Security Sandbox 7.1.22
Ep 16 | 7.1.22

Whose Title is it Anyways? A discussion on the role of Info Security in the C-Suite and how it impacts your tech and process

Transcript

Amanda Fennell: Welcome to "Security Sandbox." I'm Amanda Fennell, chief security officer and chief information officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity. One of the best things about a sandbox is you can explore and try anything. When good tech meets well-trained, empowered employees, your business is more secure. This season, we're exploring ways to elevate the strongest link in your security chain - people - through a creative use of technology, process and training. Grab your shovel, and let's dig in.

Amanda Fennell: In today's episode, our sandbox heads to the boardroom for a white-collar discussion with Ricardo Lafosse, chief information security officer at Kraft Heinz, and Andrew Watts, Relativity's chief customer officer and former CIO, on the current state of information security in the C-suite. What should it be? CIO, CSO, CISO, anything or a combination? We don't know. But the current perception and narrative around this specific title actually influences a lot about your technology and process within your departments. So grab your executive briefs, and bust out your corporate buzzwords. Let's dive in. 

Amanda Fennell: Oh, Ricardo, we're going to start with you because... 

Ricardo Lafosse: Of course. Of course. 

Amanda Fennell: It's going to be awesome. I know. I love the fact that I only know you because of Watts, and, like, that was the intro of all of this entire discussion for us to get to know each other. But I feel it's so organic to have the two of you together. 

Amanda Fennell: So, Ricardo, you're a CISO. I, Amanda, am a CSO and a CIO, which - that's a fun one we're going to talk about. Andrew - a CIO previously. Let's talk about how we view these roles that we're in or were in. What's the difference and what's the overlap? And let's just do the disclaimer now. These are our opinions that do not reflect the opinions of the entire industry. Is that correct? 

Ricardo Lafosse: A hundred percent. 

Amanda Fennell: OK. All right. You're first up, Ricardo. So what's your title technically mean? 

Ricardo Lafosse: Man, I should have just - my amazing, super awesome title, as I like to describe it to others - CISO. Also known in reality as if it's a logical or digital asset, for the most time, it's my problem to protect. That's how I simplify it as much as possible. See, Andrew got so upset. He just walked away. 

Amanda Fennell: He just left. Andrew said, I am done with this. But - so wait - so you specifically caveat digital asset? 

Ricardo Lafosse: Yes, yes. And I put a little asterisk because there's digital to physical - you know, especially in manufacturing with OT. There's that collaboration, that movement that a logical cyberattack could impact something physical. So it's not completely physical, but aspects of physical. 

Amanda Fennell: Aspects of it. OK. So kind of an interesting one, though. 

Ricardo Lafosse: Yeah. 

Amanda Fennell: So this is where I've always differentiated myself in the terms the CISO versus CSO when people have asked me, what's the difference? From my understanding and the way I've developed in my career, CISO was, as you say, digital assets or corporate assets and so on. But the CSO typically ends up being a, like, a product side as well. So we end up having either something in addition to - so either it's the product security, the corporate security and the physical security, et cetera. So it's kind of a conglomerate. I almost want to say it's a catchall. Like, if you use CSO, it's a catchall. But CISO definitely does double-click on the digital. But I don't know... 

Ricardo Lafosse: I'd agree. The product one is a very interesting item that you brought up because say - for example, in your industry, a product is a digital asset. So I don't see that - the physical side for that product. Or are you saying it's a product because it's an item that is delivered or goods service to an individual? 

Amanda Fennell: I'm going to pull Andrew in on this one because he created the security around our product, for the record. And I just took over a really cool program from him. But I would actually - I know, right? I'm resting on his laurels. But so it - I actually think it's because it's about the off boundary for what we use in terms of our program. So our off boundary includes some of the physical, which bleeds into our product. 

Ricardo Lafosse: Got you. 

Amanda Fennell: So you can't access - you know, I mean, like, you have to access and have badging and controls, man traps, et cetera. That is part of our off boundary for our product with the way that we approach our actual headquarters and things like that. So, Watts, you're up. What is a CIO and a CISO - what's the difference? 

