Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of “Software Security.” This podcast series is co-sponsored by Synopsys and IEEE Security and Privacy Magazine, where a portion of this interview will appear in print. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 142nd in a series of interviews with security gurus, and I’m super pleased to have today with me Craig Froelich. Hi, Craig.
Craig Froelich: Hey, Gary, how are you?
Gary: I’m good. Thanks for joining us.
Craig: Yeah, thanks for having me. I’m excited. I’m glad I was in the top 200.
Gary: Well, actually the top…yeah, you are in the top 200. Craig Froelich is the CISO of Bank of America. He leads the Global InfoSec Team responsible for security strategy, policy, and programs. Prior to moving to Bank of America through acquisition, Craig was responsible for Countrywide’s cyber security technology, networks, crisis management, and security operations. Craig’s background includes over a decade of experience in his early career spanning product management and application development for software and hardware companies.
Mr. Froelich serves on the board of FS-ISAC and the executive committee of BITS, among the other jillion things he does. He describes himself on Twitter as “a SoCal dude learning to be a southern gentleman.” Craig lives in North Carolina with his family. So thanks again for joining us.
Craig: Yeah, yeah, thanks, I really do appreciate it. I’m excited to be here.
Gary: Before we jump into a discussion of the CISO project, I wanted to ask you about career progression and mentorship and becoming a CISO. So did you set out with the goal of becoming a CISO, or how did your career progress?
Craig: No. In fact, I never considered myself to actually think of CISO as a destination or even a stop along my career. I think when I first started thinking about what it was like to work in a technology organization, I always thought about doing something that was really more about either application development or infrastructure. And inevitably, I realized when I was doing AppDev or infrastructure work, I was really bad at it. And what I always found was interesting was when I would sit down and I would chat with the information security team at any company I was ever working with at the time, I always had a really interesting and good conversation.
So I realized that I had passion and interest, and I just started heading down that path. But it wasn’t necessarily something that I carved out and said, “Hey, I’ve got to be a CISO.” In fact, there wasn’t even that title when I first started going down this. It was really more just an interest and it’s something that I still wake up every day really super excited because each day brings new challenges and new things that we get a chance to be able to go figure out how to deal with.
Gary: Well, as you know, I’ve talked to lots of CISOs in my day, and it’s super amazing what you’re doing down there. Thanks for sharing with everybody how this thing works.
Craig: Yeah, happy to.
Gary: We’re going to release this thing called the CISO Report, which is a project that I just completed. You can think of it as BSIMM for CISOs. It’s very much a data-driven project, just like the BSIMM was, with lots of in-person interviews with a bunch of people. In the end, we ended up interviewing 25 CISOs from lots of different companies. I’ll name the ones that are allowed to be named really quickly: ATP, Aetna, Allergan, B of A, Cisco, Citizens Bank, Eli Lilly, Facebook, Fannie Mae, Goldman Sachs, HSBC, Human Longevity, JPMorgan Chase, LifeLock, Morningstar, Starbucks, and U.S. Bank. And you were, obviously, one of those. The report’s pretty interesting. We’re releasing it publicly for the first time today, on the 17th of January. So my question for you is, Why did you agree to help with this project, and did you like the results, and how do you think the work can be used by other people?
Craig: Yeah. So, one, the reason why I wanted to participate and I wanted to see what we could do about not only participating in this most recent one but also the original one, which had a much smaller sample pool, was that I’m a big believer in benchmarks and being able to have a comparison to understand how we are doing as an organization, as a team, as individuals. This is such a nascent space. Information security and the information security teams within these companies have changed a lot over the last 10, 15 years. I still think that we’ve got lots of room for improvement. And if there’s a way for us to be able to do a comparison against folks who are doing this well, all the better. So I was really excited that Bank of America was one of the firms that was asked to participate.
What I’m hopeful for is that by doing more of these types of programs and benchmarks and analysis, that it will help people understand what the definition of “good” is. How do they know what it means to be a good, in this particular case, CISO or run a good information security team? And by doing that, we can then go back to all of the people that we work for, that we are responsible for taking care of, like the Board members and the management team, and go to them hand on heart and say, “Here’s where we stand, here’s what we’re doing, and here’s what you should be expecting from us.”
