CISO Insider S1E1 – “Cybersecurity is a mindset” with Ty Sbano, Part 1
At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
We’re excited to kick off season 1 with Sisense Chief Security & Trust Officer Ty Sbano as our very first guest. In part 1 of our chat, Ty discusses his path to the CISO role: his early beginnings, his learnings on the job, and how to find the right balance while building a career. Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at firstname.lastname@example.org.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: I’m Chris Martinez. Today on CISO Insider, Ty Sbano from Sisense joins us to talk about what makes him get out of bed in the morning as an InfoSec leader, how he became an advisor for Nightfall, and a lot more. Please join us in welcoming Ty to CISO Insider.
Chris Martinez: Tell us about yourself and your educational background. What drew you into tech at an early age, or did you discover it later in life?
Ty Sbano: Okay. That’s a big, loaded question so let’s start with the education piece and then let’s zoom back into more the early childhood aspect. Formal education, I did my undergrad at Penn State University, bachelor of science in information science and technology with a focus on security. There were multiple tracks within this major. This was when they started phasing out MIS and ultimately started saying business and computers, and that’s when computers were still a word for having work afterwards.
Ty Sbano: A big piece of this was also, I did a minor in Japanese. I’m half Japanese, and that allowed me to pad my GPA, but I don’t even really care about my GPA at this time for my undergrad and, frankly, I don’t think it matters all that much going forward in your life either. But doing my undergrad, I think it did lead to the direct path into the security world. The difference is that there wasn’t a lot of money in 2006 when I graduated and I didn’t really make all that much. I’m very favorable that the direction of the world of security has allowed me to operate in.
Ty Sbano: After that, probably about six years into my career, I went out and I looked for a master’s program that didn’t require a lot of onsite or in-person experience because I wasn’t really looking for that as far as my growth plan. I really looked at CISOs out in the world and pictured, what are the characteristics? What are the development opportunities? What are the things that they work on and have on their resume as well? A master’s is one of those things that you just expect to see. For me, I wanted to work on more of my ability to write technical messages, executive communications, all that stuff.
Ty Sbano: I’m not going to say I got better because of it, but I will say it probably improved, but over an 18-month intensive program, I did my master’s of information assurance at Norwich University and graduated summa cum laude, which was cool for me because I think there’s a difference. The reason I mentioned the GPA is, when you pay for it all yourself, you start to care about the outcome and results. I think when I did my master’s I’m like, “If I get an A-.” Now it’s a much different experience of, “I could have just did it all,” and I did it right.
Ty Sbano: In this scenario, I came out much different than before, and I think I just appreciate it a lot more because all of my personal money was going into it as opposed to the folks that helped me with my undergrad which was my dad, by and large, and then my grandparents too that helped me get that start into my career. Outside of that, I’ve earned a few certifications along the way, some that expired like some of the earlier SANS GSEC, that was one of the first that I got, which was general security certification. It expired after two years, SANS is pretty expensive to maintain.
Ty Sbano: But I ultimately went the road of, what are the certs that last a while with CPEs and a few other things that you have to manage? I got the ISC2’s SSCP, which you don’t really have to get any more. The CISSP, which is the gold standard. CEH, or certified ethical hacker wasn’t as big as before when I was taking it, but I think it’s found a little bit more footing. Then the CCSK I did like three years ago, which is a cloud security of knowledge, which I’m not going to say it was the best, I’m not going to say it was the worst, but it was just another thing that I got done. A few others in there along the way, but I think those are the main ones that really mattered.
Ty Sbano: Pulling back to your first question, I think security is a mindset and I don’t think it’s something you can really teach. Really it’s an element of curiosity. I think there’s a lot of patterns and behaviors that you find amongst security practitioners of why and how, and, “How do I make this work better for me? Or how do I turn this around and get some sort of use out of it that wasn’t intentional?” For me, it was breaking down a lot of electronics. It started with telephones. Anything that was an old electronic that just sat around, I was just fascinated by, why did these things work?
