Winamp Logo
The New CISO Cover
The New CISO Profile

The New CISO

English, Finance, 1 season, 120 episodes, 3 days, 17 hours, 54 minutes
About
The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.
Episode Artwork

Taking the First Step Toward Your Career Dreams

Summary:In this episode of The New CISO, host Steve Moore speaks with Nicola Sotira, Head of CERT at Poste Italiane, about his journey from technical expert to business leader, all while following his dreams. Nicola shares the importance of mentorship, the value of building strong teams, and how he applied a Viking mentality to overcome challenges in his career. Listen in as Nicola reflects on leaving a prestigious role in Italy to embrace new opportunities abroad and what aspiring leaders can learn from his story. Whether you're thinking about making a career change or simply looking for advice on leadership, Nicola’s insights will inspire you to take action and move toward your dreams.Listen to Steve and Nicola discuss:00:00 -Nicola Sotira's Career Journey and Mentorship03:37 - Balancing Business and Technical Roles06:40 - Adapting to Technological Disruption08:47 - Taking Risks: Moving to Sweden at Age 4015:12 - Leadership Lessons from Peter: The Viking Mentality18:17 - Hiring and Building a Strong IT Security Team23:23 - Making Work Fun and Following Your Passion28:52 - Advice for Aspiring CISOs: Follow Your DreamsLinks: LinkedIn
10/17/202430 minutes, 15 seconds
Episode Artwork

What Legacy Tech Can Teach New Leaders

Episode Summary: In this episode of The New CISO, host Steve Moore is joined by Nicola Sotira, head of CERT at Poste Italiane. Nicola shares his journey from working on cryptographic devices in the pre-internet era to leading security teams today. His early work with assembly language, hardware security, and cryptanalysis offered unique challenges, but it also taught him the value of persistence, creativity, and mentorship. Steve and Nicola discuss the evolving role of hardware in cybersecurity and the importance of securing the supply chain. Listen in to hear about the lessons Nicola learned from breaking hardware before it was sold and how they continue to inform his approach to security today.Listen to Steve and Nicola discuss the importance of hardware security, debugging code, and supply chain risks:00:00 - Nicola Sotira: Career in Cryptography04:46 - The Realities of Debugging Without Modern Tools07:58 - Key Lessons from Early Hardware Security Work12:43 - The Importance of Hardware in Cybersecurity16:26 - Supply Chain Security Risks and Real-World Examples23:00 - Criminal Collaboration and Emerging Cyber ThreatsLinks: LinkedIn
9/26/202427 minutes, 34 seconds
Episode Artwork

What CISOs Get Wrong: Advice From a Cybersecurity Entrepreneur

In this episode of The New CISO, host Steve Moore sits down with Larry Pfeifer, CEO and President of Metrics That Matter, for a deep dive into the evolving role of the CISO and the increasing importance of cybersecurity insurance. Larry offers valuable insights drawn from his unconventional career in cybersecurity, sharing advice for CISOs and entrepreneurs alike. From the need for CISOs to shift from awareness providers to business decision-makers, to the surprising connection between cybersecurity and insurance, this episode is packed with thought-provoking discussions.Listen to Steve and Larry explore the intersection of risk, metrics, and cybersecurity decision-making, and how customer service strategies from the Ritz-Carlton are being applied to improve client relations in cybersecurity.00:00 - Introduction: Board Level Metrics in Cybersecurity01:02 - Larry Pfeifer's Journey in Cybersecurity01:56 - Cybersecurity’s Future: Insurance and Risk03:56 - The Challenges of Cybersecurity Insurance08:04 - Key Lessons for CISOs and Risk Management12:00 - Client Management Post-Breach17:30 - Optimizing Cybersecurity Investments21:05 - Entrepreneurship: Realities and AdviceLinks:Larry Pfeifer on LinkedIn
9/5/202426 minutes, 21 seconds
Episode Artwork

Why the Best Salespeople Are Engineers

In this episode of The New CISO, host Steve is joined by Larry Pfeifer, CEO and President of Metrics That Matter. Although Larry is not a CISO, he has worked in many adjacent fields, including the US military, university IT research, sales engineering, and more. As a result of his vast experience, Larry has a unique lens on cybersecurity. Listen to the episode to learn more about Larry’s fascinating career journey, what salespeople and IT professionals have in common, and why he decided to start his own business.Listen to Steve and Larry discuss what makes working in IT at a university invaluable and when to talk about the vendor selection process:Meet Larry (1:39)As a CEO and entrepreneur, Larry does many different things in his daily life. His professional origins started in his high school Apple IIe classes, and later, he worked with new computer technology in the military. Overall, Larry compares his career journey to Forest Gump, acknowledging the exciting and extensive path he’s taken.After Service (6:39)Larry details his next moves after completing his military service. He helped run an educational network at a university, which led to him being interviewed on Leonard Nimoy’s technology show.Although there was no position like “CISO” at the time, Larry also led a checkpoint on Salaraboxes, among other cyber-related projects.Sound Advice (11:30)Steve presses Larry on whether it is worthwhile for students to work in education networks at a university. Larry believes that if you have the opportunity, you should take advantage of it. After all, it’s high-paying, flexible, and allows you to do real, hands-on work.Becoming an Entrepreneur (15:04)Larry shares how he broke into sales engineering and started working for the Philadelphia Stock Exchange, among other places. He went from a career in IT research to sales engineering to becoming a salesman, adding another layer to his professional skills. He also stresses the importance of discussing vendors and helping his peers determine what they like about their services, what they don’t like, and their costs. This interest led him to become the CEO of his own information-sharing business.Building a Brand (26:27)Reflecting on the beginning of his entrepreneurial journey, Larry shares how he worked with potential clients and narrowed in on his focus.Now, Larry is the CEO of a business that serves as a cyber-security platform. To do this job well, he understands the industry thoroughly.The Right Metrics (33:32)Through Metrics That Matters, Larry aims to simplify the cyber-security process by providing information that reports on a business’s weak points and what they could do better.Larry’s company fills in the technology gaps of CISOs, though he also knows there is no silver bullet to perfect cyber security. You must understand your environment and what your environment needs to secure your business properly.Links:LinkedIn
8/15/202440 minutes, 13 seconds
Episode Artwork

How to Become a “T-Shaped” Leader

In this episode of The New CISO, Steve is again joined by guest Grant Lockwood, Comedian, DJ, and the Chief Information Security Officer at Virtus Health. Today, Grant returns to explain how his approach to effective communication has evolved since becoming a security leader. Listen to the episode to learn the difference between safety and security, how stand-up comedy gave Grant an efficient framework for his CISO role, and the importance of having balance outside of work through hobbies.Listen to Steve and Grant discuss how to maintain confidence in work and life and how to optimize your message to make the best first impression: Comedy and Cyber Security (1:34)Steve asks Grant why stand-up comedy has made him a better CISO. To Grant, stand-up helped him learn how to operate in a degraded state, which he finds comparable to dealing with cyber programs.Like when a joke bombs, sometimes the most protected security programs can get hacked. Grant shares why these two mediums are similar and how both have given him the confidence to succeed in challenging situations.Comfort and Confidence (4:12)Grant shares how he determines his stand-up set lists and how to use that to get the audience on his side. He finds these lessons to also help in the workplace and understands the confidence that this framework provides.Studying Delivery (6:45)Grant reflects on the resources he’s utilized to become a better comedian, including listening to comedy podcasts. Ultimately, Grant expresses the importance of being economical with words—whether at work or on stage—to become an effective communicator.Good Advice (9:22)Steve presses Grant on what advice he would give his younger self, especially reflecting on his journey from an admin role to where he is now. Grant advises listeners to stay curious and teachable since there is much to learn.He also reveals why people should be well-rounded, T-shaped individuals and how hobbies can provide transferable skills.Getting There (12:31)Reflecting on his career, Grant explains what he meant when he said, “The thing that got you there isn’t what will keep you there.” He clarifies how his measures of success have changed as he’s learned more about how running a business works.Learning From Community (27:12)As both a comedian and a CISO, Grant explores how the security community could learn from the stand-up comedy community. Both communities are very supportive, but comedy is entirely audience-dependent. Therefore, comedy can teach security professionals to have better communication by “knowing your audience.”The New CISO (19:09)To Grant, being a new CISO means being adaptable, learning both the business and security side, and improving those around you.Links mentioned:LinkedInComedy Podcasts/Resources:Dissecting the FrogThe Comedian’s Comedian Podcast
7/25/202420 minutes, 22 seconds
Episode Artwork

Is Security Funny - What Hobbies Can Teach a CISO

In this episode of The New CISO, Steve is joined by guest Grant Lockwood, Chief Information Security Officer at Virtus Health.After starting his career in an administrative position, Grant found himself getting bored. After being urged by his wife, Grant turned things around and is now a DJ, comedian, and, of course, a successful CISO. Listen to the episode to learn more about Grant’s impressive career journey, how to make your content compelling, and the transferable skills from performing comedy.Listen to Steve and Grant discuss how hobbies can make you a better security leader and the importance of adapting to your surroundings:Meet Grant (1:33)Before becoming a CISO, Grant was a health sector chief information officer for a health department. Although his current role is very different, he can see the similarities between the two positions.Before these two roles, Grant had spent years in an administrative position. Not sure what he wanted to do, his wife encouraged him to take up some hobbies, leading him to become a more well-rounded security professional.Being a DJ (7:18)Grant explains what people don’t know about being a DJ. He understands that what makes him a strong DJ is that he’s good at computers, demonstrating the similarities between cyber security and music.Besides being a stress relief, Grant feels that being a DJ helps him with timing and being present, which he applies to his CISO role.The Funny CISO (11:40)Becoming a stand-up comedian has proven to be a transferable skill set for Grant. He reflects on how comedy helped him with his presentation skills and the ability to compel an audience. Truth to Power (18:55)Steve presses Grant on whether doing comedy has improved his ability to deliver truth to power. Grant understands how stand-up has expanded this skill set because he learned to hold others’ attention.Grant also shares his feelings on the “lizard brain” and how this influences how we interact with others. Comedy taps into people’s lizard brains because it's an involuntary reaction that can bond us.Being Adaptable (23:18)Grant explains how stand-up forces you to adapt to your environment and use it to your advantage. This mentality also applies to presentations because you can shift gears based on your audience’s reaction.When you can adjust your performance to the mood of others, you can hold their attention long enough to communicate your ideas effectively.A Better Training (27:12)If Grant could advise a security training leader, he would suggest they ask themselves, “Would this be entertaining to my mom?” Teaching potential CISOs how to make their work captivating to a wider net will make them better security leaders overall.Links mentioned:LinkedIn
7/4/202431 minutes, 22 seconds
Episode Artwork

Be the Coach of Your Security Team

In this episode of The New CISO, host Steve is joined by returning guest Sándor Incze, CISO at CM.com.In part two of his interview, Sándor shares his strategies for boosting team productivity. As a long-time security leader, Sándor understands how to get the best out of his team. Listen to the episode to learn more about the difference between nervousness and excitement, the benefits of his CM model, and how running a cyber security staff is like soccer.Listen to Steve and Sándor discuss how software development is like an F1 race and how to make a candidate confident during an interview:In the Interview (1:33)Sándor and Steve discuss high-stakes, stressful job interviews and how they can make candidates nervous. Although some security professionals are proud to make someone fumble during the interview process, Sándor and Steve share how to bring out the best version of someone to see if they are the right fit.CM Squared (8:56)Sándor shares the CM (or CM Squared) Model, a document he uses when auditing different companies' security systems to find their faults. With this model, Sándor can simplify technologies for business leaders and enhance their protections.Like an F1 Race (15:30)Like F1 racing, Sándor believes software development is a team effort. To help emphasize this metaphor, Sándor explains how different members of security teams mirror the roles of a racing crew.Team Strategies (19:49)When Sándor evaluates his role as a leader, he thinks of his staff as a soccer team. His team needs to score “goals,” and as their “coach,” it is his job to guide them.He also shares his motto, “Do something you like, do something you’re good at, and contribute.”The New CISO (27:12)To Sándor, being a new CISO means “keep it simple.” Making things too complicated does not stop cyber crimes. However, learning to talk to each other does.Links:LinkedIn
6/13/202429 minutes, 39 seconds
Episode Artwork

Perspectives on Security as a CISO and Police Officer

In this episode of The New CISO, host Steve is joined by guest Sándor Incze, CISO at CM.com.Today, Sándor shares his untraditional path to a dual career in the Infosec and law enforcement industries. Through diligence, initiative, and automation, Sándor has been able to balance both of his life’s passions. Listen to the episode to learn more about Sándor’s extensive professional journey, the benefits of automation, and how personal interactions can shape your perspective on a crisis.Listen to Steve and Sándor discuss what a police officer and a CISO have in common and when it’s appropriate to be “lazy”:Meet Sándor (1:33)Sándor has been passionate about tech since he was eleven years old. After tinkering around with an old computer at school, he became his school’s first administrator.He credits this experience as his professional origin story.An Opportunity With Law Enforcement (6:21)Sándor shares that he has been interested in law enforcement professionally since his youth. Although this path didn’t initially work out, he was able to eventually combine his two passions into the dual career he has today.Young and Successful (12:40)By eighteen years old, Sándor was already establishing a successful career and saw the financial benefits alongside that. Amusingly, he would buy a new motorcycle every six months, an impressive luxury for his youthful age.A Man In a Suit (14:03)After finishing his computer science degree, Sándor tried to move into a law enforcement career. This attempt didn’t work out as intended, so Sándor had to go to a job wearing a suit rather than a preferred police officer’s uniform.The Benefits of Laziness (16:18)Sándor jokingly admits he is lazy because of his love for automating repetitive tasks. However, this method has proven effective, revealing much about Sándor’s perspective on work.Lessons For the Listener (19:13)After his third opportunity, Sándor successfully transitioned into a law enforcement role. He initially started as a volunteer, but he was able to use his automation skills to gain respect, leading him to become a police officer finally.Life In the Academy (24:50)Sándor reveals the age at which he joined the police academy and what being a security leader and officer have in common. A deep understanding of people and an accurate perspective on life are crucial mindsets to carry into both fields.
5/23/202429 minutes, 38 seconds
Episode Artwork

Work Smarter: How to Empower Your Team and Yourself

In this episode of The New CISO, host Steve is joined again by guest Ash Hunt, Global CISO at Apex Group Ltd.Today, Ash shares how he transitioned from his career as a jazz musician into the vastly different world of cyber security. He also reveals his tips as a leader and a decision-maker. Listen to the episode to learn more about Ash’s unique professional journey, how security leaders inhibit their candidate search, and the secrets behind an empowered staff.Listen to Steve and Ash discuss the power of delegation and how to determine the best time to find a new role:Ash’s Return (1:39)Ash returns to the podcast to share how he achieved his cyber security start. Initially touring as a jazz musician in London, Ash acknowledges how his past has helped him with his current career.Fresh Challenges (10:13)Ash explains when to seek new challenges to avoid professional stagnation. He believes that when a company gets more out of him than he is out of that company, it is time to move on. This mentality has helped him decide when to leave an opportunity for a fresh one.Being Creative (17:21)Steve and Ash discuss the impact that they can have on others early in their careers. Ash tries to expose his interns to the industry as much as possible because there are so many exciting things to do in tech.He believes leaders should be more creative when judging and developing talent. For Ash, creative compromise, persuasion, stakeholder management, and communication are skills that he considers when evaluating potential candidates. Ownership and Delegation (22:01)While discussing the importance of enabling your staff, Ash asserts what makes an effective leader. Allowing your team to own their work and delegating tasks creates an empowered and productive company culture. Evaluating Loss (26:37)Steve presses Ash on how he handles approaching inefficiencies at work, such as issues with AI, to the executive team. Ash’s answer is to follow the money and expose what people think is true, but it turns out to be the opposite.Loss is rarely tracked, but pinpointing those causes can benefit your organization.The Cost of a Breach (33:19)Staying on the topic of loss, Steve and Ash reflect on the vast cost of a data breach and inefficient client management. Although Ash acknowledges that technology will be able to solve these issues over time, there is no harm in prioritizing clear data reports now.New CISO (38:01)To Ash, being a new CISO means converging cyber with technology. Ultimately, it is about working smarter, not harder, as a team.Links:Linkedin
5/2/202441 minutes, 9 seconds
Episode Artwork

Change the Way You Think About Loss, Risk, and Revenue

In this episode of The New CISO, Steve is joined by guest Ash Hunt, Global CISO at Apex Group Ltd.Today, Steve and Ash dive into the action of M&A (mergers and acquisitions) and how to conduct it well. As a CISO at one of the world’s largest administrators, Ash shares his valuable insight on loss, risk, and revenue generation in a constantly changing IT environment. Tune in to learn more about what causes loss during a merger, why decision management and risk management are one and the same, and the cultural changes in the security industry. Listen to Steve and Ash discuss how to quantify loss and what jaywalking and cyber security have in common.Meet Ash (1:34)Ash shares that he is proud to work for a fast-moving organization that has expanded worldwide. This growth has led to an exciting time from a technology and cybersecurity perspective.Successful M&A (5:16)Steve presses Ash on how to conduct M&A successfully. What hurts a business during an acquisition is when there are breaks in infrastructure that get overlooked.Luckily for Ash, he has a strong team that prioritizes infrastructure integration to avoid loss and increase revenue.Things in Common (12:25)Ash reveals what jaywalking and risk have in common. For example, everyone in London jaywalks, but like in cyber security, there is a degree of risk. Risk Management (15:10)According to Ash, risk management is decision management. Decision science is a critical part of Ash’s approach to security.Psychological barriers in the workplace halt optimal investment decisions that can generate revenue.Adding Value (25:36)Ash acknowledges that his most significant contribution toward his company is successfully integrating their infrastructure into one operating platform. He knows it will rationalize his tool stacks and clean up his budget, amongst other benefits.He has seen other companies experience operation inefficiency, access control failure, and inadvertent data disclosure, which he actively prevents.Changing the Operation Process (30:48)Steve and Ash marvel at the operational changes that need to be done in security. For example, many people still default to email versus a more secure portal for data exchange.In order to mitigate risk, cultural changes need to be made to operational processes. Links:LinkedIn
4/11/202434 minutes, 47 seconds
Episode Artwork

Keep Calm and Communicate Better: Advice for Young Managers

In this episode of The New CISO, host Steve is joined again by guest Ron Banks, CISO at Toyota Financial Services.In part two of his interview series, Ron shares his career advice for new cyber leaders. Listen to the episode to learn more about Ron’s take on China’s strategies, the importance of being inquisitive, and why we must be calm under chaos.Listen to Steve and Ron discuss key attributes CISOs look for in a young manager and the importance of communication and leadership:Where We Left Off (1:43)Piggy-backing from the last episode’s conversation, Ron explains the current state of our security concerning China and how they’ve recently gone dark. According to Ron, China has been playing 3D chess for a while and has found tangible ways to disrupt American life.A Shoutout To Ron (10:19)Steve gives a shoutout to Ron’s book, highlighting the state of American security and its relationship with China. Academic with numerous footnotes, Ron’s work provides readers with meaningful context related to cyber security.Valuable Advice (12:20)Ron reflects on the advice he wishes he could have given his younger self. He asserts that there is a path to cyber if you gain a technical foundation. He also shares how you need to be creative and curious to thrive in this industry.Evaluating Young Leaders (15:16)Steve presses Ron on how he evaluates young leaders in the security field. For the young manager, you must have the technical chops in addition to the personality.Managers need leadership and communication skills to inspire their teams. And, of course, practice makes perfect.Calm Communication (21:50)Ron and Steve discuss why leaders should practice calm communication. Leaders must put their teams at ease when there is chaos.New CISO (28:00)To Ron, being a new CISO means also being a business leader. Bridging the gap between the worlds is becoming more and more necessary as the world progresses.Links:Linkedin
3/21/202430 minutes, 21 seconds
Episode Artwork

Public-Private Partnership: How to Punish Bad Actors, Not Organizations

In this episode of The New CISO, host Steve is joined by guest Ron Banks, CISO at Toyota Financial Services.In part one of his two-part interview, Ron shares how he transitioned from a fighter pilot to a cybersecurity leader. He also digs into what is required for a joint government, private industry, cyber offensive response. Listen to the episode to learn more about Ron’s years as a combat veteran, how the government can improve security strategies, and the necessity of political will.Listen to Steve and Ron discuss the importance of public-private partnerships and the challenges of posing consequences on adversaries:Meet Ron (1:35)Steve introduces guest Ron Banks, a CISO, author, veteran, and academic. Ron details his duties as a fighter pilot and how he transitioned to education and then cyber security.What He Misses Most (5:17)Ron shares that what he misses most about his fighter pilot days is the rush from flying. However, he found the transition into cyber security simple because he gets to evaluate offensive and defensive security strategies reminiscent of his time serving.Possible Friction (8:10)Steve presses Ron on whether there is friction between cyber teams, their capabilities, and the grounds they are trying to defend on the private side.Ron explains that the virtual defense of the United States contains over 200 government organizations, each controlling a different lane. The cyber camp mainly covers the DOD, which comes with problems. On the Private Side (12:07)When discussing the lack of consequences for bad actors, Ron shares the great strides the FBI has made to improve their relationships with law enforcement in other countries. Despite these efforts, the behavior of cyber criminals has not changed enough, demonstrating that there is more our government can do.Things to Work On (17:54)Ron shares some advice for new security leaders working within the government. He suggests focusing on public/private partnerships because sharing information is critical.How Breach’s Occur (21:54)Ron discusses his tips for dealing with a breach and why they occur. There is a strategy where they can impose consequences on cyber criminals, which his team has accomplished by focusing on counter-terrorism.Ultimately, no more money needs to be invested, the relationships are built, and the technology is there, but there has to be the political will to defeat threat actors effectively.Advice to Lobby (29:01)Steve presses Ron on what it would take to lobby the government and get the necessary resources. Since the capability is there, Ron reaffirms that change is in the president’s control.Links:Linkedin
2/29/202435 minutes, 13 seconds
Episode Artwork

Why CISOs Need to be Champions of AI

In this episode of The New CISO, host Steve is joined by guest Mani Masood, Head of Information Security and Applied AI at a prominent healthcare MSP.Also a professor and family man, Mani’s various life experiences shaped his impressive decades-long career. Today, he shares his insight on balancing education with experience and embracing AI as a security leader. Listen to the episode to learn more about Mani’s career and education journey, the importance of having real-world skills, and what inspired Mani to write a book.Listen to Steve and Mani discuss how to adapt to new technology advancements and if InfoSec professionals should champion AI:Meet Mani (1:35)Steve introduces guest Mani Masood, who has worked in the security industry for two decades. First, Mani started in IT before transitioning into Information Security. Now, AI has quickly become a significant component of his role.Mani shares a story when a college professor saw his nervousness before an exam and suggested he get a job. His professor assured him that getting real-world experience would be extremely valuable.Real World Expertise (6:49)Mani reflects on how getting a degree is not the be-all-end-all of getting a job. Often, employers want to know what you’re capable of, which comes from having tangible skills applicable to your field.He also explains to Steve why it took him six years to finish his education instead of four: because he was gaining real-world experience.Times Have Changed  (18:18)Steve asks Mani about his perspective on the famous quote, “For those who can’t do, teach.” As technology has changed, Mani shares that nowadays, what you can do is more important than doing things right or following the status quo. The Time For AI (24:28)Like the tech boom, the AI era allows professionals to adjust to new advancements. Mani reveals that they have been trying to use artificial intelligence to solve InfoSec problems for some time, and this will become increasingly more possible as the tech matures. Defending The Tech (28:49)Mani discusses why security leaders should support AI and champion the technology within their organizations. Since InfoSec professionals have been working with AI for years, they should inspire others to believe there is a way to interact safely with this tech.Mani’s Recommendations (32:18)Steve presses Mani on his recommendations for security leaders when supporting artificial intelligence. Mani suggests that these leaders become comfortable with the tech themselves.Every InfoSec tool now has some AI faction, so security leaders should learn as much as possible about its benefits before championing it. Ultimately, CISOs must do their homework to ease their organization’s worries and create the necessary safeguards.Writing A Book (41:32)Mani shares why he is writing a book and what drives this project. He was first inspired to do so by a conversation with his wife. He initially sought to write a guide for his children, which led him to write a guide for other professionals.The New CISO (48:23)To Mani, being a new CISO means dealing with a new crossroads with technology. Whether you’ve been in the business for a long time or are new to the role, you must adjust quickly, pivot, and learn with your team.
2/8/202451 minutes, 46 seconds
Episode Artwork

A CISO’s Advice On Learning, Earning, and Dodging Burnout

In this episode of The New CISO, Steve is joined by returning guest Dr. Adrian Mayers, VP and CISO at Premera Blue Cross.As a veteran CISO, Dr. Adrian reveals his stress management and career tips. He also shares his thoughts on AI and its effect on the current threat landscape. Tune in to this week’s episode to learn more about determining your next career move, giving yourself grace, and why we shouldn’t vilify artificial intelligence.Listen to Steve and Dr. Adrian discuss evolving technology and approaching the research part of the job:Welcome Back, Dr. Adrian (1:32)Dr. Adrian reintroduces himself and his current CISO role to the audience. Steve also reveals why Dr. Adrian is a pleasure to have as a guest and his appreciation for the spark he brings to the conversation.Cutting CISOs Slack (5:40)Dr. Adrian unpacks why CISOs deserve grace as the role evolves and the stresses change. Detecting threat actors is a lot of responsibility, which creates tremendous pressure and leads to burnout.You can do better in your role long-term by understanding your limits and providing accurate expectations for the role.Working Together (12:33)Nowadays, taking criminal entities down requires foreign governments and the FBI to work together. Dr. Adrian shares his thoughts on this dynamic and how it takes a village to cover the defensive and offensive bases needed in the digital space.The Right Research (19:28)Steve presses Dr. Adrian on how he conducts research related to the job. Dr. Adrian has taken MIT classes and uses many online resources to obtain information. There are many sources to pull from, but you must use common sense to determine your gaps on various security topics, including AI. The Benefits of AI (25:02)Dr. Adrian discusses the benefits of artificial intelligence and how it is a technology that will open up the possibilities of what cybersecurity professionals can do. Although people fear this new tech will replace jobs, it fits the natural order of human progress.What Comes Next? (28:10)Steve and Dr. Adrian contemplate the off-ramps of what can come after being a CISO. To move up, you must understand the industry's business side or have enough knowledge to transition into teaching. Sponsorship is another aspect that CISOs can gain to determine their next career move. Ultimately, Dr. Adrian would like to redefine the work environment to support CISOs on their professional journey.Keeping Your Eyes Open (36:56)Steve asks Dr. Adrian how he knows when a CISO should seek new opportunities. How does he manage that internally?Dr. Adrian believes people should be self-aware enough to understand if they want to move on based on interest or if they want a new professional environment. It is an individual decision.Do CISOs Need Sports Agents? (45:46)Steve presses Dr. Adrian on his quote about how CISOs need sports agents. Dr. Adrian means by that quote that security professionals, like many others, need management to guide them and help them find new opportunities.Links mentioned:LinkedIn
1/18/202452 minutes, 55 seconds
Episode Artwork

How to Respond When You Don’t Get the Job

In this episode of The New CISO, guest Chris Fredrick, Deputy CISO at Baxter International, returns for the final part of his interview series with host Steve.In parts one and two, Chris shared his background and the lessons he’s learned during a breach. Today, Chris joins host Steve to discuss maintaining a productive outlook while looking for a new position. Listen to the episode to learn more about the lessons you can learn at every role, the importance of perception, and job-hunting challenges.Listen to Steve and Chris discuss the best time to leave a position post-breach and how to stay positive in the face of rejection:A New Job (1:40)After working on the SOC with Steve, Chris felt ready for a new challenge. He then saw a role that scared him, making him believe that that was the right position. This decision set him down his CISO path.However, this new position was temporary because when he threw his hat in the ring for the permanent role, it didn’t work out. Ultimately, this rejection caused Chris to reflect on his career journey.Doing Things Differently (6:03)Steve asks Chris if he would have done things differently in his interview, knowing what he knows now. Chris would make the same decisions, especially since his time there had many challenges. Even though that role didn’t pan out, Chris learned a lot during this time. He built confidence in his presentation skills and had the opportunity to meet more established CISOs. By networking with other CISOs, Chris realized he truly belonged in the security world.The Value of Stoicism (10:05)Chris advises on how to handle job rejection. He refers to Stoicism, which states we cannot control the outcome but can control our perception.When bad things happen, we can perceive it as a positive that will set us on the right path.Looking For Work (15:35)Despite Chris’ impressive career history, it took him months to find his next role. After evaluating his many interviews, Chris recommends that security recruiters learn more about the field to better choose candidates. Chris and Steve then discuss the other lessons Chris learned during the job-hunting process, including what questions interviewers should or shouldn’t ask. Referring to Stoicism again, Chris also recommends structuring a routine around job hunting, including doing a positive hobby you enjoy.The New CISO (28:32)To Chris, being a new CISO means understanding that we are tasked with the impossible. Therefore, it’s essential to build an environment where people never feel like they are being asked to do the impossible for the ungrateful.Links:Linkedin
12/28/202330 minutes, 29 seconds
Episode Artwork

Great Leaders Make Leaders — Especially During a Breach

In this episode of The New CISO, guest Chris Fredrick, Deputy CISO at Baxter International, returns for the second part of his interview series with host Steve.In part one, Chris shared his background and the beginning of his professional journey. Today, Chris joins host Steve to discuss a pivotal moment in their careers: a significant breach. Listen to the episode to learn more about how Chris transitioned into a managerial role and stepped up during a crisis.Listen to Steve and Chris discuss who managers really work for and the mark of a great leader:Welcome Back, Chris (1:52)Steve and Chris discuss where they left off in the last episode when they left their security team for a new opportunity.Focusing on insider threats, Chris shares his daily work for this specific role. During this time, Chris focused less on operations and built a program instead. He also researched what would be in an insider program.Vulnerability Management (4:10)Chris reflects on the lessons he learned while doing vulnerability management that made him the leader he is today. Chris believes this time taught him how to tell a good story and have clear metrics to back himself up.Network Security (9:28)After working in vulnerability management, Chris moved into network security with Steve and created a Soc. Chris initially came in as an individual contributor until he became a team lead before eventually becoming the manager.When he was a manager, Chris realized his role now was to worry about his team and less about himself. It was a profound moment for Chris when he discovered this truth.The Breach Itself (15:14)Chris shares what lessons he learned from a significant security breach. Chris and his team noticed for a while that there were warning signs of the breach but were initially ignored.However, when the event happened, they could take what they knew and move forward. Because Chris had working partnerships with other teams, he was able to get the help they needed, showcasing the importance of building your relationships before a crisis.Client Management (20:48)Steve presses Chris on what he remembers regarding the client management side of this time. Chris recalls dealing with many calls from clients who were understandably concerned. Many of these calls became heated, but one client assured Chris he understood what he was going through. As a result, Chris tries to be empathetic with others since they could be having a bad day, which could affect their behavior.Pride In Their Team (28:25)Steve reflects on how working with this incredible team was one of the best memories of his career. He has immense pride in this group, which Chris shares.Chris loved building something from nothing and seeing the great things their colleagues have done since. Forming a great team requires a healthy culture that brings people together.Stepping Up (31:38)After Steve left, Chris had to step up into a higher leadership role. This change became a pivotal moment in Chris’s career, coinciding with the birth of his first child.Links:Linkedin
12/7/202336 minutes, 22 seconds
Episode Artwork

How One Job Taught Five Important Leadership Lessons

In this episode of The New CISO, Steve is kicking off the first part of a three-part series with guest Chris Frederick, Deputy CISO at Baxter International.Chris began his career as a technician and met Steve on a small security team managing a large network. Now, Chris joins today to share key lessons from his early career and set the stage for the next upcoming episodes. Listen to the episode to learn more about Steve and Chris’ time working together, the process of changing companies, and learning to be a better leader.Listen to Steve and Chris discuss how to deliver the news you’re leaving a company and how managers should accept said news:Meet Chris (1:46)Chris has worked in IT security for over twenty years and knew since college that this area of the industry was his passion. Since starting a leadership role, he has found his new calling: becoming the best leader he can be.Infosec Memory Lane (5:04)Chris shares the memories of his time working with Steve on their small infosec security team. Chris remembers feeling overwhelmed initially but learned to handle the scope of his many responsibilities. Steve and Chris reminisce about the positives of this experience and the challenges. The best part was the camaraderie they felt as a team.Lessons Learned (9:43)Steve presses Chris on the lessons he learned during their time on the infosec team. This experience taught Chris the importance of curiosity and building credibility.Another valuable lesson was learning to have respectful conversations when colleagues disagree.Changing Companies (18:23)While working together, Steve and Chris had the opportunity to change companies after their CISO left. Chris walks through what occurred and the communication lessons it taught him. He wishes he had done some things differently since multiple people leaving put his manager in a tough spot, but he also learned valuable leadership skills.Links:Linkedin
11/16/202328 minutes, 18 seconds
Episode Artwork

Why CISOs Should Solve Business Problems, Not Technology Problems

In this episode of The New CISO, Steve is joined by guest Scott Moser, CISO at the Sabre Corporation.After twenty-five years, Scott retired from the Air Force to try his hand at the private sector. Now, Scott is transforming the CISO role from technical expert to business executive. Listen to the episode to learn more about Scott’s professional journey, being a customer-focused security professional, and what he learned from the Sabre interview process.Listen to Steve and Scott discuss contributing to the success of your organization and the importance of transparency:Meet Scott (1:44)Scott explains that Sabre is a software often used by hotels and airlines since the sixties. As a result, data protection is of the utmost importance to Scott in his CISO role.Scott then explores his career journey, where he started in the Air Force and eventually retired as a Colonel. During this time, he did cybersecurity-related work, which led him to the career he has today.Broad Experience (9:33)Scott shares how he had the opportunity to lead and mentor many people during his time in the Air Force, including police officers, firefighters, and more. He believes this time gave him the broad experience to communicate with business leaders. Now, he also meets with his customers, where he can easily explain the value that Sabre software can provide them, showing the value of a customer-focused CISO.The Importance of Trust (16:05)As CISOs, it’s essential to represent your company to customers and business leaders alike successfully. To do that, Scott recommends building trust, which requires significant transparency.A culture of trust will help your team through challenging times, so you should prioritize this when times are good.Effective Prep (24:40)Scott mentors his team by giving effective feedback and assessing his employee’s strengths. He works with his team to perfect their skill sets, including public speaking since that is a crucial part of business leadership.As long as people are doing the right thing, they shouldn’t be afraid to make mistakes, learn, and grow because it strengthens the company in the long run. Ultimately, we must transform ourselves to be what our organization needs.Scott’s Presentation (28:55)Steve asks Scott about his popular CISO leadership presentation. Scott reveals that this presentation is a passion project of his because he wants to be more than just a technical expert but a business leader.Scott had to evaluate his strengths and weaknesses to become the CISO he wanted to be, which informed his presentation.An Aha Moment (33:44)For Scott, his interview process at Sabre informed his perspective on becoming a business leader. When board members interviewed him, he understood what they wanted from their CISO.Board members want security professionals who think about improving the business, not just the technical side of the job.One Last Thing (41:46)Steve presses Scott on the last piece of advice he wishes to share. Scott tells the audience always to take advantage of a good crisis because it is the smartest time to get your organization to make a necessary change.The New CISO (44:42)To Scott, being a new CISO means being a business executive leader focused on the customer and financial success of the company.Links:Linkedin
11/2/202345 minutes, 57 seconds
Episode Artwork

The CISO Triforce: Preparing Your Post-Breach Go Bag

In this episode of The New CISO, Steve is joined by guest Mike Melo, CISO and VP of IT Shared Services with LifeLabs.After switching his studies from human viruses to computer viruses, Mike dedicated his career to technology and the people who use it. Today, he shares his methodologies for post-breach cyber-security transformations and leading remote teams. Listen to the episode to learn more about Mike’s career journey, the importance of the customer mindset, and the three tenets of his Zelda-inspired CISO Triforce.Listen to Steve and Mike discuss how to build human connections in a remote environment:Meet Mike (1:40)Mike has worked at LifeLabs for over five years and balances two positions.Although Mike faces many challenges, he has created synergy between the two teams.Getting His Start (4:02)When Mike was a teenager, he originally wanted to be a musician. Instead, he went into computer studies and studied human viruses. At the end of the day, he realized he didn’t want to be in a lab and instead wanted to explore his love for cybersecurity.The Customer Mindset (7:02)Mike recommends new security professionals go and see how businesses work. Learning the customer mindset early in your career will have great benefits later because you will understand what users need.Ultimately, security professionals must better interact with their customers and understand how humans behave daily. You must find ways to show up to the business and show you are here, especially in remote work environments. Socializing And Remote Work (16:42)Mike feels we’ve lost social currency with remote work because people are social beings. However, there are pros and cons to being in remote environments. As a leader, Mike developed a team charter to ensure better communication and created opportunities for positive socialization.Going Back In Time (27:28)Steve presses Mike on his time in university when he also worked as a security analyst. A double major as well, Mike had to balance a lot while he learned.However, Mike wouldn’t change anything because it allowed him to push his capabilities in the classroom and set him apart from his peers.Modern Learning (31:08)As a mentor, Mike recommends new professionals talk to many people. When you put yourself out there, you’ll find that people are receptive to teaching you about their experiences.Being Successful During a Breach (35:02)Steve asks Mike about his presentation on “Being Successful During a Breach.” From that presentation, Mike discusses his CISO Triforce, which he based on Zelda.You must have a wish list, an effective execution strategy, and assurance with your stakeholders. When you have those three pieces, you will be prepared to get through a breach.The Coaching Experience (44:46)Mike has found that mentoring has always come easy to him. He has always been passionate about it since he tutored other students in his youth and has found helping others incredibly fulfilling.The New CISO (49:43)To Mike, being a CISO means being agile and having a customer mindset. It’s essential to improve yourself constantly as a security professional and leader.Quote: “Just because you get a bucket of money doesn't mean that solves your problems. And one of the biggest challenges of the post-breach world is the actual transformation. You got this, okay, you get this money, you have this wishlist. Cool, now you have to find, hire onboard, ramp up, transition, ramp down, and then sustain, right? Those are such complicated stages in the whole process, and you have to start giving some of that...
10/19/202352 minutes, 14 seconds
Episode Artwork