Gary: I like that a lot. I mean, one of the reasons I started this project in the first place was because I was really a little bit in the dark about what CISOs do all day. In some sense, there are a lot of CISOs that are still in the dark about what CISOs do all day. And so if we look at what the best people are doing and how people are approaching this job, and build a benchmark, we can all kind of improve in a measurable way, I suppose.
Craig: Yeah, that’s right. And the thing that’s interesting to me about the CISO title is that it’s a pretty generic title. I think a lot of people make assumptions as to what that role is. But what was really interesting about the work that you did was you showed that a CISO is not just a title but it is the person combined with the company that they work for that makes up a magic combination of either success or not a success. And that it really is a little bit more scientific than not.
Gary: Yeah. So of course, when we had these conversations to gather all the data—because, like I said before, this was a data-driven thing—we tried to build a framework like the software security framework we built for the BSIMM. And frankly, that was a way easier framework to build, because when you help invent a field, you sort of know the framework by heart.
For this one, I ended up building this very generic thing with 12 parts that fall under three groups: Workforce, Governance, and Controls, which you could more generally call People, Process, and Technology. And you know, we used that framework to guide the conversation with everybody in a very open-ended way. But all these things kind of overlap. What are your thoughts about overlap of CISO responsibilities in your experience with your peer group, and are we sort of doomed to some sort of generic framework, like the one that we came up with? Or can we get more specific?
Craig: I think we can get more specific, but I think it’s going to require us to be able to iterate our way through this. Depending upon who you talk to that is titled as a CISO, many of us have different responsibilities, different scopes. We sit in different parts of the organization. We’re funded differently. And I think it goes back to the difference between how organizations look at and view the importance of information security. I think there’s a lot of companies who are dealing with the information security challenge, and they look at it as a function of compliance that they will go through and they’ll make sure that they comply with all of the laws, rules, and regs. And they’ll go through and they’ll check that box, but they’re really looking at it as a compliance aspect.
But I think a lot of companies are increasingly looking at this as something that’s more than just compliance, that they have to be committed to doing it, and that the commitment starts from the top down, and it is an obligation of everybody who works in the organization. For those companies who have transitioned from compliance to commitment, I think that the role of a CISO is different. As we iterate our way through these generic frameworks and move to something that’s a little bit more specific, I think it’ll allow us to be able to decompose the organizations who have made that transition and measure them accordingly.
Gary: I think that’s right. So in this group, in this work, we talked to 25 CISOs, and we identified four major groups of CISOs that I call the “four tribes.” And I’ll very briefly cover those, starting at the bottom. The first tribe is Security as a Cost Center. That’s Tribe 4. Tribe 3 is Security as Compliance, which you just sort of alluded to. Tribe 2 is Security as Technology. And Tribe 1 is Security as Enabler. First of all, I want to point out that one of the goals of the work was to keep things as simple as possible to keep the results useful, which is why all the numbers of stuff are as small as possible, like 4 tribes is better than 25 tribes.
My view is that when you know a tribe, like Tribe 1: Security as Enabler, it can help you with career development and firm evolution and understanding both the limits and the potential of a particular situation you might find yourself in as CISO. So I wanted to ask you, What did it take to become a Tribe 1 CISO? And how did you move from a highly technical guy into a business person who’s treated as an equal by your business peers at the board level at Bank of America?
Craig: So one, I would say that just like any relationship, it does come down to two parties. The company, Bank of America, was already in a position where they were looking for somebody who could be an enabler. They didn’t want to have somebody who fell into Tribe [2, 3, or 4]. And that’s really more of a statement of my predecessors, who came in and laid a really strong foundation and explained and helped them understand what it took for this organization to be successful. That looked and smelled an awful lot like a Tribe 1 enabler. So the company was looking for that.
Now, in terms of my role in that, you’re right. I came from a technology background, and I’m really comfortable with technology. But it’s not enough to be able to sit in front of the Board and to talk about all of the technical things that we’re super proud of. Because really, when it comes down to it, the Board, the management team—they need to know beyond technology that when the chips are down, the person who is sitting in front of them is somebody who is going to be able to lead them through a potential crisis. That confidence is something that is built up. And it’s not just about technical aptitude. It’s about leadership; it’s about knowledge of the business; it’s about knowing the difference between what things are critical or not.
