
BSides Tampa 2021 | CISO Panel: John Burger, Guy Albertini, Michael Phillips, Barry Kortekas, Jon Sargent

BSides Tampa · 2021 · 42:16 · 73 views · Published 2021-04
Category: Career
Style: Panel
About this talk
One of 2 CISO panels at BSides Tampa 2021, featuring John Burger, Guy Albertini, Michael Phillips, Barry Kortekas, Jon Sargent.

Panel topics covered include:
- Workforce & Professional development
- Security Program Management
- Asset & Data Management
- Audience Questions!

WEB: https://www.bsidestampa.net
DISCORD: https://discord.gg/FhdkSNa24P
TWITTER: https://twitter.com/bsidestampa
MERCH: https://bsides-tampa.launchcart.store/

About BSides Tampa: B-Sides Tampa is an Information Technology Security Conference hosted by the Tampa Bay Chapter of (ISC)², a registered 501(c)3 non-profit organization. The purpose of B-Sides Tampa is to provide an open platform for Information Security industry professionals to collaborate, exchange ideas and develop long-standing relationships with others in the community. The B-Sides Tampa IT Security Conference took place virtually on March 27th, 2021.
Transcript [en]

So appreciate everyone jumping on. Awesome, thanks Mike. Thanks everybody for joining us today. I'm really excited; I've had a lot of fun today popping in and out of the sessions. Hopefully they've been beneficial for you. Kind of cool to do another virtual conference. I mean, it's fun to see the way these things come together, so really enjoying that, and again, hope you guys have had a good day. This is a special session; I think you're going to get a lot out of this. We met as a group earlier yesterday and kind of talked through the format here, so let me give you a rundown on what the CISO panel

is all about and kind of what the goals are for today. So today really is all about just sharing information and sharing knowledge. We've got a panel of, I'll call them experts; we've got a panel of some very experienced folks that are going to talk about some questions today on different things, and so we're going to get into that. I'm going to moderate; I'm just the talking head for today, so nothing really important about me. I've been in cybersecurity for about 25 years. I'm an Air Force guy by trade; I did 22 years in the Air Force. I have been working in the private sector, partnering pretty close with Alba Code, which is

advanced cybersecurity and event sponsor of today's event. So thanks to Avocado for sponsoring, thanks to all of our sponsors for today's event. So let me give you a rundown of the format and the panel members for today. Let's jump to the next slide.

Cool, so we'll jump right into the questions here, but let me just give you a little bit of intro on these guys. Again, it's a fairly impressive group. So on the panel today we've got John Burger. John is the CISO at ReliaQuest. John is a retired Army colonel, and he serves as the chief information security officer and vice president of IT infrastructure at ReliaQuest. Prior to joining ReliaQuest he served for 27 years in multiple assignments, including the CISO at United States Central Command from 2010 to 2012. So John's got quite a bit of experience, a lot of operational experience, and leading a pretty high-powered team there at ReliaQuest. They continue to grow and I think

he's going to be looking for folks this year. So we've also got Guy Albertini. Guy is a Certified Information Systems Security Professional and certified intrusion analyst. He has over 35 years of successful experience in IT and cybersecurity. He is the information security officer at Palm Beach State College and president of G-Sharp Security LLC. He also serves on the CrowdStrike global customer advisory board and participates in the United States Marine Corps Cyber Auxiliary program. Guy, thanks for being with us today. We also have Michael Phillips. Michael is a co-founder of VSEC; he serves as a virtual chief information security officer. He is also the owner of Illuminate Group LLC, where he specializes in his vCISO

services. Michael is a former executive vice president, CISO and data privacy officer at Rosenthal Collins Group. He served as assistant vice president, information security officer of the Federal Reserve Bank of Chicago, and director of information security for the Americas with UBS, a global investment bank providing financial services in over 50 countries. He's also an adjunct professor at DePaul University and holds the Certified CISO, CSSP, CSA [unclear] certifications. Michael, thanks for being with us today. We also have Barry Kortekas. Barry is the EVP of information security and the CISO for Morgan & Morgan. Barry is an accomplished information security leader with over 20 years of experience helping public, private and government organizations protect their

