CISO Insider S1E5 — “There’s no one way to be a CISO” with Ross Young
At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Caterpillar Financial Services Corporation Chief Information Security Officer Ross Young shares his learnings from a career in both the public and private sectors, like how to develop shared goals and alignment within a security organization, why soft skills and people skills are essential for building relationships, and how introspection can make great managers.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at email@example.com.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: On today’s episode of CISO Insider, Caterpillar Financial Services CISO Ross Young joins us to discuss his distinguished career in the public and private sector. He shares insights from his role as an instructor with organizations like SANS and why teaching is important to him, plus how young security professionals can network during COVID. We round out our chat with Ross by sharing his wisdom about the importance of soft skills and people skills when building relationships with stakeholders in the security industry.
Chris Martinez: Here’s my colleague, Michael Osakwe from the Nightfall marketing team, with Ross. Please join us in welcoming Ross to the podcast.
Michael Osakwe: You’ve had a very fascinating career, going from government to the NSA, to the Federal Reserve Board, and now you’re in the private sector. What attracted you to begin your career in the government?
Ross Young: When I first started my career, there was this scholarship called Scholarship for Service, and it’s kind of like Reserve Officers Training Corps (ROTC). Essentially, you do two years of a master’s program, and then you are committed to working in the federal government for two years. I was attracted to working in the intelligence agencies, so it was a win-win. This was a great way for me to pay for college.
Michael Osakwe: What interested you about working in the intelligence community?
Ross Young: If you think about it, NSA and CIA are really the only places where you can do nation state-sponsored hacking for a career. You can’t really do that in a lot of places. Now you can do red teaming and pen testing in other organizations, but if you want to do it under intelligence operations, you need to work in an intelligence agency.
Michael Osakwe: What was behind your decision to transition to the private sector and into financial services?
Ross Young: I had a fantastic time in the career of the federal sector, primarily at NSA and CIA, and there came a point in my life where I noticed I was doing very similar work to what I would be doing in the private sector. Unfortunately, the federal pay does not match the private sector. As I saw my family grow from one, two, three, and four children, and trying to make it work on a single income budget in the Washington DC area proved quite challenging. I found was I could have just as much fun and success in the banking sector as I did in the federal sector, but have the ability to provide for my family a little bit better.
Michael Osakwe: Do you find there are skills that are analogous going from working in nation state hacking and counter hacking to working in the private sector?
Ross Young: I think when you take any organization that focuses on cyber security, there’s a lot of great lessons that can translate into a lot of places. Whether you come from the offensive side or the defensive side, or the governance risk and compliance side, you can leverage those lessons of working in a very large government or financial institution, and use those in the private sector. Like how do we understand risk and how do we quantify it? How do we focus not on compliance controls, but on real threats and vulnerabilities? And what is it we need to prioritize first, whether this is how we’re going to target an attack, or how are we’re going to look at which vulnerabilities we need to prioritize first in our remediation plan for an organization?
Michael Osakwe: How did you get started with teaching and how has teaching enhanced your work as a security professional? Would you recommend that other security professionals teach to improve their skills on the job as well?
Ross Young: One of the things that’s a little bit hidden is a lot of jobs in the federal sector, as you start going higher and higher, they really focus you on becoming a manager. A lot of the real technical work is often done by a team of contractors. As I went through my career and started noticing with more managerial leadership, soft skills were the focus of my job. And I wanted to keep some of the technical skills from expiring. I reached out to Johns Hopkins, where I got my second master’s degree, and found opportunities where I could teach classes in foundations of information assurance, web security, and dev ops classes, and started building the core curriculum for the university. After that, I found other folks who were passionate about teaching and training the next generation of security professionals and giving back to that community. SANS is another great organization I had the opportunity to partner with.
Michael Osakwe: Do you find that approach is preferable to simply being a student and taking classes to kind of keep up the technical muscles? Or maybe they’re equal in different ways?
