
Take The Helm: Guidance For Prospective Future CISOs

BSidesSF · 2023 · 52:35 · 134 views · Published 2023-05
Category: Career
Style: Panel
About this talk
Take The Helm: Guidance For Prospective Future CISOs
Speakers: Kyle Tobener, Emre Sağlam, Divya Dwarakanath, Arianna Willett, Katie Ledoux
For the security professionals with their sights set on leading security for an organization: this panel is for you. Come hear from a group of first-time CISOs and Heads of Security on choosing the right time, preparing, pursuing, landing, and succeeding in your first role owning security all up.
https://bsidessf2023.sched.com/event/1HzuQ/take-the-helm-guidance-for-prospective-future-cisos

Transcript [en]

All right, so welcome everyone to a super exciting panel discussion on Take the Helm: Guidance for Prospective Future CISOs. Today we're going to have an adventure through the world of security leadership like never before. I am absolutely thrilled to be joined by four amazing panelists. Each of them has stepped into a CISO role for the first time in their careers, and they're making a real impact at their companies. We're going to go over their unique stories, the challenges that they faced stepping into the role, and soak up any insights that they have to offer. If you're thinking about being a CISO, or you're just curious about what it takes, today is going to be a good learning

experience. All right, so to get started, panelists, starting with Ari: if you can go ahead and introduce yourself and tell us about your role, and to add a little bit of flair to your intro, a fun fact about yourself or a hobby that you love doing. Yes, I will absolutely start this, and also the fun fact was not in the prep document. So hi everyone, my name is Arianna Willett, I go by Ari. I grew up outside of Boston, went to school there, spent some time consulting there before I decided that the snow was not for me. I moved out to San Francisco and started working for what at the time was a small

company called Twilio, had an amazing ride there, spent a brief stint at Okta, also awesome, and I'm currently the head of security and privacy at ngrok, which is an API-first ingress-as-a-service company. Oh, and my fun fact, sorry, again it wasn't in the prep document: my fun fact is that I one time tried to break the pogo stick world record for pogoing, and I failed miserably, and also I was by myself, so even if I did break it no one would have known.

It's 10. We love hearing about failures. And I'll go. Can you guys hear me? So my name is Emre, Emre Sağlam, but Emre is easier for everybody. And kind of on the same theme, I grew up in Turkey, outside of this country, and then I ended up here, mostly on the East Coast, Washington DC. I worked there for the World Bank for about eight years, did a lot of cybersecurity and network security there, and then I ended up here in the Bay Area and worked at Apple, Salesforce, Lending Club, and back to Salesforce. Some of them were mostly

engineering roles and some of them were leadership roles, and now I'm the head of security and compliance at a small company called Dremio; we do data lakehouses. Fun fact about me, there are so many of them, but let's choose one: I got escorted out of a pretty important Las Vegas hotel because I kind of hacked into there. I didn't want to, I just touched the four corners of one of those interactive panels, and if you do that thing in the lobby, the definition of the shortest amount of time is you touching those four corners and being escorted out. So that's pretty quick, like this, we're just

gorgeous. I'm Katie Ledoux. I am from Boston, I still live in Boston, I'll just die there in the snow clutching a Dunkin' Donuts iced coffee, I just can't escape. I spent most of my career at Rapid7, a cybersecurity vendor, but I was on their internal security team. I built the security team at another data company like Dremio, a competitor called Starburst. It was very annoying to work there because a lot of people asked me about the candy, and it was so frustrating that I left to start the security team at Attentive, where I am now. And I have two cats that are named

after the Deschanel sisters, that's my fun fact. We were gonna name them after A-list celebrities, but then our friend pointed out that they really aren't, like they're very generic shelter cats, and so we should name them after C-list celebrities. So we named them after Zooey Deschanel and Emily Deschanel, but we call that one Bones because she's the main character in Bones. Let's see. Hi everyone, I'm Kyle Tobener. I grew up around here in the Bay Area, I'm actually from a little town called Healdsburg. I spent 10 years at Salesforce, yeah, I spent 10 years at Salesforce owning enterprise AppSec and vendor security, and I've now been two years at a place called Copado as their head of

security and IT. And a fun fact about me: pre-pandemic I used to run the largest board game night in San Francisco, and this is actually relevant because I'll mention it later. And lastly, I am Divya Dwarakanath. I'm a senior manager at Snap, and I'm really enjoying being responsible for AppSec, CorpSec, red team, and supply chain security. And a fun fact about me is that I'm a big Lakers fan.

