0:00:00 Emily Wearmouth: Hello and welcome to another edition of the Security Visionaries podcast. I'm your host, Emily Wearmouth, and today I'm joined by our first ever guest from Brazil. So welcome to the show, Nycholas Szucko. Did I say that right?
0:00:14 Nycholas Szucko: That's right. You just nailed it. Thank you so much. We're so far away, but we're able to connect and communicate. I'm so glad to be here today.
0:00:23 Emily Wearmouth: So let me introduce you to the listeners so that they know why we've invited you on. Nycholas sits on six boards at the moment. There's a lot more on his CV, but currently six, and he is also heavily involved in Diversity on Boards, which is the world's largest organization for C-level professionals and is active across 15 countries. And regular listeners will know I always like to find out the origin story of our guests, where they came from and why we should listen to their advice. Why are they security visionaries? And Nycholas, while your career has been on the business professional side, your early days were as a systems analyst. Is that right?
0:00:59 Nycholas Szucko: I need to tell you something. Before I became an analyst, I was a musician. I thought that I was going to be a cello player. I used to play cello for 10 years. I used to play for the youth philharmonic here in Sao Paulo. Unfortunately, we know the challenge to be a musician, especially for classical music, and my way to be successful in my career and make money for my family was being a computer programmer. But the music helped me a lot to be successful in my career, like the team player, how to communicate with the other instruments from the orchestra, your group, how everybody studies and plays as well as possible, while you are all part of becoming just one music in the end. All this amazing experience helped me a lot, and reading the things that I need to read to play helped me to do the logical computer programming. It was amazing how the things in our life have been connected through the time.
0:02:01 Emily Wearmouth: Yeah. Do you know, I've heard before, and we've gone completely off piste immediately, but I've heard before that people that are very good at music are often very good at maths. So that link between reading music and writing code, that makes sense to me. I have no idea why, but it does make sense.
0:02:16 Nycholas Szucko: It completely makes sense, yes. And after that I went to the university, I started doing computer science, but it was too technical at this time and I decided to become an entrepreneur at a young age with a colleague from the university. We joined forces to build our first company. It wasn't cybersecurity at the time because more than 20 years ago, cybersecurity wasn't the big deal. When I open my speech, I say I am from the time when the biggest challenge that we had in cybersecurity was like an inbox full of spam or a computer with a virus that just made the computer slow, no more than this. And for sure after that cybersecurity evolved a lot. The challenge too. And I started doing this kind of initiative to connect not just the technical side but the business side. And when I look back, I think that's the big reason. It's because I started being an interpreter early in my career.
0:03:15 Emily Wearmouth: Well, you've hit on something that I love the moment where we went back to the halcyon days where there were very few threats, but cybersecurity now is absolutely bigger, more important. There's much greater risks out there. And that means that security leaders within organizations are finding themselves even as a shift in the last decade, much more exposed to business conversations, senior leadership, the board want to know what they're doing. The risks that they are handling are on the board's radar. And I think it's interesting and what we're going to talk about today is how do people who perhaps have come up through a technical background or even just a department that to some extent was allowed to get on and do its thing relatively quietly, is now in the spotlight of the board. What extra skills do people need in order to navigate those relationships and in order to get the successes that they know that they're working towards? And I'm going to pin a lot of the conversation today on a piece of research that came out at the back end of last year, listeners can go and look it up. It's called Crucial Conversations. And the researchers did a really extensive job. They spoke to CEOs around the world and grilled them on how are they working with their technology leaders within their organization? What do they want from them, what's not working? And then they went and they spoke to the CIO and they sort of played that back to them and then they got the CIO perspective. And then they did another wave where they went into the CIO's team and they spoke to sort of VP level, the people that are very hands-on with the infrastructure to try and get an understanding of how visible are these conversations and how much are they able to take an understanding of what the business leaders want and apply it to the decisions that they're making day-to-day. 
