CONTRIBUTOR
Chief Operating Officer, COO
Techstrong Group

Synopsis

In many enterprises, the CISO and security team have traditionally been regarded as “The Department of ‘No,’” with security perceived as a barrier to innovation rather than a catalyst. But establishing and building relationships are paramount to breaking down mistrust and helping organizations recover more quickly during times of crisis.

In this Digital CxO Leadership Insights video, Jasper Ossentjuk, senior vice president and CISO of NielsenIQ, discusses the importance of developing and nurturing personal relationships to advance security within an organization.

Transcript

Charlene O’Hanlon: Hey, everybody. Welcome to the Digital CxO Leadership Insights series. I’m Charlene O’Hanlon, and I have the distinct pleasure of having a conversation now with Jasper Ossentjuk, who is the Senior Vice President and CISO at NielsenIQ. Jasper, thank you so much for joining me today. Really appreciate it.

Jasper Ossentjuk: Yeah. Thanks for having me. I’m happy to be here.

O’Hanlon: Excellent. Well, thank you for being one of the initial folks to be a part of the website and the conversation that we’re having. And I do appreciate your support.

And I’m very, very interested in having a conversation with you about what you see as within your role is fundamental to kind of forming relationships and how important that is in your role as a CISO, especially, I would imagine with crisis management.

So kind of walk me through a little bit about – just tell me about how you go about interacting with folks in your organization and how you kind of work on building trust in relationships. I know that’s very important to you.

Ossentjuk: Yeah. If I can, I’ll start with reiterating the importance of trust in the relationships. And I think there may be in some cases, CISOs might over-index on the technology, certainly, CISOs of the past, and I would say the criticism of maybe some junior or newer CISOs has been heavily focused on technology, heavily focused on security controls.

And the observation I’ve come to over the years is that building trust and relationships is as important, if not more so. And some of the value there comes from oftentimes the engagement in big enterprises with a CISO happens at a time of crisis. And you don’t want to be building the trust and relationship in a crisis scenario, it’s better to have done that before the crisis strikes.

And so you want to build that trust, that rapport, that engagement in good times so that you can lean on the trust and credibility you’ve established when the inevitable challenging times occur.

O’Hanlon: No, that makes a whole lot of sense. So I know all the times when we’ve had to deal with crisis management situations in our organization, ranging from total blackouts to whatever, having to deal with the pandemic, having that level of comfort between employee and executive leadership goes a long way to just ensuring that things get done and there’s not a lot of pushback.

But it goes a level deeper because it also kind of includes a level of, I guess, personalization, if you will, for lack of a better word, there is that kind of mutual understanding that we’re all in this together. Right? I mean, it’s all about team-building in the end.

Ossentjuk: Yeah, that’s right. And I think it’s important that, especially when you engage with business leaders, they understand you’re part of their team with a focus on revenue generation, a focus on customer impact.

And if they think that you’re coming from the perspective of paranoia and security is here to block things and the sky is falling, it’s not a good position to be operating from in a crisis scenario. Yeah, for sure.

O’Hanlon: So it’s interesting that you say that so many, there are other CISOs that kind of come at their position from a technology perspective and obviously technology plays a huge role in what you do. But it’s kind of less of a focus if you will, that the CISOs are kind of focusing on the personal relationships. Now, how did you kind of come to this conclusion? Was there some sort of aha moment for you?

Ossentjuk: Sure. Yeah, I’d like to say I just came about it on my own, but really it’s a function of having made a lot of mistakes in my career. It is a function of trying to build the relationship, the trust and the credibility when bad things are happening around you and just seeing that it doesn’t work, it’s not optimal.

I’ve been the responsible party for shutting down a business application and impacting a customer because of security-related activity. It never works out well and you wind up apologizing more than you’d ever like.

And so from those sort of hard lessons, I’ve learned that it’s better to go build the relationship, establish the understanding of the business. You have to know the customers, you have to know how the business makes money, and it’s better, then, to be in a position to just have the rapport with somebody to call them up and say, “Here’s the scenario, and here are the options, and that’s the other thing.”

