Cybernomics Radio!

CISO vs BISO: Who's Really Running Security?

Bruyning Media

Charles Payne and Olivia Phillips join us to explore the evolving relationship between CISOs and BISOs, examining how business-focused security leadership is transforming cybersecurity from a technical function to a strategic business enabler.

• BISOs serve as the "Swiss army knife" of the CISO, bringing deeper business knowledge to security decisions
• The BISO role bridges the gap between technical security requirements and business objectives
• Both guests agree BISOs are well-positioned to become future CISOs due to their business acumen
• Quantifying security risks in financial terms changes board-level conversations (e.g., a $50K fix preventing a $6M loss)
• Business silos create hidden security costs when departments purchase redundant tools without coordination
• Transitioning from technical to strategic leadership requires learning to delegate and trust team members
• Strategic security leadership means focusing on business outcomes rather than getting lost in technical details
• AI will likely reshape junior security roles but also create opportunities for professional growth

Connect with our guests on LinkedIn: Olivia Phillips (#simplyolivia) and Charles Payne (#NYLCharlesPayne). Subscribe to the Cybernomics newsletter and YouTube channel for more insights on how security and business intersect.



Speaker 1:

Welcome to this episode of Cybernomics. I'm your host, Josh Bruning, and I'm here today with the one and only Charles Payne, incredibly knowledgeable, extremely handsome, good-looking and charming CISO extraordinaire. Charles, welcome to Cybernomics. Pleasure to be here, Josh. And we also have Olivia Phillips, who is the BISO at Amtrak, which I learned, I just learned this today, that Amtrak is half government, half union. I didn't even know that there were any government, but apparently they are. So to talk about the office of the BISO, and we're going to do a little bit of, you know, WWE, CISO versus BISO today, having Charles as a CISO, Olivia as the BISO, and doing some comparisons between the office of the BISO and the CISO. What is different, what is the same, what is a BISO? Anyway, Olivia, welcome to Cybernomics.

Speaker 2:

Thank you, pleasure to be here.

Speaker 1:

All right. So I've always gravitated towards the office of the BISO, because when I started in cybersecurity, my job was to communicate the IT and security language to the business and the business language to the IT group. Business analysts and project managers have kind of taken over this role. So in a company like Amtrak, so like these bigger organizations that are fortunate to have a BISO, what exactly is the role of the BISO? Are you that in-between bridge between the business and security, or is it something much more than that?

Speaker 2:

I think it's much more than that. We work with the cyber team as well as the business team, but we also want to make sure that the cyber security team is embedded in the business and to show value. Also, I think of the BISOs as being the Swiss army knife of the CISO. We are going to know the business a little bit more in depth than the CISO, but we can bring that to the CISO's attention, especially when it comes to risks or new standards that are coming out.

Speaker 1:

So is it fair to say that the BISO is to the security office what the business analyst is to the IT office?

Speaker 2:

I think they go hand in hand. Yes, yeah.

Speaker 1:

Except you've got a little bit more pull. I would think it's a senior position, correct?

Speaker 2:

That is correct, yes.

Speaker 1:

Okay, how senior are we talking?

Speaker 2:

Well, it's director or senior director position. But I will be honest, I think in the next five years we will be sitting right next to the CISO part of that C-suite.

Speaker 1:

Want to know what I think? I think you're going to take over the CISO's chair. I think you're going to sit in that chair because, and this is something that Charlie and I talk about a lot, most CISOs are, and please don't come after me. I have a lot of friends who are CISOs and this is not to disparage anyone, but it's true. There are too many CISOs that are not business-focused. They're more technology-focused, and you would think to have the position of a CISO you would have to be sort of the executive type. But the breed of CISOs that are executive types, it's becoming less rare, but it's rarer than we want to admit. But I think that a BISO, being business-focused and in the security office, that sounds an awful lot like what the CISO should be and what great CISOs are. So, Charlie, do you think that the office of the BISO would ever replace the office of the CISO?

