Security Leaders Must Be Sales Leaders

Patrick Benoit

VP, Global Head of GRC / BISO at CBRE

Learning Objectives

Please join Patrick Benoit, VP, Global Head of Cyber GRC / BISO, in this executive interview, where he will discuss the role of the Business Information Security Officer (BISO).




Transcript

Hello, everyone, and welcome to the CIO Vision Cybersecurity Virtual Summit, hosted on Quartz Network. My name is Britt Erler, QN executive correspondent. Thank you so much for joining us. We have a fantastic executive speaker here with us today, Patrick Benoit, Global Head of GRC and BISO at CBRE. Welcome, Patrick. Thank you. I’m honored to be here. It’s a pleasure to have you here and really excited to gain your insights today for our cybersecurity audience. And let’s go ahead and kick it right off to give them some context: how did your career lead you to your current role with CBRE?


Oh, it’s kind of a long and winding road and somewhat less distinguished than other than people may think. But uh, you know, I started in the military, and that’s where I kind of cut my teeth in technology. Long time ago, a long, long time ago, I won’t even go into that. But that led me to when I left the military working in defense contract, programming radar systems and doing software development and things like that, which eventually led me to entrepreneurship. And I had a consulting company for about 15 years, and then went back into enterprise and, you know, jumped from software to infrastructure delivery, service management, project management, and eventually was a customer delivery executive for Dell services. And then got into building this concept of executive business partner, Nike business partner, or what some people might see as a business technology officer, and a business information security officer. So we built that out at Experian with two other gentlemen. And then they hired me here at CBRE to come over and build that business information security officer program here at CBRE, which is totally focused on client security. So you know, I’m a sales guy, from a security point of view, which is a unicorn kind of thing.


Fantastic, very expansive background. And really, you have a lot of areas of expertise that are going to be really beneficial for our topics today. But I want to start by talking about the traditional role of a business information security officer, what is it typically?


So it’s most often in the past been heard in the halls of financial institutions. And typically, it’s kind of a turnstile type role where it sits between the chief information security office and the executives in the business line. And basically, you know, take the strategies, and the tactics from the security office, turn to the business line and say, This is what we’re doing. From a security point of view, how’s it going to impact you? What do you need strategically to grow your business that we can help with from a security point of view, and then turn around and tell us chief security chief embrace security officer, those things involves a lot of just the logistics of, you know, answering the clients’ security questionnaires, or when they’re doing their third party assurance, to make sure that we do things the way we’re supposed to, for them, that we protect their data. And so it’s a very administrative, I consider kind of really swimlanes kind of role.


Okay. So nationally.


Sure. And based on that, and what you’ve seen in experience, do you believe that’s an accurate description of the role? Or do you believe there should be some differences moving forward?


Yeah, I absolutely believe it should be different and, obviously, there’s nuances that would be dependent on the company size and the company, you know, what the company is doing, but I believe that because, you know, the word customer or client is involved, instead of being a pure logistics role, it needs to be kind of two expansion roles. One is as a sales, a member of the sales pursuit and account management team that is responsible for security, and is the, you know, senior most security client facing security executive. So it’s that reassurance role, just like a salesperson is going to bring engineers in to reassure with respect to services or solutions. They should be bringing their BISO in to reassure the client and the customer with respect to security. The flip side of that is on the product side. If you happen to be delivering any kind of technology service or product, then you want to use the BISO to help instill maturity infosec maturity, make sure that controls are in place in the services and products. So that, frankly, it makes his life a lot easier when he’s got to stand in front of the customer and tell them what he’s doing. So it’s kind of the easy button side of it for the sales.


Sure. And so it sounds like a lot of these administrative tasks really need to be expanded. And they need to make sure that this role is helping the business as a whole, and not just kind of a middleman in that sort of sense. So based on what you’ve seen, what are some of the key areas for process and improvement that can really make this role successful for the business?


Yeah, so if you can get the standardizing your response to the clients is key, because if every time a client, that different client asks you a question about some security control, or your policies or your standards or something, and you come up with a little bit different answer, eventually, you’re going to get so many different answers out there that somebody’s going to say, Wait, what’s going on, you know, and it takes a lot of effort to recreate that response every time. So from a pure administrative and logistics point of view, the benefit, the place to optimize is in standardizing your responses to security questions, whether they’re part of RFPs, or whether they’re part of annual security or audit assessments, or anything else like that, just in general. So that’s a big deal right there, logistically. There are plenty of software out there that will help you automate answering questionnaires once you have those standard responses. And, you know, questionnaires can run anywhere from, you know, a few questions up to 1500 questions at a time from a client. So automation is a big key there to make that efficient.


Absolutely. And I want to talk about what some of the other benefits are for the company as a whole, you know, you’ve mentioned how this role can truly contribute to the organization. But what are some of the other benefits that people may not realize?


