
So, you want to be a CISO. But do you really?

BSides Boston · 2020 · 55:18 · Published 2020-11
Category: Career
Difficulty: Intro
Style: Talk
About this talk
A CISO explores the reality behind the role's appeal, covering what the position entails, how to decide if it's right for you, skills and experience needed to reach it, and when to recognize it's time to move on. Drawing on 10–15 years in the Boston area, the talk offers practical advice for anyone considering the C-suite transition.
Original YouTube description:
It seems like everyone wants to be a CISO. And why not? They are in the spotlight, the pay appears to be great, and the role is at the top of the infosec pyramid. The reality doesn't always match appearances. This session will discuss what the role is and isn't, how to decide if it is the right role for you, how to get the gig, and what to do if you decide it is not a good fit. The talk is meant for anyone considering being a CISO, not sure what to do next, and looking for some real-world advice from a CISO.
Transcript (en):

So, hey folks, thanks for attending BSides' ten-year anniversary. Shout out to the folks who got this rebooted on our tenth; they've done a tremendous amount of work getting us to where we're at today. So we're going to talk a little bit about "So you want to be a CISO," and the real question is: do you really want to be a CISO? This is probably going to be a little interactive. We'll try to save the questions to the end. If we run out of time, I'm gonna lurk around in the job finder Discord channel, so if we run out and I can't get to your question, just ping me over there at the

end. Really, just so you know who I am: a lot of folks know me from the Boston area. I've been a CISO here in Boston for, you know, 10 or 15 years or so. I started my career as an engineer and then kind of migrated over to product management, and then fell, like most folks, into the security practice by happenstance, I guess. You know, I was doing some engineering work; they said, "Hey, do you want to be an AppSec person?" I said, "Yeah, that sounds like something," and then I was an AppSec person and drifted over to become a CISO. And I've been a CISO here in the Boston area for quite a while, so this is

kind of near and dear to me, as I look to grow the next rounds of CISOs, as I someday would like to retire, so someone's got to step up and take my job at some point. But really, the thing I wanted to start with is probably a story, before we get into the talk today, about why this talk. So I volunteer at the local vocational high school to teach students in their computer technology program about various computer technology things, and at the end of one of the talks (you know, these COVID talks that we're doing; they're trying to bring people in so the kids can actually pay attention to their class), a student reached out to me and

said, "So, I want to be a hacker, and then I want to be a CISO." And I said, okay, so let's put the hacker aside, because that's probably a whole nother talk about whether you want to be a hacker or not and what that means. And then I said to myself, okay, so you want to be a CISO. And it occurred to me that I had been giving this chat to both my staff and folks that I mentor probably hundreds of times over the course of my career, but recognizing that I have a scaling problem, in that I can do that one-on-one with folks but have a challenge of kind of broadly distributing that out. So that

was what led to this particular talk. So this is my opportunity to kind of reach out and give this guidance that I have to as many folks as possible in one fell swoop, as opposed to me doing this as a one-off. So that was really the genesis of this talk. And really, what we're going to talk about today are four things, and this is kind of broad career advice as well. I know we're going to focus a little bit on CISO, but the first couple of slides are really going to be about you managing your own career. So the first one, probably the most important slide, is: why do you want to be a CISO? And again, broadly

applicable to whatever career opportunity you want to do, but you've got to understand why you want to do this before you can actually figure out how to do it. I think once you understand why, it's important for you to understand what a day in the life of a CISO is, because I'll be honest with you, it's probably not what you expect. So you figure out why, you figure out what, decision point: now, do you really want this job? I will tell you, you know, what I see from folks is that by the time we have this conversation, the folks that I mentor, they generally say, "I don't want this job."

Let's assume for a second that we get past this and we now say, yep, still want the job, got it, I'm motivated, I know what I want to do here, I understand what the job is. How do I get there? So we're going to spend some time talking about the skills and experience you're going to need to get this gig. And then lastly, I'll be honest with you, and I see it more and more: so now that you've had the job for a while (and I am a poster child for this), when's it time to leave? So I will talk a lot about this, and a shout out to the Mental Health Hackers folks

and the other channels. I think there is a time when you need to recognize that the job is not the job that you want to do anymore, so we're going to spend the last part of the presentation talking about that. Throughout this presentation, what I'll do is I'll try to give you a few nuggets of wisdom. I call them cautionary tales in the presentation. We're going to talk a little bit about that because there are areas that you need to focus in on. So when I talk about those cautionary tales, listen up a little bit, I guess, because those are the things that I found that are the most interesting parts that you should pay attention to, because

there are nuggets that you should take away and really think about. So when that happens, put down the Diet Dew (I've got one over here), kind of perk your ears up a little bit, and pay attention to that, because that's probably an important nugget for you guys to take away. Let's talk about motivation. So I'll be honest with you, you need to soul search for this job as well as any other job. Why do you actually want this gig? And for me, I look at four kind of big buckets for why people want to be a CISO. Left to right, I think these are the ones that I hear