Andrew Watts: Definitions are interesting, right? So chief information officer has probably been around the longest and, in my opinion, has just a myriad of meanings in a lot of different companies. So, for example, chief information officer in some companies is responsible for applications - whether they're productivity applications, business applications, product-supporting applications - the integration of those to each other and the management of the data that is used by those applications in service of both employees and in service of customers who are using those tools, either through the employees or directly. In some cases, chief information officer also has security responsibilities. But increasingly, we're seeing the chief information security officer or the chief security officer be an independent position - reports to the CEO or the board. 

Andrew Watts: And I think it depends on the size of the company, the scale of the company and how they use technology. I think if you're a company who uses technology for a smaller part of your business and can get away with it, you could possibly have one person or the other. And what I mean by that is one CSO or one CIO tackle both things. Or if you're a large-scaled company, you could decide that you need two or even more of those roles. So in some cases, you're also seeing chief digitization officers, chief technology officers and so on also sort of around the mix there, as well. In my personal opinion, these days, for most organizations, the chief information officer is purely responsible for data application integrations and the IT organization, and the chief security officer is responsible for cybersecurity, product security, sometimes physical security. And the two of them work very closely together, with one having the responsibilities for making sure that the technology's managed in a cost-effective way and that it works well for the employees and the customers, and the other one responsible for risk management, basically, and ensuring that the company is set up well and protected from bad actors or unintentionally sort of - unintentional mistakes made by good actors. 

Amanda Fennell: So Watts, I'm going to use this shameless moment when I have you on a camera, a microphone - you were a CIO whenever I interviewed. What made you think that I could be a CSO here? 

Andrew Watts: I think that for Relativity, we were about to need information security to be a strong centerpiece of what we did in all aspects of running our business, running our product on behalf of our customers, whereas before you joined the company, we had a security program. We had a chief security officer. That was vastly different when we shrink-wrapped software and provided others to operate. When you operate customer's software, you operate on their data. You need someone who understands that anything that can impact that data and how the customers think about it needing to be protected - whether it is inside your corporation, inside the physical boundaries of your premise, or in terms of how the product works - it's got to be a 360 approach. And I think in your background, Amanda, you had done a significant amount of cyber breach work. You had done a significant amount of work in protecting critical assets for financial services companies and others and had a background also in e-discovery. So those things came together really nicely. 

Amanda Fennell: But reporting structure - and by the way, thank you. Appreciate that. But reporting structure, you made the decision as the CIO to not have a CSO report to you. You actually said, I'm going to step to the side. You're going to report to the CEO. And Ricardo, we're coming to you next, just to broadcast that. Actually it's coming in a second. But you made this decision to not have security report in to you. Why? I feel like I'm, like, grilling you. This is an interrogation. Where... 

Andrew Watts: We had... 

Amanda Fennell: ...Were you on the night... 

Andrew Watts: ...No. We had - yeah it could... 

Ricardo Lafosse: Yeah, Andrew. 

Andrew Watts: ...could be... 

Amanda Fennell: (Laughter). 

Andrew Watts: ...Could be seen that way. Could be seen that way. You know, you could say, well, Andrew or someone like him didn't want that responsibility, didn't want to deal with those things. He was scared of it or, you know, he was busy... 

Amanda Fennell: But... 

Andrew Watts: ...Whatever the reasons are... 

Amanda Fennell: I would have - Ricardo... 

Andrew Watts: ...It... 

Amanda Fennell: ...Would you have ever said that you thought he was scared? I would have never said that. 

Andrew Watts: Terrified... 

Ricardo Lafosse: No, no... 

Andrew Watts: ...Terrified. 

Ricardo Lafosse: ...He's just saying this because we're recording it. 

Amanda Fennell: I know, I know. 

Andrew Watts: That's right. That's right. But I think for us, at the time, we were entering a phase where there was going to be a full-time job. It's as simple as that. Our information security program, the execution of it, talking to our customers about it, investments made in it, and the expansion of it was a full-time job. And at the same time, the role of ensuring our applications and data was set up for our customers and for our customer's interactions with our team members, and then finally, the productivity of our employees was also a full-time job. And so it really was two roles, and it made a lot of sense for it to be a co-report to our CEO. 

