meredith Albertson: Has that diligence, you said that several times and it really spoke to me, is a SaaS management platform, does it help you in that journey, that focus on diligence that you mentioned a few times?
Steve Gentry: The Zylo dashboard, when I log in, the Insights. By the way, you have this many new applications coming that have joined in the last month, the last 30 days, this many new applications. And as you're going through and just focusing on Zylo itself, looking at the Insights that I can get out of it and knowing that I've got these applications here are telling me that I've got a bunch of unused licenses in this group. Part of that diligence is if you're bringing in a tool, we all love the new shiny, and you're going to end up having a bunch of shelfware. So if you're going to do that automation, if you're going to take the time to set up something like Zylo, are you using the data out of it? Because we get caught up in finding the next... We're like crows. What's the next new shiny that I can find and bring back? And it's like, no, no. How do we stay focused? And I know I'm talking about being diligent of trying to pay attention all the time, but there's also that you're trying to look out here while still focusing on this, as you're doing these different things. And so it's how do you stay focused on the data that you've got and using the tools that you've got and using the insights that you've got out of these tools. Zylo is giving you this information that says you have this redundancy. What are you doing with it? How are we going and providing that data? How are we driving that efficiency? Instead of just saying, "Oh, great, I got a report, I can tell you, but have you done anything with it?" And I know it takes time. And this is what I want to set expectations of people. With any tool that you set up as you're going through an environment, you've got to go through that process. You're going to refine that data. Whether you're talking about setting up a GRC tool, you don't go turn it on and add in all of your compliance things at the first. You go through like, we're going to add our SOC 2, we're going to add our ISO 27001, we're going to add PCA.
And you do it in steps. As you're taking that data, it's the same thing. Okay, we've implemented a SaaS management tool. Here's the first milestone that I want. And so it's not just about the implementation. It's like once you have that data, what are you then turning and using that data and setting the milestones internally for you to continue to drive adoption, drive usage, drive efficiency, and get people the information they need to be more efficient in their own areas of business. So it's stop focusing on the next new shiny. Start thinking about the tools that you have. How are you using them to the best ability? And if they're not tools that are helping you drive that, or not tools that are helping you match your objectives, get rid of them.
Cory Wheeler: Steve, you've hit the ball pretty far. You've gone around first, second, and third, you are coming home, and I'm going to throw you a softball here. CISOs typically report to the CIO. After everything you've explained today and what you've talked through, should CISOs report directly into the CEO?
Steve Gentry: So there's a study that just came out recently that the previous year, 8% of CISOs reported to the CEO. With the latest study, 5% of CISOs report to the CEO. Part of it is there are still too many Chicken Little CISOs out there, but they're becoming fewer and fewer. One, no, I don't think the CISOs should sit to a technical role, whether we're talking CIO or CTO. Because part of the problem is they keep seeing security as a technical job, and it's not. There are very technical team members in our organization. Product security, information security, portions of our compliance organization. There are people who have to be very technical to do their job. It is not a technical job. I would like to see more CISOs sitting at the CEO. One, we need to do better at focusing on the business instead of security and privacy. We got to get rid of the blinders on our own parts and start being business leaders. But I'm going to use an example. If you asked the CTO or chief product officer, the CROs, if you would let them make decisions for your area of the business, if you see them as a business leader. And I've been asking this question. I was at Black Hat last week and I was asking different folks, and they're just like, "Oh God, no. No, I don't want them." They're really good at selling. We give other executives a pass on that they're not necessarily broad scoped. They're just really good in their area, but they're being mentored. We need to think we need more mentorship of CISOs, when we're taking these people who have typically come up through technical roles. They haven't really been mentored in the soft skills aspect. Ultimately leading a business is about having an expertise in an area that you can drive through, but also having the skills, the soft skills to be able to communicate that out and why it's important to the business. We need to start mentoring these CISOs.
So yes, I'm going to 100% advocate that CISOs, if you want to treat them as a C-level, then treat them as a C-level, have them report to the CEO. But you got to make sure that you're mentoring them. And give them a little bit of leeway, but be clear what expectations are. If you're coming in and you start pulling your Chicken Little shit, you're going back to the kid's table. Everything is not a risk. And so it's being able to be clear with expectations, but give them... A lot of us have been through, and we've worked with every area of the business. I'm a customer-facing CISO. I work with the go-to-market organizations. Whether I'm doing speaking engagements, whether I'm on the phone with a customer. I work with finance and accounting, I work with legal, I work with product, I work with engineering. Pick any other C-suite member out there and I have to work with them as part of my role. We're still considered like, oh, you're the technical folks. But you really don't want me writing code anymore. It has been since the late '90s, the last time I wrote code. Trust me, you don't want me doing this. You'll probably get a hello world out of it. Anything other than that, it's probably going to burn the product to the ground.
Meredith Albertson: Well, Steve, we've got a lot of listeners who I think today are on the same career path as you. And you talked about mentorship. I'd love to get a mentorship moment from you. And what do aspiring chief security officers or CISOs, what do they need to be thinking about today in order to get prepared for that next step in their career path?
