Cybereason CISO Interview Series: It’s only information security (but I like it)

Sometimes the career path to security and IT leadership doesn’t involve an undergraduate degree in computer science. Sometimes reaching the ranks of CIO and CISO involves an English degree and a desire to play rock-and-roll for a living.

At least that’s how Frank Gillman discovered his interest in IT. While Gillman, who honed his IT and security skills at various law firms in Los Angeles, harbored dreams of becoming a professional musician, a temp job in a firm’s technology department helped him discover that he enjoyed the challenges a career in IT offered. As Gillman gained more IT knowledge, he rose to the rank of CIO, a title he held at Allen Matkins for more than a decade and at Lewis Brisbois for four years before becoming the firm’s CISO in February.

Studying language and communication also played a role in Gillman’s professional success by giving him strong writing and speaking skills. “I just applied [my background] in a different area. I take very technical concepts, convert them and communicate them to executives,” he said. In this interview, Gillman talks about why technology needs to be viewed as a tool that helps a business achieve its goals and how playing in a band has aided him professionally.

You started your career in IT, and it includes serving as CIO twice. How does your experience as a CIO prepare you for the role of CISO?

I’ve been a CIO for 30 years in multiple firms. When you’re a CIO in the type of firms I have worked at – those that are leaner when it comes to the number of available resources in-house – you wear multiple hats. In many ways you are the information officer, the risk officer. You’re overseeing a lot of elements, so I have a broad level of experience. I’ve picked up a lot of experience in the eDiscovery area since joining Lewis Brisbois as well. I had a broad enough outlook on IT and security that it wasn’t that hard. It’s been a relatively smooth transition.

CISOs at law firms typically handle internal information security. But your role is different. You’re going to help Lewis Brisbois’ clients with their security. Could you talk about why there was a need to expand the scope of what a law firm’s CISO usually does?

One of the things I like about our firm is that it’s always been entrepreneurial. We have regular leadership discussions among different practice groups and talk about how we can stay on the cutting edge of what firms are offering, how we can differentiate ourselves beyond already being really good lawyers and providing strong value. Our data privacy and cybersecurity group has been steadily growing within the firm. Our idea was to take that growth and stimulate it even more by bundling technical consulting elements with all the work we’re already doing under attorney-client privilege in order to maximize value to our clients.

Leadership looked at my tactical experience and said, ‘Frank, do you want an opportunity to do something different? Do you want to be a part of this?’ I was originally brought here to stabilize our IT infrastructure and we’ve put in the base of that platform for the most part, so I said yes. We’ve got some great lawyers within the data privacy and cybersecurity group and we make a good team.

CIOs and CISOs have a reputation for butting heads. Previously, how did you balance the roles of technology and security leader?

There’s a natural conflict between the roles. The CIO is trying to grow and expand the number of things that the firm is doing. The CISO is supporting those efforts, but with every technical advance, there is usually an opposite increase in the risk factor for data exposure. It’s a difficult balance to maintain. The thing that has always been true for me in achieving balance is to avoid overly focusing on technology. I view technology solely as a tool toward a larger function. The focus must squarely be on the lawyer. How can technology make the lawyer, and therefore the law firm, successful?

The CIO versus CISO battle only starts because both entities forget what the mission is when it comes to the law firm. It’s very easy to avoid turf wars between IT and security if the mindset that’s driving your decisions is to increase the effectiveness of the lawyer.

Now that I have a billable role, which means I fill out timesheets and account for my time, I’m even more aware of how critical it is for lawyers to work without interruption. When technology is not available or fails, and I’ve got to sit there and start to figure out how to do a workaround instead of focus on my client work, it drives me crazy. The issues between the CIO and CISO are because they’re too focused on technology, and not on technology helping the lawyer.

How can CISOs better understand that the role of security is to enable the business?