Amanda Fennell: Yeah. But man, we moved so fast because of that relationship, because - and I will say this. Ricardo, I don't know if you feel this way, but having a CIO that gets security, follows it, understands it and knows where to go and what the prioritization is - we moved so fast in security with that help in that partnership. So I don't know if you have - what your reporting structure is. Now is the time for you to lodge a formal complaint for you to do that if your reporting structure is bad. But what is your reporting structure, and is it the way that you think it normally is, and does it work well? 

Ricardo Lafosse: Yeah, absolutely. So I report to the global CIO, which is a staunch advocate of cybersecurity, and I couldn't agree with you more. We get a lot of traction, a lot of buy-in, specifically the old homage of, oh, is it operations or security? Who wins in the battle? And CIO has to, like, punch him or her or their self in the face to decide who wins or flips a coin. But no, in reality, you get a little bit of both because you get the support from the traditional IT side of the house but you are also enabled to go to the chief legal officer. You can go straight to the CO if you want to get the right agenda and the right traction needed. So for me, it works to report in to the global CIO because of that level of support and that level of engagement. And also something that really wasn't highlighted to me until I got to an organization this size is an X multiplier if I need to bring in additional resources within traditional IT to support security functions. A great example is vulnerability management, where security doesn't just do it themselves. You need a whole slew of other departments to work collaboratively, and that CIO helps you be that glue instead of, oh, Ricardo's saying we have all of these critical vulnerabilities, and he wants them done now. Ha, ha, ha, ha. No, it gets done now because of that level of support. 

Amanda Fennell: So you mentioned something randomly there that I'm going to click on a little bit more here. 

Ricardo Lafosse: Yes. 

Amanda Fennell: Here we go. You opened it up. You mentioned the ability to go directly to, like, a chief legal officer. Who expected there to be so many politics behind this role? 'Cause I did not. So - and, Watts, you've been a CIO. Ricardo, you're in this role now. I mean, did you know there was going to be this many politics for - I got to go convince everybody that this is the thing to do and that there's fear, uncertainty and doubt? Or how do you go about it? Is it a political game? Or do you have to just work through the different personalities? 

Ricardo Lafosse: I'll take the first stab. I think it's a little bit of both. And I will take a lot of cutting my teeth in local and federal government, which - so there were politics. That's all I got for today. But it was a lot of - why is security important to them? Specifically in Cook County, we had separate legal entities that did not really have to report back to the office of our president, per se. And you had to create those relationships to really highlight why security was important. And then our board of directors was also very separated on their level of expertise. Why, Ricardo, this crazy new guy, out of the blue is asking for funding when we never had to really fund this. He's crazy. But being able to convince them and do a little of the politician side but more of that influencing and showing the real value to each of those elected officials in those specific different departments on why security is important, not strictly from a protection perspective but an operational perspective or a process improvement, showing more value than - I'm protecting you from the hackers. 

Amanda Fennell: So, Watts, do you think - so I think that we've spent a lot of time here at Relativity working on educating, like educating our peers, educating the board, educate - and not just because they don't know about security or about tech as a CIO but, specifically, like, we have to make sure that they're on the same page as us before we can tell them the direction of our vision. So I don't know if you feel the same. But do you feel it's political? And do you think that that's where you spend a lot of your time, is the education and the influencing? 

Andrew Watts: You know, I think we're lucky to work in an organization that's incredibly open to ideas and doesn't have a ton of hierarchical politics. I think the information that needs to find its way to peers and others is more of an education problem. I've been in organizations that also have the political issue of, for example, a certain person shouldn't talk to another person without going through a hierarchy and things like that. I'm not a huge believer in it myself. I think that anyone working in a company should be able to try to influence and make change. But I think when you are in an unfortunate situation where you have a lot of hierarchy, structure and expectations around how data and information flows up and down, it can get really sticky. 

