4 Keys to Being a Successful CISO

BSides Augusta · 2021 · 58:14 · 94 views · Published 2021-10
About this talk
Russell Eubanks shares four essential qualities for success as a Chief Information Security Officer, drawing on his career transition from individual contributor to leader of leaders. The talk covers the mindset shift required to move into executive security roles, including culture-building, engagement, clarity of mission, and saying no—illustrated through personal anecdotes and practical techniques like the 'cafeteria test.'
Original YouTube description
A lot of people want to be a CISO. Many have put together plans on what it will look like actually to be the CISO. But what does it take to be a successful CISO? Gain insight into this often elusive role. Russell shares what it is like to move from being an individual contributor to having the privilege to lead people who lead people who deliver cybersecurity to many different companies.
Transcript [en]

hey everybody so glad to be here thanks for coming especially after chick-fil-a uh it was really a rush to the table a big fan of chick-fil-a and i'm even a bigger fan of b-sides augusta i've been to all but one and i had some issues i couldn't come but always come always look ways to enjoy what's happening in this area it's just so exciting on everything it's just like the investment would go up i knew the impact at cyber in this area is going up but it's just blowing mind blowing it's a delight talk about this and so the thing i want to talk about is some keys to be a successful chief information security officer i've been a

privilege to have that role in many different organizations and what i want to do is talk about some of those keys for in particular to help you understand some areas that might be neglected if you're not careful with respect to leading people that lead people that do cyber security things and so that's the purpose of this talk is anybody here already a cso anybody done or senior security leader a couple of yep so so yeah so good to see that and i think that that's really key is to whether you're interested in that or not or you want to understand what's going on in the mind someone who leads to cyber this is you my goal is i wanted to think about the

me several years ago a long time ago and in fact 11 years ago decided that i wanted to be a chief information security officer but i wasn't ready i remember when i applied for that first job and i didn't even get an interview and i thought well i've been in cyber for a while i've done some things i've done all the things that i knew to do and it's a good reason that company didn't hire me or promote me into that role because there's all kinds of things i didn't know that i didn't know to be successful so my goal for this time together is to share some things that i've learned with the hopes that

at a minimum you don't have to learn these things as well and so that's what i wanted to focus on with this conversation and to do that i want to go back in time like a long time ago 25 years ago while this is not i didn't have a cell phone 25 years ago 25 years ago the job i had was what's shown up here on the screen i was working at maytag in southeast tennessee my job was to run a machine sort of like this except the ones i worked with dirtier heavier older all those ears there and my job was to go in six days a week and help run machines that basically

made parts to ultimately produce a maytag stove that was my job i worked really hard for this job everything will be great it'll be awesome i would like that it pays well very well respectable uh position in the community that i was living in i thought i had arrived when i had that job and after doing that uh to two people one person works on one side of the machine that kind of puts them in the 500 tons worth of force and out the other side it's bended or it has a hole in it or you know things to afford the progress of making stoves i was on the receiving end and so the person on the giving to me

end he had been there for 30 years for 30 years he would take it put it there the machine would come down and hand it off to someone and that someone case was me and i said to myself you know i could do this it's a good paying job great benefit all nothing wrong with the job i was doing i decided that wearing steel-toed shoes long sleeve shirts protective gear all the things because of an environment like that i thought to myself self what would it look like if i didn't do that the rest of my professional career that's exactly what i was i had that conversation so my shift 4 30 in the afternoon to three in the morning

usually six days a week i went in early one day and one day went in early and i went to talk with hr i said hey hr i remember during orientation you said that one of the many benefits at maytag was that if i go to school and correct me if i'm wrong but if i go to school you'll pay for it did i get that right do i remember from that and as it turns out that's exactly what happened they said you know yes we have that benefit go get a receipt go pay for things bring it back and we'll find a way but what was curious to me is they said this we've never had anybody from the plant

doing you know manufacturing work to ever do this so they said they were honest they were transparent they said no one's ever done that before we'll go figure it out while you go and pay and bring back the receipts and we'll make it all right and they did make it all right this hunch i had this idea i had i think i want to do something else really led me to the place that i'm at today and that idea of what is it like to want more what is it like to want to do more so whether you're a cso whether you want to be a cso someday or you may very well wonder what rattles in

