
All right, so welcome, everyone, to a super exciting panel discussion on "Take the Helm: Guidance for Prospective Future CSOs." Uh, today, this is, we're going to have an adventure through the world of security leadership like never before. I am absolutely thrilled to be joined by four amazing panelists. Each of them has stepped into a CISO role for the first time in their careers, and they're making a real impact at their companies. We're going to go over their unique stories, uh, challenges that they faced stepping into the role, and soak up any insights that they have to offer. If you're thinking about being a CSO or you're just curious about what it takes, uh, today is going to be a good learning experience. Um, all right, so to get started, uh, panelists, starting with Ari, if you can go ahead and introduce yourself and tell us about your role, and, to add a little bit of flair, uh, to your intro, a fun fact about yourself or a hobby that you love doing.

Yes, I will absolutely start this, and also the fun fact was not in the prep document. So, hi everyone, my name is Ariana Ouellette, I go by Ari. Uh, I grew up outside of Boston, went to school there, spent some time consulting there before, uh, I decided that the snow was not for me. I moved out to San Francisco, started working for what at the time was a small company called Twilio, had an amazing ride there, spent a brief stint at Okta, also awesome, and I'm currently the head of security and privacy at ngrok, which is an API-first ingress-as-a-service company. Oh, and my fun fact, um, sorry, again, wasn't in the prep document. Uh, my fun fact is that, um, I one time tried to break the pogo stick world record, uh, for pogoing, and I failed miserably, and also I was by myself, so even if I did break it, no one would have known. it's 10.
We love hearing about failures.

And I'll go. Uh, can you guys hear me? So, uh, my name is Emery, um, I'm rosalom, but Emery is easier for you, everybody. Um, and, uh, kind of on the same theme, uh, I, I grew up in Turkey, um, outside of this country, and then I ended up here, uh, mostly on the East Coast, uh, Washington DC, worked, uh, there for World Bank for about eight years. Um, did, like, a lot of cyber security and network security there, and then, uh, then I ended up here in the Bay Area and then, uh, worked at Apple, Salesforce, Lending Club, and back to Salesforce. Um, all, some of them are mostly, like, engineering roles, and then some of them are leadership roles, and now I'm a head of security and compliance at a small company called Dremio. We do data lakehouses. Um, fun fact about me, um, so many of them, but let's choose one. Um, I got escorted out of a pretty important, uh, Las Vegas, um, hotel because I kind of hacked into there. I didn't, I didn't want to, I just touched the four corners, one of those, uh, kind of like interactive panels, and, uh, just, if you do that thing at the lobby, the definition of the shortest amount of time is you touching those four corners and you're being escorted out, so that's pretty, pretty quick.

Like this we're just gorgeous.

Um, I'm Katie Ledoux. I am from Boston, I still live in Boston, I'll just die there in the snow clutching a Dunkin Donuts iced coffee, I just can't escape. Um, I, uh, spent most of my career at Rapid7, cyber security vendor, but I was on their internal security team. Um, I built the security team at another, uh, data company like Dremio, um, called visitor, a competitor, um, called, uh, Starburst. It was very annoying to work there because a lot of people ask me about the candy, um, and it was so frustrating that I left to start the security team at Attentive, where I am now. And, um, I have, I have two cats that are named after the Deschanel sisters, that's my fun fact. We were gonna name them after A-list celebrities, but then our friend pointed out that they really aren't, like, they're very
generic shelter cats, and so we should name them after C-list celebrities, so we named them after, uh, Zooey Deschanel and Emily Deschanel, but we call that one Bones because she's the main character in Bones.

Let's see. Hi everyone, I'm Kyle Tobener. I grew up around here in the Bay Area, I'm actually from a little town called Healdsburg. I spent 10 years at Salesforce, yeah, I spent 10 years at Salesforce, uh, owning enterprise appsec and vendor security, and then I've now been two years at a place called Copado as their head of security and IT. And fun fact about me: pre-pandemic I used to run the largest board game night in San Francisco, and this is actually relevant because I'll mention this later.

