93. Empowering the Board with Ian Yip
Claire is joined by Ian Yip, Founder and CEO of Avertro, the cyber-why company. They discuss cyber culture at the board level and talk about the impact of security leadership on the culture within cyber teams. Ian talks about the value of using the business's language in your cybersecurity discussions at the board level, and about bringing meaningful information to directors and doing so proactively. They also discuss that you have to rock the boat sometimes to make real change and the burnout that can come from this.
Avertro is a venture-backed cybersecurity software company based out of Sydney, Australia. Ian has two decades of cybersecurity experience in a variety of leadership, advisory, strategy, sales, marketing, product management and technical roles across Asia Pacific and Europe in some of the world’s leading companies including McAfee, Ernst & Young, and IBM.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm Claire Pales, and in season nine, we have invited guests to speak specifically about how we can change the behaviours of our staff when it comes to their cybersecurity habits and actions. Today's guest is Ian Yip. Ian is the founder and CEO of Avertro, the cyber-why company. Avertro is a venture-backed cybersecurity software company based out of Sydney, Australia. He has two decades of cybersecurity experience in a variety of leadership, advisory, strategy, sales and marketing, and product roles across Asia Pacific and Europe in some of the world’s leading companies including McAfee, Ernst & Young, and IBM. In our conversation Ian and I covered cyber culture at the board level. But we also talked about the impact of security leadership on the culture within cyber teams. Ian talks about the value of using the business's language in your cybersecurity discussions at the board level, and about bringing meaningful information to directors and doing so proactively. We discussed that you have to rock the boat sometimes to make real change and the burnout that can come from this. Please enjoy my chat with Ian Yip about the culture of cybersecurity.
Ian Yip, it's great to have you join us on The Security Collective today.
IY: Pleasure to be here.
CP: So given you run a business that focuses heavily on good governance, I'm really interested to know what role you see governance playing in organisational behaviour change. Specifically, of course, in relation to cyber.
IY: Governance in general, I think it is a signal that an organisation cares about something. However, sometimes where we see the challenges, the teams and the organisation may not believe that governance is backed by any real action. Meaning sometimes cyber related things will get sacrificed for other things. And I think there's a disconnect between governance structures and processes, versus what is actually done.
CP: So at that board level, what do you think security leaders or, you know, CISOs, or heads of, or whoever's bringing the message to the board. What do you think they can do better to help directors get that sense of confidence or to be creating that culture of making cybersecurity just part of the way that business is done, and having the confidence that there are actions behind the governance processes that are before them?
IY: The Heads of Security, the CISOs of the world, they really are there to be the champion for the cause, right. So I think the attitudes of every single cyber professional, regardless of how senior or junior you are, need to be about championing the cause. It's taking accountability, it's going the extra mile, right. We often talk about, we have to meet people halfway. But I think, as cyber people, we sometimes have to go more than halfway, we probably have to do a lot of the work. We hear the tenure of your average CISO might be two to three years. A lot of it has to do with burnout, if you have to keep banging your head against a brick wall. But it takes perseverance, persistence, it takes trying to make it easier for the board to really get behind the cause for the CISO, for the cyber team, for culture. And if the cyber team and the leadership show that kind of proactiveness, and that kind of extra work, then by and large the board will see and recognise the extra effort that they're putting in and come to the party slowly but surely. And the key is just to understand it's going to take time, and that we have to take accountability for our actions, or lack thereof.
CP: Are you suggesting a much more proactive approach? Because often, the security leader is invited into the board, when it suits the board's agenda. Not as part of this is always what we're going to be talking about in our business. So when you say, you know, we need to go that extra mile, is your suggestion that the CISO or the head of or whoever that security leader is, being much more proactive about bringing cyber to the boardroom conversation?
IY: Absolutely right. And I think if your security function was a business, how would you sell it? It takes communication skills, it takes relationship building skills, it takes trying to understand the people you're trying to connect with as human beings. Putting that foundational human connection there to make that conversation easier and to make things happen and be proactive about it.
CP: I see the opportunity, I guess, for a security leader to do that, and approaching these people and learning about who these people are. Understanding what's important to the board is just as important as the security leader bringing cyber and what's important to them to that director, because it is the board who sets the culture for the organisation. So we've talked about this in the podcast before if the board is very focused on M&A, for example, or is very focused on divesting and getting rid of certain parts of the business or they want to get into new geographies, that's going to affect cyber, but it's also going to affect the culture of the organisation. So sitting down with directors and understanding what's important from their side, as you said, it's a relationship. It's not just this kind of one way pouring of information at the board and hoping that they'll endorse whatever you're after.