the mind of someone who leads people that leads people that does cyber security this is the talk for you and again i want to share four key areas of what that looks like and what that looks like to go think about what is success what is the when how do i know when i find it how do i know when i get there what's so funny at my last full-time job i was privileged to lead the security function for the federal reserve bank of atlanta atlanta's home for me i always come to b-sides augusta from atlanta but uh because of remembering where i used to work and the things i used to do and it's a good job it just didn't allow me

to do things i wanted to do when i walked in the halls very big very nice very prominent halls of the federal reserve bank of atlanta and all the places i've worked ever since you know typically in the morning on monday someone will say how you doing it's monday oh god it's monday all the things you've said that i've said that you hear that and it's become kind of normal but when people would ask me that question when they would say russell it's monday it's eight o'clock in the morning well i wish we had another long day weekend i got to recover from all the things that over the weekend and i get that i understand that i respect that

but when they would look at me and they would say how are you doing i would always have the very same answer and people would laugh at me and i'm okay with that but they would say how are you and i would say i'm living the dream and why would i say that because just a couple of slides ago i showed just a little glimpse into the er when i frankly wasn't living the dream 25 years ago my story was not standing in here and talking about these things 25 years ago it was sweat hot no air conditioner for me very unsafe environment could be hurt or injured at any time because of the working conditions and i thought to

myself not living the dream at all so when people say how are you doing i can i'm old enough to remember to be able to go back in time and recall what that looks like and so what i realized to get that transition from where i was to where i'm privileged to be at today the place where i'm literally living the dream it took four things what are the four things they just let her see it wasn't my intention just kind of played out that way and i want to walk you through that journey of constraints culture clarity and customer service nothing technical at all not one of those things is really technical things but

seeing people that lead people that do cyber security for the most critical things that perhaps could be done and so let's talk about the first one the first one is constraints what constraints are necessary for someone to be and serve as a successful chief information security officer in this case it's a gate kind of keep out restricted what are some constraints what are some things that someone to be a successful cyber security leader does not need to have perhaps if you're like me i started at the lowest of the low on the org chart in cyber and you can work my way up to different organizations moving relocating training certifications all the things that we do

but in that journey my job response i had a couple responsibilities but one of them was to be in charge of windows security for a large healthcare company in southeast tennessee before my first job stay at that job i had been entered into a group domain admins and so i had full admin privileges which looking back maybe wasn't the best idea but that was what was necessary i had that i had to do those things and i had that access what did that mean that meant i could basically do anything i wanted to from a security and configuration perspective in the domain no one was going to tell me no i had all the rights all the

permissions but as i started to move up into my journey of leadership you know team leader manager supervisor all the things like that the need for me to maintain and keep that access dwindled like pretty fast and while i've been to school i've had the training i've learned and i was pretty proficient after several years of doing that at administering a domain my job at the time did not require that i started to move up the organization i needed less and less administrative access to do my job because my job wasn't always hands on keyboard playing around with group policy there are some places what are some areas where even though maybe in an approval process

oftentimes the security leaders will say yes you can be in that group or yes you can do that thing or yes you can interpret the policy that way just because you can doesn't necessarily mean that you could again that idea of what are some constraints and so there goes this because you can doesn't mean you could got some big thumbs up there yeah from a fellow ciso yeah that's exactly right just because you can doesn't mean you should uh and what might that look like when i had uh five and a half six and a half seven half years ago when i started at my last full-time job i was really excited about coming in and

proving to the organization that they've made a good hiring decision i want to come in and impress them give them some ideas ooh never thought of it that way we're so glad you're here good job we're so glad that you're here russell that was my tell anybody that before telling you here right now but that was my goal when i started my most previous full-time job so i want to come in and make a big impact and his life would happen wouldn't you know it a couple of weeks into my tenure back in 2015 there was a security incident and a lot of the work that i've done in the past is around incident response

building teams responding recovering all the work that comes uh with that and you've done that work you know typically you know five o'clock on a friday uh before a long weekend you get a call and it kind of ruins your plans that's been an area that i wouldn't quite so new to the job executive over the cyber security program i decide i want to come in and make a big impact hey chief of incident handling team i think i'll take this one what were they going to say well you're my boss's bosses blood they didn't mean much verbal resistance but i don't know heard the words no hard no don't do that went in low severity worked through it brief did

the things coordinated do this do that here's the report here's the re all the stuff it worked out just fine but i'll never forget about that that was back in 2015 i'll never forget that because i made a mistake the chief of the incident handling team shouldn't have had to say to the chief information security officer no russell it's my job to lead the team that responds to incidents no russell it's not you don't even have access to all these you're still the fng there's something better for you to do whatever that thing is what constraints are necessary because our time is limited how can we best spend our time again looking at constraints there might be a

