
Thank you for coming out to BSides Las Vegas and the Ground Truth talk. We are here this morning with Ian and his panel. This evening... well, it's Las Vegas, so it's morning; I'm sure there are some people in Vegas just now getting up. We'll introduce the rest of the panel as we go along, but first we need to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Valimail, as well as some of our stellar sponsors, which include Seeker, Secure Code Warrior, BlackBerry and Amazon. These talks are being streamed live and recorded, so if we have audience interaction, which we are planning to on this talk, please raise your hand and I'll run the mic for you. And since it is being streamed, if you can silence your cell phone we would appreciate it very much. With that, I have two pairs of socks to give out from our sponsors and then we'll get started. [Music]
So thank you. Good. So hi everyone, my name's Ian. I am the... hello. I'm the chief security officer for Cimpress, and what we have today in the next 40 minutes or so, if you're familiar with the Meet the Fed panel at DEF CON and BSides and stuff like that, is the Meet the CISO panel. We just finished up a full-day CISO track, and I have sort of hand-picked a few participants from the track who can talk about their career, they can talk about their expectations of people coming up the ranks towards a CISO position, they can talk about their learnings and experiences in security, and this panel is basically designed to cater for you guys. So most of it hopefully is going to be driven by your questions; again, it could be career related, it could be professional, like how do you deal with this, how do you deal with that. It's open. I will make sure that I stay mostly silent unless you have specific questions for me, which you shouldn't, because these guys are the core team. What I did when I selected the esteemed panel is I tried to make sure that we have an interesting variety of backgrounds, experiences and current roles in terms of companies. So without further ado, Sandy, would you like to introduce yourself?

Absolutely. I'm Sandy Dunn. I work for a healthcare organization in Idaho.

Hi, my name is Joe Sullivan; I'm the CSO at Cloudflare.

My name is Shana Rose and I'm CSO at Avant and also Amount, both financial / FinTech companies.

And before we go on to your questions, I think if you can elaborate a little bit on your personal backgrounds, like where you... not literally where you grew up, but where you came from, from a security perspective: what was your experience and background, how did you get to the role. I think that's going to provide a lot of meat for our participants. John?

Yes, I started out working for a company called Leviathan Security Group back in 2005, and that was up in Seattle, and I was an aspirational pentester, so I got,
in my opinion, taken under the wing of some of the people that I to this day consider to be some of the strongest in security, great mentors too. So I learned a lot on the pentesting side and got my hands pretty dirty with that, but we were a very small company at that time, so I also took on a lot of the project management stuff and ended up, I think, just naturally evolving into some kind of manager, although I fought it for a very long time. And then, you know, I kind of got tired of the pentesting, consulting, reporting, that kind of stuff, traveling, so I went to work for some bigger companies and started out as a program manager, and that kind of in AppSec, and that evolved more into taking on other responsibilities and other programs too, and that just kind of led me naturally into a CISO role.

I actually started my career by going to law school, and then I really, really wanted to be a federal prosecutor so I could be on the Meet the Fed panel. Never got invited. I never got invited to the Meet the Fed panel. But I started... I was in the US Attorney's Office here in Las Vegas in the 1990s; in 1997 I started here, and I was the only prosecutor in the office in his 20s, and I had a computer on my desk, so I started doing the tech cases. And then the Department of Justice created a program, and then I got training, and then Robert Mueller was the US Attorney up in the Bay Area and he wanted to have a high-tech unit in Silicon Valley, and I wanted to leave Vegas and moved up there, worked in the US Attorney's Office in Northern California. After a few years I left, I went to eBay, worked on trust and safety at eBay and PayPal, I went to Facebook, became the Facebook CSO. I joined the company in 2008, was the CSO at Facebook from 2009 to 2015, was recruited over to Uber, spent two and a half years as Uber CSO. I was fired from that role a little less than
two years ago, took some time off, and then found a position at Cloudflare. So I'll kind of keep it short.

