
What it Means to be an Honest Broker

From The New CISO

Length:
38 minutes
Released:
May 20, 2019
Format:
Podcast episode

Description

As a former CISO at Hanover Insurance Group, Brian Haugli shares what it means to be an honest broker in the context of security leadership, a role that might be better described as an agent of trust and transparency for the business. Brian and Steve Moore talk about strategies for delivering the right message to executives and the Board, the learning opportunities that come with candor, and the honest truth about managing the inherent stress of the position.

Advice to future or current leaders

One big piece of feedback I would give my younger self is: don't focus so much on one area or another. Really be open to the ancillary spaces within security. Looking at human behavior, looking at the legal side of things, and pulling that information in to help round you out.

Is there a core of bad leadership in information security?

Not everyone is born to be a leader. It's something you're born with, that type of capability. I think you look back at type A/type B personalities. A lot of security folks are type B, and there's nothing wrong with that, but I think there's a different level of getting leadership out of that which isn't as natural for them as it is for somebody who is a type A, an outgoing type of person. I don't think there are bad leaders in InfoSec. I just don't think there are enough of them.

Transitioning on a small team vs. a large team

In a smaller organization, you're going to wear more hats because there just aren't enough people for that work to go around. In larger organizations, what I learned was that I could sit down a team of four or five analysts and teach them in one or two hours how I would do something. And now I've multiplied my capabilities by five, and that's much more effective than me trying to do that individually.

The smaller teams, the smaller orgs, are struggling to address this, and I think that's where I want to find a niche: developing some work and some support, and driving insight and guidance to these groups, because they need help.

The start of Side Channel Security

We saw that small and medium businesses, nonprofits, and VC-backed software firms don't need a CISO full time but still need that kind of guidance and expertise. We started by supporting a nonprofit ... realizing the questions and the concerns were the same things we had heard from our peers in larger organizations, or in our own organizations at the time. It just built upon itself.

Where are people most ignorant as it relates to information security and running a good program?

I've got a bit of a mantra: I can't defend what I don't know exists, and that's really asset identification and asset allocation. Being able to answer: what are your business obligations? What are your business objectives? Can you identify the things that keep you running, and could you tell me what a bad day looks like? You have to make them understand that your new reliance on technology, storing all of this data and/or allowing access to these systems, equates to your ability to provide services to your customers, whatever that is. Those are usually aha moments for folks, and it's a good one to be there for, because you can quickly help them realize what their concerns really should be from a security standpoint, but then quickly get them to: how do we tackle this? How do we make this not an issue any longer? How do we mitigate that risk?

What is an honest broker when delivering a security message to the ELT or the Board?

I think it's just about transparency and integrity. Security, the definition of security, is confidentiality, integrity, and availability. As the CISO, your ability to protect those things is obviously one aspect. Your ability to showcase and embody the integrity of what is being expected of you. Turning that around and then being able to explain that in terms that, honestly, chances are a nontechnical person, somebody who definitely doesn't understand information security, i


The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.