way to think about that oops again in access and access control are there certain groups certain meetings certain things that we've accumulated over time and maybe you've seen that i've certainly seen that as the longer you're at an organization you're longer your tenure the more likely that you have like a whole bunch of groups and projects and sharepoints and all the access that you have that you might have needed in the past but perhaps you don't need right now what would it look like if there was a process a calendar reminder a recurring nudge that says does russell still need to be a domain admin does russell still need to go to that meeting does russell

still in service of trying to be in earnest a successful chief information security officer does he still need the things that he has the group memberships etc what would it look like to revisit that to prune that up and think about what are the examples what are the places where perhaps we've accumulated too much access control again constraints what's another constraint something that you can inflict upon yourself that can free you up to do the things that only you can do another constraint might be in money a lot of times i've been guilty of maybe you've heard as well maybe you've said as well you know what if my blankety blank boss would only give me another

million dollars i could buy fill in the blank and then i could solve all the cyber security problems at the company i'm privileged to work at and say that and in complete transparency i've said that before you know the reason i can't do that is i don't have any money the reason i can't do that is my splunk license only goes so far or my visibility is not what it should be and i think while it's easy to do that it's easy to say i've got the constraint of i don't have enough money maybe there's some things that we can do maybe there's a way where the constraint might actually be able to show some new

creativity or show a new possibility that if you had money if you had the license if you had the things that you say that are standing in the way maybe there's another way to do that back in 2011 i was working on a project and i became very excited the security control right maybe you've heard of them center for internet security they just give away a list of prioritized things to do that when you do them according to a lot of organizations u.s federal government other international

approach to say when you do these things not only do you get your pretty just for a lot of us but you also literally reduce the probability of a breach when i do these things i'm not just busy doing things that are mapped to compliance mapped to visibility a lot of automation and got me really excited about that when i heard about that again i heard about it first i think 2008 started to think well what would that look like they had examples where the u.s department of state like that department of state with people in every time zone around the world on a sensitive but unclassified network in the very first year reduced their vulnerabilities by 85

percent so i looked in the mirror like i'm not shaving brushing my teeth all the things we do in the morning i looked in the mirror and i said self what am i doing that has results like that what am i doing that could show that i'm doing whatever initiative things i'm working on leading doing what am i doing to and pretty quickly it struck me like nothing no no project working on have ever had that type of with math and metrics and reporting to show a reduction in well much of anything especially at that scale i was excited about what they did they were giving out charts and reports and templates here's how they did it and

very nice of them to do that for the community at the time i was excited about it but i was the security team at that time i was working to build a security function for a healthcare startup they didn't have a security person i went from a big team to being the team i was excited about doing that i just didn't have a way to make it happen no more funding no more budget you know just it was good we got a security part just be glad that you're here because before there was no security person i was excited about that but the constraint of a lack of funding i thought well about that what are some things that i

can do so i decided to read the fine manual i had some security tools those are in place but i knew i couldn't get any more i thought well when i look at what state did what would it look like if i decided to lean in metaphorically to the tools that i had to see is perhaps there's some undocumented features perhaps there's some capabilities in those tools that could get me a little bit closer to the results of what state had and that's exactly what i did this idea of the constraint because i didn't have a support i didn't have the money didn't have the funding but i was inspired by the work that someone else

did was able to literally write the first paper uh give a presentation here at b-sides augusta actually a long time ago around what would it look like to solve for those controls without having to spend any money so that constraint allowed the creativity it's just an example there's plenty of examples but one example of i'm inspired to do that and not stopping with and i can only do it if i have whatever money state had to solve that same problem why do i say that because i want you to think about some areas where maybe you're saying if i only had three more people if i had a managed service provider if i had someone watching the alarms if only

i had these things then i could solve that problem so think about one and think about what would it look like to creatively solve that problem if you don't have enough money you know what we never have enough money what are some ways that we can lean in and solve for problems just like that what was interesting is gave that talk my first ever talk was at b-sides atlanta back when b-sides atlanta used to be a whole really big deal like way bigger than augusta interesting how it's turned around i gave a talk on how to do that and to my most two most recent folks who hired me for a full-time job i wasn't