So let's get started. Why did you want to be a CISO, and when did you think was the right time to step into the role? I'll start. I haven't decided yet if I would like to be a CISO. For folks who I've chatted about this with, of whom there are several in this room, I have been incredibly adamant about not wanting to be the head of security for a very, very long time, and yet here I am talking to all of you about being a head of security. I recently sat down and thought through what it was that made me not want to be a head of security,

and came up with two reasons. One was that the politics are terrible, and the second was a huge case of imposter syndrome. And when I moved to ngrok the company was around 30 folks, and so the politics were just, like, there's not really that many politics at a 30-person company, and we've grown since then. But having a supportive boss and a supportive CEO and CRO about security meant that I wasn't having a lot of the struggles that I'd seen prior CISOs that I had worked for have. And so really all that was left was my imposter syndrome, which was kicked out of me by several friends of mine, some of

whom are sitting at this table with me. And so I had a conversation with the CTO, who I report to, and right now I'm kind of just trying it out to see how I feel about it, and whether it's something that I really don't want to do, or if it was just something that I didn't want to do because I wasn't in the right place. And so that's how I ended up here. So to answer the question, I'm not sure, and also I feel like it's whatever is right for you, whenever it feels right in your career and also your personal life, because I feel like it's

a big job and it's a big commitment.

Did you have certain skill sets that you thought, okay, I can use this? Yes and no. I think part of the thing that helped me realize that this was something I was ready for was that when I first joined, I was the only security person, again, a 30-person company when I started, and so I was kind of already doing all of security and already thinking about security strategy and where we should go next and who we should hire. And I think that doing that helped me realize, oh, I can do this with a team as well, and as the company grows.

And so that was kind of the thing that made me sit up and realize that this was something that I felt ready to step into. So I know politics is kind of an icky word, and it is a big part of a leadership job, but I actually love the politics of my job. Yeah, so I knew that I wanted to be in this type of role when I first moved into a management role, and I would think back about, okay, what was the highlight from my week? It was always something that had to do with the people on the team. So it was like, oh, we got someone's

H-1B visa thing figured out, like, that's so sick. Or, you know, I think also we've all been on teams that have a really thoughtful strategy, where people are getting consistent feedback on what they can be doing differently, where you feel like you're set up to bring your best self to work, and we've also been on teams where the leadership doesn't deliver on that consistently. So, you know, it sounds really kind of corny, like management-book whatever, but the multiplying effect that you can have on a team, and I'm not saying I'm perfect at my job and I always kill it in this department, but it's really exciting for me to have

the opportunity to have a multiplying effect on the amazing members of our team by making sure we have a clear strategy, by making sure I'm removing anything that gets in the way of them doing their job. Like, that is so fun for me. Awesome. Emre, how about you, why CISO? I never wanted to be one. A lot of people told me I would be good at it and I kind of followed their advice. I follow a lot of advice, sometimes terrible advice. But the only thing that I knew was real, that was not so much advice-driven but kind of internally driven, was that I've been all

over security, from server security to network security, for all the guys here who know what that is, which used to be cybersecurity, and then from there to forensics, to, I don't know, firefighting, to operations, to product security, to enterprise security. Literally I've been everywhere on that spectrum, and that kind of prepared me for the guidance that I give right now, which I feel extremely lucky, I guess, to be able to do. And I think that kind of made my decision, right? Hey, I've been here, I've been there, I know about this stuff, I know a lot of this stuff, I've seen

the terrible version of this stuff, I've seen the great version of that stuff, so how can I make it my own company's stuff, right? So that helped me a lot. And then there have been a lot of people who really pushed me from my corners. First, in the IC corner, I'm like, I'm gonna break things, that's it. And then: no, no, you should build good stuff. Okay, all right, I'm gonna build good stuff. And then: in fact, maybe you should lead a team. Nah, technology is easy, humans are hard. And then I ended up doing one, and then

it kind of sounds like I didn't want to do any of these. I actually did want it, but I needed a little bit of a push: just do it, dude. So yeah, that's kind of how it happened for me. Was it similar for you, Kyle? Did you have various different domain experiences that made you feel that you were ready, or, you know, what was it? You know, I had in my mind this picture that I had to get to a certain title in order to be worthy of making the move, and I had a really good conversation with Mike Johnson, who's been a CISO for a while,