CISOs can start to understand by focusing on how security affects the bottom line of the business. One of the problems that all security professionals face is the difficulty in getting a handle on the ever increasing amount of data in use. Managing data requires substantive investment in tools, time, and in changing the behavioral culture of the business. All those things can hurt profitability. Storing less data legitimately increases profitability. Companies that store less data require less infrastructure and reduce their risk of data exposure.

Technology professionals need to constantly focus on what makes the business money. People in the technical world can very easily become too insular on technology. Let’s face it. It’s a fascinating world. There’s new stuff coming out every day and each advance means platforms are constantly changing. People who go into this field are attracted to those ideas. Sometimes it’s hard to find balance between being interested in something, and remembering what the mission is.

Technology is a tool. That’s all it is. It has no intrinsic value separate from that. The value is how to leverage that tool.

Many security professionals didn’t start their careers in the industry. For example, you have a degree in English language. Could you talk about your career path and why technology and security appealed to you?

My career path is rare compared to most. It’s not something that could be replicated in today’s world. My dream was to be a rock and roll musician and a writer. I went to college and got a degree so that I could move to L.A. and not starve. In L.A. I worked as a professional musician for many years and started temping at a law firm because I needed to make money and knew the environment. My dad was a real estate lawyer. I was fortunate to be there as technology first really started coming into play in business, so I fell into my job in many ways.

My mentor was a man named Bill Guthner, one of the greatest men I have ever known. He was the managing partner of the firm. He had a truly unique skill in that he could recognize the quality traits in people and put them in roles that would challenge them and also help the business. He put me in IT and backed me 100% every single day until he retired. What has helped me be successful is my education, which is very much about language and communication. I can take very technical concepts, convert them and communicate them to executives. I believe the ability to write and speak well gave me the career I’m in. I just applied it in a different area.

I also still play in a band of CIOs from other major law firms. We’re called Legal Bytes and play original music about legal technology and other technology. We talk about this concept of the right brain and the left brain and how people who can combine the creative element and the technical element can really be effective. It’s a very powerful combination to have. Most people have one or the other. People who have both can be very effective.

Musical skills translate well into IT. They really let you visualize system infrastructure and articulate it in a different way.

Why did you stay in IT?

I’ve always found that IT challenges me more than any other area. I never want to come to work and watch the clock ticking. Everybody only gets one turn on the ride of life. IT gives me the chance to innovate.

That’s what appealed to me about this new role. It’s an interesting experiment. We have no idea if it will be successful. We obviously want it to be successful, but there’s a certain element of risk in trying something new. That’s what I really respect about our leadership here. They’re not afraid of taking a risk.

How can security and IT leaders develop the imaginative side of their brain?

Try something that you’ve never done before. Take a risk. Do something outside your comfort zone. Do something that challenges you in your regular life and will force you to open your mind to different things. Taking risks makes you grow as an individual.

Anything that makes you grow as an individual will almost always have a positive effect and seep into your work, no matter what skills you learn.

Can you offer any advice on how security leaders can talk to their boards and C-suite peers about why security matters?

Almost any business centers on trust. Customers – or clients in our case – need to know they can trust us and data security is paramount to the reputation of the business. Executive boards and C-suite executives understand the value of that and the value of their brand.

Make the case that a company’s security posture has just as much to do with its brand as its advertising and customer support levels do. It’s all the same thing. Get less technical and align the security goals with the business goals.

How can security leaders help organizations develop a culture of security?

Security leaders should be more inclusive and bring more elements of the business into the equation. They have often been handed, or lulled, into this sense of ‘It’s my problem. Deal with it.’ But it’s really not. The IT systems are only part of the balance.

Developing and implementing a genuine culture of security involves input and engagement from HR, marketing, facilities, and anyone else regularly involved in administration management. You need those people to make sure the company is addressing multiple needs re security. You also need them because they’re going to have critical functions to perform if there’s ever a data breach or other security incident. You want these people to be really integrated into the security plans as opposed to simply names on a contact sheet within your Incident Response or Business Continuity Plans.

About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.