CISO Perspectives (public) 4.22.25
Ep 108 | 4.22.25

Are we a trade or a profession?

Transcript

Kim Jones: Welcome to "CISO Perspectives". My name is Kim Jones, and I'm thrilled to be your host for this season's journey. Here we provide in-depth conversations and analysis of the complex issues and challenges, technological and otherwise, that the average CISO faces. We're bringing the deep conversations out of the conference, or more realistically, the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc. For our inaugural season, we here at "CISO Perspectives" have chosen to tackle the challenges surrounding the cyber talent ecosystem. We've been complaining about talent issues for the better part of a decade, but our piecemeal solutions don't seem to be solving the problem. [Background Music] Today we explore the question, is cybersecurity a trade or a profession? As a reminder, this is one of just three episodes that will be available to everyone. After the next episode, "CISO Perspectives" is available only to "CyberWire Pro" subscribers. If you haven't already done so, head on over to thecyberwire.com/pro to sign up so you can keep going deep with us on these conversations. And now, onto the show. [ Music ] In 2013, 18 years after the Chief Information Security Officer role was created, the National Academy of Sciences, or NAS, released a report. This report stated that cybersecurity should be seen as an occupation, not a profession. In this report, NAS stated that the cybersecurity field was too young and that the technologies, threats, and actions taken to counter them were changing too rapidly. Further, NAS felt that professionalization would, and I quote, "Impose certain barriers to entry which would prevent workers from entering the field at a time when demand for cybersecurity workers exceeds supply". This caused dismay and even disgruntlement amongst the old security heads who had built cyber from the ground up.
As we discussed this report, we routinely conflated professionalism with being part of a profession. Indeed, many advocated that we were already a profession and were eager to prove NAS wrong. However, 12 years later, we're no closer to true professionalization. It seems as if nothing has changed but the magnitude of the challenges we face and the enormity of the stakes. True professions have certain characteristics that cybersecurity does not fully meet. On the side that supports the belief that we are a profession, there are two compelling arguments. One, professions have a unique body of knowledge that can be codified, studied, and therefore, learned by others. While degrees aren't necessary for an individual to practice in the profession, degrees tend to ensure that individuals understand the basic principles of the profession. And two, professions have a service orientation, and not just to those who employ us. Professions, and the professionals within, are committed to the betterment of the profession itself. Professionals commit time, money, and effort to contribute to both the profession's body of knowledge and its administration. Unfortunately, there are two requirements for a profession that we have not met. One, professions have a code of ethics that defines appropriate behavior, meaning a profession's commitment to these standards would cause a professional to leave their employer before they violate them. While we may have organizations that have codes of ethics, there is no overarching uniform code of ethics for the cybersecurity profession. And two, professions have sanctioning organizations. In addition to promoting research and the exchange of ideas and acting as a collective voice, sanctioning organizations have the ability to limit or eliminate an individual's right to practice their craft if they violate the code of ethics or commit egregious acts. The sanctioning organization provides oversight and guardianship.
No such organization exists in cybersecurity today. [Background Music] Given the hands-on nature of many cyber roles, there has been an equally strong argument that it should be considered a trade versus a profession. Indeed, we have seen a resurgence of this belief by a new generation of cyber warriors who insist that their knowledge and experience should be the only arbiter of selection and advancement. While this argument has some appeal, I contend that the argument for us being a trade is the weaker one. Trades have clearly defined standards of entry, clear documented knowledge requirements for both entry and advancement, a mandatory apprenticeship structure that is supported by the trade, and additional mandatory certifications required for advancement. While I was a CISO at my last large company, I gained exposure to a true trade structure. My executive assistant's husband was working as an apprentice with a local power company to become a lineman. The levels of rigor of the program, the formal learning, the number of hours he needed as an apprentice before he could become a journeyman were highly structured. Cybersecurity has elements of the structure, but it lacks formality and it lacks mandate. So, what are we today? Are we a trade, a profession, neither, both? Folks, as much as it pains me to say this, the truth is this, the best adjective to describe us today is stagnant. The arguments made today are practically identical to those pointed out by NAS over a decade ago. While technology has only continued to flourish, we still can't decide what we want to be when we grow up. We are too busy to train newcomers and would rather steal experienced resources from one another. We remain collectively afraid of professionalization and its exclusionary potential. We refuse to adopt standards regarding needed knowledge, skills, and abilities. Yet we rail about the inadequacies of up-and-coming talent. Folks, it's 2013 all over again, or rather it's 2013 still.
Is it any wonder why we have lost our agency with those who would regulate and legislate? Without clear answers and standards, we cannot blame our constituents for seeking guidance elsewhere. As a longtime practitioner, I contend that there comes a point in a career when technical depth, breadth, and expertise should equal our ability to lead and build. Our nation's Armed Forces provide a good model for us. Within a particular service branch, there are shared skills and abilities in which all members are trained and must regularly demonstrate proficiency. As service members advance in rank, their roles shift away from hands-on and into leading, training, and planning. That shift becomes more drastic within the senior, non-commissioned, and officer ranks. While junior ranks will poke good-natured fun at senior ranks, there is, for the most part, mutual respect and an understanding of the need for these different roles. It's time to appreciate that cybersecurity is a combination of requirements that shift based upon role and scope. This is neither unique nor new, but it does require a level of definition and baseline requirements for entering the profession and proper and detailed scoping for advancement, [Background Music] things we have been unwilling to do for ourselves and the next generation of professionals. Until we do, we will remain nothing more than a glorified occupation that will continue to lose agency. My two cents. [ Music ] On today's episode, I'm joined by Larry Whiteside, a veteran cybersecurity leader, passionate advocate for diversity in tech, and Co-founder and President of Confide. Today's conversation revolves around a big question, is cybersecurity a trade or a profession? Let's get to it. First and foremost, Larry, thanks for making the time, man. I know how busy you are, and I appreciate you giving me a few moments of your day, man.
So, let's take a couple minutes because I've known you for more years than either of us would like to admit, but, uh, my audience might not. So, take a couple, three minutes and tell us about you.

Larry Whiteside Jr.: Yeah, so I try to simplify it in this way. So, A, I'm a faith-led cyber executive. I've been in this industry for, I think, 33 years at this point. Ex-Air Force officer, ran information warfare at the Pentagon. That's my last role. Jumped out, have held the role of a cyber leader/CISO about eight times across my career. And I've just been very fortunate and very blessed to have had the roles I've had, and be in the positions that I've been in to help others. So it's been a great journey. And the most impactful thing I've done, of course, is co-founded a not-for-profit, what was formerly called ICMCP, which is now called Cyversity.

Kim Jones: Fantastic. I was mentioning to someone, I remember the day and age, as do you, when you could put all of the men of color who were sitting in that cyber leader chair in a single room and still have there be less than 30 of us in the room. So yeah, we've been around a day and a half with her.

Larry Whiteside Jr.: Yes, we have.

Kim Jones: So, you and I have had this conversation before, and you've been around almost as long as I have, so you've seen the changes that have gone on in the environment. So, let's start with the basic question, are we a trade? Are we a profession? Are we both? Are we neither? Would love to hear your perspective on that.

Larry Whiteside Jr.: Yeah, so I've actually given some thought to that simply because, and I'm going to say, I think we're both. I think we're both because of a couple of factors. When you think about the entry level components, the entry level component of getting into cyber is very trade adjacent, right, meaning that there are certain skills that you need to have coming into this. It's not about certifications, it's not about degrees, it's about skills, which is why we say you can come out of high school and do this because if you create or foster certain skills on your own in high school, you can technically come into a cyber role and become proficient in the way that an organization needs you and go execute. So, at that level, I see it akin to a trade. The problem has always been, for entry level roles, we try and introduce them via internships. Internships do not align to trades. Because what I've noticed across the industry, the way an intern is treated, is definitely more of a let's give the work that no one else wants to do to that person [laughter]. Not let's train them. Let's hone the skills that they've brought to the table so that they can be better at that craft, and they can utilize it to better support us. So, with that, I think that we've had a mismatch there and, from a professional and trade perspective, right?

Kim Jones: So, reflecting back, yes, it is possible because, particularly at the entry level, we are more skills and abilities-focused than certification, college degree. And we'll talk about the goods and bads of that later on. So, that is, and I love the term you use, that it is trade adjacent. If we believe that, then why are we not seeing folks come out of high school, enter cyber? Why are we not advertising for folks out of high school in cyber? Why do we refuse to hire people who do not have a college degree or at least x number of years doing this at the entry level? Because, if you are correct, why aren't we acting in a manner that agrees with you?

Larry Whiteside Jr.: So, yeah, there are a number of factors that I'm going to drill in on a few of them. So, number one, we, as cyber leaders, and I'm pointing at people who sit at the top of the food chain, have let HR take over and run how we hire.

Kim Jones: Explain.

Larry Whiteside Jr.: So, when a CISO goes in and gets their role as a CISO, what happens is they allow HR to categorize, map, and align the roles in cyber to the roles in the other technology roles in the organization. And so, for those, they create this singular expectation, these singular job requirements, these singular things of what education must be, all of these different components that make up a job description and the requirements that you must have coming into the job.

Kim Jones: Is that really still happening? And I, let me explain where I'm coming from. From my perspective, and it might be, my background is break fix. So, in most of the gigs I take, I write the job descriptions and I fight with HR for those job descriptions. So, my experience base may not be typical, so is that still happening? 

Larry Whiteside Jr.: Yes, go look at the job description. So, because I'm Cyversity, I mentor a lot of people and I engage. I've got multiple slack groups and signal groups and all sorts of groups in which I am engaging with people who are out looking at jobs and, for entry level roles, there's still tons of jobs out there that say entry level or three years' experience. How does that align? Entry level with a four year college degree or equivalent. Well, what is the equivalent of a four year college degree, four years of experience?

Kim Jones: Yeah.

Larry Whiteside Jr.: Well, that's still not an entry level role. So, we've got this mismatch. I need to find out what are the risks that exist and how can I best mitigate them. Not thinking that, the reality is, if you can't build a team properly, you're not going to get any of that stuff done anyways.

Kim Jones: [Laughter] Yeah, I've had similar conversations with CISO to say, I want an entry level position, but I want them to be able to do certain things. And in order for them to do certain things, they need to have these experiences. Then I go back and say, then why aren't you sitting there labeling that not as an entry level position? Because I'm a believer, worst case, that entry level requires zero to six months, preferably zero. Then I get the, well, I don't want to budget for the experience.

Larry Whiteside Jr.: Training.

Kim Jones: So, is that an HR problem or is that a CSO problem? Because they want to have their cake and eat it too.

Larry Whiteside Jr.: It's both. It's both. I've seen organizations where HR is very hard around the salary bands.

Kim Jones: Okay.

Larry Whiteside Jr.: And around the job requirements based on salary bands.

Kim Jones: Okay.

Larry Whiteside Jr.: No, we can't have someone who doesn't have a degree in the salary band. Across the organization globally, you have to have a degree to fit what's inside the salary band, and I'm like, we're unicorns. That's like, that doesn't work for me.

Kim Jones: Okay.

Larry Whiteside Jr.: And so, I've had to have that battle and I've had this conversation with CISOs who have also had to have that battle. But to your point, we also are impatient because we, as CISOs, also.

Kim Jones: Hang on, hang on, hang on. Whoa, whoa, whoa. Your tax dollars trained me to do this as they did to you. So let me try this, us? Really? Say it isn't so.

Larry Whiteside Jr.: But there's a reason that the CISO role is the tenure of a CISO is under two years. And with that, you know as a CISO, when you go, and you've got a limited amount of runway to get things done. So, with that, if you are focused on building a team, you're trying to build a high performing team. And in an effort to build a high performing team, what you leave out often is the lower level, entry level, and figuring out how to get people into your pipeline to get people skilled up to become that high performer. You don't take time for that.

Kim Jones: But let's play with that a little bit. Let's play with that a little bit. But because again, for the sake of our audience, Larry and I have had this conversation more than a dozen times, and we've gone back and forth. But my job is to push, because I want to make sure we're hitting all sides of this. So, let's back up for a second. The tenure of a CISO is two years. Whose fault is that? That's us. So, I'm back to, and I'm going to rant a little bit here, I'm back to the tenure of a CISO is two years. Why? Because we look at ourselves as hired guns? We get bored? We get scared because of, oh my God, the sky is now falling and we have to actually dig in and do a little work? So again, yeah, HR has a component of this, but if that's the case, then are we a profession? Because professionals don't act as hired guns. So, are we trade adjacent or are we truly just a trade? No.

Kim Jones: Because we're looking at the job to move on? And if we're not, what do we need to do to fix that?

Larry Whiteside Jr.: So, no, no, no, it's interesting, you bring up some good points. So, do we get bored? Yes. Because there are some of us who are builders. Some of us who are fixers. And some of us who are all of the above. And there's a mix of everybody in there. So yes, there's multiple reasons why the tenure is only 24 months, but one of those reasons is also why we call it the Chief Information Scapegoat Officer. Because 364 days of the year, everything can be fine. On day 365 when something does happen and the entire organization looks at you and says, how could you let that happen? And you go to your email list and you go to your risk registry, and you show all the things that you've shown them around the risk that ended up getting exploited that we needed to repair that. So, the role having all of the responsibility and not only the authority, is also partially why.

Kim Jones: Well, I understand there's some uniqueness to that and I understand, because you and I have both grown up with that, but I'm also wondering is are we scapegoating that? Are we at a point where there is uniqueness to our position. But I am wondering if we're leaning on that uniqueness as an excuse to do things like put ourselves apart from the business versus learning what's important to the business. We've fought during the timeframe you and I came up, Larry, to say we need to have a seat at the table and be professionals. Yet, we're still acting like tradesmen that says, I really don't care whether you understand or not, and I really don't care what you do for a living today. This is the problem. Solve it, and if you don't like it, fine. And if I think you're telling me that you don't want to solve it, and you're not going to listen to me, and my spidey sense begins to tingle back here that I may have a concern, then I move on.

Larry Whiteside Jr.: Yeah, so, I look at it a little differently. So, I look at the top of the food chain and a few levels down as 100% a profession. And, and here's why. Part of the challenge that we have is this role is not as old as the quote unquote "C-level roles" that exist in corporate entities, right?

Kim Jones: Yep, very true. 

Larry Whiteside Jr.: Additionally, there's not a true, holistic training mechanism that gives what used to be a technologist role. The business acumen, the ability to articulate, the ability to communicate, the ability to understand finances, the ability to understand business, the ability to understand P&L, the ability to understand all of the different nuances of business that most other C-level and senior executives go through on their journey.

Kim Jones: I've got to, you've got to run back that for a second and here's why. While I agree with you on that okay, you know, I built the degree program to do just that. And I couldn't get the support of CISOs in the community, in the environment, to back that because they weren't technical enough. Because I split the training to make sure they knew how to communicate. They understood the business and the pieces and parts here so that they could be prepared to be the Renaissance men and women that they needed to be. And I couldn't get support from the CISO community because they weren't technical enough. So, I have to go back.

Larry Whiteside Jr.: So who is they? When you say, "they", who is they?

Kim Jones: My students.

Larry Whiteside Jr.: Yes. 

Kim Jones: My students and graduates, who, by the way, were coming out with decent technical background, but not as much heavy tech as, say, a comp sci major would be. That creates that transition for the CIO who's come up from hard scrabble, bits and bytes, arms in the wire, et cetera. You're saying that there's no transition from that technical to this piece? Agreed. So, and you said like in other places, agreed. Give me that transition for the CIO.

Larry Whiteside Jr.: So, CIOs got pulled up. So, remember CIOs, they were forced to be business executives. They were forced because they were reporting into CEOs, boards of directors and CFOs.

Kim Jones: No argument on how they got there, Larry, but you indicated that there was a transition, they had to make that transition.

Larry Whiteside Jr.: Yes.

Kim Jones: So, if I have to make that transition as a CISO, what things did the CIO have, that training opportunity, that particular knowledge that was forced upon them, that we're not seeing to the person who wants to translate to your role or mine?

Larry Whiteside Jr.: So A, CIOs are at a different pay bracket. Many of them went and got master's degrees in business, master's degrees in finance, and accelerated higher level degrees, education and certifications, in things that aligned to the business of where they were being forced to go. So, and I use the word forced purposefully. So, for us, where the role has been downplayed, not given the authority that it needs to actually execute upon the remit that they're asking of, we have to choose to go and typically pay out of our pockets. Or find some other way to go get that education in hopes of that accelerating us up into this other conversation.

Kim Jones: So, as they were forced up, there was a universal need, if you will, or rather not need, understanding that, to pull this person up, they need to do these things and this person needs to be pulled up. Therefore, if we would expect that that role to have certain things sitting around it, and many of them are either paid to go do that or go do that because of the pay bracket, et cetera. Where conversely, the CISO sits every freaking place within the environment and in some places sits way too low. So, while there is a need for the role, that need may be the S, that scapegoat, and we just need to have someone on that title to report to the SEC so that we can fire their butts when the time comes.

Larry Whiteside Jr.: That's right.

Kim Jones: To individuals who truly have a seat at the table, either next to the CIO or my role, the CIO and the CSO reported to the Chief Operating Officer. There was the CEO, the COO, and then us. And sitting at that level, operating at that level, different from other organizations and in other verticals saying they belong in different places. So, that lack of understanding as to where they belong has impacted the definition of not only what it means to be that per business professional, but has slowed down our collective need to maybe define what that is because we really haven't defined what the role is.

Larry Whiteside Jr.: That's right.

Kim Jones: So, okay, I want to make sure I'm understanding. Now, in that regard, you were about to make a point that says, and again, something else we've talked about, you were about to make a point that says, different organizations, different business verticals may have different needs because there are different types of CISOs. So, talk to me about those different types of CISOs.

Larry Whiteside Jr.: So, and we get into this debate a lot, me and a number of people.

Kim Jones: You, me and about 50 others usually.

Larry Whiteside Jr.: Right. Because are they really a CISO? And I'm like, wait, wait, wait. And so, we go down this path of what's their remit? What are they doing? Because you've got this large dichotomy of what the term CISO is in every organization. With big air quotes because typical can be a bank. Well, guess what? A Fortune 500 bank is different than a community bank is different than a credit union. I know, I literally had dinner last night in Atlanta with a couple of people that were in financial services. And one was from Morgan Stanley and one was from a community bank. Well, a community bank, he didn't even have the CISO title, but he had the entire remit of the CISO.

Kim Jones: Yeah.

Larry Whiteside Jr.: He had all of the responsibilities of a CISO. So, you then move into healthcare. Healthcare, again, can be, I've seen healthcare where the CISO reports into the CTO of the healthcare organization. I've seen it where it reports to the CIO. I've seen it where it reports to the Chief Medical Officer. So, go over to retail and it just continues to go. Now don't even, and that's on the corporate side. Let's go if you are a technology business. If you're a technology business and you are developing technology to sell to anyone. So, if you're selling to consumers or you're selling in a technology business, you can report it to a CTO and they want you to be deeply technical and that's all you do. You never get involved in the business. And so, there's so many different ways that this role is seen. And now, we are bastardizing ourselves because there's a feeling in the industry, and I created a panel for this last year that CISOs of cyber tech companies aren't really CISOs. And I'm like, wait, wait, wait, wait, wait. Hold on. So, are you telling me they're not protecting the data that you're utilizing? They're not making sure the tech is secure? They're not like, they don't have, because I know tech CISOs on the cyber companies. 

Kim Jones: Oh, dude, you have it worse. I was an intel officer for an intelligence battalion [Background Music] which meant I had a thousand people who thought they knew how to do my job better than me, including the light colonel for the, yeah, you guys get it worse. [ Music ] [Background Music] Agreeing with you on the practicality of what you are saying, there's still a, and you and I have talked about this, there's still a victim mentality here. The arguments that you're making right now are the same arguments in 2013 in the paper that I, or the lead into this that I talked about, we were talking about when I took my first chair in 2003, that the National Academy of Science is formalized in 2013. It is 2025. So, there's a bit of this that says we are painting ourselves as the perpetual victims. So, is it that we're just happy being victims? What aren't we doing and why won't we do it?

Larry Whiteside Jr.: So, yes, and.

Kim Jones: Please.

Larry Whiteside Jr.: It's not that we're happy being victims and I will say there is a movement to move and create a certification to the point of, and not a certification in the guise of a CISSP or something of that nature.

Kim Jones: Or a CCSO or anything of that nature.

Larry Whiteside Jr.: Right, right, right, no.

Kim Jones: And let's back up. I'm not picking on any of those certifications.

Larry Whiteside Jr.: No, no, yeah. We love those.

Kim Jones: I have several of those certifications and they serve a purpose. And we're actually going to talk about certifications in a few episodes, if you want to talk about that in general. But, so yeah, please nobody get offended about the certifications. Please continue. 

Larry Whiteside Jr.: There's finally been some uproar and some movement towards trying to create something similar or akin to what lawyers have. Where they have the Bar Association, where an organization is being formed and formalized that is going to create curriculum around something like that where you have to go and pass something that your peers, people of your peer group, assess to say that, hey, yes, you are someone who has certain qualifications to be a CISO. Now.

Kim Jones: So, to reflect back on that, if I were to put that in other language, what we're saying is we are now taking a movement to professionalize.

Larry Whiteside Jr.: Yes.

Kim Jones: Because what you are describing are the tenets of the profession. 

Larry Whiteside Jr.: That's exactly what you're hearing. And the reality is this, is we need to say thank you to the SEC, right? The bullseye that's been put on the chest of the CISO has caused this uproar because everybody finally recognized, more broadly, the risk that they are in in the role. And so, those cases that have been brought up through the SEC around the roles of CISO and things happening at different companies, I'm not going to name the companies and the breaches, it's easy to search, but that has driven a lot of fear. And so, now when people are going in to have conversations about the CISO role, they're asking some very, very direct questions about D&O insurance. When you talked about the Fortune 500 CISOs, there are more than 40 that do not have a CISO, that I know of directly, and are choosing not to advertise or hire for one right now. When the last one left, they've basically left it, the role blank.

Kim Jones: So, I've got to ask the question then, so yeah, we don't have 500, we have 460, if not 400. So, thank you for that, which is scary in and of itself. So, the question then arises, and I'm going to ask it long, is the effort or the groundswell that you're talking about too little, too late? If 10% of the biggest corporations, from a revenue standpoint, in the world don't believe that there's value in the role, have we waited too long to move down the path of professionalization? So, have we waited too long to wake up and say we want to be grownups? 

Larry Whiteside Jr.: I don't think so. I think that what this is going to do is going to actually help drive the point that we've been trying to make for a long time, which is we deserve a seat at the table. This is a mechanism to demonstrate that there are many of us who have the skills to have the seat at the table. Had you just sought it out or tried to ask because 

Kim Jones: But there are folks who are removing us from the table because we have failed to professionalize up until now. We're being tugged, and there's movement out there. And I'm sad to say some of this movement exists amongst our brethren who believe that the only way to be a good CISO is to be an IT professional. And after you and I struggled to pull us out from IT, they're fighting to put us back in.

Larry Whiteside Jr.: I know. Well, and that is what I call the old school CISO. Those, I hate to say it, but they're starting to age out. The majority, if not all of the CISOs that I know that are, I'll say the generation after us, I'll say 10 years our junior, eight to 10 years our junior have gone down.