looking they were looking they came in and heard a way to approach that and actually got my last two full-time jobs as a result of doing just that there's a constraint where to find creativity to solve those particular problems so it does work it was out of necessity wasn't that for a job hunting and looking for the next job but interesting how life works sometimes the second c i'd love to share right now is around culture culture a lot of times especially as leaders or aspiring leaders you must ask yourself a question is this something that only i can do remember that incident response thing i talked about earlier on the previously is this something that only i can do at

my last full-time job so a minute i live in atlanta there's like six and a half million people in atlanta traffic is nasty awful horrible um of course pre-paid doing my commute to go 25 miles was a minimum of 45 minutes each way and usually longer on the way home so i get up early go to work get there early russell how you doing living the dream a minute sincerely and i tried my best to leave at a decent time to not be stuck in just terrible traffic if you've been stuck in atlanta traffic i'm sorry 45 minutes i'd listen to podcasts i do the things i call my parents call my brother call my k all the things to kind

of have an agenda for sitting in my car sometimes moving many times not moving but one of the things i did every single time all the way to work is mentally i would say what are some things that i only i can do i'd ask myself that question i'd assign myself that task what are three things russell that only you can do and on the way home which was always a much longer trip i would ask myself of those three things did you do those three things those three things that only you can do and by saying that i'm not saying that i'm better than anybody at all in any form or fashion don't hear that

but because of the position the responsibility the role that i had as chief information security officer i wanted to recognize that there's some things that only i could do maybe it was approve a policy or approve an exception or brief a board or whatever it might be so that those that are doing the things to stop bad things from happening can have their time freed up to do what they do the best what are things that only i can do and if on the way home when i asked myself is how would i do those i'd reach around good job did it one two three yes and if i didn't i'd hold myself accountable on the way

to work the next day maybe i'd have four things or five things or six things of what are some things that only i can do maybe it's small things maybe it's canceling a meeting it's so many things but in a leadership position what are some things that only you can do for me what i've seen success i've had at leading large and small and medium-sized security teams culture is well everything what would it look like if your colleagues if those that you were privileged to lead when they walked into the building are they logged into zoom or teams or however you're working in this environment right now what if when they were asked how are you

doing what if they were to say you know i'm living the dream i know my purpose i know my passion and i'm doing things that align uh where my person my passion and purpose exist i'm doing those things as much as possible i'm not doing the things that i hate to do i'm not working in a factory i'm not delivering pizza i'm not whatever the things that they were doing what would it look like if you could create and design intentionally as a leader a culture where things like that would be said by those that you're privileged to lead what would that look like just imagine again about what are some things that only you

as a successful cso can do this one always makes me smile an example uh would be i called it it's not a very creative name you leave it if you can think of a more creative name let me know i'll change it but i always call it the cafeteria test no creativity in the name but this idea that you know if you work a nine-to-five job or whatever your time is at some point at larger organizations maybe there's a cafeteria you can go in and get lunch uh and i can just in my mind i can just see cafeteria lines of places i've worked at in the past you get your tray you kind of walk around well i'm

going to get a burger i'm going to get a hot dog i'm going to get a salad i'll eat healthy today i'll get a smoothie what all the options are but since you've got to go there anyway since you should go there anyway as you get your tray and as you walking around deciding what to get what if you go on a mission what if you again assign yourself some work as you're carrying your tray around what if you look around and you see people who are already there they've already made their choice of the things that they're going to get in you and you see there they are you don't say anything just kind of

watch and then you count maybe you walk towards them a little bit not in a creepy way but you get near them and then they lock eyes the second that happens not a word is said that little micro second right there when they that those eyes are locked and they see you what do they do when they see you is it i think i'd rather leave i don't want a pizza there's no way there's that security guy coming there's that security girl coming and that's not good or again when you lock eyes there's russell he fixed my problem whether him or his team or the team he's previously what if you did that cafeteria test like

two or three people not creepy not goofy i don't want you to go to hr and get in trouble but what if you went to places where your co-workers are at and cafeteria test or something like that to say how's that engagement maybe do it another time maybe do it another time i did that for seven months and what i found was i got non-verbal feedback if there was tension if there was happiness if there was there's a blanket blanket security people team again whether it's about me or the team that i'm privileged to lead didn't really matter i wanted to see how we're showing up how are we offering and adding value to those that we're working