the most. So I hear the most on the left, and all the way to the least on the right, but these are usually the big four buckets. The first one, I'll be honest with you, is money. Folks say CISOs make good cash, and the reality of that is that's very true. If you look at the Boston area in itself, and even the greater New England area, you know, your low salary for someone that carries the title of CISO is $250,000 all in, with some variable compensation, and it can be as high as $400,000. So when you look at that number, it's a pretty interesting number, right? If you're

starting your career out as a junior analyst, risk analyst or junior SOC analyst, you know, making fifty or sixty thousand dollars, that's a tremendous amount of money. What I will tell you is: do not fall into the trap that it's solely based on money. You know, I think if I look back on my career, when I started, a lot of my early decisions were money-based, but as I progressed up it became much more what I'll call mission-based, in that it was less about that extra dollar in my paycheck and more about believing in the opportunity that I was pursuing. My cautionary tale with respect to money is: beware of the golden handcuffs. You know,

I know folks, there was a back and forth on the Discord channel earlier today; we were talking about salary in the Boston area. There are organizations that will golden-handcuff you. If you're not familiar with that phrase, it means they will pay you more than the market rate. I would caution you to not adjust your lifestyle to that golden handcuff, because at some point in time the handcuffs will come off and you will be in a situation where you're living above your means. So I guess my guidance and cautionary tale to you all is: money is a great motivator, but what I will tell you is, for me personally, believe in the mission

more than anything else, because I think you'll probably have a lot more job satisfaction than the cash. The cash is transient and perishable; I think mission is probably more important. The second motivator that I see for folks is prestige. I'm a C, right? All of a sudden I'm a chief, and with that, you know, folks believe that there's a certain amount of prestige in being called the Chief Information Security Officer, the Chief Security Officer, the Chief Trust Officer, or whichever variant you may have in your organization. What I will tell you is that yes, there is a little bit of cachet, and we jokingly call it the key to the executive washroom. You know, once

you're a CISO, you're always a CISO. But the reality of it is that in the job itself, except in very few organizations, you are not on par with the rest of your C-level compatriots, and we like to call this the "little c." So no matter how much you feel that you're going to be a C-level participant in the organization, the reality of it is that you're always probably going to be a little c comparatively to your internal peers. So you are likely not on par with the Chief Financial Officer or the Chief Legal Officer or General Counsel. So while there is prestige in the C, what I would tell you is

recognize that you will likely always be the little c in your organization. Now, there are obviously caveats in every one of these, and certain organizations, you know, have an executive-level CISO or CSO that reports to the CEO, but those are few and far between, and I've seen many organizations that have tried that and then backpedaled and dropped that person down under the CIO or under the COO or something else. So just recognize that yes, there is prestige for it, but you may not be at the level of prestige that you think you have. The next one: power, right? So you are the head of security, you are in charge, you can do everything, you tell folks what to do.

Yes, to a fashion, but what I would tell you is that that command-and-control mindset is very 1990s. You know, for modern CISOs of today, it's about influence; it's not about command and control. And if you feel that you're going to come in and roll over folks and get what you want because you're the CISO, you're in the wrong gig. I'll be honest with you, that gig just doesn't work in 2020. So if you're in it for power, you're not in it. I'm gonna be brutally honest with you: this is not the role for you, because you're not going to have the power that you think you have based on the title that you think you have.

So the last one is probably the most interesting one. I think a lot of folks think that they have to. So they look at the pyramid of progression inside information security and they say, hey, in order for me to move up I've got to be the CISO, right? That's the pinnacle role for information security. I'll tell you that that's not true. You know, I think you've been sold a bill of goods that you have to be the CISO. The reality of it is that there are great careers to be had in not being the person that has to take the CISO role. And I'll just do a little shout out for folks,

in shameless promotion: I've posted some career ladders out on GitHub, open source. In there, it'll demonstrate that you can make a really good salary and never have to be the CISO. But I think people fall into this trap that they think they have to be that person because it's the top role, and I will tell you that is absolutely not true. You can have a great career and not be the CISO in information security. There are other motivators, obviously, with respect to this, but these are the four that I hear from all the folks that I talk to. So, you know, you need to do a little soul search and figure out

what's motivating you for this. Is it the money? Is it the prestige? Is it the power? Is it because "I have to"? Because before we talk about what the job is, you really need to understand why you're on this journey. So if you look at these things and you go, "All right, Mark, I think I have to," or "I want the money," I think we should segue over to what the job is, because these two things together will decide whether this is the right job for you. So we're going to move over to: so what does the day look like for a CISO? And I'll be honest with you, it's probably not what you would expect

it to be. And again, results will vary. In smaller organizations the mix will be different; larger organizations are going to be much more like this. But I'll be honest with you, this is what I generally see in what I would call a typical information security organization of, you know, 10-ish people. Five to 15 is usually what you see if you look at some research on the average information security department size. This is what your day is gonna look like. So I'm gonna be honest with you: if this doesn't appeal to you, this is not the job for you. We'll start on the left: subject matter expertise. I will tell you

that if you think you're going to be a technologist as a CISO, you're in the wrong gig. You are not there to be a player-coach; you are there to coach the team. And if you're spending your time running plays on the field, be it soccer, football, rugby, whatever it is, you are not doing a service to your team. You're not a CISO; you're just a technologist with a title. I'll be honest with you, you're not doing the tasks that you need to do at an executive level to be successful in the organization. So if this is creeping north... now, I'm going to be honest with you, there are times when that has to happen.

