Security Sandbox 9.1.22
Ep 18 | 9.1.22

P/P/T and New Hire Slides: What to Expect, and How to Prepare for a Role as CISO

Transcript

Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer and chief information officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity. One of the best things about a sandbox is you can explore and try anything. When good tech meets well-trained, empowered employees, your business is more secure. This season, we're exploring ways to elevate the strongest link in your security chain - people - through a creative use of technology, process and training. Grab your shovel and let's dig in.

Amanda Fennell: In today's episode, we invite a few old friends to the sandbox. Tyler Young is a Relativity alum and current BigID CISO. And Dominik Birk used to work with both of us back in our Zurich days, but he's now PwC's deputy CISO of EMEA. So let's find out how they approached their first months as a CISO. Dust off your welcome materials, your icebreakers, org charts and let's dive in. Let's talk. OK. Awesome. So I do think it's fun to start with a bit of an icebreaker. We're going to pretend like you're actually interviewing for a CISO role. So are you ready for my icebreaker? It's going to be so awkward. There's no prep for this. There was no question prep. So are you ready? All right, so I'll be nice to Dom and let him go second. But, Tyler, as a chief security officer, what animal do you think best describes your style? 

Tyler Young: Should've let Dom go first. 

Amanda Fennell: I know. I'm so mean. 

Tyler Young: I think - and this isn't an animal. I think it's more of, like, a bug thing. I think I'm, like, a mix between, like, a butterfly and a bee. And it goes back to, like, the Muhammad Ali, float like a butterfly, sting like a bee concept. Like, you have to build the partnerships like a butterfly and kind of be there as, like, the guardrail. But then you also have to, like, occasionally put your foot down and sting. So I think it's, like, a bug combo. 

Amanda Fennell: Yeah, I think we've had this conversation when we talked about personality profiles, that there's very much, like, the - what do they call it? - the iron fist with the velvet glove. Like, you have to have strength to what you're doing and you have to have the knowledge base. But you also have to work as a partner to the business. Like, our job is to move forward securely. So, like, we're not here to hinder or block. But that makes sense. So you're going to do the Muhammad Ali quote. That's fine. We're starting with a quote instead of ending with one. That's fine. 

Tyler Young: Yeah, we can do both. 

Amanda Fennell: Dom - I could do both. Dom, what is your thought on that one? 

Dominik Birk: Multiple animals come to my mind, right? First, cockroach somehow, right? 

(LAUGHTER) 

Dominik Birk: You know, because it's the survival instinct that you basically need to have, right? Also a kangaroo, you know, jumping from A to B - right? - keep going, resilience, right? If you get punched down, basically you stand up again. 

Amanda Fennell: (Laughter) All right. That's awesome. All right. So now I'll go to - that was our icebreaker. Now we'll go to the regular question as security officers. So, you know, we've come a long way. We've all worked together at a table at, you know, Zurich, and we had different roles and everything. But at the end of this path, for many of us, it was to become a security officer. We wanted the ability to be able to make decisions about risk for companies. And we felt like we had some experience that could help us do that and be good at it. So you started roles as security officers. What were some of the first questions that were asked of you as soon as you started? You know, you get the job, you start and they're like, by the way, we need you to start on A, B and C. What are some of the first things? So, Dom, I'll start with you. 

Dominik Birk: I mean, before I even started, the first question I asked is, what kind of C-level support do you have for that topic in general, right? As we know, it's mission critical to have the senior management support and the attention towards this topic. So therefore, this is, like for me, a fundamentally important question that hopefully gets answered then with yes, you know, the senior management pays attention, right? They consider this to be mission critical for the company. 

Amanda Fennell: Yeah. I think that's - that is always the question about how much support you're going to be - I think the efficacy of the role is, like, how effective can you be if you don't genuinely have that from the beginning before you even get into the role? If somebody is saying - my husband always says, you go where you're wanted and you're needed. It has to be both. So they might want you, but they have to need you and vice versa. And I feel like that's, like, a super applicable thing for a security role. But, Tyler, so you start this role, what were you asking? 

