
All right, can everyone hear me okay, even in the back? Awesome. Thanks, friends, for being here. Um, this is my very first time ever speaking at BSides Salt Lake City. I've been a part of the community here for a long time. Um, even the first time, I think Bryce kind of helped start the, whatever, just do BSides one year, um, I helped with the CFP that year, and I always thought, man, I am way too nervous and I'm way too scared of a person to actually go up and speak. And so it's taken me that long to finally get up here and hopefully share with you some things that will help all of us learn together.

So, um, today, uh, again, I appreciate you taking time to come listen and struggle through what I will hopefully do and convey this talk to you. I listen to podcasts on 2x speed, so I usually talk at 2x speed, so hopefully you're able to keep up here. I'm told to slow down because it actually gives a better experience for you, um, but I'll do my very, very best here.

Um, today I want to cover three different things: just the pathways to CISO, I'm going to use that in quotes largely because every journey is different; uh, next, just talk about the role intensity and demands; and then hopefully just share some anecdotes and principles and experiences that will help you in your careers if you're considering becoming a CISO at some point in your career, or a security leader. Remember, leadership is not necessarily analogous to a title. Uh, we can influence and help others wherever we are at in our own roles.

So for me, I'm a huge Fast and Furious fan, um, and, uh, you know, one principle that I've realized throughout my entire career is I seem to live my life a quarter mile at a time. If you looked at my LinkedIn, it's like, Matt, it's like you got a pogo stick, you jumped here, here, here, what's going on here? Just know, and we'll talk about it in a second, that's very intentional. Um, every career decision I've made has been very intentional and very founded on the why behind that. But if you feel this way, you're not alone. Um, just know that I think, I usually think two years ahead, thinking, hey, what's the right next step here, how are things going here? All of that's usually driven by my own personal drivers, and I'll talk in a second as well about making sure you discover your own drivers and how you make your own decisions. But this message isn't to say to go about life or your career haphazardly or flippantly. Uh, just know life is short. Um, you want to be a part of things that matter, and you just own every second. So your career is your own, and I want you to feel like you're always in the driver's seat of your career.

For me, speaking of being in a car, um, where did I start my journey becoming a, where I'm at in my role right now? Uh, about nine years ago I was sitting in a car in the Adobe parking lot. I think, uh, Nathan and Lonnie Bates were sitting in the car with me. I was on the phone with, uh, the CFO at MX negotiating my offer to be MX's next director of security. This was about two weeks after I had just accepted a counter offer for a prior offer from the same company, with Adobe to say, hey Matt, we want you to stay, we'll give you this title, we'll give you a different, you know, compensation package. It was great, I accepted that, and then two weeks later I was like, wait, no, no, Matt, like, this is your goal, you want to become a security leader. It was actually at that point in time that I realized I love this domain of security, and I love to help others, and I love to help contribute and secure meaningful causes. When I realized that, it was like, oh, well, let's say yes to this role, and that's when I started off my career journey to becoming, um, a CISO.

Uh, this is my career journey. I share it with you, and I'm going to share a few others as well. Again, none of them are the same, and it's actually kind of fascinating to see the differences between all of them. Um, I got my master's in information systems, and then after that went to Ernst & Young to be a consultant there, then went to AWS to help start their compliance program, um, and go there, so heavy on the compliance space. Uh, went to Adobe to help with their FedRAMP program and some of the other compliance spaces there. After that, that's when I was like, man, I really like the hardcore side of security, I want to jump in and learn that spot, so what better opportunity than to switch over to being a director of security and learning those things along the way. Um, after that I went to Instructure and then to Workfront, again, here's the pogo stick, to Weave, to, uh, Lumio, and then now to Drata. Um, it's been a fun experience along the way to kind of experience and learn in every one of these roles in different ways. Actually, seeing a couple folks walk in from working with you at Weave was really heartening to see. Well, there's a couple team members that were at Weave, and love the experience and working with all of you wherever our journeys have intersected. Um, again, every single one of these moves was very intentional, with strong reasons, and they all matched my own personal drivers.

