
Welcome to the panel "Navigating the Labyrinth of Security Careers." Please give a round of applause to our amazing panelists and panel moderator. Just a quick note: if you have any questions throughout the panel, please submit them to Slido. You can use the QR code outside of the theater or go to bit sf.org Q&A, and we'll address them at the end of the session. And now I'll hand over to Nicole, who will present our panelists.

Excellent. Welcome, everyone. Before I introduce myself and our panelists, I want to say welcome to our panel this afternoon, and I want to start with a little audience participation. So, show of hands: how many individual contributors do I have in the room? So people in security engineer, analyst, software engineering roles. Excellent. Okay, so keep your hands raised if you're thinking about dabbling in a different security domain, maybe pivoting: privacy, detection and response, switching it up. Yes, okay, we'll have something for you, spoiler alert. Okay, now, managers in the room? Yay. Any of the managers in the room thinking about what's next? Is an executive position in my future? Where do I grow from here? Yes, we'll have something for you a little later too. All right, well, thank you all for being here this afternoon. We'll start our panel by introducing ourselves and a little bit of our origin story, how we all got into the security field in the first place. So I'll start and then hand it over to my panel.
So my name is Nicole. I currently lead platform and application security at Roblox, kind of focused on all the proactive security space. And my origin story, how I got into security, was really by total accident and chance. I started out as a full-stack software engineer, and it turns out, during my time at Yahoo while working on identity, when you're on the other side of a state-sponsored attack you become a security professional pretty fast. So that's how I got my start, and I'll be here for life now. So I'll pass it over now to Caroline.

Hi, my name is Caroline Wong. I'm the Chief Strategy Officer at Cobalt; we're an offensive security company. I got my start in security when I was a high school student and my immigrant father said to me, "Caroline, what would you like to study in college?" And I said, "I'd really like to study dance or psychology." And he said, "You're going to study engineering and you're going to attend the best school you get accepted to." And so I studied Electrical Engineering and Computer Sciences at UC Berkeley. I ended up getting an internship at eBay between my junior and senior year, and when I graduated it was 2005, so it was right after the first version of PCI DSS had come out. And the rest is history.

Hi everyone, Swathi Joshi. I'm currently VP of SaaS Cloud Security at
Oracle SaaS, so my team's remit is securing Oracle applications that sit on the cloud. Previously I was with Netflix leading their detection and response team, and before that I was an incident response consultant with Mandiant. Very much unlike Caroline and Nicole, I did a very intentional switch to security. I graduated with a Bachelor's in computer science and started out as a Java developer, and then wanted to come to the United States to do my master's. But I did not want to do my master's in generic computer science, so I was looking around, and that's where the code that I had written would go through SAST and DAST, and that's how I got to know about security. I looked at a couple of universities that were NSA accredited and got into security. And yeah, like Nicole, I'm here for life now. Good to be here.

Everyone is stuck for life. I'm Anna Bellus; I lead security at Netflix. My origin story for getting into security is that I started tinkering a lot with computers and technology as a child, and so I am self-taught; I never went to school for anything, really. But I took a lot of different jobs within the security space. I've done anything from offensive security, network security, product security, application security. I ended up doing distributed botnet-type detection
activities for a very long time. So glad to be here, but also maybe not for life. Yeah, TBD, TBD.

Hi, I'm Tanvi. I did math in undergrad and didn't really know what to do with it. I thought about being a professor, being an actuary, and then in my last year of undergrad I discovered cryptography and everything kind of came together. I did a master's program that was math and CS joint, learned more about cryptography and web security, and then went on to take a role on the Paranoids team at Yahoo working on web application security. From there I moved to work on securing the web platform itself at Mozilla, and I pivoted over to privacy halfway through that, which I'll talk about a little bit later, working with the W3C Privacy Community Group. I co-founded that group to build the next generation of privacy-preserving APIs for the web, so we were providing users not just a secure experience but a private one too. And then after a decade at Mozilla, I'm now a principal engineer at Google working on privacy and security, and some policy too, in Search.