So I was really fortunate having been a part of Bank of America for a long time. They gave me an opportunity to work in lots of different parts of the company. Through those different roles, I learned a lot about how this place is wired and what is important. So when I sit in this seat today, I have, one, a great deal of empathy for all of the people in the organizations that I’ve worked for, because I’ve done a lot of those jobs, and I can take what they do and explain it with confidence and, like I say, with the empathy that it deserves. But at the same time, because I understand the company, I can also understand what is important to the management team and where to be able to draw that distinction and line around how to be able to protect the firm without strangling it because we are being too restrictive and putting in place the wrong type of capabilities and controls.
Gary: And that’s the kind of trade-off that senior management makes a lot. And there’s another tribe called Security as Technology, Tribe 2. And those people in Tribe 2, those CISOs, are really also exceptionally good. And it may be the case that in some organizations—like a more technical, say, service provider or software provider or technology provider—it might make sense to have the CISO be in the Technology tribe. I think in global banking, it makes sense for Tribe 1 CISOs to exist and to be looked for.
But those two tribes are very close together, and there’s a large conceptual distance between Tribe 1: Security as Enabler, Tribe 2: Security as Technology, and then Tribe 3, which is way over to the right of that, you know, Security as Compliance, which you alluded to. What we wanted to do in the work was break out these things we call discriminators between the tribes so that you can gather data and look at all of the things that you find out, apply these 18 discriminators, and figure out what tribe somebody’s supposed to be in. You’ll have to read the report itself—I’ll give you a URL later in the show—about what those 18 discriminators are exactly. We divide them into the three groups: Workforce, Governance, and Controls. But I do want to give you an example of one discriminator, and that one is the “CISO executive stance,” which you’ve already alluded to. And the way discriminators work is they have a slightly different view for each tribe.
So Tribe 4, the discriminator “CISO executive stance” says, “The security leader, whose title is likely not CISO but who remains the top of the security heap, is a technical person.” That’s Tribe 4.
Tribe 3, same discriminator: “The CISO is a seasoned senior executive, possibly without a deeply technical past. Compliance tribe CISOs are often excellent administrators,” so they’re more business people, really.
Tribe 2, same discriminator, “CISO executive stance”: “The CISO is a deep technical geek and in many cases may still be known primarily for technical work. The CISO has solid business skills, which may still be developing.” And I bet that one day you went through the Tribe 2 stuff, but we can talk about that in a second.
And then Tribe 1, the “CISO Executive Stance” in the Enabler tribe, which you’re in: “The CISO is a seasoned senior executive. While they often come with a deep technical past, they focus much more attention on the business and less on technology.”
I think it might be good to have an example or a story that highlights each of these tribes in relationship to that discriminator that I just talked about, if we can kind of keep it on point. So I’m wondering if you have a story that might apply to those discriminators in CISO executive stance.
Craig: Well, I don’t know that a story necessarily jumps top of mind, but I will say that my own personal transition, as I would say, from Tribe 2 to Tribe 1 was probably the hardest transition I’ve made in my professional career. Only second to the transition I made from going from an individual contributor to a manager when I first started my career. I would say that it is important to be technical. But remember that a lot of times when we’re sitting in front of the management team or a group of stakeholders, like a Board of Directors, they’re not technologists, or at least they probably aren’t technologists. I mean, if you’re working inside of a Silicon Valley firm, then you may be sitting in front of a group of folks that understand all of the jargon that we use as an industry. But being able to translate what we do into business terms—not into layperson’s terms, these are business people—and understanding how the levers of the organization work is something that took a long time for me to figure out. And I will say that I still work to try and figure it out on an everyday basis. It’s not just about how to be able to understand how the business is wired, but also how to be able to communicate in a way that they can consume it.
Gary: Yeah. And I think that one of the things that technology people sometimes overlook is that it’s not about what you can accomplish or can’t accomplish with a particular tech stack. It’s really about what the business wants to accomplish. I think that turn is a critical thing. You’ve said this, but you know, the CISO role really has evolved incredibly over the last decade. In fact, I think the whole Tribe 1 phenomenon is really pretty new, like probably less than a decade old, on the planet. But because we’ve identified these tribes and we’ve gathered data to support this view, I think we’re beginning to understand how we can measure this role and how you can evolve the role over time and even progress your own career. So obviously, more data is better. That’s always the case.
