Watch podcast interview now with Greg Warren and the HALOCK Radio host Terry Kurzynski.
TRANSCRIPT
Terry Kurzynski 0:07
We have HALOCK Radio as we interview information security leaders and today we have Greg Warren from Standard Parking Plus, otherwise known as SP Plus.
Greg Warren 0:20
Correct.
Terry Kurzynski 0:20
Greg, welcome to the HALOCK Radio podcast.
Greg Warren 0:26
Well, thanks for having me.
I mean, I’m definitely happy to be here and looking forward to it.
Terry Kurzynski 0:31
So we originally met, we’ve been working together for five years and specifically when you started at Standard Parking, right, but let’s go a little bit back in time.
Greg Warren 0:41
Correct.
Terry Kurzynski 0:45
I want to give the listeners a little bit of your background and you know I was impressed looking at your background.
So you started out as a Marine, is that safe to say?
That’s where your career kind of started.
Greg Warren 0:58
It is.
It is, you know, I mean, it’s hard to believe that I’ve been doing information security for almost 19 years.
Now the time has flown by, but you know I got my introduction into the information security field through the Marine Corps.
Uh, you know, if I were to step back a few years, I was a computer science major in my undergraduate college life.
But you know, I’ve always had a passion for, you know, computing and networking and understanding how information systems and information technology works.
But you know what I found is, is that you know, after a couple years in the Marine Corps, I started to pivot more into the idea of network security, database security, encryption, and I found it fascinating and I’ve been doing it ever since.
Terry Kurzynski 1:50
Alright, so I got to ask the you know question that everyone asked you.
Like how was boot camp right?
So like you know, was that a real thing?
Was it tough?
Greg Warren 2:02
The camp was probably the hardest thing I’ve ever done in my life.
Umm you can try to prepare yourself as much as you want and you can hear the stories from other Marines that have been through it, but until you’re there.
Uh.
Even the stories you hear don’t do it justice.
Proper justice, I mean, we’re talking 13 weeks, 90 days of just intensity where you literally have no moments to yourself.
You know the drill instructors who run bootcamp.
They are all over you from the time you put your feet on the yellow footprints till the time you graduate, it is no joke.
Terry Kurzynski 2:38
Yellow footprints.
Ohh, you really got to stand in perfect separation, huh? Yeah.
Greg Warren 2:42
That’s right, that starts it all.
You take a bus, you show up at the they call it the Marine Corps Recruit Depot, and you line up on those yellow footprints.
And then the drill instructors come, and it begins.
Terry Kurzynski 2:55
Is that … how is that?
How you manage your team today?
You know, people follow orders or people die.
Is that you know, is that your message out there?
Greg Warren 3:03
Uh, you know, I do not manage with that much intensity, but I will say this, you know the discipline that you get out of the Marine Corps, it’s most definitely translated not only into my professional life, my personal life as well.
So, you know, I think I think the biggest thing I can take away and it’s something I still practice today is just the idea of accountability and the idea of teamwork and leading by example.
Terry Kurzynski 3:21
Yeah.
Well, I so I’ll expose a vulnerability here.
So I signed up for the Navy at the University of Wisconsin.
You know, back in just say just say the 80s.
Greg Warren 3:41
Mm-hmm.
Terry Kurzynski 3:44
OK.
Then we’ll just stop there.
Greg Warren 3:45
Yeah.
Terry Kurzynski 3:47
I probably saw.
I know I saw a Top Gun, you know?
And then everyone wanted to be a pilot and you know, sign up for the Navy.
Greg Warren 3:52
Mm-hmm.
Terry Kurzynski 3:53
So I was one of those guys.
And so the underclassmen have the first registration week.
They’re not.
They’re not doing boot camp right, but the upperclassmen are.
I happened to have my dorm that was right outside the field where they were doing their 5:00 AM exercises and drills, and I had just gotten in at like 4:00 AM, right.
Greg Warren 4:10
Umm.
Terry Kurzynski 4:16
So like because it’s registration week, it’s party week, you know, you’re just you’re not really going to school yet.
Greg Warren 4:22
Sure.
Terry Kurzynski 4:22
And I was like, what, who are these guys?
And when I got to the bottom of who was out there yelling and screaming at 5:00 AM, it was my crew that I was gonna be doing the same thing the next week.
Greg Warren 4:34
Mm-hmm.
Terry Kurzynski 4:35
I bowed out.
