
So you wanna be a CISO … Are you sure?

BSides Tampa · 2021 · 39:15 · 141 views · Published 2021-04
Speaker: Larry Whiteside
Category: Career
Style: Talk
About this talk
Larry Whiteside: So you wanna be a CISO … Are you sure?!?! I hear the question multiple times a week, "How did you become a CISO? I want to be a CISO one day!" This talk will discuss the truths and myths of being a CISO and the multitude of paths that one can possibly take to get there.

WEB: https://www.bsidestampa.net
DISCORD: https://discord.gg/FhdkSNa24P
TWITTER: https://twitter.com/bsidestampa
MERCH: https://bsides-tampa.launchcart.store/

About BSides Tampa: B-Sides Tampa is an Information Technology Security Conference hosted by the Tampa Bay Chapter of (ISC)², a registered 501(c)3 non-profit organization. The purpose of B-Sides Tampa is to provide an open platform for Information Security industry professionals to collaborate, exchange ideas and develop long-standing relationships with others in the community. The B-Sides Tampa IT Security Conference took place virtually on March 27th, 2021.
Transcript [en]

Larry Whiteside: Okay, so, boom. All right, so here we are. I hope everybody can hear me okay. Ray and G, if you can't, please let me know. But I like giving this talk. Yes? No? Maybe so? All right. I like giving this talk.

Host: Lost audio, but your presentation looks good.

Larry Whiteside: You hear me now? Much better. Thank you. All right, so I like giving this presentation because I get asked the question, I hear the statement, all the time: "I want to be a CISO. How do I become a CISO?" And just the term, becoming a CISO, I hear it so much from people who are entering the industry, who are early in the industry, or who are mid-career. Everybody has aspirations to want to be a CISO, and when I ask them why, I don't really get real good explanations other than, you know, it's the top of the hill, or it's just, you know, the role that I would want. But I don't think a lot of people really understand what the role is. And so I give this presentation in a number of different ways, and today I'm taking a little bit of a slant on it that I'll show based on some statistics. So here we go.

So why this topic? If you think about where this role has come from, when the CISO role initially became a thing, we were largely technologists. We were in data centers; we knew the bytes and bits associated with networks and technology, and layer 7 and the OSI model, and all of the things associated with the tech that makes up our industry: firewalls and vulnerabilities and vulnerability management and vulnerability scanning and content filtering and all of these technical widgets, and malware. The things that we were reporting on and the metrics that we were gathering were all numbers: how many infections did we have this month, how many bad websites did people go to, and all sorts of numbers and things. However, where it's gone today, and where it's continuing to go, is to be more of a businessman, a business person, more of a role that has a seat at the table to help the organization understand risk and what that risk means to the organization's bottom line.

The difference is, though, that picture on the right looks nice, and we are beginning to get, or in some cases have, this seat at the table. What it took to get there and what it takes to stay there really looks like this. If you look at this picture, our days are long, the work is hard, our schedules are ridiculous. It is an insane amount of work, and there's a lot that is on the CISO's shoulders that a lot of people just don't realize and don't think through.

You think, well, the CISO's running this large organization, in some cases; they've got so many people, they've got these budgets, and they're ultimately in control. But ultimately we're not. So I like to put this up because this is sort of the mind map that CISOs have to think through on a daily basis as part of their organization, in their role. All of these different components, based on your business, based on what your business does, based on how your business makes money, based on all these different points, you've got to think about. You've got application security, you've got identity and access management, business enablement. You've got to be a leader to your people; you've also got to demonstrate leadership to your peers and your senior leadership and executive leadership. You've got project management, because you've got projects that the business is running, because let's be clear, they're not security projects. Every security project that you do is actually to support a business initiative of mitigating risk. So you've got projects, you've got physical security, architecture, you've got your own budget management thing you've got to do, you've got the operations of security. There are so many different components. Legal and regulatory, who knew that? Becoming a CISO, coming from the world of technology, that I was going to have to understand all these laws and regulations? Isn't that what the attorneys are for? No, I have to know them, I have to understand them. Every CISO has to know the laws and regulations that govern the business that they run.