So I got started doing competitive intelligence on MFP printers, and at that time, this is about 2001, I started going, well, if we're sending off these printers, shouldn't we care about who we're sending them to, what we're sending? And so we really didn't have anyone who was doing security on the MFPs; nobody was really talking about it. And so I started listening to the PaulDotCom and CyberSpeak podcasts, and they'd talk about it, and then I'd take notes during the podcast and then I'd download all the tools that they talked about. So what happened was I became really knowledgeable about security and then the go-to person. That transitioned to different careers and they kept growing; I took some SANS classes and ended up being on the cybersecurity team at HP, and now I've been at my current employer for about two and a half years. But as I was saying on the way in here, I knew I was pretty good at translating security to the business, so I saw being a CISO as my career goal, and so I had this trajectory: I was working on my master's, that was... in five years, obviously. And I got hired as the IT security architect at this company. I was brand new to it, I was there for two months, the CISO left, and they plugged me in as the CISO. And the worst part was I was trying to take my finals for my master's; I know, this is really bad timing for me. But you know, when the door opened, part of me was like, well, I don't know if I want to, because everyone kept saying, do you want to be the IT security architect, I love the geeky stuff, or do you want to be the CISO? I'm like, no, I don't know. So I ended up being the CISO. I have a great team and it's been a very interesting journey.

Awesome, thank you, appreciate it. With that, any questions
from the crowd? We would love to address anything. Can we use the microphone, for the people listening online?

You answered my first question, which was, did your high school guidance counselor suggest that you become a CSO? But I'm curious about the changes you've seen in the cybersecurity / information security field over the time that you've been doing this.

Anyone in particular, or randomly select a volunteer? Who went first? Okay.

I've seen the position change a lot. So I've been in the CSO role for about a decade at three different companies, and the thing that I've seen is it has become much more of an executive-level focus and attention with boards, and I think we as a profession are really struggling to catch up with the heightened expectations of us and the heightened need for us. I always think about, if you stopped the CFO in the hallway and said, how do I become a CFO, and you stopped ten CFOs, you would get very similar answers from all ten CFOs. They would say go do this in college, go through these three jobs, and then you'll be ready for CFO. But in our profession, if you ask the three of us... if you looked at the four of us, at our backgrounds and how we got where we are, we all took very different paths. And we just spent the day together, 50 of us CISOs, and we probably had 40 different paths among the 50, and we'd probably give 40 different kinds of recommendations. And we're still struggling as a profession to figure out, like, do we want to report to the CEO, do we want to have quarterly board access, or do we want to stay hidden down at the director level of the company? So I think that the profession is changing a lot and we're all getting dragged along with it.

Yeah, I would agree with that completely. I think in a lot of the roles that I've been in, I've literally invented the role. I saw
somewhere in the company, you know, something wasn't working, and I thought, well, I have the skill set to fill that: I know AppSec and I know program management, that sounds like I can run this program. So I mean, I think that the beauty of that is that we're really, truly defining what this industry means right now, and you guys are in the best spot to do that, because you're on the front lines of literally everything and you know where the weak spots are, you know, literally and figuratively. So, like he was saying, we really are still trying to figure out what this all means, and I would love to say that we have all the answers for everything, but I've seen it evolve from there being literally no structure to roles or what we're supposed to do, to major companies being like, oh, we should probably hire somebody to do a security thing, you know, and it's a major news network and they've had one firewall dude for forty-five years, and now they have a security... I remember that... the likelihood of me being fired has just escalated. We're seeing you in the next... yeah. But you know, I don't think a CFO has to say, well, you know, I'm gonna get... but the likelihood of me getting fired, so that we still, you know... and that's a maturity thing, where you take it on because you're willing, you're like fighters, I think. You know, like Ian said, we were just all in a room together with 50 CISOs and it was great conversations, and there were so many strong personalities in that room, but the reason is because you really have to be kind of a bull in a china shop to be a CISO today. Hopefully the industry will mature to where it becomes more like a CFO: you know, this is your role and responsibility and we're not going to just fire you if there's any security issue.

Cool. Question over the back? Oh yeah, I've got
a question, and it's for all of the panelists and the moderator as well. Based on your varied histories to your current positions, I was curious about probably three perspectives, if you care to share them. One would be the size of the company versus your, for lack of a better word, attack surface or your vulnerabilities, and the amount of resources you might have. And perhaps if you have an insight to share on the ethical dilemmas that might get you fired. And lastly, do you think the C-suite executives, and I'm stereotyping again, who may have come through their position as a CFO or maybe a bit more traditional career path, as opposed to the variety you exhibited today or described, how that might influence their awareness of data protection, information security? I can tell you from my background as an engineer and an attorney, C-suite people don't always appreciate the fact that it's going to cost money to protect the data they collected, and they're not liking what you're telling them.
I can easily take the first one, which is, essentially, if I can distill it: how many security people do you need, right? There really is no right answer to that. I've had external consultants come in and try to do some formula that's like, for every 50 tech people you should have one security person, but that doesn't, you know, quantify the amount of risk in our IT assets, or define out what your threat landscape looks like at all. So it's really that you have to figure out a way to communicate that up to the people that are deciding who's getting what resources, and that's really up to you. So, you know, I'll use those external consultants, even if I think they're wrong, to paint the picture that I need internally. So I don't know, there's no right answer.