with i've never been working at an organization that existed because of cyber security i've been at places where companies make things and do things and serve things and cyber is a way to reduce the risk and them doing that particular function so i've never worked in a place where the reason we work here is cyber but that's probably a good thing because i get to help tailor and craft the culture such that when there's encounters at the cafeteria at the entrance at the exit at the parking garage where possible i want them to be better feeling better off than now that when they before they first engaged with us or specifically with me did that for seven months i gave an

assignment to those that was were a direct report to me uh in the org chart and said look as a leadership team i've tried this i'm gonna do this and i want you to do the same thing why did i want them to do that i wanted them to feel that tension i wanted them to be more aware of how they were showing up and how those that they were privileged to lead were interacting with folks who out doing their things in common areas and feel that and then where possible change their behaviors change their approach to be able to add more value again this tells you how are you showing up how's your team showing up and from a

cultural perspective what are things that you can do to better improve or mold the culture of the team that you're privileged to lead to better meet the needs of your respective organization again goofy name cafeteria test it's been great i've loved it and it may be a little bit weird until you get back into or if you do get back to an in-person scenario but maybe you do it before you go to the next talk maybe you choose to do that today just something to think about i talked about earlier walking the halls again looking at the culture i told earlier that idea of walking in and russell how are you doing again i'm living the dream i can't

imagine doing something other than what i'm doing now it took being bold it took asking questions it took frankly me remembering what my life was like 25 years ago to be able to say that but walk in the halls as you walk the halls or as you walk the zoom calls right as you walk the teams or webex or whatever technologies you might be using in lieu of walking the halls what does that look like to show up in a way what would that look like if you could talk to the person that recruited me to my last full-time job back in 2015 they talked to me for a very long time hey will you come will you come and take a

decrease in pay will you have a longer commute and you have a higher stress level job okay they didn't say that but that's kind of how it works out sometimes if you were to go to the hr recruiter that recruited me and you were to say herb of all the questions russell asked before saying yes to that offer to go work and lead a very successful very prominent security team at a super important organization what's the key idea what's the number one type of question it was that it was culture what's it like to work there where i was working at before in telecommunications i knew the culture i've been there for a while i knew how to navigate how to get

expense reports paid how to cover for and take care of and communicate different issues but another organization i didn't know the culture i wanted to know was i going to like to be there would they like for me to be there those ideas of what's it like to walk the halls literally or metaphorically another way to think about culture is in this idea of understanding the culture and then saying what would it look like to improve the culture an idea i like is this idea of experimentation culture a lot of times you can think of organization-wise culture according to john kotter wicked smart professor author student from harvard business school said that culture changed for large organizations

in his book called leading change three to ten years it's like wow that's a long time i have no idea where i'm gonna be in 10 years you have no idea if you'll be working at the same company in 10 years so you might think that's someone else's problem but what if we thought about culture as the culture of the team that we're privileged to lead maybe we go from i like the whole company culture to be better but maybe i'm going to focus on some things that only i can do and that's the culture of improving the culture in the team that i'm privileged i like this idea of experiments what are some experiments let's just say

let's make it safe to try a couple of ideas here's an example of some things that i've done just against some examples that you can consider as well when i was a cio and the iso for a financial services organization had all hands meeting room people developers help desk security dbas the whole bit i said you know what what i've seen on my calendar is but there's a lot of recurring meetings there's like sometimes double triple quadruple book just like how in the world can people not see that like i'm busy from three o'clock to four o'clock every thursday and no i i literally can't go to all those meetings so i had an idea i said let's try this

experiment let's try this experiment for everybody here in the room the next time you get a meeting invite and there's no agenda like the reason i want you in this meeting is i want you to talk about this thing and give us an update or and it'll only take this time and then when you're done you can leave if you want to the next time you get a meeting invite and there's no agenda you have my permission to go in and decline the meeting and everybody is like silence what but you can i see there's a decline button but i didn't know you could actually use it in your email calendaring system and if you feel bad about it

if you're not quite sure click decline and put a little statement put these words my boss russell said that i don't have to go to the meeting with an agenda done blame me it was an experiment i wondered what would it look like if there was clarity around why do you want me to go to that meeting why do i need to be there what am i trying to achieve in that particular meeting fun fact i didn't ask anybody's permission i didn't go to my boss maybe i should have i didn't go to my boss and say hey boss here's what i want to do let's have a committee let's do a study let's do a

i just said i'm sensing there's a problem there i'm sensing maybe you don't like to go to all these meetings blame me i never got in trouble i never even told my boss like before during or after but all of a sudden there was people going to less meetings and people under having clarity of the reason i'm at this meeting is i need to give a report on whatever i need to give a status whatever i need to do those particular things nobody got fired nobody got in trouble and even though i don't know or did it if anyone ever said the reason i'm not going to this meeting but nobody ever called me and says why

