
From Help Desk to CISO

BSides Las Vegas · 2025 · 38:23 · 9 views · Published 2025-12
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Nicholas Carroll traces his 15–20-year journey from help desk to CISO, examining the technical, business, and leadership skills required to advance in cybersecurity leadership. The talk addresses AI's impact on job markets, emphasizes the importance of certifications, continuous learning, mentorship, and practical leadership development, and argues that storytelling and business acumen are as critical as technical expertise for executive roles.
Identifier: NDRTXH

Description:
- "From Help Desk to CISO"
- Career pathway talk from entry-level IT to CISO.
- Covers certifications, continuous learning, mentorship, and career tools.
- Provides roadmap for aspiring cybersecurity leaders.

Location & Metadata:
- Location: Hire Ground, Florentine B
- Date/Time: Monday, 10:00–10:45
- Speaker: Nicholas Carroll

Hello everyone. Welcome to Hire Ground, and our very first speaker, Nicholas Carroll, is here to talk to you about "From Help Desk to CISO." Let's give him a round of applause and get started.

>> Good morning and thank you for joining me. You guys are the early riser crew, huh? Because we got the nice morning talks going. So, uh, yeah, I'm Nicholas Carroll. Uh I've done a little bit of everything in my career over the past 15, 20 years and that includes going from help desk to CISO. And so today I'm here to talk a little bit about my journey and the kinds of skills that I built along the way and how they helped me get to that kind of role if that's of interest to you all. Uh but as I get started here I want to see real quick. We got a show of hands. Who here is in

some sort of like IT support or help desk kind of capacity? One, two, three. See a few hands there for All right. Some hands on this side. Good. Who here is in security leadership already? Anybody at that level? Why are you here then? H you know you've you've completed today's homework, you can go home now. So, but uh no, thank you. I when we get to questions and things at the end, you know, everybody's journeys are different and the way we do things. If you've got feedback or things you want to share, please, you know, yell it out and share. I'd love to hear other perspectives on things and how they can help because everybody's sharing can get people where

they want to go, right? Because that's a nice thing to do. And uh final show of hands, there's been a lot of stuff in the news recently with layoffs and things happening and a lot of the layoffs and stuff that we've been hearing about places like CrowdStrike and Microsoft and things that you know they're saying like AI is making us more efficient and that's why we don't need these people anymore. Is anyone in here concerned around AI and the continuation of your current jobs or getting jobs and how that kind of is going to impact things? We got some hands coming up so far. That's that's a good third or so of the room for hands there. So, I I'll I'll

start with kind of the elephant in the room here, right? Like you all are you're you're in good company on that. You know, uh Pew Research has done a poll recently. And in their poll, they found about 32% of people were believing that AI would lead to fewer jobs. Right? And that is something that we may see bear out, but I I don't know if that's necessarily going to be the case on things. But also generally about half of respondents were worried about the impact of AI in general and what it could mean for the industries and for their jobs and not just in tech and cyber but in all kinds of jobs. Right? There's there's AI for

law now. There's AI for retail. There's AI for your lawn mower. Everything's got AI. It's kind of the way it's going. But I think that we're going to wind up seeing overall a bit of a a back swing and a boon in a lot of this stuff, right? One of the things that we always have to remember is that AI isn't magic. It's still servers and cables and data centers and all the stuff, the tech that we have to protect. And so there will be jobs specific to these things that will be made out of that. But then there are places that are still hiring, right? Maybe not necessarily in the traditional space we think of when we think of tech

with like Microsoft and Apple and all of the big exciting names, but there's tons of jobs still out there. Uh, so my company, I think, is a good example of this. I work for a company called Nightwing. We are technically in the defense space, right? So we support, you know, all kinds of federal contracts and commercial clients that are really interested in strong offensive and defensive cyber stuff. And we're investing heavily in AI and automation right now because we have to, right? Our adversaries are doing it and we have to be able to answer that call. But my company is about two billion a year in revenue, a couple thousand employees across 36 locations I think across the