Excellent. So now we'll shift into pivoting. Let's talk a little bit about pivoting into different domains, different roles. We've all made different career pivots into different domains, so tell me a little bit about how you made the swap. Was it intentional? I'd love
to start with you, Tanvi, in that you made a really intentional switch into the privacy domain.

Yeah, so I had been working at Mozilla on security, and over time I saw the threat model changing. I was no longer just thinking about attackers breaking into systems and user accounts; we saw in the world that technology companies themselves were leveraging web technologies to learn data about people, create profiles on those people, share that data, and then have that data used for various purposes, including micro-targeting and manipulation. And back then privacy wasn't getting the kind of attention it is now, and so I really felt like I needed to get into that space and go beyond protecting the user from an attacker, but also protecting them from these companies at large. And so that's kind of how I pivoted into privacy, and then it was hard to go back. The mindsets are very similar, though, the skills that you use in one versus the other. And so now I'm in a role where I get to do a lot of different things, but still privacy is my passion.

Caroline, you've made some really interesting pivots as well. Would you tell us a little more about those?

Yeah, so one of them is I actually began my security career in the GRC area. At eBay I was responsible for our information security policy. I was
partnering with business and technology leaders at, for example, PayPal to ensure that we were compliant with PCI. Next, when I went to Zynga, I wrote the very first information security policy to help take that company public. At that point in my career I made a pivot from GRC to application security and offensive security. Now, because I began at eBay I did have some exposure to web app security, but it wasn't really until I began to do management consulting at Cigital, particularly as a BSIMM practice lead, and then currently at Cobalt, where I focus a lot more on the offensive security side. Another kind of layer of pivoting that I want to share has to do with going from policy towards more quantitative. So I think of both of those things as being under an umbrella of risk management, but certainly to shift from a policy and compliance view of the world to kind of a quantitative testing view has been really fun, to kind of change it up.

Yeah, I think for me, to answer your question, Nicole, is it easy to pivot? It's not. It is hard, but it's doable. So I had a little bit of a swing between generalist and specialist. In the early part of my career I was focused on doing proactive security: AppSec, you know,
risk, compliance. I was a security analyst; I started my career as a security analyst in the SOC. So I've done a lot of preventative security things, and then I interviewed with Twitter and Google and both of them rejected me. They said, we love you, you're amazing, but we don't know which team to put you on. So I had become a generalist at that point, and I realized okay, I need to go the specialized route. And then throughout my career I had gotten really good feedback that hey, your crisis communications, calm under pressure, like you're great with incident response, you should try that. It was also that I hadn't done the defense side of the house, so I decided I want to do that. But it was difficult to get a job at Mandiant. I got rejected once; I had to do the interview again, and I got through. So the six years then, four years at Netflix and two years at Mandiant, I was focused on defense operations. So at that point I had preventative experience, defensive experience, and then I was like okay, I want to do the whole thing, and that was difficult too. So now I kind of had to dig myself out of the hole I dug myself into. I was a D&R leader and now I wanted to be a security executive,
so I had to go back to proving that I could be a generalist and could lead. So yeah, it was not easy, but it's possible.

And then let's chat a little bit about making the switch from individual contributor to people leader, manager. That's something I resisted for many years in my career, and eventually I was ready to try something new, try a new challenge. I'd love to hear about your journey from being more on the adversarial, red team, hands-on side, Anna, to being a people manager.

Yeah, and first of all, I think women especially oftentimes get sort of forced or corralled into doing leadership roles because there is an understanding or a prejudice that we are more soft-spoken or perhaps have better people skills or whatever. And so I think I also resisted that for a very long time. I think my move into management was frankly not a choice; it sort of had to happen. They did not really have any better alternatives, and so I stepped up into something that I wasn't particularly comfortable in at all, but I ended up loving it. But now when I do management coaching for people who are interested in moving into management, we talk a lot about motivation, right? Are you ready to stop doing the thing that you want to do every day and instead support others in
doing it? And are you also ready to let others do the thing, and enough that you let them fail in doing it without you stepping in and doing it for them?

I think one thing for me, as I became a much more senior IC, it became much more nebulous for me, like what does growth look like? I'd love to hear a little more about your journey in growing in very senior and specialized IC roles, Tanvi.