aren't you people going to meetings anymore it's an experiment we made it safe to try we did a little time box hey let's try it for 90. let's just see what happens if we get in and we realize it's not going to work i'll take the blame seriously i'll take it away but what would it look like if we create an environment in our eye then we're better off

look at those i've got ideas a developer if i were a developer i've got this idea and if you're a developer let's go in business together we'll be rich together i've got an idea let's just imagine if before you scheduled a meeting in whatever scheduling service that you use for meetings imagine easy math you've got 10 people and up for easy math everyone makes 100 an hour what would it look like as you go and add those 10 people are the distribution list and you say you click button it was like a doll that said 100 times 10 equals what so let's just say there was a little message that came up that said are you

if you're gonna get with the value before you you are thousand dollars of value for that one

people make different money and i made easy numbers and just math there what would it look like if we understood the cost of the things that we're doing before we did the things that we're doing are we getting that much value again let me know if you got ways to think making a plug-in like that could make someone money culture as well how we talk how we think i mentioned before living the dream i don't care i know where i came from i know not that long ago i was not living the dream but other ways to look at language isn't it fun sometimes when you do say phishing tests and people click on it and it makes it

fun to say things like users they're the weakest link those users they don't know what they're doing they're the weakest that's why that's happening they're just not smart enough to use our systems and in full disclosure i hated like saying that i don't even say that but i wanted to say that because i've said that before and maybe you say that now maybe your team has said things like that before if those accountants were only smart enough i click on those links if that dba just had sense about themselves they wouldn't do things when we blame others when we have someone else is so bad is a dba clicked on a link all of a sudden it's their fault

what it looked like if we changed it a little bit i don't want people clicking on links and you may or may not focus on that i know a lot of companies i work with are focusing on that but what if you change the narrative from users are stupid they're dumb they don't have any sense they're not smart enough they shouldn't have access to the internet and what if you change to our colleagues are the biggest target the access our cfo has the access our accountants has is so valuable that attacker wants to get their credentials and do bad things how can i protect them better or maybe this question this is a tough one too

ask a question after your next phishing exercise or any social engineering type of test that you do what if instead of saying it's their fault what if you said this question what was it about my training that led the database administrator to say it's okay to click on links in every single email that they get what was it about my training what would it look like if we took some responsibility for the language that we use in ways that we try to do that here's a hack anybody know the mission of your respective organization who what's the mission of your company

beautiful crisp clear concise you know why we spoke about last night we know exactly why you do the things you do the population that you serve when you do that and i'm grateful that you do that and that you know i've never worked in a place that was in security alone what if i monday morning so i'm giving you some homework because i think about monday when you go log in however you log in or show up however you show up at your respective if you spend i don't know the mission of my calendar an appointment for five minutes what would it look like if i was able to quote the mission of my company

an example that i can i can't remember all the words i wish i could but i can't but i'll use an example of the american red cross the american red cross to serve the most vulnerable let's just imagine that monday morning we all wake up and we're all the chief information security officer for the american red cross whose mission is to serve the most vulnerable what would it look like if when we logged in on tuesday the next day after we discovered the mission at the american red cross with all being chief information security officer there what would it look like if every action that we took we would say these words the reason i'm

going to this meeting is to serve the most vulnerable what if the person who's leading the chief of the incident handling team if they said the reason i'm the chief of the incident handling team is i'm going to serve the most vulnerable the reason why our security team has a strategy for the next three years is i'm gonna serve i want to lead people that lead people that serve the most vulnerable what would it look like if you intentionally change the culture of your security from we're smart we're elite we can apt and we can dlp and all the acronyms that we can acronym there's value there i'm not dismissing the things you've learned and the capabilities that you

have and the ambitions that you aspire to have whether it's be a cso or understand to see so better but what if as a leader you changed the culture to such places where oh well forgot it that you were able to align and support your team in that way what if january 2 of next year if that's the first day your team comes in to work what if they knew and had in their job description and had in their performance objectives the reason i'm the chief of incident handling team is the mission of your company the reason i'm scanning all my systems every day all the time is the mission of your respective organization so

