I’m delighted to announce the latest member of my CISO Advisors team, Bruce Brody. Bruce joins us with three decades of proven security leadership under his belt. He was the first executive-level CISO at the Departments of Veterans Affairs and Energy, and has had more recent success as CISO at Cubic Corporation and DRS Technologies.
Bruce’s role will be to help Cisco’s customers refine their security strategies, calling on his experiences and insights to guide them on key decision making.
He will also be a contributing member of our CISO Connections community and will add his voice to this new executive council which is comprised of security leaders from all over the world.
I recently sat down with Bruce and had a chat with him about his cybersecurity career, and the issues that he’s most passionate about:
Cybersecurity wasn’t an industry I ever thought I would end up in, mostly because it didn’t exist until my later career. For a long time I worked in the Department of Defense, and we were doing what was then called “information assurance”. We didn’t know what cybersecurity was yet.
In our early days, we were essentially fooling around with trusted systems and trusted computing. There was a lot of exploration and research and testing – in other words, trying to break as many things as possible. From there, I must have broken enough things, because I worked my way up to become the Chief of Information Assurance.
Soon after, I was able to move to the civilian side of government, to the Department of Veterans Affairs, where I became the first Chief Information Security Officer in the US federal government. Eventually, I became a CISO four times over.
Oh, wow. Have you got a couple of hours? For the sake of brevity, I’ll stick to the main highlights.
When I got to the Department of Veterans Affairs, I was learning how to be a CISO for the first time, because it hadn’t been done before. I was dealing with 40,000 physicians, and physicians are extremely intelligent people. Yet, they can explain difficult things at the eighth grade level. Of course, it’s very difficult to explain cybersecurity along with its requirements, drivers and mandates at the eighth grade level. So, I learned from our physicians about how they did it. I essentially learned the equivalent of bedside manner. This allowed me to communicate clearly about security to people who weren’t experts in the subject.
Years later, I went over to the Department of Energy. Here, I was working with Nobel laureates and physicists. And again, physicists could explain physics at an eighth grade level.
When you’re explaining cybersecurity, you have to overcome the barrier of “What’s in it for me? What’s the why? What’s the value proposition? Why does leadership need to be concerned about this?” It’s similar to the barrier that physicists have to overcome – so I became their shadow, and learned how to communicate security in a simple manner, from a community of brainiacs. It helped me enormously.
As I moved forward in my career, I landed on both sides. I’ve been in the back office as a CISO, and I’ve also been in customer facing roles where I was at one of the Big Four (PricewaterhouseCoopers). I was working with CISOs, and helping them build, optimize, or transform their programs.
Being on both sides of the fence, in terms of understanding cybersecurity at its molecular level, was incredibly helpful.
I have 30 years of cybersecurity knowledge and experience that I’d like to give back, and use to help others in our industry. I’d been looking for a while for the right platform in order to do that. Cisco is one of the largest security companies in the world, so it’s a really great platform for me to give back all that experience. I think it will be a good marriage!
I actually learned my general approach in the Department of Defense, when I was part of the program that created what we now call drones (back then they didn’t fire missiles).
I was working on the quadrennial defense review. We learned in the course of our research that the time it took from when we identified a target, until when we could launch an aircraft to destroy that target, was way too long. In particular, it was the Iraqi rocket launchers that we were concerned about at the time.
What we needed to do was devise an approach where the sensor could actually be the shooter, so that once we found it, we could destroy it. And without waiting to launch an aircraft from a carrier that was 1000 miles away.
That kind of problem-solving approach involved parking everyone’s ego at the door, leaving your prerogatives behind, and focusing on the mission and the outcome, i.e. how do we achieve maximum success? That’s how I’ve approached almost every problem that I’ve dealt with in cybersecurity.
It’s about the organization’s core mission, how best to enable it, and how to reach the desired outcome. It’s not about cybersecurity, your ego, or your paycheck.
This also showed me that security for the sake of security never gets you anywhere. It’s always got to be security for the sake of a specific outcome, i.e. how do you enable something with security, rather than impede something with security? And how do you make a process better with security? How do you help the organization achieve its financial goals by adding security to its processes, capabilities, and tools? Those are the kinds of things that drive me all the way.
It would be the focus on the delta between compliance and risk management. Often, we get blinded by compliance. Compliance is important, we have to do it. It shows that we’re doing the diligence we need to do to manage risk in the computing enterprise.
But compliance only takes you so far. The actual measure of effective risk management is how well your processes are based on all the business drivers that need to be considered. Compliance is sometimes a distraction from sound risk management.
This whole field of governance, risk and compliance is something I’ve spent a lot of time in, especially when it comes to the NIST Special Publications, in which I’m fluent.
I can show you a system that is completely compliant. And that enterprise is extremely vulnerable. So that’s the concern I have – that delta between compliance, and actual risk management.
I spent almost a decade at the Defense Intelligence Agency. And the culture there is extremely security aware. But they also operate at a classified level. So it’s very difficult for any of their systems to be penetrated. Usually, their problem is the insider threat.
But the issue of cybersecurity is that it’s a people problem, first and foremost. Even if you throw technology at the problem, you still need people to manage or optimize the technology. Policy is how people should behave. But that’s not necessarily how people actually behave. So that’s where culture comes in.
A culture that comes from the top down, and emphasizes security as an essential component of the business processes, is absolutely imperative when it comes to making sure that your enterprise effectively manages risk.
Some people dread that hour that they have to spend every year, taking a little security quiz. It means nothing to how they actually do their job or live their lives.
Security awareness training has got to be fun. And it’s got to be interactive. And it’s got to be engaging, with strong storytelling, while baking it into their work life balance.
I’m relishing the opportunity to interact with CISOs and security leaders, and continuing my engagement in that community, while building new relationships. I’m also keen to participate in the relevant industry events, put out some thought leadership, and do some public speaking.
If you would like to speak to Bruce, and/or join our CISO community, please visit our dedicated CISO Connections page.