Well, it’s a huge role in terms of advocacy, advocacy for the security practice as a whole. You know, we all engage in security awareness programs with our cybersecurity efforts, but they tend to be a little bit, here’s the program, here’s the session, here’s the article, here’s the blog, and then we move on. And there’s no real, in my mind, socialized advocacy that goes on the same way. So the BISO has, there’s a great opportunity to use the BISO, who, by nature should be a salesperson, should be very forward and very comfortable in front of people, as an advocate to socialize the, you know, the security message of the company, the culture of the company. And there’s really only two things that a BISO, and frankly, I believe, to some degree, a technology executive as a whole, should be really super focused on at a high level. And that is finding a way to enhance or drive revenue for the company, and finding a way to reduce risk for the company. Right? If you’re not attributing to, to, you know what, and one or either of those, or both of those kind of strategic goals, then your contribution may not be sufficient to keep you there.


I completely agree. And I think we’ve seen a huge push for that, especially over the last year in everything we’ve experienced, and just the changes every day within the cybersecurity industry. And with that, as a whole, for the security leader in general, and for every market across the board. How do you see it evolving?


As far as the CISO role and how that evolves, I think we’re going through a similar phase, much like the CIOs have gone through over time. If you go back into the dark ages, you know, an IT director was kind of the top of the heap within the company in terms of just make everything run. And eventually it evolved into a much more, you know, eventually tactical and strategic position. And then we came about with the CIO. And even in the early days, the CIO was not necessarily a true C level position, until it established itself as a business leader, and a strategic value to the business as a whole. Again, revenue and risk. I think CISO’s going through that same kind of evolution. I think that’s partly why in most cases, you’re going to see the CISO is reporting to the CIO, or a CTO or somebody some other senior technology leader. So currently, although we’d love to believe otherwise, it’s not what I would call a true C level position. It’s not operating at, you know, a level to leadership or reporting to the CEO or anything like that. I think we have the opportunity to get there, and the way we get there is that we have to really sell the value of being the business, not just we’re supporting the business and not just we’re partnering with the business. Without technology, and without secure technology, the business doesn’t operate. There are very few businesses now today that could operate with no technology and no security. Certainly not a large one. And so we have to stop being support and stop being partners and really frame ourselves as the business and as executives that contribute to revenue and risk reduction.


Definitely, and I think we’ve seen alone the need and the demand for cybersecurity professionals. But as you said, that’s not enough. You know, it needs to be the right people to really show that as this role in general, it really makes the business as a whole successful, not only from a financial standpoint, but protecting them from all of the shifts that we’re seeing right now. Right. And with that being said, with this demand, do you feel that there are enough qualified cybersecurity professionals out there?


So I’ll go bad and say, it depends on what we’re going to say qualified is. I think that that was part of our evolution is, for years, you know, we just had maybe somebody executing firewall rules, or implementing firewall rules, or managing the network and so forth. And at some point, you know, PCI came along, and they went, Oh, you’ve got to have a named chief information security officer. So then people were smaller companies, especially were turning to, oh, you do the firewall rules, you’re our CISO now. And, you know, smart, ambitious folks that they were, they parlayed that into the next bigger company, the next bigger company, the next bigger company, and sometimes they maybe didn’t get the kind of experience that was necessary for them to operate at that senior level. And not always, that’s the generalization only. And so I think that’s an evolution that’s going on too, we’re seeing more education that’s available, and not certifications that there are, they are out there. But certifications don’t necessarily mean education, and don’t mean, you know, capability. But, you know, we are getting some things like that, we’re starting to see more and more community and peer efforts and events that are helping to, you know, grow people to the point where they can be these executive business leaders, and not just the, you know, IT security manager that has the title CISO, but that’s an evolution. And I think as a result, you have the quality concern, and then you have the demand or the supply concern, and I think that our demand does outpace our supply right now, because that CISO role is getting pushed further and further down into smaller and smaller companies, because of regulations, you know, GDPR, CCPA, all the privacy things that are going on. And so, yeah, I think there’s some shortage. It’s how we deal with it, though,


right? And in with the cybersecurity professionals that are just coming into the marketplace, how do we ensure that they’re getting educated and trained properly, you know, for their future to make sure they’re going into the right business to make sure that we have the right tools?


I think that’s twofold. I think we have a responsibility in the industry, in the career field, to, you know, mentor, to encourage mentoring, to help direct people to resources and resources that can help them to get that kind of education. And we also have on the flip side of responsibility to educate hiring executives, so that they understand that just because a person has, you know, two years of operating a network with firewalls does not mean that they are a CISO. And to help encourage an idea for a good progression path too. We had the similar problem, I think, with our challenge with the CIO roles in that we have a lot of technical paths to rise. And I don’t necessarily we believe we always do a good job of creating a business leadership path that goes hand in hand with that technology path or with the cyber path and I think so we have a responsibility to help grow that as part of the course. culture.


Now, does artificial intelligence and machine learning play a role into not only the education but also the shortage that we’re seeing in cybersecurity professionals?