uh mission for knowing so since you know the mission you well deserve thank you for that what would it look like if you did that on purpose with a purpose what will it cost you five minutes of time that's what i want for you so think about it that way and then also looking at clarity again having that the reason uh that i do the things i do i talked about you know the commute time that i used to have now it's just going down to the basement so it's like i gotta talk really fast i like to go down 15 steps as is my commute now versus in the past driving around atlanta but again

what are three things that only i can do and how can i hold myself to account to make sure that i'm doing those respective things that's what we're looking at there great book uh here greg mckeown this idea of essentialism anyone read this book so greg mckeown yeah so greg that idea of all the meanings of all the responsibilities of all the things that we have to do how our mind gets as cluttered as the diagram at the top left there that idea he gives the analogy of looking at your closet like literally the closet say in your bedroom of all your clothes and all your bsides augusta shirts and all the other shirts and all the

other things that you have and how when it's a big clutter it's hard to go and find the shirt that you're looking for it's hard to find the pants that you're looking for or the shorts that you're wanting to wear whatever but this idea of what are some things that only i can do is a way to think about clearing out all that junk getting saying no to those meetings stopping those assignments getting out of those groups and out of those gatherings where you're not uniquely qualified and set up for success to be successful in that way time i've learned that no is a complete sentence now i've learned that now old 52 year old man finally learning that a no is a

complete sentence not a no i don't want to not i'll ask you later that i did let me get back with you later i'll tell you no no that's not something that only i can do no i shouldn't run and take over from the chief incident handling team a minor incident that i'm still talking about seven years later no that's not something that aligns to the mission of our respective organization no that's not my job right now no that's not something that only i can do a dear friend and former colleague of mine a single mother from dallas texas she would say when someone asked her as a senior cyber security leader ciso of a very important

company when they would ask her to do something her name's bridget when she said they say hey bridget will you come serve on this committee hey bridget will you go write that policy hey bridget will you go do whatever she said she would literally close her eyes and in her mind's eye have a picture of her daughter abby and all of a sudden when she could see in her mind's eye a visual of her daughter abby she could make a better decision do i want to be on that committee and be away from my daughter or would i'd rather be with my daughter i don't have a daughter whose name is abby i have a daughter whose name is

lindsay i have a son whose name is jackson but i would when she said that i thought that makes it so much easier to decide am i going to say yes to this or should i say no to that from a family perspective in addition to the things that you get required and compelled to do in corporate life as well there's a little hack from a dear friend uh bridget on how she personified that she wanted to be a great mother and one of the ways that she was able to do that is to imagine what's at stake when i say yes i'm going to stay late when i say yes i'm going to work the

weekend when i say yes i'm going to do those things unless i have in my mind what's at stake like a picture of my wife or my son or my daughter or important things that i want to do i might go ahead and say well yeah there's room on my calendar i'll go ahead and say yes put systems in place find the things that are most important to you spouse friends family neighbor whatever it might be ups drivers amazon doesn't matter what it is but imagine who are the things and people that are important to you and before you say yes i'll do that think of what you're going to say no to if i say yes to this thing i've said no

to everything else that could happen at that particular time and also be aware that with success comes a lot of opportunity the more successful that you become the more your boss promotes you gives you raises gives you assignments gives you more than one job to do at a time hypothetically first the more you're going to have to recognize that and find a visualization or find a practice to where you're not just doing all the things for all the people all the time you'll find yourself in a bad way what i like to do is to do a calendar audit so this is the second day of the first quarter for this year so monday i've got a calendar appointment you know

i saw my calendar when we got plugged in earlier it's full of reminders full of things at the beginning of every quarter i go to a calendar audit what are recurring meetings recurring tasks recurring items that i have on my calendar now that might not be most appropriate for the fourth quarter of this year are there some places where i can say no i don't want to go there anymore no i don't need to go do that anymore no that's not going to help me achieve my goals my end of the year goals i'm going to have a reminder go off at some point monday morning that says go revisit that go make sure that the

things on your calendar horizon are still things that matter a lot so be aware of success and put some systems in place to help you nudge you so that you have to keep brain space of remembering that every quarter but maybe just you know a minute recurring calendar reminder am i still working on the things i need to work on and have it remind you every 90 days you set up a system and the system can remind you periodically to do the things such as say no the last one to talk about 10 minutes left and i'm going to see how quickly we can land the plane ahead of schedule is this customer service a friend of mine atlanta