So if you think about what all this is, how do you do all this on a daily basis? How do you go through and keep all these things front of mind as you are operating your organization to mitigate risk for the company? So I found this picture, and I thought it was actually quite funny, because when I look at my calendar every day, it's really a crapshoot of what do I do today, which meeting do I actually go to, because I tend to be double or triple booked, just as every CISO is. Go talk to your CISO in your organization and ask them how many times a day they are double or triple booked for meetings, and it's just because we're asked to be in multiple places at the same time. How do you do that? As a CISO your time is so scarce across all these things, because everybody needs your opinion, everybody needs your input, everybody needs the CISO's perspective on something. And that's in good organizations. In many organizations your calendar can still look like this and you're not even being pulled into business meetings; these are just your security team meetings, where your team is trying to keep you updated on things that are going on. You've got all the different things related to risks that are happening, you've got security operations, you've got your governance team, you've got vulnerability management going on, you've got all these different things that are happening, you've got the projects that are happening, you've got security engineering: how do we do this? But a lot of people don't understand this. A lot of people don't realize this is what CISOs deal with every day.

Additionally, sales. Ask any CISO if they've ever been to school to be a salesperson, or if they even thought that in their role they would have to understand sales. But at the end of the day, that's what a CISO is doing: selling. You have to sell your program: why I need these people, why I need this technology. You have to sell that. You have to help the business understand that paying for the things that you need, from a people and technology standpoint, is really about cost avoidance for the business. But that takes selling. You don't go into the CISO world knowing that you have to be a salesman, but once you get in, you quickly learn that you have to be. So you have to sell to your peers, you have to sell to executive management, and it's constant selling every day, because each quarter, when the numbers get low, when the business is looking at how they reserve money because the business isn't doing as well, you as a security leader, CISOs, we don't generate revenue. So because we don't generate revenue, they're looking at your 10 million dollar budget, or whatever your budget may be, and they're like, maybe we can carve something off of that. So being a salesman is a large part of a CISO's role on a daily basis.

Compliance. You've heard the term, I'm sure, millions of times if you've been in this business for any time at all: compliance doesn't equal security. But at the end of the day, compliance should be your best friend in your business as a CISO. We should be holding hands and singing kumbaya with our chief compliance officers, because at the end of the day, the regulations and the controls by which compliance is governed will help us to get the money and the budget and the resources that we go to ask for as a salesperson. But at the end of the day, you can't let compliance rule your life. We have to do this balancing act as a CISO: you have to understand the needs of compliance, but you have to ensure that you don't prioritize them over true security and risk.

And this is my favorite piece. A lot of people forget that security doesn't own anything. If you really think about it, and you really go look at your organization and think about everything that you're securing, security doesn't have any ownership of most of the things that it secures. Now, that's starting to change. There are some places where CISOs are now starting to take on technology operations as part of their role, so they're not just telling IT to patch, they now own patch management. They're not telling IT, hey, you need to make these firewall changes, or you need to make these changes in this infrastructure, you need to make these changes in AWS; they're now starting to own a lot of that infrastructure. But that's a small percentage. So think in your organization: what does security own? When security says, hey, new patches are out, does your organization actually give them the authority to dictate that patches are done in a certain amount of time, and then follow up on that and hold people accountable if they're not? In many cases they don't. (Sorry, [inaudible].) In many cases that's not the deal. So what does security own? Not much. We own our stuff. We own the tools that we utilize to help mitigate risk, we own the tools that we utilize to monitor and evaluate risk inside the organization, but outside of that we're advisors, sitting back asking people to do things, from our perspective, to mitigate risk for the organization. But at the end of the day, if you think about it, when these breaches happen, even if security told them to do it, even if security told them what the proper configuration was, I haven't seen any CIOs get fired for breaches. I've seen a number of CISOs get fired even though they had done what they were supposed to do.