Yeah, as a profession we haven't really picked a good model for evaluating risk yet. It's one of the hottest topics in security leadership right now: the different risk models and how you calculate risk. And the reality is you can't really look at the size of the company or the number of engineers or your product or revenues. Like, a company like mine that sits in front of thousands of other companies: the risk, if we said, oh, we're only a thousand employees at that company, so we should have a pretty small security team, that's not factoring in, well, all of our customers' secrets are being decrypted in memory on our machines, so we have a heightened security risk even though we're a smaller company. And so we're gonna invest not based on the size of the company or the number of engineers, but on a more thoughtful approach to risk.

Just to strengthen that point: I've seen, again, I've worked with companies... a hedge fund is a good example. You have about 30 professionals, like 30 people who actually do the work, and about 20 people in security, because they're rolling bazillions of dollars every day and they have a huge attack surface. They're completely ignorant, and all they do is, you know, put their brains to work and bet other people's money. In my current company we're 14,000 people; my security team, half of it is probably here, is less than 30 people. So it's not a scaling question. As Joe said before, pick any of the parameters, put them in any shape or form, there's no formula that can answer it. You have to sit down and figure out how does this company work, what's the attack surface, what's the risk model, how effective can we be internally, what are the operating functions inside the company, how centralized or decentralized does it operate, what's the executive leadership like. So, sorry to
disappoint you, there's no formula or direct answer for that. As far as... I'll start picking up on the second topic, which is the other C-suite / executive approach to risk or security. First of all, I think it's our responsibility, it's our job, to be part of that conversation and facilitate that with inputs from our end. So it's up to us to identify, first of all, how the business operates, so that whatever you're providing back as inputs is in context, and not just "I just saw a really cool hack on iOS and I can pull your phone." No one gives a... no one cares. You have to contextualize that. So marrying, and I think all three panelists here mentioned, the ability to take security and technical elements and translate them to business is literally what we do on a daily basis.

I would say that part of the challenge that we have, not just with the C-suite but with every person who's using the Internet today, is they don't understand that security isn't binary. I mean, there's no single lock that you twist that makes you secure. It's a process, it's everything that you do. It's not sharing your phone number at the grocery store to get that coupon, it's not posting details about your company on your LinkedIn. So someone's really not... it's helping them understand. And also, you know, I want to really highlight that it took us 25 years to create all of this code that has all of these problems; we're not going to get out of it today or next year. I mean, it's going to take us another 20 years. Now I will tell you, and I was actually there selling people computers in 1996, where I was upgrading them from 16 to 32 megabytes of memory, it was the third largest purchase that they were making. You know, they would buy their home, their car and their computer; a lot of times it was the most expensive thing that they were buying at that time. If we had built-in security, what we have today would not have happened. If we had developed it securely, we would never have made the progress that we've made. Now, do we have a lot of catch-up to do? Absolutely, absolutely. But it'll take us 10 to 15 years, and we talked about this today. I think there will be a time in 10 or 15 years where the CISO job doesn't exist, where it's just quality. It's just... we're just talking about it, you know, the best car to drive. You know, you'll walk in, you'll buy a security product just like you go to the grocery store and you never question where that fruit came from. You never, you know, are worried about it. You trust the system that you're secure to buy that food. Are there problems? Does botulism get into stuff? Everyone's wrong... [laughter] Yes, we'll still have that, it will still have to be a process, but hopefully as we mature and we start understanding, you know, and again pulling on a conversation we had today, there's nothing magic about this. A security vulnerability means that it was a requirement that was not well defined and not well tested and developed. I mean, it's not magic, it's just that features and other things are getting pushed ahead of them.

Thanks for mentioning a hedge fund, so I'm gonna go to my boss
now and ask for 27 more people. So I'd like to ask each of you, you know, I think it was touched upon earlier by yourself, where the CSO should report in the business. And I realize there's no right or wrong answer, and I think a lot of it's dependent on how the organization is structured and their culture. I'm curious to hear your feedback on what your thoughts are on that.