has been a senior leader at the ritz carlton anyone stayed at ritz carlton before nice service okay very nice service very extraordinary customer service that they have in place one of the reasons one of the many reasons they have that from horst schulze he was the founder this is atlanta based company fun fact gordon atlanta first one was in atlanta but horst schulze the ceo or former ceo since retired from that he empowered his employees to be able to meet if not exceed the needs of the guests and matter of fact that you may have heard this statement ladies and gentlemen serving ladies and gentlemen that's where it came from they actually have pre-approved any

associate working at ritz carlton when they see a problem that a guest has pre-approved them to be able to spend up to two thousand dollars per incident to fix that problem whatever that problem is no rules no forms no approvals no just fix the problem we want to have ladies and gentlemen serving ladies and gentlemen what lunch great when you go to chick-fil-a matter of fact when i picked my sandwich after depositing my uh ticket and the person put the chick-fil-a thing in my hand and i said thank you what was the response that they gave back to me my pleasure why is that we can get a chicken sandwich anywhere and it cost about the same thing

a couple bucks get some fries get a diet coke i'm on my way why is it that i go to a certain place to get my chicken sandwiches versus other places that maybe have chickens from the same place and maybe it's even a little bit cheaper what you may not know is that leaders senior leaders a lot of leaders from chick-fil-a got their customer service training right there and friend of mine eddie who used to be those trainers he would go to companies and chick-fil-a and other companies and say here's what makes ritz carlton culture so wonderful it was the focus on service how can i realize that every job ever had so far hasn't been in

place to do cyber but cyber helps the company maybe it lets them take more risks maybe it helps them to protect their assets better at growing developing doing all things companies but i talked my friend eddie has done a lot of education such as chick-fil-a said eddie what's the biggest mistake you've traveled around the world you've trained people you've lived in that culture you've done things you've been very successful in the foods and beverage service industry what's the number one mistake that you see and what he told me was the number one mistake that my friend eddie in atlanta sees when he did this training was people get excited they get in the room yeah we need to go do that we need to

have my pleasure or whatever the statement whatever that cultural improvement would be at your company but when they get back to their job on monday they don't take action knowing what to do and not doing it but it'll be like look for places to delight what would it look like whether you save my pleasure whether you give two thousand dollar free approval whatever it is what would it look like for you as someone who's privileged to lead people that lead people that do cyber what would it look like if you had a phrase or you had a motto or you had a contest or you had something even goofy that they could align to and then better

serve those that you're privileged to work with what if you instead of saying users those stupid users i hate saying that what if you change that what you said like i'm in my job because i've got specialized skills i know what i'm doing the cfo they've got skills they've got degrees they've got training they've got experience and they're an expert in their field too they're just not an expert in well the things that we're an expert in so i made it out of maytag i'm grateful that my school so grateful not to be in front of you today talking to the last 50 54 of what four keys to be a successful chief information security officer i'm living

the dream because not that long ago i was not living the dream and i wish i had pictures i wish there was a capability to have like this looks

the balls who have expectations the body from getting hurt from steel on coils machines 500 ton presses going up and down doing the things that they do to make stoves i'm grateful for that and i'm also grateful that that's not my story right now because i look for some keys to make me be the very best version of myself i've solved a problem being eaten

need to be busy but when i ask a question of what are some things that only i is this something that only i can do it's like that doing the cafeteria test when i unlocks eyes with me there's russell he solves my problems there's russell i'd rather leave than have to talk to ross i'm going to skip my lunch because what's the response how are you showing up that's how we win through four things constraints whether you put them on yourself or they're placed upon you how can you leverage them culture one of the most important things for you as a leader is this something that only i can do creating supporting refining improving the culture of those that are privileged

to lead that's how you win as a ciso having the clarity these are things that only i can do if i don't do them my team is not going to be the best in the world they're not going to have the access or the tools or the representation that they need in order to be successful customer service we saw it today at lunch when someone handed you your chicken sandwich and you said thank you you experienced in my opinion legendary customer service because they've been trained they say that and i think in most cases they actually mean it is their pleasure to put a chicken sandwich in your hand i'll end with this the very best advice

i've ever been given was given to me when i was working at maytag and advice is this i talk i give every every single day 25 years ago get wisdom as cheaply as you can get wisdom as cheaply as you can what i want for you i want you to not have to learn these four lessons the hard way whether you're a cso you want to be a cso or you wonder what in the world of the chief information security officer that's what i want for you make be clear be clever be creative in making them but you don't have to make these if you follow these steps to be a successful chief information security

officer that's it thanks for being here i really appreciate it