Matthew Sharp and Kyriakos “Rock” Lambros had very different starting points to their cybersecurity careers, but there is one thing they agree on: there is a dire need for CISOs to gain business knowledge, to understand the business they operate in, and therefore to be equipped to effectively communicate security needs to the Board and garner support for their programs.
The co-authors of The CISO Evolution: Business Knowledge for Cybersecurity Executives (which was recently featured in the Forbes Executive Library) share what inspired them to write the book, their personal evolutions as CISOs, and answer the question: do we need more business-savvy CISOs or technology-savvy Board members?
Tune in to this episode of Ask A CISO to hear:
- Why it’s necessary to evolve into a CISO who can combine technical expertise with business savvy
- How they came together to write the book, the writing process, and their favorite chapters
- How you can use that business knowledge to understand the audience and connect value to your security program
- The answer to whether organizations need more business-minded security executives or more security-minded Board members
About The Guests:
Matthew Sharp
Matthew's role at Logicworks includes responsibility for overall security strategy, internal and client environment security architecture, and oversight of the global security function.
Matthew has served as a strategic advisor to CISOs of Fortune 500 and global institutions.
Matthew has an impressive list of certifications, including C|CISO, PCI QSA, CISA, CCSP, CIPP, CISP, and even PMP.
Kyriakos "Rock" Lambros
Rock’s experience includes building security programs, architecture, operations, threat intelligence, governance, risk management, compliance, and incident response for multi-billion dollar global organizations spanning energy, eCommerce, government, banking, and manufacturing.
"Rock" serves as a corporate strategy and cybersecurity advisor on the board of several stealth-mode startups. He is also a member of the Secure Smart Cities Advisory Board at the National Cybersecurity Center.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Hello, everyone, I'm Paul Hadjy, the host of Ask A CISO. Today we have two esteemed guests with us. First we have Matthew Sharp.
Matthew is the CISO at Logicworks, and co-author of The CISO Evolution. He hails from Brooklyn and has been in the IT industry for more than two decades. Matthew's role at Logicworks includes responsibility for overall security strategy, internal and client environment security architecture, and oversight of the global security function.
Matthew has served as a strategic advisor to CISOs of Fortune 500 and global institutions, and Matthew has an impressive list of certifications, including C|CISO, PCI QSA, CISA, CCSP, CIPP, CISP, and even PMP.
Thank you, Paul. Good to be here. I appreciate the opportunity.
Yeah, great! Glad to have you. And we also have Kyriakos “Rock” Lambros…
Kyriakos “Rock” Lambros
You nailed that!
Yeah, my father is from Greece. I assume that's a Greek thing, but I'm guessing. Rock’s experience includes building security programs, architecture, operations, threat intelligence, governance, risk management, compliance, and incident response for multi-billion dollar global organizations spanning energy, eCommerce, government, banking, and manufacturing.
“Rock” serves as a corporate strategy and cybersecurity advisor on the board of several stealth-mode startups. He is also a member of the Secure Smart Cities Advisory Board at the National Cybersecurity Center.
Outside of work, “Rock” enjoys American football, soccer, and martial arts.
Kyriakos “Rock” Lambros
Thank you, Paul.
Cool. Great to have two of you here today, it’s the first time we've actually had two guests on the show at the same time. So looking forward to this. Just to start it off, kind of like get to know each other, can you tell us a bit more about yourself? I'll let you go first, “Rock”.
Kyriakos “Rock” Lambros
From a career background perspective, you kind of nailed it in my bio. Started off in the industry way back in the early 2000s. You know, soon after 9-11, frankly, that's what kinda got me thinking that I needed to get into this type of space.
Instead of the knee-jerk reaction to go serve in the military, I was like, you know, this whole cyber Internet thing, that's this newfangled thing now it's probably going to be the next battlespace. And fortunately for me, one of the good premonitions I had in my life, and I’m still living here 20 years later.
So, thank you for having me.
Yeah, of course, it is a good choice on that. Similar career path, just a couple of years later. How about you, Matthew?
So we talked a little bit about this in some of the writing that we've done, but I had essentially the opposite career path as “Rock”.