most valuable information assets. He's built successful and effective teams and helped reduce information risk exposure for numerous organizations over his career. He's lived in Tampa Bay for almost 30 years, and he enjoys walking, cycling, yoga, and reads quite a bit. Barry, thanks for being here. And lastly we have Jon Sargent. Jon is the SVP and head of cloud operations for Truist Financial, which I think is now the largest regional bank in the world, or in the country. Jon, correct me if I'm wrong on that. Sixth largest US bank. Sixth largest US bank, very cool. So Jon is a global IT executive transforming business processes and beating strategic targets through innovative IT solutions. He's got extensive leadership

experience in both IT governance and business development, and he's aligned IT initiatives with global business development efforts at the C-level for about two, two and a half decades. Jon's managed multi-million dollar projects and SaaS initiatives for Fortune 500 clients. He's got certificates as an executive chief information officer and a federal chief information officer. So that's a lot; that's our panel for today. So as I said, a pretty extensive group. I don't know if you can virtually applaud or send emojis or something, but have a virtual round of applause for our panelists today. Thanks guys for being here. Okay, let's dive into the meat. Next slide please.

Okay, so we're going to go to our first question. The first question for today, and again, today is just kind of a real talk session; we're just looking to have a conversation and exchange some ideas. Please feel free to participate in the chat if something strikes you or something resonates. But guys, first question: what are you looking for today when you bring on cybersecurity professionals within your teams? Thank you for that question. What I'm looking for is three things, essentially. I'm looking for an understanding of risk, and that's cyber risk, not project management risk or any other type of risk. I find that even though when people

are from IT, there is somewhat of a lack of understanding of what cyber risk is, and so when you're working in security you really need to have a good understanding of what cyber risk is, because everything that you do is going to be based on that understanding. So once you have that, that's great, and the ability to be able to actually understand it. The other one is that fire in the belly, that passion. There's a lot going on in cybersecurity; there's a lot of good days and there's a lot of bad days, and if you don't have that passion

you can get burned out easily. So I look for people with that passion to say, yeah, this is what I would like to do. And the other one is, I'm looking for skills from another area. So security is great, but when you can combine that with something else, let's say something with networking or development or anything else that you can combine security with, I think that brings the extra element that is often needed in this industry. Yeah, I completely agree, excellent comments. I mean, the whole control environments and all the control structures we put in place should all be driven by, you know, informed by risk. So yeah,

completely agree. Anybody else have any thoughts or comments on the question? Yeah, I completely agree with Guy on the fire in the belly. The rest of the stuff can be learned, but somebody who's got a drive to be there, to complete, to work hard, to learn new things constantly, because this environment changes so fast. If you're not committed to being on top of it all the time, it's going to be difficult to be a top performer in cloud security or any security space. Again, I think underlying that, I mean, I have a great opportunity being a professor at the university; I get to see up-and-coming talent

and people who have a lot of passion. I'm always looking for someone who's curious, who's always asking that next question, who kind of jumps out in front of everything before we even get to that part of the presentation. You know, they're inquisitive; just systems analysts at the core, they want to take things apart, they want to understand why it's happening, and they want to take it apart and put it back together so that it actually works better. The other thing I look for are team players, and let me give some context. In graduate school they get a lot of Type A's, and they

bring us all together, and in the end it's just capstone, and just watching all these groups implode because the Type A's can't get along. I mean, that's exactly what we're kind of looking for in the teams that we build: people who understand that they're very good at something, someone else may not be as good as they are in that area, but the team collectively comes together and leverages the strengths of one another, and in the end what we're doing is we're working as a collective group and achieving things together. And lastly, just don't be a jerk. I mean, I can't emphasize this enough: CISOs talk to one another. We have a very close-knit CISO organization, particularly here in

the Midwest, and we all get on the phone, we talk to each other, and if some really great analyst or architect is just going from position to position to position for the money, we all know who you are. We know what you're doing, we know what you're good at, we know what you're not. So I would just suggest, just know that other folks are looking at you as you're coming up through the ranks, and you're probably going to get observed to be exceptional or just exceptional. Great, yeah, that's great comments, Michael, completely agree. John and Barry, so from, you know, fire in the belly, from a leadership

standpoint, what's important there to maintain folks and help them kind of maintain that fire in their belly, and what does that look like day to day? Sure, yeah. Day to day, I think for me anyway, it starts with this desire. I start my day, and really the first hour of my day is all about reading, and whatever it is for you, that's okay. But what I'm looking for when I build my team is people who have that same desire. It's great, if we're going to be security engineers, certainly we need to know about the latest vulnerabilities