I've reported to the CTO, the CFO, chief legal counsel and chief product officer, and my response to all this is that I just want to report to the place where this person doesn't get in my way, right? Because I don't... Amen. You know, I hope that they trust that I'm providing them with the correct counsel and the right course of action. I doubt that they're gonna provide that back to me, the right security things to do. So if they can enable me to get my job done and not hamper me or make me compete for resources or have some weird conflict of interest, that's where I think it should report to. And every company is different; there's really no answer to this.

I think Sandy mentioned before we're sort of bulls in a china shop, we're very high-friction people. If you stand in our way... I'm allowing myself to speak on behalf of the rest of the panel: if there's an executive that stands in your way in terms of functional management, that's not gonna be a long-lasting marriage.

In my last two jobs I've reported to the CEO, and I like that because it allows me to better understand what's going on across the company in terms of the priorities of other executives. Like we talked a lot today about risk judgment, and the number one thing you need for good risk judgment, other than good judgment, is context. And so by reporting to the CEO, I feel like I have much better context on the company's priorities from the top and on where the business really needs to go. And so when I didn't report to the CEO, it was kind of like a little bit trying to read tea leaves of, like, what's really important, and then I'd have to go force my way into conversations. But at the end of the day, I think, look, because we're used to being bulls in a china shop, if we see a security issue at our company we're going into the meeting in that room regardless of where we report.

Yeah, I think it's also important that we all have some sort of dotted line that's not interfered with by anyone at the company, directly to the board of directors, so they can help us make some pretty hefty decisions and courses of
action.

I'm gonna ask a question. To the gentleman from Cloudflare: you mentioned at the start that you got fired a couple years ago, and you got a little smile, a little grin with it too. I'm sure other people have experienced that also, but it made me want to ask kind of how you dealt with something like that. But I think in the discussion there's a broader question that is coming to my mind, which is how do you evaluate a CISO? How does the CEO or the board or whatever, how do they evaluate the job a CISO has done?

Yeah, getting fired is never fun no matter what your job is, but I think when you take that role, like a lot of us, we know going into taking the role that we run that risk. It's kind of like being a baseball manager: if the team doesn't perform, the manager is usually the first to go, and so you just accept that going in. I hear sometimes in the CISO community, and not so much with the group today, like, wait, we need more power in our companies before we get the responsibility. But I think you have to own the responsibility before you get the power, if you will. I think that, you know, I just accepted it.

You asked about ethics, and I really believe that security is kind of part of your DNA, and so when you're in this role you accept that you may have to fall on your sword. And so, have there been times where I was uncomfortable with the decision and I chose that it wasn't the hill I wanted to die on? Yes. But if there was... there are hills I will die on, and you know, you just accept that. And then as far as being fired, you know, I was worried about that a couple of months ago, and it wasn't negligence of anything I did or anything my team did; it was just they were looking for a go, and it wasn't fair. I knew it wasn't fair, but that's... you accept it in the role. Now again, you know, we talked about burnout in this field, we talked about stress, and that definitely adds to it, because you kind of accept that things aren't always fair in the role. But we're maturing as an organization, or as a group.

That probably applies to a lot of executive roles in general. I mean, we tend to think we're very unique in that sense, but guess what, anyone who's responsible from an executive perspective is expected... I mean, they run the risk of the exposure. So yes, we have a lot of exposure. We're operating in a fairly immature field; I think that's a common theme that we're hearing here, that it's still evolving, developing, trying to define itself. Like, I'll deal with all kinds of security, from compliance to AppSec to physical security to everything. If something happens, guess whose head is going to be presented to the board? So yeah, I guess that's part of that maturity level of the profession. There's a new thing too that we have to worry about, which is the government repression, right? Like, you know, Elizabeth Warren proposing that executives should go to jail for major breaches, right, and that was in response to the Equifax stuff, and then all the election campaign security nonsense too, which hopefully nothing like that rolls down this way. But you know, that's another level of stress too. And my OKR was "keep Ian out of jail", literally, which was softened down by some OKR coach to "keep the business out of jail". I like that. But that's a real thing and that's something that's tangible, very tangible, but we can work towards it not happening. Yeah, yeah.

Banker. So since we're talking about where we should be reporting into, I know there are risk officers who usually report to a CEO, and somehow, since you're technology, and most of the insurance
industry and risk people who do that job do not understand it, do you think that's a good place for the CISOs to report? Like, what's the consensus in the community discussion about it? I'm just curious.

