Podcast

CISO Insider S2E7 - CISO Insider Season 2 Recap

Icons
by
Martinez
Martinez
,
September 1, 2021
On this page

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.  

Our season 2 recap episode is a collection of the best quotes and highlights from our second season. We gathered insights, lessons, and other valuable soundbites from CISOs and security leaders at Even Financial, Segment, MongoDB, One Main Financial, and Datadog. Hear from our brilliant guests and make sure to catch their episodes featuring our full interviews for a deep dive into cybersecurity, leadership, and much more.  

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at marketing@nightfall.ai.

Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with Chief Information Security Officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.  

Chris Martinez: Today on CISO Insider it’s our season 2 recap episode, featuring the best quotes and highlights from our six episodes in season 2. We gathered insights, lessons, and other valuable soundbites from CISOs and security leaders at Even Financial, Segment, MongoDB, One Main Financial, and Datadog. Hear from our brilliant guests and make sure to catch their episodes featuring our full interviews for a deep dive into cybersecurity, leadership, and much more.  

The cybersecurity community

Chris Martinez: Each of our guests this season has helped build a community of cybersecurity within their own organizations. Their impact has helped security practitioners grow at every career stage. 

Chris Martinez: Even Financial CISO Mitch Zahler was part of the beginnings of cybersecurity as we know it, learning from and working with some of the most influential cybersecurity leaders of all time like John McAfee and Steve Katz, whom Mitch identified as the “first CISO.” Listen to what Mitch has to say about the value of building a career path alongside the most influential people in the industry, and where the biggest lessons of his early career came from:

Mitch Zahler: Since the world of data security, as it was called back then, was very small, I was speaking and interacting with people like Steve Katz who I’ve stayed in touch with after all these years. Steve, for those listeners who don’t know, was the first CISO. I still have a connection with him, and his insights into various security ideas have stayed with me. I apply many of the things that we spoke about over those past years. I would have lunch with Steve and we’d discuss where I was going in my career and he would give me advice. I probably couldn’t get that kind of advice from anybody else in the field because Steve had pretty much the most experience, again, being the first CISO.

Mitch Zahler: I also used to speak at conferences with people like John McAfee and other security leaders who were trying to launch their security products. It was an amazing time in the industry, and I learned a lot from these people in the early days as well. But I think the one person that really changed my thinking about security and mentored me quite a bit was my boss at a place I used to work at, Republic National Bank. He told me that I needed to make sure that any controls I put in place were as transparent as possible for the user. He used to tell me if they weren’t, then people would try to bypass them, and then security wouldn’t work. He told me also that you can’t slow down the business. We need to find a way to implement security controls in a smart and effective way. He gave me that advice a long time ago and I still practice it.

Chris Martinez: Emilio Escobar’s experience as CISO of Datadog has given him opportunities to build a culture of security where protecting data is the responsibility of everyone who works at the company. Here he talks to me about how building champions across the company is the best way to scale security:

Emilio Escobar: We have people who sit in the security SIG chair or co-chair for Kubernetes. We have that kind of expertise internally, so we definitely trust them with that. They don’t necessarily report to security, but they come with the expertise to do the work properly. On top of that, we have people within the security teams who act as advisors for different compliance frameworks or different implementations or technologies. We can leverage them and embed them deeper with other teams to make sure that security concerns are being addressed appropriately. We deliver value to customers by providing them with the tools that they need to do their work securely. That has been evolving as the company has continued to grow.

Emilio Escobar: Very early, we built a culture where security is everyone’s responsibility. We have a good dynamic where people come to us with questions. We work with them. I don’t like checkbox approaches. I don’t like throwing things over the fence to other teams. We continuously work to make sure that security teams are deeply involved with product engineers, and finance and legal operations teams, to make sure that we’re working with them to prioritize security. Enabling that trust goes both ways. Building champions across your entire company is the best way to scale security. That way you don’t need security as one all-seeing eye everywhere. That’s definitely not going to scale for us.