about two years ago, and he was like, don't be stupid, you're ready now, just go. Same here. And I was like, okay then, let's try, and he was totally right. You know, I interviewed at a lot of places and I found some really good options and settled on one that I was really excited about. You all mentioned politics briefly, and certain skill sets that you picked up through different domains. What skill set do you think someone should start developing, if they don't have it already, before they go and accept the CISO role? So when you think about the first-time CISO kind of job, the most

common one is a small SaaS company that's maybe Series B, Series C, and starting to scale. And in that environment, understanding all the different pieces of the business and how they function and why they need to do what they do, I think, is really, really important. So for me, owning vendor security at Salesforce was one of the best things I ever did for my career, because it taught me, through what everyone was buying to automate and scale, what their business needs were and what their challenges were. And then, dropping into a much, much smaller company, the challenges and problems were identical, and so that really helped me get a foothold

with all the different business departments I needed to influence. I've been really surprised. I suppose I thought that this job would be trying to convince people that security matters. I've found that a surprising amount of this job is actually contextualizing individual risks. Humans are really bad at the risk management calculation, the likelihood times impact, and sometimes when a new threat arises and it's being talked about at really any level of the company, people focus on the worst possible outcome and not the likely outcome, and not the likelihood of it happening or not happening. So there's a lot of passion of, oh, we need to fix this right

now, because they're thinking of the worst possible thing that could come to fruition. Which maybe seems great if you're like, well, you run security, don't you want everyone to throw all of the resources at that? If that's the way that you run the program, it can be very much chasing shiny objects, and if you're investing your time there, then you're not investing your time in something that maybe is a bigger risk because it is more likely to happen. And so I think that the skill set I'd be developing is, when a new threat arises and someone brings it to your team, helping them and yourself contextualize what the real risk is instead of, let's

throw all of our resources on this right now. Let's actually approach it in a more thoughtful, calculated way, because especially as a leader of a program, people are going to get burnt out if every single time something comes up you're sprinting towards fixing that, and then you've got 75 percent of the way there and a new threat or risk comes up and you start sprinting in the other direction. So that's something that I would start noodling on. I saw Emre shaking his head vigorously when he started. No, I was shaking my head at the risk gauge of people, and it's just terrible, people are terrible at risk.

I don't know what we have as a risk calculator. I don't know how we survived being eight billion people; did we make terrible decisions? In addition to that, I think one thing that helped me a lot is empathy: empathy with the developer, empathy with the business, empathy with the customer especially. And that helps a lot in driving some of these terrible risk calculation matrices in our heads. For example, should we shut down this thing? And you have some sort of experience where you know that the likelihood is that shutting it down is not gonna impact the business that much, or the likelihood is that shutting it down is

going to impact the business a lot but it's not actually a risk, so maybe we shouldn't shut it down, right? Yeah, we should let it do something and then plan accordingly, right? That's some sort of empathy, not just, yep, there's something there, let's shut this down, that's risky, right? Being able to make that call, and being in the position to make that call, is actually pretty scary, but still, I think that's where the input helps a lot. And then sometimes even in the way of doing things too, I've seen that too, we can talk about it. But yeah, I think empathy is extremely

important for being any sort of leader. So yeah, I think that also makes your partner see you as more human and not just someone who's going to come with a list of things for them to do and orders to execute on, but someone who will work together with them for what's better for the business, and security is a part of that. Yeah, I liked what you were saying, Katie, about risk and prioritization, because I think one of the biggest things that I feel more prepared for, because of some of the prior things that I've done, is that you don't have unlimited

resources, you don't have unlimited people to solve all of the security problems, even though that would be lovely. Which ones do you pick, why do you pick them, and then how do you bump that up against all of the other priorities that your company has going on, like new products are launching, or there's a huge implementation that's going on? Those same people need to help do security at your company; how do you convince them to spend time on the things that need to be prioritized? And so going through that process and talking through that, any kind of projects or any kind of initiatives where you can get involved

in those kinds of discussions, I think would be super helpful. And explain to the customer why you made that priority. Yeah, 100 percent, explaining to the customer why you made that priority. Why did you fix that CVE? Well, I was working on a feature that you wanted us to do, right? There's no exploitability of that CVE, right? So in your own composed manner you talk to them, and that actually builds trust. Did you all feel, you know, you talked about skill sets that you want to develop, did you have them when you jumped into the CISO role, or did you feel there was something where you were like, holy..., like, I don't