There's an expectation you're a technologist because you're the Chief Information Security Officer, so you still need to understand technology, but your days of running scanners and responding to Jira tickets are effectively done. You should not be doing that. If it's creeping north of your time for any reasonable amount of time, then you're not really doing the role that you should be doing in the organization. Moving down: paperwork. So welcome to being a leader and a manager in an organization. Roughly twenty percent of your time is going to be spent doing paperwork, everything from signing your regulatory reports, be it for HIPAA or PCI or ISO attestation, to doing your employee reviews and evals, one of the most important tasks that you

could be doing; working with procurement to buy all those fancy tools that you need to have in your organization; or working on suppliers, because customers want you to talk to them about what they're buying from you; or, famously, developing your executive reports, whether it's up to your CIO or your quarterly board reports. You're going to spend a tremendous amount of time doing paperwork. So if you do not like doing PowerPoint, probably not a good spot for you, because you're gonna do a fair amount of PowerPoint in your lifespan. The cautionary tale I would tell you here is: do not let this get away from you, because you could easily fall into the

trap where the bulk of your time is spent doing paperwork. What I would tell you here is, if it starts to get to more than a third of your time, you need to delegate. You're a leader in an organization; you have staff that sit underneath you. Make them do the paperwork; they need to learn how to do this as they progress in their career. So make sure that you can delegate out, because you have more important things over on the right, which we'll get to in a second. Otherwise, get yourself an admin. You know, when I first started, I didn't think that I could ever use an admin, but once I got my first administrative assistant, it was the best thing that ever happened.

You know, they kept me on track; they made sure that the things that I would let slip off my day-to-day were taken care of. Granted, that's larger organizations; as a CISO you're likely not going to get an admin until you get to a certain size. But my cautionary tale is: do not get overwhelmed with paperwork. Either delegate it out or get yourself an admin to do it. Enable your team. I want to call out number two here. Again, I know I talked a little bit about it, but in my opinion, one of the most important things that you can do as a leader of an information security organization is to ensure that you're

growing your staff. So just like we're having this conversation about how you're going to grow your career, while it's important for you to manage your own career, it's also important for you as a leader to make sure that your team is progressing. So for me personally, one of the most important things that I take to my team is to make sure that I'm growing their career and making sure that they're doing the things they need to grow their career as well. I think it's the most important thing you guys can do for folks out there. Moving to the right, and everybody's going to probably have a big sigh with this. I will tell

you that 75 percent of your time is going to be spent in meetings, and I pause there because that is really what you're going to expect as a CISO in an organization. You're not player-coaching anymore, so you're not turning bytes and running scanners and doing code reviews. You're filling out paperwork. The reality of it is, it's probably the most important thing that you can do for your team, for a number of reasons, and we'll go through them here in a second. But you're going to spend 75 percent of your time, day to day, in meetings. So what does that mean? Out of an eight-hour day, six hours of your day, north of six hours

of your day, is going to be meeting somebody in the organization or outside the organization. The reason I think it's the most important thing you can do is because your job as a CISO is to influence the organization and your external stakeholders. You need to market your team, meaning your team has a portfolio of things that you're doing for the organization; you need to let the organization know that you're there. You hung a shingle, a security shingle, in the org; you'd better let people know what you're doing and how they're gonna do it. That's your internal marketing. You need to do your external marketing, right? You have a great team; you're gonna need to

recruit people at some point in time, and you do that through external marketing: my team is good, it's great working here. You're doing talks, you're doing all those things that are necessary to make sure that there's an awareness of your program in the organization, because without awareness your team's going to be very ineffective. If people don't know you're there and what you do, they're not going to come to you for advice, guidance or whatever. So, marketing. Up and down communications. So I say this specifically, up and down: you as a leader need to communicate downwards to your organization what's going on. You need to talk to your staff, so you should be having meetings with your people.

If the last time you've talked to somebody is six months ago, you have a problem. You need to make sure that you're providing constant feedback back to your team. Likewise, you need to communicate up, meaning that a lot of your time is spent talking to your peers or your seniors to let them know the great job you're doing in information security, and also the things that you need from them to be successful in reducing risk for the organization. If we look at a spread, you know, we look at the layers of management in a typical organization: a level one manager, you know, a typical manager, spends most of their time communicating to their staff.

