Caroline: From Cobalt at Home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. My guest today is my good friend and colleague, Nicole Dove, who is an innovative information security leader, with more than 15 years of experience driving results across cybersecurity, audit, global operations, and relationship management functions. Exceptional at building trust-based relationships to influence decision-makers and business partners, to effectively reduce risk, and improve security program maturity. I am looking at Nicole's LinkedIn. And I just wanna call out a few highlights. Harvard University Certificate, Citi, Goldman Sachs, PwC, all sorts of ADP, IANS Faculty, Business Information Security Officer at WarnerMedia. Nicole, you come to us with quite a career, and quite a lot of experience, and we are so happy to have you. Thank you for taking the time to speak with me today.
Nicole: Caroline, I am so, so happy to be here with you on this amazing platform that just highlights the best in all of us. So, thank you for having me.
Caroline: So, where to begin? Nicole, tell us what is the most fun part about your current role.
Nicole: The most fun part about my current role is actually watching CNN, watching March Madness live, watching Bleacher Report, watching all these fun things, and knowing that I am a part of the great teams that make that stuff happen. It's just, like, the perfect reward for all the hard work that we do.
Caroline: That's fantastic. I mean, that's gotta feel amazing. You know, earlier in my career, I sort of would, like, pick a job for whatever reason, but it's become for me later in my career when impact has been a super important job-choosing criteria. So, yeah, I just...I love that. Thank you so much. And then, tell us about your IANS Faculty role. What sorts of things are you teaching these days, or planning to teach in the future?
Nicole: So, I'm excited about the IANS Faculty role. I've been on the faculty less than a year. I think maybe just September is when I got started. And I've really started taking Ask an Expert calls. So, I talk to organizations, governments, companies of all different shapes and sizes. And, you know, what's interesting, I wasn't sure what necessarily types of calls that I would get. But I get a wide variety that really touch on one of my favorite things, which is people and the human element of cybersecurity, which is why this show is just fantastic, and I'm so honored to be here. You know, I talk to a lot of folks around, you know, we pressure-test a lot of the decisions that they make. A lot of leaders are looking to measure their success. We have a lot of junior practitioners who wanna understand what leaders are thinking about and how to shape strategies and, you know, are they working on the right things? What are they missing? It's a really, really exciting space to be in, and I'm firming up to build some actual symposiums and online trainings, one, around strategic roadmapping, which I just think is super exciting. But also the BISO role, and how to develop and position and leverage that role to drive success in security organizations.
Caroline: Well, now, I have, like, 1 million more questions I really wanna ask you. I wanna talk about this BISO thing. You know, for folks who may not be familiar with a BISO role, what do you think folks should be thinking about? And what should folks know about this role?
Nicole: Yeah. So, I love this role. It's super exciting. It's emerging in our industry. We're starting to see it happen a lot more and a lot more. I think, you know, potentially, there may or may not have been somebody doing the function, or, you know, addressing the purpose of what the role is. But we're seeing it's becoming a lot more formal, and it's starting to get, honestly, the respect that it deserves. I think what's happening, Caroline, is that we're seeing that technology and business are becoming more and more integrated, right? And so, risk and security now become more and more integrated, and really, a conversation that's beginning to happen the higher and higher you go, right? Boards are starting to ask now about cybersecurity. I've got a bunch of friends who, you know, have startups, right? Tech startups. They're shopping for investment. And the investors are asking about their security strategy.
And I don't know that we've really had somebody that sits in between the business and cybersecurity, and says, "Hey, what's everybody doing? And let's make sure that these things are on the same page." A lot of times, us cybersecurity people are looked at as the police, right? They, you know, "Oh, here come you guys." They think we're an extension of the auditors. But this role really helps shift security for the business to be less compliance and more strategic, more relevant, more thoughtful. And it's because we advocate for the business to our cybersecurity leaders, and then we advocate for security back to the business. So it's really like this cool relationship management, strategic, thought leadership, integration, translation. Some days I am a freakin' therapist. Other days a babysitter, some days a glorified project manager. Some days I act like a CISO. But it's just this really dynamic role that, you know, addresses a need that we all have, and it's to keep current, and keep security at the front of our minds, and be thoughtful about it as we conduct business. I'm really, really enjoying this role.
Caroline: That is amazing. I really love this idea. It kind of sounds to me like the way that you are playing this role, it's almost designed to give you a seat at the table. To me, it sounds like you are engaging with the business and with technology at the beginning. And in fact, another thing that you shared with us that you talk with folks about as IANS Faculty on these calls with folks, is strategic roadmapping, you know. And I think for some folks who may be listening, who might have security roles that they feel are a little bit more on the reactive side, how exciting to think we could have a seat at the table. We could be having conversations and relationships with the decision-makers at an organization who are deciding what the future of the organization is gonna be, and we can actually get in those conversations so that we can provide advice about risk management.
