In this Digital CxO Leadership Insights series video, Kandji CISO Chaim Mazal explains how remote work has permanently changed the role of the CISO.
Mike Vizard: Hey guys welcome to the latest Digital CxO videocast. I’m your host, Mike Vizard. Today we’re with Chaim Mazal, who is CISO and senior vice president of engineering for Kandji. They are a maker of a MDM platform for helping you to manage your mobile computing devices. Chaim, welcome to the show.
Chaim Mazal: Thanks for having me, happy to be here.
Mike Vizard: One of the things that we are seeing these days is that there’s convergence at the C-level, there’s much more collaboration among all the execs and one of those execs happens to be the CISO. What do you think it is though that’s making the CISO part of this conversation now, versus any other time in history, because it’s not like CISOs haven’t been banging on that door for the last decade or so.
Chaim Mazal: Absolutely. I think now is that we continue to see this uptick and trend of having serious material impact to the business based on breaches. This has been a historical thing, but also within the last year or so you know 2021 has had the highest amount of breaches historically ever recorded. A lot of those breaches have contained significant amounts of PII that were unfortunately truly detrimental to the long-term business value.
So having a representative to be able to speak to the risk at the highest levels is mandatory for a business to be successful. It’s a key integral part of the business. There’s three keys for a business to be successful, customers have to know you, they have to like you, and they have to trust you. And if trust is eroded and it’s very difficult for a business to continue to be successful in the world we live in today.
Mike Vizard: I think a lot of that conversation didn’t take place because historically people have viewed the security folks as you know Dr. No, no matter what I said they would say, “No.” As one guy joked not too long ago, he said, “If my security people have been around when they invented the phone, they would have told me not to use it, because some information may get out.” How do you kind of reconcile the risk factors, because you know all business involves risk, so are security people getting more comfortable with risk or are they just getting better at having the conversation?
Chaim Mazal: Yeah, I agree with that sentiment a hundred percent. Unfortunately, security used to be a no function and I think the “No” used to come from a place of lack of understanding or knowledge of what it took for the business to be successful and how there was, how they were able to essentially bridge the gap between securing the business, reducing the risk, while providing the ultimate customer value.
I joke all the time like the most secure SaaS company is one that doesn’t have any external internet connections, right? And so obviously that’s not how people do business. So I think the new wave of security, the new wave of CISO is yes, but, right? Like we need to find ways to solve for the business, but we need to do so by thinking about unique and interesting ways that we can marginalize and reduce risk across the board, while still providing ultimately that end user customer value.
Mike Vizard: What do you think are the dynamics like? I mean because the board may get together or you know I don’t know once a quarter or whatever, so how does that CISO engage with the other C-level executives in a meaningful way that allows them to make a difference, because I mean you can’t talk to them every day, but talking to them once a quarter isn’t going to do it either.
Chaim Mazal: Yeah, absolutely. So I think there’s a lot of process and procedure that gets scoped out at the executive level and maybe having you know a risk committee where you can talk about things that get translated to business-level objectives that directly align to the business strategies and goals. But really actually being able to show customer impact, positive customer sentiment and playing back security to your end users and consumers, while you’re able to make investments that reduce risk and hedge the business from essentially you know having any material negative impact.
So again, it’s aligning to those business values, it’s talking about a reoccurring basis and thinking about how to align it to your current business objectives and goals, right? And I think a lot of CISOs and a lot of organizations have started utilizing and picking up the strategy and I think it’s very easy to tie back the investment of security to positive end users sentiment.
Mike Vizard: What’s your sense of the appreciation of the C-level executives for having that conversation? Because I think the security people clearly want to have that chat, but you know how receptive are the other guys or is it something that the CEO has to force or what is their level of maturity?
Chaim Mazal: I got to be honest, I think it’s getting better and better every day and more proactive every day. I can just talk about my representative experiences, right, where in the majority of my career and reporting lines has been to either (a) the CTO, the CFO, but not necessarily the CEO. I think you’re seeing modern CEOs be more engaged upfront on a daily basis. I think you’re seeing them actively ask questions, actively do _____ into the news.
You know I can give an example. You know there was a couple of breaches recently and you know having the CEO proactively reach out saying, “Hey, you know do we need to do anything? Does this impact us? What’s the blast radius?” You know thankfully in this conversation there was zero impact, we’re not a consumer, but it’s something that’s become top-of-mind for CEOs, because they realize obviously that if something is negatively impactful, right, you could unfortunately lose a tremendous amount of market share and negative customer sentiment is very hard to shake off long term.
So again, I think this is becoming part of the business, it’s something that’s top-of-mind for executives and CEOs and general executive leadership teams. So I think the conversation is here to stay and it isn’t going anywhere anytime soon.
Mike Vizard: Do you think that the costs have reached the point where they’re also paying attention, because you know if I think back 10 or 15 years ago the fines might have been you know, “Well that was a slap on the wrist,” but maybe now the costs have reached the point where I’m getting hit by something that has a material impact on the financial statement for the quarter.
Chaim Mazal: Absolutely that’s a great point. So it’s not just potential customer impact, right, it’s also regulatory and governmental impact since we’ve implemented all these different regional-specific data regimes. Like just GDPR itself, and we look at the fines levied on some of these you know big major tech companies over the last couple of years and that’s enough to give anybody heartburn or cause for concern. So it’s absolutely part of it.
I think as we go ahead and continue to expand we see a lot of divergence, right, in these different, you know, data frameworks or data privacy frameworks and making sure, again, that there’s a clear business plan to address them for global companies that operate globally, right? It is also something that’s bubbling this up and making it top-of-mind for the executive leadership team. Because there’s a lot of key indicators and impact that has to be taken into concern when you go ahead and rollout your product across a global landscape, right, whether it’s Brazil, whether it’s Australia, or whether it’s the EU, investments have to be made to be able to fill the requirements. So again, these ongoing conversations are making these things front and center for the executive leadership team.