Speaker 3:

So, fundamentally, I don't think the CISO position will technically go anywhere, but what I think you'll find is that the BISOs are now the CISOs. I think what you'll find is the logical progression from the BISO to the CISO, because having the business context in conjunction with the technical argument is very critical to today's evolving landscape.

Speaker 1:

So, Olivia, if you were to lose the title of BISO and became a CISO, do you feel like you would have lost anything?

Speaker 2:

No, I think I would gain quite a bit because I would be bringing in the business acumen that I know into that cyber field, so I would be able to speak both languages of Spanish and English. But cyber, you know ones and zeros to business value or cost savings.

Speaker 1:

Charlie, should CISOs be scared of the BISO? Is the BISO going to eat their lunch?

Speaker 3:

I would think so. I mean I came from finance first before I went into IT and technology, so my background's already similar to BISO. So I mean, maybe I'm biased and prejudiced in that regard, but I see that the amount of advising that I do for other CISOs that don't have any business acumen I think that the BISOs are positioned correctly at this point in time to actually start to take over some of the CISO roles. So I think what we'll see now is a lot of the hirings and the people that are actually filling the CISO positions will be BISOs and such moving forward.

Speaker 1:

Man, I thought I was going to get you guys to duke it out, but you're both on the same page. This is the most boring wrestling match I've ever seen, because you're holding hands and singing kumbaya, and I don't think you're going to be on WWE anytime soon, but you know what? This is much better. I think that having that progression from the BISO to the CISO, and sort of starting that conversation, is incredibly important, and I think that that's maybe the number one benefit of the BISO: it's raising questions that everybody wanted to ask, namely, how do we make security a business function and less of a technical function? So, if anything, the BISO role, in my view, and Olivia, you can correct me if I'm wrong, the BISO role is an isolated, concentrated, business-focused security job that is telling all of us what security should look like. True or false?

Speaker 2:

I would agree with that. Yeah.

Speaker 1:

Okay, great. I got one right. I passed the exam. What do I get?

Speaker 2:

What's my reward?

Speaker 1:

A clap from the BISO and the CISO. Great. Can I get you guys to do that publicly? Okay, never mind, yes, okay, well, today is my lucky day, all right. So, moving on, what is the number one? And I won't hold it against you if you change your mind later, but just off the top of your head, if you were to say something, what is the number one hidden cost of security from a business perspective, maybe something that the business overlooks and, as the BISO, it could be something that you have caught, others have overlooked and you've brought it to light. So what would be that uncommon, unseen cost of security?

Speaker 2:

From a business standpoint, it's the business doesn't talk to the business. And what I mean by that is that everybody's very siloed, and what causes issues is these individual groups get their own tools but are the same within the organization, so it costs the entire company as a whole so much more money. Until, like a true BISO, actually looks at it, who's supporting all these different organizations within the company, to see, hey, why do we have 18 different types of VMware? Why can't we just buy one? Do like the Costco, buy it in bulk and it would give us cheaper. And that's one item that I've seen as a BISO: communication between the different orgs. It doesn't happen, and the BISOs have to bring those walls down to open that communication.

Speaker 1:

Yeah, does that sound like a risk to you, Charlie, like in the traditional sense of thinking about cybersecurity or business risk? How large is that risk?

Speaker 3:

You know, so I'll speak to it from like an M&A strategy, so like a merger-acquisition strategy. So what Olivia is saying is actually very true, and what you find is that there's so many different technology stacks in your organization that it causes stress to your security team, because now they're trying to patch stuff that's irrelevant, that they shouldn't have to patch anymore. Instead of trying to unify all the solutions, reduce the stress for your security team, which makes them more beneficial, more profitable. They can keep their eyes and they can focus on stuff that's more relevant to the business, as opposed to chasing stuff that was end of life five years ago.

Speaker 1:

Who owns that risk, if we've established that it's a risk? Is it procurement? Is it the GRC team? Is it the CISO's office? Is it the BISO? Is it the butler? Is it the nurse? Who is it?

Speaker 3:

Ultimately, it's whoever gets held, whoever's holding the bag at the time that there's an incident.