Chris Martinez: One Main Financial CISO Michelle Valdez brings up an excellent point about CISOs mentoring fellow leaders within the industry. The best way to build a cybersecurity community is to reach out to others who are looking to become better leaders. Take a listen to Michelle’s vision: 

Michelle Valdez: When I think about people who have mentored me, the best guidance comes from the people who have helped me believe in myself. Imposter syndrome is a real thing for CISOs, no matter your background, or how long you’ve been in the role, or the way we’ve done it before, or whether you’re a man or a woman, or whether you’re an underrepresented minority. It happens to every CISO I know. You need to have people to talk to and help you through it. I’m part of CISO groups where we rely on each other when we’re having one of those days. Look for somebody who prepares you for the communication and resources challenges you’re going to face. One of my mentors helped prepare me for my first presentation to the board because I was terrified. I was like, “Oh my God, I’m presenting to the board of directors. I’ve never done this before.” They helped me think through the things that are important to convey and how I would speak to those things. It was so beneficial.

Michelle Valdez: When I’ve talked to other people about mentoring CISOs, I think that it is something that most CISOs don’t do well. I don’t know if you’ve seen the security strategy that the CISO at Equifax published. I’ve never seen anybody publish something like that before. I’ve read it at least five times. He speaks on how we do not as a community help to grow leaders, the way that we should. I wish I had somebody that I could ask about my challenges and not be worried that they think that I’m not competent enough to be a CISO. It’s important that we have a community that we can trust with people that tell us what we need to hear and help us, but not judge us in any way shape or form or question our ability or us being in our leadership positions.

Approaches to data security

Chris Martinez: Threats to data security are consistent across all industries. When CISOs face these challenges, their approaches must fit into different aspects of the business and mold to the resources and teams they have. In our chats with our guests, we learned which security threats are top of mind in their organizations.

Chris Martinez: MongoDB deputy CISO Chris Sandulow talked to us about the threats that exist when working with third party vendors and systems. How his organization uses credentials is a key concern for protecting MongoDB’s internal data and systems:

Chris Sandulow: I think third-party vendor management is a problem, not only for us, but for everyone with a relationship with third parties. If we think about security products back in the day, you generally had the concept where you could bring a software product on premise. If that was in your environment, you had some level of control around how you could operate that product and maintain security controls around it.

Chris Sandulow: But nowadays, many products simply aren’t available on premise, or we don’t want to maintain them on premise. So you’re stuck with having to accept the security constraints of a SaaS vendor and what they have in place. This often means you might be stuck in a situation where a vendor is business-critical, but you’re unhappy with their security posture, and you need to make a risk decision and determine if there are other ways to limit that risk. It can be very difficult to make a realistic business discussion around this, given the difficulty in monitoring the security practices of a third party vendor.

Chris Martinez: Shadow IT might be a dirty word to some CISOs. Emilio sees it as a valuable way to gauge how well a security org is serving its customers. Reducing the prevalence of shadow IT within the org leads to better outcomes when limiting data sprawl. Take a listen:

Emilio Escobar: Data is continuously growing. Many people think that data is like garbage. The more you keep it, the more it starts to smell. But it has value and meaning to different teams and different business units. We have to make sure that our customers have the proper tools that they need to handle and manage their everyday work. We have a known catalog of services and tools that we use at Datadog. We know where the data is, so we can help them apply the right level of controls and legal agreements. But then we also create an environment where our culture is open. People can ask for new tools if the ones that we currently support do not meet their needs. 

Emilio Escobar: We enable our teams by trying to reduce the probability of shadow IT. We don’t put a lot of blockers that keep people getting the tools that they need for their work. We work with those teams to understand the life cycle of data that I mentioned. We ask questions like, What are we using? Who needs access? How long do we keep it? And then we try to take an approach of “set it and forget it” so they don’t have to continuously think about that on top of their day-to-day work, which for most of the company is probably not security related.

Emilio Escobar: Shadow IT, in its literal definition, is tools, applications, and services that people are using that are not known to your IT or security teams, or other teams that are tasked with maintaining those systems or at least need to be informed. That includes legal, for example. I think shadow IT is a good measure to track. At Datadog, I also oversee IT security. For me, it’s a good indicator of how well we are serving our customers. Do we have the right tools in place or do they feel like they’re forced to go elsewhere and get a tool because the current ones don’t meet their needs? I use that as a measure of IT service quality or product terminology like Net Promoter Score for how much people trust IT and why they can come to us and ask for new tools. We have a system built so they can go get what they need.

