
So, You Want To Be A CISO...? - Joshua Brown

BSides KC · 26:42 · 82 views · Published 2022-10
Speaker: Joshua Brown (VP and Global CISO at H&R Block)
Category: Career
Style: Talk

About this talk

This talk will cover some of the ins and outs of CISO-level responsibilities, the reality of what the day to day looks like, and the pros and cons of reaching the pinnacle position of our industry. It will contrast the Hollywood hype against the sometimes painful realities involved with advancing an agenda under heavy scrutiny and terrible odds, and offer attendees an unvarnished look at what it means to be a CISO.

Joshua Brown is vice president and global Chief Information Security Officer of H&R Block. In this role, he leads the teams responsible for identifying, tracking, and mitigating security risk, ultimately ensuring the company can move quickly and safely to innovate and fulfill its ambitious Block Horizons growth strategy. Prior to H&R Block, Brown worked for several different entities within the Omnicom Group of companies, where he was a founding member of the corporate CISO council to drive security throughout the organization. Before that, he cut his technology teeth at the financial education firm The Motley Fool. His love of teaching and lifelong learning led him to become a mentor for the SANS Institute, the leading authority for information security education. He has been a frequent author and speaker on myriad information security topics, including speaking at the InfoSec World conference and the ISC2 World Congress, and being published in Security Current magazine, CIO Review magazine and Enterprise Security magazine. Brown holds a bachelor's degree from Duke University and a master's degree from Georgetown University.

Transcript (en)

So I'm going to turn this on. These badges are freaking awesome, can you give a hand for the people that designed this? And they go to 11. I don't know if everybody noticed that, but I'm gonna go ahead and set mine to 11, because, yeah. Anyway, so hey, we're gonna talk. Anybody that was in the room for the previous talk, which was awesome and intense and very personal: this talk is not that. This is going to be a lighter look, a little bit, at why you might not want to be a CISO, and, what about you, why you might want to. So just real quick, because I really don't want to make this about me, but this is something: same guy, except older and fatter, which is what happens over time. I've been doing it for over 25 years. I'm the CISO at H&R Block here in town. This talk is not about H&R Block; this is about my experience in my career. I get a lot of questions from people, in mentoring relationships and things like that, about "okay, well, how do I take the next step in my career?" And by and large people have terrible ideas about what a CISO actually does and why they might want to be one.

So we're going to ask and answer three big questions today. First, what the hell is wrong with you? Why would you want to do this? Second, what are you good at? Does it match any of the things that an average CISO might actually do on a day-to-day basis? And then we're going to circle back: why are you here? Why are you in this room right now? Because if you're in this room, I'm expecting it's because either you're lost, or you're bored, you might have fallen asleep, or maybe you actually want to become a CISO, and we'll see if there are any good matches there.

So let's start here. What's wrong with you? Whatever reasons you may have for thinking you might want to be a CISO are likely really bad. This is largely due to the fact that most people don't actually understand what a CISO does. I was one of those people for a long time. Remember, I think we tend to forget, because we're in the weeds so much every day in our careers, that infosec is a pretty young practice. It sprouted out of IT, but we haven't been around that long, and we understand infosec infinitely better than people that aren't in infosec understand it, right? Our peers, our colleagues at work. And you think about degree programs in infosec, that's super new. When I went to school, which was admittedly a while back, that was not an option. Even a computer science degree just meant you learned Pascal or some nonsense like that.

So let's look at some of the worst possible reasons that you might want to become a CISO, and see if any of these resonate with you. Money. I like money. Do you like money? We should hang out. This is one of those: if your goal is money, there's lots of careers where you can make a lot of money. As kind of the pinnacle position, it's got the C in front of it; whether you're talking about a CSO or CISO, that's going to be one of the highest paid positions in our industry. Fair. Salary.com says right now average CISO base salaries are between 180 and 300. Glassdoor says, shockingly, 97 to 240. PayScale says 110 to 230. In comparison, data scientists average 150, and they don't have to put up with half the stuff that a CISO does, I guarantee it. There's a lot of really hot areas that are having explosive growth in IT, right? Machine learning, AI, blockchain developers, things like that. Money is great, really, unless you don't have the time to enjoy it. I read this interesting report out of the UK called "Life Inside the Perimeter," I think is what it was called, and it was supposed to help people understand the modern CISO, whatever that means, because 20 years ago there wasn't a non-modern CISO. But 88 percent of CISOs say they do way more than the 40 hours a week, closer to 60 hours, and they rarely disconnect. And that's absolutely true. The other 12 percent are lying, or they're golfing until they get fired.

