The New CISO


146 episodes — Page 3 of 3

S1 Ep 46: Why Great Teams Need "Lifelong Learners"

In this episode of The New CISO, Matt King comes on to focus on the leadership side of cyber security. Matt talks about how lifelong learners make for great leaders, and how he learned not to make assumptions about his team members when managing them.

Background
Matt King is currently the VP of Global IT Security, CISO at Belcan. He has been with the company since 2017. Before transitioning into cyber security, Matt's career focused on IT. However, Matt worked to bridge the communication gap between the two before transitioning into cyber security.

Becoming A Leader
This episode notes the gaps between managers who received leadership training and what Matt learned about management when he transitioned into a leadership role. Some managers choose to delegate and coach people in different ways. Matt notes that when delegating tasks to your team members, it shouldn't just be based on their knowledge level. Instead, it should be based on the specific task you are asking them to do.

Analyzing Your Team
Matt reflects on a situation where he made an assumption based on someone's skill level and completely delegated a task to them. The results weren't the best. A tip for managers: make sure you fully understand not just their skill level, but what that person can handle for that particular task. Also reflect on what they need from a delegation perspective: do they need handholding, general guidance, or can they fully run with it?

Up For The Challenge
How do you amp yourself up to take on the challenge of managing people? The simple answer: try to learn from everybody you meet. Switching into the application, focus on the overall goals when you're talking strategy and then divide your work up into chunks when dealing with the tactical side of the job.

The New CISO
For Matt, it's all about flexibility. He places an emphasis on being open-minded and being willing to help others.

Links
Matt King - LinkedIn
Exabeam Podcasts

Apr 1, 2021 · 45 min

S1 Ep 45: Don't Aspire to be a CISO

On this episode of The New CISO, Dr. Rebecca Wynn joins us to discuss the logistics of being a CISO on both a team and a personal level. The episode focuses on what type of person is the right fit to become a CISO and how to properly manage the well-being of your team once you land that role, especially now that CISOs are managing their teams in a virtual setting.

Background
Dr. Wynn is currently Global CISO & Chief Privacy Officer at [24]7.ai. Before that, she was the Head of Information Security/Data Protection Officer at Matrix Medical Network. She was recently listed in the Top 100 Women in Technology by Technology Magazine.

Advice and Hindsight
When it comes to hindsight and analyzing yourself and your team from the stands, give yourself enough grace to realize that you are always learning. In the episode, Dr. Wynn and Steve talk about decisions made by the CISOs who came before you and how you can take those pieces of information to propel the company forward.

Employee Wellness
Analyzing the needs of your team is important in the work world, but being virtual can make that hard. Tips for checking on the team's wellness behind the screen are discussed, including reminding your team members about the employee assistance programs available to them when they are struggling. Most importantly, this episode emphasizes letting your team members know you care about them as a person and not just as an employee.

Should You Become a CISO?
Dr. Wynn has written an article advising people not to become a CISO. She expands on this point, explaining that the term CISO has become watered down and that people shouldn't aspire to the highest position in cyber security if they don't understand it and what goes into it. If you aren't a big thinker or strategic in your thinking, CISO is not the role for you. Instead, focus on being the best cyber professional you can be.

Career Lifespan of a CISO
The time a CISO spends in their role at a particular company has shortened. This episode expands on a CISO's typical timeline from when they take on a new role until they leave for a new opportunity. We also draw comparisons between the lifespan of a CISO and the career lifespan of other senior positions, and discuss who CISOs can report to during their time at the company.

The New CISO
For Dr. Wynn, the new CISO is a person who tries to work with the organization and is not afraid to speak up for it. This person also never loses sight of the fact that the bad guys are always out there and that your organization is in a cyber war at all times.

Links
Dr. Rebecca Wynn – LinkedIn
Exabeam Podcasts

Mar 18, 2021 · 42 min

S1 Ep 44: Exploring New Job Opportunities Amid a Global Pandemic

Rinki Sethi joins us for the second time on the show, and this time she is with a new company. Just a few months ago, Rinki became the CISO at Twitter. In this episode, we talk about what made Rinki want to take the jump to a new company and how you can adjust to working for a new company when you're completely remote.

Background
Rinki joined Twitter in September of 2020. Before that, she was the CISO at Rubrik. Rinki has also served in cyber security positions at IBM, Intuit, Walmart and eBay.

Taking the Leap
Your job is so much more than day-to-day tasks. It's also about the relationships you form with your team and your interactions with them. When COVID-19 had her office go remote, Rinki was left in her house with a lot of free time. That free time led her to do some deep thinking about who she was and who she wanted to be, and she realized that she was no longer feeling challenged at her job. Rinki talks about looking at it from the perspective of the larger impact.

Virtual Interviews
Rinki's hiring process was 100% virtual. For those who are used to traveling to another city for a few days to go through the interview process, this concept is hard to grasp. Rinki goes into detail on forming connections with the interviewers through a screen, and what questions you can ask the company to see if the environment is a good fit.

Mental Health in the Workplace
Mental health is extremely important to Rinki, and she tries to implement that with her team as much as possible. However, she has yet to meet anyone from Twitter in person due to the pandemic. That poses some challenges: instead of interpreting body language and the physical environment of your team, you have to interpret video calls and chat messages. Rinki shares some tips on how to ensure your team is prioritizing their mental health while reiterating one message: we are all still humans.

The New CISO
When asked what the new CISO means to her, Rinki emphasizes building and strengthening a security culture while continuing to be a thought leader for the company.

Links
Rinki Sethi - Twitter
Rinki Sethi - LinkedIn

Mar 4, 2021 · 43 min

S1 Ep 43: Four Key Questions Every CISO Should Ask Their Board

Dr. Eric Cole of Secure Anchor joins us in this episode to talk about the misconceptions of what a CISO should really be. This episode focuses on the corporate side of cyber security and the line between a CISO and a security engineer.

BACKGROUND
Dr. Cole has over 30 years of cyber security experience. Before that, he was a hacker for eight years for the CIA. After spending almost an entire decade hacking into systems, he decided to switch from offense to defense, which he describes as being more challenging.

MISCONCEPTIONS ON THE CISO
Being a CISO is not a technical role. The CISO is a strategic position that focuses on the strategy of execution. They focus on the growth of the business while understanding finance, revenue and how they can incorporate cyber security into that equation. Anyone in a technical mindset should not be a CISO – CISOs need to communicate and task their teams instead of running head-first into the data center. Anyone who enjoys doing the latter should consider switching to a security engineer role.

FINDING THE RIGHT FIT
Unsure if you selected the right CISO? They need to be comfortable in conversations revolving around business decisions. The answers to "What business are we in? How does our organization make money?" should be as seamless as answering their name or where they're from.

ADVICE FOR A NEW CISO
Dr. Cole reveals the secret to briefing a board: keep it short and simple. The only thing board executives care about is the potential for risk and what it will cost to fix that risk if it occurs. Going into this with a data- and tech-focused perspective will not allow for a thorough understanding of the situation between the CISO and other executives. In another light, putting out little fires as a CISO is not going to scale well. A CISO entering the company should look at the processes in place within the organization and see how they can get security injected into them. Instead of managing the symptoms, get to the root of the diagnosis.

THE NEW CISO
When asked what the new CISO means to Dr. Cole, he emphasizes a business executive who is entrusted with helping the organization grow and be successful through cyber security. This CISO would use their focus on cybersecurity as a business enabler instead of viewing themselves as a technical resource.

LINKS
Exabeam
Dr. Eric Cole - Twitter
Dr. Eric Cole - YouTube
Dr. Eric Cole – Books on Amazon

Feb 18, 2021 · 45 min

S1 Ep 42: Influencing and Informing Non-Technical Business Partners on Security Issues

Curtis Simpson, CISO of Armis, joins us to discuss the pros and cons of starting your career in a small organization versus a large enterprise. How can you influence and inform business partners from a security perspective? Why do people believe the CISO shouldn't report to the CIO?

BACKGROUND
Curtis likes to say he was born with a keyboard in his hand. Growing up with his father working in IT, Curtis was already coding by age 8. He started his career in large organizations and served in various roles at Sysco over the course of 10 years (including Vice President & Global CISO) before coming to Armis in 2019.

FROM TECH TO POLITICS
When asked what advice he had for his younger self, Curtis had one answer: stay close to what you enjoy. By spending nearly all of his time playing politics in larger organizations, he gravitated away from what he loves: tech. In large organizations, he had to constantly fight for every morsel of progress and spent a lot of time educating company members on why he was even talking to them in the first place.

LARGER VERSUS SMALLER ORGANIZATIONS
The biggest difference between the two? The ratio of time spent in the political realm. In certain situations, a decision that could be signed off on in 30 minutes takes three months. The ability to balance an understanding of the market and the enterprise is an important aspect of the role, but being a CISO is not about spending all of your time forming relationships to get minor decisions made. Instead, it should be about leading teams and learning the evolution of the markets.

TIPS FOR STARTING SMALL
A mistake Curtis noted for himself when he was at larger organizations: he was too title hungry. However, at smaller organizations, there is more opportunity for fulfillment and confidence-building. Smaller teams usually understand their objectives and are very hungry to prove themselves in the market. In the smaller model, you can also continue to discover your interests within the industry.

TRANSPARENCY WITHIN THE INDUSTRY
When asked what irritates him the most about the industry, Curtis notes the lack of transparency. Companies are rarely focused on the right thing because they are rarely honest about what they do and don't know. This has been a cultural norm, one that the industry must continue to disrupt. While transparency has improved, there are still individuals in the industry who are guarded in their conversation.

CISO AND THE CIO
One of the most painful elements of Curtis' career is that the industry is long past the point where CISOs should still be reporting up through CIOs. In many cases, CISOs are representing a message to a CIO who unfortunately doesn't have as much of a grasp on security. As a result, the CISO spends a lot of time creating and delivering a message that can start to fall apart. For example, a CIO may want to paint a different picture to the board, so they will create a less transparent image of the situation.

THE NEW CISO
For Curtis, the new CISO is all about servant leadership. This episode discusses the success and fulfillment of building teams and enabling them to perform at high levels. Teams with an established workflow and culture will follow you through the greatest challenges.

LINKS
New CISO Podcast
Curtis Simpson - LinkedIn

Feb 17, 2021 · 49 min

S1 Ep 41: How Do Leaders Cultivate Diversity of Thought

Artie Wilkowsky, CISO for Dish Network, joins us on this episode to speak about specialization, leadership skills, and the qualities he looks for in new hires.

Artie's Background
Artie has been working at Dish for over two years, helping with all their lines of business, such as Sling, Contact, and Wireless. Before that he bounced between consulting and industry, working in financial services and aerospace.

Specialization vs. Generalization
In thinking about advice for his younger self, Artie would tell himself not to worry so much about specializing right away. It's important to get a broader view of an industry, see how different sectors impact one another, and then decide if you want to specialize. Artie believes that the more you progress in security, the more you end up being a generalist anyway, so it's good to start there so you have that holistic foundation. Artie also encourages others to do the same; he helps people on his team shadow others in different areas of the company to get a better understanding of how they work.

Automation and Budgeting
Artie discusses how security and IT are sometimes not given the budget they need in order to excel in their areas. However, an unintended benefit of this is that CISOs and others who work in security are forced to become creative with their coding. Out of this creativity, you get CISOs who must automate certain functions because they can't afford the staff to maintain them. These automations are not only impressive but strengthen security.

Skills You Develop and Ditch
As you progress in security, there are certain skills you will need to develop, and others you will need to ditch. Artie examines which skills have been helpful to hone or drop in his career and the careers of those around him. He believes that as a leader, you must be able to communicate, translate, and influence. Listen to the episode to hear more about what Artie means by these skills. Artie emphasizes the importance of learning how to work with others, as well as learning how to delegate and manage. Instead of doing it yourself because it's faster, take the time to teach someone else so that they can have that experience.

Delegation
In particular, you must learn how and when to delegate. Artie relays that if you don't delegate, you stifle those around you. You don't give them an opportunity to grow their skills and their career, and as a result, they may not stay around for as long. Additionally, when you don't delegate, you signal to your team that you don't trust them. Listen to the episode to hear more discussion on how behavior in meetings can also affect trust amongst the team.

Responsibility of Growth
When discussing the leadership role, Artie reiterates that you must invest in the individual, letting people come on to special projects and allowing them to grow. If not, talent may leave. If you don't create an environment for growth, you'll not only lose that talent but struggle to acquire it. You may put forth a reputation of stagnation, which will turn people away. But whose responsibility is it to grow? The employee or the leader? Artie believes it's a bit of both. The leader needs to create a space in which the individuals who want to grow can do so. However, the employee still has to advocate for him or herself, asking how they can improve and take on more.

Hiring
When Artie is hiring, he looks for specific skills in interviewees. He looks for people who ask why and who like solving problems: people who are naturally curious. In addition, he seeks out those with verbal and written communication skills. Some people can write very well, but they don't always know how to effectively communicate or express themselves. Artie discusses how he asks certain questions in the interview that allow him to see whether those skills are present. Listen to the episode to hear how Artie approaches his interviews so he can better understand the candidates' thought process.

Influence
As a CISO—or any leader—you need to know how to influence others, as your job includes influencing a team and other members of the organization. Artie believes it comes down to trusting yourself and your abilities. In addition, he stresses understanding yourself, being prepared, and asking for advice from those you admire. As it's a newer profession, CISOs and those in cybersecurity must be self-reflective and always self-improving.

New CISO
For Artie, the new CISO is someone who understands their business, who leads and mentors others, and who gives people the tools they need to be successful.

Links:
New CISO Podcast
Artie Wilkowsky - LinkedIn

Jan 21, 2021 · 50 min

S1 Ep 40: Balance Budget and Tools by Rationalizing Your Security Stack

Gorka Sadowski, the CSO of Exabeam, joins us on this episode to speak about his decades of experience in cybersecurity and what he's learned about acquiring new technology.

Gorka's Journey
Although Gorka became Chief Strategy Officer for Exabeam only three months ago, he has over 30 years of experience in cybersecurity. Gorka has learned many valuable lessons along the way, especially during his time at Gartner, the global IT service management company. Each year, Gorka spoke to 600-700 clients and vendors about their successes and failures. Although rigorous, the beauty of this is that by speaking to many different clients, he was able to recognize patterns in what works and what does not. Both vendors and clients benefit from these conversations. Newfound knowledge emerges, which is then studied in a more formal setting and later published as research by Gartner. Non-Gartner research then complements what is learned in the conversations with Gartner clients and vendors.

The Pitch Problem
One of the biggest issues Gorka has identified is a misalignment between expectations of a product and the value proposition it's supposed to fill. He feels that vendors often take liberties in the pitch for their products, and sometimes the audience for the pitch can get caught up in wishful thinking. As someone who has spoken with both sides of this problem, Gorka feels it's best to begin with why: why does someone need your tool? Then work your way through the how and the what. He discusses Toyota and their message as an example of how the why aligns with the what. Listen to the episode to hear more on what Gorka means by this.

Building Trust
There is no shortage of huge claims or startups that promise everything. The CISO or the client organization needs to learn how to pierce through the veil and filter the messaging they receive, and they need to do so diligently. Gorka advises vendors to build trust by being consistent and having the humility to admit when your technology cannot accomplish what the client wants. Ultimately, this will help you. It takes time to build trust, which, Gorka reminds us, is not a binary quantity. Growing trust occurs with baby steps. Ultimately, things don't have to be perfect for things to be great.

What Covid Revealed
Gorka believes that Covid revealed that many companies are using outdated or underutilized technology. But the pandemic also brought out the need to take stock of what a company has and question whether it needs to be changed, updated, or encouraged. If you realize there is some old technology that isn't useful anymore, you benefit not just from getting rid of it, but from saving yourself the cost of maintenance. This will free up your budget for new technology.

The CISO and the Vendor
Many times, the CISO is—and should be—skeptical. Gorka believes you need a healthy dose of reality so that you can understand the factors at play and avoid being burned. By the time someone reaches the position of CISO, they can "smell the BS," as they know how to pay attention to body language and ask the qualifying questions. Gorka also stresses the importance of the CISO creating an engaged process to buy new technology. He encourages CISOs to bring in many people and get more of the company involved. Listen to the episode to hear more of his thoughts on this.

The Why, the How, and the What
Gorka gives advice for the pitch itself. He reiterates that the vendor and the client both have to understand why the tool is needed, in addition to how one can operationalize it. The organization must clearly see how they can embrace and implement this new tool. It's important to follow up with the specific question of what value this specific company can get out of this tool. Why is it good for them specifically? Gorka emphasizes how the company should have a checklist of what value they want out of the tool before the meeting with the vendor. They must understand what value they are seeking, and how this fits into their budget and mission. Listen to the episode to hear more about what both the client and vendor should do before and during the meeting.

New CISO
Gorka believes that the new CISO needs a good balance of preventative measures and the humble acknowledgement that things sometimes do happen. In addition, the CISO must pay attention to how the organization as a whole looks at threat detection, investigation and response, particularly utilizing analytics to help aid in the work. Listen to the episode to hear more of Gorka's thoughts on an analytics-driven, automated cyber security team.

Links:
New CISO Podcast
Gorka Sadowski - LinkedIn

Jan 7, 2021 · 46 min

S1 Ep 39: The Moments After a Major Breach

On today's episode, David Damato, the CISO at Gemini Trust Company, joins us to speak about what occurs within organizations during and after a breach—and what should happen for the best outcome. He emphasizes communication, confidence, and clarity.