So that's the background research and there's loads of data points and I'm going to be throwing some of them at you, Nycholas, today and get your thoughts and opinions and advice on how we should walk forward. So the first question I want to ask you is related to a data point that shocked me. 39% of tech leaders report being completely misaligned with their CEO on key decision-making, completely misaligned, 39%, and 31%, so almost a third, aren't even confident that they could tell you what their CEO wants. So how should a security leader, how should a CISO start to bridge this alignment gap and get some understanding of what the CEO wants and then start to apply it to what they're doing?
0:05:40 Nycholas Szucko: From my point of view, it's all about communication. As much as we want the board level, the C level, to understand the cybersecurity language, and even the technology language from the CIO, the CTO, we need to understand that the board level and C level, they have a lot of responsibilities and a full agenda of completely different subjects. They have the fiscal, they have the macroeconomics, they have everything on their plate, they need to find a way to prioritize. And yes, cybersecurity can generate a huge impact, but a misaligned contract, these kinds of big things that happen around the world can really break a company. And when we understand that, it's our job to learn more about the business, learn the language that they are speaking, that is completely aligned with risk, exposure, business impact. And we need to tell them that we are a key part of the strategy to guarantee the business continuity, reduce the impact, increase the maturity level of our operation and protect the brand. We are the guardian to protect the brand, but we as a technical CISO, CIO, CTO, we need to step ahead, learn from the business and do the translation for them because, as I told you, their plate is full of different subjects and it's difficult to understand. And when we start saying technical things, we generate a disconnection, the misalignment, and create this distance between the board, the C level and the CISO and CIO.
0:07:17 Emily Wearmouth: There's something interesting in there when we talk about communicating or these new skills that leaders need to acquire. There's a lot of focus on the talking part of communication, but communication has an awful lot of listening involved. Otherwise it's not communication, it's just talking. And that data point really goes to the heart of that for me that it isn't just about whether the CEO understands the technology. We'll come to that in a bit, but it's about whether the security leader understands the CEO and is listening to what the business wants. And I wonder are there certain forums or environments that security leaders can put themselves in to do a better job of listening and absorbing what the business wants to help them when they're playing things back?
0:08:02 Nycholas Szucko: Yes, we learn a lot about how to talk but so little about how to listen. And for a successful communication, we need to make sure that the other parties understand, because we need to remember the C level and the board, they have a lot of experience. They have a career full of different scenarios. They can take decisions, but we need to inform the indicators, the risk, where we are in this scenario, and share with them as much information as possible for a better decision. Because we need to remember, at the end of the day it's a business decision, whether it's going to invest or not. Whether it's going to reduce the risk or not depends on the appetite for risk. Sometimes, because the company needs to acquire more market in this period of time, they're going to take more risk. It's natural for this kind of period of time for the company. But right now that I own the market, I need to protect my business, I'm going to invest more in cybersecurity. And when I do my speech for the CISOs or the CIOs, I try to bring some techniques that they need to learn to become more efficient in this kind of conversation. The podcast that I have, with the name Board and Board Members, is with the CSO from Bradesco Bank. He's an amazing professional, Glauco Sampaio. He's another guy that's focused on the board member, and right now we are talking about that. What are those new skills that the CSOs and the CIOs need to have? It's communication for sure. Storytelling. We need to find a way to tell the story in the way that's going to connect and make sense. At the end of the day, we need to have some kind of selling skills. Yes, we need to sell ourselves as a professional. We need to sell the project to the board to be approved. That is very important. The financial piece, it's very important too, because when we present in that way, it's very difficult to say that cybersecurity is going to generate ROI. But yes, we can protect the stock option price.
Yes, we can help to reduce the risk because the impact, right now it's 20 million but we can reduce it to 10 million. This kind of conversation, or the way that we present the budget for the year, it's important to increase the chance to approve the budget and make your project happen. Communication, storytelling, selling skills. And yes, learn a little bit about financials; that's going to help you in your career and make you successful.
0:10:37 Emily Wearmouth: Something else that came through in the research, and I'm going to give both the UK and the US pronunciation here. CEOs wanted a trusted lieutenant to the American listener, they want a trusted lieutenant. They were talking about someone that can speak the language of business, someone they can work with. But that trusted word felt really important to me. And I wonder how do you go from being a lieutenant to being a trusted lieutenant? How do you step up in the CEO's eyes and build that trust?
