Compliance Uncomplicated Episode 7: Building a Secure Future With Vercel’s CISO
In the seventh episode of Compliance Uncomplicated, Ty Sbano, Chief Information Security Officer (CISO) at Vercel and investor at Silicon Valley CISO Investment Group (SVCI), joins Drata’s Kevin Kriebel, VP of Business Development, and Elliot Volkman, Director of Creative Services, to discuss all things CISO.
During the episode, Ty explains the importance of a practitioner mindset in security, and how it allows a CISO to understand the company's product and the best way to protect customers. He also provides advice on how to make the case for hiring a CISO and what to look for when hiring one for the first time.
Additionally, Ty talks about the risks of not involving your CISO at the board level, and how it could result in cyber insurance premiums going up, paying for cleanup, and psychological trauma after a significant incident.
As a CISO with 20 years of experience in the industry, Ty has a wealth of knowledge and offers valuable insights for anyone looking to improve their company's security posture. The episode is worth a listen if you’re interested in learning more about setting your business up for long-term security success and CISO best practices.
About Vercel
Vercel is a platform for frontend developers and designers that helps them build and deploy their projects easily, freeing them from unnecessary, time-consuming processes.
As a CISO, Ty is excited about Vercel's mission to eliminate the supply chain when it comes to deploying software. He believes that software should be created by engineers and delivered by engineers to achieve a more efficient and secure system.
“What Vercel is doing is exciting to me as a CISO, we're gonna be eliminating a lot of the supply chain when it comes to deployment of software. I'm excited for how software is going to be created by engineers and delivered by engineers. Not a broken, archaic process that I've been doing my whole career.”
Ty is proud of what Vercel is doing, and he believes that a CISO—like other leaders—should be fully committed to their company’s mission. “This is what we should do as CISOs. If I'm not bought into this mission, I need to go get another job.”
The Importance of a Practitioner Mindset
For Ty, having a practitioner mindset is critical for a CISO to be able to understand the company's product and the best way to protect customers.
By embedding themselves in the company, CISOs can gain a better understanding of the product, the sales process, and the customer experience. Ty believes that the practitioner mindset is key to ensuring that the right security collateral is available for sales and partners, and that a web interface is in place for self-service.
“For me, the practitioner mindset allows you to really embed yourself and then understand what we sell, why we sell it this way, and how we make sure we protect the customers that buy from us.”
“I want to make sure it's very easy for sales, partners, whoever else I'm working with, that they have the right trust kit, security collateral, or web interface to self-service for someone else to say ‘yes, for us, Vercel is the right choice.’”
Startup CISOs Should Be “Operator CISOs”
In startups, it's especially important for CISOs to be “operator CISOs” and get into the nitty-gritty with their team—even more so in their first year.
As an operator CISO himself, Ty shares his approach to his responsibilities. “I build, I run the engine as needed. I want to make sure when my people take time off, I still know how to run those engines.”
Ty advises new CISOs to understand the realities of incident response, get on the calls to understand the DNA, and provide real-time feedback to create a collaborative experience.
CISOs and the Board
Ty also stresses the importance of involving CISOs at the board level, highlighting the risks of having a talking head CISO in case of a security incident. He believes that board involvement is necessary for a CISO to fully understand a company's threat profile and to protect against the things that make the company nervous.
Give Your CISO a Seat at the Table
The risks of not involving the CISO or having a talking head CISO can be severe. Too often, companies rely on their cyber insurance as a fallback, rather than being proactive and vigilant. This usually ends up being a critical pitfall.
“Not only are you tapping into cyber insurance, your premiums are gonna go [way up] the next year, but also just paying for protection, paying for the cleanup, paying for the psychological trauma that people have just gone through with a major incident,” Ty points out. “You're going to lose humans in the process, and it's going to be painful.”
Earning Trust With the Board
To win trust with a board, you also have to balance the CISO's role as the bearer of bad news with their having a seat at the table.
“Who is your board? Where is their background? What are they likely to care about? And how do you give them enough information to either: follow up with questions to have a detailed discussion, or give them enough to keep doing what you're doing and be trusted and have the confidence that you get to keep going for a couple more years?"
Ty anticipates a trend toward more CISOs being involved at the board level, especially at publicly traded companies.
“It’s going to be required in the near future… you need that representation at minimum on an annual basis.”
Thinking About Hiring Your First CISO?
During the episode, Ty also offers advice for startups looking to hire their first CISO. Here are some criteria Ty says organizations should consider before they bring a CISO onboard.
Determine if You’re Ready for a CISO
According to Ty, step one is simply asking yourself: Are we even ready to have a CISO?
“I would really understand: Do you need your CISO yet? That's number one. That's table stakes for me. It might just be a Head of Security [that you need].”
Ty explains that a CISO is a larger umbrella role, encompassing multiple areas of security, compliance, and more. If you’re looking for someone to run the engine on a day-to-day basis with a really well-defined role, it's probably not a CISO.
“I think CISOs are meant to really build and then take it to the next level.”
Know What You’re Looking For
If you’re ready for a CISO, Ty advises that you make sure you’re grounded in what you’re looking for. Tap your board members and socialize your search outside your leadership team to make sure you’re looking at and respecting industry baselines.
4 Key Skills Your CISO Should Have
Ty also provides some tips on what to look for when hiring a CISO for the first time:
Industry Hands-On Experience
Look for someone who has experience in your industry and has dealt with a variety of security incidents before. Ty shares that industry experience equips a CISO with the skills to navigate your company's particular security needs and to anticipate the risks and problems that could arise in the future.
“We probably need someone with a little bit more experience, wisdom, or exposure to what we do in our industry to understand: What is our threat profile? How are we going to protect against the things that make us get nervous? Every day.”
Effective Communication Skills
Communication is critical for a CISO. They should be able to explain complex security and compliance concepts to non-technical people in a way that they can understand.
“I think as we're growing up, more and more teams are starting to understand: Incidents are going to occur. Code is going to leak. Credentials are going to slip. People are going to steal stuff. Things are going to break… The more you actually communicate [and plan for] that in a thoughtful way, I think you will have a lot more trust.”
Business Acumen
A CISO needs to understand the business, its goals, and its objectives. By truly understanding the business, vision, roadmap, and product offerings, they will be better able to make security recommendations that align with the company's overall strategy.
Player-Coach Leadership
A CISO needs to be a leader, but they also need to know the inner workings of the work their team does and the company’s security programs. Operator CISOs are able to build and manage a team effectively, jump in as needed, and communicate their vision to others.
Listen to the Episode
You can find the entire episode of Compliance Uncomplicated on Apple Podcasts, Spotify, YouTube, and Amazon Music.
Visit Vercel to learn more about their platform and how you can power your developers and designers with their products.
Want to join the conversation? You can discuss this episode on Drata’s community, Secured, or subscribe to our newsletter, Trusted, to keep up with the latest news.