And lastly, I am Divya Dwarkanath. I'm a senior manager at Snap, and I'm really enjoying being responsible for appsec, corpsec, red team, and supply chain security, and a fun fact about me is that I'm a big Lakers fan. Um, but, so let's get started. Um, why did you want to be a CSO, and when did you think was the right time to step into the role?

I'll start. I haven't decided yet if I would like to be a CSO. Um, for folks, uh, who I've chatted about this with, of whom there are several in this room, uh, I have been incredibly adamant about not wanting to be the head of security, uh, for a very, very long time, and yet here I am talking to all of you about being a head of security. Uh, I recently sat down and thought through, like, what it was that made me not want to be a head of security, and came up with, uh, two reasons. One was the politics are terrible, um, and the second was a huge case of imposter syndrome. Uh, and when I moved to ngrok the company was around 30 folks, and so the politics were just, like, there's not really that many politics at a 30-person company, and we've grown since then, but, um, having a supportive boss and a supportive CEO and CRO about security meant that I wasn't having a lot of the struggles that I'd seen prior CSOs have that I had worked for. And, um, so really then all that was left was, uh, my imposter
syndrome, of which that was kicked out of me by several friends of mine, some of whom are sitting at this table with me. And, um, so I had a conversation with the CTO, who I report to, and right now I'm kind of just trying it out, uh, to kind of see how I feel about it, and if it's something that I really don't want to do or if it was just something that I didn't want to do because I wasn't in the right place. Um, and so that's how I ended up here. So to answer the question, I'm not sure, and also I feel like it's, uh, whatever is right for you, whenever it feels right in, like, your career and also your personal life, because I feel like it's, it's a, it's a big job and it's a big commitment.

Did you have certain skill sets that you thought that, okay, I can use this?

Um, yes, and yes and no. Uh, I think part of the thing that kind of helped me realize that that was a thing that I was ready for was, uh, when I first joined I was the only security person, again, 30-person company when I started, and so I was kind of already doing all of security and already thinking about security strategy and where we should go next and where, who we should hire. Um, and, uh, I think that doing that helped me realize, like, oh, I can do this with just a team as well, and as the company grows. And so that was kind of the thing that made me sit up and realize that this was something that I felt ready to, to step into.

So I just, I, it is, I know politics is kind of an icky word, and it is a big part of a leadership job, um, but I actually love the politics of my job. Uh, yeah, I, so I knew that I wanted to be in this type of role if I, when I first moved into a management role, and I would think back about, okay, what was the best, what was the highlight from my week, it was always something that had to do with the people on the team. So it was like, oh, we got someone's H-1B visa thing figured out, like, that's so sick. Or, um, you know, I think also we've all been on teams that have a really thoughtful strategy, where people are getting consistent
feedback on what they can be doing differently, where people are, you know, you feel like you're set up to bring your best self to work, and we've also been on teams where the leadership doesn't deliver on that consistently. Um, so, you know, it sounds really, like, kind of corny, like management book, whatever, but, like, the, the multiplying effect that you can have on a team, and I'm not saying I'm perfect at my job and I, I always kill it in this department, but it's really exciting for me to have the opportunity to have a multiplying effect on the amazing members of our team by making sure we have a clear strategy, by making sure I'm removing anything that gets in the way of them doing their job. Like, that is so fun for me.

Awesome. Um, Emery, how about you? Why CISO?

Um, I never wanted to be one. Um, a lot of people told me I would be good at it and I kind of followed their advice. I follow a lot of advice, sometimes terrible advices, but, um, I, and then the, the only thing that I knew that actually real, that not much advice-driven but kind of like internal-driven, was that I've been all over the security, all over, like, from, uh, server security to network security, for all the guys there who know what that is, so they used to be cyber security. Um, and then, um, like, from there to, like, forensics to, um, I don't know, like, um, firefighting to operations to product security to enterprise security, literally I've been everywhere on, on that spectrum, and that kind of prepared me for the guidance that I give right now, that I feel extremely, uh, lucky, I guess, to, to be able to do that. And I think that that kind of made my decision, right? Hey, I've been here, I've been there, I know about this stuff, I know a lot this stuff, I've seen the terrible version of this stuff, I've seen the great version of that stuff, so how can we make it, how can I make it my own company's stuff, right? So that's kind of helped me a lot. And then, um, there has been a lot of people who really, like, pushed me, uh, from my corners. Like, it's first in the IC
corner, I was, I'm like, I'm gonna, I'm gonna break things, that's it. And then, uh, no, no, you should build good stuff. Okay, all right, I'm gonna build good stuff. And then, uh, and in fact maybe you should lead a team. Nah, technology is easy, humans hard. So, and then I ended up doing one, and then, um, it's kind of, I, I, it kind of sounds like I didn't want to do any of these. I actually did want it, but, uh, I needed a little bit, like, push: just do it, dude. So yeah, it's kind of how it happened for me.