You know, I just said, you know, I’m not.
Greg Warren 4:37
Got it.
Terry Kurzynski 4:37
I’m not gonna do it.
And I found a different way to pay for school, you know?
So that’s that.
Greg Warren 4:44
Yep.
Terry Kurzynski 4:44
That’s my military story right there in a nutshell.
I was too weak to move on so.
Greg Warren 4:52
Yeah.
Well, look, I had no intention.
I had never even thought about joining the military in any capacity.
Umm, you know?
But I had a really good friend my freshman year in college.
And you know right around towards the end of the year when it was about to finish a freshman year.
You know, I’d see this guy out there early every morning working out, running, and I finally asked him.
I’m like, dude, what are you, what are you doing?
You know what’s with what?
What?
What is with all these workouts so early in the morning?
Terry Kurzynski 5:19
Yeah.
Greg Warren 5:19
And he had told me that, you know, as soon as school let out, he was going into the Marine Corps.
And you know. Yeah.
Terry Kurzynski 5:26
Ah.
Greg Warren 5:26
So when he got out of boot camp and came back and you know, I started to talk to him more.
I mean, he really sold me on the idea.
And you know, again, he told me, like the military specialty that he picked, you know, it was information technology based and, you know, like I said, I was a CS major at the time.
And so was he.
And you know, he really sold me on it.
And so I got through about a year and almost two years of college before I joined.
And you know, I should preface this.
I mean, I joined as a reservist, but you know, I joined at kind of the peak of the Iraq war.
So I actually spent more time on active duty than I did in reserve status, so.
Terry Kurzynski 6:07
Did you have to get sent out to any hot zones?
Greg Warren 6:10
Yeah, I went to.
I went to Iraq.
I went for seven months.
You know, between 2004 and 2005 and yeah, again, you know just.
Terry Kurzynski 6:15
OK.
Greg Warren 6:23
It was a very good experience for me.
Um, you know, I think the biggest takeaway is just the camaraderie, you know, and just, obviously being in a hot zone but also feeling that, you know, we had a mission and a purpose and we knew what that was from day one.
So yeah, you know, I remember the times fondly and, and even from a from a career perspective, that I mean that was kind of the next evolution a lot of on the job training you know, specific to information security out there.
You know, stuff that I had never been exposed to.
But yeah, you know, it really kind of set that foundation for me in my career when I came home.
Terry Kurzynski 7:04
Well, I was just going to say it seems like it served you well because you had a bunch of, you know, work efforts and we can talk about those.
It looks like application support specialist program information Security Compliance Administrator, GRC Guy at Walgreens. Right.
Greg Warren 7:12
Umm.
Mm-hmm. Yep.
Terry Kurzynski 7:19
So big companies, but you’re CISO at Standard Parking and it seems like all those initial experiences really set you up well to lead and manage this group at Standard Parking, which by the way you get well, how big is the group?
Greg Warren 7:22
Yep.
Terry Kurzynski 7:39
It’s it.
A dozen people? Almost.
Greg Warren 7:42
Yeah, we you know, we have a team of 12 total. Mm-hmm.
Terry Kurzynski 7:45
OK.
Well, that I mean that’s a unit, right?
So A is that what we call that so you can a unit.
Greg Warren 7:49
Yes it is.
Terry Kurzynski 7:54
So the concept of purpose and mission is that something you’ve translated over now into the CISO role that you make sure everyone of your team members knows like.
Why are we here?
Our mission is just walk me through how that’s translated maybe to modern day work effort that you have today.
You know, civilian life.
Greg Warren 8:16
Yeah, absolutely.
I mean it’s, you know, I think it’s, you know, when I use words like camaraderie and teamwork.
Umm, I think what I’m trying to avoid, especially with my team, is this idea of being a silo.
Not only when I think about kind of the sub teams I have within information security, but information security as a whole.
You know, we don’t wanna be siloed off from the rest of the organization.
I am a strong believer that you know, information security needs to be an organizational priority.
It needs to be in order as an organizational effort, and especially for my team.
I mean, I think it’s very important that we all understand, you know what our strategic objectives are, what our mission is.
And I think that it fosters an environment of collaboration.
You know, for example, if I have a governance team that is all about policy and compliance and controls, but then I have an operations team who’s kind of more in the day to day.
Umm, you know what I would contend is that.
One hand needs to be talking to the other.