Nicole: Oh, yeah. You know, it's interesting, and I appreciate that you say that. One of the challenges of this role, and this is actually something I'm really excited, I'm gonna be presenting at RSA in February about it. One of the things that I realized coming into this role is, you know, it's not...you typically don't get a welcome party, right? Nobody's like, "Hey, here's my table. Come sit at it." A lot of times, one of the foundational things that BISOs will do, and many BISOs may identify with this as a challenge, we've gotta find our way in that room. We've gotta find our way. When we get in that room, we've gotta carry our weight, right? And we've gotta deliver, so that we can stay in that room. Because a lot of times, you know, they don't see security as a partner. And it's our job to turn the tide, but when we get that seat at the table, the possibilities are truly, truly endless.
Caroline: So, I will ask you to give advice to our listeners. If someone finds themselves at that table, however they got there, what advice do you have for them, either to prepare for that conversation, or, while they're there, what should they be doing? What should they be saying? What should they be... How should they be behaving?
Nicole: You know, coming from some of the cultures that I've worked in, you know, it was very much...and maybe this is because I came from a consulting background, right? Big four. Come in, hit the ground running, we gotta get quick wins. And I understand that perspective, because we were on the time clock. You know, we had a finite engagement with a client, and we wanted to deliver value, because our hourly rates were out the wazoo, right? But now, when you are a part of an organization, it's not just come in, grab the low-hanging fruit, deliver, and show your results. First, it's understand the business. Get to know who the key players are. Just listen to people. One of the things, and I stole this from a dear friend, he says, "I just went on a listening tour." And I love that advice, that perspective, that strategy. Let me just come in, understand who people are, how they work, what they're focused on, what their challenges are, right? What type of people are successful at this organization? How do they like working with the security teams? Figure those things out. Try to solve for those things. And then I think, you know, you'd really be in a great space to drive some shifts and some changes, because people will then invite you in, because you understand them, as opposed to coming in and trying to shove security, shove policy, and shove best practices down their throat.
Caroline: That is such a valuable insight. A listening tour. I have never heard security work described that way. And I absolutely love it. You know, Nicole, when I look at your education, I kind of chuckled to myself, because you and I, we actually have these complementary reverse versions. What I mean by that is, you have a BA in finance and accounting, and you have an executive certificate in cybersecurity and managing risk from Harvard. I have a BS in computer science. And I have an executive certificate from Stanford in finance and accounting. I went to school for engineering, and I was like, "Oh, I gotta figure out this finance and accounting stuff." And you went to school for finance and accounting.
And so, I wonder, if you can tell us... first of all, I think there are so many security people who are always trying to figure out "how do I talk to these business people?" And there's an assumption that the language is dollars. And I think that's an oversimplification. I think there is actually so much to be said for listening. And I also think that the finance and accounting people are always gonna be so much better at the money stuff, for the most part, than the cybersecurity folks. So don't even try to play that game, because you go in there... I mean, I remember trying to use the FAIR model, for example, which I think is a fantastic model. But in practice, when I tried to use it, what happened was, I got in there, and we're trying to make these recommendations about managing risk. And the conversation doesn't even get to the part where they're giving us money or resources. It just has to do with them attacking our model and telling us that they don't think our assumptions are valid. So when we tried it at a place that I used to work for, it just wasn't successful. And I would love to understand, Nicole, as a young person, why did you decide to study finance and accounting?
Nicole: You're gonna love this. So, I was always good at math, right? My mom was a banker. She's retired now. My dad is a musician. So there's always been this math thing happening for me. And I essentially chose my major because I wanted to wear suits and tell people what to do. That's why I chose accounting.
Caroline: Yes, yes, yes. Yes, yes, a million times, yes. I love that so much. And that is, I just have to say, I have a closet full of super nice business wear, and I just wear sweat suit jumpsuits all the time, which is really nice. But you and I will both, I believe, be at RSA 2022 in person. We will be dressed up, we will look amazing, we will give our talks. I am so looking forward...actually, I don't think you and I have ever met in person. I feel...
Nicole: We've not. It feels like we have.
Caroline: I feel like we have, but actually we haven't. So, I actually don't...I even don't...I don't even know how tall you are. You could be...for all I know, you could be like 4 feet tall, or you could be 7 feet tall, and I actually don't know, because I've only seen you on Zoom. On...
Nicole: Virtually. Yeah. Yeah.