that are out there, and I'm not discounting that. What I'm saying is, if I'm in the legal industry, it's great if I'm looking at how other things in the legal industry might affect security, or if I'm in government and certain things are happening in the government space. By reading outside of my primary discipline, it brings an awareness to other things that are going on, and it makes, in my opinion, for a more rounded security professional. Yeah, hey Michael, we hire for attitude, energy, effort. Our philosophy on that is that effort is what really distinguishes mediocre from good and good from great at the end of the day,

and we hire for intangibles. I love the curious one. I like Mike Phillips on collaborative, right, and being a team player. So if I were to summarize it, it would be kind of this curious, collaborative; the one that we didn't mention was humble. I find that people who are very open-minded are very humble, and they're also very collaborative. And the last thing, and I kind of talked about effort, but hard working, right? At the end of the day, effort is what, in our minds, really distinguishes mediocre from good or great. So those are kind of, they're all intangible, so you didn't hear anything about

specific skills here. Obviously they have to have an aptitude, right, but at the end of the day we can teach folks that. It's the intangibles that I look for, and I think others are saying the same thing; we're just saying it in slightly different language and words. Over. Yeah, that's correct. It means the recipe is the same; the ingredients in the recipe are the same, they come together a little bit differently, but everybody's looking for pretty much the same thing, which is a team player, somebody that's a thinker and is going to be looking to solve problems, which we're presented with all the time. And then to Barry's

point, you've got to be keeping up to speed with everything. It's so rapidly changing under our feet, so you've got to be reading all the time, you've got to be smart, and you've got to be seeking that out, so you've got to have initiative too. So great input, fellas. Let's move to the next question. Okay, so along those lines then, as we dive a little bit deeper into kind of our own personal development and professional development, today a big part of that is workforce development. So how do you ensure your staff and yourself stay abreast of those latest trends and technologies, those things that are driving how we

approach our day-to-day business, our operations, and those services that we're providing to our businesses to deliver the value? Yeah, this one, to me, is so tied to the first question. As I'm building the team, I'm looking for people who have that motivation to take this on themselves, right? So gone are the days when you could just deflect and say, hey, my career is not my own. Your career is yours and you own it, and I'm looking for people who understand that. To help people with that, certainly offering the opportunity to learn is huge. Some of the OGs here in

the audience, you know, there was a time when you came on as a security professional and you got to go to a Microsoft conference, and that's how it was. Those days are gone, and there is so much opportunity out there for all of us to learn in ways that we couldn't even imagine when some of us, and so just encouraging that. As a CISO, I'm in a unique spot that I can help in some ways financially, right? So as I build the teams, I say, okay, our goals for this year include making sure that professionally we achieve these things, whatever they are,

and again, I am not necessarily saying we can only try to promote people in the security space. Overall, I want to make sure that we have people who are well-rounded in several different disciplines. So just being the encourager, and sometimes just being the listener, right? Trying to understand what my team is interested in and what they're good at. I certainly don't want to take a security engineer or an architect who has no interest in, you know, whatever it might be, and put them on all those projects. It's really trying to help use your team to the best of their abilities. Yeah, that is definitely leveraging the

interests of the team when you're building that out. The other thing that I try to do is I try to encourage the teammates to take some, and it depends on the team what capability and balance we have, but I try to get them to spend one day a sprint. Most of the teams are working on two-week sprints; one day of the sprint is their training day, and that may mean different things for different folks. They may be attending a class, they may be reading articles, they may be doing something else related to advancing their career and advancing their capabilities, and it builds that into

the resource model so that those staff are staying up to date and are staying ahead of the emerging technology. Yeah, I'd just like to add to that. Certainly agree with what everybody said, and based on the last point, one of the things that I found helpful is when they work as a team. So when there's an incident, everybody's working as a team, everybody's engaged and exposed to what's happening, and if there's something that you don't quite understand, it builds that curiosity. And so if you're trying to solve a problem and you don't know how to solve it and you've got to go research it, it increases the likelihood that that analyst is

going to look to see, well, how can I solve this problem? So you keep them engaged and you have them work as a team, and then you cross-train them, and that will constantly bring those talents up to speed, for every incident that occurs is going to build their confidence. And of course it is a great day when your analyst finds the bad guy and it becomes bragging rights. And so have them engaged and work as a team, I find works quite well.