0:11:04 Nycholas Szucko: From my experience, you need to put yourself in a position that you're going to serve. Yes, we're going to take care of the pipes, yes, we're going to take care of the dirty jobs for the cybersecurity, not just for the technology, but try to educate everybody. Position yourself as a communicator, building reach between other areas. And as soon as you are available for someone from one C level, you build this trusted advisor connection. For sure he's going to tell good things about you to the next one. And the amount of time and energy that we invest for this first one is going to reduce for the next one, maybe after one year, two years. It takes time; it's not from one day to another. Be providing services to them, communicating in their language and being proactive. Sometimes when something comes up in the news, translate their language, the language of your business, and share it as a piece of training, a piece of education for those C levels. And after maybe one, two years, you're going to have a chance to have a 10 minutes presentation to the board. That's going to be amazing. You need to train a lot because, presenting to the board, you need to be focused, you need to get numbers, benchmark, and you need to do it in just 10 minutes. It's a real challenge. You start with surveillance, service, helping them, supporting the operation, and for sure they're going to find your spot in the scenario and you have a chance to present to the board.
0:12:38 Emily Wearmouth: Before I ask the next question, I just want to acknowledge the obvious. The sun has come out here in the UK now. It has not been a thing since we started capturing video for our episodes way back in the autumn. So we sort of hadn't anticipated what might happen when the summer started to arrive in the UK. So I do apologize if I get really, really bright as the sun ducks out from behind clouds on this lovely spring day. The other thing I wanted to pick up on from the research was the vast spectrum that came back from the CEOs in terms of their comfort with risk. And you alluded to it earlier that the world has changed quite a lot. And while even five years ago we would think risk is bad, we want to avoid risk, actually in business today, you can't avoid risk and through risk is where rewards lie. So some CEOs are much more comfortable with taking on risks than others. And I wonder, do you have any advice to help security leaders determine what risk comfort level their CEO has? Because it's not something that is uniform across the board. Every CEO is going to be different. How do you psychoanalyze your CEO to work out their comfort with risk?
0:13:48 Nycholas Szucko: We need to study a lot even before having the first meeting. We study the past experience of this CEO or the board members. Something that I do recently is, when I get the board members that I need to be in front of during a presentation, I do some role plays with the AI. I create the personas for each board member and do some kind of interaction to understand the reaction and be well prepared for the next meeting. It's a really good piece of advice that you can use; everybody right now has a chance to do it and you become well prepared.
0:14:29 Emily Wearmouth: How are you doing that, Nycholas? On that one, are you building little AI versions of individual execs that you work with, or are you going for sort of the AI system's generic understanding of a CEO or CFO?
0:14:42 Nycholas Szucko: Exactly. And they can guide me to the best way to communicate, or a specific word that's going to get the attention, or the approach that I need to have from the beginning to make sure that I'm successful. When I do this kind of preparation, I feel more comfortable in front of the board members because, I need to tell you, even me having a lot of experience, I have some butterflies in the stomach when I am part of an important meeting. The more I prepare myself, the better my presentation, my meeting, is going to be. And I'm going to feel more comfortable about that. And it helps us to understand first the profile of this equity and the vertical that this company is working in. Just one example, when we talk with startups, startups are agile, they can take more risk. No, and they are, how can I say, willing to do that because of the profile of the company or maybe the age of the executives. But when you go to the industry, it's a completely different scenario. But yes, right now, no, the cyber attacks can reach the plants and generate a huge impact in the production process of the plant. No, but we understand they are more risk averse. No. How will you position your pitch with someone that is more risk averse? My suggestion would be, first, understand the professional, look back on his career. We can see those C levels doing speeches in podcast interviews; get those insights for you to have a better communication. And second, understand the vertical. Understanding the vertical, how much risk the vertical is willing to take, you're going to be very successful in the communication and in the meeting.