Um, I do want to talk here about, I'll show it in a second. In a second I'll show a diagram called the CISO MindMap, and it really, like, shows the various domains of this role and the things that we have to worry about. Uh, for me, I was heavy on the compliance side when I started my career. Uh, about when I went to MX is when I realized, oh my gosh, there are a lot of technical areas of the security world that I was not deep in. And so at that point in time, um, I connected with some really good friends, most of them from the Adobe space, that taught me things like, hey, what does vulnerability management really mean, how do we actually deploy scanners, what are we supposed to do for security operations, how are we supposed to detect various threats that are hitting our organization. All that was a very steep learning curve joining MX in that part of my career, but, uh, no better opportunity than jumping in the deep end to learn how to swim.

I wanted to give a couple other CISO examples here of folks that have progressed through this role. One is Vara. Um, she's right now at Prosper Marketplace. Again, started kind of in the Big Four space, consulting space, and then, I saw, like, I want to say mid-2010s, she went to found a couple of companies and then recently just joined Prosper Marketplace. Again, longer durations at these companies, um, definitely learning along the way, but now leading security at a company, which is very, very cool.

Another one's Brandon Greenwood. Brandon got his BS in computer science and then jumped in to be hardcore security engineering. Again, stayed more on the hardcore technical side of things, um, continued to progress. He has spent, I think, a good 12, 13, 14 years at Overstock, which was just acquired by Bed Bath and Beyond. Uh, cool to see him progress in that role and now continue to inherit more and more of even some of the operational aspects of that organization.
So again, a Shar is another example here, uh, of someone else in their CISO journey. Another one's Mandy. Mandy's a CISO at Elastic. Uh, again, these seem to be Big Four starts. This was not the intent; it was largely to show various current CISOs and their roles have different progressions here. Now Mandy, um, you know, while she started the Ernst & Young Big Four route and Deloitte, went to become a security officer and then CISO, security officer as well, and now it's really cool to see her both, uh, be a CISO at Elastic but also advise a number of other companies.

Now, this slide is definitely a massive amount. These are all CISOs. These are not all the CISOs; there are definitely thousands out there, and they'll all have their various backgrounds that you can go look up on LinkedIn, learn from, and see what things they did to kind of navigate this journey to the space.

All of this is, this is what I mentioned before, it's called the CISO MindMap. In a second, actually, I'll show it now. This is actually the real CISO MindMap, when you actually try to explode what is on the mind of a CISO in a map. Um, the person that I want to give attribution to here is Rafeeq Rehman, who is at Verizon. He put this together. Uh, this seemed a little bit better to at least highlight in a nicer way the different domains that we worry about in this role. So as you're considering this role or being a security leader in the future, this is a lot. Um, every day, as a human being, I look at this and think, this is intense, and there is no other way to kind of describe the reality of this particular role.

Um, and so some of the things that are on this are, like, team management, business enablement, SDLC, security architecture, compliance and audits, legal and HR, risk management, automation and analytics. Um, new on the map, and that's kind of shown here on the left-hand side in the red, is, um, AI and gen AI, and having to secure all of our use of that, in both our product and by our people. Remote work security, team branding, awareness, governance, identity management, um, security operations, which is that massive right-hand side at the top there, which has a number of domains in and of itself, and resilience. Um, not shown, that many CISOs are starting to inherit, is IT engineering, or sometimes called Enterprise engineering, where they have a lot of the SaaS products that are used by your company. Um, not also on here is what I've learned in this role being at Drata, being a security company, um, has its own list of, uh, demands on this role: working with customers, uh, being up here on stage, uh, which is what I usually call the thing that keeps me up at night the most as a CISO, which most would actually attribute to a breach. For me it's being up here on stage. But, uh, for you, I just share that the demands on the marketing side, the sales side, the leadership side of this role, uh, may not be as highlighted here, that it just expands the map.