So he was an operator and became a consultant, and I spent the first decade or so of my career in consulting after a short stint in some software development. And then, more recently, became an operator obviously at, you know, Crocs and now with Logicworks. So I've been in a cybersecurity leadership role for the last eight years now.
Wow. That's crazy to think of. So yeah, that was the, and anyway, we talk a little bit about path dependence and kind of where you came from limits your options and also helps develop your thinking. And so, essentially “Rock” and I are complete opposites in that regard.
Tell us a bit about how you met, considering you guys are quite far away from each other, at least in the U.S.
I used to live in Colorado, so we would stumble into each other a couple of times at CISO roundtable dinners and things like that. But really kind of what brought us together more tightly, a friend, Merlin, put us as two guests on a panel back at RSA 2020 and that's kinda the thing that really pulled us together tighter.
Kyriakos “Rock” Lambros
Yup, and then after RSA 2020, you know, the world came to an end, and our passion project was the book that you see over Matt’s shoulder over there.
Yes! Convenient placement that matches our little plaque which is from our first office, which is now in my home office.
So tell us a bit more about the book, The CISO Evolution, and why do CISOs need to evolve? What aspects of their responsibilities are evolving? Curious to hear your thoughts on that.
So the book is, is basically our attempt to make MBA concepts accessible to cybersecurity people.
And over the last decade or so, it became really apparent that we need to take a more prominent role inside of the business, but in order to do that, we have to be able to interact at an executive level. And so as we've continued to get exposure to the executive ranks and in the later parts of our careers, and then also via consulting, spending more time with CISOs and see what they're struggling with directly, it just made sense for us to try and break that down.
So that was the endeavor basically.
Kyriakos “Rock” Lambros
Yeah. we see some common symptoms in the industry with regards to CISO burnout, misalignment of cyber security programs through organizational strategy, a misperception of where cyber really lies within the organization. Are we the end all and be all? Absolutely not.
But you know, a lot of CISOs take risk decisions personally, right? Because we're the ones that are on the hook and, you know, kind of the genesis of the book was how do we distill quickly concepts to CISOs that allow them to elevate their conversations within the organization that will then allow them to elevate their programs and funding for their programs and started alleviating all the symptoms.
Yeah, definitely true. I mean the executive presence and the ability to explain cybersecurity risks to business executives is a unique skill that not many people have, but of course, a very important one, a hundred percent agreed on it.
How did you all evolve and tell us a bit more about your personal journeys as evolving CISOs?
Kyriakos “Rock” Lambros
So I started off my career as an Oracle DBA, frankly, and then, as I mentioned, after 9-11 I kind of made that shift to cybersecurity, but that really started with data security and database security, which then migrated into systems administration that sits with security, which then migrated into network security and operations. And then, you know, GRC functions, and that allowed me to grow into a CISO role at one of the gas companies here in Denver, where I built up both the IT and OT security programs. So the kind of the operational technology side.
And along the way I realized, kind of more and more, that you can learn technical skills anywhere, right? Like on-the-job training, I have plenty of access to technology. But for me to grow, I definitely, you know, I had the concept that I definitely wanted to get a Masters degree, and it was really like: try and do it in a technical field like computer science or a cybersecurity Masters or whatever, or do I want to try and round myself out from a business and leadership standpoint?
So for me, my personal choice was to get an MBA, and that really allowed me to start seeing cybersecurity from the perspective of the overall organization, and how it fits into other risks that the organization needs to deal with.
Oh, and other initiatives, right? Like why, why spend a dollar on security when I can spend a dollar on sales and marketing? How does that fit or how do the decisions I make affect the revenue generation engine of the business?
And frankly for me, that MBA kind of propelled me into management and leadership. And open at least open the opportunities for those conversations.
And then obviously I had to step through the door. But that's kind of how I evolved over time. And, you know, the premise of why we wrote the book is you don't need to go spend whatever, 60 grand or 100 grand, to get an MBA, but here are the key concepts to learn and how they apply to cybersecurity.
Well, that's awesome. And you mentioned a couple of things that I wanted to comment on, like an Oracle DBA. I still have nightmares about being inside of a SCIF and troubleshooting ORA 1, 2, 3, whatever error number, outside, finding some weird thread, and then having no clear answers to what that error means. I don't know why they couldn't just write error messages. Very frustrating.