Yeah, great comments. Anybody else on this question? Yeah, just real quick. I don't know that any one person can keep up with everything, so for me, we all as CISOs assign certain areas of the technology stack to different people, and obviously there's probably some rubric around why we've assigned them. My expectation is that they're always looking for better ways to leverage new technologies in their functional domain for the betterment of the company. So, to say it another way, I really want most of our research to be really mission focused

on what we need, because you can really get lost in the sauce and try to keep up with everything, and at the end of the day it becomes overwhelming. So focus on those functional areas that you need to support the business, and obviously all those need to be very mission relevant. That would be my two cents on that, Michael. Yeah, and mission relevant kind of points to aligning your goals with the organizational goals, right? And if you've had an opportunity to kind of do a really mature professional development piece, the PMP they used to call it, I think you would definitely

pull down some of those objectives and then do derivatives of them into your team's goals as well. One of the things I found is really convincing the team that their PMP was not my responsibility, it was theirs, right? That once-a-year review of what was going on was not working. I challenged them all to bring me in once a quarter and talk about the things that we had in their development track and how they were progressing, because priorities change on a regular basis, right? If we're waiting once a year to go back and revisit, I'm going to forget half the things that we did, and so are

they, and that's not a fair marker. So I challenge them all to bring it to me on a quarterly basis: bring to me the things that have happened, that have changed, let's track it interactively. I mean, it's their skills, not mine, right? And most of them are developing skills that are transportable, not just for that organization where they're working today, but if they want to continue to enhance themselves as professionals and then become executive leadership, they have to do things that maybe are not under the purview of what I have there. I had one challenge with, you know, working in financial services, most of the time folks

typically get accustomed to having a bonus as part of their annual variable income, and one time I held it back from someone after I asked them like three times. I said, listen, I really need you to get this certification, and every year for three years it was like, well, I was too busy, and I knew they weren't; they just didn't want to get the certification. And one year when the bonus time came around, I said, yeah, I held you back a little bit because we talked about this three different times this year, but I may potentially do that. And they were very frustrated with me, but got that certification within four weeks,

four months, I'm sorry. Within that quarter got that certification, got the cost of certification paid by us, got the certification, and then became much more valuable to the organization. And then when they left, they were able to request a higher salary as well. So really just getting my teams to understand that the more they enhance themselves, the better they enhance the team, and those transportable skills that they have are just invaluable when they take them someplace else as well. Yeah, that's a great point. I mean, it's not only just we do it for professional development on our own, but we do it for a larger purpose, right,

to help the greater community, which I think is where I see this really coming into play. And one of the best ways that I stay up to speed is just by talking to other people in the tribe, in terms of like, hey, what's working, what are you doing? If there's a current event like the SolarWinds thing, I can't wait to have a conversation with a peer about that, to just find out, hey, what do you think about that? What happened there? What are your thoughts, and what worked and what didn't work? And so it's a never-ending thing for us. That's why we're part of

professional development groups; we have these seminars and stuff. We're always learning, especially in our industry. So great insights there, fellas. Let's go ahead and move to the next question, question three. Okay, so we talked a lot about empowering the teams, building really good teams, and obviously we're delivering high-value services to the business. So how do we manage and report on the effectiveness of our services and our programs with regards to cybersecurity? Some people say we're throwing a lot of money at a problem; we can't really put our finger on how well we're doing; there's breaches everywhere. So how do you guys

communicate kind of the overall performance of your programs and functions to your businesses and organizations? Yeah, thanks Mike, I'll take this one first. I learned this really great metric from Michael Phillips today, I love it, right? It's the mean time until the eyes glaze over, which is a very creative way of saying it depends on your audience. And for me, I have a very technical board, so I can take some technical metrics to them, but there are a lot of executives and boards that aren't like that. What I found over the course of my time

at ReliaQuest, the questions that we get from boards are typically around literally six areas, and I've never found a question that wasn't within these six areas. They're either around the latest threat, right? So something happens; I'm sure every one of us had an inquiry about SolarWinds, or whatever got published in the Washington Post or New York Times. They're related to risk, like, hey, what are our most vulnerable areas, what are you worried about? These are the types of things that you may get. They're related around investment: where should we spend more money? If you had one dollar to spend, where would you spend it? They're related, in some cases, to compliance, depending on the nature of the