What About Third-Party Risk? A CISO’s Questions for the SEC

In this episode of The New CISO, Steve is joined by guest Dan Creed, CISO at Allegiant.Dan first discovered his love for computers as a teenager. He has since then channeled his skills into a career in security leadership, where he balances his technical expertise with business acumen and storytelling. Today, he shares his thoughts on supply chain risk and the SEC’s new changes to cyber security guidelines. Listen to the episode to learn more about the importance of coding, coping with stress, and his critiques of the SEC.Listen to Steve and Dan discuss how reporting protects shareholders and the new stakes for CISOs :Meet Dan (1:30)Today’s guest, Dan Creed, is the CISO for Allegiant, a travel company.Dan discovered how to take over his school’s television channel in high school, which stemmed from his friend getting dumped. Dan and his friend used the cable TV channel to post some unflattering messages about his friend’s ex.Although Dan was rightfully punished at the time, he was allowed to take over the school’s computer lab, and his career journey began.Maintaining Excitement (7:02)Dan maintains his excitement for technology by keeping up with all the changes in the industry, like changes in coding. If you love learning and learn fast, you will have a rewarding and lasting career in cyber security.An Important Role (13:23)Steve presses Dan on the importance of Absec. Dan reveals that Absec is related to code and that the most essential security aspect is code.If you are in a customer-facing role, you need to be able to install software on other people’s machines and make sure their vulnerabilities are shielded.Coping Mechanisms (16:45)Dan copes with workplace and personal stress by understanding that humans are imperfect and make mistakes. There’s risk in everything we do, so keeping a balanced perspective is critical when mitigating potential cybersecurity issues. Ultimately, the stress in the security industry is building as the stakes grow, so finding ways to cope is necessary.SOAR Review (19:27)Steve asks Dan about his opinion on the automation software SOAR. He thinks it has its place, but finding people who can automate themselves is better. People need to use the right tool for the job.Building a Response Playbook (21:58)Dan shares the first thing to automate when building a response playbook for the first time. First things first, make sure you can monitor strange behavior. Starting there allows you to work on the more complex procedures.His Driving Force (26:16)Dan reflects on his reasons for finishing his degree later in life. He wanted to learn how to “speak business,” in addition to his computer skills, which drove him to complete his undergraduate degree and MBA.Choosing One (31:02)Steve presses Dan on which one to choose if you could only pick one: storytelling or culture. Dan says it depends on the person and what they are good at.If you look at what’s more important, it would be building work culture first and seeing how your team reacts to phishing and annual security training.What is Material? (33:23)Dan and Steve discuss how reports influence the stakeholders and what they invest in. Dan is critical of how the SEC changed the cyber security guidelines, partly because they are poorly organized and confusing.There are good things, but more context is needed to determine materiality. These guidelines also do not factor in how to deal with third-party risk and supply-chain issues. Reporting Issues (41:23)The SEC has intended to help shareholders with these guidelines so that they can protect the share
10/5/202350 minutes, 49 seconds
Episode Artwork

100th Episode: Six Mentorship Questions with Two Top Leaders

In this episode of The New CISO, Steve is joined by returning guests Michael Meis, Associate CISO at The University of Kansas Health System, and Mark Weatherford, the Chief Strategy Officer at The National Cybersecurity Center.For the 100th episode, Mark and Michael are back to share their thoughts on decision-making, mentorship, learning, and leadership, amongst other topics essential to the security industry. Tune into today’s episode to learn more about the career opportunities Mark and Michael didn’t take, how to measure your journey and the importance of an effective team.Listen to Steve, Michael, and Mark discuss managing stress while diving head-first into challenging situations and how to maximize the growth of junior team members:Welcome Back (1:32)Jumping in, Steve presses returning guests Mark and Michael on the most interesting career opportunities they didn’t take.&nbsp;While in the navy, Mark received a call transferring him to Virginia for a promotion. Although he did not want to go, this transfer was great for him.For Michael, when he was in the army, he turned down a promotion multiple times. He decided early on in his career that the military would not be his long-term career.Sound Career Advice (13:04)Determining when you feel fulfilled professionally allows you to make better career choices. Although our goals evolve, it’s important to reevaluate our priorities at different life stages.From a leadership perspective, it’s valuable to not think of yourself as the most intelligent person in the room but instead surround yourself with people who can fill in the gaps in your skillset. Leaders need their junior-level colleagues to succeed, and giving these employees real responsibilities allows them to transition into more significant roles.Best Mentorship Books (21:30)Mark and Michael share the books they would recommend to new and future leaders. These books are worthwhile resources that help prepare CISOs to take on higher-level work when it is presented.New To The Job (28:02)Mark and Michael explore what new CISOs should assess when new to running their teams.&nbsp;It’s essential to determine if you have good people who have lacked effective mentorship or if your organization lacks talent. Ultimately, you must ensure you have the right employees to succeed.Ultimately, you need to see if people add value or not in a crisis.Owning A Crisis (35:40)Steve presses Mark and Michael on their leadership perspective in a crisis.&nbsp;Mark reflects on an experience involving the government, where one of his employees took ownership of their security breach. Mark is still in touch with this colleague today and credits his help resolving a high-level issue.Michael reflects on a junior analyst who quickly worked his way up because he had a can-do attitude. The best career advice is to take work off of other’s plates because the people you help will never forget.Staying Grounded (40:46)To close, Steve asks Mark and Michael a more individualized question. What helps them stay grounded during stressful times in the field?For Mark, he admits he’s not great at taking a step back from work. He is passionate about the business and understands a 9-5 clock would not work for most security professionals. He can manage his stress, but he knows he lacks life balance. Though to relax, he keeps honey bees.Michael encourages everyone to eliminate the preconceived notion that this path is like other jobs. Security professionals are all-in on their work and must decide what balance means to them. For Michael, he does meditation to center himself and regulate the physical manifestations of stress.Links mentioned:<a...
9/21/202346 minutes, 28 seconds
Episode Artwork

Know Your Strengths: How to Lead with Skills You Already Have

In this episode of The New CISO, Steve is joined by guest Maria Sexton, Chief Information Officer at the University Medical Center of Southern Nevada.Before starting her security career, Maria worked as a self-described secretary, seeking a better financial future for her family. Now, with her dream job, she shares how to become a strong communicator and leader. Tune into today’s episode to learn more about Maria’s passion for the healthcare industry, her strong people skills, and why you shouldn’t fake it until you make it.Listen to Steve and Maria discuss being confident in your strengths while understanding your weaknesses and what first-graders and board members have in common:Meet Maria (1:36)Maria reflects on why her current role is her dream job. With a diverse background, Mara found that healthcare customers were the people she wanted to serve.She didn’t plan on landing in healthcare, but she resonates with the mission of the field, which is why she feels she has her dream job. She recommends that everyone find an industry that aligns with them.Getting Her Start (6:00)Before starting her IT path, Maria worked as a secretary, a term not often used today. During this time, Maria went through personal family issues and needed to evaluate her financial future for herself and her children.Always interested in computers, Maria talked to the IT department at her company and asked how to get involved. Their advice led Maria to get a certificate, thus beginning the rewarding career she has today. It was scary initially, but Maria allowed herself to try and fail to succeed.Successful Communication (13:39)Steve presses Maria on whether she always had the clarity and confidence she showcases today.Maria understood she would never be an engineer, but her strengths lay in being diligent and taking notes. Therefore, she was excellent at communicating technology to people without a technology background, giving her a robust career skill set. Empathy, communication, and public speaking abilities made her the leader she is today.Explaining to a First Grader (16:33)Maria shares her experience talking to her granddaughter’s first-grade class about her job. She found these kids incredibly bright and showed a firm understanding of technology and computers.Learning how to communicate technology ideas to an audience without experience is critical.&nbsp;Standing Out (23:45)When evaluating a resume, Maria likes to see if they have motivation. Nowadays, more people than ever are interested in security. So, it’s essential to evaluate if the people coming in are serious.Maria is looking to hire a self-starter who takes advantage of the resources available to work in security. She also admires when applicants understand their strengths and weaknesses and where they can be best utilized.Confidence In Communication (27:22)Maria could always communicate effectively. As the child of Italian immigrants, Maria was responsible for speaking on behalf of her parents and helping them navigate the US.Her childhood also gave her empathy and the ability to read non-verbal cues, which has been helpful throughout her career. Learning to communicate with those around you is critical, no matter your role.Don’t Fake It Until You Make It (39:51)In terms of security, you really can’t fake it because the consequences could be dire. But outside of security, Maria has never liked the phrase “fake it until you make it.”This saying irks Maria because she thinks it is terrible advice. If you don’t know something, you should learn it. If you need a mentor, find one. You should want to get whatever you don’t have because...
9/7/202355 minutes, 23 seconds
Episode Artwork

What’s In a Word? Managing Your Message More Effectively

In this episode of The New CISO, Steve is joined by guest Frank Vesce, CISO for Allvue Systems.Beginning his life in a Brooklyn orphanage, Frank is now a cyber security leader, government advisor, youth mentor, and community advocate. Today, he joins Steve to discuss the technical and human side of cyber security. Tune into today’s episode to learn more about Frank’s professional journey, his approach to interviewing, and his motivation to mentor.Listen to Steve and Frank discuss the power of communication and the four types of complaints that can affect your organization:Meet Frank (1:36)Host Steve Moore introduces our guest today, Frank Vesce, who has over twenty years of experience, including global leadership positions.Frank first became intrigued by cybersecurity through the Matthew Broderick film War Games. During a coding class at university, Frank became even more interested in this field after reading the book The Cuckoo's Egg.&nbsp;First Gig (4:23)Frank's first security position was at Goldman Sachs. Before, Frank worked in IT and technology, but in 2010, Frank transitioned from infrastructure to security risk, and things moved forward from there.The Interview (5:16)Frank shares his unique approach to interviewing. He would call the interviewee by the wrong name to understand their personality.&nbsp;The best response would be when someone would politely and quickly correct him, how people answered demonstrated if they would fit on the team.Being Human (12:59)When people come to work and complain, it typically has nothing to do with their employer. They may have something going on in their personal lives, so it’s essential to get to the root of the problem before making assumptions.Frank then shares the different kinds of complainers in the workplace and how to work around them to strengthen your team.The US Coastguard (19:24)Steve presses Frank on his experience with the US Coastguard.Frank gained this opportunity from a few colleagues who asked Frank to join. The coastguard wanted someone from the financial sector to do tabletop exercises, and Frank was the right fit. Ultimately, these exercises helped inform public policy.Working in government also taught him the importance of communication chains and how to determine which phrases and words can or cannot be shared. Steve and Frank discuss managing your words effectively when security is essential.Bad Advice (29:51)Frank tries to learn from his mistakes and turn them into positives. However, he has one example of bad advice.He shares a story where his boss took him to coffee to yell at him for a mistake. However, Frank told his boss he wasn’t coached on that aspect of his job. Frank lacked advice during this circumstance.&nbsp;Different Philosophies (36:21)To Frank, teams need to be transparent with boards today as boards get savvier. Especially if there is a breach, you don’t want to lose your reputation with your firm.Learning how to translate what’s on the technology side to the business side is critical. Everything boils down to communication.What’s In A Word? (39:21)When Frank returned to Goldman Sachs, he was tasked with creating a change management system.During this project, Frank had an issue with a colleague over the word “re-engineer.” The colleague felt more comfortable with the word “enhance.” When new to a firm, using the right words to gather the most support is critical.Origin Story (43:50)Steve presses Frank about his life in an orphanage.&nbsp;Frank spent some time there but was later adopted by a caring family. This motivated Frank to give back, and now Frank works with the...
8/24/202350 minutes, 38 seconds
Episode Artwork

Confidence or Arrogance? Ego Problems and How to Solve Them

In this episode of The New CISO, Steve is joined by guest Brad Sexton, Chief Information Officer, and Information Security Officer at Terrible’s.After having issues with a Dot Matrix printer, Brad was inspired to transition from a career in education to IT. Through conflict, change, and self-reflection, Brad has become the effective leader he is today. Tune into today’s episode to learn more about Brad’s career journey, the consequences of “ego,” and how to leave a job gracefully.Listen to Steve and Brad discuss how leaders can walk the fine line between confidence and arrogance and the right motives for becoming a leader:Meet Brad (1:44)Host Steve Moore introduces our guest today, Brad Sexton, who started working at Terrible’s in Las Vegas last April.Brad shares that before becoming a CISO, he worked at a boys and girls type club where they all shared one printer. Wanting to be able to print from different areas of the office, Brad took on the task of updating the printer to fit his office’s needs. Brad has been in IT ever since.Next Steps (5:09)Brad reveals the next steps of his career transition. His boss at the education center asked Brad for IT-related help. Brad was then moved into the IT department and used this moment to finish his education.During this time, Brad could see tech from a bigger picture and eventually was designing a forklift upgrade for the theater. He started working with routers and did more and more. By the time Brad settled in Vegas, he could use his experience to manage teams successfully.Checking The Ego (11:13)Steve presses Brad on the lessons he learned from his first IT job.&nbsp;Brad believes that his ego got in the way of his ability to do his job. After many years, Brad finally understood what he could have done differently. Thankfully, his boss knew he had potential and was willing to have a difficult conversation that resonated with him later.The Clues (16:30)Brad explores the clues of a person with an ego problem. In addition, Brad explains that leaders should always create a safe space for their employees to communicate with them.Everyone has strengths and weaknesses, and it’s helpful when leaders can help their employees identify theirs. Ultimately, there is a “fine line between confidence and arrogance,” and leaders must have the confidence to articulate challenging feedback.The Right Motives (25:54)Steve presses Brad on what his motives were for becoming a leader. Brad reflects that he wanted a sphere of influence and recognized that he could make more of a difference in a higher position.Brad suggests always knowing your “why” before approaching leadership roles.The Wrong Fit (29:53)Brad worked in government and realized two things. He was in the wrong place, and they didn’t want them there either. Knowing there was tension from the beginning made Brad’s time in this role very challenging.Brad learned later that this company did not want anyone in that position, but he was the most qualified. Now, Brad understands the importance of finding the right fit for a role and considers that when interviewing future colleagues.Mutual Contact (34:58)Brad and Steve discuss a mutual connection named David, who is an individual who helped Brad move into the casino gaming space. Brad appreciates that David took a chance on him and is still in touch.Relationships are critical as you advance in your career because no one knows everything.Leaving Gracefully (40:04)Brad shares his tips on leaving a job gracefully. He suggests managing the emotion that you let someone down.&nbsp;Having an open communication line with your boss and feeling comfortable articulating your...
8/10/202349 minutes, 21 seconds
Episode Artwork

The 70-20-10 Rule: Steps You Can Take for Professional Growth

In this episode of The New CISO, Steve is joined by guest Andrew Wilder, Adjunct Professor at Washington University in St. Louis and a multi-time CISO.After eighteen years, Andrew left a job he loved to transition into global security. Now, he gives back to the cybersecurity community by sharing his insight as a professor and mentor. Tune into today’s episode to learn more about his IT journey, expanding your network, and company red flags.Listen to Steve and Andrew discuss his five-step mentorship plan and essential interview guidelines for CISOs:Meet Andrew (1:38)Host Steve Moore introduces our guest today, Andrew Wilder, who has worked in cyber security for twenty years.Andrew got his start in cybersecurity by working at a paper company, where he worked in marketing, sales, inventory, customer service, and more. One day the owner came to him, wanting to change their computer systems. Being the youngest in the office, Andrew was given the project, beginning his IT journey.Eighteen Years (6:23)Andrew reveals why he stayed at Nestle for eighteen years. Andrew loved the people and culture and even met his wife on the job.Steve presses Andrew on why he didn’t stay longer, and Andrew reveals that he progressed as far as he could go. Wanting to move forward in his career, Andrew felt inclined to make the jump.A Difficult Move (8:12)Andrew shares how challenging it was to leave Nestle. Although his co-workers were shocked, Andrew knew going was right for him.If you’re in a similar situation, you may always find something to regret, but no situation is perfect. Ultimately, you have to do what’s best for you.Care About Your Career (11:50)When contemplating a career transition, Andrew recommends finding a mentor. Of course, no one will care for your career for you. You will make time for something and seek the necessary resources if you care about it.The Five-Step Plan (13:59)Andrew shares his five-step plan for changing careers, which includes creating a development plan with your mentor and filling in the gaps in your desired skill set.In addition, Andrew shares a helpful tip he received from Nestle, which is that 70% of your learning should be learning by doing. 20% of learning is through relationships, while 10% should be through a course or learning program.Getting In The Room (20:00)Steve presses Andrew on what steps CISOs should take to get in the room. Andrew recommends ensuring people know who you are and your expertise.If people don’t know you, you’ll never be able to prove yourself. That is the value of expanding your network.What To Ask (24:47)If you’re offered a board-type position, it’s essential to learn about the company culture and the CEO and review any incident reports that allow you to bring your expertise to the position.Interview Questions (28:24)Enterprise risk management is an excellent framework to focus on during an interview. Asking questions based on prior risks will reveal much about an organization, including red flags.Andrew also reveals other red flags to look for in an interview. If companies don’t show change or progress with security, the work culture will be less desirable for a CISO. The worst cyberculture you could join is one where they won’t admit when they’ve experienced a breach.Business Continuity Planning (37:20)Business continuity planning is ignored a lot in cybersecurity because it is business driven. In Andrew’s opinion, cybersecurity should be separate.Andrew and Steve discuss other business dynamics and what should or shouldn’t be the responsibility of the CISO.Why Teaching (41:43)Steve presses...
7/27/202349 minutes, 17 seconds
Episode Artwork

Security Engineer to CEO: Taking a Chance on Yourself

In this episode of The New CISO, Steve is joined by guest Suid Adeyanju, CEO and Co-Founder of RiverSafe Ltd.Although his parents dreamed of Suid becoming a lawyer or a doctor, Suid had a passion for technology. Although his path was challenging, Suid shares how he successfully transitioned from a security engineer to an entrepreneur. Tune into this week’s episode to learn more about Suid’s early career journey, the mindset differences between engineering and business leadership, and the catalyst for starting his business.Listen to Steve and Suid discuss navigating the corporate ladder and how security professionals can become business leaders:Meet Suid (1:39)Host Steve Moore introduces our guest today, Suid Adeyanju, a security professional and entrepreneur. At RiverSafe Ltd., Suid’s team specializes in cyber security, data operations, and demo.&nbsp;Since childhood, Suid wanted to work in technology. Recently, he found his old yearbook from Nigeria and saw that he wanted to be a computer engineer even then. Even though that goal was unusual then, it demonstrates that Suid always wanted to be in technology.At University (6:24)While at university, Suid initially went for computer science and mathematics. After studying accounting for two years, his professor steered him toward business information systems.&nbsp;As much as Suid loves computers, understanding how organizations deliver their services was a better fit.&nbsp;Think About Impact (10:26)Steve and Suid discuss how security leaders need to consider how their security work impacts the business.&nbsp;If leaders focus on making the business secure, they need to work with the business and understand the risks associated with the work.The Transition (13:40)Suid reflects on his transition from engineer to entrepreneur.&nbsp;As an engineer, Suid saw things in black and white. To run his business, he needed a different mindset because there is a difference between working with people versus computers.Workplace Challenges (20:03)Steve presses Suid on his time at Reuters.&nbsp;After two years of contracting, Suid saw that he was stuck in his role while his teammates gained more responsibility. Initially, Suid believed he needed to work harder and gain his master's in information security. Now, he understands that this mindset is common with ethnic minorities and reflects on the challenges he’s faced.&nbsp;Valuing Yourself (28:55)Suid realized that this particular work environment did not value the additional education he had gained or the extra work he put in. Without another job lined up, Suid decided to quit.Suid could take this risk because he had made good financial decisions, which gave him enough savings to rely on. Suid also had the proper professional skill set, preparing him to take a chance.&nbsp;Starting A Business (34:24)Suid reveals that this time led him to start his own business. Although it’s challenging to transition from engineer to entrepreneur, Suid knew his team was talented and could show value to their customers.The Big Break (38:14)Suid’s company got their big break when a senior manager at a major corruption chose to work with them. This manager took a chance on them with a significant project, which set Suid up for future momentum.Sound Advice (43:43)For the listeners who feel that the corporate world is not for them, Suid shares his advice.&nbsp;First, take a course that teaches how to set up a business. Secondly, find a mentor who can share with you valuable insight.The New Security Leader (47:21)To Suid, a new leader focuses on people. One must have empathy and...
7/13/202349 minutes, 2 seconds
Episode Artwork

The ABCs of Threat Actors: How to Stop Attackers From Becoming Insiders

In this episode of The New CISO, Steve is joined by guest Jeff Schilling, Global CISO for Teleperformance.Jeff returns to discuss a pressing issue for CISOs: Insider threats. With credentialed attacks on the rise, Jeff shares his take on the “flattening” of this evolving threat. Tune into today’s episode to learn more about the ABCs of bad actors, how Covid has contributed to the problem and complex recruiting scams.Listen to Steve and Jeff discuss which strategies are being employed to comprise employees’ credentials:The Return Of Jeff (1:42)Host Steve Moore introduces our returning guest today, Jeff Schilling of Teleperformance.Steve reveals this is Jeff's third time on the podcast. Unlike other episodes, where guests discuss their career journeys, Jeff is here to share necessary research regarding insider threats.The Problem (4:24)Jeff explores the fundamental issue of insider threats. He reveals the different levels of the skill pyramid that threat actors can be evaluated at.&nbsp;The “A” actors become insiders to exploit specific targets, which should be considered when creating a security system.The Flattening (12:46)Steve presses Jeff on what he means by “flattening techniques” that have led to our current state of attacks. Jeff explains how malware software and targeted phishing scams have been used to access their mark, an issue exasperated by remote work.Adversaries and Targets (19:54)Jeff explains how to communicate threat issues across departments, especially when there are language barriers. The biggest challenge is making messaging as simple as possible.Depending on the job functions of others, there are different responses and success results. This is why Jeff’s team focuses on training and additional monitoring and security control.More Tactics (23:28)There are many strategies that threat actors use to breach one’s security. Bad actors target companies through social media, such as Linkedin.Threat actors also learn about their target countries and reach out to them through more region-specific platforms. Jeff then asserted that insider threats must be part of every CISO’s security plan.&nbsp;Preventative Steps (31:42)Jeff assures us that there are things we can do to detect threats and explains those actions. Identifying the machine where phishing emails come from and implementing new technologies is key.The Near Future (35:50)With the evolving functions of AI, it may be easier for threat actors to be more convincing in their scams. Their messaging is getting more believable, which is why Jeff believes they are taking advantage of new technologies, despite there being safeguards.However, Jeff is not convinced that certain aspects of AI, like voice mimicking, will get more sophisticated.&nbsp;The New CISO (39:42)To Jeff, being a new CISO is constantly learning and having your finger on the pulse. If you think you know everything, it is likely you do not.Links mentioned:LinkedInQuote:“I used to say multifactor authentication at the edge was a big barrier for the threat actor to get over. That's no longer, I can't say that anymore. It's more like a small fence. And now, you got to look at how do you manage your privileges and how do you conduct IT operations inside of your wire, and how would a threat do it if they were an insider? And then what controls do you have to be able to detect that activity because they're going to be using IT tools, and they're going to look like they're coming in with a legitimate account.”
6/29/202336 minutes, 4 seconds
Episode Artwork

Great Minds Think Differently: Neurodiversity and Vulnerability in Leadership

In this episode of The New CISO, Steve is joined by guest Chris Nolke, multi-time CISO, and founder of Skycrane.Chris had decades of cybersecurity experience before starting his own company. As a neurodivergent leader and life-long learner, Chris navigates the workplace with self-reflection and candor. Tune into today’s episode to learn more about Chris’ professional journey, his human approach to leadership, and his definition of happiness.Listen to Steve and Chris discuss the values that drive career decisions and how vulnerability can serve or harm you in the workplace:Meet Chris (1:41)Host Steve Moore introduces our guest today, Chris Nolke, the founder of Skycrane.Chris first started his cybersecurity journey while studying electrical engineering in college. From there, he got a job as an engineer, which eventually led him to his current path. As a life-longer learner, Chris followed the most interesting path to him: cyber security.Defining The Interesting Path (8:36)Chris wishes he had done a “values” exercise earlier in his career to determine his professional wants. He advises other people joining the workforce to consider a process where they discover what they believe in.When you understand your values, you can make more straightforward choices toward your career.Evaluating Jobs (10:59)Chris admits that every job he’s taken has been different than he initially believed. In those circumstances, it’s essential to determine your desire to stay in that position or pivot.Personal Characteristics (14:40)Steve presses Chris on what three bullet points his colleagues would list for him. Chris states that vulnerability, being a conversationalist, and expertise have become his brand in the workplace, which has made him successful.Going Further By Saying Less (25:16)Chris shares that many people who practice impulsive communication use that as a means of connection. Reflecting on this, Chris acknowledges the difference between impact and attention.After trial and error, Chris learned he would go further in his career if he said less.Sound Advice &nbsp;(30:31)For leaders, Chris shares that neurodiversity is a superpower. If you can harness the pattern-recognizing skills of neurodivergent employees, you can build an incredible security team.To understand how to use this superpower, Chris recommends leaders have mindful conversations with their employees. People need to learn what they’re good at to get ahead.The Subject of Happiness (40:06)As a CISO, Chris is fascinated by the construct of happiness and what comes with it. Happiness is made up of joy but also contentment. Balancing between the two is the key to understanding and taking advantage of this construct.Chris recommends that every CISO creates a “happiness” process to avoid burnout, though burnout led Chris to start his own business.The New CISO (49:10)To Chris, being a new CISO is about creating a system of business relevance. You can improve your job when you understand the business's daily needs.Links mentioned:LinkedIn
6/15/202351 minutes, 35 seconds
Episode Artwork

The Power of Automation: Which Tools Can Help Your Security Team?

In this episode of The New CISO, Steve is joined by guest Peter Frochtenicht, National Manager for Security and Compliance and CISO at NEC Australia.A technician by nature, Peter has decades of experience across multiple countries. Today, he joins the podcast to discuss the complexities of AI and the benefits of time-saving tools. Tune into today’s episode to learn more about Peter’s technical journey, the most common security threats, and his advice for new CISOs.Listen to Steve and Peter discuss why automation is a critical component of security tools and how the threat landscape has changed globally:Meet Peter (1:36)Host Steve Moore introduces our guest today, Peter Frochtenicht, who has worked at NEC for nine years.Before NEC, Peter started his career as a systems engineer twenty years ago. Peter has worked in Africa and Australia and has worked his way up through different organizations.Catching Up (5:21)Ten years ago, the CISO role in Australia would be rare. Steve presses Peter as to why.Since the Australian population is smaller than the states with fewer big-name organizations, it took Australia longer to catch up in the security industry.Australia’s Biggest Threats (9:37)From a defense perspective, Australia is doing much business with the states, especially with submarines. From a threat perspective, they border China and some of the eastern countries, which makes a security threat from those countries more imminent.Increased Attacks (13:17)The most typical security attack that Peter witnesses is phishing, which affects organizations and citizens. According to Peter, it is human nature to be curious about and click on an email link. For outside threats, financial benefits and access to information are to be gained.AI has also advanced quickly, which can contribute to increased threats since you can mimic someone's voice. Organizations should be prepared to use AI for good but also be prepared for when there are more insidious reasons for using this new technology.The Benefits of AI (18:05)Steve presses Peter on what defense benefits he predicts will come from AI.Peter shares the automation tools his team uses that help reduce his analysts' headcount and save time. Chat GPT may help you personally, but Peter believes in partnering with known vendors that can help limit human error.What To Look For &nbsp;(21:11)Peter shares what CISOs should or should not look for when choosing AI tools. Analytic tools are standard and can save much time and effort. As a result, organizations can save money and trust that there will be an increase in accuracy.If tools can help CISOs detect abnormalities with less effort, that would be of service. Of course, abnormal actions may not be malicious but could be a mistake by a well-meaning person.&nbsp;Investing In Employees (28:32)Peter believes in training his people to bring the best out of them. People don’t always have the right skills at the right time, but you build a strong team when you invest in your employees and their relationship with your vendors.&nbsp;Adding Skillsets (31:05)Steve asks Peter what skillsets he had to add, besides technical abilities, to perform his role. Peter discusses his career journey, including his transition into leadership.Peter had to gain a governance mindset and consider policies and when to update said policies. It’s challenging to ask for money to pursue your endeavors, but if you have a budget, you must spend it.Sound Advice (38:56)Looking up back at his career, Peter wouldn’t change much. But Peter recommends getting training and certifications to keep yourself up to date. You...
6/1/202345 minutes, 5 seconds
Episode Artwork

Taking Extreme Ownership: How 3 Common Excuses Hurt Security Leaders

In this episode of The New CISO, Steve is joined by guest Michael Meis, Associate CISO of the University of Kansas Health System.Beginning his career in the U.S. Army Signal Corp, Michael eventually transitioned into government consulting and the private sector. Today, he shares his philosophies on leadership and ownership in the cybersecurity field. Listen to the episode to learn more about his extensive technology background, the importance of inter-department friendships, and how he helps fellow service members make their professional transitions.Listen to Steve and Adam discuss how to navigate bureaucracy and adapt to corporate environments:Meet Michael (1:41)Host Steve Moore introduces our guest today, Michael Meis. Michael has been in IT and security for fifteen years and healthcare for two years. Michael met Steve a year ago during a security conference, leading to their connecting around the industry and their philosophies on leadership.Michael also reflects on his role in the military, which began with him working with radios and evolved into performing general technology support.Getting His Start (6:09)Michael was always interested in computers but initially never saw it as a career. He decided to join the military instead. However, his military recruiter encouraged him to take a tech-related job, and his security journey began.&nbsp;This first army signal corps job was less computer-heavy than expected, but Michael still learned a lot.Dealing With Corporate Politics (9:07)For ten years, Michael worked as a government consultant. This experience taught Michael to navigate complex bureaucratic dynamics to get past red tape.Michael highlights the importance of having solid relationships in different departments to get things done. You can determine which workplace rules to bend when you understand how things are and how your organization operates.&nbsp;Finding a Path (14:01)Michael expands on the importance of relationships in a corporate setting. You can leverage those relationships when needed to promote your department’s agendas.The more you understand your organization’s rules and politics, the less friction you will face, and the more you can build a trusted security culture.&nbsp;Government Challenges (22:44)Steve presses Michael on his quote, “Governance is important, but alone won’t solve all of your problems.”Anyone who has worked in government understands that there are always challenges within its IT environments. Since the government has total control over its IT, Michael learned early on that more than governance is needed to perfect these systems. Collaboration is needed between parties.Excuses, Excuses (28:13)Michael shares the security community’s common excuses that tend to irk him.&nbsp;Budget professionals can be challenging to work with from a leadership perspective. He also gets frustrated when people use a lack of training as a reason not to try something. Michael values training, but he understands that sometimes you have to take action before that formal training comes.Behavioral Norms (33:50)Michael explores the behavioral norms that came out of his military service.Learning how to function in a corporate environment is essential for people to know when leaving the military. The benefits of this experience were the rigor and structure, which can provide direction in life. On the flip side, it can be challenging to transition from that structure because you can grow dependent on it.Helping Others (39:07)As a leader, Michael tries to help other service members remove their need for a manual when making corporate transitions. That way, they can learn to embrace their...
5/18/202348 minutes, 53 seconds
Episode Artwork

How To Build Trust Within Your Team, Your Business, and Yourself

In this episode of The New CISO, Steve is joined by guest Adam Currie, CSO at HCL Software.Adam started his career 27 years ago, working the night shift as a main frame operator before working his way up in the security world. Today, he shares how he builds trust within his team, company, and himself. Listen to the episode to learn more about his expansive career journey, when to encourage your team, and dealing with imposter syndrome.Listen to Steve and Adam discuss the right time to challenge yourself and when leaders should foster an environment where it is safe to fail:Meet Adam (1:38)Host Steve Moore introduces our guest today, Adam Currie.Adam was first the head of security operations and architecture at HCL before transitioning into the CSO role. When Adam joined HCL, he brought his breadth of technical knowledge and understanding of how their user base consumed their tools. In this business, it's essential to understand how these programs are used while ensuring they are secure, a mentality that helped Adam move into the CSO position.The Main Framer (4:41)Steve asks Adam about his experience on the main frame.When Adam was a student, he worked as a tape librarian. This after-school job led to him taking classes and learning about mainframe operations and basic coding language.&nbsp;Desktop Support (8:26)Adam believes that having a desktop support background benefits security professionals because it provides an understanding of how end users operate. Communicating with this community with empathy adds significant value to any security team.Unexpected Steps: CISO to Soc to CISO (12:38)Adam did end-user support work at Bloomberg before moving into backend enterprise applications. Then he was asked to run Bloomberg's tier one and tier two service desks, a type of work Adam did not plan on returning to. However, this opportunity offered Adam his first management role, and he credits this position as getting him to where he is today.Building Trust With Your Team&nbsp; (20:05)Upon reflecting on his job journey at Bloomberg, Adam shares why people seek new opportunities.When people leave positions or accept roles, it is for job growth. Most people want to consider how a job will help their families and goals before making a career transition. Adam would rather help his team explore their options than subdue it–though no one wants to lose valuable employees. He wants his team to trust him enough to be honest with him about when they want to make a change.A Challenge (25:21)For Adam, it is always a struggle to stay out of the weeds of the tech side of the business. He gravitates toward technology but understands that that is different from his role now.&nbsp;For leaders, it is more important to nurture an environment where employees are safe to fail because that is how people learn and grow. You shouldn't be reckless, but being inactive is more risky.Owning Failure (29:02)Steve presses Adam on how far he will go to own his team's failures. Adam thinks it is his job to communicate with senior management and shield his team from scrutiny.No matter what, we must be honest about what we can do to improve and have productive, unemotional conversations.Building a Brand (36:13)Building a brand comes with trial and error but is critical to success. Often this comes with changing the perception that security is a necessary evil. Demonstrating that security is a value-add partnership that leaders actively want to engage in is essential.Putting Yourself Out There (47:54)Though Adam is not a fan of public speaking, he believes in pushing himself past his comfort zone. Although...
5/4/202355 minutes, 55 seconds
Episode Artwork

Be Comfortable Being Uncomfortable: Managing New Roles and Next Steps

In this episode of The New CISO, Steve is joined by guest Mike Kelley, CISO of the E.W. Scripps Company.Mike worked as an auditor before eventually jumping into cyber security. Reflecting on his past, Mike shares how balancing ambition with transparency is critical to success. Listen to the episode to learn more about Mike’s auditing experience, falling into cyber security, and his advice for CISOs when interviewing.Listen to Steve and Mike discuss how leaders should assist their team with career development and why “fake it until you make it” makes for bad career advice:Meet Mike (1:44)Host Steve Moore introduces our guest today, Mike Kelley.Mike shares his role in the enterprise and consumer-based security field and how his duties differ from those in an internal security environment. Although he would say that consumer-based security is not clearly defined, his goal is to keep all things related to the consumer secure, in addition to the typical CISO goals.His Start (3:36)Before working at E.W. Scripps, Mike worked at KPMG, one of the big four firms. There, Mike performed external audits but also did some compliance consulting as well.Although no one wanted an auditor there, especially to answer his questions, Mike had to work on building a rapport with people in difficult situations. Through this role, Mike was exposed to numerous companies, allowing him to learn constantly. He may not have wanted to start in audits if he could do it all again, but this experience prepared him for his cyber security career.Adapting With Transparency (9:02)Mike has become comfortable with being uncomfortable and transparent when he doesn’t know something. When he got his CISO job, he told HR that this position was new to him and that he had a lot to learn.&nbsp;Being confident enough to say “I don’t know” is Mike’s mental motto because he knows he can adapt to new challenges. Ultimately anything is learnable as long as you push yourself, a mentality he encourages in his team.The Burn the Boats Method (17:42)After reflecting on his career decisions, including telling a company to fire him if he didn’t succeed as a director, Steve presses Mike on how he would react to someone sharing this approach.If one of Mike’s employees wanted to try a position out and see what happens, Mike would like to ease them into that role. He would let them transition through responsibilities first before changing that person’s title. Ultimately, trying and failing is okay, but Mike wants his team to fail soft versus hard.Falling Into Cyber Security (21:42)After looking for cyber security jobs for three years, Mike eased into this field through a position in compliance. Working side-by-side with security professionals, Mike was able to dip his toes.After lunch with his manager, he was offered the CISO role, and Mike immediately said yes. Mike admitted he didn’t know what he was doing but was encouraged to take this job.Rolling With It (25:01)Steve asks Mike if he ever wishes he said no when offered the CISO job. Mike knew this was the field he wanted to pursue, and he felt comfortable being transparent about his experience.Interview Questions (31:18)If you are a new CISO wanting to ask good questions in an interview, Mike suggests asking the purpose of that role at that company. Another helpful question concerns the company’s approach to trying new things and handling challenges.The Definition of Success (34:13)When evaluating a company during an interview, it’s essential to find out what that company’s definition of success is. Mike defines success as being aligned with the business that employs you and being seen beyond the...
4/20/202347 minutes, 18 seconds
Episode Artwork

The Patient Safety Model: Developing a Hospital’s Security Culture

In this episode of The New CISO, Steve is joined by Martin Fisher, CISO at Northside Hospital.An information security veteran, Martin has worked in the commercial aviation, finance, and healthcare industries and was an award-winning podcast host. Today, he shares how to build a unified team and his approach to managing mental health. Listen to the episode to learn more about the value of hobbies, defining company culture, and being an empowering leader.Listen to Steve and Martin discusses the importance of shared team culture and how CISOs can balance the stress of the job:Meet Martin (1:50)Host Steve Moore introduces our guest today, Martin Fisher. Over his decades-long tech career, Martin has worked in several industries.&nbsp;His podcast, Southern Fried Security Podcast, lasted ten years and was an incredible learning experience. While a podcast host, Martin discovered that he used too much jargon for non-security listeners, encouraging him to expand to a larger audience.Other Hobbies (5:52)Martin considers himself an original nerd, playing Dungeons and Dragons as a kid and an adult. A fan of role-playing tabletop games, Martin has backed many Kickstarters and has a great gaming community within his group of friends.Mental Healthcare (8:22)A CISO for a hospital, Martin stresses that mental healthcare is healthcare. Martin believes in what his non-profit-based workplace stands for, which is why he has chosen this role.The Bad Day Factor (10:27)Martin manages his mental health by setting boundaries. People need to separate their work and personal life because it’s essential to have time to decompress.&nbsp;In the IT and security fields, there is a high percentage of neurodivergent employees who may need additional support in dealing with stress. Leaders must have employee assistance programs to help their staff with mental healthcare safely.Being Authentic (16:50)To build lasting relationships, you have to be your authentic self. When Martin looks for people to promote within his team, he looks for genuine individuals.&nbsp;Growing the Team (18:33)When Martin started his current position, he and the company culture aligned.Starting as the original security employee, Martin has been able to grow his team. His company understands that security is an investment and helps protect its patients, which has led to its success. Martin hires employees with their personalities in mind and how they fit the company culture.Patient Safety&nbsp; (22:53)Confidentiality is paramount to uphold in the medical security field. Since they are a patient-safety-first organization, Martin ensures he hires employees who understand that mentality.Defining Work Culture (28:25)Northside lists its company culture on job listings to attract the right candidates, which includes kindness. Since Martin focuses on patient safety and quality care with his CISO work, he hires people who match those ideals.When you have this approach to hiring, you can create a positive feedback loop while forming a strong team.Culture Over Security? (33:35)Steve presses Martin on what’s more important: culture or preventing security issues?For Martin, security is still, of course, the focus. People are human and make mistakes, but they’ve never had a problem they couldn’t control.&nbsp;Bad Advice (38:43)The worst career advice Martin ever received was to work for a hedge fund. This environment was not a good fit for Martin, further emphasizing his point on authenticity's value.Military Experience (39:56)Martin explores how he has applied his military service...
4/6/202349 minutes, 22 seconds
Episode Artwork