David's Journey
David works for Gemini, one of the few regulated cryptocurrency exchanges out there. It is regulated by the New York Department of Financial Services, along with other entities. They must demonstrate that they're a legitimate organization, as the field as a whole has had a lot of problems. They prioritize building trust, and David believes the industry is evolving to a more mature state. Before Gemini, he spent about 10-15 years working at scrappy, small organizations. He had a lot of fun helping them grow into larger institutions and sharpened his expertise.

The Planning
David has aided over 100 organizations directly during a crisis, and indirectly has helped a couple hundred. In working with many institutions, he has found that the best outcomes occur when the company executes in an organized manner on the practice and planning they had done prior to the breach. Planning starts way before a breach and is structured around the architecture, the logging system, the data, and whether the team engages in mental exercises. David also explains that the size of the organization affects the outcome, as does security's status within the institution, and the two types of panic that arise: panic that people will find out, or panic over the safety of the customers and their data. How David is viewed, either as a help or a hindrance, reveals the priorities of the leaders. An organization can either be grateful for his team exposing flaws so that they can fix them, or they can try to hide mistakes. Listen to the episode to hear more examples of behavior that influences crisis management.

Branding and Communication
Next, David speaks on communicating both internally and externally about the breach. An effective security team communicates with the rest of the institution about the importance of the job. If you can advertise to the right people about the threat and what you can do, you can receive more funding. If not, you might struggle to solidify your place in the institution. David also points to the branding of the company as having an impact on how the breach is viewed or managed. He gives Google as an example. People have great trust in them, and they participate on boards and at events. When there was a breach, they talked about it, and talked about it in the right way. People already liked the business and the brand before the breach occurred, so they were more forgiving when it did. All of these factors helped the breach be better received. Additionally, the figurehead managing that breach is also important. David finds that non-technical executives need training so they know what to say when a breach happens. Without this training, executives can sometimes misspeak out of lack of knowledge, or overshare without realizing this could worsen the threat. He emphasizes training and practice. During and after a breach, how an organization communicates to the public is key. Therefore, those points of contact must be taken seriously: from phone calls, to interviews, to the letter. As an example, David and Steve run through a practice interview. Listen to the episode to hear what David presents as a solid response, an incompetent one, and the difference between the two. David reiterates that institutions should have relationships with reporters they trust and like. When these relationships are established, the news can be reported accurately by someone who understands cybersecurity. Additionally, the organization needs someone who understands what information should be public and what shouldn't, for the safety of everyone involved.

Evolving Controls
David touches on how many institutions need to catch up with evolving controls. Even non-vendor-specific measures, like two-factor authentication, should be standard practice by now. Small but important practices such as these can mitigate the risk of a large-scale breach. David states that most large companies still have outdated cyber security systems, as they've grown out of their old systems. They need a complete revamp of their methods and technologies. When you have this older system, it forces the security team to tackle an array of low-scale attacks as opposed to focusing on more advanced, dangerous threats.

Remediation Event
When a breach occurs, it can reveal an attacker that has been infiltrating a system for some time, even for years. When they've been in a system for that long, you have to assume that the attacker has affected everything. This warrants a remediation event, in which you have enterprise-wide password resets, a new set of controls, and the whole platform is taken off the internet. This occurs all within 48 hours. Now that many businesses are on the Cloud, David discusses how t

Dec 23, 2020 · 46 min

S1 Ep 38: Building a Student-Run SOC to Meet Threats Head-On

On today's episode, Aaron Baillio, the CISO of the University of Oklahoma, joins us to speak about his transition from the Department of Defense to higher education, how he managed merging teams, and how incorporating students into his SOC has benefitted everyone.

The Switch from DOD to Education
Before Aaron worked for the University of Oklahoma, he worked for the Department of Defense for 11 years. He reflects on how the DOD is primarily concerned with keeping secrets, whereas the higher education space is ultimately about giving away all the secrets. He loves how open the community is to exchanging ideas. Listen to the episode to hear more on what he learned in his transition.

Education vs. Commercial
Aaron also discusses the intrinsic values in education: how everything you do is meant to support the student and to help educate and prepare them for life. The DOD, however, is all geared towards supporting the soldier. He finds it very satisfying to be among young people. It's also important to note that the salary in the education sector is about 12-13% less than in the commercial sector. However, education will offer free tuition for dependents, like children, and provides a better work-life balance, as they can't compete on salary. Aaron also speaks on the different security perspectives between the Department of Defense and education. Listen to the episode to hear how one field offers very ad hoc or tribal knowledge, whereas the other provides methodical training.

Changes in the Job
When Aaron first began, there was already a CISO, and then 9 months later, the CISO left. He had to learn how to adjust while still adjusting to the job. Then, 4 years later, the CISO left again, during a time of immense change for the university. Aaron rose to the occasion and moved into the role. His advice during times of change in your institution is to perform at least at the same level, if not better, than before the change. He reiterates that you cannot slack. He learned that he had to let go of some of the technical information and focus more on the management side of the job, as well as learn the multiple layers of politics.

Taking on the Leadership Role
Fortunately, Aaron felt like he was supported by the university during his transition to a new role. He gives advice on what to do if your institution doesn't support you. He encourages listeners to get involved with charitable organizations or read books and listen to podcasts on leadership. However, you will learn more when you're practicing leadership, so it's best to join organizations.

Centralization at OU
- Campuses were disorganized and disconnected.
- Then, a few years ago, they acquired a new president who wanted to centralize and consolidate the campuses.
- Each campus had its own IT department and budget, so he had to oversee how to integrate them with grace and rationality.
- The biggest hurdle was standardizing the technology.
- While the faculty are state employees working towards tenure, they also act like contractors because they receive grant money and don't want to conform to a standard way of doing things.
- Managing people's feelings was the greatest difficulty.
- The people who didn't want this amount of change left the organization.

Student Incorporation
Aaron tells the story of a student coming to him and asking to learn cybersecurity. This sparked him to begin teaching a class on the 10 domains. Listen to the episode to hear his story. He also discusses how the industry wants people to have experience to get any job in cybersecurity, but they can't get experience without a job. It became clear to Aaron that graduates of OU were struggling to get jobs because they didn't and couldn't have experience at 22 years old—this especially depends on where you live as well. He speaks on how he thinks the industry got to this point and how every year, hundreds of thousands of cyber positions go unfilled, and not because of a lack of talent. He urges CISOs to create more programs and opportunities that feed into the industry. Aaron started hiring students and incorporating them more into his cybersecurity team to give them that experience. He built a SOC with a student slant two or three years ago, and since then it's only been a great experience of refining raw talent and helping place students into jobs after the program. Everyone benefits from this setup: the team gets more help and students get experience and exposure. Aaron believes that many students have the passion, energy, and fire to do well, but they need a firm or mentor to help them channel their energy into a productive source. He encourages CISOs to expose the younger generations to the possibilities of this field. Listen to the episode to hear more on how Aaron accomplished setting up a successful program, how he runs it, and how everyone benefits.

Internship Expectations
Aaron discusses how other industries have interns and expect graduates to have internships. They set up programs to help them with g

Dec 10, 2020 | 1h 2m

S1 Ep 37: 2021 Cybersecurity Trends

On today’s special episode of The New CISO podcast, Steve Moore chats with Deneen DeFiore of United Airlines, Colin Anderson of Levi Strauss & Co. and Charlie McNerney of Expedia on what it’s been like to be a CISO during the pandemic.

COVID and the Airline Industry
Deneen begins by discussing how she became the CISO for United Airlines right as COVID hit. When the pandemic reached the US, there was a lot of fear that the airline would not make it. Because of this additional stress, Deneen focused on what the priorities were from a business standpoint. She touches on how her team had to juggle the increase in cyber criminals and threat actors while maintaining the business and transitioning to telework. This amalgamation of challenges made her assess what gives the most bang for your buck in terms of security, especially when the business is already tightening its budget to survive the pandemic. In terms of technology, Deneen and her team had to ask themselves what technology would help and protect the business right now and what could be put on hold. The incredible plans they had for the future had to be pushed back and implemented at a later date.

Adjustment for the Airline Industry
Like Deneen, Charlie is in the travel business, and speaks on how the change wasn’t gradual but sudden. Expedia had to adjust quickly, which was taxing from a digital and physical perspective. He says they had to focus on the most important questions: how do you take care of the employees as well as the travelers? In addition, how much self-care do you have for your system? Like every other business, Expedia’s initial plans had to go out the window. Then they had to develop new plans and implement them effectively. In terms of the future, Charlie points to the new catchphrase: there was a lot of perspiration to shut everything down, but there’s also a lot of aspiration to open up again.

Opportunity in the Time of COVID
Colin discusses how, while Levi’s experienced a dramatic decline in revenue, they thought they could innovate and come out of the pandemic better than before. The challenges they have faced have forced creativity and technology to evolve. While revenue is still hurting, they’re investing in the future. This situation has forced them to do 2 years of change in a 6-month period. Overall, he feels these past few months have been challenging but exciting.

Priorities for 2021
Going into 2021, Deneen and her team are focused on safety and less interaction. They are coming up with a system that keeps everyone safe by using more online measures, biometrics, and new technologies. Unlike before, they now need to collect more health data, and find themselves with a greater dependency on digitization and automation. Biometrics, for example, used to be a nice thing to have, a bonus element. Now, however, it’s a necessity. Listen to the episode to hear more about how they’re streamlining their process and expanding Clear.

Updates during COVID
Colin and his team used lockdown as an opportunity to update software and hardware that they had been wanting to update but that would have been too disruptive under normal circumstances. Because of this, they were able to push forward new solutions. Historically, the security budget was focused on enterprise security, with a small portion carved out for product security. Now, that has flipped. Listen to the episode to hear more about Colin’s perspective. Colin also discusses the importance of protecting the consumer and protecting the trust between the enterprise and the consumer, especially for a consumer-facing business. He also touches on how to maintain trust with the customer, as well as placing yourself in the position of the attacker in order to better combat threats.

Perspective on Risk
Deneen relays how she and her team are altering their view of and approach to risk. She believes the industry must move to a dynamic view of security. A security team can’t just check off the boxes and pass a test; they need to be constantly updating and evolving. She also believes that organizations need to do a better job of integrating intelligence from all different sources. Listen to the episode to hear more about how she thinks the industry needs to evolve.

Third Party Risk and Increasing Issues
All three guests speak on mitigating third-party risks through universal participation and cooperation. Not only do customers have to understand risk, so do the employees. They believe that CISOs need to focus on the supply chain to help mitigate third-party risks. Charlie has had partners compromised, and because of this they have had to cut off access to data. He says it’s challenging, but the business understands it because the number one priority is to protect the company, employees, and customers. The issue, as they deliberate, is that every large company has hundreds of thousands of suppliers, which makes them more vulnerable. Each partner has a different risk and different

Nov 26, 2020 | 59 min

S1 Ep 36: Are Hiring Policies Driving the Cybersecurity Skills Shortage?

On today’s episode, Steve Marshall, the CISO of the UK Group for Byte Software, discusses how he moved from biophysics to cyber security, how security impacts business decisions, and why he thinks the industry’s hiring process is overlooking talent in favor of certifications.

Steve’s Journey
Steve originally studied physiology and was on his way to receiving his PhD when the IT world called to him. He ended up not completing his degree in order to work in IT, become the head of the department, and eventually move into security across North America and the UK. For the past fifteen years, he’s been in a management position. Listen to the episode to hear more about his journey and how he went from physiology to CISO and CIO.

What is “good”?
Steve thoughtfully questions what a “good” CISO is in this episode. He believes there is no single answer, as each company needs something different. Steve also observes that the industry is moving towards people with blended skill sets and different backgrounds, and therefore “good” for one organization could mean merely adequate for another. As technology is changing so quickly, the traditional standards of what a CISO should be, what qualifications they should have and what they should do are rapidly changing. To Steve, a “good” CISO fulfills the needs of the individual company, and also challenges that company to do better.

Security and Business
Like many CISOs, Steve initially struggled with talking to boards. He understands that many security people are really passionate about security and care about the business, so when they see the business making decisions that put it at greater risk, they are bothered. However, Steve believes that they aren’t seeing the whole picture and miss the other factors that are driving these decisions.

Reach Across the Aisle
In order to get around this tunnel vision, Steve encourages CISOs to build connections with the movers and shakers of the other teams so that you can better understand what drives decisions. Steve goes on to explain why understanding different teams is imperative for business decisions, internal support, and collaboration. He stresses that the key is to listen. Steve attends meetings across different fields within the company to get a better idea of what each team is working on and what their needs are. Additionally, he tells a humorous story about how listening to the conversations during a smoke break made him well respected in his company. Listen on to hear that story and how connecting with other leaders makes you and the company stronger.

Steve’s Two Roles
Due to the dual nature of his roles, Steve has to sit in many sales meetings, while the typical CISO does not. No matter your role in security, every company is trying to sell a product, and it’s important to understand the sales team so that you can better assist, but also so that your voice is respected and heard when you have something to say.

Who Owns the Risk?
While many CISOs feel they own the risk, as we have discussed many times on this podcast, Steve feels that he doesn’t own the risk. Instead, he feels the business does, as it’s the one that succeeds or fails based on the risk itself. Steve’s perspective is that he’s in charge of understanding the data and making that data clear to the higher-ups, but he doesn’t own the data itself. We talk about how you need to have a mature and respectful conversation with the other teams in the business in order to come to a consensus about risk. Listen to the episode to hear Steve’s perspective and how this view of ownership affects the communication around the risk level, the proper controls the security team needs to put in place, and who signs off on risk decisions.

Reporting
When reporting to the CEO, Steve recommends focusing on the impact on the business, the future of the business, and the overall picture. As other guests have said, Steve encourages CISOs to align their reports with business strategy. The CEO doesn’t care about, or have time to hear, all the nitty-gritty details—that’s why they hired you. Steve chooses to focus on security as it relates to the objectives of the business, and on what will impact or support those objectives from an acceleration or goals-based perspective. It’s about speaking the business’s language, and not boring management with unimportant details they don’t care about. Listen to the episode for more in-depth advice on how to effectively communicate security issues to management.

Answering Security Questions
Oftentimes, management teams will reach out and ask CISOs questions about security risks they’ve read about in the news. Not all management teams will be as proactive, but you will eventually find yourself in a situation where you have to answer unprompted questions. Steve’s view is that the higher up you go, the less time people have, so he suggests answering succinctly in a way that explains how the security question relates to them.

Diversity in the Hiri

Nov 12, 2020 | 50 min

S1 Ep 35: Translating Your Military Experience of Operationalizing Security into the Private Sector

On today’s episode, Jeff Schilling, the CISO of Teleperformance, joins us to discuss the transition from a security career in the military to the private sector, the importance of relationships, and security in relation to the Cloud.

Transition from the Army to Civilian Life
Jeff recounts his career as a CISO, first discussing Teleperformance, which he joined this year. He then dives into the 24 years he spent in the military, which ended with his retirement from the US Army as a Colonel in 2012. Though his army career was very varied, he loved every part of it. When he left the military, Jeff did a 180 and decided not to work in government, which proved a more difficult path. He learned early on that the threat profile is very different in the civilian sector than it is for the military, as is the way that threat is discussed. One of the hardest parts of the transition is the lack of basic security knowledge or awareness in the civilian sector. In the military, everyone is speaking that language and thinking about security and the security operations center. Listen to the episode to hear more about the challenges that Jeff overcame and the insights he learned.

Thorough Examination
One of the other important lessons the Army taught Jeff was diligence. He approaches every potential threat or breach with a thorough process. He believes that while many security officers excel at stopping a crisis in the moment, they forget to step back and assess why that crisis occurred in the first place. Jeff speaks on how, after a breach, many SOCs place the work on the IT team. However, he believes that everyone involved should examine what actually went wrong and make an effort to document the incident correctly. If the incident is documented thoroughly and accurately, then leadership has a better chance of properly understanding what occurred and how to prevent similar breaches in the future. At the end of the day, Jeff says “it’s what you measure, and how you measure it.”

The Importance of Relationships
Jeff next speaks on how he has witnessed many CISOs and CIOs say they will never work for each other. He believes this is the wrong attitude, because those are all people who can help close your security gaps and make your job and life easier. He acknowledges that you don’t need to be buddy-buddy, but you do need to understand how someone else’s goals intersect with your own. Jeff touches on how this relates to viewing the SOC as a whole. He advocates for a normalization of data across all sectors in risk management. Data needs to be translated into a risk statement that makes sense to that risk officer in order to show the gravity of the situation in a way that is clear and understandable. Listen on to hear more of Jeff’s thoughts on why clear communication and respectful relationships affect security.

Elevated Privileges
One area of security that Jeff points out as currently weak is the protection around elevated privileges. He illuminates how many major breaches have been the result of a security issue with those who have elevated privileges. For example, the lack of a two-factor authentication code for execs, because they don’t want the extra step of looking at their phone, poses a threat to security that could easily be solved.

The Security Environment in the Cloud
Jeff recounts a funny story in which he wound up speaking at a Cloud security conference as the expert for the Department of Defense, when only a few weeks prior he had to Google what the cloud was. Listen to the episode to hear how this amusing antic occurred. In talking more seriously about the Cloud, Jeff asserts that it’s actually easier to defend in the Cloud, as he no longer has to wait for someone to go to a data center and make sure all the right wires are in the right places. Now he can design strong architecture via software, with lots of efficiency gains and less overhead. In focusing more on building security around the Cloud, he emphasizes communication and integration between developers and analysts after the initial building of the Cloud software. On this story, he also reflects on the importance of public speaking. While he does reiterate that it is a learned skill, he encourages our listeners to speak at events if asked. He specifies to leave room at the end of your speech for Q&A, as that is the most valuable part of the event.