Speaker 1:

Which typically in a large organization. Who would that be?

Speaker 3:

I mean it could be senior management, it could be one of the executives, but I mean typically it's going to be whatever department holds, especially if it's like an end-of-life tool. It could be whatever manager or whatever executive or whatever staff member signed off on that tool is used, accepting the risk for that tool even though it was end-of-life or nearing the end of its life or whatnot. So, going back to what Olivia said, you should definitely want to look at buying stuff in bulk so you can always maintain those service contracts.

Speaker 2:

Well, let me ask you, Charles, have you ever had where people it's pointing fingers, like a risk happens and it's like, well, why didn't the CISO tell me it's your job to be the security officer. You should be aware of the situation.

Speaker 3:

You didn't tell me, so it's technically not my fault.

Speaker 3:

I was at a very large organization, financial organization, a bank, and yes, we played the blame game and it boiled down to as the executive, we can't know everything and that we have to rely on the people that we've hired in those positions, that we've delegated those tasks to, especially when they've accepted those risks on the rising chart.

Speaker 3:

So it boils down to we try to communicate risk, we try to deliver it in a way that everybody understands, but at the same token we have to rely on our staff. And sometimes I fault myself on not training my staff on what specifically to look for, because when I give them directions, sometimes I don't give them the ability to understand what those directions mean, and I don't realize that until after there's a problem or after there's an incident, because they don't always necessarily tell me that they don't understand what I'm saying. And that's where I have to step back and go back into the business mindset of trying to explain to everybody this is how it works and this is how it functions, and trying to distill the technical jargon back into the business, going back to what Olivia was saying originally. That's very difficult sometimes, because sometimes you don't know that there's a problem until there's an issue or a conflict.

Speaker 1:

So, as a BISO, Olivia, if you are looking at a large company, let's say like a US bank size type company, where, to Charlie's point, you've got multiple levels, right. So you've got the guys in the server room all the way up to the CISO, the CTO, CIO, whoever is at the top, right, and with these big companies you'll probably have like 20 CISOs, right. Everybody's trying to communicate down and people are trying to scream their lungs out to the top, because, you know, the CISO may have said do not put in WatchGuard firewalls, okay, and by the time you play that game, you know, it gets all the way down, it turns into absolutely install WatchGuard firewalls. So it's not just the silo of departments, but it's the silo of rank and level. So how would the BISO address that, to solve that communication gap for such a large company, and in the frame that Charlie had just given us?

Speaker 2:

So for me it's been communicate, communicate, communicate, and it's I don't know what it is it's been the last 10 years. The communication it's not there where you can just go talk to somebody. So it's establishing that trust within the business and security to say, hey, here's the new policy, we cannot do this, we cannot implement these firewalls. And explaining why. Because that's going to be the question is why can't I? Okay, well, here's the reason why. Here's the risk. Now, that is, you know, coming from the executives, coming from our CISO, saying we can't do this. But it's communicating not just to the managers, senior managers, but also the developers, the firewall team, the entire network team. So you're not just as a BISO, you're not just getting you know, going, reporting stuff up as from an executive standpoint, but you're also reporting stuff down to make everybody aware of the situation and what's going on, especially when it comes to policies, procedures, because at the end of the day, if they don't know, they can't be fully effective in meeting the security requirements.

Speaker 1:

But somebody's still going to be left holding the bag of apples, the hot potato, and someone will be accountable.

Speaker 2:

Well, it's also explaining to the service owners, or the owners or the managers, that they are going to be held accountable, especially when it comes to a risk, but then teaching them, hey, you're signing on this risk. So, security, our CISO is going to sign on this risk and accept this risk, but at the end of the day, when it comes to that scapegoat, you're going to be, as a manager, you're going to become that scapegoat, because you're allowing this risk to continue.

Speaker 1:

So how do managers save their asses? Like, don't implement a risk?