You know, we need to make sure that we’re getting as much visibility and insight into our environment as possible.
And so you know, you’re right.
You know, you kind of use that term, unit, platoon, whatever you want to call it.
But you know, that’s really how I view my team now is that, you know, we do.
You know, we try to meet at least twice a week as a team.
You know, this isn’t about just like me delegating to managers and not going on, not knowing what’s going on as far as day-to-day operations.
You know, I think a lot can be accomplished just by making sure that I’m talking to my team a couple times a week and not just about, hey, what’s going on?
That’s a given.
I mean, enough emails and enough calls take place to where I understand the lay of the land, but I like to think a little bit bigger, you know.
I take a lot out of what my team tells me.
I take a lot out of the suggestions they make the ideas that they have, and I think it’s just really an opportunity for them to have their voice heard and I think it’s really an opportunity for them to step up.
You know, I think that everybody in their life has certain career ambitions and, you know, that’s something that I really want to foster.
Terry Kurzynski 10:38
Yeah.
Greg Warren 10:42
And I think that through that collaboration, through that camaraderie, through that teamwork, we’re able to have success.
Terry Kurzynski 10:51
Talk to me about the, you know, if you’ve had a big everyone’s had challenges in their career and whether it’s here at Standard Parking, doesn’t matter where it was.
But, umm, you know, a big challenge that you might have had that seemed almost impossible, you know, or you know, the toughest you’ve had up to that point.
How did you go about attacking it and getting it accomplished?
What was the output?
You know we haven’t talked about this.
So I’m curious to see what your answer is on it.
Greg Warren 11:23
Yeah, I would.
I would say that the biggest challenge I had I was at Walgreens Boots Alliance.
And it was the idea that, and maybe this started sooner than you know what I’m about to say as far as timing.
But you know, this is when I first started really to notice it, and it was the idea of having this Governance Risk Compliance model at an organizational level.
And so at Walgreens Boots Alliance, you know, I know a lot of people they know Walgreens, they know the pharmacy chain.
Terry Kurzynski 11:57
Yeah.
Greg Warren 11:57
Umm, but WBA really, was this idea of three entities combining into one giant parent company.
You know, you had all the Walgreens pharmacies, which at the time numbered 10,000 and then you had all the Boots pharmacies out of the UK, which were in the thousands and then you had the pharmaceutical arm, Alliance.
Terry Kurzynski 12:18
Yeah.
Greg Warren 12:20
Umm, where we were conducting operations in business in 26 different countries.
The challenge was how do we foster an environment of governance and when I say governance, I’m governance.
I’m talking the idea of, you know, policy standard control that everybody in this WBA organization was to adhere to and you know, the challenge was, is that when we started this team at WBA, it was a relatively young team.
We didn’t have a lot of resources.
We didn’t have a lot of visibility into the organization and so it was daunting to think how are we going to start to propagate this program and look, it’d be one thing if it was a huge organization that was just, let’s say, stateside based, but we ran into a lot of instances where some of the countries we worked with, 95% of their people didn’t speak English.
Terry Kurzynski 13:15
Hmm.
Greg Warren 13:16
So you know, how do we start to think about, you know, very technical language, policy language also throwing this idea of risk and other compliance programs such as, you know, especially PCI, HIPAA, you know, how do we start to build this foundation?
How do we start to build this core?
So it was definitely a significant challenge and you know, how did we overcome it?
Teamwork.
And when I say teamwork is, is that you know, even with the team size at the time at WBA, it was everybody understanding their role.
You know, constantly just, you know, having meetings with these various countries to really understand first, you know, what are we dealing with?
You know what exactly is the kind of application suite?
What is the data?
You know what is the PII that we’re dealing with?
What are your current practices?
You know from there, you know, it kind of moved into this idea of an assessment phase.
Being able to calculate risk, being able to identify gaps, and then really, you know, we just tracked it over two years, you know, across all these different entities and countries to try to get them into compliance with our overall governance risk and compliance program.
Terry Kurzynski 14:27
How did you solve the language barrier?
What were some of the tricks there?
Greg Warren 14:32
Translators, you know, we had to, you know, we got a little creative.
Terry Kurzynski 14:34
OK, well.
Greg Warren 14:37
You know, I think that you know again a company you know the size of WBA.
I mean, I think the organization understood the importance of what we were trying to do.
So what helped us?
A lot is that you know, whenever we did need resources, whenever we did need to put in security tools, automation.