business. They're related to maturity: how are we doing, how are we doing against our peers? Or they want comparison, right, and those are kind of related in a way. So something around threat, risk, investment, compliance, maturity, comparison. I've not seen any questions that someone's ever asked me that didn't fall into one of those six categories. Now when you break that down, now we get into how you answer those questions, and that depends on the nature of your board, and I could talk all day long about certain metrics that can be used. But some boards are very risk-centric; they don't really want to know how

you're doing, they want to know what you're doing to keep this from happening. My board tends to be risk-centric; not all boards are risk-centric. Some are very compliance-centric, where sometimes IT and security is more of a utility. I think that's becoming less and less the case. But at the end of the day, if you're risk-based, you're going to talk to your board about things to reduce the probability of bad things from happening, or things to reduce the impact should something happen. And then you get into metrics around investment, and I won't go into all the metrics, but at the end of the

day, you can be measuring risk, you can be measuring all the things that have to do with probability, you can get into vulnerability and normalize that, you know, how many vulnerabilities by host, you get into phishing metrics. I've seen all kinds of metrics here, but I'll pause and say those are the six areas, and depending on your board you're going to pick ways to communicate to them. Some want stories, some want numbers, and I'll pause there, Mike. I'd love to hear from some of my other colleagues. Over. John, I definitely agree with what you're saying. I also notice, on the business side, a lot of the business don't really

understand cybersecurity, don't understand what we do. There's an idea, but they really don't understand it, and I've come across that several times. And part of what I've tried to do to communicate exactly what you just mentioned is to create some sort of scorecard, maybe a monthly scorecard, reporting exactly the things that you just mentioned. So where are we with compliance, and sort of do like a traffic light, red, green, yellow. In terms of incidents, how many incidents; they may not even understand the number of incidents that the organization is experiencing, realizing that, let's say, a university or higher-ed type organization, especially if you're doing

research, you probably got the nation state on that network trying to get all your stuff, and the business doesn't really understand that. And so if we can somehow bring a scorecard or some sort of program or system that illustrates what we do and puts it in a language that they understand, I find that that is really helpful. Yeah, definitely agree. I mean, we've got to be able to communicate that value, because the business can really do near to nothing without the data, right, and the data being available, so it's a critical function. Jon S. or Barry, any thoughts or comments here on how you guys are managing this, either from the cloud

perspective, Jon S., or Barry, you know, kind of relatively new in a role where you were presented a scorecard and said, hey, this is how we're doing as you're taking over here, good luck. Just kind of curious what your insights are in the real world. Certainly I would have loved to be presented with one, but that was how that started. But everything we're doing is very metric driven, and conveniently the cloud gives that capability to really dive deep into what's happening and pull those metrics together. But I think, like John said, you have to be able to take those

metrics and tell the story that the board is asking for in the way that they want to consume it. So whether that is, this is our measure of current risk and this is our value in mitigating that risk or mitigating the impact of that type of breach, if that's what they're looking for; or if they are looking for that more technical, this is how many attempts we had, how many were reported, this is where they got access or didn't get access, this is what was exposed or not exposed. It really depends on the audience, but

it needs to be driven by data. It needs to be pulled from the metrics that you're capturing, and if you're not capturing it, like with anything, you can't make it better, you can't improve it. And I'll just kind of reiterate what John B. said: it really depends on what your board is interested in, and just figuring out a way to make sure that you're addressing whatever their concerns are. I've had to report to teams who have been solely interested in compliance. The question was, are we PCI compliant, yes or no? We are. Great, okay, we'll talk to you next

quarter. Now it's a little bit different, so really just figuring out what's important, what are the concerns of the board. It's great input, yeah, definitely. I was just typing something in the chat: so was Target, on your PCI compliant comment. So yeah, because compliance and security are two completely different things, but there's a reason that the business needs to know. Yet the other thing I think that's important here is we've got to leverage automation and some of the analytic power that technology can bring, because I've been part of these metric programs that grow out of control, or you've got, at the end of the quarter, you've

got an 87-slide presentation and you have a three-hour meeting and you don't get past slide six, and there's like 100, 200 man-hours that goes into building the presentation. So don't want it to get to that point either, where we're just collecting all this data and not really making any decisions around it, which is really what we should be doing: informing the decision makers in the house. Mike, you raised a great point, if I could just elaborate really quickly. I have clients across manufacturing, refineries and financial services. Financial services are highly regulated, so their regulators tell them what should be in the board report, so we have