Kim Jones: More like 15 for old guys like me, brother, but keep going [laughter].

Larry Whiteside Jr.: Yeah. So, they are all working and have done a great job putting, working to ensure that they've got those other skills and capabilities to present. Many of them have gone and gotten master's degrees. Many of them have done financial certifications in finance and things of that nature to ensure that they know how to read a 10K, an 8K, and all those things that we taught ourselves to do back in the day. So, they are getting [inaudible 00:35:54].

Kim Jones: Yeah, our PhDs are from the schools of hard knocks, man, we banged into the wall and bounced off and flattened our forehead, so I remember it well.

Larry Whiteside Jr.: Yep. But, I don't think it's too late. Because, again, the risk and the threat that we're dealing with is not going away. Threat actors aren't going to say, oh, well, there's not a head of cyber anymore that can strategically deal with.

Kim Jones: Not that, but I mean, the argument can be made that, since we have carved ourselves out as a profession, what have we done to slow the flow of breaches, et cetera, within the environment? So, is there a value proposition of elevating our positions since what has been the relative impact there? That is the argument that is being used against us. Not saying I agree with you, I think that's fundamentally wrong, but I'd be curious to say, that is what I'm saying, is it too late?

Larry Whiteside Jr.: And I'm glad you brought that up. So, the value is in elevating us because we haven't had the authority to get the things accomplished that we needed to. I've had a CIO literally tell me, do not show that risk assessment to anyone 

Kim Jones: Ooh, ouch.

Larry Whiteside Jr.: Right, right. So, what do you do in that position?

Kim Jones: Throw your badge on the table, or show them and then throw your badge on the table.

Larry Whiteside Jr.: No, because the head of internal audit knows we get an annual risk assessment. We had implemented some new infrastructure and some new applications that those things had risk associated with them, that I knew were going to show up as part of the annual thing. He gets a copy of it. I knew he would get a copy of it. Now, this is, again, this is back in the day a little bit, but those things happen. Those things are still happening today. So, it is about time that, yes, we professionalize so that we can level the role up so that we can then get the authority that we need in order to execute the way we should.

Kim Jones: Love it. Love it. All right, so I'm going to close this one off. What is the one thing you would recommend that a young or aspiring CISO do? And what is the one thing that we haven't talked about or haven't mentioned as part of this trade versus profession discussion that you would like to make sure it gets mentioned in this podcast?

Larry Whiteside Jr.: Yeah, so, for any young CISO, there are two things that I think are critical to your success or failure. The first thing is getting ahold of your job descriptions holistically across the board. You need to own it and take ownership of it, meaning, on day one, when you get into the role, you need to be asking for every job description that's in your org, whether it's a filled position or not. Everything that exists inside their HR system as it relates to a cyber role, you need to understand them and you need to make sure that they align with your strategy that you're trying to build, first and foremost. And then as you go down building your strategy, if they do not, it is imperative that you change them to align with it. So that's one. Number two, and it goes with this because you need the supports to get this done, is you need to understand and build very deep personal relationships with every business leader in your business. And that is from the head of HR to the COO to the CFO, to every head of the line of business. And for me, I like to tell people, understand not just their remit, meaning what their business does, how they make money, but understand how the executive gets bonused [Background Music] because them making money is important, but the metrics to which they are measured to get bonused is even more important because those are the things that they're going to be paying attention to when you are building a program to see whether you are a hindrance or a helper to their metrics and the things that they're trying to get done. [ Music ]

Kim Jones: [Background Music] And that concludes our episode for today. Thank you all for tuning in and joining me and Larry as we talked about our industry's identity crisis. Before we end the episode, I want to remind you that there is only one more episode of "CISO Perspectives" available for non-pro members. If you are interested in becoming a Pro subscriber and hearing how the conversation continues to evolve over this season, visit thecyberwire.com/pro. That's thecyberwire.com/pro. There's a link in the show notes. As Pro Subscribers, you get access to key industry driven shows like this one and reports covering a variety of different topics from cyber to space. [ Music ]