What Would a Breach Cost You? Personal Risk vs. Reward as a CISO

In this episode of The New CISO, Steve is joined by guest Jeff Farinich, SVP of Technology Services and CISO at New American Funding.First starting his career as a general contractor, Jeff now prides himself on solving security problems. Today, Jeff shares how he makes career decisions and manages his organization’s risks. Listen to the episode to learn more about Jeff’s extensive career journey, his development relationship with vendors, and how CISOs take on a great deal of personal risk.Listen to Steve and Jeff discuss the right time to leave a company and the personal and monetary cost of a breach:Meet Jeff (1:45)Host Steve Moore introduces our guest today, Jeff Farinich.In his early twenties, Jeff studied accounting but realized it wasn’t for him. He then became a general contractor, but by his mid-twenties, he was still determining what he wanted to do. He soon took a course that kickstarted his IT career, putting him on the path to becoming a CISO.Adjusting To The Job (4:20)When Jeff started his first IT job, he was excited by the change of direction.&nbsp;However, Jeff realized he always dabbled in tech because even at his first accounting job, he helped manage PCs.Multiple Paths (6:28)Jeff reflects on his job at a large property management company and his position as an MS manager at a small movie studio.He soon began his path into security management and leadership. Through the movie studio, he also went to the premiere of a Jean-Claude Van Damme movie.Advice To His Younger Self (10:45)If Jeff could give his younger self advice, he would suggest getting as much tech experience as possible on the VAR side. He also would have stayed in Silicon Valley longer, possibly having an even more explosive career.A MacGyver Type (15:38)Steve presses Jeff on whether he would ever consider stepping away from the technical side of security to get on the strategy/VAR side.Jeff is very open but also likes to fix things. He refers to himself as a MacGyver type “born with a screwdriver in hand.”A Development Relationship (19:30)Jeff enjoys having a development partnership with partners by trying new, untested tech at a low cost.This type of relationship allows both parties to win and allows Jeff to be creative and drive innovation for that vendor.Evaluating Vendors (22:13)There are fewer IT vendors than security vendors, so there have been fewer decisions for Jeff to make. Evaluating vendors to work with is a process and can leave room for great, collaborative relationships.A Small Step (27:35)Before jumping into vendor development, Jeff recommends understanding the industry and being knowledgeable about the vendor space you’re interested in.&nbsp;If you are someone who doesn’t always want to contact your VAR but doesn’t know where to start, it’s essential to begin by learning and choosing carefully.Moving Up and Out (32:59)Steve presses Jeff on clarifying his belief that “the best way to move up is to move out.”Jeff is far from a job hopper, but if you wait to the point where you are desperate to leave your company, you probably should have left sooner. If you are not fixing the problems you want to repair, or there are a lot of risks, it’s valid to seek new opportunities.Managing Liability (34:51)CISOs always need to evaluate how much risk they are taking on. Whether you are an officer or director, you should realize that liability can reach you. Jeff has pushed for ways for CISOs not to be personally liable for breaches.Individual Risk...
3/23/202344 minutes, 51 seconds
Episode Artwork

Self-Sufficient Security: The Perks of Being a vCISO

In this episode of The New CISO, Steve is joined by guest Laura Louthan, Founder &amp; vCISO at Angel Cybersecurity.Originally from Britain, Laura moved to Los Angeles to explore new opportunities before transitioning into IT. Eventually starting her own business, Laura shares her self-sufficient approach to cyber security. Listen to the episode to learn more about Laura’s unconventional career journey, why it’s more efficient when you understand your abilities, and how she handles being a contracted CISO.Listen to Steve and Laura discuss embracing challenges but avoiding struggle and tackling likeability when applying for jobs:Meet Laura (1:45)Host Steve Moore introduces our guest today, Laura Louthan.CISO and only employee at Angel Cybersecurity, Laura, had an eclectic past before settling into the security field. She worked as a scuba instructor, can-can dancer, and temp before getting her first IT job. She feels she was fortunate to break into IT when she did.London and LA (5:04)Laura explains why London and Los Angeles didn’t suit her well. She had a job in London that she didn’t enjoy, but her brother worked in Los Angeles in the film industry.&nbsp;When she got to LA, she realized that the movie business was not for her, bringing her to her Club Med job. When something didn’t sit right with her, she left and is grateful that she used her twenties to explore. She advises people looking for work to try temping because you just need to meet someone to get your foot in the door.Learning On The Job (9:47)While working in IT at Equifax, Laura had to teach herself how to do things. She figured out how to get answers and become self-sufficient, which is a valuable skill.She knows how to get things done but also understands her skillset. She believes that it is more efficient to be truthful about your abilities.Challenges, Not Struggles (14:09)Laura admits that while she likes a challenge, she does not want to struggle. For example, she understands that privacy and security are different, although overlap exists.&nbsp;If her clients asked her to fulfill their privacy needs, she believes that would be inefficient since that is not her area of expertise. She would be happy to refer that client to a privacy professional instead.The Privacy Question (16:24)Steve asks Laura if there is a greater need for privacy help. Laura believes this is external pressure for CISOs, and that privacy pressure comes after security.Laura thinks privacy is exciting and intellectual but recognizes it as a different CISO mindset. She is very comfortable with her specialty in security.Her Time At Sephora&nbsp; (22:48)At Sephora, Laura was the head of Information Security. After working in the credit industry, she found the retail space to be a fascinating change.Although Laura is not the archetypal security type, she found her personality and gender made her a good fit for this female-focused company.&nbsp;The Likeability Index (27:41)Steve and Laura discuss how “likeability” is typically higher in women, which can hurt them during negotiations because women tend to want to be liked.Women also tend to apply for jobs they are overqualified for. Laura advises women to apply for jobs they think are reaches for themselves instead, which is what men do. We should all hope for a job that challenges us.In The Interview (31:22)Laura and Steve explore different questions candidates should ask or consider during the interview process.For Laura, she asks what technology the potential client uses, their industry, and other questions that clarify if she's the right fit. Before taking a client on, you want to ensure...
3/9/202345 minutes, 19 seconds
Episode Artwork

5 Top Tips for Boosting Security Mindfulness

In this episode of The New CISO, Steve is joined by guest Rupa Parameswaran. At the time Rupa joined the show, she was Head of Security at Amplitude. Now, she’s transitioned to a new role as VP of Security &amp; IT at Handshake.Growing up, Rupa was initially given a choice: to marry or become a doctor or engineer. With the support of her family, Rupa pursued her passions as a leader in the cyber security world. Listen to the episode to learn more about Rupa’s advice to the listeners, her first product development opportunity, and why every CISO needs to understand the power of influence.Listen to Steve and Rupa discuss the importance of having allies across the security business and how to build a culture of mindfulness in your organization:Meet Rupa (1:40)Host Steve Moore introduces our guest today, Rupa Parameswaran.With decades of experience and a deep-rooted technical background, Rupa has seen how security has evolved over the years and why CISOs need to grow with these new procedural changes. As the head of security at Amplitude, Rupa ensures that the product and employees are secure in both privacy and culture.Engineering Background (4:00)Before starting her career in cyber security, Rupa first studied engineering. Growing up in India, she felt she had a choice between getting married or going down an engineering or medical path.Rupa determined that becoming a doctor was not for her and became interested in computer engineering. In university, she worked on an AI project, leading her to move to the United States and the security industry.A Clear Path (7:08)Pre-Amazon, Rupa and her colleagues were trying to create a marketplace for books with AI security technology. After this incredible experience, it was clear to Rupa what her career should involve.Having Support (9:04)Rupa shares that India has been a typically male-dominated society, which is changing slowly. Many more parents are interested in helping their daughters pursue careers and become self-sufficient versus getting married.Rupa’s mother fought for independence, which she wanted for her children. Grateful for the support, Rupa was able to pursue her passions.Rupa’s Advice (13:50)Whether someone is a woman or just someone determining what they want to do, Rupa recommends that everyone find their passion. If you discover something that excites you, seek mentors or people you can trust to discuss your interests.You will be on a good path if you can build a support group. It may be a slow process, but it is a critical one. With mindfulness, you can build credibility with your work, and nothing can stop you.Post University (17:09)After university, Rupa was at a crossroads. Should she go into academia or not? As she determined this, she got an opportunity to be a software engineer with a new company.Interested in the GDPR security product they were building, Rupa was able to be a developer on the project. Believing in the company’s vision, Rupa was excited to get immediate security industry exposure across different team initiatives.&nbsp;Having Influence (25:19)Rupa reflects on what she learned from the GDPR project. She became skilled at building ally support groups and influencing security development without having to manage people directly.This unique opportunity gave her essential leadership skills and the ability to spread security mindfulness throughout the company.&nbsp;Her Definition (28:48)Steve presses Rupa on her definition of “security mindfulness.” To Rupa, this phrase demonstrates a willingness to include security in every initiative you pursue.&nbsp;If you build out a unique group of security-minded...
2/23/202349 minutes, 19 seconds
Episode Artwork

Are You Ready to be a CISO? Why Mentors Matter with Mark Weatherford

In this episode of The New CISO, Steve is joined by returning guest Mark Weatherford, CSO and SVP of Regulated Industries at AlertEnterprise.In last week’s episode, Mark shared how he set the foundation for his incredible career, from his start in the Navy to his time working for Governor Arnold Schwarzenegger. Today, Mark delves into his lasting legacy in the cyber security field. Listen to part two of this episode to learn more about being the plus one at security meetings, Mark’s mentorship perspective, and putting in the work to succeed.Listen to Steve and Mark discuss what it means to be coachable and the importance of experience:The White House Basement (1:33)Host Steve Moore presses his guest Mark Weatherford on a meeting he attended in the White House basement.Mark was initially instructed to use this meeting as a learning experience to see how things worked. Unexpectedly, John, the National Security Advisor, asked Mark his thoughts on an issue, and Mark answered on the spot.&nbsp;Strong Leadership (6:44)John asking Mark a security question showed strong leadership because it allowed Mark, who was new to the team, to be included.When you’re the CISO in charge, you should bring a team lead or a middle manager to meetings, so they can learn and provide input. This type of experience will allow them to build skills and develop confidence, which they will need as they climb the cyber security ladder.&nbsp;Mentorship Advice (10:29)Mark advises the younger leader to always look for opportunities to mentor people. Generally, Marks tries to be available to those who ask him to chat about leadership and security.&nbsp;On the other side, younger people need to be willing to ask for help.The Mentorship Exchange (16:10)Steve asks Mark what people should expect from mentorship lunches. Is it just lunch or something more pressing?Mark explains how in his case, he was friends with his mentor, so they mostly just enjoyed meals together. However, his mentor would ask him questions about work to see how he could help. Of course, different dynamics operate differently, but the main thing mentees should consider about themselves is, “am I coachable?”Steering The Mentee (19:47)Mark and Steve discuss how to guide mentees away from vanity. Nowadays, new security professionals may focus too much on the job title than becoming a leader.&nbsp;Mark then further explains what it means to be coachable: a willingness to take in the tough feedback to improve.In the Meeting (21:24)When Mark meets with potential mentees, he’ll give them a homework lesson and ask them what their goals are. He will also ask them what efforts they’ve made to achieve their goals.With so many CISO opportunities out there, people are getting jobs without putting in the hard work, though having experience is essential.The New CISO (24:08)To Mark, being a new CISO is a wide-open field. One must understand the job's responsibilities and be creative with their resources. Ultimately, being a new CISO is having the experience that validates your position in the role.Links mentioned:LinkedIn
1/26/202326 minutes, 58 seconds
Episode Artwork

Be the One Who Gets the Call - The Keys to Landing New Opportunities

In this episode of The New CISO, Steve is joined by guest Mark Weatherford, CISO and Head of Regulated Industries at AlertEnterprise.After many years in CISO roles, Mark eventually found himself in the White House. Reflecting on his incredible career journey, Marks evaluates the opportunities that led him to success. Listen to part one of this episode to learn more about Mark’s navy experience, the importance of delegating in leadership, and how to become the guy who always gets the call.Listen to Steve and Mark discuss when to put the fear aside and embrace the possibility of failure and the willingness to take on new opportunities:Meet Mark (1:51)Host Steve Moore introduces our guest today, Mark Weatherford. The current Chief Security Officer at AlertEnterprise, specializing in IT and OT security.Before starting his cyber security career, Mark wanted to build dams and roads in the navy. Instead, the navy had other ideas and picked Mark to be placed in the advanced electronics program, leading him to the CISO industry.&nbsp;Measuring Your Day (7:21)Mark measures his work day by the goals his team achieved or when a project is done. Although it’s a different set of standards than when you see a road or other construction projects completed before you, cyber security work can also be assessed.Life After The Navy (9:08)By the time Mark started his job at Raytheon, the Navy had a contract to complete a security project with them. Already determining when he would leave the Navy, Raytheon called him about a position that fit his skillset: building a security operations center from the ground up.Relying On Your Team (14:14)Steve presses Mark on what he learned from managing the start of the security operations center. Mark gathered that no one can do everything and that it’s essential to have a core group of leaders to rely on.Good leadership comes from delegating authority to people without micro-managing, empowering them to excel at their jobs.Working With Fear (22:07)“That’s all part of learning. Things are going to break now and then,” Marks explains when expanding on his leadership philosophy.Reflecting on his own experience with gaining new skills, Mark’s advice to anyone is that mistakes happen when you’re learning. We may be uncomfortable when things are unfamiliar, but as long as we’re not doing anything malicious, we can figure things out.What Happens Next (24:14)One day Mark received a call from his boss about a project with the Federal Government in Colorado. A year later, Mark got another call from his next job, leading him to a cabinet position.Through his impressive work experience, Mark was considered for exciting political opportunities impacting our country.That’s Politics (28:53)Mark discovered pretty quickly in politics that people aren’t always truthful. Unfortunately, he understands that this is the industry's nature, and that is how things are. As a result, it’s natural to become wary and not take everything you hear at face value, although Mark still gives people the benefit of the doubt.Working With The Legislature (31:13)Mark’s work in government allowed him to influence policy as well. Mark learned about the trade-offs in politics during this experience and why opposition can create barriers to security policy.&nbsp;Becoming The Terminator’s CISO (34:58)After leaving Colorado, Mark was called for the opportunity to work for Governor Arnold Schwarzenegger in California.&nbsp;Mark recognizes that the secret to his success derives from being prepared for new positions when they arise. Mark never directly worked with Governor Schwarzenegger, but...
1/12/202341 minutes, 24 seconds
Episode Artwork

Learning From a Layoff: Career Growth, Change, and Opportunity

In this episode of The New CISO, Steve is joined by guest Sandy Dunn, Lead Consultant, and Founder at Quark IQ.After spending years in healthcare, Sandy pivoted into a start-up before being laid off. Now embarking on the next stage of her career, Sandy shares the valuable lessons she’s learned and how she embraces life’s challenges. Listen to the episode to learn more about Sandy’s strengths as a CISO, the correlation between motherhood and leadership, and how to navigate the start-up industry.Listen to Steve and Sandy discuss the benefits of failure and maintaining an authentic mentor/mentee relationship:Meet Sandy (1:43)Host Steve Moore introduces our guest today, Sandy Dunn. Sandy has been a CISO for eight years at both a healthcare company and a startup.As she tackles her newest endeavor as the lead Consultant at Quark IQ, Sandy acknowledges that her strengths in the cyber security world are her persistence and passion for creating well-functioning systems. Although she may not think of herself as the most brilliant person in the room, her determination has been an asset everywhere she goes.Nothing To Prove (4:26)Sandy recognizes the leadership benefits of not needing to prove her brilliance. Since she doesn’t mind admitting when she doesn’t understand something, others can gain clarity, and she can identify unknown issues. She asks the questions others are afraid to ask for the benefit of her team.Although others may feel subject to imposter syndrome, Sandy reminds listeners that everyone has a vital role in the room.Having a Softer Side (10:46)As an executive who is also a mother, Sandy can use that nurturing skill set to motivate and manage her team. Sandy has become a stronger leader by putting her employees’ needs first, much like her children.Managing In The Moment (13:46)Steve presses Sandy on how she deals with team members prone to tantrums. Similar to her approach with her children and horses, Sandy’s first instinct is to understand her employees, how they think, and what upsets them. Like what drove her to cyber security, Sandy loves puzzles, including what puzzles her about people.In general, Sandy believes diversity in views and backgrounds is highly beneficial to a department because different perspectives bring different skills and abilities to the table.Potential Red Flags (20:09)Sandy is consistently asked to be a mentor, which she is grateful to do. However, she feels a person lacks curiosity if they ask her questions answerable through a quick google search.If someone fails to take the initiative to learn themselves, a job in cyber security would not be a good match for them.Resume Review (21:38)During a cyber security career day, Sandy reviewed resumes and determined who she felt were great candidates.Sandy, also an adjunct professor, found this experience rewarding because she had the chance to talk with and guide individuals on their CISO journeys.&nbsp;The Mentee/Mentor Relationship (25:21)Steve and Sandy discuss the mentor and mentee relationship.Sandy doesn’t love those terms because it’s too official for the nature of the dynamic: relationship-building. Instead of asking someone you admire to be their mentee, ask them what they are working on and how you can help, and a mutually collaborative relationship can form.Taking A Chance (30:31)Steve presses Sandy on her move from an established company to a start-up.Sandy recognized that she was no longer growing as a CISO at her healthcare job, so she jumped into a start-up business. Although she put too much trust into this company before they earned it, she did feel like it was a risk worth...
12/29/202245 minutes, 34 seconds
Episode Artwork

Protecting Your Revenue with Machine Learning and Data Science

In this episode of The New CISO, Steve is joined by returning guest Steve Magowan, VP of Cyber Security at Blackberry.Steve returns to dig into the reality of data science and AI and ML in cyber security. Breaking through the buzzwords, Steve understands the current state of technology and how it's used to protect revenue today. Listen to the episode to learn more about communicating expectations, using risk management to generate funding and the current landscape of security threats.Listen to Steve and Steve discuss educating executives and how utilizing data science in your security program can reduce friction and translate risk:Welcome Back, Steve (1:45)Host Steve Moore reintroduces our guest today, Steve Magowan. As a reminder, Steve manages everything security-related for Blackberry, from corporate security development to spearheading IoT initiatives.When asked to define AI, Steve Magowan explains that what AI means to the security world today is machine learning, both unsupervised and supervised, to prevent risk. In general, AI is still being widely researched and is often a buzzword thrown around, but full-on AI remains theoretical.Turning AI Into Action (6:22)Steve asks Steve Magowan how he handles the AI suggestion from executives, who may need more clarification on how this tech is used.&nbsp;Steve Magowan recognizes that he is a business enabler whose job is not only to protect data but to protect revenue. He would need to keep his company's resources in mind when discussing AI and determine if this type of tech is necessary for the goals ahead.Protector of Revenue (11:30)Steve Magowan has the unique position of protecting revenue for his company, an uncommon skill set for CISOs. Steve uses ML technology to map business activities and relate that to security. Having that ability allows him to communicate with executives in business terms to ensure their funds remain safe.Clear Lines (15:34)Although Steve has this authority, he believes CISOs should refrain from reporting to a CFO or CIO because their mandates conflict. Although executives wish to simplify their correspondence by going to a CIO for a one-stop shop, conflating their roles with a CISO would downplay both positions and render them less effective.&nbsp;Understanding Risk Management (19:10)Steve Magowan always tells leaders that risk management is the language in which security leaders gain money because you can turn security problems into dollars and cents. Pulling data allows you to understand and pitch how to receive resources based on the security issues faced.Ultimately, Steve's job is not to separate operations and business. His role is not to achieve technical outcomes but business outcomes using technical outcomes.&nbsp;Walking Through Detection Triggers (27:22)Steve asks Steve Magowan why the detection of bad things has shifted from signatures to "normal vs. abnormal."Steve Magowan explains how the landscape has changed and that cybercriminals now have more money to commit crimes and have the same education as security professionals. With cyber criminals getting more clever, ML is the only way to detect patterns that don't make sense, though even that is getting challenging.Staying Resilient (32:42)When facing sophisticated threats, you must ensure that you have data backups that cannot be breached and limit the scope of the hacker's blast radius for any hit. There will always be threats, but you must do your best to remain resilient.&nbsp;The Bias Problem (34:58)Steve Magowan outlines the risks of building your own ML program, such as personal biases that can skew the results of your data. The biggest lesson is that data...
12/15/202248 minutes, 8 seconds
Episode Artwork

Life After Breach: How Hospitals Can Protect Patient Data

In this episode of The New CISO, Steve is joined by Jackie Mattingly of Owensboro Health.With a passion for technology since childhood, Jackie first began her career in IT. Today, she shares how an experience with a malicious insider transitioned her into a career in information security. Listen to the episode to learn more about Jackie’s career journey, navigating company acquisitions, and protecting patients’ data.Listen to Steve and Jackie discuss the unique challenges of working as a healthcare CISO and handling security breaches:Meet Jackie (1:51)Host Steve Moore introduces our guest today, Jackie Mattingly. Jackie is the CISO for Owensboro Health, a three-hospital system in Kentucky serving eighteen counties and two states.Jackie knew she wanted to work in technology since she was a little girl, first sparked by the game Oregon Trail. Getting her degree in computer programming, Jackie reflects on how she gained the work experience needed to have the career she wanted.News Days (7:04)Steve asks Jackie about her time working at a local news publication and if she has met anyone interesting while there. Jackie shares that she mainly worked alone at night, loading the news articles to the website.The Radiology Center (8:41)Jackie’s next move into information technology was at a radiology imaging center, whose owner understood the importance of keeping up with technology.&nbsp;In one of the first radiology centers with an MRI machine, Jackie reflects on connecting the other radiology systems to that machine and what you should consider when working with a new device.Transitioning Through Acquisitions (13:18)When Owensboro Health acquired the radiology center, Jackie’s lifestyle changed. Now at a much larger organization with never-ending hours, Jackie had to meet the challenges of serving a 24-hour operation.&nbsp;Preventing Burnout (17:17)To prevent her staff from burnout, Jackie rotated calls and cross-trained each person so no matter what, people could take on each other’s roles during their on-call shift.Jackie would also be available to dive into on-call sessions because she likes to help and get into the weeds of technology.&nbsp;Leveraging The Team (20:30)Jackie has tested new technology for her companies throughout her career. Now managing the information technology for a hospital, Jackie recognized the difficulty of getting advanced technology for a larger company.While it is understandable that the hospital focuses more on patient care than tech, Jackie shares how she and her staff were leveraged to get the hospital’s systems up to par.Updating The Voice Network (25:43)Steve presses Jackie on her role in upgrading the hospital’s voice network. With so many providers’ offices and clinics to service, Jackie did have to hire a consulting company to help with the project.Although Jackie does not have a project management certificate, she does believe that training is valuable.Phasing Into Information Security (29:32)One day the FBI showed up at the hospital to state that an employee was stealing patients’ identities through their systems. Still, in her IT management role, Jackie was less information security-minded at the time.Jackie was brought on to navigate this investigation and fell in love with the security world, leading to the next phase of her career. During this time, Jackie learned that she couldn’t quit obsessing over this breach and had the drive to solve security problems.Becoming The CISO (34:22)In 2013, Jackie moved from being the IT leader to officially the security leader. She then started auditing access to patients’ charts and...
12/1/202247 minutes, 19 seconds
Episode Artwork

Building Your Framework for Fulfillment

In this episode of The New CISO, Steve is joined by Demetrios “Laz” Lazarikos, three-time CISO and Co-founder of Blue Lava Security.A naturally curious child, Laz became interested in technology early, prompting his life-long love of learning. Today, he shares how different lessons from childhood and the airforce led to his fulfilling CISO career. Listen to the episode to learn more about Laz’s fascinating cybersecurity journey, the influence of his family, and how to become a more effective mentor.Listen to Steve and Laz discuss his approach to career development and how his passion for learning led to his success:Meet Laz (1:43)Host Steve Moore introduces our guest today, Laz Lazarikos. With over thirty years of security experience, Laz wanted to build a platform where security leaders could measure, optimize, and develop their security programs, which he accomplished with Blue Lava.As a child, Laz’s mother encouraged his interest in technology. Passionate about solving tech problems at an early age, Laz credits his childhood interest as his cyber security start.Growing Up Greek (6:56)Laz shares what it was like growing up in a traditional Greek family, which he compares to the film My Big Fat Greek Wedding. From a family of entrepreneurs, Laz felt pressure to take over the family business but instead started a security career.At twelve years old, Laz’s mother advised him to go to his uncle, a loan shark, for a loan to buy tech, which he paid back with interest. Laz appreciates the lessons he received from his mother and credits her for giving him valuable life experience.Meeting Carl Sagan (10:46)At ten years old, Laz heard Carl Sagan, of the original Cosmos fame, speak during a field trip. Much of Carl’s speech resonated with Laz, including that anyone could do anything they wanted if their actions aligned with their goals.&nbsp;Going Into The Airforce (13:13)Steve asks Laz about his time in the airforce. While being recruited, Laz became interested in how systems and machines worked. Before he joined, the airforce promised he would get much training and education around security communications, which secured his interest.At seventeen, Laz’s mother allowed him to emancipate, and he officially joined the airforce and learned foundational lessons for functioning in society.A Foundation Of Learning (18:30)Steve presses Laz on what he is doing today in his pursuit of education. Laz shares how his mother took him to the library every weekend as a kid and how his father had him complete writing exercises based on the newspaper.Today, Laz looks at education as something you can never lose and can apply to life and work. Still a lover of libraries, Laz has three library cards for three cities and looks to history to improve his efforts.Working Backward To Move Forward (22:32)In terms of mentorship, Laz recommends thinking about your goals and working backward. This approach has always worked for Laz and other CISOs as well.Laz puts thought into how he uses his time for personal growth and looks to the great CISOs of history to evaluate actions for success.MBA Or Side Hustle (30:00)Steve presses Laz on if CISOs should get an MBA or do a side hustle to build a security network.&nbsp;To make this decision, you should evaluate the cost and time investments required and determine if either opportunity is needed for your overarching goals. You have to make choices based on what’s best for you.Advancing Through Mentorship (36:58)To Laz, your CISO career boils down to mentorship, and he acknowledges that his mentors were his family and, later, the airforce. With meaningful relationships, training, and...
11/17/202250 minutes, 58 seconds
Episode Artwork

Bridging the Effectiveness Gap: A CISO's Perspective on New-Scale SIEM with Tyler Farrar

In this episode of The New CISO, Steve is joined by Tyler Farrar, the CISO at Exabeam.With malware-free attacks becoming increasingly common, Tyler understands the best ways to bridge the effectiveness gap. With this in mind, he shares his SOC philosophy and the importance of threat detection. Listen to the episode to learn more about the act of prevention, the pillars of a SIEM product, and why attackers gravitate toward credential techniques.Listen to Steve and Tyler discuss the steps to success in an age of constantly increasing data :Meet Tyler (2:06)Host Steve Moore introduces our guest today, his colleague, Tyler Farrar. Before working at Exabeam, Tyler was a customer.With his impressive background in the security field, Tyler explains Exabeam's perspective on "defender behavior" and balancing incident response and crisis management with prevention.The Focus On Prevention (5:50)Steve presses Tyler on how you should balance your methods to increase prevention. Tyler lists different preventative tools, such as firewalls, and stresses the importance of detecting suspicious activity early on.Tyler gives his take on how response becomes prevention in crisis management. Preventative tools can fail, so being able to detect suspicious behaviors is critical.Addressing The Gap (10:36)Addressing the gap in analytics, Tyler recognizes that there is a difference between what the security team needs and what the SIEM product delivers.&nbsp;Every company faces an immense volume of data, an inefficient manual cyber process, and software that can fail to detect the attacker's behaviors. Tyler lists the solutions that can counteract these problems, including behavioral analytics.The Rise Of Malware-Free Attacks (14:32)Steve points out how 71% of cyber-attacks are credentialed and malware-free. Tyler explains that attackers use the compromised credentials approach because it is easy. CISOs can miss the mark because legacy software can be ineffective at detecting threats.New-Scale SIEM (20:43)According to Tyler, new-scale SIEMs would be able to securely ingest data from anywhere, parse through that information quickly, and then store that information and make it searchable.Tyler also explores his philosophy on how to design a SOC. One example of a productive SOC is conducting risk assessments throughout the organization to identify gaps and then acting on those results.Life Of The Analyst (28:52)Steve presses Tyler on how the experience of the investigation factors into meaningful work for the analyst.&nbsp;Tyler stresses the importance of SOC leadership to make the team effective. A stressed SOC can lead to the loss of talented workers and affect the company's security.New Software Ahead&nbsp; (33:16)Tyler discusses the products he is looking forward to on the horizon. Every CISO's goal is to keep their company safe. Being able to show all the threats and vulnerabilities in place would be hugely valuable, which is why Tyler is interested in Systems Navigator.SOC Philosophy (49:55)Tyler's top SOC philosophy is to be aligned with your adversaries and learn how they think in addition to your defenders. Understanding both perspectives can create a culture of empowerment and protect the organization from threats.Links mentioned:LinkedIn
11/3/202243 minutes, 56 seconds
Episode Artwork

Storytelling For CISOs – How to Make Your Message Resonate with Tom August

In this episode of The New CISO, Steve is joined by Tom August, a seasoned CISO with over thirty years of experience.First starting his career as an accounting intern, Tom has since had an incredible journey where he not only wrote the CISO Handbook but created a risk-management methodology. Today, he shares what he's learned from his years in the cybersecurity industry and the importance of storytelling. Listen to the episode to learn more about Tom’s unique transition into cybersecurity, the inspiration behind the CISO Handbook, and selling your “why.”Listen to Steve and Tom discuss how to captivate executives without fearmongering and navigating hard conversations with the broader organization:Meet Tom (1:55)Host Steve Moore introduces our guest today, Tom August. Over his decades-long career, Tom has worked across multiple industries, from healthcare to military defense to financial services.&nbsp;A lifelong fan of electronics, cybersecurity became a life-changing move for Tom, despite having an initially unrelated start.Tom’s Take (5:30)Steve presses Tom on what it was like watching the famous John McAfee and his team work when Tom was an accounting intern.Tom saw they had an organized methodology and plan when handling a security breach and appreciated being brought in. A wide-eyed college student, Tom was fascinated by everything he learned and wanted to do more.The Move To Financial Services (9:07)While building out the security program at a financial organization, Tom had the opportunity to be mentored by one of the original CISOs, Micki Krause. Recognizing that Micki is a trailblazer in the cybersecurity industry, Tom appreciates that he learned technical skills from her and how to communicate with chief executives.After being challenged by Micki, Tom was encouraged to write security books, leading to the CISO Handbook.The CISO Storyteller (15:50)To Tom, every CISO needs to be a storyteller, though few have mastered that. Often CISOs will speak to executives using different buzzwords and acronyms versus adequately explaining the problem they are trying to solve. To combat this, Tom urges listeners to work on their communication skills.The IT Audit (17:07)Tom led many audits and learned many facts about the organizations. Tom had to present a lot of research to international executives as a result.Although Tom can’t share much information about this time, he acknowledges that specific cultural differences made it challenging to tell the story of the problem at hand.A Lever of Influence (27:55)Due to his mentor relationship with Micki, Tom learned a simple but valuable risk-management methodology. Tom decided to take that further by meeting with executives individually to see what they cared about in terms of risk.As a result, Tom ensured that he could meet the needs of his organization. By the time he met with the board, there were no surprises about his security plans.Improving Our Stories (36:50)Steve presses Tom on why so many CISOs lack comprehensive storytelling skills, which Tom credits as their need to be correct. Recognizing that CISOs have good intentions, Tom also understands they can miss the bigger picture.If you are a CISO, you should know why your problem is compelling, and if you can sell that, the “where, ” “when,” and funding will follow. The main thing is not to be confusing with your delivery to maintain captivation and promote clarity.Risk Vs. Compliance (44:46)Due to his accounting background, Tom understands that auditors are well-intentioned but limited due to their checklists. Knowing that risk does not follow the rules, Tom explains that compliance is not always...
10/20/202248 minutes, 22 seconds
Episode Artwork

Translating Your Military Skills for Security Success with Jason Hamilton

In this episode of The New CISO, Steve is joined by Jason Hamilton, CISO at Mutual of Omaha, to discuss how having a military background leads to security success.After twenty-two years in the U.S. Marine Corps, Jason was able to take his skillset and move into the cyber security industry. Today, he shares what he learned over the years that prepared him for the career he has today. Listen to the episode to learn more about Jason’s military experience, tips for officers entering the civilian workforce, and the importance of corporate mentorship.Listen to Steve and Jason discuss ways for veterans to transition into the corporate world:Meet Jason (1:45)Host Steve Moore introduces our guest today, Jason Hamilton. Jason shares his first mission as a Communications Systems and Information Officer. Jason also divulges what a higher-ranking officer should do, such as refining leadership skills and managing efficiently.&nbsp;Essential Lessons (8:30)Steve presses Jason on what else he learned from his early days as an officer.Jason explains that there’s no such thing as a perfect leader, and everyone makes mistakes. The key is to learn from your mistakes when you’re young, which applies to both the military and corporate world.Civilian Training (10:01)When Jason first joined the Marine Corps, information technology was separate from his role.&nbsp;To move up, Jason had to learn to work with data on the battlefield and eventually took on an instructor position. To get smart fast, he took civilian classes to ensure he could adequately train other officers on information and data.Part Of The Job (14:56)As Jason rose through the ranks, working with data remained. Jason learned about Cyber, formerly known as Information Assurance, and how it became a priority of the Marine Corps. As Cyber became part of the military, it became more and more a part of Jason’s career.&nbsp;The Last Ten Years (19:22)Jason reflects on his last ten years in the corps. Like anyone who has long served, he had to broaden his horizons to reach a different level, often through education. Jason had a strictly cyber role by the end of his military career and focused on leadership.Ultimately, Jason credits everything he did in the Marine Corps for preparing him for the corporate world.General Feeback (22:55)Steve presses Jason for advice he can give other officers looking to transition into civilian work.&nbsp;Jason reminds officers to humble themselves when entering the corporate sector because co-workers may not care about their military past. Also, he urges officers to work on resume writing and seek mentorship when looking for a job.&nbsp;Lessons On Corporate Culture (32:10)When veterans come into an interview, there is a natural culture shock, primarily because workers are not as likely to be Type A outside the military. Other differences are incorporating empathy and listening into your leadership style.&nbsp;While it is up to you to quickly solve a problem in the military, in the corporate world, there is much more emphasis on nurturing your team to fix workplace issues.The Mentor Relationship (35:31)Jason used to meet his corporate mentor once a month and learned after his first meeting that he would need to drive the conversation. Jason then would send his mentor his agenda two weeks ahead of time to ensure that he would make the most out of every encounter.Ultimately, veterans need to show initiative when transitioning into civilian work.The End Of The Mentorship (37:37)Steven asks Jason what officers should gain from a corporate mentorship program. Besides resume writing, Jason urges veterans to learn how to
10/6/202250 minutes, 26 seconds
Episode Artwork

Broad Knowledge is Power: Building a Better Security Team with Bryan Willett

In this episode of The New CISO, Steve is joined by Bryan Willett, CSO at Lexmark International, Inc, to highlight the importance of collaboration and team building.With over two decades of experience, Bryan understands the CISO role and how to support your team. With this in mind, he shares what CISOs can do once they achieve this status to develop their skills further. Listen to the episode to learn more about transitioning into management, sharing your knowledge, and the benefits of diversity.Listen to Steve and&nbsp; Bryan discuss how to build a diverse security team and the skills needed to be a better CISO:Meet Bryan (1:50)Host Steve Moore introduces our guest today, Bryan Willett. Bryan has worked at Lexmark for over 25 years and prioritizes minimizing risk for the business.With a unique scope of duties, Bryan has worked his way up the ranks and monitors security trends, such as supply chain measures. Ultimately, he understands the importance of collaboration to keep all company areas safe.&nbsp;The Road Travelled (5:37)Beginning his career in firmware development, Bryan wanted to transition into a position where he could learn more about the product development pipeline and work with people. He then went down the product management track, which set him up for the leadership side of the field.&nbsp;The Best PM (10:27)When asked about his stepping stone from product manager to manager, Bryan reflects on what motivates him to work hard and improve the team around him.&nbsp;Feeling Intimidated (13:00)Steve presses Bryan on how intimidation and imposter syndrome impacts career goals.Bryan shares that he’s primarily looking for team members who are jacks of all trades and that he believes having a diverse set of knowledge will set you up for success. With multiple skills, you will be able to work well in the security field, even if it’s initially uncomfortable.&nbsp;Developing as a CISO (16:26)Bryan shares what CISOs can do in their position to develop further. Once getting into a management position, you should always support your team and prepare them for their subsequent roles.&nbsp;Improving as a Salesperson (24:02)As you pitch executive leadership on programs you want to implement, make sure you can explain what you need simply, without technical jargon, to convey the key points you are trying to make. Crafting a clear elevator pitch will help you make the sale.Solving Business Problems (31:18)Early in Bryan’s career, Lexmark was experiencing challenges due to the nature of the printing industry. Noticing that the company could experience a certain level of risk, Bryan built a highly capable team to harden the system and create a security development lifecycle for both the company and the customers.&nbsp;Third-Party Risk Management (38:16)When Bryan started his third-party risk management program at Lexmark, he had to partner with the procurement and legal team. Due to experience with other aspects of the business, Bryan was well-prepared to oversee this endeavor and communicate with others about their needs.Business Savvy (42:07)Steve presses Bryan on the future of CISOs.Considering the CISO today, Bryan understands they likely worked their way up in the security field. However, Bryan recognizes that this field will mature as we uncover new risks, and the CISO role will change with it. Bryan predicts that future CISOs will have the immense business knowledge needed to keep the company moving and make necessary trade-offs.The New CISO (45:47)To Bryan, being a new CISO means focusing on diversity in the workplace by hiring individuals...
9/22/202247 minutes, 55 seconds
Episode Artwork

