
The Resilience Factor Podcast
Cyber resilience is fast emerging as the driving force behind critical business continuity in our digital era. Faced with brownouts, blackouts, and the ‘when not if’ nature of cyberattacks, how do businesses harness this resilience for stronger cybersecurity and networking?
Listen in to The Resilience Factor as our hosts — renowned social engineer Jenny Radcliffe and Zscaler’s own Kate Baker — explore how organizations and employees can fail forward to adapt with confidence.
Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies, and practical advice, The Resilience Factor offers audiences insights on the tools and strategies needed to build business and personal resilience.
S1 E5 Becoming resilient by design with James Tucker
James Tucker, Head of CISO at Zscaler, joins the Resilience Factor podcast to explore the critical misalignment in how organizations plan for disruption. Drawing on deep industry experience, he introduces the concept of "organizational plasticity" (or the ability to adapt and evolve under pressure) and unpacks why flexibility, not fixed processes, underpins true resilience. James also explains why the most impactful CISOs often defy the traditional mold and bring fresh thinking to the heart of business strategy.
Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, The Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. Not only that, you'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organizational resilience within a fast-moving security landscape. Hi and welcome to the Resilience Factor podcast with me, your host, Jenny Radcliffe, brought to you by Zscaler.
Jenny Radcliffe:This week we are joined by James Tucker, head of CISO at Zscaler. With almost two decades of experience in the security industry, James Tucker, Zscaler's head of CISO, has held key positions across many well-known cybersecurity companies over the course of his career. Originally from Washington DC and now residing in Stockholm, James is a high-energy IT expert who values leading by example, a positive attitude and delivering results as a team. James joins us today to talk about all things resilience, including the findings from Zscaler's recent Resilience Factor Report and why security can be a business enabler. Welcome James and welcome listeners. We hope you enjoy the conversation. Hi James, how are you today?
James Tucker:Fantastic. Thanks for having me on.
Jenny Radcliffe:We're going to talk all about resilience and particularly, I thought we'd ask you first about sort of the current situation, because we tend to talk about being in the when and not the if era. Talk to me a little bit about what you think's causing that when, not if, and how can businesses prepare for it?
James Tucker:So I think of the when, not if, component as really something that's always existed. Right? Resilience has always been important when it comes to making sure our business is able to keep doing the things that our business does. With the way that a modern organization is built, with a heavy reliance on things like cloud computing, people able to work from home, work from anywhere, a small error or a small failure in resilience can have a greater impact on the business. Right? If an email server went down, say five years ago, it was kind of a godsend. You know, like, hey, I hope it never comes up, I want to get my work done. Now, if a major server, application, whatever goes down, we start mentally clicking over how much revenue is being lost during that outage.
Jenny Radcliffe:I mean, I've heard it said at a lot of conferences and in the industry that it is when, not if, you are going to be hacked, you are going to have a breach at some point. So it's that change from "we can protect everything, we think we're really prepared" to us in the security industry saying to people, no, no, it will happen. It's just a question of how quickly you recover from it. Is that fair or have I missed something?
James Tucker:I think that's fair. I also think that when we look at the report that we ran at Zscaler trying to understand, because I think if you ask most people, hey, if something bad happens, are we good? They're going to say, yeah, I think we're good, at least in a boardroom, probably. But there's also a bit of cognitive dissonance, right, because we think that we're 100% prepared. However, the bad guys or the catastrophic incident only needs to be right one time, and we need to be able to prepare for every possible scenario. It's the million monkeys on a million typewriters, but instead of writing War and Peace or Shakespeare, in this case they're writing malicious code or malware. It's going to happen.
Jenny Radcliffe:Can you talk to me a little bit about how many businesses still think that they're in a sort of a protection mode as opposed to thinking about resilience as something that can drive the business forward a little bit and having that new, that fresher attitude to the whole topic of security?
James Tucker:If we think about protection mode. Let me change it slightly right. One of the things that struck me from the report was only 44% of CISOs in the survey respondents were involved in resilience planning. So what that tells me is that the CISO's job, according to the business, is to analyze risk and remove risk and to be in that protection mode. However, the digital systems that we have and all the things that CISOs and security folks work with very, very much need to be resilient and rely on that.
James Tucker:When we look at the results of this survey and what we see, right, 94% of people say that their measures, their resilience measures, are effective, but they all expect to get hit, like you mentioned previously. But this dissonance is a big problem when it comes to how do we move forward? Right, security is not something that just stops bad stuff from happening. It is the engine that drives the business, able to go forward, and I definitely see again that 44% of CISOs, not to mention, it wasn't a question on the survey, but I know a lot of CISOs, particularly in, maybe not finance, but if you look at manufacturing and some other kind of similar, "we make hard items", the CISO is not even a member of the board and is sort of stuck at the kids' table, if you will, and for me that shows that a lot of businesses are still, hey, security's this thing that we have to do, and not something that we do so we can achieve business outcomes.