A level two manager, which say is a director, spends the bulk of their time communicating across the organization and down to their subordinates. A level three manager, being a vice president and above, spends a tremendous amount of their time communicating up and out. So as you progress in an organization, that communication is going to be critical for you to be successful. Third item: goal alignment. You need to get out there and make sure that everybody knows what your charter is, what you hope to accomplish, and make sure it aligns with the business requirements that are out there. Your number one job is to make sure that your goals align with everybody else's goals, because if you have goals that don't

align with the business goals, your goals aren't getting done. So you need to make sure that you're out there telling folks what's important, why it's important, and how what you're doing aligns with what's important for them. Fourth: strategy. You need a plan, and you need to communicate that plan out to the organization. So you need to figure out where you're going, pick your north star, figure out how the team's going to get there, and communicate that strategy up, both to your peer groups and all the way up to the board of directors if you need to. Lastly: business impact. So what you're doing and how it impacts the business is one of the most important things that you

can articulate out to the organization. If you cannot tie what you're doing to true business impact for the org, you eventually will have a smaller budget and fewer people. I'll tell you that straight up. So you need to make sure that whatever strategy and goals you set up, you've aligned and tied them to a direct business impact, because eventually your budget will get smaller if it doesn't. All of these things together position your team and you to be successful in the organization. So all of this time that you're meeting folks and having conversations is probably the most important thing that you can do in the organization, because at the end of the day your job

is to enable your team to be successful. So if you're not having these meetings and having these conversations and aligning, your team ultimately is not going to be successful in the organization. So with that, the cautionary tale here is: if you're not doing this, you are doing a disservice to your team. So if you're holed up in your office, not having communications about what your plan is and how it's impactful for the business, you are not going to have a successful team in that organization. It may not happen right away; it may happen in 18 months. But someday someone's going to cross the T and dot the I, and your team is going to be much smaller and be less impactful in

the organization. So we've talked about why you want the job; now we've talked about what you're going to do during the day. And I suspect that there are a lot of folks on the call, on this, going, "I'm not sure I want this job." And the reality of it is, I'll show you a nugget: so of the 200 or so folks that I've spoken to about this, we get to this stage in the conversation, and I would say a full 85 percent of them go, "This is not the job that I want. I've recognized that I thought I had to. I am not a fan of paperwork and meetings all day. I want to be a technologist, and

that's not my job. I think I want to stay in the technical track and be an architect, or I want to be in consulting, or something else." So if you're sitting there listening to this saying, "I'm not sure," I'm gonna tell you, you're probably in with the bulk of the people who have said, "This is probably not the job that I'm interested in; I don't really want this gig." So you can stop now and listen, or stop now and drop, if you've said this is not what I want. But we're going to move on to: all right, so you've got the right motivation, you understand what the job is, you're like, "I'm in, Mark,

right? I'm ready to go for this job. So how do I get there?" Right, we've gotten to a point now where I've committed; I think it's the job that I want to apply for. So let's talk about, you know, what it's going to take to get there. So how do I prep for this? A lot of words here, and we'll do our best to get through these, but there are kind of eight core functional areas that you need to begin to start prepping yourself in to take on this responsibility. So you know what you need to do, you know what the job is; let's just talk through these. So, technical skills. I mentioned it earlier: there's an

expectation that you have technical acumen. It's changed a little bit recently, you know, there are a lot more systems that are coming on that are business-focused, but at the end of the day there's still an expectation that the Chief Information Security Officer is a technologist. So while you don't necessarily need to know how to run the blinky boxes, you'd better know what the blinky boxes do and have a sense of what there are, if for nothing else so you can cry foul on the team if they're trying to pull something over your eyes and say, "Hey Mark, I need the widget over here," and you're like, "Oh yeah, the widget, we should

buy one of those." So you still need to have some technical acumen, so do not let that slide. But again, what I would tell you is you don't necessarily need to be the end-all be-all of all technology. Now, the difference here is, as you grow your career, you're technologist, technologist, technologist, CISO. So you're growing your technical acumen throughout the early stages of your career; you just need to keep that at a level playing field and keep up with it as you get there. So keep growing as you're growing up through the positions, but recognize that it's not going to be an absolute that you know everything from a technology perspective when you get to the CISO job.

Secondly, time in grade. I get it, it's not fair. You know, the whole time-in-grade, "you need to spend 10 years in a job before you get promoted," is very 1950s, 1960s-ish, but the expectation of any C-level position is that you've got some time in the job or in industry. So let's be honest, you're not going to get a CISO gig if you've got less than seven-plus years. You may get one entitled with less than that; the reality is it's probably more likely a player-coach job and you're not doing a true CISO gig. So for better or worse, fair or not, there's going to be an expectation that

you're likely not going to hit this gig until you get at least seven to 10 years under your belt in industry before they give you the position. Next one, controversial: education. What I would tell you is that historically, and historically within the last 10 years or so, you know, human resources for any professional position has generally required a bachelor's degree in any discipline, right? Basket weaving, music, not to downplay those, but it could be in anything; they just want a bachelor's degree. The reality of it is that I'm of the opinion that in order to be a great information security person, a bachelor's degree is not an absolute requirement, and I've hired to that in