Andrew Watts: And position and title can matter. I think at our company, it doesn't matter as much. But when it comes down to, for example, decision-making rights or, you know, who's the authority for the final say so, it really should be rested in a title or a role. For example, as we operate our security protocols, it's necessary for our certifications. You have to have somebody who's designated. It's the way their certifying auditors look at it. And so there's different aspects of why the role exists, why it's titled and so on. I think, lastly, to say to anyone who is struggling with this, I think it is worth breaking it into those different areas. Is this because of culture? Is this because of external necessity? Is it because of decision-making rights? Or is it simply because it works better in your organization? But it is worth thinking about why you need the title, the responsibilities and the decision-making rights to be set up correctly and who needs to know that. Is it you? Or is it the people around you? 

Amanda Fennell: Yeah. I've had people ask me - there's two sets of camps, I think, about the - to be clear, CISO was the role that I came in with and as, and as you moved into a chief customer officer role, it was an opportunity for me to expand and to flex and try this muscle out in a CIO role. There's two camps of people, one who think you can't do both. You can't be responsible for the infrastructure, the applications, all of those different things, the deployment of all the things that we do as a company and securing it. I personally don't find it to be difficult because I worked with you for so many years so closely. So I feel like it's not that difficult to do both of these roles together. Of course, I'm definitely not the CIO that you were, which is one that I aspire to. So blush, blush - right? - single tear. I know, Ricardo, don't cry. But I guess from your perspective, can the two exist as one as an area? 

Andrew Watts: Yeah, I think they can exist as one. See earlier comment or repeat - or listen to earlier comments about... 

Amanda Fennell: (Laughter). 

Andrew Watts: ...Some CIOs have security in them or some CSOs have information technology in them. I think they can absolutely be the same. I think that it takes a deft person such as yourself to distinguish between - I'm making a decision now about productivity, for example, or tools that our customers use from outside of our business. Or I'm governing those tools. I am applying risk management to those tools. And you have to sort of step in and out of those roles when you do so. But if you've set up amazing teams who have people in them to actually play out most of those areas of both monitoring and compliance or securing or, on the other side, implementing, managing data, integrating, those teams will take care of most of that and leave you to decision-making and strategy and so on. I think that in our organization, also, our IT organization does not build our software products that our customers use. They participate in some aspects of that, but because your role doesn't also build those products, you can sit in a compliance and risk management role working with our other peers, our chief technology officer and our chief product officer. So there's an interesting mix there for our company. I think in other companies, it really would depend on whether the idea of being a risk management and governance authority, overseeing all of the implementation of technology and data, would work well for your company. But I think in our case, it works quite well. 

Amanda Fennell: I have to ask a little bit of questions here about the tech stack that we use and so on, and, like, how we enable people. So, Ricardo, I love asking you questions you're not prepared for. Are you ready? 

Ricardo Lafosse: Oh, sure. Why not? 

Amanda Fennell: Here we go. OK. You get one technology that's in your stack that you're like, this is the best. This helps us do the best job - secures it, enables people, any of those things - like, the one that comes to mind that you're like, this technology actually really helps us do our job. 

Ricardo Lafosse: Oh, this is a good one. 

Amanda Fennell: I know. 

Ricardo Lafosse: Huh. I'd say one tech that really helps us - all right, this is going to be memorialized. I'll get the haters out there, as well. 

Amanda Fennell: OK. 

Ricardo Lafosse: Active Directory. 

Amanda Fennell: Gasp. Oh, my gosh. All right. 

Ricardo Lafosse: Yep. 

Amanda Fennell: Explain it. 

Ricardo Lafosse: And let me tell you why. 

Amanda Fennell: Oh, I'm ready. 

Ricardo Lafosse: The whole - our whole program has transformed from an I - from a typical controls ops run, your typical IT security shop, to everything that's based off an identity. If I don't - if I can't properly identify, I can't apply the appropriate controls, least privilege, across the board. It all starts with the identity. I know you can yell, ugh, gross, and you can say Azure AD - you can say all of this stuff. But the identity, whatever you... 

Amanda Fennell: I did those for you out there... 

Ricardo Lafosse: ...Whatever it is for your organization... 

Amanda Fennell: ...How dare you. 

Ricardo Lafosse: ...The identity is key. Yeah. 

Amanda Fennell: Ugh. How dare you. 

