CSO Perspectives (Pro) 12.5.22
Ep 93 | 12.5.22

Hash Table: How do Newbies become CISOs?


Rick Howard: I got my first official CISO job back in 2012, but I have been doing real cybersecurity work since about 1999, so it took me over a decade to get a job like that. But I have to say - I always wanted to be a CISO. For me, pursuing the leadership track, as opposed to the technical track, was the right direction. That's not for everyone, but for me, it was the right path. I always believed that the CISO role was the ultimate job for the senior security leader - taking everything you have learned in your career and applying it in the real world in some sort of comprehensive infosec program. I've been in one kind of CISO role or the other for over a decade now, in both small and large organizations, on both the commercial side and the business side. As such, whenever I travel around, the first question I get from cybersecurity newbies, either young folks coming out of school or older folks transitioning to new careers, is, what do I need to do in order to get a seasoned job sometime in the future? In fact, that's the most asked question we get here at "CSO Perspectives." In this show, we're finally getting around to addressing it, so...


Samuel L. Jackson: (As Arnold) Hold on to your butts. 

Rick Howard: This is going to be fun. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good ol' US of A, and you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: You're listening to "The Goose Steps High," a character theme from the 1970 Disney animated movie "Aristocats," played in the background as a couple of geese, Amelia and Abigail Gabble, two of my favorite Disney characters, waddle down the road on the backroads of France. And this is appropriate because when I put the call out to the waddle of subject matter experts that regularly visit us here at the CyberWire Hash Table - see what I did there - waddle? Sometimes, I just crack myself up. I asked them if they had any advice for newbies pursuing CISO jobs. As you can imagine, they all had some opinions. 

Rick Howard: There was some consensus, though. Everybody agreed that the skills that were most important, even more than the technical skills that are required to understand your digital environments, were leadership and business acumen. Don Welch is the VP of information technology and global CIO for New York University. 

Don Welch: Being a CISO, more than any other IT function, requires you to understand the business so you can protect it and do it in a way that minimizes impact on the business and lead from where you are. Leadership as a CISO is influence. You're generally not going to have the authority to make things stick, and so you've got to influence people. So even though you don't have actual delegated authority, lead your teams. Lead committees that you're on. Practice every opportunity to lead through influence. Volunteer for every opportunity that you have. Leadership is something that's learned through experience, and the more chances you have to practice leadership, the better. 

Rick Howard: What Don said about volunteering is an important tool for your cybersecurity career. You're playing the long game here. You're not only looking for your first CISO job but also the one after that and the one after that. And I have to say, I've had three different CISO gigs in my career. In every one of them, I didn't get hired because of how smart I was or what school I went to or what certifications I had. In every single one of them, I got hired because somebody in the receiving organization knew me, either directly or indirectly. So what does that imply? It implies networking. And you can network in all kinds of ways. 

Dawn Cappelli: Join CISO groups if you can. If you're not a CISO yet, there are a lot of groups where vendors bring security leaders together. They do it locally, in your city. If you can look around, ask around, use your network, go to your local conferences and information sharing opportunities and get to know other security leaders so you know what's happening with them and what they're doing so you know you're not missing something. 

Rick Howard: That was Dawn Cappelli. She's the director of the OT-CERT at Dragos and formerly the CISO of Rockwell Automation. And I totally agree with her. One of the most gratifying experiences in my career is to volunteer to help one of the local cybersecurity organizations. Somebody somewhere is planning some kind of cybersecurity conference. Or some local club or university is always planning the next capture-the-flag event. And those people are always looking for volunteers to help work those projects. And what a great opportunity to meet people in the industry or join your local chapter of volunteer groups like maybe InfraGard or the Information System Security Association, ISSA, or maybe even the Information Systems Audit and Control Association, ISACA. How about the Open Web Application Security Project, OWASP? Maybe even 2600 and even the DEF CON conference - I put links in the show notes to get you started to see if you want to join any of those. Those groups are rich resources for things you can get involved in. And here's the thing - jump into the fray. Don't sit on the sidelines. You're looking to get noticed here, so volunteer and actually do the work. I've been on a lot of these committees in my career. What normally happens is that 30 people join, but only one or two do the bulk of the work, and everybody else watches from the sidelines. If you're the one that does the work, you're going to get noticed. And this is where you get to practice your influence and leadership skills. If you can help a volunteer committee get something done, that is an amazing accomplishment. And it's a fantastic educational experience because, as Dawn said, CISOs don't normally own all the things that need protection in your organization. Your success depends on how well you can influence leaders to make the right decisions. Bob Turner is the field CISO for education at Fortinet and formerly the CISO for the University of Wisconsin at Madison. Here's what he had to say on the subject. 

