GO phish
How do you deal with stress and unwind outside the office?
I coach my young son’s soccer team. It is about as opposite from the CISO job as possible – I don’t know if that’s an accident or a subconscious decision. It’s outside, physical and there are a lot more pizza parties. It’s also satisfying in a different way from the CISO job because it’s very transactional. You show up to a game, and you win, lose or draw. Then, you can switch off until the next practice or game. By contrast, the CISO job has an endless stream of things to track on an on-going basis.
If you could go back and change one career decision, what would it be?
I would not change anything. I have always directed my career based on what seems interesting, or ideally, both interesting and needed. This has served me well. I’ve had a lot of fun, learned many different things and met many different people. I’ve had the fortune to have had plenty of impact, so I now get more satisfaction from helping others have impact.
What do you currently identify as the major areas of investment in the cybersecurity industry?
We’re at an interesting point in time where there is pressure on corporate budgets, including cybersecurity. So, companies are keen to invest in cybersecurity solutions that are capital-efficient. I’m fortunate to work in the bug bounty space, which is at what I call the ‘sharp end’ of security. This is to say that the results we and hackers provide are not theoretical or abstract.
We offer a stream of real, serious risk information that can be acted on urgently to prevent a criminal from showing up and causing a breach. I think we’re going to see more scrutiny on whether – really – a given cybersecurity product meaningfully changes your risk profile. If not, out goes the solution. I’m privileged to work with many household-name financial institutions that know a thing or two about calculating return on investment.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
Different regions have different regulations. For example, in Europe, there’s the GDPR. Here in my home of California, we have the CCPA law. One approach that simplifies things is to take some of the commonalities of these laws and treat them as a baseline of excellence that you apply to all your user base. For example, if a user has a question about their account, is it simpler to ask them where they’re based and then decline their request if you can? Or is it simpler to just help them regardless of where they are based?
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
There have certainly been some shockwaves resonating through the CISO community over the past year or two. We’re seeing more accountability for CISOs and in some organisations this has led to changes. In my role, I already report directly to the CEO and meet with the board twice a year, so I feel I have the support and the direct connections I need to prioritise anything with a cross-organisational component.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
Optimise your career around learning and gaining experience. If you have a C-level position, no two days are going to look the same. To be effective, you’re going to need a lot of experience in many different situations. To get this experience, make sure you choose an organisation you can learn from. Make sure you work for an organisation and a leader you can learn from. A good leader will take the craziness and complexity of running a security program and make it digestible to you. They will explain the rationale and decisions and ask for your input, and they will show you how they balance business needs with risk analysis.
Push your comfort level. Perhaps you have large company experience? Working for a smaller company or even a start-up will often let you get ‘closer to the action’. This will accelerate your learning of how a security program is run and how to make difficult trade-offs. Or perhaps you have small company experience? Working for a larger company with a mature and competent security posture will show you ‘what good looks like’ so you can chart a journey if you hold a more senior position at a smaller company.
But before you embark on this journey to the C-suite, take a pause and make sure you know yourself. Why are you aiming for a C-level position? You need a good answer to this. Perhaps more importantly, you need to have confidence you’d be happy in such a position. There are different joys and frustrations to every job, so make sure you are going in eyes wide open.