Was it similar for you, Kyle? Like, did you have various different domain experiences that made you feel that you're ready, or, you know, you know, what was it?

You know, I had in my mind this picture that I had to get to a certain title in order to kind of be worthy of doing the, doing the move. Uh, and I had a really good conversation with, with Mike Johnson, who's been a CSO for a while, about two years ago, and he was like, "Don't be stupid, you're ready now, just go." Same here. And I was like, okay, then let's try. And he was totally right. I, you know, I interviewed at a lot of places and I found some really good options and settled on one that I was really excited about.

Um, you all mentioned, like, politics briefly, and, you know, certain skill sets, like, that you picked up through different domains. Um, what, what skill set do you think that someone should start developing, if they don't have already, before they go and, uh, accept the CISO role?

So when you, when you think about the, the, like, the first-time CISO kind of job, the most common one is, like, a, a small SaaS company that's, you know, maybe Series B, Series C and starting to scale, and in that environment, understanding all the different pieces of the business and how they function and why they need to do what they do, I think, is really, really important. So for me, owning vendor security at Salesforce was one of the best things I ever did for my career, because it taught me, through what everyone was buying to, you know, automate and scale, what their business needs were and what
their challenges were, and then, dropping into a much, much smaller company, the challenges and problems were identical, and so that really helped me, you know, get a foothold with all the different business departments I needed to influence.

I've been really surprised. Um, I suppose I thought that this job would be trying to convince people that security matters. Um, I've found a surprising amount of this job is actually, uh, contextualizing individual risks. Humans are really bad at the, the risk management calculation, like the, the likelihood times impact, and sometimes when a new threat arises and it's being talked about at really any level of the company, people focus on the worst possible outcome and not the likely outcome, and not the, the, the likelihood of it happening or not happening. Um, which is, you know, so there's a lot of passion of, oh, we need to fix this right now, because they're thinking of the worst possible thing that could come to fruition, which maybe seems great if you're like, well, you run security, don't you want everyone to throw all of the resources at that? If that's the way that you run the program, it can be very, like, you know, chasing shiny objects, and then if you're investing your time there, then you're not investing your time in something that maybe is a bigger risk because it is more likely to happen. Um, and so I think that the skill set that I'd be developing is, when a new threat arises and someone brings it to your team, helping them and yourself sort of contextualize what is the real risk, instead of, let's throw all of our resources on this right now. Like, let's, let's actually approach it in a more thoughtful, calculated way, because, especially as a leader of a program, you can't be, people are going to get burnt out if every single time something comes up you're, you're sprinting towards fixing that, and then you've got 75 percent of the way there and a new threat or risk comes up and you start sprinting in the other direction. Um, so that, that's something that I would
start noodling on.

I saw Emery shaking his head vigorously when he started.

No, I, I was shaking my head with the risk, risk gauge of people, and it's just terrible. People are terrible risk, I don't know what we have as it risk calculator, I don't know how we survived in being, like, eight billion people, did we make terrible decisions. Um, in addition to that, I think one thing that helped me a lot is empathy, and, uh, that kind of, um, empathy with the developer, empathy with the business, empathy with the customer especially, and, uh, that, that helps a lot driving some of these terrible risk calculation matrices in our, in our head. For example, um, should we shut down this thing? And you have some sort of experience that you know that the likelihood of shutting it down is not gonna impact the business that much, or likelihood of that, shutting it down is going to impact the business a lot but not, not actually a risk, maybe we shouldn't shut it down, right? Yeah, we should let it do something and then peel a plan accordingly, right? That's some sort of an empathy on, on not, not just a, yep, there's, there's something there, let's shut down this, that's risky, right? That's, that, make it, being able to make that call and in the position to make that call is actually pretty scary, but, but still, like, uh, I think that's where the input helps a lot. And then, uh, sometimes even in the, uh, way of doing things too, like, I've seen that too, we can talk about it, but yeah, I think empathy is extremely important for being any sort of leader, so yeah.