Ty Sbano: Then ultimately getting my first computer, which my dad bought for me. He had no interest, no desire, no need for a computer, but his idea was, “Let me get this and see what happens. I’m just going to create an opportunity,” and for me it was educational games. It was a lot of figuring out how the early stages of computing work. But yeah, it was a lot of educational games on the Commodore 64, and slowly but surely this thing started getting into more of, I wouldn’t say a hobby. It was just more of the instinctual aspect of wanting to learn, grow, and create.
Ty Sbano: I think for a lot of security practitioners you go down that road, and then depending on how you go, maybe you do some bad stuff along the way, maybe you don’t. If you do bad stuff, do it before you’re 18, and after you’re 18 definitely curtail it unless you’re going to make a lot of money and maybe you want to live outside of the U.S. or places without cyber laws.
Chris Martinez: What was your first job out of college?
Ty Sbano: Yeah. One of the things for me, I don’t typically describe it, I usually go right into the job. But I think for this series it’s worth mentioning. Throughout basically my, not my freshman year, starting in my junior year I always had a job. Either it was part-time as a resident assistant, a computer lab technician, doing something additional basically. By the time I got to my junior year, I was working part-time at the helpdesk and it was through one of my friends whose dad was working in one of the health and human development University of Penn State, so one of the colleges within the college. Then he gave me an opportunity.
Ty Sbano: Typically within this department they usually let their children work as employees and every now and then they would make an exception because there was only so many hours that they can hand off for troubleshooting, fixing PCs, configuring email, all this stuff for end users. I had an opportunity there, and that actually spawned into an additional opportunity. One, I was working on a lot of technical things with configuring Windows environments, also testing Windows environments.
Ty Sbano: Maybe not asked to test those environments, but when you upset your sysadmin because you can do a net send across the entire organization and then the next day that change is made, but there is absolute anger and animosity the moment that you do it. But you’re sitting there like, “Yeah, you can be angry that I did it, but you can also not be angry that someone else didn’t do it and actually exploited the rest of our base of employees in the org.” It was one of those really weird, unique scenarios where as I was exploring, security was still early, some of those thought processes started cranking in my head.
Ty Sbano: At the same time I also became a web manager at Penn State as well, and I hosted one of the websites that was out there for the Pennsylvania Office of Rural Health. I’ve worked full-time in my senior year, and that allowed me to figure out this thing called lack of balance, which I will get to later, where you should achieve balance. I was working 40 hours a week. I was doing my last year of school. I was partying a lot like most people do in their last year. Ultimately through that transition period, I locked in my first job the second semester before my last. My last semester was really a lot more socially entertaining because you know you have a job already lined up versus everything else prior to that, you’re taking it pretty seriously as far as your GPA.
Ty Sbano: My first real security gig was at a company called Protiviti. It’s a small consulting shop. I think it’s like 3,000 employees still worldwide. But I was a security and privacy risk consultant, and I left as a senior security privacy and risk consultant. But I did everything under the sun from penetration testing, remotely doing PCI-based scans, payment card industry. All the way to doing red teams onsite, where I was going in and breaking in environments, literally stealing laptops, and then showing up at the CEO’s office that same business week after they caught me and being like, “Here are 11 of your employees’ laptops. Here’s the Post-it note with all their names.” He’s like, “This is going to be a rough day for all of these people.”
Ty Sbano: You reflect on it, but at the same time it taught me a lot about the consultant mindset, especially when you’re coming right out of school. You got to learn something really quick. You have to figure out how to not be an expert, but almost have empathy as an expert because you’re going to go deal with real experts. If you get to the head of IT at one of the world’s biggest insurance companies, and you’re like, “Hi, my name’s Ty. I did Cisco ASA configurations when I was in college and for some of my degree, but I’ve never done anything to the level of complexity that you do.”
Ty Sbano: But I’ve been given a piece of software called RedSeal that allows me to analyze all your firewall rules. But when I present results or findings, I want to have the empathetic view of like, how would I take this information feedback from someone that doesn’t know jack about my system, me, how I thought, what the tech debt is, all this stuff. Then how do I present it in a way that actually renders value?
Ty Sbano: I think for that first job, I learned that element, that security is usually underappreciated, overworked. But at the same time, when presented with someone trying to help, the openness element actually can be turned on its head. Because I think a lot of people are very resistant and the terminology is typically calling your baby ugly because you do a pen test, you hand over the results. You say, “Everything sucks, good luck.”
