Getting to Know the CISO: Gene Scriven
Spend 30 minutes with Security Sister Network as we chat with Gene Scriven, who has been a CISO for over 14 years, about the importance of Advisory Boards, and relationship building; we will also get to know Gene better by asking him some fun questions.
Chris Blum: Hello and welcome to the Security Sisters Network podcast, Getting to Know the CISO. We have Suzanne Higgs, the co-founder, and CMO of Security Sisters Network, with us today. Welcome.
Suzanne Higgs: Hi.
Chris Blum: We also have Gene Scriven. He is a CISO. He’s been at several different companies that you know. Currently, he’s at a major Fiserv firm. I will hand it over to Gene to tell you a little bit about himself. Welcome, Gene.
Gene Scriven: Hi. Thank you, Chris. Yeah, as you said, been doing this for a long time. I sat in a meeting at work the other day and realized that I’ve been doing this longer than some of the people I work with have been alive. So, I guess there’s a lot to be said for being seasoned in what you do.
My background started in the government. Parlayed that into several other things. It’s always been security-based.
We didn’t even have the word cybersecurity back then. We’ll use that a lot now. Use that a lot today. I have worked for many of the big four, five, and six consulting firms. I worked for, like I said, a lot of government agencies. I have been in many situations now where being the CISO, responsible for protecting data, everything from large airline systems to a large retailer to financial services—so I have been doing this for a while.
You learn from your mistakes. You know, by growing. Hopefully, we’ll talk about some of that today. Yeah.
Chris Blum: Awesome. Awesome. Well, let’s face it, as a CISO, you’re one of the most sought-after people on the face of the earth. Every cybersecurity security company is trying to get in front of you.
One of the things we wanted to talk about was serving on boards as a CISO for various vendors. Have you done this in the past?
Gene Scriven: Oh, I have. I have. I’ve done this several times throughout my career. I mean, sometimes it’s just a knowledge-sharing thing. Sometimes it’s specific to a product or a company.
More recently, it’s been around legislative, regulatory-type things, getting advisory boards together to talk about, and in some cases, lobbying for changes to some of the regulatory requirements here.
Suzanne Higgs: All right. What is one thing that you refuse to share?
Gene Scriven: Wow. Professionally or personally?
Suzanne Higgs: Hey, personally, but what comes to mind?
Gene Scriven: Yeah. I’ve got two answers for you. I mean, professionally, being the CISO at a company, folks that are listening that are CISOs at companies, there are a lot of things that we have access to, that we’re privy to, that we don’t want to share.
I’ll give you a good example. People always say, “We want to see the results of your penetration tests or your vulnerability scanning.”
While we’re more than eager to share summaries of those things, we will only share specific vulnerabilities for obvious reasons.
Although I’m a big presence on Facebook and other things, I try to keep my family out of things for people that are friends.
In the world that we’re in today, it’s just better to do your job and do it well but keep personal stuff on one side and professional stuff on the other.
Chris Blum: Okay. So what are some of the most significant benefits you’ve seen from companies having a CISO advisory board?
Gene Scriven: Sure. Good question. So who better to talk about cybersecurity than the folks that do it for a living? Whether it’s, like I said, for a product or a service, or whether it’s just from a knowledge-sharing perspective, when you’ve got the trust of CISOs, when you’ve got people involved that do this for a living, you can’t go wrong.
Benefits to the company would include that. Benefits to me as a participant, I get to stay current. I get to build my informal network. It’s invaluable for me, in my role, and for others with these jobs.
We’ll often get into discussions with our board of directors or executives. They say, “Well, how are other companies doing this?”
It’s great for me to pick up the phone, call Suzanne, call some of my peers at other places, and say, “Hey, let’s talk about situation X.” And then I can go back and say, “Here’s what some of the other companies in the industry are doing.”
It’s helpful to me. It’s helpful to others. It’s just a win-win. It’s a win for the companies. It’s a win for us that choose to participate, and time well spent.
Chris Blum: Fantastic. It’s all about networking. Right?
Gene Scriven: Absolutely.
Suzanne Higgs: All right. Would you rather have no cell phone access or no car access?
Gene Scriven: Well, I would rather have no cell phone access and a lot of reasons for that.
As you know, we go on a lot of cruises. One of the reasons that we go on cruises is I need cell phone access. We’re on a cruise. So, it’s an opportunity to actually get away.
While I use my cell phone a lot to communicate with family and whatnot, it’s, quite frankly, more of a problem for me than not because of calls that I get that I want. It’s a way for me to unplug from work.
I work from home, so not using the car wouldn’t be a significant problem, but I would actually enjoy a vacation away from cellular connectivity for a period of time. So, yeah.
Chris Blum: A true vacation, be disconnected.
Gene Scriven: Yeah, absolutely.
Chris Blum: We’ve all worked in security. I’ve worked with startups. One of the things I think is missing in a lot of them is that very few do have advisory boards. Why do you think so few companies don’t take advantage of having a CISO or a C-level advisory board?