Yeah, I really enjoy the fact that I got to stay on the IC track as a principal engineer, and that there are companies that have principal engineer, distinguished engineer, fellow, like areas to grow on the IC track. I find that you can wear multiple hats in this role. Sometimes I go very deep into a technical problem and figure out how to solve it; other times I'm figuring out what's the product strategy for privacy and security; other times I'm working across functional teams trying to deliver on something. So you get to dabble in a lot of different areas, and it's a very unique role that allows you to do that. It's not so much like okay, you're on the management track, this is the way you go, etc. The other thing I'll say is I did manage for a year, but I almost got into management multiple
times, for these reasons that Anna talked about: soft skills and leadership skills. And I kind of told myself that, you know, those soft skills will be there, I'll have them in the future, and right now I want to challenge myself technically, so I'm going to stay in the technical role. I also had another reason, which was that I was raising two small boys. I had two kids. I thought on a management track I'll have to be on the hook at a specific place at a specific time, and sometimes I might not be able to do that. So let me stay on the IC track and one day I'll do management. And here I am, still on the IC track and very grateful that I stayed in that role.

Swathi, I know you've made a few switches from individual contributor to manager and back to IC. Tell me a little bit more about that journey for you.

Yeah, I think for people in the room who are thinking about, oh, should I be a manager? Like, try both, right? Try it and see. And usually that trial and error takes a little bit; it's not immediate. It takes a few years of being in each of the roles and figuring it out. Yeah, so very similar to Anna, I was the founding application security engineer at Gartner, and then the team
grew and then there was no manager, so I kind of started doing the job and then asked for a promotion. So I moved into the manager role, and from there the scope expanded a little bit. Then I managed the identity and access engineering team and the AppSec team and what we then called the Client Security Center, talking to our customers about what we are doing in terms of security controls. So from there I got the opportunity at Mandiant to be an individual contributor, and I decided to do it and make the switch. There was lots of feedback given saying, do you really want to do that? You're on the manager track, it's going to be a step down, or, you know, either case. So depending on where you are in your life, to Tanvi's point, it was more money, which was great, so I decided to take it. Also because I wanted to round out my resume, so there were other factors that drove me to take that job. And after a couple of years of doing that and then moving to Netflix in the IC role, then I was a bit more intentional. I think at that point I was like, if I want to switch back to being a manager it was probably going to be a bit of a long-term switch, and I
was lucky that the opportunities did come to do that, right? That's not always the case. Sometimes you'll probably have to wait a little bit or try a few different avenues. So yeah, it was kind of interesting. So I think from now on, I think I've gone too far down the lane now. So never say never, but I kind of don't see me switching back to an IC role in the next few years. The other kind of pivot or switch that was also interesting for me was going from security consulting into Netflix, being consumer security, and now Oracle, being enterprise security. So at each stage I had to kind of unlearn what I had learned in the previous role and learn new things. So that's something that maybe you all would want to consider too, in terms of different industries and different flavors of security programs.

Yeah, and I'd love to double-click on that. I know we often, or I often, think about working in a tech company, being on an infosec team, and that is what a security career looks like. But I'd love to explore with the panel a little bit what working at a different type of company might look like, working at a security company. So I'd love to hear about
your experience, Caroline, being a senior leader at a security company.

Yeah, so you know, I do think that a lot of us, when we think about jobs in infosec, we think about being on security teams defending a particular company, and I had so much fun doing that at eBay and at Zynga. It's just an entirely different type of job than when you're working for a security vendor. You know, in the team practitioner role, you're kind of getting hit on all sides all the time. There's a lot of reacting to what's going on in the business, what kind of incidents are happening right now, you know, what's a priority. And certainly the whole point of security is to secure business value, and so there's always kind of this, like, okay, where's the business going, and can security try and get in front of that, try and get integrated with that. My later career experience as a consultant, working in product management, working in strategy for security solutions companies, it's actually totally different, because it's not solely about risk management. It's actually about how many customers can we help, you know, how many different problems can we solve for lots of different types of people. And so it's a very different thing, and I think that there are certain types of skills and experience that are really valuable on a security team, and at a security vendor I think that the universe of possible skills that can be applicable is really expanded, you know, whether a person is customer-facing, such as in a sales or marketing job, or product or engineering or even finance. So for anyone in the room who may actually not yet be in infosec, but if you happen to have a lot of experience or skills from a different domain, then that might be something to look at and consider.