Chris Martinez: Segment VP of Security Coleen Coolidge also sees the need to increase security among the third party vendors that her teams work with. But it’s only one piece of the cybersecurity puzzle — she also talks to us about business continuity planning for the new reality of working through COVID, and how leaders can plan for managing employee burnout on their teams. Because keeping your teams intact and healthy is just as important as maintaining the software and systems you use in your everyday work.

Coleen Coolidge: Two things come to mind. One is an increased focus on third-party security among all the vendors we’re all using. When you think about what your tech stack really is, or even just the tools that you use, you might have some software actually installed on your desktop. There would be a certain number of licenses and everything would be contained in your data center. Now, when you think about what makes up just one department’s security, like all the different tools that your HR department uses, none of those things are things that you built. 

Coleen Coolidge: These apps were installed onto a person’s desktop and none of it is closely locked down and monitored. These are all SaaS tools that you don’t have a huge amount of control over. I think that we need a reckoning with any third-party tool that you depend on, making sure that you avoid sending the vendor several questions because I don’t really think adding a ton more questions helps your understanding. I think it’s really about how you put controls in place to guard against the apps’ deficiencies. How do you guard your organizational data, and your users’ data? 

Coleen Coolidge: The second thing has been related to business continuity planning. A lot of security people are suffering from burnout. We are counting the days until we get fully vaccinated, and until the things that we want to do open back up. I actually think we’re going to have a personnel shortage where everybody is trying to take off at the same time and travel abroad or just go visit family. They want to go on an extremely long vacation and want to take two months off of work. If you think you already have a shortage of people now, imagine when everybody wants to take vacation at the same time. And people are entitled to this because if you think about how hard the last year has been on everyone, we might need to do a shutdown just so people can really spend time with their families and friends.

Aligning business goals with infosec initiatives

Chris Martinez: In these conversations with our guests, we heard one common theme come up frequently: the need for CISOs to understand the business priorities of their organizations and how to build security initiatives that support the direction of the business.

Chris Martinez: Mitch learned how to become an advocate for the business over his career as a security leader in fintech and financial services. Here’s how he encourages security leaders to create and build partnerships with stakeholders across the business:

Mitch Zahler: Coming from the world of big banks most of my career, I understand my peers in those institutions and how they operate and practice security. When you’re in financial technology, the culture is usually very different compared to large institutions. So I would advise those in financial technology, if they haven’t done any work in large corporations, to listen and forge relationships with your security peers in those larger organizations. Keep in mind that they may operate in different ways, but we all have the same end goal. I truly believe that each side can learn from each other, whether it be about business or security.

Mitch Zahler: Also remember that you not only need to deal with security, but you need to be an advocate for the business. The role of the CISO has matured in many organizations to where you’re a member of the business team as well. Understanding your business and the institution you’re partnering with is important for a win-win outcome. Some people may be intimidated by the larger security teams that big financials have. Don’t be. Try to forge a partnership with those teams. You’d be surprised how many of the same issues they share with fintech organizations. There are things that are different, but a lot of things are the same.

Chris Martinez: Coleen identifies leadership for CISOs as balancing their technical knowledge with management savvy. She says communicating key ideas like the roadmap, objectives, and accomplishments of the security team with the rest of your company, including the board and executives, is one of the most important skills for CISOs to have. Take a listen:

Coleen Coolidge: As far as skills go, most security leaders I know came up through particular paths in security, like application or network security. Some have a strong governance, risk, and compliance background. Once you get to a very high level in security, I think that being able to command an army, rather than trying to show off your glory days has more value. What was once your deeply technical work is now your team’s domain and their area to shine. It’s not all about you showing off to your team and everyone else. 

