Blog
07.2024

Tony Gonzalez, Principal at Innervision Services LLC and Former CISO for QBE North America

Today we welcome Tony Gonzalez, former CISO for QBE North America and Principal at Innervision Services LLC, to The CXO Journey to the AI Future podcast. Tony is a visionary and results and solutions-driven professional with 20+ years of experience in cybersecurity and IT leadership roles in the financial services, biotech, consumer goods, and chemical manufacturing industries.

Question 1: Current Job: Could you tell us a little bit about your background and how you ended up where you are today?

I would say my journey to being a CISO may be a little different than you would think. I came out of school with a background in economics and management, and I ended up transitioning into the world of industrial engineering, after which I went back to school for computer science. A lot of my experience came through the process control and manufacturing side, including a stint as the head of a biotech company. But throughout all that time, I still needed to build out a ton of back office infrastructure, including security.

Question 2: Cybersecurity: You began on IT or traditional technology, but then you made a transition to cybersecurity. Could you deconstruct the role of the CISO for us?

I took a role with Pfizer on the manufacturing side running their IT. In all the traditional IT roles that I had, security was a huge part of it – this was back in the day when cybersecurity wasn’t a term and security was just another technical function within IT.

I ran one of their largest manufacturing plants and eventually took over most of the U.S. and Puerto Rico IT functions for a couple of years. I’d complain about how our corporate groups didn’t have a clue about how security and compliance impacted the manufacturing side of the house, and they told me: “Why don’t you quit complaining? Why don’t you come over here and do something about it?” So I did.

I think that’s one of the underlying things that gets you into a role like a CISO role. If you don’t really have a passion for it, if you don’t really like it or like what you have to do from that perspective, then you should probably think about something else to do, because it’s a consuming role.

When I went to corporate, I put a plan together on how they could build a security and compliance function, an early-stage GRC function, and they said, “Okay, build it for us.” So I built their first true group that handled cybersecurity, risk, and compliance for the corporation. At that time, it had 150,000 employees and about $62 million in sales. So, it was quite a challenge and quite an opportunity.

Question 3: The CISO role: How has the CISO role evolved?

I used to tell some of the people who work in my organizations that there comes a time in most of the technical roles, and it definitely happens in the security space, where you have to make a choice of where you want to go in your role and where you want to be.

More often than not, you will run into a dual ladder separation where you either hang up your toolkit and go the management route, or you stay on the technical side, where you get further into architecture and some of the engineering modes.

People have to decide what fits the best for them, because in the CISO roles and the senior roles, it’s very difficult to stay on top of all those technologies to a level where you can consider yourself a technical expert. So when you look at a CISO position, or even the next level down in most seasoned organizations, you have to deal with security and technology, you have to deal with risk management, you have to deal with compliance, you have to be a legal advisor, you have to be the leader of the group, and you also have to be the business advisor, because that’s really where the role is evolving. You’re more the business advisor and have to educate the organization on what the risks are and how everyone can move ahead successfully and build value in their organization while keeping risk at a minimum.

Question 4: What are the best practices to be a good CISO? Is it as simple as just being knowledgeable of where the risks are, or is it bigger than that?

Well, it’s being knowledgeable about where the risks are. But then it’s also being able to connect the dots. You can’t assume that anybody has the same level of understanding of what the security risks are, what risks are in general related to technology, and how that’s actually going to affect their business. So it’s really being that translator for those board members and senior leaders so that they can see how a particular risk may stop them from adding value to the organization, or alter or open the organization up to additional risks that they may not want to take on.

Extra question: Can you learn the communication skill set? How do you stay up to date with technology and communication?

I guess it’s a discussion over time because it’s not something that you’re going to get right the first time.

Nobody who does it for the first time should be discouraged if it doesn’t go right. But it’s a combination of understanding the audience that you’re talking to and the level of understanding of cyber technology that they have.

You have to make things resonate because that’s how you get all of your initiatives backed. That’s how you get budget.

Question 5: What skills does an emerging leader need to hone?

There are some basic things that people need to develop along the road so they can become or be effective as a CISO. It’s really about always realizing you’re not the smartest person in the room and knowing when to listen more than to speak. It’s about understanding the business that you’re supporting.

There are always many things that are logical to implement from a security POV which don’t make sense for the business. Cyber teams have always said “no,” when they need to be thinking about “how.”

