Listen to the Podcast:
H&R Block's Joshua Brown on Addressing Underlying Policy and Cultural Issues in Cybersecurity
From David Monnier, Chief Evangelist, Fellow, Teammate, USMC vet
Welcome to Team Cymru's newsletter, The Future of Cyber Risk.
Twice a month, we take deep dives from our podcast interviews with leading cybersecurity professionals and distill their insights right here for you.
In our latest edition, I speak with Joshua Brown, VP and Global CISO at H&R Block, who explains why storytelling is such a huge part of his role. Joshua also shares some advice for cybersecurity professionals, including a reminder that technology is the enforcement mechanism for our solutions, not the solution itself.
Here are the top takeaways from the interview.
#1: Improve Your Communication with Storytelling
“I mentioned the storytelling aspect. I think to tell a good story, you have to understand your audience. And when you're talking to the board, I think the tendency is we want to impress, we want to show them that we've got it. And so we often will revert to technical jargon. We will go too deep into the weeds. We don't pitch our story to the audience that we're presenting to. And it's kind of a cardinal sin.
“Understanding what motivates the board means that you also have to understand what your business is really trying to achieve, and not at a superficial level. I mean, you really have to understand what drives the business or what motivates the executives at your company, because you're cautioning them, you're helping them make better risk-based decisions.”
Actionable Takeaway: First, know your audience, what motivates them, and what their business is trying to achieve. Remember that you're there to advise and to help them make the best decision for the business, not simply to say "no." That way, when you do have to say that dreaded word, your stakeholders will know the risk is genuinely too high. Whatever message you're conveying, deliver it in a form your audience will understand: a story. Let them see each option play out in their heads, and the best decision will be easier to reach.
#2: Know When to Say “No”
“It's unhelpful to say ‘no’ out of the gate, especially without context. That's what creates shadow IT. The average employee is just trying to get their work done. They want to get their work done. They want to be efficient, they want to be effective, whether they're selling or they're creating or whatever it is. And anything we put in the way of their accomplishing what they need, what they're getting paid to do, is a mistake.
“I think the phrase I use in my team is we want to create safe spaces for people to try dangerous things. And so I want to remove the decisions, the potential decisions from the end user's path that lead to bad places. I don't want to limit their ability, necessarily, to try different tools, to try different approaches. Sure, there's risk management you need to do with any of that stuff, right? Whether it's on prem, it's in the cloud, it's on a device, doesn't matter, ultimately, if you are approaching things the right way. And that is, what do I do to help the business be successful? And frankly, getting in the way of the employees that are driving revenue is not a great way to make the business be successful.”
Actionable Takeaway: Saying "no" too often, or piling on clunky security controls, has the opposite of the intended effect: instead of feeling safe enough to do their work, employees route around the controls, which is exactly how shadow IT starts. And if employees can't do their work because of poor risk management, the whole business suffers. Instead, start with a "yes" to whatever is possible, then steer the discussion toward what it would take to move items from the "no" list to "maybe," or even to "yes." That way, even when you do have to reject an idea or request, your team and stakeholders will have more trust in your answer.
#3: Listen to Your Gut, Then Back It Up with the Facts
“I use the phrase ‘fact-based engineering’ a lot. I care about what your gut's telling you, because if you've been in the game a while, like, some things may feel like a coincidence; they're not. Like, your gut's telling you, nope, these are connected. Let's dig deeper. But ultimately, you can't sell, and you can't make decisions on that. You need to have facts to back things up.
“And so when we act like the business has to do something or else, in big, scary letters, we lose credibility. And when we lose credibility, we aren't seen as a partner that can help them achieve their desired business outcomes… So instead of stomping our feet and saying we deserve a seat at the big kids' table instead of the card table at Thanksgiving, like, act like it. It's hard enough to convince people that investments in infosec shouldn't be measured in terms of an ROI, which I think is a classic mistake. It's like homeowners insurance, right? If your house never burns down, did you waste money on all those years paying your homeowners insurance? Well, no. Insurance doesn't prevent your house from being burned down. It helps ease the burden of a loss event. Infosec can actually help prevent disaster, but it can't guarantee it.”
Actionable Takeaway: Sometimes you just have... a feeling. That's great! Trusting your gut is a useful tool in any security-related role. But as with any other security work, you still have to identify the actual issue and bring evidence when you raise the alarm; otherwise you lose credibility and get dismissed as an alarmist. As soon as you develop a hunch, document it and keep gathering evidence so that you can show where the issue is and, if possible, propose a plan to address it.