And again, I go through these things because I want people to think through what this role really means, because saying you want to be a CISO takes a lot of thought, and when you get into that role, there's a lot that comes with it. This is a fact that came out of a Forbes article, of an interview, or I should say a survey, of almost, I think, a thousand CISOs between the US and Europe, and it's alarming, but if you talk to CISOs you'll understand it, and they'll all agree with it. The reality is, at the end of the day, when you think about some of the things I talked about, the breadth of the things that we have to be responsible for, when you think about that mind map, you think about: we don't really own anything. We are just governors, we are just advisors to the people who do own stuff. The risk isn't ours, it's the business's risk, but at the end of the day we're the ones who are sort of held accountable if things don't go right. Not once have I seen a leader of a business unit who accepted risk associated with something, and a breach happens of that risk, and that business leader is removed from their role. But I guarantee every person watching this right now has probably seen at least one article where a CISO's been removed after a breach. So some of these things are why this exists.

If you look at this slide and you think about it, it's an interesting fact, because I found this statistic very interesting, and I had some conversations with CISO friends of mine in Europe, and I talked to them about just the difference in their vacation versus us in the US. For a long time I largely thought, well, this must be a US-based thing, because I know when I ran a global team, my team in Europe, it was nothing for one of the members of my team to say, hey, I'm going to take the month of March off. In the US that's unheard of, but we do take a week or two weeks here in the US. But when I asked this question of my CISO friends, even in Europe, where vacationing is a thing and taking time off is a thing, they align to this. They're not taking a month off; they're not even taking two weeks. I can tell you, in the last two decades, I've never taken two weeks off. I can tell you, in the last 10 years, I haven't taken a full week off. It's not something... we get caught up, because there's so much to do, there's so much responsibility, and at the end of the day the eyes are on us, whether we own it or not, which we don't.

The work hours are long. I know a lot of times people say, so, a 40-hour work week. I don't think there are many of us who only work a 40-hour work week. A hundred-hour work week is not abnormal for a CISO. It's not abnormal. Sixty hours, that's a good week for most CISOs. I'd love for someone to ask the CISO panel later what their average work week is, because even if we leave the office, most CISOs get most of their email work done at night. If you think back to that calendar that I showed you earlier, if we're in meetings all day, when can we actually read emails? Well, most of us typically read emails between 9:00 pm and midnight, because you get home, you've got to spend some time with the family (I didn't put a slide in here about the divorce rate; the divorce rate among CISOs is high too), but you've got to try to spend some time with family, and once you spend some time with family, back to work, because now you've got to go through and respond to all the emails that you got all day and try and prioritize those. It's not all glitz and glamour.

And then this is the big piece. I talked about this a little bit: our role is risky. The role of the CISO is the role that first gets looked at. If you ask some people, they call the CISO the chief scapegoat officer, because if you think of the breaches that have happened over the last five to ten years, normally the person who gets hit first is the CISO, whether they did the right things or not. It's still typically the CISO, because at the end of the day the CISO is accountable. If you look at this statistic, basically a third of all CISOs think that if a breach occurs, they're done. Which also tells why the CISO tenure is around 24 months, because most people literally would rather leave on their own terms than outstay their welcome. And that's what we feel. We get into these roles understanding that the clock starts ticking, and that clock ticks down to either when you choose to leave on your own before a breach happens, or when a breach happens and they ask you to leave.

So that's what I started with at the beginning: so you want to be a CISO. I hear this a lot, and again, people have all sorts of reasons, but largely people think, well, the CISO role is the top of the mountain, it's the top of the organization, it's the one with the most authority, it's the one where you make so much money. As a CISO, you make good money, you do.

But is it really the top of the mountain? Because ultimately, if you think about security right now, security typically reports into a CIO. In some cases they're now starting to report to CFOs. In large organizations, after a breach, they're now sometimes moving the CISO to report to the CEO, but for the most part they report to the CIO. Sometimes they report to the general counsel, or a chief risk officer, but for the most part they report to the CIO. So is the CISO the top of the security paradigm? Not really, because there are starting to be people who transition out of the CISO role into a CIO role, so you have a CIO who's got some security experience and background and understands risk management and risk mitigation. Is that the top of the mountain? And this is just in Tampa. I didn't even put the salary numbers together for outside of Tampa, because outside of Tampa it dwarfs this once you start getting into some other areas. But it's just important for people to think through whether they really want to be a CISO or not. Understand that the role is not all glitz and glamour; the role is not this super fun role where you get to do all these fun things. The role's got a lot of risk.