Caroline: That's really funny. That's hilarious.
Nicole: It's really funny. It's the, you know what? That's the thought process. I was 16 years old when I graduated high school. How do we expect these... And I was a kid. How do you expect kids to... I mean, there's some kids who are like, "I know what I wanna be when I grow up." You know, there was a young lady I went to college with. She's fantastic. She knew she wanted to be a lawyer. And she's an attorney. Me, I wasn't that kid, right? I bounced all over the place. So, it's been a journey. But yeah, I just wanted to wear suits. But we'll get to wear our suits in February.
Caroline: We will get to wear our suits. And you certainly got to wear some suits. I mean, look at this: Citi, Goldman, PwC. Senior auditor. You know, there were some suit-wearing roles. And what was it like? Did you enjoy that?
Nicole: You know, it was interesting. Those were some very interesting experiences. I had always wanted to travel. This is, literally, my decision-making scope is so interesting now that I'm hearing myself say these things out loud. I always wanted to travel. I wanted to study abroad. One of my best friends, Nicole Phillips, she studied abroad in college. She told me about the program. My parents just, they, like, "No, you're far too young. We're not gonna let you go." Right? Young black kid, traveling abroad is not like it is today. So, when I finally was able to work, I wanted a job that would allow me to travel. And that's what being an auditor at a Big Four firm was. So, for me, I was sold. My first business trip was to the Bahamas, and I was like, "Oh, I can do this forever."
Caroline: Oh my gosh. Very nice, right?
Nicole: It was fantastic. But I, what I didn't expect to like about those roles so much is that it allowed me to feed my curiosity. I am very much...I like to understand the nuts and bolts and things. I like to pressure-test things. I think I've said that already. I want to understand the why behind the why. I just love figuring things out, and I love making things better. And so, being able to do consulting and internal audit, especially, at a Big Four firm, where there's just such great talent, and such great organizations that procure that talent in those contracts, it was fantastic. It was amazing. I learned so much about executive communications, and executive presence, negotiation, influence, and quality of documentation. I think Big Four was one of the best training grounds ever that I could ever have in my career.
Caroline: Oh, that's awesome. That is awesome. Now, what is the difference between what you do today as a BISO and what you did at that stage in your career as an auditor? Do you feel like there are things that are the same? And what's different?
Nicole: So, I think the thing that's the same is risk. It's all based on risk. What I didn't like about being an auditor is the format of engagement. Whether it's internal or external audit. It's, "Hey, I know you guys are running a business. But here I come. I'm gonna disrupt everything. I've got a long list of things that I need you to give me. I'm gonna examine everything that you put in my lap, and I want you to prove that everything is true. And anything that I find to be untrue or erroneous, I'm gonna write a report, I'm gonna tell your boss, and I'm gonna tell his boss, and her boss, all the way up to the board, about all the bad things that you've done. And I'm gonna leave," right? There's just something that is so disruptive, and almost like a snitch, like a tattletale.
Caroline: Yeah, like a professional tattletale. Like, it's the job to be the tattletale. The way you describe it, you've got such compassion for the organizations and the functions for which you are auditing, you recognize how, to some extent, you're kind of like catching these folks off-guard. They've got other stuff to do.
Nicole: Yeah. Right. And they really do. They're running a business. Now, that doesn't negate the value, right? One of my most proud moments in an audit, I found over $1 million that nobody even knew was missing. Right? Crazy.
Caroline: Amazing.
Nicole: So, I love delivering that value to the business, but I didn't wanna do it in such a disruptive, tattletale way. What I do now as a BISO is... I'm not a contractor. I am injecting myself into your business, into your teams. When I talk to my business partners, I don't say, "you guys," or "these teams." I say "We," and I mean that. And I think they understand, and they see, through my actions, that I do consider myself part of their teams. I sit in their town halls. The presidents of the companies, I sit in their SLT meetings. I am invested in the success of your company, and not...your organization, not just from a risk management perspective, but from an everything perspective. And when I engage with my team, again, I'm advocating for that business. And if something goes wrong, I too am gonna be held accountable. And that's what I think is the biggest difference between being an auditor and a BISO, is it's that level of engagement. You know, you find things, and you do work with the risk team. And you're identifying findings and issues, but you're there in the trenches, many times, even leading the resolution of the opportunities and challenges that you find.
Caroline: Very, very nice. It sounds like you get so much satisfaction out of your work, and that you are just continuing to evolve on your path. And also, you're doing so much to give back to the community, both in terms of your faculty role, as well as, as a LinkedIn learning instructor. Nicole, tell us a little bit about your upcoming course that you're developing.