country, right? Plus remote stuff. And we have literally hundreds of jobs on our job site right now. Even though we are investing in AI and automation, we're still trying to hire because we still need people to help make our AI and automation better and to help us stack into a lot of these roles in tech and cyber and tech and cyber adjacent stuff. And it's not just my company as a really good example here, right? The reality is is that there are tech jobs in everything now. You know, a lot of people get kind of into the mindset of, well, tech is the big tech players and things like that, but realistically, tech is everywhere. Your local bank has

an uncontrollable tech stack. Your local school system has an uncontrollable tech stack. Your local hospital has an uncontrollable tech stack. They are getting into this stuff. They're pushing forward on things and they are drowning because of it. Right now, uh, my team does a lot of cyber threat intelligence stuff. One of the biggest things we track is who is getting hit by ransomware. Manufacturing is the top impacted industry so far this year in ransomware attacks. Manufacturing, then IT, then construction, finance, healthcare, retail, government. All of these organizations are getting eaten alive from a cyber defense perspective and they know it. We're starting to see large investments into tool all kinds of positions and tools and things from health care clients from

finance clients from government clients. And so the kinds of jobs that we're doing probably aren't going to be for like CrowdStrike and things like that. Realistically, it's taking CrowdStrike and stuff that's out there and making it work for these other industries, right? So there's a lot of jobs out there. We just have to dig a little bit harder sometimes. Now, the Bureau of Labor Statistics actually tracks and predicts like what are going to be the fastest growing jobs and stuff. And they don't necessarily have like the cleanest titles for things. They have this tendency to put things into like giant buckets. Uh but if you look at the projected ten-year growth and the median salaries for positions, the

kinds of stuff that people in this room are probably interested in doing like data scientists, information security analysts, computer information systems researchers are still predicted to be some of the largest growing jobs because you still have to partner with AI and work with it to make it better and get it going good. And speaking of fast growing jobs, the Bureau of Labor Statistics doesn't really have a clean CISO category per se or information security manager position, but they do lump that under computer and information systems managers. So your ISM, your CISO, all of those kinds of security management roles wind up in this bucket. And right now they're still predicting about 17% growth. Hundreds of thousands

of jobs in this category over the next 10 years because somebody has to manage this stuff across all of the industries. Cyber security exists everywhere and it's part of our lives and everything we do. So if you want one of these kinds of jobs, there's a good chance that you will be able to get one. There will be jobs for you to do and go get. One of the nice things too is the Bureau of Labor Statistics includes a little tab on their site that says how to become one of these. So if you're interested in becoming a computer and information systems manager, you can click on that tab and find not a whole lot of

information. It basically boils down to get a bachelor's degree and then shrug your shoulders, right? Like there's not a clear path here. Uh and that's a little bit of a challenge for us then because it's like well how do we define your journey and your path to becoming an information security leader right like how do you get there just get experience and get a bachelor's that's it's not that easy right uh if you're familiar with NIST they have their NICE framework for cataloging all kinds of cyber security roles and jobs and putting them into neat little buckets and helping you define key areas that you'll have to understand in these different capacities and that's great

too to look that and be like, "Oh, okay. What kinds of domains do I have to understand? What kinds of techniques and technologies am I going to have to understand?" But again, it doesn't really lay out like a path for you. It just kind of says like, "Well, here's some stuff, right? Get learning." There is a site run by a nonprofit called CyberSeek. CyberSeek.org does give you a little bit more of an idea of a path. For them, the CISO role would fall under the cyber security manager bucket, right? Which they predict will grow and yada yada and all the good stuff. And they gave you some stuff that you can go here. But one of the nice things is you

can actually dig through and get an idea of like, hey, what kind of certifications will actually help me achieve this role or what kind of roles and skills will I have to have for this role? Right? You can kind of pull these things together and you can actually navigate from feeder roles like IT support or networking or dev and into these parts of cyber, right? So from there, you know, IT support to cyber security specialist to cyber security analyst or consultant to manager. It is this nice little linear progression of things that goes along the lines that you can follow to help get an idea of what your career trajectory might be. But, you know, it's one of the things that I