the past. I think attitude and aptitude are the two most important things that I look for in an information security professional. The bachelor's degree just proves to me that you can get through four years at a college and pass some tests. So for me, I don't require that for any one of my jobs that I generally hire in information security. Likewise, like I said earlier, I don't care what it's in. So if you do come with a bachelor's degree, do not feel that, you know (sorry, Boston College, Northeastern, everybody else), it has to be in cyber security. I will tell you that some of the best information security professionals I've ever hired have had non-technology

degrees. One of the best people that I've mentored up, and now he's becoming a CISO, he's got a degree in classical jazz, and he's spectacular with respect to his ability to be an information security professional. So if you're a non-traditional tech person, do not feel that a career in information security is outside the realm. It's not an absolute, much to the chagrin of my folks in higher education. I will tell you, as far as an advanced degree is concerned, only pursue one if it's a skill you're going to need. So do not go off and say, "I think I need an MBA for this job," because you don't; you really don't need an MBA. If you

think you need an MBA because you need to learn about finance and accounting and marketing, go get the MBA. But the reality of it is, requiring an MBA or a PhD in cyber is really a waste of your time. Like I said, only get that advanced degree if you feel you need to get it to learn new skills; otherwise you're just spending money and time that could be better spent with your family or doing a hobby that you're interested in. So let's talk about certifications. So when you start out your information security career and you're junior, like, yeah, everybody, let's get the CISSP. And, you know, there are some mildly interesting things about

getting through the HR gauntlet with a certification, right? So sometimes you get one. I have a couple; most information security people have at least one, just because someone said they needed to get one in the past. What I would tell you for the CISO role is: there are certified CISOs. I couldn't tell you what a certified CISO is, to be honest with you. So if you're looking at that and you're going to learn something from the process, go ahead and take the cert, but it's not something that I look at, nor have I heard any of the executive recruiters look at and say, "Well, this guy's got a certified CISO and this person has a certified CISO,

and I'm going to hire the certified one over the other certified one." I've never seen that happen, and I haven't heard that from any of the executive recruiters that I've dealt with. So while it's mildly important when you start out (get yourself a cert), as you progress up it becomes less and less important. Sorry, ISACA and (ISC)². Moving over to the right: business skills. I'm going to tell you, this is probably the most important skill that you can get as you progress up to a CISO. So you're a technologist, you've started your career as a technologist, you've learned all of this stuff, like, "I can configure a firewall and I

can do GuardDuty on AWS." You'd better know about finance, sales and marketing, and operations, because your job is a business leader in the organization. So you need to have skills in all of these. They don't have to be practitioner-level skills, but you'd better understand budgets. You'd better understand the sales process, because in many cases, especially if you're working at a product company, you're going to be asked to participate in the sales process, so you'd better understand what that process is, what you can say and what you can't say, and what pipeline is. You'd better understand marketing. And, you know, for me, I wasn't a marketing person. I went to

work for a security vendor, right into the deep end of the pool, and all of a sudden I'm a marketing person: I have a persona and I've gotta, like, speak and do all these other things. You'd better understand what pipeline is and what leads are, because those are gonna be important for you. Lastly, and this is a bit controversial when I tell folks this that have started their whole career in information security: what I would suggest to you is leave for a short period of time, a year or 18 months. If you have the opportunity, take an assignment in the business, and here's the rationale for that. What I find, especially when you're at a

larger company and you're dealing with a board of directors, there's an expectation of your business credibility. So if you've always been a technologist, you want to be seen as a business person, because that's what's going to drive change in the organization at that level, and if you've never actually been a business person, you lack that credibility at the senior level. So what I try to recommend to folks that are progressing at, you know, say, a Fortune 2000 company or above: you should consider taking another assignment somewhere else for a while. For me, I had the privilege of actually running product management for a little while, carrying a number, which is an interesting bit

if you've never done that before, being on the other side of the house. So I was running the appsec team saying, hey, you need to go do all of this stuff, and all of a sudden I'm on the other side listening to my former appsec folks tell me, oh, by the way, I need you to do this, and you're like, well, hey, I've got a ship tomorrow. And so it gives you a perspective that you may not have. So if you have an opportunity to do this, I would highly encourage you guys to take advantage of this when you can. Next thing, and that's probably the second most important thing, is you need friends, and we're going to talk about

these next three, which are about friends. So your first set of friends is your cross-disciplined friends. You need to find friends in other things that are not information security, because they're going to help you with things at some point in time. So you need friends in finance, you need friends in legal, you need friends in marketing, because you're going to need to draw on these friends at certain points in your career to help you get through certain issues. Your next set of friends is your bench. So as you're progressing up, you're meeting a whole bunch of colleagues. Start ferreting out those colleagues, because eventually when you get the

CISO's job you're going to have to build a team, and who better to staff the team with than all those friends that you have that you know are great SOC people, or they're great risk people, or they're great appsec people. So you need to begin to build your bench of people that, when you take the CISO job, you can call upon to restaff your team. Because that's the reality: most jobs, you guys probably have seen this, come through networking, not through getting something on Indeed, let's be honest. So you're going to get your gig through your network, not through just submitting out there, and that's especially true with CISOs. So you need to make sure that when you

roll in, if that new team has a problem in appsec, as an example, you've got a leader on the bench that you can bring in and say, I'm going to bring Sally in and she's going to run this appsec program, and I know her, I know what she can do, and we're ready to go. Lastly, I call it external squirrels. So as you're progressing up, your peers are progressing up as well, right? So you're coming up with a group. I have a group here in Boston that are my peers that we communicate with all the time on Signal, on our secret squirrel channel. You need these people as much as you need the other two.