What about power? CISOs have to be master influencers to be successful in their roles, but that doesn't equate to power. Most other executives are going to view what you do with suspicion or even hostility, because what you do is placing responsibilities and burdens, not to mention costs, on their team. Your priorities are not their priorities. And so, while you own the outcomes of the security problems in your company and those challenges, you've got to bring people along with you. So this is one of those cases where, with a CISO title, you have the role, you have the responsibility; you may not have the actual power to effect change directly. You can't dictate it and make it happen.

How about boredom? Like, I've done all the things, I've hacked all the things, what do I do next? Being a CISO will definitely lead you to the opposite of boredom. If you think you've done it all and you want a new challenge, you will definitely get it, but I think you'll definitely get that in infosec anyway. Going back to that survey that I mentioned earlier, 25 percent of the CISOs surveyed thought that the job has an impact on their mental or physical health, or both, as well as their personal and family relationships, and 17 percent of CISOs admitted that they're either medicating, using alcohol or drugs, to deal with their job stress. For those of you who were in the room for the last talk, this is a very common thing. We know that alcohol is very prevalent, drugs very prevalent, in infosec. I think 17 is low; I think most people probably medicate and self-medicate.

So what about "I'm overqualified, I can't fit any more certifications on my business card"? Surprisingly, while the CISO role is kind of the pinnacle of infosec jobs, the technical responsibilities of a CISO are far less important than the soft skills, your ability to talk with and connect with other people. So you may have done all the things and gotten all the certifications. That's awesome; I was on that track for a long time too. But if you don't know how to talk to people, if you don't have a clue about how business actually works, specifically the business that you're supposed to be leading the security efforts for, or you aren't great at or you don't love building a team, like you don't like that aspect, you don't like vendor management, you don't like budget management, this might not be the right path for you.

So, anybody here played Exploding Kittens before? Yeah, Pope of Nope is here to tell you: no. Terrible reasons. All of those were terrible, terrible reasons. There are other terrible reasons too numerous to mention. I only have 20 minutes, so I'm not going to try. But if you love playing with technology, guess what: I haven't put my hands on a keyboard for a while. You've got to let go of that. If you like spending other people's money, also a terrible reason. It's fun, but it's not a great reason to be a CISO. Stress and burnout are the top risks for a CISO, not job loss as a result of a breach. A lot of people think, with the average tenure of a CISO being about two and a half years, it's because there's a breach and they need a head, and it's yours, and it rolls, and we'll go on to the next thing. Actually, it's job burnout, stress, that causes most of the churn.

So let's try a different angle here. Instead of looking at bad reasons for becoming a CISO, let's look at some of the things that a CISO actually does, and let's see if any of this resonates with you. I'm going to talk about four main things, four main categories of things where a CISO spends most of their time. And again, your mileage may vary; this could be very dependent on the size of the organization, whether you're in a heavily regulated industry, etc. But four areas. So, a CISO strategizes, because you own all the security outcomes, even for the things that you don't directly control. You influence others; in other words, if I need something from the app dev team, I've got to go convince the app dev boss to put my stuff on their backlog, and that means product features are going to have to come out or get de-prioritized. Recruiting talent: we've all been through a significant change in the way we recruit talent and the way people are actually willing to work, under what conditions and how. So this is a big aspect now. I lost about 60 percent of my domestic team over the last year in turnover. Insane. And finally, reporting: so metrics, but also just verbally reporting up to the board, to the CEO or the CFO, the rest of the executive team.