Jenny Radcliffe:Sure, and I mean, we've all been in a boardroom being asked, "One question for you: are we safe?"
Jenny Radcliffe:When we were preparing for this, you and I were talking about this idea that security is the department of no, and I said to you, well, I think every department thinks they're the department of no. I mean, finance think they're the department of no, and procurement think they're the department of no. And we always are. You know, all three of those examples, security, procurement, finance, occasionally are the department of no. But I wondered what you think, and you can see, sort of, can they take lessons from your experience or from their personal lives that help them kind of push forward in that mode of being part of the business going forward, as opposed to someone who's there to kind of protect, grumpily protect, what we've got, and be seen as just like a sort of a very specialist part of the business that we have to have, rather than someone who is involved in the strategy, involved in pushing the company forward. Are there lessons there? What do you think the key things are?
James Tucker:When we think about what CISOs can do, right, in general, or what organizations can do to be kinder to their CISOs, maybe. First, give your CISO a hug. I guarantee you they've had a bad day and, you know, a little goes a long way. But I think, you know, organizationally, all of those different organizations, when they think about security, right, it's kind of that we're painted as being obsessed with stopping the breach, right. All that focuses on how we can stop the breach from happening.
James Tucker:We put out a lot of things up front as opposed to how can we plan to survive it? Right, how can we take a hit? Our organization is a boat, right, and we take a hit. We don't want to sink, right. It's the CISO's job to make sure that we have the ability to seal off this panel, to seal off that, throw some duct tape on the hole and keep going, because the business needs to go there. So if we can work to have the businesses see us as a business partner and not just the grumpy person who says no, then we would go a lot farther in terms of the way CISOs are able to communicate in business languages.
Jenny Radcliffe:One of the things I'm interested in your take on as well, with all of this, is we do talk on The Resilience Factor a lot about not just the business resilience but the resilience of the person in the role, and perhaps what, you know, they can bring to the job that helps get this mentality in the function and then throughout the business, that's coming from security. Do you see things in your career, or in successful partners and customers that you've worked with, that you think have been valuable in contributing to that resilience mindset?
James Tucker:I think that a lot of the best CISOs have maybe a government or military background in a lot of cases, because there's a lot of different things moving around, you're used to having to adapt to imperfect circumstances.
James Tucker:I also think that, honestly, some of the most successful CISOs out there are not your typical CISO profile. Right, they have a very different background: the ability to really not panic in an incident and to be able to just keep on moving, taking a step forward. The ability to not just get locked in to "this is the course that we decided, this is the plan," and then when something happens go, well, the plan says to do this, even though there might be a much faster, easier, cheaper way to go solve that. If I'm going to sum up, I think the most resilient CISOs that I see are the ones who are willing to disregard kind of the sins of the past, right, and not just say, I know, look, this system, you know, I started here as a tech level one and I'm very emotionally involved in the success of these things, and then just say, you know what? This is no longer fit for purpose.
James Tucker:Let's try something new.
Jenny Radcliffe:Let's break the mold and push to try something that's completely different. That's so interesting that you say that, because one of the things I talk about in social engineering, and I learned a lot of this from former military, is they always say, you know, you have to have a strategy and you follow that strategy to victory.
Jenny Radcliffe:Right. So you have a strategy and you follow it, but along the way, and what I'm hearing from you is something that I say as well, is that you need that tactical adaptability. So we say you strategize, you need a strategy, but built into that strategy, and I think into the personality of, you know, a resiliency, if you like, is that ability to do both. Right, we can walk and chew gum at the same time. We can have a strategy, but we need to adapt. This is what I'm hearing from you. You know, when it happens, we can't be so attached to what we have planned for that we can't move and change with, let's face it, what is a very fast-paced situation in a breach or in an incident.
James Tucker:So you made me think about something, which is, you know, as we age, right, our brain plasticity goes down, our ability to learn new things and ingest those and take new actions. So I'd say the most resilient leader is somebody who's able to maintain that, to keep learning, not just be stuck in "this is the way that I did it 20 years ago," and ideally they're in an organization that also has some sort of organizational plasticity, if you will. That's not, hey, you know, no, this is the way we deploy servers, because Bob invented this spreadsheet 20 years ago and this is the way we do it. So that kind of personal and organizational plasticity, I think, is really key when we're trying to adapt to unknown circumstances.
Jenny Radcliffe:So I love that idea. I think that's a great term and I've not heard it before organizational plasticity, that idea of still being able to adapt, like just talk to me a bit more about the kind of thing you mean.
