CISO Insider S1E6 — CISO Insider Season 1 recap
At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Here’s our Season 1 recap episode, featuring the best quotes and highlights from our first five episodes in season 1. We gathered insights, lessons, and other valuable soundbytes from infosec leaders at Sisense, Compass, LifeOmic and Caterpillar Financial.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at firstname.lastname@example.org.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: Today on CISO Insider, it’s our season one recap episode, featuring the best quotes and highlights from our first five episodes in season one. We gathered insights, lessons and other valuable sound bites from InfoSec leaders at Sisense, Compass, LifeOmic and Caterpillar Financial.
Chris Martinez: Every CISO faces challenges on their path to the role. What sets great leaders apart is their ability to contextualize the challenges and find solutions from their experiences. Sisense Chief Security & Trust Officer Ty Sbano shares his advice on how to determine your personal sacrifice and risk tolerance. It’s a great place to start for building a defense against burnout and to achieve staying power in the role.
Ty Sbano: The big piece I’m going to focus on is sacrifice and risk tolerance. And what I mean by that is I think a lot of folks end up enamored with the idea that they get a degree or they start working in a vertical and they’re trying to specialize, but they don’t open themselves up to making real sacrifices to achieve some goals. And what I mean by sacrifice and risk tolerance is determining what is your balance when you go and achieve these goals. I grew up in a military family. We relocated a couple of times. I moved for every job. From the first job, to the second job, to the third job.
Ty Sbano: With the last two jobs I’ve stayed in San Francisco. It’s because now I have a lot more experience. I’ve decided I’m going to be here for a while, but there were just so many opportunities in San Francisco, as opposed to the other locations I had moved to. Different opportunity, but at right time, right place, right offer. And when you take those types of risks, you have to ask, what is your tolerance? And for me being younger, it massively wild because I thought, what do I have to lose? And now I’m in a different situation, I have some things to lose, but my risk tolerance is much higher.
Ty Sbano: I reflect on a conversation with Glenn Foster, when I told him I was leaving JPMorgan Chase to go to Capital One, he said, “Ty I think you’re taking too many risks in life right now. One, you’re getting married. That’s a big move. Two, you’re taking a new job. Three, you’re relocating for the job. Most people would be okay with one of those. Some people would be okay with taking two of those. But doing all three at the same time, I think you’re out of your mind.” And I said, “But that’s my risk tolerance.”
Chris Martinez: Compliance regimes like GDPR and CCPA are focus areas for InfoSec leaders. LifeOmic Chief Legal Officer Lisa Hawke shares her perspective on how to approach privacy and data protection under these frameworks. Her approach is to embrace change management to understand how wide your scope must be to get ahead of potential data loss issues. Take a listen.
Lisa Hawke: On the privacy and data protection side, I think the biggest challenge there is just dealing with different data types and usage issues. Or usage use cases across the company. Privacy and data protection goes so far beyond just production data if you’re a B2B SaaS company, because the definition of personal data, particularly under GDPR is just so broad and it’s going to touch every team, not just your engineering team. And that requires a ton of change management to address the actual requirements and best practices for privacy and data protection. But especially for the teams that are just not used to dealing with regulated data.
Chris Martinez: What does it take to become a great CISO? As Caterpillar Financial Services CISO Ross Young says, there’s no one way to be a CISO. For our guests, success in the role comes from skills, knowledge, and values from real world and on the job experience. Ross shares the value of soft skills and learning to become a people manager in his success as a CISO. Something he found and reinforces through his teaching roles in cyber programs at universities like Johns Hopkins.
Ross Young: One of the first areas I had to grow was instead of being technically right, how did I make sure I didn’t damage the relationship when I was presenting conflicting views? And that was a difficult challenge for me. I really had to read and study a lot. Part of that involved looking at personality types and understanding Myers-Briggs. Part of it involved reading a lot of books on using challenging questions and being able to ask things a certain way to be more introspective. For example, I would ask a question and if I brought one answer to the business and they gave a different answer, we’re naturally fighting over the same turf, over the same dollars and resources. But if we talked about what the shared goals and objectives we can agree to, and then we can both outline a plan and say, which one is more likely to get us there? And how could this plan if we implemented it perfectly, still not get us the right answers, the right goals and situations?