Tyler Young: So along with Dom, like, what does the executive buy-in look like across the board? Because you can't do this alone. On the other side, it's, what does the budget and funding look like for head count, tool growth, that kind of stuff? Because the last thing you want to do is get into a role where you have no executive support and you have no money, so you really can't solve the problems. And you look at all these risks and you uncover all these things and you just kind of, like, look at them like, well, I don't know how I'm going to solve these because some of these things are, like, risk-based things that need to be fixed that you can't fix without the right people, process, technology. And if I can't do three, what am I doing here? So, like, I think that was, like, one of the most crucial things. And I think the other part is, like, buy-in from the board and the - working for a security - on the security vendor side a lot of the board is, like, security practitioners or former practitioners. So it was an easy answer to the question. But, like, without board approval and without board support and understanding of security, it can make things really difficult as well. 

Amanda Fennell: Well, OK, so go off script a little bit here just because of curiosity. You both are new in the roles now, but you've been doing a lot of these things for many years. So interesting little thing here - you two caught up - and I am definitely going to be like I'm a TMZ reporter. What did you two talk about? Like, what did you two compare as notes that you were like, oh, my God, this is not what I was expecting, or, this is my biggest hurdle that I'm dealing with in the role? 

Tyler Young: We actually talked about something you and I, Amanda, have talked about a lot in the past - was, like, the - how to be a parent with young children and be an executive and somebody who deals with a lot of stress from, like, the security side of the house. And Dom and I talked a lot about that... 

Amanda Fennell: Dom, you had a kid? 

Dominik Birk: Yeah. 

Amanda Fennell: What? What? What's going on? How old is your kid? 

Dominik Birk: Just a couple of months. Yeah. 

Amanda Fennell: Aww (ph), yeah. That's... 

Dominik Birk: So yeah. 

Amanda Fennell: Congratulations. 

Dominik Birk: Thank you. 

Amanda Fennell: That is super-cool. What a great little topic. So here we are. Let's pivot into being a chief security officer and being a great dad. Let's talk about that for a minute. So you had a conflict with this, Tyler. You figured this out. It is - I've said before that it feels like the CSO role is basically that - like, you know, a CEO looks at a company and says, OK, I'm going to lift this risk responsibility over to this person so they can basically be liable and help me, you know, mitigate any risks and stuff like that. So there's a lot on our shoulders. I think the first day that I ever started the role at Zurich in incident response, I think I broke out in hives, like, physically because I was so stressed out by this and the onus of what's on your shoulders then. So what did you two decide or talk about regarding how to handle this? 

Dominik Birk: I mean, we talked about it generally. And I realized that my understanding is right. It's complicated, right? It's extremely complicated, especially if you love your role, your job - right? - if you're passionate about it. You know, you need to bring these two topics to the table and find the right space - right? - for both important topics. So that's complicated, right? I would say definitely it's a daily... 

Amanda Fennell: This is my Facebook update. 

Dominik Birk: ...Challenge that I'm facing at least. Yeah. 

Amanda Fennell: Tyler, your turn. 

Tyler Young: So I was talking with a founder of a company, and we were talking about, like, how he took the jump from CSO to build a company. And he basically was talking about how he sets time aside every day for his kids and that there is this book that was written about - I think it was about a dad who travels a lot for work. And at the end of the day - he didn't realize at the time at the end of the day, it showed his children how to - you know, how to work hard for what you want and how to build that, like, business mantra and then, like, how to be a leader. And so they use this as, like, a vision. 

Tyler Young: But I also - on the flipside of it, I was also talking about this as well. And it's like, you have a long time to work. You only have a finite time with a kid who's 1 year old and taking their first steps or 3 years old and telling you, Daddy, I missed you when you went on a work trip. And so I was, like, torn between, like, do you be an amazing role model and work really hard and show them that if they work hard, they can do anything they put their mind to? Or do you never want to miss those moments that you'll never get again? 

Tyler Young: And so it's like you have to balance the two. And I know we talk about work-life balance or work-life harmony or whatever we want to call it. And you do have to make a choice because being an executive and being specifically a security executive, it can suck you in, like, fully. You can spend 100 hours a week solving problems. And what I've realized is - and something, Amanda, you've taught me really well - it's like you have to build the people around you to help kind of, like, duplicate yourself and, like, delegate different tasks because you can't do it all yourself. If you try to do it all yourself, you're going to bury yourself doing it. 

Amanda Fennell: All right. That's... 

Dominik Birk: And... 

Amanda Fennell: Go ahead, Dom. Yeah. 