find a little frustrating with the tool is that if you select the mid-level or the advanced level for a lot of this stuff or like manager and things, you'll notice that it highlights a couple of feeder roles that they recommend like networking or software dev, but it leaves out IT support. And realistically, IT support is a perfectly valid feeder role to go to CISO or anything else. Any of these feeder roles, anything over here from the side is a great way to break into cyber or break into tech and get your feet wet and get going. So you can actually start moving left to right and up the chain on whatever you want to do. And I would

also let you know and highlight the fact that you know there are more than just manager titles at the end of your career progression. Becoming a CISO isn't necessarily everything and it may not necessarily be the thing that you actually want to do in the end. It's an exciting title and it's cool, but engineer, architect, all these other pathways are really perfectly valid and for a lot of people may be a lot more fun. So, think about that as you're kind of going through things and figuring out where you want to go, whether management is actually the thing you want over doing something more technical. The other thing that I don't like necessarily about these tools is I think

they're great for giving you a general idea and a mapping, but they're very linear, right? It's it's very left to right and those kinds they're kind of the way things go and it's good as a guide, but realistically most people's career pathways don't go so straightforward. You know, you've got ups and downs and lefts and rights and you'll bounce back and forth between different roles and things. It winds up looking like a family circus comic by the time you're done with it, right? It goes all over the place. And being a CISO isn't necessarily the end of it, right? I held that title for a while and that's not my title currently. You know, you will move back and forth and up and

down as you go and that's perfectly valid. There's nothing wrong with that. There's nothing wrong with deciding that you don't necessarily like something or something may be better for you. It's about finding what you enjoy and doing it so that you don't necessarily wind up in a situation where you run into burnout. So, I'm Nicholas Carroll. Uh as I mentioned on the first title slide, I have done a little bit of everything from help desk to CISO. Uh and before I was help desk, I was not even in tech for a while, right? I've done all kinds of different things over the years. I work for a company called Nightwing, and I put our careers link up there earlier.

And when I share the PDF of this on LinkedIn later, you can go look at that or you can Google Nightwing jobs. Uh and hopefully you don't get the DC comic character trying to like look at your resume, you actually get our jobs website if you want to look at some stuff there. But we support Fortune 500s and government stuff and things like that. And we're hiring currently. Uh but also there are plenty of companies here at this conference who are looking for talent and hiring as well. So make sure you connect with them. You know there will be intuitits here. Adobe has a booth out there in the back. Every year I'm here. Adobe Adobe is out there

looking for people and hiring and recruiting and it's great. Like it's a good place to be to connect with people and share and learn more. So how did I go from help desk to CISO? Let me share a little bit of my actual journey and what I did, right? So, I was young and I got my AA degree, right? And I was in college and I was like, well, I want to do uh political science and foreign affairs. So, that's what I was doing at Florida State University. Uh, and I started working at FSU in a couple research positions and OPS, like part-time jobs and things. That's where I finally started working. Uh, and eventually I decided that no, I

kind of hate this. Uh, I burned out on my bachelor's degree and I bombed out of FSU for a while. And so I wound up with just an AA, which confused recruiters for the longest time of how do you have an AA from FSU. Like I didn't even know they did that, but it's like no, I I uh didn't finish, right? I got to year three and was like this isn't for me. So I left school and I got a job at Home Depot. And I pushed shopping carts for like half a year. And eventually from pushing shopping carts, I got to know some of the interior parts of the store better on electrical and plumbing and

things. And I got promoted to actually working in those areas. And in those areas, I learned a little bit about being hands-on and tinkering with things. But I had a manager who was old school, the customer is always right kind of customer service. And so I learned customer service skills at Home Depot. We had to make sure everything was right and we were taking care of our customers and we were doing things well. Customer service is one of those skills you will need to build on your way to becoming a security leader and manager because everyone inside and outside of your company is a customer. So, you will want to grow that at some point. After I