Anyway, I’m wondering what you think about what we did when we went from a population of 12 two years ago and we were just beginning to think about this work, to a population of 25, which we have now, and we’re publicly releasing this stuff for the first time this week. And you know, what you think about gathering even more data and getting more people involved and how CISOs interact with each other professionally out there in the world.
Craig: Yeah. I’ll go back to my comment earlier about how, as an industry and as a profession, CISO is still relatively new and there is a lot of discrepancy between the title and what people actually do every single day. So getting more data for something like this and being able to create a benchmark and a baseline so that individuals can understand what the definition of “good” is, I think, is something that is important for all of us who do the job today. But more importantly, I also believe that it is something that is going to be important for the people who’d fill our seats in the future.
Gary: Absolutely agree with that, yeah.
Craig: Yeah. Because otherwise, they won’t know what to be able to strive for. They won’t know what skills they’re going to need to have. And I think too often we say, “Well, you need to work on your soft skills,” or, “You need to go and think about how to do a presentation or understand how to manage the business.” But with programs like this, now you can take these individual discriminators, and you can tie it back to a professional development plan and say, “I need to go strengthen my time on executive stance,” or, “I need to go figure out how to be able to think about how to curate a security message.” These are discriminators that give a lot more meat to having a professional development conversation than I think we’ve been able to do in the past.
Gary: My theory is that CISOs can actually change their stripes. So you could use the discriminators to make a strategic plan, but it does require a dance, in some sense, between the individual who’s in the CISO role and the firm as well. In some cases, if it’s just the wrong dance, it might not be for you.
Craig: Yeah. I think it would be really hard—just like going back to that relationship analogy I used—to say, “Hey, I’m an enabler CISO, but I’m working in a compliance-driven organization,” or vice versa.
Gary: And in some sense, I’ve seen that happen. I mean, compliance is kind of the glass ceiling of CISO Land.
We’ll be right back after this message.
If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.
Gary: We’re releasing this thing on the 17th, which is today. So here’s the URL for the CISO Report.
So that’s the CISO Report. And I want to turn briefly, for a couple minutes, back to your own work, if that’s OK with you.
Craig: Yeah, sure.
Gary: The main thing I wanted to ask is you’ve built this remarkable team of talented people in your organization that come from widely different backgrounds and wildly different backgrounds. And the question is, How’d you do that? And why does your kind of hodgepodge team, that’s just all these incredibly successful people on totally different dimensions, work as a team?
Craig: Well, it’s a very intentional strategy. So when I sit down with a Board of Directors, my strategy, in many cases, can be summarized in four words: That’s tech, that’s talent. And if you decompose that statement, you have to have best talent in order to have best technology because it’s the people that make the tech go. So being able to make sure that we have a really outstanding talent workforce is something that I spend almost all of my time on. Today, we have a team of about 2,400 information security professionals that are inside the organization dedicated to defending the firm.
And you’re right: They do come from all walks of life. And that diversity of background and of experience and just individuals is super important to me. Because if we’re trying to anticipate the actions of some sort of adversary, we can’t just have a bunch of people who look and act and sound the same sitting inside the organization. We need to be able to make sure that we get people from all walks of life—different backgrounds, different experiences, different races, different ethnicities, different genders—all under one roof. It’s important that we give them a really hard problem and the ability to solve it. I’ve found, more often than not, that’s really what a lot of people are motivated by.
One of the nice things is that working for a bank that has a brand like Bank of America, and the commitment that we have from the management team to make sure that we do everything necessary in order to not only protect our clients and customers but also make sure that we have a sound and safe financial services ecosystem—that’s a really hard problem. They give us all of the air cover budget and the ability to spend that money to be able to make sure that we have the ability to go solve that problem.