Speaker 3:

Well, I would agree. It's kind of like unplugging from the internet. Definitely, I think it's more than the lines of understanding completely what the risk really entails. But I mean, there are plenty of softwares, and I'm part of FAIR Institute, and FAIR gives you a really great assessment on what each risk means in terms of dollars and cents, and that's really what I can pay to the business. I'm like, hey look, this is going to cost you a billion dollars if this risk actually matures itself. If you can accept that, I'm okay going forward.

Speaker 3:

It's breaking it down to the business and understanding and explaining to them what they're asking for really means to them. And when you talk to them in terms of share prices and monies lost and budgets and bonuses not paid, it's a different conversation. When it's like, oh well, we have these vulnerabilities that we have to go fix because that means nothing to them, but we're taking away your house stipends, we're taking away your bonuses, you're not getting any more stock options. This is how much it's going to cost all the shareholders. When you talk to them like that, when you start telling them how much bonus they're not going to get, then it's a different conversation. Wait a second, wait a second. What do you mean? We don't get our bonuses.

Speaker 1:

Do you think that's what's driving all of this? Is ego, because if people are looking inward, then you forget to communicate, and when I've heard stories of these kinds of miscommunications, things getting all messed up, nobody knows who's accountable. It's because somebody was too busy enjoying their executive lifestyle and couldn't be bothered to communicate. So is it like a psychological problem or is this like a structural problem?

Speaker 3:

Maybe it's ego, but there are so many folks that just have... It's a weird dynamic, because when you try to talk to a CISO or another executive, it's like they seem to be like one of the most stressed individuals, but they also put up so many guards and so many walls that they don't really have an open door policy. They have an open door policy, but it's not really accessible because there's so many walls in front of it. So it's like they kind of shoot themselves in the foot, because they're trying to say it's my way or the highway, as opposed to actually truly having an open door policy where you can actually communicate issues and risks and problems. They don't want to hear it. That's kind of an issue. People are like, oh well, of course we want to hear that, and people will be listening to this and be like, of course we have that.

Speaker 3:

Yeah, but can you really go in and say, look, I had a problem with this, this didn't work, and then did you just tell them to fix it? Or did you stop, sit down, have a conversation and understand why your WatchGuard firewalls or why your other products didn't work? What was the implementation issue, what? And then, instead of just looking at this technical challenge of like, if I implement this product, what happens? I just want it to work. Did you look at what happens when you implement that product? Did you look at what happens with the vulnerabilities?

Speaker 3:

I mean, we've been a FortiGate shop for a really long time, and one of the things that another vendor brought up at RSA this year, among some other times, was FortiGate will make some crazy software, have plenty of bugs, but you can't have any of the software updates for free. They charge you on a subscription model for the updates. Yes, you bought our hardware, you bought our software. By the way, we have plenty of bugs in it. We know that they're there, but if you want it to be fixed, you have to pay us. It's a service contract.

Speaker 1:

Is that legal?

Speaker 3:

I'm not sure, but that's what they're doing today. That's my gripe with them at the moment.

Speaker 1:

Wow. Olivia, thoughts. How into the weeds and the technical stuff do you ever get?

Speaker 2:

I do not get into the weeds or technical. I try to be above that. Being my past experience, I did get in the weeds. I did all the tools. I truly understand it. But nowadays there are experts out there. There are people we hire who are the experts and I can go to them and ask them. Give me a high level of exactly what this is. What does it do? How is it going to provide value to the organization? And show me, show me it. You know, proof is in the pudding, as I like to call it. Don't just talk about it, I need to see it.

Speaker 2:

And because I have that technical acumen, I know what I'm seeing, I don't have to guess and I can ask the technical questions, if need be, to fully understand it before bringing it to someone who is not technical at all and explaining what this does.

Speaker 1:

I don't know if I want my BISO in the weeds. I feel like that's a recipe for death. I don't want my heart surgeon pulling my teeth out. You know what I mean. So I feel like if you were too much in the weeds, I think that that's the problem, is like, when you're in the weeds and you're in the technical role, it requires a lot of attention and a lot of deep focus, and you have to get down there, and once you get down there, it's hard to come up. It's like jumping into a very, very deep well. So yeah, I feel like the BISO is like sitting at the top of the well, looking in every now and then, and hey, what's this thing? And then they yell up, oh, that's a firewall. Do we need it? Yeah, all right, thanks, here's a quarter.