So if you take nothing away from any of the stuff that I've talked about, any of the things I've said, understand that the CISO role, or chief information scapegoat officer role, is the most risky in the company, because you own nothing but you're responsible to protect everything, even things you don't know exist. IT stands up a new S3 bucket in AWS and they don't tell you, even if you've got a process where, when they do those things, security's supposed to be involved. It gets popped. They're still going to look at you. They're still going, well, oh, you had a process? Well, why wasn't it... is there a way you could have automated that? And I'm telling you, these are real stories that I've heard from CISOs. They will look at you. Salaries are increasing; that's great. I remember when the median salary for a CISO was 150K, and we thought we had made our mint, because we were like, man, the median salary had crossed 150K. So as salary goes up, though, so does the risk, because again, back to an earlier point I made, the CISO does not generate revenue, and the CISO owns nothing but is responsible for everything.

Compliance would be your friend. Don't look at compliance as a negative; look at it as a way for you to help justify some of the resources that you need. Yes, you can discuss risk and other things, and those are also good things to talk about, but compliance is your friend because compliance is mandatory. Organizations don't have a choice of whether they're going to meet government regulations; they don't have a choice of whether they're going to do certain things. If you are a customer-facing organization, your customers are going to mandate that you must do certain things, whether it's ISO certification, whatever that is. So utilize those things to help you get your budget, and don't give compliance a stiff arm.

Understand that being technical is not what's going to get you into a CISO role. If after all this you're still interested: I don't say any of this in this presentation to deter people from becoming a CISO. Everything I put in this presentation is to make sure people who want the CISO role go into it with their eyes wide open. There are tons of CISOs today, I will tell you, who have been in the CISO role for 10 years or more and are actively trying to get out of it, and they're moving more into consulting, and they're moving into many other roles outside of the CISO, because they get burnt out. It's just a fact. But understanding that your path to CISO doesn't necessarily mean you have to be a technical expert anymore. Today, CISOs are about business risk; they are more business executives than ever. So understanding your business, and how it makes money, and what technology risk brings to impact an organization making money, will get you there faster than being a technical expert in security. And lastly, there's no straight path. If you want to know how did you become a CISO, my story is going to be different from, you know, my buddy Hussein, who was on here earlier, or John Graham, who's going to do his presentation sometime today. Every one of us who has gotten to the CISO seat has gotten there by a different path. There's no straight path, there's no one path. But just understand, whatever path you choose, when you get to the end, go in with your eyes wide open. Recognize that the glitz and glam that you think you've seen from whatever CISO you know, it's not all glitz and glam.

That's all I've got. You can reach out to me with any questions, thoughts about this presentation. I'm open. As I said, I love to run my mouth; I speak a lot about different topics. You know that I'm a diversity champion, so I have a not-for-profit geared to increasing women and minorities and LGBTQ+ in the field of cybersecurity. So my goal really is just to help people, and have people come into their career with their eyes wide open, knowing exactly what they want, and to follow their passion, because if you follow anything for the glitz and the glamour or the money, you're going to be disappointed at the end. So thank you very much.

Host: Larry, thank you so much for sharing that. I think we have time for a few questions. Are you ready for them?

Larry Whiteside: Yes, sir.

Host: You mentioned skills for a CISO. What are the top skills to become a CISO? And I'll stress that some of these questions are going to overlap, so we'll ask them in different ways to get better answers. But what are the top skills for becoming a CISO, and does it depend whether you come from a technical or a non-technical background?