Adversary Behavior in the Cloud
In order to fight against persistent adversaries, Jeff believes you need to have a rapidly changing, healthy environment. Unfortunately, he states that elevated credentials are still weak points in the Cloud environment, in addition to development staff being particularly under threat. Listen to the episode to hear more about the significant changes in security as a result of the Cloud and how to tackle them properly.

Tips for Security in the Cloud
We also expand our discussion to cover specific tips for analysts and developers listening to the podcast now. Jeff says tha

Oct 29, 2020 | 52 min

S1 Ep 34: Culture Eats…Security for Breakfast

On today’s episode, George Finney, the CISO of Southern Methodist University, joins us to discuss how cybersecurity is a team sport that depends on openness and collaboration, and to examine how culture can directly impact the likelihood of a future breach.

How a Law Degree Helped George
George Finney is an accomplished CISO with a more unique background: he has a JD. While it’s becoming more common for CISOs to get an MBA, it’s rare that they would have a law degree. He attended night law school while working full time, reading thousands of pages of dry legal cases. George reflects on the process and says it helped push him to a new level of work, made him more efficient, and helped him understand the big picture of “why” in cybersecurity. George says receiving higher education made him more curious and gave him more of a global understanding of the business. While he doesn’t encourage every CISO to apply to law school, he points out how useful it can be to understand security through a lens other than a technological one. Additionally, higher education degrees help CISOs with employment opportunities.

Advice for 25-year-old George
George reflects on what advice he would give his younger self. He focuses on how your career is a process; he’s worked corporate jobs, startups, and attended law school. He believes that those different experiences can help prepare someone for a leadership position. He tells his younger self to embrace variety and wishes he had pursued more diversity in his career. He touches on how he’d tell his younger self that cybersecurity is a team sport, which we delve into more later.

The Healthy Leadership Mindset
Traditionally, there is the idea in cybersecurity that the problem is always people-based, or that certain people are to blame. However, this pervasive attitude discredits employees and doesn’t allow them to rise to the occasion. George speaks on how leadership needs to include mentorship, and needs to want people to succeed instead of just waiting for them to fail. Listen to the episode to hear more about the dangers of writing people off as “dumb” instead of taking the time to help them improve.

The CISO that Cried Wolf
George also discusses how the fear of being poorly perceived can impact security. He gives the example of Robert Ebeling, the engineer who tried to warn NASA about the space shuttle Challenger. Unfortunately, he was ignored, as he told his management something NASA didn’t want to hear, and as a result the astronauts died. We speak on the nuances of navigating the CISO position, as its purpose is to raise the alarm when necessary. We talk about how you don’t want to be the CISO that cried wolf every time there is potential for risk. However, you also don’t want to keep quiet out of fear. Listen on to hear what George has to say on this topic.

Well-Aware: Master the Nine Cybersecurity Habits to Protect your Future
- Whether you are a technical or non-technical leader, you can benefit from this book through the lessons in its historical and psychological examples.
- George wrote the book because he wanted to help CISOs bridge the gap in speaking to other leadership positions within the company.
- It is a professional development book for CISOs specifically.
- It focuses on habits and small challenges that can make a huge difference.
- Adjusting these habits can potentially help prevent attacks.
- Listen to the episode to hear more on the nine habits and more about George’s book.

Leadership in the Time of COVID
George urges team leaders to have extra compassion at this time. People are now in a seven-month-long stress period—whether with kids at home or worrying about elderly parents. As a leader, it’s important to understand that your team isn’t going to perform as well as they did last year, and to be empathetic.

Phishing
As a result of COVID, phishing is up, perhaps because attackers recognize people are vulnerable at this time. George discusses how he sends out phishing emails to staff in order to test which campaigns are more effective than others. In studying psychological data, he discovered that analytical thinking is much higher in the mornings than in the afternoons, and that users are 10x more likely to click on his simulated phishing messages. Listen to the episode to hear how to incorporate this knowledge into training and how to adjust behavior to avoid this.

Culture
We reflect on how company and national culture can have an impact on security. The company culture of the never-ending workday, i.e. the expectation to answer emails at any time, even late at night, also feeds into phishing. In certain nations, questioning is more accepted than in others. This national culture on top of corporate culture can influence the likelihood of a future security breach. If people understand that learning and asking questions is safe, they may be less likely to click on a phishing email.

Cybersecurity and the Culture Audit
Diving further into this topic, George looked at the Glass Door

Oct 15, 2020 | 46 min

S1 Ep 33: Managing Risk While Building Trust in a Post-Breach Environment

On today’s episode, Charlie McNerney discusses shared responsibility in cybersecurity, the idea of trust, and how diagnosing a problem before treating it has aided him in his career.

Early Retirement and Intellectual Income
After working 25 years at Microsoft, Charlie retired early. Six months later—after getting a boat and a dog—he found himself bored and seeking what he calls an “intellectual income experience.” After a phone call from a friend, Charlie ended up consulting for Expedia Group, and eventually came on as a full-time CISO. Listen to the episode to hear more about what an intellectual income is and what it means to Charlie.

Shared Responsibility
In setting up Expedia to understand what they need in a CISO, Charlie had to encourage them to question whether they understood their current risk posture and who was responsible for risk. He delves into how a company can value risk and actively try to understand it, as the Expedia Group does, but still wonder who certain tasks fall to. Charlie relays how imperative it is to convey that everyone shares the responsibility for risk. We discuss the importance of recognizing how anyone can impact risk and how the security team needs to articulate this to the rest of the company.

Trust in a Company
Charlie also touches on how every company is at risk nowadays from hackers or breaches, as every company is now a tech company. As a result, trust in the company, whether from customers, suppliers or between employees, is so important. In order to be effective, security needs support and trust from the rest of the company, especially from company boards. If boards can value trust in the company and understand how that impacts finances, then security can be more effective.

The Medical Model for Security
Charlie believes in following the medical model in his approach to cyber security. What he means by this is to copy the way doctors tackle illness: symptoms, diagnosis, treatment, recovery. If you treat a problem before you diagnose it, that leads to malpractice—the same applies to security. When you discover symptoms, you need to put the security risk in terms of their transactions, not in terms of risk. Charlie encourages CISOs not to sensationalize and scare people until you actually know what’s going on.

Building Trust During a Crisis
As we’ve discussed before on this podcast, having a playbook before there’s a crisis is imperative. What Charlie points out is also making sure everyone is aware of the playbook and comprehends it before a breach. His advice for a CISO during a breach: focus on data and don’t feed into fear. In addition, it’s important to communicate properly with other teams within the company. Listen on to hear what Charlie believes security teams need to convey to other departments in the business.

Competition and Cooperation
Charlie reflects on what advice he would’ve given his younger self. To him, when you’re younger and trying to understand your position in the company, you can get competitive with yourself and others. When you’re in that competitive mindset, you miss out on the cooperative mode. Charlie delves into how focusing on a title can cost you relationships that you will need later. He shares his advice on how to be collaborative with others and how to have better emotional intelligence. Listen on to hear more about why cooperation is better than competition in the workplace.

Being a Respectful Leader and Finding Respectful Leadership
In this episode, we converse on how you need to love what you do, and how even if you enjoy your job, if you hate your boss, you’ll hate your days. Charlie disagrees with the mentality of living for the weekend. Hear what else he has to say on the significance of work culture.

Legacy in Leadership
Charlie brings up being cognizant of legacy when you are a leader. He challenges our audience to ask themselves if the work they’re doing is something they’re willing to put their name on. He urges people to be intentional about the jobs they take and what they do in those jobs. Listen on to hear more about how legacy can take many forms and be remembered in different ways.

Mentorship
Charlie dispels the idea that your boss always needs to be your mentor. Instead, he encourages you to seek out other mentors and to keep seeking until you find someone who can guide you. He believes that having the right mentor will set you apart in your career.

Hiring Process during COVID
Though COVID has disrupted our everyday lives, Charlie reiterates that hiring remotely doesn’t need to be difficult. He is still looking for someone with energy who wants to be at the company. Those young, energetic people are who Charlie wants to build up and help grow. In addition to the hiring process, he discusses how to be an engaged leader when it comes to promotions. He emphasizes specificity and clarity in reviews and feedback. Listen to the episode to hear more on how to change meetings into coachable moments.

The New CISO
Where t

Oct 1, 2020 | 54 min

S1 Ep 32: Lessons Learned from the “First CISO” Part 2

On today’s episode, we continue our conversation with Steve Katz, the first CISO, and discuss the importance of understanding yourself, your role, and the company for which you work.

Marketing Yourself Within the Company
One of the things that Steve stresses is that you need to be able to market yourself and the role of CISO to the rest of the company. It’s in your best interest to know how to articulate why cybersecurity matters and how it impacts the business. In order to do so, you must first understand the company and its products, because only then can you effectively explain how your position can help the business. Listen to the episode to hear more about Steve’s thoughts on business-relevant security.

Your Mission and Foundational Principles
One question Steve always asks CISOs is whether they have read the company’s mission statement. Steve believes it’s a big problem to ignore the fundamentals of a company. Additionally, he advocates for every CISO coming up with a mission statement for their own team, and aligning that mission with the company’s mission. He recounts how coming up with 5-10 foundational principles changed the group mindset, provided clarity to the work they were doing, and overall changed the culture of the team.

The Citi Breach and the First Time “CISO” was Used
Steve recounts another incredible tale about how an enormous breach at Citi led to the solidification of his role as CISO, and to the coining of the term. He joined the company when they were experiencing a security issue and were losing valuable bank customers. In this episode, he relays how he had to meet with the top 20 customers to ask them questions about security, and to answer their questions. He was expected to keep only 50% of those customers after his meetings. He came back with all 20 customers. Listen on to discover what questions he asked them, and how he managed to maintain their trust and business relationship.

Know Yourself
We discuss the importance of knowing yourself as a person and how this affects your abilities as a CISO. Steve encourages you to understand your strengths and weaknesses—and to hire someone who can compensate for the areas in which you struggle. He admits that he excels at identifying talent and getting work done efficiently but can’t handle details. He is honest with us today to encourage you to be honest with yourself and to act accordingly.

The Customer’s Perspective
Though only briefly touched upon, Steve reiterates that you must make an effort to keep the customer’s perspective in mind. In this regard, he hired only multilingual regional officers who could therefore explain the security problem in the local tongue. This made them a friendlier face that welcomed a more trusting relationship.

The C’s of Finding a New Job
Steve also runs through his criteria for the job search, which he calls The C’s. The C’s include challenge, commitment, chemistry, culture, clarity and compensation. What he means by this is how challenging the job is, how committed the company is to resolving issues, what the chemistry is between you and the person you’re reporting to, the workplace culture, clarity as to what success looks like, and lastly compensation. He stresses that compensation is the last C to prioritize. Listen to the episode to hear Steve expand on The C’s and why compensation is actually the least important criterion.

Meetings with Vendors
When it comes to meetings, Steve believes that vendors need to do their homework, be clear, and get to the point. He shares a humorous tactic for how he got vendors to sell quickly and effectively. He also tells us the one question he asks at every vendor meeting, and why you need to be extremely cautious when planning a live demo. Check out the episode to hear Steve’s tactic and the question he always asks.

The Evolving CISO Position
Steve believes that the CISO will evolve into two positions: a Chief Information Risk Officer who reports to a Chief Security Technology Officer. He explains that the CIRO defines the what and the why, while the CSTO takes care of the how. These roles speak two different languages and therefore need to separate into two different positions. While one acts as a risk advisor to the board, the other deals with how the team will tackle combatting the risk. Steve discusses why he thinks it’s imperative to separate the roles and how, by not doing so, you will erode your authority and legitimacy with the board. He explains that he already sees this split occurring and that you should take some time to reflect on what your strengths are and gravitate towards either the CIRO or CSTO position.

The New CISO to Steve
Lastly, Steve talks about what the new CISO means to him. He believes that the challenge is greater today than ever before and that leadership is now taking a real interest in cybersecurity. Therefore, the new CISO should redefine and redirect the program, and think seriously about bringing in data scientists to

Sep 17, 2020 | 38 min

S1 Ep 31: Lessons Learned from the “First CISO” Part 1

Early Days of Security at Morgan
Steve first began working in cybersecurity at JPMorgan, then known as Morgan Guaranty. He recounts the attitude towards CISOs in the 1980s, when many people didn’t really have a concept of cyber security or what it looks like. When Steve started, he had to change access rules and work against the resistance to PCs and Apple technology in banks. Listen on to hear his stories and how he overcame skepticism towards cybersecurity.

Building an Active Community
One of the many amazing experiences Steve tells is how all the data security officers from the NY banks would get together every three months. They would spend the morning eating donuts and drinking coffee, but also exchanging contact information, discussing what was going on in the field, and brainstorming together. Before Twitter—or even just the internet—the CISOs would connect over breakfast and help each other out. In this episode, Steve recounts how 12 officers from different banks helped him make a deal with a difficult vendor.

A Board Presentation and its Lessons
One of the best, and most valuable, stories Steve describes is from the early 80s, when he and his team discovered several PC viruses. When he told his boss, Steve had to stand in front of the Board of Directors with zero prep work and explain what computer viruses were and how they could impact Morgan. In under three minutes, he had acquired $400,000 to implement antivirus techniques. In this episode, he relays the incredible story and the life lessons he learned about communicating with executives and why being transparent is best.

Effective Explanations
Steve puts forth his theory on how most executives view themselves and how this influences the way in which you need to explain cybersecurity matters. He urges CISOs to go through everything carefully and logically, and to rehearse their explanation beforehand. He says your explanation needs to pass the “grandma test” before you speak to an executive. Listen to the episode to discover what he means by this. Steve also illuminates why a lot of security people struggle to explain themselves. He points to who they surround themselves with and how they need to shift their thinking when speaking to leadership.

Unrealistic Expectations and Stress on CISOs
In this episode, we also touch on how studies have shown that CISOs tend to have high levels of substance abuse, divorce, and poor physical health, all from stress, as we’ve discussed in previous episodes. Steve believes the problem is in how we define what goes with the job. CISOs go in afraid of being fired after a breach, but the industry hasn’t accepted the fact that a breach will happen. Every CISO gets fired at some point, but Steve states that you should get fired for doing the right thing, not the wrong thing. He encourages CISOs to come into the job by being clear about what’s feasible and what’s not: to explain that there’s no perfect cure, but that we can reduce risk, and to build trust and credibility with the executives. Most of all, don’t make promises you can’t keep. On this topic of the relationship to executives, Steve encourages CISOs to get to know the leadership before there’s a problem or breach, so they know who you are when it happens. Let them know why you’re there and what’s important to them, not to you, by focusing on business risks. Present these risks as you understand them, their impact, and the ways you can potentially mitigate them. To help buffer personal stress, he explains why the ultimate risk is on the business itself and not on you, and how who you are isn’t the same as what you do.

What Steve Loves about the Job
While there are many stresses to the job, Steve brings up what he loves most about it. He feels stimulated by the constant challenges and loves the cybersecurity community. Listen to the episode to hear more about why this community means so much to him and why, in his opinion, it’s the best professional community out there.

The New CISO
Lastly for Part 1, we discuss what the new CISO means to Steve. His answer may surprise you. Tune into the episode to find out what that is.

Links: Exabeam: Website New CISO Podcast LinkedIn: Steve Katz

Sep 3, 2020 (38 min)

S1 Ep 30: The Benefits of Finding a Security Vendor Who Can Act as a Trusted Advisor

Improving the Sales Process
In this episode, we discuss how and why it’s so difficult for a security team leader to discover new trends in technologies in a safe and effective way. Damien points out that it can be challenging to discern who and what to rely on when broaching new systems. Listen to the episode to hear more about how to find the right balance: someone who understands the company and the importance of building a long-term, trusted relationship.

Advice for the New Salesperson
One of the first points that Damien brings up is that the best way to increase your sales isn’t always trying to sell everything new. Rather, he encourages the salesperson to focus on building sustainable and genuine relationships with clients, which will then result in introductions to others in the field. We delve into why CISOs tend to shy away from salespeople and what to do about it.

Reaching Executives You Don’t Know
If you are in sales and struggle to cut through the hesitation and cynicism to reach executives you personally don’t know, how can you do your job? Damien suggests several strategies, including referrals and what that requires, as well as attending conferences and how to properly go about starting conversations with new people.

Two Types of CISOs
In examining the culture around CISOs, Damien identifies the two personas that frequently crop up and the problems with each. First, there are the traditional CISOs who are aggressive in order to reach the top of that particular environment, and as a result can have a superiority complex—even towards other CISOs. Unfortunately, these people are hard to change when it comes to sales relationships. Then, there are the steady and calm leaders, who have consistently delivered. However, sometimes they feel overwhelmed, and when they get cold sales calls, they can be dismissive. Damien reminds us that everyone is human and to give everyone a chance.

Social Hierarchy of CISOs
In this episode, we talk about what good-natured CISOs can fall prey to, and what we mean by a “Hollywood” CISO. Damien identifies real leaders as those who want to learn, but also want to pay it forward through education, experience and introductions. He believes this is what makes a good CISO with a longstanding reputation in the industry.

The Problems with the Award Systems
The idea of “Hollywood” CISOs brings up the point that some companies have better marketing and PR, which results in the same individuals winning awards. We discuss how, unfortunately, this creates a boys’ club, so to speak, that ends up shutting out those of different backgrounds, cultures and experiences. Listen on to hear about the consequences of generating a myopic view of leadership.