And I'd love to turn it to you,
Swathi, and hear a little bit about your experience working at Mandiant, shifting from that experience into a tech company.

Yeah, the consulting experience. Yeah, I always tell some of the junior folks that if you ever get an opportunity to work as a consultant, I think it would be a really great one, or any type of customer support function, to be honest. I will say, though, that life did come a little bit at a personal cost. I had a young daughter at the time. When I joined, my daughter was a year and a half, so a year and a half into three and a half for the two years. I would take a couple of trips a month, but they add up, right? Like in two years you miss the ballet recital, my husband would be by himself, date night eating alone while I'm outside on a call. But that adrenaline rush is amazing. You learn quite a bit and you also learn how things are done in different industries. So I was managing a few different clients: healthcare, oil and gas, tech. So you really get a real slice of view of how these things are done in different environments, and then you're also really thrust into a high-stress situation. So I think stress management, executive communication, and really mixing that with technical skills, it's like this on-the-go job that you really learn. So stress management I really learned in that job, and that has proven to be quite useful throughout my career. And then when I came to Netflix, I was so used to the consultant life of, you know, have an agenda, you're going into the meeting, and at Netflix it was like, we're going to have a hallway conversation and we're going to do this. So yeah, you also have to adjust to how every organization talks and how decisions are made in organizations. And then when I moved to Oracle, this is a completely different role, right? So in this role, the skills that are needed downwards are very different from the skills that are needed upwards. The skills that are needed for my team are that you have to be very technically savvy; you have to know about ethical hacking and red teaming and GRC and detection engineering and what's going on in each of the areas. And then upwards I really have to be able to communicate effectively about risk, explain very complex topics in a few minutes, and make a decision and move on. And then the skills needed sideways, to talk to my peers in engineering and in operations or in HR and other functions, are persuasion and influence. So with this exec role you're really sandwiched between different priorities, and you use every tool in your toolbox to be effective.

Absolutely. And to that point, I'd love to hear quickly from every panel member: as you've grown in your career, what are one or two skills beyond, you know, technical hard skills, if you will, that have really helped you to grow in your career?

I think communication is key, and I think Swathi touched on something in your previous answer there around consulting and how it really exposes you to the need to communicate clearly for different audiences and having to learn
a lot about that. I think one of my biggest, where I've learned the most, was working in nonprofits for a long time, where you have to wear so many different hats, mostly in places you might not be trained in, and learn things really quickly. And I think that really helps in all these different areas too, but communication I think is the key skill.

Yeah, I think along with communication is understanding who you're communicating to and what their value system is. Often in security and privacy you're trying to convince people to do certain things, and so understanding what is the thing that motivates them. With every project there are various things to highlight, so I'll have a project, I'll have three different versions of a slide deck depending on who the audience is, on which thing to highlight, to help motivate them to collaborate with you. And the other trait that I find has been really helpful is trying to exude passion, and influence others, motivate others to really think about what they're doing, what the impact is, and demonstrate that so that they go the extra mile to get the project done.

Yeah, there's one that I'd like to share. Similar to other folks here, I've been in IC roles, I've been in management roles, I've been in roles where I've been leading people managers,
and one of the skills I developed along the way was how to build teams. So to me, as an IC there's a type of work that I can do and a type of impact that I can make, and I find that building a team and getting into a situation where 1 + 1 equals 10 if you build it the right way, to me that's so much fun. And then there is the hard part that goes along with team building, which is performance management. You know, it's entirely a different thing to be an individual contributor and to constantly be improving oneself and ensure that each of us is meeting our own expectations and exceeding those expectations; it's entirely a different thing to do that with a group of people.