know how to do this, and how did you cope with that, and how did you develop that skill set? I think you go into your first company with a plan in mind, and they always say no plan survives contact with the enemy; like, you get there and everything immediately changes. I think for me, I had always kind of not put a lot of stock in compliance, it wasn't my favorite thing, and then a lot of what I do now is compliance: ISO, SOC 2, FedRAMP, all at the same time, it's really exciting. But you also learn that in a small company those compliance objectives are very, very meaningful, like they'll let you

close a deal that you couldn't close, which might mean the difference between keeping somebody or firing somebody, because all the VC money dries up and suddenly you're worried about margins. So suddenly the actions that you take have a very real, profound impact, and I think that was very, very different; I didn't expect that as much. And any tips to cope with that, or do you just try your best? I think there's just going to be so much you don't know. You bring into it a certain skill set; if you're in a more narrow job in a larger company, for example, like I was, you come in as a CISO and you have to do everything and you

have to make the decision on everything. And so having a network of people, like the people at this table, or Slack channels dedicated to CISOs, that has been the place where I go a lot to ask a lot of questions and get a lot of help, because you need a community of people who can teach you some of these things that you never got an opportunity to learn. And I think on the front of those skill sets too, it can be really overwhelming to think, oh, well, I have to have all of these skill sets. You actually just have to be able to build a team that has all of those skill sets. And I think on the

point of building your network of people who are supporting you, a lot of my team at Attentive is people that I have worked with before, and Attentive is so much better for having those really exceptional people on that team. And so it's really investing in hiring people. So many people don't take the recruiting and interview process seriously, and that is so much of our job, really killing it with recruiting. And also, you know, you're here, so you're already building your network of security people, but if you move into this type of

management role, a crazy amount of your job is trying to get all of the best people you've ever worked with before to work with you again, so all of the networking you're doing now becomes extremely helpful. Right, you're only as good as your team. Yes, yeah, because none of us could do all of the things; we have to be able to hire people who can fill in those gaps. I think certain skills, maybe not skills but maybe experience, that I didn't have is talking to customers. I never did it; I was always hidden under some pile, like, you should never talk to the customer, which maybe was for a good reason, I don't know.

But that was interesting, because especially on the security front, sometimes, in smaller companies, you're at the forefront of where the friction is, where customers are like, why? But I wanted this, and I got this, right? And that part was interesting. Also, something really cool that I've seen, that I never ever thought of, is that you give confidence to some people who are going to use your product: that's okay, yeah, that guy knows what he's talking about, I think they're doing the right thing. And that's how you start building the trust, right? Trust is the

most important thing, especially in the data field, right? And that kind of was missing for me. And then compliance: 25 years of my professional life, I'm like, I don't want compliance, and then I had to, and I killed it, but I got SOC 2 Type 2, ISO 27001, [inaudible], HIPAA. But what I learned is that without these on the table it doesn't even start, right? The business doesn't even start. So that's a huge impact to the business by virtue of getting these compliance

certifications. And I'm a firm believer that if you're secure, you're compliant; if you're a compliant company, you might not be secure, right? Once you focus on security, you're only like 90 percent there, right, and the other part is mapping those controls to what they require on the company side. Yeah, what you brought up about the customer calls, and I would say also calls with auditors too, it is such a specific song and dance. It is its own thing. If you're an application security engineer and it's like, well, I don't take random calls with customers, and you want to move into a role where you would be more

customer facing, just shadow some of those calls, because there is a certain language of saying, I don't know the answer to that, let me go figure it out and get back to you, and being smooth and confident about that is just really great to have under your belt. Yeah, the compliance team at Twilio used to give, like, how-to-talk-to-an-auditor briefings before an audit, and they would bring in all the engineers that needed to do it, because it is a specific language, and if you don't know it, all of a sudden you have all these unnecessary things that are on your

audit reports that go to your customer, and then you have to explain it to them too, which is kind of a double whammy for, I think, what you were talking about. Terrible, you don't want to explain your audit misses, like what you missed in the audit; you don't want to explain that to your customers. Yeah, some really great tips there on how to prepare and what to watch out for. Moving on from just preparing for the role: when you start to receive offers for head of security or CISO roles, what are some things that one should watch out for? Are there any due diligence items? For example, I always think

