David Mahdi is the acting CIO for Transmit Security, but he’s not the Chief Information Officer — he’s the Chief Identity Officer. Currently, David leads strategy, direction, and transformation efforts that focus on the convergence of cybersecurity and identity. He also authored the book, “The Art of Selling Cybersecurity,” and was a VP of Research at Gartner. David’s core mission is to help drive the market evolution of identity security across people, processes, and technology.

In this episode of Risk & Reels, we explore the importance of standards in a successful cybersecurity practice and how we can communicate this importance to business leaders.

*Conversation has been edited for length and clarity.

Risk and Reels Opening Question

Jeffrey Wheatman: As everyone knows, we’re going to start with a movie question…so give me a character from a movie who isn’t necessarily a traditional heroic role, but in the end turned out to be a hero. 

David Mahdi: I’m going to go with Leon from “Leon: The Professional”…he was an Italian hit man, although he was played by a French actor, living in New York City…I think that movie is kind of interesting because you have the anti-hero…he’s a bad guy…and he ends up protecting Natalie Portman’s character.

JW: That’s a good one…I’m going to give you my [anti-hero]…Anakin Skywalker and Darth Vader. At the end, Luke is able to get his father to kind of push aside his dark side. While you can’t forgive all the evil that Darth Vader and Anakin did, he helps conquer the Emperor and he essentially saves the universe.

The Importance of Standards in Cybersecurity

JW: So now let’s talk about the real reason people show up to listen…we at BlackKite are very much about standards. Let’s talk a little bit about why standards are such an important [part] of running programs, being more secure…more risk resilient.

DM: Imagine you get in your car and let’s just say you live somewhere in the US and you drive from one state to another and traffic lights are different colors. Stop is blue, should stop is green, and go is red. Well, that would confuse most people in the world. We’ve come to the conclusion that keeping red, yellow, and green works well. This is the basis for all standards really… openness and interoperability.

With the mass adoption of multi-cloud, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)…industry experts realized that they needed to use open standards to make it easier for on-prem applications and services to plug into [these new technologies]. 

JW: So this is not a new concept, right? Standards and interoperability. There were all these network security stacks that were supposed to be interoperable. But what we found was that wasn’t the case.

DM: You could look at Gartner’s data, Forrester’s data, anyone’s data, and [it’s clear] that CISOs are dealing with too much technology. I would say the average CISO is dealing with anywhere from 50 to 80 cybersecurity products, and that list keeps growing. For example, identity threat detection and response (ITDR) is a newer risk category, and so ITDR solutions are on the radar for some organizations. In general, organizations purchase solutions for each type of risk, and then you’re left with this huge [tech] stack…vendors have to understand that they need to coexist with competitors, and might even need to integrate their products. [Integration] gives them the ability to consolidate because that’s what customers want, and vendors should be delivering on customers’ expectations.

Why Vendors Should Default to Open Standards

JW: Standards in general are not a new concept…but what’s new is vendors’ openness to customers having some sort of access to their cybersecurity practices. What’s different now? 

DM: Vendors are aware that orchestration helps customers with overall day-to-day management of their tech stack. With product integration, you’ll also see lower response times if your products can talk to each other. 

In general, [vendors] should be defaulting to open standards…because vendors get acquired. Vendors might fizzle away or sell off chunks of their technology stack to other companies…but if they’re using open standards, customers can still bring in any product and service and continue using the original solutions as part of their tech stack.

The Importance of Storytelling in Communicating Standards

JW: How can we do a better job communicating technology and technology risks to business audiences? I think some guidance for CISOs and other leaders is to push your vendors…tell the vendors, “If you’re not working with standards and connecting with other vendors, then we’re not going to buy products from you.” How do we embed this whole concept [of storytelling] around this? 

DM: I’ve learned a lot from you in terms of storytelling. If it’s just a data point, we don’t have an emotional connection to it. I think for our audience and CISOs in general, we have to hook the notion of openness and interoperability with making your life and job easier…[as well as] protecting your organization. In the long run, it’s the better way to go and we should tell the stories that connect these dots. 

So traffic lights are one [story]…but so is incident response time. You can double your response rates if you’re using open standards and they’re hooked into these…Gartner cybersecurity mesh-like architectures. Because if you’re having to log in to six different consoles to find an indicator of compromise [nugget], the attackers already are way more efficient than you. So you can’t have those barriers. Being able to tell those stories…I think helps.

And then…I think of regulatory compliance. That is a whole confusing area with [regulation] dates, guidelines, guidance, and everything. The CISO has too much on their plate…something needs to change…at some point, the landscape needs to change. 

To learn more about utilizing standards to keep your organization safe from third-party cyber risk, check out the full Risk & Reels podcast episode.