worked at Home Depot and I learned customer service and things, I actually got a job at U-Haul and I took my customer service skills there and they were like, "Well, we want you to be a mechanic. We want you to be a mechanic on our trucks and trailers, but also somebody who will service people's towing systems on their trucks and things that they bring to us. So, we want your customer service skills. And they're going to teach you how to troubleshoot and diagnose things. So, at Home Depot, I learned customer service. And at U-Haul, I learned troubleshooting. So, customer service plus troubleshooting equals help desk because that's literally what that job is. And in fact, I got my first help desk

job at the college I bombed out of at Florida State University. I actually wound up working there at that time. I got my job on help desk. And that exposed me to networking because there was an enterprise networking team and we were constantly going around and it was always an, you know, an argument of is it the network or is it the computer? And so I learned how to do Wireshark and all the things so we could prove who was wrong and who was right. And eventually that got me into networking and I got my Net+ and my CCNA and I got moved into a networking role with a state agency for a while and I did that

there and then I went to work for a small company that had its own small data center doing networking for them and there I got into firewalls and things and it's like this is neat. I like this kind of stuff but I didn't really understand what those alerts meant. Why are we getting told that we've got 10 quadrillion packets a day coming from China trying to do some sort of brute force attack thing? What does this mean? What do we do? So I went from networking, I got my C, I got my Sec+ and I started getting more into security and I went to security administration, doing EDR work, doing firewall work, doing you know the actual

security administration side of things and learning how that works and how to apply defenses to different systems. Once I learned how to apply defenses to different systems, I got into my first security management job and it was literally a small company that needed somebody who understood like, hey, how do you apply this stuff for HIPAA? And I was like, well, I got my healthcare IT technician certification. So, I have some understanding of HIPAA and I have some understanding of security automation and security pieces. They're like, that's great. We're going to give you a job in this. I didn't last very long there. Uh that was not a great place to be. But I learned a bunch about management and

actually what management means and how to do people management interactions in the short time that I was there. Uh and that served me pretty well. But I was like I kind of I kind of don't like this environment. And so I bounced out of there and I wound up in auditing. Uh and I actually wound up doing auditing for the state of Florida in election cyber operations. So, I was part of a team that actually was traveling the states looking at elections infrastructure and trying to figure out what's good and what's bad and how do we make things actually look good and work the way we want them to. And from that position, I started doing

that, looking at like local government stuff and things like that. And I then I was like I turned my eyes to the state government stuff and I was like, "Hey, by the way, if you guys want to match what we were doing there, we should do this and this and this." And so I was communicating and managing up a little bit to some elected officials and they liked the fact that I was willing to speak truth to power and bring them that information and I was presenting it to them in ways they could understand because I was not using technical jargon all the time. And they were like, "That's great. We want you to be our

security leader." Uh, and so I got promoted to being the CISO for the Florida Department of State doing the election cyber operations. And I did a lot of the election cyber architecture for the state of Florida for a while. Uh, and this is fun. And I did these things and eventually they were like, "Oh, we like what you're doing here. Could you do it for the rest of tech?" And I was like, "Okay, I guess." And so I wound up becoming essentially the chief technology officer over about 50 employees doing dev, network, help desk, security for the state, everything. And at this point, the job stopped being so hands-on and fun. And it started being a lot of PowerPoints and budgets

and arguing and crisis communication. And it's one of those things where it's like, "Wow, these are the skills you have to have as a CISO. I'm really tired of getting calls from the FBI at 7 p.m. at night. I think I want a break." And so a buddy of mine actually, you know, told me like, "Oh, we've got an opening." And stuff like that. So that sounds interesting. So, at this point in the chain, I I actually went back and got my bachelor's degree in cyber security. Uh, it only took me almost 20 years from the time that I originally bombed out to really do it. And then I moved into a more technical management role where I'm at now at