Mike Vizard: For somebody who is struggling to have this conversation and which there’s probably still many CISOs out there who are probably going home slightly frustrated every day, what’s your best advice to those folks about how to go and make this actually happen?
Chaim Mazal: I would say treat it like any other executive-level business function, right? You have to have a projected plan, you have to have a projected investment that you’re asking for and you have to be able to go ahead and align that with potential returns for the business long term.
So being able to have a clear line of sight of what you’re asking for and what you’re trying to achieve and how it’s going to help make the business successful and not just talking about technical terms of your day-to-day operations that your team might actively be doing to reduce risk for the organization. It’s nice that we’re performing proper data hygiene and we’re patching all our machines, but the business needs to know how those investments are relating to the bottom line, of how you’re positively impacting customers on a daily basis.
Mike Vizard: When you hear about digital business transformation as well and of course people are thinking that those applications may be a little more sensitive than many of the legacy applications, is that changing the conversation in a positive light for CISOs as well, because people are starting to figure out there’s a lot more at risk frankly?
Chaim Mazal: Absolutely. I think there’s different levels of risk and how they present themselves, right? Historically you’re responsible for managing all of your assets and managing all of your applications, doing all of those things holistically internally and you basically made your own bed, and whether or not your team could execute on it, it was solely up to you. As part of this digital transformation, we’re relying and depending on third-party organizations, right, to do their due diligence to secure their product, to secure their offerings. Then for us to use compliance trademarks to be able to vet and understand that they are in fact doing the things that they say they’re doing.
So with supply chain attacks and with all of those consequences and breaches that we’ve seen recently it is definitely something that’s top-of-mind for organizations, making sure that they vet all third-party vendors. But I am also a firm believer that you know businesses have to focus on their core competency and that’s not necessarily managing other people’s software. So you have to trust in the business partners that you choose. You have to trust in the vendors that you use. But you definitely have to have a rigorous and stringent vetting process for all of your third party, your sub-processors, and all of those things, because unfortunately that seems to be the preferred attack _____ of choice right now.
Mike Vizard: What is your sense of how is remote work changed the equation as well? It seems like not only is the company changing in the way it might engage customers externally, but the way it operates internally has changed as well. Has that helped mature this conversation a little bit, because we have had such a shift now that people are going, “Hey, you know it’s not enough to hide behind a firewall, because everybody is on the other side of the firewall these days.”
Chaim Mazal: Absolutely, and I think a lot of this caught a lot of organizations off guard. So we had a different level of maturity in you know remote hybrid in-person workforces. A lot of the things that took place for the last couple of years with COVID and the whole pandemic forced a lot of those conversations to be expedited in very, very serious ways.
So just based on the things that you know I’ve seen and across my peer group as well, you know some companies already had a pretty strong different layered approach of security controls for external you know parties to work from and other ones in other organizations didn’t have any, right? Everyone’s required to come to the office, authenticate to a corporate network, you know only use ______ authentications you know from that corporate network based on the things you have. So I think that we’ve seen a lot of companies scramble recently to go ahead and try to implement those same level of quality security controls to support a remote workforce as they had as an in-person office where you could control this simply by your corporate network or a singular firewall.
So and then we’ve also seen you know the emergence of _____ authentication under the guidance of zero trust and everyone went to support applications. We’re saying, “Hey, public open internet is fine, but, right, we’re going to have these mechanisms that ensure that everyone can authenticate, we can log, and we can go ahead and create visibility for whose accessing what applications and what assets across our environment’s organizations while we reduce risk from that public space.”
We’ve seen a major growth in this market segment and the kind of the throwing around of this buzz word, something that’s historically existed for a long time, but it was – it’s been, it’s, we’ve definitely seen a strong increase in this since the pandemic started. So it’s definitely has been a huge obstacle, but for an organization like Kandji that was birthed out of remote first, it’s been a smooth and easy transition, because a lot of those investments were made early and upfront as well. So…
Mike Vizard: Yeah I just think that a lot of organizations aren’t quite sure who they can trust anymore because everybody is on the other side of that firewall, could be almost anybody, so we hear a lot more about zero trust. So is zero trust going to run all the way from the employee out to the customer and you need to think about that end-to-end?
Chaim Mazal: Yeah absolutely. So it’s not just your internal system, right, it’s also how you deploy and deliver your product. So again, there’s a lot of scrutiny that needs to be implemented in a lot of different places. There’s some very cool products that are coming out lately and offering solutions to organizations that help solve the problem of organizations trying to bake and build these things internally, which they have done historically. I think it’s a very interesting concept you know.
I don’t want to throw out, but I know Cloudflare also has an interesting offering, Banning Security has an interesting offering. There’s a lot of companies that are thinking about this in a very proactive, modern way. It’s not solely about your internal business assets, it’s also too to help kind of moderate your application development, your internal product development. So by the time it gets actually surfaced to your end user and customer, right, there’s been validation, authentication, authorization every step of the way.
So we’re definitely in the modern age of security here and that’s also why there’s such hefty price tags along on the security budgeting and vendor side as well.
Mike Vizard: Cool. Hey, Chaim thanks for spending some time with us and giving us some perspective on the CISO side of the equation.
Chaim Mazal: Absolutely, it’s been my pleasure and enjoyed the conversation thoroughly.
Mike Vizard: All right. And thank you all for watching this latest episode of the Digital CxO videocast. We hope you’ll find this one and other ones on the Digital CxO website. And most importantly going forward, hey stay safe.