Bob Turner: Success in cybersecurity requires curiosity. You need to be able to seek the answers to those what, when, who and how questions when something happens. And that's whether it's a security event in progress or the way a policy is being implemented. To be a CISO, I believe you should have mastery over at least one of the domains of cybersecurity and a strong working knowledge of the others. And here I'm talking about risk and vulnerability management, security architecture and engineering, compliance within your chosen industry and, of course, security operations. But the most important trait CISOs must have in their toolbox is to be able to work with leaders and power players in your organization. It's a soft skill, but it's a hard requirement. 

Dawn Cappelli: And then finally, people management. You know, a lot of people overlook that, as well. They think of a CISO as a very technical role, but being a good leader and focusing on your people and finding people that are passionate about their job is, to me, one of the most critical roles that a CISO can have. 

Rick Howard: That was Dawn Cappelli again. And by the way, she is one of the authors of the Cybersecurity Canon Hall of Fame book "The CERT Guide to Insider Threats." And speaking of the Canon Project, I asked Dr. Georgianna Shea if there were any Canon books that newbies could read that would help them in their careers. She's the chief technologist at the Foundation for Defense of Democracies, a regular here at the CyberWire Hash Table, and she also works with me on the Canon Committee. And it turns out that the Canon Project has many books that apply here. Before we get there, though, I asked her to explain what the Canon Project is. 

Georgianna Shea: So I reference it as a - it's a book club for cybersecurity professionals. 

Rick Howard: I always say nerds, but OK, professionals. 


Georgianna Shea: OK. Or nerds. Either way. So it's housed at Ohio State University. You can go to their website and look at the Cybersecurity Canon - has the books, has the different members there. And what we do is go through cybersecurity books, read them so that everyone doesn't have to read every single book - that they can go through and find the books that pertain to the specific genre they're looking for. We read them. We review them. And then we nominate the ones that we feel are timeless and really fill a hole in the cybersecurity professional's education. So it's something that you really need to read and have in your library. So that's what we recommend and promote on the Cybersecurity Canon. 

Rick Howard: So what I like about it is every committee member, when they read the books, they also write a book review. So it isn't just a list of books that we think you should read. You can read what the committee member thinks about it and decide if you want to read it. And what you said - it really resonates with me, too - is that if you're going to spend some time to read a new cybersecurity book this year, you don't want to read a bad one, right? And so we do the work so that everybody else doesn't have to. And so pick the ones that we recommend, and that's where you should start. 

Rick Howard: So this year, you read and wrote a book review for a book called "The CISO Evolution: Business Knowledge for Cybersecurity Executives," published this year, 2022, by Matthew Sharp and Rock Lambros. Why is this a good book for newbies who want to be CISOs to read? 

Georgianna Shea: Well, I will first say there are a couple other books in the canon that talk about being a CISO, becoming a CISO. There's the "CISO Desk Reference Guide." 

Rick Howard: Yeah. We're going to - I'm going to get to all those. OK, absolutely. 

Georgianna Shea: But I - right. But this is why I love this book. 

Rick Howard: OK. 

Georgianna Shea: So the other books - they're - the "Desk Reference Guide" - they have information in them. But this book, "The CISO Evolution" - not only is that "Desk Reference Guide" for everything you need to know. It introduces you to the business world of cybersecurity, not just the security side of cybersecurity. But it also has a website. So the website you can go to, and it provides you not just the knowledge but the tools that you need. It gives you templates, it gives you information. It gives you - it even gives you a scoring of how you should look at the people you're interviewing and what those minimum scores should be. So I love it because it's a toolbox that you can pick up and use at - you know, throughout the entire business cycle as a CISO. 