Um, where are Star Trek fans at? And Kobayashi Maru, right? Um, the unwinnable scenario. When I saw this I'm like, this is no different than being a CISO today. And actually this is one of the things that, uh, middle of my journey, I realized, what is wrong with my mental health, like, why am I suffering in this role? Which is not too far uncommon for many of the CISOs that I talk with in Slack channels, behind closed doors, about things that they also suffer with in this role, thinking, oh my gosh, my back is killing me, why is that happening, I'm under all this stress, what is going on? Um, realizing that, oh my gosh, we can literally do everything in this role and still get breached. Uh, and that reality is a defining dissonance that I think hits every single one of us. So as a human, um, you know, breach hits a fell, we saw, I think CISA just released about Sisense getting breached, and, you know, obviously vulnerabilities with poo getting dropped. It's like, man, it never stops, and we really are trying our very, very best. And so when I look at organizations that get breached, uh, or, uh, CISOs in that role, I realize there's a human behind that.

Um, so for those who aren't familiar with Kobayashi Maru, again, it's a famous fictional simulation in Star Trek where the cadets are put through this unwinnable scenario where they're supposed to go and rescue, um, basically a ship, that is the Kobayashi Maru, that's stranded in the Klingon Neutral Zone. Um, and your mission is, you get a distress call, you're supposed to go save them, but they're in the Neutral Zone, so the Klingons, they get involved if you enter that space. And so it ends up, you know, being this massive, uh, test, and this test is supposed to be able to help, um, assess whether that candidate or cadet is good at making difficult decisions under pressure, dealing with potential sacrifice, command ability and crisis management. Um, and so in many ways, uh, we're putting this impossible situation to CISOs, but it's fun to be able to exercise ingenuity, ethical considerations and leadership, uh, all under this kind of pressure setup. So if that interests you, this is the role for you. But I share this with you so you can also realize, in a good way, saying, like, yes, while this sounds painful or impossible, it is very much a very, very fun, fulfilling and rewarding role.

Um, and so today I get to the point of just saying, like, hey, nearly a third, I think this is a year or so ago, of CISOs, uh, in their role are considering leaving their current organization, or 9 in 10 report being moderately or tremendously stressed, and the average CISO tenure is just two years and two months. Pretty eye-opening, uh, kind of stats there. But I hope these help you see, hey, if you're considering this role, these are some things that I realized along the way, and I wanted to share with you. The rest of my talk today is just some various anecdotes that hopefully will help you in your current role or as you progress towards this role, if it's one of your goals.

Um, I really liked the last talk. It was very, very cool to hear the experience of a fellow security professional share their journey, and it was really neat to hear her, um, very vulnerably, openly say, this is what happened. And so I'm hoping to do the same thing here. So the rest of the talk, um, just like my brain bouncing all over the place, is going to have a bunch of random cool anecdotes that have helped me kind of see where we're at.
Number one, I mentioned the dissonance: learn to live with the dissonance. Uh, in many ways we're in this scenario as CISOs where, again, we can do everything and still fail. Um, but, uh, I've been thinking about this one. I think there was, like, three CISOs that were on a panel at RSA one year, and they were talking about, hey, what is it like being in the role of CISO, and I think all of them, within three months, all three CISOs had opted out of their big CISO jobs. It was like, I'm done with this role. Um, at some point I probably will opt out, um, but for now it's fun being in the fight. I think, honestly, when people ask me what keeps me up at night, besides being up on stage giving talks, uh, is, uh, um, honestly, I sleep pretty well, because I'm surrounded by incredible team members, many of them here, uh, even my own team that helps support, and knowing that if anything happens we got each other's back and we're going to work towards that.