Dominik Birk: I want to jump on that because that's an important topic, what Tyler said, right? Look. There - from my perspective, there - these two topics have one thing fundamentally in common. This is the challenge of prioritization, right? This whole family topic, work-life thing is a prioritization topic, right? And in our daily jobs, I mean, prioritization is key, right? If everything is a priority, nothing is a priority. And you will not get anything done, right? And by the way, this is also what, from my perspective, the business, our stakeholders - right? - our shareholders - they expect us to make decisions - right? - to prioritize and then execute. And, I mean, if we are not able to do that, we will not be successful in our roles, right? So it's a very important aspect, at least for me. 

Amanda Fennell: Where's the prioritization framework, then? How do you decide what fire to put the resources, the budget, etc. on? 

Dominik Birk: That's a very complicated one. 

(LAUGHTER) 

Amanda Fennell: I got this chart here. Let me pull this out. 

Dominik Birk: All right. OK. You know, I got to try first, right? I mean, at the end of the day, what are we doing here - right? - in our roles? We are reducing risk and protect the brands we are working for, right? That's the idea. That means when it comes to prioritization, you need to ask what kind of activities come next that will help my brand to reduce the highest risk and to push it to a lower level, right? So based on this principle, I try to make my prioritization decisions, right? What reduces most of the risk? And, yes, we can now dive into the details of this, you know, complex part. And to be honest, Amanda, I also - I trust my gut, really. It works so far. 

Amanda Fennell: I think that is actually the secret ingredient for this role - is actually that. I don't know why. And how many times, Tyler, have you heard me use the word Spidey sense? I don't... 

Tyler Young: All the time. 

Amanda Fennell: ...Know why, but I need you to do this thing. And then, like, months later, years, weeks, whatever, like, something will happen. I'm like, hey. Remember that thing I had you put together? Can you pull that out and dust it off? - 'cause we need that. But it's absolutely instinct that I think makes a good security officer. That is a great point. 

Tyler Young: A little bit different - while protecting the brand for my current role is important, I think the biggest thing is protecting our customers. Being a software product - and, Amanda, you definitely dealt with this. Being a software product, your customers and the security of what they're giving you and trusting you in is paramount. So building a good product security team focused in appsec, cloudsec is fundamental, and that was, like, my first priority. On top of that and coupled to that, it's third-party risks and third-party - whether it's third-party software components or whether it's contractors that may have access to something that you need to be monitoring or reducing that - those are like my top two risks. So customer product, and then third-party - whether it's software, whether it's people. Yeah, those are, like, my two... 

Amanda Fennell: Do you think people will be surprised when they listen to this episode and think that all of us said that, like, the customer experience and stakeholder experience and stuff is the most important? Like, I feel like everyone thinks security is such a big brother entity, but all three of us are like, well, it's really about how to, like, make this, you know, efficient and so on. Do you think that's going to be surprising, or has security really turned a direction now that, like, that's just accepted - that that's what we really care about is the stakeholders? 

Tyler Young: I think it depends on who you talk to and where they're coming from. I think anybody who's ever worked at a software vendor will 100% tell you customer and customer experience is No. 1, and on top of that, developer experience, right? Because I think it - I don't remember if it was Sieja or Gamson, but somebody brought up in the past about - being at a software company, your biggest asset is your people. And they're your developers. They're the people that are writing the code and the people that are supporting the product. And if they can't work functionally and access the things that need to be accessed, and a lot of us are spending a lot of time in the office at the time, and now with remote working, if you can't watch Twitch or YouTube and do it securely while you're working, you're going to lose people. And it's very difficult, in this day and age, to find talented developers, talented security practitioners. So it's... 

Amanda Fennell: OK. 

Tyler Young: ...Trying to balance that. 

Amanda Fennell: ...That's the question I'm going to ask you both - is about - what talents are you looking for? So you've got - so let's just calibrate now that we've got into the role. We've confirmed that there is executive sponsorship and buy-in that this is a needed and wanted thing - to have good security. We've got that. You get into this, and you start to realize that, as Dom had calibrated us, we've got to decide - what is the thing that's going to help us reduce the most risk? And that's how we prioritize these different things coming at us. Now you're looking at the talent, which is the great word of the years of hybrid and COVID. What are you looking for in talent? 