Ross Young: I think you can gain a lot of great skills by taking classes. I highly recommend everybody does continuing education classes. However, if you want to build your personal brand and become more of a thought leader and start getting more opportunities to lead in the community, I think that’s where you have to step into an active leadership role in building the next generation of training. That’s what I like about these opportunities. It allowed me time to focus what I wanted to build for the next generation of curriculum.
Ross Young: At Johns Hopkins, we’ve been doing the DevOps class for years. We’ve pivoted it to also be more of a DevSecOps class, and we were one of the first universities to build that into the computer science and security curriculum. That’s something that you are seeing a lot of organizations push over the last five years, but it was unheard of in academia. When you look at those opportunities to shape the minds of 30 students every semester going through those classes, I think that’s where we can have a larger impact than we really understand.
Michael Osakwe: We saw the threats and safeguard matrix you created on LinkedIn on your profile. Can you share the story behind that, and talk about how you think about the risks that you face in your day-to-day work as a CISO?
Ross Young: There’s no one way to be a CISO. However, I think every single CISO has the same ask; come in, spend the first two to three months to observe and orient on the environment, and build a cybersecurity plan and strategy. As I started thinking about that, I started reflecting on how do I want to do this? What security models do I want to choose? How do I want to prioritize the top risks? There’s this really big focus of being a hundred percent compliant or focusing one hundred percent on the threats and attacks that you have. And somewhere you have to meet in that middle ground. For me, I thought it was more important to focus on the threats and risks that are the most important to our environment. When I started looking through the models, Sounil Yu has the cyber defense matrix, which I think is a fantastic starting place. It allows you to look at a variety of different layers of technology and maps to the NIST functions.
Ross Young: That application-focused view is really informative and it helps you build a portfolio of all the technologies. When I looked at that, it was very technology focused and it didn’t translate to the rest of the business. When I would go to a risk committee and speak in cloud layers or application data layers, it doesn’t resonate with lawyers and other folks who are non-technical. But what does resonate are things like safeguards and threats to an organization. So how could I, after interviewing hundreds of folks within the organization, identify the top threats to the organization, and then build an in-depth defense approach of how we’re going to tackle these in order?
Ross Young: I identified key things. You’ll see most organizations face similar threats of ransomware and phishing. How do we identify, detect, and protect against them, respond and recover through this NIS model, and then choose a certain number of metrics to actually show progress on these defensive countermeasures or safeguards?
Michael Osakwe: If you were to put yourself in the shoes of someone who’s aspiring to be a security professional after COVID, how would you personally go about pursuing an InfoSec education and career in this environment?
Ross Young: I think the first thing you have to do is get an overview of cyber. Whether you get a cyber degree or you come out with a generic security plus Certified Ethical Hacker (CEH) type certification, I think that sets the baseline so you can speak the terminology. Then afterwards, you need to gain a core discipline in cyber. There’s a variety of disciplines. Some folks come from the offensive side of the house of the hacking and pen testing side of things. Others spend a career inside the Cybersecurity Operations Center (CSOC), where they learn how to be an analyst and look at malware and find different types of threat intel. Another angle is coming from the GRC, the governance risk and compliance side, where you learn a lot of the policies and make sure the organization can meet maturity mappings of security organizations.
Ross Young: After you build that core discipline, you need to understand enough about the other areas so that you can be a well-rounded CISO, and then be able to provide things back to the business in terms of risk and resources. I think every CISO would benefit from having a role as an Information Security Officer (ISO). Sometimes you call it a business information security officer (BISO) or an Information Systems Security Manager (ISM), depending on where you are in the industry verticals. These roles contain opportunities to meet with customers, and you don’t control the resources and you’re speaking for and behalf of cyber. You’re leveraging the policies, interpreting them, and prioritizing remediation burn down, but ultimately it’s the developer organizations who are hands-on fixing things. Using those soft influencer skills to help lead and champion better security is a key skill that you’ll gain in that role, where you can leverage those politicking abilities to be a really good CISO. Once you put those three things together, the fundamentals, developing the core discipline, and then building those soft skills to influence an organization, I think you’ve built a really good CISO.
Michael Osakwe: Would you say these core aspects haven’t changed much since COVID, or were the case even before COVID?