You know, and I even say consultants, you know, translators, I mean, we were able to get that and you know, it was.
Yeah, it was.
It was not an easy task, you know, it was not an easy task, you know, especially, you know, even on the state side, you know, with Walgreens, I mean it’s a, you know, as a complete culture shift at the time and I talk about this idea of timing and this idea of governance, risk compliance because you know what I would contend is, is that up until that point in my career, you know, I had noticed that there was a huge focus on this idea of network security.
I always felt that infrastructure security, database security, that information security almost got this, uh, this connotation that it was directly tied to IT and it had to be overly technical.
But what I would contend is, is that I’ve seen that shift dramatically to where you really have to make sure you can speak that technical language, but then be able to translate it into business terms that business units and that different, you know, business application owners can understand.
Terry Kurzynski 16:02
You know, Greg, I think this is a perfect spot for me to stop for a sponsorship.
Uh, a message.
So this HALOCK Radio podcast is sponsored by Reasonable Risk software as a service.
It’s a cybersecurity governance platform.
The only one based on duty of care risk, and I believe you have a little familiarity with that because SP Plus actually has been using that for a few years.
Any comments there?
Greg Warren 16:30
Well, look, it’s been a game changer for us in a good way.
Umm, you know when we first started working with HALOCK?
To me, the mission was simple.
I felt that the way we were looking at risk was very immature for an organization our size and you know it was one thing to work with HALOCK on the methodology on the duty of care, you know, risk analysis process, that production of a risk register, all that was essential.
But to me, you know, then we needed a way to translate that.
We needed a way to almost automate that, and that’s where the Reasonable Risk tool has really helped us a lot.
And what I mean by that is, is that you know, when you think about information security.
It’s very wide and what I mean by that is, is that you know whether you’re talking about some, you know your ISMS or BCDR or incident response or, you know, systems maintenance is that you know we’re able to take the findings that come out of our risk register.
We’re able to prioritize those findings, you know, and then we’re able to use Reasonable Risk to really stand up projects to tie that to NIST controls to figure out who the accountable officers need to be in the business unit.
And it really gives us an idea where it gives us a true kind of understanding of how we can get to that risk reduction that we’re looking for as an organization.
You know, for example, you know if I have an associated project that has seven or eight different subtasks and there’s associated risk ratings with each of those.
But I know that if I were to complete this remediation plan, it would take me to X score.
You know, that’s very helpful to me.
It’s very helpful to my team and I think the thing I like about Reasonable Risk too is is that the ease of use is there.
You know, we’ve been fortunate to be kind of one of the early adopters of the tool and we’ve seen how it’s matured over the years.
And I think that that’s directly correlates to some of the successes that we’ve seen with the maturity of our program.
Umm, you know?
Look, I’ve worked with other GRC tools before and uh.
Just the implementation process for some of those GRC tools.
It took us months and it was one thing for an information security team or even an IT team to use some of those governance tools.
But then when we tried to, you know, propagate that to the rest of the organization, it presented another challenge.
It was confusing.
It was time consuming.
It was overly complicated.
What it didn’t need to be so you know, I know for my team, all 12 people on our team, we all have visibility.
We all use and we understand how you know the Reasonable Risk tool can help us.
Uh, you know, achieve our mission and you know, continue to mature the program.
Terry Kurzynski 19:28
That was way more than I expected, Greg.
So that’s good to know.
I’ll let the Reasonable Risk folks know about the use of the tool, but let’s segue to the stress of a security leader like we’re constantly dealing with breaches and incidents, and I mean or our peers are right and you know these big ransom attacks, it’s stressful.
Let’s face it, it’s stressful.
Greg Warren 19:52
Yep. Mm-hmm.
Terry Kurzynski 19:54
I got to know.
I like to kind of find out what people are doing to destress, so let’s talk about that side of it.
Greg Warren 19:56
Sure.
You know and, and I’m glad.
Terry Kurzynski 19:57
Because you seem very calm.
Greg Warren 19:59
Well, now I’m.
I’m.
I’m glad you bring this up because you know, uh, you know, a couple years back, you know, I had to take an honest, you know, look in the mirror and, you know, I think I was prioritizing way too much of my time for work.
Terry Kurzynski 20:03
You know the work life balance.
What are you doing to destress?
Greg Warren 20:14
And you know, I was constantly checking my email at 11:30 at night and waking up and having to do work on Saturday morning.