Success After CISO: How to Become Your Own Boss” with guest Aaron Bailey from The Missing Link

In this episode of The New CISO, Steve is joined by Aaron Bailey, CISO and co-founder of The Missing Link, to discuss what it takes to start your own security business.Getting his first computer at eleven years old, Steve has always loved working with technology. Through explaining his professional journey, Steve shares the benefits and difficulties of being a cyber security founder. Listen to the episode to learn more about Aaron’s first jobs, joining an established startup, and success after being a corporate CISO.Listen to Steve and Aaron discuss being your own boss and the challenges of being a co-founder:Meet Aaron (1:32)Host Steve Moore introduces our guest today, Aaron Bailey. Always a tinkerer with technology, Aaron explains how he started in cyber security, working his way up from entry-level positions.After high school, Aaron struggled to find a job. After memorizing a manual per his father’s advice with a proposition of being quizzed, Aaron finally got hired at a computer shop, launching his career.Why This Job (9:23)Steve asks Aaron what the pay was like at his first job.&nbsp;Through hard work, Aaron’s salary doubled within a year, and he was paid far more than other people his age.Aaron’s Advice (11:52)Although Aaron does not believe you need to be a staunch techie like himself for every job, what he looks for in an interviewee is passion, intelligence, perseverance, and dedication to the field.Essential Aid (19:42)Steve presses Aaron on the guide Essential Aid and how to explain it to others. Aaron defines it as containing the top mitigation strategies for cyber intrusions. To use it properly, you have to embrace automation.Becoming a Founder (25:53)When Aaron’s colleague Sam resigned from their corporate job, Aaron learned he was starting his own business and wanted Aaron to come with him.&nbsp;Sam prompted Aaron to meet with the other partners, beginning the next stage of his CISO career. Aaron then shares the early weeks of joining the Missing Link and the challenges along the way.A Non-Startup Startup (33:05)The Missing Link was already a successful startup before Aaron joined, but they did not have a cyber security department. Aaron and Sam then became the company’s security professionals, which came with tremendous planning and organizing.&nbsp;The Entrepreneur CISO (38:48)Host Steve presses Aaron on his advice for other CISOs wanting to start their own businesses.&nbsp;Aaron shares what was difficult about being a corporate CISO where you’re not always listened to compared to his position at the Missing Link. As a founder, you have increased responsibilities, but it’s much easier to ask for what you need for your team.More Advice (44:03)Aaron is still learning the shareholding and equity aspects of being a founder. Success once does not always mean success every time, so Aaron’s main advice is to always ask for advice.Starting your own cyber security department is the most incredible interview of your career, but this path is not always easy.A New CISO Founder (50:59)To Aaron, being a CISO and a boss means having a seat on the board. Training new CISOs and watching them leave to start their own companies gives him the most joy.&nbsp;Ultimately, the new CISO strives for the top and is not afraid to bring others up in this increasingly necessary field.Links mentioned:The Missing Link
9/8/202253 minutes, 20 seconds
Episode Artwork

Leading with a Military Mindset: It’s We, Not Me with Steve Magowan

In this episode of The New CISO, Steve is joined by Steve Magowan, Vice President of Cyber Security at BlackBerry, to discuss how military teachings apply to tech.First starting his career in the air force, Steve understands how the military mindset can make you an asset in the security field. Through evaluating the benefits of his experience, Steve shares what CISOs can learn from military professionals. Listen to the episode to learn more about the importance of understanding IoTs, the military work ethic, and how quality leadership stems from a lack of ego.Listen to Steve and Steve discuss the key qualities of a leader and breaking into cyber security:Meet Steve (1:39)Host Steve Moore introduces our guest today, Steve Magowan. Steve reveals how long he’s worked for BlackBerry.Steve Magowan explains how his background in the air force led to his cyber security career, where he utilizes his tech abilities and wears many hats.A Canadian In The Air Force (4:44)Steve asks Steve Magowan, a Canadian, what was more challenging about the air force: the cold in Canada or dealing with Americans?Steve shares that the real difficulty is flying through the congestion above the United States. He realized how empty most of Canada is, which makes for great training grounds.A Transition Opportunity (8:19)Steve Magowan shares how his various skill sets suited him well for transitioning into cyber security and how there are more needs for people who understand IoT applications.&nbsp;Although having this skill set is now recognized as vitally important, it’s challenging to find someone with tech abilities who can also manage a team. Due to their work ethic and unique perspective, the military has become a worthwhile option for recruiting cybersecurity professionals.&nbsp;The Military Mindset (13:56)Steve and Steve discuss the differences between non-military and military security professionals.&nbsp;Host Steve notes that people who have served tend to be more willing to work long hours and share their perspectives to manage a crisis. Steve Magowan explains that much of this team mentality comes from the “us and we and ours” core of their military training.Moving Into Cyber Security (17:00)Although Steve did not have a direct cyber security background, a family friend knew of a job for him in the field. With years of consulting and IoT experience at 38 years old, Steve was well suited to transition into, at first, an IT team due to his leadership skills.&nbsp;He recognizes that his military experience opened the door for him, but his hunger for knowledge made him succeed.Bringing Leadership To The Table (22:38)For aspiring CISOs, host Steve presses Steve on which qualities helped break him into the field and assure employers of his leadership abilities.Steve reiterates that his military background made him a worthwhile candidate, partly due to his lack of ego. Steve knows he’s not the most intelligent guy in the room, which makes him want to learn and figure out how to solve any security problems that come his way.The Emerging Problem (27:55)Supply chain risks are a growing threat, a challenge to people in the cyber security world. Steve Magowan shares how security professionals have dealt with these types of breaches and the differing objectives between business leaders and CISOs.Differing Agendas (31:15)Steve and Steve discuss the conflicting agendas between CIOs and CISOs. Corporate America has not fully grasped the increasing cyber threats, making it harder for CISOs to do their jobs.&nbsp;CISOs have accepted high-risk positions, which is why they must learn how to communicate with CFOs with their interests in...
8/25/202244 minutes, 28 seconds
Episode Artwork

Landing a Seat in the C-Suite with Mike Woodson

In this episode of The New CISO, Steve is joined by Mike Woodson, Director of Information Security and Privacy at Sonesta International Hotel Corporation, to discuss the risk and rewards of being a CISO.First starting his career in law enforcement and cybercrime investigation, Mike now applies his police mindset to cyber security leadership. With his varied experiences in mind, he shares how his unique background makes him a well-equipped CISO. Listen to the episode to learn more about getting to the root of a threat, working with global agencies, and why CISOs should be compensated well for their high-risk responsibilities.Listen to Steve and Dr. Adrian discuss the value of mentorship and the ins and outs of a CISO career:About Mike (1:46)Host Steve Moore introduces our guest today, Mike Woodson. Mike reveals how long he’s worked for Sonesta International Hotel Corporation and how he started in the cyber security field.Mike details his background in law enforcement and teaching, leading him to investigate global cyber crimes and begin his CISO career.The Cyber Cop (9:09)Steve presses Mike on how he applies his police investigative skills to the cyber security field.Mike asks the right questions to understand what he’s dealing with during a threat. He understands that his various skill-sets are a unique asset to the CISO job and help him get to the root of the problem.The Best Job (12:27)When asked about his favorite job, Mike shares how much he enjoyed his time working for the Indonesian government. He worked with various global agencies investigating cyber crimes, which allowed him to make a difference and meet impressive people.&nbsp;Mike’s Advice (14:53)Mike’s advice to his younger self is not to settle and be adventurous. He did not plan to go to Indonesia or be a CISO, but he took his opportunities and listened to the mentors he had along the way.Radio Days (18:57)Mike shares his past as a radio DJ and how it was his first love. Steve also discusses his recent experience as a podcast host.Interview Tips (22:35)Steve presses Mike on his perspective on perfecting CISO interviews.&nbsp;Mike reminds the listeners to be themselves and take the interview as it comes. Ultimately, you have to focus on being dynamic and asking probing questions. You have to “look before you leap.”Why CISOs Quit (27:53)Mike shares why some CISOS leave a position. If someone in this role is being treated as an afterthought by higher-ups, it can easily lead to dissatisfaction. For such a high-pressure job with crucial responsibilities, it’s essential to be taken seriously by management and paid appropriately.Should We Ever Ask The CIO? (29:39)Steve asks Mike if there are ever times a CISO should ever report to the CIO. To Mike, the answer is no.The role of the CISO has grown, and if they are the chief executive officer of cyber security, they should have a seat at the table. For the business's survival, the CISO should be trusted based on their expertise.Do We Need CSOs? (32:46)Many companies have CISOs and CSOs, which share the same command line. Mike believes some organizations should have both positions, depending on their structure.Setting The Tone (37:38)Steve asks Mike how new CISOs can be proactive post-hire.&nbsp;You'll do well if you focus on building relationships, listening to people, and learning the business. To Mike, a CISO is the person who looks, listens, and leans into his work.&nbsp;&nbsp;Links mentioned:Sonesta International Hotel Corporation
8/11/202243 minutes, 7 seconds
Episode Artwork

Train the Way You Fight, Fight the Way You Train with Dr. Adrian Mayers

In this episode of The New CISO, Steve is joined again by Dr. Adrian Mayers, VP and CISO at Premera Blue Cross, to dig deeper into his knowledge of insider threat management and intelligence.As an experienced CISO, Dr. Adrian understands the difficulties of a cyber security career. With this in mind, he shares the day-to-day obstacles of the profession and what aspiring CISOs can expect from the job. Listen to the episode to learn more about the pressures CISOs face, the psychology of insider threats, and how to work past life's challenges.Listen to Steve and Dr. Adrian discuss how to get through difficult life hurdles and manage cyber threats:The “Superhero” CISO (1:44)Host Steve Moore reintroduces our guest today, Dr. Adrian Mayers. They acknowledge the stress and pressure a CISO may feel to play a superhero role, stopping every cyber threat.Although no one can prevent every obstacle, Dr. Adrian insists that every CISO must consistently attempt with high motivation to stop every threat that comes your way.Taking A “Bad” Job (5:26)Steve presses Dr. Adrian if someone should ever take a “bad” CISO job.&nbsp;Dr. Adrian brings up that every CISO needs their eyes wide open with every gig, but that early in your career, you may have to take less than ideal positions in exchange for experience.&nbsp;The Bad Day Factor (9:53)When asked about his worst day on the job, Dr. Adrian reflects that there is always something you can learn from your most challenging moments.&nbsp;Insider Threat Management (13:01)Dr. Adrian shares that his affinity for investigating insider threats first developed from his love of video games. After extensive research on counter-intelligence, he understands that specific triggers in people’s lives can lead to unattended consequences or malicious intent.&nbsp;Evaluating The Insider Threat (15:35)Steve questions why an insider psychologically may want to compromise the security of their company.&nbsp;Dr. Adrian states that every insider who goes against their company has one thing in common: a desire to deviate from the norm. And determining that motivation helps the CISO manage their investigation.&nbsp;How Far Should The Staff Go (20:46)Dr. Adrian states that your team needs to understand exactly what their doing before talking to vendors or others. By discussing with your team the boundaries for their current investigation, you can gain additional insights that will put everyone on the right path.The “Why” For Education (22:31)Years ago, Dr. Adrian decided to get a doctorate in business administration specializing in international security. He then decided to get additional certificates in the security field. Ultimately, his desire for further education came from his immense curiosity but also was prompted by the grief of losing his daughter.Defining Quality Intel Programs (28:49)“Threat intelligence is full-spectrum intelligence,” according to Dr. Adrian. By leveraging the information from your intel program and applying context around it, every security team should be able to determine the motivation for the threat and paint a more holistic picture.&nbsp;Surprising Information (32:00)Steve presses Dr. Adrian on the most surprising things he’s learned from his background in threat management.Dr. Adrian reflects on the amount of data vacuumed from our adversaries. Another shocking piece is the amount of data our allies gather on the U.S. Though, of course, the reasoning for gathering that information varies.Ph.D. Proud (35:54)Dr. Adrian always puts his doctorate before his name for several reasons.&nbsp;As a Black man from Canada...
7/28/202243 minutes, 20 seconds
Episode Artwork

Trusting Your Tech to Tackle Human Problems with Dr. Adrian Mayers

In this episode of The New CISO, Steve is joined by Dr. Adrian Mayers, VP and CISO at Premera Blue Cross, to discuss what to consider when interviewing for CISO positions and how to trust your tech in the security field.Since fifth grade, Dr. Adrian Mayers has had a passion for computers. Now a CISO, he shares the role computers play in a security professional’s day-to-day life. Listen to the episode to hear more about Dr. Adrian’s advice for aspiring CISOs, the relationship between human behavior and tech, and his thoughts on the transition to automation.Listen to Steve and Dr. Adrian discuss how to find the right security team and solve human problems with technology:Meet Dr. Adrian (1:56)Host Steve Moore introduces our guest today, Dr. Adrian Mayers, who shares a bit about his life before Premera Blue Cross and his childhood interest in computers.The Power of Story-telling (5:43)Dr. Adrian explains his love of narrative-based gaming and how escapism provides relief after difficult work days. He also shares how video games give him strategy ideas he uses in his current role.The Character of a Leader (8:19)When asked about his characterization of a leader, Dr. Adrian reflects that a leader is someone who has integrity at their core. He expresses the importance of evaluating who you are and ensuring you bring your values into a leadership position.Advice For Aspiring CISOS (9:25)Steve asks Dr. Adrian his advice for those interviewing for CISO positions.&nbsp;Dr. Adrian shares why you should communicate how security plays into your day-to-day life and ask questions about the team's previous history when tackling security problems. The main thing is to be comfortable with who’s in front of you because you would build relationships with this team if offered the position.Looking For Your Next Position (16:08)There are different considerations if you’re courting a government position than evaluating a job at a start-up company. Ultimately, it depends on each security company's process and context when navigating the interview stages.Solving Human Problems (18:25)Steve asks Dr. Adrian about his thoughts on tech solving human problems.&nbsp;Dr. Adrian reminds the listeners not to get so wrapped in the technology that they forget what they’re trying to do: tackle human problems. Ultimately, tech helps CISOs do this work, but focusing on the human elements will keep you centered and effective.Not Trusting The Tech (21:44)Dr. Adrian recognizes that many security professionals wonder if they can trust data platforms versus the insights of actual human beings.&nbsp;He also understands that there is a difference between installing programs and implementing them. Overall, if you take the time to understand the tools, you can see how tech makes effective security decisions regarding human problems.Defending Automation (26:27)Steve presses Dr. Adrian on ways to convince security professionals to automate low-level tasks.&nbsp;Dr. Adrian assures the listeners that these changes are being made daily in the security field. By clarifying to security professionals that they will not be replaced by automation but will have more space for high-level problem-solving, the transition will be easier for teams to accept.The Definition of Good (29:49)Dr. Adrian explains that the definition of “good” for security programs stems from people. If security professionals have a sense of purpose to show up every day and learn how to use the tech, then that is the measure of a quality program.If you build a dialogue with your security team and understand their concerns and issues, they will have a sense of ease when...
7/14/202241 minutes, 58 seconds
Episode Artwork

Solving Security Puzzles with Kevin DeLange

On this episode of The New CISO, Steve is joined by Kevin DeLange, the VP and CISO of IGT, to discuss how Kevin’s love of problem-solving led him to a career in cyber security.Before joining the information security field, Kevin served in the military and completed a degree in Anthropology. Now a CISO, he reflects on how the skills he developed throughout these experiences brought him to where he is now. Listen to the episode to hear more about Kevin’s career journey, solving puzzles in the workplace, and his advice for those applying for CISO positions.Listen to Steve and Kevin discuss how to define a problem before solving it and the value of real-world experience:Meet Kevin (1:30)Host Steve Moore introduces our guest today, Kevin DeLange, who shares more about IGT, a global leader in casino games, and how long he’s worked there.Life Before IGT (2:43)At seventeen, Kevin joined the military and worked on nuclear missiles. He credits this experience as his first foray into the security world.The Practicality of Anthropology (5:58)After completing his service, Kevin finished a degree in Anthropology. Kevin explores how this discipline allowed him to solve complex problems, which he has applied to his security career.A Crooked Path (7:49)Steve asks Kevin what he means by his “crooked path” into cyber security.&nbsp;Kevin explains that life is not a straight line and that although he couldn’t predict his career in his youth, he understands that he acquired the right skills along the way.Generational Differences (9:32)Although there are college degrees now in the security field, Kevin recognizes that there is no substitute for real-life experience. Kevin then lists the traits he looks for when hiring a security professional, particularly highlighting the value of soft skills.Working With Senior Management (13:56)Steve asks Kevin the best ways to present a problem in the workplace and how to stand out to senior management.Kevin says that you need to tailor your communication to the audience in front of you, whether technical or business groups. It’s also essential to ensure you have advocates outside the company to support you, which comes from building relationships.CISOS And Their Sales Teams (17:51)Kevin explains that the company’s goal is to make money and that his job is to ensure that the company is securely making money. Although understandably, security professionals and sales teams may not see eye-to-eye, it is a necessary working relationship with a common goal.Making A Choice (20:12)Balancing three full-time jobs, Kevin eventually had to choose what he wanted to pursue. Ultimately, Kevin decided on information security because he finds it exciting and himself well-equipped for its problem-solving component.Simplifying The Problem (23:28)The most challenging thing for Kevin is to simplify the problem before trying to solve it, though that is what he strives to do most. Kevin laments that it’s “difficult to prove a negative,” but the more he condenses what he’s communicating to senior management, the more he can get the support he needs.Let Things Fail (28:12)You cannot oversee your own work as a CISO, so it’s critical to pass that duty to someone on your security team. Since you cannot do it all, it’s sometimes better to let things fail to move forward.His Best Advice (35:18)Steve asks Kevin what his red flags are for people applying for security leadership positions. Kevin provides his main criteria, which is paying attention to the hiring company’s definition of a CISO.Links mentioned:<a href="https://www.igt.com/"...
6/30/202237 minutes, 43 seconds
Episode Artwork

Building The Right Relationships with Den Jones

On this episode of The New CISO, Steve is joined by Den Jones, the Chief Security Officer at Banyan Security, to discuss the importance of trustworthy and transparent relationships in the cyber security field.Before joining the security intelligence industry, Den first worked as a postman walking the streets of his native Scotland and dreamed of becoming a musician. Now a CISO, he shares how to deal with misleading salespeople and create effective data security strategies. Listen to the episode to hear more about Den’s journey, the problems with vendors, and his thoughts on building relationships.Listen to Steve and Den discuss the importance of building a network and proactive security intelligence:Meet Den (1:40)Host Steve Moore introduces our guest today, Den Jones, who shares a bit about his past and how he transitioned from postal work into cyber security.&nbsp;The Must-Have Gear (3:31)As a postman obsessed with music, Den saw his buddy's house and a Roland RSP-550 that he was dying to have. Seeing this quality of gear led Den to quit his job to find a more lucrative career path, which eventually brought him into the world of cyber security.&nbsp;College in the UK (7:03)Unlike college in the US, where you learn several subjects, Den only took classes focused on IT. Unable to finish his degree, Den reflects on how he had to drop out of school yet was the first out of his peers to get an IT job.Get IT Started. Get IT Done. (12:18)Den also discusses his Banyan Security podcast, Get IT Started. Get IT Done. Every episode, Den brings inspirational guests on to share their cyber security journeys and the full cycle of their business endeavors.The Issue With Vendors (18:23)Den recognizes that the hype around marketing distracts cyber security professionals from their work and that harassing salespeople can be a considerable frustration. Den explains how it’s better to have a “build relationships, not sell stuff” mentality in addition to ways to build transparent vendor relationships.Building A Team (27:28)Steve asks Den why he had the mission to build a strong security intelligence team.&nbsp;Den explains that much of his motivation came from wanting to solve a major question the cyber security industry had not yet solved: “Was that you who logged in?” With a small team of college grads that Den organized, they built a data security platform that secures users from computer hackers through password protection.Keeping Data Safe (32:58)Den understands that executives do not share his interest in users' security and are motivated by staying out of the press, which a preventable security breach could cause. For practitioners, the goal then must be to help their firms maintain a solid reputation but also to find ways to use their work for good.The Pillars Of The Job (36:35)Steve presses Den on the ways to push and maintain proactive security intelligence.&nbsp;Den explains how to determine the core questions that lead to protecting data and the vital importance of having users’ login information. By looking at identities, user devices, and the intelligence behind the users and the device, Den can develop data security strategies.Tips and Recommendations (42:23)All service accounts should be predictable because it allows their team to detect when there are deviations from the norm. Den recommends maintaining tight access and monitoring service accounts’ task functions to keep data safe.What Does It Mean To Be A CISO Leader? (48:40)To Den, being a CISO means building a solid network of healthy relationships. With the right people around you, you can leverage their wisdom...
6/16/202250 minutes, 7 seconds
Episode Artwork

Don’t Be Afraid to Break Things with David Lingenfelter

On this episode of The New CISO, Steve is joined by David Lingenfelter, the Vice President of Information Security at Penn National Gaming, to discuss the requirement to constantly learn and evolve in the IT security field.After falling into his passion for IT, David quickly realized just how far his knowledge could take him if he constantly built upon it. Now after a nearly 30-year-long career in IT, with a focus on computer security, he shares his experiences growing and advancing through his work in the industry. Listen to the episode to hear more about David’s journey, his advice for beginners in the field, and his thoughts on IT management.Listen to Steve and David discuss knowledge and advancement in security:Meet David (1:20)Host Steve Moore introduces our guest today, David Lingenfelter, who shares a bit about his past and how he got his start in cyber security.&nbsp;The Wild West of IT (4:11)When David began his career in IT in the early 90s, modern technology like remote access was not standard in work computers. Reflecting on his past, David discusses how he learned to market these new products to average users who didn't understand IT.Constantly Learning (7:46)Before beginning his career, David was told, "if you never want to be bored, if you want to constantly be learning, go into Security." As a beginner in the field, he constantly played with new technology and learned defense methods against the ever-evolving security attacks on IT systems.Make It or Break It (11:44)The IT security field is demanding new strategies and technologies to combat threats. David stays sharp by constantly theorizing with colleagues, "how can we make this work? And better yet, how can we break it?" He found that by working together to build something or tear it apart, you can learn how different technologies would typically work in the security space.Go Play - Go Learn (15:12)Steve asks David for his advice to those who wish to start or evolve in the IT security field. Additionally, they share their thoughts on creating educational lab environments and needing to have the genuine desire to learn and grow in computer security.Business Management &amp; Security Leadership (19:25)David is now a VP of a company, which is a significant transition from where he started in IT. He describes the differences that he noticed between being a technical leader and being a business leader. Additionally, he and Steve discuss the new responsibilities that come with the business side of computer security, like product investments, protecting intellectual property, and more.Mark Your Celebrations (28:50)How do you celebrate when you receive funding to create technological advancements in computer security? David shares the ways that he demonstrates the value of his product creations to funders.Operational Mantras (31:36)David holds monthly meetings with his company's IT team to show them different things that they're doing from a security sprint, different threats coming up, etc. He values communication with his team as one of the ways to connect all operations of his business.End User Maturity (34:12)Implementing new security protocols for end users can often be met with resistance. David shares his thoughts on the topic and how to balance focus on implementing security and doing so in a way that has the least impact on end users.Building Confidence &amp; Asking Questions (38:04)It is essential for leaders in the workplace to feel confident in their team. Steve asks David to share the one thing a security leader can do to increase their confidence in their team that represents the analytic capability of their...
6/2/202245 minutes, 47 seconds
Episode Artwork

Investing in Your Security Team with Zane Gittins

Episode summary:On this special episode of The New CISO, Tim Lowe and Katie Hatch sit down with Zane Gittins, IT security manager. The co-founder of Rincon Security, Zane discusses what he’s learned building and managing an IT team. From computer science to consulting, Zane shares the journey of his career, and what has led him to focus on cyber security visibility. Listen to the episode to hear more about Zane’s day-to-day, his news intake, and how he manages his growing team. Listen to Tim, Katie and Zane discuss security management: Zane’s Background (1:58)Zane discusses his background in IT security management and consulting with his company Rincon. A small organization, Zane wears a lot of hats and tackles a variety of issue. Staffing (3:58)Zane breaks down the misconception that it’s impossible to find good staff. He believes that if you invest in junior employees, as well as off the right packages, you can put together a great team. He believes that people who are great communicators perform well in security. Zane sets up “lunch and learns” as a way to meet and bond with people in other areas of the business. Education (7:01)One internship can change the course of your career. At least, that’s what happened when Zane took on a security internship in college. Interested in computers from a young age, his education helped focus his path. Advice to the Younger Self (8:54)If Zane could change one thing about his journey in security, it would be to meet key members of the business sooner. Through making connections, Zane has learned what their concerns and risks are when it comes to security, and how he can help in those areas. The Day-to-Day (11:00)With security visibility as his top priority, Zane focuses on updating the systems and tools of the business, onboarding new people, helping the business move in the direction it desires. Zane spends several hours a week staying up to date on current trends, utilizing Twitter to identify cybersecurity news. This preparation also helps him give context to family, friends and coworker who hear about security stories in the media. Managing the Security (16:26)A high-pressure job, Zane must stay on top of things to prevent threats. In particular, he is concerned about supply chain attacks and any new type of attack we do not yet know exists. On the other side of the coin, Zane enjoys the technical side of the job. He shares a time where he had to act like a cyber detective while consulting. Motivating the Team (20:17)Hunting down false positives every day, all day, can be fatiguing. Zane shares how weekly practice challenges have boosted the confidence and knowledge of his team. Growing Team (24:07)Zane chats about the specific skills and tools he and his team have utilized as they’ve grown. As there are a lot of tools to learn, Zane encourages team members to become experts in certain tools and platforms. Security Threats and People (27:44)When consulting, Zane is most considered with external threats. Overall, he believes that everyone has something to bring to this growing industry. When it comes to hiring and training, Zane looks to people with passion. By documenting everything, Zane and his team can better scale and onboard. 24/7 Coverage (32:25)Zane talks about what it’s like to cover the environments 24/7 and still allow himself and his team to sleep. Links mentioned:Rincon Security <a...
4/14/202235 minutes, 12 seconds
Episode Artwork

Cybersecurity Trends and Practices

On this special episode of The New CISO, Steve chats once again with Chuck Markarian and Sean Murphy. The CISO for Paccar and BEC U respectively, Chuck and Sean share their insights on the current trends in cybersecurity, as well as delve into their predictions for the field and the changing relationships within it. Listen to the episode to hear more about how the government has influenced cybersecurity, the importance of cyber insurance, and much more. Listen to Steve, Chuck and Sean discuss cybersecurity trends: Who are Chuck and Sean? (2:23)Chuck and Sean explain their current roles at Paccar and BEC U respectively, as well as the backgrounds that led them there. Political Influence (4:32)Steve, Chuck, and Sean touch on the increasing presence of politics in cybersecurity. Sean weighs in on how relationships to law enforcement are altering, as well as how perceptions on cybersecurity have evolved and changed. The Perception of the Hacker (9:57)As the government becomes more involved, the blame on organizations for being attacked has now shifted to the attacker, rightfully so. No longer are hackers a kid in basement; hackers are real and dangerous threats that need to be stopped. This greater understanding of cyber warfare has better informed the public and organizations of what could truly happen. Investment and Involvement (14:22)With this increasing awareness of cybercrimes, boards and executes are more willing to invest in CISOs and their teams. It’s better to invest in preventative tools than to pay a bigger price after an attack. Steve, Chuck, and Sean also discuss what changes when the FBI gets involved and when organizations have to wait to fix problems. Tabletops (21:30)When simulating a breech, Chuck and Sean urge any leaders to really mimic the chaos that would naturally happen at that time. Be sure to include executives in this simulation, so they can gain practice and understanding of what will be a stressful situation in the future. In doing so, you’ll also be able to identify who is making what decisions before an event occurs.Cyber Insurance (24:20)Cyber insurance is becoming more common. CISOs need to educate themselves on policies and the language of cyber insurance. This brings up other questions such as, should individuals have coverage? Should CISOs and board members? Additionally, insurance forces companies and leadership to define what an incident and breech are. This helps in determining what to report externally. A Third Party (34:43)With a third party involved, like vendors, your risk level increases. From there, you need to assess how important that third party is and the level of risk with which you’re comfortable. It is part of the CISO’s job to help navigate those relationships and dynamics, and to make sure the organization is still protected. The New CISO (45:27)Before wrapping up, Sean touches on the importance of connecting and having conversations with other CISOs. If listeners have any questions, they can contact him via LinkedIn. Links:Exabeam PodcastsSean Murphy - LinkedIn
3/31/202247 minutes, 52 seconds
Episode Artwork

Management Training: Learning How To Manage Managers

On this episode of The New CISO podcast, Jeremy Sneeden joins Steve to chat about needing management training to learn how to manage others, advocate for his team, and quantify risks. As someone with a technical background, Jeremy had to learn a whole new set of skills for his managerial role at Allina Health. He talks about how the “focus funnel” approach for his new team helped save time and money, as well as how he removes obstacles so his team can do their job. Now the Director of Operations and Engineering, Jeremy coordinates with other managers to ensure the different organizational groups are up and running. While he excels in his position, he believes in continuing to learn and support others. &nbsp; Listen to Steve and Jeremy discuss management training:Jeremy’s Background (1:47)Jeremy chats about his current position as the Director of Operations and Engineering at Allina Health. Originally a technician, Jeremy still views himself as a security engineer, despite now being in management.Management Training (6:35)When asked to be a manager, Jeremy was terrified. He had to learn a new set of skills on his own. He advocates for better training for managers, as well as finding a philosophy that fits your style.Tools for Your Team (10:30)A great manager removes obstacles for their team. Jeremy discusses how his job is helping his people do their job, particularly in obtaining the right tools so that they can do so.Talking Money and Partnerships (14:45)Oftentimes, Jeremy needs to pitch higher-ups on a new tool or equipment. In order to gain approval, he recommends talking in specific dollars and cents. Additionally, he pairs up with other infrastructure groups who want the same things as he does. Together, they ask for additional money or tools for their teams.Knowing Your Numbers and Team (19:10)Know your assets—and their costs. When quantifying security risks, Jeremy had to understand the business better, as well as how important those assets are in dollars and cents.The Focus Funnel (25:12)After three years of managing, Jeremy became director. In charge of IT Asset Management, he sat down with his new team to examine their current tasks. If the task could be automated, they started that process. While it took time and upfront money, they saved hours and millions of dollars in the long-term.Embracing the Fear (34:01)A great manager pays attention, genuinely cares, take care of their people. They handle tasks that go unnoticed such as dealing with angry customers to advocating for your promotion. Jeremy believes that a great manager is also willing to get uncomfortable—or even scared—in order to grow and do what’s best for the team.Manger of Managers (40:30)As someone who manages other managers, Jeremy has learned when to get involved and when to back off. He has adapted to letting go of certain tasks and oversights, with the help of communication.The CISO in Training (45:44)Being a CISO-in-training to Jeremy means listening to his mentors, and continuing to learn and take care of his employees.&nbsp;Links:Exabeam Podcasts
3/10/202247 minutes, 5 seconds
Episode Artwork

Managing Your First Zero-Day Attack

On today’s episode, we are joined by Chris Wolski, the CISO of Port of Houston. He chats about job hunting, the aftermath of an attack and more.&nbsp;Becoming a CISOA returning guest, the last time Chris was on the show, he was unemployed. From being let go to landing his current position, the process took Chris six months. He chats about what that was like and the normal CISO versus the “Rockstar” CISO. Despite his limited experience in maritime, Chris took a chance and was rewarded.&nbsp;Socializing as a CISOVia events and even LinkedIn, Chris was able to expand his network. Through his connections, he was able to educate himself well enough in maritime transportation, laws and security to better understand his current job. Overall, Chris encourages you to do your homework on the industry, company and people when job searching.&nbsp;The First CISOThe first CISO at Port of Houston, Chris has faced unique challenges. In part, he’s had to convince the port why cybersecurity is needed, and how it can impact cargo movement.&nbsp;Attacks and RisksRecently, the port had an attack. Having a zero-day used against them, Chris found the experience eye-opening. Thankfully, Chris already had an action plan, as well as a risk metrics to guide him. Within 2 hours, the attack was contained and fully remediated after 10 hours.&nbsp;The Aftermath of an AttackAlthough doubted initially, Chris found himself trusted, despite it being done after an incident. He documented everything and encourages other CISOs to do the same. As a result of his work, he was elevated within the organization and the maritime community. There was no doubt of Chris’s ability and purpose within the organization. Within two hours, the port saw its ROI.After the incident, they shared what had happened in the hopes of opening up communication. By sharing, Chris can help others avoid what happened to Port Houston.&nbsp;Getting Help &nbsp;&nbsp;Due to the severity of the attack, Chris explains why the Coast Guard, FBI and other entities had to offer assistance. While it may be hard to juggle all those organizations, they have access to resources that Chris couldn’t have had otherwise. Again, it came down to reaching out to connections.&nbsp;Indifferent Insiders &nbsp;&nbsp;&nbsp;Do you need to have a major incident in order for an entire organization to believe in the role of a CISO? Chris explains how equating cybersecurity to something others already know can help convince them of its importance so they can better understand. With Port Houston, Chris compared cybersecurity to physical security to put everyone at ease.Nowadays, cybersecurity impacts everyone. Any machinery, manufacturing and more has computer chips in their parts, which makes them susceptible to an attack. It’s important to convey the severity of cybersecurity to others.&nbsp;The New CISOTo Chris, being a new CISO means doing your homework on your industry, company, and the people around you. Be willing to learn and you’ll find success.&nbsp;Links:Chris Wolski - LinkedInMaritime Security Talk - YouTube ChannelExabeam...
12/23/202139 minutes, 49 seconds
Episode Artwork

Demonstrating the Value of Your Program to the 'Layman'

On today’s episode, we are joined by Andrew Obadiaru, CISO and Head of IT for Cobalt. Andrew discusses using soft skills to build connections within an organization. Listen to the episode to hear his advice on&nbsp;Two Roles in OneAndrew discusses what it’s like to oversee both security and IT. The fields overlap in many ways and differ in others. He’s not the only guest who has taken on this joint role of security and technology. Andrew explains how depending on the industry and the size of the company, having one person managing both departments can either be extremely helpful or burdensome.For those entering that joint role with background in only one field, Andrew emphasizes getting to understand why IT or security is important and how it operates. With the help of good managers, you can overcome your lack of experience.&nbsp;Challenges in PerspectiveAndrew chats about the challenges in the industry, mainly how cybersecurity departments must prove their worth to their own company. Only when there’s a breach do many businesses see the importance of cybersecurity. As cybercrimes can happen due to anyone’s actions within an organization, it’s especially important to convey the purpose of the department.Andrew believes that if you can point to related data points -- for example, how cybersecurity impacts the ROI – then you can properly convince others of its value add.&nbsp;Developing Soft SkillsWhen selling the idea of cybersecurity to the rest of an organization, Andrew says to lean on soft skills. Learn the right balance between technical and business language to express yourself when talking to executives. Andrew encourages CISOs to focus on understanding concepts and get into the more technical details only if asked.&nbsp;Budgeting MeetingsWhen entering budgeting meetings, your approach must be different than it is for other topics. Andrew encourages CISOs to really understand the crown jewels of the organization, as well as its risks. When you can figure out what’s valued within the company and how well – or not well – it’s protected, then you can properly convey what you need.If you’re entering a routine optics meeting, you want to outline the current threats that the industry or competitors have seen and discuss how you plan to mitigate those.&nbsp;Building ConnectionsPrior to entering a budgeting meeting, it’s important to have allies on your side. This doesn’t mean just someone who you ask to back you before the meeting begins. Andrew stresses that building connections and creating allies can take weeks or even months and should look like you conveying to leaders how cybersecurity will impact their departments. So when asking for a larger budget and explaining why, the other department heads will understand the relevance and are more likely to back you.&nbsp;&nbsp;Andrew’s BackgroundAndrew has a background as an auditor, which he feels has benefitted him greatly. As he moved further into his career, he has found that his exposure to difficult conversations around money have helped him with his work now. He doesn’t feel intimidated, as he knows how to discuss difficult topics. Andrew believes that having a diverse background can be helpful in handling interpersonal relations or even conflict during meetings.&nbsp;Maturity vs. EfficacyAndrew differentiates a mature organization from an effective one. A mature organization may have a lot of documentation, repeatable steps and other solid processes. However, maturity within in an organization doesn’t always point to how effective they
11/18/202149 minutes, 33 seconds
Episode Artwork