Tyler Young: So from a technical perspective - and this is funny because I've grown to this - developers. If you don't have development skills, I'd probably want to look elsewhere because I do believe that, being in a software company, you shouldn't be focusing on hiring mass amounts of people to solve problems. You should be looking to automate things and to build products and solutions internally. And so, first and foremost, if you can write code or you're a skilled developer, we can teach you to fish and we can teach you the security stuff. But if you can't - it's very difficult to teach somebody to write code. 

Amanda Fennell: Dom, go for it. What are you looking for? 

Dominik Birk: Yeah, I mean, Tyler brought it in with an interesting aspect because, you see, it depends on the specific needs that the company might have, right? And let me - therefore, let me generalize it a little bit, right? What do we need first - specifically, you know, when we think about talent moving into future CISO roles, right? First, solid technical background in order to understand the risk landscape, right? It's ever-changing. Yes, some things are the same since decades. They potentially will remain the same, but there are also new aspects that you need to understand - especially, you know, to understand the full risk impact here. Then, second one is understanding business aspects, right? How does a company make money, right? This is something that sometimes we - as security people, we have a tendency to forget this. It's a very important aspect because, you know, at the end of the day, we are protecting our business, right? So how do they actually make money? And then, last but not least, social skills, right? These - we are not machines, right? We are humans. We are not talking, you know, strict, you know, TCP/IP, right? We are... 

Amanda Fennell: Unconventional (laughter). 

Dominik Birk: ...Individual. That means you need to bring along a specific amount of, you know, human interaction skills, social skills, in order to be able to transfer your message - right? - to make sure that you are able to influence the other side of the conversation, right? 

Amanda Fennell: That's a really awesome summary of, like, the three things that, like - for both of you, the way that you've put this together - that's exactly how I feel about it. So I'm not really surprised on that one. I have to ask the question, though - because of the talent that's out there and so on - we would be remiss if we did a podcast in 2022 and did not mention the word - everybody, coffee cups up - hybrid. Let's talk hybrid. How has this influenced your work model? Do you currently, like, retain a hybrid model, or is everyone back in the office? What are you requiring of your talent? So Tyler, you go up first. 

Tyler Young: So we're fully remote. We have a research and development engineering hub in Tel Aviv, and they usually go into the office several days a week - so in a more hybrid sense. But the rest of the company is fully remote. So we have an office in New York. I think it's kind of, like, an at-will thing. Some people go in sometimes. 

Amanda Fennell: But you don't find it as like a thing, like - because I feel like security has such a talent shortage right now that, like, people get to decide what kind of environment they want. Some people want to go in. Some people want to stay home, etc. So, like, I feel like there's a lot of landscape out there. But I would say, Dom, you probably have a different situation. People probably have to go in, right? 

Dominik Birk: To be honest, when - you know, when I thought about this hybrid question, for me, it was always like this, right? We - it's not related to the pandemic or something. I was always, you know, fully flexible in terms of working from where, how, and the importance is that you create an impact, right? And that is I think - that's the question we should ask. How do you create the impact? And again, it depends, right? Let's assume you're a CISO for a local territory - local company in a local - in the territory, right? You have your whole team on-site. Then it makes sense probably to meet more often in the office as well, right? Yet not all the time, but probably it makes sense to do that. If you have a fully globalized team - right? - this is where I'm coming from - doesn't really matter whether I'm sitting in the office or not. It matters in the context of can I actually communicate the right way with the people - right? Right? - time zones, etc. Am I flexible enough? And this is - these are the important questions for us. And to be honest, it was always for me the case, you know, this hybrid or - yeah, it was always very efficient and effective in my case. 

Amanda Fennell: I can't remember what the exact translation was that we did, Tyler - when we did a post-COVID starting, we had some swag, which is how Relativity keeps people happy, right? We have t-shirts, we have mugs, we have all these different things, and we put it on a t-shirt or somewhere that was, like, a Polish translation. And it's - this translation is essentially, like, work from where you are. Like, wherever you're at, that's where you would work if you needed to do the job. So it's an acceptance and acknowledgement that, you know, not everybody is doing things the way they did 20 years ago. So - OK, so we're getting towards a summary, but I have a curiosity for you, and I'm totally going to edit this. I'm probably not, actually. Sometimes we send over questions to let you know what might be the topic. And I'm curious, of the list of questions, which one were you like, this one. I want to answer this question. This is definitely something I feel strong about. Dom? 

Dominik Birk: The one with the animal in the beginning. 

(LAUGHTER) 

Amanda Fennell: But that wasn't on the list. That was the one I just threw at you. 

Dominik Birk: No, I know, but I love it. I love it. 

Amanda Fennell: Yeah. OK. 

Dominik Birk: I still think about the kangaroo, right? It's still in my brain. I don't know if I can get it out now. 

Amanda Fennell: It is such a good point, though, about being ready to - like, when to jump in, when to pop, when to hop to the next thing because sometimes it's about securing something just enough to go to the thing that's the actual big risk or something. So it makes a lot of sense, but - all right, Tyler. What question on there were you like, oh, I'm going to sound so awesome to answer this question? 

Tyler Young: So I think it was, like, the future challenges that we're least prepared for. 

Amanda Fennell: What a best answer for the end of the segment. It's the perfect answer, but go for it. 

Tyler Young: And the answer is, I don't have an answer. 

Amanda Fennell: Wait, wait, wait, so this is future challenges that you should be prepared for, and your answer is, I don't have an answer. OK. BigID. We've got to talk. 

Tyler Young: It's, what are you least prepared for? And it's because the attackers are shifting the way that they're going about exploiting us - companies, people - and predicting the future in tech is nearly impossible. No one would have - if you would have told a CISO 10 years ago that SolarWinds would happen and we'd see APT groups compromising software supply chains, they would've said you're crazy. And we saw it. And it's become the new, like, table stakes of how attackers are compromising companies globally. So what's next? I'm assuming it would be something to do with crypto and how they're going to hijack mass amounts of crypto wallets or whatever that will be. But I can't predict it in the way that technology evolves. It's very difficult to say what we need to be prepared for. 

Amanda Fennell: Well, all right. So I'm ready for it then. I'm going to tell you how to prepare. I'm not. I'm not, actually. But I will say there seems to be this... 

Tyler Young: So you're not prepared either. 

Amanda Fennell: I'm not - we're all working on it, Tyler - work in progress, OK? 

Tyler Young: We're hopping like kangaroos. 

Amanda Fennell: We're hopping like kangaroos. I'm going to see if we can, like, make that, like, our new mascot. But so I think the coolest part of this conversation is that to come full circle of not working together for years, to come back together for an episode where we're all shoulder-to-shoulder security officers now, we're all doing the same thing - it's such a cool thing. It feels like our top three things that come to mind for me for this episode - so I've got the job. It's not to block. It's to keep moving forward securely, to build on this, you know, next gen of what we need to be doing in the process, hopefully to probably try to figure out how to do that in the future. 

Amanda Fennell: But I think this really big focus on we're not here to hinder - we know this, but our job is to continue moving forward securely. The prioritization thing is such a great topic, and I think that's definitely the big one I would say, that focus on the kind of activities that are going to come next to help my organization push that risk to a lower level and center in this, I guess your instinct. It seems like we all leverage our instinct relatively to say, like, this is the thing. This is the thing we need to be worried about. Now we're in the future. So, Tyler, you can't put it into words, but that's because it's your instinct, probably. You know it when you see it, and you know it when you hear it. You'll be like, that's the thing. That's the thing. 

Tyler Young: Yeah. For sure. 

Amanda Fennell: And that's the main thing I would end this on, is to say it's trusting the Spidey sense. It's more than just for superheroes. It's for security officers, I think. Yay, I love this. All right. So... 

Tyler Young: So are we superheroes now or kangaroos? 

Amanda Fennell: We are superheroes, by the way. We're kangaroo superheroes, No. 1 and 2. I will end on a quote because of Tyler. Tyler - Dom, I don't know if you're aware of this - he is obsessed with Winston Churchill. He loves him. It's his favorite character in history. But I will say, we'll end on a great quote from Winston Churchill. Success is not final. Failure is not fatal. It is the courage to continue that counts. I think that's every day for us, the courage to continue. Gentlemen, thank you so much for joining and getting to get back together - getting the band back together. Thanks for being here. 

Dominik Birk: Thank you, Amanda. It was great. Thanks, Tyler. 

Tyler Young: Yeah. 

Amanda Fennell: It's awesome. 

Tyler Young: Thanks, Amanda. Thanks, Dom. 

Amanda Fennell: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments. Give us a rating. We'd love to hear from you.