Rob Black is a cybersecurity leader and entrepreneur whose career has spanned nearly two decades across identity, authentication, and GRC work.
He spent nearly four years as Principal PM for SecurID, RSA Security’s flagship authentication product, and was a key remediation contributor to the 2011 RSA SecurID nation-state breach. He holds several patents in identity and authentication, and has written extensively on GRC, including his piece “The Fall of SOC 2.”
Today, Black leads Fractional CISO, the advisory firm he founded in 2017, providing part-time CISO leadership with services spanning cybersecurity transformation, incident response, vendor management, SOC 2 readiness, and AI governance.
We spoke to Black as part of our ongoing series interviewing cybersecurity professionals to bring you their unique insights into cybersecurity today, the challenges they are facing, and the realities of what it takes to defend complex global environments.
1. What cybersecurity challenges do your teams deal with on a day-to-day basis?
We’re helping support many different companies in their cybersecurity programs, so it really depends on the company. Each one has its own unique challenges. Some have a very nascent cybersecurity program, so the challenges are the things that everyone has: things like, is their email good? Are they preventing ransomware? Are people clicking on things they shouldn’t? All the typical things you might worry about.
Our more sophisticated clients have some very sophisticated challenges. Things like, are credible threat actors trying to attack them? How do you invest the dollars properly? Are these controls good enough? And then there’s AI: you’ve got employees doing crazy things with it, putting all their intellectual property and customer data in there, letting AI have administrative access to systems. All the old problems, but now with something that can go off and do things on its own.
There are two sides to the risk. If you do not use AI, there’s market risk, relevance risk, all that sort of thing. But if you’re all-in on AI with no controls, that’s also bad. Where’s the happy medium? That’s something we work on every day.
2. How have the challenges you deal with evolved in the last few years?
Going back to the AI bit — maybe two or two and a half years ago, all of a sudden, for every single client we worked with, we were creating an AI policy. We had to ask, what are they allowed to do? What tools can they use? What can different folks do? And now we’re revising that thinking.
Separately, the noise level has gone way up; I think that’s true in society in general. Getting management’s focus on cybersecurity, even if they want to invest, can be quite difficult. Something might be red alert in my mind, and in their mind they’re like, “Eh, we’ll just live with it.”
That might have been true a long time ago. Now the threat landscape has just opened up so much that it’s difficult to say, “Hey, you need to focus on these 10 things.” You can get someone to focus on three things maybe, but 10 can be quite difficult.
3. How do you set teams up for success dealing with these challenges?
The first part is really to create a consistent process that folks can follow. Have a weekly meeting, have a good agenda, have good follow-up, make sure people own their action items. Just like with any project, it’s “What are the things that we’re going to do? What are we getting done for next week? Frank, you own this problem, come back next week and deliver X.” So really good project management (assigning tasks, sending agenda reminders, meeting weekly) solves half the problems.
The next bit is great prioritization of the issues. If you have 100 issues, you’re not getting through more than half a dozen of them in any given period of time. So, make sure you have a rigorously prioritized list. Re-look at it every month or every quarter, maybe even more frequently, and make sure the things you’re working on are actually the things that are going to smartly lower the risk to the business.
When it comes to business risk, this is really important, especially if you’re looking for funding or trying to get people to do something. Just saying something is “high risk” is very boring. The CEO hears about “high risk” things all the time. But if you say, “there’s a 10% chance of a $5 million loss,” that hits very differently. Then the CEO can say, “I think I’m willing to take that chance,” or, “Holy smokes, that’s horrible, we’ve got to do something about it.”
Quantifying the answer, giving it in business terms, makes a huge difference compared to saying “this risk is high.” They’re already managing all kinds of high risks (currency swaps, key employees leaving, customers not adopting a new product). You want to give them something specific they can make a business decision on, based on real data.
You also have to be credible. You actually have to do your homework. That means saying things like, “This system is worth X dollars, this much data is at risk, this is what the impact would be.” There’s math you have to do to get there, but once you’ve done it, the explaining and convincing side gets much easier.
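The prioritization and quantification points above (a rigorously ranked list, and “a 10% chance of a $5 million loss” rather than “high risk”) can be made concrete in a small risk register. The following is an added example, not code from the interview or from Fractional CISO: each risk carries an annual probability and a dollar impact, expected annual loss is probability times impact, and a proposed control is ranked by how much expected loss it removes per dollar it costs. All risk names, probabilities, dollar figures and control costs are constructed sample values.

```python
"""Quantified risk prioritisation (added example; constructed sample data).

Expected annual loss (EAL) = annual probability * impact in dollars.
A proposed control is ranked by expected loss avoided per dollar spent,
so the prioritised list is driven by numbers an executive can decide on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float            # annual likelihood of the loss event, 0..1
    impact_usd: float             # loss if the event occurs
    control: str                  # proposed mitigation (hypothetical)
    control_cost_usd: float       # annual cost of the mitigation
    residual_probability: float   # likelihood once the control is in place


def expected_annual_loss(probability: float, impact_usd: float) -> float:
    """The single business-terms number: 'a 10% chance of a $5M loss' -> $500k/yr."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact_usd < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact_usd


def risk_reduction(risk: Risk) -> float:
    """Expected loss per year removed by the proposed control."""
    before = expected_annual_loss(risk.probability, risk.impact_usd)
    after = expected_annual_loss(risk.residual_probability, risk.impact_usd)
    return before - after


def return_on_control(risk: Risk) -> float:
    """Expected loss avoided per dollar of control cost (a ROSI-style ratio)."""
    if risk.control_cost_usd <= 0:
        raise ValueError("control cost must be positive")
    return risk_reduction(risk) / risk.control_cost_usd


def prioritise(risks: list[Risk]) -> list[tuple[str, float, float]]:
    """Return (name, EAL, loss avoided per control dollar), best return first.

    Controls that cost more than the loss they avoid sort to the bottom,
    which is the 'undertake the risk and move on' case."""
    rows = [
        (r.name, expected_annual_loss(r.probability, r.impact_usd), return_on_control(r))
        for r in risks
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; none of these figures describe a real organisation.
SAMPLE_REGISTER = [
    Risk("Ransomware via phishing", 0.10, 5_000_000, "Phishing-resistant MFA plus EDR", 120_000, 0.02),
    Risk("Key SaaS vendor breach", 0.05, 2_000_000, "Vendor security review programme", 40_000, 0.04),
    Risk("Laptop theft, unencrypted", 0.30, 200_000, "Full-disk encryption enforced by MDM", 15_000, 0.03),
    Risk("Office network outage", 0.20, 50_000, "Redundant ISP link", 30_000, 0.05),
]

if __name__ == "__main__":
    for name, eal, roi in prioritise(SAMPLE_REGISTER):
        print(f"{name:28s} EAL=${eal:>10,.0f}  loss avoided per $1 of control={roi:5.2f}")
```

With the constructed register, disk encryption on laptops ranks above the ransomware control even though the ransomware EAL is far larger, because the encryption control is cheap relative to the loss it removes; the redundant ISP link ranks last because it avoids only $7,500 of expected loss for a $30,000 spend.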
4. What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?
AI is probably the most prevalent one, and we’ve already seen it tremendously impact our day-to-day. It’s funny too, because it’s not some magic button that just solves the problem. It’s more like: we have a process, and now I can use AI to speed up this portion of the process. When people are expecting the magic AI button to fix things, it doesn’t necessarily work.
For instance, take the transcript for this interview; you could run it through AI and ask it to fact-check what you wrote, to make sure there are no mistakes. It’s the same thing with governance, risk, and compliance work; I might ask, “Our client is using vendors X, Y, and Z. Any concerns there?” And the AI could say, “Well, vendor Y had a breach last month.” Could I have Googled that myself, done the research? Sure, but the AI gave me the answer in a minute. That’s one input into a much broader vendor evaluation, but instead of spending an hour digging up background on each vendor before I can even start that evaluation, I can get to the substantive analysis faster and tell my client “Hey, vendor Y doesn’t look like a fantastic option. Let’s switch gears or talk to them and see what they’re doing to mitigate this risk.”
On the hallucination front, sometimes I’ll have one AI check another AI to mitigate that. It’s definitely concerning when you’re using AI outside of your domain, because you’ve got no way to spot when it’s wrong. If it’s in your domain, oftentimes something doesn’t sound right and you say, are you sure this is true? And it’ll say, “oh yeah, oops, I totally made that up.”
5. You appeared on the She Said Privacy/He Said Security podcast discussing AI in GRC programs, where you emphasized the need to blend AI tools with human oversight and the importance of a security-first mindset when implementing AI. AI has evolved a lot since then. Where are you actually using AI in GRC work today, and where have the trade-offs you flagged gotten better — or worse?
You absolutely need the human in the loop on any kind of important AI decision-making. As we discussed, hallucinations can happen in any function, and making sure it’s doing the thing that you think it’s doing is quite important. Doing some level of validation in any process is really important.
On the GRC front, we’re using it in many different cases. Vendor management is a great one. You’re doing research, asking which of these vendors we should use, or saying we have five potential vendors, which ones have a good security program? Even if it doesn’t know whether it’s a good security program, it’s great at locating security webpages and trust centers. It shortens the research time.
Looking at big documents is another one. A lot of times you’ll run a security scan or have some sort of penetration test done, and the output is this impenetrable 50- or 100-page PDF. Thinking a human is going to be able to make heads or tails of that is unrealistic. But oftentimes you can give it to the AI and say, what are the five key insights I need from here? Then the AI gives you the five things, and you can check each one against the document. Most will be right; some might not be. Either way, it’s saved you a ton of time.
We see a lot of opportunities for automation around project management. We treat security as a project, just like anything else. We need to be cautious that AI doesn’t cause us to forget tasks, or reopen ones we’ve already closed. Human in the loop is super important, but right now we’re using AI in many of our processes, and we’ll continue to add more across GRC.
I think GRC is a great use case for AI just because it’s so paperwork-heavy and information-intensive. I don’t want to besmirch the GRC industry, but the day-to-day is not innovative; it’s more procedural. Anything that’s information-intensive, paperwork-heavy, and procedural is a great thing for AI to solve.
6. You wrote “The Fall of SOC 2,” arguing that audit quality has slipped to the point where some auditors will rubber-stamp anything. Now AI is being layered on top. When you’re putting an AI-first SaaS company through SOC 2 today, where does the framework actually break down — and what’s happening with the auditors when AI is in scope?
I think the framework is quite good. The reason SOC 2 is so prevalent is because it’s a flexible framework that allows you to communicate your cybersecurity program, and the attestation report can be tremendously valuable.
The AICPA (American Institute of Certified Public Accountants) owns this cybersecurity framework. They have not been diligent in making sure the quality bar is high. The problem is that these auditors are now doing high-volume work with not a lot of hours on each of the audits. There are plenty of great auditors out there doing high-quality work, but there are a bunch of low-end auditors who are not validating and just pushing things along. It’s like with any framework: if you decide not to do a good job with it, it’s not going to work great. Either the AICPA needs to enforce their program more rigorously, or there needs to be another party that comes in and says, “here’s the replacement for SOC 2.” The way things are right now, it’s not tenable. People are just not going to trust the reports.
For an AI company specifically, SOC 2 is really about your process, not so much about the underlying technology. It translates quite well to AI companies, technology companies, or really any process-driven business. It’s about: Are you following your process? Are those processes any good? Are you doing background checks in hiring? When someone leaves, do you make sure you take them out of all your systems? When you’re bringing on a new vendor, are you validating that they’re going to do a good job? Do you have good identity and access controls so that when someone logs in, it’s actually them and not an attacker? Those things are universal. It doesn’t really matter what the company is.
My view is that either the AICPA will jump in, intervene, and bolster it, or someone else is going to come up with some sort of replacement scheme. I’d prefer the AICPA to step in, but it’s kind of a bummer that some of these companies are tarnishing SOC 2’s reputation overall.
7. You spent nearly four years as Principal PM for SecurID at RSA — RSA’s flagship authentication product. What did that experience inside a major security vendor teach you about identity and authentication that you find yourself coming back to today, especially in your work with mid-market SaaS companies?
When I went to RSA, I had a good technical background, but I really was not a security person. I ended up being there almost five years before I left, and it was kind of like going to security grad school — you learn from everyone in the organization. Even the marketing and finance people knew a fair amount about security. And then the technologists were next level. It was a really remarkable situation. It was a very technical company, so I got an opportunity to learn the nuts and bolts under the covers, and an opportunity to earn several patents for some of the work I was doing.
As an aside: for anyone trying to break into security, I say get any role at a big security company and then move into more of a security role if you’re interested. Get in as marketing or finance or HR or whatever, and then scoot over.
In terms of identity and access management, a lot of what I learned is probably overkill for serving mid-market customers, but a lot of the general principles are great. For any sort of access control or identity and access management, you’ve got to be concerned about the root of trust — what is the thing that’s saying, “yes, you are authorized to access the system. Yes, you are authorized to access this piece of data or this part of the system.” Understanding where the root of trust is matters.
You’ve also got to understand that authentication can be foiled by an attacker. What are the mechanisms we have to check to make sure that the attacker is not impersonating that user? For RSA, the solution, especially back then, was largely around two-factor authentication. Now there are a lot of risk-based models. Sometimes you log in, maybe you’re traveling overseas, and you’ll get a message asking for some extra validation. A lot of that wasn’t necessarily in place 20 years ago, but applying those principles today makes a lot of sense for defending organizations’ identity and access management systems.
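The risk-based model described above (extra validation when a login looks unusual, such as a user suddenly appearing overseas) can be sketched as a scoring policy that decides between allowing a login, requiring a second factor, or blocking. This is an added illustration, not RSA or SecurID code; the signal weights, thresholds, the 900 km/h plausible-travel limit and the sample user history are constructed assumptions.

```python
"""Risk-based step-up authentication decision (added example; constructed data).

Signals scored: unrecognised device, country outside the user's usual set, and
'impossible travel' (distance from the last login divided by elapsed time exceeds
a plausible airline speed). Weights and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import math

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than this is not a real traveller
STEP_UP_THRESHOLD = 30            # at or above: require a second factor
BLOCK_THRESHOLD = 80              # at or above: refuse the login outright


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime
    password_ok: bool             # result of the first factor check


@dataclass
class UserHistory:
    known_devices: set
    usual_countries: set
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_at: Optional[datetime] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_attempt(attempt: LoginAttempt, history: UserHistory) -> tuple:
    """Return (risk score, list of reasons) for a login that passed the password check."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if attempt.country not in history.usual_countries:
        score += 30
        reasons.append("country outside usual set")
    if history.last_at is not None and history.last_lat is not None:
        hours = (attempt.at - history.last_at).total_seconds() / 3600.0
        km = haversine_km(history.last_lat, history.last_lon, attempt.lat, attempt.lon)
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 60
            reasons.append("impossible travel since last login")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> str:
    """'deny' on a bad password, else 'allow', 'step_up' or 'block' by risk score.

    A failed first factor is denied without revealing anything further, so the
    risk engine never turns into an oracle for password guessing."""
    if not attempt.password_ok:
        return "deny"
    score, _reasons = score_attempt(attempt, history)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed sample history: the user normally logs in from Boston on one laptop.
BOSTON = (42.36, -71.06)
LONDON = (51.51, -0.13)
ALICE = UserHistory(
    known_devices={"laptop-1"},
    usual_countries={"US"},
    last_lat=BOSTON[0], last_lon=BOSTON[1],
    last_at=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
)

ROUTINE = LoginAttempt("alice", "laptop-1", "US", *BOSTON, datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc), True)
NEW_PHONE = LoginAttempt("alice", "phone-7", "US", *BOSTON, datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc), True)
OVERSEAS_2H = LoginAttempt("alice", "laptop-1", "GB", *LONDON, datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc), True)
BAD_PASSWORD = LoginAttempt("alice", "laptop-1", "US", *BOSTON, datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc), False)

if __name__ == "__main__":
    for label, attempt in [("routine", ROUTINE), ("new phone", NEW_PHONE),
                           ("London 2h later", OVERSEAS_2H), ("bad password", BAD_PASSWORD)]:
        print(f"{label:16s} -> {decide(attempt, ALICE)}  {score_attempt(attempt, ALICE)[1]}")
```

The routine Boston login is allowed, a new phone from the usual location triggers a second-factor prompt, and a login from London two hours after a Boston login is blocked because the implied speed is far beyond anything plausible and the country is outside the user's usual set. In a real deployment the device set would be updated only after a successful step-up, so the engine learns from verified logins rather than from attempts.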
8. You were a key remediation contributor to the 2011 RSA SecurID breach — one of the defining nation-state attacks of the era, against a security company itself. Looking back at what you learned from inside that incident, what do you find yourself trying to teach clients today that you still see being missed?
There were lots of lessons learned from that incident. You don’t actually need an incident that big to learn them, but there are certainly lots of things to apply going forward.
The first thing is: you really need to be ready. One of the things we work on first with clients is having a good incident response plan. You might think that’s a funny thing to prioritize when there are all these technical controls you could put in place. But when something bad happens, what you want to do is revert to your training. Here’s the plan — here are the things I need to do: contact my cyber insurer, get legal counsel involved, bring all the right people into the loop. I’m only one part of the response, but there are other parts of the organization that could be impacted. You’ve got to make sure you have everyone’s contact information ready.
That follows some general principles in diagnosing problems. A lot of times in an incident, you might say, “Oh, X happened, so therefore it’s Y,” but maybe that’s a coincidence and really, Z is what caused it. You’ve got to be a good detective in root-causing the problem. And you’ve got to make sure you’re being a great teammate and including all the key folks, plus outside parties like legal counsel, cyber insurance, or law enforcement, to have a holistic approach to solving an incident.
9. What’s a widely held belief in the cybersecurity industry that you disagree with, or think needs to be challenged?
Obviously, if you’re in cybersecurity, the most important thing in the world is security. Or at least that’s what a lot of folks in my industry seem to think. I work with a lot of businesses, and if cyber were their number one concern (and they’re not in the security space), they would be out of business. Their top concerns have to be customers and revenue and product and customer support. Now, if security is only the 100th most important thing, that’s also bad. But security can’t be the number one thing. Security is a business enabler for more revenue, supporting customers, and protecting the organization, but it isn’t the number one thing.
And this goes back to the communication bit: believing security is the most important thing doesn’t serve security people well, and it doesn’t serve our industry, because it doesn’t lead to smart business outcomes.
Sometimes the answer is to undertake the risk and move on. Sometimes the answer is, of course, remediate that thing and bring in some technical controls. But everything can’t be red alert, 10 out of 10 issues. If it is, you’re never going to be able to run your business.
10. What advice would you give to fellow CISOs and industry practitioners?
Communication and executive presence are critical in a senior cybersecurity leader — probably the most important thing. If you can stand in front of the board, the CEO, or senior leadership and clearly communicate your point, that’s a superpower to get the things you want. That means speaking with some passion but not too much, avoiding technical jargon, and explaining things in language most folks can understand.
A lot of the time when folks aren’t getting funding, or the executive team isn’t doing the things they want, they’re not using that lens or those communication skills or that executive presence. You hear a lot of complaints, like “the CISO doesn’t report to the CEO.” Well, the CEO has a lot of things to worry about. Does it make sense for the CISO to report to the CEO? Maybe. But also: are you the right CISO to report to that CEO? Are you providing the executive presence and leadership to make sure the CEO understands the issues, and you’re not just yapping in their ear all the time?
That’s really important for cybersecurity practitioners. There are certainly some amazing ones, but there are also some folks who are technically amazing but much less amazing with communication and executive presence.