Factions in the Industry and Shifting Positions
Damien delves into how, particularly in Australia, the CISO is starting to morph into the CSO, and into the factions that are forming in the industry. While some people believe the position is all about the tech and data, others believe it incorporates consideration of the work culture and organization. Although there are different theories, one thing remains clear: one person can’t carry all the responsibilities anymore. Listen on to discover why this fragmentation occurs and how leadership backgrounds provide different lenses through which to view the role of a CISO.

Misaligned Incentives and How Capitalism Affects the Technology
We delve deep into how and why politics and business now seep into technology decisions. Capitalism pushes companies to look for growth from year to year, which incentivizes employees but can also have many negative consequences. We touch on how this affects salespeople and creates a vicious cycle for them, as well as how it breaks down their relationships with CISOs. As the industry sometimes forces growth, new software is rushed through with little time spent on design and testing. We discuss how this rushed process impacts the software itself, the product team, and the use of the program, with potential mistakes. Damien advocates for not trying to tick a box, but rather seeking out added value for the business.

Remediation
As a result of this rushed software, we touch on the importance of remediation and its business consequences. Damien brings up the prevalence of half-baked installations that remain in the network once abandoned, and the importance and cost of cleaning those out.

Offshore Vulnerability
We shift our conversation to focus on how COVID-19 highlights vulnerabilities of organizations with offshore facilities. Companies must decide if they want to pay to bring those services back onshore, or relax standards and let people work on sensitive information from home in different countries.

COVID-19’s Effect on Australia and Why a Vaccine isn’t a Simple Fix
As Damien is a part of Deakin University in Australia, he touches on how COVID-19 has greatly affected one of Australia’s top three exports: education. With a travel ban, foreign students can’t com

Aug 20, 2020 (1h 2m)

S1 Ep 29: Why the “Shiny New Thing” in Cybersecurity Isn’t Necessarily the Best Solution

In this episode of the Exabeam Podcast, the host, Steve, and guest Chris Ard discuss the more human aspects of the CISO role, effective leadership, and how complacency can be a dangerous quality.

Work-Life Balance
The first topic we covered was finding a work-life balance that benefits you and your family. Chris spent twenty years working for Microsoft, traveling all over to companies with major security breaches and helping them control the situation. Although he learned a lot and loved his job, he realized he barely spent any time at home, and when he did, he was always on calls. We discussed how easy it can be to settle into a role that you enjoy, but then end up remaining in your comfort zone. Only once Chris took a new job did he find himself growing once again and spending more time with his family.

Good Talent, Bad Breaches
Spending two decades assisting different companies, Chris picked up on an interesting discrepancy between the talent and the security breaches. While breaches happen to everyone, some seem completely avoidable or like a mistake. As we talk about, many companies hire talented, intelligent people—and yet these preventable situations occur. Chris weighs in that many times, leadership can influence the strength of the security. If a CISO is willing to accept cookie-cutter systems as opposed to implementing a more holistic approach, their security can suffer.

M&M Model
Chris outlines a great metaphor for the condition of many security measures—the M&M model. The team has built a hard exterior with a soft interior, meaning that once an adversary has breached the initial wall, it is free to move about in that environment with no obstacles. Listen on to hear more about how this happens.

Bad Actor Residency
We also speak on how it can sometimes take not just weeks, but months or even years to detect bad actors. We point to reasons why adversaries can remain in an environment for so long, and how teams or companies can overlook root causes.

CISO’s Ownership of Breaches
In today’s episode, we also pull outward to look at the hiring and firing system of CISOs and how it may not be the most effective system. When there is a breach, the CISO often takes the blame—so much so that they end up having to leave. The issue with the CISO leaving is that they can never learn where things went wrong for that program and work towards growth. Listen on to hear about the teams Chris has encountered that do not get rid of their CISOs and how this affects their security overall.

Invested Leadership
The extent to which a leader makes an effort with the rest of the team has a surprising impact on how well that team performs. From sitting down with junior analysts to receiving less filtered information, CISOs can transform how their team handles a crisis just by getting to understand them and their concerns prior to that crisis. Additionally, we touch on how common it is for leadership to be pressured to alter assessments to fit certain initiatives.

Marathon or a Sprint?
The intense schedule of any CISO causes us to ask if this job is really a marathon or a sprint. In a way, you have to maintain the energy for daily tasks like a marathon, but in other ways, you burst towards the finish line while trying to stop a crisis. In thinking about the CISO burnout rate, we debate how more problems can arise if one side is neglected, or if team communication breaks down, leading to wasted energy. Hear about our different opinions on the matter in this episode.

Pen Testing and Compliance
A great point that Chris brings up is the failures of pen tests, and how we can improve them. Oftentimes, the pen testing is so restricted that it fails to foster a realistic crisis situation, leaving the team out to dry when there really is a crisis. As we point out, some companies would rather appear solid now, only later to be proven wrong, than look weak upfront and solve real issues. Along with this pen testing is the idea of compliance. We perform the test annually in order to comply with industry standards, but as Chris says, we need more. We need more to motivate us to do well than just compliance—we need meticulousness and hard work.

Continued Education
In this episode, we also discuss the importance of always pushing to be better. Chris highlights that CISOs get good at their day jobs, but they don’t always push themselves to learn better crisis management for when an incident does occur. As the landscape is constantly changing, we must change along with it in order to be able to assess new types of threats.

Marketing
While the security team does not bring in revenue, it can certainly help prevent revenue loss by allowing the rest of leadership to focus on their goals. That’s why it’s important to explain what the team is doing and why it’s important to the rest of the company.

Culture
When transitioning to a new position, Chris stresses the importance of not just getting to know your team but also other executive

Aug 6, 2020 (49 min)

S1 Ep 28: Making the Leap from Engineering to Cybersecurity Leadership

In this episode of The New CISO Podcast, the host, Steve, and guest David Rule of HarbourVest discuss the skills he learned to transition from engineering to executive management, the evolution of leadership styles, and better ways to prepare for crisis management.

Transition from Engineer to Executive Manager
The first topic we covered was David’s transition from being on the tech side of security to assuming a CISO position. We discuss how this change may be more challenging than originally anticipated, so in order to focus on developing leadership skills, David suggests entering a management role in a field with which you are familiar. He understood security and coding, and therefore could spend more of his time learning how to be an effective leader.

Nontechnical Managers
While David’s path benefitted him, we also talked about the growth of more nontechnical leaders in cybersecurity. There are advantages and disadvantages to working under a nontechnical manager. How can you, as the employee, support your boss? Well, David points to the important skill of communication. Learning how to explain complicated concepts to someone who has less specific knowledge than you do proves to be an imperative skill for yourself, your manager, and the team. While nontechnical managers offer knowledge in other areas such as business or client relations, they have to be careful when it comes to proposals. If the company proposes a specific plan, the nontechnical manager could sometimes miss future issues that only become apparent once s/he delves deeper into the tech itself.

Administrative Rights of the Technical Manager
As a technical manager has a specific background in cybersecurity, s/he can be tempted to fiddle with the coding. However, the technical manager must stay away from the daily, more administrative tasks, for several reasons. Listen to the podcast to hear our different points on this subject!

Advice for the Younger Self
Another interesting conversation we had was on the type of advice we would give to our younger selves. David feels he should have been more self-aware, and more willing to accept constructive criticism. To him, feedback is a gift, and you can only improve once you see it as such. In addition to self-awareness, we discussed situational awareness. This skill helps guide you in knowing when to speak and when to listen. Listen on to hear more about how this tool can aid you in meetings and improve your social relations at work.

Client Relations
A key aspect of any management role that other employees do not always have is navigating relationships with clients. David walks us through his approach to speaking with new clients—and it doesn’t begin with the tech. You can hear more about the specifics in this episode. We also covered mentoring junior staff when it comes to client relations. David points out that meetings with clients help junior staff members in two ways: you can explain to them what needs to be accomplished in the meeting, and then they can see you do it in person. This real-life experience helps them grow as employees at a much more rapid rate. From you, they can learn how to deliver difficult news and still maintain grace.

Crisis Management
Another essential topic we spoke on was how best to train your team to manage a crisis in an effective way. David points out an astute observation: by the time people have reached a leadership role, they haven’t worked through the problem at that level. They find themselves spending time on introductions and acclimating to the situation, which, in a crisis, is the worst time to have to do these things. To resolve this issue, David began an executive tabletop crisis discussion to help teach CISOs and other managers how to handle a breach in a controlled environment. We also dive into getting ahead of the breach in terms of communication with clients, and how to manage their fears. Listen on to hear more specifics on how he facilitated conversations with not just the cybersecurity team but the marketing and PR teams, and how to address clients in the face of a crisis.

Different Metrics for Different CISOs
We conversed about how formulating a program is an art, not a science. Every CISO builds a program that incorporates different sets of data. As a result, each CISO measures the success of his/her program via different metrics.

A Good CISO vs. a Great CISO
As different CISOs generate various styles of measuring the success of the program, it can be difficult to determine if your program is excelling. How do you know if you’re a great CISO—or just an average one? We talk about how world events influence the CISO position greatly and what the best CISOs do that separates them from the crowd. This role is a demanding one, and with the support and trust of the team, CISOs can effectively build trust in how their system works.

Links: Exabeam: Website New CISO Podcast Steve Moore - Linkedin HarbourVest Website David Rule - LinkedIn

Jul 23, 2020 (44 min)

S1 Ep 27: Is Our Understanding of Who Owns Risk Driving CISOs to the Edge?

In this episode of The New CISO Podcast, the host, Steve Moore, and guest Gary Hayslip discuss the difficulties veterans face when transitioning to the business world. They also converse on how to remedy security failings, and how risk ownership mentally and physically impacts CISOs.

A Challenging Transition for Military Personnel
After serving in the military for however many years, enlisted personnel receive one class on how to transition to civilian life. While the class teaches how to format resumes, it doesn’t provide the amount of support military personnel need to adjust to a new lifestyle. When you are in the military, everything is organized and planned out for you, from your day, to your week, to your month, to your year. You always understand what you need to do, and what path to follow. When that type of strict structure falls away after duty, many veterans feel lost. They enter a new world filled with so much uncertainty. Suddenly, they have nothing planned out—they don’t even know what they’re doing the next hour.

Overcoming Fears
In order to overcome this anxiety, Hayslip stresses that you must begin planning your civilian life during your tour—and more than just in the last six months of your time. He suggests planning out civilian life as early as two years ahead of time. If you start early, you leave room for any road bumps you may encounter. Moore and Hayslip recognize that this transition is a period of intense personal and professional growth. Oftentimes, vets can feel helpless, wondering how they will provide for their families. Hayslip suggests that military personnel can rely on what they already know: community and mission. We discuss on today’s episode what Hayslip means by discovering a new community, one that connects them to a broader purpose and to others. We also talk about finding a new mission, and how this can help transitioning vets find themselves again.

How Non-vet Employers Can Help
As a non-veteran, Moore asks how employers can help their recently hired vet-employees. Hayslip suggests that veterans need to be provided guidance, but also a level of flexibility. Military personnel need to understand how much room they have to move. We deliberate on the nuances of steering vet-employees, and how to communicate the level of risk they are allowed to take.

The AAR Process
In broadening the topic from veterans to cybersecurity companies in general, we discuss the proper and most effective way to conduct an AAR (after-action review). Hayslip emphasizes constant documentation and how an AAR needs to be information- and solution-focused. This includes as much data and documentation as possible. In addition to data and documentation, Hayslip advocates for providing opinion and experience. If you offer why you made a specific decision based on previous experiences, then the team leader can have better context for what happened. The leader can focus on why your decision worked one time and not another.

What Doesn’t Work for AARs
However, we believe that sometimes the process of an AAR becomes muddled. Hayslip points out that when blame enters the equation, the AAR becomes ineffective. If one group in particular is blamed, then no one learns what actually happened. It also leads to people shying away from honesty. Moore highlights how bad leadership uses an AAR as a weapon against employees, which only breeds mistrust and inefficiency. Hayslip offers his solutions to combat a toxic environment surrounding an AAR, such as breaking the teams down into small groups and facilitating self-reflection. In this episode, he dives into why this strategy works and how best to remove blame from the situation.

A Mission vs. a Mission Statement
We also touch on what we believe is the difference between a company mission and the sometimes corporate-sounding mission statement. Hayslip acknowledges that a mission statement is an attempt to get different groups of people focused in the same direction. But does a bland, emotionless statement do the trick? Not always. He points to focusing on purpose—what is the purpose of this company, other than to survive? He challenges businesses to set aside the capitalistic goals for a moment and ask themselves what their purpose is. What does their product do for society? As your company evolves, so should your mission statement, to reflect that change. Hayslip also proposes a way to structure mission statements with subsets, such as an action statement. He delves into why multiple statements help clarify the goals of each team, and of the overall company. Listen to the episode to hear the additional statements!

Inclusive Culture
Facilitating a more inclusive work culture in companies and cyber security teams can only benefit everyone involved. Hayslip offers ideas such as a “Lunch and Learn” or visiting other departments in order to grant more visibility to all parts of a company. Listen on to discover how these events helped bridge relationships with other teams, how it relates to the mission statement an

Jul 9, 2020 (47 min)

S1 Ep 26: The State of the SOC in 2020

The American vs. European View on Insurance
In first reviewing the report, we were struck by how Europe leads the rest of the globe in using insurance to manage risk, compared to the US. While the adoption rate of insurance is slowly growing in American companies, their European counterparts are well ahead. This could be because European teams have a better understanding of how to use certain types of insurance, or because the European insurance markets and carriers currently address cybersecurity risks better than those in the US. Alternatively, this difference could boil down not to capabilities but to viewpoints on insurance. As Steve states, the American perspective is that insurance does not take the place of security programs. Perhaps this idea differs across the ocean.

Who Leads in What Areas
In studying the US, UK, Germany, Canada, and Australia, we mull over why certain countries dominate in various areas. In terms of possessing insurance itself and working with their privacy departments, Germany takes the lead—and significantly. Germany’s figures surpass Australia’s in possession by around 20%. For outsourcing, the UK and Germany dwarf the US. However, this piece of data may speak to another shifting trend—that more US companies are embracing outsourced security. We discuss why, in the US in particular, we see that reach for autonomy in operations, even if it’s not the most beneficial system.

Overconfidence?
High percentages across the board show that many employers and employees feel fully confident in their ability to detect a threat. Is this a positive reflection on the industry or is it overconfidence? Does this perhaps relate to testing—adequate or not? We discuss what goes into confidence itself and the discrepancies between the perspective of the managers and the frontline workers.

Attracting and Retaining Talent
The difficulty with staffing can heavily influence the effectiveness of the team. Being understaffed, significantly understaffed, or lacking staff with the right skills cropped up as a relatively common issue in many teams. We debate what causes the issue of identifying talent and question whether it is connected to the absence of hiring standards. Low hiring standards may present as the obvious problem, but extremely high and inaccessible standards generate equal issues. They can lead to a small number of job candidates—a pool from which the best person for the work has already been cut due to innocuous details. On top of initial staffing is the idea of retaining top talent. The data revealed huge discrepancies between how leaders think they can retain talent and what skilled employees seek. While many managers believe the key is good pay, workers point to issues such as eliminating the mundane, poor leadership, or lack of communication. We also draw in additional points: how managers need to know their analysts by name, understand their areas of stress, and respect them simply as human beings.

The Undefined Career Path
Another major inconsistency the report highlights was defining a career path for workers. In fact, when asked the question of one’s career trajectory, only 15% of employers valued it, while 64% of employees did. This is the biggest discrepancy in the report. A conversation needs to start to address this misunderstanding. Perhaps many CISOs don’t understand what SOCs do, or they think they do. Many employees want mentorship and guidance. If you invest in your frontline workers, they will better invest themselves in their work and in you. Unfortunately, mentorship in leaders is not always measured or rewarded—but maybe it should be?

How Do You Measure Your Program?
The report also brought to light how each team measures the success of its program, and how that differs between small SOCs and large ones. Organizations focus on failing an audit or causing an outage, as opposed to issues with a security incident. Perhaps this speaks to politics: an outage is much more visible within the company and therefore more likely to cause them stress in their job than a potential security issue. Smaller SOCs measure how many incidents they handle, whereas larger ones do not. This may make them feel like they are doing valuable work. Both small and large SOCs have the same or similar percentages for monetary cost per incident and mean time to detect. Through this statistic we explore the question of size itself—what does it mean? Maturity? Efficacy? Capabilities?

IT Coordination and Tech
While many CISOs believed coordination with the IT team went smoothly, frontline employees often disliked working with IT. The report did not specify whether this disdain towards working with IT related to incidents, projects, or configurations and standards. This particular area may need to be further explored.

Tech
Lastly, we advocated for tech-enabling anything you can—you don’t want your team wasting time on mundane tasks that may drive them away or become inefficient. It’s imperative to update tech

Jun 25, 2020 (53 min)

S1 Ep 25: Determining Risk Tolerance for a 100-Million-User per Month Organization

Tune in as Steve Moore talks with Christopher Hymes, the CISO of Riot Games, about acceptable risk and the parallels between anti-cheat teams and threat hunting.

Security Within The Gaming World
The video game market is massive; there are a ton of games and a ton of gamers out there. Like any large industry, the gaming industry is not immune from security threats. Games are fun because they are competitive: you have to build gaming skills over time. This opens up an entire market for cheating scams within the gaming industry. The game developers have anti-cheat teams to help combat this problem. Cheating in games is not only unfair, it makes the experience less enjoyable for all the other players and poses a threat to the developers as well. If the game becomes less desirable, then people won’t want to play, in turn ruining the developer’s market.