Speaker 2:

Yep, no, and I've actually had to learn that lesson, moving from a technical director to a non-technical director. It was definitely like, oh, let me put my hands on the keyboard, let me do it, and it's like nope, you are the expert, I am just gathering the information so that I can make the right decision and bring that to the business to make the right decision when it comes to signing off that, yes, we're going to purchase this tool and you know, we're about to give this company $3 million.

Speaker 1:

What was that climb out of the well like? Because now I can picture you at the bottom of the well. It's dark. Often there are lights and servers all around you. What was that climb out of the technical weeds into the glorious light of the business? What was that like, you know, detaching from the keyboard?

Speaker 2:

Very difficult, I will say it. It took me about probably a year because I just I had access to the tools, I had access to everything, so I didn't have to ask anybody. It was oh, I'll just do it myself because it's faster. It's kind of, you know, if you have wives or husbands like they ask you to take out the trash and you don't do it, right then and there and they're just like fine, I'll just do it myself.

Speaker 1:

Passive-aggressively.

Speaker 2:

Yes. So it took a lot, and it took a lot of reading about leadership and how to become into that executive suite and how you have to trust the people who are giving you the information and allowing them to do their jobs, because that's what they're getting paid for and I'm getting paid for to look higher up from an executive standpoint. It was very difficult. I slid down the well many times, but from my failures, from disappointments in myself, I was able to get out of the well and learn to stay more. Don't go in the weeds, just stay at this level and let the experts do their job.

Speaker 1:

Expand what happened every time that you were supposed to do a non-weedy thing and you didn't. It sounded like it was painful at times. So do you have any good stories?

Speaker 2:

It was very painful. I do have a story. We were having scanning issues. Unfortunately, our security team who do the scanning, they were sick with COVID, and people were like, well, we'll just wait, it's okay. And that was another thing was I had to think more strategic than tactical, because tactical is...

Speaker 2:

I went in and I'm like you know what? I have access to the tool. I'll keep the. You know I'm thinking of the mission. The mission is still going. Let me help here.

Speaker 2:

And it was my manager basically was like what are you doing? That is not your job. I understand you're trying to support the mission and you're very passionate about what you're trying to do because you see the problem and you want to have that solution right away. But it's not holding other people accountable. You know everybody gets sick, it's okay. The work is still going to be here. We're not going to. You know nothing's going to stop, it's okay. And that was very hard pill to swallow because it was no, the mission has to keep on going and we got to do this and it was like nope, stop. I need you to focus on this and that is your responsibilities. I understand you want to help everybody and be superwoman. You can't, because you're going to get burnt out and you're going to. You know, then all of a sudden you're going to be out for a week. We just can't have that.

Speaker 1:

Where do you think that urge comes from? Is it like a safety net, so there's safety in having your hands on the keyboard and it's scary to embrace the strategic. Or is it just you have a hero complex Like what prompts you to you know, almost in an addictive way? Go back to the keyboard.

Speaker 2:

I think it was a hero complex for me, because I dealt with that. I dealt with, you know, hey, it was mission critical. We had to have this, especially supporting the government, as well as our soldiers overseas. It's that I just came up with that mindset, and it wasn't like, oh, look at me, I'm the hero. It was, I was successfully able to do that, and then it was, you know, as I was bringing people up and mentoring the younger generation and people who worked for me, I had to sit back and watch and learn that I'm becoming that micromanager, I am becoming that, you know, even though I wasn't, like, you know, watching everything they did.