Kyriakos “Rock” Lambros
I remember I still have PTSD as well. There was one particular Oracle error number, I forget what it was like 1066 or something where it was just an immediate call to support. It was just like, forget troubleshooting, immediately call support.
Yeah, the other experience I had is like one time I changed the hostname on our Oracle Linux box.
And for everyone out there don't do that, it's the most painful thing. Nothing happened for three days, but then all of a sudden you couldn't write to the database. It was an interesting experience.
And the other thing you mentioned, I think that is important to recognize is explaining to people why security's important.
One thing that I think a lot of people don't think about, but I actually have written about myself in some of Horangi’s content, is that security is a sales enabler. Which I truly believe. And we just thankfully got our SOC 2 certification last month, and kudos to our security team for getting that.
Within a month of getting that, over like 25 of our customers actually asked for the report as part of the due diligence process. And that sped up and actually helped us win a couple of deals, because we had a SOC 2 certification and our competition didn't.
So I really think that's important for CISOs to think about and explain to executives, but also for executives to think about when investing in security that it actually can be, and it is, especially in B2B, a sales enabler.
Kyriakos “Rock” Lambros
Matt can attest to that. I don't know how much Matt can share, but he's been in some situations recently where his company has some big wins as a result of the security program and the security function and the support his team lent to the sales process.
Yeah. I mean I was having a conversation actually yesterday with our Chief Revenue Officer and just locking in his mind and making sure that we were square.
Well, over 85% of the revenue at Logicworks is dependent on some variant of cybersecurity. So most of the cloud workloads that we operate on behalf of our customers end up being tied to some kind of complex regulatory environment.
So, certainly, as we look to go upmarket and to scale our, you know, take down some big fish and whales or whatever, you've got to have all the bona fides, you've got to have the credentials.
And often, I mean, you, Paul, you're probably seeing this: having the SOC 2 keeps you on the shortlist, but you still have to do the selling and build the trust in order to secure the business. So, really, I find myself playing two roles in the sales cycle. The first one is to basically keep us on the shortlist to qualify for the deal, make sure that we're a qualified provider.
And then on the back end of the deal, it's about making sure that we've inspired enough trust to let customers feel confident that if they put their information in the cloud that we're going to manage that it's going to be well taken care of and compliant, you know? So yeah. We're absolutely seeing exactly what you're saying.
Yeah. It's hugely important. And you know, obviously like, you know, a lot of security companies, all three of us of like, there's an element of, we have to practice what we preach and we all try to do that.
So congrats very much on the launch of your book. I know you mentioned you started writing it in 2020 after you met so that was a completely during-the-COVID book. So tell us a bit about how the process was and like what were some takeaways for listeners out there in terms of actually sitting down and writing a book?
Yeah, we, I mean, so we started meeting shortly after the conference. “Rock” said, “Let’s write a book!”
And if I'm honest, I didn't really think we were going to do it. I thought we'd hang out and have a couple of conversations. And so over nine months we sort of brainstormed maybe an hour or two every Friday we would get together and we would have conversations and it sort of like pulled it all together.
And then we went out and sold the idea. We sold an outline. We didn't sell a book to John Wiley and Sons, which is, you know, a well-known tier-one publisher. And so then, once that was locked in, the cadence of communication and the effort really, really started to go into high gear. But previous to that, it was probably, I don't know, a couple of hours a week for nine months just cultivating the ideas.
And then we split up the content. Really starting from the foundation of what content did we cover in our MBAs. And then, of course, there was a lot of overlap because you can't do an MBA without, you know, finance and accounting and strategy. And you gotta have a go-to-market plan for any business.
And so like all of those things were obvious things that we wanted to feature in the book. And so we split up the categories, we just kind of drew a line down the middle and I wrote a bunch of the foundational business knowledge content related to accounting and valuation and what have you.
And then “Rock” took on the stuff that he's probably better suited to. He's obviously managed much larger teams and been exposed to much larger organizations. So the communication and leadership stuff was a no-brainer for him.
Sounds like an involved process, and I like the idea of, sort of, getting the outline down and up for them to kind of review, and then using that to write the book.