Ross Young: And then we outlined the different flaws together and found we’re sharing opportunities for the same goals and objectives, that brought a very different focus of how we could partner together. As I started focusing and reading a lot of these persuasion, leadership, and influence topics, and listening to podcasts about it, that’s where I learned to develop some of the soft skills that I think are really needed. Nobody cares if you’re right. They care if you can actually transform the business. That comes through shared understanding and shared goals and alignment, and as you partner with the organization on those things, I think that’s where the transformation happens.
Chris Martinez: One big takeaway from our chat with Lisa was how to learn and apply change management and risk triage. For Lisa part of her success came from knowing the difference between getting to and succeeding in the InfoSec leader role and understanding how to prioritize what’s thrown at her every day.
Lisa Hawke: To get to the role, I think is very different than succeeding in the role. And I have to say that when it comes to getting to the role, my personal experience is pretty unique in that I was actually hired at Everlaw as a director with a different title when the company was only 25 people. And my role grew into what it is now*. So when I see job descriptions, I’m not sure how they find anyone who meets all of those job qualifications and descriptions, especially if you look at my background.
Lisa Hawke: So the other question, to succeed in this role? From my perspective, there’s a few critical skills that I can share. One would be change management and risk triaging in the context of your specific business and operations. This is especially true in a startup. As a security leader, you won’t be able to address every single thing and you’re going to have to choose what is most important in your business to address and what’s most important to your customers and regulators. [*editor’s note: this episode was recorded when Lisa was at her role at Everlaw. She is now the Chief Legal Officer at LifeOmic].
Chris Martinez: Compass CISO J.J. Agha, shared the keys to success for his roles, applying the OODA loop to tough problems and taking lessons from his advisory work. Here’s J.J. talking about what he’s gleaned from thinking outside the box and reading between the lines.
J.J. Agha: I have my process where I have to do my day to day, and then I also have the advisory work, where maybe it’s not about a security product decision every day. Maybe it’s about having a conversation with a customer, or a VC, or another advisor, asking how can I help shape their path as a company? From being an internal, I am very closely knit, day to day with, what is our business goals, our business initiatives. Context switching allows me to be fresh and allows me to constantly take my learnings that I have day-to-day from my day job and apply it to advisorship.
J.J. Agha: The work I take from being an advisor, I ask how the companies I advise are approaching an issue or challenge in a better way, and figure out how do we solve for it and provide feedback to it. It’s this constant feedback cycle and gigantic OODA loop within myself: I’m going to observe. I’m going to act. I’m going to make a decision. I’m going to constantly follow through, throughout that process.
Chris Martinez: The pandemic has thrown a lot at us in the InfoSec industry. CISOs and cybersecurity leaders have had to make the best of things in an unprecedented year. It’s a testament to the good leaders who have been able to keep their security organizations afloat and even thriving in some cases. Success during dark times comes from different places for each leader, but a common thread we heard from our guests since season one was the ability to seize opportunity to do things differently when all the rules get thrown out the window. Ross looks to what we’ve gained during the pandemic as a remote first working culture and how smart InfoSec leaders can apply these gains to save money, time, and process in the future of work, even post COVID.
Ross Young: I think the biggest thing that you’re seeing because of COVID is a change to a work from home strategy. Whereas some companies may have always been a work in the office first and allow people to flex from home once or twice a week. I think we’re now looking at our businesses to say, how could we be 100% remote? We’ve already done it for six months. It doesn’t hurt to do this longer. And we might gain some business benefits. We could shrink the size of our office spaces. We could recruit people from locations we’ve never had before. It provides a lot of new opportunities to re-envision the workforce. I think that’s the biggest new view of an IT organization to tap into that and provide that digital transformation that we’ve never had from being a hundred work from home organization, or at least large parts of it.
