Ostendio CEO, Grant Elliott, discusses the role of a CISO
Should we be hiring more operational CISOs instead of technical CISOs?
On this "What's the problem?" podcast, Mike Krass interviews cybersecurity professionals to understand what problems they face in today's connected world. From security practitioners to folks working on the business side of security, Mike explores their qualifications, asks them to name and explore a key security problem before wrapping up each episode with a fun question ("Tell us about the worst haircut you've ever had"). These punchy, 10-to-15-minute episodes are meant to educate and inspire those working in the world of cybersecurity.
Grant Elliott from Ostendio joins us to discuss how an effective CISO is an operational CISO. Your organization can have all the correct technical systems in place, but if you are missing proper administration, you'll always have vulnerabilities.
Mike Krass: Welcome to "What's the Problem?", the podcast where we dive deep into the most pressing issues facing cyber and data security leaders today. Each episode, we're joined by a guest expert who will share their insights and their experiences on the challenges that they're currently facing or have seen in the world of security. Whether you're a seasoned veteran or a new leader to the field, this podcast provides valuable info and some strategies to get your organization to the next level. So join us as we explore the ever-evolving landscape of cybersecurity and discover new ways to tackle problems that keep us up. This is What's the Problem. I am your host, Mike Krass. Let's get started. Today, we are joined by the one, the only Grant Elliott of Ostendio.
Mike Krass: Grant, say hello to our listeners.
Grant Elliott: Hi, everyone. Great to be here.
Mike Krass: Glad to have you, sir. Now, our first question is always the same for all of our guests. Grant, can you tell our listeners why you're qualified to talk about security?
Grant Elliott: Sure. So I, about 10 years ago, founded a company called Ostendio. Ostendio is a cloud-based security management platform. And we help organizations build, operate and demonstrate or showcase their information security programs. Prior to that, I spent a number of years as both the Chief Operations Officer and Chief Information Security Officer of a digital health company. I had my fill of going around and completing security programs, conducting security audits, and demonstrating risk assessments to our various clients, many of which were in the healthcare space, so providers, payers, pharmaceuticals, etc. So a lot of experience living in this world.
Mike Krass: The CEO and the Chief Information Security Officer. That's interesting, Grant. I think that's actually a great jumping off point for our discussion today. We were talking offline, and you said that we should be hiring more operational CISOs instead of technical CISOs? Why would you say something like that?
Grant Elliott: Yeah. And first of all, this is not to bash anyone with a technical background. I think it's really interesting because, when I talked to lots of CISOs, the kind of conclusion I've come to based on my background is that 85% of the challenges today on operating an effective security program tend to be administrative. Technology has evolved today at an amazing rate, where the tools that we have available to us are significantly more sophisticated and easy to implement than they ever have been. In fact, some of the challenges we have today are not necessarily the complexity of the individual tools that we work with. It's really just how many there really are and how many we're operating. This actually kind of conveys a logistical challenge more than a technical challenge. One example to give on this is, if you're old enough, as I am, to think about encrypting a laptop. When laptops or desktops first came on, you actually had to pay for additional services to basically encrypt. Many laptops weren't encrypted when you bought them. You had to buy additional software. And as a result, many laptops weren't encrypted. Well, today, every single laptop that you buy, just about, seems to come with encryption software. And so it's not something that people necessarily need to think about today. And so I think, when building a security program, the biggest challenges are operational.