Ross Young: I don’t think COVID has changed any of these core skills. If anything, the influence piece becomes more difficult, whereas before you could sit down and go to lunches with teams and have time to bond and connect with them, finding how to do that in a virtual way may be a little more challenging. It’s certainly very doable, and I think most people will have to achieve that, but it’s something that you’ll have to spend a little bit more time on.
Michael Osakwe: Have you noticed a dramatic shift in the CISO role after COVID? Do you think any of these changes will be permanent?
Ross Young: I think the biggest thing that you’re seeing because of COVID is a change to a work from home strategy. Whereas some companies may have always been a work in the office first and allow people to flex from home once or twice a week, I think we’re now looking at our businesses to ask how could we be a hundred percent remote? We’ve already done it for more than six months. It doesn’t hurt to do this longer. And oh, by the way, we might actually gain some business benefits. We could shrink the size of our office spaces. We could recruit people from locations we’ve never had before, and it provides a lot of new opportunities to reinvision the workforce.
Ross Young: I think that’s the biggest new view of an IT organization: to tap into that and provide that digital transformation that we’ve never had, from being a one hundred percent work from home organization. Security has a role in that, to make sure if we’re going to do this as our primary strategy, how to enable the business to do things that they needed to do before. Maybe we were using printers all the time and uploading attachments, and now we have to go to a DocuSign world. Things like that, of where we look at the security to improve the business functions is where we’re going to have to do better.
Michael Osakwe: Are there any strategies that have worked for your team facing the challenges of COVID and working remotely?
Ross Young: My current organization and my last organization are very technologically advanced. They had already built in a virtual telecommunications service like Zoom or Teams. They’ve already had VPNs and laptops you could work from home. I think a lot of that digital preparation is what allowed these organizations to really thrive, compared to others that have had to think about what to do when we have to close an overseas location and we lack laptops, while we only have desktops. That is a really hard business continuity exercise that you’re learning in real time. I’ve been very fortunate.
Michael Osakwe: How does a security professional learn to expect the unexpected, going from the rote knowledge and the technical skills that they have at the time to adjusting to a new challenge, like COVID?
Ross Young: If we look at COVID, yes it was very novel and it drastically changed the world, much like 9/11 did in the U.S. However, it wasn’t that long ago that most organizations were planning for the bird flu and swine flu in the late 2008 to 2010. So had you been involved in any of the disaster recovery business continuity exercises then, you probably had some good preparation that was applicable in 2020. If you missed that, maybe you joined the workforce in 2012 and hadn’t really seen too many of those, or were on a different team, I think the first thing is listen to folks who’ve been there before you. Sometimes they call them gray beards or just SMEs, subject matter experts. What else can you do? Could you start listening to podcasts of folks who are providing recommendations and talking about how you would pivot the organization? Could you read thought leadership papers coming from Harvard Business Review, Gartner, or other trusted sources where you’d be able to see some good recommendations you could bring to your organization quickly to pivot?
Michael Osakwe: As I’ve asked other security professionals about COVID, the responses have been mostly the same. The groundwork for many organizations has been laid, especially regarding flex work like you said, and preparedness for other types of disasters related to COVID. And in some ways, COVID is not as much of an unknown as we thought it would be.
Ross Young: I think the biggest thing with COVID was it wasn’t unexpected, it’s just the duration greatly exceeded what folks thought it would be. So instead of, “Hey, we’re out of work for a month and we’re working from home,” who knows how long this will last? Is it a year? Two years? We don’t know.
Michael Osakwe: How would an organization address other business continuity occurrences or disasters during COVID? Do you think the capacity to respond to other business threats has been minimized due to COVID? Or do you think that a lot of organizations should be in a good place to kind of address other continuity disasters during COVID?
Ross Young: I think at this point in time, COVID appears to be well handled in most IT organizations. Your resources are focused on the day in, day out of how we’re going to do it, and how we’re going to close the offices. All that’s probably well handled. I think those resources are untapped right now for other opportunities that you could apply them to. And who knows what the next thing will be. If there’s power outages or tornadoes or other things that could happen to any location, those are just the next things we need to think about for how we’re going to protect our organization.