Ty Sbano: Two is, even if you contour your language a little bit to say, “Hey, we did an assessment, some of the common vulnerabilities may be in the top 10. You were great here, but maybe we got to do some misconfiguration checks here now and then, maybe we can automate that. Here’s what I can offer to help. Other than that, if you got a better answer, I’m happy to explore that.” But that piece gave me empathy. It also led me to the discovery that FinTech and financial service is where I wanted to gear towards. That’s when I started tracking my career more in that direction.
Chris Martinez: Did you know you wanted to be a CISO early in your career or was it something you realized later?
Ty Sbano: I don’t know. I sat down and I was typing this out for the past two nights and I don’t think it’s something you right out of the gate, aspire to be. Maybe if you end up in a security team, you’re like, “That’s the person, that’s the top,” and you say that’s what you want. But for me it wasn’t that. I think I had worked at a lot of organizations and you get mixed experiences when it comes to CISOs. There’s a range of personality traits and types. We’ll get more into some of the challenges of being a CISO. It’s not an easy job. It really isn’t. But I think the folks that inspired me, Glenn Foster, who was the director of information security for the corporate internet group, he is now the CISO over at TD.
Ty Sbano: I keep in touch with him every so often. But a lot of really good discussions with Glenn over my time at JP Morgan Chase, a lot of great opportunity. Ultimately is that I did a lot of early, early things in application security when most people didn’t understand what those were, or really the emergence of where we’re going with technology. I worked on the first mobile banking app. I worked on the BlackBerry Storm’s mobile banking app for Chase. I’m like, “Who remembers a BlackBerry One? Who remembers a touch UI for the BlackBerry?” Which was terrible, so even trying to test that bad boy was really tough.
Ty Sbano: Also in the same vein, when I transitioned out of that role to another role, really the biggest influencer in my career was Sydney Klein, who was one of the senior directors of information security. Sydney is just one of those people that showed me going from more of the individual contributor mindset of being an army of one.
Ty Sbano: Taking what I did in the consulting world, and she opened up the mentality and the ideology for me of no longer being just an army of one and showcasing what you can do as a team, showcasing how you can actually create and build something much more powerful than yourself and longstanding. By showing that power, that’s something that has resonated with me, and I’ve taken that. I took that inspiration.
Ty Sbano: I think, honestly, that was probably the moment where I thought, “Maybe I could do this at a larger company, but I got to figure out slowly but surely how to get there.” Two things happened. One was definitely Sydney. She’s now the CISO for Bristol Myers Squibb. She’s awesome. There’s also elements here from my time at Capital One where we did mergers and acquisitions. We acquired a bunch of startups, large financial institutions. For me, I was enamored with the startup realm, especially out in California and some of the tech companies out of Austin where, when they were acquired, most of them didn’t have a CISO. They didn’t have security, so I got this.
Ty Sbano: In my mind I asked, “Wow, I wonder if these companies would want security.” As I found out over the years, many early stage startups do not. The world has changed, it’s really cool to see that. But another part of that was trying to build the track to get to that point, because as much as I want to be a CISO of a large company, I didn’t have the skills to do it, and I’m not one to fake it until I make it. For me it’s like, how do I scale up in a different area, get my technical skills as an IC? Because no startup’s going to hire a team of 20 or 40. That’s when you’re managing all these folks as a director in a Fortune 50, or 11.
Ty Sbano: You start to have that type of experience where it’s a lot of pointing and telling versus doing, and thinking, and strategically planning, and meeting with the board, so you’re going up and down the stack. For me, I created a plan at that time to start moving downstream to a small to medium business, and then ultimately become a CISO, and now I’m on this retrack of no longer software security and product security, but everything security. I want to start on the small to medium business area. I think I’ve fallen in love with the early stage, startup realm, and late stage.
Ty Sbano: I don’t know if I want to go back to Fortune 500 or Fortune 100 specifically. I’m open to the idea, but it’s just a much different experience and skill-set than you would have when you’re building something from the ground up with founders, founding engineers, people that are trying to figure out what is product market fit. That’s pretty exciting. For me, being a CISO and having that realization came through a number of different inspirations. Then again, opportunity. I think the world has changed because people care about security and privacy a little bit more today.