I think that also makes your partner see you as more human and not, like, just someone who's going to come with a list of, you know, things for them to do and, like, orders to execute on, but someone who will work with them together for what's better for the business, and security is a part of that.

Yeah, I think, uh, I liked what you were saying, Katie, about kind of risk and prioritization, because I think some of the, one of the biggest things that I feel more prepared for because of some of the
prior things that I've done is that, you know, you don't have unlimited resources, you don't have unlimited people to solve all of the security problems, even though that would be lovely. Um, which ones do you pick, why do you pick them, and then how do you bump that up against all of the other priorities that your company has going on? Like, new products are launching, or, you know, there's a huge, uh, implementation that's going on, like, those same people need to help do security at your company. How do you convince them to spend time on the things that need to be prioritized? And so having that, like, going through that process and talking through that, like, any kind of projects or any kind of initiatives where you can get involved in those kind of discussions, I think, would be super helpful.

And explain to the customer why you made that priority, and then, yeah, like, interesting, 100, explaining to the customer why you made that priority. Why did you fix that CVE? Well, I was writing with a feature that you want us to do it, right? There's no exploitability of that CVE, right? So it's your own, like, compost manner you talk to them, and that actually builds trust.

Did you all feel that, you know, you talked about skill sets that want to develop, did you have them when you jumped into the CISO role, or did you feel that, was there something where you were like, holy, like, I, you know, I, I don't know how to do this? And how did you cope with that, and how did you develop that skill set?

I think you go into your first company with a plan in mind, and they always say, like, no plan survives contact with the enemy. Like, you get there and everything immediately changes. Um, I think for me, I had always kind of, you know, not put a lot of stock in compliance. It wasn't my favorite thing, uh, and then it's a lot of what I do now, is compliance: ISO, SOC 2, FedRAMP, all at the same time. It's really exciting. Um, but you also learned that, like, in a small company those compliance objectives are very, very meaningful. Like, they'll let you
close a deal that you couldn't deal, which might mean the difference between keeping somebody or firing somebody, because, you know, all the VC money dries up and suddenly you're worried about margins. So suddenly the, the actions that you take have a very real, profound impact, and I think that was very, very different. I didn't expect that as much.

And any tips to cope with that, or you just try your best?

I think, um, there's just going to be so much you don't know. You bring into it a certain skill set, you know, if you're in a more narrow job in a larger company, for example, like I was. You come in as a CSO and you have to do everything and you have to make the decision on everything, and so having a network of people, like people at this table, or, like, Slack channels dedicated to CSOs, that has been the place where I go a lot to ask a lot of questions and get a lot of help, because you need a community of people who can teach you some of these things that you never got an opportunity to learn.

And I think on the front of those skill sets too, I think it can be really overwhelming to think, oh, well, I have to have all of these skill sets. You actually just have to be able to build a team that has all of those skill sets. Uh, and I think on the, the, uh, point of, you know, building your network of people who are supporting you, um, a lot of my team at Attentive is people that I have worked with before, and Attentive is so much better for having those really exceptional people on that team. Um, and so, you know, it's, it's really investing in hiring people, whether that's just, you know, being, I get it's, so many people don't take the recruiting and interview process seriously, like, that is so much of our job, is really killing it with recruiting. Um, and also just, you know, but, like, you're here, so you're, you're already building your network of security people, but if you move into this type of management role, like, a crazy amount of your job is trying to get all of the best people you've ever worked with before to
work with you again, so all of the networking you're doing now becomes extremely helpful.

Right, you're only as good as your team.

Yes, yeah, because there's none of us couldn't do all of the things. We have to be able to hire people who can fill in those gaps. Um, I