Nightwing where I do I I lead a team of very self-driven people who are doing a lot of cyber threat intelligence and incident response work and helping to assist SOC workflows. And now we're starting to get into doing a lot of AI and cyber defense projects. So, we're doing, you know, a lot of automation workflows and things that we're putting together. And we're working on training agents for things that we can incorporate into the SOC to lighten the burden of the rest of the stuff that we're doing. And that's what I'm doing now. And it's really interesting. I like it. I get to build stuff. It's more technical and it's fun. That doesn't mean I probably won't go back to a CISO

style role in the future. I probably will. It just means that right now what I am like doing and what I am doing is a little bit more hands-on technical management with a team of self-driven professionals where I have to focus less on the budget or on you know employee relations and things like that. The kinds of things you'll have to do as a CISO but aren't necessarily always that exciting, right? So technical skills aren't everything. Like I said, customer service, project management, leadership. Those are all the kinds of things you'll need there. In the how to become one on the Bureau of Labor Statistics, they kind of hint at this. They mention leadership skills and communication

skills, but literally it's like a bullet point. They don't really give you a whole lot of guidance on how do I get those or what do I do? It's just kind of like, yeah, you'll need this. Figure it out. And the same thing on CyberSeek, right? It's just a bullet point. Do you need project management and risk management? Again, not tons of information on how or why or where do we go to get those things. They just kind of are. So, I'm going to tell you right now, if you want those kinds of things and you want to build those skills, you need an MBA. Everyone in here who wants to be a security leader needs an MBA

and not the degree, right? Don't worry about that part. I'm not actually talking about that. What you need to do is master, build, and articulate. Right? The actual skills you will have to have aren't necessarily going to come from a degree. Degrees are great and you should get one if you want one, but it's not the end all be all. You know, they're not going to teach you the specifics of how to handle crisis communications for cyber security in a degree program. You're going to have to learn some of that on the line in the line of fire doing it, right? But you will need to be able to go in and talk about things and

really be a master a master of technical skills and domains. You're going to have to understand a lot of IT and technology and how it interrelates and how it works and what all those pieces are. And you're going to be able to master business and finance because you're going to have to be able to take those technical skills and translate them to people who don't understand them, right? They understand risk and dollars and so you have to be able to speak risk and dollars. You're going to have to build your network and your connections. Realistically, a lot of these jobs, especially at the top, aren't posted to job boards. They come from recruiters who find you on LinkedIn. They come from

connections you make at conferences and things. Building trust and connecting people will get you a long way when you're trying to move into those high-level positions, but not just outside of your own company, right? You need to build opportunities to practice leadership inside of where you're at right now because leadership is a skill and it takes time to develop. You have to work on it and you have to do that in ways that don't necessarily always happen at the lower levels in IT and tech stuff. You don't get a lot of leadership things. You have to make it and articulate. Your ability to communicate and storytell is what's going to land you a lot of your higher level jobs in

management and help you do these things. Right? I became a CISO because my secret weapon was PowerPoint. That's how it goes. And then eventually you're gonna have to get into being able to do things like crisis communications and proper executive presentations, right? Really, you're you're mastering business acumen. You're mastering all parts of the business, not necessarily from a degree, but from the kinds of skills you build along your journey. In my journey, I learned customer service at Home Depot. I learned troubleshooting at U-Haul. I learned technical skills at each step of the way that I got a new certification or I leveled up a job. And when I combined all those things together, it eventually wound up putting

me into a leadership role, right? Where I could be working with more of the overall business. So, a couple more specifics things then, right? So, mastering technical skills and certifications, you're going to have to understand a lot of tech stuff and you're going to have to be able to show that you can understand a lot of tech stuff. I know degrees and certifications can sometimes be a hot button issue or a little controversial, but they do have their place, especially in your journey on these things. See, because here's here's one of the things that happens. I, as a security leader, write a job description and I hand that job description to a recruiter or an HR

specialist who has no background in tech or cyber and no idea what any of these things mean. and they are the ones who do a lot of the initial screenings and they post the jobs and are looking through stuff. And so what happens then is they don't want to bring you people all the time to their security leaders that may not necessarily understand things or have some way to validate that you do know that thing, right? And that's really what some of the value comes from from certifications. One of it is literally you learn stuff which is really good to do and you should always be doing that. But the other part of it is you get that credential that helps