Yeah, I would say two things for me. One is, you know, once a TPM always a TPM. TPM is for technical program manager. I definitely rely on that skill set quite a bit even in this current role, so to be able to organize groups, organize people around a project, around an outcome, around a result, I definitely use that quite often. The other one would be context switching. You're required to context switch very, very often. There might be an email where somebody's saying they have a better offer, so now you've got to go dive in and save. There is a zero-day that's dropped, so there is another Slack channel where you're trying to do incident response. You're trying to keep a tab of everything that's going on. You know, there is a peer of yours that has some resourcing issues and wants to borrow some people from your team: how can you solve for that, how can you be there for your first team? So if you have opportunities in your current job right now to context switch often, do that, use that muscle, because it's going to be quite helpful.

It's so true. I find often the
art is in, you know, if you have so many balls that you're juggling, finding out which balls are rubber and can bounce and can withstand falling on the floor, and which balls are glass and cannot fall or they'll totally shatter and break. So try to focus on those glass balls if nothing else. And then we'll round us out with our panel questions here, before taking some questions from the audience, with a little bit of a spicy one: the pinnacle of a security career, is it the CISO role? Is that what we're all aspiring to? Have we made it once we have a CISO title? And even if you get there, is that it? Are you done growing then?

No. Okay. You know, this is a little bit of an on-the-fly thing, but can we actually also adjust this question and say, you know, both do we think CISO is the pinnacle of one's career, and maybe secondly, each person from the group can share, like, here's a pinnacle in my career? Maybe not the pinnacle, because we're each still kind of a work in progress, but I think that could be a fun twist.

Yes, go for it, please do. I feel like you have to go first now, for the idea; you've got to do it.

And
I'm happy to share my perspective. I have worked very closely with many CISOs. It's not a job I want to have, personally. It doesn't have the things that are, for me, the perfect intersection of what I love doing and what is really, really fun for me to do. When I think about a role, I'm really thinking about how can I maximize my positive impact on the world, and for me CISO just doesn't happen to be that thing. In terms of a pinnacle for me personally, in 201 I wrote a book, Security Metrics: A Beginner's Guide, and in 2022 that book was inaugurated into the Security Canon Hall of Fame, so that was really fun.

Yeah, I think thinking of a title and saying that's the pinnacle of my career, I think that's very limiting, at least in my personal opinion. So that would not be sort of the best way, I think. Yeah, similar to Caroline, I think if it's impact, if it's whatever your criteria is, I think growth is that. But we all know that a career is not linear, right? It's definitely a nonlinear path, and just limiting it to that one title I think is saying no to so many other possibilities, which, it seems like,
I'll be doing a disservice to my own career by taking that limited view.

So I think about it less about level and position and more about what is it that I want to accomplish, like what impact am I trying to make, what threat am I trying to pivot in the industry, and then from there thinking about what role will let me get there. And it's not just what role; what company, what team within that company is going to let me set myself up to make that change, make it in one place, expand it beyond, influence elsewhere. So for me the pinnacle is making these privacy pivots in the tech industry itself, right? Starting at one company, pushing that to be the norm at other places, and then going on to solve another problem.

Yeah, there is something there about flexibility. I think a title to me feels limiting, which is a little strange perhaps to many, and so it's all about where you can find the most impact, and that's not necessarily the CISO job.

Thank you all for that. We have 15 minutes left, so I'm going to peek at our Slido and see if we have any questions from the
audience. All right, here we go. So we have a question here: do you have any novel ways that you use to communicate how security initiatives are tied to the highest-level business issues, speaking to 10-K risks, etc.?

Yeah, I think security metrics is a big topic and often doesn't get the love that it deserves in our industry, also because it's not only complex but extremely tailored to the organization where you are part of the security team or are leading the security team. So in general I think the top three metrics are pretty straightforward. If you're the security executive responsible to communicate this to the board, or even other senior executives in your organization, then, you know, incident health, right? Incident metrics, and what's going on, what type, like year in review, in the last one full year what type are we seeing, and then tying that to what are some of the investments that we have made or we have not made. I think that's very effective. The other one we often miss is around application or product security. You know, we talk about secure defaults and security by design and all of that, but how much of that is driven into the product, and as a result how much of the mitigation are we driving? I think that's a hard metric to track, but if we even attempt to track it I think it's an amazing story to say. And then of course we cannot just ignore compliance. It's always going to be there; it's essential for running the business, to provide that trust and assurance to your customers. So that's something to track closely. So I would say those three.