At least in tech, one of the concerns about reporting outside of a technical organization is recruiting and building a team that has credibility. When I was at Facebook and we were building the security team from just a few people into hundreds, I reported to the general counsel, and engineers would look at our team and say, are you real engineers? And the engineering bar at Facebook is very high and has been very high, and so we needed to have credibility with those engineering teams and had to work through that. It took a while, but I think because we held our bar really high and we included engineers from different teams on all of our interview panels and things like that, we were able to maintain technical credibility. But you know, if you're in a very compliance-oriented organization, you might end up with a very compliance-oriented security function.

As someone who's trying to build a security program pretty much from nothing with a relatively large tech organization, I'm curious, can you give me a ballpark idea of how your budgets are determined? Because I don't have one at all; I've got big
somewhere else. I'm getting ready to have that argument so I actually can work on getting staff or resources, but I'm just curious how yours is determined.

I like to point to any kind of external obligation that I might have, to, like, a partner, or from one of our companies providing a service. You know, if I can point it back to some kind of contractual thing that I now cannot fulfill because I didn't get my staff or my funding or my tools or whatever that may be, it makes it a lot easier to justify having a program or having funding for that program. It's really hard for us to communicate out by saying, oh, we need to have a program because it's a good idea, because, duh, right? Like, our executives want to spend their time and money on other stuff, especially if they haven't felt a material impact of a failed security issue. Any time I can get someone else to say it instead of me, that seems to go better.

I've heard a few CEOs recently say, I have a hard time saying no to the security budget for fear that we have a breach, because they know if they had said no to the funding... you know, if the Capital One CEO had said no to funding for cloud security, then, you know... And so I think that it's really important to draw a line between your specific risks and the programs that you're trying to build. Like, I've managed risk functions where you're dealing with... and it is so easy to get resourcing in that context, because you have a source of truth: chargebacks. And so if you can say, if you give me a hundred thousand dollars in funding, I will reduce fraud by three basis points, everybody does the math and it's like, okay, you'll just keep getting all the funding you're needing. One group, yeah, they're like, okay, I'll give you twice as much; you'll remove twice as many basis points of fraud, or they'll give you ten times as much if you can remove ten times as many basis points. It's much harder in the information security threat context to quantify risk. Again, we talked about that earlier. Some cyber insurance programs are coming together; we're a little skeptical about that in the CISO community. There are a few different risk programs that are coming together; we're just a little skeptical about that in the CISO community. But we're trying to get more quantifiable on "if you give us this much money we'll reduce this much risk", because that's usually the way money gets spent in a company, and you just have to think in that context, the business case. You have to make the business case for it.

I also will tell you, and I've had to slow down my engineers, that a lot of times they get tech crazy, and I'm always like, hey, wait a minute, are we putting a $2,000 fence around an $800 cow? You know, like, this has to really... I have to be able to show the business value.

That's a great expression, I'll steal that.

Hi, how are you doing? So you spent the whole day with, Jesus, 50 CISOs. What were the takeaways for you, or were there any epiphanies, and what is that one thing you're going to take back to your organization after spending the whole day with 50 CISOs?

I think for me it was good to kind of hear that the challenges that I face every day aren't unique, you know. It's good to hear, you
know, some of that.

Yeah, I agree with that. When you run security at a company you're a little bit on an island by yourself, right? Your team, you kind of don't want to show weakness to your team on the one side, and on the flip side you need to show the other executives that you're the subject-matter expert. So who do you let down your guard to?

For me, a lot of our conversations kind of boiled down to being effective at communication in some form or another. And I remember starting to work for this CISO, and the team wasn't really built out yet, there were just a couple of us, and he immediately hired a communications expert, someone who was going to put out the status reports and make sure everyone knew what was going on with security, and I was like, that seems kind of backwards, I don't feel like we have a program to report on. I think we had a session about boards of directors and how to talk to them and the gotchas with communicating with them, and one of them, at least for me, that resonated was about confidence in communicating with the board of directors. I've had a couple of scenarios where I've been told to be less confident with the board of directors and then six months later I should be more confident. So it's kind of frustrating to figure out what the best way to communicate with them is, but the takeaway for me was that it's really just a game, you know: each board is going to be more or less difficult, they're gonna have varying levels of knowledge about security, and so playing that game with them and making sure that they can really take in the information in the way that they can consume it is really important.