you pass those initial gatekeeping points for HR and recruiters because now they're more comfortable making the recommendation for you because you have a CISSP or a CISM or whatever else, right? You have something that backs your knowledge in that domain. So that's where that value comes from is that it kind of serves as a checkpoint that non-technical recruiting staff can use to help feed you into more exciting technical roles. You're going to have to master a lot of stuff in GRC, too. Governance, risk, and compliance, especially your frameworks, your NIST, your ISO, your COBIT, all that stuff because you're going to have to be able to manage the governance of your organization, right? You're going

to have to actually be able to apply best practices and things. You know, for us, when we were doing it in elections, we did the CIS framework for critical controls. So, it's like I can map this to NIST or HIPAA or whatever you want, but it's an easy breakdown checklist that I can go through with everybody. You can take that same concept and idea and put that to any job you're doing right now. You can start dabbling in governance a little bit. Take that kind of stuff to your boss now and be like, "Hey, by the way, have you seen this best practice thing or even you've seen this compliance thing?" Show them that you're interested in that kind of stuff

if you want to grow that way. But I will tell you that when it comes down to it, experience does beat all. Certifications, degrees, and things will help you get your foot in the door. Time spent doing these roles and your ability to communicate that you have done the role is going to be what helps you open and get the next job, right? And get you that next piece up. Being able to show that yes, I I was new to cyber. I got my degree and I got a junior SOC analyst role or I got a help desk role. I got a thing. You know, you have time in seat that makes you valuable and proves that

you were you're doing things that's going to go a long way. Business and finance, I hope you like Excel. Because it's going to become a large part of your job. You're going to know pivot tables like nobody's business by the time you're done with this stuff, right? The CRM systems, the stuff the business uses, you're going to have to get familiar with that. You understand how to manage a budget because what's going to happen as a security leader is the board is going to come to you and say, "Hey, you've got half a million dollars this year for salary and you've got a quarter million dollars this year for security licensing and tool sets." And it's going to be your responsibility

to make it all work. And so you have to be able to track and show what you're doing and why. But then you actually have to be able to take this information and turn it into something that they can consume. Metrics matter. Things like mean time to detect, mean time to respond. They may not necessarily sound exciting for things, but when the board comes to you at the end of the year and says, "How did you spend our money and why should we continue to invest in you?" Being able to back that up with proper numbers on, hey, look, that firewall we bought, it blocked half a million things right here. It blocked half a million things right there. This

analyst that we invested in training for, look at this incident response thing that they were able to do. They stopped the ransomware incident. So instead of paying $10 million to recover, we paid for one person's salary and we were golden, right? You have to be able to translate all of the stuff that you're doing into dollars and cents that they understand and then show it to them through metrics in easy to read and easy to understand bites so you can speak their language. Build your network. All right? You will have to build a network of people that you're working with on stuff. LinkedIn isn't just for shameless self-promotion. You can use it to actually find your

local groups to connect with the people that you actually need to be working with in your area to get the next leg up on what you want to do, right? Find your local connections. Find your your chapter of like the cyber breakfast club or your ISACA chapter or ISC2 chapter or whatever, right? Find those groups, connect with them, go to their meetings, meet with them. Actually start getting face-to-face interaction with people. When you want to be a leader, you have to be likable. People will have to want to work with you and people want to work with people they know and trust. And so if they know your face and they've shaken your hand, they are more likely

to want to hire you or promote you into doing something right. So do that around your area. Do that around wherever you're going for things. Build that network out, but build your internal connections as well. Start to build trust across teams. Make sure that other parts of the business kind of know your name, right? Volunteer for cross-functional projects or volunteer to go and sit with another team for a while and learn how they're doing things so they know that you care and that you're interested and you can help translate things to their needs and you understand their pain points and honestly try to find a mentor in a lot of this stuff too right like I did Proving Ground a couple

years ago and they partnered me up with a mentor to help me prepare my talk on things, and that helped a lot. Finding a mentor really works. It helps you kind of build a connection and grow, but it helps you understand different ways the paths work. My journey is mine. That other CISO's journey will be different. And the journey you might have to take to reach CISO in another organization is going to be completely yours. And so getting outside perspective from multiple mentors and experiences can help you shape what you need to do to get where you want to go. And especially if you're at a lower level, build opportunities for leadership. Right? When you're on help