Steve Gentry: Yeah, it's a great question. And this is going to be the world according to Steve. One, it's stop trying to focus on your certifications. Personal certifications are not the key to your executive role. It's how are you building your executive presence? There are enough companies out there that have these programs that focus on executive presence and executive presentations. So not just your presence when you're there, but your presentation skills. Learn if you've got an angst. I have huge anxiety over public speaking for about the first two minutes as I'm into something and then I'm just rolling. I forced myself into that habit. I've been on stage so many times and over the years, and I forced myself early because I'm very much an introvert. But I love doing these things because I want people to be successful. So it's finding ways to get out of your comfort zone to focus on those soft skills. And if you're like, well, what does he mean by soft skills? It's your presentation ability. It's being able to tie things to business objectives. It's being able to build your business acumen that you have that are these things that are lacking in a technical role. Go focus on those. I've got people that I'm talking to after coming out of the Black Hat conference where I was just like, I've got some ideas for you to get your next level. I was mentoring someone as part of my succession plan to drive them into the next role. Putting them in front of the board at times to get them that practice. So just stop focusing on the technical of your certifications or not really what's there. Start learning what it actually means to work on your soft skills, your presentation skills, learn how to speak.
Meredith Albertson: Yeah, I love that. And I would never have pegged you as an introvert. Well, thank you so much for being with us today. Just your insights, your perspective, your mentorship to our listeners has been incredible. We'd like to close out today's episode with, we like to do something a little bit fun, learn more a little bit about you personally, with a set of rapid-fire questions. So we're just going to kind of spit out a short phrase or word to you and we want to hear the first thing that kind of pops into your mind. So you ready to go?
Steve Gentry: Sounds good.
Meredith Albertson: All right. If you were not a CISO, what would you be?
Steve Gentry: COO. Just running it all. It's one of those things that I don't really want to be a CEO again, I want to be the power behind it. No, just kidding. It's that strategy portion side of the house. It's that how are we taking all of these things that we have going on and applying them to a business practice and that has multiple applications across the company.
Cory Wheeler: All right. Spreadsheets.
Steve Gentry: Just painful. First word that comes to mind is painful. Next word that comes to mind, pivot tables. Seriously, just talk to finance folks and everything. We're still running so much of a business off of spreadsheets. Even large corporations rely on spreadsheets way too much when there's ways to automate those processes.
Meredith Albertson: Other than your barbecue, what is your favorite style of barbecue? I'm just saying, I live in North Carolina.
Steve Gentry: It depends on what I'm eating. I don't want to get pulled pork from a Texas barbecue place. I'll hit brisket. So it all just depends on style. So my style is all over the place. As I'm doing my own barbecue, I've picked up things here and there. So I don't have a favorite style except depending on what I'm eating. But yes, I actually prefer a vinegar-based barbecue sauce when I'm eating pulled pork. Or mustard-based. I got to throw that in there as well. Vinegar-based and mustard-based when it comes to pork.
Cory Wheeler: What's your favorite thing about living in Utah?
Steve Gentry: It's been an interesting transition. It's a good thing. My Jersey accent has stayed hidden this whole time. Utah was very slow-paced when I first moved here. It's like, oh, okay. But one of the best things about living in Utah is their idea of bad traffic is hitting like 35 miles an hour on the freeway. They don't get traffic like we do in the Bay Area or New York, Chicago, Atlanta, plenty of other places that I've lived or spent a lot of time. It's good. Every state's got its good and its bad, but Utah has grown on me. It's home. And we built our retirement home here just recently, and so it's fantastic. I've really enjoyed Utah.
Cory Wheeler: Good clean living. I would agree with that. Well, Steve, listen, going through the themes that you've addressed, data being greater than opinions, gaining efficiency off of that data, really talking to us about third party risk and the perspective of a CISO that is more of a business leader rather than fear, uncertainty and doubt driver and Chicken Little. I think your perspectives are really refreshing, are really comprehensive, and I think lend themselves very well to the success that we've had. We are so fortunate that you've joined us today, so thank you so much. And we look forward to chatting again with you soon.
Steve Gentry: It's been an absolute pleasure. I appreciate the opportunity you guys provided.
Cory Wheeler: Did you enjoy the episode? Pass it along to your friends. Subscribe to get notifications for the latest episode. Share your favorite takeaways and join the conversation on social media using hashtag SaaSMe Unfiltered.
With all the potential threats to your organization, it’s easy to fall victim to the Chicken Little mentality. But expounding “the sky is falling” only drives you further from your security goals. That’s why seasoned Chief Information Security Officer Steve Gentry believes security leaders must be business leaders first. In this episode, Steve explains this philosophy, the importance of data over opinions, and how to drive efficiency across your organization with SaaS.
- [00:00 - 01:47] Introduction to Steve Gentry, CISO at Clari, and many-time founder
- [01:58 - 04:23] How Steve got started in security at an IS service desk
- [04:25 - 08:24] What's required to be a good CISO beyond the standard job description? Discussing Steve's business savvy.
- [08:26 - 13:35] Why data is greater than opinion and how it helps Steve support more strategic operations
- [13:41 - 18:16] Steve's go-to data sources and tools, and the role of data to a company
- [18:16 - 22:38] Driving business alignment with executives using data
- [22:38 - 25:43] Building a foundation for success with data, and recognizing growth with operational efficiencies
- [26:43 - 31:10] Agility, and why Steve's gone all in on SaaS management tools instead of running off manual tracking and spreadsheets
- [31:17 - 34:22] Third party risk management, why is it so strategic to most businesses?
- [34:22 - 38:28] Staying on top of the entirety of risk management, security. How great vendors and other resources simplify the process
- [38:29 - 41:03] A focus on diligence, leveraging insights and automations in SaaS management
- [41:01 - 44:22] Should CISOs report directly to a company's CEO?
- [44:22 - 46:12] Mentorship and what future CISOs need to do to prepare for the next step in their career
- [46:17 - 49:23] Rapid fire questions and closing