Ross Young: Security has a role in making sure if we’re going to do this as our primary strategy, how are we enabling the business to do things that they needed to do before? Maybe we were using printers all the time and uploading attachments and now we have to go to a DocuSign world. Things like that, of where we look at the security to improve the business functions is really where we’re going to have to do better.
Chris Martinez: Ty sees the impacts of COVID as a challenge in his role, and for those coming up in the industry as well. It’s a trial by fire in many cases, but asking the right questions and relying on creativity can help mitigate the impacts of COVID on our working lives. Here’s Ty.
Ty Sbano: It’s going to be tough. I think the direct impact will be on new hires. I hope some folks didn’t have their offers pulled if they were about to start, but I suspect that may have happened. I think internship requirements are going to be really rough as far as onboarding to most companies like ours, where we’re 100% remote right now. I think that’s going to be tough, even starting in an internship right now and learning an environment that may have been an in-person culture that is now telling new hires, welcome to the company. Here’s your laptop. Leave our office now, go home and get set up and set up a bunch of Zoom meetings. This is how it works now.
Ty Sbano: I think it’s going to be a tough go for sure, given how the market is right now. I think a lot of companies are learning and figuring it out. I don’t know if there are too many security practitioners that have ever been through a pandemic of this level. I think those are the folks that may have some secret sauce, but I think the rest of us, we worked through this, we had some high-scale plans that get us through, but we’ve also had to be creative along the way where there wasn’t a lot of documented guidance.
Ty Sbano: Often times it’s about using basic principles of security hygiene, what makes sense for the organization and contextual management instead of relying on something you read in a book and then implementing it. Some people just never really cared about business continuity. It went as far as, “We use AWS, we don’t have to worry about it.” But if your office shuts down now, can you still do your marketing? Can you still do your sales? Are you still able to engage? It’s rough right now because you’re seeing a lot of layoffs happening.
Ty Sbano: Typically layoffs include folks that are underperforming, redundant, or no longer required, but now you’re seeing folks early in their careers in that situation. I’ve definitely gone to bat for my team. And especially right now, I have a team of three people. I offer myself in those scenarios where we have to make a cut. I say, here’s howto save the most money. I’m going. If your own manager thinks that’s a good call, that’s going to be a rough conversation. But you’re playing a game of chicken at the same time. You’re looking at it from a data-driven standpoint. As a people manager, especially if you want to be a CISO, you’re going to have to learn how to deal with really tough decisions.
Chris Martinez: A good leader is someone who helps the people around them. Our guests share their advice on how to get the most out of early career resources and where to find the best tools for learning as you build your skills. When talking with Ross is easy to see he’s a great teacher. One of the best pieces of advice for young professionals is to pursue the right do it yourself education opportunities and maximize networking within the InfoSec community.
Ross Young: With technical knowledge, there is a wealth of things that are out there. From doing things like taking SANS related training, to pursuing other online training. There’s so many providers out there like a Cloud Guru where you can go and learn AWS or Azure certifications. I’ve seen that explode over the past couple of years. Also listen to the technical conferences that are near you. Sometimes people focus on the Black Hat conferences that are a little pricier, but there’s a lot of local B-side conferences. There’s a lot of local OWASP conferences of application security-focused things that you can be involved in. I’ve found the security community on LinkedIn to have a wealth of knowledge. If there’s a tool that you’d like to learn, see if the creator is on LinkedIn. Just message that person and say, “Hey, I found this really interesting, I’d love to learn more.”
Ross Young: I’ve been really impressed at how much people are willing to talk about it. It’s kind of like their child. They’re excited when people take interest in their research and they’re willing to show you what they’re working on. Those little nuggets are where you can build those personal relationships and continue to network from these technical conferences and training. I think it’s how we’re going to build more subject matter experts in the field.
Chris Martinez: Part of Lisa’s work includes her role with the organization Women in Security and Privacy (WISP), where she works to help underrepresented and minority InfoSec professionals have a seat at the table. Lisa thinks all of us have a role in helping more people of color, women, and others who have traditionally been shut out of opportunities.