desk, they don't usually come to you and say, "Here's a half million dollar project. I need you to manage the whole thing." Right? Like that's not going to happen. You're going to have to find and make those opportunities for yourself to show that you can be a leader. So volunteer for smaller stuff, right? New APs come in, volunteer to lead deploying those. They got new desktops in, volunteer to lead actually imaging them, right? All of those little things that you're doing, you're starting to build the leadership skills that you need to grow into a larger management or leadership style position. Leadership is a skill. You have to practice it. And it's built on a bunch of other skills

like customer service, emotional intelligence, project management, flexibility, all kinds of stuff, right? It's the kind of stuff that you will learn and grow through practice in your day-to-day operations if you're volunteering to actually take on stuff and kind of guide things. You don't have to be bossy. You don't get in there and be like, "This is the right way and we're doing it this way." Right? You just volunteer to be like, "Hey boss, instead of you having to have that mental load of putting out these desktops, I'll put it in a spreadsheet and help track it for you." Right? Like, show that you're interested in doing that kind of leadership and getting started on it and show that you want to

do those kinds of things, but also be willing to embrace accidental leadership. There are going to be times where you're kind of standing on the deck of the ship and no one is at the wheel and while the ship is still going in a direction, it's starting to list in the wrong way and nobody wants to grab the wheel that's spinning because they're afraid they'll get hurt. Don't be afraid to just stick your hand out and grab the wheel and help give some direction back to things, right? Don't be afraid to volunteer your opinion or your input on stuff. And again, you don't have to do this in a way that is pushy or mean. You can just raise your

hand and say, "Hey, I've got an idea. You know, why don't we try this? Why don't we do that?" Volunteer some ideas. Volunteer some information out there and start showing that you want to guide things. Embrace those opportunities where there is no leader there and you can kind of step up and go, okay, I think maybe we should try X. Doing that kind of stuff will get you recognition internally and it will help you build the types of stories you need to be able to tell when you're in an interview because when you're in an interview for a leadership position, they're going to ask you things like, "Tell me about a time you, you know, saved a project or

whatever." And you need to be able to speak to that from experience. And those are the times that you can actually get that experience. Articulation. I'm telling you right now, storytelling is the biggest thing in business, right? Your ability to actually craft a narrative and help people understand and be interested in something. You're going to be a storyteller in these types of roles. You're going to be talking to people that have no background in security and no understanding of this stuff. And you have to take this super thing that they think is dry and boring, and you have to get them amped about it. You have to get them excited to give you a million

dollars for a firewall. That takes a really good story. So, you have to be able to talk about things in ways they understand and things they want to hear and talk about and see, right? Um, there's a book and I've had some books on the slides that you've seen and I'll be sharing the slides out later, but there's a book called Made to Stick by Chip Heath which is all about communicating things that can be a little bit difficult or things that people don't necessarily want to understand. I highly recommend giving it a read. It's actually not that hard of a read overall. It was pretty quick. But it can help you kind of wrap your head

around like how do I start communicating some of these weird things or these extraneous things that people don't want to listen to, right? How do I get people to remember that security is important? You want to make sure you're communicating that stuff out and practice storytelling. You know, get up and speak at a conference. Like I said, I did Proving Ground a couple years ago. It was great. They gave me a mentor, someone who had done Black Hat and Defcon before, and they taught me a little bit better about how I would make my slides better, and they taught me a little bit better about how to speak better and how to get in front of people, right? Don't be afraid

to get up there and talk about stuff. Even if you don't think you have something to share, you really do. You have some different perspective or you've done something differently or you've learned something that you can be sharing. And by practicing sharing that, you're building your public speaking skills that you're going to need to be able to get up in front of a boardroom and tell your story, right? Same thing with, uh, there's an organization called Toastmasters, right? And you probably have a local chapter. All they do is help people get better at public speaking. You actually write little scripts and things and you go out and you practice and critique and you get

