Achieving Cyber Resilience and More with Jim Routh

As a former CISO at companies including MassMutual, CVS Health, Aetna, JP Morgan Chase, KPMG, Depository Trust and Clearing Corp., and American Express, Jim Routh is considered an icon in the industry. Dr. Rebecca Wynn, host of Soulful CXO had a chance to speak to Routh and cover important topics including:

• Why he relates being a CISO to sleeping like a baby
• How managing expectations is necessary rather than meeting expectations
• Finding your allies in the Board and Executive Leadership

You can watch the full episode here and gather some of his insights below.

The Rise To CISO

Like many CISOs, Jim Routh’s path to this field was opportunistic, as he calls it. After a few roles in IT, and with a somewhat forced move to the East by his wife, he reached out to his boss at American Express at the time who was the CIO, and asked for a position in New York. He took a role there in customer data analytics which merged with the risk management group which had him reporting to the Chief Risk Officer. Eventually, they were looking for their first CISO, and Routh was given that role.

As he shared, “On my first day, a guy who has in-depth cyber security expertise passed me in a hallway and he gave me a piece of paper and he said, Look, keep this name and phone number for you when you get in over your head. He didn't say ‘if,’ he said ‘when’ you get in over your head.”

Routh quickly realized he was in over his head, he made the call and it turned out to be Steve Katz, who is known as “the father of cyber security” Or as “the world’s first Chief Information Security Officer (CISO).”

Two valuable lessons Routh quickly learned:

1. There's no such thing as competition in cybersecurity.

2. You give and you help others be more effective as a professional. It really helps the industry and helps everyone, and it comes back to you later. 

Sleeping Like A Baby

Routh has been quoted as saying as a CISO, he slept like a baby, which would quickly raise eyebrows. He clarified, while also noting he stole that line from Steve Katz, that a baby wakes up every 2-3 hours crying and that’s basically what it’s like as a CISO.

The reality is when you protect an enterprise, you're on 24 hours a day, 7 days a week, 365 days a year, no matter what else you may be doing, it's always in the back of your mind. “What if that ransomware attack nails us? Are we well prepared? What do we have to do to get better prepared? How can we be more effective? Are we applying the lessons learned?”

Routh notes that the pandemic forced everyone to change. But, that new reality wasn’t a sustainable model, employees were working from home, and many had children at home or aging parents living with them. It became necessary to educate teams, that the first thing and most important thing is your health. They had to be reminded to think about themselves and their needs first. Second, the priority list must be the needs of their dependents, and third to adjust the work schedule to accommodate the first two things. This was a seismic shift in leadership from prior decades when the expectation was to be always available, always respond to emails, always be on text messaging, always there, always work weekends, work nights, whatever it was, and be readily available and supportive.

“And we all had to learn as leaders, we had to learn how to do that. That wasn't a leadership competency that was necessarily inherent in our role models. Who we learned from it was something we had to fundamentally do. And then you throw on top of that the fact that we had to learn how to be tolerant, how to be an ally for diversity and to promote inclusive behaviors. And so, all of these changes, really put an impact on people and leaders to help with the impact on people,” Routh shares.

Managing, Not Meeting Expectations

Routh shares that there’s a leadership skill that he undervalued throughout his career, but ultimately led to positive results once realized. It comes down to managing expectations for the Board rather than meeting expectations. It’s a complete shift from how things are typically viewed for CISOs. In Routh’s words, “Managing expectations is being a facilitator.” He sees the need to have a consensus; it may be impossible to get agreement from the Board members, but as a facilitator, you can lead the process of coming to a consensus, which means you have to engage others to make sure that they're sharing your perspective.

Do You Know Your DBG?

In terms of golden connections within your organization, Routh shares some techniques. He takes the core stakeholders and divides them into two groups the Board and the Executive Leadership team. Looking at the Board, the CISO needs to find their DBG, “Designated Board Geek.” Clearly, you won’t find that in his or her title, but when a tough IT decision needs to be made, most of the Board sits back in the physical meeting and turns their head towards the DBG. There is your indicator of who the DBG is. Routh dives into the time you need to spend with your DBG so that when you’re in the Board meeting presenting and somebody asks a question, you're going to pause. With the information you’ve shared with your DBG in your 1to1s, during that pause, he/she may answer the question for them. And if your DBG answers the question for them, they carry tremendous credibility that you do not have.

In the leadership team, you’re a sponsor. A sponsor is not, really a mentor, so they can play both roles. But sponsorship says that they're going to give you the benefit of the doubt. They're going to give you a level of trust. The ideal scenario is to turn the CEO into your sponsor. He notes that this doesn’t happen overnight, but in your one-on-one time, you share a decision or an outcome and a rationale for that, and you spend more time on the rationale than the decision. Ultimately though this approach, your sponsor will give you some wind at your back and support, especially when it's a tough decision and they'll use the rationale that you've essentially armed them with. These are really subtle but foundational to success, both for the executive leaders and for the Board.

True Cyber Resilience

Regardless of what industry you’re in, any major enterprise has a significant attack surface and there will be a cyber security incident. It’s never a matter of “if,” but rather “when.” True enterprise-wide cyber resilience is a necessity and that is a set of enterprise-wide practices that lead to resilience. It allows you to respond quickly to a

cyber security incident with minimal business impact and apply the lessons learned from incidents to a continuous improvement process, even when the incidents don't happen just in your enterprise. For Routh, that is as good as it ever gets. The ability to respond quickly, minimize the business impact, and then the lessons learned going forward.

Mentorship

Routh currently mentors CISOs, “want to be” CISOs, some students, undergrads as well as grad students. Steve Katz and Ed Amoroso were his mentors and Routh recalled Katz stating to him, ‘Look, the way mentorship works is the mentees do all the work. They are the ones that determine the frequency, schedule the meetings and figure out what the agenda is. Basically, the mentor just shows up and offers some wisdom occasionally. The burden is really on the mentees.’ Routh’s advice to anybody who is looking to gain some insights as a cyber security professional is just to reach out and be willing to do the work.

You can listen to the full episode here which is chock full of great advice for security professionals at every level in their careers.