
Are we a trade or a profession?
Kim Jones: Welcome to "CISO Perspectives". My name is Kim Jones and I am thrilled to be your host for this season's journey. Here, we provide in-depth conversations and analysis of the complex issues and challenges, technological and otherwise, that the average CISO faces. We're bringing the deep conversations out of the conference, or more realistically the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc. [ Music ] For our inaugural season, we here at "CISO Perspectives" have chosen to tackle the challenges surrounding the cyber talent ecosystem. We've been complaining about talent issues for the better part of a decade, but our piecemeal solutions don't seem to be solving the problem. Today we explore the question, is cybersecurity a trade, or a profession? [ Music ] In 2013, 18 years after the Chief Information Security Officer role was created, the National Academy of Sciences, or NAS, released a report. This report stated that cybersecurity should be seen as an occupation, not a profession. In this report, NAS stated that the cybersecurity field was too young and that the technologies, threats, and actions taken to counter them were changing too rapidly. Further, NAS felt that professionalization would, and I quote, "impose certain barriers to entry which would prevent workers from entering the field at a time when demand for cybersecurity workers exceeds supply", close quote. This caused dismay, and even disgruntlement, amongst the old security heads who had built cyber from the ground up. As we discussed this report, we routinely conflated professionalism with being part of a profession. Indeed, many advocated that we were already a profession and were eager to prove NAS wrong. However, 12 years later, we're no closer to true professionalization. It seems as if nothing has changed but the magnitude of the challenges we face and the enormity of the stakes. 
True professions have certain characteristics that cybersecurity does not fully meet. On the side that supports the belief that we are a profession, there are two compelling arguments. One, professions have a unique body of knowledge that can be codified, studied, and therefore learned by others. While degrees aren't necessary for an individual to practice in the profession, degrees tend to ensure that individuals understand the basic principles of the profession. And two, professions have a service orientation and not just to those who employ us. Professions and the professionals within are committed to the betterment of the profession itself. Professionals commit time, money, and effort to contribute to both the profession's body of knowledge and its administration. Unfortunately, there are two requirements for a profession that we have not met. One, professions have a code of ethics that defines appropriate behavior, meaning a profession's commitment to these standards would cause a professional to leave their employer before they violate them. While we may have organizations that have codes of ethics, there is no overarching uniform code of ethics for the cybersecurity profession. And two, professions have sanctioning organizations. In addition to promoting research and the exchange of ideas and acting as a collective voice, sanctioning organizations have the ability to limit or eliminate an individual's right to practice their craft if they violate the code of ethics or commit egregious acts. The sanctioning organization provides oversight and guardianship. No such organization exists in cybersecurity today. [ Music ] Given the hands-on nature of many cyber roles, there has been an equally strong argument that it should be considered a trade versus a profession. Indeed, we have seen a resurgence of this belief by a new generation of cyber warriors who insist that their knowledge and experience should be the only arbiter of selection and advancement. 
While this argument has some appeal, I contend that the argument for us being a trade is the weaker one. Trades have clearly defined standards of entry, clear documented knowledge requirements for both entry and advancement, a mandatory apprenticeship structure that is supported by the trade, and additional mandatory certifications required for advancement. While I was a CISO at my last large company, I gained exposure to a true trade structure. My executive assistant's husband was working as an apprentice with a local power company to become a lineman. The level of rigor of the program, the formal learning, and the number of hours he needed as an apprentice before he could become a journeyman were highly structured. Cybersecurity has elements of this structure, but it lacks formality and it lacks mandate. So what are we today? Are we a trade? A profession? Neither? Both? Folks, as much as it pains me to say this, the truth is this: The best adjective to describe us today is stagnant. The arguments made today are practically identical to those pointed out by NAS over a decade ago. While technology has only continued to flourish, we still can't decide what we want to be when we grow up. We are too busy to train newcomers and would rather steal experienced resources from one another. We remain collectively afraid of professionalization and its exclusionary potential. We refuse to adopt standards regarding needed knowledge, skills, and abilities, yet we rail about the inadequacies of up-and-coming talent. Folks, it's 2013 all over again, or rather it's 2013 still. Is it any wonder why we have lost our agency with those who would regulate and legislate? Without clear answers and standards, we cannot blame our constituents for seeking guidance elsewhere. As a long-time practitioner, I contend that there comes a point in a career when technical depth, breadth, and expertise should equal our ability to lead and build. 