Michael Osakwe: How should an early career security professional go about building some of the softer skills that you’ve built through teaching and education, like communication and leadership skills that are integral to addressing your stakeholders as a CISO?
Ross Young: One of the first areas I had to grow was instead of being technically right, how did I make sure I didn’t damage the relationship when I was presenting conflicting views? That was a difficult challenge for me. I had to read and study a lot. Part of that involved looking at personality types and understanding Myers-Briggs. Part of it involved reading a lot of books on using challenging questions and being able to ask things a certain way to be more introspective. For example, I would ask a question, and if I brought one answer to the business and they gave me a different answer, we’re naturally fighting over the same turf, dollars, and resources. But if we talk about the shared goals and objectives we can agree to, we can both outline a plan and say, “Which one is more likely to get us there? And how could this plan, if we implemented it perfectly, still not get us the right answers, the right goals and situations?”
Ross Young: Then we outline the different flaws together and share the opportunities for the same goals and objectives. That brings a very different focus of how we could partner together. As I started reading a lot of these leadership and influence topics and listening to podcasts about it, that’s where I learned to develop some of the soft skills that are needed. Nobody cares if you’re right — they care if you can actually transform the business. That comes through shared understanding, shared goals, and alignment. As you partner with the organization on those things, I think that’s where the transformation happens.
Michael Osakwe: What resources exist for security professionals trying to learn after formal education ends? How can someone ensure that they keep gaining technical knowledge and a good hands on experience?
Ross Young: With technical knowledge, there’s a wealth of things out there, like taking SANS-related training or other online training. There’s so many providers out there, like A Cloud Guru where you can go and learn AWS or Azure certifications. I’ve seen that explode over the past couple of years. Also, listen to the technical conferences near you. Sometimes people really focus on the black hat conferences that are a little bit pricier, but there’s a lot of local B-side conferences. There’s a lot of local OWASP conferences of application security focused things that you can be involved in.
Ross Young: I’ve found the security community on LinkedIn to be a wealth of knowledge. If there’s a tool that you’d like to learn more, see if one of the creators is on LinkedIn. Message that person and say, “Hey, I found this really interesting. I’d love to learn more.” I’ve been really impressed at how much people are willing to talk about it. It’s kind of like their child. They’re excited when people take interest in their research and they’re willing to show you what they’re working on. And those little nuggets are where you can build those personal relationships and continue to network from these technical conferences and training. think it’s how we’re going to build more subject matter experts in the field.
Michael Osakwe: Would you say that compared to 10 or 20 years ago, there has now been an explosion of opportunities to develop these skills?
Ross Young: I think the biggest thing that has happened is just how much the community has grown. If you were to look in 2005, when I first started cyber security, that was when Facebook started to take off. LinkedIn was not there at that point in time. So your ability to network with other folks was limited by who you might’ve caught at a DEF CON conference and kept in contact with. Now, there are literally hundreds of cyber conferences. It used to be a bit harder to find subject matter experts or people who had spent 10 years in the field. Now you’re going to find a lot more people who have those skills that you can network and learn from.
Michael Osakwe: With COVID accelerating the number of online events that are happening, do you think that’s going to shake things up even more and make it even easier to reach out to strangers? Now with COVID, everyone’s working from home and everyone’s putting on virtual events. Do you think that’s going to kind of increase the amount of opportunities someone could find?
Ross Young: I am seeing a huge uptick in the number of online events. I think that’s great. Because these are online events, we’re seeing more of them are low cost or free for the attendees. They’re paid for by vendors and sponsors, but folks who attend it don’t have to pay the high conference fees that they would for an in-person event at a large venue. That’s going to help with adoption, because now you can have folks who are teenagers or who didn’t have money being able to attend these and learn a lot more.
Ross Young: The other thing that we’re seeing is digital recording of all of the content. Before, a lot of these things were in-person only at these events. Now everything is put on YouTube video, Vimeo, or Twitch and recorded. I can see so many more conferences and content, whereas 10 years ago, I may have only been able to get the slides from that presentation, not a live recording.