Umm, but to destress, I mean really, you know, I’m married.
I have two children and my family means everything to me and you know, I like to tell myself that the reason I put in so much hard work is to, you know, be there for them to support them.
Umm, but look, I can’t stress enough the importance of having that work life balance and I know that everybody says that.
But you know, how do I achieve it is that you know, I have to tell myself, you know, at certain times in the day, you know, this is family time.
This is time to be spent with your kids and you know my kids are at the age where they’re starting to get more involved in their activities and you know my daughter with gymnastics, my son with jujitsu.
And you know, just to be able to be a part of that, I mean that’s very important.
Terry Kurzynski 21:02
Yeah.
Greg Warren 21:07
You know, the other thing for me is physical exercise.
Terry Kurzynski 21:10
OK, let’s talk about what do you do?
Greg Warren 21:12
Well, I mean, look, I my routine is, uh, you know, I like to go to the gym four days a week.
Terry Kurzynski 21:13
What’s your routine?
What’s your routine tell me.
OK.
Greg Warren 21:19
You know, I’ll usually spend a couple hours when I go, umm, but it’s a great way to decompress.
It’s a great way to just kind of, you know, focus in on you know what I need to do.
You know, as far as working out and I always tell myself, you know what, don’t think about work while you’re there and you know it kind of allows me to.
It’s almost like a meditation for me when I’m at the gym, you know, I don’t have to worry about all the different work stressors.
Terry Kurzynski 21:41
Yeah.
Greg Warren 21:44
And you know, I’ve made it a point to really try to fit that into my schedule because, you know, especially going back to, like COVID and a little bit post COVID, I mean, I worked from home five days a week for two years straight and it was very easy for me just to wake up, start work, sit in the same chair every day for 10 hours and then as soon as I would finish work to go lay on the couch or do something like that.
Terry Kurzynski 22:08
Have a cocktail.
Greg Warren 22:09
Watch TV.
Terry Kurzynski 22:09
Have a beer.
Greg Warren 22:10
Exactly.
Exactly.
Terry Kurzynski 22:11
Yeah.
Greg Warren 22:12
And you know, look, I mean I think it’s a, you know I I think the physical exercise that I talk about and you know the time being spent with my kids and you know that really helps contribute to my overall mental health.
You know, I think that that’s probably one of the biggest takeaways I got too from, you know, talking to some of my fellow team members is that, you know, especially with COVID and this whole, you know, move to remote work, but even bigger than that like some of the stresses that come along with being in the information security, cyber world, you know, it can really take a toll on you mentally.
And I think that, you know, for me, I had to be cognizant of that and try to balance that out with some of the stuff that I just said.
And you know, it’s been a it’s been a bit, I’ve noticed a big difference, you know, not only in my physical and mental health, but, you know, you know, just being present, you know, being present for my family and, you know, really enjoying the time I have with my kids and my wife.
Terry Kurzynski 23:09
Yeah, it seems like when the endorphins are released, uh, there’s no problem we can’t solve, right?
There’s nothing.
Greg Warren 23:16
Yep.
Terry Kurzynski 23:17
There’s no stress anymore, so that’s good to hear.
I’m glad that you figured out because not everyone has, right.
I mean, there’s a high rate of, you know, mental illness and depression within the CISO community.
And so, giving advice to others on how to handle it, I think is really good.
All right, so again, ask this question.
Umm well, I’m a big music guy.
Music lover.
So I’m always, you know, working my playlist.
Greg Warren 23:43
Sure.
Terry Kurzynski 23:45
You know what’s, do you have a song that you added to a playlist lately that you wanna share?
Greg Warren 23:50
Sure.
Yeah.
Terry Kurzynski 23:51
OK.
Greg Warren 23:51
Umm, so I don’t know.
Have you heard of the musical artist Sturgill Simpson?
Terry Kurzynski 23:56
No, I haven’t, no.
Greg Warren 23:57
You haven’t.
OK.
Well, you know, I was watching a I was watching the TV show called The Leftovers.
I don’t know if you’ve heard of that show.
It’s an HBO show.
It’s a few years old, you know, and I was watching this episode and I heard this song, umm.
Terry Kurzynski 24:07
OK.
Greg Warren 24:12
And it just it was great song and I thought to myself, man who sings that.
So I did my little research.