Gene Scriven: I think many may decide that that’s what they want to do. They decide to grow it natively.
Let’s take Lucy from marketing and Bob from the media department, and let’s slap this thing together and invite a bunch of CISOs and expect it is going to work. It doesn’t, and it won’t.
I think a lot of people have learned. I think we’ve all learned that if you want something like this, you’ve got to be able to attract the people who will provide you with the benefit. You’ve got to have the real CISOs there. You’ve got to have the networks in there.
I think the only way to do that unless you happen to be a top-end technology company, is to bring somebody in to manage that for you. Somebody’s got to build it. Somebody’s got to manage it and maintain it.
I think that’s why a lot of companies don’t have advisory boards because they try to do it internally and realize that they’ve bit off much more than they can chew and need to rethink it and possibly consider getting somebody to manage it for them.
Chris Blum: In startups, you don’t always have connections. Maybe the CEO knows two CISOs that are helping you out, but outside of that, there’s just not that network and that connection.
Gene Scriven: I get calls all the time from different people that I know that I trust and that want some help with things. Depending on the mood I’m in and the relationship, we may have a conversation.
But if you as a company want an advisory board, it’s got to be well-oiled. It’s got to be smooth. It’s got to be built on trust.
Just picking up the phone and asking me to donate some of my time to improve your product is not instilling much trust. It needs to be managed properly.
Suzanne Higgs: All right. So what advice would you give your younger self or those starting out?
Gene Scriven: Oh, wow. How much time do we have here? I’d love to come up with a funny answer that says, don’t take life seriously, find the humor in everything. That’s kind of a given with me, anyway.
I think the advice that I would give people, a younger me, rather than not sweat the small stuff, is to be very careful about the bridges you burn, guy.
I tell young people that work for me this all the time. There are times when you’re going to want to walk away from something and wave a middle finger at somebody. It’s probably justified.
But at the same time, this community is such a small world that you’re going to run into these people again.
Have I burned bridges in my life? I have. I’ve sometimes come to regret it. I think you approach everybody with respect. You treat everybody like you want to be treated. And like I said, restrain yourself when that time comes that you want to storm out the door and say things to people because you’re going to see them again. It’s going to happen again.
We move around a lot now. How many times have we left and gone to another company and go, there’s Bob? I remember Bob. I hope Bob doesn’t remember what I said to him when I left.
Chris Blum: The CISOs are really busy. You’ve got a lot going on. Why would you join an advisory board and give up your precious time to help a company out?
Gene Scriven: Everybody’s going to answer that question differently. For some people, it’s, I want to be on an advisory board because they bring me to cool cities and they take me to fancy restaurants and all of that.
That’s maybe part of it. But I think the big piece I alluded to a little earlier is that there’s got to be something in it for me.
Not to sound selfish or not to sound greedy, but my time is extremely valuable. For me to take, sometimes, days out to go deal with a company on an advisory board, there’s got to be something in it for me.
As I said, I’m looking for networking, the ability to get together with people I’ve known and worked with.
I mean, Suzanne, you know me. I’ll pick up the phone and call any of the 20 people I’ve known for 20 years and ask them for advice. They’ll do the same with me.
That’s the kind of thing that you need for this to work. I need to feel like the time I’m investing in an advisory board will pay off.
That’s either going to be that it’s a product that I use or that I’m going to use. They’re going to listen to me about what we might incorporate into it, that it’s going to be like I said, my informal network, or that it’s going to be an opportunity to do knowledge sharing to the point where I can benefit. My company can benefit from the information I bring back from my peers.
Again, I can pick up the phone and call these people anytime I want, but it’s great to have 20 CISOs together in the same room, with common knowledge, talking about things that are important to us.
Chris Blum: Do you join an advisory board based on the relationship, or is it a technology, or is it a mix of both?
Gene Scriven: 99 times out of a hundred, it will be the relationship.
I will tell you, I’ve been on some advisory boards where I felt like it was to my benefit because of the technology and because I was probably going to be using that technology to get involved in steering the direction, the strategic plan for it.
But 99 times out of a hundred, it’s going to be the relationship and what I can walk away from an advisory board with.
Again, if I can sway the direction of a product, that’s great. But if I can walk out of there with knowledge, with empirical evidence of how other people are doing things, with maybe a tweak to something that somebody’s done that’s going to help me, that’s invaluable to me. That’s the kind of thing I’m looking for. Yeah.
Suzanne Higgs: That’s amazing. That’s a great answer, Gene. I like that. So if you were in a made-for-TV movie, who would you want to play you?
Gene Scriven: Okay. If we’re talking about just looks, I forget the guy’s name. Wow. I forget his name. Oh, Dennis Franz, the guy that was on Hill Street Blues. There’s kind of a resemblance there, I think. I don’t know, to some degree.
Obviously, I would want the Tom Cruise character to play me in whatever I’m doing, but there’s a big difference.
Somebody funny, somebody witty, somebody that’s not terribly ugly, and it depends on what the movie is, I guess.