a different challenge, and that is we have to explain to them why what the regulator is telling us to report on is relevant to them. And that's another thing: I mean, you can bring the metric in there, but make sure you're digging into why it's relevant, or even why the regulator may think it's relevant, and then not just a whole bunch of points, but bring in the points that are relevant based on what they're asking for, and explain why it's important. I think John did a great job of that earlier. It really comes down to how likely, and how the impact may affect them as an organization, very

specific risk to that organization, what that organization does. Yeah, I agree. I captured the six areas of performance measurement; I thought those were great, kind of the pillars there you can build any program around, depending on the focus of what the stakeholders want to see and what they want to hear about. So that was great. Let's move on to the next question. Might be an audience question, I think. Nope, okay. So what are some challenges and best practices in asset and data management? Now we get into, okay, controlling the estate, right, and sprawl, and what are we actually protecting? Where is there a perimeter? Is there not a perimeter?

Is everybody a bad guy, zero trust? What are some challenges and best practices you've found to manage things like shadow IT, hybrid cloud and data sprawl across your environment? I'll just open this up to the group. Probably our last question; we've got about 10 minutes left in the session, so let's have some discussion around this one. We were just talking about this the other day, and it's a difficult question. When you get into, there's 30, 40, 50,000 people that are a part of your environment, managing their, then they're going out and signing up for a SaaS service and sending company data out somewhere, or

building a cloud environment. It takes good communication with your accounting and your business to make sure that there's not a path to pay for something with company funds that's not part of the approved process. So, making sure that if an expense report comes back with a SaaS service, or with a cloud service, or with some outside IT that didn't come through the appropriate process, that we're identifying that, that we're going back and going through and remediating that. Because the ability of an individual currently to go out and spin up the service, it's so easy, it's so fast,

data can leave the environment so quickly. You need to be, from every perspective, you need to be looking for that, and it requires the whole organization to look at it, not just the security department. I definitely agree with that, John. It's been a real challenge, especially with higher ed and COVID, with people working remotely. A user may not even think about it: hey, let me just use my own services or my own Dropbox or my own printer, not realizing that by doing that they're introducing risk to the organization. So one of the ways that we try to mitigate those risks is to increase visibility, have more sensors, just

watch almost everything, and try to ensure that everybody who's working remotely has an asset that is owned by the organization. And if they don't have an asset owned by the organization, then we have to increase whatever visibility, maybe have a NAC to ensure that you have all the proper controls in it to get onto our network. Definitely have DLP to look at that data, make sure that the data is not leaving without proper authorization. So it certainly is a challenge, but it's also something that we can actually mitigate, and we're doing that on a consistent basis right now. Yeah, I would say my best practice: you've got to make security

easy, and my approach on this is get risk partners in the game. So my chief risk, my chief marketing officer, right, my chief revenue officer: I can show them the functional impact analysis of things that could go wrong in their area. And if you get them to be risk partners with you... I think you can't stop the business from doing what it needs to do. What you can do is mitigate the risks, but you can only really do that if you get risk partners in the game, and the best way I found to do that is engage them and show them: hey, here's how we measure the risk, here's the things you

can do, here's the things my team will help with, and you get the risk partner in the game. That's the approach that I've taken here. It's not perfect, but I find when you try to beat them with the governing stick, you're just not going to get too far. Over. Yeah, definitely. I'll weigh in there because I've got a personal experience, something that was relatively shocking to me: working with an executive in an organization, a large organization, who was a risk owner, who was approving risk exceptions in Archer, who had no idea that they were the risk owner and they were approving exceptions in

Archer, or even what they meant. It was just, the security teams were sending them over, they were disapproving them, and yeah, hey, I need this data, the business has got to go. Nobody was assessing the risk. The security teams thought, oh great, they're signing off on the risk; the risk owner thought, oh great, security's assessing the risk and this is what they're recommending we implement. It was just somewhere in the middle. So communication is kind of important there too, with regards to identifying risk ownership and then empowering those risk owners to make security-minded decisions. I think that's what you can... Yeah, Mike, I found communication, for me, has been really

the most important tool: keeping those lines of communication open with my peers and asking why. Not why for the sake of maybe some type of follow-up action, but why for the sake of the business. Why are you going out and looking at bringing on a hybrid cloud service? And if we can find out that they're doing it because we're not able to provide that capability, well, that's a completely different discussion, right? But communication is the key. Yep, absolutely agree. We're coming down on time here; we've got just a few minutes left. I think there is one audience question we can maybe take a quick stab