Um, learning to live with this dissonance has been something that's helped for me. One, uh, massive aspect has been meditation, mindfulness and awareness. Uh, I think Sam Harris is the one that kind of helped me understand the purpose of meditation, which is not to become a good meditator but to be more mindful of your surroundings and aware of what's going on. This is extremely valuable when incidents happen, or when stresses happen, or when I am feeling grumpy, or whatever it may be, to be able to take a moment to relax, to understand and watch these thoughts and feelings process and pass like waves, um, to be able to, again, survive and persist in this role. The CISO that I mentioned a second ago, a couple weeks ago, was like, man, it's 4:00, my back is killing me, this role is literally stressing out my body. Um, all of the recommendations on that were around mindfulness: going to take a walk, being able to just completely disconnect from work, taking that time to process the feelings and pressure that you're experiencing in this role. I encourage all of you to do the same. This is awesome. There's great apps there, Headspace is another one. Awesome, awesome opportunities here.

Um, following your own advice. Uh, you know, if your best friend were to ask you how he or she could live a better life, um, you would probably find many useful things to say, yet you might not live that way yourself. So Sam Harris here was saying, wisdom is nothing more profound than an ability to follow one's own advice. Um, take some time to listen to yourself.

Relationships matter most. Uh, in preparing for this I reached out to Ryan Gurney. Uh, he's an operating partner at YL Ventures but also a former CISO at Looker. Uh, very, very cool human being. Uh, I was like, hey, you've been in this game a hell of a lot longer than I have, like, what really matters to you? And he's like, I included the rest here at the bottom, but he said, your network. And I couldn't agree more. Many people here are in my network, and I love these kinds of conferences where we can connect with others. It totally goes in line with this book that was released a couple years ago called The Good Life, and basically the thesis of this book was, and they did a, it was the longest longitudinal study that they had done, and they thought, hey, what really stands out in differentiating our lives being better or fulfilled or happy? It was all relationships. So strong relationships were the strongest predictor of life satisfaction, and better predictors of long and happy lives than social class, wealth, fame, IQ or even genes were strong relationships. And so strong relationships are not only correlated with happiness but with physical health, longevity and financial success too. So our connections and how we interact with each other really matter the most.

Um, it was fun listening to Kenny Scott, uh, earlier today talk about OSCAL and the amazing work that he's doing over at Paramify. Um, he mentioned, he's like, I learned, this is the way that I learn. And when he said that, I was like, that's exactly right. Like, the way I was able to get to where I'm at, and many of my peers, is they learned the way that they learn and they applied that throughout. And we all learn in different ways, and having that will help multiple facets in your own role. For me, I realized, not too, I would say a couple years ago, um, oh my gosh, like, I do not learn well in these kinds of settings where someone is talking to me. I learn really, really well in having a problem, and in bashing against that problem, and in having friends to be able to ask and say, I am approaching this problem but I'm not sure why I am not able to overcome this, what are your thoughts, what would you do? And having trusted advisers and friends, again, like Ryan Gurney said, your network, uh, was really something that helped me progress and grow.

So, um, last year I went to EDC, which is, like, Electric Daisy Carnival down in Vegas. Huge fan of EDM music. I saw this sign, and it almost made me cry, because I was like, we all need to create a space where all are welcome. And so as a leader in this role, being a person that actually helps all folks feel welcome wherever they're at, with their diverse backgrounds, it's a leader's responsibility to make that a safe place for all of us. For me, I'm neurodivergent, um, didn't find this out till recently, with ADHD. I was like, oh my gosh, no freaking wonder. Many of you who've worked with me for 10-plus years are probably like, man, I could have told you that 10 years ago, like, why are you getting this realization now? But along that whole phrase of, you know, being a place and space where we all feel welcome, as a leader, as a CISO, like, foster an inclusive environment. We all have our own funk. Um, and I thought, hey, with this being me, um, I think it's technically combined type, hyperactive-impulsive. I showed the CISO MindMap; I see this graph right here and I'm like, no wonder I love this role, like, it's never going to get boring. And, um, I just want to make sure that, uh, this is a good space for all of us.