I’ve been on TV a few times for different things. How you sound to yourself on TV and how you look to yourself on TV are always different. So yeah, I’m going to go for the Tom Cruise type, play me in the movie thing.
Chris Blum: So, do you have an example of a time when you’ve been part of an advisory board, and you gave feedback, and it made it into the product or the brand?
Gene Scriven: Wow, good question. Yeah. Several years ago, I was on an advisory board for one of the leading antivirus companies. There were probably a dozen of us on that particular advisory board. And we all knew that that market was becoming a commodity, that AV would be everywhere, AV and malware.
So, we focused a lot on looking at the company, figuring out what native talents they had, and things like that.
Actually, we recommended that this company continue to do what they did within AV and malware but also delve a little bit into intrusion detection products, host-based, and network-based IDS-type products.
The company looked at that. They did their analyses. They brought in the experts. They ended up retooling resources, some of their development capabilities, and creating… boring to most people, but creating network and host-based intrusion detection systems.
The company did very well with that. So, I like to think that I’m one of the people in the room; that was originally my idea. I don’t remember if it was or not, quite frankly, but we did get behind it. The company did it and was very successful at it.
So, it’s things like that, I think, that help with these advisory councils. You get some objective input. You get some things that might be thinking out of the box a little bit. If companies pay attention to that and it’s of interest to them, it’s a win-win.
Chris Blum: You also aren’t drinking the Kool-Aid that whatever the company… You’re not invested in the company. So, I think that helps give an outside perspective to them as well.
Gene Scriven: Right. Well, a more polite way to say that is I have no requirement to drink the Kool-Aid. If I see something that’s going to help a company or something that makes sense from a technology perspective, it doesn’t hurt anybody’s feelings if I bring it up and say it.
If they are interested in it and dive into it, as I said, it ends up being a win-win for everybody.
Chris Blum: Okay. So what suggestions would you give to vendors that are working to build relationships with CISOs? They’re starting to plan to build an advisory board. What’s the most important thing they don’t know when they get started?
Gene Scriven: Advice number one, don’t waste my time. I’ve got so many people, and I’m not exaggerating here. I probably get 200 cold call sales messages a day.
I don’t even open most of them. I’ll look at their origins and maybe consider things, but most don’t even get opened.
I get it. You’re not asking me about sales calls. You’re asking me about advisory boards. But that just goes to show that there’s a lot of demand for our expertise, opinions, and thoughts on things. So, I guess number one is, don’t waste my time.
Kind of like what we’ve mentioned earlier, you have to look at it from my perspective. Okay. What’s in it for me? Sure, it would be great if I would jump on a plane and fly to visit you once a quarter and tell you what you need to do with your product, but what am I getting out of that?
Again, the nice restaurant and stuff is great. I can do that anywhere. I need to establish a relationship with a company. I need to establish a relationship with others on that advisory council. We need to trust each other.
I’ve been part of knowledge-sharing groups where, quite frankly… and we’re all adults, maybe there’s some friction between some of the people in there because of the industry they’re in or the company they’re with. Sometimes you have to part ways.
But if I were a company looking at putting together an advisory council, be extremely considerate of what you’re asking for. Don’t waste my time, to be blunt. Make it attractive to me. Give me something I will benefit from being a member of your advisory council.
I’ll give you great advice. We’ll talk about your products. We’ll talk about things that you might not have thought of. But again, there’s got to be some reason to motivate me to put you on my radar screen, to be part of that group you want me to be part of.
Suzanne Higgs: I have one last question for you, Gene. I really want you to think about it before you give your answer. Don’t blurt out. Don’t blurt it out. Really think about it. But who’s your favorite Security Sister?
Gene Scriven: No, I refuse to answer that one. I’m not going to do it. I’m not going to do it. I tell you what. You guys have got quite a thing going there. Both of you, I love you to death-
Suzanne Higgs: Love you too, Gene.
Gene Scriven: … and would do anything for you. Just podcasts like this, asking the opinions of folks who have been through this and know that you’re willing to learn things, is excellent. I do not have a favorite Security Sister.
Suzanne Higgs: I didn’t expect you to answer it. I just had to throw it out there.
Gene Scriven: This is not a commercial or a plug for you guys. It’s not. But kind of what we said earlier, which is so many companies start to do these advisory boards, and they try to handle it internally. They don’t have what it takes.
I mean, you know the people I’m talking about when I say if a particular person named Scott were to pick up the phone and call me and ask me for something, he’d have it in a heartbeat, just because of the background that we have.
You need that kind of insight, that kind of relationship with people. It doesn’t work if you don’t have it. I think you guys have that and are building that.
Suzanne Higgs: Oh, thank you.
Chris Blum: Well, thank you so much for your time today, Gene. This was wonderful chatting with you. If you’re listening to this, subscribe to our podcast and join us for the next one. Thanks, everybody. Have a great day.
Gene Scriven: Thanks for the opportunity. Thank you.