Yeah, I think it does. And I mean, you have to be careful with the terms, the terms are marketing hyped, you know, from, you know, just out of the world out of this world. But yes, there’s opportunity, especially if you look at the simple things first, which would be look for ways to automate through ML or AI or just, you know, just RPA kind of scenarios, to automate as many tier zero tier one lower level repetitive factory type tasks as we can, because the more we can do that, that means the less that we have to use our other resources, and that’s going to help fill the gaps on so I think it absolutely can play. I think where we get in trouble is if we hear AI used, and all of a sudden we think is a panacea to all the problems, and that we no longer have to worry about the basics. And we forget about security 101. And so we’re running all these cool AI processes, but we have no idea what assets we actually have as an example. So that’s the flaw in that idea.


Right? Absolutely. And another question I have is in regards to privacy, which has become another major big game this year in the cyber market, you know, how does that relate to the security professionals role right now?


Yeah, there’s an old saying, What is it you can have security without privacy, but you can’t have privacy without security or something to that effect. So I think they go hand in hand, I think, over time, I suspect, we’ll see more and more convergence of security and privacy to make sure that they’re in step with each other. Currently, depending on the size of the company, and how the company is organized, there might be some separation of privacy teams and security teams. But I think more and more, you’re seeing that they’re having to work together so closely, that I believe one day, they may be just part of a larger team, maybe they’ll fall together under chief risk officer, maybe you know, I don’t know how that’s gonna work out. But we’ve got to continue to drive those two skills together.


It’s definitely an evolving role. And I think one that will continue to change as we see how you know, this year, affects the industry itself, and in how businesses are running and what they need to survive. Sure. And so with all of this being said, you know, we’ve talked about the security roles, how beneficial they are to an organization, how they need to evolve and change in order to be successful. So how do we raise awareness now for the security professionals and making it more effective? You know,


So raising awareness with anything comes back to this idea that we all have to be salespeople, and we all have to be marketing people. You know, we get up in the mornings, and we comb our hair a certain way, because we want to present a certain appearance, and we’re trying to, you know, build a story about who we are. And that’s what we have to do is we need to get more storytellers, which are the salespeople we need. We need cyber people that are willing to admit the fact that they’re salespeople, and that they can tell a story. And then we have to get people that can tell a good story. And we start building those stories and sharing those stories, it’s going to be a personal kind of thing it’s going to happen, because we’re going to do that by example. It’s not going to happen, because we put slides up and we say this is what needs to be done. It’s like many things, it’s going to become a part of the culture as we become better examples of what it should look like, instead of just being tech people that run security.


And based on what you’ve seen within the industry that changes the adaptations that are happening, what’s next, for cyber security? Where are we going from here?


You know, again, I think the step up is to become significantly more strategic in the technology realm, and not just be viewed as, hey, we have to do security, because otherwise we’re not compliant. You know, that’s been an evolving view over time. Unfortunately, what we’re seeing is a lot of large institutions are executing their third party assurance against companies from that checkbox point of view. And so it ends up filtering throughout the industry that we still have a little bit of a checkbox compliance process involved there. And so, you know, I think, you know, we have to keep driving towards making security just part of the culture as a whole. And it doesn’t stop at our business. And one thing that we learned this year, well, some of us already knew, but one thing that we really learned this year is it doesn’t stop at the building it the businesses, building doorways or walls. And so we’ve had to drive down into people’s homes, because they’re working from home. And there’s nothing wrong with us providing certain levels of security, awareness, not consulting or guidance or advice, but certain levels of security awareness, that would help them keep their family and their home and their other aspects of their life or their personal life, protected against these kinds of things. That’s going to build this culture, and what they do at home is what they bring to the business, usually not the other way around. So we want to focus on helping them be secure in their lives, which is going to translate into better security in the business.


Absolutely. It’s a brand new world. And it is so interesting to see how security has changed within just six to eight months with everyone working from home and how businesses are completely having to pivot and reinvent how they were doing it in the first place. Right. And my last question for you to wrap it up is for leaders that are seeing complete changes in their role in day to day duties, what are final pieces of advice that you have for them to make it through this time, and make sure that they are moving in the right direction.


So you know, we’ll get kind of Zen for a minute and just say live in the moment, and embrace the change, don’t fight chaos, because the best thing you can do is embrace it. And then you know, see what kind of order you can bring out of that chaos. And you know, there’s going to be things that you don’t like, and if you truly don’t like what’s happening to your role or to the way things are going, then fine, reinvent yourself and find something that is better suited, and do it by executing succession within your team so that you don’t leave your company high and dry. Right primary role of every leader coming into the job, one of the big duties is build a succession. And so you know, find out who that is, help build that person, help mentor that person. And if you decide you don’t like where it is because you can’t live in that moment, and you’re not willing to embrace that change, help the other person take it, you move on.


I completely agree. It’s the team around you. And you know, I use it as example my team itself, we all have to work together and collaborate to make this work as a whole. And if leaders are not doing that, they’re not relying on their team to work with them. At the end of the day, they’re not helping the business. So I couldn’t agree with more people is key. So thank you so much, Patrick. It’s been an absolute pleasure having you here today and you provided some incredible insights for the cybersecurity community. And thank you to everyone who has joined us as well. If you have any further questions for Patrick, there will be a discussion forum underneath this presentation. Thank you so much for joining us, be safe, be healthy and enjoy the rest of the summit. Right. Thank you.