about the org structure, like, should the role only report to the head of engineering, or would it be okay to report to the CFO? How do you think about that, and due diligence in general? What would you think about before accepting an offer? I think there's obviously the regular due diligence for any role: what kind of company is it, do you like the product, do you care about securing the product? For smaller companies, is the company in a place where they can continue paying your paycheck financially? Those I think are kind of table stakes. I would say the biggest

thing I was looking for in my role, and I think this is common across many leadership positions, is: is leadership committed to making the security program successful? And that can come across in a few different ways. Do they have money to put into the program? Will they let you hire the right people? And do they care, like, will they put their own necks out to make sure that you're successful? Because it's not just you, it's commitment across the board. And so that's the number one thing that I think is important when looking for a role. I would say also, choosing your first CISO role, that's your moment

to be really, really selfish, because in theory you're going to want a second CISO role, well, maybe you won't, but you do want a second CISO role. And so you're gonna have to pick a company where you can survive for two years, where you have the correct authority to actually get stuff done that you can show for when you go on to the next company. And there are a lot of, I don't know, I would call them maybe traps out there, where they say it's a CISO role but it's just going to be you by yourself forever with a mountain of tech debt that you can never solve, and that just sucks for them,

but it's not good for your career to go into that. So look for a company where you can get alignment with a boss around resourcing and what the plan is, because if you talk to your boss and you're like, I think this needs to be a six-person team in the first year, and he's like, whoa, whoa, whoa, it's just you, there's no money for anything else, that's a red flag. But he may say, well, I was thinking more like four, and maybe that's fine, you know, you can come to an agreement like that. Katie, I'm sure you have a lot to say about... I do, I love the org structure

question, because I know we have different opinions about this. I have to be reporting into, I need to be in the same place as engineering, so I report into a CTO. And I have reported all over the place, like a COO, a CFO, a guy that was a founder and also ran a research team, like, where can we put security? And these are all competent leaders; the issue for me, when I've been anywhere other than engineering, is not feeling like our team was really part of the engineering team, and consequently not feeling like our wins are each other's, you know, my wins are your wins, your wins are my wins. We really, you know, we are in

engineering all-hands together, we go to the engineering offsite together, and that sort of collaboration, and just the relationship building with those teams that you get organically if that's where your org sits, is incredibly helpful to me. Because obviously we work with all different teams, and I'm at a SaaS company, so it might be SaaS-company specific, but we work with all different teams, and it's just much less complicated projects that we do with essentially any other team. And having the buy-in from other engineers and the level of comfort to go back and forth: they want to do something, we are like,

hey, that's a little bit janky, maybe we could switch it up and do it in this slightly more secure way, and they're like, oh, well, that would actually screw me up a little bit, what if we did, you know, like that back and forth until you get to the perfect solution. It's really hard to do that without a rapport, so that's why I like to make kiss kiss, engineering, security. Does anyone else think they would be able to work with anyone that's not in engineering, like report to anyone else, and still be successful? Don't everyone look at me, because Katie and I were discussing this before this also. I would love to hear an org discussion with the kiss kiss.

Okay, here are my thoughts on this particular topic. So the teams that I've been on before have also reported to a whole host of places: it's been engineering, it's been legal, it's been finance, I've reported security teams into the CEO before. I think the most important thing, in an ideal world, right, is you do report into engineering and the engineering leader is super supportive of the security org. I think if you don't have that second part it can be a nightmare, and so my preference is: whoever is most willing to throw support behind the security org to get things done is potentially the best place for security,

because I think that you can also have a lot of those amazing relationships with engineering: go to engineering all-hands, be part of their offsites, their fun activities, do kiss kiss, yeah. I think that you can have a lot of that without being in the engineering org. It's obviously way easier if you're in the org and reporting to the same person and whatnot, but I've also seen that go incredibly poorly, and so I have a slightly different take on just level of support being the number one thing. I think it depends; the answer is, it depends, just like many answers in security. Technology or manufacturing, right? I mean,