Nicole: So, I'm really, really excited to be in the ranks of illustrious LinkedIn Learning instructors like yourself, somebody who I admire so much. I'm really excited about this course. I feel like it's timely, and it's necessary, and the title of the course is called "Preventing Supply Chain Attacks." You know, when you start getting into a lot of attacks that are happening, they're not significantly sophisticated. So, it's really about how do we understand our bad actors? Their motivations? How do we understand their strategies? How do we leverage threat intelligence? How do we enhance and make a robust third-party lifecycle program that can position us to either prevent these attacks or respond immediately and in the best way, so that there's not a significant downstream impact to our customers, our business, or our data?
Caroline: Wow. I am very much looking forward to taking the course. I expect that there will be a lot of people who are going to be very interested in that content. I mean, I think that it is, in many ways, a top problem across industries. I think I read in the news the other day that there's, like, a cream cheese shortage, right? And I...
Nicole: Oh, my God.
Caroline: You know, there's supply chain of all these different domains, right? We work in software, and in digital media. But there are these very physical, analog comparisons, that are, perhaps it's really the same thing.
Nicole: Yeah. Yeah. For sure. We're seeing it all over the place. I was talking to a friend yesterday. There's a chicken wing shortage, right? It's supply chain issues.
Caroline: Oh, my gosh. What? What? All these things that I just, I thought I could take for granted. You know, I thought I could just take for granted that I could get my cream cheese, that I could get my chicken wings, and my...
Nicole: And here we are.
Caroline: Wonderful. There's so many different wrap-up questions that I could ask you. At the time of our recording, it is...today it is December 13th, 2021. You know, the year is kind of drawing to a close. Before we began recording today, you and I were just chatting about how it feels kind of like the sprint to the finish line before the holidays. How would you describe your thoughts about your job in 2021...your job or the industry? You know, pick your scope for this question. How do you feel about 2021? And what are you looking forward to in 2022?
Nicole: So, when I think about 2021, I'm seeing a significant shift, in some arenas when it comes to our industry, that really, really excite me. I love that boards are asking about cybersecurity. I love that. I love that there is a talent shortage in cybersecurity, because I think it's going to force the industry to hire more non-traditional folks like myself. And I think it will show them why they need folks with different skill sets to address the challenges of our industry. I think we're in quite a peculiar place. And I can't wait to see what happens as we get creative as an industry to resolve these challenges.
Caroline: Awesome. And 2022, what do you see in the future for our industry? What do you see happening right around the corner?
Nicole: You know, what I hope to see is cybersecurity being somewhat less of a domain expertise, and more injected and incorporated into everything we do as business professionals, even as consumers. It is so interwoven into the fabric of every single thing that we do, right? Without technology, you and I would not be right here today. Now that we're in this virtual environment, I mean, there's just so many things that just hang on the importance of being secure. And I would like to see cybersecurity be less of an afterthought and more of a strategic, foundational thought process for how we conduct ourselves in any and every aspect of our beings.
Caroline: Awesome. I love it. I have thought a lot this year about an analogy for cybersecurity. And there are many analogies that I think we have outgrown. There is a castle perimeter analogy. There is a vitamin analogy, a painkiller analogy, a band-aid analogy, an injection analogy. You know, all these analogies. And I actually think security is like a dance. Security is something that happens between people and because of people, and it has everything to do with the interaction and the context. So, I just...I love that. I love this idea that it could be embedded in what we do.
Nicole: Yeah, yeah. Your analogy is better than mine. I've been telling people cybersecurity is the baby of risk and technology.
Caroline: I'm gonna think about that one for a little while.
Nicole: Yeah, yeah.
Caroline: Okay. So, here's something that I really like about that, because I think that cybersecurity is an emergent property. And I think that's something that is captured in your analogy of a baby. These things have to come together to create the emergent technology. It does not exist without the things preceding it, without the things coming together and having context. So, I like that very much.
Nicole: Oh, yeah.
Caroline: I could not be happier to know you. I could not be happier to have spent a few minutes speaking with you today. I could not be happier to be seeing you. I really, really hope, in person, in February, and for now, thank you. Thank you so much for your generosity in sharing your time and your story with us today.
Nicole: Caroline, it was an honor. Thank you.
Caroline: If you enjoyed this episode, you'll love seeing Nicole and me in person. We'll be speaking at Cobalt's upcoming cybersecurity roadshow, visiting different locations across the US. I'd love to see you there! Check out how to join by following the link in the episode's description.
Caroline: "Humans of InfoSec" is brought to you by Cobalt, a Pentest as a Service Company. You can find us on Twitter @humansofinfosec.