Yeah, I have a thought. One thing is novel, kind of, and one thing is less novel. I'll start out with the less novel thing, which is simply to say that throughout my career I've observed so many security professionals who do not have a super strong grasp of what their organization is trying to accomplish. So this individual mentioned a 10-K in their question. How many security professionals have read the 10-K of their company? How many security professionals are attending their company's all-hands meetings and paying attention and knowing exactly what the executives are talking about? How many security professionals understand what business metrics matter to their organization, whether it's, you know, LTV to CAC for different segments, rule of 40, like what do those things even mean? You know, we can probably talk about whatever vulnerability happened last week, but do we know these really critical things about our business? The slightly more novel one is to look in the news, like what happened recently to an organization that looks like yours in some way, shape or form, and then to say, hey, you know, this happened to them, what does our situation look like? And then, you know, it's a little bit of show and tell.

We have a question for you, Anna. You mentioned a challenge shifting to leadership was letting people on your team fail. How do you learn to cope with predictable incoming failures?

Well, that's a good question. I mean, how do you cope with predictable failure? How do you cope with predictable incoming failure? I don't know. Sorry, I would have to think about that a little bit, actually. Does anyone
else have a good answer to that?

I have a quick thought. Yeah, go ahead. Predictable incoming failure, as in if you're seeing something from afar and it's going to fail, that's a really rough position to be in. So you've got to then, if the ship is not going in the right direction, then you've got to steer the ship. So maybe it's a vision, a strategy. If it's a performance thing, maybe it's telling your managers to coach this person because you see so much potential. So it could be.

Yeah, and whether or not the decision that you are going to be making is retractable, right? We should take bets all the time, and if the decision that you're making is going to stick, can be really, really hard to retract, then perhaps we don't have as much appetite for risk or failure in that sense. But I think if we believe that the decision that we're making can be undone and we can pivot, then I think that's really where you let people fail a little bit more, perhaps.