Michael Osakwe: What makes you get out of bed every day? What do you wake up for?
Ross Young: I’m excited to get smarter and continue to learn and think about new things in cyber and innovate in the space. There’s a lot of things to learn, and even though I’ve been in it so long, I really feel like I’m learning something new every day and I’m just excited to read and see what’s new.
Michael Osakwe: Certifications: yay or nay, and why?
Ross Young: I believe studying for a certification is fantastic. There’s so much knowledge that you gain. However, I’m not really into taking a certification exam and paying the money and focusing on continuing your continuing professional education (CPE) every year. I’m probably going to say certifications, nay, but the opportunity to study for them and gain the knowledge, yay.
Michael Osakwe: Is there one piece of advice that you know now that would have made the earlier half of your career much easier?
Ross Young: I’ve always wanted to be an executive, and I think I focused on rising through the corporate ranks too fast, instead of enjoying the journey when you’re in some of the grunt work jobs. Those are the opportunities where you really get to be technical, and you have lot more time and less expectations of you when you’re a junior associate. Enjoy those, use those opportunities to learn, and focus less on making more money or having this opportunity where you command a large number of folks and just be happy where you’re at along the way.
Michael Osakwe: Do you have any advice for young security professionals who are looking to network during COVID?
Ross Young: I think just reaching out to folks helps. If somebody says, “Hey, I need help,” or, “This is what I’m doing and I’d love some advice,” most people are going to respond to that. Now that may be very different from a sales call from a vendor, but I think the number of people in the cyber industry willing to help others is tremendous and you just have to ask.
Michael Osakwe: What are you most proud of as an InfoSec executive?
Ross Young: The biggest thing for me is asking, have I made things better, and have I helped the people around me to get smarter? At the end of the day, I work as hard as I can and I do the best I can, but I’m one person. Hopefully I’ve been able to magnify that by the ten or a hundred people that I work with so that the change I have is larger than just the work that I do.
Michael Osakwe: Which podcasts or books have you read recently?
Ross Young: When it comes to podcasts, I’m a big fan of The New CISO. I also like the CISO Relationship Podcast and Defense in Depth. Those are some of the bigger ones I routinely listen to. I also really like some of the personal ones that focus on how can we really help people. I think that is so key and it’s not talked about enough. Humans of InfoSec and other podcasts like Lead to Win that focus more on some of these personal dynamics, that has been really helpful for me.
Ross Young: As far as books, the one book that I always recommend anyone in the IT industry listen to in an audio book or read, depending on your preference, is The Phoenix Project by Gene Kim. I have listened to that probably 10 times on audio book, just driving to and from work. One thing that is very transformative of how to take an organization that appears dysfunctional to making small little incremental wins, bringing people on the journey, and helping so that we can succeed this kind of theory of Ubuntu, if you will. I think that’s powerful because it’s applicable to so many organizations.
Michael Osakwe: Do you have anything that you personally want to plug, social media channels, or articles that you’ve written?
Ross Young: There’s a couple of things I’m doing. If you really want to see the work that I’m doing, please follow me on LinkedIn. I am launching a new podcast called CISO Tradecraft. It’s going to be differently focused. I’ve seen a lot of programs focused on how do we mature as a software organization? How do we improve the technology and get to different levels? How do we build the people? How do we take someone who is an entry or mid-level manager in cyber and help them become a first-time CISO? What are the skills and trade craft that they need to develop?
Ross Young: So my friend, Jean Mark Hardy and myself are launching this podcast and building and sharing some of that knowledge. If anybody else has things where they’re looking to share, please network on LinkedIn and join some of those communities. Follow popular hashtags like information security and cyber, because I think that’s where a lot of the audience is very thirsty for knowledge and we all gain when we share great ideas.
Michael Osakwe: Thank you so much, Ross, for doing this. This has been a great conversation and I really enjoyed talking to you. Great having you on the show.
Ross Young: I appreciate it, Michael. Thanks for having me.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at firstname.lastname@example.org with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
Stay tuned for the season 1 finale episode with highlights from all our guests from this season, coming on February 17.
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.