0:16:31 Emily Wearmouth: So I want to get in the detail with you a little bit now because we know that CEOs don't want to know too much of the detail about what's going on in their tech stack and they want their leaders to be able to summarize things and bring in the key metrics that are pertinent to them. But what was consistent through the research was CEOs expressing a frustration in this black box of technology where perhaps in the past they used to be able to see physical racks in a data center and it made more sense to them. Now everything's sitting in the cloud, everything's a bit more virtual and they're really struggling and they're looking for their security leaders to help explain what's going on a little bit more. And it was picked up as well with the research that was done at the VP level where 61% of tech VP level reported that their CEO is frustrated by this lack of infrastructure transparency. And I wonder what are your thoughts about that? And just how far should security and tech leaders go in trying to explain what's going on inside the black box?
0:17:27 Nycholas Szucko: I think that we need to have a different approach, even with as much technology as we have right now. A lot of the time I use whiteboarding to do a generic explanation, very basic, of the architecture, just the main things. And I always use daily-life examples. Just one example, two-factor authentication. It's one lock, two locks. And when we talk about protecting layers, you have your wall, and the wall from the street, all the way inside to your door and the safe inside the house. Try to bring those kinds of examples. It's not going to be too much of the detail, but do the whiteboard, do these correlated examples, because it's going to make those kinds of architecture clear for them, and even the scenarios, try to translate them for the business side. Just one example, when I was working for the industry, they had all the equipment that they need to have to get into the plant, the helmet and everything else. This is what we need to do for our data, it is the same, but the language from the industry is completely different from the financial area. Now try to correlate those scenarios because it's going to be easier to explain for the audience to understand you. And when you realize that the number of questions is increasing, or the questions are more related to what you are trying to explain, this is when you realize that you're being successful in this communication. When you arrive in a meeting, just you talk and you get out without questions or any interactions, it's not going to be a good meeting and maybe you're not going to be invited to be in the room again.
0:19:14 Emily Wearmouth: Yeah, you might run out of the room thinking, phew, I got away with that one, no one had any questions. But actually it's a clue that they possibly weren't engaging with what you were saying, and questions are often a good thing.
0:19:25 Nycholas Szucko: Exactly.
0:19:26 Emily Wearmouth: I want to talk about agentic AI. So I think there was a stat from Gartner, I've got it here: by 2028, they reckon that 15% of daily business decisions will be made autonomously using agentic AI. So 2028's only two years' time; 15% is quite a lot of business decisions being made by machines rather than humans. And I wondered whether this rise of the agentic workforce, whether you are seeing it change the way that boards are looking to IT leaders? Are they looking at them more akin to HR leaders? Is their role changing in some way because they're now seen as the masters of this new workforce in some way?
0:20:04 Nycholas Szucko: Yes. One example that I was saying to a retail company: can you imagine your procurement department being just AI agents, and each AI agent is going to have their own identity, is going to have their own credit card to be able to take the decision and finalize the transactions? And when we first talk about that, they say, no, that is impossible. No, it's possible right now. And you're going to reduce the cost of too many in the procurement. Yes, at the beginning we need to remember that we need to increase the investment; for the first year it is more investment than return, because we need to invest in cybersecurity, data protection and the project to implement this kind of AI department for you. But after that it's going to be amazing how productive it is and the insights that this department is going to provide to your business. And when we talk about this kind of approach, the CISO, the CIO, they can play a very important role to help to understand the depth of the technology, translate it to the business, but be the ones that are going to lead the project holding hands with the procurement leader. Because the procurement leader knows everything about the department, the process and everything else. And the CIO can teach how technology can help on those processes, on the daily tasks, and it could be a really good, how can I say, teamwork aligned with the business.
0:21:35 Emily Wearmouth: Yeah, teamwork like the orchestra you were talking about at the beginning.
0:21:38 Nycholas Szucko: Oh, good call.