Um, almost like this talk is bouncing around different things here. Um, I was talking with Josh years ago, Josh Blackwelder, he's at SentinelOne, um, incredible friend. I want to say four or five years ago I was so frustrated about something at a company that I was at. It's like, why is this happening, and why are we not making progress, or why is this not where we need to be at? He reminded me that, Matt, your mind and your brain is wired like a mechanical engineer, where you have zero tolerances or near-zero tolerances when you manufacture items. Um, and he's like, you can't think that way in this role. You need to be able to think in a way where risk management is really driving your decisions and still have that little dissonance exist. Um, again, back to the mindfulness: noticing that dissonance exists in my life as a result of this role has helped me still cope with and survive in this role. So again, having a friend in network that has helped me, this has been one of those that has helped me.

Um, one is writing out your program. Uh, this morning at nine o'clock I spent time with our, um, you know, the security leader on my team that manages the security function, our program. I had written this out back in, I want to say, last summer, and very similar to what I've done at other companies. Uh, at MX and Instructure I just jumped right in and was like, we're just going to do security things. I never actually wrote out the program. What I noticed, though, is when team members would join the team they're like, wait, wait, what's the holistic drive of what we're trying to get here? And I realized, I think when I was at Weave, I was like, we need to write out what our actual security program is: what are the components, what are the functions, who are the team members assigned, what are the successful outcomes. Taking time to actually write this out in a very strategic way was one that's actually helped drive very careful conversations with team members. So with Josh on my team this morning, we spent about an hour going through this one, double-clicking in the security operations program, and I noticed there was a difference between what I was expecting and what he was thinking, and this document helped align that this morning in a way that I hadn't seen before in this role. So I share that with you so you can spend time, as when
you're in a leadership role, say, hey, this is what we're expecting, this is why. And what I love about someone like Josh, and why I encourage it at work, is he is very, very good at telling me, like, Matt, I don't agree, or I'm not sure this makes sense, or that was, like, 2012 security, we're at 2024, like, how do we want to approach this? And it was actually a very, very helpful conversation to, um, help us grow and align on the program objectives.

Find good mentors, teachers and close friends to decompress with. So Bryce, you know, he's one of my trusted advisers, for the longest time, and still is. Like, "how do you literally X," and I would literally fill in any security topic, and Bryce will literally explain any security topic like I'm five, which is amazing, and then afterwards follow with, hey, you want to go get wings, you want to go to a movie? I love this level of decompression. A couple nights ago we were spending time, you know, just, I think it was at Trolley Wing Co., uh, until, you know, midnight or later, just chatting about life in general, security stuff. We talked about what's the next gen of SIEM looking like, to, hey, let's talk about the, uh, the BSides things coming up, whatever it may be. But having folks like this has really helped me grow, and I hope you also find similar connections to this to help you grow. So many people in this room helped teach me, and I appreciate you. Um, I wish I could have all of you with a bubble here with a picture on it, with a quote that you've given me, because all of you have that and have shared that with me, and I think that's incredible. I want you to continue to do that.

Speaking of mentorship and my working with my team member earlier, you know, a mentor is not someone who walks ahead of us and tells us how they did it. A mentor is someone who walks alongside us to guide us on what we can do. Folks like Simon Sinek or Adam Grant or others out there have helped me in this leadership role learn some of these human skills to help me refocus how I actually engage with my team members, and that's been awesome. I share that with you because many of you are going to be mentors, or are mentors, to friends. Um, walk alongside them.

Um, learning your drivers is key here. When I was at Instructure, they came out with a tool called the Drivers, or Bridge Drivers. This is the URL at the bottom. I encourage all of you to take a moment to go to the site or use a similar exercise to identify what your drivers are. These are mine. Um, I actually filled these out earlier this week to say, hey, what's my latest slice or cut of drivers that I have right now? These change over time, um, and expect that some of these will be met, some of these won't be met. These actually help drive really healthy conversations with your leaders who may be in charge of your compensation or performance. These are also good conversations to have with your team members when you try to understand where they're at in their career, to help them reach and grow as well. Um, so learn them and use that. These are what I use to actually decide, hey, should I stay in this role or should I move to another role?