Don't Cut Corners When It Comes To Credentials

On today’s episode, Martin Littmann, CISO at Kelsey-Seybold clinic in Houston, joins us once again to discuss credentials. The systems in place to create them and protect them are essential. Hear his opinions on these systems.&nbsp;CredentialsMartin outlines exactly what defines credentials. Credentials are the username and password created to log into an account. One question Martin attempts to determine is how do you know if the person using an account is someone who is authorized?He shares his method for identifying this. Previously, it was largely based on trust before technology was advanced enough. Nowadays, it is very important to use technology to identify if account activity is normal or abnormal. Using the location of logins is very important. Correlating people’s activity and determining if it is abnormal is a good way to identify and flag abnormal activity.&nbsp;&nbsp;Risk ManagementHow does this translate to risk management? If you notice suspicious trends, introduce a new challenge the user must answer to authenticate their identity. Learn how to discern between threats and simple bad IT.&nbsp;Normal behavior is time of access, duration of access, and location of access. Use this to identify normal and assess the risk.&nbsp; Frequent QuestioningSecurity personnel have access to analytical tools and therefore have a wealth of information. They can help to determine compromise. Thus, they often receive an influx of questions. While they can’t access everything, there is a lot of information that security personnel access. Other members in the company can use the information to determine productivity.&nbsp;A piece of advice: present the facts without making assumptions. &nbsp;Martin’s Steps to Account Protection Do we have a standard by which we create accounts? If the process is automated- is it bulletproof and unable to be overridden? How is the length and strength process? What is the process of creating the password? &nbsp;Martin’s AdviceAt a policy level, there will be certain requirements that a password must meet. However, there also needs to be technology behind it to enforce these requirements.&nbsp;Marin suggests that organizations need to invest in protecting credentials. The password policy needs to be reasonable and specific.&nbsp; Password Rotation and LockoutWhat does Martin think about these topics? He believes that longer passwords are stronger but changing the password frequently does not help because people will simplify the password. He is not a fan of the 90 day password but believes passwords should be changed in certain incidents.Martin also recommends utilizing a password vault.&nbsp;Be Discrete&nbsp;On a personal level, remember that your own data can be searched out. Using somebody else's data to answer your personal questions can help to protect you, as well.&nbsp;&nbsp;Final Advice When doing two factor authentication, if you can use an app rather than receive an SMS, do it.&nbsp; When talking about password vaults, don’t use the browser function to store passwords, use a dedicated app.&nbsp; &nbsp;Links:Exabeam Podcasts<a...
11/4/202150 minutes, 21 seconds
Episode Artwork

Invest in People as Much as Tools

On today’s episode, Luk Schoonaert, CISO for Exclusive Networks, joins us to discuss his experiences becoming a new CISO as well as the digital transformations and threat hunting.&nbsp;&nbsp;&nbsp;Career/HistoryCurrently based out of Belgium, Luk has been in security for over 20 years. Working in startups for years, he developed his passion for security. Newly, he has become the CISO for Exclusive Networks. He is a technology focused, goal oriented individual.&nbsp;&nbsp;Working with the Buyer&nbsp;If you are working with vendors or as a defender in a network, it is essential to equip the buyer and teach them how to sell internally. Leaving them with a clear picture, number or story that enables them to get their job done is an important skill to have. Luk advises to listen and ask questions in your meetings. Talk about the big picture and be transparent.&nbsp;&nbsp;RepresentationWhat should a CISO report to the board? How should they represent their program? Be there for the business so the business can function. Think about how you can best help the business to grow in what they are doing.&nbsp;&nbsp;Digital TransformationWith the cloud becoming more in use, sometimes the security team gets left behind when the data transfer occurs. Adapting to such changes requires extra help and can also lead to mistakes or attacks. If you lose your logs, it can cause many problems to arise. However, it can be a great opportunity - if you get ahead of it.&nbsp;&nbsp;FocusAs a CISO, pick one thing and do it well. If you focus on one thing and succeed, you’ll be able to build some credibility and gain leadership merit.&nbsp;Threat HuntingLuk has helped to build a Threat Hunting Academy. People can oftentimes stay too connected to old technology. He is giving workshops where, using a lab environment, they show how a breach occurs. This visualization of an attack is something many people never see or truly understand. Their program has received positive feedback and they now have an even more hands-on class.&nbsp;&nbsp;By showing how an intrusion happens, it can help people realize where they may be lacking. This is an ongoing effort but it helps things to not go undetected. Ask the “what ifs.” You will get a good idea at how well you could do should an attack occur.&nbsp;Through this, you can measure efficacy and tell the story of your business.&nbsp; Being a New CISOTo Luk, being a new CISO is a very exciting expeirene. Being able to implement security practices in a company and drive the direction of certain practices is exciting. Ensuring secure functions of a company is something he takes very seriously.&nbsp; Links:Exabeam Podcasts
10/21/202148 minutes, 25 seconds
Episode Artwork

Empowering People to Bring Their “Whole Self” to Work

On today’s episode, we are joined by Azzam Zahir, Global Director of Insider Threat and Security at General Motors. He discusses his journey in becoming a leader in his field and what he has learned in that process.&nbsp;&nbsp;Journey to LeadershipAfter finishing school, Azzam took it upon himself to seek opportunities and work extremely hard in any job assigned to him. His inquisitive mindset helped to forge his path. In 2007/2008 was when his title changed to being a leader. His strengths in managing with influence helped him to take on that leadership role. The transition to the role involved understanding the new responsibility of managing people.&nbsp;&nbsp;His biggest fear going into the position was the fear of failing as a people leader. He worried about giving them the necessary time and attention to allow them to succeed. An unexpected challenge was the day to day management tasks.&nbsp;&nbsp;ReviewHow does Azzam review people and give them feedback? Contrary to the typical HR review process, he does it early and often. Don’t wait until a review period to give constructive feedback. This can eliminate some of the nervousness and help people to be more receptive to the feedback.What cornerstones of leadership does Azzam expect? Leaders should allow people to be their individual selves and bring their uniqueness to the table. Let them do work that makes sense with the skills they already have. &nbsp;&nbsp;Young AzzamWhat advice would Azzam give to his younger self? One thing, which is challenging, is don’t chase the money. Focus on the career, not the jobs being offered to you. If the job doesn’t offer you great opportunities for career growth, reconsider taking it.&nbsp;It is important to know how to leave a job if that is what you want. Receiving a counter to make you stay doesn’t fix the reasons why you wanted to leave the job. When young, it can be hard not to want things to go really fast.&nbsp;&nbsp;Job Vs CareerHow can you know the difference between a job and a career? Mentorship is really helpful with this. Have both an internal and external mentor. Your internal mentor will help you navigate politically within the organization and avoid pitfalls. Your external mentor has no association with the company so they can give outside perspective. The mix of the two insights provides a happy medium. The internal mentor will likely be more challenging to establish.&nbsp;&nbsp;Diversity and InclusionAzzam presents an exercise that has benefits for diversity and inclusion. The exercise surrounds coming up with a short questionnaire. It asked things such as: Where did you grow up? How many languages do you speak? What is your educational background? They anonymously answered and mapped out the responses. You can watch people making assumptions of who they think answered. You can discover new similarities and discover people’s strengths in the differences. This is a great way to connect your teams and build trust/awareness.&nbsp;&nbsp;Who to Look for in a TeamLook for active learners. The education you have is in the past. What are they still learning? You want a team that will continue to grow and evolve.&nbsp;&nbsp;&nbsp;Being a New CISOAzzam advises that the information is out there. Don’t sit around waiting for change. The CISO needs to be proactive in moving their teams towards the change versus reacting to it.&nbsp;&nbsp;Links:Exabeam...
10/8/202150 minutes, 4 seconds
Episode Artwork

Building Your First Cybersecurity Program

On today’s episode we are joined by Benjamin Edelen, former CISO of the City of Boulder. Leading with people first strategy, he aims to serve and protect the community and discusses his transition in and out of the CISO role.&nbsp;&nbsp;Starting from Scratch5 years ago, Edelen was chosen to be the first CISO of the City of Boulder. With no security programming or procedures in place, he had to build the program from scratch. This was a large challenge he had to face. His solution was to pour a lot of himself and his personality into the company. Ultimately, the program became deeply intertwined with his personality.&nbsp;Although he has since left the position, he tried to figure out how to leave while keeping the system in tact. Having connection and passion for your job is important. However, it can make it hard to discern work from personal life.&nbsp;&nbsp;Turning PointWhen did Edelen realize it was time to move on? He notes that the CIO of the organization was very transformative with a thorough plan of advancement. He speaks on the fact that she wanted to guide him on being successful both in the company and beyond. He was encouraged to go out into the world, even if that was with another organization.&nbsp;There is often a point when someone needs to move on in order to continue to grow.&nbsp;&nbsp;Passing the TorchPassing a role that you served in for a long time can be very challenging. It is important to learn how to move on. It can be difficult to see the role fade away or change. Sometimes the company may not listen to your advice or continue to take the role in the ways you envisioned it. Emotional reactions during these times are natural.&nbsp;&nbsp;Transitioning DocumentsWhat is Edelen’s advice for leaving the role? He had to decide how to transition out of the role as he was leaving. This can be deciding to recommend people to take on the roles. Writing down the tasks is important. The biggest challenge was a request/business case for the continuation of the role he was leaving.&nbsp;As he was creating the transition documents, he realized he was also creating a document he could use to begin his next role.&nbsp;&nbsp;RecognitionEdelen notes that the recognition he needed was knowing he was protecting the people. Recognizing successes within the company is very important. In cyber security, the focus is often the failures. However, focusing on success can make a large difference.&nbsp;&nbsp;Employment ContractsCISOs are not always the best at creating employment contracts. Putting together a list of questions and topics can be a great thing to consider. Contract negotiation is pretty standard. It is powerful to outline certain expectations you have of the job.&nbsp;Steeve Moore encourages listeners to reach out to him on LinkedIn.&nbsp;&nbsp;Being a New CISOTo Benjamin Edelen, being a new CISO means placing an organization and their people under your protection. He builds an organization intertwined with who he is as a person, and he would do it again. Helping other people navigate mistakes is a large part of the role. Taking on the role means making a commitment to the people and standing against risk.&nbsp; Links:Exabeam Podcasts
9/16/202141 minutes
Episode Artwork

Knowing When It's Time to Move Onto New Challenges

On today’s episode we are joined by Jerich Beason, senior vice president and CISO at Epiq. He delves into advice on networking, knowing which job is right for you, and how to build trust as a CISO.&nbsp;&nbsp;Advice to Younger SelfBeason says he would have spent more time on relationships. While he had relationships, he wishes he had done more to maintain those relationships across gigs. Keep up contact with people, you never know when you may want to connect down the line.&nbsp;So how do you upkeep relationships? Being intentional with your responses is important. Reach out and update those you are connected with. Who you know is extremely important in the job market. Keep in mind those people who have helped you along the way. A simple thank you goes a long way.&nbsp;&nbsp;NetworkDon’t focus all your energy networking at the top. Network with everyone. It will help with hires and building teams. So who should you reach out to? Network with people who are where you want to be. Also reach out to a peer group. Mentor when you have the chance, as well.&nbsp;Wasted Time?Young Jerich wasted time chasing a lot of certifications. An ongoing list of certifications takes a lot of time to obtain, but they do not necessarily stay relevant. Be deliberate about the ones you go after. His most valuable certifications are IT focused.&nbsp;&nbsp;Epiq Cyberside ChatsBeason hosts a podcast of his own which he discusses. It is relatively new with goals of working to be a leader in the industry of cybersecurity.&nbsp;&nbsp;New OpportunitiesYou have a current position but are offered a new opportunity. What do you do? How do you make that decision? Beason walks us through his experience choosing a new job and what influenced his decision. He thought about his personal brand and what he wants to do as a CISO.&nbsp;He had open discussions with his boss about being torn in his decision. It was a brief discussion but helped provide clarity in the situation.&nbsp;&nbsp;Personal BrandingThink about what success means to you and what you want to achieve. How do you want to look back on your career?&nbsp;&nbsp;TrustAs the first CISO in the company, much of his role early on was teaching people what a CISO was. He gained the trust of people in the company over time. He helped rebuild trust in the business. Strategy can only be successful if there is trust behind it.&nbsp;How do you know if you have trust? Trust is a combination of character and competence. Beason tries to demonstrate trust by showing that his goal is to help the organization succeed.&nbsp;Reaching out to top customers is extremely important. Communicating changes both short term and in strategy is necessary.&nbsp;&nbsp;&nbsp;Three Phases1). Foundation to work on preventing attacks2). Play with more cutting edge technologies to build on foundations3). Reach back and have transparency&nbsp;Be Knowledgeable&nbsp;You have to know about what you are protecting in order to succeed. Having a complete picture is essential. Utilizing technology to gain visibility can be useful. Beason feels as if he has knowledge of 99% of their devices.&nbsp;&nbsp;RecommendationsBeason recommends several books that have helped him along his journey as a CISO. He suggests several books on trust including “Speed of Trust.”&nbsp;Being a New...
9/2/202144 minutes, 36 seconds
Episode Artwork

Leading Cybersecurity as a Key Business Driver

On today’s episode we are joined by Dr. Tim Proffitt, managing director of information security at a Houston based company as well as a professor at several institutions. He discusses his own education as well as his experience educating others and how this impacts his job.&nbsp;&nbsp;Advice to Younger SelfYoung Tim wasted a lot of time doing unnecessary things. Tim would advise his younger self to not waste so much time playing video games and late night TV.&nbsp;EducationProffitt has always valued seeing things through. He always planned on getting a bachelor's degree and decided to continue his education. After qualifying for a new masters program, he wanted to see that through. Proffitt then saw it through to getting his PHD. He values expanding his knowledge and challenging himself.&nbsp;Would Proffitt advise doing the same? It depends on self reflection and the individual. Formal education is not required for being successful in your field but it can develop some great traits. If you can see what you would get out of your masters degree, then go for it.&nbsp;Getting a masters does not always equate to earning more money. However, when you choose to go through with this program, you will be stretched. It will open doors you didn’t have access to before.&nbsp;&nbsp;CredentialsCredentials are important at a certain level, but experience is just as important. Listing and talking about your credentials and experience can help some conversations and hinder others so self awareness is important.&nbsp;&nbsp;Successful Written CommunicationsProffitt explains that seeking out writing skill sets is important. It takes time and effort. Bouncing ideas off someone can be very useful too. Find that resource and mentor. A simple Google search can help you find seminars that can assist you in bettering your writing skills, as well.&nbsp;Networking, Mentors and Career ArcsSeek out and try to find a mentor early on in your career. A mentor is someone that can offer help and advice during your career. Proffitt wishes he found a mentor sooner.&nbsp;After you become a CISO what is the career arc? A progression often occurring is becoming a member of the board of directors. It could also be becoming a CEO or beginning to teach.&nbsp;&nbsp;TeachingWhat would Proffitt suggest to people thinking about teaching? Teaching at a community college would likely require a master's degree. Teach one class and see what you think. His goals were to be an engaging professor and getting students to want to go into his field. You can change the generations and introduce new people to the field.&nbsp;How does being a college professor better Proffitt at his day job? He can view the challenges with a different lens by interacting with the viewpoints of his students. It forces him to think in different ways.&nbsp;&nbsp;What Do We Miss in Security?We often do not dive deep enough into issues. There is always more information about why things are the way they are. Taking time to listen to the engineers is important and can aid in decision making. People may be managing problems, but not reaching the core.Every security program should be expending time on a risk register. This can transform the business. Presenting a simple risk register can be very profound. Consider using tools such as the 5 “whys?” or a SWOT analysis.&nbsp;What Do CISOs Not Get Enough Credit For?No credit is given when things are running smoothly. However, when things are not running...
8/19/202150 minutes, 32 seconds
Episode Artwork

Defending Data and Corporate Systems Without Sacrificing Revenue and Velocity

On today’s episode, Tyler Farrar, CISO for Maxar Technologies, joins us to discuss the ins and outs of threat intelligence. He delves into the importance of not assuming malicious intent and his approach to compliance versus security.&nbsp;&nbsp;Introduction to Tyler Farrar&nbsp;Maxar Technologies is a satellite imagery and satellite manufacturing company. Farrar got his start with IT in the U.S. Navy. Working with the Cyber National Mission Forces to protect critical United States infrastructure. He was responsible for managing and leading a team of navy sailors and civilians. They would gather data and intelligence and he was responsible for commanding the mission of the operations. Threat Intelligence&nbsp;&nbsp;Farrar notes that many people misuse the term threat intelligence. Taking legitimate sources, forming a hypothesis about what this means within the company network and then acting on the hypothesis is the true process of threat intelligence.&nbsp;&nbsp;Farrar discusses how standstills can occur. Sometimes companies will find the source, but fail to use the information to better the company. A repeatable process in acting on intelligence is essential and should be used in the private sector. Farrar discusses misconceptions in log sources within threat intelligence. Working through key outcomes and identifying desired achievements can help formulate use cases.&nbsp;&nbsp;Outcome&nbsp;How would Farrar define an outcome as it relates to threat intelligence? It is centered around quick identification and action upon a threat. After identifying use cases, narrow down what information will identify a certain use case to be used.&nbsp;&nbsp;Consider making a chart of your company’s process. This can allow the process to be explained to others with more ease. Farrar notes the importance of working with key stakeholders in this process, as well.&nbsp;&nbsp;Insider Threat&nbsp;Insider threat is also a misconstrued area. People are very complex and thus insider threat is a challenging area. While there is no one approach, Farrar discloses advice to approach this: managing cyber security, reaching out to the employee when necessary and working with them to understand why an activity took place.&nbsp;&nbsp;From here, determine the right steps to take. How and when do you reach out and what do you say? With data loss on the line this can become challenging.&nbsp;&nbsp;Analysts&nbsp;&nbsp;How do we train analysts to have cognitive management and have a trust first mentality? Analysts can become quickly overwhelmed with a constant influx of alerts and false positives. When this continues, they can become burnt out. As leaders, try to motivate your employees to feel positive about their work environment. If they can tie their work directly back to the mission of the organization, this can be a large factor. Being mission centric can help align the employees to the business.&nbsp;&nbsp;Look at your goals. How much time is necessary for achieving them? Understand what activity from your employees is normal to avoid spending time and technology on unnecessary activities.&nbsp;&nbsp;Community Culture&nbsp;It takes time to change the culture of your business partners and the community as a whole. Many organizations want to be in a place where people come to them, but still need to gain confidence from others. It is easiest to utilize lessons learned from a crisis as a...
8/5/202144 minutes, 20 seconds
Episode Artwork

Growing Your Confidence as a Young Leader

On this Episode of The New CISO, Steve Moore is joined by special guest Michael St. Vincent, the CISO of The Cosmopolitan of Las Vegas. They discuss the importance of networking as well as advice for succeeding as a CISO and in the workplace.&nbsp;&nbsp;Introduction to the Cosmopolitan of Las Vegas.St. Vincent has been the CISO for 6 years at The Cosmopolitan of Las Vegas, a resort hotel in Vegas. He shares that his favorite thing about the hotel is the artsy and off beat culture of the hotel and the joy of just walking through the building. “Secret Pizza” is a delicious stop, as well. Moore shares his experience grabbing a slice at Secret Pizza, too.&nbsp;&nbsp;Advice to a Younger SelfSt. Vincent shares that he wishes he would have networked more. Diving into the community is important. Being slightly more closed off can pose challenges and lead to missed opportunities. Just start talking to people and see how this can help your career. Many people feel as if they don’t have enough experience to share perspective but having confidence in yourself can help greatly. St. Vincent shares two main pieces of advice.&nbsp;1). Confidence. Accepting that you don’t have to know everything can make networking easier. Look at it as a learning process.&nbsp;&nbsp;2). Don’t Dominate The Room. Offer an idea and see where it goes. This opens up a conversation and allows room for others to share their ideas.&nbsp;Coaching NetworkingLearn from listening. Being present and listening to who is speaking is how you show respect to the speaker and learn. Being kind is also important. Present an opposing opinion in a kind way, but let people respond. Being a coach to the next generation is an incredible opportunity. This will create a strong and successful community going forward.&nbsp;Networking OpportunitiesIn Las Vegas, they have a networking cocktail hour with industry professionals, as well as a few students who get invited to participate in these events. Getting a feel for the room is an extremely beneficial experience for up and coming individuals.&nbsp;St. Vincent holds one-on-one meetings with his staff to offer feedback. He speaks on the importance of having conversations and growing communities. These outreaches end up being very worth it in the long run.&nbsp;&nbsp;The Hiring ProcessNot everyone can get hired for positions they interview for. St. Vincent and Moore advise to always reach out to the hiring manager and ask for an off the record debriefing. Giving and getting feedback is important and can help you grow and this honest feedback can be very helpful in the future.&nbsp;&nbsp;Admitting “I Don’t Know”Why is it so hard to admit you don’t know something? Lacking confidence can be partly to blame. There is also an expectation that we need to know everything. This is a common way to feel. It is worse to make up a solution than admitting you don’t know something. Asking for help is okay, and there will be many people willing to help you out. Admitting we have limits can be challenging, but it is human. Being overconfident and “showboating” is not the way to go. This indicates that things will not go well, most likely.&nbsp;&nbsp;360 Review: Confidence vs ArroganceSt. Vincent shares about his 360 review and the realization that some people perceived him as arrogant. There is a fine line between confidence and arrogance. Behind this is attitude and self awareness. A 360 review takes a certain type of openness. You must be willing to listen to the feedback you will receive. Making...
7/26/202143 minutes, 57 seconds
Episode Artwork

Four Key Elements of a Security Strategy

On this Episode of The New CISO, Steve Moore is joined by special guest Mark Ferguson, the CISO for a cyber security company Bombardier. They discuss roles of a CISO in cybersecurity and the strategies involved in dealing with breaches and building teams.&nbsp;&nbsp;Moving to CanadaOriginally from Scotland but now residing in Montreal, Canada, Ferguson shares some background on where he has lived in the past and the process of moving to Canada. Ferguson expresses his excitement of experiencing Montreal when it becomes more open. He has been taking some French classes to become better acquainted with the language.&nbsp;&nbsp;TravelFerguson has been able to travel often and live in many places for his job. Opportunities to relocate have been present multiple times throughout his career. Ferguson advises taking opportunities to relocate for a career. He has moved to the United States, to Poland, and now to Canada. He enjoys the experiences of new places. Moore discusses how relocation may be less common in companies based out of the United States.&nbsp;First CISO RoleFerguson reflects on the decision to become a CISO. He honestly admits that some days it can be exhausting and doubts can arise. There are good days and bad days in the role. At the end of the day, he knows he is capable of solving any problems that arise. The role brings a lot of diversity.&nbsp;&nbsp;Getting to be a CISO/4 PillarsHow did you get to the point of being a CISO, Moore asks? Ferguson says he had a great mentor and was able to help identify his assets. Getting things done and strategic planning are important as well. The four main pillars of strategy are.&nbsp;&nbsp;1). Educational awareness2). Strong Identity Management/Data Security3). Strong basics of IT management and maintenance4). Using agile technology&nbsp;Building a program &amp; Facing ChallengesYou have to know what players you need to make things work. Building strong relationships is important and will assist with the aspect of vulnerability management. It can be a challenge to identify where problems lie and explaining the problems can be a challenge as well. Ferguson notes these are things he still actively is working on.&nbsp;&nbsp;Moore notes that the CISO position can be nearly impossible at times. However, others pulling their weight in the company is essential. IT systems are extremely complex and joining everything to work as one can be difficult. This is, realistically, not a simple problem to solve.&nbsp;&nbsp;Breaches with assets could be a big detriment to the company. Holding people accountable and working together is one way to avoid these breaches. Running audits is time consuming, but important to keep everything in check.&nbsp;&nbsp;Best parts of the jobFerguson shares some of the best parts of his job. One of his favorite things is building great teams. Finding great people to work with is very rewarding. These people don’t have to be perfect, but finding what makes them an asset to the team is great. Inevitably, these team members will come and go, but developing great teams is one of the best parts of the CISO role, says Ferguson.&nbsp;&nbsp;Breach Response PlanOne of the first lessons to learn is that a cyber breach is not a cyber security problem. Ferguson mentioned that they recently faced a breach, and there is a lot to learn from the situation. This occurred at a critical time. They assumed the breach would be coming from the bottom up, however it was at a...
7/8/202148 minutes, 28 seconds
Episode Artwork

Earning the Business’ Trust as the New CISO

On today’s episode, Rob Hornbuckle, CISO for Allegiant airlines, joins us to discuss the scope of his early career. From advice he’d give his younger self, to learning how to accept feedback and undergo self development, join us for this informative conversation.&nbsp;Advice to Your Former SelfRob Hornbuckle reflects on his current success and thinks back to what he wishes he could tell a younger version of himself. Taking on a leadership position early on made the learning process quick. If he could go back, Rob would tell himself to work more on soft skills and people skills. Rob then delves into the importance of relationships in higher levels of a company.&nbsp;&nbsp;Moving into Leadership&nbsp;Rob’s first leadership role did not have a preexisting security program, rather it was Rob’s job to establish and build a program. We then discuss the challenges of this role, given that Rob was starting a leadership position while simultaneously building a program. Additional challenges include the amount of effort needed to grow relationships. It is an investment of time into others and yourself.Previously, being seen as the best or smartest in the room would be a positive, but there has been a shift. Rob says being perceived as the smartest can be off-putting to others and he highlights how listening to others' input is beneficial. Rob discusses why this first leadership role ended up coming to an end, but notes that his mission within the role was achieved with success. He loops back to mention how taking his own advice at this younger stage would have helped expedite this process.&nbsp;&nbsp;&nbsp;Feedback is NewRob delves into the reasons he went back to get a masters degree: thinking this would solve a problem. While the degree was helpful in the long-run, he notes that the problem of feeling he wasn’t trusted enough stemmed from not being viewed as expert-enough.&nbsp;Feedback is essential. Rob mentions the importance of seeking out feedback. He then provides an example of asking for feedback. While his process has changed since, at this time, Rob waited a year before sending calendar invites asking for feedback from his colleagues.&nbsp;One feedback he received was that he was not trusted. Rob was informed that many senior executives had been there for years, and he was not welcomed with trust. He figured later that fully understanding the organization would help build this trust.&nbsp;&nbsp;Changing and CoachingThe two lessons he took from the feedback were about emotional intelligence and business. To address this, Rob sought out an executive coach. Rob discusses what an executive coach is and what the coaching entails. His coach performed a 360 degree view to figure out where he may be falling short by gathering information from past work. Rob discloses that a 9 month program cost him $6,000. While it is a large investment, Rob notes that he would, in fact do this again. To address the business trust issue, Rob sought out his MBA, paying for this degree himself.&nbsp;Rob notes that the most important takeaway was identifying what he needed to work on to grow emotional intelligence. Working on strengths and weaknesses was an important part of this bettering process. &nbsp;Utilizing Your Past&nbsp;It is important to use all the technical skills from your past in current endeavors.We discuss how, for example, having a background in theatre can be extremely important in leadership endeavors down the line. Hours put into an activity in early years can be very useful in, say, presenting at conferences. There is a lot of theatre involved at an executive level. Confidence and...
6/24/202142 minutes, 51 seconds
Episode Artwork

Building an Insider Threat Program from Scratch

Kylie “KT” Boyle joins us in the latest episode of The New CISO, which is also the beginning of a new segment: The New CISO Foundations. Every security program is built off of a foundation; this episode will focus on KT’s mission and what building blocks his organization represents.   Background KT Boyle leads Anubis Security Groups. He has been in the cybersecurity realm for over 17 years. He worked in cyber security operations for the US Cyber Command and various Global Fortune 500 companies. He currently focuses on providing modern cybersecurity and continuous security monitoring, along with data loss protection/prevention.   From Military to Cybersecurity Before focusing on cybersecurity, the first decade of KT’s military career was spent as a special forces soldier. KT talks about his transition into a different realm as he became a father and how he learned about a space that was unfamiliar to him. He also gives advice for anyone who is considering taking the leap into a new job.   3 Core Components of Building Teams This episode breaks down teams into three core components: team performance, visibility and tool efficacy. Human beings are the cornerstone of any good team, and when you analyze employees, you should also take into consideration who they are as a person outside of work. The visibility component discusses having visibility into all of the environments within the team while tool efficacy details how to have efficient tools for your team regardless of what sector or tech stack you are operating on. When you have employees that understand these three core components, KT says this makes the hiring process a little easier because now you no longer need to have a subject matter expert at every level. Focusing on the leadership perspective: what does your business do and what is changing about it? If you can communicate this clearly, you’re ahead of the game.   What Do Bad Security Analysts Do? To keep it simple: bad security analysts don’t ask questions. Some members of the cybersecurity realm are not the most experienced extroverts. However, asking questions show that you’re engaged and interested in learning about the industry and tasks at hand. If you’re not asking questions, this typically means one of two things: you’re looking for a new job or you are happy with your current output and are coasting through. To counterpoint, Steve mentions that some people who don’t ask questions may have worked under poor leadership in the past. The episode discusses ways to incentivize your team members and how to create an environment where they can be comfortable with asking questions.   Links Exabeam Podcasts
6/10/202157 minutes, 5 seconds
Episode Artwork

Why Teams Fail Building Resilience into your Security Program and Culture

We focus on resiliency in this week’s episode of The New CISO, which was originally recorded at the 2021 RSA Conference. Steve sits down with two former guests on the show, Dave Damato and Sandro Buccianeri to talk about the hard-hitting questions from the inside: why do people fail, and what impact does resilience have on program success? Thinking About Resilience As Steve mentions, there is a lack of definition for what is “good” within the cybersecurity realm. So how do we think about resilience and failure when there is no solid definition for what “good” is? And how can we establish resilience for our team members? Setting expectations through frameworks depending on your industry and defining success and capabilities for the team is crucial. However, leaders must also stop and acknowledge that your team members are not robots; they are individuals with challenges that all play a massive part in how they show up every day.   Feedback and Executive Decisions If employees are scared to speak out if something is wrong within an organization, leaders are basing their decisions based on an echo chamber of positive feedback. Feedback is critical when it comes to correcting any errors or putting out fires, especially in a larger organization with a bigger staff. Showing that you can take criticism and feedback will allow team members to communicate in a more confident way, in turn creating a better work culture. When it comes to operating with other executives, CISOs often feel like they aren’t as established in the corporate landscape as other roles. CISOs need to shift their focus onto how they can have an impact on the business and the top level goals of the organization, which could mean weighing in on company wide issues such as pay rates, benefits, the hiring process, etc. Managing Expectations Expectations start as soon as the interview process does. Where do leaders mess up, and how can we fix it? The biggest challenge within security is that there aren’t enough staff and/or resources, so managing the resources in place and setting expectations is key. It’s important to make sure your team isn’t constantly putting out fires. Evaluate when/if you need to hire a new person or bring in a consultant to solve some issues.   Hiring For Resilience Is it actually possible to gauge someone’s resilience during an interview? What traits should you be looking for during that initial conversation to see if they would be a good fit on your team? Dave and Sandro share their secrets on what exactly they ask and what exactly they are looking for in a candidate to continue to drive that theme of team resilience.   Links Exabeam Podcasts Dave Damato - Twitter Sandro Bucchianeri - LinkedIn
5/27/202148 minutes, 47 seconds
Episode Artwork

Sugarcoating Security Data Doesn't Help Anyone

The latest episode of The New CISO features not one, but two guests! Chuck Markarian and Sean Murphy sit down to discuss the inner struggles of networking, establishing a risk council within your company and dealing with high-risk situations. Background Chuck Markarian is the CISO at Paccar. He has been with the company for 16 years and has served in a CISO role for almost five years, focusing on security risk assessment and project management. Sean Murphy is the CISO at BECU, the third largest credit union in the country. Sean has been in his role for about two years. He previously served in the Air Force for 21 years before jumping into the financial services sector. Networking as an Introvert Networking in itself can be intimidating, but when you’re an introvert, it’s more nerve-wracking. Chuck and Sean discuss how to calm the nerves and take that first step at a networking event, which ironically is how the duo ended up becoming friends. The episode discusses translating this advice into navigating in a virtual space as networking events continue to be held online. Starting a Risk Council The guys talk about how to socialize a risk council and get one established. The main focus is catching an employee’s interest in that initial email. This episode goes through different questions to ask your team members that will lead them to recognize what areas interest them the most and what areas pose the greatest concern. The bottom line: ask the right kind of questions that let employees find out what is important to them and discuss responses to situations when dealing with risk management. Then, develop a plan of attack. Dealing with High-Risk Situations High-risk situations and security issues are bound to happen. The largest differentiator is how you react to it. The focus quickly goes to “How could this happen?” when the shift needs to be on “How quickly can we get things back to normal?” Sean and Chuck discuss navigating high-risk situations with executives based on your current relationship with them, and how the CISO is often not the sole person to blame when something goes wrong in the cyber security realm. Rose-Colored Glasses Some things unintentionally get sugarcoated by organizations, where reports get tweaked as they go further up the chain. The verdict? CISOs are not doing the organization any justice if they are trying to spin the news. In turn, a CISO could find themselves without a job if something goes wrong and the company was not provided with accurate data and objectives.You’re not doing the org any justice if you’re trying to spin the news, you're not protecting your job. Always communicate the message as you see it.   Links Chuck Markarian - LinkedIn Sean Murphy - LinkedIn Exabeam Podcasts
5/13/202157 minutes, 15 seconds
Episode Artwork

Getting the Job Done Doesn't Always Mean Getting Credit for It

Our latest episode features Brian Fricke, CISO & IT Risk Head at City National Bank. Brian joins us to discuss developing mentorships in the industry, how to be a positive leader and how to have a proper work-life balance when you are constantly dealing with high-stress situations. Background Brian got his start working in IT and information security through the military and federal government. He served in the United States Marine Corps and worked in the federal government realm before transitioning over finance. Brian gives some insight on the transition and how his military background prepared him for a career in information security. Rounding Yourself Out When asked what advice he would give to his younger self, Brian says he would encourage himself to round himself out and learn as much about the business and industries as possible. The episode also touches on “not living in anyone’s shadow” and not being afraid to take bold steps within your career if you think you have a solution for a problem. Leaders Listen Brian was propelled to become a more mindful leader after dealing with a former boss who did not listen. It prompted him to become more mindful and ask his staff what their opinions are during meetings and when dealing with specific situations. Brian says leaders should ask questions that spark creativity and thought, especially when you're working with junior staff. Acquiring Mentors What's the best way for someone to grow? Long -term work experience is probably the biggest component, but mentorships and partnerships are a large piece of this as well.  Brian addresses the type of people to seek out: people who have gone down the path you are looking at, others who have gone down parallel paths, etc. Brian discusses how you can build that mentorship and start that first conversation to start a beneficial mentorship. Meditation is Key Cyber security often involves high-stress situations. The work-life balance and mental health components are just as important. Brian talks about how meditation has benefitted him personally and how it could benefit other CISOs or professionals working in high-stress situations. Celebrate the Small Victories  If you wait until hitting major milestones to celebrate, employees can sink into a dull mindset. Celebrating the small victories along the way can help boost employee morale and keep everyone motivated. Brian holds a weekly meeting where his staff can recognize positive moments from the week and give shoutouts to their colleagues. Links Brian Fricke - LinkedIn Exabeam Podcasts
4/29/202148 minutes, 34 seconds
Episode Artwork

Why Does Cybersecurity Mentorship Matter?