I found out it was Sturgill Simpson and you know I’ll tell you, I’ve really I’ve become a huge fan of his music, so the last song I listened to was a song called Ronan by Sturgill Simpson.
Terry Kurzynski 24:28
Alright.
Greg Warren 24:29
Ronan and uh, you know, he’s an interesting artist because he’s very versatile.
I mean, he kind of got his start more on the, you know, almost like bluegrass kind of country, um, genre.
Terry Kurzynski 24:42
I was gonna ask you what the genre was right so.
Greg Warren 24:45
Yeah.
And then and then he kind of moved into kind of straight what I would call like contemporary country, you know.
And now he’s trying to make this pivot into almost like I would almost say, like rock.
And that’s what his new album and his new album is a It’s not really new.
It’s still a few years old, but I’m still trying to catch up on this musical artist, so Ronan, he’s trying to make that transition more to rock.
Terry Kurzynski 25:02
Yeah.
Well, I’m going to look it up and I’ll add it to my playlist.
Thank you very much.
Greg Warren 25:10
Uh-huh.
Terry Kurzynski 25:10
Maybe I’ll add it I gotta figure out which one to add it to right the Johnny Cash or the studio one or the rock one.
Greg Warren 25:10
Uh, huh.
Terry Kurzynski 25:17
So we’ll figure out which one to add it to.
Greg Warren 25:20
Yeah, I mean, definitely his earlier work, it reminds me a lot of Johnny Cash.
Really, it does.
Terry Kurzynski 25:24
OK.
Greg Warren 25:25
Yeah, for sure.
Terry Kurzynski 25:26
That’s what I heard.
When you’re telling me that, OK, so any musical instruments, the hobbies that you have there?
Greg Warren 25:34
No, you know, I always wanted to learn to play an instrument.
You know, I think I think growing up for me, it was all about, you know, kind of academics and sports.
That was my biggest thing.
Terry Kurzynski 25:44
OK. Yeah.
Greg Warren 25:45
Umm.
But I’ll tell you I’ve always wanted to learn how to play the piano.
You know, I think it’s a beautiful instrument and I think, gosh, I mean some of the stuff that I hear you know is just a, it’s fascinating to me.
I mean especially like a professional, you know, concert pianist.
I mean, it’s just it blows my mind.
So if I had to do it over, I would have started young and I would have stuck with it.
Terry Kurzynski 26:13
Well, it’s never, it’s never too late, is what I’ll say, right?
You were expecting that probably so.
Greg Warren 26:19
It’s never.
Yeah, never too late.
Who knows?
Terry Kurzynski 26:22
Uh, well, I just started guitar.
Really, in the last 2 1/2 years and you know I’m well into my 50s.
So it’s, you know, it’s never too late, right?
Greg Warren 26:30
No.
Terry Kurzynski 26:32
Alright, so let’s go back to the you know what I want is for those up and coming security leaders to get some advice from those that have been there and done that for those that are budding CISOs.
Greg Warren 26:47
Umm.
Terry Kurzynski 26:47
What advice do you give them to, you know, what skills are they gonna need?
What advice or anything are you gonna give to the next generation right now, knowing what you know and I’ve seen at this point, what do you what do you, you look them in the eye and this is what you gotta do, you know?
Greg Warren 27:04
Yeah, 2 words, versatility and adaptability.
And let me explain that a little bit is is that you know when I think about versatility is is that.
I think having the technical understanding of how information systems, how IT applications networks, you know how, how, how all that functions.
I think having that knowledge will suit you well, but it’s not just about that.
You know, I think it’s understanding things like risk management, it’s understanding, you know, especially a big one for me that I’ve seen evolve a lot over the years is the idea of data privacy.
And I think that’s only gonna continue to evolve.
Umm, but then you know, as you find yourself kind of stepping up the ladder into more senior positions.
Umm, for me it’s really transitioned into.
How can I communicate effectively, umm, with, with the C-Suite or with fellow UM, you know, application owners and business owners?
Umm, you know, and I think I mentioned this before, but it’s the idea that you know, if you have that technical background, if you understand the direction and the purpose of your information security program is being able to translate that into business terms.
And look, I get it.
I mean that sounds very ohh.
That sounds very easy in concept.
Ohh well that that sounds very good theoretically, but you know I can tell you that it is going to be a challenge because you know not everybody’s always going to agree with you you know and and even when you try to take some of those more technical terms and really water them down, they’re still gonna be the people that that say.