that also depends. Like, you can be a CISO for a manufacturing or a financial organization where you're heavily regulated and you're under the chief risk officer; it kind of depends. I like being under engineering because I'm an engineer at the end of the day, and then I can speak the language and I can, like I said, let's go back to it, I can build empathy, right? Because this guy has to write this code for eight hours, maybe he's not gonna sleep tonight, right? And then I think it depends, it really depends. I like CFOs a lot, that's weird, but because they're kind of, that's super weird, because they kind of

are the most risk-aware people in a company, and since our job is risk and trust, I think that's also an interesting combination that you might think of too. I like so far being under engineering, because we play this game; there have been occasions where, segregation of duties, right, I mean they overruled me because it was a more important thing for engineering, which, I'm like, okay, great, I mean, I don't take it personally, but here's the risk, you sign off on that risk, we go our ways and we're fine, right? So sometimes I've seen it

happening that engineering wins all the time, but hey, somebody's giving. I think the other part of this question is something you need to touch on, which is, when you're taking that role, what should you be looking for to set yourself up for success? Because you told me about some things that I probably should have asked about being in my contract; I just simply didn't. That was gonna be, like, speaking of risk, what should you have in your contract to protect yourself from liability, or to have the titles that you want? How do you negotiate that, and things like double trigger and compensation in

case of termination? Yeah, how should you think about the contract? So I'm very lucky to have some really strong CISO mentors who've helped me through this period, and I think that the most important thing I learned is everything is negotiable. Everything is negotiable: your title, your salary, your options, the things in your contract to protect you, they can all be shifted to end up with an offer that best suits you. So there are probably three things that every CISO wants in their contract, and as a first-time CISO you probably aren't going to get all of them. There's the double trigger, which is change of control, change of scope. So, like, if your

company gets acquired and you're not going to get a CISO job in the acquired company that activates your double trigger and accelerates your options so you can potentially go somewhere else and not lose out on you know the payout uh there is golden parachute which is that if they fire you they have to do it in a certain way for a certain amount of money which can really protect you in very risky companies you know if you know you're taking a big risk there's a lot of dangerous tech debt getting a golden parachute um is important and then uh directors and officers insurance um not every CISO is a director of the company but you can get specifically

named on the insurance policy and that's really important if you get personally sued for something that happened at the company uh the D&O insurance will protect you and provide you legal coverage um I'd be curious for everyone I personally I got a double trigger but nothing else I can't emphasize enough how much I didn't know any of these things existed before taking this role so I said I know who's going to be my next advisor for my next role and no parachutes I just like free falling so yeah see Kyle if you could um provide your information to be all of our age yeah my services are available I will help uh yeah these were things that

I was vaguely aware that were out in the world but because I was not when I actually interviewed it was for a head of GRC role it wasn't necessarily something that was as applicable um and if I had interviewed as a head of security I probably would have looked slightly into it um but yeah definitely something to to keep in mind for next time and did you negotiate for all the other things and didn't get them or did you not know about them yeah I tried I think at the time our my company was a little immature so like the the D&O thing they were just like we don't we don't we don't know how to do that so no you know

so so that's one I've still been working on like two years later I think I'm about to get on the D&O policy so I'm excited about that um I think you also mentioned title I think title is one of the most critical things you can negotiate like when we submitted the CFP one of the pieces of feedback we got from the proposal was well there's only one CISO in this panel about CISOs like what's with that it's me yeah and I think there's a conflation in our industry about like there's the title CISO which is like a C-level executive and then there's the role of CISO which is like named in compliance documents and you know diligence and that role of

CISO doesn't always have the title of CISO and some people who get the title CISO don't always have the role of actually owning security at the company so you got to make sure you're getting I think the first time you want the role of CISO more than you necessarily need the title of CISO so that's why I negotiated for head of security I think Emre you negotiate for head of security they just give it to me so uh if you can get CISO great but I think there are other very if you get CISO that probably you know you can't negotiate I can't come in and be like I want everything you have to pick the thing or can you that you

yeah that you want and um I I mean I remember when I was like okay I kind of I mean look it's so stupid like obviously all of us have the same job and security people know that I honestly at the time I was applying to executive MBA programs and I was like having a CISO title is gonna help my application to get into one of the top schools that I want to go to um so that's why that was important to me at the time but for other people I mean I'm sure for most people it's like oh if I pick one thing to negotiate on am I gonna have a fancier title on