In the latest episode of The New CISO, Sandro Bucchianeri joins us to discuss finding a mentor during the early portion of your career, how cyber security leaders can navigate corporate relationships, and the success of building a cybersecurity academy in South Africa. Background Sandro is the Group Chief Security Officer of Absa Group in South Africa. He has worked in cyber security for companies across the globe, including the United Kingdom and the United Arab Emirates Mental Wellness Emphasis Sandro’s advice to his younger self: breathe, take a breath, relax.  Being a CISO is a very stressful position, and this episode talks about some aspects of mental wellness that are important for maintaining your physical health and stress levels. Sandro talks about his experience of implementing meditation in his early 40s and wishes he learned how to do it earlier in his career. The episode discusses the benefits of mindfulness and how you can apply it to your daily routine.Navigating Mentorships Knowing your why, the reason why you want to hit certain milestones in your career, is the most important thing when trying to reach success.  What you need to do to get there is one element, but using your own story and background is a more powerful motivator for drive. This is a very different dynamic in comparison to just working to get money. This episode talks about how these realizations and other soft skills can benefit you when you enter a leadership role. Corporate Relationships Sandro talks about the human condition and how that relates to relationships with board members. People show up differently when there is more on the line, which is why they will act differently in a casual one-on-one setting versus a board meeting. Those casual coffee chats are still suggested to humanize and understand the board members. Be authentic and transparent with them no matter who you’re speaking to. And if you are not getting time with a senior member or board member, ask yourself why.  Mentorship There’s no central golden source of truth for becoming a successful leader. Sandro learned early on that he needed to latch onto mentors. Expanding on that, the episode discusses the ability to listen to them and be patient. It is the most fundamental thing Sandro has learned, as opposed to jumping the gun and trying to find an answer right away. Sandro and Steve also discuss the perfection culture within the industry and how you can combat it. Absa Academy Sandro discusses the Absa Academy and its progress over the years, and how it has been able to lift South Africans out of poverty and into a career of cybersecurity. The episode mentions the obstacles the academy faced during the pandemic and the lessons students learn throughout the program.   Links Sandro Bucchianeri - LinkedIn Sandro Bucchianeri - Twitter Absa Cybersecurity Academy Exabeam Podcasts
4/15/202149 minutes, 43 seconds
Episode Artwork

Why Great Teams Need "Lifelong Learners"

In this episode of The New CISO, Matt King comes on to focus on the leadership side of cyber security. Matt talks about how lifelong learners make for great leaders, and how he learned to not make assumptions about his team members when managing them.    Background  Matt King is currently the VP of Global IT Security, CISO at Belcan. He has been with the company since 2017. Before transitioning into cyber security, Matt’s career focused on IT. However, Matt worked to bridge the gap in communication between the two before transitioning into cyber security.    Becoming A Leader  This episode notes the gaps between managers that received leadership training and what Matt learned about management when he transitioned into a leadership role. Some managers choose to delegate and coach people in different ways. Matt notes that when delegating tasks to your team members, it shouldn’t just be based on their knowledge level. Instead, it should be based on the specific task you are asking them to do.    Analyzing Your Team  Matt reflects on a situation where he made an assumption based on someone’s skill level and completely delegated a task to them. The results weren’t the best. A tip for managers: make sure you fully understand not just their skill level, but what that person can handle for that particular task. Also reflect on what they need from a delegation perspective: do they need handholding, general guidance or can they fully run with it?    Up For The Challenge  How do you amp yourself up to take on the challenge of managing people? The simple answer: try to learn from everybody you meet. Switching into the application, focus on the overall goals when you’re talking strategy and then divide your work up into chunks when dealing with the tactical side of the job.    The New CISO  For Matt, it’s all about flexibility. He places an emphasis on being open minded and being willing to help others.    Links  Matt King - LinkedIn Exabeam Podcasts 
4/1/202145 minutes, 29 seconds
Episode Artwork

Don't Aspire to be a CISO

On this episode of the New CISO, Dr. Rebecca Wynn joins us to discuss the logistics of being a CISO both on a team and personal level. The episode focuses on what type of person is the right fit to become a CISO and how to properly manage the well-being of your team once you land that role, especially now that CISOs are managing their teams in a virtual setting.Background Dr. Wynn is currently a Global CISO & Chief Privacy Officer at [24]7.ai. Before that, she was the Head of Information Security/Data Protection Officer at Matrix Medical Network. She was recently listed in the Top 100 Women in Technology by Technology Magazine.Advice and HindsightWhen it comes to hindsight and analyzing yourself and your team from the stands, give yourself enough grace to realize that you are always learning. In the episode, Dr. Wynn and Steve talk about decisions made by CISOs that come before you and how you can take those pieces of information to propel the company forward.Employee WellnessAnalyzing the needs of your team is important in the work world, but being virtual can make that hard. Tips for checking on the team’s wellness behind the screen is discussed, including reminding your team members about the employee assistance programs available to them when they are struggling. Most importantly, this episode emphasizes letting your team members know you care about them as a person and not just as an employee.Should you Become a CISO?Dr. Wynn has written an article advising people not to become a CISO. She expands on this point, explaining that the term CISO has become watered down and people shouldn’t aspire to be at the highest position of cyber security if they don’t understand it and what goes into it. If you aren’t a big thinker or strategic in your thinking, a CISO is not the role for you. Instead, focus on being the best cyber professional you can be.Career Lifespan of a CISOThe time a CISO spends in their role at a particular company has shortened. This episode expands into a CISO’s typical timeline from when they take on a new role until they leave for a new opportunity. We also draw comparisons on the lifespan of a CISO versus the career lifespan of other higher positions, and who CISOs can report to during their time at the company.The New CISOFor Dr. Wynn, the new CISO is a person who tries to work with the organization and is not afraid to speak up for it. This person also never loses sight that the bad guys are always out there and that your organization is in a cyber war at all times.LinksDr. Rebecca Wynn – LinkedInExabeam Podcasts
3/18/202142 minutes, 13 seconds
Episode Artwork

Exploring New Job Opportunities Amid a Global Pandemic

Rinki Sethi joins us for the second time on the show, and this time she is with a new company. Just a few months ago, Rinki became the CISO at Twitter. In this episode, we talk about what made Rinki want to take the jump to a new company and how you can adjust to working for a new company when you’re completely remote.Background Rinki joined Twitter in September of 2020. Before that, she was the CISO at Rubrik. Rinki has also served in cyber security positions for IBM, Intuit, Walmart and eBay.Taking the LeapYour job is so much more than day-to-day tasks. It’s also about the relationships you form with your team and your interactions with them. When COVID-19 had her office go remote, Rinki was left in her house with a lot of free time. And that free time led her to do some deep thinking about who she was and who she wanted to be, realizing that she was no longer feeling challenged at her job. Rinki talks about looking at it from the perspective of the larger impact. Virtual InterviewsRinki’s hiring process was 100% virtual. For those who are used to traveling to another city for a few days to go through the interview process, this concept is hard to grasp. Rinki goes into detail on forming connections with the interviewers through a screen, and what questions you can ask the company to see if the environment is a good fit.Mental Health in the WorkplaceMental health is extremely important to Rinki, and she tries to implement that with her team as much as possible. However, she has yet to meet anyone from Twitter in-person due to the pandemic. That poses some challenges; instead of interpreting body language and the physical environment of your team, you have to interpret video calls and chat messages. Rinki shares some tips on how to ensure your team is prioritizing their mental health while reiterating one message: we are all still humans. The New CISOWhen asked what the new CISO means to her, Rinki emphasizes building and strengthening a security culture while continuing to be thought leaders for the company.LinksRinki Sethi - TwitterRinki Sethi - LinkedIn
3/4/202143 minutes, 37 seconds
Episode Artwork

Four Key Questions Every CISO Should Ask Their Board

Dr. Eric Cole of Secure Anchor joins us in this episode to talk about the misconceptions of what a CISO should really be. This episode focuses on the corporate side of cyber security and the line between a CISO and a security engineer.BACKGROUND Dr. Cole has over 30 years of cyber security experience.  Before that, he was a hacker for eight years for the CIA. After spending almost an entire decade hacking into systems, he decided to switch from offense to defense, which he describes as being more challenging. MISCONCEPTIONS ON THE CISOBeing a CISO is not a technical role. The CISO is a strategic position that focuses on the strategy of execution. They focus on the growth of the business while understanding finance, revenue and how they can incorporate cyber security into that equation. Anyone in a technical mindset should not be a CISO – CISOs need to communicate and task their teams instead of running head-first into the data center. Anyone that enjoys doing the latter should consider switching to a security engineer. FINDING THE RIGHT FITUnsure if you selected the right CISO? They need to be comfortable in conservations revolving business decisions. The answers to “What business are we in? How does our organization make money?” should be as seamless as answering their name or where they’re from. ADVICE FOR A NEW CISODr. Cole reveals the secret to briefing a board: keep it short and simple. The only thing board executives care about is the potential for risk and what it will cost to fix that risk if it occurs. Going into this with a data, tech-focused perspective will not allow for a thorough understanding of the situation between the CISO and other executives. In another light, putting out little fires as a CISO is not going to scale well. A CISO entering the company should look at the processes in place within the organization and see how they can get security injected into it. Instead of managing the symptoms, get to the root of the diagnosis. THE NEW CISOWhen asked that the new CISO means to Dr. Cole, he emphasizes a business executive that is entrusted with helping the organization grow and be successful through cyber security. This CISO would use their focus on cybersecurity as a business enabler instead of viewing themselves as a technical resource. LINKSExabeamDr. Eric Cole - TwitterDr. Eric Cole - YouTubeDr. Eric Cole – Books on Amazon
2/18/202145 minutes, 11 seconds
Episode Artwork

Influencing and Informing Non-Technical Business Partners on Security Issues

Curtis Simpson, CISO of Armis joins us to discuss the pros and cons of starting your career in a small organization versus a large enterprise. How can you influence and inform business partners from a security perspective? Why do people believe the CISO shouldn’t report to the CIO? BACKGROUND Curtis likes to say he was born with a keyboard in his hand. Growing up with his father working in IT, Curtis was already coding by age 8. He started his career in mass organizations and served in various roles at Sysco over the course of 10 years (including Vice President & Global CISO) before coming to Armis in 2019.   FROM TECH TO POLITICS When asked what advice he had for his younger self, Curtis had one answer: stay close to what you enjoy. By spending nearly all of his time playing politics with larger organizations, he gravitated away from what he loves: tech. In large organizations, he had to constantly fight for every morsel of progress and spent a lot of time educating company members on why he was even talking to them in the first place. LARGER VERSUS SMALLER ORGANIZATIONS The biggest difference between the two? The ratio of time spent in the political realm. In certain situations, a situation that could be signed off on in 30 minutes takes three months. The ability to balance an understanding of the market and enterprise is an important aspect of the role, but being a CISO is not about spending all of your time forming relationships to have minor decisions made. Instead, it should be about leading teams and learning the evolution of the markets.   TIPS FOR STARTING SMALL A mistake Curtis noted for himself when he was at larger organizations: he was too title hungry. However, at smaller organizations, there is more opportunity for fulfillment and confidence-building. Smaller teams usually understand their objectives and are very hungry to prove themselves in the market. In the smaller model, you can also continue to discover your interests within the industry. TRANSPARENCY WITHIN THE INDUSTRY When asked what irritates him the most about the industry, Curtis notes the transparency. Companies are rarely focused on the right thing because they are rarely honest about what they do and don’t know. This has been a cultural norm, one that the industry must continue to disrupt. While the transparency has improved, there are still individuals in the industry that are guarded in their conversation.  CISO AND THE CIO One of the most painful elements of Curtis’ career is that the industry has long past the mark where CISOs should not report up through the CIOs. In many cases, CISOs are representing a message to a CIO that unfortunately doesn’t have as much of a grasp on security. As a result, the CISO spends a lot of time creating and delivering a message that can start to fall apart. For example, a CIO may want to paint a different picture to the board, so they will create a less transparent image of the situation. THE NEW CISO For Curtis, the new CISO is all about servant leadership. This episode discusses the success and fulfillment of building teams and enabling them to perform at high levels. Teams with an established workflow and culture will follow you through the greatest challenges. LINKS New CISO Podcast Curtis Simpson - LinkedIn
2/17/202149 minutes, 59 seconds
Episode Artwork

How Do Leaders Cultivate Diversity of Thought

Artie Wilkowsky, CISO for Dish Network, joins us on this episode to speak about specialization, leadership skills, and the qualities he looks for in new hires.     Artie’s Background Artie has been working at Dish for over two years, helping with all their lines of business, such as Sling, Contact, and Wireless. Before that he bounced between consulting and industry, working in financial services and aerospace.    Specialization vs. Generalization In thinking about advice for his younger self, Artie would tell himself not to worry so much about specializing right away. It’s important to get a broader view of an industry, see how different sectors impact one another, and then decide if you want to specialize. Artie believes that the more you progress in security, the more you end up being a generalist anyway, so it’s good to start there so you have that holistic foundation.    Artie also encourages others to do the same; he helps people on his team shadow others in different areas of a company to have a better understanding of how they work. Automation and Budgeting  Artie discuss how sometimes security and IT are not necessarily given a budget they need in order to excel in their areas. However, an unintended benefit of this is that CISOs or others who work in security are forced to become creative with their coding. Out of this creativity, you can have CISOs who must automate certain functions, as they can’t afford the staff to maintain them. These automations are not only impressive but strength the security.   Skills You Develop and Ditch As you progress in security, there are certain skills that you will need to develop, and others you will need to ditch. Artie examines what skills have been helpful to hone or drop in his career and the careers of those around him. He believes that as a leader, you must be able to communicate, translate, and influence. Listen to the episode to hear more about what Artie means by these skills.   Artie emphasizes the importance of learning how to work with others, as well as learning to now delegate and manage.  Instead of doing it yourself because its faster, take the time to teach someone else so that they can have that experience    Delegation In particular, you must learn how and when to delegate. Artie relays that if you don’t delegate, you stifle those around you. You don’t give them an opportunity to grow their skills and their career, and as a result, they may not stay around for as long. Additionally, when you don’t delegate, you signal to your team that you don’t trust them. Listen to the episode to hear more discussions on how behavior in meetings can also affect trust amongst the team.  Responsibility of Growth  When discussing the leadership role, Artie reiterates that you must invest in the individual, letting people come on special projects and allowing them to grow. If not, talent may leave. If you don’t create an environment for growth, you’ll not only lose that talent but struggle to acquire it. You may put forth a reputation of stagnation, which will turn people away.   But whose responsibility is it to grow? The employee or the leader? Artie believes it’s a bit of both. The leader needs to create a space in which the individuals who want to grow can do so. However, the employee still has to advocate for him or herself, asking how they can improve and take on more.    Hiring  When Artie is hiring, he looks for specific skills in interviewees. He looks for people who ask why and who like solving problems. Particularly, people who are naturally curious. In addition, he seeks out those with verbal and written communication skills. Some people can write very well, but they don’t always know how to effectively communicate or express oneself.    Artie discusses how he...
1/21/202150 minutes, 53 seconds
Episode Artwork

Balance Budget and Tools by Rationalizing Your Security Stack

Gorka Sadowski, the CSO of Exabeam, joins us on this episode to speak about his decades of experience in cybersecurity and what he’s learned about acquiring new technology.  Gorka’s Journey Although Gorka became Chief Strategy Officer for Exabeam only three months ago, he has over 30 years of experience in cybersecurity. Gorka has learned many valuable lessons along the way, especially during his time at Gartner, the global IT service management company.    Each year, Gorka spoke to over 600-700 clients and vendors about their successes and failures. Although rigorous, the beauty of this is that by speaking to many different clients, he was able to recognize patterns on what works and what does not. Both vendors and clients benefit from these conversations. Newfound knowledge emerges, which is then studied in a more formal setting and is later published as research by Gartner.   Non- Gartner research then compliments what is learned in the conversations of Gartner clients and vendors.   The Pitch Problem  One of the biggest issues that Gorka has identified is a misalignment with expectations of a product and the value proposition it’s supposed to fill. He feels that vendors oftentimes like to take liberties on pitch of their products and sometimes, the readers of the pitch can get caught up in wishful thinking.    As someone who has spoken with both sides of this problem, Gorka feels it’s best to begin with why—why does someone need your tool? Then work your way through the how and the what. He discusses Toyota and their message as an example of the why aligns with the what. Listen to the episode to hear more on what Gorka means by this.   Building Trust There are no shortages of huge claims or startups that promise everything. The CISO or the client organization need to learn how to pierce through the veil and filter the messaging they receive, and they need to do so diligently.    Gorka advises vendors to build trust by being consistent and have the humility to admit when your technology cannot accomplish what the client wants. Ultimately, this will help you. It takes time to build trust, which Gorka reminds us, is not a binary quantity. Growing trust occurs with baby steps. Ultimately, things don’t have to be perfect for things to be great.  What Covid Revealed  Gorka believes that Covid revealed that many companies are using outdated or underutilized technology. But the pandemic also brought out the need to take stock of what a company has and question if it needs to be changed, updated, or encouraged. If you realize there is some old technology that isn’t useful anymore, you benefit from not just getting rid of it, but from saving yourself the cost of maintenance. This will free up your budget for new technology.  The CISO and the Vendor Many times, the CISO is—and should be—skeptical. Gorka believes you need a healthy dose of reality so that you can understand the factors at play and to avoid being burned. By the time someone reaches the position of CISO, they can “smell the BS,” as they know how to pay attention to body language and asking the qualifying questions.    Gorka also stresses the importance of the CISO creating an engaged process to buy new technology. He encourages CISOs to bring in many people and get more of the company involved. Listen to the episode to hear more of his thoughts on this.  The Why, the How, and the What  Gorka gives advice for the pitch itself. He iterates that the vendor and the client have to both understand why the tool is needed, in addition to how one can operationalize this tool. The organization must clearly see how they can embrace and implement this new tool.    It’s important to follow up with the specific question of what value can this specific company...
1/7/202146 minutes, 6 seconds
Episode Artwork

The Moments After a Major Breach

On today’s episode, David Damato, the CISO at Gemini Trust Company, joins us to speak about what occurs within organizations during and after a breach—and what should happen for the best outcome. He emphasizes communication, confidence, and clarity.    David’s Journey  David works for Gemini, one of the few regulated crypto currency exchanges out there. It is regulated by the New York Department of Financial Services, along with other entities. They must demonstrate that they’re a legitimate organization, as the field as a whole has had a lot of problems. They prioritize building trust, and David believes the industry is evolving to a more mature state.    Before Gemini, he spent about 10-15 years working at scrappy, small organizations. He had a lot of fun helping them grow into larger institutions and sharpened his expertise.   The Planning  David has aided over 100 organizations directly during a crisis, and indirectly has helped a couple hundred. In working with many institutions, he has found that the best outcomes occur when the company executes on the practice and the planning they had done prior to the breach in an organized manner. Planning starts way before a breach and is structured around the architecture, logging system, data and if the team engages in mental exercises.    David also explains that the size of the organization affects the outcome, as well as security’s status within the institution, and the two type of panic that rise: panic that people will find out or panic over the safety of the customers’ and their data. How David is often viewed, either has help or a hindrance, reveals the priorities of the leaders. An organization can either be grateful for his team exposing flaws so that they could fix them, or they try to hide mistakes. Listen to the episode to hear more examples of behavior that influence the crisis management.    Branding and Communication Next, David speaks on communicating both internally and externally about the breach. An effective security team communicates with the rest of the institution about the importance of the job. If you can advertise to the right people about the threat and what you can do, you can receive more funding. If not, you might struggle to solidify your place in the institution.     David also points to the branding of the company as having an impact on how the breach is viewed or manage. He gives Google as an example. They have great trust in them and they participate on boards and at events. When there was a breach, they talked about it and talked about it in the right way. People already liked the business and the brand before the breach occurred, so they were more forgiving when it did. All of these factors helped the breach be better received.    Additionally, the figurehead of managing that breach is also important. David finds that non-technical executives need training so they can know what to say when a breach happens. Without this training, executives can sometimes misspeak out of lack of knowledge, or overshare without realizing this could worsen the threat. He emphasizes training and practice.  During and after a breach, how an organization communicates to the public is key. Therefore, those points of contact must be taken seriously: from phone calls, to interviews, to the letter. As an example, David and Steve run through a practice interview. Listen to the episode to hear what David presents as a solid response, an incompetent one, and the difference between the two.    David iterates on how institutions should have relationships with reporters who they trust and like. When these relationships are established, the news can be reported accurately by someone who understands cybersecurity. Additionally, they organization needs someone who understands what information should be public and what...
12/23/202046 minutes, 47 seconds
Episode Artwork

Building a Student-Run SOC to Meet Threats Head-On

On today’s episode, Aaron Baillio, the CISO of the University of Oklahoma, joins us to speak about his transition from the Department of Defense to higher education, how he managed merging teams, and how incorporating students into his SOC has benefitted everyone.    The Switch from DOD to Education  Before Aaron worked for the University of Oklahoma, he worked for the Department of Defense for 11 years. He reflects on how the DOD is primarily concerned about keeping secrets, whereas  The higher education space is ultimately about giving away all the secrets. He loves how open the community to exchanging ideas. Listen to the episode to hear more on what he learned in his transition.   Education vs. Commercial  Aaron also discusses the intrinsic values in education: how everything you do is meant to support the student and to help educate and prepare them for life. The DOD, however, is all geared towards supporting the solider. He finds it very satisfying to be among young people.    It’s also important to note that the salary in the education sector is about 12-13% less than commercial area. However, the education will offer free tuition for dependents, like children, and provides a better work-life balance, as they can’t compete with the salary.    Aaron also speaks on the different security perspectives between the Department of Defense and education. Listen to the episode to hear how one field offers very ad hoc or tribal knowledge, whereas the other provides methodical training.   Changes in the Job When Aaron first began, there was already a CISO, and then 9 months later, the CISO left. He had to learn how to adjust while still adjusting to the job. Then, 4 years later the CISO leaves again but during immense change for the university. Aaron rose to the occasion and moved into the role. His advice during times of change in your institution is to perform at least at the same level, if not better, than before the change. He iterates that you cannot slack.   He learned that he had to let go of some of the technical information, and focus more on management side of the job, as well as learn the multiple layers of politics.    Taking on the Leadership Role  Fortunately, Aaron felt like he was supported by the university during his transition to a new role. He gives advice on what to do if your institution doesn’t support you. He encourages the listeners to get involved with charitable organizations or read books and listen to podcasts on leadership. However, when you’re practicing leadership, you will learn more, so it’s best to join organizations.    Centralization at OU  Campuses were so disorganized and disconnected  But then a years ago, they acquired a new president, who wanted to centralize and consolidate the campuses    Each campus had its own IT department and budget, so he had to oversee how to integrate this with grace and rationality    Biggest hurdle was standardizing the technology  While the faculty are the state employees and working towards tenure, they also act like contractors because they receive grant money and don’t want to conform to a standard way of doing things  Managing people’s feelings was the greatest difficulties  The people who didn’t want this amount of change left the organization  Student Incorporation Aaron tells the story of a student coming to him and asking to learn cybersecurity. This sparked him to begin teaching a class on the 10 domains. Listen to the episode to hear his story.    He also discusses how the industry wants people to have experience to get any job in cybersecurity, but they can’t get experience without a job. It became clear to Aaron that graduates out of OU were struggling to get jobs because they didn’t and couldn’t have
12/10/20201 hour, 2 minutes, 30 seconds
Episode Artwork

2021 Cybersecurity Trends

On today’s special episode of the New CISO podcast, Steve Moore chats with Deneen DeFiore of United Airlines, Colin Anderson of Levi Strauss & Co. and Charlie McNerney of Expedia on what it’s been like as a CISO during the pandemic.    COVID and the Airline Industry  Deneen begins by discussing how she became the CISO for United Airlines right as COVID hit. When the pandemic reached the US, there was a lot of fear that the airline would not make it. Because of this additional stress, Deneen focused in on what the priorities were from a business stand point. She touches on how her team had to juggle the increase of cyber criminals and threat actors, as well as maintaining the business and transition to telework. This amalgamation of challenges made her really assess what’s the most bang for your buck in terms of security – especially when the business is tightening its budget already to survive the pandemic. In terms of technology, Deneen and her team had to ask themselves what technology will help and protect the business right now and what can they put on hold. The incredible plans they had for the future had to be pushed back and implemented at a later date.    Adjustment for the Airline Industry  Like Deneen, Charlie is in the travel business, and speaks on how the change wasn’t gradual but rather sudden. Expedia had to adjust quickly, which was taxing from a digital and physical perspective. He says they had to focus on the most important questions: how do you take care of the employees as well as the travelers? In addition, how much self-care do you have for your system? Like every other business, Expedia’s initial plans had to go out the window. Then, they had to develop new plans and implement them in an effective manner.  In terms of the future, Charlie points to the new catchphrase: there was a lot of perspiration to shut everything down, but there’s also a lot of aspiration to open up again.   Opportunity in the time of COVID Colin discusses how, while they experienced a dramatic decline in revenue, Levi’s thought they could innovate and come out of the pandemic better than before. The challenges they have faced have forced creativity and technology to evolve. While revenue is still hurting, they’re investing in the future. This situation has forced them to do 2 years of change in a 6-month period. Overall, he feels these past few months have been challenging but exciting.  Priorities for 2021  Going into 2021, Deneen and her team are focused on safety and less interaction. They are coming up with a system that keeps everyone save by using more online measures, biometrics, and new technologies. Unlike before, they now need to collect more health data, and find themselves with a greater dependency on digitization and automation. Biometrics, for example, is a technology that used to be a nice thing to have, a bonus element. Now, however, it’s a necessity. Listen to the episode to hear more about how they’re streamlining their process and expanding Clear.    Updates during COVID Colin and his team used lockdown as an opportunity to update software and hardware that they’ve been wanting to but would’ve been too disruptive under normal circumstances. Because of this, they were able to push forward new solutions. Historically, the security budget was focused on enterprise security, with a small portion carved out for product security. Now, that’s flipped. Listen to the episode to hear more about Colin’s perspective.   Colin also discusses the importance of protecting the consumer and protecting the trust between the enterprise and the consumer, especially for a consumer facing business. He also touches on how to maintain trust with the customer, as well as placing yourself in the position of the attacker in order to better combat threats.    Perspective on Risk  Deneen...
11/26/202059 minutes, 11 seconds
Episode Artwork

Are Hiring Policies Driving the Cybersecurity Skills Shortage?

On today’s episode, Steve Marshall, the CISO of the UK Group for Byte Software, discusses how he moved from biophysics to cyber security, how security impacts business decisions, and why he thinks the hiring process of the industry is overlooking talent for certifications.   Steve’s Journey  Steve originally studied physiology and was on his way to receiving his PhD when the IT world called to him. He ended up not completely his degree to work in IT and become the head of the department, and eventually, move into security across North America and the UK. For the past fifteen years, he’s been in a management position. Listen to the episode to hear more about his journey and how he went from physiology to CISO and CIO.  What is “good”? Steve thoughtfully questions what a “good” CISO is in this episode. He believes there is no single answer, as each company needs something different. Steve also observes that the industry is moving towards having people of blended skill sets and different backgrounds, and therefore “good” for one organization could mean adequate for another. As technology is changing so quickly, the traditional standards of what a CISO should be, what qualifications they should have and what they should do are rapidly changing.    To Steve, a “good” CISO fulfills the needs of the individual company, as well as challenges that company to do better.   Security and Business  Like many CISOs, Steve initially struggled with talking to boards. He understands that many security people are really passionate about security and care about the business, so when they see the business making decisions that put them at a greater risk, they are bothered. However, Steve believes that they aren’t seeing the whole picture and miss out on the other factors that are driving these decisions.  Reach Across the Aisle  In order to get around this tunnel vision, Steve encourages CISOs to build connections with the movers and shakers of the other teams, so that you can better understand what drives decisions.    Steve goes on to explain why understanding different teams is imperative for business decisions, internal support, and collaboration. He stresses that the key is to listen. For Steve, he attends different meetings across different fields within the company to have a better idea of what each team is working on and what their needs are. Additionally, he tells a humorous story about how listening to the conversations during a smoke break made him well respected in his company. Listen on to hear that story and how connecting with other leaders makes you and the company stronger.  Steve’s Two Roles  Due to the dual nature of his roles, Steve has to sit in many sales meetings, while the typical CISO does not. No matter your role in security, every company is trying to sell a product, and it’s important to understand the sales team so that you can better assist, but also so that your voice is respected and heard when you have something to say.   Who Owns the Risk? While many CISOs feel they own the risk, as we have discussed many times on this podcast, Steve feels that he doesn’t own the risk. Instead, he feels the business does as it’s the one who succeeds or fails based on the risk itself.    Steve’s perspective is that he’s in charge of understanding the data and making that data clear to the higher ups, but he doesn’t own the data itself. We talk about how you need to have a mature and respectful conversation with the other teams in the business in order to come to a consensus about risk. Listen to the episode to hear of Steve’s perspective and how this view of ownership affects the communication around the risk level, the proper controls the security team needs to put in place, and who signs off on risk decisions.  Reporting  When...
11/12/202050 minutes, 37 seconds
Episode Artwork

Translating Your Military Experience of Operationalizing Security into the Private Sector

On today’s episode, Jeff Schilling, the CISO for Teleperformance, joins us today to discuss the transition from a security career in the military to the private sector, the importance of relationships, and security in relation to the Cloud.  Transition from the Army to Civilian Life  Jeff recounts his career in CISO, first discussing Teleperformance, which he joined this year. He then dives into the 24 years he spent in the military, which ended with his retirement as a Colonel in 2012 from US Army. Though his army career was very varied, he loved every part of it.    When he left the military, Jeff did a 180 and decided not to work in government, which proved a more difficult path. He learned early on that the threat profile is very different in the civilian sector than it is for the military, as well as how that threat is discussed. One of the hardest parts of the transition is the lack of basic security knowledge or awareness in the civilian sector.  In the military, everyone is speaking that language and thinking about security and security operations center. Listen to the episode to hear more about the challenges that Jeff overcame, and the insights learned.      Thorough Examination  One of the other important lessons the Army taught Jeff was diligence. He approaches every potential threat or breach with a thorough process. He believes that while many security officers excel in stopping a crisis in the moment, they forget to step back and assess why that crisis occurred in the first place.    Jeff speaks on how after a breach, many SOCs place the work on the IT team. However, he believes that everyone involved should examine what actually went wrong and make an effort to document the incident correctly. If the incident is documented thoroughly and accurately, then leadership has a better chance of properly understanding what occurred and how to prevent similar breaches in the future    At the end of the day, Jeff says “it’s what you measure, and how you measure it.”    The Importance of Relationships  Jeff next speaks on how he has witnessed many CISOs and CIOs say they will never work for each other. He believes this is the wrong attitude because those are all people that can help close your security gaps and make your job and life easier. He acknowledges that you don’t need to be buddy-buddy, but you do need to have an understanding of how someone else’s goals intersect with your own.   Jeff touches on how this relates to viewing the SOC as a whole. He advocates for a normalization of data across all sector in the risk management. Data needs to be translated into a risk statement that makes sense for that risk officer in order to show the gravity of the situation in a way that is clear and understandable. Listen on to hear more of Jeff’s thoughts on why clear communication and respectful relationships affect security.  Elevated Privileges One area of security that Jeff points out is currently weak is the protection around elevated privileges. He illuminates how many major breaches have been a result of a security issue with those that have elevated privileges. For example, the lack of a two-factor authentication code for execs because they don’t want the extra step of looking at their phone poses a threat to security that could easily be solved.    The Security Environment in The Cloud  Jeff recounts a funny story in which he wound up speaking at Cloud Security conference as the expert for the Department of Defense, when only a few weeks prior, he had to Google what the cloud was. Listen to the episode to hear how this assuming antic occurred.    In talking more seriously about the Cloud, Jeff asserts that it’s actually easier to defend on the Cloud, as he no longer has to wait for someone to go to a data center and make sure all the...
10/29/202052 minutes, 42 seconds
Episode Artwork

Culture Eats…Security for Breakfast

On today’s episode, George Finney, the CISO of Southern Methodist University, joins us to discuss how cybersecurity is a team sport that depends on openness and collaboration, and examine how culture can directly impact the likelihood of future breach.    How a Law Degree Helped George  George Finney is an accomplished CISO with a more unique background: he has a JD. While it’s becoming more common for CISOs to get an MBA, it’s rare that they would have a law degree. He attended night law school while working full time, reading thousands of pages of dry legal cases. George reflects on the process and says it helped push him to a new level of work, made him more efficient, and helped him understand the big picture of “why” with cybersecurity.  George says receiving higher education made him more curious and gave him more of a global understanding of the business. While he doesn’t encourage every CISO to apply to law school, he points out how useful it can be to understand security through another lens than just a technological one. Additionally, higher education degrees help CISOs more with employment opportunities.    Advice for 25-year-old George  George reflects on what advice he would give his younger self. He focuses on how your career is a process; he’s worked corporate jobs, startups, and attended law school. He believes that those different experiences can help prepare someone for a leadership position. He tells his younger self to embrace variety and wishes he had pursued more diversity in his career.  He touches on how he’d tell his younger self that cybersecurity is a team sport, which we delve more into later. The Healthy Leadership Mindset  Traditionally, there is the idea in cybersecurity that the problem is always people-based, or that certain people are to blame. However, this pervasive attitude discredits employees and doesn’t allow them rise to the occasion. George speaks on how leadership needs to include mentorship, and needs to want people to succeed, instead of just waiting for them to fail.  Listen to the episode to hear more about the dangers of writing people off as “dumb” instead of taking the time to help them improve.  The CISO that Cried Wolf George also discusses how the fear of being poorly perceived can impact security. He gives the example of Robert Ebeling, the engineer who tried to warn NASA about the space shuttle the Challenger. Unfortunately, he was ignored, as he told his management something NASA didn’t want to hear, and as a result, the astronauts died.  We speak on the nuances of trying to navigate the CISO position, as its purpose is to raise alarm when necessary. We talk about how you don’t want to be the CISO that cried wolf every time there is potential for risk. However, you also don’t want to keep quiet out of fear. Listen on to hear what George has to say on this topic.  Well-Aware: Master the Nine Cybersecurity Habits to Protect your Future  Whether you are a technical or non-technical leader, you can benefit from this book through the lessons you learn in his historical and psychological examples    George wrote the book because he wanted to help CISOs bridge the gap in speaking to other leadership positions within the company    Professional development book for CISOs specifically    Focusing on habits and small challenges that can make a huge difference    Potentially adjusting these habits can help prevent attacks    Listen to the episode to hear more on the nine habits and more about George’s book Leadership in the Time of COVID George urges team leaders to have extra compassion in this time. People are now in a seven-month long stress period—whether with kids at home or worrying after elderly parents. As a leader, it’s important to...
10/15/202046 minutes, 37 seconds
Episode Artwork

Managing Risk While Building Trust in a Post - Breach Environment

On today’s episode, Charlie McNerney discusses shared responsibility in cybersecurity, the idea of trust, and how diagnosing a problem before treating it has aided him in his career.    Early Retirement and Intellectual Income  After working 25 years at Microsoft, Charlie retired early. Six months later—after getting a boat and a dog—he found himself bored and seeking, what he calls, an “intellectual income experience.” After a phone call from a friend, Charlie ended up consulting for Expedia Group, and eventually came on as a full-time CISO. Listen to the episode to hear more about what an intellectual income is and what it means to Charlie.    Shared Responsibility  In setting up Expedia to understand what they need in a CISO, Charlie had to encourage them to question if they understood their risk posture now, and who was responsible for risk. He delves into how a company can value risk and actively try to understand it, as the Expedia Group does, but still wonder who certain tasks fall to. Charlie relays how imperative it is to convey that everyone shares the responsibility of risk. We discuss the importance of recognizing how anyone can impact risk and how the security team needs to articulate this to the rest of the company.    Trust in a Company  Charlie also touches on how every company is at risk nowadays to hackers or breaches, as every company is now a tech company. As a result, trust in the company, for the customers, supplies or between the employees is so important. In order to be effective, the security needs the support and trust from the rest of the company, especially from company boards. If boards can value the trust in the company and understand how that impacts finances, then the security can be more effective.   The Medical Model for Security  Charlies believes in following the medical model in his approach to cyber security. What he means by this is to copy the way doctors tackle illness: symptoms, diagnoses, treatment, recovery. If you treat a problem before you diagnose, it leads to malpractice—the same applies to security. When you discover symptoms, you need to put the security risk in terms of their transactions, not in terms of risk. Charlie encourages the CISO to not sensationalize and scare people until you actually know what’s going on. Building Trust During a Crisis  As we’ve discussed before on this podcast, having a playbook before there’s a crisis is imperative. What Charlie points out is also making sure everyone is aware of the playbook and comprehends it before a breach. His advice for a CISO during a breach: focus on data and not feed into fear. In addition, it’s important to communicate properly with other teams within the company. Liston on to hear what Charlie believes security teams need to convey to other departments in the business.   Competition and Cooperation  Charlie reflects on what advice he would’ve given his younger self. To him, when you’re younger and trying to understand your position in the company, you can get competitive with yourself and others. When you’re in that competitive mindset, you miss out on the cooperative mode. Charlies delves into how focusing on a title can lose relationships that you will need later. He shares his advice for how to be collaborative with others and how to have better emotional intelligence. Listen on to hear more about why cooperation is better than competition in the workspace.   Being a Respectful Leader and Finding Respectful Leadership In this episode, we converse on how you need to love what you do and how even if you enjoy your job, if you hate your boss, you’ll hate your days. Charlie disagrees with the mentality of living for the weekend. Hear what else he has to say on the significance of work culture.  Legacy in Leadership  Charlie brings up being...
10/1/202054 minutes, 54 seconds
Episode Artwork

Lessons Learned from the “First CISO” Part 2

On today’s episode, we continue our conversation with Steve Katz, the first CISO, and discuss the importance of understanding yourself, your role, and the company for which you work. Marketing Yourself Within the Company    One of the things that Steve stresses is that you need to be able to market yourself and the role of CISO to the rest of the company. It’s only in your best interest to know how to articulate why cybersecurity matters and how it impacts the business. In order to do so, you must first understand the company and its products, because only then can you effectively explain how your position can help the business. Listen to the episode to hear more about Steve’s thoughts on business relevant security.    Your Mission and Foundational Principles     One question Steve always asks CISOs is if they have read the company’s mission statement. Steve believes it’s a big problem to ignore the fundamentals of a company. Additionally, he advocates for every CISO coming up with a mission statement for their own team, and to align that mission with the company’s mission. He recounts how coming up with 5-10 foundational principals changed the group mindset, provided clarity to the work they were doing, and overall, change the culture of the team.  The Citi Breach and the First Time “CISO” was Used   Steve recounts another incredible tale about how an enormous breach at Citi led to the solidification of his role as CISO, and of the coining of the term. He joined the company when they were experiencing a security issue and were losing valuable bank customers. In this episode, he relays how he had to meet with top 20 customers to ask them questions about security, and to answer their questions. He was expected to keep only 50% of those customers after his meetings. He came back with all 20 customers. Listen on to discover what questions he asked them, and how he managed to maintain their trust and business relationship.     Know Yourself    We discuss the importance of knowing yourself as a person and how this affects your abilities as a CISO. Steve encourages you to understand your strengths and weaknesses—and to hire someone who can compensate for the areas in which you struggle. He admits that he excels at identifying talent and getting work done efficiently but can’t handle details. He is honest with us today to encourage you to be honest with yourself and to act accordingly.    The Customer’s Perspective    Though briefly touched upon, Steve reiterates that you must make an effort to keep in mind the customer’s perspective. In this regard, he hired only multi-lingual regional officers who could therefore explain the security problem in the local tongue. This made them a friendlier face that welcomed a more trusting relationship.   The C’s of Finding a New Job   Steve also runs through his criteria for the job search, which he calls The C’s. The C’s include challenge, commitment, chemistry, culture, clarity and compensation. What he means by this is how challenging the job is, how committed is the company to resolving issues, what the chemistry is between you and the person you’re reporting to, the workplace culture, clarity as to what success looks like, and lastly compensation. He stresses that compensation is the last C to prioritize. Listen to the episode to hear Steve expand on The C’s and why compensation is actually the least important criteria. Meetings with Vendors    When it comes to meetings, Steve believes that vendors need to do their homework, be clear, and need to get to the point. He shares a humorous tactic on how he got vendors to sell quickly and effectively. He also tells us what the one question is that he asks at every vendor meeting, and why you need to be extremely cautious when planning a live demo....
9/17/202038 minutes, 39 seconds
Episode Artwork

Lessons Learned from the “First CISO” Part 1

Early Days of Security at Morgan Steve first began working in cybersecurity at JPMorgan, then known as Morgan Guarantee. He recounts the attitude towards CISOs in the 1980s, where many people didn’t really have a concept of cyber security or what it looks like. When Steve started, he had to change access rules and work against the resistance to PCs and Apple technology in banks. Listen on to hear his stories and how he overcame skepticism towards cybersecurity. Building an Active Community One of the many amazing experiences Steve tells is how all the data security officers from the NY banks would get together every three months. They would spend the morning eating donuts and drinking coffee, but also exchanging contact information, discussing what was going on in the field, and brainstorming together. Before Twitter—or even just internet—the CISOs would connect over breakfast and help each other out. In this episode, Steve recounts how 12 officers from different banks helped him make a deal with a difficult vendor. A Board Presentation and its Lessons One of the best, and most valuable stories Steve describes is in the early 80s, when he and his team discovered several PC viruses. When he told his boss, Steve had to stand in front of the Board of Directors with zero prep work and explain what computer viruses were and how they can impact Morgan. In under three minutes, he had acquired $400,000 to implement antivirus techniques. In this episode, he relays the incredible story and the life lessons he learned about communicating with executives and why being transparent is best. Effective Explanations Steve puts forth his theory on how most executives view themselves and how this influences the way in which you need to explain cybersecurity matters. He urges CISOs to go through everything carefully and logically, and to rehearse your explanation beforehand. He says your explanation needs to pass the “grandma test” before you speak to an executive. Listen to the episode to discover what he means by this.  Steve also illuminates why a lot of security people struggle to explain themselves. He points to who they surround themselves with and how they need to shift their thinking when speaking to leadership. Unrealistic Expectations and Stress on CISOs In this episode, we also touch on how studies have shown that CISOs tend to have high levels of substance abuse, divorce, physically poor health all from stress, as we’ve discussed in previous episodes. Steve believes the problem is in how we define what goes with the job. CISOs go in afraid of being fired after a breech, but the industry hasn’t accepted the fact that a breech will happen. Every CISO gets fired at some point, but Steve states that you should get fired for doing the right thing, not the wrong thing. He encourages CISOs to come into the job by being clear about what’s feasible and what’s not. To explain that there’s no perfect cure, but we can reduce risk, and build trust and credibility with the executives. Most of all, don’t make promises you can’t keep. On this topic of the relationship to executives, Steve encourages CISOs to get to know the leadership before there’s a problem or breech, so they know who you are when it happens. Let them know why you’re there and what’s important to them, not to you, by focusing on business risks. Present these risks as you understand them, their impact, and the ways you can potentially mitigate. To help buffer personal stress, he explains why the ultimate risk is on the business itself and not on you, and how who you are isn’t the same as what you do. What Steve Loves about the Job While there are many stresses to the job, Steve brings up what he loves most about it. He feels stimulated by the constant challenges and loves the cybersecurity community. Listen to the episode to hear more about why this community means so much to him and why, in...
9/3/202038 minutes, 39 seconds
Episode Artwork