Speaker 2:

It was, I need to step back. I need them to grow, I need them to be successful because, at the end of the day, if they're successful, I'm successful as a leader, and if I'm doing it for them, they're not going to learn and they're not going to be held accountable and be able to get to that, you know, stage where they can be promoted as the next director, which is what has happened within my organization. I had somebody work for me for two years and was able to grow them as well as grow myself. And they have just now been promoted as a director, which brought me so much happiness. And, you know, they came to me a couple of days ago and they were like, hey, thank you for everything you did for me, because I wouldn't have been in the director position if you didn't help me.

Speaker 1:

Shout out to that person.

Speaker 2:

Yes.

Speaker 1:

And I don't know if you want to reveal their name, but it's. Every time someone gets promoted to director, a security angel gets its wings.

Speaker 2:

Yes, I do feel that I was. It just brought me happiness. I mean, it was more than just getting a promotion for myself. It was seeing them, you know, be promoted and seeing them grow. Leadership in action yes, hold on, Let me just take my tear out.

Speaker 1:

All right, let's turn to investments. And, Charlie, this is your forte, right. And so what does the BISO office offer a company that's going through a merger, or even a smaller company that's getting acquired? Does it add anything to the value of the company that's getting bought? Or, you know, just, I'm guessing here, just assuming that because you have a BISO, you've probably identified a lot more business risks than if you otherwise didn't have one. So does having a BISO, or at least a function similar to the BISO, in a company make it more attractive?

Speaker 3:

I mean in essence, yes, they're going to know where all the inefficiencies are.

Speaker 3:

They're not necessarily going to be able to address and fix all of them, because that's not specifically their job or their role, but they're probably the first person you want to talk to in terms of trying to address any of the inefficiencies that are in the business, because I'm sure they've got a list of pain points that's a mile long at that point. So they're going to know where all the VMware software license issues are, where everyone's using something different, where everyone's breaking protocol, where everyone's got their shadow IT stuff at, and they're going to know basically all the internal secrets that are hidden that management might not be all aware of, because everything is silent, everything is hidden away in different departments. So that'd be like your first resource to look into to find out where all the inefficiencies are. So when you go in for a merger and acquisition, you would actually know where to start cutting things out first and start restructuring from the inside out.

Speaker 1:

From that angle, Olivia, how do you measure the value of the BISO?

Speaker 2:

So that is a difficult question.

Speaker 1:

Yeah, I'm asking about ROI here in cybersecurity, which is totally unfair. But, like everyone...

Speaker 3:

Maybe I can answer. Maybe I can answer it for her. Okay, from a CISO's point or a BISO's, again, it's looking at all the inefficiencies down my level. I don't, I have no clue what they're doing. As much as I want to get my hands on a keyboard, and, believe me, I've fallen down the well. I've sunk a few times, more than a few times, in fact. I still do it, it's whatever.

Speaker 1:

Yeah, what's down there guys, Like isn't there, like some.

Speaker 3:

It's a rabbit hole that you get lost in. I will tell you that for sure. But going back, I think that the BISO has the opportunity to find all the inefficiencies and find out where we can improve. Naturally, I'm not looking at that, because that's not my objective or goal at the time, but they're going to actually be able to give us information that's valuable and critical to what we're trying to do and maintain the business objectives. What I do find is most people don't know how to consult with their BISO or their staff and find out what those are or what those inefficiencies are, because maybe they don't have that position in place, or because they don't have a trusted network or trusted staff in place. I think that might be the biggest problem, but I think that the best thing that they can do is report all the inefficiencies, all the business functions that we're not looking at.

Speaker 2:

Yeah, I would agree. I know for a BISO we're working to show value, and the value is executive reporting to show each group within the organization, saying, and kind of doing, what I like to call the high school grading level, where we show the vulnerabilities, we show incidents, SLAs, we show not just cyber risk but the business risk, because a lot of people are not looking at the business risks that are within the organization, because cyber takes so much: SOPs, projects, and comparing that to other executive reports, seeing if there's something where we can have more of a collaboration of projects, or we could have, you know, if there's something that's a vulnerability that's affecting everybody, maybe we can come up with a Python script or something to push it out to everybody. So one, you know, vulnerability is fixed, and not having it, you know, go through change management 25 different times to patch the same CVE.