Ricardo Lafosse: Yeah. Hold on, let me wash off. 

Amanda Fennell: (Laughter) I know. You're in a lot of trouble. Watts, what's your thoughts? Do you agree on this one? Do you think that's the tech to double down on? Oh, that's... 

Andrew Watts: I think it's... 

Amanda Fennell: ...A cringe. 

Andrew Watts: I think it's vital. I mean, I do think that foundational... 

Ricardo Lafosse: I told you. 

Andrew Watts: I think foundational technologies are important, and identity and access management is really key to it. Vital - gee, that's a tough one. I mean, I think increasingly, it's becoming the data itself, I mean, which is not, of course, technology. But the technology that stores, protects, transforms, makes visible... 

Amanda Fennell: Relativity? 

Andrew Watts: ...Surfaces data to - yeah, could be - it could be Relativity - to the employees and the customers that need it and the leadership that needs it for your business. I mean, I think anything that can enable better views of the data about your business that your customers are using about - and with your employees is just vital these days. So the data products, I suppose, or the data technologies would be my answer. 

Amanda Fennell: OK. I would go with the IAM side of it. I don't know that I would double down on just Active Directory specifically. 

Ricardo Lafosse: I think - you know, you told me a tool. Look, Andrew ran away, see, 'cause you... 

Amanda Fennell: I can't believe you two. 

Ricardo Lafosse: ...Said Active Directory. That's why. 

Amanda Fennell: I know. 

Ricardo Lafosse: For the record, it's the identity piece. And for me, in my industry, it is Active Directory. Andrew can't get to his data if I can't identify him. 

Amanda Fennell: You know, it seems like an existential crisis there. Like, you have to know who you are, right? I need you to know... 

Ricardo Lafosse: Yeah. 

Amanda Fennell: ...Who you are. I need to know what you're allowed to do. I need to look... 

Ricardo Lafosse: Yeah. 

Amanda Fennell: ...I need to know all those different things, your role - was it least privilege? What's our CISSP words? 

Ricardo Lafosse: Same, same. 

Amanda Fennell: And what are all of these privileges? 

Ricardo Lafosse: Yeah, whatever. But more - it's not awesome. It's not, like, super cool. There's not laser beams... 

Amanda Fennell: Yeah, it's not sexy. 

Ricardo Lafosse: ...Coming out of it. No. 

Amanda Fennell: I can say. This is not - I'm not watching, like, "Star Wars," the new - like, "The Mandalorian" and "Book of" - this is - yeah, you're, like, back - this is "A New Hope." This is backwards. 

Ricardo Lafosse: Hey, hey, hey. 

Amanda Fennell: (Laughter) Hey, easy. 

Ricardo Lafosse: Essential to the story, OK? 

Amanda Fennell: It's foundational. But yes. 

Ricardo Lafosse: (Laughter). 

Amanda Fennell: It's foundational. So, all right, Ricardo, I'm going to go in, like, an interesting route to ask you a question. When you talk to people - I think before I was - maybe, like, the first few years I was in this industry of security, I feel like all Cs were confusing to me. Like, I didn't know what any of them were, you know, in terms of... 

Ricardo Lafosse: Yeah. 

Amanda Fennell: ...Like, C what? You know, COO, CFO, CIO, CSO, like, OK, I don't - so it's a C, that's it. Out of curiosity, what's something that was the biggest misconception you had for the role - like, something that you thought this is what it meant at some point, but then you got into it, and you're like, yeah, no, that's not it? 

Ricardo Lafosse: Oh, this one's fantastic 'cause I do a lot of mentorship of WESes and FEOs who are like, oh, this is so cool to be a CISO. I was like, let me tell you what it really is. 

Amanda Fennell: Heads up. 

Ricardo Lafosse: I thought... 

Amanda Fennell: Take a knee, take a knee. 

Ricardo Lafosse: I thought it was, like, super-secret ninja stuff where you're leading, you're architecting, you're, like, doing - jumping into a boardroom saying, secure this. 

Amanda Fennell: But wait... 

Ricardo Lafosse: No. 

Amanda Fennell: ...It's like the "Mission Impossible" when he goes... 