Our nation's armed forces provide a good model for us. Within a particular service branch, there are shared skills and abilities in which all members are trained and must regularly demonstrate proficiency. As service members advance in rank, their roles shift away from hands-on and into leading, training, and planning. That shift becomes more drastic within the senior non-commissioned and officer ranks. While junior ranks will poke good-natured fun at senior ranks, there is, for the most part, mutual respect and an understanding of the need for these different roles. It's time to appreciate that cybersecurity is a combination of requirements that shift based upon role and scope. This is neither unique nor new, but it does require a level of definition and baseline requirements for entering the profession and proper and detailed scoping for advancement; things we have been unwilling to do for ourselves and the next generation of professionals. Until we do, we will remain nothing more than a glorified occupation that will continue to lose agency. My two cents. [ Music ] On today's episode, I'm joined by Larry Whiteside, a veteran cybersecurity leader, passionate advocate for diversity in tech, and co-founder and president of Confide. Today's conversation revolves around a big question: Is cybersecurity a trade or a profession? Let's get to it. First and foremost, Larry, thanks for making the time, man. I know how busy you are and I appreciate you giving me a few moments of your day, man. So let's take a couple minutes, because I've known you for more years than either of us would like to admit, but my audience might not, so take a couple three minutes and tell us about you.
Larry Whiteside: Yeah, so I mean, I try to simplify it in this way. So, A, I'm a faith-led cyber executive. I've been in this industry for, jeez, I think 33 years at this point. Ex-Air Force officer, ran information warfare at the Pentagon, that's my last role. Jumped out, and have held the role of a cyber leader slash CISO about eight times across my career. And I've just been, I've been very fortunate and very blessed to have had the roles I've had and be in the positions that I've been in to help others. So it's been, it's been a great journey. And the most impactful thing I've done, of course, is co-founded a not-for-profit, formerly called ICMCP, which is now called Cyversity.
Kim Jones: Fantastic. I was mentioning to someone, I remember the day and age, as do you, when you could put all of the men of color who were sitting in that cyber leader chair in a single room and still have there be less than 30 of us in the room. So, yeah, it's a -- we've been around a day and a half, brother. [laughs]
Larry Whiteside: Yes, we have.
Kim Jones: So, you and I've had this conversation before and you've been around almost as long as I have, so you've seen the changes that have gone on in the environment. So let's start with the basic question. Are we a trade? Are we a profession? Are we both? Are we neither? Would love to hear your perspective on that.
Larry Whiteside: Yeah, so I've actually given some thought to that, simply because -- and I'm going to say, I think we're both. I think we're both because of a couple of factors. When you think about the entry level components, right, the entry level component of getting into cyber is very trade adjacent, right? Meaning that there are certain skills that you need to have coming into this. It's not about certification, it's not about degrees, it's about skills, which is why we say you can come out of high school and do this. Because if you create or foster certain skills on your own in high school, you can technically come into a cyber role and become proficient in the way that an organization needs you and go execute, right? So at that level, I see it akin to a trade. The problem has always been, for entry level roles, we try and we try and introduce them via internships. Internships do not align to trades, because what I've noticed across the industry, the way an intern is treated is definitely more of a, "Let's give the work that no one else wants to do to that person".
Kim Jones: [laughs]
Larry Whiteside: Not, "Let's train them, let's hone the skills that they've brought to the table so that they can be better at that craft and they can utilize it to better support us". So with that, I think that we've had a mismatch there from a professional and trade perspective, right?