Advice To A Younger Self
In the security industry everything can seem critical all the time; every issue can seemingly need to be solved immediately. A strength of an effective CISO is being able to step back with a calm perspective and look at the bigger picture. Remaining calm in a crisis is a way to avoid causing panic and to effectively solve the issue at hand. Especially when you are new to a company or position, there is an innate desire to please those above you in the company, but being able to lead by example and remain calm will make dealing with the problem an easier process. Going full steam ahead 24/7 leads to burnout, so prioritize your moves and what you consider a major crisis. The security industry is a high-pressure industry, so being able to recognize that and alleviate the pressure where you can makes for a better working environment.

Necessary Roles Of Security Leadership
Security is often overlooked by startups as a necessary position from the beginning; most companies establish themselves and then add a security team later. This puts the security team and CISO at a disadvantage from the start, because they are often brought in to solve an issue that is already present, instead of being hired in a proactive way. Security within companies needs to be culturally embedded into the organization’s ethos; it needs to be built in from day one. Security teams build trust and need to be viewed as an essential building block of any company. Building a security team takes time, but when a team is built with consideration and the strongest values have been instilled in every team member, the team should sustain itself for many years and last after the CISO has left. Being a CISO is a leadership role, so build the team you want your name attached to for years to come.

What Being A New CISO Means
Being a new CISO is not about the technology. It is about the mindset, about building the teams, and being a calming voice of reason for the organization. When you as a CISO are seen as a leader within the company, it benefits everyone.

Resources: The New CISO: Linkedin Christopher Hymes: Linkedin Riot Games: Website Exabeam: Website

Jun 4, 2020 (49 min)

S1 Ep 24: Getting on With the Business of Security, by Building Trust

Career Transitioning After Decades With Another Organization
Being with the same organization for a long period of time is a wonderful achievement, but when you’re ready for a change of scenery, the transition can be tough after such a long stint with one organization. Settling into your new role with fresh eyes and ears, to really listen and get to know your new team, can quickly build that working dynamic. If the industry is different from the previous organization’s, that adds another layer of learning into the mix, so really take the time to research the industry and understand where the new organization fits into it. Taking the time to learn the role will help build trust and allow you to showcase your expertise in a way that is relatable to other major players within the organization.

Building Trust
Building trust is essential for teams to be able to work together in harmony with the objective of doing what’s best for the organization. This is an ongoing practice that will continue to change and evolve throughout the span of working within an organization. Get to know your security team, as well as other members of the leadership teams, and the executives. Each individual will have different strengths they bring to the table; knowing those before a crisis makes for an easier working situation when issues arise. Being in the leadership role of a CISO means taking on a lot of responsibility for the team you lead: you’ll have to take the rap for them when issues come up, and be able to explain to others what went wrong and how it was fixed. Being able to trust and be trusted by your security team is essential for any CISO, but especially when you’re new and maybe even coming in to clean up a mess from a previous CISO, working on building that trust should rank high on the list of priorities.

Applicable Technology
There is new technology coming out all the time, constantly evolving technology for issues of every kind. From a security standpoint, recognize that the latest and greatest technology is only good if it solves a problem for the organization. Just because it is new and shiny doesn’t mean it actually fits the organization’s issues and business model. So really getting into the nitty-gritty details of the organization can save you from spending a ton of the security budget on technology that may not even be a good fit for the organization. That being said, there are tons of technology options that will be a great fit for the organization, once the knowledge of what the organization actually needs has been established.

Speaking To A Younger You
When it comes to giving advice to a younger you when first starting out, Deneen spoke to her advantage of being a constant learner and being able to take in a ton of information. Have the confidence to ask the questions you need answers to; don’t be afraid to raise your hand. You can create your own pathways by being self-taught and creating a space for yourself in your own right. Confidence in yourself will take you a long way both professionally and personally, so take the time to invest in yourself.

Being A New CISO
There’s no one-size-fits-all model for being a new CISO, but being able to build and gain trust is key to having these enabling business relationships. Managing the integrity of the organization through trust is what it’s all about.

Resources: Deneen DiFiore: Linkedin United Airlines: Website Steve Moore: Linkedin Exabeam: Website

May 21, 2020 · 40 min

S1 Ep 23: Recovering from a 'Bad CISO'

Advice To A Younger Self
A core truth of being successful is always delivering more than the organization expects. Going above and beyond to find out what is most important to your customers is key. Make the customer’s reality your reality and work from that viewpoint. Figure out their definition of value and find your place in that value, then fuse those two points together.

The Previous CISO Failed To Deliver
A lot of the time a bad CISO isn’t something that happens on purpose. The organization is growing and evolving and the position needs to be filled. This is common when someone is very good technically and keeps getting promoted until they find themselves in a position they do not know how to fill. It takes more than technical skills to be a successful CISO; it takes leadership skills, strategy, and good communication skills. Those communication skills are key to building trust across multiple departments before a crisis arises. So what if you aren’t aware that the previous CISO wasn’t competent? There are some questions you can ask in the interview process to get answers. For example, you could ask: where does security sit in the organization, what communication channels does the security team use, and who does security talk to within the organization? If you feel you aren’t getting answers to these inquiries, or you feel you’re being lied to, there is a good chance you’re being hired to clean up a major mess.

Cleaning Up The Pieces
Sometimes going back to square one is the only approach if the organization was left in absolute shambles. Meet with the CEO as soon as possible to get the entire picture of what needs to be done. Sometimes one bad manager or one bad director can ruin the entire team and sometimes the entire organization; being able to get in there, identify that quickly, and get rid of the dead weight is key to rebuilding the organization. Meet with people to see who is doing what: meet with the executives, then your peers, and then your employees. Build that base knowledge of the company culture, who is there, and why they are there. Once you’ve gained this knowledge, use it to show your value to the organization. Show them tangible results: that you’ve come in, cleaned house, rebuilt the security structure, and what that is doing for the organization. This builds credibility, which builds trust, gains funding, and gets support.

Marketing The Success
So now that you’ve been hired on to clean up a giant mess, and you are starting to see the rebuilding of the security team come together, it’s time to show some of those successes. Perhaps there were changes that went unnoticed until they were being completely relied on; for example, if you put in place the infrastructure to work completely remotely and that is now being utilized, share that with the executives. Create a program to test the holes and weaknesses in the security system, then share the results and how you’ve fixed the issues you found. These tests and programs will not only show your value as CISO to executives, but will showcase how important each member of your team is and how they contributed to the evolving success of the security team. This builds team morale, which directly correlates with better company culture. The board cares about acquisition and retention, so you need to know how to market your program to them to emphasize those key points. Sit down with the executives and find out what their biggest issues are with security, and figure out how you can make their lives easier. Building the team around the company’s needs is key to prolonged success. Beyond the executives, meet the sales team and find out what they need from the security team. The sales teams are out on the ground speaking with customers all day, so if you can give them answers to security FAQs before they have to ask, that builds yet another bridge into the wider organization.

What Being A New CISO Means
Never stop learning; be hungry to learn and improve. Always be the best version of yourself you can be.

Resources: New CISO Podcast: LinkedIn; Steve Moore: LinkedIn; Exabeam: Website; OpenText: Website; Ed Kiledjian: LinkedIn

May 7, 2020 · 49 min

S1 Ep 22: How Do You Measure the Success of Your Cybersecurity Program?

Taking The Jump From Consulting & Advice To A Younger Self
With consulting you have the opportunity to work with multiple large companies, which can be an attractive aspect of the job. Working with multiple companies on that scale can introduce you to the latest technology and how it works differently for different companies. That being said, if you want to build a team from the ground up, a transition out of consulting might be best for you. Also, if you’re looking to partner or gain any ownership in a company, consulting may not be your best bet. Develop relationships while in the consulting position to really feel out where you want to be, and then you’ll already be a familiar face when you’re looking to be hired on at a company. Participating in networking groups is a great way to meet peers and other relevant connections you may want to draw on in the future. Making sure you are prioritizing your time and energy effectively can keep burnout at bay as well: focus on what you really want to achieve and walk down that path. Making these connections and being empathetic about others’ positions can really help advance your career, so try to put yourself in others’ shoes when making these connections.

Tying Success To Business Risk
Being able to make an impact with the way you communicate requires empathy. To be an effective communicator you must be able to put yourself in the position of the other senior executives, including CEOs, CFOs, and other critical positions. If you cannot relay information to them in a format they relate to, the problem could become a crisis simply through the time lost trying to communicate. For some businesses security has always been a priority, yet for many others, depending on the industry, security is only now coming to the forefront as a priority. Security teams need support, investment, and visibility. That is where those communication skills come in: present the value of the security team to other executives in a way they will relate to.

Beyond Compliance
Having up-to-date certifications and technology will only work in your favor as a security team, but you cannot stop there; certifications alone will not stop negative issues from arising. There needs to be both efficiency and maturity working in tandem. Compliance offers your team a framework to then build upon to meet your specific needs. Compliance does not guarantee that your company is 100% protected against negative events; it is a critical element, although not the only element. Identify what the real risk factors are within your company and view security as an ongoing process. Educate the executive leadership on the independent testing results and findings, and on how your team has shifted to deal with these real risk factors that go beyond compliance. Being a new and effective CISO means not only being technical, but also being in tune with the current needs of the industry by communicating in an empathetic way.

Resources: Steve Moore: LinkedIn; Marzena Fuller: LinkedIn; Exabeam: Website; Cisco: Website

Apr 23, 2020 · 34 min

S1 Ep 21: How Emotional Intelligence Fortifies Capability In the Midst of A Crisis

Building A Relationship With Other Teams
The sooner these relationships can be built, the better. Meeting top executives and other team leads during a crisis is less than ideal. Get to know the people who are closer to the consumer, such as the writers and the social media managers; the sooner this relationship is established, the better the partnership is when you need to come together in a crisis. Building those relationships now builds trust within the company as a whole.

Where To Begin?
Every company is different, and stepping into the role of CISO will be different depending on the specific needs of those companies. Asking to be introduced to the executives, team leads, and other specific roles when you are first hired on, or even during the interview process, can put you on their radar from the beginning. Asking questions of your direct contacts and your direct team is a great way to feel out which individuals you need to meet and in what order.

Generating A Safe Statement Before The Problem Arises
The language used in a crisis response, as well as the speed of the response, are critical components of how the public will perceive the company. Having pre-written general responses that are essentially “fill in the blank” templates for a variety of problems can get that statement out as soon as possible. This speed of response can help the company change the narrative of the situation at hand. Adopting this kind of proactive approach will not only build trust between the teams before a crisis, but will change the way consumers view your company.

Early Career Advice
Doing research into the companies you’ll be interviewing with can help you find the right workplace, one that aligns with your personal ethos. Seeking out companies that are known for doing meaningful work, have good workplace morale, and align with you can greatly boost your career drive. Start by defining what is important to you and find companies with similar missions.

Empathy And Care In The Workplace
Building a strong workplace culture around your ethos will change the way you view working. Getting to know the lives of your colleagues and showing genuine interest in their well-being can build a web of trust. Carve out time when anyone from your team can come to you; have an open-door policy for these times and let them come to you for any reason. Team members who have a strong sense of protection that bleeds into all aspects of their lives are the individuals who are going to push your company forward.

What Being A New CISO Means
Being reliable, patient, and having a broad understanding of personal and business acumen. Being able to stand up for your principles and provide servant leadership for those who look to you on a daily basis.

Resources: Steve Moore: LinkedIn; Kirsten Davies: LinkedIn; Exabeam: Website; Estee Lauder: Website

Apr 9, 2020 · 47 min

S1 Ep 20: Strategies for Securing a Remote Workforce

Building Up To A Position Of Power
Holding the dual position of CTO/CISO requires a lot of experience and drive. Being able to build the security organization around the needs of the company led to holding both the Chief Technology Officer and Chief Information Security Officer roles. Noticing what was interfering with the safety of the company through passive observation has directly played into both roles. Doing research, having conversations, and interacting with other people are all examples of seemingly passive observation.

Advice To A Younger Self
A great piece of advice is to not limit your thinking about what technology can be and how it can evolve, nor about how these technological advances can be applied to benefit you and your company. Virtual doctor appointments, for example, are a use of technology many never even considered an option not too long ago. This did pose some security concerns, but the program was able to be built around the technology, and the team was prepared for these changes.

Remote Working Advice In Uncertain Times
Some positions, such as doctors and nurses, do not really have the option to work completely remotely; patients need to be seen. But administrative and support positions absolutely can safely work from home. There are going to be concerns any time there is a huge shift in the workday. Insider threats can be large or small, from something as simple as employees not getting their work done from home to something larger like medical information being released to the wrong people, which is a direct HIPAA violation. Pushing it even further, what if that information were sold for profit by an employee? Identify the threats before they become a major crisis. When working from home you want to essentially replicate the way work was done on premises. If most meetings were conference calls, that can easily be done at home. If meetings were typically done in person around a conference table, use group video chat for these meetings at home. From a leadership standpoint, working remotely can bring up unique challenges. Not everyone is as familiar with technology or the software needed to make these connections, so providing education on the tools used could be a great first step when moving to a remote workforce. Getting everyone on the same technology, making sure teams have the access they need, and making sure that security isn’t abandoned because of an emergency are all great points to cover upfront. In some cases purchases and upgrades may need to happen before the shift to remote work. Making sure the right purchases are being made for the unique situation the company is in can make or break your budget. Another great piece of advice is to spend the company’s money as if it were your own. When clients come to you with an example of a breach and are worried that it could happen to them, do the research and explain the truth to them. Explain how that breach happened, and stress that human error causes more issues than technology failure, and that a combination of the two is what leads to the most unfortunate events.

What Being A New CISO Means
Mentorship plays a big role: grooming a member or members of your team so they can confidently replace you when the time comes. Security is everywhere in all aspects of our lives, and the new CISO needs to think big picture.

Resources: Steve Moore: LinkedIn; Martin Littmann: LinkedIn; Kelsey-Seybold Clinic: Website; Exabeam: Website

Mar 26, 2020 · 48 min

S1 Ep 19: No as a Service: Why Security Can Stifle Innovation and How to Prevent It

Transitioning Into The CISO Role
Balancing the executive role with the tactical needs of the team can be tricky. Being able to see the larger picture within both roles can keep you on track and relevant in both places. Remember the roles you’ve had in the past and draw from that experience and knowledge. Audits are typically not something anyone wants on their plate, but there is value in them. Audits not only bring an extra set of eyes to your team, but can also point out the areas of weakness that could use some bulking up before there is a major crisis. It can be very proactive to lean into the audit and partner with the auditor instead of just trying to get through it unscathed.

What Is Lacking In The Security Industry
The major points that come to mind when thinking of security might be integrity, confidentiality, availability of data, and protection. But as much as we need to protect, we also need to share; the future of healthcare is being able to safely exchange information, and if it is locked away nothing can be exchanged. Within healthcare security, things tend to be more vulnerable, especially for the nurses and caretakers working within hospice care. They have the weight of caring for a patient who is at the end of their life, and as a security executive the last thing you want to do is make that caretaker’s job more difficult. Being able to put yourself in that caretaker’s position and see what their user experience is like can be pivotal to how you base your security team and program. Take a step back and remember what you’re trying to protect in the first place: behind each client is a real person.

Designing Solutions For Real Threats
There are many different security strategies for different types of needs. Some companies need full steam ahead all the time, but many need a different type of solution. Before you build a program that just looks good on paper, get in there and really analyze what the threats and weaknesses are. Once those points have been identified, move on to the next steps of building the program around the actual threats. An example of this is knowing how to use automation for your company’s specific needs. Identifying what can safely be automated, before just jumping in with all the new automation tools, will help everyone involved. Get to know your team: what the most tedious part of their job is, what their largest stressor is, and what they believe can be automated. Being a CISO means breaking down all the barriers and having the power to show a more practical approach to security, and how being able to provide help can drive drastic changes in the way information is protected.

Resources: Steve Moore: LinkedIn; Richard Kaufman: LinkedIn; Exabeam: Website; Amedisys: Website

Mar 12, 2020 · 45 min

S1 Ep 18: Losing Your Job as a CISO: Does the Cybersecurity Skills Shortage Extend to Executives?

The Day You Lose Your Job
Losing your job can come as a complete shock to many, maybe even more so when you’re in a position of power such as an executive role. There are many extra steps when leaving a security executive position: sometimes you have to hand over your phone, computer, and tablets for security purposes, and if you used these for personal use as well, you could lose a lot of valuable files and information. Sometimes you don’t even get a clear picture of why you are being let go, and that can make it difficult to correct that behavior in the future.

What Could Have Been Done Differently
Everyone brings their own unique background into the workplace; a lot of the time that experience can work in your favor, but in some cases it may work against you. In Chris’ case, he is a military veteran and has had a hard time shaking his military exterior. In any position communication is key and there is always room for improvement, so check yourself and make sure you’re communicating effectively. Even going as far back as the interview process, communication is so important; maybe the right questions weren’t asked and it potentially wasn’t a great fit from the beginning.

Moving Forward
The application process can be exhaustive and often discouraging. In executive positions this can exacerbate the process, especially after being fired. You need to know your limitations when applying for new positions. Are you willing to relocate? Are you willing to take on a different position from CISO? Know the answers to these questions before diving in headfirst. Self-reflection is key in moving on from the experience too: know your weaknesses, identify them, and correct the problems. This may even mean getting new certifications, which will look excellent when added to your resume. Don’t give up, keep fighting, develop these relationships, and get yourself back in the game.