Ricardo Lafosse: Yeah. 

Amanda Fennell: ...Into the room... 

Ricardo Lafosse: Yeah, yeah, yeah. 

Amanda Fennell: ...Toast, toast. Yeah. No. 

Ricardo Lafosse: That's exactly what I thought. No - more than, I say, probably, 70 to 80% is influencing and educating, which I knew there was a little bit of. It's essential. 

Amanda Fennell: Yeah. 

Ricardo Lafosse: Budget, HR-related stuff, vendor management-related stuff, removing roadblocks - ridiculous and legit - and then creating reports. My strongest tool is PowerPoint and Excel. 

Amanda Fennell: Oh, right? 

Ricardo Lafosse: Right? 

Amanda Fennell: PowerPoint is - I've asked this question in interviews. Like, if you were a Microsoft application, what application would you be? Oh, I'd be PowerPoint. No question. 

Ricardo Lafosse: PPTX for life. 

Amanda Fennell: Oh (laughter). But this is, like, how you have to tell a story and convince things and be like, this is the data. Here's the bottom line up front, the BLUF, right? Here's the data. Here's the story. Here's what we're projecting, etc., etc. But it goes back to influencing and trying to... 

Ricardo Lafosse: Yep. 

Amanda Fennell: ...You know, budget and things like that. But I did think that it was a little bit ninja, and it's not, so... 

Ricardo Lafosse: Yeah. You - every once in a while, you'll get it. But, no. 

Amanda Fennell: Every once in a while. 

Ricardo Lafosse: I have, like, eight Excel tabs open right now. 

Amanda Fennell: Oh, I don't - I'm on vacation. This is my vacation. We're not - I have no... 

Ricardo Lafosse: Nice. 

Amanda Fennell: I know, nice... 

Ricardo Lafosse: Yeah. 

Amanda Fennell: ...Spending it with you gents. Wattsy (ph), I - so Wattsy, up to you, biggest misconception - you were a CIO. You came in as a VP of IT. You worked your way through this. You moved into the CIO role. I stole it from you in a game of chance, in blackjack. I'm kidding. No, I didn't. But what was your biggest misconception you had when you started in the role that you were like, this is not what I thought it was going to be? 

Andrew Watts: So I've been an IT leader of sorts for a decade or two before that. So there wasn't much left that I didn't know it would be. I would say probably the biggest misconception was how different companies utilize their IT and security resources. So, for example, Relativity is a software company. We have a lot of very smart, creative employees as a whole. Our employees at Relativity largely would prefer to solve their own technology problems if they can. 

Amanda Fennell: Shadow IT, shadow IT. 

Andrew Watts: Fix my laptop. Fix my application. Buy my application with my credit card. Put my data in it. Yes, so there's definitely some of that. I think that in other organizations, there are employees who wouldn't dare do those things. They wouldn't dare start shadow IT. They wouldn't dare try to fix their own computer. They rely on the IT department completely. I think what you can get done as a security or a technology leader largely depends on the way your customers, which can include your employees, like to work. 

Andrew Watts: And, I think, I find, for example, at Relativity, we could get a lot more done in the service of making our employees more productive or our customers happier because our employees were more willing to do some of the work themselves. And so you can scale your IT team in a way like you can scale your security team. You have security champions instead of hundreds of security employees, for example. In other organizations, there's people who are too busy to become a security champion or to solve their own IT problems. They're too busy doing other things. And so you don't get quite as much scale. So that was probably a gap for me that I've learned being at Relativity. I think another one definitely jibes with what Ricardo said. The amount of work that goes into reporting, planning, the amount of time spent in coaching and helping mentor people so that they can do this type of work in the future and make great choices, is huge. 

Amanda Fennell: You know, for both of you - it's interesting for me to be in a session with you both because you represent two different ends of the spectrum that I have within me that I like to access. And so Ricardo, I met you initially and immediately was like, awesome. This person's just as crazy as I am and - hi. And after absolutely spending time together, it's a question of if I said, Ricardo, we got to go to Brazil and get tattoos, I feel like you'd be like, let me just get my passport. I'll be right there. So you're... 

Ricardo Lafosse: What time? We're leaving at 4? 

Amanda Fennell: Yeah - no, 4:30. 

Ricardo Lafosse: All right, cool - oh. 

Amanda Fennell: But, yeah, so, like, this spectrum of crazy that is there is absolutely right here. This is - you're the representation in my head whenever I have, you know, the angel and the devil - like, you're the one over here that's definitely the crazy. Watts has always represented the calm. And he always brings the calmness from me. From the time I met him initially to now, I can still say, as soon as he starts speaking, I immediately, like - got it. OK. This person's in control. They know how to do what they're doing. And I can trust them. And so I love this dynamic of what I saw initially is still present with the way I see you all today after years together. The reason I say this is my question - what did you think of each other when you first met versus what you think now? Ricardo's up first. What did you first think about Watts... 

Ricardo Lafosse: (Laughter). 

Amanda Fennell: ...Versus what you think now? 

Ricardo Lafosse: Well, for me, it was really easy to blame everything that went wrong at Morningstar on Watts. 

Amanda Fennell: (Laughter) 'Cause he exited the role. Right, Morningstar. 

Ricardo Lafosse: Yeah, yeah. 

Amanda Fennell: Yeah. 

Ricardo Lafosse: Yeah. I was like, oh, well, who created this policy? It's either Michael Allen's problem... 

Amanda Fennell: Yeah. 

Ricardo Lafosse: ...Or it was Andrew Watts' problem. 

Amanda Fennell: Yeah. 

Ricardo Lafosse: So it was a really easy scapegoat. But I echo your very calm, confident demeanor at all times. I've never been in a crisis with Watts, but I could just imagine, like, everyone chill out. We're going to do steps A through F. Something goes awry - we got it. 

Amanda Fennell: Yeah. If we have a bar fight... 

Ricardo Lafosse: Cool chap, this guy. 

Amanda Fennell: ...In Detroit, we want Watts with us, for sure. He's going to talk them down. 

Ricardo Lafosse: Exactly, exactly. 

Amanda Fennell: You and I, however, will get in the bar fight, but yeah. 

Ricardo Lafosse: Oh, we're getting cut, but it'll be worth it. 

Amanda Fennell: So he's always been the calm. 

Ricardo Lafosse: Yeah. 

Amanda Fennell: I like it. Watts, what did you initially think of Ricardo, and what do you think today? Is it still the same? 

Andrew Watts: I'm going to make sure that when you're in Brazil getting those tattoos, that those are clean needles, that you don't overpay and that neither of you comes home in a body bag. 

Andrew Watts: So actually, rather than how I thought about Ricardo when I first met him, I'll tell you what I thought about him when I first heard about him. So I had moved on from the other organization, and I heard that Relativity - sorry, the other organization - was recruiting for a person to take the role. And I think I heard things like, he has like, I don't know, something like 22 offspring, and he has a crazy hairstyle, and he's worked at about 22 different companies, one for each child, and... 

Amanda Fennell: (Laughter). 

Andrew Watts: ...That he was louder-than-life and had all sorts of ideas about how he was going to basically turn security on its head of that organization. 

Amanda Fennell: (Inaudible). 

Andrew Watts: And I was hearing all this from people who were still there, who probably fit more of the mold of myself, who were like, steady as she goes, keep everything on an even playing field. And the reason I was hearing it was a little bit of trepidation and fear, you know? That led to when I first met Ricardo. I was like, OK. He's edgy, but he's not that crazy. I'm still yet to... 

Amanda Fennell: He is. 

Andrew Watts: ...Find out whether he has 22 children or not. So... 

Amanda Fennell: No. It's not 22. 

Andrew Watts: ...Maybe we can discuss that today. 

Amanda Fennell: Yeah (laughter), we're getting to the bottom of this, but it's not. But I loved this dynamic, though, of, like, you came in thinking, I'm going to flip security on its head or this is the dynamic that came with you. This is the preceding, you know, impression people had of you. Same for me - I think people didn't know what to make of me for the first, maybe, year, Watts, like, that they kind of really - I'm not sure what's going on here. She's doing some weird stuff. They keep doing some really crazy things or whatever, but it just might work. And I think this is, like, one of my tie-ins as we roll up this episode of a couple of things that are really the biggest takeaways that I've got for it. I think that there's a part of this where the role requires a little bit of both, whether it's the CIO or the CSO role or the CISO role or any of the alphabet soup or any executive role, it requires the calm and the process of Watts, who's making sure that our needles are clean (laughter) and that we're not going home in a body bag, but we have that steady hand that's required. But a little bit of crazy goes a long way, and it helps to make us accomplish some things that is - it's kind of a jump ahead that you didn't expect that you would get. So I think that's where all three of us kind of blend together, and we make this great mixture. 

Ricardo Lafosse: I think that captured it quite well, and I think how cheesy it sounds. I think as more and more individuals go into this role, they need to have that open mindset of, there's a reason why there's a status quo. Challenge it. Break it. But keep Watts honest. Controlled chaos is all I ask for. 

Amanda Fennell: So Watts is going to absolutely say, so don't break it, but (laughter) - Watts, what's your thought? 

Ricardo Lafosse: Bend it a little bit. 

Amanda Fennell: Bend it. 

Ricardo Lafosse: Bend it a little bit. Yeah. 

Amanda Fennell: There is no (inaudible). 

Andrew Watts: No, I wouldn't change - I might have a different point of view in this case. I'll just simply add the timeline. I think the controlled chaos needs to happen at the beginning, when you're trying to solve problems. You're in that scrappy, dynamic, uncertain, ambiguous phase. And then, as time goes by, you need to standardize things and put them in a standard, routine, boring operational place and just do that forever. I think, particularly when you're working in really dynamic organizations, you don't always have time for the deep levels of process orientation at the beginning, and you're better off to try some scrappy things and know that risk is still managed in that way. But you're always trying to retire off things that are boring and routine, so it's a good way to think about things. 

Amanda Fennell: That's my perfect segue to my closing quote that I have for this. So I like to make it look like I'm super educated, so I'm going to quote Socrates. Take the moment, Ricardo. This is my educated moment, right? 

Ricardo Lafosse: I'm going to pet the unicorn while you do this. 

Amanda Fennell: Be impressed (laughter). Be impressed. There is an awesome quote that talks about, what I think, encapsulates what all three of us have done over my last five years of knowing all of us here, including myself - five years. (Reading) The secret of change is to focus all of your energy not on fighting the old, but on building the new. I think that's where all of our roles have gone. 

Ricardo Lafosse: Look at that. 

Amanda Fennell: I know. 

Ricardo Lafosse: That's so spot on. 

Amanda Fennell: It's suit - it's not what it's about - what it was in the past. It's about where are we going, and how are we trying to direct this, and how do we iterate? Like, all of us can say, candidly, our job today is not what it was six months ago. It changes every few months or so. What we do today and what delivery looks like, what success looks like, it's always changing, and you have to be agile and you - buzzword - but you have to be agile. I know. You have to keep going. So I think that's one of those things. When I was thinking about it, I was like, this feels like a Socrates. This is a Socrates moment. 

Ricardo Lafosse: You know what? I'll re-quote that. I'll put smaller - Socrates - but then put - Amanda - underneath it. 

Amanda Fennell: Oh, is this like the Wayne Gretzky - you miss 100% of the shots you don't take - but it's Michael Scott? 

Ricardo Lafosse: Yep. 

Amanda Fennell: (Laughter) It's perfect. That's all you need. All right. So, Ricardo, Andrew, I will say that when I thought about this idea of an episode that talked about what these roles are and what they mean, there's no two - I got my first pick. So I'm so glad I got both of you. I'm so glad you both had the time today to spend with us. But thank you so much for being here. 

Ricardo Lafosse: Thanks for having us. 

Andrew Watts: Very welcome - thanks for having us. Good discussion. 

Amanda Fennell: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments. Give us a rating. We'd love to hear from you. 

Unidentified Person: "Security Sandbox" is produced by Relativity. Our theme music was created by Monarch. Find us wherever you listen to your podcasts, or visit relativity.com for more episodes.