The Benefits of Finding a Security Vendor Who Can Act as a Trusted Advisor

Improving the Sales Process    In this episode, we discuss how and why it’s so difficult for a security team leader to discover new trends in technologies in a safe and effective way. Damien points out that it can be challenging to discern who and what to rely on when broaching new systems. Listen to the episode to hear more about how to find the right balance of someone who understands the company and the importance of building a long term, trusted relationship.     Advice for the New Salesperson    One of the first points that Damien brings up is that the best way to increase your sales isn’t always trying to sell everything new. Rather, he encourages the salesperson to focus on building sustainable and genuine relationships with clients, that will then result in introductions to others in the field. We delve into why CISOs tend to shy away from salespeople and what to do about it.    Reaching Executives You Don’t Know     If you are in sales and struggles to cut through the hesitation and cynicism to reach executives you personally don’t know, how can you do your job? Damien suggests several strategies including referrals and what that requires, as well as attending conferences and how to properly go about starting conversations with new people.       Two Types of CISOs    In examining the culture around CISOs, Damien identifies the two personas that frequently crop up and the problems with each. First, there is the traditional CISOs that are aggressive in order to reach the top of that particular environment, and as a result, can have a superiority complex—even towards other CISOs. Unfortunately, these people are hard to change when it comes to sales relationships. Then, there are the steady and calm leaders, who have consistently delivered. However, sometimes they feel overwhelmed and when they get cold sales calls, they can be dismissive.  Damien reminds everyone is human and to give everyone a chance.     Social Hierarchy of CISOs    In this episode, we talk about what good-natured CISOs can fall prey to, and what we mean by a “Hollywood” CISO. Damien identifies real leaders as those who want to learn, but also want to pay it forward through education, experience and introductions. He believes this is what makes a good CISO with a longstanding reputation in the industry.       The Problems with the Award Systems     The idea of “Hollywood” CISOs brings up the point that there are some companies that   have better marketing and PR, and therefore result in the same individuals winning awards. We discuss how unfortunately, this creates a boy’s club, so to speak, that ends up shutting out those of different backgrounds, cultures, experiences. Listen on to hear about the consequences of generating a myopic view of leadership.     Factions in the Industry and Shifting Positions    Particularly in Australia, Damien delves into how the CISO is starting to morph into the CSO and the factions that are forming in the industry. While some people believe the position is all about the tech and data, others believe it incorporates consideration about the work culture and organization. Although there are different theories, one thing remains clear: one person can’t do all the responsibilities anymore. Listen on to discover why this fragmentation occurs and how leadership backgrounds provide different lens through which to view the role of a CISO.     Misaligned Incentive and How Capitalism Affects the Technology     We delve deep into how and why politics and business now seep into technology decisions. Capitalism pushes companies to look for growth from year to year, which incentivizes employees but can also have many negative...
8/20/20201 hour, 2 minutes, 54 seconds
Episode Artwork

Why the “Shiny New Thing” in Cybersecurity Isn’t Necessarily the Best Solution

In this episode of the Exabeam Podcast, the host, Steve, and guest Chris Ard, discuss the more human aspects of the CISO role, effective leadership, and how complacency can be a dangerous quality.       Work-Life Balance    The first topic we covered was finding a work-life balance that benefits you and your family. Chris spent twenty years working for Microsoft, traveling all over to companies with major security breaches and helping them control the situation. Although he learned a lot and loved his job, he realized he barely spent any time at home, and when he did, he was always on calls. We discussed how easy it can be to settle into a role that you enjoy, but then end up remaining in your comfort zone. Once Chris acquired a new job did he find himself growing once again and spending more time with his family.     Good Talent, Bad Breaches     Spending two decades assisting different companies, Chris picked up on an interesting discrepancy between the talent and the security breaches. While breaches happen to everyone, some seem completely avoidable or like a mistake. As we talk about, many companies hire talented, intelligent people—and yet these preventable situations occur. Chris weighs in that many times, leadership can influence the strength of the security. If a CISO is willing to accept cookie-cutter systems as oppose to implementing a more holistic approach, their security can suffer.     M&M Model     Chris outlines a great metaphor for the condition of many security measures—the M&M model. The team has built a hard exterior with a soft interior, meaning, once an advisory has breached the initial wall, its free to move about in that environment with no obstacles. Listen on to hear more about how this happens.     Bad Actor Residency     We also speak on how it can sometimes take not just weeks, but sometimes months or even years to detect bad actors. We point to reasons why adversaries can remain in an environment for so long, and how teams or companies can overlook root causes.     CISO’s Ownership of Breaches     In today’s episode, we also pull outward to look at the hiring and firing system of CISOs and how it may not be the most effective system. When there is a breach, the CISO often takes the blame—but so much so that they end up having to leave. The issue with the CISO leaving is that they can never learn where things went wrong for that program and work towards growth. Listen on to hear about the teams Chris has encountered that do not get rid of their CISOs and how this effects their security overall.     Invested Leadership     The extent to which a leader makes an effort with the rest of the team has a surprising impact on how well that team performs. From sitting down with junior analysts, to receiving less filtered information, CISOs can transform how their team handles a crisis just by getting to understand them and their concerns prior to that crisis. Additionally, we touch on the commonality of leadership being pressured to alter assessments to fit certain initiatives.     Marathon or a Sprint?     The intense schedule of any CISO causes us to ask if this job is really a marathon or a sprint. In a way, you have to maintain the energy for daily tasks like a marathon, but in other ways, you burst towards the finish line while trying to stop a crisis. In thinking about the CISO burn out rate, we debate on how more problems can arise if one side is neglected, or if the team communication breaks down, leading to wasted energies. Hear about our different opinions on the matter in this episode.      Pen Testing and Compliance     A great point that Chris brings up is the failures of the pen tests,
8/6/202049 minutes, 29 seconds
Episode Artwork

Making the Leap from Engineering to Cybersecurity Leadership

In this episode of The New CISO Podcast, the host, Steve, and guest David Rule of HarbourVest, discuss the skills he learned to transition from engineering to executive management, the evolution of leadership styles, and better ways to prepare for crisis management.     Transition from Engineer to Executive Manager     The first topic we covered was David’s transition from being on the tech side of security, to assuming a CISO position. We discuss how this change may be more challenging than originally anticipated, so in order to focus on developing leadership skills, David suggests entering a management role in a field in which you are familiar. He understood security and coding, and therefore he could spend more of his time learning how to be an effective leader.     Nontechnical Managers     While David’s path benefitted him, we also talked about the growth of more nontechnical leaders in cybersecurity. There are advantages and disadvantages to working under a nontechnical manager. How can you, as the employee, support your boss? Well, David points to the important skill of communication. Learning how to explain complicated concepts to someone who has less specific knowledge than you do proves to be an imperative skill for yourself, your manager, and the team.     While nontechnical managers offer knowledge in other areas such as business or client relations, they have to be careful when it comes to proposals. If the company proposes a specific plan, the nontechnical manager could sometimes miss spotting future issues once s/he delves deeper into the tech itself.        Administrative Rights of the Technical Manager    As a technical manager has specific background in cybersecurity, s/he can be tempted to fiddle with the coding. However, the technical manager must stay away from the daily, more administrative tasks, for several reasons. Listen to the podcast to hear our different points on this subject!       Advice for the Younger Self     Another interesting conversation we had was on the type of advice we would give to our younger selves. David feels he should have been more self-aware, and more willing to accept constructive criticism. To him, feedback is a gift, and you can only improve once you see it as such. In addition to self-awareness, we discussed situational awareness. This skill helps guide you in knowing when to speak and when to listen. Listen on to hear more about how this tool can aid you in meetings and increase your social relations at work.     Client Relations    A key aspect to any management role that other employees do not always have is navigating relationships with clients. David walks us through his approach to speaking with new clients—and it doesn’t begin with the tech. You can hear more about the specifics in this episode.     We also covered mentoring junior staff when it comes to client relations. David points out that meetings with clients helps junior staff members in two ways: you can explain to them what needs to be accomplished in the meeting, and then they can see you do it in person. This real-life experience helps them grow as an employee at a much more rapid rate. From you, they can learn how to deliver difficult news and still maintain grace.     Crisis Management     Another essential topic we spoke on was how to best train your team to manage a crisis in an effective way. David points out an astute observation: that by the time people have reached a leadership role, they haven’t worked through the problem at that level. They find themselves spending time on introductions and acclimating to the situation, which, in a crisis, is the worst time to have to do these things. To resolve this issue, David began an...
7/23/202044 minutes, 28 seconds
Episode Artwork

Is Our Understanding of who Owns Risk Driving CISOs to the Edge?

In this episode of The New CISO Podcast, the host Steve Moore, and guest Gary Hayslip discuss the difficulties veterans face when transitioning to the business world. They also converse on how to remedy security failings, and how risk ownership mentally and physically impacts CISOs.       A Challenging Transition for Military Personnel      After serving in the military for however many years, enlisted personnel receive one class on how to transition to civilian life. While the class teaches how to format resumes, it doesn’t provide the amount of support military need to adjust to a new lifestyle.     When you are in the military, everything is organized and planned out for you, from your day, to your week, to your month, to your year. You always understand what you need to do, and what path to follow.     When that type of strict structure falls away after duty, many veterans feel lost. They enter a new world filled with so much uncertainty. Suddenly, they have nothing planned out—they don’t even know what they’re doing the next hour.       Overcoming Fears     In order to overcome this anxiety, Hayslip stresses that you must begin planning your civilian life while during your tour—and more than just in the last six months of your time. He suggests planning out civilian life as early as two years ahead of time. If you start early, you leave room for any road bumps you may encounter.     Moore and Hayslip recognize that this transition is a period of intense personal and professional growth. Oftentimes, vets can feel helpless, wondering how they will provide for their families. Hayslip suggests that military can rely on what they already know: community and mission.      We discuss on today’s episode what Hayslip means by discovering a new community, one that connects them to a broader purpose and to others. We also talk about finding a new mission, and how this can help transitioning vets find themselves again.       How Non-vet Employers Can Help     As a non-veteran, Moore asks how employers can help their recently hired vet-employees. Hayslip suggests that veterans need to be provided guidance, but also a level of flexibility. Military personnel need to understand how much room they have to move. We deliberate on the nuances of steering vet-employees, and how to communicate the level of risk they are allowed to have.      The AAR Process     In broadening the topic from veterans to cybersecurity companies in general, we discuss the proper and most effective way to process an AAR.     Hayslip emphasizes constant documentation and how AAR needs to be information and solution focused. This includes as much data and documentation as possible.    In addition to data and documentation, Hayslip advocates for providing opinion and experience. If you offer why you made a specific decision based on previous experiences, then the team leader can have a better context to what happened. The leader can focus on why your decision worked one time and not another.       What doesn’t work for AARs    However, we believe that sometimes the process of an AAR becomes muddled.     Hayslip points to when blame enters the equation, the AAR becomes ineffective. If one group is blamed in particular, then no one learns what actually happened. It also leads to people shying away from honesty. Moore highlights how bad leadership uses an AAR as a weapon against the employees, which only breeds mistrust and inefficiency.    Hayslip offers his solutions to combat a toxic environment surrounding an AAR, such as breaking the teams down into small groups and facilitating self-reflection. In this...
7/9/202047 minutes, 43 seconds
Episode Artwork

The State of the SOC in 2020

The American vs. European view on Insurance     In first reviewing the report, we were struck by how Europe leads the rest of the globe in insurance to manage risk compared to the US. While the adoption rate of insurance is slowly growing in American companies, their European counterparts take precedence. This could be because European teams have a better understanding of how to use certain types of insurance, or that the European insurance markets and carriers better address cybersecurity risks than the US currently. Alternatively, this difference could boil down to not necessarily capabilities but to viewpoints on insurance. As Steve states, the American perspective is that insurance does not take the place of security programs. Perhaps this idea differs across the ocean.         Who Leads in What Areas     In studying the US, UK, Germany, Canada, and Australia, we mull over why certain countries dominate in various areas. In terms of possessing insurance itself and working with their privacy departments, Germany takes the lead—and significantly. Germany’s stats surpass that of Australia’s in possession by around 20%. For outsourcing, the UK and German dwarf the US. However, this piece of data may speak to another shifting trend—that more US companies are embracing outsourced security. We discuss why in the US in particular, we see that reach for autonomy in operations, even if it’s not the most beneficial system.      Overconfidence?    High percentages across the board show that many employers and employees feel fully confident in their ability to detect a threat. Is this a positive reflection on the industry or is it overconfidence? Does this perhaps relate to testing—adequate or not? We discuss what goes into confidence itself and the discrepancies between the perspective of the managers and the frontline workers.       Attracting and Retaining Talent     The difficulty with staffing can heavily influence the validity of the team. Being understaffed, significantly understaffed, or lacking staff with the right skills cropped up as a relatively common issue in many teams. We debate on what causes the issue of identifying talent and question if it connected to the absence of hiring standards. Low hiring standards may present as the obvious problem, but extremely high and inaccessible standards also generate equal issues. It can lead to a small number of job candidates—a pool in which the best person for the work has already been cut out due to innocuous details.     On top of initial staffing is the idea of retaining top talent. The data revealed huge discrepancies between how leaders think they can retain talent and what skilled employees seek. While many managers believe the key is good pay, workers point to issues such as eliminating the mundane, poor leadership, or lack of communication. We also draw in additional points: how managers need to know their analysts by name, understand their areas of stress, and respecting them as simply human beings.     The Undefined Career Path      Another major inconsistency the report highlights was defining a career path for workers. In fact, when asked the question of one’s career trajectory, only 15% of employers valued it, while 64% of employees did. This is the biggest discrepancy in the report. A conversation needs to start to address this misunderstanding. Perhaps many CISOs don’t understand what SOCs do, or they think they do. Many employees want mentorship and guidance. If you invest in your frontline workers, they will better invest themselves in their work and in you. Unfortunately, mentorship in leaders is not always measured or rewarded—but maybe it should be?       How do you measure your program?    The report also brought to light how each...
6/25/202053 minutes, 58 seconds
Episode Artwork

Determining Risk Tolerance for a 100-Million-User per Month Organization

Tune in as Steve Moore talks with Christopher Hymes, the CISO of Riot Games, about acceptable risk and the parallels between anti-cheat teams and threat hunting. Security Within The Gaming World The video game market is massive, there are a ton of games and a ton of gamers out there. Like any large industry, the gaming industry is not immune from security threats. Games are fun because they are competitive, you have to build the gaming skills over time. This opens up an entire market for cheating scams within the gaming industry. The game developers have anti-cheat teams to help combat this problem, cheating in the games is not only unfair, but it makes the experience less enjoyable for all the other players and poses a threat to the developers as well. If the game becomes less desirable then people won’t want to play, in turn ruining the developers market.    Advice To A Younger Self In the security industry everything can seem critical all the time, every issue can seemingly need to be solved immediately.  A strength of an effective CISO is being able to step back with a calm perspective and look at the bigger picture. Remaining calm in a crisis is a way to avoid causing panic and effectively solve the issue at hand. Especially when you are new to a company or position there is an innate desire to please those above you in the company, but being able to lead by example and remaining calm will make dealing with the problem an easier process. Going full steam ahead 24/7 leads to burnout, so prioritize your moves and what you consider a major crisis. The security industry is a high-pressure industry, so being able to recognize that and alleviate the pressure where you can, can make for a better working environment.    Necessary Roles Of Security Leadership  Security is often overlooked by startups as a necessary position from the beginning, most companies establish themselves then add a security team later. This puts the security team and CISO at a disadvantage from the start, because they are often brought in to solve an issue that is already present, instead of being hired in a proactive way. Security within companies needs to be culturally embedded into the organization ethos, it needs to be built in from day one. Security teams build trust and need to be viewed as an essential building block to any company. Building a security team takes time, but when a team is built with consideration and the strongest values have been instilled in every team member, the team should sustain many years and last after the CISO has left. Being a CISO is a leadership role, so build the team you want your name attached to for years to come.    What Being A New CISO Means Being a new CISO is not about the technology. It is about the mindset, about building the teams, and being a calming voice of reason for the organization. When you as a CISO are seen as a leader within the company, it benefits everyone.    Resources: The New CISO: Linkedin Christopher Hymes: Linkedin Riot Games: Website Exabeam: Website
6/4/202049 minutes, 22 seconds
Episode Artwork

Getting on With the Business of Security, by Building Trust

Career Transitioning After Decades With Another Organization Being with the same organization for a long period of time is a wonderful achievement, but when you’re ready for a change of scenery, the transition can be tough after such a long stint with one organization. Being able to set up into your new role with fresh eyes and ears to really listen and get to know your new team can quickly build that working dynamic. If the industry is different from the previous organization, that adds another layers of learning into the mix, so really taking the time to research the industry and have an understanding of where the new organization fits into the industry. Taking the time to learn the role will help build trust and allow you to showcase your expertise in a way that is relatable to other major players within the organization.    Building Trust Building trust is essential for teams to be able to together in harmony with the objective of doing what’s best for the organization. This is an ongoing practice that will continue to change and evolve throughout the span of working within an organization.  Get to know your security team, as well as other members of the leadership teams, and the executives. Each individual will have different strengths they bring to the table, knowing those before a crisis makes for an easier working situation when issues arise. Being in the leadership role of a CISO means taking on a lot of responsibility for the team you lead, you’ll have to take the wrap for them when issues come up, and be able to explain to others what went wrong and how it was fixed. Being able to trust and be trusted by your security team is so essential for any CISO, but especially when you’re new and maybe even coming in to clean up a mess from a previous CISO, working on building that trust should rank high on the list of priorities.  Applicable Technology  There is new technology coming out all the time, constantly evolving technology for issues of every kind. From a security standpoint recognizing that the latest and greatest technology is only good if it solves a problem for the organization. Just because it is new and shiny doesn’t mean it can actually be plausible for the organization’s issues and business model.  So really getting into the nitty-gritty details of the organization can really save you from spending a ton of the security budget on technology that may not even be a good fit for the organization. That being said, there are tons of technology options that will be a great fit for the organization, once the knowledge of what the organization actually needs has been established.    Speaking To A Younger You When it comes to giving advice to a younger you when first starting out, Deneen spoke to her advantage by being a constant learner and being able to take in a ton information. Have the confidence to ask the questions you need answers to, don’t be afraid to raise your hand. You can create your own pathways be being self-taught and creating a space for yourself by your own right. The confidence in yourself will take you a long way both professionally and personally, so take the time to invest in yourself.    Being A New CISO There’s no one size fits all model for being a new CISO, but being able to build and gain trust is so key to having these enabling business relationships. Managing the integrity of the organization through trust is what it’s all about.  Resources: Deneen DiFiore: Linkedin United Airlines: Website Steve Moore: Linkedin Exabeam: Website  
5/21/202040 minutes, 41 seconds
Episode Artwork

Recovering from a 'Bad CISO'

Advice To A Younger Self A core truth to being successful is always delivering more than the organization expects. Going above and beyond to find out what is most important to your customers is key. Make the customers reality your reality and work from that viewpoint.  Figure out their definition of value and find your place in that value, then fuse those two points together.    The Previous CISO Failed To Deliver A lot of times a bad CISO isn’t something that happens in a purposeful manner. The organization is growing and evolving and the position needs to be filled. This is common when someone is very good technically and continues to get promotions until they find themselves in a position the do not know how to fill.  It takes more than technical skills to be a successful CISO, it takes leadership skills, strategy, and good communication skills. Those communication skills are key to building trust across multiple departments before a crisis arises. So what if you aren’t aware that the previous CISO wasn’t competent, there are some questions you can ask in the interview process to get answers. For example you could ask questions such as; where does security sit in the organization, what are the communication channels the security team uses, and who does the security talk to within the organization? If you feel like you aren’t getting the answers to these inquiries or you feel you’re being lied to, there is a good chance you’re potentially being hired to clean up a major mess.  Cleaning Up The Pieces Sometimes going back to square one is only approach if the organization was left in absolute shambles. Meet with the CEO as soon as possible to get the entire picture of what all needs to be done. Sometimes one bad manager or one bad director can ruin the entire team and sometimes the entire organization, being able to get in there and identify that quickly and get rid of the dead weight is key to rebuilding the organization. Meet with people to see who is doing what, meet with the executives, then your peers, and then your employees. Build that base knowledge of the company culture and who is there and why they are there. Once you’ve gained this knowledge, use it to show your value to the organization. Show them tangible results that you’ve come in, cleaned house, rebuilt the security structure, and what that is doing for the organization. This builds credibility, which builds trust, gains funding, and gets support.    Marketing The Success So now that you’ve been hired on to clean up a giant mess, and you are starting to see the rebuilding of the security team come together, it’s now time to show some of those successes. Perhaps there were changes that were made that went unnoticed until they were being completely relied on, for example if you set in place the infrastructure to be able to work completely remotely and now that is being utilized, share that with the executives. Create a program to test the holes and weaknesses in the security system and then share the results and also share how you’ve fixed the bugs in the system you found. These tests and programs will not only show your value as CISO to executives, but it will showcase how important each member of your team is and how they contributed to evolving success of the security team. This will build team morale, which directly correlates into better company culture. The board cares about acquisition and retention, so you need to known how to market your program to them to emphasize those key points. Sit down with the executives and find out what their biggest issues are with security, figure out how you can make their lives easier. Building the team around the companies needs is key to prolonged success. Beyond the executives, meet the sales team and find out their needs with the security team. The sales teams are out on the ground speaking with customers all day, so if you can give them...
5/7/202049 minutes, 11 seconds
Episode Artwork

How Do You Measure the Success of Your Cybersecurity Program?

Taking The Jump From Consulting & Advice To A Younger Self With consulting you have the opportunity to work with multiple large companies, which can be an attractive aspect of the job. Working with multiple companies on that scale can introduce you to the latest technology and how it works differently for different companies. That being said, if you want to build a team from the ground up a transition from consulting might be best for you. Also if you’re looking to partner, or gain any ownership in a company, consulting may not be your best bet. Develop relationships while in the consulting position to really feel out where you want to be, and then you’ll already be a familiar face when you’re looking to be hired on at a company.  Participating in networking groups is a great way to meet peers and other relevant connections you may want to utilize in the future. Just making sure that you are prioritizing your time and energy effectively can keep burnout at bay as well, focus on what you really want to achieve and walk down that path. Making these connections and being empathetic about others positions can really help advance your career, try to put yourself in others’ shoes when making these connections.    Tying Success To Business Risk Being able to make an impact with the way you communicate requires empathy. To be an effective communicator you must be able to put yourself in the position of the other higher executives including CEOs, CFOs, and other critical positions. If you cannot relay information to them in a format they relate to, the problem could be a crisis just by the loss of time on trying to communicate.  For some businesses security has always been a priority, yet for many other depending on the industry, security is only now coming to the forefront as a priority. Security teams need support, investment, and visibility. That is where those communication skills come in, present the value of the security team to other executives in a way the will relate to.    Beyond Compliance Having up-to-date certifications and technology will only work in your favor as a security team, but you cannot stop there, certifications alone will not stop negative issues from arising. There needs to be both efficiency and maturity working in tandem. There is compliance, which offers your team a framework to then build upon to meet your specific needs. Compliance does not guarantee that your company is 100% protected against negative events; it is a critical element, although not the only element. Identify what the real risk factors are within your company and view security as an ongoing process. Educate the executive leadership on the independent testing results and findings and how your team has shifted to deal with these real risk factors that are beyond compliance. Being a new and effective CISO means not only being technical, but also in-tune with the current needs of the industry by communicating in an empathetic way.   Resources: Steve Moore: Linkedin Marzena Fuller: Linkedin Exabeam: Website CISCO: Website
4/23/202034 minutes, 25 seconds
Episode Artwork

How Emotional Intelligence Fortifies Capability In the Midst of A Crisis

Building A Relationship With Other Teams The sooner these relationships can be built, the better. Meeting top executives and other team leads during a crisis is less than ideal. Get to know the people that are closer to the consumer, the writers, the social media managers, the sooner this relationship is established the better the partnership is when you need to come together in a crisis. Building those relationships now build trust within the company as a whole.    Where To Begin? Every company is different and stepping into the role of CISO will be different depending on the specific needs of those companies. Asking to be introduced to the executives, team leads, and other specific roles when you are first hired on or even during the interview process can put you on their radar from the beginning. Asking questions to your direct contacts and your direct team is a great way to feel out which individuals you need to meet and in what order.  Generating A Safe Statement Before The Problem Arises The language used in a crisis response as well as the speed of the response are critical components of how the public will perceive the company.  Having pre-written general responses that can essentially be “fill in the blank” templates for a variety of problems can get that statement out as soon as possible. This speed of response can help the company change the narrative of the situation at hand. Adopting this kind of proactive approach will not only build trust between the teams before a crisis, but will change the way consumers view your company.    Early Career Advice Doing research into the companies you’ll be interviewing with can help you find the right workplace that aligns with your personal ethos. Seeking out companies that are known for doing meaningful work, have good workplace morale, and align with you can greatly boost your career drive. Start by defining what is important to you and find companies with similar missions.    Empathy And Care In The Workplace Building a strong workplace culture around your ethos will change the way you view working. Getting to know the lives of your colleagues and showing genuine interest in their well-being can build a web of trust. Carve out time where anyone from your team can come to, have an open door policy for these times and let them come to you for any reason. Building a team with members that have a strong sense of protection that bleeds out into all aspects of their lives are the individuals that are going to push your company forward.    What Being A New CISO Means Being reliable, patient, and having a broad understanding of personal and business acumen. Being able to stand up for your principles and provide servant leadership for those who look to you on a daily basis.    Resources:  Steve Moore: Linkedin Kirsten Davies: Linkedin Exabeam: Website Estee Lauder: Website
4/9/202047 minutes, 36 seconds
Episode Artwork

Strategies for Securing a Remote Workforce

Building Up To A Position Of Power Holding the dual position of CTO/CISO needs to come with a lot of experience and drive. Being able to build the security organization around the needs of the company led to being both the Chief Technology Officer as well as Chief Information Security Officer. Noticing what was interfering with the safety of the company through passive observation has directly played into both roles. Doing research, having conversations, and interacting with other people are all examples of seemingly passive observations.    Advice To A Younger Self A great piece of advice is to not limit your thinking to what technology can be and how it can evolve. Also not limiting how these technological advances can be applied to benefit you and your company. An example such as the invention of virtual doctor appointments is a use of technology many never even considered an option not too long ago. This did pose some security concerns, but the program was able to built around the technology, and the team was prepared for these changes.    Remotely Working Advice In Uncertain Times Some positions such as doctors and nurses do not really have the option to work completely remotely patients need to be seen. But more administrative positions, also support positions absolutely can safely work from home. There are going to be concerns anytime a huge shift in the workday changes. Inside threats can be large or small, something as simple as the employees not getting the work done from home to something larger like medical information being released to the wrong people which is a direct HIPAA violation. Pushing it even further, what if that information was sold for profit by an employee. Identify the threats before they become a major crisis.  When working from home to want to essentially replicate the way work was done on premises. If most meetings were conference calls that can easily be done at home. If meetings were typically done in person around a conference table, use group video chat for these meetings at home. From a leadership standpoint working remotely can bring up unique challenges. Not everyone is as familiar with technology or the software needed to make these connections, so giving the education on the tools used could be a great first step when moving to a remote workforce. Getting everyone on the same technology, making sure teams have the access they need, and making sure that the security isn’t abandoned because of an emergency are all great points to cover upfront. In some cases purchases and upgrades may need to happen before the shift to remote work. Making sure the right purchases are being made for the unique situation the company is in can make or break your budget. Another great piece of advice is to spend the company money as if it were your own. When clients come to you with an example of breach and are worried that it could happen to them, do the research and explain to them the truth. Explain how that breach happened, and stress to them that human error causes more issues than technology failure, and a combination of the two is what leads to the most unfortunate events.    What Being A New CISO Means  Mentorship plays a big role, grooming a member or members of your team so that can confidently replace yourself when the time comes. Security is everywhere in all aspects of our lives, the new CISO needs to be think big picture.  Resources: Steve Moore: Linkedin Martin Littmann: Linkedin Kelsey-Seybold Clinic: Website Exabeam: Website
3/26/202048 minutes, 19 seconds
Episode Artwork

No as a Service: Why Security Can Stifle Innovation and How to Prevent It

Transitioning Into The CISO Role Learning to balance the executive role with the tactical needs of the team can be tricky to balance. Being able to see to the larger picture within both roles can keep you on track and relevant within both places. Remember the roles you’ve had in the past and draw from those experiences and knowledge. Audits are typically not something anyone wants to have on their plate, but there are values in the audits. Audits not only bring an extra set of eyes to your team, but can also point out the areas of weakness that can use some bulking up before there is a major crisis. It can be very proactive to lean in to the audit and partner with the auditor instead of just trying to get through it unscathed.    What Is Lacking In The Security Industry The major points that come to mind when thinking of security might be something like, integrity, confidentiality, availability of data, and protection. But as much as we need to protect we also needs to share, the future of healthcare is being able to safely exchange information, and if it is locked away nothing can be exchanged. Within healthcare security things tend to be more vulnerable, especially for the nurses and caretakers working within hospice care. The have the weight of caring for a patient that is at the end of their life, as a security executive the last thing you want to do is make that caretaker’s jobs more difficult. To be able to put yourself in that caretaker’s position and be able to see what their user experience is like can be pivotal to how your base your security team and program. Take a step back and remember what you’re trying to protect in the first places, behind each client is a real person.    Designing Solutions For Real Threats There are many different security strategies for different types of needs. Some companies needs full steam ahead all the time, but many need a different type of solution. Before you build a program that just looks good on paper, get in there and really analyze what the threats and weaknesses are. After those points have been identified then move on to the next steps of building the program around the actual threats. An example of this is knowing how to use automation within your specific needs within the company. Identifying what can safely be automated before just jumping in with all the new automation tools will help everyone involved. Get to know your team; what is the most tedious part of their job is, identify their largest stressor, and what they believe can be automated. Being a CISO means breaking down all the barriers and having the power to show a more practical approach to security and how being able to provide help can influence drastic changes in the way information is protected.  Resources: Steve Moore: Linkedin Richard Kaufman: Linkedin Exabeam: Website Amedisys: Website
3/12/202045 minutes, 3 seconds
Episode Artwork

Losing Your Job as a CISO: Does the Cybersecurity Skills Shortage Extend to Executives?

The Day You Lose Your Job Losing your job to many can come as a complete shock, maybe even more so when you’re in a position of power such as an executive role.  There are many extra steps when leaving a security executive position, sometimes you have to hand over your phone, computer, tablets for security purposes, and if you used this for personal use as well, you could lose a lot of valuable files and information.  Sometimes you don’t even get a clear picture of why you are being let go, and that can make it difficult to correct that behavior in the future.    What Could Have Been Done Differently  Everyone brings their own unique backgrounds into the workplace, a lot of times that experience can work in your favor, but in some cases it may work against you. In Chris’ case he a military veteran and has had a hard time shaking his military exterior. In any position communication is key and there is always room for improvement, check yourself and make sure you’re communicating effectively. Even going as far back as the interview process communication is so important, maybe the right questions weren’t asked and it potentially wasn’t a great from the beginning.    Moving Forward The application process can be exhaustive and often discouraging. When in executive positions this can exasperate the process, especially after being fired. You need to know your limitations when applying for new positions. Are you willing to relocate? Are you willing to take on a different position from CISO? Know the answers to these questions before diving in headfirst.  Self-reflection is key in moving on from the experience too, know your weaknesses, identify them and correct the problems. This may even mean getting new certifications, which will look excellent when added to your resume. Don’t give up, keep fighting, develop these relationships, and get yourself back in the game.  Maintaining Relationships In business it’s easy to keep people at arm’s length for professional reasons, but that can also be seen as off-putting to your colleagues. It is beneficial for you to have good professional relationships; you will need references in the future. Creating these relationships make for a better workplace and confidence moving forward. Create your team around you whether they are within the company, a vendor, or someone in the same professional sphere as you.  You never know how far a little empathy and kindness can go.  Resources: Steve Moore: Linkedin Chris Wolski: Linkedin Exabeam: Website
2/27/202044 minutes, 12 seconds
Episode Artwork

Your First 90 Days As A New CISO

Initial Worries & New Challenges Going from consulting into a leadership position requires you to take on a new level of responsibility. You take that leap of having more permanence in the position but also now having to lead a team of other security professionals. Olivia also was in the unique position of not only being a new CISO but also the first CISO at MailChimp. This unique position came with high expectations but also a rewarding sense of accomplishment when goals are being reached. Some of the challenges can include completely changing the opinions and workload of your colleagues; this position is brand new and may not be received well at first. Remaining professional and listening to needs and concerns of others can build trust when you’re new in the workplace. It can be easy to go into a new position and be a bit over zealous, you’re new, you want to impress the company, just be able to rein it in as to not step on any toes and burn any bridges right out of the gate.  It is very important to gain trust when starting out at a new company in a new position.    Gaining Trust As A New CISO Coming on too strong in a new position can be off-putting to your colleagues. It is essential that you are able to sit down with your peers and learn how to communicate and connect to your team. Make yourself available to get to know your team, be humble in your approach. Showing loyalty to those you work closely with can build trust quickly, be transparent, be authentic with them. Showing vulnerability and being able to admit when your wrong adds humility into professional relationships which can make the workplace much more comfortable. Stand up for your team as well, you are now in a leadership position as a CISO and have a whole team of people that now look to you for support. Being there for them and staying strong in your stance as a leader will build trust within your team.    Early Wins In The First 90 Days Have meetings early on to establish what is important within the security team and why this team is essential, get feedback on your research and then share it. Establish relationships with others outside of the security team, being able to work closely with other leadership positions can make for a strong driving force within the company as a whole. You do not want to get stuck in the position of having to make a point in the midst of a crisis, get these relationships established first.    Resources: Steve Moore: Linkedin Olivia Rose: Linkedin Gary Hayslip: Linkedin Exabeam: Website MailChimp: Website
2/13/202049 minutes, 44 seconds
Episode Artwork

From the 'Basement' to the Board: Giving Cybersecurity Teams Greater Visibility

Advice To A Younger Self, Before Becoming A CISO Perfectionism can hinder the natural learning experience. As someone fresh in their career it can be hard to not want to be perfect, there are expectations to be met. Yet making mistakes and learning from them is real job experience. Don’t be afraid to take risks and fail, you’ll learn from your mistakes. Being new in your career can feel isolating, vulnerable, and flat out scary. It is okay to make mistakes, just learn from them    Gender In The Workplace Sometimes being the only woman in the class or the office can work to your advantage. Being able to provide that thought diversity can really work well for women in the workplace. Having a fresh perspective and ideas brings a well-rounded view to task at hand. Use your unique position to your advantage. As a leader you should be building a diverse, inclusive team.    Technical Expertise, Necessary Or Not Having a baseline technical knowledge will absolutely never hurt you in a cyber security career. That being said, a mix of technical knowledge and business understanding is the sweet spot for problem solving. As a CISO being able to partner with others, even other teams is pivotal to fast, effective, problem solving. Having a good knowledge of both will be most beneficial because you have a general knowledge of both the business side and the technical side. There are many ways to define the actual role of a CISO, and they will all depend on the specific company. CISOs wear a lot of hats for a lot of different companies, and they may completely differ based on the company. Yet with the new regulations rolling out around cyber security this could change soon and become more streamlined.    Company Organization And Security Burial  One of the most frustrating aspects of looking for a job in the cyber security filed can be the company organization. We are constantly bombarded with news of security and data breaches, yet some companies have their security team basically buried under other, potentially less essential teams. With the rise of data breaches and data hacking, you want to work for a company that values all you bring to the table, because this is an uphill battle when it comes to cyber security. Being valued too low in the organization can lead to internal conflict. Being able to report not only actual issues, but also the risks before it gets to the critical breaking point.    Reporting Risks In A Proactive Manner There are tons of risks with any company, being able to identify the risks before they are problems and create solutions around the specific issues at hand can save you from major issues in the future. Analyzing user behavior and seeing how negligent or risky a specific set of people are and creating solutions around that is going to really resonate with executives because it nips the problem before it becomes a problem. Talking about how the team is enabled to handle threats is another big one. Looking at the numbers of threats, seeing what could be automated, and what an analyst needed to follow up as well. Automation saves time, money, and keeps history from repeating itself.    Psychology And User Behavior  Having contextual training is so important. There are many certifications that security teams get year after year, but they have almost no impact. If the training isn’t directly relevant to the company and even the specific team there will be no impact, or even a negative impact. Prevention is key, so have the relevant training and technology, look at programs and make sure that security is built into the programs already in place. If that isn’t what is happening, then something needs to change, the programs need to be cleaned up and modernized to the potential risks surrounding it. This training will be used not just in the workplace but the teams will take this home and use it in their...
1/31/202045 minutes, 56 seconds
Episode Artwork

Lessons in Leadership: Taking a Step back and Learning to Trust the Experts on Your Team.mp3