IY: Yeah, definitely, right. It's about empathising with them. It's understanding where they're coming from. Just understanding how you could solve their problem, right. Security is here to reduce risk, to maintain secure as much as we can. But we're ultimately here as a problem solving function. And your example around M&A, right, and if M&A is that important, then, how do you make M&A less risky from a cyber standpoint? How do you help a board member understand that as part of M&A, there's a whole bunch of due diligence that needs to happen. So if you can arm a board member with the knowledge and the education so that board member can be empowered, that's a win-win situation all around because you're literally helping the business do what's important to them. But also advancing the cyber agenda at the same time, and ultimately aligning cyber as a function with what's important to the business, as opposed to unfortunately being seen as a cost centre for the most part.
CP: So how do you get the board around the table, or the directors around the table, you know, if we follow on with our M&A example, to recognise that there's not enough cyber due diligence happening, you know, potentially in partnerships or in mergers or in whatever is happening with the board at the time? How do we get them to put cyber at the front of their mind?
IY: It's a bit of a marketing exercise, right. So I think that relationship building doesn't necessarily only need to happen when the board meetings happen or over the coffees. If you've got a communication channel, there's an education part of it that goes on. So you may start to get a board member who you know is going to be interested in it, or you're trying to get them to come around to it. So there's a way you can send information saying this is relevant for what we're trying to do, that's the education part. I think, as an ecosystem, we are getting better at it, but there is a way you can also help add to the education by keeping the information flow relevant and consistent and constant.
CP: I want to come back to something that you mentioned earlier about security leaders burning out. And the behaviour that leads to burnout, if you think about it, is as a leader, they are exhibiting these behaviours and suggesting that is an appropriate way I suppose to conduct ourselves within the organisation. A lot of extra hours, a lot of extra work, trying to sort of push this heavy barrel up a hill. And I'm interested to understand if you think that these behaviours and actions within the cybersecurity team play a role in the overall cyber culture outside of the security team across the wider business.
IY: Short answer is yes. I think cybersecurity team's culture is a reflection of the core people in there and the leaders within that team. And it's seen by the other parts of the organisation. So a pragmatic, cooperative, communicative cybersecurity team is going to be more effective and more well liked by the organisation as a whole. As opposed to one that is the department of no, right. They're toxic, they have a line they will never cross, they don't want to negotiate anything. It's my way or the highway. I mean, unfortunately, I think information security has been around for so long, that there are still people who subscribe to those old ways of thinking and that kind of behaviour, which absolutely needs to go away, right. Not only are we doing ourselves a disservice, we're not encouraging new people to join our industry. We're not encouraging people to want to work with us. And I think the culture is that important where if it is that toxic it will start to wear on themselves as well, even if it's a subconscious thing, right.
CP: And so having a CISO that is, I guess, under this enormous amount of pressure, from a prioritisation standpoint, how do they work out the technology that they put in place to protect an organisation, and this building of culture change, which everybody seems to expect is also going on?
IY: I think the first thing is, technology is only a part of the puzzle. It is a holistic viewpoint that we need to take on everything. Audit, obviously, has a part to play, the bits of tech that we put in have a part to play. But it's, I mean, you said risk management. For me, what I found is most effective in my experience in my travels, in my various roles, is it has to be risk based, right? Because that is the language of the board and the people you're trying to convince and the stakeholders and how they make decisions. It is how much risk are we exposed to if you're asking me to spend $20 million? Like can I spend $10 million? How do you have that conversation, right? So to answer your question of prioritisation, it's how do I bring that risk down to a level that I'm comfortable with. Like we'll call it risk appetite, risk tolerance, various ways to say it, but taking people on that journey. And the reason I say it's holistic is because technology, foundational technology and specific technology, that will bring down your highest risks, are obviously things that will go in first. But awareness and culture always come up. Because as much as we don't like to sometimes shine the spotlight or put a mirror on ourselves, we are as humans, often people are sometimes doing not necessarily the most cyber sensible things. So we just have to make sure we're on our toes and make sure everybody else around us is on their toes, which reduces a significant amount of risk, right. So it is about risk management. It's about making sure that you don't try and buy everything under the sun and pay for everything under the sun. It's, I'm trying to reduce these top five risks. What is my most cost effective way of reducing these top five risks within the time period that I've told the ExCo and the board that I'm going to do it in, and what am I going to spend to do it.
CP: Which is interesting, because if you talk in risk based language, you would hope that the executive and the board would understand because that's something that they're dealing with every day. And what I found interesting, when I was writing my book for directors, the strongest theme that came through was their lack of confidence in making decisions around cybersecurity. And why do you think they find such a challenge dealing with cyber risk, as opposed to I don't know climate change or operational risk? Or, you know if it's manufacturing, then it might be health and safety risk. Why is it that cyber risk in itself seems so difficult for the board to get their head around, as opposed to all the other risks that they're dealing with on a day to day basis?