The only constant: change. The CISO role, Mandy mentioned this a few weeks ago at Opera cyber up in Park City, it's continuing to change. We're having to move from technical expert to business expert, we're having to go from guardians of the gate to risk manager. All these different things are changing for this role, and this role will continue to evolve over time.

I will proudly admit that I'm a recovering, uh, self-awareness is key here, and I share this very openly with you, because I came straight out of Amazon, and Amazon is a very, very intense environment, and the way we communicated was not, uh, one that I would be saying is favorable, and one that would be connection-building over time. And so that's a great picture, you should put that on my LinkedIn to say, hey, I'm just going to openly admit it. But the thing is, um, this self-awareness on your own career journey is key. I had some team members pull me aside and say, Matt, you know, this interaction you just had with someone, definitely not ideal. And I want to share that here so that you all know that we all have our own funk, we all have our things we're going to work through and grow.

That one I'm going to skip, to this one, which is, um, after a really tough interaction I had one day at MX, um, Brandon Dewitt, he passed away a few years ago, and, uh, he pulled me aside and said, Matt, he said this, he said, you know, when we meet other people where they're at instead of expecting them to meet us where we're at, that's where leadership is born. And so as you go on your own personal leadership journeys, remember this: it's meeting other people where they're at first, versus expecting them to come to your direction. This is the same time that Brandon also drew a diagram on the board, saying we all have our own ceilings, and he drew this graph, and he's like, today you hit a ceiling, and you keep bouncing up against that ceiling, but you know what, I know that you can actually burst through that ceiling and continue to grow in your career. Um, again, this was a number of years ago, and that's when my journey started to realize, oh my gosh, Matt, the way you engage with people is completely against your own values of wanting to connect with others. And so identifying your own drivers or your own values to help those kinds of things, and what you're doing to impede your ability to progress through that, is absolutely key here.

Um, I learned this the hard way at Instructure. One day I was really, really frustrated with how, I think, our DevOps team was working there, and I publicly shamed them. I'm like, this is not the definition of ownership, and this is not, whatever it be, very much on a very public Slack channel, publicly shamed them. And I have to say, the fastest way to lose your credibility and influence as a leader is by publicly shaming another. And so, uh, again, my dad told me he could learn things the easy way or the hard way. This is an example where Matt Hillary learned things the hard way, and I hope sharing that with you helps you learn it the easier way.

Use capable AI. Pi AI, it's scary how good this is versus some of the talk therapy that's out there. Fun, fun way to basically, uh, you can prepare for talks like that, you can say, hey, I'm really frustrated about this employee, or I'm really frustrated about what we're doing here, whatever it be. Clockwise is another one. ChatGPT is super, super helpful in explaining things like I'm five, when it doesn't hallucinate, um, and it's super, super helpful on the way. So highly recommend this, and a number of other AI capabilities are coming out now to help augment our ability to do our role as well.

Um, Nathan's here. Uh, I'm in a number of Signal conversations with some good close friends, and that's my safe place to rant literally about anything, and, uh, Nate is very, very quick to pick up when Matt is triggered, and he'll say, Matt needs a hug. And that's usually a signal to me to say, Matt, you're triggered right now, you need a hug. And actually it's surprising how much just needing a hug actually helps another. So remember that part as you engage with others.

Um, last but not least, life is short, precious, beautiful. Experience the best this world has to offer. Um, I know in many ways this role can be extremely, extremely challenging and overwhelming, but hopefully sharing some of those anecdotes today will help you in your career. I'm sure the hardest thing about preparing this talk was, oh my gosh, how do you take 15-plus years of experiences and distill it down to these things to help you, you know, whether or not it's something you want to consider for your role. But, um, honestly, it has been an incredible experience to grow and learn alongside all of you, in getting to where I'm at and whatever the future holds here. But, uh, one, I want to show this. I hope these are helpful for you. Um, these are things, again, that I learned and will continue to learn. I know we're all on our own journey, and, uh, hopefully these help. So for that, that's what I wanted to share today. Hopefully it was helpful for all of you.