James Tucker:Let's think about you and I want to go and start our own company. Right, we're going to do social engineering and we're going to make pizzas, because pizza is delicious. Fine, so it's just the two of us. We have a lot of organizational plasticity here because it's going to be us two, an AWS or Google account and some laptops. We can do whatever we want. If you look at an organization, and I've met with organizations that said, well, our IT charter started from this document that's 180 years old, true story, in those organizations, you know, it's very process oriented. And then there's, you know, Lucy, who created this spreadsheet or this checklist of how we do a thing, deploy a new server, onboard a new user, and that's the way we do it. And that kind of "if it ain't broke, don't fix it" mentality, as opposed to, hey, it's not broken, but could it be better, and being willing to change and adjust within. That, I think, is key to resilience.
Jenny Radcliffe:Yeah, I think the idea of having an organization that learns from experience and, you know, from mistakes that have been made, but still looks to the future and looks to incrementally improve, even if it isn't broke, is really key. Do you think the security industry as a whole has resilience to it? The skills gap and problems, brain drains and everything else, for various external factors? Do you think the industry has resilience built into it, or is that something that we're really going to have to learn over time?
James Tucker:I mean yes and no, but I've been in vendor space for a very long time, right, every conference I go to, it's pretty much the same crew of people. Just every five years they rip off this logo, slap on a new one. When we look at the same thing within the banks in my home country, right, the same players kind of move from bank to bank and they move around. I think that we should and we are. I think globally it's a recognized problem, but I definitely feel like we need to invest more time and education into, you know, getting kids to see. I was going to say the joys of security, but maybe that's.
Jenny Radcliffe:No, but I know what you mean, though. It can be an exciting industry and it can be a topic that can engage people if it's done in the right way, right, if you speak in the right way about it. It's a fact in everyone's life now, so I don't think that it's a stretch to say it's important to teach kids the joy of security, because that makes them resilient to the tech they use.
James Tucker:I have my kids' phones fairly well locked down, and the iPads, and if they find a way around the security, they don't get yelled at, right. They have to explain how they did it and then they get ice cream, because that's awesome and I'm proud of them, right. So when we look at the ability to just go out and break stuff, which is sort of how I got into this industry in the first place, I think we need more spaces like that so they're not doing it out there on the public internet where it impacts our resiliency.
Jenny Radcliffe:I agree. We're almost coming to the end of what we're chatting about now, James, but we ask all our guests a kind of a final question, and I think that with yourself we could probably talk about this for a lot longer, but I'm going to try and pin you down to sort of one thing, which is, obviously, with your career and your views in the industry, you've been pretty resilient yourself. So we ask every guest: what is your resilience superpower?
James Tucker:So it's funny, because I'm known as that high-energy guy and I'm often a little all over the place, but when it comes to go time, when it's pressure time, it is, you know, keep calm, keeping laser focused not just on the problem but on the end goal. Right, and if I'm being kind of honest, being too stubborn or maybe too stupid to give up. At times I don't know when to stop, and I'm never happy until I'm on the other end of that. So I keep going. When things get tough, I don't have the answers, right, but I try to stay humble, I try to learn as fast as I can and try to move the entire team forward towards whatever that goal is. While I try to stay composed, I absolutely reserve the right to deploy strategic swearing during these situations.
Jenny Radcliffe:You've been very good. Neither of us has sworn.
James Tucker:Continual improvement.
Jenny Radcliffe:Well, James, it's been amazing chatting to you. Thank you so much for sharing your thoughts. Thanks, and thank you all for listening to this episode of The Resilience Factor. So let's reflect on that conversation with James Tucker. The Zscaler Unlock the Resilience Factor report revealed that only 44% of CISOs were involved with resilience planning.
James Tucker:The CISO is not even on the board and is sort of stuck at the kids' table, if you will, and for me that shows that a lot of businesses are still, hey, security is this thing that we have to do, and not something that we do so we can achieve business outcomes.
Jenny Radcliffe:We saw from the report that 94% of respondents believe that their organization's cyber resilience measures are effective, but James thinks that that creates a bit of cognitive dissonance, as businesses are still vulnerable.
James Tucker:We think that we're 100% prepared. However, the bad guys or the catastrophic incident only needs to be right one time and we need to be able to prepare for every possible scenario. It's going to happen.
Jenny Radcliffe:James also introduced us to the term organizational plasticity, where an organization increases its ability to learn new things and take new actions.
James Tucker:And that kind of if it ain't broke, don't fix it, mentality as opposed to hey, it's not broken, but could it be better, and being willing to change and adjust within. That, I think, is key to resilience.
Jenny Radcliffe:We also talked about ensuring the next generation of security professionals come through, helping them see the joys of security.
James Tucker:I have my kids' phones fairly well locked down and if they find a way around the security they don't get yelled at. They have to explain how they did it and I'm proud of them. So when we look at the ability to just go out and break stuff, we need more spaces like that.
Jenny Radcliffe:You can find the Zscaler Unlock the Resilience Factor report by searching for Unlock the Resilience Factor on the Zscaler website at www.zscaler.com.