Rick Howard: So some real practical things you can do, as opposed to lofty ideas, you know, big strategies and things. Here's the day-to-day tools you use to do your job. It's something like that. Is that what you're saying? 

Georgianna Shea: Absolutely. I mean, it gives you the strategy, as well, but it really gets you into the mindset of, OK, here's the strategy. Here's the - and here's the tactical way to get there. 

Rick Howard: I got the chance to interview the authors early in 2022 when their book came out. Here's what Matt Sharp, the CISO of Logicworks, and Rock Lambros, the CEO of RockCyber, had to say about CISOs learning the business. 

Matt Sharp: The message is primarily, you need business acumen to thrive to have a seat at the table. And we comprise business acumen of three pillars. We talk about foundational business knowledge, communication and education and leadership. 

Rick Howard: I'm so glad you did this book because just looking through it, the explanation of just the financial statement for an organization - I wish I would've had that when I was much younger. I had to learn all that through osmosis and crawling into the CFO's office and saying, can you please explain this to me? So thank you for explaining that to the masses. I really appreciate that. 

Matt Sharp: Right on. 

Rick Howard: So, Rock, let me bring you into this. Why publish this book now? Has something significantly changed in the CISO evolution that we all need to take a look at? Or it's just - is this a missing piece that CISOs need to have under their belt? 

Rock Lambros: Yeah. I don't think anything has changed, which is the problem, right? So it is the missing piece that I think CISOs need to have under their belt. You know, cybersecurity - we can't treat it like black magic anymore. We got away with that for too long - like, saying, just give us money, and we're going to do things over here. But... 

Rick Howard: Guilty. I've done that in my career, and I feel bad about it now 'cause it's definitely not the right way to do it. 

Rock Lambros: It's all good. And like Matt said, CISOs are more and more being asked into the executive suite. And also, on the flipside, CISOs are more and more complaining that they're not getting a seat at the table at the executive suite. So what's that gap? What's that missing divide? And Matt and I believe it is that foundational business knowledge. 

Rick Howard: After the break, Dr. Shea and I will recommend more books from the Cybersecurity Canon Project that newbies can read to get ready to be a CISO. And we'll finish up by having everybody at the hash table discuss the CISO's typical career path. Hint, hint - there isn't one. Come right back. 

Rick Howard: The second book from the canon list that I want to recommend to cybersecurity newbies is a hall of fame candidate book called "Navigating the Cybersecurity Career Path." 

Helen Patton: Hello. My name is Helen Patton, and I wrote the book "Navigating the Cybersecurity Career Path," which is a book for people who are looking to get into security or really do well in security or even to lead a security team. 

Rick Howard: She is the former Ohio State University CISO and is currently the CISO for the Cisco Security Business Group. And full disclosure here - she's been on the Cybersecurity Canon Committee for years and has just recently stepped down as chairman. So I may be a bit biased by recommending her book, but I thought she covered some much-needed detail on the people side of the people-process-technology triad. 

Rick Howard: Most of the books that were reviewed on the Canon Committee have a technical component, but this one - not so much. She talks about resume writing for security professionals; how to stay up-to-date in an ever-changing field, something near and dear to my heart; how to manage stress, something that gets little attention in this stress-inducing field; navigating the diversity gap both as a minority and as a woman and how leaders should write job descriptions to eliminate bias in those things. And once we get a diverse team, how do we keep it so? She talks about the decision to stay technical or move towards leadership and how to deal with imposter syndrome. And I don't know about you guys, but oh, my God, I still deal with this. After a 30-year cybersecurity career, every once in a while, that thing hits me like a ton of bricks. So I asked Dr. Shea if she gets imposter syndrome, too. 

Georgianna Shea: Oh, every day. You know... 

Rick Howard: (Laughter). 

Georgianna Shea: I'm constantly surrounded by smarter people who are very, very, you know, technical. They're very deep in their topics. So I'm just lucky to be around most of the people I get to work with. 

