Martin Fisher

Closeup image of the information security veteran “Martin Fisher.”

“I do not believe that groups of people make decisions—people make decisions.”

Twitter: @armorguy
Website: www.linkedin.com/in/martinjfisher

Martin Fisher is a 20-year information security veteran who has worked in the commercial aviation, finance, and healthcare delivery industries. He was a founding host of the award-winning Southern Fried Security Podcast for 10 years, has appeared on NPR's “Science Friday with Ira Flatow,” and has spoken internationally on a variety of information security topics. He has led a variety of teams through significant transformations and helped create high-performing teams of engaged and effective security professionals.

Do you believe there is a massive shortage of career cybersecurity professionals?

Yes, there is.

That said, I don't think cranking out 60,000+ new CISSPs is going to fix the real underlying problem. That problem is that our current generation of security technologies hasn't matured to the point where we can reliably automate responses across all environments. I think the current focus on creating mills where we turn people into “security professionals” is an almost decent bandage to the problem, but we're ignoring the fact that we need to better integrate security into all aspects of IT operations. Let's be honest—security operations is a subset of IT operations, and until we realize that and develop/adopt the kinds of automation and processes that make IT operations (like DevOps) a practical reality, we will always be behind the curve.

What's the most important decision you've made or action you've taken related to a business risk?

What comes to mind immediately may seem small, but it changed the way I think about risk.

When I was the CISO for a hospital, we once got a frantic call from a presurgery unit because one of the devices monitoring a patient was showing a malware infection. The screen that had the data for the patient was being overlaid by a warning from the endpoint security tool. The tool wanted to do a reboot, but that had a chance of creating a patient safety issue.

What do you do? Do you protect all of the other devices on the network, reboot and clean the device, and have the clinical team monitor the patient differently? Do you quarantine the device?

What I decided to do was remotely remove the endpoint software from the device so it wouldn't alarm during the rest of the procedure. Then, and only then, we cleaned the device. We also started monitoring the rest of the environment closely to see if the malware was spreading. Thankfully, the patient had a great outcome, the malware didn't move, and we got everything cleaned up.

I've told this story before, and I almost always see one of two reactions. The first is “Wow, that makes sense,” and the second is a mix of bewilderment and dismay that I somehow allowed the Bad Guy to win. The lesson here is that the point of information security is to support the goals and objectives of the organization. At a hospital, that's “we heal people—we do not harm people,” so that decision was the right one.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

I look for what data is available to inform the choices. I have a small cadre of trusted staff who have very different viewpoints than I do, and we discuss options, outcomes, and pitfalls. We try to come up with different responses and what the likely results will be for each. We have Plan A, Plan B, Plan C, and so on.

Then I decide. I do not believe that groups of people make decisions—people make decisions. I value the input of my team immensely, but, at the end of the day, I am responsible. If the decision was the correct one, I will let the plaudits fall on my team, as they are usually the ones doing the actual work. If the decision was faulty, that is my responsibility alone.

That is what leaders do.

What's something that you struggle with as a leader, and how do you overcome that?

I'm entering a stage of life where many times I am the oldest person in the room. It's easy to use the “I have experience” or “How could you, Young Person, possibly have insight on this?” crutches to control conversations and drive decisions. Some/many/most people wouldn't even realize I was doing that.

However, as Admiral Ackbar tells us, “It's a trap!” I do have experience. I have seen a lot. But the younger folks on my team have a different set of experiences and (even more importantly) a totally different worldview than me. If I dismiss their ideas, their experiences, or their perspective out of hand, I have wasted a valuable resource that the organization pays a lot of money to make available to me.

How do you lead your team to execute and get results?

Most everything I do in this arena is built on what I learned as a young officer in the United States Army. You lead your team by example. You set high expectations, provide resources and support, and then get out of the way. I am routinely stunned at how much my folks do with what they have to a level of quality that exceeds my wildest expectations. What's even more, they usually do it in a way that bears little resemblance to the way I thought it could be done.

