Guest advisor Caleb Sima is Chief Security Officer at Robinhood – the well-known stock brokerage app you may already have on your phone. He shared his thoughts on dealing with humans with our CyRise Elevate members.
Over a 20+ year career, Caleb has co-founded three companies, been a hacker, a CTO, a CEO, and is now a CISO and Board Member. An independent thinker with a curious mind, Caleb claims he went from a technical role to a CISO role because, “there’s always something new to learn”.
A widely recognised technical expert in identification of emerging security threats and penetration testing, he’s also a candid character who doesn’t mind a bit of a joke:
“I’m here to give investment advice and talk politics,” he laughs.
We asked Caleb what qualities he thinks helped him succeed. Despite his modesty, he still delivered us some nuggets of wisdom on success:
“What has helped me to become successful? I don’t know! I don’t even know if I would say I am a successful security leader, to be honest. I tend to be able to build good teams, the people around you are key. I hire people I think are smarter and better, then move things out of their way! Unblock them. That’s what I do every day.”
Top three pieces of advice for CISOs
Given that CyRise Elevate is all about getting better, faster, we grilled Caleb on his lessons learned from a career in security. Interestingly, most of his advice was not about security tools, workflows, or technical advice, but instead centred on dealing with the humans around you.
Here are Caleb’s top three pieces of advice for security leaders, on working with humans:
1: Humans need stories – not security information
Don’t overload your board with facts and figures
When engaging with the Board, one of the mistakes CISOs make is overloading them with information. “A lot of people come to the board with metrics and numbers and statuses. In my view, the board is not a status update, the board is about telling a story,” says Caleb.
Tell a good story
“Tell a story about what’s most critical, what you need, and how the board can help you get that done. You should pick one, two, maybe three things that are top of mind, and tell this in a story – not in metrics.”
Need metrics? Try maturity models
“I lean towards maturity models because they’re impactful,” says Caleb. “For example, I spent my first 90 days at Robinhood identifying our crown jewels, and working out what protections they had around them. My metrics were, ‘Ok, how many jewels do we have, and what level of maturity are we at protecting them?’ Once you have that information, you can work out your overall security maturity, and tell that as a story to the Board.”
2: Don’t educate developers on security
No-one likes security
“Security is a pain in the ass. No one wants to do it. It sucks!” laughs Caleb, with refreshing candour. “Personally, when I code, I can see what I’m doing wrong, but I just need to get the project done – then I go back and fix it. Building things is fun, security is painful.”
It’s not useful to teach developers security
Caleb points out that even security professionals don’t know everything about security. “I asked a room of security people to name the OWASP Top 10. No one could do it. This is a room full of security people! So how do we expect engineers to know cybersecurity, in addition to all their other priorities? Education is good, but that’s a long game. Don’t expect to fix engineers by educating them.”
Remove security problems from developers
“Your job isn’t to educate developers on security, but instead to abstract security problems away from them. How can they build a safe product without knowing security? My dream is that our intern at Robinhood could build a product and we could release it knowing it’s safe by default,” shares Caleb.
3: Can’t get your way? Escalate or contain
Disagreement on what poses a security risk is normal
When asked what to do when security priorities conflict with engineering priorities, Caleb had some cut-and-dried advice:
“Our job is to manage risk for the company. If there’s a major breach, then I haven’t done my job. So I think friction between security and the rest of the organisation is okay. If you’re in security and you’re liked by everybody, something is wrong! But it doesn’t mean you can’t get along.”
Don’t be afraid to escalate up the chain
“Obviously, you don’t want to screw your cross-functional partner by throwing them under the bus. But if I consider it a major risk, I’ll escalate, you bet,” Caleb shares.
Understand that security isn’t the top business priority
“When I escalate a critical problem, I don’t always get my way – and that’s okay. We might get together and agree we just don’t solve that risk. If the company decides this is just not the risk I’m going to spend my time on, that’s okay. I’ve done my job. At the end of the day, security should never be priority #1. If it’s in the top 5, that’s great,” Caleb says.
Contain risks with compensating controls
“If the business has decided we cannot solve this risk, then it’s your responsibility to contain the risk. If you can’t convince the company to change, it’s your job to put in place compensating controls,” shares Caleb.
If you can’t have control, you need the ability to monitor the risk.
“If you can’t have monitoring, then we assume the thing is always breached, and build around that. We figure out a lot of alternative ways to secure products and reduce risks, even if the cause of the risk itself can’t be changed in a way we might prefer,” shares Caleb.
For difficult decisions, use rings
To work out when to escalate a problem and when to go around it, Caleb suggests using an adapted version of the Intel Rings model to help make decisions.
“Ring 0 is most critical. If the risk falls in Ring 0, we don’t have compensating controls – I will die on a hill to make sure the vulnerability is secured. Ring 1 might be securing things like PII (personally identifying information). Ring 2 might be business systems. Ring 3 is all the things that aren’t as high risk.
For Robinhood, one of those Ring 0 issues is crypto-custody. There’s nothing we are lenient on – there’s strict engineering, immutability, integrity controls. At Ring 0, engineers must work around the controls we have in place.”
Follow Caleb Sima on Twitter and LinkedIn, and CyRise Elevate on Twitter and LinkedIn.
CyRise Elevate is our membership and development program for ambitious cybersecurity leaders. We’re currently recruiting members for our new CyRise Elevate tribes for GRC and technical security leaders and have limited spots available in our CyRise Elevate tribes for senior security leaders in scale-up organisations.
If you know an ambitious security leader you think might be a good fit, we’d love to meet them. For our new tribes, the perfect candidate is someone who has strategic responsibilities and (probably) reports to the CISO or the Head of Information Security. Is that you or someone you know? Send us an email at [email protected] and we can send you some more information.