Maintaining Relationships
In business it’s easy to keep people at arm’s length for professional reasons, but that can also be seen as off-putting to your colleagues. It is beneficial for you to have good professional relationships; you will need references in the future. Creating these relationships makes for a better workplace and confidence moving forward. Create your team around you, whether they are within the company, a vendor, or someone in the same professional sphere as you. You never know how far a little empathy and kindness can go.

Resources: Steve Moore: LinkedIn; Chris Wolski: LinkedIn; Exabeam: Website

Feb 27, 2020 · 44 min

S1 Ep 17: Your First 90 Days As A New CISO

Initial Worries & New Challenges
Going from consulting into a leadership position requires you to take on a new level of responsibility. You take the leap of having more permanence in the position but also now having to lead a team of other security professionals. Olivia was also in the unique position of not only being a new CISO but also the first CISO at MailChimp. This unique position came with high expectations but also a rewarding sense of accomplishment when goals are reached. Some of the challenges can include completely changing the opinions and workload of your colleagues; this position is brand new and may not be received well at first. Remaining professional and listening to the needs and concerns of others can build trust when you’re new in the workplace. It can be easy to go into a new position and be a bit overzealous; you’re new, you want to impress the company, so be able to rein it in so as not to step on any toes and burn any bridges right out of the gate. It is very important to gain trust when starting out at a new company in a new position.

Gaining Trust As A New CISO
Coming on too strong in a new position can be off-putting to your colleagues. It is essential that you are able to sit down with your peers and learn how to communicate and connect with your team. Make yourself available to get to know your team, and be humble in your approach. Showing loyalty to those you work closely with can build trust quickly; be transparent and authentic with them. Showing vulnerability and being able to admit when you’re wrong adds humility to professional relationships, which can make the workplace much more comfortable. Stand up for your team as well: you are now in a leadership position as a CISO and have a whole team of people who look to you for support. Being there for them and staying strong in your stance as a leader will build trust within your team.

Early Wins In The First 90 Days
Have meetings early on to establish what is important within the security team and why this team is essential; get feedback on your research and then share it. Establish relationships with others outside of the security team, as being able to work closely with other leadership positions can make for a strong driving force within the company as a whole. You do not want to get stuck in the position of having to make a point in the midst of a crisis, so get these relationships established first.

Resources: Steve Moore: LinkedIn; Olivia Rose: LinkedIn; Gary Hayslip: LinkedIn; Exabeam: Website; MailChimp: Website

Feb 13, 2020 · 49 min

S1 Ep 16: From the 'Basement' to the Board: Giving Cybersecurity Teams Greater Visibility

Advice To A Younger Self, Before Becoming A CISO
Perfectionism can hinder the natural learning experience. As someone fresh in their career it can be hard not to want to be perfect; there are expectations to be met. Yet making mistakes and learning from them is real job experience. Don’t be afraid to take risks and fail; you’ll learn from your mistakes. Being new in your career can feel isolating, vulnerable, and flat out scary. It is okay to make mistakes, just learn from them.

Gender In The Workplace
Sometimes being the only woman in the class or the office can work to your advantage. Being able to provide that diversity of thought can really work well for women in the workplace. Having a fresh perspective and ideas brings a well-rounded view to the task at hand. Use your unique position to your advantage. As a leader you should be building a diverse, inclusive team.

Technical Expertise, Necessary Or Not
Having baseline technical knowledge will absolutely never hurt you in a cyber security career. That being said, a mix of technical knowledge and business understanding is the sweet spot for problem solving. As a CISO, being able to partner with others, even other teams, is pivotal to fast, effective problem solving. Having a good knowledge of both will be most beneficial because you have a general understanding of both the business side and the technical side. There are many ways to define the actual role of a CISO, and they will all depend on the specific company. CISOs wear a lot of hats at a lot of different companies, and the role may differ completely based on the company. Yet with the new regulations rolling out around cyber security, this could change soon and become more streamlined.

Company Organization And Security Burial
One of the most frustrating aspects of looking for a job in the cyber security field can be the company organization. We are constantly bombarded with news of security and data breaches, yet some companies have their security team basically buried under other, potentially less essential teams. With the rise of data breaches and data hacking, you want to work for a company that values all you bring to the table, because this is an uphill battle when it comes to cyber security. Being valued too low in the organization can lead to internal conflict. You need to be able to report not only actual issues, but also the risks, before they get to the critical breaking point.

Reporting Risks In A Proactive Manner
There are tons of risks with any company; being able to identify the risks before they are problems, and creating solutions around the specific issues at hand, can save you from major issues in the future. Analyzing user behavior, seeing how negligent or risky a specific set of people are, and creating solutions around that is going to really resonate with executives because it nips the problem before it becomes a problem. Talking about how the team is enabled to handle threats is another big one. Look at the number of threats, what could be automated, and what an analyst needs to follow up on. Automation saves time and money, and keeps history from repeating itself.

Psychology And User Behavior
Having contextual training is so important. There are many certifications that security teams get year after year, but they have almost no impact. If the training isn’t directly relevant to the company, and even the specific team, there will be no impact, or even a negative impact. Prevention is key, so have the relevant training and technology, look at programs, and make sure that security is built into the programs already in place. If that isn’t what is happening, then something needs to change: the programs need to be cleaned up and modernized to address the potential risks surrounding them. This training will be used not just in the workplace; teams will take it home and use it in their everyday lives, almost like modern life skills.

What Being A New CISO Means To You
Everything is a learning experience, being able to use the experience from your past to propel your future career. It has been really great working for a company that is 5 years old, and learning new, modern ways of doing cyber security has been a great learning experience.

Resources: Steve Moore: LinkedIn; Rinki Sethi: LinkedIn; Exabeam: Website; Rubrik: Website

Jan 31, 2020 · 45 min

S1 Ep 15: Lessons in Leadership: Taking a Step back and Learning to Trust the Experts on Your Team

Transitioning Into CISO And The Initial Challenges
Becoming the head of any department, with all that responsibility on you, can be very intimidating at first. Going from behind the scenes to front and center can be uncomfortable, but reflect back on all your experience and let that guide your decision-making. Delegation is important in leadership roles, so get the team together and put your minds together to build a great security team. Identify the top priorities for your position, focus on those, and identify what can be delegated.

Mentorship Advice To A Younger Self
When you are able to put yourself in others’ shoes, you can understand their motivations and how to work well within their realm. Understanding people and their professional wants and needs can make for lasting and reliable partnerships. Being transparent about your needs can often reveal that you have similar professional goals, and once both parties see the end goal they can work together much more smoothly. Building trust with other members of the organization before an issue arises can also make solving these issues much less intimidating in the future when something does come up that requires their attention.

Collecting Feedback & Continuing Improvement
The security industry is constantly in flux, so continuing improvement is pivotal to success. Have a conversation about the constraints your team is working within. Look outside your direct colleagues and outside of your team; go to other departments and ask them the same questions you ask your team. Having a fresh set of eyes on an issue at hand can lead to progressive solutions that may have been overlooked by those working directly within security. Moving specific tests from manual to automation based can free up time and capital that may need to be invested in another area of security. The frequency of security patching may need to change, as well as the speed of the testing process. The feedback events can be so helpful, getting the organization together to solve the issues being faced. Going into these events there needs to be a focus on the problems that need solving; look to the experts in these areas, and have these conversations in person and, if possible, hosted by an outside, unbiased party.

Celebrating Success
Security teams face a plethora of issues and problems constantly. This is a taxing industry that takes dedication and focus to be successful in. So when there is success, we all need to be better at celebrating it. Giving credit where it’s due, having conversations about the successful methods used to achieve this success, and keeping team morale high can make for a more pleasant work experience.

Resources & Links: Steve Moore: LinkedIn; Steve Person: LinkedIn; Exabeam: Website; Cambia Health Solutions: Website; Speed Of Trust Book: Website

Jan 17, 2020 · 50 min

S1 Ep 14: Why 3rd Party Security Testing is the New Password Rotation

Identifying Burnout In The Workplace Burnout is a common occurrence in any industry, but especially among those looking to carve out their place in the industry. No one works well when they aren’t at their best, identifying burnout early on can stop it in its tracks. If you’re noticing someone is acting out of character or being short, they may be experiencing burnout. Another tell can be the hours you’re seeing someone put in, no one should be up at midnight still working. Advice To A Younger You Networking can get you to great places, starting early in your career can really put you where you want to be a few years down the road. Don’t be shy, get out there and meet people within the industry. Network both inside and outside of the company you’re a part of. Transitioning Into Leadership Not everyone is cutout for management. When taking a leadership role you need to be able to prioritize your team and realize you’re directly responsible for those who work with you. To be a good leader you have to take all the knowledge you’ve learned up to this point and be able to teach it to others in a way that makes sense to each individual. Empathy plays a huge role in leadership, you must be able to put yourself in the position of others and understand their point of view. Being open to feedback and being able to take it with an open mind is essential in leadership; it’s going to come both solicited and non-solicited. Third Party Risks And Why We Don’t Love It What is third party risk? It’s when a company brings in another company to handle a certain project or service. Within security this plays a huge risk because you’re essentially giving this other company access or information to the inner workings of your company. From a security standpoint this is a huge risk and variable, so doing thorough and meticulous research into the companies brought is key. 
This can ruffle some feathers with the third party, but at the end of the day you're in charge of security, so you need to fulfill your duties to the company you're employed by. The real issue arises when you've done the research and don't feel that the third party is a good match for the company, yet leadership above you wants to move forward regardless. The CISO is then tasked with figuring out how to make this work with the third party, whether that means changing language within the contract, adjusting the work the third party is doing, or reworking how you present your findings to leadership above you. Warning Signs Of A Bad Third Party Review How many exceptions are you making to be able to work with this vendor? Does it seem like some rules are being bent? Policies and procedures aren't being followed? These are all huge warning signs. Another warning sign is an identical, across-the-board process for every new vendor; this isn't the most effective way to lower risk, and it can lower sales and revenue. Some vendors will be riskier than others, so there should be separate policies for different companies based on their risk. What Being A New CISO Means To Me Building relationships while being honest and transparent is key to being a CISO. If we all viewed ourselves as a vendor and service provider we could all get the tasks at hand done. Also be on the lookout for my book being released in summer 2020: Startup Secure: Baking In Cybersecurity, From Founding To Exit Resources: Steve Moore: LinkedIn Chris Castaldo: LinkedIn Exabeam: Website Dataminr: Website

Dec 30, 2019 (50 min)

S1 Ep 13: Unique Challenges, but More Opportunities for Women in Cybersecurity

Marketing In Relation To Security Marketing is all about getting a certain message to the right audience. A background in this field can be a great way to transition into other positions, including the CISO. Being able to take a look at the bigger picture and then funnel that picture down to solve the problem at hand can be aided by a marketing approach. Advice To Those Just Starting Out Being new in an industry can be isolating on its own, but being female in a male-dominated industry can amplify that isolation. Being able to feel comfortable in your individuality will help anyone in any position. Also, being gentler with yourself as a person and attempting to enjoy the path you're on can provide you with a higher sense of self-worth. Being The Only Woman In The Meeting Speaking in general terms, men tend to be more direct and interact differently within their own gender. Being the only woman there, you have to adapt, speaking more directly and bluntly, for example. That being said, the same would be true of a man working in a female-dominated industry; adapting to the culture of the industry will set you apart. Having the proper certifications and licenses can set you apart as well. It is unfortunate that the business culture is this way, but it will prove on paper that you are capable and have the skill set to command respect in the industry. Being prepared and researching beforehand is key to success as well; spend a little extra time researching your client. Why Women Are Encouraged To Pursue A Career In Security Women are highly detail-oriented, which is huge in the realm of security, yet a common misconception of security is that it is a technical-only position. Technical skill has a place in security, but that isn't the only aspect of the industry. Being able to communicate, see the bigger picture, work within a team, and cooperate with the company are other aspects of the security field in which women can thrive, whether they are a technical person or not.
Friendly Advice To Men In The Workplace In meetings, be an active listener; do not interrupt women, and do not repeat their ideas and state them as your own. Women who have children also have different life pressures, and when you schedule a happy hour meeting that almost immediately excludes the women on your team with children. Lunch meetings are a great way to keep the whole team involved and at the table. Having a meeting over a round of golf is fairly typical, but don't exclude the women on your team; be conscious of who your team is and how to involve everyone in the productivity of the workplace. Keep it equal, don't interrupt, and be aware of how you are interacting. Women want to be treated as equals; women don't want to be separated by gender in their industry. Advice To Women In The Security Industry You are going to face adversity, harassment, isolation, and many other challenges when you are the minority in the industry. It is not going to be easy; you are definitely going to have to put the work in. That being said, the higher you climb the less of a minority you are. So stay focused, toughen up, and climb the ladder. Resources: Steve Moore: LinkedIn Olivia Rose: LinkedIn Exabeam: Website MailChimp: Website

Dec 13, 2019 (47 min)

S1 Ep 12: 2020 Cyber Security Trends

The Slow Evolution Of The CISO The role of the CISO is changing, but maybe not at the preferable speed. The role has been changing throughout the existence of the CISO, from a small technical role to an IT position, to a role that is more demanding than ever. It is becoming a much more executive role than in the past. Connecting The Changing CISO Position To The Business Needs To understand the business needs, as the CISO, the business needs to understand you and your role with the company. Paint a clear picture for the executives and stakeholders of your scope of practice. How these higher positions see you is pivotal in fitting the role to the business functions. Don't be afraid to ask for help outside of your department for a fresh perspective; let them help you help them. Within the security industry things are moving fast, and they are moving towards digitalization, data, and technology. Many titles are changing within the workplace, but the core responsibilities are remaining the same, with more specific points of interest. Automation And The Impact On The CISO There are so many micro-services and technology improvement products coming onto the market all the time, and all this automation really changes the way the CISO has to create their system structure. Having a solid security design and mission can allow these smaller pieces to fit into the CISO puzzle. Automation is the future of technology, and having a position, or perhaps even a team, focused on automation is ideal for any large business with a security team. If the automation isn't being done correctly, or the wrong things are being automated, it's useless. If you are spending a ton of time fixing your automation mistakes, it isn't adequately targeted at the issues at hand. Taking A Look At The Risks Within Building a strong, coherent, and trustworthy team is just as important as the technology used to keep outside attackers away.
Educating your team on what is personal property and what is a security risk is crucial. Insider attacks are becoming more and more prevalent in the security industry. Some of these incidents are done with innocent intentions, based on negligent naiveté rather than malice, but some are malicious, and a shared understanding between security, HR, and management is critical to how these issues are dealt with. Each department has its own purpose within the organization, and when they all work together it makes for a well-oiled machine. As a security officer there are some pieces of information that cannot be shared with other departments. It's your position as the CISO to do something if you see something that is negatively impacting security. As an executive officer it is your responsibility to take action on these security breaches yourself. Potential 2020 Trends Doing more with less is trending in cybersecurity: retaining the same size team but giving that team more responsibility. Getting creative in problem solving when the resources aren't available can prove the real value of your team to the organization. Using fresh-perspective ideas when the team is small and resources are limited can really show you what you and your team are capable of. Resources: Steve Moore LinkedIn Brian Haugli LinkedIn Scott Morris LinkedIn Exabeam Website Side Channel Website

Nov 26, 2019 (53 min)

S1 Ep 11: Partnering with Higher Education to Prepare Students for a Career in Cybersecurity

Partnering with Higher Education to Prepare Students for a Career in Cybersecurity Being associated with an advisory committee gives you a lot of freedom to really create the programs a future CISO needs to be hirable right out of school. The committee is able to see what classes need to be added to the curriculum, or, if more classes aren't feasible, seminars are always an option. By being part of a larger advisory committee you can brainstorm with members from different industries and create an entire program from what you learn works in other industries. The Biggest Issues With Being Hired Right Out Of School Education is huge when it comes to being prepared for a job. Years of dedicated study and focus should not be taken lightly. However, some aspects of the job can't be taught from a lesson plan; you just have to get out there in the industry. There are certifications that can be obtained after graduating, but real-life experience is irreplaceable. Internships and job shadowing are great ways to get that experience while still completing your education. Advice To A Young CISO Don't be afraid to take risks; get out there and align yourself with the right people. Go get that certification, ask to be mentored by someone you admire, and learn from those who are ready to help. Don't live too cautiously with your career; you can always build yourself back up. Finding A Mentor Or Mentee There are many ways to find a mentor in the age of technology. There may be someone within your company who can mentor you, but don't limit yourself to that. LinkedIn is a great resource for finding a mentor. You can also look at other companies within your industry. On finding a mentee, just be open to teaching someone what you know about the industry; they may end up being an employee of your company in the future. The Importance Of Presenting Your Knowledge Being able to get up there and show your knowledge within the industry is so important.
When you get to show what you've been working for and get feedback from your peers on the subject, you really put yourself out there in a unique way. It can be very gratifying to share your knowledge and experience with others, whether you are speaking about problems or solutions. Redundancy Within The Industry There are many point solutions that don't let us get to the root of the problem quickly. For a solution product to be effective there needs to be better communication between the product producers and the CISO, so the products will remain relevant within the industry. If there are too many programs trying to get the same result, you know you have an efficiency problem and it's time to re-evaluate. Discovering The Big Picture Having a real and candid conversation about what you need to do your job effectively is very helpful. For a product to work effectively the producers need to know who is using it and why. Invest in products that have teams who are willing to learn about your specific pain points and needs as a CISO. There needs to be more consultation between the CISO and the VAR (value-added reseller). What Being A New CISO Means To Marc It has evolved so much over the years; the CISO has a bigger responsibility than ever before. There are so many ways the CISO is being pulled in their modern environment that a serious hands-on approach is necessary. Understanding the business and your peers, and being technical enough to understand the scope of the entire company, are key elements in being a modern CISO. Resources: Steve Moore: LinkedIn Marc Crudgington: LinkedIn Woodforest Bank: Website Exabeam: Website