IY: Foundationally, risk management over the years has been an inexact science, right. So, often the risk professional gets criticised for having estimates that we sometimes have trouble backing up. However, when you talk about some of the other areas other than cyber, they are more tangible, right. So like climate change, you can look out the window and you can look at what's happening, the polar ice caps, and you can see what's happening. It's very, very tangible. It is very, very visceral. And we feel the impact, we know the impact as humans. From a cyber standpoint, unless you've actually suffered a cyber attack or had fraud happen to one of your accounts, it's not as tangible as some of these other things. And decision making really is about having the right information and accurate information and as much of it as you can. So back to the whole cyber thing, often the challenge for one board member who doesn't necessarily understand or want to make a decision is, they're not given defensible information that they can make sense of. Now if you can give a board member defensible information that they can make sense of, that word empowerment again, as a CISO, then you are empowering that board member or the CEO or the CFO, with enough information and the respect for them to be able to make an informed decision, rightly or wrongly in the end, for the outcomes that they're trying to get to. Back to the whole conversation we were having earlier, if you need the extra mile and make sure you can do that, they will thank you for it, as opposed to the opposite, where they will sometimes be paralysed to the point where they don't want to make a decision because they don't have that information to make a good decision. In the absence of good information the call to action for most people is I'm just not going to make one.
CP: Yeah, I think you make a really interesting point because and, you know, looping back to the part, the conversation we had at the start around this proactivity and not just waiting for the board to invite you, but for you to be saying, you know, I've got something to say and I want to get in front of the board. Giving enough information that the board can make decisions and feel confident in those in the totality of the decisions that they have to make. So not singling out cyber on its own. But, you know, feeling like it's part of the fabric of the other decisions that they have to make and the other risks that they have to manage. I think that's the balance, as you say, is getting the right information and sufficient information in front of the board on a regular basis. And sometimes pushing a little bit harder to get the opportunity to do that.
IY: Yeah, and as much as you can let them compare apples to apples, you should, right. It becomes really hard if you're the orange in the room, and everybody else is an apple. And they're going I don't know what to do with this orange. I know that's a green apple, that's a red one, that one's rotten, that one's fresh. And I can, I know which one I like, I know what I can do about each one. I don't know whether I like the orange or not. So that's another point we were making earlier is as a security leader, if you have a better understanding of the business as a whole and understand the pressure points around, is safety important to us, is ESG important to us, is impact on crime important to us, what are the other leaders trying to do. And ultimately, as a business, what are we trying to achieve so the KPIs align with the business ones. Then as the cybersecurity leader you can align what you're trying to present and your language, more like an apple instead of the orange.
CP: But that's what shifts the culture around cyber. I think that's exactly what shifts the board's approach to cyber. The broader culture in the organisation around cyber is if they can start to see how cybersecurity fits in to what these other departments are trying to achieve. Not the cost centre departments like cyber but the ones that are actually out there making the business money. If they can see how cybersecurity aligns with them. And, you know, even to the extent that cyber starts to use the same language that those other departments are using, that's how you slowly change the culture across the business. I know it's like a perfect world and a utopia. But I think if you chip away at that, learning what the business is all about, learning the value and the language that the other departments are using, and then bringing that all together in front of the board. Do you agree, do you think that that's what will slowly change their mindset and the broader culture around cyber?
IY: Yeah. Which is why I think the security leaders, and I'm very deliberately using security leaders because I'm not just talking about the CISO, I'm talking about the people in the security team who have to make decisions, good decisions. More and more as we move forward, yes tech is very important. But security leaders have to understand that today. And to move forward, they are actually business leaders first and foremost. If you're not a business leader, you're not going to be able to do your job as impactfully and as efficiently and as effectively as you would ideally like. Which, interestingly enough, does lead to that burnout challenge that we were talking about. Because as humans today, and as professionals, we want to be making impact, right? And if you don't feel like you're making an impact, because of the way you're doing things, you just got to get better at it. And in the context of what we're talking about, it is business first, but it obviously is much more useful if you understand the context and the technological side of things, but it's not a must, right. It is, you have to align with the whole business.
CP: It's probably a podcast for another day, but I think it's an interesting point around the need of a cybersecurity leader to first and foremost be a business leader. And, you know, we've talked many times previously with other guests around that capability set, that a CISO or a security leader brings to that leadership role, and how difficult it is for someone who's grown up through a very technology focused path, and sort of comes out the other side, or gets promoted into the security leadership position, and hasn't necessarily had the business capability investment in their skill set in order to do that. And that's when you get burnt out, as you say, you're pushing a heavy barrel up the hill, you're learning on the job to be a leader, and you don't necessarily have those business skills. I think that makes it incredibly difficult for a leader to make an impact, as you said, and it's certainly not effortless to be a security leader. But, you know, coming from a place where you don't have the business leadership skills, first and foremost, it's very hard to make an impact at the board level and encourage them to change.