LinkedIn or am I gonna get more money like probably more people I mean yeah if I wasn't in that very specific situation I would have preferred the latter I think there's also oh no I'm gonna change like slightly change the topic so you go first so I I think I couldn't emphasize more I think uh head of security and compliance most of the time does exactly the same job as a CISO or whatever title VP of security or something like that and the the quality of the work is pretty much the same the quantity of the work might be even higher than CISO but uh but uh CISO title always wins all right that's that's that's an

interesting one because there might be CISOs who are work like doing less work getting paid less but if they want to get another so much less work there you go some of us do but I mean like it might be it might be uh your next role it might you might be on top of the funnel right that that's interesting and in your first role too like I think you made the point of you should it's early on in your career you should always be making the decisions that are maximizing your learning so if if you are have a CISO title at one of those companies that you were describing where it's like okay we're giving you no

resources your job is basically to like sit at this desk with an enormous amount of tech debt that is not that's not it um it's much better throw in like a marketing CISO yes like if you're like a sales focused CISO that's also a different role a very like important one and one that I don't want to do so thank you for those people who do do it um but it's a different type of CISO role with CISO title yeah that's true so what was the topic that you were gonna oh I was going to talk about marketing so I just put I pushed it in right there okay um talking about making a ton of money

are y'all making a ton more money than you did before yes no really actually I think also a big uh our company is I think one of the biggest differences too is um equity and I I have RSUs at a company that is uh private and they are nothing unless we unless we have a liquidation event so um so the the answer is actually uh like not so much but I'm it's also I mean all of us are first time CISOs you know yeah is it is it first thing so if you land in a post IPO company kudos right that's great and then um kind of the answer is kind of related to that because we play with the

Monopoly money right and then uh the the post IPO is real money and then if you go from a real money company to it doesn't matter the title or whatever if you go from one that has actual money and then the other to the Monopoly money you make less money period because you a good chunk of your uh income is actually that money and then uh but the other interesting part is that since now you're tied to make that Monopoly money real money you work your ass off to actually make it happen so that's where and one of the things that if you're gonna sell the software or SaaS or whatever trust is one of the most

important things right and then that's where that's where you actually double your work your ass off because now you want actual money so yeah and the answer is uh I make less money yeah and that's also the most fun time to be at the company because I think everyone has the same goal yeah is it of you know let's let's be successful and you know yeah have a liquidation event for small companies uh so when I joined ngrac we were pre-series A and it was a bootstrapped startup uh and I had a really really hard time just figuring out what I should be getting paid and so I would come to the table with like

here's what I used to get paid can you figure out what that means from because I was at a public company prior I was going to essentially a bootstrapped startup that had maybe funding dreams in the future um and so this was actually something that like my a lot of my mentors helped me figure out and like hooked me up with like different people around you know how do I value startup funding you can read every article on the internet but none of them and if you know of any please email them to me um none of them really talk about what you should be getting paid as a security leader at a 30 person company that

hasn't taken funding yet and so that was actually really really hard for me so I think that I'm making an equivalent amount that I was before so I definitely didn't get a pay raise um but it's definitely a different type of role in a different type of company I think it's also the same thing that's true for any job which is I am making more money because I left my old company for a new company like that's that's when the big I I was at one company for a really long chunk of my career and I think any time you do that it just kind of ends up you know your salary doesn't really

keep up if you work at the company that I work at ignore everything I just said but if you so questions um a quick you know one sentence um impact like what impact or what is the biggest achievement each of you have had at your company so far I'm about three weeks away from FedRAMP Moderate and so for me I'm very very excited about that that's pretty wild um we're doing a big cross-functional engineering project that requires work from every single engineering team and it just requires so much buy-in and participation and effort across all of engineering and and what's meaningful about that to me I mean it will improve our security posture but

just that requires buy-in from leadership across engineering and that's like gorgeous

but like I I'm actually super happy when I have an impact um I have impact bigger than security right now in my uh in my company like started engineering bootcamp started a bunch of different uh interesting um uh interactive uh things to to make to make people actually know each other etc to make it work um I think uh my my biggest impact that my my gauge of impact is actually when I talk to the customers and when when I got like a stern face and it's like so tell me about your security how do you do this and then at the end of the meeting they're like cool I like that yeah nice and and then that's that's

