Ask Me Anything

Telling the right risk story, with Allen Darrah


October 6, 2021

Allen Darrah, Head of IT at Spencer Fane, shares value-adding strategies for cybersecurity and risk management.

This AMA was edited for brevity.

Allen Darrah is the Head of IT Operations, Security, Privacy, and Risk for Spencer Fane.

What's the best approach for communicating security risks?

One of the most impactful things that we can do when having these conversations is to turn them into a story. You still need to have the metrics; that data is going to help you tell a story, but don't present it. I've never talked with any president, CEO or anybody else who's really interested in charts from your team. If you can tie it to the things that they are interested in, that's great. But if you say, "I've got these charts and this spreadsheet. Let me send those to you so you can start reading through it before our meeting," they won't want to talk to you. So think of it this way: what are things that you would talk about when you have nothing with you?

Pain is a great motivator: talk about what hurts or what will hurt if change doesn't happen. If you're a cybersecurity professional, you're not talking about threat actors or, "We've seen this out of North Korea." They might be interested in that but that's not where the conversation value is going to be. It's going to be, "Did you know that we could be out of business tomorrow? Here's how that would happen. Our playbook has a scenario where we are out of business tomorrow morning. Do you want to talk about it?"


That's an effective way to have somebody pick up the phone. You don't always want to go in that heavy but it's about getting and keeping attention. It's the same concept from finance and accounting, where you stress test different scenarios. They've been asking the best questions for a long time: "What happens if this entire product line just collapses because of some story that comes out about what we're producing, and nobody wants to use them anymore? How does that stress the rest of our organization?" 


Why is robust vendor management so important?

What happens when things go off the rails with your vendors or your suppliers, or even your customers, can have a lasting impact on your organization and your relationships. Often, the only thing that's going to keep that relationship healthy is something that was probably written into the agreement you signed years ago that you both forgot about. And so you've got to be able to reference those and understand what's in them.


Contract management's not a sexy topic. One of the things a lot of us see when we start moving into management positions or leadership positions is a DocuSign that is 18 pages long. You scroll to the bottom, and you just hit "sign and submit." You have no idea what's in it. You need somebody on your team, your general counsel (GC) or an outside contract attorney to help you manage the beginning of that relationship with vendors. You might think, "It's not about the contract. I need this up and running ASAP." But if you gloss over that beginning stage, it can sour that relationship and be a huge risk for your company.


What will be the lasting impact of SolarWinds on IT management?

With the SolarWinds attack of 2020, so many relationships were ruined between organizations because of the triggering ripple effect of poor vendor management at the beginning. Organizations that were very far removed from SolarWinds became breached because of something upstream from them, and now they're on the hook. Maybe they've had a big data loss, for example, that they're trying to navigate, and they've got their lawyers trying to figure out what to do. Then they're pulling out the contract for the first time to read it. The lawsuits started to hit SolarWinds, not because they got breached, but because they allegedly broke a bunch of agreements with their customers. The ramifications of not understanding the relationships that we have with our vendors, with our suppliers, and our customers will become very prevalent from now on.


The auditors of the world are about to get really busy. I still don't think the lasting impact has sunk in for the rest of us. It’s almost like the 9/11 of cybersecurity and risk management when it comes to vendors. But it's not being discussed at the level that I would expect. There should be a symposium about this. There will probably be MBA case studies about it but I'm surprised we haven't seen it on every business journal's front page. It wasn’t on the front page of even the Wall Street Journal when it comes to the lasting impact that this will have in the future.


Do you think security will ever become a competitive differentiator for companies?

Most CISOs are still struggling to be heard. Even if the organization has a data privacy officer, a chief compliance officer and a CISO, I think it's laggard. It's still not understood how this person—this position, but also this person—can make your company more valuable. People think information security slows us down and that it's hurting innovation, productivity or collaboration. The great CISOs that we'll see coming out over the next 10 or 20 years are going to prove that that is completely false. In fact, it's the opposite.


They can add the most value to organizations by proving that the business takes your data privacy and security incredibly seriously. The organizations that start singing that song will be the first to reap the rewards because nobody else is; that's the differentiator between organizations in the same market right now. Those that champion cybersecurity—especially data privacy, with CCPA and other state laws that we'll see over the following years—will win, flat out.