So let's dig in a little bit. First, strategically: the vision is all you. You are responsible for developing, executing, and owning the outcomes of a comprehensive security strategy. So this includes a bunch of different stuff: development and adoption of a comprehensive risk management program; development and enhancement of policies, standards, procedures, whatnot, all of the things that would guide the activities undertaken inside the organization; mechanisms to enforce the security controls, detect when they're not, attest to compliance; identifying the likely threats to the organization, so reading into the threat intelligence, reading the landscape, being able to report up to the board: "here's what we think the big rocks are going to be in the next year, and here's where we may need to make some targeted investments." Even basic things like end user security awareness training and testing, right? You're going to have a say in that: how it's done, how often it's done, who gets it. You're going to have to have a strong sense of when this happens, because you're going to have people that say... say you work for a sales organization. Every time the salesperson fails your phishing test, what's going to happen? Right, they're going to complain to their boss, their boss is going to complain up, and eventually they're going to say, "hey, why are you wasting my time with this? I'm trying to generate revenue for the company." You'll have to align security solutions with business goals. So this is back to that idea of understanding deeply how the business actually functions. You'll find the C in CISO is way more important than the next three letters. And maintaining compliance with regulations, frameworks, contractual requirements, all that kind of stuff. You'll have to manage a budget, and if you're in a Fortune 500 or Fortune 50, it's probably a pretty good-sized budget. You will be responsible for the outcomes that are driven by the money that you spend and the investments you make. So again, with great power comes great responsibility, sort of thing. You are responsible for all security outcomes, which is why CISOs drink and don't sleep very well, especially when you start realizing, again, you don't directly control most of the functions that lead to those outcomes. So the influence aspect is massive. You're still accountable.

So how do you influence? You have the title, you have the accountability, as I mentioned multiple times. What you don't have is the control. So a lot of what you're going to want to do and need to do involves the ability to influence others. So to influence others outside of infosec, much less outside of IT, you need to have a deep understanding of the business, and you have to speak the language of the people that you have to influence, which means you have to know and care about the things that they know and care about. You can't expect to drag them to you, or you're going to just reinforce the idea that security is the place where good ideas go to die. Everything you do has a cost, right? There's personal capital, there's hard cash capital, but the convincing of others, that's really where this all kind of hinges. If you cannot walk into a room of people who have no idea how the technology works, no idea how to measure risk, no idea what success looks like, except they don't want to see their name in The Wall Street Journal, you're going to have a bad day of it.

So I've given a couple of talks lately on building high-performing teams, recruiting and retaining talent. Building a high-performing, connected team is the most critical aspect of running an effective security program. We talk a lot about people, process, and technology, right? People are the most important piece of that; that's why they go first. Finding the right people is of paramount importance. So given the global shortage of talent in infosec, around 750,000 to 850,000 openings in the U.S., about three and a half million globally, it's incumbent on the CISO, the people leader, to help solve this long-term talent problem by investing in training, investing in mentoring, investing in young talent pipelines. Young talent doesn't necessarily mean "I'm 21 years old and I'm graduating with my first infosec degree and I have no clue what I'm doing." It may mean "hey, I'm a mom entering the workforce after my kids have just gone off to college for the first time," or "I am a law enforcement professional who wants to try something different." I've got on my team former law enforcement, former military, former healthcare, former attorneys. Pull from wherever you can, because what you're looking for, I say this and people generally laugh at me, but I'm looking for people that are smarter than me and that aren't sociopaths. Everything else you can train, right? You can't teach people to be good humans. You need to find that piece: have the right mindset, the right curiosity, the right drive. Everything else can be taught. You also need great communicators. You need T-shaped engineers, we call them at Block, right? So they're broad across a variety of topics and they go super deep in their one area of expertise. You need a team that's going to rumble vulnerably; in other words, they're going to open themselves up, they're going to advocate for the things they're passionate about when you're trying to figure out the best strategy together, but ultimately, even if it doesn't go their way, they're going to get behind the solution and everybody's going to pull in the same direction.

The other bit that's really tough here is it's not always sunshine and rainbows. You're going to have to identify and aggressively address sources of unhappiness, frustration, and negativity before they spread. So if somebody's unhappy about something, you've got to do everything in your power to try and make it right. But if it's ultimately not a good fit for that person in your organization, you need to help them find the next thing. If you leave people in who are, whatever you want to call it, quiet quitting, that negativity spreads, and it's going to cut down the efficacy and the cohesiveness of your team.