Rick Howard: I keep thinking any day now, they're going to find me out that they - they're going to realize I'm just making this up as I go. I just know, any day, you know, that's going to happen. So you read this book. Your take on it is a little bit different than mine. What did you think about Helen's book? 

Georgianna Shea: Well, it's a good book, but I think you need to understand that I'm much more of a - you know, I like the toolbox. I can relate to the scene in the movie - what is the movie? - "Office Space," when Jennifer Aniston's... 

Rick Howard: Yeah. 

Georgianna Shea: ...You know, in the restaurant, and she's like, OK, well, how much flair do I need? What is the minimal flair? Just tell me. What is it? 


Jennifer Aniston: (As Joanna) And I... 

Mike Judge: (As Stan) We need to talk about your flair. 

Jennifer Aniston: (As Joanna) Really? I have 15 pieces on. 

Mike Judge: (As Stan) Well, OK. Fifteen is the minimum, OK? 

Jennifer Aniston: (As Joanna) Oh, OK. 

Mike Judge: (As Stan) Now, you know, it's up to you whether or not you want to just do the bare minimum or - well, like, Brian, for example, has 37 pieces of flair on today - OK? - and a terrific smile. 

Jennifer Aniston: (As Joanna) OK, so you want me to wear more. 

Rick Howard: Give me the details. I want... 

Georgianna Shea: Yes. Specifically, what are we looking for here? And then the manager is telling her, whatever you feel is appropriate. And she goes, well, I feel like the minimum is appropriate. It's like, well, if the minimum is OK with you. And she goes, well, if it has to be more, then tell me what the more is. So I am that, I guess, sort of, you know, detail-requiring kind of person. And I found Helen's book to be... 

Rick Howard: You don't want any of this touchy-feely BS stuff, really. Do you? 

Georgianna Shea: I am not a touchy-feely person either, yeah. So I found her book applies very broadly across all different professions, not just cybersecurity. It's - you know, it's understanding what you want to do, understanding what your passion is, understanding why you want to do something and then motivating you to go do that. And then in her book, it's towards cybersecurity in the cyber field. But you could apply the book to any field, I feel. Just use different examples. 

Georgianna Shea: So my take was when you compare these two books specifically, "The CISO Evolution" and Helen's book, I find that her book, like, as you said, focuses on the person. And it's from the person's position, you know, what's important to them; what's - what are their values; what do they want to accomplish, and then pushes outward to then the company, whereas I found "The CISO Evolution" is more of firmly understanding the company, firmly understanding the business model, firmly understanding all the exterior factors to you and then you figuring out how you fit into that world. So it was sort of a different direction. 

Rick Howard: So I agree. It's - you could apply what Helen talks about to any kind of profession, but I'm glad that she wrote it specifically for the cybersecurity community. I'm like you. I'm not much of a touchy-feely kind of guy. But I need to be dragged over there to that side every once in a while just to make sure I'm not, you know, burning the house down or something. So the third book we want to talk about, which you've already mentioned, is the "CISO Desk Reference Guide," volumes one and two. It's two different books written by Bill Bonney, Gary Hayslip and Matt Stamper. And I've known these guys forever. And they present the essentials and represent the perfect example of what a desk reference guide should be - a collection, a starting point for topics that all current and aspiring CISOs should know about. The content may not be the final word on many of the subjects, but it's a fantastic place to start. Readers can start to think about their own ideas so, you know, what that job should be and how they do each of those. So in Volume 1, they talk about how the CISO office should be organized, policy and audit, metrics and risk management, board management - that's a really important topic. And in the second book, they talk about finding talent, threat intelligence, continuity planning, incident response and strategic planning. 

Rick Howard: And I would say, George (ph), that this is not a book you read cover to cover. You know, it's one you have on your desk to refer to when you need a pointer or two. And back in the day when I was in the Army, we'd call these things our smart books, these little notebooks that we carried around that contained bits and pieces of knowledge that we learned through the school of hard knocks. And the best thing about these volumes is that you have three seasoned professionals giving us their notes so that we don't have to go through the pain of discovery ourselves. 

Rick Howard: The last book I want to talk about is an older book in the canon. It's called "Winning As a CISO". And it was written by Rich Baich. He's currently the CISO for the Central Intelligence Agency, the CIA. He was also the CISO for Wells Fargo. But when he published the book back in 2005, he was a principal for Deloitte's security and privacy service. And what can I say? He is way ahead of his time here. There are CISOs today that I've talked to on this show not doing what Rich was talking about over 15 years ago. He was one of the first to recognize that CISOs needed to understand the business first and then worry about cybersecurity. And back when most of the CISOs, including me, you know, were getting our hands dirty configuring firewall rules, Baich was advocating for getting out and talking to business leaders and actively pursuing InfoSec marketing campaigns to the business leadership to let them know what was going on and show why the team was valuable to them. So it was one of the first books we put into the Hall of Fame, and I still think it resonates today, this many years later. George, you probably haven't read that one, but what do you think after I said all that? 

Georgianna Shea: "Winning As a CISO" had discussed the need for the business knowledge back in 2005, which is exactly what the CISO revolution is bringing today. And I have seen whenever there's issues in the news, at organizations, you know, there's different cybersecurity compromises, and you have to wonder, well, what was the CISO doing, and why did that happen? And in some cases, the CISO may be trying to mitigate those risks that were eventually exploited, but the communication isn't coming across. If the business side of the house doesn't understand the cybersecurity piece of it, the security risk, they don't understand the language, then they're not going to understand the impact. 

Georgianna Shea: So is the CISO making the case, or is the CISO just not being understood? And in - sometimes the CISO may think, I am making the case, but, you know, the CEO, the COO, whoever they're reporting to, may not really understand what they're saying. So it's important for both sides, the business side and the cybersecurity side, to have that effective communication to ensure that, OK, we understand what the goals are, we understand what the risk acceptance is, and we understand where we're going from here. And it's not, OK, we were compromised, there was an issue, and if I had known this earlier, we would have done something differently. 

Rick Howard: This is one of my pet peeves. You know, it was my generation that did this to our industry, our profession. Early on in the 1990s, we insisted that cybersecurity was somehow different than all the other business risks that everybody has to deal with. We made a point to say how technical it was and that leadership would never understand all the details. And that really set us back for at least 20 years because what happened was that we lost the ear of the business leadership. Most CISOs today are buried in the bureaucracy at least two or three levels down. They're chief information security officers - chiefs in title only - they're not part of the senior executive team for the most part. There are exceptions, for sure, but it's not the norm. We made that mistake in the early days, and we're just now getting around to where the CISO is starting to speak in business terms, like risk and the probability of material impact. So Rich was way ahead of his time, and I always recommend his book to newbies so that they can understand how it should be done. 

Rick Howard: Now, Dr. Shea, you have one more book that you want to add to our newbie collection discussion. It's called "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World," by an old boss of mine, the longtime cybersecurity pundit Bruce Schneier. 

Georgianna Shea: So "Click Here to Kill Everybody" by Bruce Schneier is - it's not a business book. It's not a CISO book. It's understanding cybersecurity and where it started, the different actual case studies and effects of different compromises and where it's going and what you need to know as a leader to, you know, take to your organization to prevent, you know, future attacks, to ensure good security, to ensure that your business processes are aligned so that you can implement those security strategies. So, you know, I was bringing up the business piece before. That's very important. 

Georgianna Shea: I think CISO, by default, you look at the technical piece, but I also want to stress that you need to have the experience and knowledge of knowing the art of the possible. I've worked with many people in the past where if they weren't specifically involved in, let's just say, you know, Stuxnet, or they weren't involved with, you know, SolarWinds, they may not know the lessons learned and what that actually means for their organization. So by having that knowledge of past historical compromises, it really puts you in the mindset of the possible, aside from standards of compliance, but, you know, ensuring security and resiliency for your organization. 

Rick Howard: So, George, you've been doing this cybersecurity stuff for a long time, OK? And so do you have any last advice for newbies here that want to grow up to be CISOs? What would you tell them? 

Georgianna Shea: So growing up and if you want to be a CISO - this is one of the other striking things about the "CISO Evolution" book. The - just discussing business terminology, the Master's of Business Administration. My formal education is bachelor's of computer science, master's in information technology, doctorate in computer science. I have never taken an economy class. Maybe I should be a little embarrassed about that. I haven't taken a business class. 