better at getting in front of people and being comfortable on stage and doing that because it is a very critical skill in communication to be able to stand up in front of a boardroom or stand up in front of a conference or stand up anywhere and speak your voice. That is something you're going to have to do a lot and you want to be comfortable with it. And there's a book by, uh, Jeffrey Brown called The Security Leader's Communication Playbook. Another really good read too for helping to translate security things to other aspects of the business, right? Because they don't speak security, but you have to make them understand it if you want to defend

them. They look at security as a cost center. It's something they don't want to spend money on. And you have to convince them that it is actually something that's going to either save them money or generate money through your defensive actions. If they understand that and you convince them of that, then they will open the coffers and fund your programs. And you got to be ready for the stuff you don't want to do necessarily. Crisis communications, executive communications. Don't make boring slides. Don't give people a wall of text. There's, uh, if you ever work with someone who probably came from a military background, there's a concept known as death by PowerPoint where it's like here's our PowerPoint slide and

it's just like 17 bullets in tiny tiny font and it's like wow, you tried to put it all there and it's going to take me three days to read this thing and I've got 30 seconds to read this slide from across a boardroom. It doesn't work. Right? Visualizing data, putting stuff into charts and graphs, making it things that people can see and understand, giving them reference points goes a long way. And break your slide up a little bit too, right? Give some visual balance to things. When people see charts and things, they kind of start to understand a little bit or at least they can understand, you know, what is up and down and what's good and bad a little

bit better even if they don't fully understand all the security concepts. You want to make sure they can visualize that data. I have a little bit of an unfair advantage in some of this. My wife has a BFA in graphic design and a master's in communications. Uh, and while she doesn't make my slides or anything like that, she talks about that stuff non-stop. And so I've had to like hear about Pantone colors and all these things that it's like, oh boy, it just kind of starts rubbing off. You can just go out and find some really nice templates online for PowerPoint that will start giving you ideas of what makes a good visualization or how should I be

visualizing this thing or how should I be showing it in a slide or how should I be breaking up my slides. You don't have to be married to someone uh who will not stop talking about art all the time, right? Like you can go out and just find some examples and start relating from there. And make sure when you put stuff down, you are translating it to risk and dollars because the people who control the purse strings in the business understand risk, opportunity, and money. And so you want to make sure that that's the way that you communicate because that's the language the business speaks. So if you can communicate that to them, they will be understanding and they will

be more likely to want to work with you on stuff. And then honestly, this one's a little hard, but you need to practice having difficult conversations because it's going to happen. A system is going to fail. A threat actor is going to get in. And you have to be able to get up in front of the boardroom or get up in front of people and say, "Whoops. Here's how we're going to fix it." Right? Like, it just happens. You have to be comfortable and confident in that situation. And if you're comfortable and confident when the worst has happened and you're able to do that, they're more likely to follow your path out when you try to guide them where they need to go.

So you want to be able to communicate to them. And you only really get that through practice. If your organization does tabletop exercises, practice crisis communications as part of the tabletop. Bring in your comms team to help you, right? Run stuff by them. Work with them on stuff. Get them involved in it so they're part of it and so you can see how it works and you can try to practice some of it yourself so that when it eventually does happen, because a breach is going to happen, it's inevitable, you're okay communicating that thing. Finally, I'm going to leave you with this last little bit here, that honestly being CISO isn't everything. Like I said, architect, engineer, developer,

there are tons of amazing career tracks and pathways that you can go to and CISO and security leadership tends to be a very high-risk, somewhat high-risk reward, but high burnout position, right? When something goes wrong, it's your fault and you're the problem and you're probably going to get swapped, right? That's kind of the way it goes for a lot of stuff. But you can kind of help mitigate some of that through good communication and working through things. But think about what you really want and whether you want to be doing budgeting and whether you want to be doing people management and things or you want to be doing more technical stuff or more development stuff and apply that towards

the actual pathway you want to follow. Uh, so anyway, that's my presentation. I appreciate you all coming. If you've got questions or things, you can feel free to shout them out. If not, I'll be kind of hanging out over here for a minute. Just come up and chat.