Clarify Health CISO Fred Bret-Mounet has given much thought to the tension between securing a business and growing it. Speaking to Pulse Q&A, Bret-Mounet elaborated on how he came to embrace the business side of the job and what it is that gets him up every morning.
Pulse Q&A: Welcome to another AMA. Today we have Fred Bret-Mounet, CISO of Clarify Health. Looking forward to talking to you.
Bret-Mounet: Thank you.
Pulse Q&A: I know you’ve been in this role for barely a fortnight. How did you approach the first days in the new role?
Bret-Mounet: That’s an excellent question. I’ve been CISO for quite a while now but a new environment always throws in a wrench. I actually like that because, little by little, the daily activities can get a little bit dull. So introducing a new context really gets me excited.
The first 30 days are about getting to understand not only the lay of the land but, more importantly, stepping back to reflect on what is already there as well. It is easy to make the assumption that you’re coming into a green field and everything that has been there is not up to par. The reality is far from that.
I used to work at a company that pretty much invented the security consulting field. I was a security consultant where I would jump in, drop into a client site, break into stuff, produce a report that was technically very accurate and had content that I was proud of. But once I became a CISO, I realized how full of it I was.
I had no idea what I was aiming for. Building security for security’s sake will result in Fort Knox but will put the business out of business. My role, I’ve come to realize early in my career, is really not to build the most secure environments, processes or people. My role is really to educate the organization and have us take risks that include the information security dimension.
When you make a decision at any level in an organization, you usually understand things like the financial risk. Am I allowed to purchase this service? Is it within my purchasing rights? Basic things like that but the security consequences of that decision are usually not very well understood. That’s where I need to understand the business and understand the business drivers to make sure that my security input can be tailored to those drivers.
Pulse Q&A: Were you initially reluctant about embracing the business side?
Bret-Mounet: As a geek, it was initially very hard for me to let go. The reality is, even as individuals, we take risks every day. When you cross the street, you take some amount of risk by jaywalking, for example. But it’s a calculated risk.
So I had to really shift my mindset from the absolute black-and-white. I’ve had to switch my strategy. And I think my background of consulting really helped me understand how to tease out the business drivers and understand how I should not go for the black-and-white perspective because that would be the death of the business that I would be advising.
Pulse Q&A: It sounds like there’s this underlying tension there between securing the business and growing it.
Bret-Mounet: I have a pet peeve on that tension. I do embrace that tension and I agree with you that it is really an important one. Over my career I’ve seen quite a few security practitioners, typically around a beer, move together, birds of a feather, talking about how disgusted they are that so-and-so or whatever part of the business doesn’t get it.
Essentially they had an idea that they thought was really important and it was shut down for financial or prioritization reasons, etc. I see those security practitioners literally retreat and point a finger at the rest of the organization.
Every single time I have a knee-jerk reaction, I’m pointing the finger back at them. You know what? At the end of the day you tried to sell a vision to someone and your sale was unsuccessful. Whose fault is it? It is yours, because you have failed to understand the audience and you have failed to understand their constraints or educate them as to the consequences of their decisions. Unfortunately, a lot of the security industry still behaves that way: as them vs. us.
At the end of the 30 days my role is really going to be in big part the role of an evangelist. Yes, I represent the security posture of the organization. Yes, I am the guy we fire if things go wrong, and that’s fine. But the responsibility for our security posture is not mine. My biggest tool is helping educate the organization.
Pulse Q&A: The role of evangelist: is that exacerbated in a startup, or is it the same in more established companies?
Bret-Mounet: That’s a very good question. So having been part of smaller organizations such as startups in my last two environments, and having been part of very well established larger organizations, I will say that the job is easier in the startup world.
For the most part it is due to the fact that there is a typical type of employee in a startup who is much more interested in the unknown and in discovering, and has a getting-it-done attitude. Whereas in established organizations, there’s a lot more structure, organizational barriers and rigidity in the definition of a role. I can guarantee you every employee here at Clarify will drop anything they’re doing to help out if there is a need, regardless of their skills. And so that attitude really helps me even though they’re swamped.
Pulse Q&A: You’ve spoken a lot in the past on IoT. Do you think there is still a lack of awareness about this dimension and that this is an opportunity for this market to soar?
Bret-Mounet: The optimist in me says it’s an opportunity. The pessimist in me says it’s a hopeless opportunity because the general public is so far behind that they don’t necessarily understand what they need to care about.
Take for example GDPR and California. The internet has been around for 40 years and, in the US, we still don’t have that critical mass to see things like the GDPR says. Your data belongs to you. Data about you belongs to you. You have the right to be forgotten. Good luck trying that in the US today. So going back to your original question, is it an opportunity? Yes. But the learning curve is really steep because the general public has very little understanding of why they should care.
Pulse Q&A: Fred, I hate to leave you on a pessimistic tone. Would you like to have the last word to build us up again?
Bret-Mounet: There’s one thing that gets me to work in the morning. I’m like a lot of humans. I tend to be bored when I get to do the same thing over and over again. That’s why I don’t trust humans. That’s why I would rather automate something, even if it’s of lesser quality than a human could be. I know it’s 100% more repeatable. It’s a platform that I can improve over time.
One thing that gets me up in the morning is that tomorrow’s problem is not going to be the same as today’s. Every few years, throughout my 20 years in information security, I’ve had to literally reinvent myself. Not long ago, SMS multifactor authentication was a pretty much acceptable standard. Today, it’s not. So that gets me excited, because all the time I have to learn new stuff. I have to adapt to new paradigms and reinvent myself.
Pulse Q&A: That’s a great note to end on. Thank you very much for your time today. Really appreciate it.
Bret-Mounet: Thank you, sir. It was a pleasure.