0:21:43 Emily Wearmouth: All right. What else did I want to grill you about today? Oh, here's one. So a frustration that came up from the tech teams within the research was that they get brought into the strategic planning cycle far too late, that decisions have already been made, even within business units, around major AI initiatives or new cloud vendors that are being brought into the organization, and that they are always playing catch up. And I think 63% of IT leaders said that they feel completely removed from the strategic conversations that actively shape the IT decisions. How can people get themselves involved much earlier in those conversations? How do you step forward from being reactive to being almost consultative, I guess, in that way within the business?
0:22:28 Nycholas Szucko: Remember our previous conversation talking about serving the services to the other person, to the other department? No, we need to be proactive because it's not going to change from the night to the day. It's not going to be something forced. Now you need to involve cybersecurity for tomorrow. And this is difficult. Try to be proactive, schedule a meeting, a first meeting just to understand the department. Second, just to understand the needs. Third, to have more back and forth conversation about the possibilities. And this person is going to understand that you are not there to block the projects, because remember, a lot of CIOs and CISOs from the past, they had this kind of approach: you're not going to launch the product, you cannot do it. Instead you need to be aligned as a partner that is going to enable the business, enable the new product, but always sharing the risk and the possible impact. And the final decision, you need to remember, it's not your decision, it's a business decision. Who owns the product? The CEO that runs the company. You're going to be a really good ally if you can provide as much information as possible. Help in this education process to be able to be involved from the beginning. It's going to take time, but you need to start doing that right now. And I remember a case with a big financial company here in Brazil that was able to, how can I say, infiltrate one person from the cybersecurity team into each squad of the company. But yes, the skills for this person from cybersecurity that was infiltrated, it wasn't the most technical person, they were the ones that had the better communication skills and negotiation skills. Negotiation is another skill that is very important for everybody.
0:24:24 Emily Wearmouth: It's interesting because when you think about how large organizations are set up, very often their HR team has, within the department, a business partner aligned to other business units, and the finance team will have business partners aligned to marketing, for instance. But the tech team doesn't tend to do business partners, perhaps in the very largest organizations, but it doesn't tend to do business partners in the same way of infiltrating all of the other teams and having someone working directly with them so that they can anticipate these projects ahead of time, or as they start rolling, and start influencing them straight away.
0:25:01 Nycholas Szucko: Exactly. I think that is a really, really good approach to have. And the second one is the education process spread through the company. It's not just in the cybersecurity month in November that you're going to have the seminars, the speakers; you need to find a way to be able to talk about the subject on a monthly basis. No, just one example. When we work in an industry, they have one minute for safety. When the general manager for the plant starts the meeting, they say something: unfortunately an incident happened, and because of that, the new process or procedure is this new one. There is going to be a training in the following weeks. Everybody needs to attend for the safety of everybody here. Why can you not have one minute for cybersecurity? If we have it for safety, let's have it for security too. But you need to understand those dynamics and try to be part of them or replicate the same approach, because it's already working. You don't need to reinvent everything.
0:26:07 Emily Wearmouth: I want to talk about, well, over here we call them plasters, Band-Aids. I dunno what Portuguese is for the Band-Aid or the plaster, but that's what we're going to talk about next.
0:26:16 Nycholas Szucko: Band-Aid resonates for us.
0:26:18 Emily Wearmouth: Band-Aid works. Okay, we're going to talk about Band-Aids. The research found that Band-Aids are often happening in technology purchases specifically because there is a lack of buy-in at the senior level to make the more strategic changes that everybody knows need to happen. Everybody knows these Band-Aids are short-term solutions trying to fix a problem but possibly creating another one down the line. And the CIO research found that 36% of them, so a third, thought that their business was investing in IT infrastructure but still leading to Band-Aid rather than more architectural fixes. And I wondered if you had any advice on how a leader helps move that investment from, here's a point problem and we are going to fix it, into, hold my hand, I'm going to walk you through what might seem quite scary, but we're going to do some big grown-up modernization so that we can use fewer Band-Aids in future. How do you change that conversation?