Speaker 2:

I think that's where the value comes in with the BISO. And then you know, also adding the numbers for the CISO, saying here's your biggest risk. We want to make you aware because we, you know we need you to bring that to the board. The BISOs don't go in front of the boards not in most organizations so we bring it up to the CISO, to bring it up to the board, letting the board be aware of the overarching organization risk and you know, kind of adding those numbers saying if we don't fix this, we're looking at a data breach that will cost us $6 million. So I think that's where the value of the overall business is functional.

Speaker 1:

You just make sure that information and communication is as fluid, as crystal clear as possible, so that everybody knows what's going on at any given time. The board is aware of what's happening, everybody's aware of the risks and then, when there's time or when there is an opportunity to remediate or to fix something, that it happens quickly and effectively and efficiently. So your metrics are probably in the realm of time to XYZ. How much had we shortened blah, blah, blah? How many risks have we identified and remediated within the shortest amount of time? Is that fair?

Speaker 2:

Yeah, that's absolutely fair.

Speaker 3:

Okay, what do you think, Charles? I think that is important. I think that, going back to what Olivia said earlier about the $6 million, I think that by far is going to give most CISOs ammunition for the board that they never had before and I know Olivia is kind of like a rare case, but I know that most CISOs don't have any way of quantifying risk or qualifying any of the risks and what that means in terms of dollars and cents. And that's their biggest problem when they speak to the board. The board doesn't want to hear about specifically how many farm buildings I know the CISO does, but the board doesn't want to listen to how many things have been remediated, what's been done. They want to know why are you costing us X amount of dollars? So when you quantify that risk, all these CVEs that Olivia was just talking about equal a $6 million risk to the business. Does the business want to spend $50,000 to patch the $6 million risk or do they want to accept the $6 million risk? I think that type of information is very critical to the board because they are understanding if I spend $50,000, I'm hedging a bet that I'll save $6 million and that's what the board likes to understand.

Speaker 3:

Why are you spending the money? It's not that we're a cost center, it's that we're essentially some type of insurance overlap. We're hedging bets versus CVEs or hedging bets versus vulnerabilities. And when you explain it in terms of dollars and cents, it's a different conversation. So, to go back to what Libby was saying, when you explain it in terms of dollars and cents, in conjunction with the technical information, it's a completely different conversation. Because then it's like oh, wait, wait.

Speaker 3:

So we saved, so we fixed 10 or 15 CVEs, but we spent, you know, a hundred thousand dollars, whatever the case may be, but we saved the six million dollars. Or we spent, you know, fifty thousand but we saved the six million dollars. That's, that's no longer a cost. That, that's a, that's a risk mitigation strategy or an insurance policy, if you want to, if you want to qualify it like that, it's a, it's a pearl pearl. So at that point in time, it's no longer a cost center. Aspect of it, it's, it's more of one lines of insurance and asset management. It's a different strategy, it's a different, it's the same information, but it's actually written off differently in the books and accounted for differently.

Speaker 1:

Yeah, yeah, I think what you're saying is a laser. So what Olivia is positing is sort of the overall, or at least what she said, what I posited, and assume that I was right that the criteria for success is functional. But that's sort of the overall view of it. But if you were to be laser focused into what does that really mean at the end of the day? Which function? What kind of communication? What are we communicating then? To your point, Charlie, it seems to be dollars and cents and risk.

Speaker 3:

Correct. Is that a good summary? It is the board only cares about what it's going to cost them. Again, when you start talking about taking away bonuses, crashing the stock price or anything that negatively affects public opinion and or their stock values or their financial bonuses, it's a different conversation. So when you start tying dollars and cents risk to the risk of an incident or whatnot, now you're saying, if this, if this incident actually occurs, you're going to lose your bonuses, it's a different conversation.

Speaker 1:

And that's, that's the, the part that the BISO brings to the, to the board meetings and to the table that the CISOs I don't want to say the BISO function, because I'm not thinking of just like the role of the BISO, but the BISO-sphere. Do you think that AI will come for any jobs, especially the junior positions that are heavily involved in the operations of the BISO?