I always remember being told that God gave you two ears and one mouth. If you’re always doing all the talking, you’re never getting to hear what’s really concerning the people that you’re trying to support. When you understand what their concerns are and you can put those concerns at ease, that’s when you’re building a very strong sustainable relationship with those people.

There are times when you have to talk about some of the things that aren’t considered the most fun things to talk about or interesting things to talk about, but it’s about how you then link that to some of the things they’re trying to do or potentially do.

Oftentimes, M&As, for example, require a close look at vulnerabilities or other technical glitches that are in play in the environment. You need to start with what the risks are and then transition into a conversation around how those risks can be addressed. Sometimes it’s a matter of making sure that the business leaders and most senior leaders in the company understand that they’re taking that risk and that it’s not a cybersecurity decision to move forward, but a business decision.

I’ve had those conversations with people where I said “I wouldn’t do this. But if you actually want to move forward and do that, that’s fine. We’ll put a formal risk acceptance together. You’ll sign off on it and we’ll put some other mitigating controls in place, but it’s not the optimal way to address them.”

Question 6: CISO Priorities: What are the most important areas of focus for a CISO? What are the priorities today?

It’s definitely a people and process question. You have to have a good cadre of people on your team, people that can work together well, people that can complement each other’s skills, and you have to engage those people and empower them to build a strong process. Then you go after the technology that can make those processes more effective.

You’ll never get all the budget that you want or need. You’ll never get all the people you want or need. So you have to make the teams as effective and highly functional as possible.

With that said, there’s a balance between meeting the needs of the organization and also shoring up the foundation. You can’t just support the big projects and the flashy things that everybody is looking for, you still have to go back and make sure that you’re helping people, and implementing good asset management control and identity and access management controls.

You need to have a good process in place for dealing with your third-party risk management…some people are already talking about fourth-party risk management. This stuff still matters because it’s where the big risks are.

And finally, it all goes back to your data: Knowing where data is and how you store it. Are you keeping data that’s confidential and sensitive from being exfiltrated or are you not treating it the way it should be? This gives the bad guys the opportunity to get to it and do something harmful to your organization and cause a loss of market dominance or potential.

Question 7: Innovation: What areas should investors be thinking about?

I think AI is the one that’s getting everybody’s attention right now and that’s because, let’s face it, AI is just the latest of what we used to call disruptive technologies.

Prior we had the telephone, the TV, the internet, the cloud, and now it’s AI. Those are all technologies that made a significant impact on not only organizations but individuals’ lives. And you could throw social media in there in the middle as far as that goes.

So when you look at AI, you have to pay attention to it. You have to make sure that there’s some investment, and I would say investment in areas that are not only doing innovative things with AI but also setting up the guardrails to potentially protect organizations from hurting themselves.

Because it was the same thing with cloud and others where people assumed that the technology came with a certain amount of inherent security and it didn’t. You still have to configure things and make it so it’s not going to be easy to get at your information.

Overall though, AI has far more potential for bringing our technologies and our people to a much higher level of execution and ability.

However, many companies today are ignoring the people aspect. We keep talking about cybersecurity, the shortage of people, and the shortage of skills. But some people are starting to do interesting things where they’re looking at the characteristics of people who have made good cyber people in the past, rather than looking at experience, then putting a little time in to train them. That’s an area that may become invaluable in the future.

Many years ago, IBM decided there was a shortage of people who knew how to code. They did some psychological studies that showed that the way people think about constructing code was very, very close to the way people think about constructing music. And they started looking at people from music schools to train them to be coders.

So I think there are opportunities like that related to cyber, where you can take people that are either in other technical functions (or even outside of those technical functions) that you might not think of today.

Tony Gonzalez is the Principal at Innervision Services LLC and former CISO for QBE North America.

He is a visionary and results and solutions-driven professional with 20+ years of experience in progressively responsible cybersecurity and IT leadership roles in the financial services, insurance, pharmaceutical, biotechnology, consumer goods, and chemical manufacturing industries. He is adept in building and leading global cybersecurity, IT technical, and support functions, and is a creative, resourceful problem solver with a track record of success in delivering cost-effective and value-added services to his customers. He also has experience in industrial engineering and process improvement.

His areas of expertise include Cybersecurity, Network Security, Application Security, Infrastructure Management and Security Incident Management, Process Design/Implementation, Risk Mitigation, Enterprise Architecture, IT Governance, Manufacturing/Laboratory Automation and many others.