You need confidants. You need people that you can talk to about various security issues. So you need to cultivate your external squirrel network, because those folks are going to be there for you when you say, I need this in information security. You need people to ask. You know, you can go ask Deloitte, you can ask Gartner, but your best source of information is going to be your external squirrel network. So you need to cultivate all three of these as you're progressing up through your career. So: tech skills, time in grade, education, certification, foundational CISO-level skills, business skills, networking, threefold networking: get yourself a bench, get yourself some friends that aren't infosec,

and get yourself some infosec friends. You need to do all eight of these things as you prepare to take this job. So you're there: Mark, I've done all of these things, right? I got the tech skills, 10 years, got the education, my cert, I've learned about finance, I got this group. Okay, so now we're going to go and try to get the job, right? So this is your first time trying to get the CISO job, so how do we land it, right? So you're trying to land the whale, so how does this happen? I said earlier, and it's kind of funny, that once a CISO, always a CISO, and it holds true:

it's much easier to get your second CISO job than it is to get your first CISO job, because once you get the title, once someone's taken the opportunity to give you the title, it's a little bit easier to get that. So this is really about how to land the first one; the second one is much easier because you've already got it and you've got some background on this. So where to look, right? How do I start trying to find this gig? Use your squirrels and your bench. So in the community here in Boston for CISOs, we all talk; we know all about all the open CISO reqs as people move around. So your squirrel

network will tell you generally where there's openings. Likewise your bench, right? So all of a sudden, you know, you've cultivated a bench, and this person's working over at this organization, and they're going to open a CISO role, and you've worked with them before, they really like you, they're going to get you that information even before the job goes to the recruiter. So make sure that you keep in contact with these folks; they will be your best source of ground intelligence about when CISO roles are going up. Secondly, look for internal transfer opportunities. This is really focused on big organizations. So in larger organizations they have this concept of a BU CISO, or business operating unit CISO,

and really what this is is kind of a mini CISO in a functional group within an organization. So I'll tell you, folks, and you can look at my LinkedIn, I worked at EMC, and they had this construct where we had a CISO/CSO for the overall EMC organization, and there were business unit CISOs. So it's your opportunity to become a micro CISO in an org as a step up to being the final CISO. So if you have an opportunity in a large organization, take this business-focused one, because you're effectively the CISO of that mini operating unit, so you have all the benefits of being a CISO and all the benefits of calling

back to the larger organization for areas where you need support. So I would strongly urge, if you have that opportunity, take that opportunity, because it shows that, you know, you go from running a team, running the risk team, to being a BU CISO, say, for this particular business unit. All of a sudden you're a CISO of a 700 million dollar business unit in a large organization. That transition to go be the full CISO at a billion dollar company is an easy step up, because you have a good story: even though you weren't the macro CISO, you were in charge of 700 million dollars of this 64 billion.

Lastly, what I would say is consider a down-to-up opportunity. And what does that mean? So what that means is a lot of times you're working in a large information security organization, you're a director, and maybe you've got 30 people working for you. Like I said earlier, sometimes getting the title lends itself to the job after that. So some advice that I was giving on the job recruiter chat a little earlier on Discord was: always take a job for the job after this job. So down-up exactly means that. So I'm going to take a job in a smaller team with the CISO, recognizing that I'm going to be there for two years, so that

the job that I take after that is now a CISO at a 100 person organization. So don't be afraid sometimes to step down in team size, recognizing you're going to step up in responsibility in the job after you do the step down. So it requires a little bit of planning and thinking through, but you need to be thinking about two steps out, not just the next step. Cautionary tale with respect to this: once you're out there, be careful of recruiters. I love recruiters, I've used recruiters in the past, but they don't always have your best interests in mind, right? They're there to fill the job. So just recognize who you're dealing with

and their motivations. Just like hiring a financial planner: you get one that's independent, and you get one that's going to sell you their own stuff because they get commission. Just recognize that when you're dealing with that, especially executive recruiters. They stand to make a tremendous amount of money. When you get your second CISO gig, you now get reached out to by these executive recruiters; they're probably looking at getting your whole salary paid to them when they fill the role. So just recognize the motivation when you're dealing with a recruiter. So you've got a lead on this job. Things to

watch out for. Scope of the role is important. What does this mean? It means that you need to try to figure out what your remit is. A lot of times they'll say you're the CISO, but you're not, right? You're a CISO in title. And I'll give you a story. So I worked at Dun & Bradstreet; I ran enterprise operations many, many years ago, and at the time Dun & Bradstreet hired their first information security professional, and I'll use his name because I know him: his name is Jack Radigan. And Jack's remit and his scope was to run information security. He didn't have any budget or any staff. His job