Related to that, on the boards: could you tell me how often or how much time you get to spend with your boards?

I think in my case it's fairly unique, or maybe not; you can tell me if
you guys have a similar experience, but it started out where I would get, like, the corner of the slide deck and maybe I would get to have five minutes in the full board meeting, and now I have an InfoSec committee that is comprised of several board members plus executives, and I get an hour and a half, so we really get to dive in pretty deep. So I think that as our company has grown and matured into really, truly caring about security, the board response has been analogous.

Yeah, at my company the expectation is that I'll engage the board every quarter in one way or another, depending, as you know, written, verbal, in person, but reports go up, or at least a Zoom presentation on that, quarterly.

And the supervisory board, definitely quarterly at least I've written a report, and it's a job.

I think there's also a trend with more board members reaching out directly to security leaders with questions in between those quarterly board meetings. And like one of the things we talked about today was, yeah, every time there's a Capital One or something like that, they're actually looking to us to give them some context: is this a relevant issue? Every security incident, we should probably just proactively send an update to our board explaining how relevant or irrelevant it is, because they're wondering, and actually those are great moments to engage and show your expertise and maybe give them some context on your business.

What are some ways that you measure success in your organizations?

Staying out of jail.

Not so obvious... I have a great team, and so we really see ourselves as, we kind of answer to each other first and foremost, and so just keeping that team. I've had zero turnover since I've been the CISO there, which, if you talk to any other CISO, that's like almost impossible. So I'm really making sure that our communication, that we track our process, what our goals are, not just the
company goals but what we are passionate about as a security team.

If you don't measure it, you're not gonna see improvement, something I've heard over the years, and so we try and measure where we are on everything. So whether it's improving diversity on our team or reducing risk in a specific category, we track it all and stay on top of it and look at the data, and then recalibrate if we're not trending in the right direction.

Well, I can tell from our end, we're using several metrics. I think the two main ones are: one is a very tactical kind of NIST CSF approach, that's lay of the land, where we're at, and that's something that you can semi-objectively track over time, and the second one is much more from a risk perspective of top risk scenarios, or loss scenarios, and how are we with those over time across the different businesses. So that kind of provides a tactical and strategic perspective. And, as was said before, if you can't measure it you're not doing anything about it, or definitely can't ask for a budget around it. So we have other OKRs that are related to those things, to security maturity, to the business itself. I mean, if you're lacking a lot... and so these have been all security related, which is nice, but making sure that there is an alignment between what we're doing and what the business is actually trying to accomplish is probably the key element for successful measurement.

One of the things that I wish I had done was measure the maturity of the program when I took over, because we've done a whole lot of stuff and I can show a lot of that, but I can't really show, like, I've changed the culture there. I know that and my team knows that, but I know I can't prove it.