I have no idea what you’re talking about.
You’re going over my head and it’s almost like they close off.
Adaptability.
The reason I say that is because yes, what I’ve noticed with organizations is, is that they are very anti change.
Well, hey, look, we we’ve been doing it this way for 10 years and it’s not broken.
So why can’t we keep doing it this way? But little do they know that, you know,
And that’s one of the most fascinating things about information security, is that it’s constantly evolving. The threat environment is constantly changing, and so you know it’s your responsibility to not only stay up to speed on that, but to try to convince them and you know, again it doesn’t need to be with a hammer.
It’s that, you know, you need to rely on that collaboration.
You need to rely on their help to help you drive your mission, so it’s being willing to adapt, and you know, I think that, you know, that’s been some of the hardest things that I’ve had to deal with, is that, you know, going into a certain meeting or meeting with certain stakeholders thinking, ohh, I’m gonna say this and I know it’s gonna go this way, but it doesn’t always go how I thought it, how I think it’s going to go, no matter how much planning I put into it, so being
Terry Kurzynski 29:36
You know.
Greg Warren 29:57
Able to adapt to still accomplish the mission.
Terry Kurzynski 30:11
To and what I heard there at that last one though is situational awareness, which is, you know, take you right back to the Marine days too, right?
Where you gotta understand the situation on the ground and adapt to what you’re hearing coming at you.
Right.
Not just plowing forward with your mission, but you might have to adapt on that.
But I get something just hit me.
Greg Warren 30:29
Absolutely.
Terry Kurzynski 30:32
Is that a lot of the board?
Because they’re not information security executives, they don’t understand the threat actors and the hackers, right.
They’ve been used to competing with competitors who play by rules and regulations in the business world.
Greg Warren 30:45
Umm.
Terry Kurzynski 30:50
Now suddenly they have to combat a threat actor.
That’s kind of a competitor, but not really.
But there’s someone that can take them out, who doesn’t play by the rules, who’s constantly adapting and changing, who’s a shadowy figure that you can actually see
Greg Warren 31:02
Mm-hmm.
Terry Kurzynski 31:08
And identify clearly. That kind of freaks them out, you know?
Like, that’s a part of our mission is like, how do we translate?
It’s no longer competing against, you know, other businesses like yours.
Greg Warren 31:22
Right.
Terry Kurzynski 31:22
You’ve gotta understand this threat actor isn’t going to play by the rules.
They’re gonna come after you and squeeze you however they can.
Greg Warren 31:27
Right.
Oh, absolutely.
I mean, and, you know, I think, you know, in kind of sticking with that.
Sometimes you have to be willing to tell them, you know, worst case scenario, and what I mean by that is that, you know, how do you take everything that you know you’re seeing in the news, because, you know, yeah, they read the Wall Street Journal too.
They read about all these different organizations, you know, getting hacked, ransomware victims, data breaches.
They see all this, but, you know, if you can take some of those worst case scenarios and, I think, use practical examples that are out there in the business world and reflect that back into your own business and really talk about the associated business risk and impact to your business if this were to happen, then they start to listen.
Well, hey, you know, understand that, you know, if we are the victim of a ransomware attack, um, you know, and someone gets in and they infiltrate our data and they encrypt it and they’re asking us for ransom, I mean, think about some of the downstream effects.
And some of the downstream effects is that, think about the reputational impact that that could cause your organization. You’re trying to maintain a competitive advantage, yet something like that happens to your organization.
I mean, it’s gonna cost you in terms of dollars.
That’s gonna cost you in terms of resources.
And I think again, you know that’s where I try not to get overly technical with well, what goes into you know, what’s the main contributor to a ransomware attack?
I mean, yes, that’s important, but I think translating that down to brass tacks business impact, it really gets, it catches their attention and then you can start that conversation.
Well, OK, then what do we need to be doing as an organization to protect ourselves? Whereas we as executives and senior leadership, where can we help you drive your mission?
And that’s exactly the kind of collaboration that you need.
I think it’s one thing to give them the facts, but the thing I’ve learned about executives as well and especially board of directors is that they wanna feel involved.
So it’s imperative for a CISO, it’s imperative for the information security department, to really take what is going on in the outside world, to look at some of these threat actors, to even look at some of the threats internally in your environment, and be able to translate that into terms they understand.
Terry Kurzynski 33:50
Perfectly said there. It’s like drop-the-mic time, right?