Moving from a mindset of must-do or sort of ultimatum kind of engagement and talking from a perspective of options with the business. And that comes a little more naturally when you have a better rapport with them.

O’Hanlon: Yeah. That makes a lot of sense. And it’s also, we talk a lot about in application development in the software realm that security is kind of the department of no, and they can’t let the applications go out without impeding, doing testing at the very last minute before it goes out to production and all of a sudden things come to a grinding halt.

So I think it’s heartening to hear that there is that collaboration that’s going on. Do you find that there are particular cultures that, the organizational cultures, that encourage this more than others or maybe not encourage, but actually kind of support this more than others?

Ossentjuk: You mean support the positive engagement, the rapport? Yeah. I think my sense is security team members can help foster this and what I think contributes to the negative side of it would be security is oftentimes really good at finding problems, really good at communicating problems, really good at talking about what the risk is, and maybe less good about offering solutions, less good about offering options, and a real opportunity to collaborate more.

And when you show up and say, “Look, here’s the bad thing. I’m going to tell you the bad thing anyway, but let’s collaborate on the resolution.” And I think that’s two different engagements than if I just say here’s the bad thing and I leave. Or if I say, “Here’s the bad thing, let’s get on the whiteboard, or let’s together figure out how to collaborate, or here are some options we’ve been thinking about to work around what it is that we’ve identified.”

I think that goes a long way to build the trust, it goes a long way to show team engagement as opposed to what I think the risk is for many security teams and that is adversarial sort of “us and them” kind of behavior.

O’Hanlon: Do you think we’re kind of moving to a culture in general in organizations where there has to be this collaborative kind of mindset? I’m thinking specifically of these organizations that have either moved to completely remote work or organizations that have kind of adopted this hybrid workforce because we all know that there are a lot of companies that are just not going to go back to in-office full-time.

And that obviously does change the dynamic, not only when we’re talking about relationships between employees and leadership, but also just the way that they kind of interact with technology and with systems and services. So how does that change what you as a CISO, how you approach building these relationships and making sure that once they have been built that they remain, that they don’t fall by the wayside?

Ossentjuk: Yeah. It definitely is more difficult now. And in the past, if a meeting didn’t go well and I made one of the mistakes that I alluded to earlier, you can hang out in the hallway and engage with the executive that the mistake was related to you. You could grab coffee, you could go walk to the break room, you could go in another conference room and have a follow-up meeting and say, “Hey, look, let me address exactly what happened or what went on and let’s talk about how we make it better.” It’s harder to do that, and you have to make intended effort to do it. And what I’ve taken to is headings. We have all the collaboration tools.

So I’ve taken as a meeting is wrapping up, if one of those events has happened, I’ll hit them up right away on the collaboration tool, whether it’s the real-time chat and just say, “Hey, can we connect? If not now, soon I want to follow up on what just happened.”

And I’ve had to make some additional effort and you make time to not just jump into the work-related aspect of it, and it can be a bit awkward, but you force the rapport and you talk about non-work-related things and you try to catch up on what happened on the weekend. And there is an element of we’ve got to go through this awkward sort of on Zoom, tell me about your family and your life and your weekend.

But I think you have to do it and I think the more you do it at least in my experience, it gets a little easier and you build some knowledge and understanding of each other. And ultimately it’s all grounded in work, but if we have some contact, some things we can connect on, some shared interests, that just is another layer of trust and communication that we can rely on when we need to.

O’Hanlon: Well, I think this is great by the way, but I honestly believe that this is not really just specific to CISOs. I think that this is something that pretty much anybody who’s in a leadership position should take to work every day and engage with their employees and their coworkers on a level that is much more personal because, at the end of the day, we’re spending a lot of time with these people.

And so, we need to know who they are behind the Zoom and behind the office door. So this is great stuff. Jasper, thank you so much. I really do appreciate your time and hope we can talk again in the future about all things CISO-related and beyond.

Ossentjuk: Yeah. That’s great. Thank you.

O’Hanlon: All right. Great.