IY: Yeah, yeah, there's a huge amount of, I think, self-awareness in being able to do that as well, which does take time to learn. And humility, right. I'm not trying to over generalise, but you sometimes do get people who come from a very technical background, who do take time to be self aware. And if you're very, very capable, from a technical standpoint, then you sometimes subconsciously also lose that humility. And unfortunately, I think, as you grow in your roles, and you get promoted for being good at what you do, you've got to be able to be self aware enough to say, okay, now it's my time to realise I've got gaps in my professional beam that I have to fill, that I'm an absolute beginner on, and that then will allow them to elevate to the next level to really be that effective cybersecurity leader, which we need more of. And I think we are getting better at it, but there still is obviously, quite a lot of development we have to do as an industry to help some of the people who are still coming in and be able to develop themselves professionally to occupy those roles.
CP: In terms of your professional development and your career path to sort of bring you to where you are today, you spent a number of years in professional services and consulting. I'm interested as to what drove you to come out of that and start your own cybersecurity business and solve a problem for the business community.
IY: The key word there is impact. I'm not at all suggesting consulting companies and corporate jobs don't make an impact. I think as a whole, obviously, big companies make a lot of impact. However, if you're talking about the individual, you are within the confines of a system, right? If I take some of the corporate jobs I have had in the past, there are a lot of good people in there who want to do the right thing. However, they're still human beings and family people in the end who are trying to make a decision between, I know the right thing to do, however, is it a hill I want to die on. How much do I want to rock this boat at the risk of either losing my job or not being up for the promotion, or not being in with the person who I need to influence, and there's a lot of that going on. Meaning to make a real impact on change, often you've got to rock some sort of boat. And for me, I think it was just getting too hard to rock that boat. And I started to get frustrated in some of my roles, in particular the more recent ones. Where I knew what the right things to do were, but just the machines weren't letting me do it. And that's just how companies evolve over time when they become very, very large. And serendipity hit and allowed me to, I saw this problem that we're solving for a couple of years, and I saw the opportunity. It was a big risk obviously, and still is, to do what I'm doing. But to really go and make that impact. And the main question I did ask myself when I was making the decision was, if you look back on that inflection point in your life, in 20 years time, would you regret not taking the opportunity to make an impact? And the answer was yes, I didn't even hesitate. So I think that there's my thought process around why I decided I needed to do this, because it was my way of making the most impact I could on a huge problem that I saw our industry trying to tackle but not moving the needle enough for my liking.
CP: So having been in cybersecurity and in tech for a long time, what's something you do in your personal life? What's that key cybersecurity behaviour that you do every day, the one thing that personally you're a stickler for when it comes to cybersecurity? Away from Avertro or even part of Avertro, but in your personal life where no one's watching. You know, they say culture is the thing that people do when no one's watching. What's the cybersecurity behaviour that Ian Yip does, even if nobody's watching?
IY: I approach everything digital with a healthy level of scepticism. So I'll give you an example right, we always, often as a blanket statement, say don't ever click on links. And sometimes say, you know, I don't have time to go and tell somebody the nuances around clicking on links versus not clicking on links, but I will click on links sometimes, honestly. However, that's not without my due diligence and performing an assessment on whether I should click on a link. So I won't ever do anything blindly. So a link is an example of some things I do, around should I give this thing a really strong password, or should I just use the really easy password, it is down to risk. How much risk of exposing myself to doing this, and then I'll make the decision, right. So it's being cautious about what I'm doing so that I reduce my risk of having an outcome that I really don't want from a cyber safety standpoint.
CP: Ian, I wish everybody approached their lives digitally, with that healthy sense of scepticism. I don't like to use the word paranoia, but scepticism is a better way to put it, definitely. But if everybody approached things in that way, then I think we would have a much better approach to cybersecurity. A totally risk based approach is what we want to instil in people. We don't want them to be so fearful that they're not productive. And we also don't want to put so much technology in place that our organisational employee communities think that the tech will look after them and they don't need to have that scepticism. So I think that's a great piece of advice and a great behaviour that you have. So thank you so much for sharing that with us. Thanks for your time today, it's been really good to chat. If people want to know more about Avertro, we are going to put information in the show notes. And so thank you for your generous time today Ian, and we'll speak again soon.
IY: Thanks for having me Claire.