Nov 13, 2019 (52 min)

S1 Ep 10: Assessing Security Reporting Structures

Moving From Consultant to CISO As a consultant you gain a lot of work experience very quickly, because you are working with a lot of clients on many issues. Seeing the transition from consultant to CISO is fairly common. As a consultant you don't get to see the changes you've made grow over time; you only see the short-term effects and move on. If the decision is made to leave consulting and sign on full-time with one company as CISO, you see how everything you do evolves over time, and you are able to put all of your focus into one place. Advice To Younger Consultants And Future CISOs In every professional career there is a desire to succeed, and sometimes we make ourselves crazy trying to get there. Knowing when to ask clients the right questions is so important; they might not even know what they need, and by steering the conversation with questions we can all get the outcome we are looking for. Having a clear perspective on what they are actually looking for can help you deliver an appropriate result while keeping your workload balanced. Security Reporting Structures Every company and organization is different; there is no golden rule of reporting when it comes to security. By understanding the dynamics of the organization you can get a clearer picture of reporting. As a CISO, reporting too low in the chain of command can cause problems, as can reporting too high, to someone who doesn't understand the risks you are reporting. Get to know the dynamics and see how every part works together to better help you report. Evaluating A Problem At A New Workplace Coming into a new place of work you have to learn how the organization functions quickly. Watch closely to understand how the different departments work internally and with each other. When a problem arises and you have this knowledge, you will be able to report effectively to the right place, at the right time.
Doing the right thing for the organization as a whole is always better than doing what is best for one single department. Frequency Of Reporting Normal information that doesn't include a severe incident is typically reviewed monthly, and again quarterly. For standard incidents, doing monthly reports about what goals were achieved, what is projected to happen, and how it is going to be handled is common, and those monthly reports will be revisited in quarterly reports. If there is a severe problem or incident that needs to be handled in real time, don't risk a small issue becoming a huge one by not reporting it. Identifying Warning Signs And Red Flags The security of information affects everyone in the organization; if you are speaking with a leader of an organization and you realize that there is no involvement of other departments in security, that should be viewed as a red flag. All departments can weigh in on security; it's important to have multiple perspectives on an issue. Security also needs to have a separate budget. It should never be a line item on the IT budget, and you don't want to work for a place that doesn't invest in the security of the organization. Being able to speak with CEOs about the needs of the security team is very important; if they are unwilling to learn and listen to your expertise, that is a major red flag. Lenny Defines Being The New CISO It has always been about lifelong learning, being able to grow and develop. It's good to constantly grow and evolve, and to challenge yourself professionally. Resources: Exabeam Website Steve Moore LinkedIn Lenny Levy LinkedIn

Oct 25, 2019 (31 min)

S1 Ep 9: Digital Trust For Digital Transformation

The Basics Of Being A Global CISO The various pillars include security, which covers operations, corporate, product, customer, production, and automation. It also includes compliance: undergoing audits and certifications throughout each year. You need to maintain trust between platforms, products, and customers. Quality management, data protection, privacy principles, customer advocacy, and risk and assurance are also major pieces of the CISO puzzle. How Lakshmi Got Where She Is Today Lakshmi built herself up over the past 24 years with a vast background of experience. She has been in the information risk-management/security field for a long time and has developed her view of the position over that time. Beginning as a security engineer, she has elevated her career to where it is today. Empathy In The Professional Realm Lakshmi has worn many hats in her long career, which lets her understand where her colleagues are coming from. She is able to put herself in their shoes, because she has been there. This has created an empathetic environment around her work and lets her communicate effectively with others. As a child she developed a strong sense of empathy, which wasn't lost as an adult; she has kept it with her and was able to incorporate this mindset into her professional life. Being in the business of trust, empathy goes a long way toward gaining the trust you need to do the work for your clients and colleagues. What Is The Trust Office? The Trust Office is comprised of all the teams working with Lakshmi; she is the head of this office at Box. Trust is the key to any and every aspect of her position. The mission statement of this office is to protect the Box brand with secure products, secure operations, and continued compliance. She believes that seeing through a lens of trust leads to a less fragmented and more cohesive view of how to engage, invest, converse, and prioritize around risks.
The Cloud And How Customers Are Confused No cloud provider comes without risks; the customer needs to weigh the risks involved between the platforms they are researching. If all platforms were more transparent with their customers, some of this confusion could be alleviated. Customers are also entering into a partnership with their provider, with both playing their own unique roles in this relationship. The takeaway: understand the risks, and understand that this is a partnership. Recognizing Red Flags It is very important to understand your own risk appetite before getting too deep with any platform; have the conversations with your team to be able to pinpoint what will and will not be acceptable to the company. Secondly, understand what the actual risks are. If you aren't getting the level of transparency you're looking for from that platform, this probably shouldn't end in a partnership. Another important aspect to consider is mutual understanding: the platform should understand how and why you are going to be using their product. There should be open dialogue about what both parties need from each other beforehand. The Concept Of Zero Touch Defined This can be explained by looking at three different layers. RPA, or robotic process automation, is the most basic layer; the next layer up is ML, or machine learning, followed by AI, or augmented intelligence. These are the three phases a customer could be in on their way to zero touch. By utilizing this concept and minimizing human intervention, a company can free its people to focus on strategy and more proactive work. This is also beneficial for the customer by saving time, remaining consistent, keeping manual errors at a lower rate, and providing a generally better user experience. Understanding The Risks Security Teams Face In The Era Of Cloud Services The major risk is a security team becoming obsolete; the team is only as valuable as it is irreplaceable.
If the security team isn't highly educated on the specific needs of the business, why are they necessary? A few ways to educate yourself on the needs of the business: understand where the business comes from and who utilizes it, know the risks and pain points the business faces regularly, and be able to clearly define how your organization provides value. Using Communication To Create Change Or Partnerships So many aspects of running a business can be automated; some can't, and an open dialogue about responsibilities, wants, needs, and stressors can't be automated. This comes back to transparency and empathy: when opening up the conversation, remain authentic, clearly state what you believe your responsibilities are, and inquire about your counterpart's role. This transparency can lead to building trust, which can create necessary change or partnerships. This human element shouldn't be overlooked; showing vulnerability can make everyone feel connected and comfortable with each other, knowing they can confidently come back to a dialogue whenever necessary. Single Pane Of Glass: The Mindset The term “single pane of glass” is used pr

Oct 11, 2019 (59 min)

S1 Ep 8: Securing a Cybersecurity Organization

Securing a Cybersecurity Organization Chief Information Security Officer of Netskope, Lamont Orange, talks with Steve Moore about the unique differences between working as a CISO for a private company versus doing it on the vendor side of things: securing a cyber security organization. As cyber security becomes entrenched in the business cycle, other business functions have expanded their interactions with security teams. That said, the understanding of what a CISO does hasn't always followed the same trajectory. How do we, as security professionals, help our organizations interact with our security teams and help them understand the role we play in an increasingly at-risk world? The major difference between being a CISO for a vendor vs. a private organization Working for a vendor, you have a direct line into change and solving the problems that really need to be solved. Working with a private organization, it's everybody's opinion and no one really knows what you're talking about. Lamont encourages everyone to spend time in both worlds, because when you're working for a company you're in a particular vertical, so you have a ground-floor opportunity to understand all the challenges, whether they're business challenges, technology challenges, or people challenges; you really get to understand the industry in which you're working and serving. How did Lamont get his start? He has had the opportunity of serving in a consulting capacity to organizations. That gave him more of that multi-vertical, multi-industry perspective. Lamont wanted to give back and go to an organization where he got to grow something from the ground up, watch it grow, and watch it be something really valuable and a differentiator to the business. He also wanted to see what the opportunities were on the vendor side, because it seemed very intriguing and an opportunity was presented. What he found is that the language barrier is gone.
The challenge then became to take all of that industry expertise and all of that business knowledge and apply it in a way where he can lead the vendor side. When you're on the vendor and product side, you get to affect masses of companies. You get to interact with so many different thought leaders and coaches. You get to make the industry better from the solutions and tools perspective that we have to offer. But you're also growing people's careers at the same time by discussing the path that you've gone through. Find opportunities to speak. There's just so much goodness in it that helps you grow as a professional also. There are so many lives that you can touch from a career perspective, making a difference in how we deal with our adversaries. Figuring out how to share in the security community When you look at our adversaries, they're definitely sharing. They talk about the latest ways they use and abuse. We need to do some of the same thing. “This is what was effective with this particular adversary.” “This was what was effective in this particular vertical, because this is how we do business and this is what's effective.” Those types of conversations are priceless, and we need to figure out a way to have more of them. What is change management? There'll be changes in infrastructure. There'll be changes in operating model, and there's a board that we have to go through to get the changes approved. We implement those changes. If we go back to fundamentals, to what's happening in cybersecurity, what's happening with the role of the CISO and the CSO and all the technology players, we are back to the basic definition of change management. Not only do we have to adapt to change, we have to embrace it for what it brings. We have to look forward to what the positives are with this change. We have to demonstrate to others why this change was either good or is not the best plan of attack, and then we adjust.
You don't want to have stagnation in anything that you do, because it either becomes boring or you become complacent. What this is showing us is that our industry is neither boring nor complacent. It is very dynamic, and we need to figure out how to manage that. What change are you excited about? Lamont is excited about the movement to cloud. For the industry as a whole, it's a new operating model. For so long we've looked at all of these different solutions that we've cobbled together to keep filling gaps in whatever the threat landscape brought to us. Now we get to take a fresh look, and if we are at a point where we have a seat at the table, we get to walk with the business and actually consult with them and talk to them about what this new paradigm that they want to go into will really bring. With our fresh look, we can say that we're really looking to enable you to take away some of this friction, because we don't have all of these different hoops and different control frameworks and the whole let's-lock-it-down mentality anymore. We know that you need to be open and now we nee

Sep 26, 2019 (42 min)

S1 Ep 7: Understanding the Adversary

Understanding the Adversary Mick Jenkins, Chief Information Security Officer at Brunel University and a former Counter Terrorism officer in the British Armed Forces, speaks with Steve Moore about the ideological similarities between defending against terrorists versus cyber criminals, the benefits of mentorship throughout your career in security, and the re-emergence of Soviet-era espionage techniques. Building a career in security can be a challenge, even for those of us who start off early. For some, however, the job can be a natural progression from Her Majesty's armed forces to helping secure the 2012 Olympics and ultimately becoming a CISO. So how do you channel these unique experiences into something that will withstand the diverse threats organizations face today? Who is Mick Jenkins? My career and professional involvements these days are in cybersecurity and sort of lie in the world I exist in as a non-executive director. At the moment I do all sorts of different things on the computer in terms of dealing with investigations, dealing with IT directors, and current strategies. I signed up and started working in Her Majesty's armed forces when I was sixteen and a half years old. I certainly never expected to end up as a CISO dealing with strategic cyber security, because my life began as a soldier in the British Army. Working with a Mentor During the Transformation Process I think you and I are both very keen on spotting and identifying the leaders of tomorrow and investing in them. And I think this is particularly important because, as we know, over the next 5-10 years the cyber world is going to need the best of leaders to support boards and deliver strategies that are coherent. For me, having had such wonderful careers, I want to be able to pay some of that back to younger men and ladies. These are people who have the talent to go all the way to the top of the cyber tree as CISOs or strategic leaders, both in government and the private sector.
Luckily I'm connected with a number of people and different organizations here in the UK, and one of the wonderful ones is a small company taking veterans who have done something like 22 years or more in service in the military. These are very loyal servants, very disciplined, very capable, and quick learners. The organization takes them out of the forces and retrains them as cyber specialists, cyber analysts, or information security managers, and then places them in industries. It has been very important and key for me that I try to help people who've got the talent. And just like in the military, it's all about thought and actual leadership. It's about leading by example, having good strategic foresight, and acting as a mentor or coach. At the moment I have two individuals who are much younger than me who I believe have got the talent. I'm earmarking them for the right career progression over the course of 5-10 years and trying to make sure that they do progress all the way to the top of the cyber tree. I was lucky, as my mentor used to take me for lunch quite often, every 2-3 months. And he would ask, 'Are you in the right job here?', 'Is there anything I can do?', 'Tell me about this company you're working for', 'I really think you need to be doing this and this next.' I had that for the 15 years I had in both the military and in my ultimate career in cyber security. And so I think mentorship and identifying good talent is something we owe ourselves for the future, which is something I particularly enjoy doing. Mick's Advice for the Transformation Process As I look back at my career, one thing about me is that I was always striving to achieve excellence and be honest in whatever I was asked to do or serve in Her Majesty's service. And I think many of us in the professional armed forces do strive for sheer excellence. And if you've got that kind of psyche to achieve excellence, you'll go above and beyond to learn from people.
In my case a lot of it was about learning about the adversary. When I started working as an explosive disposal officer, particularly involved in high-risk research, I wanted to beat the terrorist, and so I needed to be at the top of my game. I took every opportunity to talk to some of the more experienced ground operators who had served in Iraq and Afghanistan. I looked up to my mentor as well. It's always a fabulous thing for someone going through multiple careers to have a mentor or coach. My particular mentor is a wonderful chap called John Almonds. He is in his seventies now, and he is the guy I aspire to be. I hope to achieve everything he did throughout his military and civilian careers. He is still a very fit man; fitness in body and mind kind of exists all the way through your military career into retirement. And this certainly helps when dealing with high-stress, high-pressure situations. Understanding Your Adversary In the army, I finished as an Intelligence Officer within the British Defense Intelligence. And then I made the transformation

Sep 10, 2019 (40 min)

S1 Ep 6: Contributing to the Cybersecurity Community

Contributing to the Cybersecurity Community Scott Morris, Vice President, Chief Information Security Officer at BlueCross BlueShield Western New York, sits down to talk to Steve Moore about how to be active in cybersecurity communities. They talk about how to encourage young security professionals to find their voice, and the importance of sharing information as a means of strengthening the industry as a whole. What Advice Would You Have for Your Younger Self? I'm not one to really hold regrets or look back at the past, but I would say I've always pursued the uncomfortable things. I always try to find things to solve or problems I could help with, which is how I got around in the day. So always challenge yourself and make sure that you always make the right choices. I would tell my younger self to continue pushing. What Was Your Actual Start in InfoSec? My starting point was in information technology, more importantly in web development. I used to be a web developer by trade and quickly came to understand the risks involved in that. I continued to grow in my information security knowledge and experience, and for a while I was an expert in my former organization. And then I grew from there with a keen desire to know as much as I can and to help as much as I can in information security. Through observation and conversation, Steve Moore has come to realize that some of the best people in InfoSec didn't actually start off in it. You kind of have to learn to build and create things and ultimately break them before you can know how to defend and protect them. And this is a great foundation. As I look back on my career, I recently realized that even from the early days and in previous organizations, I've never actually applied for a position; I've always somewhat, in a way, created the position. And I did that by finding areas or things that needed to be solved or fixed and made better.
In my current organization for example, we had an issue where we were having problems passing or being consistently good in our external audits. I took that on and turned it around, and through that exposure in a very diverse organization, I was able to start piecing together some of the things we needed to get where we are today and build the successful security program we have in place. Any Tips for Someone Getting Ready to Do What You've Done? The answer is something I tell all of my team members today. For the most part, what we do is not something we're responsible for and we can successfully build respect and great relationships. You need to understand your controllers and the people responsible for these processes and functions and build a relationship with them to help move things forward. How Did You Get Involved in Security Communities? At my previous role, I worked for a large consulting company and I had a very large community. But I realized that I needed to have more exposure outside of that. So I started turning to people and organizations locally around here. But there weren’t security communities back then; there were more technology communities. So getting involved with technology organizations was my entry point. I was hooked immediately and continued to grow & expand to where I am today. What Do You Think is the Responsibility of Security Leaders? As a leader, I think it's really important to set an example. I try to do the best I can by participating in these communities in various ways by not only attending it but by being a part of it, being an action and a voice within these communities, and by bringing my teams along and the people that are in this space. As leaders we have a responsibility to continue driving that. In Buffalo we are a pretty small community and we leverage those conduits and forms to continue to grow and vet out what we're doing. So lead by example, participate and the teams will come along. 
What Benefits/Changes Have You Seen in the Junior Staff in the Buffalo Area? In Blue Cross Blue Shield, we are fortunate to have a robust and talented security department, and not a lot of people especially in Buffalo or other small organizations have that. So we push out there and continue with what we're doing. And this helps a lot of people get past those first few layers with decisions and choices if they can hear from a trusted source. And frankly those conversations help us as well as we continue to share our experiences with the community not only in Buffalo but across the nation. We try to present topics that we feel others can learn from and we get great feedback by sharing the experiences we've had, and especially the lessons learned. What Do You Share? Two of our primary outlets for that is first ,within the Blue Cross Blue Shield community where we have more than 30 organizations, and we tend to share things within that trusted community quite often. We're also a huge proponent and a member of Hysek, and that's been a tremendous value for information sharing across healthcare organizations and other

Aug 27, 2019 - 34 min

S1 Ep 5: Does Security Training Really Work?

