What’s The Difference Between A Consultant And A CISO?
Jason Rader, chief information security officer at Insight Enterprises explains
Melbourne, Australia – Apr. 26, 2022
Jason Rader never aspired to be the CISO of a Fortune 500 company, but that’s exactly where he ended up after a seven-year engagement as a security consultant escalated into a permanent role late last year.
As vice president and CISO of IT solutions provider Insight Enterprises, he says, he has been “pleasantly surprised” at the engagement of the largely remote workforce of around 11,000, who have proved more responsive to his efforts at engagement than he anticipated.
“As a consultant, I would be telling them ‘you really need to engage your user base,’” he told Cybercrime Magazine. “But then I’d get to go home and let somebody deal with that hard work.”
The difference between being a consultant and a CISO is like the difference between being a boyfriend and a husband, Rader jokes.
For 25 years, he said, “I liked the consultant life… it’s all exciting and dazzling and you come in and say ‘hey, we can get all this new technology and do transformation and do these things.’”
Now, as the CISO and metaphorical husband of six months, he said, he’s had to be the one that understands “there’s some stuff that’s got to be done before that can actually happen.”
A vision for cybersecurity
In the new role, the buck stops with Rader — and in working to build a security culture as Insight Enterprises pivoted to become a more service-oriented company, he has come to realize that the “hard work” he previously joked about can also be extremely rewarding.
“I always had this thing that it was going to be hard to engage the user base and get them on board,” he explained, “but I really have found that everybody wants to know what their part is.”
“You tell them what’s going on, and they really [respond]. It’s a cool journey so far, and I’m really excited about where we’re going to go with this. The whole place has to change — not just security, and not just the lines of business — and everybody’s got to change to do this.”
Dragging the supply chain?
Yet for an organization dedicated to helping clients across a broad range of industry verticals to implement technology — and do it securely — user engagement has been just one of the challenges Rader has faced in his new role.
Given surging industry concern about the potential introduction of security vulnerabilities through trusted partners, filling out security questionnaires has become a bread-and-butter obligation for Insight Enterprises — which, Rader said, has led to dedicating “at least eight people to the security assessment questionnaires that you get as an organization of our size.”
While the questionnaires are a crucial part of risk management when engaging customers that face unprecedented scrutiny of their security practices, Rader says each questionnaire is worded differently, with different requirements and different expectations of the company.
Yet we’re still a long way from that point, he concedes. “Everyone asks questions different than everyone else, and it’s a lot of effort to go through and at the end we’re just as secure as we were before we filled it out,” he says.
“And while we’re very responsive — because, of course, Sales wants to make sure they can sell stuff and they can’t sell stuff unless clients feel good about it — [security reviews] are definitely a problem.”
Given the ubiquity of third-party risk reviews, Rader believes the security industry can do better than just flooding suppliers with complex surveys designed primarily to tick governance, regulatory and compliance (GRC) boxes.
As an industry, he explained, “we’re in this weird place. There are tons of regulators out there, and state and federal agencies that are asking similar questions — and it gets overwhelming.”
“My commitment back to our clientele and my constituents is that if there’s a security event, I’m going to let you know if that affects you.”
“It takes a long time to figure out all the nuances depending on the different verticals that you’re dealing with,” he continued. “And there’s got to be some kind of standardization to make it easier to respond.”
Looking for a better way
He’s not just trying to save his team paperwork: as a certified auditor himself, Rader knows more than most about the value of compliance questionnaires — and that’s why he’s ambivalent about their enduring value in actually improving security.
“From a real perspective, everybody that’s ever been breached was compliant to all of the things that they needed to be compliant to,” he explains. “Even if you get a glowing [review] with all the boxes checked, it doesn’t mean you really have fantastic security.”
From a compliance perspective, however, he is pragmatic enough to understand the value of demonstrating alignment with security standards like ISO 27001 — which has become table stakes in many commercial arrangements.
Yet in any potential partnership, CISOs need to be ready to look past the checkboxes to build meaningful understanding about each organization’s strengths and weaknesses — and how they can work together to ensure the mutual security of an otherwise beneficial relationship.
“I’ve had some of the sales folks approach me and say ‘if we don’t have, say, ISO 27001 we can’t get this opportunity,’” he explained.
“But just because we haven’t decided to put our entire organization in scope for ISO 27001 doesn’t mean that we’re not secure. It means that I need to have a conversation with their CISO so we can talk about it.”
Indeed, “talking about it” has opened Rader’s eyes since he stepped into the new role — and the “really impressed” Rader likes what he’s seeing.
“Working with the internal core resources we have,” he said, “I talk to a lot of the security and C-level folks when we’re selling the type of consulting that we do. And [after] engaging with those core folks — they are rockstars, and I don’t think they get enough credit.”
“I love for people to get recognized, and I love helping people elevate the stuff that they’re doing really well, that might be missed. They need love, and they deserve it.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.