Chris Martinez: What were some of the challenges you faced early in your career?
Ty Sbano: For me, I refine this because there are so many challenges. I don’t want to get into the elements of running into the glass ceiling at a young age and getting into leadership and management programs. I definitely ran into that being under 30 and getting a director title. Some people can be bitter about that so I’m not going to focus on that, I’m just going to mention it. The big piece I’m going to focus on is sacrifice and risk tolerance. What I mean by that is, I think a lot of folks end up enamored with the idea that they get a degree or they start working in a vertical and they’re trying to specialize, but they don’t open themselves up to making real sacrifices to achieve some goals.
Ty Sbano: What I mean by sacrifice and risk tolerance is determining what is your balance to go and achieve these goals. For me, I grew up in a military family. We relocated a couple of times, it wasn’t that crazy, but not everyone is in that mindset. I think when you think about sacrifice for your career and your growth, especially early on, I moved for every job from the first job, to the second job, to the third job. Now, just because of the last two jobs I’ve stayed in San Francisco. It’s because now I have a lot more experience. I’ve decided I’m going to be here for a while.
Ty Sbano: But there are just so many opportunities in San Francisco as opposed to the other locations I had moved to. Different opportunity, but right time, right place, right offer. When you take those types of risks, you have to evaluate what is your tolerance. For me being younger, it was massively wild because, what do I have to lose? Now I’m in a different situation. I have some things to lose, but my risk tolerance is much higher. For me, I reflect back on a conversation with Glenn Foster. When I told him I was leaving JP Morgan Chase to go to Capital One he said, “Ty, I think you’re taking too many risks in life right now.” I’m like, “What are you talking about, Glenn?”
Ty Sbano: He’s like, “Well, one, you just explain to me that, one, you’re leaving. Okay, I get that. We tried to work out an opportunity that didn’t seem to come to the right place. Ultimately it’s like one, you’re getting married,” and I’m like, “Yeah, that’s a big move.” He’s like, “That’s a big move.” He’s like, “Two, you’re taking a new job.” I’m like, “Yeah, that seems logical.” Three, “You’re relocating for the job.” He said, “Most people would be okay with one of those. Some people would be okay with taking two of those.” He’s like, “But doing all three at the same time, I think you’re out of your mind.” I’m like, “But that’s my risk tolerance.”
Ty Sbano: I think that’s the element is, what do I have to lose, and what do I have to gain? I think that’s when a lot of folks end up in this mindset, especially security practitioners. We think about everything that can go wrong like, “Oh my God, I’m doing this Monte Carlo analysis. This is the thing that’s going to go wrong. If I move and the job doesn’t work out, my wife’s going to leave me, this thing’s going to happen, I’m going to get fired,” and you start thinking about that. Hey, sometimes it might happen. But I like to think more of the mindset, and this took a little bit of time, honestly. What if it goes right?
Ty Sbano: That’s just a shift in your mindset of, what if it’s positive? What if it’s really good? What if everything actually works out? If you open yourself up to that ideology in your own brain, you open yourself up to more opportunities in that way. When you go back to, what are you willing to sacrifice? Sometimes it’s not even a sacrifice. Are you just willing to be open to taking on new challenges?
Ty Sbano: I found a lot of the folks that are willing to go in and I’ve been called a mercenary at times, a corporate mercenary that will go into any environment because I like the challenge. But as you figure out what that tolerance becomes, it can be a little exhausting to be honest with you. Sometimes the move is not the best thing. Sometimes the move is the absolute perfect thing that you needed in your life. You fall into the right circle of friends, the right work environment. Everything just fits and sometimes it doesn’t, and I’ve had both.
Ty Sbano: I will say, when you go through a year of, you’ve committed to a new job and it’s in a bad location you don’t like, your partner’s not happy with it, and yet you’re sitting there like, “Yeah, we made a bunch of money, but was it worth it?” You have to look back and not regret that decision. I think some of the challenges that I’ve faced throughout the career is not just early in defining what is that risk tolerance. It trails throughout, but you take those lessons, you pay it forward, you help other folks along the way.