Larry Whiteside: Yeah, so the top skills for becoming a CISO have zero to do with your technical understanding. It has to do with you being a communicator and being a leader. So if you've got an ability to communicate with your peers, with executive management, and with your staff; if you've got an ability to lead, so to be able to lead change; if you understand risk, because everything now is about risk; and you understand your business. To be a CISO of an organization, the best way for you to get into a role of being a CISO of an organization is to know their business inside and out. How they make money, at the end of the day, is what drives the business. And so if you know the business inside and out and understand what risk technology can impose on that, and you talk in that way, those are the things that will get you to becoming a CISO. Now, I'm not saying, okay, you're a sysadmin, go learn the business and you can go become a CISO. I'm not saying that. What I'm saying is, those are the things that, once you've gone through demonstrating them through your career... because you've got to go through the steps. You've got to at least have led a team of some size, so that they know that you are a leader and can manage people, because when you're a CISO you typically have a team, and you've got to go through all the things of building people, leading people, leading and building teams. So you need to have some experience there. You need to know security to be a CISO. When I say you don't need to be technical, I mean you don't have to know bits and bytes. You don't have to be able to work on a command line and know Linux and know how to script and all those things to be a CISO. You need to understand the security landscape, and you need to know the difference between a firewall and a router; you need to know the difference between an endpoint detection tool and content filtering. So you need to know security, but you don't have to be a security technologist. You do not have to be in the weeds with security. You don't have to understand it at a level where you can get on a keyboard and configure it. You just need to know it and understand it.

Host: Great, that was well answered. How did you, Larry, transition from a technical person to a CISO? What was your particular path?

Larry Whiteside: Yeah, so for me, and I won't go through everything, I was a military officer, and being a military officer, you're a leader. In my last role, from '98 to 2002, I was at the Pentagon; I was running security at the Pentagon. Transitioning, that was just being an officer in the military. When I got into the private sector, the first thing I did was consulting, and after consulting, I transitioned into a leadership role. So I sort of went a different path than most, because of being a military officer, having the leadership and having a lot of that stuff that I talked about, being able to communicate. And then coming out and being a consultant as my first private sector job in the field, I was advising CISOs, and they weren't called CISOs at the time, they were VPs of security, globally. By doing that I got to see and understand how they ran their security teams. So then when I left that role and got my first official head-of-security role, reporting into the CIO, I already had the leadership from being a military officer, and then, having consulted to a number of global CISOs, I sort of had an understanding of what running those teams looked like. So I took a little bit of a different path than normal because of that.

Host: Now that you've been in companies, can you talk about the progression from technical to management to security?

Larry Whiteside: Yeah, so it's been an interesting path. When CISOs were technical, in the early and mid 2000s, we were technical because we were dealing with technology, firewalls and the things that we were doing, and we also didn't have a seat at the table in the boardroom. I presented to the board, but the things I presented to the board were things where their eyes would gloss over, like the number of malware infections, because at that time those were things that we dealt with, and so those were the numbers that we gathered. As CISOs we didn't really know any better, because we weren't being asked for more. It was probably after 2010 when things began to change; that's when the board, that's when executives wanted to know more, because security was becoming more pervasive. You started to have bigger and bigger breaches: you had the OPM breach, you had all these different breaches that happened, Target, all these different breaches that happened. They got a lot of visibility, and people started recognizing what cybersecurity could do to their bottom line if they were not taking care of it. Cyber liability insurance started becoming a big thing. So it just sort of transitioned over time, where they started integrating security into more of the business and started realizing that it wasn't just a technology problem.

Host: Now that you've been a CISO, would you change... I mean, it's obvious you have a great deal of passion for your work. You love it; it flows in your blood. But would you change your decision?