Coleen Coolidge: It’s great for you if you’ve been able to stay technical. But are you also as good at your main job of commanding that army of the different parts of your security teams? Are you able to inspire and lead all of them? Are you able to put together a roadmap and a vision that speaks to every single person on your team? Can they map their daily work to your five-year vision? Do your executives understand where you’re trying to go? Do they understand why your set of security teams is good? Do they understand the main principles of what you’re trying to get across? When you become that leader on that side, you need to be very effective at those levels.

Chris Martinez: Chris finds relationship building with people throughout the company to be a successful method for ensuring that his team’s progress aligns with the company’s overall business objectives. Including the needs and processes of your stakeholders in the security strategy and vision makes for a more comprehensive plan. Let’s hear from Chris:

Chris Sandulow: One thing that I always talk to my colleagues about, and particularly people on my team, is that you must desire for your colleagues to succeed. We don’t need to be best friends, but it’s important to understand what success means for them, and understand those teams’ processes, their perspectives, and their roles. If you have this information, it’s easier to create a relationship with someone in a non-combative way, and help them feel comfortable sharing information with you. It’s helpful to understand what’s out there and maintain visibility, and make people comfortable with working with us.

Chris Sandulow: Secondly, we also invest in a security championship program. I found this to be really helpful to connect our team with others out there that have an interest in security. At MongoDB, we specifically speak with people across multiple different departments, and we engage with them regularly, and utilize this relationship for info gathering and focused training, as well as proof of concept for pilots amongst a group of people that have some passion for security. And lastly, even though this sounds obvious, it’s really important to be aligned with business objectives and thinking about the direction of where the business is going, and expanding upon that. We need to understand if we make a certain product decision or certain change — then ask what it means to the security posture of the product. What does that mean to our current plans, and does it impact our capabilities at all? The common theme here is relationships and making sure that you nurture those relationships, and understand the perspectives of the people you’re working with.

Unique skills as a value add to the CISO role

Chris Martinez: Were you surprised to hear that some of our CISOs came from nontraditional backgrounds? Technical knowhow is definitely a requirement for the role, but it’s not always necessary to have those skills when starting in the role. Other skills, like understanding how to align with business priorities like we discussed earlier, are becoming more and more important for the up and coming CISO. According to a 2019 Price Waterhouse Coopers and Harvard Business Review Analytic Services survey, 63% of respondents said culture will be among the top five responsibilities for CISOs within three years. The time of building so-called “soft skills” is now.

Our guests shared the unique abilities each brings to their role. Conventional thinking has made technical skills a given in some cases, or just less important than other strengths like effective leadership, clear communication, and relationship building.

Michelle has thrived in the CISO role without a technical background. As she mentioned earlier in one of our season highlights, there was a time when she convinced herself she couldn’t do the job. By leveraging her strengths and learning how those traits and skills fit into the big picture at her companies, Michelle has succeeded as a technical leader. Let’s hear a bit from her story on how CISOs with non-technical backgrounds can make it work:

Michelle Valdez: The first thing I would say is, don’t convince yourself you can’t do it particularly if you don’t have a deep technical background. I think that there are some companies and some CISO roles where the way that the role is structured, they want somebody who is highly technical. Those just aren’t going to be the right roles for somebody who isn’t highly technical, who hasn’t been an engineer, or who doesn’t have experience in incident response working in a SOC. More and more these days, people are looking for leaders who can communicate to the rest of the business in a non-technical way, in a way that’s meaningful to a wider group of stakeholders. It’s becoming more and more about managing risk. I think it’s always been that way, but I think it’s now driving, in some cases, different skill sets for CISOs. It always depends upon each organization, but I was very fortunate to be brought on to a role where I worked for our Chief Risk Officer and I focused on risk.

Michelle Valdez: It’s all about minimizing the risk to our company from a cybersecurity perspective. I don’t have a technical background. I never coded. I never was an engineer. I built programs in organizations. I’m a process person. At one point I convinced myself, there was no way I could do this role. I told myself I would never be able to get there because I just wasn’t technical enough. So what I would suggest to people is to learn the different aspects of cyber. You don’t have to be an expert. As a matter of fact, I think it’s almost problematic if you’re too much of an expert in any one field, because it’s hard for you to then let your team lead and do what they need to do.

Michelle Valdez: To be more strategic and learn the different aspects, surround yourself with experts who can help teach you. I hire some of the greatest experts who know way more about what they do. That’s how it should be. You want to surround yourself with the best people, because I learn from them every day and it makes us have a better program because of it. Cybersecurity is still this mystical thing to a lot of people. Many people approach it like, “There’s an incident in the news and I don’t have to worry about it because there’s a team of people who take care of it. I don’t even have to concern myself.” One of the hardest things when you’re building a framework or a program that you have to transform iis helping everybody understand their critical role in cybersecurity regardless of what they do.

Chris Martinez: Coleen told us she was “tricked” into going into security. As a project manager who was focused on systems that analyzed mortgage data for subprime lenders, her role at the time initially had very little to do with security. It was in that project where she found her passion for infosec. Here’s Coleen giving us the “long story short” version of how she met the security specialist who put her onto her new path and how she’s leveraged her skills that led to her becoming VP of Security at Segment.

Coleen Coolidge: He told me that anyone can manage projects, but not everyone can do security. He saw the way I helped transform the product we worked on together when we first met into something that was good in the end. He saw that as the kind of transformation the org needed.

Coleen Coolidge: He asked me to think about it, and give it a try for one year. He promised to point me in the right direction and get me the training I needed. After that, if I decided I hated it, I could always go back to managing projects. I went for it. I was early enough in my career that I could pivot. He put me through a week of SANS training: Unix security, Windows security, network security, cryptography, the standard with the lab, and the test. Many of these topics were things that I had really never dealt with before. And they went quite deep, which I wasn’t necessarily ready for. To reinforce this training and get a sense of what was out there with security, he would drop me into different teams for short term projects. For example, the network security folks at the time were really getting into forensics using EnCase and found some weirdness with the loans. That’s how I learned EnCase, how to maintain chain of custody, how to do the collection of evidence, and how to do the searches. I’d essentially just go group by group, jump in and help with all of the grunt work they needed, like documentation or reviews.

Coleen Coolidge: For the other side of network security, they handed me this green pager. It meant I was on call and I needed to respond with the correct procedures. I had to look at the alerts coming in from the firewall and the IPS. Being a beginner and thrown in at the bottom of each of these stacks was not fun. There were days that I went home crying and thinking it was the worst thing ever. Why would anybody sign up for this job?

Coleen Coolidge: But it taught me the basics of what it’s like to be on each of these teams. I don’t have a developer background. But these teams would ask if I could threat model, follow directions, and have other people follow directions. And yes, I have that background. So I was able to do a threat model for applications on their teams. I found that it wasn’t as terrible as I thought. One of the best things about going from app security to network security to desktop security, I found the most gracious group of internal customers I ever came across was the developers. 

Coleen Coolidge: I told them right away, I don’t have the same background that you do. The background I have is security. And even then I’ve only been doing it a short time, but here’s what I know. The developers were extremely helpful to me with decomposing their application, seeing where are the inputs and the outputs, and understanding who would care about attacking this [and] what is the most valuable piece of this. Seeing the look of discovery on their faces, I don’t think anybody had ever sat with them before and asked them to look at their application and features the way that an attacker would. They’d always looked at it as if they’re a user and wanted to get the most out of everything. 

Coleen Coolidge: I was the one asking: “What if you have a user who’s bad? How would any of these protections change?” I would say it was mutually beneficial. My boss wanted me to gain experience in every single area. He even had me do a stint with the physical security, so I sat with the building security folks. I was up for anything that he could think of. He’d put me on an upcoming audit for review work and help write the management response. I think I got the full buffet table of what it was like to work in security. 

Coleen Coolidge: At the end of that first year, he said I’d learned so much like working on EnCase, writing policies, helping us pass audits, working on the IDS, revamping network documentation, and helping developers. He asked if I really wanted to go back to just managing projects? I think he knew the answer was no. Even though I had started at the very bottom and honestly, still was at the bottom then, there was just so much richness in the broad field of security that there’s no way that I could go back.

Chris Martinez: Mitch has a passion for writing and teaching that makes him stand out among CISOs working in the field today. As a professor at Rutgers University and as a regular contributor to publications like CSO Magazine, Mitch is able to share his expertise and knowledge in ways that go beyond his day to day work as a CISO. Let’s hear from Mitch on how he gives back to the cybersecurity community through these contributions:

Mitch Zahler: I usually try to dedicate one class each semester where I explain the various domains of information security to my students and what it takes to get a job in those areas. I also bring real-life examples from organizations I’ve worked at into the classroom, which is really important. Many times I’ve explained to my students current hacks that were reported in the news, because invariably we always have something that happened during the semester. This company got hacked, that company had a breach, or whatever it was. Something always happens at least once during the semester. 

Mitch Zahler: I remember when I first started teaching at Rutgers, I asked those who were going to graduate what their next steps were. Most of them said that they weren’t sure since they learned a lot of theory, but not enough practical hands-on skill. At that point I decided to add a Splunk lab to the syllabus. I know this great engineer, David Wiedaseck, from Splunk. He drove down from Boston every semester to run the lab. Of course, now we do it by Zoom. But the best part is that the students get a certificate for basic Splunk skills, which they can now put on their resume. Two students from my classes sent me an email and they said, “thanks for the lab. I put it on my resume, I got an interview, and I’m starting to work at a low level in a SOC.” That’s really gratifying.

Mitch Zahler: I find it very satisfying when my former students contact me and ask for advice. This may help them get their first security role. Before the pandemic I had the FBI come into class and give a lecture on what it’s like to work within the FBI. One student talked to this person, got his card, and that student now is working for the FBI cyber division. Another former student recently reached out to me and I helped him with some tips on his upcoming interview at Google. There are many others who have gone on to obtain a security job since I started teaching. At the end of the day, this is where I get a lot of satisfaction from teaching.

Mitch Zahler: There are many security practitioners that write articles for our peers, which entail many great security topics. I like to focus a portion of my career on the first canon from ISACA, which says protect society, the common good, necessary, public trust, and confidence, and the infrastructure. To that end, for many years around tax time, I have published articles about tax fraud and how to protect against it from a cybersecurity point of view. One of the biggest challenges is conveying in non-technical terms how scammers and hackers steal millions from unsuspecting Americans each year, especially the elderly. I’ve known two people this happened to. It upset me tremendously. So I started putting these articles out. The articles always include tips to save someone’s life savings or heartache knowing that they lost money.

Mitch Zahler: I also wrote an article for CSO Magazine that was titled “Volunteer Your Services, Not Your Personal Information”, based on another true story that happened to me. I helped a nonprofit who had their database of volunteers hacked. There was personally identifiable information (PII) in that database and the volunteers weren’t too happy it was stolen. The article tells the story, and shares practical tips for those volunteers who want to volunteer their services to worthy causes. I had someone from the infosec industry tell me he sent the article to a few of his relatives who do volunteer work many times a year and they implemented some of the tips I wrote about. I love doing that stuff.

Lifelong lessons in security

Chris Martinez: Great leaders are able to integrate their individual perspectives on the issues they’re tasked to solve into a strategy that fits with their company’s plans and growth. By bringing the lessons and tactics they’ve learned over their careers, each of our guests on Season 2 of CISO Insider has helped improve their companies’ security outcomes.

Chris Martinez: Chris makes time to educate peers and make senior leaders in his organizations aware of the goal of the security program. He makes these lessons tangible through tabletop exercises that are inclusive and focused on current issues. We hope you’ll gain some inspiration from Chris’ approach:

Chris Sandulow: It’s important to educate your peers and make other senior leaders aware of the goal of your security program. This might sound obvious, but it’s important to state that the goal is not to make a hardened shell that is completely impenetrable or that can’t be hacked. That’s nearly impossible. If it was possible, it would be infinitely expensive. The discussion should be around raising attacker costs, and making it infeasible to attack certain parts of a company, because it would be too expensive for the attacker. We are resource-constrained, but so are the attackers. The attackers are not going to go after something that’s very hardened. I think selling this point and making everyone aware that this is your objective is a key point in understanding how risk decisions and discussions should go.