Ty Sbano: Because again, if you want to stay in your comfort zone, expect your skills, experience, pay to increase at that level. Low risk, low reward. High risk, high reward, and I think that model has proven itself many, many times. Like if you look at co-founders and founders they’re like, “Hey, we’re coming out of school, we’re founding a company.” Not everyone’s successful. We all anchor on the ones that are wildly successful because we’d like to believe that is possible. I think that’s, again, what if everything were to go right?
Chris Martinez: What are the resources you identified early and mid-career that helped you successfully progress up the ladder?
Ty Sbano: I’ve been working full-time, not considering that senior year of working when I was still an undergrad, about 14 years coming up on 15. If I go halfway through seven years, I think a lot of my lessons learned are still the same. Number one, I mentioned it already, having mentors and a personal board of advisors. Call it what you want to call it. You need to have people that you trust that may not have financial incentive on your career. I think that’s something that you have to be very conscientious about. What I mean by that is like your relationships, agreements with companies. If they’re running a company sometimes that is favorable because you can get a discount for certain services, but you also have to be careful of bias.
Ty Sbano: But one of the things I really recommend there is someone without bias and having the best interests out for you. When you’re talking about, “Dude, I just made the wrong decision. I moved to the wrong place, the company that said they were going to tell me to do this, and they’re going to give me this opportunity. Well, it flipped it on its ear. It is nothing that we agreed to. How do I navigate away out of this?” It’s like, you’re an executive now. You got to be in for the long run for a year. That’s sometimes what it is. In all honesty, the few key mentors that I’ve had long-term, they sometimes just reiterate exactly what you say.
Ty Sbano: Sometimes you need to hear it from that party to say, “This is what I’m hearing from you.” You’re like, “Oh man. Yeah, you’re right.” You’re just like, “I was thinking that and just hearing you say it rationalizes it more.” Or sometimes they’re like, “I don’t think this is your best decision right now.” You’re saying, you’re looking at the world as far as what you want to do with your development action plan and the steps to get there. If you make this jump and you go to this company and say you go international, how’s that going to help your brand grow within the security community in the U.S.?
Ty Sbano: Because sometimes going international doesn’t pay the dividends right now. Different time, different place, different country, but just contextually having that soundbite and that person that helps you make that sort of, I’m going to say educated guess, because you’re just getting additional insight into driving there. The other two things I’ll say is really… I think the one that I really like is surround yourself with people that motivate you. Again, this may go back to your risk tolerance and making sacrifice. But if you’re just with the same people, just doing the same things, just in the same cycle and not breaking your consistent cycle by trying new activities, learning new things, I think that’s where it can get a little bit dangerous.
Ty Sbano: I like the mantra of, get comfortable with being uncomfortable. The more you do that… I don’t actually know if it’s healthy. I’ve done this my whole career, of being uncomfortable, being challenged, but there are fundamental things. There are three things I’m really good at doing. It’s InfoSec, martial arts, and photography. That’s where I hang my real pillars of my life. If I lost one, I’m still good, and that’s the thing. If I’m just one thing in my identity, I’m just a security professional… look, I’ve had some rough days, and then sometimes you’re just like, “I got to quit this job. I just can’t keep doing this.”
Ty Sbano: Then you lose that job. You get rid of that job, or you quit too early, or maybe you quit too late and it has an emotional impact on you. I think that’s something that, specific to this field, is super risky. You look at the not only alcohol and substance abuse problems across the space in this field. I don’t think it’s independent of the justice field, but you will see a lot of correlation and causation related to CISOs in the community that unfortunately fall into this trap because you do have to self-medicate, you do have to figure out balance. But if you’re surrounding yourself with the right people on those sounding boards, same thing with your mentors, I think that helps you get to a good place with staying rational.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud-native data loss prevention solution. If you’re enjoying the show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us.
Follow Nightfall on Twitter, Facebook, LinkedIn, and Instagram at Nightfall AI and email us at email@example.com with questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
We’re sharing an early holiday gift with our readers and listeners: part 2 of our chat with Ty comes out December 23. Stay tuned for the next episode and the rest of our exciting slate of guests for season 1, beginning January 6, 2021. You won’t want to miss this! Follow CISO Insider for updates on our latest episodes.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS.