
I want to say good morning Ireland, good morning Dublin. The first time that I came to Dublin was back in 2012, and I was flying over on a regular basis for doing different projects in Dublin and around Dublin, and I've had an amazing time. I haven't come back since 2019. I was walking the streets, and I'm very happy to tell you that I was remembering the different alleys. I was exploring Dublin here and there and all that. I haven't been to the Spire this year, but the attraction apparently this year is your portal, right, from Dublin to New York, but someone from the only my friend's website went there and
shut it down, I think, or something like that. Yeah. So, having said that, and having the presentation on, a couple of things before I start. This is going to be a very interesting, hopefully very interesting, presentation for you, because it carries a lot of weight when it comes to experience, and it will act, in a sense, as food for thought for the decisions that you will personally make in the future for your own evolution in this industry and your career path. So bear with me, try to navigate with me the little corners of this presentation, and hopefully by the end of it you will have some very important things to discuss with me, with
yourselves, and you with your colleagues. Now, I have to stand here because we don't have a microphone; I usually walk around.

So, the Uniform Code of Military Justice dictates martial penalties to those officers that send a soldier to the battle without a weapon. There ought to be a similar guideline for the cyber security professionals, or those leaders who assume these roles of leaders and send their staff into the cyber battlefield without the necessary weapons. Over the years, one of the most important challenges that I have seen in so many organizations, corporations, consulting session, is that the people who lead the space, whatever that is, their information security group, teams, the cyber security
teams, the IT teams, it doesn't matter, they expect their people to perform without guiding them towards the right path, without giving them the weapons to fight the everyday battles. This today has been referred to as a skills shortage. I was apparently one of the first people that challenged this narrative, and I said that there isn't a skills shortage; what there actually is, is a very bad, outdated way of hiring people. I don't know how many of you have been to different interviews with different companies and different organizations, but I think some of you, if not many of you, have gone through the process of a very typical, blunt shortlisting process, which, surprising or not,
has not been written by the hiring manager. In many cases it has been copy-pasted or written, put together, by the HR department, and in the specialization role that they're trying to hire, the description of the role does not reflect on the requirements, the day-to-day requirements that you need to do, and what you personally, as an individual, bring into the picture. Everybody was saying we need to hire talents. If you Google this, you won't find many definitions of what we mean by talent. I'll tell you what I mean by talent, and I'm doing this to formulate and drive my things that I've been building over the years. Talent is to bring someone in
an interview and sit down and ask them what they know. I want them to tell me what they're good at. I want them to tell me how they solved the problem previously. I want them, if they are first graduates, to tell me how they went around to do their final year project, whatever it was. The interview is not about me, about the interviewer, to impose my ego on the person that I'm interviewing. The interview is about discovering; it's a discovering journey, to hear what you have to say. And talents, and I would involve myself, saying that I was and I still am a geek in many senses, many ways of the word, so I
have certain ways of saying things if I'm in an interview, or I had. So the hiring manager should be reading between the lines, because they're not hiring a used car salesman; they're hiring a guy, a lady, a person that basically is writing code, they're reading their own stuff, they might be excited about certain things. Not everybody in a particular job description will know exactly the same thing. We're taking the individuality away. So this is what I mean by hiring talents.

And I'm saying this to give you the highlights, for those who don't really know me, or for those who do, it's nice to see some familiar faces. I've been in this
industry for more than 20 years. I started back in 1998, and I went to the university, on purpose, that was doing practical information security and computer security back in 2001, and it was hardcore. I went to that university to do a software engineering bachelor's, because only the master's was the security, in order to do the security master's. And to be prepared for that, I finished my bachelor's, I went back to my home, I found the lecture material of the master's, and I was studying by myself during the summer. How do you communicate this dedication and this excitement during an interview when the question is: do you remember the OSI
layer by heart? I don't, I don't care. Do you get my point? Do you see how the individual should be brought into the picture?

So, along this journey I have written a lot of code, not because I was a developer, but because I wanted to understand and make my life better. So when I wanted to do something and make my life easier, I wanted to script it or program it. I wanted to see how you do it. I wanted to understand it. I'll give you an example. Everybody's blocking IP addresses. When they're reversing code, how many people block, or are looking for, decimal values instead of IP addresses? If you
open up your terminal, your command line, and you ping a nine, if you, you can convert an IP address into a decimal, long decimal number, it works. So you don't have to hide IP addresses with IP addresses; you can convert them to decimal numbers. It's a long integer, basically. So if you know how things actually are done in your fields, in whatever everybody is working on, you can become an expert in your field, and these are the talents that we're looking for.

Now again, I've done my bachelor's, my master's and my PhD; all are within the information security space. Again, to give you an example, back in 2004 I wrote the threat intelligence
engine and the threat assessment engine, what you guys we AI in 2004, which I explain what is the next version also, which is called National understanding, it's the next evolution for computers to understand events, back in 2004. And after that I have been doing projects in more than 16 countries around the world, one of them being Ireland. Most of the projects are on a need-to-know basis, and that is why I don't have time to go and flex on social media, fight with people on Twitter, post every day 45 times on LinkedIn, and do all these annoying things that I see. I like to go to conferences and meet
people who are making a difference personally, and they know me, I know them, and that's it. I respect them, they respect me, and that's about it. There is no need for this online celebritism, because that celebritism also sometimes sidetracks and you are
celebritization, when the people who are putting on a pedestal are the criminal mindset. They don't see that you are the heroes of your stories, because you are doing the hard work in security, and that's even harder. Taking a baseball bat to break a car, it's much, much easier, and steal it, than actually sitting down designing the process, designing the immobilizer, designing the encryption processes in order to protect and defend it, right? I personally have more respect for this than telling me, I downloaded an exploit from the dark web, I wrote, I ran it, and I took down, I don't know, a company or whatever, and whatever, doesn't matter. I hope that
again communicates the right message. Now, to understand the extent of what I'm telling you, I have been involved in writing, designing, so many other words that don't necessarily need to be said, cyber security strategies, information security strategies, for three different countries. So I've done some stuff in my 20 years of career, and I wish we had more time to go through a lot of the examples and the stories and lessons learned. However, today we are here to summarize what I've just opened up with, with something about the future, something that I think will be beneficial to you.

And it wouldn't be a cyber security presentation without the iceberg slide, right, with a hidden ice
below the surface of the water. However, I do not have it for that reason; I have it for a different reason. Because everybody's talking about cyber security, but I don't know how many of you actually know what cyber actually means. Because cyber, and this is where the Greek element comes in, is from the Greek word kyvernó, and I wrote it in Greek. It doesn't matter; the first five letters, the last one looks like an English p, in Greek it is r. Kyvernó in Greek means to steer and navigate, and back in the day, 25 years ago, it was being used for the cyberspace. You are doing things in a virtual
environment, in the cyberspace, in this, to the unknown. That is why we're using the word cyber today. There are many debates if we should be using it or not; that is a different discussion.

So let's take you through the journey to navigate career paths, right? Now, for many of you, or some of you, or a lot of the people that you know in the organizations that you are working for, or will work for in the future, for those who are students, the leading aspiring role in an organization is the role of the CISO, the Chief Information Security Officer. This role has evolved through different weird paths over the years, and a lot of weird conversations on
what actually are the responsibilities of the Chief Information Security Officer. Some of you might be programmers, some of you might be in DevSecOps, some of you may be working in threat intelligence, some of you may be working within the spectrum of the GRC, the governance, risk and compliance. Some of you might be seeing the role of the CISO as the ultimate security-oriented job that pays a lot of money, and you want to reach that level someday. So what happened, apparently, is that CISOs over the years shot themselves in the leg, in the foot, right? Is that the expression? In the foot. How? Well, you see, 20 years ago, when this thing started, needing someone to
lead the security space, it became a trend, and we have until this day CISOs who are there, and want to be there, not to lead information security and cyber security initiatives, whatever; they want to be there to do only managerial work. They want to approve budgets, they want to manage people, and they want to join boardroom meetings, and that's about it. And believe me for saying this, and I've seen this because of my experience, and that's why I showcased the experience at the beginning, otherwise I rarely do that, it is because with banks, payment processors, acquirers, other companies, startups, private equities and all these organizations, government organizations, federal
organizations I have worked with before, I see a very particular trend: CISOs wanted to be only managers. And when it comes to security incidents, breaches, which, I don't care about the breach, I care about the people working in this organization, and to protect their jobs, protect their career paths, that's my priority. This is why I get inspired to be in this industry, because what I do is for the people that are working for this organization, so they can secure their jobs, they can make more money, they get, like, better bonuses and all that, and these people can feed their families, and there is some growth in order to bring more people and
create more jobs. That's why I do what I do. So over the years we saw that CISOs had this mentality that this is their job description, just to be there to manage people and sign budgets. And we've all seen this little meme, I believe, "mim" or "meme", whatever the buzzword is, of the empty jar of the budget before the data breach and the full-of-coins jar after the data breach. And I'm here to tell you, because I've been in these boardroom meetings, the only reason the jar was, in 90% of the cases, empty before the breach is because, and I'm sorry to the CISOs in the room, the CISO of the organization had no clue how to
communicate risk to the boardroom and to the CEO. They couldn't go to the CEO and answer the question, "So what? So if I do this, so if I don't do this, so what?" They couldn't. Imagine investing into a business that has a CFO, a Chief Financial Officer, that doesn't understand financials. You'd better close down, go home, and that's it; the company is going to go bankrupt. Same thing. Unfortunately this is the truth, and if I go and present this at one of these big conferences that is full of CISOs in the auditorium, you understand the backlash, not because I'm lying, simply because it doesn't follow the narrative.

How does that have to do with
all of you? I'll tell you why. Because in the fifth domain of operations, which is officially cyberspace, you can Wikipedia, Google it, among sea, land, space and air, the fifth domain of operation is officially cyberspace, you need people that understand what I said earlier, that are responsible, that are accountable, and that have the right core values, the right ethics, the right moral compass.

One of the amazing stories, and I think an might be remembering this story, because I do think she actually knows exactly who that person is: a few years back I was having a conversation with a CISO, and I was trying to explain to him in what kind of risk he was putting
not only the organization but the employees. His bad ethics, his bad practices, were putting people's jobs in jeopardy. This person turned around and said to me what will happen if the company gets completely breached and all IP is stolen, so basically it goes bankrupt. He tried to explain to me what is going to happen, because, according to his words, I wasn't seeing the C picture, I wasn't manager enough, at his level. He said this: number one, if there is an incident and everything goes to hell, we are going to be called into a briefing room with the CEO, stakeholders, the boardroom. Who do you think the CEO will believe: my security guy, my external consultant, my security engineer, or
me? You will not even be allowed in the room. I will tell them what happened, so I'll get away with it. Number two, most probably, because this is how things are, after 2, 3, 4, 5 years I will be in another job by the time the manure hits the fan. Yeah, yeah. So that puts you into a very good perspective: this person's ethics, this person's understanding of the responsibility, how he was operating on a daily basis, and of course how he was treating his team. It was all about him, let him look good, and everything else doesn't matter.
with your careers and in the industry, and the people, and the young people that you discuss out there, or, you know, they're looking into their career paths and all that. Especially when I was starting my journey, there were very few career paths to take. However, information security or cyber security, whatever you want to call it depending on the context, has a huge spectrum of career paths that you can follow, and personal attributes contribute significantly in your career path. Your mindset, your maturity, the level of understanding contribute significantly: the way that you do pen tests, the way that you do social engineering, the way that you think outside the box to
protect something, put defensive mechanisms, or take it to the next level. You might not be realizing it, but you do it, intentionally or unintentionally. So the career path that was obvious for many people, or still is, is: do we become part of the blue team, or do we become part of the red team? And of course it has many little options here and there. What I'm trying to tell you here is that these are not the only two options. One of the ways to identify what you are good at is by writing down on a piece of paper: what do you know best, what are you interested in, what do you like spending
hours reading or understanding? And by listing those things down, you start to create your own job description that you like to take your career path through. That was one of the ways, and the method I was using when I was doing my PhD, because I was creating MSc projects and I was supervising MSc students. That was my approach, my methodology, in order to use, in a way, again from a Greek background, the Socratic method to carve out what these people were good at already, what they were aspiring to be. So I was listening to them for half an hour or for an hour, right, because the project will take, like, 3, 4, 6 months to
do, what they like doing. So as I was writing these bullet points down, then I was saying, you know what, in order to combine this, and in order to write a challenge for this, and in order to make the third circle, which is for the future, I believe the project we would be more excited to do is this project, this idea. Believe it or not, I would say 99% of the time the students were over the moon. They couldn't wait to finish the uni day in order to go home and start working on their projects, and they were extremely successful. The 1%, it was not that it was unsuccessful; it was simply that during the
process they discovered that they were overexcited; they wanted to put too much into the picture, and it started becoming a blow-up of different initiatives for the final project. That's how you empower people, directly or indirectly.