Kyriakos “Rock” Lambros
Don’t underestimate, if anybody's out there thinking about it, don't underestimate the time commitment.
You know, for me, from a time commitment perspective, it was almost like going back and getting my MBA. Like my wife probably saw me about as often, between work and writing in the evenings. Once we had the deal we were like, oh wow, this is a real thing now: We need to write!
And it was very much, we had to keep the self-initiative going month over month to meet our deadlines, because the publisher gave us a deadline a year out. There weren't really milestones that we had to meet in the meantime; Matt and I had to set that. So we had to project manage ourselves, and that's hard to do, you know, with work and lives and just life in general in the middle of a global pandemic. So don't underestimate the time commitment if you’re thinking about writing a book.
Yeah, I would imagine…
I'll add a little bit to that. So a year sounds like… first we asked for two years, they said, no. So we said, okay, how about one?
Well, so I only wrote half a book, right? And “Rock” wrote half a book. So we split it pretty evenly and writing six or seven chapters is essentially like, you know, writing a 30-page paper every month for six months. And then you still have another six months worth of work because getting permissions is no easy task, figuring out what you want to pay for or not, or how you're going to replace that content and what you can, and can't say, and how much quoting you can do.
Like it, it turned out to be a really big endeavor there. And then I would say after we did the permission, you still have proofing. And then we ended up doing a logo design and founding a company just so that we could have a shared bank account to fund things like building a website to host the appendixes and all kinds of stuff that you just wouldn't anticipate.
So it was definitely more than writing the book. If you think about just writing, that was probably about half the work.
Yeah. I often have to write blog posts. And they're like 1,000 words, so it's nothing in comparison, but I sometimes struggle with that. So I can imagine like writing a book, it's a totally different endeavor. It's like walking up the local hill…
Kyriakos “Rock” Lambros
I immediately throw up all bullet points, but that's the type of writer I am, so I really had to kind of push myself outside of my comfort zone, and then looking back, frankly, I'm just like, how the hell did I write so many words? It turned out to be more content than I anticipated. I’ve got all these bullets in my head, how am I going to turn all these into valuable content? It remains to be seen if it's valuable.
We certainly think it is, but that was an interesting process for me.
Cool. So tell us maybe both of you can tell us what’s one key lesson that you want the readers to take away?
My favorite chapter is chapter four.
It's the valuation chapter. And we basically spend the chapter talking about first setting the groundwork so people can understand, really, the audience. So we talk about the differences between venture, PE, hedge funds, strategic and financial backing. We really do a breakdown of value from just a structured who, what, where, when, why and how.
And we highlight that in an analogy and kind of relate that to a real estate purchase. And then in the back, we talk about valuation methods and we talk about value delivery mechanisms inside of business. So, redemptions versus dividends versus, there's another one I'm forgetting now.
But basically, like, you know, you can either get paid a dividend. You can earn interest or you can grow your equity and those are the three ways that you can really extract value.
And then I think we do a great job of, in a case study outlining basically how you might sit down, analyze a financial report or an earnings call or something like that and then connect that to your business, to your cybersecurity strategy, and really think about where you're investing in controls or how you're really influencing and enabling the business to take on that next growth phase or reduce costs or whatever it is, but do it in a safe way.
So yeah, it's really connecting, you know, actual valuation, like discounted cash flow and multiples valuation mechanisms, directly to funding projects inside of your security program.
And so I think once you can make that connection, you can actually say you are “adding value” and you can say that to an appropriate audience, meaning the board who is primarily comprised of investors and independent directors, and actually be talking about the value that they care about as opposed to the value that you, as an employee you might care about or the value that a customer might be concerned about or a value that the lender who's giving you capital might care about.
I think that's the key: is really being able to understand the audience and connect value to your program. I think that probably leads into, I have a suspicion, I know what you're going to talk about, “Rock”, but I don't know, Paul, I don't know if you want to make any commentary before I hand it to “Rock”.
That's definitely interesting and stuff that I go through every day being a VC-backed company. It's interesting, challenging, but very relevant, I think for a CISO, especially if you're quite close to the business because ultimately, you know, you have to get the funding that you need to solve the problems that are important in terms of securing the revenue.
So I think it's important to understand that and be able to speak to it, which is really, I think, part of the business knowledge that a CISO needs to be effective.