Does Security Training Really Work?

David Tyburski, Chief Information Security Officer at Wynn Resort, sits down to talk to Steve Moore about security training, specifically phishing training. He shares his thoughts on the idea of training vs education, positive vs negative reinforcement, and offers suggestions for engaging with employees.

David Tyburski's Current Role

I'm currently the global CISO for Wynn Resort, a casino at the north end of the strip in Las Vegas. About 9 years ago, Wynn put out a directive to have a more dedicated security focus on the environment in the organization. They basically handed it to me and for the last nine and a half years I have run this organization, building it from just me to the organization it is today, managing all their properties & operations worldwide.

What Advice Would You Give Your Younger Self?

One thing I would say is to be a little more attentive to the tool-set you bring, because we did a lot of false starts along the way as far as buying tools. If we'd spent a little more time evaluating where we could really use them, we would have been in a better position in the early days. And we do that today by ensuring we have good, proper use cases for every tool that we bring. Also, I'd tell my younger self to spend more time on the use case to know how to use it instead of just going to get it. Understand not just the reason why you want it, but how you will use it and what you expect from it.

What Bothers You About Phishing Training?

It's not necessarily all phishing training, but what bothers me is that we're attempting to teach non-security professionals to be security professionals. They have backgrounds that are varied from us, they don't spend their time looking at security incidents or reading security articles, but they're extremely talented people in other ways. They do an amazing job at what they do. But we as security professionals try to teach them that they've got to know what we know. So I think security professionals need to do a better job of understanding their role in the business, and building a technology solution around that instead of trying to get them to understand their business.

Training vs Education

There's a major difference between training & education. Wynn is an education program, because we're not training people but educating them. We want to give them the security knowledge and information they need for their organizations. We're educating people, trying to give them knowledge and not just teaching them the steps to accomplish something. We have to be able to transfer knowledge, and that's an education program. We have a continuous education program. We break up the topics and put them into small, easy to digest chunks and we continuously run a new topic every week. It's timely and we do everything we can to relate it to everyday life. People are like water and will always try to take the path of least resistance. So in that light, if we can make our security program and educate our people in the right way, so that the security of the organization is the path of least resistance, then it's no longer security fighting the rest of the business but security enabling the entire business to operate.

Should Information Security Be More Aggressive with Email Attachments?

For an HR person whose job is recruiting, he needs to open the resumes he receives as attachments to emails. So how does information security help or enable that process and allow the person to do the job safely? One way we can do this is to intercept the email, pull the attachment out, and re-write it in our own PDF where we turn off all the problematic ability and take out any possibility of weaponization, restrict what that PDF can do and look like, bundle it up and put it back in the email and send it off to the recipient. Now we won't mind if the HR person opens it because it's safe. So to them they simply open the resumes the way they need to open them. They're doing their job and we're enabling it, but we're also protecting them from all the weaponization problems that could come along with emails and attachments.

Good Security Programs

If you bring in negative reinforcement in your organization, it will only go so far. If your objective is to reduce malware in your environment or reduce that phishing problem, then training people the way we seem to want to do is a negative reinforcement model. You may end up frightening employees to the extent that they're not willing to take the risk. So it's important to find a better way to bring that into your organization so that employees do their job of generating revenue and doing good things for the business. Employees also need to have a way to communicate back both positive & negative feedback: did it work or not, what slipped through and what did we not recognize? Any good security program is not dependent on one single item. You need to have multiple places to protect the same thing. So if we're eliminating 99.99% of phishing

Aug 13, 2019 - 31 min

S1 Ep 4: Winning Over the Board

Building an Effective Relationship with a Board

Colin Anderson, Chief Information Security Officer at Levi Strauss & Co, sits down with Steve Moore to talk about interacting and building an effective relationship with an organization's board, managing expectations and sharing narratives that resonate, the makeup of a board meeting, and the different personalities associated with it.

What the CISO & a Board Have in Common

The CISO and the board share something in common, which is to manage risk and make the business successful. However, the CISO has to earn the board's trust even when it's well established that he is the security subject matter expert. Successful relationships must be nurtured, and this one is no different. Each board member comes to the table with a different point of view, background, expectations, and personality. Getting to know the board and how to best communicate with them is one of the CISO's top priorities.

Advice to a Younger Self

The first rule is to know your board, because every board is different. Some are savvy & cyber aware while others have little technology & security exposure. You need to do your homework to better understand your board members' areas of expertise and experience. You want to know if any of them have had a security incident or breach in the past, and if they have a deep understanding of security. Another important question to ask yourself is whether you know any security leaders that have worked with some of your board members. It's also important to know your narrative: what's the plan for your security function, how do you measure progress, and how best do you communicate and earn the trust and support from that board? I've seen a lot of leaders present in front of board committees and the most common mistake I see is the presenter not being prepared for that board audience. The presenter knows his stuff but he fails in communicating it in a way that earns the board's trust & confidence. That story-telling skill is very important because your board is going to remember the narrative you tell them. They may resonate with the statistics you put in front of them temporarily, but a few months down the road they're not going to remember the numbers. They will remember the narrative you gave, that example you crafted to emphasize the point you wanted to put across.

The Different Types of Boards

There are different types of boards, where some are security savvy while others are not. Generally, they don't care, they have an IT background, or they don't. But a day of reckoning is here for them. They need to figure out and no longer be ignorant to these issues or be dismissive of them. They should know what the security department, and especially what the CISO, does. However, the security topic with boards is relatively new and still in its infancy. They don't really know how to measure whether that security program or security leader is being effective. The NACD (National Association of Corporate Directors) has put out some pretty prescriptive guidance for boards on how to effectively manage security risk. This helps educate the board and also helps the security leader know how the board will be measuring them.

Presenting to a Board

Earning your board's trust is the most important thing you can do for your long-term success as a CISO. Educate them & build that partnership where you both work to manage risk to the business and enable it to succeed. The other board members bring skills and experience you don't possess, and you have skills and information they likely do not possess. They're looking at you as a subject matter expert on security to help them make more informed business decisions. So if a situation is bad & there's a problem, don't be afraid to put that concerning information to your board. Don't be afraid to say that you don't have all the answers. Tell them what you're doing or what you're not going to do & why. In reality you have to make some hard choices. And that transparency gives credibility to your message and plans. The board is relying on you based on what you think is critical or important because they may not have all the background information. Your assessment of the situation carries a lot more weight with the board.

Bringing in a 3rd Party to a Board Meeting

A 3rd party can be brought in to emphasize a specific plan or concern you have. That extra voice can carry a lot of weight in some boards. The board may also bring in a 3rd party like an audit person to ask questions or give more insight on a given topic. If another CISO is to be brought in, he needs to bring more than just the security skillset to a board to be an effective board member.

The Toughest Board Member Ever Presented to

There was a telecommunications executive who had previously experienced a major security breach. He was new to the specific retail company in question and so he didn't have a really big understanding of the business. Also, he didn't fully understand that the

Jul 29, 2019 - 37 min

S1 Ep 3: What it Means to be an Honest Broker

What it Means to be an Honest Broker

As a former CISO at Hanover Insurance Group, Brian Haugli shares what it means to be an honest broker in the context of security leadership, which might be better described as an agent of trust and transparency for a business. Brian and Steve Moore talk about strategies for delivering the right message to executives and the Board, the learning opportunities that come with candor, and the honest truth about managing the inherent stress of the position.

Advice to future or current leaders

One big feedback I would give my younger self is don't focus so much on one area or another. Really be open to the ancillary spaces within security. Looking at human behavior, looking at the legal side of things, and pulling that information in to help round you out.

Is there a core of bad leadership in information security?

Not everyone is born to be a leader. It's something that you're born with, that type of a capability. I think you look back at like type A/type B personalities. A lot of security folks are the type B, and there's nothing wrong with that, but I think there's a different level of getting leadership out of that that isn't as natural for them as somebody who is a type A, an outgoing type of a person. I don't think there's bad leaders in InfoSec. I just don't think there's enough of them.

Transitioning on a small team vs large team

In a smaller organization, you're going to wear more hats because there's just not enough people for that work to go around. The larger organizations, what I learned was I could sit down a team of four or five analysts, teach them in one or two hours how I would do something. And now, I've multiplied my capabilities by five. And that's much more effective than me trying to do that individually. The smaller teams, smaller orgs, they are struggling with being able to address this and I think that's where I want to find a niche for developing some work and some support and driving insight and guidance to these groups because they need help.

The start of Side Channel Security

We saw the need that small and medium businesses, nonprofits, VC-backed software firms, don't need a CISO full time but still need that kind of guidance and expertise. We started by supporting a nonprofit ... realizing the questions and the concerns were the same things that we had heard from our peers in larger organizations or our own organizations at the time. It just built upon itself.

Where are people most ignorant as it relates to information security and running a good program?

I've got a bit of a mantra that I can't defend what I don't know exists, and that's really asset identification, asset allocation. Being able to answer: what are your business obligations? And what are your business objectives? Can you identify the things that keep you running and could you tell me what a bad day looks like? You have to make them understand that your new reliance on technology and you storing all of this data and/or allowing access to these systems equates to your ability to provide services to your customers, whatever that is then. Those are usually ah-ha moments for folks and it's a good one to be there for because you can quickly help them realize what their concerns really should be from a security standpoint, but then quickly get them to how do we tackle this? How do we make this not an issue any longer? How do we mitigate that risk?

What is an honest broker when delivering a security message to the ELT or the Board?

I think it's just about transparency and integrity. Security, the definition of security, is confidentiality, integrity, and availability. As the CISO, your ability to obviously protect those things is one aspect. Your ability to showcase and embody the integrity of what it is that is being expected of you. Turning that around and then being able to explain that in terms that honestly chances are nontechnical person and somebody who definitely doesn't understand information security is going to understand.

Do they always really want the truth?

Everybody always wants the truth but what they want is to make sure that you're not positioning as if the sky is falling on every conversation you're having. It's about talking about the level of risk at an appropriate level. What most senior leaders really want to hear is that you've got it under control. What you can do is be completely honest in the fact that you don't know what you don't know and then promise that you're going to go figure it out and come back to them with something.

What are things that we forget to do?

I think the thing that gets missed a lot is that security doesn't exist without the business. We're not in the position for the sake of a company or an organization.

What's the worst archetype of a CISO?

I think there's a major difference between the CISO who has a real technical understanding of everybody on his team or her team and those who came through the CIO track or the business track. I think you can

May 20, 2019 - 38 min

S1 Ep 2: The Ins and Outs of Budgeting

The Ins and Outs of Budgeting

Andrew Wild, CISO at QTS Data Centers, sits down with Steve Moore to talk about IT security budgets, the challenges of prioritizing resources to balance risk, and the value of cooperation.

IT Security Budget

Managing an IT security budget isn't just about spreadsheets and internal procurement processes, it's about understanding your organization's business priorities. Add to that the management of your vendors and VARs with which you work. A CISO's focus is to protect the organization and measurably reduce risk, which often requires the acquisition of technology. However, those decisions aren't just about tech. There's a lot of management planning that must occur. The combination of transparency, forecasting and relationship building is good for business.

Challenges of Prioritizing Resources to Balance Risk

Anyone that aspires to have a more senior leadership role in an organization needs to understand how things are budgeted and financed and paid for. Look at the amount that was budgeted in previous years and what was actually spent. Sometimes that is a way to glean some insight into how well that role is functioning. In some cases, an organization may be growing so fast that you or your budget is continually being adjusted upward, which can be a great thing. An indicator perhaps of some issues either in execution or enough resources to execute would be if the amount that was budgeted exceeds by a not insignificant amount the amount that was spent. If you're not spending everything that you were allocated, that's an indication of a problem within the organization.

The Value of Cooperation

In the information security arena, there is very little that the information security team itself is able to accomplish without support across the organization. The infosec team is leading part of the effort, but there's always another team that's needed, whether it's the team that's racking the hardware. Whether it's the team that's going through and supporting you in the procurement process. Whether it's the legal team in terms of contract reviews. You are, to a very large extent, dependent upon other organizations to be able to accomplish your mission. It's important to try to learn how the procurement process works. What is the mechanism through which the value added resellers, the VARs, are selected? Do you have the ability to influence which VARs you will get to work with for your information security solutions and services? It's not always just about within your organization too. It's about how you work with both the vendors and the VARs. Be considerate of the fact that the vendors and VARs work on a forecasting model where they have to be able to, with some level of precision, predict when opportunities are gonna close. Be up front and be transparent.

What is Being Forecasted?

In any kind of a sales organization, the organization expects to be able to know what kind of transactions are gonna happen, what opportunities have been identified, and that there is a definite progression through the sales process or the funnel as some people call it, where an opportunity for sales is identified--there's a need, there's a solution developed. People depend upon being able to plan because that's how companies are able to better plan and meet their numbers, particularly if it is a publicly traded company.

What Makes a Good VAR?

Someone that has likely either deployed the technology in their own environment or has deployed it in other customer environments and knows the solution it sells, and they're almost an extension of the company's sales engineering team. VARs will provide some very valuable information that you might not get working directly with the company itself.

A Better Relationship with Sales

Go talk to people outside your organization. It can be very inspiring and helpful. It can also potentially lead to new opportunities. If you don't interact with people, it's really hard to be able to plan out your career. Either to know what you're interested in, or to become aware potentially of opportunities. It's really about engaging with the larger part of the organization, recognizing that at some level, every member of the organization is a representative of that company, and is in some way assisting the organization in achieving its goals. Whether it be directly, through supporting the sales process, or cost management, or getting a project done on time or early.

Growth of the CISO Position

It's certainly getting bigger from a risk perspective. It's becoming a larger position because it's less focused on just implementing technology and more focused on managing business relationships and identifying and guiding an organization through the navigation of risk management.

Resources:
Exabeam - Website
QTS Data Centers - Website
Steve Moore - LinkedIn
Andrew Wild - LinkedIn

Apr 22, 2019 - 41 min

S1 Ep 1: Lessons Learned from a Virtual CISO

Lessons Learned from a Virtual CISO

Matt Klein, Virtual CISO and Executive Advisor at Optiv, sits down with Steve Moore to share his insights on teamwork, getting visibility at the executive level, and the right prep for effective board conversations.

What is a Virtual CISO?

Think of it as a trusted advisor, an executive advisor, talking about strategic elements of your security program, even some technical elements, at a high to medium level. They are a trusted person to work with a company and make sure that they're headed in the right direction. Also, they are that person to bounce concepts off of and to make sure they're doing the right things as they're building their information security program. There are times where the virtual CISO model comes into play where either the CISO has left the company, or possibly a small to medium size business that doesn't have the need for a full time CISO. Another situation is where a CISO is gone, or they're creating a CISO role, and they believe they had somebody on staff who is capable of doing the role but needs some guidance.

What is a bad CISO?

Usually they're not talking the same language as the business. Everyone tries to get to that language of talking risk, but really talking about the business. What does the business do? What are the crown jewels? What are those elements of the business that are core to protect? Whether it be data in a regulated industry, most industries would love to protect their brand. They don't want their brand drug through the mud in terms of a data breach. It's those types of things. It's really those situations where the CISO is either removed so far from the executive team or from the board of directors, that the voice of the CISO is never heard.

Is the CISO role measurably impossible?

There are folks doing a fantastic job. They have what they need to get the job done and that's really the root of CISO success. It's budget, it's staffing, it's all of those core elements to a security program, but it's more than personal interaction with the business. There's an understanding of what the business does and what protection should be in place. You can't place a blanket over everything, it's impossible, it's expensive. You never have enough staff. You really have to pick and choose what you want to get done inside of your program. In a risk-based approach that makes sense for your business. Set the base line at an executive level.

Interaction with the Board

It was just getting to know who I was talking to. In this case it was the board of trustees of a private state institution. Just understanding who the players were and getting to the point where I was talking at a very rudimentary level about what a security program was. There were no numbers for that initial meeting. It was really concepts. It was bringing some of the concepts of protecting the institution, protecting the brand. It's really a huge asset for them to consider from a protection standpoint. It was really setting a foundation of here's what we're trying to protect, here's the important things to the institution. Not so much asking for what I needed or statistics. It was very high level, get to know what the information security program is and what it does for the institution. You would want to be at least a little bit comfortable with standing in front of a group of folks and delivering a message. When you're helping create a presentation, there are really two in one. It's a larger presentation, that if you had all the time in the world--the set of slides that you would use, kind of walk through, and give people time to ask questions and be really open with your presentation. And then there's the scenario where you got to cut down to three minutes--that's maximum two slides. It's really going through those two exercises together, continuously on almost any presentation you do, the long version and the short version. And deciding how you're going to deliver both of those messages.

Leadership during crisis

The first message is that you want to be [physically] together, because [a data breach] is a serious situation and it's something that most everyone had never imagined could happen. So you want it to be together and at least give people an outlet to say, "Can you believe this happened? How could this happen?" And just give people an outlet as a leader. Number two is just to be calm. Nobody wants to see the leadership running around losing their cool, acting outside of character, and it just doesn't go well. It doesn't give a sense of calm to your staff so that they can deliver, you know, the tasks and the activities they need to do to get to the root of the problem and fix the problem. You're always going to have gaps in your program. Yet, always document what the gaps are and certainly document what it would take to fill the gap at a minimal level and then at a perfect level.

Always have a plan

It doesn't have to be a three year plan, but it at least has to go 12 to 18 mo

Apr 10, 2019 - 39 min