
The New CISO
146 episodes — Page 2 of 3

S1 Ep 96 - The 70-20-10 Rule: Steps You Can Take for Professional Growth
In this episode of The New CISO, Steve is joined by guest Andrew Wilder, Adjunct Professor at Washington University in St. Louis and a multi-time CISO.

After eighteen years, Andrew left a job he loved to transition into global security. Now he gives back to the cybersecurity community by sharing his insight as a professor and mentor. Tune into today's episode to learn more about his IT journey, expanding your network, and company red flags.

Listen to Steve and Andrew discuss his five-step mentorship plan and essential interview guidelines for CISOs:

Meet Andrew (1:38)
Host Steve Moore introduces our guest today, Andrew Wilder, who has worked in cybersecurity for twenty years. Andrew got his start at a paper company, where he worked in marketing, sales, inventory, customer service, and more. One day the owner came to him wanting to change their computer systems. Being the youngest in the office, Andrew was given the project, beginning his IT journey.

Eighteen Years (6:23)
Andrew reveals why he stayed at Nestle for eighteen years: he loved the people and the culture, and he even met his wife on the job. Steve presses Andrew on why he didn't stay longer, and Andrew reveals that he had progressed as far as he could. Wanting to move forward in his career, he felt he had to make the jump.

A Difficult Move (8:12)
Andrew shares how challenging it was to leave Nestle. Although his co-workers were shocked, Andrew knew leaving was right for him. If you're in a similar situation, you may always find something to regret, but no situation is perfect. Ultimately, you have to do what's best for you.

Care About Your Career (11:50)
When contemplating a career transition, Andrew recommends finding a mentor. Of course, no one will care for your career for you. If you care about it, you will make time for it and seek out the necessary resources.

The Five-Step Plan (13:59)
Andrew shares his five-step plan for changing careers, which includes creating a development plan with your mentor and filling in the gaps in your desired skill set. In addition, Andrew shares a helpful guideline he picked up at Nestle: 70% of your learning should come from doing, 20% from relationships, and 10% from a course or formal learning program.

Getting In The Room (20:00)
Steve presses Andrew on what steps CISOs should take to get in the room. Andrew recommends making sure people know who you are and what your expertise is. If people don't know you, you'll never be able to prove yourself. That is the value of expanding your network.

What To Ask (24:47)
If you're offered a board-type position, it's essential to learn about the company culture and the CEO, and to review any incident reports so you can bring your expertise to the position.

Interview Questions (28:24)
Enterprise risk management is an excellent framework to focus on during an interview. Asking questions about prior risks will reveal a lot about an organization, including red flags. Andrew also describes other red flags to look for in an interview. If a company doesn't show change or progress on security, the work culture will be less desirable for a CISO. The worst security culture you could join is one where they won't admit they've experienced a breach.

Business Continuity Planning (37:20)
Business continuity planning is often ignored in cybersecurity because it is business driven. In Andrew's opinion, cybersecurity should be separate. Andrew and Steve discuss other business dynamics and what should or shouldn't be the responsibility of the CISO.

Why Teaching (41:43)
Steve presses Andrew on why he teaches. Andrew likes to think it's to give back, but he recognizes it's a two-way street. Andrew teaches deputy CISOs, CIOs, and executives seeking to transition into the CISO role. He has created his own lesson plans from scratch to give security professionals the highest value in their education.

The New CISO (47:55)
To Andrew, being a new CISO means seeing cybersecurity as a business enabler. This mindset can include expanding your network and learning what different people in the field do.

Links mentioned:
LinkedIn

Quote: Well, I'm a strong believer that if we're not constantly learning and growing and progressing, that we will become obsolete. The skills you were using five years ago are not the ones you're using. And the same thing goes for five years from now. [00:50:30] They also talk about the jobs that our kids are gonna have don't exist today. So whenever I have people reporting to me, I dedicate 10% of their time to learning and training, and growing so that they will develop the new skills and be able to take on those n

S1 Ep 95 - Security Engineer to CEO: Taking a Chance on Yourself
In this episode of The New CISO, Steve is joined by guest Suid Adeyanju, CEO and Co-Founder of RiverSafe Ltd.

Although his parents dreamed of Suid becoming a lawyer or a doctor, Suid had a passion for technology. His path was challenging, but Suid shares how he successfully transitioned from security engineer to entrepreneur. Tune into this week's episode to learn more about Suid's early career journey, the mindset differences between engineering and business leadership, and the catalyst for starting his business.

Listen to Steve and Suid discuss navigating the corporate ladder and how security professionals can become business leaders:

Meet Suid (1:39)
Host Steve Moore introduces our guest today, Suid Adeyanju, a security professional and entrepreneur. At RiverSafe Ltd., Suid's team specializes in cyber security, data operations, and demo. Since childhood, Suid wanted to work in technology. Recently, he found his old yearbook from Nigeria and saw that he wanted to be a computer engineer even then. Even though that goal was unusual at the time, it demonstrates that Suid always wanted to be in technology.

At University (6:24)
At university, Suid initially went for computer science and mathematics. After studying accounting for two years, his professor steered him toward business information systems. As much as Suid loves computers, understanding how organizations deliver their services was a better fit.

Think About Impact (10:26)
Steve and Suid discuss how security leaders need to consider how their security work impacts the business. If leaders want to make the business secure, they need to work with the business and understand the risks associated with its work.

The Transition (13:40)
Suid reflects on his transition from engineer to entrepreneur. As an engineer, Suid saw things in black and white. To run his business, he needed a different mindset, because working with people is different from working with computers.

Workplace Challenges (20:03)
Steve presses Suid on his time at Reuters. After two years of contracting, Suid saw that he was stuck in his role while his teammates gained more responsibility. Initially, Suid believed he needed to work harder and gain his master's in information security. Now he understands that this mindset is common among ethnic minorities, and he reflects on the challenges he has faced.

Valuing Yourself (28:55)
Suid realized that this particular work environment did not value the additional education he had gained or the extra work he put in. Without another job lined up, Suid decided to quit. Suid could take this risk because he had made good financial decisions, which gave him enough savings to rely on. Suid also had the right professional skill set, which prepared him to take a chance.

Starting A Business (34:24)
Suid reveals that this period led him to start his own business. Although it's challenging to transition from engineer to entrepreneur, Suid knew his team was talented and could show value to their customers.

The Big Break (38:14)
Suid's company got its big break when a senior manager at a major corporation chose to work with them. This manager took a chance on them with a significant project, which gave Suid momentum for the future.

Sound Advice (43:43)
For listeners who feel that the corporate world is not for them, Suid shares his advice. First, take a course that teaches how to set up a business. Second, find a mentor who can share valuable insight with you.

The New Security Leader (47:21)
To Suid, a new leader focuses on people. One must have empathy and the mentality that leaders are meant to serve.

Links mentioned:
LinkedIn

S1 Ep 94 - The ABCs of Threat Actors: How to Stop Attackers From Becoming Insiders
In this episode of The New CISO, Steve is joined by guest Jeff Schilling, Global CISO for Teleperformance.

Jeff returns to discuss a pressing issue for CISOs: insider threats. With credentialed attacks on the rise, Jeff shares his take on the "flattening" of this evolving threat. Tune into today's episode to learn more about the ABCs of bad actors, how Covid has contributed to the problem, and complex recruiting scams.

Listen to Steve and Jeff discuss which strategies are being employed to compromise employees' credentials:

The Return Of Jeff (1:42)
Host Steve Moore introduces our returning guest today, Jeff Schilling of Teleperformance. Steve reveals this is Jeff's third time on the podcast. Unlike other episodes, where guests discuss their career journeys, Jeff is here to share research on insider threats.

The Problem (4:24)
Jeff explores the fundamental issue of insider threats. He describes the skill pyramid on which threat actors can be placed. The "A" actors become insiders to exploit specific targets, which should be considered when designing a security program.

The Flattening (12:46)
Steve presses Jeff on what he means by the "flattening" techniques that have led to the current state of attacks. Jeff explains how malware and targeted phishing have been used to reach their mark, a problem exacerbated by remote work.

Adversaries and Targets (19:54)
Jeff explains how to communicate threat issues across departments, especially when there are language barriers. The biggest challenge is making the messaging as simple as possible. Depending on the job functions of the audience, there are different responses and different levels of success. This is why Jeff's team focuses on training along with additional monitoring and security controls.

More Tactics (23:28)
There are many strategies threat actors use to breach an organization's security. Bad actors target companies through social media, such as LinkedIn. Threat actors also learn about their target countries and reach out through more region-specific platforms. Jeff asserts that insider threats must be part of every CISO's security plan.

Preventative Steps (31:42)
Jeff assures us that there are things we can do to detect these threats and explains those actions. Identifying the machine where phishing emails originate and implementing new technologies is key.

The Near Future (35:50)
With the evolving capabilities of AI, it may be easier for threat actors to be more convincing in their scams. Their messaging is getting more believable, which is why Jeff believes they are taking advantage of new technologies despite the safeguards. However, Jeff is not convinced that certain aspects of AI, like voice mimicking, will get more sophisticated.

The New CISO (39:42)
To Jeff, being a new CISO means constantly learning and having your finger on the pulse. If you think you know everything, you likely do not.

Links mentioned:
LinkedIn

Quote: "I used to say multifactor authentication at the edge was a big barrier for the threat actor to get over. That's no longer, I can't say that anymore. It's more like a small fence. And now, you got to look at how do you manage your privileges and how do you conduct IT operations inside of your wire, and how would a threat do it if they were an insider? And then what controls do you have to be able to detect that activity because they're going to be using IT tools, and they're going to look like they're coming in with a legitimate account."
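The closing quote above makes a detection argument: once an attacker holds a valid account, the login itself looks normal, so detection has to key on behaviour (which host the account appears from, which IT tools it runs, at what hours). The following is an added example, not code from the podcast or from Teleperformance, of a first-pass detector for that pattern run over constructed endpoint log lines. It builds a per-user baseline of hosts and tools seen before a cutoff date, then flags later events from the same account that combine a host the user never used, admin tooling the user never ran, or activity outside working hours. The log format, the admin-tool list, the working-hours window, the cutoff date and the two-of-three threshold are all assumptions chosen for the illustration.

```python
"""Added example: flag 'valid account, insider-like behaviour' from endpoint logs.

Not code from the podcast or from Teleperformance; the log lines, tool list,
working-hours window, cutoff and threshold are assumptions for this illustration.
"""
from datetime import date, datetime

# Constructed sample log: "<ISO timestamp> <user> <source host> <process>".
# alice normally works from one workstation with office tools; on 2024-03-06 her
# account appears at 02:00 from a VPN pool running remote-admin tooling.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice ws-alice-01 outlook.exe
2024-03-04T09:30:00 alice ws-alice-01 excel.exe
2024-03-05T10:02:00 alice ws-alice-01 teams.exe
2024-03-06T02:14:00 alice vpn-pool-17 psexec.exe
2024-03-06T02:16:00 alice vpn-pool-17 net.exe
2024-03-06T02:18:00 alice vpn-pool-17 powershell.exe
2024-03-04T08:55:00 bob srv-admin-02 powershell.exe
2024-03-04T09:15:00 bob srv-admin-02 psexec.exe
2024-03-05T09:20:00 bob srv-admin-02 net.exe
"""

# Assumed list of built-in or dual-use IT tools an insider would lean on.
ADMIN_TOOLS = {"psexec.exe", "net.exe", "powershell.exe", "wmic.exe", "ntdsutil.exe"}
WORK_HOURS = range(7, 20)   # assumed 07:00-19:59 local time
CUTOFF = date(2024, 3, 5)   # events before this date form the baseline


def parse_log(text):
    """Parse the constructed log into (timestamp, user, host, tool) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, tool = line.split()
        events.append((datetime.fromisoformat(ts), user, host, tool))
    return events


def build_baseline(events, cutoff):
    """Per user, the set of hosts and tools seen before the cutoff date."""
    baseline = {}
    for ts, user, host, tool in events:
        if ts.date() < cutoff:
            entry = baseline.setdefault(user, {"hosts": set(), "tools": set()})
            entry["hosts"].add(host)
            entry["tools"].add(tool)
    return baseline


def score_event(event, baseline):
    """Return the list of anomaly reasons for one post-cutoff event."""
    ts, user, host, tool = event
    known = baseline.get(user, {"hosts": set(), "tools": set()})
    reasons = []
    if host not in known["hosts"]:
        reasons.append("new_host")
    if tool in ADMIN_TOOLS and tool not in known["tools"]:
        reasons.append("new_admin_tool")
    if ts.hour not in WORK_HOURS:
        reasons.append("off_hours")
    return reasons


def detect(log_text, cutoff=CUTOFF, threshold=2):
    """Flag post-cutoff events carrying at least `threshold` anomaly reasons.

    One deviation on its own (an admin running a new admin tool during the day)
    is ordinary IT work and stays below the threshold; several together are the
    'legitimate account behaving like an insider' pattern the quote describes.
    """
    events = parse_log(log_text)
    baseline = build_baseline(events, cutoff)
    findings = []
    for event in events:
        if event[0].date() < cutoff:
            continue
        reasons = score_event(event, baseline)
        if len(reasons) >= threshold:
            ts, user, host, tool = event
            findings.append({"time": ts.isoformat(), "user": user,
                             "host": host, "tool": tool, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run as-is, it reports the three alice events from the VPN pool, each with all three reasons; bob's net.exe run scores a single reason (a tool absent from his two-day baseline) and stays below the threshold. In practice the baseline would be built from weeks of authentication and process telemetry rather than two days, and the reasons would feed a case for an analyst rather than a print statement.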

S1 Ep 93 - Great Minds Think Differently: Neurodiversity and Vulnerability in Leadership
In this episode of The New CISO, Steve is joined by guest Chris Nolke, multi-time CISO and founder of Skycrane.

Chris had decades of cybersecurity experience before starting his own company. As a neurodivergent leader and life-long learner, Chris navigates the workplace with self-reflection and candor. Tune into today's episode to learn more about Chris' professional journey, his human approach to leadership, and his definition of happiness.

Listen to Steve and Chris discuss the values that drive career decisions and how vulnerability can serve or harm you in the workplace:

Meet Chris (1:41)
Host Steve Moore introduces our guest today, Chris Nolke, the founder of Skycrane. Chris first started his cybersecurity journey while studying electrical engineering in college. From there, he got a job as an engineer, which eventually led him to his current path. As a life-long learner, Chris followed the path he found most interesting: cyber security.

Defining The Interesting Path (8:36)
Chris wishes he had done a "values" exercise earlier in his career to work out what he wanted professionally. He advises others joining the workforce to go through a process of discovering what they believe in. When you understand your values, you can make more straightforward career choices.

Evaluating Jobs (10:59)
Chris admits that every job he's taken has been different from what he initially believed. In those circumstances, it's essential to decide whether you want to stay in that position or pivot.

Personal Characteristics (14:40)
Steve presses Chris on which three bullet points his colleagues would list for him. Chris states that vulnerability, being a conversationalist, and expertise have become his brand in the workplace, which has made him successful.

Going Further By Saying Less (25:16)
Chris shares that many people who communicate impulsively use it as a means of connection. Reflecting on this, Chris acknowledges the difference between impact and attention. After trial and error, Chris learned he would go further in his career if he said less.

Sound Advice (30:31)
For leaders, Chris shares that neurodiversity is a superpower. If you can harness the pattern-recognition skills of neurodivergent employees, you can build an incredible security team. To understand how to use this superpower, Chris recommends that leaders have mindful conversations with their employees. People need to learn what they're good at to get ahead.

The Subject of Happiness (40:06)
As a CISO, Chris is fascinated by the construct of happiness and what comes with it. Happiness is made up of joy but also contentment. Balancing the two is the key to understanding and taking advantage of this construct. Chris recommends that every CISO create a "happiness" process to avoid burnout, though burnout is what led Chris to start his own business.

The New CISO (49:10)
To Chris, being a new CISO is about creating a system of business relevance. You can do your job better when you understand the business's daily needs.

Links mentioned:
LinkedIn

S1 Ep 92 - The Power of Automation: Which Tools Can Help Your Security Team?
In this episode of The New CISO, Steve is joined by guest Peter Frochtenicht, National Manager for Security and Compliance and CISO at NEC Australia.

A technician by nature, Peter has decades of experience across multiple countries. Today, he joins the podcast to discuss the complexities of AI and the benefits of time-saving tools. Tune into today's episode to learn more about Peter's technical journey, the most common security threats, and his advice for new CISOs.

Listen to Steve and Peter discuss why automation is a critical component of security tooling and how the threat landscape has changed globally:

Meet Peter (1:36)
Host Steve Moore introduces our guest today, Peter Frochtenicht, who has worked at NEC for nine years. Before NEC, Peter started his career as a systems engineer twenty years ago. Peter has worked in Africa and Australia and has worked his way up through different organizations.

Catching Up (5:21)
Ten years ago, the CISO role was rare in Australia. Steve presses Peter as to why. Since the Australian population is smaller than that of the States, with fewer big-name organizations, it took Australia longer to catch up in the security industry.

Australia's Biggest Threats (9:37)
From a defense perspective, Australia does a great deal of business with the States, especially on submarines. From a threat perspective, its proximity to China and other countries in the region makes a security threat from those countries more immediate.

Increased Attacks (13:17)
The most common attack Peter sees is phishing, which affects organizations and citizens alike. According to Peter, it is human nature to be curious and click on a link in an email. For outside threats, there is financial gain and access to information to be had. AI has also advanced quickly, which can contribute to increased threats, since it can be used to mimic someone's voice. Organizations should be prepared to use AI for good, but also be prepared for those who use this new technology for more insidious reasons.

The Benefits of AI (18:05)
Steve presses Peter on what defensive benefits he predicts will come from AI. Peter shares the automation tools his team uses, which reduce the analyst headcount he needs and save time. ChatGPT may help you personally, but Peter believes in partnering with known vendors who can help limit human error.

What To Look For (21:11)
Peter shares what CISOs should and should not look for when choosing AI tools. Analytic tools are standard and can save a great deal of time and effort; as a result, organizations can save money and expect an increase in accuracy. Tools that help CISOs detect abnormalities with less effort are a real service. Of course, an abnormal action may not be malicious; it could be a mistake by a well-meaning person.

Investing In Employees (28:32)
Peter believes in training his people to bring the best out of them. People don't always have the right skills at the right time, but you build a strong team when you invest in your employees and in their relationship with your vendors.

Adding Skillsets (31:05)
Steve asks Peter what skill sets, besides technical abilities, he had to add to perform his role. Peter discusses his career journey, including his transition into leadership. Peter had to gain a governance mindset and learn to think about policies and when to update them. It's challenging to ask for money to pursue your endeavors, but if you have a budget, you must spend it.

Sound Advice (38:56)
Looking back at his career, Peter wouldn't change much. But Peter recommends getting training and certifications to keep yourself up to date. You don't need to wait for your company to suggest it before taking on a new challenge.

The New CISO (42:41)
To Peter, being a new CISO means supporting the business and its structure. The biggest challenge for a CISO is adapting fast to new security changes while asking for money as needed.

Links mentioned:
LinkedIn

S1 Ep 91 - Taking Extreme Ownership: How 3 Common Excuses Hurt Security Leaders
In this episode of The New CISO, Steve is joined by guest Michael Meis, Associate CISO of the University of Kansas Health System.

Beginning his career in the U.S. Army Signal Corps, Michael eventually transitioned into government consulting and the private sector. Today, he shares his philosophies on leadership and ownership in the cybersecurity field. Listen to the episode to learn more about his extensive technology background, the importance of inter-department friendships, and how he helps fellow service members make their professional transitions.

Listen to Steve and Michael discuss how to navigate bureaucracy and adapt to corporate environments:

Meet Michael (1:41)
Host Steve Moore introduces our guest today, Michael Meis. Michael has been in IT and security for fifteen years and in healthcare for two years. Michael met Steve a year ago at a security conference, which led them to connect around the industry and their philosophies on leadership. Michael also reflects on his role in the military, which began with him working with radios and evolved into general technology support.

Getting His Start (6:09)
Michael was always interested in computers but initially never saw it as a career. He decided to join the military instead. However, his recruiter encouraged him to take a tech-related job, and his security journey began. This first Army Signal Corps job was less computer-heavy than expected, but Michael still learned a lot.

Dealing With Corporate Politics (9:07)
For ten years, Michael worked as a government consultant. This experience taught Michael to navigate complex bureaucratic dynamics and get past red tape. Michael highlights the importance of having solid relationships in different departments to get things done. Once you understand how things are and how your organization operates, you can determine which workplace rules to bend.

Finding a Path (14:01)
Michael expands on the importance of relationships in a corporate setting. You can leverage those relationships when needed to promote your department's agenda. The more you understand your organization's rules and politics, the less friction you will face and the more you can build a trusted security culture.

Government Challenges (22:44)
Steve presses Michael on his quote, "Governance is important, but alone won't solve all of your problems." Anyone who has worked in government understands that there are always challenges within its IT environments. Since the government has total control over its IT, Michael learned early on that more than governance is needed to perfect these systems. Collaboration is needed between parties.

Excuses, Excuses (28:13)
Michael shares the security community's common excuses that tend to irk him. Budget professionals can be challenging to work with from a leadership perspective. He also gets frustrated when people use a lack of training as a reason not to try something. Michael values training, but he understands that sometimes you have to take action before formal training comes.

Behavioral Norms (33:50)
Michael explores the behavioral norms that came out of his military service. Learning how to function in a corporate environment is essential for people leaving the military. The benefit of military experience is its rigor and structure, which can provide direction in life. On the flip side, it can be challenging to transition away from that structure because you can grow dependent on it.

Helping Others (39:07)
As a leader, Michael tries to help other service members let go of their need for a manual when making corporate transitions. That way, they can learn to embrace their creativity, which benefits their long-term careers. Ultimately, Michael aims to empower his teams and shift their professional mindsets.

The New CISO (47:27)
To Michael, being a new CISO means recognizing that CISOs are not just security practitioners but business executives. The more security evolves as an industry, the more CISOs can adapt to these modern changes.

Links mentioned:
LinkedIn

S1 Ep 90 - How To Build Trust Within Your Team, Your Business, and Yourself
In this episode of The New CISO, Steve is joined by guest Adam Currie, CSO at HCL Software.

Adam started his career 27 years ago, working the night shift as a mainframe operator before working his way up in the security world. Today, he shares how he builds trust within his team, his company, and himself. Listen to the episode to learn more about his expansive career journey, when to encourage your team, and dealing with imposter syndrome.

Listen to Steve and Adam discuss the right time to challenge yourself and when leaders should foster an environment where it is safe to fail:

Meet Adam (1:38)
Host Steve Moore introduces our guest today, Adam Currie. Adam was first the head of security operations and architecture at HCL before transitioning into the CSO role. When Adam joined HCL, he brought his breadth of technical knowledge and an understanding of how their user base consumed their tools. In this business, it's essential to understand how these programs are used while ensuring they are secure, a mentality that helped Adam move into the CSO position.

The Mainframer (4:41)
Steve asks Adam about his experience on the mainframe. When Adam was a student, he worked as a tape librarian. This after-school job led to him taking classes and learning about mainframe operations and a basic coding language.

Desktop Support (8:26)
Adam believes that having a desktop support background benefits security professionals because it provides an understanding of how end users operate. Communicating with this community with empathy adds significant value to any security team.

Unexpected Steps: CISO to SOC to CISO (12:38)
Adam did end-user support work at Bloomberg before moving into backend enterprise applications. Then he was asked to run Bloomberg's tier one and tier two service desks, a type of work Adam had not planned on returning to. However, this opportunity offered Adam his first management role, and he credits this position with getting him to where he is today.

Building Trust With Your Team (20:05)
Reflecting on his journey at Bloomberg, Adam shares why people seek new opportunities. When people leave positions or accept roles, it is for growth. Most people want to consider how a job will help their families and goals before making a career transition. Adam would rather help his team explore their options than suppress them, though no one wants to lose valuable employees. He wants his team to trust him enough to be honest with him about when they want to make a change.

A Challenge (25:21)
For Adam, it is always a struggle to stay out of the weeds on the tech side of the business. He gravitates toward technology but understands that this is different from his role now. For leaders, it is more important to nurture an environment where employees are safe to fail, because that is how people learn and grow. You shouldn't be reckless, but being inactive is riskier.

Owning Failure (29:02)
Steve presses Adam on how far he will go to own his team's failures. Adam thinks it is his job to communicate with senior management and shield his team from scrutiny. No matter what, we must be honest about what we can do to improve and have productive, unemotional conversations.

Building a Brand (36:13)
Building a brand comes with trial and error but is critical to success. Often this means changing the perception that security is a necessary evil. Demonstrating that security is a value-add partnership that leaders actively want to engage in is essential.

Putting Yourself Out There (47:54)
Though Adam is not a fan of public speaking, he believes in pushing himself past his comfort zone. Although he has experienced imposter syndrome about his experience, he is putting himself out there as a podcast guest today to share his career journey.

The New CISO (54:23)
To Adam, a new CISO establishes a strong team and builds trust within the business and with peers. Trust is necessary to claim success.

Links mentioned:
LinkedIn

Bio: A proprietor of service excellence and incubator of change, operating at the intersection of people, processes, and technology with 26 years' experience successfully partnering with business leaders to build strategies aligning to corporate and client needs, resulting in realization of value-add with a holistic approach to business, technology, and security.

S1 Ep 89 - Be Comfortable Being Uncomfortable: Managing New Roles and Next Steps
In this episode of The New CISO, Steve is joined by guest Mike Kelley, CISO of the E.W. Scripps Company.

Mike worked as an auditor before eventually jumping into cyber security. Reflecting on his past, Mike shares how balancing ambition with transparency is critical to success. Listen to the episode to learn more about Mike's auditing experience, falling into cyber security, and his advice for CISOs when interviewing.

Listen to Steve and Mike discuss how leaders should assist their team with career development and why "fake it until you make it" makes for bad career advice:

Meet Mike (1:44)
Host Steve Moore introduces our guest today, Mike Kelley. Mike shares his role in the enterprise and consumer-based security field and how his duties differ from those in an internal security environment. Although he would say that consumer-based security is not clearly defined, his goal is to keep all things related to the consumer secure, in addition to the typical CISO goals.

His Start (3:36)
Before working at E.W. Scripps, Mike worked at KPMG, one of the big four firms. There, Mike performed external audits and also did some compliance consulting. Although no one wanted an auditor around, especially one asking questions, Mike had to build rapport with people in difficult situations. Through this role, Mike was exposed to numerous companies, allowing him to learn constantly. He might not choose to start in audit if he could do it all again, but the experience prepared him for his cyber security career.

Adapting With Transparency (9:02)
Mike has become comfortable with being uncomfortable and with being transparent when he doesn't know something. When he got his CISO job, he told HR that the position was new to him and that he had a lot to learn. Being confident enough to say "I don't know" is Mike's mental motto, because he knows he can adapt to new challenges. Ultimately, anything is learnable as long as you push yourself, a mentality he encourages in his team.

The Burn the Boats Method (17:42)
After reflecting on his own career decisions, including telling a company to fire him if he didn't succeed as a director, Steve presses Mike on how he would react to someone sharing this approach. If one of Mike's employees wanted to try a position out and see what happens, Mike would prefer to ease them into that role. He would let them transition through the responsibilities first before changing that person's title. Ultimately, trying and failing is okay, but Mike wants his team to fail soft rather than hard.

Falling Into Cyber Security (21:42)
After looking for cyber security jobs for three years, Mike eased into the field through a position in compliance. Working side by side with security professionals, Mike was able to dip his toes in. After lunch with his manager, he was offered the CISO role, and Mike immediately said yes. Mike admitted he didn't know what he was doing but was encouraged to take the job.

Rolling With It (25:01)
Steve asks Mike if he ever wishes he had said no when offered the CISO job. Mike knew this was the field he wanted to pursue, and he felt comfortable being transparent about his experience.

Interview Questions (31:18)
If you are a new CISO wanting to ask good questions in an interview, Mike suggests asking what the purpose of that role is at that company. Another helpful question concerns the company's approach to trying new things and handling challenges.

The Definition of Success (34:13)
When evaluating a company during an interview, it's essential to find out what that company's definition of success is. Mike defines success as being aligned with the business that employs you and being seen as more than a security function.

The Important People (36:50)
If you don't know where to start when beginning a new position, Mike suggests finding out who has influence in the organization and who delivers results. Once you know who those people are, you can nurture those relationships and get their input on the initiatives you want to implement.

Bad Advice (42:21)
The worst advice Mike received was "fake it until you make it." Although that approach may have good intentions, it is better to be transparent about your abilities. Faking it is a quick route to imposter syndrome. When you have humility, more people are inspired to help you toward your career goals.

The New CISO (44:04)
To Mike, being a new CISO means having input into your organization's strategic direction and getting the opportunity to take that to the next level. Having a leadership position is how he defines a successful CISO.

Links mentioned:
LinkedIn

S1 Ep 88 The Patient Safety Model: Developing a Hospital’s Security Culture

In this episode of The New CISO, Steve is joined by Martin Fisher, CISO at Northside Hospital. An information security veteran, Martin has worked in the commercial aviation, finance, and healthcare industries and was an award-winning podcast host. Today, he shares how to build a unified team and his approach to managing mental health. Listen to the episode to learn more about the value of hobbies, defining company culture, and being an empowering leader.

Listen to Steve and Martin discuss the importance of shared team culture and how CISOs can balance the stress of the job:

Meet Martin (1:50)
Host Steve Moore introduces our guest today, Martin Fisher. Over his decades-long tech career, Martin has worked in several industries. His podcast, Southern Fried Security Podcast, lasted ten years and was an incredible learning experience. While a podcast host, Martin discovered that he used too much jargon for non-security listeners, encouraging him to expand to a larger audience.

Other Hobbies (5:52)
Martin considers himself an original nerd, playing Dungeons and Dragons as a kid and an adult. A fan of role-playing tabletop games, Martin has backed many Kickstarters and has a great gaming community within his group of friends.

Mental Healthcare (8:22)
A CISO for a hospital, Martin stresses that mental healthcare is healthcare. Martin believes in what his non-profit-based workplace stands for, which is why he has chosen this role.

The Bad Day Factor (10:27)
Martin manages his mental health by setting boundaries. People need to separate their work and personal life because it’s essential to have time to decompress. In the IT and security fields, there is a high percentage of neurodivergent employees who may need additional support in dealing with stress. Leaders must have employee assistance programs to help their staff with mental healthcare safely.

Being Authentic (16:50)
To build lasting relationships, you have to be your authentic self. When Martin looks for people to promote within his team, he looks for genuine individuals.

Growing the Team (18:33)
When Martin started his current position, he and the company culture aligned. Starting as the original security employee, Martin has been able to grow his team. His company understands that security is an investment and helps protect its patients, which has led to its success. Martin hires employees with their personalities in mind and how they fit the company culture.

Patient Safety (22:53)
Confidentiality is paramount to uphold in the medical security field. Since they are a patient-safety-first organization, Martin ensures he hires employees who understand that mentality.

Defining Work Culture (28:25)
Northside lists its company culture on job listings to attract the right candidates, which includes kindness. Since Martin focuses on patient safety and quality care with his CISO work, he hires people who match those ideals. When you have this approach to hiring, you can create a positive feedback loop while forming a strong team.

Culture Over Security? (33:35)
Steve presses Martin on what’s more important: culture or preventing security issues? For Martin, security is still, of course, the focus. People are human and make mistakes, but they’ve never had a problem they couldn’t control.

Bad Advice (38:43)
The worst career advice Martin ever received was to work for a hedge fund. This environment was not a good fit for Martin, further emphasizing his point on the value of authenticity.

Military Experience (39:56)
Martin explores how he has applied his military service experience to security crises. He has confidence in his CISO role because he has gone through worse. Having army training, he has a quiet confidence that has made him a better leader who empowers his team rather than micromanages them.

The New CISO (48:18)
To Martin, being a CISO at Northside is the best role he’s ever had. Protecting patients is both gratifying and terrifying, but he believes in his colleagues and the company’s mission.

S1 Ep 87 What Would a Breach Cost You? Personal Risk vs. Reward as a CISO

In this episode of The New CISO, Steve is joined by guest Jeff Farinich, SVP of Technology Services and CISO at New American Funding. First starting his career as a general contractor, Jeff now prides himself on solving security problems. Today, Jeff shares how he makes career decisions and manages his organization’s risks. Listen to the episode to learn more about Jeff’s extensive career journey, his development relationship with vendors, and how CISOs take on a great deal of personal risk.

Listen to Steve and Jeff discuss the right time to leave a company and the personal and monetary cost of a breach:

Meet Jeff (1:45)
Host Steve Moore introduces our guest today, Jeff Farinich. In his early twenties, Jeff studied accounting but realized it wasn’t for him. He then became a general contractor, but by his mid-twenties, he was still determining what he wanted to do. He soon took a course that kickstarted his IT career, putting him on the path to becoming a CISO.

Adjusting To The Job (4:20)
When Jeff started his first IT job, he was excited by the change of direction. However, Jeff realized he had always dabbled in tech because even at his first accounting job, he helped manage PCs.

Multiple Paths (6:28)
Jeff reflects on his job at a large property management company and his position as an MS manager at a small movie studio. He soon began his path into security management and leadership. Through the movie studio, he also went to the premiere of a Jean-Claude Van Damme movie.

Advice To His Younger Self (10:45)
If Jeff could give his younger self advice, he would suggest getting as much tech experience as possible on the VAR side. He also would have stayed in Silicon Valley longer, possibly having an even more explosive career.

A MacGyver Type (15:38)
Steve presses Jeff on whether he would ever consider stepping away from the technical side of security to get on the strategy/VAR side. Jeff is very open but also likes to fix things. He refers to himself as a MacGyver type “born with a screwdriver in hand.”

A Development Relationship (19:30)
Jeff enjoys having a development partnership with vendors by trying new, untested tech at a low cost. This type of relationship allows both parties to win and allows Jeff to be creative and drive innovation for that vendor.

Evaluating Vendors (22:13)
There are fewer IT vendors than security vendors, so there have been fewer decisions for Jeff to make. Evaluating vendors to work with is a process and can leave room for great, collaborative relationships.

A Small Step (27:35)
Before jumping into vendor development, Jeff recommends understanding the industry and being knowledgeable about the vendor space you’re interested in. If you are someone who doesn’t always want to contact your VAR but doesn’t know where to start, it’s essential to begin by learning and choosing carefully.

Moving Up and Out (32:59)
Steve presses Jeff to clarify his belief that “the best way to move up is to move out.” Jeff is far from a job hopper, but if you wait to the point where you are desperate to leave your company, you probably should have left sooner. If you are not fixing the problems you want to repair, or there are a lot of risks, it’s valid to seek new opportunities.

Managing Liability (34:51)
CISOs always need to evaluate how much risk they are taking on. Whether you are an officer or director, you should realize that liability can reach you. Jeff has pushed for ways for CISOs not to be personally liable for breaches.

Individual Risk (36:20)
Jeff and Steve share the costs of a breach and how that can trickle down to the CISO, whether monetarily or mentally. CISOs have bad day factors that can outweigh those of other members of a company.

The New CISO (43:44)
To Jeff, a new CISO is someone who deals with ever-growing cybercrime. You may not get everything you need on day one, but being a CISO is a journey of learning.

S1 Ep 86 Self-Sufficient Security: The Perks of Being a vCISO

In this episode of The New CISO, Steve is joined by guest Laura Louthan, Founder & vCISO at Angel Cybersecurity. Originally from Britain, Laura moved to Los Angeles to explore new opportunities before transitioning into IT. Eventually starting her own business, Laura shares her self-sufficient approach to cyber security. Listen to the episode to learn more about Laura’s unconventional career journey, why it’s more efficient when you understand your abilities, and how she handles being a contracted CISO.

Listen to Steve and Laura discuss embracing challenges but avoiding struggle and tackling likeability when applying for jobs:

Meet Laura (1:45)
Host Steve Moore introduces our guest today, Laura Louthan. CISO and only employee at Angel Cybersecurity, Laura had an eclectic past before settling into the security field. She worked as a scuba instructor, can-can dancer, and temp before getting her first IT job. She feels she was fortunate to break into IT when she did.

London and LA (5:04)
Laura explains why London and Los Angeles didn’t suit her well. She had a job in London that she didn’t enjoy, but her brother worked in Los Angeles in the film industry. When she got to LA, she realized that the movie business was not for her, bringing her to her Club Med job. When something didn’t sit right with her, she left and is grateful that she used her twenties to explore. She advises people looking for work to try temping because you just need to meet someone to get your foot in the door.

Learning On The Job (9:47)
While working in IT at Equifax, Laura had to teach herself how to do things. She figured out how to get answers and become self-sufficient, which is a valuable skill. She knows how to get things done but also understands her skillset. She believes that it is more efficient to be truthful about your abilities.

Challenges, Not Struggles (14:09)
Laura admits that while she likes a challenge, she does not want to struggle. For example, she understands that privacy and security are different, although overlap exists. If her clients asked her to fulfill their privacy needs, she believes that would be inefficient since that is not her area of expertise. She would be happy to refer that client to a privacy professional instead.

The Privacy Question (16:24)
Steve asks Laura if there is a greater need for privacy help. Laura believes this is external pressure for CISOs, and that privacy pressure comes after security. Laura thinks privacy is exciting and intellectual but recognizes it as a different CISO mindset. She is very comfortable with her specialty in security.

Her Time At Sephora (22:48)
At Sephora, Laura was the head of Information Security. After working in the credit industry, she found the retail space to be a fascinating change. Although Laura is not the archetypal security type, she found her personality and gender made her a good fit for this female-focused company.

The Likeability Index (27:41)
Steve and Laura discuss how “likeability” is typically higher in women, which can hurt them during negotiations because women tend to want to be liked. Women also tend to apply for jobs they are overqualified for. Laura advises women to apply for jobs they think are reaches for themselves instead, which is what men do. We should all hope for a job that challenges us.

In The Interview (31:22)
Laura and Steve explore different questions candidates should ask or consider during the interview process. For Laura, she asks what technology the potential client uses, their industry, and other questions that clarify if she's the right fit. Before taking a client on, you want to ensure you can help them. Ultimately, if you do good work, clients will typically recommend you.

Legally Speaking (36:20)
Since Laura is not an employee of her clients, she explains how she handles legal risk. Laura has errors and omissions insurance and details that she is not responsible for other companies' compliance. Since Laura is not full-time, she can’t be there for every meeting, but she works hard to discuss how she can get them where they want to go.

The Challenges of Being a CISO (41:55)
Laura shares that the worst part of the cybersecurity industry can be the negative security person. She believes that what CISOs can do better is to collaborate with other departments outside of IT.

The New vCISO (43:45)
To Laura, a new vCISO is a chance to be pragmatic and enable the business. Working together is a joint decision, so building relationships with the people you work with is important.

S1 Ep 85 5 Top Tips for Boosting Security Mindfulness

In this episode of The New CISO, Steve is joined by guest Rupa Parameswaran. At the time Rupa joined the show, she was Head of Security at Amplitude. Now, she’s transitioned to a new role as VP of Security & IT at Handshake. Growing up, Rupa was initially given a choice: to marry or become a doctor or engineer. With the support of her family, Rupa pursued her passions as a leader in the cyber security world. Listen to the episode to learn more about Rupa’s advice to the listeners, her first product development opportunity, and why every CISO needs to understand the power of influence.

Listen to Steve and Rupa discuss the importance of having allies across the security business and how to build a culture of mindfulness in your organization:

Meet Rupa (1:40)
Host Steve Moore introduces our guest today, Rupa Parameswaran. With decades of experience and a deep-rooted technical background, Rupa has seen how security has evolved over the years and why CISOs need to grow with these new procedural changes. As the head of security at Amplitude, Rupa ensures that the product and employees are secure in both privacy and culture.

Engineering Background (4:00)
Before starting her career in cyber security, Rupa first studied engineering. Growing up in India, she felt she had a choice between getting married or going down an engineering or medical path. Rupa determined that becoming a doctor was not for her and became interested in computer engineering. In university, she worked on an AI project, leading her to move to the United States and the security industry.

A Clear Path (7:08)
Pre-Amazon, Rupa and her colleagues were trying to create a marketplace for books with AI security technology. After this incredible experience, it was clear to Rupa what her career should involve.

Having Support (9:04)
Rupa shares that India has been a typically male-dominated society, which is changing slowly. Many more parents are interested in helping their daughters pursue careers and become self-sufficient versus getting married. Rupa’s mother fought for independence, which she wanted for her children. Grateful for the support, Rupa was able to pursue her passions.

Rupa’s Advice (13:50)
Whether someone is a woman or just someone determining what they want to do, Rupa recommends that everyone find their passion. If you discover something that excites you, seek mentors or people you can trust to discuss your interests. You will be on a good path if you can build a support group. It may be a slow process, but it is a critical one. With mindfulness, you can build credibility with your work, and nothing can stop you.

Post University (17:09)
After university, Rupa was at a crossroads. Should she go into academia or not? As she determined this, she got an opportunity to be a software engineer with a new company. Interested in the GDPR security product they were building, Rupa was able to be a developer on the project. Believing in the company’s vision, Rupa was excited to get immediate security industry exposure across different team initiatives.

Having Influence (25:19)
Rupa reflects on what she learned from the GDPR project. She became skilled at building ally support groups and influencing security development without having to manage people directly. This unique opportunity gave her essential leadership skills and the ability to spread security mindfulness throughout the company.

Her Definition (28:48)
Steve presses Rupa on her definition of “security mindfulness.” To Rupa, this phrase demonstrates a willingness to include security in every initiative you pursue. If you build out a unique group of security-minded professionals, each person can raise the importance of this topic in meetings without you. Having another person speak up on your department’s behalf shows successful security mindfulness.

Find Your Allies (32:19)
As a security leader, finding your security allies is critical. When you need resources, education, or policy changes, you need to have people in your corner to help you. Rupa advises the listeners to find these allies early and “catch the wave when you see it.”

The Currency Of Credibility (35:17)
Rupa defines the currency of credibility as building trust amongst your colleagues. If you can show your coworkers you have this knowledge and the data to back your proposals, it’ll be easier for others to agree with your judgment. Understanding your product allows you to be a better security leader.

Holding Executives’ Attention (40:00)
When it comes to leadership, you must build allies and know your audience. By having relationships with executives, you can better understand what piques their interest and convey to them that the company’s security is equally important to you.

The New CISO (47:38)
To Rupa, a new CISO is someone who is constantly evolving. Keeping the wheel of security turning is the primary goal of any security professional because security is a journey.

S1 Ep 84 Are You Ready to be a CISO? Why Mentors Matter with Mark Weatherford

In this episode of The New CISO, Steve is joined by returning guest Mark Weatherford, CSO and SVP of Regulated Industries at AlertEnterprise. In last week’s episode, Mark shared how he set the foundation for his incredible career, from his start in the Navy to his time working for Governor Arnold Schwarzenegger. Today, Mark delves into his lasting legacy in the cyber security field. Listen to part two of this episode to learn more about being the plus one at security meetings, Mark’s mentorship perspective, and putting in the work to succeed.

Listen to Steve and Mark discuss what it means to be coachable and the importance of experience:

The White House Basement (1:33)
Host Steve Moore presses his guest Mark Weatherford on a meeting he attended in the White House basement. Mark was initially instructed to use this meeting as a learning experience to see how things worked. Unexpectedly, John, the National Security Advisor, asked Mark his thoughts on an issue, and Mark answered on the spot.

Strong Leadership (6:44)
John asking Mark a security question showed strong leadership because it allowed Mark, who was new to the team, to be included. When you’re the CISO in charge, you should bring a team lead or a middle manager to meetings, so they can learn and provide input. This type of experience will allow them to build skills and develop confidence, which they will need as they climb the cyber security ladder.

Mentorship Advice (10:29)
Mark advises younger leaders to always look for opportunities to mentor people. Generally, Mark tries to be available to those who ask him to chat about leadership and security. On the other side, younger people need to be willing to ask for help.

The Mentorship Exchange (16:10)
Steve asks Mark what people should expect from mentorship lunches. Is it just lunch or something more pressing? Mark explains how in his case, he was friends with his mentor, so they mostly just enjoyed meals together. However, his mentor would ask him questions about work to see how he could help. Of course, different dynamics operate differently, but the main thing mentees should consider about themselves is, “am I coachable?”

Steering The Mentee (19:47)
Mark and Steve discuss how to guide mentees away from vanity. Nowadays, new security professionals may focus more on the job title than on becoming a leader. Mark then further explains what it means to be coachable: a willingness to take in the tough feedback to improve.

In the Meeting (21:24)
When Mark meets with potential mentees, he’ll give them a homework lesson and ask them what their goals are. He will also ask them what efforts they’ve made to achieve their goals. With so many CISO opportunities out there, people are getting jobs without putting in the hard work, though having experience is essential.

The New CISO (24:08)
To Mark, being a new CISO is a wide-open field. One must understand the job's responsibilities and be creative with their resources. Ultimately, being a new CISO is having the experience that validates your position in the role.

S1 Ep 83 Be the One Who Gets the Call - The Keys to Landing New Opportunities

In this episode of The New CISO, Steve is joined by guest Mark Weatherford, CISO and Head of Regulated Industries at AlertEnterprise. After many years in CISO roles, Mark eventually found himself in the White House. Reflecting on his incredible career journey, Mark evaluates the opportunities that led him to success. Listen to part one of this episode to learn more about Mark’s navy experience, the importance of delegating in leadership, and how to become the guy who always gets the call.

Listen to Steve and Mark discuss when to put the fear aside and embrace the possibility of failure and the willingness to take on new opportunities:

Meet Mark (1:51)
Host Steve Moore introduces our guest today, Mark Weatherford, the current Chief Security Officer at AlertEnterprise, specializing in IT and OT security. Before starting his cyber security career, Mark wanted to build dams and roads in the navy. Instead, the navy had other ideas and picked Mark to be placed in the advanced electronics program, leading him to the CISO industry.

Measuring Your Day (7:21)
Mark measures his work day by the goals his team achieved or when a project is done. Although it’s a different set of standards than when you see a road or other construction projects completed before you, cyber security work can also be assessed.

Life After The Navy (9:08)
By the time Mark started his job at Raytheon, the Navy had a contract to complete a security project with them. Having already determined when he would leave the Navy, Raytheon called him about a position that fit his skillset: building a security operations center from the ground up.

Relying On Your Team (14:14)
Steve presses Mark on what he learned from managing the start of the security operations center. Mark gathered that no one can do everything and that it’s essential to have a core group of leaders to rely on. Good leadership comes from delegating authority to people without micro-managing, empowering them to excel at their jobs.

Working With Fear (22:07)
“That’s all part of learning. Things are going to break now and then,” Mark explains when expanding on his leadership philosophy. Reflecting on his own experience with gaining new skills, Mark’s advice to anyone is that mistakes happen when you’re learning. We may be uncomfortable when things are unfamiliar, but as long as we’re not doing anything malicious, we can figure things out.

What Happens Next (24:14)
One day Mark received a call from his boss about a project with the Federal Government in Colorado. A year later, Mark got another call from his next job, leading him to a cabinet position. Through his impressive work experience, Mark was considered for exciting political opportunities impacting our country.

That’s Politics (28:53)
Mark discovered pretty quickly in politics that people aren’t always truthful. Unfortunately, he understands that this is the industry's nature, and that is how things are. As a result, it’s natural to become wary and not take everything you hear at face value, although Mark still gives people the benefit of the doubt.

Working With The Legislature (31:13)
Mark’s work in government allowed him to influence policy as well. Mark learned about the trade-offs in politics during this experience and why opposition can create barriers to security policy.

Becoming The Terminator’s CISO (34:58)
After leaving Colorado, Mark was called for the opportunity to work for Governor Arnold Schwarzenegger in California. Mark recognizes that the secret to his success derives from being prepared for new positions when they arise. Mark never directly worked with Governor Schwarzenegger, but having this role gave him a lot of respect in the security world.

Having Pride (38:06)
Mark is very proud of his time in California. With over 160 departments, agencies, and organizations operating there with different security needs, Mark worked with them all to find solutions. This level of collaboration and relationship-building was an incredible experience with lasting, positive results today.

S1 Ep 82 Learning From a Layoff: Career Growth, Change, and Opportunity

In this episode of The New CISO, Steve is joined by guest Sandy Dunn, Lead Consultant and Founder at Quark IQ. After spending years in healthcare, Sandy pivoted into a start-up before being laid off. Now embarking on the next stage of her career, Sandy shares the valuable lessons she’s learned and how she embraces life’s challenges. Listen to the episode to learn more about Sandy’s strengths as a CISO, the correlation between motherhood and leadership, and how to navigate the start-up industry.

Listen to Steve and Sandy discuss the benefits of failure and maintaining an authentic mentor/mentee relationship:

Meet Sandy (1:43)
Host Steve Moore introduces our guest today, Sandy Dunn. Sandy has been a CISO for eight years at both a healthcare company and a startup. As she tackles her newest endeavor as the Lead Consultant at Quark IQ, Sandy acknowledges that her strengths in the cyber security world are her persistence and passion for creating well-functioning systems. Although she may not think of herself as the most brilliant person in the room, her determination has been an asset everywhere she goes.

Nothing To Prove (4:26)
Sandy recognizes the leadership benefits of not needing to prove her brilliance. Since she doesn’t mind admitting when she doesn’t understand something, others can gain clarity, and she can identify unknown issues. She asks the questions others are afraid to ask for the benefit of her team. Although others may feel subject to imposter syndrome, Sandy reminds listeners that everyone has a vital role in the room.

Having a Softer Side (10:46)
As an executive who is also a mother, Sandy can use that nurturing skill set to motivate and manage her team. Sandy has become a stronger leader by putting her employees’ needs first, much like her children.

Managing In The Moment (13:46)
Steve presses Sandy on how she deals with team members prone to tantrums. Similar to her approach with her children and horses, Sandy’s first instinct is to understand her employees, how they think, and what upsets them. Like what drove her to cyber security, Sandy loves puzzles, including what puzzles her about people. In general, Sandy believes diversity in views and backgrounds is highly beneficial to a department because different perspectives bring different skills and abilities to the table.

Potential Red Flags (20:09)
Sandy is consistently asked to be a mentor, which she is grateful to do. However, she feels a person lacks curiosity if they ask her questions answerable through a quick Google search. If someone fails to take the initiative to learn themselves, a job in cyber security would not be a good match for them.

Resume Review (21:38)
During a cyber security career day, Sandy reviewed resumes and determined who she felt were great candidates. Sandy, also an adjunct professor, found this experience rewarding because she had the chance to talk with and guide individuals on their CISO journeys.

The Mentee/Mentor Relationship (25:21)
Steve and Sandy discuss the mentor and mentee relationship. Sandy doesn’t love those terms because they are too official for the nature of the dynamic: relationship-building. Instead of asking someone you admire whether you can be their mentee, ask them what they are working on and how you can help, and a mutually collaborative relationship can form.

Taking A Chance (30:31)
Steve presses Sandy on her move from an established company to a start-up. Sandy recognized that she was no longer growing as a CISO at her healthcare job, so she jumped into a start-up business. Although she put too much trust into this company before they earned it, she did feel like it was a risk worth taking.

Insight For Next Time (35:56)
Reflecting on her seven months at the start-up, Sandy reveals what she wishes she would have done and what she learned from this experience. The best advice would be to study start-ups, how they function, and what they need to do to expand. Doing your homework is always a good idea when joining a new company.

The Aftermath (39:00)
Sandy shares how she felt after being laid off, which happened the day after she was asked to conduct mock interviews and give career advice to students. Although she did not feel like the best person to advise others at that moment, she is grateful for the people she met during those seven months and the experience as a whole. Her main advice now is to “run towards the pain” and let your failures facilitate growth.

The New CISO (43:56)
To Sandy, being a new CISO means constantly evolving. If you’re in this unique position, it’s best to find new ways to collaborate, cooperate, and make positive changes for your customers and team alike.

S1 Ep 81 Protecting Your Revenue with Machine Learning and Data Science

In this episode of The New CISO, Steve is joined by returning guest Steve Magowan, VP of Cyber Security at Blackberry. Steve returns to dig into the reality of data science and AI and ML in cyber security. Breaking through the buzzwords, Steve understands the current state of technology and how it's used to protect revenue today. Listen to the episode to learn more about communicating expectations, using risk management to generate funding, and the current landscape of security threats.

Listen to Steve and Steve discuss educating executives and how utilizing data science in your security program can reduce friction and translate risk:

Welcome Back, Steve (1:45)
Host Steve Moore reintroduces our guest today, Steve Magowan. As a reminder, Steve manages everything security-related for Blackberry, from corporate security development to spearheading IoT initiatives. When asked to define AI, Steve Magowan explains that what AI means to the security world today is machine learning, both unsupervised and supervised, to prevent risk. In general, AI is still being widely researched and is often a buzzword thrown around, but full-on AI remains theoretical.

Turning AI Into Action (6:22)
Steve asks Steve Magowan how he handles the AI suggestion from executives, who may need more clarification on how this tech is used. Steve Magowan recognizes that he is a business enabler whose job is not only to protect data but to protect revenue. He would need to keep his company's resources in mind when discussing AI and determine if this type of tech is necessary for the goals ahead.

Protector of Revenue (11:30)
Steve Magowan has the unique position of protecting revenue for his company, an uncommon skill set for CISOs. Steve uses ML technology to map business activities and relate that to security. Having that ability allows him to communicate with executives in business terms to ensure their funds remain safe.

Clear Lines (15:34)
Although Steve has this authority, he believes CISOs should refrain from reporting to a CFO or CIO because their mandates conflict. Although executives wish to simplify their correspondence by going to a CIO for a one-stop shop, conflating their roles with a CISO would downplay both positions and render them less effective.

Understanding Risk Management (19:10)
Steve Magowan always tells leaders that risk management is the language in which security leaders gain money because you can turn security problems into dollars and cents. Pulling data allows you to understand and pitch how to receive resources based on the security issues faced. Ultimately, Steve's job is not to separate operations and business. His role is not to achieve technical outcomes but business outcomes using technical outcomes.

Walking Through Detection Triggers (27:22)
Steve asks Steve Magowan why the detection of bad things has shifted from signatures to "normal vs. abnormal." Steve Magowan explains how the landscape has changed and that cybercriminals now have more money to commit crimes and have the same education as security professionals. With cyber criminals getting more clever, ML is the only way to detect patterns that don't make sense, though even that is getting challenging.

Staying Resilient (32:42)
When facing sophisticated threats, you must ensure that you have data backups that cannot be breached and limit the scope of the hacker's blast radius for any hit. There will always be threats, but you must do your best to remain resilient.

The Bias Problem (34:58)
Steve Magowan outlines the risks of building your own ML program, such as personal biases that can skew the results of your data. The biggest lesson is that data can lie and lead you in the wrong direction if you let it.

The Flow Of Output To Input (39:22)
From a data science perspective, the data doesn't always cooperate. Although the goal is always to make the data readable to executives and reduce friction, these systems have been designed by different people from different systems during different times. Every security leader must parse through the information and bake it together into something usable for the business.

Helpful Tips (43:48)
Steve Magowan recommends mapping your tools, determining the problems they solve, and then relating that to your greater security framework. You can then review what works and what tools can be removed or added. The main goal is finding your problems and then mapping your solutions accordingly.

What It Means To Be An Executive (39:47)
Steve presses Steve Magowan on what it means to be an executive who leverages data science and ML. To Steve, it means you must use your technical skills to protect revenue if you want a seat at the table.

S1 Ep 80 Life After Breach: How Hospitals Can Protect Patient Data
In this episode of The New CISO, Steve is joined by Jackie Mattingly of Owensboro Health. With a passion for technology since childhood, Jackie began her career in IT. Today, she shares how an encounter with a malicious insider moved her into a career in information security. Listen to the episode to learn more about Jackie's career journey, navigating company acquisitions, and protecting patient data.

Listen to Steve and Jackie discuss the unique challenges of working as a healthcare CISO and handling security breaches:

Meet Jackie (1:51)
Host Steve Moore introduces our guest today, Jackie Mattingly. Jackie is the CISO for Owensboro Health, a three-hospital system in Kentucky serving eighteen counties across two states. Jackie has known she wanted to work in technology since she was a little girl, an interest first sparked by the game Oregon Trail. After earning her degree in computer programming, Jackie reflects on how she gained the work experience needed for the career she wanted.

News Days (7:04)
Steve asks Jackie about her time working at a local news publication and whether she met anyone interesting there. Jackie shares that she mainly worked alone at night, loading the news articles onto the website.

The Radiology Center (8:41)
Jackie's next move in information technology was to a radiology imaging center whose owner understood the importance of keeping up with technology. The center was one of the first radiology centers with an MRI machine; Jackie reflects on connecting the other radiology systems to that machine and on what you should consider when working with a new device.

Transitioning Through Acquisitions (13:18)
When Owensboro Health acquired the radiology center, Jackie's lifestyle changed. Now at a much larger organization with never-ending hours, Jackie had to meet the challenges of serving a 24-hour operation.

Preventing Burnout (17:17)
To keep her staff from burning out, Jackie rotated calls and cross-trained each person so that, no matter what, people could cover each other's roles during their on-call shift. Jackie would also jump into on-call sessions herself, because she likes to help and get into the weeds of the technology.

Leveraging The Team (20:30)
Jackie has tested new technology for her employers throughout her career. Now managing information technology for a hospital, Jackie recognized how hard it is to get advanced technology approved at a larger company. While it is understandable that a hospital focuses more on patient care than on tech, Jackie shares how she and her staff were leveraged to get the hospital's systems up to par.

Updating The Voice Network (25:43)
Steve presses Jackie on her role in upgrading the hospital's voice network. With so many providers' offices and clinics to service, Jackie did have to hire a consulting company to help with the project. Although Jackie does not hold a project management certificate, she does believe the training is valuable.

Phasing Into Information Security (29:32)
One day the FBI showed up at the hospital to report that an employee was stealing patients' identities through the hospital's systems. Still in her IT management role, Jackie was less information-security-minded at the time. Jackie was brought in to navigate the investigation and fell in love with the security world, which led to the next phase of her career. During this time, Jackie learned that she couldn't stop obsessing over the breach and had the drive to solve security problems.

Becoming The CISO (34:22)
In 2013, Jackie moved from being the IT leader to officially being the security leader. She then started auditing access to patient charts and finding other ways to protect people's personal information. Soon Owensboro acquired another hospital, and the FBI arrived again to share that there had been an even more significant breach, this time by a malicious outsider. Since this breach was inherited from the newly merged hospital, Jackie had to work through its systems and determine how to handle the issue.

Money and Momentum (39:47)
Steve presses Jackie on how she handled having money and momentum in the security space for the first time. Jackie immediately put encryption in place and built a security team who could support the organization's overall mission.

Getting Involved Early (43:27)
After being involved in another acquisition, Jackie explains how much easier that process was because the security team was brought in early. They were able to do their due diligence more effectively using their own products.

The New CISO (46:01)
To Jackie, being a CISO in healthcare is rewarding because you protect patients and their data.

Links mentioned: LinkedIn

S1 Ep 79 Building Your Framework for Fulfillment
In this episode of The New CISO, Steve is joined by Demetrios "Laz" Lazarikos, three-time CISO and co-founder of Blue Lava Security. A naturally curious child, Laz became interested in technology early, which prompted a lifelong love of learning. Today, he shares how lessons from childhood and the Air Force led to his fulfilling CISO career. Listen to the episode to learn more about Laz's fascinating cybersecurity journey, the influence of his family, and how to become a more effective mentor.

Listen to Steve and Laz discuss his approach to career development and how his passion for learning led to his success:

Meet Laz (1:43)
Host Steve Moore introduces our guest today, Laz Lazarikos. With over thirty years of security experience, Laz wanted to build a platform where security leaders could measure, optimize, and develop their security programs, which he accomplished with Blue Lava. As a child, Laz's mother encouraged his interest in technology. Passionate about solving tech problems from an early age, Laz credits that childhood interest as the start of his cyber security career.

Growing Up Greek (6:56)
Laz shares what it was like growing up in a traditional Greek family, which he compares to the film My Big Fat Greek Wedding. Coming from a family of entrepreneurs, Laz felt pressure to take over the family business but instead started a security career. At twelve years old, on his mother's advice, Laz went to his uncle, a loan shark, for a loan to buy tech, which he paid back with interest. Laz appreciates the lessons he received from his mother and credits her with giving him valuable life experience.

Meeting Carl Sagan (10:46)
At ten years old, Laz heard Carl Sagan, of the original Cosmos fame, speak during a field trip. Much of Sagan's talk resonated with Laz, including the idea that anyone could do anything they wanted if their actions aligned with their goals.

Going Into The Air Force (13:13)
Steve asks Laz about his time in the Air Force. While being recruited, Laz became interested in how systems and machines worked. Before he joined, the Air Force promised he would get extensive training and education around secure communications, which secured his interest. At seventeen, Laz's mother allowed him to be emancipated, and he officially joined the Air Force, where he learned foundational lessons for functioning in society.

A Foundation Of Learning (18:30)
Steve presses Laz on what he does today in his pursuit of education. Laz shares how his mother took him to the library every weekend as a kid and how his father had him complete writing exercises based on the newspaper. Today, Laz sees education as something you can never lose and can apply to both life and work. Still a lover of libraries, Laz holds library cards for three cities and looks to history to improve his efforts.

Working Backward To Move Forward (22:32)
In terms of mentorship, Laz recommends thinking about your goals and working backward from them. This approach has always worked for Laz and for other CISOs as well. Laz puts thought into how he uses his time for personal growth and looks to the great CISOs of the past to evaluate which actions lead to success.

MBA Or Side Hustle (30:00)
Steve presses Laz on whether CISOs should get an MBA or do a side hustle to build a security network. To make this decision, you should evaluate the cost and time each requires and determine whether either is needed for your overarching goals. You have to make choices based on what's best for you.

Advancing Through Mentorship (36:58)
To Laz, your CISO career boils down to mentorship, and he acknowledges that his mentors were his family and, later, the Air Force. With meaningful relationships, training, and academic learning, you can advance your career and succeed at your job.

The Missing Piece (39:32)
Steve asks Laz what senior security professionals are missing in terms of mentorship tactics. Laz says CISOs should understand their goal as leaders and then work backward. He also suggests being open to feedback and working on teaching effectively. Laz felt inspired to teach in order to give back to the community and share his life lessons with his students.

A New CISO (49:25)
To Laz, new CISOs should ask themselves whether they are coachable, open to feedback, and willing to learn new ways. Although the old tactics were helpful, we must look to new strategies as we move forward.

Links mentioned: LinkedIn

S1 Ep 78 Bridging the Effectiveness Gap: A CISO's Perspective on New-Scale SIEM with Tyler Farrar
In this episode of The New CISO, Steve is joined by Tyler Farrar, the CISO at Exabeam. With malware-free attacks becoming increasingly common, Tyler understands the best ways to bridge the effectiveness gap. With this in mind, he shares his SOC philosophy and the importance of threat detection. Listen to the episode to learn more about the act of prevention, the pillars of a SIEM product, and why attackers gravitate toward credential techniques.

Listen to Steve and Tyler discuss the steps to success in an age of constantly increasing data:

Meet Tyler (2:06)
Host Steve Moore introduces our guest today, his colleague Tyler Farrar. Before working at Exabeam, Tyler was a customer. With his impressive background in the security field, Tyler explains Exabeam's perspective on "defender behavior" and on balancing incident response and crisis management with prevention.

The Focus On Prevention (5:50)
Steve presses Tyler on how you should balance your methods to increase prevention. Tyler lists different preventative tools, such as firewalls, and stresses the importance of detecting suspicious activity early. Tyler gives his take on how response becomes prevention in crisis management: preventative tools can fail, so being able to detect suspicious behavior is critical.

Addressing The Gap (10:36)
Addressing the gap in analytics, Tyler recognizes that there is a difference between what the security team needs and what the SIEM product delivers. Every company faces an immense volume of data, inefficient manual processes, and software that can fail to detect the attacker's behavior. Tyler lists the solutions that can counteract these problems, including behavioral analytics.

The Rise Of Malware-Free Attacks (14:32)
Steve points out that 71% of cyber-attacks are credential-based and malware-free. Tyler explains that attackers use the compromised-credentials approach because it is easy. CISOs can miss the mark because legacy software can be ineffective at detecting these threats.

New-Scale SIEM (20:43)
According to Tyler, a new-scale SIEM should be able to securely ingest data from anywhere, parse that information quickly, and then store it and make it searchable. Tyler also explores his philosophy on how to design a SOC. One example of a productive SOC practice is conducting risk assessments throughout the organization to identify gaps and then acting on the results.

Life Of The Analyst (28:52)
Steve presses Tyler on how the experience of the investigation factors into meaningful work for the analyst. Tyler stresses the importance of SOC leadership in making the team effective. A stressed SOC can lose talented workers, which in turn affects the company's security.

New Software Ahead (33:16)
Tyler discusses the products he is looking forward to on the horizon. Every CISO's goal is to keep their company safe. Being able to show all the threats and vulnerabilities in place would be hugely valuable, which is why Tyler is interested in Systems Navigator.

SOC Philosophy (49:55)
Tyler's top SOC philosophy is to understand your adversaries and how they think, as well as your defenders. Understanding both perspectives can create a culture of empowerment and protect the organization from threats.

Links mentioned: LinkedIn
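Steve Magowan's point earlier on this page about detection moving from signatures to "normal vs. abnormal," and Tyler's point above about credential-based, malware-free attacks, describe the same mechanism: a login made with valid credentials leaves nothing for a signature to match, so the signal has to come from comparing each event against what is normal for that user. The Python script below is an added example written for this page, not code from the podcast, from Exabeam or from BlackBerry. It builds a per-user baseline of source network, target host and login hour from a training window of constructed SSH login lines, then scores new logins by how many of those attributes fall outside the baseline, next to a plain indicator-list check that fires on none of them. The log format, the sample events, the indicator list and the equal-weight scoring are assumptions made for illustration; a production UEBA or SIEM model uses many more features, peer-group comparison and learned weights.

```python
"""Baseline-and-deviation detection over constructed SSH login events.

Added example: a toy version of "normal vs. abnormal" scoring. The log
format, indicator list, sample events and scoring rule are all assumptions
made for illustration, not Exabeam's or BlackBerry's implementation.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Syslog-like line shape assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z sshd: Accepted "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) host=(?P<host>\S+)$"
)

# Constructed training window: a few days of ordinary successful logins.
TRAINING_LINES = [
    "2024-03-04T09:12:33Z sshd: Accepted publickey for alice from 10.1.20.14 host=build01",
    "2024-03-04T10:02:11Z sshd: Accepted publickey for alice from 10.1.20.14 host=build02",
    "2024-03-05T08:47:05Z sshd: Accepted publickey for alice from 10.1.20.31 host=build01",
    "2024-03-05T17:20:40Z sshd: Accepted publickey for alice from 10.1.20.14 host=build01",
    "2024-03-04T13:05:09Z sshd: Accepted password for bob from 10.1.30.7 host=fin-db01",
    "2024-03-05T14:11:52Z sshd: Accepted password for bob from 10.1.30.7 host=fin-db01",
]

# Constructed events to score.
NEW_LINES = [
    # Working-hours login from a known subnet to a known host: nothing unusual.
    "2024-03-06T09:30:00Z sshd: Accepted publickey for alice from 10.1.20.14 host=build01",
    # Valid key, no malware, no failed attempts, so a signature has nothing to
    # match; but for alice the host, the source network and the hour are all new.
    "2024-03-06T03:14:27Z sshd: Accepted publickey for alice from 203.0.113.9 host=fin-db01",
]

# Constructed indicator list standing in for a signature feed. It matches nothing above.
KNOWN_BAD_SOURCES = {"198.51.100.77"}


def parse_line(line):
    """Turn one log line into a dict with derived hour and source /24."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][11:13])  # timestamps are UTC in this format
    ev["net"] = str(ip_network(ev["src"] + "/24", strict=False))
    return ev


def signature_match(events):
    """The legacy check: fire only when a known-bad indicator appears."""
    return [ev for ev in events if ev["src"] in KNOWN_BAD_SOURCES]


def build_baseline(events):
    """Per-user sets of what has been seen: source /24, target host, login hour."""
    baseline = defaultdict(lambda: {"nets": set(), "hosts": set(), "hours": set()})
    for ev in events:
        b = baseline[ev["user"]]
        b["nets"].add(ev["net"])
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["hour"])
    return baseline


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, ev):
    """Count how many attributes of this login fall outside the user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return 3, ["first login ever seen for this user"]
    reasons = []
    if ev["net"] not in b["nets"]:
        reasons.append(f"new source network {ev['net']}")
    if ev["host"] not in b["hosts"]:
        reasons.append(f"new target host {ev['host']}")
    # Allow one hour of slack either side of any hour the user has logged in before.
    if all(hour_distance(ev["hour"], h) > 1 for h in b["hours"]):
        reasons.append(f"unusual hour {ev['hour']:02d}:00 UTC")
    return len(reasons), reasons


def detect(training_lines, new_lines, threshold=2):
    """Return alerts for new events that deviate from the baseline in >= threshold ways."""
    baseline = build_baseline(parse_line(l) for l in training_lines)
    alerts = []
    for line in new_lines:
        ev = parse_line(line)
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            alerts.append({"user": ev["user"], "score": score, "reasons": reasons, "line": line})
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_match(parse_line(l) for l in NEW_LINES))
    for a in detect(TRAINING_LINES, NEW_LINES):
        print(f"ALERT {a['user']} score={a['score']}: " + "; ".join(a["reasons"]))
```

Run directly, the script reports no signature hits and one alert for alice with three reasons (new network, new host, unusual hour). The threshold of two deviations keeps a single new host or a slightly late login from paging anyone; that threshold, the one-hour tolerance and the training window length are the knobs to tune against your own false-positive rate, and a user with no baseline at all (a new hire or a newly created account) is deliberately scored as fully abnormal rather than silently skipped.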

S1 Ep 77 Storytelling For CISOs – How to Make Your Message Resonate with Tom August
In this episode of The New CISO, Steve is joined by Tom August, a seasoned CISO with over thirty years of experience. Starting his career as an accounting intern, Tom has since had an incredible journey in which he not only wrote the CISO Handbook but created a risk-management methodology. Today, he shares what he has learned from his years in the cybersecurity industry and the importance of storytelling. Listen to the episode to learn more about Tom's unique transition into cybersecurity, the inspiration behind the CISO Handbook, and selling your "why."

Listen to Steve and Tom discuss how to captivate executives without fearmongering and how to navigate hard conversations with the broader organization:

Meet Tom (1:55)
Host Steve Moore introduces our guest today, Tom August. Over his decades-long career, Tom has worked across multiple industries, from healthcare to military defense to financial services. A lifelong fan of electronics, Tom found cybersecurity a life-changing move despite an initially unrelated start.

Tom's Take (5:30)
Steve presses Tom on what it was like watching the famous John McAfee and his team work when Tom was an accounting intern. Tom saw that they had an organized methodology and plan for handling a security breach and appreciated being brought in. A wide-eyed college student, Tom was fascinated by everything he learned and wanted to do more.

The Move To Financial Services (9:07)
While building out the security program at a financial organization, Tom had the opportunity to be mentored by one of the original CISOs, Micki Krause. Recognizing Micki as a trailblazer in the cybersecurity industry, Tom appreciates that he learned from her both technical skills and how to communicate with chief executives. Challenged by Micki, Tom was encouraged to write security books, which led to the CISO Handbook.

The CISO Storyteller (15:50)
To Tom, every CISO needs to be a storyteller, though few have mastered it. Often CISOs speak to executives in buzzwords and acronyms rather than adequately explaining the problem they are trying to solve. To combat this, Tom urges listeners to work on their communication skills.

The IT Audit (17:07)
Tom led many audits and learned a great deal about the organizations involved, and as a result had to present a lot of research to international executives. Although Tom can't share much about this period, he acknowledges that specific cultural differences made it challenging to tell the story of the problem at hand.

A Lever of Influence (27:55)
Through his mentor relationship with Micki, Tom learned a simple but valuable risk-management methodology. Tom took it further by meeting with executives individually to learn what they cared about in terms of risk. As a result, Tom ensured that he could meet the needs of his organization, and by the time he met with the board, there were no surprises about his security plans.

Improving Our Stories (36:50)
Steve presses Tom on why so many CISOs lack comprehensive storytelling skills, which Tom attributes to their need to be correct. Recognizing that CISOs have good intentions, Tom also understands that they can miss the bigger picture. If you are a CISO, you should know why your problem is compelling; if you can sell that, the "where," "when," and funding will follow. The main thing is not to confuse your audience with your delivery, so that you hold their attention and promote clarity.

Risk Vs. Compliance (44:46)
Because of his accounting background, Tom understands that auditors are well-intentioned but limited by their checklists. Knowing that risk does not follow the rules, Tom explains that compliance is not always the most helpful approach. Risks are difficult to quantify and require everyone involved to be on the same page about the next steps.

The Modern CISO (49:55)
To Tom, being a new CISO means being a fantastic listener, a business partner, and someone who understands both risk and compliance. And, of course, you need to be a good storyteller who knows how to put everything together.

Links mentioned: LinkedIn

S1 Ep 76 Translating Your Military Skills for Security Success with Jason Hamilton
In this episode of The New CISO, Steve is joined by Jason Hamilton, CISO at Mutual of Omaha, to discuss how a military background leads to security success. After twenty-two years in the U.S. Marine Corps, Jason was able to take his skill set into the cyber security industry. Today, he shares what he learned over the years that prepared him for the career he has today. Listen to the episode to learn more about Jason's military experience, tips for officers entering the civilian workforce, and the importance of corporate mentorship.

Listen to Steve and Jason discuss ways for veterans to transition into the corporate world:

Meet Jason (1:45)
Host Steve Moore introduces our guest today, Jason Hamilton. Jason shares his first mission as a Communications Systems and Information Officer. Jason also describes what a higher-ranking officer should do, such as refining leadership skills and managing efficiently.

Essential Lessons (8:30)
Steve presses Jason on what else he learned from his early days as an officer. Jason explains that there is no such thing as a perfect leader, and everyone makes mistakes. The key is to learn from your mistakes while you are young, which applies in both the military and the corporate world.

Civilian Training (10:01)
When Jason first joined the Marine Corps, information technology was separate from his role. To move up, Jason had to learn to work with data on the battlefield and eventually took on an instructor position. To get smart fast, he took civilian classes to ensure he could adequately train other officers on information and data.

Part Of The Job (14:56)
As Jason rose through the ranks, working with data remained part of the job. Jason learned about Cyber, formerly known as Information Assurance, and how it became a priority for the Marine Corps. As Cyber became part of the military, it became more and more a part of Jason's career.

The Last Ten Years (19:22)
Jason reflects on his last ten years in the Corps. Like anyone who has served a long time, he had to broaden his horizons to reach a different level, often through education. By the end of his military career Jason had a strictly cyber role and focused on leadership. Ultimately, Jason credits everything he did in the Marine Corps with preparing him for the corporate world.

General Feedback (22:55)
Steve presses Jason for advice he can give other officers looking to transition into civilian work. Jason reminds officers to humble themselves when entering the corporate sector, because co-workers may not care about their military past. He also urges officers to work on resume writing and to seek mentorship when looking for a job.

Lessons On Corporate Culture (32:10)
When veterans come into an interview, there is a natural culture shock, primarily because workers outside the military are less likely to be Type A. Other differences include incorporating empathy and listening into your leadership style. While in the military it is up to you to solve a problem quickly, in the corporate world there is much more emphasis on nurturing your team to fix workplace issues.

The Mentor Relationship (35:31)
Jason used to meet his corporate mentor once a month and learned after the first meeting that he would need to drive the conversation. Jason then sent his mentor his agenda two weeks ahead of time to make the most of every encounter. Ultimately, veterans need to show initiative when transitioning into civilian work.

The End Of The Mentorship (37:37)
Steve asks Jason what officers should gain from a corporate mentorship program. Besides resume writing, Jason urges veterans to learn how to negotiate salaries and to familiarize themselves with corporate culture.

Finally, A CISO (41:58)
Now a CISO, Jason shares his goals when starting his cyber security career. His first goal was to give himself two years in the corporate world to see how he fared. His next goal was to learn how to influence the program and take the necessary steps. To Jason, being a new CISO means having the ability to set a direction in the corporate world. It also means giving back to his company and associates as he continues to hone his leadership abilities.

Links mentioned: Mutual of Omaha

S1 Ep 75 Broad Knowledge is Power: Building a Better Security Team with Bryan Willett
In this episode of The New CISO, Steve is joined by Bryan Willett, CSO at Lexmark International, Inc., to highlight the importance of collaboration and team building. With over two decades of experience, Bryan understands the CISO role and how to support your team. With this in mind, he shares what CISOs can do once they reach this position to develop their skills further. Listen to the episode to learn more about transitioning into management, sharing your knowledge, and the benefits of diversity.

Listen to Steve and Bryan discuss how to build a diverse security team and the skills needed to be a better CISO:

Meet Bryan (1:50)
Host Steve Moore introduces our guest today, Bryan Willett. Bryan has worked at Lexmark for over 25 years and prioritizes minimizing risk for the business. With a unique scope of duties, Bryan has worked his way up the ranks and monitors security trends, such as supply chain measures. Ultimately, he understands the importance of collaboration in keeping every area of the company safe.

The Road Travelled (5:37)
Beginning his career in firmware development, Bryan wanted to move into a position where he could learn more about the product development pipeline and work with people. He then went down the product management track, which set him up for the leadership side of the field.

The Best PM (10:27)
When asked about his stepping stone from product manager to manager, Bryan reflects on what motivates him to work hard and improve the team around him.

Feeling Intimidated (13:00)
Steve presses Bryan on how intimidation and imposter syndrome affect career goals. Bryan shares that he is primarily looking for team members who are jacks of all trades, and that he believes a diverse set of knowledge sets you up for success. With multiple skills, you will be able to work well in the security field, even if it is initially uncomfortable.

Developing as a CISO (16:26)
Bryan shares what CISOs can do in their position to develop further. Once in a management position, you should always support your team and prepare them for their next roles.

Improving as a Salesperson (24:02)
As you pitch executive leadership on programs you want to implement, make sure you can explain what you need simply, without technical jargon, and convey the key points you are trying to make. Crafting a clear elevator pitch will help you make the sale.

Solving Business Problems (31:18)
Early in Bryan's career, Lexmark was experiencing challenges due to the nature of the printing industry. Noticing that the company was exposed to a certain level of risk, Bryan built a highly capable team to harden the system and create a security development lifecycle for both the company and its customers.

Third-Party Risk Management (38:16)
When Bryan started his third-party risk management program at Lexmark, he had to partner with the procurement and legal teams. Because of his experience with other aspects of the business, Bryan was well prepared to oversee this endeavor and communicate with others about their needs.

Business Savvy (42:07)
Steve presses Bryan on the future of CISOs. Considering today's CISO, Bryan understands they likely worked their way up in the security field. However, Bryan recognizes that the field will mature as we uncover new risks, and the CISO role will change with it. Bryan predicts that future CISOs will have the deep business knowledge needed to keep the company moving and make the necessary trade-offs.

The New CISO (45:47)
To Bryan, being a new CISO means focusing on diversity in the workplace by hiring individuals different from you. It is essential to understand your weaknesses and fill the gaps with other talented security professionals who can make your team complete.

Links mentioned: Lexmark

S1 Ep 74 Success After CISO: How to Become Your Own Boss with guest Aaron Bailey from The Missing Link
In this episode of The New CISO, Steve is joined by Aaron Bailey, CISO and co-founder of The Missing Link, to discuss what it takes to start your own security business. Getting his first computer at eleven years old, Aaron has always loved working with technology. In recounting his professional journey, Aaron shares the benefits and difficulties of being a cyber security founder. Listen to the episode to learn more about Aaron's first jobs, joining an established startup, and success after being a corporate CISO.

Listen to Steve and Aaron discuss being your own boss and the challenges of being a co-founder:

Meet Aaron (1:32)
Host Steve Moore introduces our guest today, Aaron Bailey. Always a tinkerer with technology, Aaron explains how he started in cyber security, working his way up from entry-level positions. After high school, Aaron struggled to find a job. After memorizing a manual on his father's advice, with the understanding that he would be quizzed on it, Aaron finally got hired at a computer shop, launching his career.

Why This Job (9:23)
Steve asks Aaron what the pay was like at his first job. Through hard work, Aaron's salary doubled within a year, and he was paid far more than other people his age.

Aaron's Advice (11:52)
Although Aaron does not believe you need to be a staunch techie like himself for every job, what he looks for in an interviewee is passion, intelligence, perseverance, and dedication to the field.

Essential Eight (19:42)
Steve presses Aaron on the Essential Eight guide and how to explain it to others. Aaron describes it as containing the top mitigation strategies for cyber intrusions. To apply it properly, you have to embrace automation.

Becoming a Founder (25:53)
When Aaron's colleague Sam resigned from their corporate job, Aaron learned he was starting his own business and wanted Aaron to come with him. Sam prompted Aaron to meet with the other partners, beginning the next stage of his CISO career. Aaron then shares the early weeks of joining The Missing Link and the challenges along the way.

A Non-Startup Startup (33:05)
The Missing Link was already a successful startup before Aaron joined, but it did not have a cyber security department. Aaron and Sam became the company's security professionals, which took tremendous planning and organizing.

The Entrepreneur CISO (38:48)
Host Steve presses Aaron for his advice to other CISOs who want to start their own businesses. Aaron shares what was difficult about being a corporate CISO, where you are not always listened to, compared with his position at The Missing Link. As a founder, you have more responsibilities, but it is much easier to ask for what you need for your team.

More Advice (44:03)
Aaron is still learning the shareholding and equity aspects of being a founder. Success once does not always mean success every time, so Aaron's main advice is to always ask for advice. Starting your own cyber security department is the most incredible interview of your career, but the path is not always easy.

A New CISO Founder (50:59)
To Aaron, being a CISO and a boss means having a seat on the board. Training new CISOs and watching them leave to start their own companies gives him the most joy. Ultimately, the new CISO strives for the top and is not afraid to bring others up in this increasingly necessary field.

Links mentioned: The Missing Link

S1 Ep 73 Leading with a Military Mindset: It's We, Not Me with Steve Magowan
In this episode of The New CISO, Steve is joined by Steve Magowan, Vice President of Cyber Security at BlackBerry, to discuss how military teachings apply to tech. Starting his career in the Air Force, Steve understands how the military mindset can make you an asset in the security field. Evaluating the benefits of his experience, Steve shares what CISOs can learn from military professionals. Listen to the episode to learn more about the importance of understanding IoT, the military work ethic, and how quality leadership stems from a lack of ego.

Listen to Steve and Steve discuss the key qualities of a leader and breaking into cyber security:

Meet Steve (1:39)
Host Steve Moore introduces our guest today, Steve Magowan. Steve reveals how long he has worked for BlackBerry. Steve Magowan explains how his background in the Air Force led to his cyber security career, where he uses his technical abilities and wears many hats.

A Canadian In The Air Force (4:44)
Steve asks Steve Magowan, a Canadian, what was more challenging about the Air Force: the cold in Canada or dealing with Americans? Steve shares that the real difficulty is flying through the congestion above the United States. He realized how empty most of Canada is, which makes for great training grounds.

A Transition Opportunity (8:19)
Steve Magowan shares how his various skill sets suited him for the transition into cyber security and how the need for people who understand IoT applications keeps growing. Although that skill set is now recognized as vitally important, it is hard to find someone with technical abilities who can also manage a team. Because of their work ethic and unique perspective, the military has become a worthwhile pool for recruiting cybersecurity professionals.

The Military Mindset (13:56)
Steve and Steve discuss the differences between non-military and military security professionals. Host Steve notes that people who have served tend to be more willing to work long hours and to share their perspectives when managing a crisis. Steve Magowan explains that much of this team mentality comes from the "us and we and ours" core of military training.

Moving Into Cyber Security (17:00)
Although Steve did not have a direct cyber security background, a family friend knew of a job for him in the field. At 38, with years of consulting and IoT experience, Steve was well suited to transition, at first into an IT team, on the strength of his leadership skills. He recognizes that his military experience opened the door for him, but his hunger for knowledge made him succeed.

Bringing Leadership To The Table (22:38)
For aspiring CISOs, host Steve presses Steve on which qualities helped him break into the field and assure employers of his leadership abilities. Steve reiterates that his military background made him a worthwhile candidate, partly because of his lack of ego. Steve knows he is not the most intelligent guy in the room, which makes him want to learn and figure out how to solve any security problem that comes his way.

The Emerging Problem (27:55)
Supply chain risks are a growing threat and a challenge to people in the cyber security world. Steve Magowan shares how security professionals have dealt with these types of breaches and the differing objectives of business leaders and CISOs.

Differing Agendas (31:15)
Steve and Steve discuss the conflicting agendas of CIOs and CISOs. Corporate America has not fully grasped the growing cyber threat, which makes it harder for CISOs to do their jobs. CISOs have accepted high-risk positions, which is why they must learn to communicate with CFOs in terms of the CFO's interests: money and business outcomes.

See You Next Time (41:16)
With so much left to discuss, especially third-party and supply chain risks, host Steve invites Steve back to the show.

The New CISO (42:25)
To Steve Magowan, a CISO is an enabler rather than a barrier. A CISO's job is to protect the company against risk and allow the business to succeed.

Links mentioned: BlackBerry

S1 Ep 72: Landing a Seat in the C-Suite with Mike Woodson
In this episode of The New CISO, Steve is joined by Mike Woodson, Director of Information Security and Privacy at Sonesta International Hotel Corporation, to discuss the risks and rewards of being a CISO.

First starting his career in law enforcement and cybercrime investigation, Mike now applies his police mindset to cyber security leadership. With his varied experiences in mind, he shares how his unique background makes him a well-equipped CISO. Listen to the episode to learn more about getting to the root of a threat, working with global agencies, and why CISOs should be compensated well for their high-risk responsibilities.

Listen to Steve and Dr. Adrian discuss the value of mentorship and the ins and outs of a CISO career:

About Mike (1:46)
Host Steve Moore introduces our guest today, Mike Woodson. Mike reveals how long he’s worked for Sonesta International Hotel Corporation and how he started in the cyber security field. Mike details his background in law enforcement and teaching, which led him to investigate global cyber crimes and begin his CISO career.

The Cyber Cop (9:09)
Steve presses Mike on how he applies his police investigative skills to the cyber security field. Mike asks the right questions to understand what he’s dealing with during a threat. He understands that his various skill sets are a unique asset to the CISO job and help him get to the root of the problem.

The Best Job (12:27)
When asked about his favorite job, Mike shares how much he enjoyed his time working for the Indonesian government. He worked with various global agencies investigating cyber crimes, which allowed him to make a difference and meet impressive people.

Mike’s Advice (14:53)
Mike’s advice to his younger self is not to settle and to be adventurous. He did not plan to go to Indonesia or be a CISO, but he took his opportunities and listened to the mentors he had along the way.

Radio Days (18:57)
Mike shares his past as a radio DJ and how it was his first love. Steve also discusses his recent experience as a podcast host.

Interview Tips (22:35)
Steve presses Mike on his perspective on perfecting CISO interviews. Mike reminds the listeners to be themselves and take the interview as it comes. Ultimately, you have to focus on being dynamic and asking probing questions. You have to “look before you leap.”

Why CISOs Quit (27:53)
Mike shares why some CISOs leave a position. If someone in this role is being treated as an afterthought by higher-ups, it can easily lead to dissatisfaction. For such a high-pressure job with crucial responsibilities, it’s essential to be taken seriously by management and paid appropriately.

Should We Ever Ask The CIO? (29:39)
Steve asks Mike if there are ever times a CISO should report to the CIO. To Mike, the answer is no. The role of the CISO has grown, and if they are the chief executive officer of cyber security, they should have a seat at the table. For the business’s survival, the CISO should be trusted based on their expertise.

Do We Need CSOs? (32:46)
Many companies have CISOs and CSOs, which share the same command line. Mike believes some organizations should have both positions, depending on their structure.

Setting The Tone (37:38)
Steve asks Mike how new CISOs can be proactive post-hire. You’ll do well if you focus on building relationships, listening to people, and learning the business. To Mike, a CISO is the person who looks, listens, and leans into his work.

Links mentioned:
Sonesta International Hotel Corporation

S1 Ep 71: Train the Way You Fight, Fight the Way You Train with Dr. Adrian Mayers
In this episode of The New CISO, Steve is joined again by Dr. Adrian Mayers, VP and CISO at Premera Blue Cross, to dig deeper into his knowledge of insider threat management and intelligence.

As an experienced CISO, Dr. Adrian understands the difficulties of a cyber security career. With this in mind, he shares the day-to-day obstacles of the profession and what aspiring CISOs can expect from the job. Listen to the episode to learn more about the pressures CISOs face, the psychology of insider threats, and how to work past life’s challenges.

Listen to Steve and Dr. Adrian discuss how to get through difficult life hurdles and manage cyber threats:

The “Superhero” CISO (1:44)
Host Steve Moore reintroduces our guest today, Dr. Adrian Mayers. They acknowledge the stress and pressure a CISO may feel to play a superhero role, stopping every cyber threat. Although no one can prevent every obstacle, Dr. Adrian insists that every CISO must consistently and with high motivation attempt to stop every threat that comes their way.

Taking A “Bad” Job (5:26)
Steve presses Dr. Adrian on whether someone should ever take a “bad” CISO job. Dr. Adrian brings up that every CISO needs their eyes wide open with every gig, but that early in your career, you may have to take less than ideal positions in exchange for experience.

The Bad Day Factor (9:53)
When asked about his worst day on the job, Dr. Adrian reflects that there is always something you can learn from your most challenging moments.

Insider Threat Management (13:01)
Dr. Adrian shares that his affinity for investigating insider threats first developed from his love of video games. After extensive research on counter-intelligence, he understands that specific triggers in people’s lives can lead to unintended consequences or malicious intent.

Evaluating The Insider Threat (15:35)
Steve questions why an insider may psychologically want to compromise the security of their company. Dr. Adrian states that every insider who goes against their company has one thing in common: a desire to deviate from the norm. Determining that motivation helps the CISO manage their investigation.

How Far Should The Staff Go (20:46)
Dr. Adrian states that your team needs to understand exactly what they’re doing before talking to vendors or others. By discussing with your team the boundaries for their current investigation, you can gain additional insights that will put everyone on the right path.

The “Why” For Education (22:31)
Years ago, Dr. Adrian decided to get a doctorate in business administration specializing in international security. He then decided to get additional certificates in the security field. Ultimately, his desire for further education came from his immense curiosity but was also prompted by the grief of losing his daughter.

Defining Quality Intel Programs (28:49)
“Threat intelligence is full-spectrum intelligence,” according to Dr. Adrian. By leveraging the information from your intel program and applying context around it, every security team should be able to determine the motivation for the threat and paint a more holistic picture.

Surprising Information (32:00)
Steve presses Dr. Adrian on the most surprising things he’s learned from his background in threat management. Dr. Adrian reflects on the amount of data vacuumed up from our adversaries. Another shocking piece is the amount of data our allies gather on the U.S., though, of course, the reasoning for gathering that information varies.

Ph.D. Proud (35:54)
Dr. Adrian always puts his doctorate before his name for several reasons. As a Black man from Canada living and working in the United States, he realized he would experience more hurdles than others in the field. This put him on the path to being better, and getting his education has always put him in the position to thrive.

Links mentioned:
Premera Blue Cross

S1 Ep 70: Trusting Your Tech to Tackle Human Problems with Dr. Adrian Mayers
In this episode of The New CISO, Steve is joined by Dr. Adrian Mayers, VP and CISO at Premera Blue Cross, to discuss what to consider when interviewing for CISO positions and how to trust your tech in the security field.

Since fifth grade, Dr. Adrian Mayers has had a passion for computers. Now a CISO, he shares the role computers play in a security professional’s day-to-day life. Listen to the episode to hear more about Dr. Adrian’s advice for aspiring CISOs, the relationship between human behavior and tech, and his thoughts on the transition to automation.

Listen to Steve and Dr. Adrian discuss how to find the right security team and solve human problems with technology:

Meet Dr. Adrian (1:56)
Host Steve Moore introduces our guest today, Dr. Adrian Mayers, who shares a bit about his life before Premera Blue Cross and his childhood interest in computers.

The Power of Story-telling (5:43)
Dr. Adrian explains his love of narrative-based gaming and how escapism provides relief after difficult work days. He also shares how video games give him strategy ideas he uses in his current role.

The Character of a Leader (8:19)
When asked about his characterization of a leader, Dr. Adrian reflects that a leader is someone who has integrity at their core. He expresses the importance of evaluating who you are and ensuring you bring your values into a leadership position.

Advice For Aspiring CISOs (9:25)
Steve asks Dr. Adrian his advice for those interviewing for CISO positions. Dr. Adrian shares why you should communicate how security plays into your day-to-day life and ask questions about the team’s previous history when tackling security problems. The main thing is to be comfortable with who’s in front of you, because you would be building relationships with this team if offered the position.

Looking For Your Next Position (16:08)
There are different considerations if you’re courting a government position than when evaluating a job at a start-up company. Ultimately, it depends on each security company’s process and context when navigating the interview stages.

Solving Human Problems (18:25)
Steve asks Dr. Adrian about his thoughts on tech solving human problems. Dr. Adrian reminds the listeners not to get so wrapped up in the technology that they forget what they’re trying to do: tackle human problems. Ultimately, tech helps CISOs do this work, but focusing on the human elements will keep you centered and effective.

Not Trusting The Tech (21:44)
Dr. Adrian recognizes that many security professionals wonder if they can trust data platforms versus the insights of actual human beings. He also understands that there is a difference between installing programs and implementing them. Overall, if you take the time to understand the tools, you can see how tech supports effective security decisions regarding human problems.

Defending Automation (26:27)
Steve presses Dr. Adrian on ways to convince security professionals to automate low-level tasks. Dr. Adrian assures the listeners that these changes are being made daily in the security field. By clarifying to security professionals that they will not be replaced by automation but will have more space for high-level problem-solving, the transition will be easier for teams to accept.

The Definition of Good (29:49)
Dr. Adrian explains that the definition of “good” for security programs stems from people. If security professionals have a sense of purpose to show up every day and learn how to use the tech, then that is the measure of a quality program. If you build a dialogue with your security team and understand their concerns and issues, they will have a sense of ease when moving in a technological direction.

Final Advice (38:45)
To Dr. Adrian, the most vital thing when interviewing for a CISO position is always to do your homework. If you are clear about your experience and how you can benefit the security team, you will be able to communicate why you are suitable for the role. Ultimately, you want to show how you are ready to roll up your sleeves and get to work, despite potential difficult days ahead.

Links mentioned:
Premera Blue Cross

S1 Ep 69: Solving Security Puzzles with Kevin DeLange
On this episode of The New CISO, Steve is joined by Kevin DeLange, the VP and CISO of IGT, to discuss how Kevin’s love of problem-solving led him to a career in cyber security.

Before joining the information security field, Kevin served in the military and completed a degree in Anthropology. Now a CISO, he reflects on how the skills he developed throughout these experiences brought him to where he is now. Listen to the episode to hear more about Kevin’s career journey, solving puzzles in the workplace, and his advice for those applying for CISO positions.

Listen to Steve and Kevin discuss how to define a problem before solving it and the value of real-world experience:

Meet Kevin (1:30)
Host Steve Moore introduces our guest today, Kevin DeLange, who shares more about IGT, a global leader in casino games, and how long he’s worked there.

Life Before IGT (2:43)
At seventeen, Kevin joined the military and worked on nuclear missiles. He credits this experience as his first foray into the security world.

The Practicality of Anthropology (5:58)
After completing his service, Kevin finished a degree in Anthropology. Kevin explores how this discipline allowed him to solve complex problems, which he has applied to his security career.

A Crooked Path (7:49)
Steve asks Kevin what he means by his “crooked path” into cyber security. Kevin explains that life is not a straight line and that although he couldn’t predict his career in his youth, he understands that he acquired the right skills along the way.

Generational Differences (9:32)
Although there are now college degrees in the security field, Kevin recognizes that there is no substitute for real-life experience. Kevin then lists the traits he looks for when hiring a security professional, particularly highlighting the value of soft skills.

Working With Senior Management (13:56)
Steve asks Kevin the best ways to present a problem in the workplace and how to stand out to senior management. Kevin says that you need to tailor your communication to the audience in front of you, whether technical or business groups. It’s also essential to ensure you have advocates outside the company to support you, which comes from building relationships.

CISOs And Their Sales Teams (17:51)
Kevin explains that the company’s goal is to make money and that his job is to ensure that the company is securely making money. Although, understandably, security professionals and sales teams may not see eye-to-eye, it is a necessary working relationship with a common goal.

Making A Choice (20:12)
Balancing three full-time jobs, Kevin eventually had to choose what he wanted to pursue. Ultimately, Kevin decided on information security because he finds it exciting and finds himself well-equipped for its problem-solving component.

Simplifying The Problem (23:28)
The most challenging thing for Kevin is to simplify the problem before trying to solve it, though that is what he strives to do most. Kevin laments that it’s “difficult to prove a negative,” but the more he condenses what he’s communicating to senior management, the more he can get the support he needs.

Let Things Fail (28:12)
You cannot oversee your own work as a CISO, so it’s critical to pass that duty to someone on your security team. Since you cannot do it all, it’s sometimes better to let things fail in order to move forward.

His Best Advice (35:18)
Steve asks Kevin what his red flags are for people applying for security leadership positions. Kevin provides his main criterion, which is paying attention to the hiring company’s definition of a CISO.

Links mentioned:
IGT

S1 Ep 68: Building The Right Relationships with Den Jones
On this episode of The New CISO, Steve is joined by Den Jones, the Chief Security Officer at Banyan Security, to discuss the importance of trustworthy and transparent relationships in the cyber security field.

Before joining the security intelligence industry, Den first worked as a postman walking the streets of his native Scotland and dreamed of becoming a musician. Now a CISO, he shares how to deal with misleading salespeople and create effective data security strategies. Listen to the episode to hear more about Den’s journey, the problems with vendors, and his thoughts on building relationships.

Listen to Steve and Den discuss the importance of building a network and proactive security intelligence:

Meet Den (1:40)
Host Steve Moore introduces our guest today, Den Jones, who shares a bit about his past and how he transitioned from postal work into cyber security.

The Must-Have Gear (3:31)
As a postman obsessed with music, Den saw at his buddy’s house a Roland RSP-550 that he was dying to have. Seeing this quality of gear led Den to quit his job to find a more lucrative career path, which eventually brought him into the world of cyber security.

College in the UK (7:03)
Unlike college in the US, where you learn several subjects, Den only took classes focused on IT. Unable to finish his degree, Den reflects on how he had to drop out of school yet was the first of his peers to get an IT job.

Get IT Started. Get IT Done. (12:18)
Den also discusses his Banyan Security podcast, Get IT Started. Get IT Done. Every episode, Den brings on inspirational guests to share their cyber security journeys and the full cycle of their business endeavors.

The Issue With Vendors (18:23)
Den recognizes that the hype around marketing distracts cyber security professionals from their work and that harassing salespeople can be a considerable frustration. Den explains how it’s better to have a “build relationships, not sell stuff” mentality, in addition to ways to build transparent vendor relationships.

Building A Team (27:28)
Steve asks Den why he had the mission to build a strong security intelligence team. Den explains that much of his motivation came from wanting to solve a major question the cyber security industry had not yet solved: “Was that you who logged in?” With a small team of college grads that Den organized, they built a data security platform that secures users from computer hackers through password protection.

Keeping Data Safe (32:58)
Den understands that executives do not share his interest in users’ security and are motivated by staying out of the press, which a preventable security breach could cause. For practitioners, the goal then must be to help their firms maintain a solid reputation but also to find ways to use their work for good.

The Pillars Of The Job (36:35)
Steve presses Den on the ways to push and maintain proactive security intelligence. Den explains how to determine the core questions that lead to protecting data and the vital importance of having users’ login information. By looking at identities, user devices, and the intelligence behind the users and the device, Den can develop data security strategies.

Tips and Recommendations (42:23)
All service accounts should be predictable, because predictable behavior allows the team to detect deviations from the norm. Den recommends maintaining tight access and monitoring service accounts’ task functions to keep data safe.

What Does It Mean To Be A CISO Leader? (48:40)
To Den, being a CISO means building a solid network of healthy relationships. With the right people around you, you can leverage their wisdom and advice to be a productive leader in the cyber security world.

Links mentioned:
Podcast - Get IT Started. Get IT Done.
Banyan Security

S1 Ep 67: Don’t Be Afraid to Break Things with David Lingenfelter
On this episode of The New CISO, Steve is joined by David Lingenfelter, the Vice President of Information Security at Penn National Gaming, to discuss the requirement to constantly learn and evolve in the IT security field.

After falling into his passion for IT, David quickly realized just how far his knowledge could take him if he constantly built upon it. Now, after a nearly 30-year-long career in IT with a focus on computer security, he shares his experiences growing and advancing through his work in the industry. Listen to the episode to hear more about David’s journey, his advice for beginners in the field, and his thoughts on IT management.

Listen to Steve and David discuss knowledge and advancement in security:

Meet David (1:20)
Host Steve Moore introduces our guest today, David Lingenfelter, who shares a bit about his past and how he got his start in cyber security.

The Wild West of IT (4:11)
When David began his career in IT in the early 90s, modern technology like remote access was not standard in work computers. Reflecting on his past, David discusses how he learned to market these new products to average users who didn’t understand IT.

Constantly Learning (7:46)
Before beginning his career, David was told, “if you never want to be bored, if you want to constantly be learning, go into Security.” As a beginner in the field, he constantly played with new technology and learned defense methods against the ever-evolving security attacks on IT systems.

Make It or Break It (11:44)
The IT security field demands new strategies and technologies to combat threats. David stays sharp by constantly theorizing with colleagues, “how can we make this work? And better yet, how can we break it?” He found that by working together to build something or tear it apart, you can learn how different technologies would typically work in the security space.

Go Play - Go Learn (15:12)
Steve asks David for his advice to those who wish to start or evolve in the IT security field. Additionally, they share their thoughts on creating educational lab environments and needing to have the genuine desire to learn and grow in computer security.

Business Management & Security Leadership (19:25)
David is now a VP of a company, which is a significant transition from where he started in IT. He describes the differences that he noticed between being a technical leader and being a business leader. Additionally, he and Steve discuss the new responsibilities that come with the business side of computer security, like product investments, protecting intellectual property, and more.

Mark Your Celebrations (28:50)
How do you celebrate when you receive funding to create technological advancements in computer security? David shares the ways that he demonstrates the value of his product creations to funders.

Operational Mantras (31:36)
David holds monthly meetings with his company’s IT team to show them the different things they’re doing in a security sprint, different threats coming up, and so on. He values communication with his team as one of the ways to connect all operations of his business.

End User Maturity (34:12)
Implementing new security protocols for end users can often be met with resistance. David shares his thoughts on the topic and how to balance the focus on implementing security with doing so in a way that has the least impact on end users.

Building Confidence & Asking Questions (38:04)
It is essential for leaders in the workplace to feel confident in their team. Steve asks David to share the one thing a security leader can do to increase their confidence in the team that represents the analytic capability of their organization. David cites the importance of communicating with team members, asking questions, and finding answers.

S1 Ep 66: Investing in Your Security Team with Zane Gittins
Episode summary:

On this special episode of The New CISO, Tim Lowe and Katie Hatch sit down with Zane Gittins, IT security manager. The co-founder of Rincon Security, Zane discusses what he’s learned building and managing an IT team. From computer science to consulting, Zane shares the journey of his career and what has led him to focus on cyber security visibility. Listen to the episode to hear more about Zane’s day-to-day, his news intake, and how he manages his growing team.

Listen to Tim, Katie and Zane discuss security management:

Zane’s Background (1:58)
Zane discusses his background in IT security management and consulting with his company Rincon. In a small organization, Zane wears a lot of hats and tackles a variety of issues.

Staffing (3:58)
Zane breaks down the misconception that it’s impossible to find good staff. He believes that if you invest in junior employees, as well as offer the right packages, you can put together a great team. He believes that people who are great communicators perform well in security. Zane sets up “lunch and learns” as a way to meet and bond with people in other areas of the business.

Education (7:01)
One internship can change the course of your career. At least, that’s what happened when Zane took on a security internship in college. Interested in computers from a young age, his education helped focus his path.

Advice to the Younger Self (8:54)
If Zane could change one thing about his journey in security, it would be to meet key members of the business sooner. Through making connections, Zane has learned what their concerns and risks are when it comes to security, and how he can help in those areas.

The Day-to-Day (11:00)
With security visibility as his top priority, Zane focuses on updating the systems and tools of the business, onboarding new people, and helping the business move in the direction it desires. Zane spends several hours a week staying up to date on current trends, utilizing Twitter to identify cybersecurity news. This preparation also helps him give context to family, friends and coworkers who hear about security stories in the media.

Managing the Security (16:26)
In a high-pressure job, Zane must stay on top of things to prevent threats. In particular, he is concerned about supply chain attacks and any new type of attack we do not yet know exists. On the other side of the coin, Zane enjoys the technical side of the job. He shares a time when he had to act like a cyber detective while consulting.

Motivating the Team (20:17)
Hunting down false positives every day, all day, can be fatiguing. Zane shares how weekly practice challenges have boosted the confidence and knowledge of his team.

Growing Team (24:07)
Zane chats about the specific skills and tools he and his team have utilized as they’ve grown. As there are a lot of tools to learn, Zane encourages team members to become experts in certain tools and platforms.

Security Threats and People (27:44)
When consulting, Zane is most concerned with external threats. Overall, he believes that everyone has something to bring to this growing industry. When it comes to hiring and training, Zane looks to people with passion. By documenting everything, Zane and his team can better scale and onboard.

24/7 Coverage (32:25)
Zane talks about what it’s like to cover the environments 24/7 and still allow himself and his team to sleep.

Links mentioned:
Rincon Security
Exabeam Podcasts

S1 Ep 65: Cybersecurity Trends and Practices
On this special episode of The New CISO, Steve chats once again with Chuck Markarian and Sean Murphy. The CISOs for Paccar and BECU respectively, Chuck and Sean share their insights on the current trends in cybersecurity, as well as delve into their predictions for the field and the changing relationships within it. Listen to the episode to hear more about how the government has influenced cybersecurity, the importance of cyber insurance, and much more.

Listen to Steve, Chuck and Sean discuss cybersecurity trends:

Who are Chuck and Sean? (2:23)
Chuck and Sean explain their current roles at Paccar and BECU respectively, as well as the backgrounds that led them there.

Political Influence (4:32)
Steve, Chuck, and Sean touch on the increasing presence of politics in cybersecurity. Sean weighs in on how relationships with law enforcement are changing, as well as how perceptions of cybersecurity have evolved.

The Perception of the Hacker (9:57)
As the government becomes more involved, the blame on organizations for being attacked has now shifted to the attacker, rightfully so. No longer are hackers a kid in a basement; hackers are real and dangerous threats that need to be stopped. This greater understanding of cyber warfare has better informed the public and organizations of what could truly happen.

Investment and Involvement (14:22)
With this increasing awareness of cybercrimes, boards and executives are more willing to invest in CISOs and their teams. It’s better to invest in preventative tools than to pay a bigger price after an attack. Steve, Chuck, and Sean also discuss what changes when the FBI gets involved and when organizations have to wait to fix problems.

Tabletops (21:30)
When simulating a breach, Chuck and Sean urge any leaders to really mimic the chaos that would naturally happen at that time. Be sure to include executives in this simulation, so they can gain practice and understanding of what will be a stressful situation in the future. In doing so, you’ll also be able to identify who is making what decisions before an event occurs.

Cyber Insurance (24:20)
Cyber insurance is becoming more common. CISOs need to educate themselves on policies and the language of cyber insurance. This brings up other questions, such as: should individuals have coverage? Should CISOs and board members? Additionally, insurance forces companies and leadership to define what an incident and a breach are. This helps in determining what to report externally.

A Third Party (34:43)
With a third party involved, like vendors, your risk level increases. From there, you need to assess how important that third party is and the level of risk with which you’re comfortable. It is part of the CISO’s job to help navigate those relationships and dynamics, and to make sure the organization is still protected.

The New CISO (45:27)
Before wrapping up, Sean touches on the importance of connecting and having conversations with other CISOs. If listeners have any questions, they can contact him via LinkedIn.

Links:
Exabeam Podcasts
Sean Murphy - LinkedIn

S1 Ep 64: Management Training: Learning How To Manage Managers
On this episode of The New CISO podcast, Jeremy Sneeden joins Steve to chat about needing management training to learn how to manage others, advocate for his team, and quantify risks. As someone with a technical background, Jeremy had to learn a whole new set of skills for his managerial role at Allina Health. He talks about how the “focus funnel” approach for his new team helped save time and money, as well as how he removes obstacles so his team can do their job. Now the Director of Operations and Engineering, Jeremy coordinates with other managers to ensure the different organizational groups are up and running. While he excels in his position, he believes in continuing to learn and support others.

Listen to Steve and Jeremy discuss management training:

Jeremy’s Background (1:47)
Jeremy chats about his current position as the Director of Operations and Engineering at Allina Health. Originally a technician, Jeremy still views himself as a security engineer, despite now being in management.

Management Training (6:35)
When asked to be a manager, Jeremy was terrified. He had to learn a new set of skills on his own. He advocates for better training for managers, as well as finding a philosophy that fits your style.

Tools for Your Team (10:30)
A great manager removes obstacles for their team. Jeremy discusses how his job is helping his people do their job, particularly in obtaining the right tools so that they can do so.

Talking Money and Partnerships (14:45)
Oftentimes, Jeremy needs to pitch higher-ups on a new tool or equipment. In order to gain approval, he recommends talking in specific dollars and cents. Additionally, he pairs up with other infrastructure groups who want the same things as he does. Together, they ask for additional money or tools for their teams.

Knowing Your Numbers and Team (19:10)
Know your assets and their costs. When quantifying security risks, Jeremy had to understand the business better, as well as how important those assets are in dollars and cents.

The Focus Funnel (25:12)
After three years of managing, Jeremy became director. In charge of IT Asset Management, he sat down with his new team to examine their current tasks. If a task could be automated, they started that process. While it took time and upfront money, they saved hours and millions of dollars in the long term.

Embracing the Fear (34:01)
A great manager pays attention, genuinely cares, and takes care of their people. They handle tasks that go unnoticed, from dealing with angry customers to advocating for your promotion. Jeremy believes that a great manager is also willing to get uncomfortable, or even scared, in order to grow and do what’s best for the team.

Manager of Managers (40:30)
As someone who manages other managers, Jeremy has learned when to get involved and when to back off. He has adapted to letting go of certain tasks and oversight, with the help of communication.

The CISO in Training (45:44)
Being a CISO-in-training to Jeremy means listening to his mentors, and continuing to learn and take care of his employees.

Links:
Exabeam Podcasts

S1 Ep 63 Managing Your First Zero-Day Attack
On today’s episode, we are joined by Chris Wolski, the CISO of Port of Houston. He chats about job hunting, the aftermath of an attack, and more.

Becoming a CISO
A returning guest, the last time Chris was on the show he was unemployed. From being let go to landing his current position, the process took Chris six months. He chats about what that was like and about the normal CISO versus the “Rockstar” CISO. Despite his limited experience in maritime, Chris took a chance and was rewarded.

Socializing as a CISO
Via events and even LinkedIn, Chris was able to expand his network. Through his connections, he was able to educate himself well enough in maritime transportation, laws, and security to better understand his current job. Overall, Chris encourages you to do your homework on the industry, company, and people when job searching.

The First CISO
As the first CISO at Port of Houston, Chris has faced unique challenges. In part, he’s had to convince the port why cybersecurity is needed and how it can impact cargo movement.

Attacks and Risks
Recently, the port had an attack. With a zero-day used against them, Chris found the experience eye-opening. Thankfully, Chris already had an action plan, as well as risk metrics to guide him. Within 2 hours, the attack was contained, and it was fully remediated after 10 hours.

The Aftermath of an Attack
Although he was doubted initially, Chris found himself trusted, even if that trust came only after an incident. He documented everything and encourages other CISOs to do the same. As a result of his work, he was elevated within the organization and the maritime community. There was no doubt of Chris’s ability and purpose within the organization. Within two hours, the port saw its ROI.

After the incident, they shared what had happened in the hopes of opening up communication. By sharing, Chris can help others avoid what happened to Port Houston.

Getting Help
Due to the severity of the attack, Chris explains why the Coast Guard, FBI, and other entities had to offer assistance. While it may be hard to juggle all those organizations, they have access to resources that Chris couldn’t have had otherwise. Again, it came down to reaching out to connections.

Indifferent Insiders
Do you need to have a major incident in order for an entire organization to believe in the role of a CISO? Chris explains how equating cybersecurity to something others already know can help convince them of its importance so they can better understand it. With Port Houston, Chris compared cybersecurity to physical security to put everyone at ease.

Nowadays, cybersecurity impacts everyone. Machinery, manufacturing equipment, and more have computer chips in their parts, which makes them susceptible to an attack. It’s important to convey the severity of cybersecurity to others.

The New CISO
To Chris, being a new CISO means doing your homework on your industry, company, and the people around you. Be willing to learn and you’ll find success.

Links:
Chris Wolski - LinkedIn
Maritime Security Talk - YouTube Channel
Exabeam Podcasts

S1 Ep 62 Demonstrating the Value of Your Program to the 'Layman'
On today’s episode, we are joined by Andrew Obadiaru, CISO and Head of IT for Cobalt. Andrew discusses using soft skills to build connections within an organization. Listen to the episode to hear his advice on:

Two Roles in One
Andrew discusses what it’s like to oversee both security and IT. The fields overlap in many ways and differ in others. He’s not the only guest who has taken on this joint role of security and technology. Andrew explains how, depending on the industry and the size of the company, having one person managing both departments can be either extremely helpful or burdensome.

For those entering that joint role with a background in only one field, Andrew emphasizes getting to understand why IT or security is important and how it operates. With the help of good managers, you can overcome your lack of experience.

Challenges in Perspective
Andrew chats about the challenges in the industry, mainly how cybersecurity departments must prove their worth to their own company. Only when there’s a breach do many businesses see the importance of cybersecurity. As cybercrimes can happen due to anyone’s actions within an organization, it’s especially important to convey the purpose of the department.

Andrew believes that if you can point to related data points, for example how cybersecurity impacts the ROI, then you can properly convince others of its value add.

Developing Soft Skills
When selling the idea of cybersecurity to the rest of an organization, Andrew says to lean on soft skills. Learn the right balance between technical and business language to express yourself when talking to executives. Andrew encourages CISOs to focus on understanding concepts and to get into the more technical details only if asked.

Budgeting Meetings
When entering budgeting meetings, your approach must be different than it is for other topics. Andrew encourages CISOs to really understand the crown jewels of the organization, as well as its risks. When you can figure out what’s valued within the company and how well, or not well, it’s protected, then you can properly convey what you need.

If you’re entering a routine optics meeting, you want to outline the current threats that the industry or competitors have seen and discuss how you plan to mitigate those.

Building Connections
Prior to entering a budgeting meeting, it’s important to have allies on your side. This doesn’t mean just someone you ask to back you before the meeting begins. Andrew stresses that building connections and creating allies can take weeks or even months, and should look like you conveying to leaders how cybersecurity will impact their departments. Then, when you ask for a larger budget and explain why, the other department heads will understand the relevance and be more likely to back you.

Andrew’s Background
Andrew has a background as an auditor, which he feels has benefited him greatly. As he moved further into his career, he found that his exposure to difficult conversations around money has helped him with his work now. He doesn’t feel intimidated, as he knows how to discuss difficult topics. Andrew believes that having a diverse background can be helpful in handling interpersonal relations, or even conflict, during meetings.

Maturity vs. Efficacy
Andrew differentiates a mature organization from an effective one. A mature organization may have a lot of documentation, repeatable steps, and other solid processes. However, maturity within an organization doesn’t always point to how effective it is in a crisis.

“Are We Secure?”
Oftentimes, the CEO or other execs will ask, “Are we secure now?” Andrew shares his advice on how to answer without making promises you can’t guarantee. If asked this question in an interview, Andrew explains how sharing a plan of action may be the most impactful answer.

Overall, Andrew encourages CISOs to never rush to answer any question. You don’t need to prove how intelligent you are by answering quickly; instead, it’s more important to answer correctly.

Advice for the Younger Self
Andrew shares that he’d tell his younger self to be more mindful in his career. He says to be measured and clear, to examine the organization and see if he is a good fit for it.

The New CISO
Being a new CISO, to Andrew, is a big accomplishment and gives you a seat at the table.

Links:
Exabeam Podcasts
Cobalt.io - Andrew Obadiaru

S1 Ep 61 Don't Cut Corners When It Comes To Credentials
On today’s episode, Martin Littmann, CISO at Kelsey-Seybold Clinic in Houston, joins us once again to discuss credentials. The systems in place to create them and protect them are essential. Hear his opinions on these systems.

Credentials
Martin outlines exactly what defines credentials. Credentials are the username and password created to log into an account. One question Martin attempts to answer is: how do you know if the person using an account is someone who is authorized?

He shares his method for identifying this. Previously, before technology was advanced enough, it was largely based on trust. Nowadays, it is very important to use technology to identify whether account activity is normal or abnormal. Using the location of logins is very important. Correlating people’s activity and determining whether it is abnormal is a good way to identify and flag abnormal activity.

Risk Management
How does this translate to risk management? If you notice suspicious trends, introduce a new challenge the user must answer to authenticate their identity. Learn how to discern between threats and simple bad IT. Normal behavior is defined by time of access, duration of access, and location of access. Use this to identify what is normal and assess the risk.

Frequent Questioning
Security personnel have access to analytical tools and therefore have a wealth of information. They can help to determine compromise. Thus, they often receive an influx of questions. While they can’t access everything, there is a lot of information that security personnel can access. Other members of the company can use the information to determine productivity. A piece of advice: present the facts without making assumptions.

Martin’s Steps to Account Protection
Do we have a standard by which we create accounts?
If the process is automated, is it bulletproof and unable to be overridden?
What is the process for enforcing password length and strength?
What is the process of creating the password?

Martin’s Advice
At a policy level, there will be certain requirements that a password must meet. However, there also needs to be technology behind it to enforce these requirements. Martin suggests that organizations need to invest in protecting credentials. The password policy needs to be reasonable and specific.

Password Rotation and Lockout
What does Martin think about these topics? He believes that longer passwords are stronger, but that changing the password frequently does not help, because people will simplify the password. He is not a fan of the 90-day password change but believes passwords should be changed after certain incidents. Martin also recommends utilizing a password vault.

Be Discreet
On a personal level, remember that your own data can be searched out. Using somebody else's data to answer your personal questions can help to protect you, as well.

Final Advice
When doing two-factor authentication, if you can use an app rather than receive an SMS, do it. When it comes to password vaults, don’t use the browser function to store passwords; use a dedicated app.

Links:
Exabeam Podcasts
Martin Littmann - LinkedIn

S1 Ep 60 Invest in People as Much as Tools
On today’s episode, Luk Schoonaert, CISO for Exclusive Networks, joins us to discuss his experiences becoming a new CISO, as well as digital transformation and threat hunting.

Career/History
Currently based out of Belgium, Luk has been in security for over 20 years. Working in startups for years, he developed his passion for security. He has recently become the CISO for Exclusive Networks. He is a technology-focused, goal-oriented individual.

Working with the Buyer
If you are working with vendors or as a defender in a network, it is essential to equip the buyer and teach them how to sell internally. Leaving them with a clear picture, number, or story that enables them to get their job done is an important skill to have. Luk advises listening and asking questions in your meetings. Talk about the big picture and be transparent.

Representation
What should a CISO report to the board? How should they represent their program? Be there for the business so the business can function. Think about how you can best help the business to grow in what they are doing.

Digital Transformation
As the cloud comes into wider use, the security team sometimes gets left behind when the data transfer occurs. Adapting to such changes requires extra help and can also lead to mistakes or attacks. If you lose your logs, many problems can arise. However, it can be a great opportunity, if you get ahead of it.

Focus
As a CISO, pick one thing and do it well. If you focus on one thing and succeed, you’ll be able to build some credibility and gain leadership merit.

Threat Hunting
Luk has helped to build a Threat Hunting Academy. People can oftentimes stay too attached to old technology. He gives workshops where, using a lab environment, they show how a breach occurs. This visualization of an attack is something many people never see or truly understand. Their program has received positive feedback, and they now have an even more hands-on class. By showing how an intrusion happens, it can help people realize where they may be lacking. This is an ongoing effort, but it helps things not go undetected. Ask the “what ifs.” You will get a good idea of how well you would do should an attack occur. Through this, you can measure efficacy and tell the story of your business.

Being a New CISO
To Luk, being a new CISO is a very exciting experience. Being able to implement security practices in a company and drive the direction of certain practices is exciting. Ensuring the secure functioning of a company is something he takes very seriously.

Links:
Exabeam Podcasts

S1 Ep 59 Empowering People to Bring Their “Whole Self” to Work
On today’s episode, we are joined by Azzam Zahir, Global Director of Insider Threat and Security at General Motors. He discusses his journey in becoming a leader in his field and what he has learned in that process.

Journey to Leadership
After finishing school, Azzam took it upon himself to seek opportunities and work extremely hard in any job assigned to him. His inquisitive mindset helped to forge his path. It was in 2007/2008 that his title changed to that of a leader. His strength in managing with influence helped him to take on that leadership role. The transition to the role involved understanding the new responsibility of managing people. His biggest fear going into the position was the fear of failing as a people leader. He worried about giving them the necessary time and attention to allow them to succeed. An unexpected challenge was the day-to-day management tasks.

Review
How does Azzam review people and give them feedback? Contrary to the typical HR review process, he does it early and often. Don’t wait until a review period to give constructive feedback. This can eliminate some of the nervousness and help people be more receptive to the feedback.

What cornerstones of leadership does Azzam expect? Leaders should allow people to be their individual selves and bring their uniqueness to the table. Let them do work that makes sense with the skills they already have.

Young Azzam
What advice would Azzam give to his younger self? One thing, which is challenging, is don’t chase the money. Focus on the career, not the jobs being offered to you. If the job doesn’t offer you great opportunities for career growth, reconsider taking it. It is important to know how to leave a job if that is what you want. Receiving a counteroffer to make you stay doesn’t fix the reasons why you wanted to leave the job. When young, it can be hard not to want things to go really fast.

Job vs. Career
How can you know the difference between a job and a career? Mentorship is really helpful with this. Have both an internal and an external mentor. Your internal mentor will help you navigate politically within the organization and avoid pitfalls. Your external mentor has no association with the company, so they can give an outside perspective. The mix of the two insights provides a happy medium. The internal mentor will likely be more challenging to establish.

Diversity and Inclusion
Azzam presents an exercise that has benefits for diversity and inclusion. The exercise centers on a short questionnaire. It asked things such as: Where did you grow up? How many languages do you speak? What is your educational background? Participants answered anonymously, and the responses were mapped out. You can watch people making assumptions about who they think answered. You can discover new similarities and discover people’s strengths in the differences. This is a great way to connect your teams and build trust and awareness.

Who to Look for in a Team
Look for active learners. The education you have is in the past. What are they still learning? You want a team that will continue to grow and evolve.

Being a New CISO
Azzam advises that the information is out there. Don’t sit around waiting for change. The CISO needs to be proactive in moving their teams towards the change versus reacting to it.

Links:
Exabeam Podcasts

S1 Ep 58 Building Your First Cybersecurity Program
On today’s episode we are joined by Benjamin Edelen, former CISO of the City of Boulder. Leading with a people-first strategy, he aims to serve and protect the community, and he discusses his transition in and out of the CISO role.

Starting from Scratch
Five years ago, Edelen was chosen to be the first CISO of the City of Boulder. With no security program or procedures in place, he had to build the program from scratch. This was a large challenge he had to face. His solution was to pour a lot of himself and his personality into the company. Ultimately, the program became deeply intertwined with his personality. Although he has since left the position, he tried to figure out how to leave while keeping the system intact. Having connection and passion for your job is important. However, it can make it hard to separate work from personal life.

Turning Point
When did Edelen realize it was time to move on? He notes that the CIO of the organization was very transformative, with a thorough plan of advancement. He speaks on the fact that she wanted to guide him to be successful both in the company and beyond. He was encouraged to go out into the world, even if that was with another organization. There is often a point when someone needs to move on in order to continue to grow.

Passing the Torch
Passing on a role that you served in for a long time can be very challenging. It is important to learn how to move on. It can be difficult to see the role fade away or change. Sometimes the company may not listen to your advice or continue to take the role in the ways you envisioned it. Emotional reactions during these times are natural.

Transitioning Documents
What is Edelen’s advice for leaving the role? He had to decide how to transition out of the role as he was leaving. This can include recommending people to take on the roles. Writing down the tasks is important. The biggest challenge was a request/business case for the continuation of the role he was leaving. As he was creating the transition documents, he realized he was also creating a document he could use to begin his next role.

Recognition
Edelen notes that the recognition he needed was knowing he was protecting the people. Recognizing successes within the company is very important. In cybersecurity, the focus is often the failures. However, focusing on success can make a large difference.

Employment Contracts
CISOs are not always the best at creating employment contracts. Putting together a list of questions and topics can be a great thing to consider. Contract negotiation is pretty standard. It is powerful to outline certain expectations you have of the job. Steve Moore encourages listeners to reach out to him on LinkedIn.

Being a New CISO
To Benjamin Edelen, being a new CISO means placing an organization and its people under your protection. He builds an organization intertwined with who he is as a person, and he would do it again. Helping other people navigate mistakes is a large part of the role. Taking on the role means making a commitment to the people and standing against risk.

Links:
Exabeam Podcasts

S1 Ep 57 Knowing When It's Time to Move On to New Challenges
On today’s episode we are joined by Jerich Beason, senior vice president and CISO at Epiq. He delves into advice on networking, knowing which job is right for you, and how to build trust as a CISO.

Advice to Younger Self
Beason says he would have spent more time on relationships. While he had relationships, he wishes he had done more to maintain those relationships across gigs. Keep up contact with people; you never know when you may want to connect down the line. So how do you keep up relationships? Being intentional with your responses is important. Reach out and update those you are connected with. Who you know is extremely important in the job market. Keep in mind those people who have helped you along the way. A simple thank you goes a long way.

Network
Don’t focus all your energy networking at the top. Network with everyone. It will help with hires and building teams. So who should you reach out to? Network with people who are where you want to be. Also reach out to a peer group. Mentor when you have the chance, as well.

Wasted Time?
Young Jerich wasted time chasing a lot of certifications. An ongoing list of certifications takes a lot of time to obtain, but they do not necessarily stay relevant. Be deliberate about the ones you go after. His most valuable certifications are IT focused.

Epiq Cyberside Chats
Beason hosts a podcast of his own, which he discusses. It is relatively new, with the goal of working to be a leader in the cybersecurity industry.

New Opportunities
You have a current position but are offered a new opportunity. What do you do? How do you make that decision? Beason walks us through his experience choosing a new job and what influenced his decision. He thought about his personal brand and what he wants to do as a CISO. He had open discussions with his boss about being torn in his decision. It was a brief discussion, but it helped provide clarity in the situation.

Personal Branding
Think about what success means to you and what you want to achieve. How do you want to look back on your career?

Trust
As the first CISO in the company, much of his role early on was teaching people what a CISO was. He gained the trust of people in the company over time. He helped rebuild trust in the business. Strategy can only be successful if there is trust behind it. How do you know if you have trust? Trust is a combination of character and competence. Beason tries to demonstrate trust by showing that his goal is to help the organization succeed. Reaching out to top customers is extremely important. Communicating changes, both short term and in strategy, is necessary.

Three Phases
1) Foundation: work on preventing attacks.
2) Play with more cutting-edge technologies to build on the foundations.
3) Reach back and have transparency.

Be Knowledgeable
You have to know about what you are protecting in order to succeed. Having a complete picture is essential. Utilizing technology to gain visibility can be useful. Beason feels as if he has knowledge of 99% of their devices.

Recommendations
Beason recommends several books that have helped him along his journey as a CISO. He suggests several books on trust, including “Speed of Trust.”

Being a New CISO
To Jerich, being a new CISO is different in every scenario. Being able to speak the lingo and have a seat at the table is important, as is understanding security fundamentals. Most importantly, recognize the changing nature of the job.

Links:
Exabeam Podcasts
Epiq Global

S1 Ep 56 Leading Cybersecurity as a Key Business Driver
On today’s episode we are joined by Dr. Tim Proffitt, managing director of information security at a Houston-based company, as well as a professor at several institutions. He discusses his own education, his experience educating others, and how this impacts his job.

Advice to Younger Self
Young Tim wasted a lot of time doing unnecessary things. Tim would advise his younger self not to waste so much time playing video games and watching late-night TV.

Education
Proffitt has always valued seeing things through. He always planned on getting a bachelor's degree and decided to continue his education. After qualifying for a new master's program, he wanted to see that through. Proffitt then saw it through to getting his PhD. He values expanding his knowledge and challenging himself. Would Proffitt advise doing the same? It depends on self-reflection and the individual. Formal education is not required for being successful in your field, but it can develop some great traits. If you can see what you would get out of your master's degree, then go for it. Getting a master's does not always equate to earning more money. However, when you choose to go through with such a program, you will be stretched. It will open doors you didn’t have access to before.

Credentials
Credentials are important at a certain level, but experience is just as important. Listing and talking about your credentials and experience can help some conversations and hinder others, so self-awareness is important.

Successful Written Communications
Proffitt explains that seeking out writing skill sets is important. It takes time and effort. Bouncing ideas off someone can be very useful too. Find that resource and mentor. A simple Google search can help you find seminars that can assist you in bettering your writing skills, as well.

Networking, Mentors and Career Arcs
Seek out and try to find a mentor early on in your career. A mentor is someone who can offer help and advice during your career. Proffitt wishes he had found a mentor sooner. After you become a CISO, what is the career arc? One common progression is becoming a member of the board of directors. It could also be becoming a CEO or beginning to teach.

Teaching
What would Proffitt suggest to people thinking about teaching? Teaching at a community college would likely require a master's degree. Teach one class and see what you think. His goals were to be an engaging professor and to get students to want to go into his field. You can change the generations and introduce new people to the field. How does being a college professor make Proffitt better at his day job? He can view challenges through a different lens by interacting with the viewpoints of his students. It forces him to think in different ways.

What Do We Miss in Security?
We often do not dive deep enough into issues. There is always more information about why things are the way they are. Taking time to listen to the engineers is important and can aid in decision making. People may be managing problems, but not reaching the core.

Every security program should be spending time on a risk register. This can transform the business. Presenting a simple risk register can be very profound. Consider using tools such as the 5 Whys or a SWOT analysis.

What Do CISOs Not Get Enough Credit For?
No credit is given when things are running smoothly. However, when things are not running well, they are criticized quickly. A lot of people don’t realize the manpower behind making the internet and technologies work. How does this get solved? As leaders, more credit can be earned if metrics are improved. Proffitt dives into metrics and discusses which provide the most value.

New CISO/Advice
One piece of advice that Proffitt has is to develop a feel-good security packet to outline your security processes to an extent. Your sales team and liaisons can hand this out to help make people comfortable. It is pretty easy to build a template that will answer most of the questions coming at your industry. Obtaining this information shouldn’t be too difficult. This packet will be relatively simple to assemble.

What does being a new CISO mean? You have to be a business enabler. You must help people get to their goals in a secure fashion.

Links:
Exabeam Podcasts

S1 Ep 55 Defending Data and Corporate Systems Without Sacrificing Revenue and Velocity
On today’s episode, Tyler Farrar, CISO for Maxar Technologies, joins us to discuss the ins and outs of threat intelligence. He delves into the importance of not assuming malicious intent and his approach to compliance versus security.

Introduction to Tyler Farrar
Maxar Technologies is a satellite imagery and satellite manufacturing company. Farrar got his start in IT in the U.S. Navy, working with the Cyber National Mission Forces to protect critical United States infrastructure. He was responsible for managing and leading a team of Navy sailors and civilians. They would gather data and intelligence, and he was responsible for commanding the mission of the operations.

Threat Intelligence
Farrar notes that many people misuse the term threat intelligence. Taking legitimate sources, forming a hypothesis about what this means within the company network, and then acting on the hypothesis is the true process of threat intelligence. Farrar discusses how standstills can occur. Sometimes companies will find the source, but fail to use the information to better the company. A repeatable process for acting on intelligence is essential and should be used in the private sector. Farrar discusses misconceptions about log sources within threat intelligence. Working through key outcomes and identifying desired achievements can help formulate use cases.

Outcome
How would Farrar define an outcome as it relates to threat intelligence? It is centered around quick identification of and action upon a threat. After identifying use cases, narrow down what information will identify a certain use case to be used. Consider making a chart of your company’s process. This can allow the process to be explained to others with more ease. Farrar notes the importance of working with key stakeholders in this process, as well.

Insider Threat
Insider threat is also a misconstrued area. People are very complex, and thus insider threat is a challenging area. While there is no one approach, Farrar offers advice on approaching it: managing cybersecurity, reaching out to the employee when necessary, and working with them to understand why an activity took place. From there, determine the right steps to take. How and when do you reach out, and what do you say? With data loss on the line, this can become challenging.

Analysts
How do we train analysts to have cognitive management and a trust-first mentality? Analysts can become quickly overwhelmed with a constant influx of alerts and false positives. When this continues, they can become burnt out. As leaders, try to motivate your employees to feel positive about their work environment. If they can tie their work directly back to the mission of the organization, this can be a large factor. Being mission-centric can help align the employees to the business. Look at your goals. How much time is necessary for achieving them? Understand what activity from your employees is normal to avoid spending time and technology on unnecessary activities.

Community Culture
It takes time to change the culture of your business partners and the community as a whole. Many organizations want to be in a place where people come to them, but still need to gain confidence from others. It is easiest to utilize lessons learned from a crisis as a conversation starter with your customers. With much focus on cybersecurity, providing cyber assurance to your customers is valuable. To do this, you must discuss the risks.

Frustrations in the Industry
Farrar opens up about some of his frustrations within the industry. He explains that people get caught up in fixating on a compliant environment and are willing to wait for others to get to the compliant state. We need to utilize forward-leaning technologies and not wait for compliance. Balance is important, and we need to be moving faster. Just checking boxes is not enough; we must push to get to the next level. This can drive us far ahead.

What does being a new CISO mean? Farrar has his answer down to a T: defending data and corporate information systems while enabling revenue and business philosophy.

Links:
Exabeam Podcasts
Maxar website

S1 Ep 54 Growing Your Confidence as a Young Leader
On this episode of The New CISO, Steve Moore is joined by special guest Michael St. Vincent, the CISO of The Cosmopolitan of Las Vegas. They discuss the importance of networking, as well as advice for succeeding as a CISO and in the workplace.

Introduction to the Cosmopolitan of Las Vegas
St. Vincent has been the CISO for 6 years at The Cosmopolitan of Las Vegas, a resort hotel in Vegas. He shares that his favorite thing about the hotel is its artsy and offbeat culture and the joy of just walking through the building. “Secret Pizza” is a delicious stop as well. Moore shares his own experience grabbing a slice at Secret Pizza.

Advice to a Younger Self
St. Vincent shares that he wishes he had networked more. Diving into the community is important. Being slightly closed off can pose challenges and lead to missed opportunities. Just start talking to people and see how this can help your career. Many people feel as if they don’t have enough experience to share a perspective, but having confidence in yourself can help greatly. St. Vincent shares two main pieces of advice.
1) Confidence. Accepting that you don’t have to know everything can make networking easier. Look at it as a learning process.
2) Don’t dominate the room. Offer an idea and see where it goes. This opens up a conversation and allows room for others to share their ideas.

Coaching Networking
Learn from listening. Being present and listening to whoever is speaking is how you show respect to the speaker and learn. Being kind is also important. Present an opposing opinion in a kind way, and let people respond. Being a coach to the next generation is an incredible opportunity. This will create a strong and successful community going forward.

Networking Opportunities
In Las Vegas, they hold a networking cocktail hour with industry professionals, and a few students are invited to participate in these events. Getting a feel for the room is an extremely beneficial experience for up-and-coming individuals. St. Vincent holds one-on-one meetings with his staff to offer feedback. He speaks on the importance of having conversations and growing communities. These outreaches end up being well worth it in the long run.

The Hiring Process
Not everyone gets hired for the positions they interview for. St. Vincent and Moore advise always reaching out to the hiring manager and asking for an off-the-record debriefing. Giving and getting feedback is important and can help you grow, and this honest feedback can be very helpful in the future.

Admitting “I Don’t Know”
Why is it so hard to admit you don’t know something? Lacking confidence can be partly to blame. There is also an expectation that we need to know everything. This is a common way to feel. It is worse to make up a solution than to admit you don’t know something. Asking for help is okay, and there will be many people willing to help you out. Admitting we have limits can be challenging, but it is human. Being overconfident and “showboating” is not the way to go. It most likely indicates that things will not go well.

360 Review: Confidence vs. Arrogance
St. Vincent shares his experience with a 360 review and the realization that some people perceived him as arrogant. There is a fine line between confidence and arrogance. Behind this lie attitude and self-awareness. A 360 review takes a certain type of openness. You must be willing to listen to the feedback you will receive. Making informed changes based on this feedback provides a lot of room for growth.

Relational Confidence
Opening up and sharing on a personal level is important. St. Vincent welcomes others to argue with him, as long as they come with a reason. This opens the ground for more productive conversations and problem solving in the workplace.

Where Is Credit Due?
Security programs are often evaluated only on failures. What gears is St. Vincent trying to fix? He explains that the fixes can sometimes be hard to spot and are often operational. Over time, credit will be given and problems will be solved. Being part of the solution helps people recognize the controls. Moore also shares his experience in finding expired servers.

Trying to Own Too Much
Oftentimes, people agree to owning too much, but it can be too much to do all of this alone. Many companies have a security program in place but no asset control. The CISO will be responsible for protecting what they own, but if ownership is undefined this can be challenging. This leads the CISO to overcompensate. St. Vincent shares his advice for situations like this. Trying to own everything is not a path to success. Registering everything you own to an owner is helpful. This model will be more successful, and having a motivated owner is important as well.

What Does Being a New CISO Mean?
In St. Vincent’s experience, being a new CISO is about looking at the technology and pr

S1 Ep 53 Four Key Elements of a Security Strategy
On this episode of The New CISO, Steve Moore is joined by special guest Mark Ferguson, the CISO for the cyber security company Bombardier. They discuss the roles of a CISO in cybersecurity and the strategies involved in dealing with breaches and building teams.

Moving to Canada
Originally from Scotland but now residing in Montreal, Canada, Ferguson shares some background on where he has lived in the past and the process of moving to Canada. Ferguson expresses his excitement about experiencing Montreal when it becomes more open. He has been taking some French classes to become better acquainted with the language.

Travel
Ferguson has been able to travel often and live in many places for his job. Opportunities to relocate have come up multiple times throughout his career. Ferguson advises taking opportunities to relocate for a career. He has moved to the United States, to Poland, and now to Canada. He enjoys the experience of new places. Moore discusses how relocation may be less common in companies based in the United States.

First CISO Role
Ferguson reflects on the decision to become a CISO. He honestly admits that some days it can be exhausting and doubts can arise. There are good days and bad days in the role. At the end of the day, he knows he is capable of solving any problems that arise. The role brings a lot of diversity.

Getting to Be a CISO / 4 Pillars
How did you get to the point of being a CISO, Moore asks? Ferguson says he had a great mentor who was able to help identify his assets. Getting things done and strategic planning are important as well. The four main pillars of strategy are:
1) Educational awareness
2) Strong identity management/data security
3) Strong basics of IT management and maintenance
4) Using agile technology

Building a Program & Facing Challenges
You have to know which players you need to make things work. Building strong relationships is important and will assist with vulnerability management. It can be a challenge to identify where problems lie, and explaining the problems can be a challenge as well. Ferguson notes these are things he is still actively working on. Moore notes that the CISO position can be nearly impossible at times. However, others pulling their weight in the company is essential. IT systems are extremely complex, and joining everything to work as one can be difficult. This is, realistically, not a simple problem to solve. Breaches involving assets could be a big detriment to the company. Holding people accountable and working together is one way to avoid these breaches. Running audits is time consuming, but important to keep everything in check.

Best Parts of the Job
Ferguson shares some of the best parts of his job. One of his favorite things is building great teams. Finding great people to work with is very rewarding. These people don’t have to be perfect, but finding what makes them an asset to the team is great. Inevitably, these team members will come and go, but developing great teams is one of the best parts of the CISO role, says Ferguson.

Breach Response Plan
One of the first lessons to learn is that a cyber breach is not a cyber security problem. Ferguson mentions that they recently faced a breach, and there is a lot to learn from the situation. It occurred at a critical time. They assumed the breach would come from the bottom up; however, it was at a more executive level. Their team learned about internal response from this. A good response to a breach means having the right people involved in the situation. Having a business team involved in the response is important because it is a business problem. Quickly building out this team is very important. Making sure everyone knows what the problem and objective are is essential. Once a breach occurs, there is a lot of responsibility involved. People often don’t understand the size of this responsibility until it occurs. With the right culture and leadership, response will go more smoothly. Important response tactics are: heat of the moment, assumptions don’t matter, speed, scale, openness to any idea, and understanding your role in the process.

Communicating with the Customer
Ferguson states that this is one of the most important ways of responding to a breach. Notifying the customers right off the bat is necessary. How do you notify them? Ferguson shares how he approached communication. Turn to key stakeholders first, and listen to others as well during the process. Having conversations will be time consuming but will ultimately go a lot further than sending an automated message. Many people will want to speak with the people directly involved because it gives them confidence in the answers they are receiving.

Growing
Ferguson shares how this has helped him grow as a leader. He was balancing a lot at the time of the breach, so it forced him to test and

S1 Ep 52 Earning the Business’ Trust as the New CISO
On today’s episode, Rob Hornbuckle, CISO for Allegiant airlines, joins us to discuss the scope of his early career. From advice he’d give his younger self to learning how to accept feedback and undergo self-development, join us for this informative conversation.

Advice to Your Former Self
Rob Hornbuckle reflects on his current success and thinks back to what he wishes he could tell a younger version of himself. Taking on a leadership position early on made the learning process quick. If he could go back, Rob would tell himself to work more on soft skills and people skills. Rob then delves into the importance of relationships at the higher levels of a company.

Moving into Leadership
Rob’s first leadership role did not have a preexisting security program; rather, it was Rob’s job to establish and build a program. We then discuss the challenges of this role, given that Rob was starting a leadership position while simultaneously building a program. Additional challenges include the amount of effort needed to grow relationships. It is an investment of time into others and yourself. Previously, being seen as the best or smartest in the room would be a positive, but there has been a shift. Rob says being perceived as the smartest can be off-putting to others, and he highlights how listening to others' input is beneficial. Rob discusses why this first leadership role ended up coming to an end, but notes that his mission within the role was achieved with success. He loops back to mention how taking his own advice at this younger stage would have helped expedite the process.

Feedback Is New
Rob delves into the reason he went back to get a master’s degree: thinking this would solve a problem. While the degree was helpful in the long run, he notes that the problem of feeling he wasn’t trusted enough stemmed from not being viewed as expert enough. Feedback is essential. Rob mentions the importance of seeking out feedback. He then provides an example of asking for feedback. While his process has changed since, at the time Rob waited a year before sending calendar invites asking for feedback from his colleagues. One piece of feedback he received was that he was not trusted. Rob was informed that many senior executives had been there for years, and he was not welcomed with trust. He figured out later that fully understanding the organization would help build this trust.

Changing and Coaching
The two lessons he took from the feedback were about emotional intelligence and business. To address this, Rob sought out an executive coach. Rob discusses what an executive coach is and what the coaching entails. His coach performed a 360-degree review to figure out where he may be falling short by gathering information from past work. Rob discloses that a 9 month program cost him $6,000. While it is a large investment, Rob notes that he would, in fact, do this again. To address the business trust issue, Rob sought out his MBA, paying for the degree himself. Rob notes that the most important takeaway was identifying what he needed to work on to grow emotional intelligence. Working on strengths and weaknesses was an important part of this bettering process.

Utilizing Your Past
It is important to use all the technical skills from your past in current endeavors. We discuss how, for example, having a background in theatre can be extremely important in leadership endeavors down the line. Hours put into an activity in early years can be very useful in, say, presenting at conferences. There is a lot of theatre involved at the executive level. Confidence and presentation are very important and very theatrical. What do we mean by presence and projection? Project as if you belong in the room (even if you don’t feel that way). Where you sit in a room can make a difference. For example, sitting at the edge of a room can be perceived as disinterest, and a perception can be cemented very quickly. Even if you work to better yourself, there may be a cap on how far people can shift their perceptions of you. Personal development and making change in your organization can be slow processes. Growing business skills was a pretty lengthy process, but Rob reaped the benefits of having an MBA very quickly. Development of emotional intelligence took even longer. Even after the 9 month program, it still took time to see the changes.

Resume/LinkedIn
Rob spent time being coached on his resume and LinkedIn profile. Would he do it again? The short answer is yes. It significantly helped others seek him out for jobs and helped him make it past the first-round robot algorithms. How long should your resume be? It can be up to 2-3 pages, but everything you want them to read should be on page 1.

Being a New CISO
What does this mean to Rob? You need to be more of a people person than expected for a tech career.

Links: Exabeam Podcasts, Rob Hornbuckle - LinkedIn

S1 Ep 51 Building an Insider Threat Program from Scratch
Kylie “KT” Boyle joins us in the latest episode of The New CISO, which is also the beginning of a new segment: The New CISO Foundations. Every security program is built on a foundation; this episode focuses on KT’s mission and what building blocks his organization represents.

Background
KT Boyle leads Anubis Security Groups. He has been in the cybersecurity realm for over 17 years. He worked in cyber security operations for the US Cyber Command and various Global Fortune 500 companies. He currently focuses on providing modern cybersecurity and continuous security monitoring, along with data loss protection/prevention.

From Military to Cybersecurity
Before focusing on cybersecurity, the first decade of KT’s military career was spent as a special forces soldier. KT talks about his transition into a different realm as he became a father and how he learned about a space that was unfamiliar to him. He also gives advice for anyone who is considering taking the leap into a new job.

3 Core Components of Building Teams
This episode breaks teams down into three core components: team performance, visibility and tool efficacy. Human beings are the cornerstone of any good team, and when you analyze employees, you should also take into consideration who they are as a person outside of work. The visibility component covers having visibility into all of the environments within the team, while tool efficacy details how to have efficient tools for your team regardless of what sector or tech stack you are operating on. When you have employees that understand these three core components, KT says this makes the hiring process a little easier because you no longer need to have a subject matter expert at every level. Focusing on the leadership perspective: what does your business do, and what is changing about it? If you can communicate this clearly, you’re ahead of the game.

What Do Bad Security Analysts Do?
To keep it simple: bad security analysts don’t ask questions. Some members of the cybersecurity realm are not the most experienced extroverts. However, asking questions shows that you’re engaged and interested in learning about the industry and the tasks at hand. If you’re not asking questions, this typically means one of two things: you’re looking for a new job, or you are happy with your current output and are coasting through. As a counterpoint, Steve mentions that some people who don’t ask questions may have worked under poor leadership in the past. The episode discusses ways to incentivize your team members and how to create an environment where they can be comfortable asking questions.

Links: Exabeam Podcasts

S1 Ep 50 Why Teams Fail: Building Resilience into Your Security Program and Culture
We focus on resiliency in this week’s episode of The New CISO, which was originally recorded at the 2021 RSA Conference. Steve sits down with two former guests on the show, Dave Damato and Sandro Bucchianeri, to talk about the hard-hitting questions from the inside: why do people fail, and what impact does resilience have on program success?

Thinking About Resilience
As Steve mentions, there is a lack of definition for what is “good” within the cybersecurity realm. So how do we think about resilience and failure when there is no solid definition of what “good” is? And how can we establish resilience for our team members? Setting expectations through frameworks appropriate to your industry, and defining success and capabilities for the team, is crucial. However, leaders must also stop and acknowledge that team members are not robots; they are individuals with challenges that all play a massive part in how they show up every day.

Feedback and Executive Decisions
If employees are scared to speak out when something is wrong within an organization, leaders are basing their decisions on an echo chamber of positive feedback. Feedback is critical when it comes to correcting any errors or putting out fires, especially in a larger organization with a bigger staff. Showing that you can take criticism and feedback will allow team members to communicate more confidently, in turn creating a better work culture. When it comes to operating with other executives, CISOs often feel that they aren’t as established in the corporate landscape as other roles. CISOs need to shift their focus onto how they can have an impact on the business and the top-level goals of the organization, which could mean weighing in on company-wide issues such as pay rates, benefits, the hiring process, etc.

Managing Expectations
Expectations start as soon as the interview process does. Where do leaders mess up, and how can we fix it? The biggest challenge within security is that there aren’t enough staff and/or resources, so managing the resources in place and setting expectations is key. It’s important to make sure your team isn’t constantly putting out fires. Evaluate when and whether you need to hire a new person or bring in a consultant to solve some issues.

Hiring for Resilience
Is it actually possible to gauge someone’s resilience during an interview? What traits should you be looking for during that initial conversation to see if they would be a good fit on your team? Dave and Sandro share their secrets on exactly what they ask and exactly what they are looking for in a candidate to continue to drive that theme of team resilience.

Links: Exabeam Podcasts, Dave Damato - Twitter, Sandro Bucchianeri - LinkedIn

S1 Ep 49 Sugarcoating Security Data Doesn't Help Anyone
The latest episode of The New CISO features not one, but two guests! Chuck Markarian and Sean Murphy sit down to discuss the inner struggles of networking, establishing a risk council within your company, and dealing with high-risk situations.

Background
Chuck Markarian is the CISO at Paccar. He has been with the company for 16 years and has served in a CISO role for almost five years, focusing on security risk assessment and project management. Sean Murphy is the CISO at BECU, the third largest credit union in the country. Sean has been in his role for about two years. He previously served in the Air Force for 21 years before jumping into the financial services sector.

Networking as an Introvert
Networking in itself can be intimidating, but when you’re an introvert, it’s even more nerve-wracking. Chuck and Sean discuss how to calm the nerves and take that first step at a networking event, which ironically is how the duo ended up becoming friends. The episode discusses translating this advice into navigating a virtual space as networking events continue to be held online.

Starting a Risk Council
The guys talk about how to socialize a risk council and get one established. The main focus is catching an employee’s interest in that initial email. This episode goes through different questions to ask your team members that will lead them to recognize which areas interest them the most and which areas pose the greatest concern. The bottom line: ask the right kind of questions that let employees find out what is important to them, and discuss responses to situations when dealing with risk management. Then, develop a plan of attack.

Dealing with High-Risk Situations
High-risk situations and security issues are bound to happen. The largest differentiator is how you react to them. The focus quickly goes to “How could this happen?” when the shift needs to be toward “How quickly can we get things back to normal?” Sean and Chuck discuss navigating high-risk situations with executives based on your current relationship with them, and how the CISO is often not the sole person to blame when something goes wrong in the cyber security realm.

Rose-Colored Glasses
Some things unintentionally get sugarcoated by organizations, where reports get tweaked as they go further up the chain. The verdict? CISOs are not doing the organization any justice if they are trying to spin the news. In turn, a CISO could find themselves without a job if something goes wrong and the company was not provided with accurate data and objectives. Spinning the news protects neither the organization nor your job. Always communicate the message as you see it.

Links: Chuck Markarian - LinkedIn, Sean Murphy - LinkedIn, Exabeam Podcasts

S1 Ep 48 Getting the Job Done Doesn't Always Mean Getting Credit for It
Our latest episode features Brian Fricke, CISO & IT Risk Head at City National Bank. Brian joins us to discuss developing mentorships in the industry, how to be a positive leader, and how to keep a proper work-life balance when you are constantly dealing with high-stress situations.

Background
Brian got his start working in IT and information security through the military and federal government. He served in the United States Marine Corps and worked in the federal government realm before transitioning over to finance. Brian gives some insight on the transition and how his military background prepared him for a career in information security.

Rounding Yourself Out
When asked what advice he would give to his younger self, Brian says he would encourage himself to round himself out and learn as much about the business and its industries as possible. The episode also touches on “not living in anyone’s shadow” and not being afraid to take bold steps within your career if you think you have a solution for a problem.

Leaders Listen
Brian was propelled to become a more mindful leader after dealing with a former boss who did not listen. It prompted him to become more mindful and ask his staff what their opinions are during meetings and when dealing with specific situations. Brian says leaders should ask questions that spark creativity and thought, especially when working with junior staff.

Acquiring Mentors
What's the best way for someone to grow? Long-term work experience is probably the biggest component, but mentorships and partnerships are a large piece of this as well. Brian addresses the type of people to seek out: people who have gone down the path you are looking at, others who have gone down parallel paths, etc. Brian discusses how you can build that mentorship and start that first conversation that leads to a beneficial mentorship.

Meditation Is Key
Cyber security often involves high-stress situations. The work-life balance and mental health components are just as important. Brian talks about how meditation has benefitted him personally and how it could benefit other CISOs or professionals working in high-stress situations.

Celebrate the Small Victories
If you wait until hitting major milestones to celebrate, employees can sink into a dull mindset. Celebrating the small victories along the way can help boost employee morale and keep everyone motivated. Brian holds a weekly meeting where his staff can recognize positive moments from the week and give shoutouts to their colleagues.

Links: Brian Fricke - LinkedIn, Exabeam Podcasts

S1 Ep 47 Why Does Cybersecurity Mentorship Matter?
In the latest episode of The New CISO, Sandro Bucchianeri joins us to discuss finding a mentor during the early portion of your career, how cyber security leaders can navigate corporate relationships, and the success of building a cybersecurity academy in South Africa.

Background
Sandro is the Group Chief Security Officer of Absa Group in South Africa. He has worked in cyber security for companies across the globe, including in the United Kingdom and the United Arab Emirates.

Mental Wellness Emphasis
Sandro’s advice to his younger self: breathe, take a breath, relax. Being a CISO is a very stressful position, and this episode talks about some aspects of mental wellness that are important for maintaining your physical health and stress levels. Sandro talks about his experience of taking up meditation in his early 40s and wishes he had learned how to do it earlier in his career. The episode discusses the benefits of mindfulness and how you can apply it to your daily routine.

Navigating Mentorships
Knowing your why, the reason you want to hit certain milestones in your career, is the most important thing when trying to reach success. What you need to do to get there is one element, but using your own story and background is a more powerful motivator for drive. This is a very different dynamic compared to just working to get money. This episode talks about how these realizations and other soft skills can benefit you when you enter a leadership role.

Corporate Relationships
Sandro talks about the human condition and how that relates to relationships with board members. People show up differently when there is more on the line, which is why they will act differently in a casual one-on-one setting versus a board meeting. Those casual coffee chats are still suggested, to humanize and understand the board members. Be authentic and transparent with them no matter who you’re speaking to. And if you are not getting time with a senior member or board member, ask yourself why.

Mentorship
There’s no central golden source of truth for becoming a successful leader. Sandro learned early on that he needed to latch onto mentors. Expanding on that, the episode discusses the ability to listen to them and be patient. It is the most fundamental thing Sandro has learned, as opposed to jumping the gun and trying to find an answer right away. Sandro and Steve also discuss the perfection culture within the industry and how you can combat it.

Absa Academy
Sandro discusses the Absa Academy and its progress over the years, and how it has been able to lift South Africans out of poverty and into a career in cybersecurity. The episode mentions the obstacles the academy faced during the pandemic and the lessons students learn throughout the program.

Links: Sandro Bucchianeri - LinkedIn, Sandro Bucchianeri - Twitter, Absa Cybersecurity Academy, Exabeam Podcasts