Like, that’s it right there.
As a CISO, how you communicate that risk effectively so that they can make decisions is the whole job.
I mean, it’s not the whole job, but it’s a big part of it is the communication up.
And I know you’ve told me before, I got to communicate up and I gotta communicate down. The same risk has gotta be translated in different ways to different people, so they understand in their sort of love language, I guess, right? So.
Greg Warren 34:19
Yeah, you’re absolutely right.
You know, I mean it’s, uh, I always like to use the term, it’s like a top down, bottoms up, meet in the middle.
So you know that conversation that I may have with the top level brass in the organization, it may look a little different than some of those conversations I’m having with the technical teams, but the message needs to be the same.
And I think everybody needs to understand their role and I think that when you can start to have those conversations with those different groups and everybody starts to get on board, then you start to see that idea of culture change.
And what I mean by that, you start to get that buy-in from the organizations that you need as an information security department to be successful, because without it, you know, you’re gonna have holes.
You’re gonna have gaps, and I think trying to get to that level of maturity that everybody’s trying to get to, it’s going to be greatly inhibited if you can’t get that organizational buy-in all the way around.
Terry Kurzynski 35:18
Yeah, just ineffective.
And nothing happens.
No change happens right?
And only bad stuff happens, yeah.
Greg Warren 35:22
You’re spinning your wheels.
You get caught, projects get delayed, and bigger than that, that initial risk that was still there that you’re trying to remediate, that you’re trying to reduce, it’s still there, and odds are that that risk is only getting riskier by the day, by the week, because again, you know, that’s how security works.
I mean, it’s constantly evolving, and that bad actor, that threat actor out there getting more savvy, and as technology even continues to advance more and more and more, you really got to stay ahead of the game, and you gotta make sure that, you know, you have your defenses in place and you’re up to speed on kind of the latest and greatest.
Terry Kurzynski 36:03
Thanks, Greg.
It’s perfect.
Any final word or two words or three words.
Greg Warren 36:10
Ah.
Terry Kurzynski 36:11
So I heard, let me sum up: the CISOs of the future have to be versatile.
Yeah, it’s good to have technology, but you have to be adaptable and you gotta speak the language of those that you’re communicating with.
Understand their specific, I use the word love language, but understand how to translate risk and security in terms that they will understand from their perspective.
Greg Warren 36:26
Mm-hmm.
Terry Kurzynski 36:33
And that’s the big takeaway I’m getting.
And you have to have a healthy life, work life balance.
You can’t be working till midnight and then up again at 6:00 AM doing all this all over again and not have a good work life balance.
So that and then I have to listen to Ronan more.
Greg Warren 36:47
Umm.
Terry Kurzynski 36:48
Apparently that’s gonna help me, so I gotta listen to that song.
Greg Warren 36:50
Sturgill Simpson.
That’s right.
Terry Kurzynski 36:51
Sturgill Simpson yeah.
Any other takeaways?
Final words.
Stair climbing.
That’s the final one and stair climb.
You did that three weeks ago, right?
Four weeks, something like.
Greg Warren 37:12
I did the Aon Stair climb.
Yes and.
Terry Kurzynski 37:14
Like it’s a Step up for Kids.
Isn’t that what that one is?
Greg Warren 37:16
It is.
It’s through Lurie’s Children’s.
Terry Kurzynski 37:17
Yeah, yeah.
Greg Warren 37:21
And yeah, I mean it’s something I had wanted to do for a few years.
And you know, finally I just said, fine.
I’m gonna do it, and I’m glad I did.
And you know, obviously, yeah.
Terry Kurzynski 37:30
Alright, I’ll join your team next year.
Greg Warren 37:33
You’re gonna join our team next year?
Umm, because we definitely need.
You know, it was kind of a lot of the Aon Center occupants, they were there.
And so we had a very small team, so we need to get more participation.
Terry Kurzynski 37:46
Alright.
Well, we’ll sign up next year.
Greg Warren 37:47
Yep, Yep, Yep.
Terry Kurzynski 37:47
I’ll join you.
Alright, so this is signing off of HALOCK Radio with Greg Warren over at Standard Parking or SP Plus.
Is that the proper term?
Right.
Greg Warren 37:57
That’s SP Plus.
Terry Kurzynski 37:57
These days as PCI, I thank you so much.
And we’ll see you soon.
Greg Warren 38:03
Alright, thank you.