was to talk about information security, and if something happened, if there was a breach, he'd get fired. So what I would tell you is you need to recognize that and try to tease that out, because you do not want to be Jack Radigan, and if you are going to be Jack Radigan, make sure you're compensated well for being Jack Radigan, and you know you're Jack Radigan before you get into that. So sorry, Jack, if you're listening, and I know I use your example all the time, but just recognize that that's the scope that you have. Also it's important on the business side as well: is it business focused, is it just your online presence, is it the whole

organization? Also, what other things are you going to be responsible for? Is it infosec? Does it include physical security? Do you have privacy on top of that? All those things are going to be important to understand when you're going for the job. Secondly, title is not as important as job responsibility. So even though you might come in as a senior director and not the CISO, if you're effectively being the CISO, don't get hung up on the title, because you're doing the job, and when you go to get the job after that you can articulate why you were effectively the CISO. Because I've seen many CISOs that aren't doing the job of CISOs, and when they go

to get the next one they fail in the interview. So don't get too hung up on it. It's nice to have, like I said, the executive washroom key, but don't get hung up on it as long as you're doing the gig. Lastly, understand the budget you have and the budget you don't have. So as you're going through the process, it's important to know the budget you have and what you don't have, because what you don't want to do, back to scope, is get into a position where you get hired in as the CISO, maybe the first CISO they have, and there's no budget and no staff, because all of a sudden you're going to be ineffective

at implementing any strategy without that. And I'll be honest with you, just be leery of organizations that say, well, we'll figure the budget out when you get here, because we're not sure; you're going to set that all up. There's something to be said for that, but also just be cautious: that only really happens on brand new teams. If there's an existing team out there doing security, figure out what your budget is and what you have before you actually figure out whether this is the role for you, because you could have grand plans for a strategy and then recognize that you have no money or staff to actually implement that strategy. Cautionary tale here:

don't pursue the executive washroom key at the expense of your ability to deliver to your team or family. It's a mouthful there, but don't take the title if you're never going to be home. I mean, your motivation may be money, it might be anything like that, but what I'm telling you is my perception is it's not worth it, and we're going to talk about burnout in the next slide a little bit, but don't sacrifice for the key, I guess. Let's talk about the interview. So you're there, right? You got a lead, you looked it up, you got whatever ground intelligence you could get from your bench or your squirrels, you

got a good sense, something I want to go for, so you're going into the interview. You're going to talk to business people, not technical people, so you better know how to speak business, back to the earlier slide about business skills. If you're talking about firewalls and WAFs and that stuff: wrong interview, and it's going to go over their head, and they'll go, this guy's a technologist, he doesn't know my problems, I don't think he's a good fit for the organization. The whole conversation should be business speak. They are not going to test your technical acumen like another security professional; they're not there to do that. Secondly, demonstrate your collaborative

skills. Security is a partnership, as you guys are well aware, so you need to be able to demonstrate through examples your collaboration skills, because these are folks that you're going to need to work with throughout your career at this organization. They're going to want to make sure you're a good partner. If you can't demonstrate you're a good partner, they're not going to want to partner with you, and therefore they're not going to hire you. Lastly, be sincere, meaning be honest. They want to make sure you're a human being. Don't try to answer the question you think they want to hear. Don't do that.

Just answer it like you're going to answer it. If it's not a right fit for you, it's not a right fit for you. Don't try to fake your way into the job. Just be yourself. If that's what they want to hire, they'll hire you; if not, no harm, no foul. Lastly, this is critical for folks: this role is based on integrity. I don't think I need to tell folks, but I've seen this happen. Do not lie during this interview process. This community is too small, and I'll be honest with you, they will find out. Whether they find out after they hire you or they find out through the process, you will get a reputation and it will

follow you around. So we are security professionals; it's about integrity. Like, that's the I in the CIA triad. Do not lie during the interview process. There's exaggeration and there's lying, right? But I'm telling you, if you lie, you will be found out. Don't do it; you will ruin your career eventually for this. So: where to look, went to the interview, got the job. Awesome, right? First CISO gig. What I would tell you is you need to last through probation, right? So you're generally going to be on probation for 90 days. I will tell you that I have seen folks flame out and only last 30 or 60 days in new CISO gigs. So your first goal should be you need to

last through your probation, and how do you do that? First thing, meet as many people as possible during that time. Go back to two slides ago: meetings, meetings, meetings. You need to figure out who your friends are, you need to figure out what they do, you need to have as many meetings as possible, because that's what's going to get you the ground intelligence and the visibility you're going to need to build a successful program. Second thing, and this is especially true if you already have a team: your first duty of care is to the team that's there, right? They might possibly have lost their leader, or there's a new organizational structure. One of the most

important things that you can do right out of the gate is take care of your team. They might be shocked because a leader left, or shocked because of a reorganization. These are the people that you're going to build success in the organization off of; take care of them first. It will pay forward tenfold. Lastly, as you're preparing for this, you should have a sketch of a 30-60-90 day plan, meaning that you should come in with a rough idea of what you want to do. Now that goes to the cautionary tale of this: be humble. You don't know everything; every organization is different. Do not lead in