I squash you. Yes, I've got another question. Right, 1:03, this is the only one. Okay, yeah, because we're winding down. But I was curious, in terms of cloud providers, if each of you had a different
strategy or risk model that you might use regarding how much protection does that cloud provider assume or how do you apportion liability or risk if that's you know if that's a question you care to answer it's data in motion versus data yeah we had a very long conversation about well not necessarily about cloud specifically pitches vendors and how to measure the risk around them the thing about vendor assessments is that they're really a point in time assessment just like a pen test is right like you get that one moment you know in you know in the assessment where you get to see just me me a little bit of insight into who they are and how
they're you know handling your security and you may not get the big picture so you never really know but there are some frameworks that you can follow and certain types of assessments that you can do on your vendors to become more comfortable with that like for example like at what level are they encrypting their data at rest and what what is what are the triggers for that and so forth I
mean the reality is is is that it's not that a cloud is insecure it's just a different process so it you know understand what the risks and where the controls need to be and then educate you know what controls and when using your contract amazing in what am i doing to manage that just one question so once you get to this see settle what's the kind of continuous education and continuous learning that you're building into your program to expand yourself personally so I think I'm the newest see so on the team and as you know I kind of it was a five-year plan that got from her shrunk immediately and one of the things that I
didn't think through was I got into security because I was so passionate about it I talked you know I did it in my off time I could talk you know I love hunting I loved the analyzing I love trying to figure stuff out and then as you become management then you're managing a lot of people and trying to determine if their cat being sick for three days is a legitimate reason for them to stay at home you know like all of you know in crisis and fires and you know all of that stuff and as we were talking about burnout and for me I there is a point where I have to go reconnect with with what I got you know why I took
this job and so I'll block my calendar and go learn a new tool and my technical skills are slipping daily like it's I can feel it going away but I still try to get back in and do stuff because that's what I really love to do so um so you know I I actually go out and still get certification and still trying to do stuff I'm I took the fair and staying for the fair certification and I love Oh scent so trying to dig into that so just I don't feel like I'm done I keep trying to figure out how do I get better and get more knowledgeable yeah I think yeah we all went to school for one thing and
then we got jobs where we were individual contributors maybe doing that thing and then we moved into different roles a lot of us moved into manager roles and we quickly learned as managers that the skills to be a good manager are completely different than the skills to be a technical member of a team well when you move into leadership you also learn that I never I was never given the tools for this job and I need to acquire them quickly and understand my weaknesses right away and then the quit at the beginning of a career in leadership you realize I have a lot to focus on and you just have to break it down and pick one thing and for me I
always have one thing I'm working on and I try and give three to six months to that one thing and and then keep and I usually let my team know or at least the people reporting to me so they can hold me accountable for improvement in that particular area and you just keep going at it because you've never you know we're never perfect learning yeah yeah I mean I came from like a engineer research background so there's that part of me will never die and it'll always be there and I miss it daily so I think I'm always dabbling in it and probably maybe too close to my engineers at times because I'm wanting to work alongside
them but you know I come from a knapsack background and I realized that infrastructure network isn't necessarily my strength so I'll go off and do courses on my own and that necessarily tell people I'm doing them but just kind of absorb it because there's a lot there's a lot of information out there just suck in from that I can tell that I'm trying to balance between those two areas the element I mean again technical roots and working with a team and suddenly coming up with like a cool hack from the 80s or 90s and it was like oh that's always cool and and that's one side and I'm sort of cheating by actually being here so you know I find I
find a way to go to conferences by running one and get exposed to like cool technical content and take a peek at the CFP and look at all 200 300 500 you know presentations that are submitted and learn from them and the other side is really on on kind of the leadership management side you know lots of reading of various books some I can recommend someone can say are complete nonsense and are designed to sell more books interactions with other leaders and executives specifically not tech leaders I think brought me a lot of tools and language to kind of figure out how to how to do my job more effectively so it's kind of between these two and and
it's always a balancing act because I I can get very quickly drawn into something very technical and just spend like a night or it and that that's really detrimental to my productivity sometimes or I can again it's it's a tough balancing act I've seen to a point where I'm actually carving out time out of my calendar to do those things specifically otherwise I feel like I'm cheating or not doing my job correctly and I'm kind of losing grip over either part either the executive kind of management or the technical a good book I can recommend for the management side which I really like lately is called tools of titans or something like that by the guy who wrote 4-hour workweek and
it's really about athletic performance management but there's a lot that we can draw from that I think in our positions probably have time for one more question hi um so I'm fairly new to the field of cyber security and so I was hoping I could ask each one of you what skill you feel that you you would recommend somebody to kind of grow throughout their career and also if possible I know you said one question but if you could talk one of the hardest experiences you've had in the field just as you guys have so much experience well I think in terms of something that a lot of us in the security a lot of people in the security
field have to break through is imposter syndrome it's like the world we live in and the role we play in our companies it's very easy to tip like mute yourself because you question like do I do I have the power to speak up in this situation these people are really important they're moving really fast on some really big project and like what gives me the right to jump in front of that train and guy and help it slow down a little bit or something like that so I think hi I have dealt with that and almost everybody I know in the profession is dealt with that as you and as you grow in your career your because
you as a security person you're not just staying in one little tech stack all the time you're moving around in a lot of different contexts and the people you're engaging with our deeper tech experts than you on because they live in that stack every day and so you just got to overcome that I think that's yeah I mean I was second that you I'm you know find your superpower there's something that you bring to the table that no one else can do as well as you do and so but just like just say it's easy to get intimidated because this field does draw brilliant people but you have something about you so when I look at a resume and
looking at job applicants um I value problem solving creative thinking over how many tools they know
that's the best answer that I could give I'm not not copying out that literally Goodwin are you guys good I don't want to step on your toes all right thank you for joining besides meet the seaso panel I have a couple more pairs of socks for anybody who wants you want the NSA socks don't you yeah NSA cat sees all is a pair that I stole already but thank you for coming out one more round of applause for our panelists and see you tomorrow [Applause]