Chris Sandulow: In particular, I’m a big fan of using tabletop exercises to highlight this and to raise awareness, particularly among executives. Topic wise, we tend to stay on whatever is forefront in the news. In particular, our objective here is to raise awareness among other people that are not security professionals. They typically have the level of knowledge that you would see on the front page of CNN.com — a very high level report on a hack that happened. We try to construct a scenario that includes the same level of detail, but also includes areas within the business that we could use additional guidance on, and how we want to solve that particular problem. I’ll give you one critical example with ransomware, and the general questions of, “Could we be ransomed here? What would that look like? How would we respond? What would it look like to our customers? Do we have their appropriate playbooks to respond for different teams, whether that be communications, engineering, or other teams?” These questions can lead to a lot of interesting discussions, and also highlight to different leaders that they may have gaps that we need to address.

Chris Martinez: Emilio found validation in his personal approach to security over the last year working through the challenge of COVID. Keeping people throughout Datadog informed on IT and security policy decisions has helped Emilio’s team and the people that work with those teams feel included and take agency in their work. Hear from Emilio on why customer-first communications, for internal and external customers alike, has always been a priority:

Emilio Escobar: I’ve learned that people are generally interested in everything that happens at the company. People want to know what security or IT or any other team is thinking and doing. They ask questions about why we are doing things, how can we help their teams, how it impacts them, and how it compares to other priorities and what are the trade-offs? I think focusing on transparency is critical. People want to be in the know. They want to be involved, and want to feel included. The most successful culture is one where you allow people to feel included in everything. Datadog does a really good job at communicating business ideas, direction, reasons, and results with our employees. That way they feel included and their work actually matters.

Emilio Escobar: The information has to be more than just the day to day, sprint to sprint, or OKR to OKR view. Those things don’t help if you don’t understand what the big picture is. That was a good lesson learned within the last year. It’s refreshing to see that as a reminder every day at Datadog. 

Emilio Escobar: The second lesson I’ve learned from my teams this year as a first time IT manager was reinforcing what I’ve always known about being customer-first. I did consulting for a long time early in my career. That taught me to really be customer-first. But in IT that’s even more critical. An example is when security makes a policy change where they implement two-factor authentication throughout the company. Usually IT takes the brunt of the change. Security most of the time is siloed, where they make the policy change and IT has to deliver. IT is the team dealing with the tickets, user feedback, and training.

Emilio Escobar: What I’ve learned with IT this year is getting more visibility into that process and how much of the customer story we have to focus on before we make changes. We must be  transparent about why we’re doing it and the outcome that we’re looking for. The change curve has been a huge lesson for me in the last year.

Chris Martinez: Michelle talks to us about the growing importance of data security for CISOs. The needs and requirements of the business can change rapidly, especially during COVID and the new normal of remote work. Hear from Michelle speaking to the importance of protecting data in her role at One Main Financial:

Michelle Valdez: I think this is something that is becoming more and more prominent in the CISO role than before. Early on, it was about protecting the environment. At first, it was keeping people out, which we realized wasn’t realistic because nothing is impenetrable. Then it was a question of if they get in, how do we keep them from taking anything, and which wasn’t working either. 

Michelle Valdez: One of the things that we as an organization are emphasizing from a cybersecurity perspective is protecting data. As everybody’s environment is changing and shifting with COVID, we went from people being in the office to working from home. The attack surface has expanded, and in many cases exploded, and that perimeter is starting to evaporate. It really has to be about how to protect the data. That is a major key focus of our strategy at One Main, to make sure we are putting in the proper technology, the right people, and the processes for data security. If a bad actor gets into our environment, they won’t get our data, which is our best commodity.

Chris Martinez: We had a great time hosting these 5 cybersecurity leaders on Season 2 of CISO Insider. The best part of our conversations with these pros is getting to hear their stories and experiences in their own words.

Chris Martinez: We hope you enjoyed the second season of CISO Insider. Season 3 is coming soon with more interviews and insights from the best and brightest minds in the cybersecurity field. We look forward to sharing these stories with you coming later in 2021.

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall A-I, and email us at marketing@nightfall.ai with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.