that's huge impact right there because that's gonna transfer as word of mouth right to to their peers and their colleagues and their other companies etc that's that's kind of my impact gauge right there I think the biggest I've noticed so we've gotten feedback a couple of times from our engineering org that the security team and this is you know it's two of us so it's not really uh take this for the greatest show but the security team is really easy to work with and I think that's like you can't get anything done if people don't want to work with you and so that for me is like the biggest thing thus far and and

hopefully the biggest thing in the future being able to build a culture where everyone's on board with security yeah so it's easy to build something for just the security team to use but it's really hard to build processes and tooling that other people like to use as well true awesome all right I think we're ready for questions

okay the question was what percentage of your time is spent doing people management of your direct reports I only have one so very little [Laughter] uh we're also a pretty lean uh security team and then uh um what do you when you say people management um if it's prioritizing work I think um you got to minimize that by hiring like someone who's better self-motivated at this stage of your team um driving their career is a constant thing I would say at least 10 to 20 percent of my time to be honest yeah I think one of the terms I really loved when I was interviewing uh was the term player coach you kind of sell yourself

for these roles is like I can be hands-on but also grow and scale a team at the same time so there is you know 50 or more of it is probably going to be hands-on until you actually scale that team up yeah and I think in addition to um I mentioned this before but in addition to um you know one-on-ones and making sure that their goals are clear for your directs a lot of my I was the first security hire um and now IT is part of our team as well a lot of the last year has been spent finding and coaching up the right leaders of that team especially in IT because I have not run an IT team

before so I needed to really find someone who could independently lead that function and that was I mean I was spending two and a half hours in interviews every single day and just ending the day like an absolute corpse yes please go ahead do you report to the board yes yes and what does it look like um I report to an audit committee quarterly which is a subset of the board um and that's been true other places that I've worked as well the audit committee is focused on like accounting stuff um but increasingly IT and and security and internal audit are reporting there the approach that I take is every single meeting I remind them this is why our

security team exists like we meet our compliance requirements we uh build we are mitigating our known risks to a reasonable threshold and we are building resilience so that we can bounce back quickly from an incident and then I talk about this is what we have done over the last quarter to to move towards those outcomes and then this is what we're doing in in the next quarter I am super I have one board member who totally gets it and is so smart um I I really you know I think a lot of times it's just like I hope that nothing bad happens to me in this meeting I actually get a lot of value out of

meeting with this board member I think that he's a genius yeah we uh right now we're a small company we also have a we have a very small board uh we report I report security as a part of the engineering update um in prior roles where I've built out board reporting for my boss uh it's looked essentially like this oh like everybody has their own kind of formula but generally it's like what kind of current events are happening and how does that impact our company uh what kind of projects do we have going on and then usually there's some kind of like highlight reel of either something cool that's been going on or a problem that

needs to be fixed or like a risk assessment readout something kind of like topical um I I personally do not report to the board but I prepare a lot of uh metrics the board is extremely interested in risk and then when when cyber security professionals we think risk as cyber security risk but there are other risks not being able to fund it there's building fire risk etc and then um at this point I I have a feeling that our company has like bigger risk fires that they're fighting uh than cyber security and then um but it gets reported so yeah I think we have a question on this side right

the number one thing that you did to build a network of mentors just be shameless just ask for things that you feel so uncomfortable asking for because they're all super super busy and distracted by like a million different things but if you can be very specific like hey I'm not in a Slack channel can you put me in a Slack channel they're like oh yeah that's really easy for me to do I didn't think about doing that for you but I'll do it now like just ask and it's not I mean on the receiving end of them it's funny how I feel so awkward asking other people for help and then someone asks me for help and I'm like

yeah freaking no-brainer um okay I listened to a podcast about uh reporting risk to management and it was so amazing but the guy gave a high level overview of it I was like I want to do this but it's I'm missing some pieces of data like you know he didn't go into enough detail here and I messaged him on LinkedIn and he sent me back a Calendly link and he was like put time on my calendar um he is his name is Jim uh he was like the CISO of like CVS Health and whatever a billion giant companies and he's like I'm retired I just like play pickleball with my wife and then you can

put time on my calendar literally whatever you want for free I was like this is insane it's insane so do you do that too Jim all right so we're out of time but we're gonna stick around for 10 more minutes so if you want to come ask questions or if you want to get to all these people and say hey can you be my mentor also you can just add us on LinkedIn we're all very cool with that yep all right thank you everyone also uh thank you to Divya who has yes thank you it was my pleasure [Applause]