Exactly. I think all of us, we learn from our own, you know, trials and errors, and it's important, I think, to help normalize taking risks, and having a little failure is okay. It's part of the journey, right? I'm going to jump down to one
that speaks to me personally I've made a few of these pivots um we have a question from the audience is it easier to it internally within an org or doable when switching orgs to I've done two job switch and security domain switches um I think for me it's just about building an external network and proving myself capable of solving different types of problems and learning quickly and that I think has helped me to make different both job and Company uh or excuse me company and security domain pivots at the same time um when I joined Netflix I got the recruiter reach out I was working on identity and access management and wanted to go deeper into the security
space, so when the security team reached out I thought, hey, I'm going to take the call and see what happens, and I ended up taking that opportunity. Similarly, my current move to Roblox: I was having lunch with my current boss and he said, hey, we have to build a security, you know, pick your domain, and I was like, that sounds enticing, I think I'd like to make a pivot. So definitely just be open to those types of opportunities as they come up; don't hop too much, but be open. I'd love to hear also on the question, right, whether it's better or not to do it
internally or externally. I think almost always internally; it gives you a lot more opportunity to grow and learn and to make mistakes. It's really hard to pick up a new job in a new place where you don't have familiarity with the rest of the stuff, right? If you know your job really well, you might know all the context for how the business operates, and so if you pivot within that space it's going to be a lot easier. Here's an interesting one: what does executive presence mean to you? Oh, so I think executive presence means having a vision and being able to inspire folks. I in particular think there's a distinction between executive presence,
which I think of as effective influence, and sort of being a task manager, you know, not exactly a project or program manager, but there's a difference between saying, hey people, here's a list of things to do, and saying to folks, hey, here's a super interesting, really meaningful problem that we have the power to go and solve and try and figure out together. I was moderating a panel on communication, like security communication, and is Flee in the room at all? Maybe not. So this is a line from Flee, who's Frederick Lee, who is currently the CISO at Reddit, and he said executive presence is BS. I do
not agree with this. So what he was getting at with that was that there is a certain box put around how an executive needs to operate: needs to operate this way, needs to speak this way. So he was getting at, hey, but there is showing up as your authentic self, and there is your personal style and how you speak and how you operate. If it doesn't really fit in the confines of executive presence, that doesn't mean that you have to completely change yourself. Of course, there are things that you can learn to match your tone and delivery to the audience, right? That we need to do in our daily job as well; like, you're
not talking the same language to everyone all the time. So yeah, I agree. I think executive presence doesn't mean you have to be in a box in a certain way, but whatever feels natural to you. And then we mentioned: know your audience and talk to your audience in a language that they understand. What is the most energizing part of working in security and privacy for you, and how does that play into your career choices and plans? I think it's that you're helping real people; there's a real connection between what you're doing every day and societal safety, and that's what keeps me going every day. Yeah. Can I
say money? Yeah, totally. I think there's something really special about setting an objective or a target and just blowing right through it. I also love working with folks and coaching and mentoring folks, and seeing individuals grow in their careers and build the impact that they're able to make. I think it's the complexity of the space. If you look technology-wise at security only five years ago, it's going to look extremely different from what it is today. We have to learn all the time, and that can be super challenging, but it's also really exciting. Here's an interesting one on influence: how do you convince your team
to prioritize a critical vulnerability reported on Friday at 8:00 p.m.? Somebody's jinxing us, right? Yeah, no, we're well into the weekend here; please don't drop any zero-days. How do you convince people to do that over personal commitments? So if it's critical for the business and it needs convincing, then there is a problem in the team structure or in the roles and responsibilities, is what I would say. Either the team is extremely strapped for time and resources and for mental load, or it's not clear who has the ball and who needs to run with it. So I think my first approach would
not be to try to convince anyone of it, but to try to figure out why we are here in the first place and why there is confusion around who needs to do this. Yeah, I think it's a process problem from two directions. The first process problem is: why is there a critical vulnerability in the first place? That's not an entirely solvable problem, but there are processes that you can put in place to lower the chances of that happening. The second process problem is that it sounds like there's no business process to handle something like that, and if it is critical, then having a critical thing happen when team members are unavailable
is not the right setup. Is this a good time to plug Ariel's democratized vulnerability management program that she spoke of earlier today? Yes. Speaking of the CISO being the pinnacle, with the SEC rule changes, do we see the new pinnacle as being a seat on the board to influence security strategy at the very highest level? Oh, spicy. All the responsibility and all the liability. Exactly. You've got to keep it interesting on a Saturday night. Great. There's been lots of discussions about some of the SEC rulings, and unfortunately they kind of come down to two things: one, it comes down to discussions about who the CISO should report to, and then
the discussion moves to why we need to have more CISOs on the board. I would honestly love to see us as an industry come up with more than those two solutions, because let's really be honest: where the CISO reports, I don't know, I think it's arguable, right? It's whoever in the company is able to open doors and help security get a seat at the table, and sometimes that's not the CEO; the CEO doesn't have the time or the resources. Sometimes it might be the CTO, and sometimes maybe the CTO doesn't have the time. So I think it's a not so useful conversation
to talk about where the CISO reports to and how that changes. Obviously we don't want security not being prioritized at the highest level of the company; we do need that, and there needs to be a cultural shift. I think there is merit to having more CISOs in the boardroom. I do think that it makes the conversation front and center, and if somebody has that security bent of mind and mindset and knows how hard it is in a highly cross-functional, matrixed environment to be successful in that role, and if they can explain that to the rest of the board, I think we can
drive some change there with that. Yeah. And with one minute left here, I'd like to round us out with this really nice closing question; this has been great. Any resources you would recommend? I have one, which is that today you've been able to hear the stories of a handful of us, and there's a lot of resources where you can learn about more people's security careers. I host a podcast called Humans of Infosec; we've actually got some of my guests here in the room with us, and there you can find stories of more than 80 different information security experts, and everyone's story is totally different,
so if you want to learn more and more variations on how to do this thing, check out Humans of Infosec. I can also recommend a very recently published book by Will Bankson and Mark Alik called The Security Path. I think there will be some hard copies tomorrow. Signed, yeah, signed hard copies, and a code beside. Well, thank you all so much. Thanks, everyone. Yeah, thank