Finally, measuring what matters is a big piece. Metrics should drive everything we do. We should act on fact-based engineering, not gut feel. So if I'm providing services to the business, just like any other function that gets provided to the business, if it's a critical function to help the business succeed, it needs to be measurable, which means you need to apply rigor and fact-based decision making to everything you do. You've got to keep the board apprised of the status, challenges, opportunities. You've got to filter out the noise and the FUD and just show here's what's working, here's what isn't. That's right, you're going to be completely transparent about the stuff you do that absolutely doesn't work and is not worth further investment. And the really interesting thing I found in the last few years especially is that there's a massive difference between operational metrics that help your team know where to pivot and apply force and effort, and the kind of metrics the board is going to care about. Again, they're going to be non-technical. Most of your other executives are going to be almost completely non-technical, but they still need to understand the impact you have on the business, SLA adherence for example.

So I'm almost out of time, so let's circle all the way back to where we started, right, about why are you here. Do you remember? Pepperidge Farm remembers. Some of you ostensibly wanted to become a CISO, or at least were curious about the topic. So what are some actual good reasons, from my perspective, why you might want to be a CISO and do the things that a CISO does? Maybe you feel a deep connection to your work, right? You want your work to have a purpose. Over time you want to build a legacy, something that outlasts you, that will serve your business, serve wherever you are working. That's a great reason, right? Being a CISO gives you the opportunity to plant seeds, for all the Hamilton fans out there, for a garden that you never get to eat the fruits of. We all know there's not an end point in what we do. It's a program, it's a process, and it's going to keep on going, hopefully. Another good reason, right: you want to help solve the talent crisis. I believe this is one of my strongest ambitions right now, and I believe it is incumbent on all of us as leaders in the cybersecurity space to help solve the talent problem. Mentor people, guide people, go out to high schools, go out to local organizations, teach them about security, bring new talent in. Maybe you want to be an agent of change and help solve tough multi-disciplinary problems, like being able to speak clearly. No, seriously, the topic that was before me about neurodiversity: neurodiversity is a superpower for infosec departments. The more different lenses you get looking at tough problems, the better your odds are going to be to solve those problems. If everybody in your team looks and thinks like me, it's not going to go well for you. You need a well-rounded team with lots of different backgrounds. Maybe you want to continue learning, not just about your own swim lanes but about all of the wider business. I guarantee you the CISO has to work harder than almost any other executive to understand the business, because what we do often, unless you work for a cybersecurity company, doesn't directly drive revenue. It's an enabler, it's a protector for the business, and so you will have to learn deeply, because of all the reasons I gave earlier in terms of influencing your peers and getting the things you want actually done. And also, hey, maybe you're an evil mastermind with world domination plans. Who am I to judge? But this is a great place to start if that's what you want. So on that note, thank you. I'll put that up, and does anybody have any questions?

Yeah, so the question is, what security companies could you work for, intern with, study with, to help round out your skill set and make you a better overall practitioner? Oh, security domains, gotcha. Yeah, so as a CISO you're not going to be hands-on keyboard, unless you're working on a PowerPoint or in Excel, pretty much, or a board memo. Just the way it is right now; by the time you get to this place you probably gave up a lot of those things anyway. So it's not as much about technical skills, but you do have to have broad awareness over the regulatory space. You have to have... I think getting a business degree is actually pretty useful, because it helps you understand a lot of the nuts and bolts of what's going on, what's going along behind the scenes, the kind of stuff that you would study for when you take your CISSP, right? Those domains, they're all important. You're going to have to be conversant in those topics, but you don't have to be the expert on how you actually address and fix those issues, right? That's why you hire people smarter than you to do the actual cyber securing. If that helps.

Audience member: Yeah, hi, you mentioned earlier that you personally had like a 60 percent cut in your talent. I was just... from your perspective, do you think this post-pandemic, hyper-competitive nature is here to stay? Like, do you think these remote jobs are always going to be like