at that and then wrap up here in the next three to four minutes. Gabby, do we have a question from... A bunch of questions we have. Oh cool, I just want one. Can you pick one? Pressure. Okay, let's see. Yeah, you pick one. You're killing me, guys. Okay. Knowing what you know now, this is a good question: knowing what you know now, what would you change to help someone starting out as a cyber professional thinking about becoming a CISO? And I'm sure you guys are doing this day-to-day and you're mentoring, and the leadership development that you're doing with your teams, but what is that advice, those

couple of key points that you pass along as advice to say, hey, five years from now, 10 years from now, this is the goal, that's great, but in order to get here these are the habits that you need, these are the goals that you should be setting for yourselves. How do you guys share that knowledge, kind of as the Jedi masters of your... is to frame the security problems and challenges that you're looking at in relation to how they affect the business. That's important too. It's not about security for security's sake, it's about security for enabling the businesses. And so if you frame your research and your study in

that frame, it'll be a lot easier for you to communicate with the business, which will put you in the place, if your goal is to be a CISO. So that's how you drive yourself there. I agree. If you want to be an effective CISO, you've got to understand the business as well as the other executives. It's the reason why most CISOs, many CISOs, not all, don't get a seat at the table: it's because they can't relate to the business and what their function does. The only other thing I'd say to this question is that at the core of every leadership position is leadership, so it's a key piece, and don't

underestimate how important it is. Over. Yeah, I'd also like to offer understanding the why: just making sure that whoever it is that you're mentoring or working with understands why they want to become a CISO in the first place. There's a number of reasons that you might, and not all of them are good, so really just having that thorough understanding of why. And also, the role of CISO changes, so I can only speak to why you might want to be a CISO today. I think all of us have seen the role of a CISO change over the last three years, over the last five years, and it's likely that in the

next five years it's going to look very different again. Yes, I agree with everybody here, and I guess I would emphasize, yeah, why do you want to be a CISO? And there was, I think it was Larry who had a presentation on "Do you really want to be a CISO?" and that was a great presentation, and I would recommend that whoever is interested in that should probably get a copy of those slides, because it really goes into the good, the bad and the ugly. Yeah, Michael, any final comments on a perspective from a virtual CISO? No two organizations are the same, none are the same, no boards are the same.

It's different everywhere you go. Understand that you're the asset, right, and align your talents with what you think you can do for an organization, but also know that some organizations will chew you up and spit you out. The life, the tenure of a CISO is about 18 months in most organizations, and it is changing; the field is changing rapidly. I see so many fractional and virtual CISOs now because many SMBs cannot afford that price tag. And then many of the CISOs really need to understand, I think he pointed this out, the risk to the business. If the business is not there, there's no IT. If the IT's not there, there's no cyber

risk. There's no cyber risk, I don't need a CISO. So kind of look at it from that perspective and just know you're the asset; build your talent so that you can do what you want to do. And after CISO, there's life after CISO, trust me. Be ready for that too.

I want to thank the panelists for... I'm just getting some background noise here, but I want to thank the panelists for your time today. Gentlemen, those were phenomenal insights. It was great to have the discussion with you around this. For the audience members, thanks for your time, thanks for your attention. I'll tell you too, another key to success in this industry is your network. So there's some folks on the left-hand side of the panel here that you just listened to for an hour, so maybe shoot them a note, tell them thanks if you learned something or you want to talk more, including myself or anybody

else that you met today at the conference. I do want to thank Gabby, the whole entire team; there's an army of volunteers that pulled this off. You notice that we were able to kind of sit here and talk, so certainly appreciate them, appreciate the sponsors, and appreciate everybody behind the first virtual BSides for Tampa. And I think John said it best: if we can't support our backyard, then how good are we as security professionals? So, Gabby, I'll turn it over to you. Any closing comments or anything we need to do to clean up here? Speakers? John, John. Mike, Mike, Mike. I guess not. Let's get out of here then.

Nothing hurt. Thanks, everybody, I appreciate your time, and have a wonderful rest of the conference. We have the keynote coming up at the top of the... Great, thank you, thank you. Thanks, Mike, appreciate it. Thanks, all.