Kim Jones: Reflecting back, yes, it is possible because, particularly at the entry level, we are more skills and abilities focused than certification, college degree, and we'll talk about the goods and bads of that later on. So that is, and I love the term you use, that is trade adjacent. If we believe that, then why are we not seeing folks come out of high school enter cyber? Why are we not advertising for folks out of high school in cyber? Why do we refuse to hire people who do not have a college degree or at least X number of years doing this at the entry level? Because, if you are correct, why aren't we acting in a manner that agrees with you?
Larry Whiteside: So, yeah, yeah. So there are a number of factors, and I'm going to drill in on a few of them. So number one, we as cyber leaders, and I'm pointing at people who sit at the top of the food chain, have let HR take over and run how we hire, right?
Kim Jones: Explain.
Larry Whiteside: So when a CISO goes in and gets their role as a CISO, what happens is they allow HR to categorize, map, and align the roles in cyber to the roles in the other technology roles in the organization. And so for those, they create the singular expectation, the singular job requirements, the singular things of what education must be, all of these different components that make up a job description and the requirements that you must have coming into the job.
Kim Jones: Is that really still happening? And let me explain where I'm coming from. From my perspective, and it might be, you know, my background is break-fix. So in most of the gigs I take, I write the job descriptions and I fight with HR for those job descriptions. So my experience base may not be typical. So, is that still happening?
Larry Whiteside: Yes, go look at the job description. So, because I'm Cyversity, I mentor a lot of people and I engage. I've got multiple Slack groups and Signal groups and all sorts of groups in which I am engaging with people who are out looking at jobs. And for entry level roles, there's still tons of jobs out there that say entry level with three years of experience. How does that align? Entry level with a college degree, with a four-year college degree or equivalent? Well, what is the equivalent of a four-year college degree? Four years of experience? Well, that's still not an entry level role. Right? So, so we've got this mismatch. I need to find out what are the risks that exist, right, and how can I best mitigate them? Not thinking that the reality is if you can't build a team properly, you're not going to get any of that stuff done anyways.
Kim Jones: [laughs] Yeah, I've had similar conversations with CISO to say I want an entry level position, but I want them to be able to do certain things, and in order for them to do certain things, they need to have these experiences. Then I go back and say, then why aren't you sitting there labeling that not as an entry level position? Because I'm a believer, worst-case, that entry level requires zero to six months, preferably zero. Then I get the, well, I don't want to budget for the experience. So is that an HR problem? Or is that a CISO problem? Because they want to have their cake and eat it too.
Larry Whiteside: It's both. It's both, right? I've seen organizations where HR is very hard around the salary bands and around the job requirements based on salary bands. No, we can't have someone who doesn't have a degree in this salary band. Across the organization globally, you have to have a degree to fit with inside the salary band. And I'm like, we're unicorns. That's like, that's, that doesn't work for me. Right?
Kim Jones: Okay.
Larry Whiteside: And so, so I've had to have that battle. And I've had this conversation with CISOs who have also had to have that battle. But to your point, we also are impatient because we are CISOs also --
Kim Jones: Hey, hang on, hang on, hang on, hey, whoa, whoa, whoa. Your tax dollars trained me to do this, as they did you, so let me try this. Us? Really? Say it isn't so! [laughs]
Larry Whiteside: [laughs] But, but there's a reason that the CISO role is -- the tenure of a CISO is under two years. Right? And with that, you know, as a CISO, when you go, when you've got a limited amount of runway to get things done. So with that, you're trying -- if you are focused on building a team, you're trying to build a high performing team. And then in an effort to build a high performing team, what you leave out often is the lower level, entry level, and figuring out how to get people into your pipeline to get people skilled up to become that high performer. You don't take time for that.
Kim Jones: But let's, but let's play with that a little bit. Let's play with that a little bit. Because again, and yeah, for the sake of our audience, you know, Larry and I have had this conversation more than a dozen times and we've gone back and forth, but my job is to push because I want to make sure we're hitting all sides of this. So let's back up for a second. The tenure of a CISO is two years. Whose fault is that? That's us. So I'm back to the, and I'm going to rant a little bit here, I'm back to the tenure of a CISO is two years. Why? Because we look at ourselves as hired guns. We get bored. We get scared because of, oh my God, the sky is now falling and we have to actually dig in and do a little work. You know, so again, yeah, HR has a component of this, but if that's the case, then are we a profession? Because professionals don't act as hired guns. So are we trade adjacent? Or are we truly just a trade, because we're looking at the job to move on? And if we're not, what do we need to do to fix that?
Larry Whiteside: So, no, no, no. So it's interesting. You bring up some good points. So, so do we get bored? Yes, because there are some of us who are builders, some of us who are fixers, right, and some of us who are all of the above, right, and there's a mix of everybody in there, right? So, yes, there's multiple reasons why the tenure is only 24 months. But one of those reasons is also why we call it the chief information scapegoat officer. Because 364 days of the year, everything can be fine. On day 365, when something does happen and the entire organization looks at you and says, "How could you let that happen?" and you go, you go to your email list and you go to your risk registry and you show all the things that you've shown them around the risk that ended up getting exploited that we needed to repair that, right? So the role having all of the responsibility and not only the authority is also partially why.
Kim Jones: Well, I understand there's some uniqueness to that, you know, and I understand because you and I have both grown up with that. But I'm also wondering is, are we scapegoating that? Are we at a point where there is uniqueness to our position? But I'm wondering if we're leaning on that uniqueness as an excuse to do things like put ourselves apart from the business versus learning what's important to the business. We've fought during the timeframe, you and I came up, Larry, to say we need to have a seat at the table and be professionals, yet we're still acting like tradesmen that says, I really don't care whether you understand or not and I really don't care what you do for a living today, this is the problem, solve it, and if you don't like it, fine. And if I think you're telling me that you don't want to solve it and you're not going to listen to me and my spidey sense begins to tingle back here that you know I may have a concern, then I move on.
Larry Whiteside: Yeah, so I look at it a little differently, right? So I look at the top of the food chain and, you know, a few levels down as 100% a profession, and here's why. Part of the challenge that we have is this role was not as old as, quote-unquote, "C-level roles" that exist in corporate entities, right?
Kim Jones: Yep, very true.
Larry Whiteside: Additionally, there's not a true holistic training mechanism that gives what used to be a technologist role, the business acumen, the ability to articulate, the ability to communicate, the ability to understand finances, the ability to understand business, the ability to understand P&L, the ability to understand all of the different nuances of business that most other C-level and senior executives go through on their journey.
Kim Jones: No, you got to run back that for a second, and here's why. While I agree with you on that, okay, you know I built the degree program to do just that, and I couldn't get the support of CSOs in the community, in the environment, to back that because they weren't technical enough. Because I split the training to make sure they knew how to communicate, they understood the business and the pieces and parts here so that they could be prepared to be the Renaissance men and women that they needed to be, and I couldn't get support from the CISO community because they weren't technical enough. So I have to go back.
Larry Whiteside: So, who is they? When you say they, who is it?
Kim Jones: My students, my students. My students and graduates who, by the way, were coming out with decent technical background, but not as much heavy tech as say a Comp-Sci major would be. That creates that transition for the CIO who's come up from, you know, hardscrabble, bits and bytes, arms in the wire, et cetera. What is the -- you're saying that there's no transition from that technical to this piece. Agreed. So you said, like in other places. Agreed. Give me that transition for the CIO.
Larry Whiteside: So CIOs got pulled up. So remember, CIOs, they were forced to be business executives. They were forced because they were reporting into CEOs, board of directors, and CFOs.
Kim Jones: No argument on how they got there, Larry, but you indicated that there was a transition. They had to make that transition.
Larry Whiteside: Yes.
Kim Jones: So if I have to make that transition as a CISO, what things did the CIO have, that training opportunity, that particular knowledge that was forced upon them, that we're not seeing to the person who wants to translate to your role or mine?
Larry Whiteside: So, A, so CIOs are at a different pay bracket. Many of them went and got master's degrees in business, master's degrees in finance, and accelerated higher level degrees, education and certifications in things that aligned to the business of where they were being forced to go. So, and I use the word forced purposefully. Right?
Kim Jones: Yeah.
Larry Whiteside: So for us, where the role has been downplayed, not given the authority that it needs to actually execute upon the remit that they're asking of, right, we have to choose to go and typically pay out of our pockets, right, or find some other way to go get that education, in hopes of that accelerating us up into this other conversation.
Kim Jones: So as they were forced up there was a universal need, if you will, or rather, not need, understanding, that to pull this person up they need to do these things and this person needs to be pulled up. Therefore, if we would expect that role to have certain things sitting around it, and they, many of them, are either paid to go do that or go do that because of the pay bracket, et cetera.
Larry Whiteside: Yes.
Kim Jones: Or conversely, the CISO sits every freaking place within the environment.
Larry Whiteside: Every place.
Kim Jones: And in some places sits way too low. So while there is a need for the role, that need may be as that scapegoat, we just need to have someone with that title to report to the SEC so that we can fire their butts when the time comes --
Larry Whiteside: That's right.
Kim Jones: -- to individuals who truly have a seat at the table, either next to the CIO or, you know, my role, the CIO and the CSO reported to the Chief Operating Officer. There was the CEO, the COO, and then us, and sitting at that level operating at that level, different from other organizations and other verticals saying they belong in different places. So that lack of understanding as to where they belong has impacted the definition of not only what it means to be that business professional, but has slowed down our collective need to maybe define what that is, because we really haven't defined what the role is.
Larry Whiteside: That's right.
Kim Jones: So, okay. I want to make sure I'm understanding. Now, in that regard, you were about to make a point that says, and again, something else we've talked about, you were about to make a point that says different organizations, different business verticals may have different needs because there are different types of CISOs. So, talk to me about those different types of CISOs.
Larry Whiteside: Yeah. So, so, and we get into this debate a lot. Me and a number of people, right?
Kim Jones: Oh, yeah. [laughs] You, me, and about 50 others, usually.
Larry Whiteside: Right. Right. Because there's, are they really a CISO? No, no, wait, wait, wait, wait, right? And so we go down this path of, well, what's their remit? What do they do? And because you've got this large dichotomy of what the term CISO is in every organization, with big air quotes, because typical can be a bank. Well, guess what? A Fortune-500 bank is different than a community bank, is different than a credit union. Right? I know, I literally had dinner last night in Atlanta with a couple of people that were in financial services, and one was from Morgan Stanley and one was from a community bank. Well, at the community bank, he didn't even have the CISO title, but he had the entire remit of the CISO.
Kim Jones: Yeah.
Larry Whiteside: Right? He had all of the responsibilities of a CISO. So, you then move into healthcare. Healthcare, again, can be, I've seen healthcare where the CISO reports into the CTO of the healthcare organization. I've seen it where it reports to the CIO. I've seen it where it reports to the chief medical officer. Right? So, we'll go over to retail, like, and it just continues to go. Now, don't even, and that's on the corporate side. Let's go to, let's go if you are a technology business, right? If you're a technology business and you are developing technology to sell to anyone. So, if you're selling to consumers or you're selling to -- in a technology business, you can report into the CTO and they want you to be deeply technical. And that's all you do. You never get involved in the business. Right? And so, there's so many different ways that this role is seen. And now, we are bastardizing ourselves, because there's a, there's a feeling in the industry, and I created a panel for this last year, that CISOs of cyber tech companies aren't really CISOs. And I'm like, wait, wait, wait, wait, hold off. Like, so are you telling me they're not protecting the data that you're utilizing? They're not making sure the tech is secure? They're not like, they don't have -- because I know tech CISOs on the cyber companies --
Kim Jones: Oh, dude, they get -- you have it worse. I was an intel officer for an intelligence battalion, which meant I had a thousand people who thought they knew how to do my job better than me.
Larry Whiteside: Right.
Kim Jones: Including the [inaudible 00:29:14] you guys get it worse. [ Music ] Agreeing with you on the practicality of what you are saying, there's still a, and you and I have talked about this, there's still a victim mentality here. The arguments that you're making right now are the same arguments in 2013, in the paper that I, or the lead-in to this that I talked about. We were talking about, you know, when I took my first chair in 2003, the National Academy of Sciences formalized in 2013. It is 2025. So there's a bit of this that says we are, we are painting ourselves as the perpetual victims. So is it that we're just happy being victims? What aren't we doing and why won't we do it?
Larry Whiteside: Yeah, so, so, yes, and.
Kim Jones: Please.
Larry Whiteside: It's not that we're happy being victims. And I will say there is a movement, right, to move and create a certification to the point of, and not a certification in the, in the, in the guise of, you know, a CISSP or something of that nature.
Kim Jones: Or a C|CISO or anything of that nature.
Larry Whiteside: Right, right, no, it's --
Kim Jones: And, and, and, look, look, look, let's back up. I'm not picking on any of those certifications.
Larry Whiteside: No, no, I, I, yeah, yeah, no, we --
Kim Jones: I have several of those certifications and they serve a purpose, and we're actually going to talk about certifications in a few episodes if you want to talk about that in general. But so, yeah, please, nobody get offended about the certifications. Please continue.
Larry Whiteside: There's finally been some uproar and some movement towards trying to create something similar or akin to what lawyers have, where there's a, where they have the Bar Association, right, where an organization is being formed and formalized that is going to create curriculum around something like that, where you have to go and be, pass something that your peers, right, people of your peer group assess to say that, hey, yes, you are someone who has certain qualifications to be a CISO. Now --
Kim Jones: So, so to reflect back on that, if I were to put that in other language, what we're saying is we are now taking a movement to professionalize.
Larry Whiteside: Yes.
Kim Jones: Because what you are describing are the tenets of profession.
Larry Whiteside: That's exactly what you're hearing. And the reality is this, is we need to say thank you to the SEC, right?
Kim Jones: [laughs]
Larry Whiteside: The bullseye that's been put on the chest of the CISO has caused this uproar, because everybody finally recognized more broadly the risk that they are in in the role, right? And so, so those cases that have been brought up through the SEC around the roles of CISO and things happening at different companies, I'm not going to name the companies and the breaches, it's easy to search, but that has driven a lot of fear. And so now when people are going in to have conversations about the CISO role, they're asking some very, very direct questions about D&O insurance. When you talk about the Fortune-500 CISOs, there are more than 40 that do not have a CISO, that I know of directly, and are choosing not to advertise or hire for one right now. Like, when the last one left, they basically left it, the role, blank.
Kim Jones: So I've got to ask the question then. So, yeah, so we don't have 500, we have 460, if not 400, so thank you for that, which is scary in and of itself. [laughs] So the question then arises, and I'm going to give you the, I'm going to ask it long, is the effort or the grounds for what you're talking about too little too late? If 10% of the biggest corporations from a revenue standpoint in the world don't believe that there's value in the role, have we waited too long to move down the path of professionalization? So, have we waited too long to wake up and say we want to be grown-ups?
Larry Whiteside: I don't think so. I think that what this is going to do is going to actually help drive the point that we've been trying to make for a long time, which is we deserve a seat at the table. This is a mechanism to demonstrate that there are many of us who have the skills to have the seat at the table, had you just sought it out or tried to ask. Right? Because --
Kim Jones: But there are folks who are removing us from the table because we have failed to professionalize up until now. We're being -- and there's movement out there, and I'm sad to say some of this movement exists amongst our brethren who believe that the only way to be a good CISO is to be an IT professional. And after you and I struggled to pull us out from IT, they're fighting to put us back in.