Transitioning Into CISO And The Initial Challenges Becoming the head of any department, and having all that responsibility on you can be very intimidating at first. Going from more behind the scenes to front and center can be uncomfortable, but reflect back on all your experience and let that guide your decision-making. Delegation is important in leadership roles, so get the team together and put your minds together to build a great security team. Identify the top priorities for your position, focus on those, and identify what can be delegated.    Mentorship Advice To A Younger Self When you are able to put yourself in other’s shoes, you can understand their motivations and how to work well within their realm. Understanding people and their professional wants and needs can make for lasting and reliable partnerships. Being transparent with your needs can many times lead to seeing you have similar professional goals, now that both parties see the end goal they can now work together much more smoothly.  Building trust with other members of the organization before an issue arises can also make solving these issues much less intimidating in the future when something does come up that requires their attention.   Collecting Feedback & Continuing Improvement The security industry is constantly in flux, so the need for continuing improvement is pivotal to the success.  Have a conversation about the constraints your team is working within. Look outside your direct colleagues, outside of your team, go to other departments and ask them the same questions you ask your team. Having a fresh set of eyes on an issue at hand can lead to progressive solutions that may have been overlooked by those directly working within security.  Moving specific test from manual to automation based can free up time and capital that may need to be invested in another area of security. The frequency of security patching may need to change, as well as the speed of the testing process. The feedback events can be so helpful, getting the organization together to solve the issues being faced. Going into these events there needs to be a focus on the problems that need solving, look to the experts in these areas, and having these conversations in-person, and if possible hosted by an outside unbiased party.    Celebrating Success Security teams face a plethora of issues and problems constantly. This is a taxing industry that takes dedication and focus to be successful in. So when there is success we need to all be better at celebrating it. Giving credit where it’s due, having conversations about the successful methods used to achieve this success, and keeping team morale high can make for a more pleasant work experience.  Resources & Links: Steve Moore: Linkedin Steve Person: Linkedin Exabeam: Website Cambia Health Solutions: Website Speed Of Trust Book: Website
1/17/202050 minutes, 55 seconds
Episode Artwork

Why 3rd Party Security Testing is the New Password Rotation

  Identifying Burnout In The Workplace Burnout is a common occurrence in any industry, but especially among those looking to carve out their place in the industry. No one works well when they aren’t at their best, identifying burnout early on can stop it in its tracks. If you’re noticing someone is acting out of character or being short, they may be experiencing burnout. Another tell can be the hours you’re seeing someone put in, no one should be up at midnight still working.    Advice To A Younger You Networking can get you to great places, starting early in your career can really put you where you want to be a few years down the road. Don’t be shy, get out there and meet people within the industry. Network both inside and outside of the company you’re a part of.    Transitioning Into Leadership Not everyone is cutout for management. When taking a leadership role you need to be able to prioritize your team and realize you’re directly responsible for those who work with you. To be a good leader you have to take all the knowledge you’ve learned up to this point and be able to teach it to others in a way that makes sense to each individual. Empathy plays a huge role in leadership, you must be able to put yourself in the position of others and understand their point of view. Being open to feedback and being able to take it with an open mind is essential in leadership; it’s going to come both solicited and non-solicited.   Third Party Risks And Why We Don’t Love It What is third party risk? It’s when a company brings in another company to handle a certain project or service. Within security this plays a huge risk because you’re essentially giving this other company access or information to the inner workings of your company. From a security standpoint this is a huge risk and variable, so doing thorough and meticulous research into the companies brought is key. This can ruffle some feathers with the third party, but at the end of the day you’re in charge of security so you need to fulfill your duties to the company you’re employed with. The real issue arises when you’ve done the research, and don’t feel that the third party is a good match for the company, yet leadership above you wants to move forward regardless. The CISO is now tasked with trying to figure out how they can make this work with the third party, whether that means changing language within the contract, adjusting the work the third party is doing, or reworking how you present your findings to leadership above you.    Warning Signs Of A Bad Third Party Review How many exceptions are you making to be able to work with this vendor? Does it seem it like some rules are being bent? Policies and procedures aren’t being followed? These are all huge warning signs.  Another warning sign is an across the board process for each new vendor, this isn’t the most effective way to lower risks, and this can lower sales and revenue. Some vendors will be more risky then others, so there should be separate policies for different companies based on their risks.    What Being A New CISO Means To Me Building relationships while being honest and transparent is key to being a CISO. If we all viewed ourselves as a vendor and service provider we could all get the tasks at hand done.  Also be on the lookout for my book being released in summer 2020: Startup Secure Banking In Cybersecurity, From Founding To Exit   Resources: Steve Moore: Linkedin Chris Castaldo: Linkedin Exabeam: Website Dataminr: Website
12/30/201950 minutes, 12 seconds
Episode Artwork

Unique Challenges, but More Opportunities for Women in Cybersecurity

Marketing In Relation To Security Marketing is all about getting a certain message to the right audience. A background in this field can be a great way to transition into other positions including the CISO. Being able to take a look at the bigger picture and then funnel that picture down to solve the problem at hand can be aided with a marketing approach.    Advice To Those Just Starting Out  Being new in an industry can be isolating by itself alone, but being female in a male dominated industry can emphasize that isolation. Being able to feel comfortable in your individuality will help anyone in any position. Also being gentler with yourself as a person, and attempting to enjoy the path you’re on can provide you with a higher sense of self-worth.      Being The Only Woman In The Meeting Speaking in general terms men tend to be more direct and interact differently within their own gender. Being the only woman there you have to adapt, speaking more directly, and bluntly for example. This being said the same would be true of a man working in a female dominated industry, adapting to the culture of the industry will set you apart. Having the proper certification and licenses can set you apart as well, it is unfortunate that the business culture is this way, but it will prove on paper that you are capable and have the skillset to demand respect in the industry. Being prepared and researching beforehand is key to success as well, spend a little extra time researching your client.    Why Women Are Encouraged To Pursue A Career In Security Women are highly detail-oriented which is huge in the realm of security, yet a common misconception of security is that it is a technical only position. Technical has a place in security, but that isn’t the only aspect of the industry. Being able to communicate, see the bigger picture, work within a team, and cooperate with the company are other aspects within the security field that women can strive in whether being a technical person or not.    Friendly Advice To Men In The Workplace In meeting be an active listener, do not interrupt women, do not repeat their ideas and state them as your own. Women who have children also have different life pressures, but when you schedule a happy hour meeting that almost immediately excludes the women on your team with children. Having lunch meetings are a great way to keep the whole team involved and at the table. Having meeting over a round of golf is fairly typical, but don’t exclude the women on your team, the conscience of who your team is and how to involve everyone in the productivity in the workplace. Keep it equal, don’t interrupt, and be aware of how you are interacting.  Women want to be treated like equals, women don’t want to be separated by gender in their industry.    Advice To Women In The Security Industry You are going to face adversity, harassment, isolation, and many other challenges when you are the minority in the industry. It is not going to be easy, you are definitely going to have to put the work in. That being said, the higher you climb the less of a minority you are. So stay focused, toughen up, and climb the latter.  Resources:  Steve Moore: Linkedin Olivia Rose: Linkedin Exabeam: Website MailChimp: Website
12/13/201947 minutes, 13 seconds
Episode Artwork

2020 Cyber Security Trends

The Slow Evolution Of The CISO The role of the CISO is changing but maybe not at the preferable speed. The role has been changing throughout the existence of the CISO from a small technical role to an IT position, to a role that is more demanding than ever. It is becoming a much more executive role than in the past.    Connecting The Changing CISO Position To The Business Needs To understand the business needs, as the CISO the business needs to understand you, and your role with the company. Paint a clear picture to the executives and stakeholders on your scope of practice. How these higher positions see you is pivotal in fitting the role with the business functions. Don’t be afraid to ask for help outside of your department for a fresh perspective, let them help-you-help-them. Within the security industry things are moving fast, and they are moving towards digitalization, date, and technology. Many titles are changing within the workplace but the core responsibilities are remaining the same, but with more specific points of interest.    Automation And The Impact On The CISO There are so many micro-services and technology improvement products coming onto the market all the time, all this automation really changes the way the CISO has to create their system structure. Being able to have a solid security design and mission can allow for these smaller pieces to fit into the CISO puzzle. Automation is the future of technology and having a position or perhaps even a team to focus on automation is ideal for any large business with a security team. If the automation isn’t being done correctly or the wrong things are being automated it’s useless. If you are spending a ton of time fixing your automation mistakes, it isn’t being adequately placed for the issues at hand.    Taking A Look At The Risks Within Building a strong, coherent, and trustworthy team is just as important as the technology used to keep outside attackers away. Educating your team on what is personal property and what is a security risk is crucial. Insider attacks are becoming more and more prevalent in the security industry. Some of these incidents are done with innocent intentions and are just based on negligent naiveté, and aren’t malicious, but some are and having the understanding between security, HR, and management is critical in how these issues are dealt with.  Each department has its own purpose within the organization and when they all work together it makes for a well-oiled machine. As a security officer there are some pieces of information that cannot be shared with other departments. It’s your position as the CISO to do something if you see something that is negatively impacting the security. As an executive officer it is your responsibility to take these security breach actions in your own hands.    Potential 2020 Trends Doing more with less is trending in cybersecurity, retaining the same size team but having more responsibility with that team. Getting creative in problem solving when the resources aren’t available can prove the real value of your team to the organization. Using fresh perspective ideas when the team is small and resources are limited can really show you what you and your team are capable of.    Resources:  Steve Moore Linkedin Brian Haugli Linkedin Scott Morris Linkedin Exabeam Website Side Channel Website
11/26/201953 minutes, 19 seconds
Episode Artwork

Partnering with Higher Education to Prepare Students for a Career in Cybersecurity

Partnering with Higher Education to Prepare Students for a Career in Cybersecurity Being associated with an advisory committee gives you a lot of freedom to really create the programs a future CISO needs to be hirable right out of school. The committee is able to see what classes need to be added to the curriculum, or if more classes aren’t plausible seminars are always an option. By being part of a larger advisory committee you can brainstorm with members from different industries and create an entire program from what you learn works in other industries.     The Biggest Issues With Being Hired Right Out Of School  Education is huge when it comes to being prepared for a job. Years of dedicated study and focus should not be taken lightly.  However, some aspects of the job that can’t be taught from a lesson plan, you just have to get out there in the industry. There are certifications that can be obtained after graduating, but real life experience is irreplaceable.  Internships, and job shadowing are great ways to get that experience while still completing your education.     Advice To A Young CISO  Don’t be afraid to take risks, get out there and align yourself with the right people. Go get that certification, ask to be mentored by someone you admire, learn from those who are ready to help. Don’t live too cautiously with your career, you can always build yourself back up.     Finding A Mentor Or Mentee  There are many ways to find a mentor in the age of technology. There may be someone within your company that can mentor you, but don’t limit yourself to that. Linkedin is a great resource for finding a mentor. You can also look at other companies with in your industry. On finding a mentee, just be open to teaching someone what you know about the industry, they may end up being an employee of your company in the future.     The Importance Of Presenting Your Knowledge  Being able to get up there and show your knowledge within the industry is so important. When you get to show what all you’ve been working for and get feedback from your peers on the subject, you really put yourself out there in a unique way. It can be very gratifying to share your knowledge and experience with others, whether you are speaking about problems or solutions.     Redundancy Within The Industry   There are many point solutions that don’t let us get to the root of the problem quickly. For a solution product to be effective there needs to be better communication between the product producers and the CISO so the products will remain relevant within the industry. If there are too many programs trying to get the same result, you know you have an efficiency problem and it’s time re-evaluate.     Discovering The Big Picture   Having a real and candid conversation about what you need to do your job effectively is very helpful. For a product to work effectively the producers need to know who is using it and why. Invest in products that have teams who are willing to learn about your specific pain points and needs as a CISO.  There needs to be more consultation between the CISO and VAR.     What Being A New CISO Means To Marc  It has evolved so much over the years; the CISO has a bigger responsibility than ever before. There are so many ways the CISO is being pulled in their modern environment that a serious hands-on approach is necessary. Understanding business, your peers, and technical enough to understand the scope of the entire company are key elements in being a modern CISO.     Resources:  Steve Moore: Linkedin  Marc Crudgington: Linkedin ...
11/13/201952 minutes, 52 seconds
Episode Artwork

Assessing Security Reporting Structures

Moving From Consultant to CISO  As a consultant you gain a lot of work experience very quickly, because you are working with a lot of clients on many issues. Seeing the transition from consultant to CISO is fairly common. As a consultant you don’t get to see the changes you’ve made grow over time, you only see the short-term effects and move on. If the decision is made to leave consulting and sign on full-time with one company as CISO, you see how everything you do evolves overtime, and are able to put all of your focus into one place.    Advice To Younger Consultants And Future CISOs  In every professional career there is a desire to succeed, sometimes we make ourselves crazy trying to get there. Knowing when to ask the right questions to clients is so important, they might not even know what they need and by steering the conversation with questions we can all get the desired outcome we are looking for. Having a clear perspective on what they actually are looking for can help you to deliver an appropriate result, while keeping you work load balanced.     Security Reporting Structures  Every company and organization is different; there is no golden rule of reporting when it comes to security. By understanding the dynamics of the organization you can get a clearer picture as to reporting. As a CISO reporting too low of the chain of command can cause problems, as well as reporting too high with someone who doesn’t understand the risks you are reporting. Get to know the dynamics and see how every part works together to better help you report.       Evaluating A Problem At A New Workplace  Coming into a new place of work you have to learn how the organization functions quickly. Watch closely to understand how the different departments work internally and with each other. When a problem arises and you have this knowledge you will be able to effectively report to right place, at the right time. Doing the right thing for the organization as a whole is always better than doing what is best for one single department.     Frequency Of Reporting  Normal information that doesn’t include a severe incident is typically looked over monthly, and again quarterly. For standard incidents doing monthly reports about what goals were achieved, what is projected to happen, and how it is going to be handled is common and those monthly reports will be revisited in quarterly reports. If there is a severe problem or incident that needs to be handled in real time, don’t risk a small issue becoming a huge one by not reporting.     Identifying Warning Signs And Red Flags  The security of information effects everyone in the organization, if you are speaking with a leader of an organization and you realize that there is no involvement of other departments in security that should be viewed as a red flag. All departments can weigh in on security, it’s important to have multiple perspectives on an issue. Security also needs to have a separate budget, it should never be a line item on the IT budget, and you don’t want to work for a place that invest in the security of the organization. Being able to speak with CEOs about the needs of the security team is very important, if they are unwilling to learn and listen about your expertise, that is a major red flag.     Lenny Defines Being The New CISO  It has always been about lifelong learning, being able to grow and develop. It’s good to constantly grow and evolve, challenge yourself professionally.     Resources:  Exabeam Website  Steve Moore Linkedin  Lenny Levy <a href="http://www.linkedin.com/in/lennylevy/" target="_blank"...
10/25/201931 minutes, 33 seconds
Episode Artwork

Digital Trust For Digital Transformation

The Basics Of Being A Global CISO  The various pillars include security, which is, operations, corporate, product, customer, production, and automation.  It also includes compliance, undergoing audits and certifications throughout each year. You need to maintain trust between platforms, products, and customers. Quality management, data protection, privacy principals, customer advocacy, risk and assurance, are also major pieces of the CISO puzzle.     How Lakshmi Got Where Is Today  Lakshmi built herself up over the past 24 years with a vast background of experience. She’s been in the information risk-management/security field for a long time and has developed her view of the position over that time. Beginning as a security engineer, she has elevated her career to where it is today.     Empathy In The Professional Realm  Lakshmi has worn many hats in her long career, which lets her understand where her colleagues are coming from. She is able to put herself in their shoes, because she has been there. This has created an empathetic environment around her work and lets her effectively communicate with others. As a child she developed a strong sense of empathy, which wasn’t lost as an adult, she has kept this with her and was able to incorporate this mindset in her professional life. Being in the business of trust, empathy goes along way to gaining that trust you need to provide the work for your clients and colleagues.     What Is The Trust Office?  The Trust Office is comprised of all the teams working with Lakshmi; she is the head of this office at Box. Trust is the key to any and every aspect of her position. The mission statement of this office is protect the Box brand with secure products, secure operations, and continued compliance. She believes that seeing through a lens of trust leads to a less fragmented and more cohesive view of how to engage, invest, converse, and prioritize around risks.     The Cloud And How Customers Are Confused  No cloud provider comes without risks involved, the customer needs to weigh the risks involved between the platforms they are researching. If all platforms were more transparent with their customers, some of this confusion could be alleviated. Customers are also entering into a partnership with their provider, both playing their own unique roles in this relationship. The takeaway; understand the risks and understand that this is a partnership.     Recognizing Red Flags  It is very important to understand your own risk appetite before getting too deep with any platform, have the conversations with your team to be able to pinpoint what will and will not be acceptable to the company. Secondly, understanding what the actual risks are. If you aren’t getting the level of transparency you’re looking for with that platform, this probably shouldn’t end in a partnership. Another important aspect to consider is mutual understanding, the platform should understand how and why you going to be using their product. There should be open dialogue about what both parties need from each other beforehand.     The Concept Of Zero Touch Defined  This can be explained by looking into the three different layers. RPA or rapid process automation, the most basic layer, the next layer up is ML or machine learning, followed by AI or augmented intelligence. These are the three phases a customer could be in on their way to zero touch. By utilizing this concept, and minimizing human intervention a company can retain their manpower to focus on strategy and more proactive work. This is also beneficial for the customer by saving time, remaining consistent, keeping manual errors at a lower rate, and a general better user experience.       Understanding The Risks Security Teams Face In The Era Of Cloud Services  The...
10/11/201959 minutes, 48 seconds
Episode Artwork

Securing a Cybersecurity Organization

Securing a Cybersecurity Organization Chief Information Security Officer of Netskope, Lamont Orange, talks with Steve Moore about the unique differences between working as a CISO for a private company versus doing it on the vendor side of things; securing a cyber security organization.  As cyber security becomes entrenched in the business cycle, other business functions have expanded their interactions with security teams. That said, the understanding of what a CISO does hasn't always followed the same trajectory. How do we as security professionals, help our organizations interact with our security teams and help them understand the role we play in an increasingly at risk world?     The major difference between being a CISO for a vendor vs private organization  Working for a vendor, you have a direct line into change and solving the problems that really need to be solved.   Working with a private organization, it's everybody's opinion and no one knows really what you're talking about.   Lamont encourages everyone to spend time in both worlds because when you're working for a company, you're in a particular vertical so you have ground floor opportunity to understand all the challenges, whether they're business challenges, technology challenges, people challenges, you really get to understand the industry in which you're working and serving some of that.     How did Lamont get his start?  He has had the opportunity of serving in a consulting capacity to organizations. That gave him more of that, that multi vertical multi industry perspective. Lamont wanted to give back and go to an organization where he got to grow something from the ground up, watch it grow and watch it be something really valuable and a differentiator to the business.  He also wanted to see what the opportunities were on the vendor side because it seemed very intriguing and an opportunity was presented. What he found is that the language barrier is gone. The challenge then became to take all of that industry expertise and all of that business knowledge and apply it to a way where he can lead the vendor side.  When you're on the vendor and product side, you get to effect masses of companies. You get to interact with so many different thought leaders and coaches. You get to make the industry better from the solutions and tools perspective that we have to offer. But you're also growing people’s careers at the same time discussing the path that you've gone through.  Find opportunities to speak. There's just so much goodness in it that helps you grow as a professional also. There are so many lives that you can touch from a career perspective and making a difference and how we deal with our adversaries.     Figuring out how to share in the security community  When you look at our adversaries, they're definitely sharing. They talk about the latest way they use and abuse. We need to do some of the same thing. “This is what was effective with this particular adversary.” “This was what was effective in this particular vertical because this is how we do business and this is what's effective”. Those types of conversations are priceless and we need to figure out a way to have more of them.       What is change management?  There'll be changes in infrastructure. There'll be changes in operating model and there's a board that we have to go through to get the changes approved.  We implement those changes. If we start going back to fundamentals and what's happening in cybersecurity, what's happening with the role of the CISO and the CSO and all the technology players, we are back to the basic definition of change management. Not only do we have to adapt to change, we have to embrace it for what it brings.  We have to look forward to what the positives are with this change. We have to demonstrate to others why this change was either good or is not the...
9/26/201942 minutes, 15 seconds
Episode Artwork

Understanding the Adversary

Understanding the Adversary Mick Jenkins, Chief Information Security Officer at Brunel University & a former Counter Terrorism officer in the British Armed Forces speaks with Steve Moore about the ideological similarities between defending against terrorists versus cyber criminals, the benefits of mentorship throughout your career in security, and the re-emergence of Soviet era espionage techniques. Building a career in security can be a challenge, even for those of us who start off early. For some however, the job can be a natural progression from her Majesty's armed forces to helping secure the 2012 Olympics and ultimately becoming a CISO. So how do you channel these unique experiences into something that will withstand the diverse threats organizations face today?   Who is Mick Jenkins? My career & professional involvements these days are in cybersecurity and sort of lie in the world I exist in as a non-executive director. At the moment I do all sorts of different things on the computer in terms of dealing with investigations, dealing with IT directors, and current strategies. I signed up & started working in her majesty's armed forces when I was sixteen and a half years old. I certainly never expected to end up as a CISO dealing with strategic cyber security because my life began as a soldier in the British Army.   Working with a Mentor During the Transformation Process I think you and I are both very keen on spotting & identifying the leaders of tomorrow and investing in them. And I think this is particularly important because as we know, over the next 5-10 years, the cyber world is going to need the best of leaders to support boards and deliver strategies that are coherent.  For me having had such wonderful careers, I want to be able to pay some of that back to younger men & ladies. These are people who have the talent to go all the way to the top of the cyber tree as CISOs or strategic leaders both in government and the private sector. Luckily I'm connected with a number of people and different organizations here in the UK, and one of the wonderful ones is a small company taking veterans, who have done something like 22 years or more in service in the military. These are very loyal servants, very disciplined, very capable, and quick learners. The organization takes them out of the forces and retrains them as cyber specialists, cyber analysts, or information security managers, and then places them in industries. It has been very important and key for me that I try to help people who've got the talent. And just like in the military, it's all about thought and actual leadership. It’s about leading by example, having good strategic foresights and acting as a mentor or coach. At the moment I have 2 individuals who are much younger than me who I believe have got the talent. I’m earmarking them for the right career progression over the course of 5-10 years and trying to make sure that they do progress all the way to the top of the cyber tree. I was lucky as my mentor used to take me for lunch quite often every 2-3 months. And he would ask, ‘Are you in the right job here?’, ‘Is there anything I can do?’, ‘Tell me about this company you're working for’, ‘I really think you need to be doing this and this next.’ I had that for the 15 years I had in both the military and in my ultimate career in cyber security. And so I think mentorship and identifying good talent is something we owe ourselves for the future, which is something I particularly enjoy doing.   Mick’s Advice for the Transformation Process As I look back at my career, one thing about me is that I was always striving to achieve excellence and be honest in whatever I was asked to do or serve in her Majesty's service. And I think many of us in the professional armed forces do strive for sheer excellence. And if you've got that kind of psyche to achieve...
9/10/201940 minutes, 55 seconds
Episode Artwork

Contributing to the Cybersecurity Community

Contributing to the Cybersecurity Community Scott Morris, Vice President, Chief Information Security Officer at BlueCross BlueShield Western New York sits down to talk to Steve Moore about how to be active on cybersecurity communities. They  talk about how to encourage young security professionals to find their voice, and the importance of sharing information as a means of strengthening the industry as a whole.   What Advice Would You Have for Your Younger Self? I'm not one to really hold regrets or look back at the past, but I would say I've always pursued the uncomfortable things. I always try to find things to solve or problems I could help with, which is how I got around in the day. So always challenge yourself and make sure that you always make the right choices. I would tell my younger self to continue pushing.   What Was Your Actual Start in InfoSec? My starting point was in information technology, more importantly in web development. I used to be a web developer by trade & quickly came to understand the risks involved in that. I continued to grow in my information security knowledge & experience, and for a while I was an expert in my former organization. And then I grew from there with a keen desire to know as much as I can and to help as much as I can in information security. Through observation & conversation, Steve Moore has come to realize that some of the best people in InfoSec didn't actually start off in it. You kind of have to learn to build and create things and ultimately break them before you can know how to defend and protect them. And this is a great foundation As I look back on my career, I recently realized that even from the early days and in previous organizations, I've never actually applied for a position; I've always somewhat in a way created the position. And I did that by finding areas or things that needed to be solved or fixed and made better. In my current organization for example, we had an issue where we were having problems passing or being consistently good in our external audits. I took that on and turned it around, and through that exposure in a very diverse organization, I was able to start piecing together some of the things we needed to get where we are today and build the successful security program we have in place.   Any Tips for Someone Getting Ready to Do What You've Done? The answer is something I tell all of my team members today. For the most part, what we do is not something we're responsible for and we can successfully build respect and great relationships. You need to understand your controllers and the people responsible for these processes and functions and build a relationship with them to help move things forward.   How Did You Get Involved in Security Communities? At my previous role, I worked for a large consulting company and I had a very large community. But I realized that I needed to have more exposure outside of that. So I started turning to people and organizations locally around here. But there weren’t security communities back then; there were more technology communities. So getting involved with technology organizations was my entry point. I was hooked immediately and continued to grow & expand to where I am today.   What Do You Think is the Responsibility of Security Leaders? As a leader, I think it's really important to set an example. I try to do the best I can by participating in these communities in various ways by not only attending it but by being a part of it, being an action and a voice within these communities, and by bringing my teams along and the people that are in this space. As leaders we have a responsibility to continue driving that. In Buffalo we are a pretty small community and we leverage those conduits and forms to continue to grow and vet out what we're doing. So lead by example, participate and the...
8/27/201934 minutes, 2 seconds
Episode Artwork

Does Security Training Really Work?

Does Security Training Really Work? David Tyburski, Chief Information Security Officer at Wynn Resort sits down to talk to Steve Moore about security training, specifically phishing training. He shares his thoughts on the idea of training vs education, positive vs negative reinforcement, and offers suggestions for engaging with employees.   David Tyburski’s Current Role I'm currently the global CISO for Wynn Resort, a casino in the north end strip in Las Vegas. About 9 years ago, Wynn put a directive to have a more dedicated security focus in on the environment in the organization. They basically handed it to me and for the last nine and a half years I have run this organization building it from just me to the organization it is today, managing all their properties & operations worldwide.   What Advice Would You Give Your Younger Self? One thing I would say is to be a little more attentive to the tool-set you bring, because we did a lot of false starts along the way as far as buying tools. If we'd spent a little more time evaluating where we could really use them, we would have been in a better position in the early days. And we do that today by ensuring we have good proper use of cases for every tool that we bring. Also, I'd tell my younger self to spend more time on the use case to know how to use it instead of just going to get it. Understand not just the reason why you want it, but how you will use it and what you expect from it.   What Bothers You About Phishing Training? It's not necessarily all phishing training, but what bothers me is that we're attempting to teach non-security professionals to be security professionals. They have backgrounds that are varied from us, they don't spend their time looking at security incidences or reading on security articles, but they're extremely talented people in other ways. They do an amazing job at what they do. But we as security professionals try to teach them that they've got to know what we know. So I think security professionals need to do a better job of understanding their role in the business, and building a technology solution around that instead of trying to get them to understand their business. Training vs Education There's a major difference between training & education. Wynn is an education program, because we're not training people but educating them. We want to give them the security knowledge and information they need for their organizations. We're educating people, trying to give them knowledge and not just teaching them the steps to accomplish something. We have to be able to transfer knowledge, and that's an education program. We have a continuous education program. We break up the topics and put them into small easy to digest chunks and we continuously run a new topic every week. It's timely and we do everything we can to relate it to everyday life. People are like water and will always try to take the path of least resistance. So in that light, if we can make our security program and educate our people in the right way, that the security of the organization is the path of least resistance, then it's no longer security fighting the rest of the business but security enabling the entire business to operate.   Should Information Security Be More Aggressive with Email Attachments? For an HR person whose job is recruiting, he needs to open the resumes he receives as attachments to emails. So how does information security help or enable that process and allow the person do the job safely? One way we can do this is to intercept the email, pull the attachment out, and re-write it in our own PDF where we turn off all the problematic ability and take out any possibility of weaponization, restrict what that PDF can do and look like, bundle it up and put it back in the email and send it off to the recipient. Now we won’t...
8/13/201931 minutes, 21 seconds
Episode Artwork

Winning Over the Board

Building an Effective Relationship with a Board Colin Anderson, Chief Information Security Officer at Levi Strauss & Co sits down with Steve Moore to talk about interacting and building an effective relationship with an organization’s board, managing expectations and sharing narratives that resonate, the makeup of a board meeting, and the different personalities associated with it.    What the CISO & a Board Have in Common The CISO and the board share something in common, which is to manage risk and make the business successful. However, the CISO has to earn the board's trust even when it's well established that he is the security subject matter expert.    Successful relationships must be nurtured, and this one is no different. Each board member comes to the table with a different point of view, background, expectations, and personality. Getting to know the board and how to best communicate with them is one of the CISO's top priorities.   Advice to a Younger Self The first rule is to know your board, because every board is different. Some are savvy & cyber aware while others have little technology & security exposure. You need to do your homework to better understand your board members' areas of expertise and experience. You want to know if any of them have had a security incidence or breach in the past, and if they have a deep understanding of security.   Another important question to ask yourself is whether you know any security leaders that have worked with some of your board members.    It's also important to know your narrative; what's the plan for your security function, how do you measure progress, and how best do you communicate and earn the trust and support from that board? I've seen a lot of leaders present in front of board committees and the most common mistake I see is the presenter not being prepared for that board audience. The presenter knows his stuff but he fails in communicating it in a way that earns the board's trust & confidence.    That story-telling skill is very important because your board is going to remember the narrative you tell them. They may resonate with the statistics you put in front of them temporarily, but a few months down the road they're not going to remember the numbers. They will remember the narrative you gave, that example you crafted to emphasize the point you wanted to put across.   The Different Types of Boards There are different types of boards, where some are security savvy while others are not. Generally, they don't care, they have an IT background, or they don't. But a day of reckoning is here for them. They need to figure out and no longer be ignorant to these issues or be dismissive of them. They should know what the security department, and especially what the CISO, does.    However, the security topic with boards is relatively new and still in its infancy. They don't really know how to measure whether that security program or security leader is being effective. The NACD (National Association of Corporate Directors) has put out some pretty prescriptive guidance for boards on how to effectively manage security risk. This helps educate the board and also helps the security leader know how the board will be measuring them.   Presenting to a Board Earning your board's trust is the most important thing you can do for your long-term success as a CISO. Educate them & build that partnership where you both work to manage risk to the business and enable it succeed.    The other board members bring skills and experience you don't possess, and you have skills and information they likely do not possess. They're looking at you as a subject matter expert on security to help them make more informed business decisions. So if a situation is bad & there's a problem, don't be afraid to put that concerning...
7/29/201937 minutes, 6 seconds
Episode Artwork

What it Means to be an Honest Broker

What it Means to be an Honest Broker As a former CISO in Hanover Insurance Group, Brian Haugli shares what it means to be an honest broker in the context of security leadership, which might be better described as an agent of trust and transparency for a business.  Brian and Steve Moore talk about strategies for delivering the right message to executives and the Board, the learning opportunities that come with candor and the honest truth about managing the inherent stress of the position. Advice to future or current leaders One big feedback I would give my younger self is don't focus so much on one area or another. Really be open to the ancillary spaces within security. Looking at human behavior, looking at the legal side of things, and pulling that information in to help round you out. Is there a core of bad leadership in information security? Not everyone is born to be a leader. It's something that you're born with that type of a capability. I think you look back at like type A/type B personalities. A lot of security folks are the type B, and there's nothing wrong with that, but I think there's a different level of getting leadership out of that that isn't as natural for them as somebody who is a type A, an outgoing type of a person. I don't think there's bad leaders in InfoSec. I just don't think there's enough of them. Transitioning on a small team vs large team On a smaller organization, you're going to wear more hats because there's just not enough people for that work to go around. The larger organizations, what I learned was I could sit down a team or four or five analysts, teach them in one or two hours how I would do something. And now, I've multiplied my capabilities by five. And that's much more effective than me trying to do that individually. The smaller teams, smaller orgs, they are struggling with being able to address this and I think that's where I want to find a niche for developing some work and some support and driving insight and guidance to these groups because they need help. The start of Side Channel Security We saw the need that small and medium businesses, nonprofits, VC-backed software firms, don't need a CISO full time but still need that kind of guidance and expertise. We started by supporting a nonprofit ... realizing the questions and the concerns were the same things that we had heard from our peers in larger organizations or our own organizations at the time.  It just built upon itself. Where are people most ignorant as it relates to information security and running a good program? I've got a bit of a mantra that I can't defend what I don't know exists and that's really asset identification, asset allocation.  Being able to answer what is your business obligations? And what are your business objectives? Can you identify the things that keep you running and could you tell me what a bad day looks like? You have to make them understand that your new reliance on technology and you storing all of this data and/or allowing access to these systems equates to your ability to provide services to your customers, whatever that is then. Those are usually ah-ha moments for folks and it's a good one to be there for because you can quickly help them realize what their concerns really should be from a security standpoint, but then quickly get them to how do we tackle this? How do we make this not an issue any longer? How do we mitigate that risk? What is an honest broker when delivering a security message to the ELT or the Board? I think it's just about transparency and integrity. Security, the definition of security, is confidentiality, integrity, and availability. As the CISO, your ability to obviously protect those things is one aspect. Your ability to showcase and embody the integrity of what it is that is being expected of you. Turning that around and then being able to explain that in...
5/20/201938 minutes, 7 seconds
Episode Artwork

The Ins and Outs of Budgeting

The Ins and Outs of Budgeting Andrew Wild, CISO at QTS Data Centers, sits down with Steve Moore to talk about IT security budgets, the challenges of prioritizing resources to balance risk and the value of cooperation.   IT Security Budget Managing an IT security budget isn't just about spreadsheets and internal procurement processes, it's about understanding your organization's business priorities. Add to that, the management of your vendors and VARs with which you work. A CISO's focus is to protect the organization and measurably reduce risk, which often requires the acquisition of technology. However, those decisions aren't just about tech. There's a lot of management planning that must occur. The combination of transparency, forecasting and relationship building is good for business.   Challenges of Prioritizing Resources to Balance Risk Anyone that aspires to have a more senior leadership role in an organization, needs to understand how things are budgeted and financed and paid for. Look at the amount that was budgeted in previous years and what was actually spent. Sometimes that is a way to glean some insight into how well that role is functioning. In some cases, an organization may be growing so fast that you or your budget is continually being adjusted upward which can be a great thing. An indicator perhaps of some issues either in execution or enough resources to execute would be if the amount that was budgeted exceeds by a not insignificant amount the amount that was spent.  If you're not spending everything that you were allocated, that's an indication of a problem within the organization.   The Value of Cooperation In the information security arena, there is very little that the information security team itself is able to accomplish without support across the organization. The infosec team is leading part of the effort, but there's always another team that's needed, whether it's the team that's racking the hardware. Whether it's the team that's going through and supporting you in the procurement process. Whether it's the legal team in terms of contract reviews. You are, to a very large extent, dependent upon other organizations to be able to accomplish your mission. It's important to try to learn how the procurement process works. What is the mechanism through which the value added resellers, the VARs, are selected, do you have the ability to influence which VARs you will get to work with for your information security solutions and services. It's not always just about within your organization too. It's about how you work with both the vendors and the VARs. Be considerate of the fact that the vendors and VARs work on a forecasting model where they have to be able to, with some level of precision, predict when opportunities are gonna close. Be up front and be transparent.   What is Being Forecasted? In any kind of a sales organization, the organization expects to be able to know what kind of transactions are gonna happen, what opportunities have been identified and that there is a definite progression through the sales process or the funnel as some people call it, where an opportunity for sales is identified--there's a need, there's a solution developed. People depend upon being able to plan because that's how companies be able to better plan and meet their numbers particularly if it is a publicly traded company.   What Makes a Good VAR? Someone that has likely either deployed the technology in their own environment or has deployed it in other customer environments and knows the solution it sells, and they're almost an extension of the company's sales engineering team. VARs will provide some very valuable information that you might not get working directly with the company itself.   A Better Relationship with Sales Go talk to people outside your organization....
4/22/201941 minutes, 51 seconds
Episode Artwork

Lessons Learned from a Virtual CISO

Lessons Learned from a Virtual CISO Matt Klein, Virtual CISO and Executive Advisor at Optiv, sits down with Steve Moore to share his insights on teamwork, getting visibility at the executive level, and the right prep for effective board conversations.   What is a Virtual CISO? Think of it as a trusted advisor, an executive advisor, talking about strategic elements of your security program, even some technical elements, at a high to medium level.  They are a trusted person to work with a company and make sure that they're headed in the right direction. Also, they are that person to bounce concepts off of and to make sure they're doing the right things as they're building their information security program.  There are times where the virtual CISO model comes into play where either the CISO has left the company, or possibly a small to medium size business that doesn't have the need for a full time CISO. Another situation is where a CISO is gone, or they're creating a CISO role, and they believe they had somebody on staff who is capable of doing the role but needs some guidance.   What is a bad CISO? Usually they're not talking the same language as the business. Everyone tries to get to that language of talking risk, but really talking about the business. What does the business do? What are the crown jewels? What are those elements of the business that are core to protect? Whether it be data in a regulated industry, most industries would love to protect their brand. They don't want their brand drug through the mud in terms of a data breach. It's those types of things.  It's really those situations where the CISO is either removed so far from the executive team or from the board of directors, that the voice of the CISO is never heard.   Is the CISO role measurably impossible? There are folks doing a fantastic job. They have what they need to get the job done and that's really the root of CISO success. It's budget, it's staffing, it's all of those core elements to a security program, but it's more than personal interaction with the business. There's an understanding of what the business does and what protection should be in place.  You can't place a blanket over everything, it's impossible, it's expensive. You never have enough staff. You really have to pick and choose what you want to get done inside of your program. In a risk-based approach that makes sense for your business. Set the base line at an executive level.   Interaction with the Board It was just getting to know who I was talking to. In this case it was the board of trustees of a private state institution. Just understanding who the players were and getting to the point where I was talking at a very rudimentary level about what a security program was.  There were no numbers for that initial meeting. It was really concepts. It was bringing some of the concepts of protecting the institution, protecting the brand. It's really a huge asset for them to consider from a protection standpoint. It was really setting a foundation of here's what we're trying to protect, here's the important things to the institution. Not so much asking for what I needed or statistics. It was very high level, get to know what the information security program is and what it does for the institution.  You would want to be at least a little bit comfortable with standing in front of a group of folks and delivering a message. When you're helping create a presentation, there's really two in one.  It's a larger presentation, that if you had all the time in the world--the set of slides that you would use, kind of walk through, and give people time to ask questions and be really open with your presentation. And then there's the scenario where you got to cut down to three minutes--that’s maximum two slides.  It's really going through those two exercises together, continuously on almost any presentation you...
4/10/201939 minutes, 51 seconds