So today we work with really an unconstrained financial forecast. The CEO, Brian [Moynihan], often talks publicly about how the information security function within the organization is unconstrained: unconstrained budget, unconstrained in terms of our ability to be able to effect change. And you know, that just sends a really super powerful message not only to people’s accountability within the company—every employee understands why we do that—but it also is a great way to ring the dinner bell for anybody who is interested in thinking about information security as a career or is already doing that and wants to come to an organization and learn a lot.
Gary: Well, some organizations are constrained in their security approach by budget, and others are not. But all organizations certainly have a maximum capacity for properly absorbing security. It’s not infinite, and the field changes a lot. So I wonder, How do you figure out how much to do at once, and what to not do now, and how things are sinking in to keep the security culture at its tops at Bank of America?
Craig: Well, look: It’s not just enough to be able to have the money, but you have to be able to spend it. So the ability to effect change within the organization is necessary when you have that kind of commitment from the management team. So yes, we could spend it and potentially go so fast that we’re introducing risk, but that goes back to the need to be able to balance business expectations with the program that you’re running as a security professional.
Gary: Exactly. So there is a maximum kind of soak-in.
Craig: Yeah. I will say, though, that in most cases, companies can move faster than they probably are thinking that they can.
Gary: Oh, sure.
Craig: And finding that maximum velocity without becoming unsafe is the dance that I think any CISO has to face.
Gary: I totally agree with that. Last real question. So let’s talk about my favorite subject, software security. Do you think we’ve made progress in applied security engineering?
Craig: I think we’ve made some progress, but I think you only have to look back at some of the big headlines over the last 12–18 months to say that we have a lot of work to go do. You know, look: Any of the headlines have said—or have at least had one thing that is very consistent with—a vulnerability that was either known or should have been known to management. Most often, those were software vulnerabilities. And so we’re still seeing them too frequently, we’re still seeing them with the potential for too much damage, and they’re not something that is well-known across the tech community or the management team that’s responsible for making sure that it can’t be exploited. So I think we’ve done a lot as an industry, but I think we’ve got a lot of work to go from here.
Gary: I agree. The way I would put it is we know what to do, and now we have to do it.
Craig: Yeah, well said.
Gary: So now, kind of a fake question: Tell us what it’s like to be “an L.A. boy foisted into the genteel southern-gentleman culture in North Carolina.”
Craig: I will say it was easier for me than it was for my wife and kids. I come with a built-in network of folks. I knew people from the office; I’ve been coming here for years. So my transition to the South was relatively straightforward and happened in days and weeks. For my wife and kids, it was harder because they didn’t know anybody here. But I will say that Charlotte as a city is a remarkably open community. Very few people in Charlotte are from Charlotte. So it has this interesting dance where I think everybody has a recollection of what it was like to move here. And they remember that, but at the same time, they also pick up that southern hospitality and open charm.
People here are super friendly, far more friendly and open than what I remember from anybody—or most people—I ever met in Los Angeles. So it’s a very easy city to live in, and I think that’s one of the reasons why we’ve been here now for about 3 years. And when my family talks about home, they don’t talk about home as in L.A.; they talk about home as in Charlotte.
Gary: Yeah, very interesting. Very last question: What music is in heavy rotation in your life at the moment?
Craig: So we talk about music a lot, you and I. I would say that right now, I’ve kind of been doing a few things. So one, I love the new U2 album. That seems to be taking up a lot of rotation at the moment. For some reason, I’ve been doing a whole, like, South American / Central American kind of thing. So I’ve got that kind of in rotation. I don’t know. It just kind of depends on the day, the mood. We’ll see.
What about you? What are you up to? Are you still doing jazz?
Gary: I’m doing all sorts of stuff. Lately, I’ve been focusing on my own music, and I actually have a show this Friday. It’s sold out though, so you can’t go.
Craig: Well, I’m going to hold you to seeing you live one of these days.
Gary: Sounds good. Thanks for your time, Craig. This has been a great conversation.
Craig: Thanks, Gary, I appreciate it. Have a good day.
Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security and Privacy Magazine and syndicated by Search Security. The November/December issue of IEEE S&P Magazine includes our interview with New York Times tech reporter Nicole Perlroth, one of 12 interviews carried out over a year focused on women in security. Show links, notes, and an online discussion can be found on the Silver Bullet web page at www.synopsys.com/silverbullet. This is Gary McGraw.