So don't be the CISO of that story in the future. Don't try to earn a role and go for a job that is predefined for certain things. In the future, because of the spectrum and the evolution of cyber security, and security being adopted properly, up to a point, to what we do with technology and the digital transformation that we're going through, the CISO role will evolve, and it is already evolving, and I will tell you why I'm
saying this, to a speciality role that needs to drive change, needs to be the leader of a group. It doesn't need to be the definitive leader of a whole organization or a whole group of organizations. You can be within DevSecOps and have a leader in there that is that role, understands, leads, is the CISO. So build your career paths towards becoming good at that particular area that you are interested in. Try to read and study for that particular role. If you want to take it somewhere else, if you want to become a CISO, for example, again, when I'm saying CISO now, I mean the expert, or the specialist, or the lead of the cyber
security team, space, vertical, department, right? I'm talking about that person, the person that an organization, a CEO, a company, or, in a consultancy space, someone will come to you and say, "I have this problem, we need to take this journey, I need your advice, I want your input, and I want you to drive it." In order to do this you need to be informed; you need to be able to make informed decisions. Don't do what is happening today, where that informed decision is by a CISO, again, that says to the CEO, or to the people that are expecting his leadership or her leadership, let me call Gartner, let me call this consultancy, let me call the
Big Four, let me call someone, let me give them a lot of money, so basically to ask the question and answer a question that is so, so basic, and they should be driving this.

Now, how many of you have heard of the Red Queen hypothesis? So the Red Queen hypothesis, which is also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that species and organisms must constantly adapt, evolve and proliferate, not merely to gain a reproductive advantage, but to also survive while pitted against ever-evolving rival species, organisms, in a continuously changing environment. That reflects on how you should be seeing the cyber security space, the information security space, the
roles that you are operating within. You have to constantly evolve, not only you, at all levels of leadership, and unfortunately the leadership that we currently have has been falling behind. In the Looking Through the Glass, in Alice in Wonderland, the Red Queen, and that's why it's called the Red Queen hypothesis in this case, says to Alice, "Now, here, you see, it takes all the running to keep in the same place." And this is what we do in cyber security: we have to simply keep running just to be in the same space. And if the leaders of today do not understand that, they're fully behind, and they have fallen behind. This
is why there is a new, in a sense, role that is being discussed for the future, that will start replacing what is the current role, the leader of a whole information security team or department. Because if you take under consideration people, processes, technology and data, you need, when this thing goes forward, first of all to understand what it means to be responsible, accountable, consulted and informed. This comes from the RACI matrix, where usually we see leaders want to be consulted and informed and never be responsible or accountable for things.

Now, here's something that you need to know as you develop your own
leadership skills: try to take under consideration the industry and the sector that you are operating within. The priorities of a penetration tester, the way that they are operating, the way that you conduct the penetration testing, right, the way that they are scheduling, planning, reacting, the risk they are taking in certain cases, when it comes to the oil and gas industry is completely different from when you will be doing that against telecommunications and media. Again, we've been taking the one-solution-fits-all. Make sure that whatever you do in this industry, you take under consideration the industry and the sector that you are operating within. That will explode the way of your understanding on where you need to
go. I'm closing with this. The path is difficult; however, there is a new sheriff in town. It's going to be called Chief Cyber Security Officer. It is you, as chief operation officers, as COOs, in your role, how you perform and operate. The Chief Cyber Security Officer, it might sound like a fairy tale, but it is real. It is coming along. ENISA, as you know, it's the European cyber security agency, appointed a Chief Cyber Security Officer two or three months ago, simply because of all these reasons that I just told you, because you need someone that actually takes responsibility and accountability as their daily area of
operating. They need to take it under consideration. You need to have someone that, when the organizations go to them, understands the bigger picture; they're not just there to drink coffee. How does that reflect against you? You are that role. You are that future, whatever. Again, you might be in a blue team, you might be in a red team; in the future you will have to understand your area very well, and you will have to give certain answers. It's not about let's run a pentest; it's about: we are in oil and gas, here's the priorities, here's the mindset, here's how we should operate, these are the threats, these are the risks, this is what it
means thinking outside of the box, this is how we redefine what we do with pentest. There is a huge opportunity if you try to do and think that way in the future, that, I usually say, makes you a security champion. However, I know it's a lot to take in, and it takes a lot of discussion, and you might be having a lot of questions, or I didn't explain something in much detail due to the constraints of the time, but believe me, it makes a huge difference. I can give you personal examples, which I cannot say on camera, of how it will make your life extremely more easy if you take under consideration what we
discussed today in order to improve the way, or change the way, that you see things. That will definitely convert you into a security legend within your own organization, or within departments, or within your career paths.

Now, having said that, thank you so much for taking the time to be in this talk. I hope it was a little bit different from what you usually get as a keynote, because I wanted to be informative, and thank you for having me in Dublin. Take care, enjoy your something and enjoy the day. If you have any questions, you can come and find me later on if you want to ask something. I'm going to be here the whole
day. Thank you so much.