Larry Whiteside: I know. Well, and that is what I'd call the old school CISO. Those, you know, I hate to say it, but they're starting to age out. Right? The majority, if not all, of the CISOs that I know that are, I'll say, the generation after us, I'll say 10 years, you know, our junior, eight to 10 years our junior have gone down --
Kim Jones: More like 15 for old guys like me, brother, but keep going. [laughs]
Larry Whiteside: [laughs] Yeah. So they are all working and have done a great job putting, working to ensure that they've got those other skills and capabilities to present. Many of them have gone and gotten master's degrees. Many of them have done, you know, financial certifications in finance and things of that nature to ensure that they know how to read a 10-K and 8-K and all those things that we taught ourselves to do, right, back in the day. So they are getting formal education.
Kim Jones: Yeah, our PhDs are from the schools of hard knocks, man.
Larry Whiteside: Exactly.
Kim Jones: We've banged into the wall and bounced off and flattened our forehead, so I remember it well. [laughs]
Larry Whiteside: Well, I don't think it's too late. Because, again, the risk and the threat that we're dealing with is not going away. Right? Threat actors aren't going to say, oh, well, you know, there's not a head of cyber anymore, so that can strategically deal with --
Kim Jones: Not that, but I mean, the argument can be made that since we have carved ourselves out as a profession, what have we done to slow the flow of breaches, et cetera, within the environment? So is there a value proposition of elevating our positions? Since, what has been the relative impact there? That is the argument that is being used against us. Not saying I agree with you, I think that's fundamentally wrong, but I'd be curious to say, you know, that is where I'm saying, is it too late?
Larry Whiteside: Yeah, so, and I'm glad you brought that up. So the value is in elevating us, because we haven't had the authority to get the things accomplished that we needed to. I've had a CIO literally tell me, do not show that risk assessment to anyone.
Kim Jones: Ooh. Ouch.
Larry Whiteside: Right. Right. So what do you do in that position?
Kim Jones: Throw your badge on the table.
Larry Whiteside: [laughs]
Kim Jones: Or show them and then throw your badge on the table.
Larry Whiteside: No, I -- because the head of internal audit knows we get an annual risk assessment, we had implemented some new infrastructure and some new applications that those things had risk associated with them that I knew were going to show up as part of the annual thing. He gets a copy of it. I knew he gets a, would get a copy of it. Now this is, again, this is back in the day a little bit, but those things happen. Those things are still happening today.
Kim Jones: Yep.
Larry Whiteside: Right? So it is about time that, yes, we professionalize, so that we can level the role up so that we can then get the authority that we need in order to execute the way we should.
Kim Jones: Love it. Love it. All right. So I want to close this one off. What is the one thing you would recommend that a young or aspiring CISO do? And what is the one thing that we haven't talked about, or haven't mentioned as part of this trade versus professional discussion, that you would like to make sure gets mentioned in this podcast?
Larry Whiteside: Yeah. So for any young CISO, there are two things that I think are critical to your success or failure. The first thing is getting a hold of your job descriptions, holistically, across the board. You need to own it and take ownership of it. Right? Meaning, on day one, when you get into the role, you need to be asking for every job description that's in your org, whether it's a filled position or not, everything that exists inside your HR system as it relates to a cyber role. You need to understand them, you need to make sure that they align with your strategy that you're trying to build. Number first and foremost. And then as you go down building your strategy, if they do not, it is imperative that you change them to align with it. So that's one. Number two, and it goes with this, because you need the support to get this done, is you need to understand and build very deep personal relationships with every business leader in your business. And that is from the head of HR to the COO to the CFO, right, to every head of the line of business. And for me, I like to tell people understand not just their remit, meaning what their business does, how they make money, but understand how the executive gets bonused. Because them making money is important, but the metrics to which they are measured to get bonus is even more important, because those are the things that they're going to be paying attention to when you are building a program, to see whether you are a hindrance or a helper to their metrics and the things that they're trying to get done. [ Music ]
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the "CISO Perspectives" page to read our accompanying blog post which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from "CISO Perspectives". Thanks for listening. [ Music ]