Kyriakos “Rock” Lambros
So, rolling off that foundational business knowledge, we roll right into communication and education.
And communication and education is really: now how do you take that foundational business knowledge, apply it to your cyber risk management program, and tie it into an overall enterprise risk management program?
I can't tell you how many times I've been involved in an organization, or I walk into an organization where cyber is like a small little line item in an enterprise risk register. Like buried very deep.
So now that you have that foundation of the business knowledge, how do you elevate the conversation to be able to elevate the profile of cyber risk within the organization?
So we walked through COSO, which is a very popular enterprise risk management framework. We walked through COSO and all the 20 principles, and we kind of align how you would align cybersecurity to each of those 20 principles.
And the short thing is: don't even start a risk assessment until you understand the business context, understand the environment that the organization is working in. You know, is it in a high-growth mode, versus cash conservation mode because of COVID?
So understanding kind of the context of the organization, the overall strategy, which you've done and kind of the first part of the bulk of that Matt described.
And then, what I think, for me, some of the most valuable concepts in the book are: it's hard to do any of this without establishing trust and, you know, a good communication model, if you will.
You know, establishing trust allows you to build those relationships within the organization upwards and downwards, from being transparent, to say what you do and do what you say, to just, you know, shutting the hell up and listening.
Listening to the needs of business unit leaders, where they're saying, we need to create widget X, Y, Z, or provide service 1, 2, 3 to enable revenue growth in these areas.
And then formulating, providing for kind of safe communication environments where you can provide candid feedback upstream and downstream and across amongst your peers.
Because in cybersecurity, even though, you know, I appreciate not being the department of no, there are going to be times with some difficult conversations, and having that trust and understanding how to create a safe environment for people to communicate, whether it be people that you're leading or your peers or upstream, is critical.
Yeah, I agree. Question for you, Matt: Do we need more business-trained CISOs, or do we need more cyber security-aware board members?
Well, who's paying their bills, the cyber guys or the business guys, like, you know, who's hiring who?
We have to do a job of bridging the gap. I think “Rock” talks about this in the book. Really, we should have you tell this story, but his mother speaks Greek, and so he lays out basically, you know, that he owns the obligation to continue to grow and develop his ability to communicate with his mother, and through the analogy, which I'm butchering.
It really highlights that, you know, the obligation is on his shoulders and I think that's true for us as well. As cyber security people, we are operating inside of a greater context and we have an obligation to be able to tell people who are not cybersecurity experts why what we're talking about is an important thing and, in particular, how it affects them.
They don't have an obligation to tell us. We're feeling it firsthand, right? If the CFO says we're cutting costs, guess what that means? Or if the CFO says we have an excess cash flow and we need to find a place to park this cash, like, that's probably going to be an easy time to ask for some additional funding to do some cool stuff, or maybe do some experimentation, or even press forward with maybe a little bit of innovation inside your business.
So I just think the framing of the question if I push a little bit further is: do we need more digital-savvy in boards? And the answer to that is absolutely a yes. And Bob Zukis is tackling that, I think, with the Digital Directors Network and he's doing a lot of great work to help get more digital-savvy.
He talks about… 20 years ago, this is mind-boggling to me. 20 years ago, it was not a requirement to have financial expertise on a board of directors, and a large number of publicly traded companies did not have financial expertise on their boards.
So when they put that quota in place that happened and that made a big change, well, they now have a new obligation: if 60% of GDP going into the future is going to be on the back of digital transformation and that's true, I think the World Economic Forum gives some broader statistics even globally, then absolutely you need digital-savvy. And part of having digital savvy is being able to protect what you're building in order to preserve the value.
And so I would say: From that perspective, Paul, we do need more digital-savvy inside of boards, just like Bob is saying. And in addition to that, digital-savvy needs to include an awareness of cyber security.
He's done some great, great work. He talks about the difference, like being the CEO of a technology company does not make you digitally savvy. Being able to understand the systemic risks that exist inside of a complex digital environment is what he's really after.
And so I agree with that. So on one hand, yeah, we've got a bridge. We have the obligation to bridge the gap. And on the other hand, as businesses are inherently creating more and more value in a digital format, the leadership of those businesses has a natural obligation to be able to understand how that value is being created in order to accelerate it.