in your first 90 days saying you know how to solve everything in the world because you've done it six times over in different places. You've never done it at this company. You need to be humble about the people that preceded you and the organization that's there. So while I tell you you need to have a plan, that plan needs to be adapted for the organization it is. If you come in saying you know everything, you will probably not last through probation. So congratulations: you have the motivation, you've liked the job, you've got the job, and you've lasted through probation. So now you're on your way, right? Your career is on the way, and you're doing the CISO gig, doing

the CISO gig, and then you're like, maybe I don't want to do this CISO gig anymore. So let's talk about life after CISO. So when is it time to go? Let's be honest, and this is broadly applicable to any role that you may have: when is it time to go? Sometimes it's involuntary. I hate to tell you this, but as a CISO sometimes you're just going to get fired. You've done everything that you can do, you did it to the best of your ability, and the reality of it is that there's been a breach or something happened and someone has to be accountable, and you're it. Hence the reason, all the way back to the

first slide, the money is really good to be a CISO, because the reality of it is that you can be fired at any one particular point in time. It's not personal. Sometimes it is; sometimes you screwed up and you really deserve to get fired. But sometimes it's not that way. It's not personal; they just have to do it. You need to recognize that and move on. What I will tell you is that the second part of this is, funny enough, there's no stigma to getting fired. Unlike other roles, there's sometimes an expectation a CISO may get fired just because. So unless you're getting fired every job over a course of time,

there's not as much stigma to it as you would expect. Secondly is burnout. So a lot of times, if you think you're going to work 40 hours a week, not happening. Back to Mental Health Hackers: you are going to work 24/7, breaches, regulatory reports. This is not a lifestyle job. You are going to be busy, and a lot of times I've seen many of my peers burn out. They look to alcohol, they turn on their families, they're not sleeping, they're not getting the help. To be honest, the job's not worth it. You need to move on if you find yourself in this situation.

Third, mission. You know, this is for me, it holds true: I want to believe in what the company is doing. If I don't believe in what the company is doing, I find it really hard to get motivated to do work. So a lot of times you'll take a job because the mission was something you believed in, and either the company has changed direction or they're not fulfilling the mission. If you can't look yourself in the mirror and say I enjoy working here and I believe in what we're doing, get another gig. Lastly is growth. So a lot of times you've done everything you can do; you've been at the organization, you've grown the team, it's an awesome team,

you're not getting what you need, and you're also holding back the subordinates underneath you from growing. So sometimes it's time for you to just move to the next opportunity and let one of your subordinates take over, or get somebody from the outside. You've done everything you've done, you did a great job, you built a great team; sometimes it's just time to move on. The reality of it is, you know, infosec is an always-moving profession. Most people don't retire in grade in infosec. So if you're going to move on, where do you go? CISO round two, I call it. So you've moved on to another organization, you moved up, you're making more money, you're

climbing the ladder, as I call it. A friend of mine did this: he's the CISO over at Home Depot, and he's been progressively moving up the ladder and the size of the organization he has, and he's got a team of like 800 people as the CISO of Home Depot. Recognize what you're signing up for with that: you're probably moving around a lot more, headache, a lot more money, but there is this progression of larger organizations. Second, the noble approach: consulting or teaching. So take what you've learned, teach other people about it, right? So go be an adjunct at Boston College or Northeastern, or do some consulting, and this is the path that I took.

You know, I was done being a CISO, and I've gone off and started a consultancy, and that's what I chose to do with the rest of my career. Build something. There's a lot of security startups; there's plenty of money here in the Boston area for security startups. You got a great idea? Be a business person. You got all those business skills now, you learned them all; go build something, build the next great security product out there, be an entrepreneur. Lastly, if you've taken my advice earlier, take a business role. So maybe you become a CIO, maybe you're the CEO. You've learned all that stuff; why not choose to do that? But I guess the moral of the story here

is just recognize, folks, that there will be a point in your career with the role that we've just worked through, you've aligned on, you've taken it, and you really wanted to do it, when it's time for you to move, and it could be for the reasons on the left, and you're going to the reasons on the right. But I would tell you that at least my experience has been most CISOs only do a few turns in the game, and if I look back at all the friends that I know and the friends that have moved on, except for the real high-growthers that are kind of moving up through the ladder, most folks do two to five turns

tops as a CISO, and they're generally moving on to something else. So just recognize that there is life after CISO. So you work really hard to get this job; just recognize that this may not be the job that you retire on. So with that, a couple of things. This is my contact information; we'll take questions here in a second, and like I said, I'll be on the job finder piece afterwards. A couple of shout outs. So one, I mentioned earlier, as part of my last 10 years or so I've collated a bunch of career information, so I hand it out; it's all open source, so if folks want it you can just

chat me and I'll give it to you. It has career ladders, skills you need, both business and technical, along with salaries out there for basically the greater New England area. So feel free to consume. Happy to answer questions.