As an individual contributor (and yes, leaders are also individual contributors), I always alter my style to fit into what my leaders want/need/expect. Not every boss I've had uses the same methods I do. In fact, some of the best bosses I've had had wildly different leadership styles that I was able to adapt to and succeed.

Do you have a workforce philosophy or unique approach to talent acquisition?

I have to give a lot of credit to Michael Auzenne and Mark Horstmann of Manager Tools (www.manager-tools.com) and their “Effective Hiring” series of podcasts in shaping how I currently hire people. Focusing on reasons to say “no” about a candidate versus looking for a “yes” radically shifts how you evaluate candidates for a complete fit and minimizes the chances of the dreaded Bad Hire.

Retention is a function of creating challenging work environments and decent work/life balance and supporting the career growth of your folks. Sometimes that means changing their roles. Sometimes that means helping them find a role outside of your organization. It always means creating a team culture that knows the leader cares about the team individually as career professionals.

Have you created a cohesive strategy for your information security program or business unit?

Yes-ish, because the strategy is always evolving and is never fully set in stone because the strategy of the business is always evolving and never fully set in stone.

We ensure that our program is aligned by always gut-checking ourselves with our corporate values. I'm a CISO for a hospital system. Patient safety is always the highest priority. Ensuring quality of care comes second. Protecting sensitive data comes after that. Looking at our program through that lens ensures that we are aligned with every other department in the organization. Those departments know we're aligned, and that makes collaboration with them to resolve difficult problems easier than the traditional adversarial relationship security had with other groups.

What are your communication tips for interacting with executive leadership?

Know what your executive leadership cares about. They probably are not interested in how many malware infections your endpoint security system squashed last quarter. They probably do care that outbreaks were identified, contained, and eradicated; that your cost projections were accurate; and that you didn't cause operational impacts.

Speak the language of executive leadership. The days of impressing C-levels using “security speak” are long over. You need to know how your organization makes money and be able to speak in those terms. As a hospital CISO, I need to be able to use the language of safety and quality to describe what we do and how we do it.

Listen more than you talk. I'm shocked how many people believe that the five minutes they get with a CEO/CFO/COO needs to be a mini-TED talk versus realizing that listening for four minutes about what that executive really wants is insanely valuable.

When your team did well, use the pronoun “we.” When your team screwed up, use the pronoun “I.” Never should you ever do the reverse. Executives see through that and (rightly) judge harshly.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

The hospital term is rounding. I go and visit people on a regular basis to talk to them. I keep my commitments to them. I work to understand what is important to them, and they understand what is important to me. Professional courtesy is a thing that's super helpful and too often neglected up, down, and laterally in business relationships.

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

Of course! Revenue generation is what keeps businesses alive. If you build positive relationships in advance of the challenge, they know you want to protect them and that you realize the value of what they are trying to do. We call this “Don't say no. Say ‘not like that’” on my team. We must help revenue generation teams generate revenue safely. Otherwise, we have negative value.

Have you encountered challenges collaborating with technology teams like information technology and software development?

These are some of the hardest challenges to handle. Technology teams are desperately trying to accomplish their goals, be they reliability, deployment, innovation, and so forth. They get so laser focused on that goal that they perceive any delay or obstacle as true evil and will sometimes do crazy things to get around it.

The most effective solution I have is in the other key phrase we use on my team: “Guardrails, not speed bumps.” Think of it this way: speed bumps really don't accomplish much other than damage the undercarriage of your beloved low-slung car. Guardrails, on the other hand, will let you drive as fast as you can and, should you lose control, prevent you from crashing to the bottom of the rock-filled canyon. Your car will be damaged, but you will not die.

The extension here is that our security program creates baselines, expectations, and guidelines but doesn't judge a solution. We will collaborate through the life cycle of the project and warn the project team when we feel they are getting too close to a guardrail. Should the team hit the guardrail, we will help pick up the pieces. The team has control of their fate. That empowerment builds the best relationships.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

So many.

I look for books that have compelling characters who face challenges and lead through them, be they fictional or biographical. I also look for books that suggest actionable behaviors I can emulate or help develop thought processes I can use.