0:27:18 Nycholas Szucko: Just one example from my career: I was working in a big cloud provider. I started working there one year before the pandemic, and when the pandemic happened, everybody needed to move to the cloud the next day. And when they decided to move to the cloud, they did the movement as is. The same way they are inside my data center, I move them into the cloud. It's not just a disaster from the cybersecurity perspective because the attack surface is way bigger; one small problem became a huge problem. But the consumption too, because if you operate in the same way as in your data center, the billing at the end of the month is going to be huge. It was the first time that I was trying to deal with this kind of situation. When you are a native company in the cloud, I think that it is easy because you can get all the benefits. We start coding for the cloud, the containers and everything else. But we need to remember that a lot of companies are from traditional business. Yes, they have part of the business in the cloud, but they have a lot of legacy. My suggestion would be, we need to cut it in pieces because they're not going to solve everything from one day to another. No, the first thing that I suggest to do is put in a plan the layers of cybersecurity that you have all around the company. The number that I saw in the past, for the big companies, they have at least 70 products to protect the company and around 30 providers to support this process. Right now that we have the technology, exactly why can we not have a platform approach? From the 70 players in cybersecurity, maybe you're going to have 30 good ones, maybe 20.
0:29:06 Nycholas Szucko: And having this platform approach, you can start onboarding into this new architecture all the processes, the products. And please understand that you are going to have maybe 5% of the technology that's going to be in your data center in a small computer that you cannot update. But it's going to be in a dark room with a lot of monitoring to avoid anyone getting in, no exposure to the internet. But it's a project where you need to say, we are here. The project in three years is to be there, to reduce the risk, increase the efficiency, and try to do some consolidation. Because remember, if you have 70 products for cybersecurity, you're going to have a lot of silos; it is impossible to connect everything the same and find an incident among too many events.
0:29:58 Emily Wearmouth: Yeah. And I guess that's when you run into a skills crisis because you need specialists for each element within your stack. You're going to run into team issues. Yeah, exactly. So I suppose what you're saying is build a platform strategy, but then you can take a step-by-step approach moving different parts of the business into it. But if you've got the right platform, then over time you can add things into the platform so that you're moving in the right direction without it being a big shock to the system.
0:30:26 Nycholas Szucko: That's correct. And the last advice about that would be, focus on the low-hanging fruit. Because can you imagine, after three months, no, in the next board meeting, you already show a lot of consolidation, maybe reducing the cost of the core contract or making a better contract because we were able to consolidate more technology for the same price. When you give this win for the next meeting, you're going to earn points. This is a game of earning points to get more space in the meeting and get more, how can I say, responsibility in this process too.
0:31:00 Emily Wearmouth: In the UK we'd call them brownie points; you earn brownie points with the senior leadership team.
0:31:05 Nycholas Szucko: Way better.
0:31:08 Emily Wearmouth: Nycholas, this has been a hugely interesting conversation and I really appreciate it. I've basically thrown data points at you and you've made sense of things and you've given us some really constructive and very practical approaches that our listeners can take, using the motivation of perhaps some bad behavior that the data point is showing us, and then how they can improve and make things better within their own organization. So I really appreciate all of the insight and knowledge that you've brought to us today.
0:31:35 Nycholas Szucko: No, it's a pleasure for me to be here. I hope that the audience can understand my English. Maybe you can put some subtitles here to make sure that everybody understands, but it was amazing to have this.
0:31:46 Emily Wearmouth: Brilliant.
0:31:47 Nycholas Szucko: Thanks. And I'm here basically in Brazil. All my experience came from Latin America, running the business here. We need to remember that we are an emerging region. Maybe, just as a disclaimer, the things that I'm sharing here, for a more mature region, it's not going to resonate. But we always can take some good insights from this amazing conversation. And thanks for the opportunity, Emily.
0:32:12 Emily Wearmouth: I think a lot of what you've said actually will resonate and be very useful to companies around the world. You have been listening to the Security Visionaries podcast and I've been your host, Emily Wearmouth. Do check out our back catalog on Spotify, Apple Podcasts or YouTube for other brilliant episodes with excellent experts giving other very useful information. They're all hosted either by me or by my co-hosts, Max Havey and Bailey Popp. And I'll catch you next time.