Speaker 2:

I think, yes, AI will be helping a lot of that low I don't want to say low-hanging fruit but that tier one, help desk, because it's going to be those generic general questions where, you know, I'm having issues connecting to the Internet or I'm having issues doing this and kind of adding those steps. But I think it's also going to lose that human factor where a user can contact the help desk and say I'm having this difficulty, can you walk me through it? And I think that's going to be difficult for a lot of end users. But I think it's also going to help with incident response tremendously. But at the end of the day and I know there's a lot of conversations regarding AI is it going to be more proactive in protecting your organization or is it going to be your next risk? And I think it's going to be both.

Speaker 2:

But at the end of the day, it's who's the stronger developer developing AI when it comes to behavior analytics and do you have the backing to support your AI infrastructure doing that lesson? You know I call it lessons learned, but it's learning how your organization works and how it can manipulate. You know, take care of those false positives and help with the general. But I think that's also going to help support you know the people. If you're thinking of a help desk like the tier one, we're going to get rid of those, but we're going to move them as a tier two. And then you know those tier, you know two, tier two people. We would move them to a tier three and further up because, at the end, and that supports them, because, at the end of the day, we all want to grow, we all want to change and improve ourselves individually. This is the opportunity to do it.

Speaker 1:

How does that work? That's one thing I don't understand with the narrative, because I hear everybody saying exactly what you just said in different iterations, and I think it's generally true, where AI will help people move into places they weren't before. But how do you take a junior team member, junior analyst who has six months of experience now you've got AI on your lap. Maybe that person is not ready to go into tier two for another two years? They just don't have the experience. Do you wait two years for that person to move in and hold off on AI while the world moves forward, or do you fire that person and have the AI take their job?

Speaker 2:

I don't think even firing the person, because an organization is investing in people and if you invest in people, that investment is going to grow and it gives the people the opportunity. And I know that personally. So I've had companies where I was a junior in a different role and I didn't have all the expertise, I didn't have all the information, but the company invested in me and I was. I invested in the company and actually gave a profit, a value of what I was able to turn out, because they took the time to show me, teach me and allow me to grow into the position that they gave me.

Speaker 1:

Well, I think that that is an admirable organization. I'm not confident that everybody would be as benevolent. I think a lot of companies are going to see this as a way to save money and to get rid of bloat. We'll see. I've got my ears to the ground and I think I see a lot of things in AI and agents that point me to that world where people will get let go or at least companies will stop hiring for those roles. But I'm hopeful. I really hope that it doesn't happen that way. I hope that it happens slowly and in a way that allows everyone to grow and everyone to take part of this AI boom. If people want to find you, Olivia, how can they find you and follow you?

Speaker 2:

I'm on LinkedIn. Very easy to find Olivia Phillips, or my hashtag is simply Olivia, and they can find me and I'm always eager if they have questions or if they want to learn more. I will always take the time to pass my knowledge.

Speaker 1:

Awesome, Charlie. Do you want to be found? You're in San Francisco right now. I don't know where you're going to be next. How can people follow you?

Speaker 3:

They can always catch me on LinkedIn, just the same. So my hashtag is NYLCharlesPayne, so they can catch me there. Happy to respond back to the questions, just the same. But yes, I'm not sure who I'll be next either.

Speaker 1:

And if you want to find me, look me up on LinkedIn, J-O-S-H-B-R-U-Y-N-I-N-G. I'm the only Josh Bruyning on the planet. Nobody dare name your kid Josh Bruyning, because I wear that with a badge of honor. And if you want to know more about Bruyning Media and what we do, visit bruyning.com, B-R-U-Y-N-I-N-G dot com. And thank you for listening to this episode of Cybernomics. And oh, our Cybernomics newsletter is out, so subscribe. And also, we are regularly posting videos and shorts to YouTube, so make sure to slam that subscribe button and give us a thumbs up. Thanks for listening to this episode of Cybernomics. Bye.