Larry Whiteside: I wouldn't change my decision. So first off, for me personally, I don't believe in regrets, just from a personal standpoint. I don't think there's any such thing as regrets, and so everything in my life, professional or personal, I look at as a lesson, I look at as something to learn from. So my time as a CISO, because I'm a CTO now, my time as a CISO, I loved it. It was wonderful. I built great relationships with hundreds if not thousands of CISOs across the globe that I know and love and have fun with and travel with and all sorts of things. So I wouldn't change any of it. If I had to do it all over again, I wouldn't change anything. I'd probably be smarter early on, and be more confident in myself a little bit as it relates to some things like salary and other things of that nature, but that's a whole other conversation. But I wouldn't change it, because it's about the journey. Life is about the journey, and going through the things that I went through as a CISO shaped me to be better for where I'm at today, and so I appreciated it. Would I go back to a CISO role now? I would be hard-pressed to go back to a CISO role now, honestly, after doing it for so long, and there are many CISOs who will echo that once they got into a different role, going back to a CISO role is something they dread. So I can't say I'd run back to one today with my hand in the air like, yes, oh my God. If one came that was just so compelling I couldn't pass it up, I'd definitely think about it, but I wouldn't go search, and I would not be seeking out a CISO role to go back to today if it were my choice.

Host: You touched on a few of the benefits. Could you talk about some more of the benefits and rewards of what you experienced while you were a CISO?

Larry Whiteside: Yeah, so here's a reality. Being a CISO, there's a community. It's almost like a fraternity, or sorority, however you want to coin it. You become part of a group of people that are all fighting the same battle, because every CISO is dealing with the exact same things, just in a different business. And so we share a lot, we communicate a lot. I'm in multiple text and WhatsApp and Signal groups and LinkedIn groups with other CISOs, and Slack groups, where we communicate and we share, whether it's board presentations, techniques, topics. In one of my Signal groups, one of our buddies shared his tabletop exercise that he did with the executive team. All of these different things we share, because we're all fighting the same battle. And so that camaraderie, for me, I think of it like the military. As a member of the military, you see someone else who's a military member or former service member and you automatically have this connection. The CISO community is one of those same things, where once you're a part of this community, even when you move out of it, the relationships that you've built and the time that you had in it, you'll never forget, and you'll always have them. Even once you move out of it, that community will still look at you as one of them. And so I love that. I will never change that, and I'll never lose the relationships that I had there.

Host: Those relationships continue over to the virtual CISO role. What's your view of a vCISO?

Larry Whiteside: So the vCISO is, A, becoming more popular, but B, is also needed. If you think about the small and medium-sized business market, it makes up 70% of global businesses, but they don't have the cash flow, they don't have the knowledge and know-how, to be able to have a full-time CISO. Again, salaries are going up, so sometimes they can't afford to have a CISO who is coming in as a full-time employee. So I think the virtual CISO role is very important to security as a whole, as an ecosystem, so that these smaller organizations have someone who is giving them the strategic vision that they need around security for their business.

Host: Just one more question to slip in: where and how can I find these communities you've talked about, Slack, WhatsApp, LinkedIn?

Larry Whiteside: So first off, it starts on LinkedIn. It starts where you've got to build relationships with people who are in these communities, and then when you build relationships with people who are in these communities, they then invite you into these communities. Again, I've been in this business a long, long time, and so I've built relationships over the 28 years I've been in this business. And with that, I've traveled a lot; I've lived in a number of places, and I've traveled a lot for the CISO role, because most people move for CISO roles. CISO is one of those roles where you're not going to always be able to work remote. Because of the pandemic that's becoming more of a thing, but I can tell you most CISOs... John Graham, who comes on, is a perfect example. He lived down here in Florida, not far from me, and he took a new role, and he moved. When you take a CISO role, it typically wants you somewhere near headquarters so that you can go in and participate in board meetings and do those things and meet with the executive team. So it's really getting out there, engaging on LinkedIn, connecting with other CISOs, and then being invited, and talking to them and engaging with them, where they then bring you into those things.

Host: Larry, it's always a pleasure to hear you talk. Personally, again, and professionally, I gain a lot of information. So thank you for your time and returning to BSides, and a really big thanks for being flexible and dropping in the number two position today.

Larry Whiteside: My pleasure. I really appreciate you guys inviting me every year, so I love doing this. I love Tampa, I love BSides, so I'm all in with you guys. Appreciate your time.