Rick Howard: Yeah, me, too. 

Georgianna Shea: So... 

Rick Howard: Yeah. 

Georgianna Shea: ...Most of the CISOs I know, they're the technical person who, as you mentioned, steps into the role. But if I know early on in my career that this is where I want to be, this is what I want to do, I would say, you know, take those steps early and start taking the business classes. Don't shy away from it. Don't continue to just add on to your technical certifications. Build out your business acumen, as well. I think that's very important. 

Rick Howard: The other point that all the guests here at the CyberWire Hash Table agreed on is that there isn't any one conventional path on the road to being a CISO. All the Hash Table members on this show got to where they are through some strange and unique path. Don't believe me? Check out another CyberWire podcast called "Career Notes," where infosec practitioners talk about how they got into cybersecurity. 

Simone Petrella: Hello. My name is Simone Petrella, and I am CEO of CyberVista. 

Simone Petrella: I was very into national parks, and I wanted to be a national park ranger - more specifically, maybe a research scientist to study volcanoes. So I know there's not a lot of logical link to cybersecurity there, but I did discover that the fatality rate of volcanologists is quite high because you cannot study them without actually entering an erupting volcano. So turns out it's a scary field to go into. 

Rick Howard: We've done some 100 "Career Notes" episodes at this point, and every show describes a unique path. And by the way, that was Simone Petrella, the president of N2K and one of my new bosses as we merge the CyberWire and CyberVista into a new organization. 

Helen Patton: Again, there is no clear path to being a CISO. There's no conventional way to do it. What I do suggest to people when they ask me this question is one, go and talk to a whole bunch of CISOs and find out what their backgrounds are and how they came to be in the role. You're going to get a whole bunch of answers. You're going to get a whole bunch of ideas that might apply to your particular position. The second thing is to go and look at job descriptions that are out there for CISO roles right now. Most of them are actually pretty poorly written, but they should give you a general sense of the kinds of skill set and experience that hiring managers and companies are looking for. 

Don Welch: There are a lot of different paths to becoming a CISO. But I think the most important thing is to understand how your different path helps you to become a CISO and how to articulate that to others, because really, if you're going to become a CISO, you're going to have to interview for it. You're going to have to convince someone that you are the best candidate. Being able to articulate how that alternative path has given you insights into the business, into leadership, into cybersecurity, into strategic thinking - that's what's really important. 

Dawn Cappelli: So I guess the bottom line is my path was a very windy path, and I didn't have the goal of becoming CISO. But I think diversity - and not diversity in gender or nationality or race but diversity of experience - I think, is very important for a CISO. So expose yourself to a lot of different kinds of opportunities. It's about the journey, not necessarily the destination. 

Rick Howard: And there you have it, recommendations about how a newbie can become a CISO from a waddle of cybersecurity experts sitting at the CyberWire Hash Table. And yes, I'm still laughing at my own joke there. We got specific recommendations centered around networking and leadership development by volunteering at your local cybersecurity clubs and events. You get to know people, and you get to practice your leadership skills. I've included references in the show notes about where you can find more information. We got recommendations about what books to read from the Cybersecurity Canon Project - and again, references in the show notes. And we got everybody at the Hash Table to agree that there is no one conventional path to becoming a CISO. 

Rick Howard: And that's a wrap. I'd like to thank the waddle of CyberWire Hash Table experts who came on the show today. And if you're keeping score at home, that's a triple word score. Dawn Cappelli, the director of the OT-CERT at Dragos, Don Welch, the global university CIO at New York University, Helen Patton, the CISO for the Security Business Group at Cisco, Dr. Georgianna Shea, the chief technologist at the Foundation for Defense of Democracies, Bob Turner, the field CISO for education at Fortinet, Matt Sharp, the CISO at Logicworks and Rock Lambros, the CEO of RockCyber. Next week, we'll be talking about a new kind of CISO job, the virtual CISO. You don't want to miss that. And as always, if you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at the "CSO Perspectives" podcast, send a note to the same email address, and we will try to address them in the show. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.