And if you don't understand how the value is being created, how on earth are you going to be, how can you add value to your, to a company as a fiduciary on a Board?
I don't think you can. So I mean, not that you can't, but I think you're going to be limited, right? There's certainly always the, you know, giving people access to markets or cheaper capital or offering to include additional talent that's not cybersecurity into a company. So lots of ways that Boards actually add value to a company, but not in the context that we're talking about.
Yeah, I think it's a good answer. Like you need, you need to be able to speak the language on both sides. And that's really important, especially in the modern world. Boards or, you know, in a lot of cases being held accountable for cyber security issues, as well as the CISOs, of course.
So, you know, it's important for both to be able to speak a similar language and understand both the business and the cyber security risk side of things. Especially if you're a technology company, right?
Kyriakos “Rock” Lambros
To kind of pull on the thread a little bit more: if there are more digitally savvy board members, that's inherently going to elevate the profile of cybersecurity within the organization, as they're addressing it from a systemic risk perspective, which is inherent. Are we going to pull the CISO or the security function out? Like, there's this grand debate about where the CISO should report.
And you know, my assertion is, or our assertion in the book is that it doesn't matter. It matters more about influence — how you can influence others.
But to be able to influence others, and for that kind of elevating of security profiles to be successful as you have more digitally savvy Board members, because they're going to be asking more difficult questions, it leads to requiring more business-savvy CISOs.
So the answer to your original question, you know, like two things can be true at the same time. They both need to happen.
For sure. So, last question before we wrap things up. Maybe “Rock”, you can tell us your favorite story from the book.
Kyriakos “Rock” Lambros
Oh gosh. You know, I was unfortunately in an environment once where I was in a new role and within the first week, you know, that happened at a time with like an all-hands meeting. And, you know the meeting kind of went really well and everything. And then the VP who was leading the meeting stood up and pretty much said, “Alright, does anybody have any questions?”
And before the words came out of his mouth to finish the question, he pretty much packed up his things and walked out the door. And to me, that was just like the slap in the face.
This is going to be an interesting ride, right? This is, this is not a leader. This is a project manager, and I'm, you know, it was kind of a wake-up call to unfortunately say, like, don't be that person.
And you know, sometimes you learn the most from being in difficult situations or a bad reporting structure or through failure. And I think that's an important concept to hold onto, like, what can you learn from the situation versus just, you know, woe is me and, you know, grinding away and just letting it affect you from a mental and emotional perspective.
Yeah, very true. And it doesn't sound like a great onboarding experience. We actually spend quite a lot of time on onboarding because I have a similar story about some places I've worked at where one was like a fantastic onboarding experience and the other one wasn't and definitely affected my tenure.
With good onboarding experience I can be there for like eight years. The other one was like less than a year. Right. And I think, yeah, first impressions mean a lot, especially in business. I think security is no different as well.
Yeah. So maybe give you both an opportunity to, to kind of like quickly, like tell us you know, shamelessly plug the book and where we can get it and anything interesting from that aspect.
Yeah. The book is called The CISO Evolution: Business Knowledge for Cybersecurity Executives. It's available in all major outlets. Certainly, Amazon carries it. But because it's been published by Wiley, they have direct connections in distribution to channels globally. It'll be available in digital format.
It's already up, ready for your Kindle and it'll come in other formats. And it's going to be an audiobook soon in another four or five weeks. And you can get it, you know, in all of the places that you would expect: Apple, Kindle, Audible, wherever you happen to buy.
So yeah. You know, it is what it's about. Exactly what we've been talking about. So I dunno how much more plugging I'll do there, but yeah, The CISO Evolution: Business Knowledge for Cyber Security Executives.
Kyriakos “Rock” Lambros
I’ll just add that you need to search for the entire title right now on Amazon. It hasn't gotten smart enough, and it auto-corrects CISO to Cisco. And we are most certainly not promoting any network gear in the book.
Well, we'll also make sure to post some links to the book when we post the podcast for the listeners.
Thank you, “Rock”, and thank you, Matthew, it was a pleasure having both of you on the podcast and hopefully, we'll see you again in the future.