Lisa Hawke: I personally don’t think that attracting underrepresented folks is the problem. I think that there are tons of talented people who want to and are in the field already. The problem I see more is more related to gatekeeping, whether that’s in the form of unreasonable job descriptions, extremely expensive training and certifications, lack of actual entry level roles, or biased hiring practices.
Chris Martinez: Certifications are a hot topic among InfoSec pros. Some see them as essential for success. Some may rely on them as badges of honor. You’ll find one true thing when asking about certifications: their value is highly subjective and everyone has a differing opinion about their usefulness. Our experts offered their points of view on the role of certificates and their success. Ross sees tremendous opportunity to learn from studying for certifications and much less value in getting wrapped up and chasing the certifications themselves.
Ross Young: I believe studying for a certification is fantastic. There’s so much knowledge that you gain. However, I’m not really hooked into taking a certification exam and paying the money and focusing on continuing your CPEs every year. So I’m probably going to say certifications nay, but the opportunity to study for them and gain the knowledge, yea.
Ross Young: I think the biggest thing that’s changed is just how much the community has grown. I first started cybersecurity in 2005, right about when Facebook was really starting to take off. LinkedIn really was not there at that point in time. So your ability to network with other folks was really limited by who you might’ve caught at a DEF CON conference and kept an in contact with.
Ross Young: Now, there are literally hundreds of cyber conferences. And so I think there are so many more opportunities to find people to learn from, compared to it before when it was a bit harder to find subject matter experts or people who had spent 10 years in the field. Now you’re going to find a lot more people who have those skills that you can network and learn from.
Chris Martinez: J.J’s advice on what certifications can add to the path to success as a CISO contains a return to basics and foundational learning. Here’s J.J. on the resources that have helped him learn the most and why certifications alone aren’t enough.
J.J. Agha: I pay for Pentester’s Academy, which is a broad, diverse group. It comes down to how someone likes to learn — it might be tangible where they want to be hands-on versus wanting to read a book and going the certificate route. Providing a suite of available resources has been a common approach. In the time I have no, I like to read, but then make it practical. I’ll read a chapter and apply it. I have to know, how do I actually make this useful? What I’m reading in the book, whether if I’m going for a certification or if I’m going for an exam, might not actually be applied to the real world. The instructor or the exam creator can’t see all the variables.
J.J. Agha: I think the best way to learn now is to use what’s available from these academies online. Pentester Academy and hackthebox.eu are great. Security in general is so diverse. Do you want to become a network security engineer? Do you want to become an enterprise security engineer? How do you get access to AWS and without it costing an arm and a leg? I think one of the issues with certificates is that they try to generalize security too much. They try to generalize the problem versus just get a basic understanding of how TCP/IP works, or how does the OSI model work. Get the basic understanding of the particular protocols and how the internet works. Then apply what’s interesting to you around those frameworks and protocols to security.
J.J. Agha: You’re not going to become a crypto expert and then a network security expert and then a software engineer overnight. But if you pick these particular verticals to dive into and match the right learnings to it, you can apply it as practical knowledge versus book knowledge. Once you start getting practical, it’s nice to have a conversation with someone you consider a coach, mentor, or manager, or even just a senior lead engineer on the team. Bounce ideas off them based on what you’ve read or studied. As I went through my early career and got my certificates, I knew could find a soundboard to constantly ask, how to apply what I read to the real world.
Chris Martinez: Michael and I had a wonderful time hosting our four InfoSec leaders on season one of CISO Insider. We learned a lot about what it takes to become an InfoSec leader and how we can become better in our roles as InfoSec marketing professionals. We hope you enjoyed the first season of CISO Insider. We’re hard at work on season two and looking forward to bringing you more insights and lessons from the industry’s best and brightest leaders. Thanks for taking this journey with us.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at email@example.com with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
Stay tuned for the season 2 coming Spring 2021!
Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.