Cybersecurity Mentors Podcast

So you want to be a CISO?

Cybersecurity Mentors

This episode features insights from two esteemed CISOs, Frank DePaola and Andrew Wilder, sharing their journeys into cybersecurity, the importance of mentorship, and essential leadership traits. They discuss the evolving role of a CISO, the need for business acumen, and the vital balance required between technical prowess and organizational needs.

• Frank DePaola and Andrew Wilder share their unique career paths in cybersecurity 
• Importance of mentorship in career development and growth 
• Insights into balancing technical skills and business acumen for aspiring CISOs 
• Current challenges faced by CISOs in a rapidly evolving threat landscape 
• Tools and resources that help CISOs maintain organizational security 
• The personal rewards and sense of purpose found in the CISO role 

If you're looking for personalized mentorship, click the link below to sign up for a free consultation with us. During this session, we'll talk about your goals, your challenges, and how we can better help you. This may include reviewing resumes, career advice, and setting up action plans tailored for your needs.


Steve:

Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine.

John:

I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.

Steve:

What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. So you want to be a CISO?

John:

Well, this is the episode to take and check out for us. Um, we've talked to two amazing CISOs, Andrew Wilder and Frank DePaola, who kind of share behind the curtain what happens when you're in that role, as we've talked about a little bit. But it's good to have another perspective, and I think they shared some really great advice from their career and their journeys. What'd you think, Steve?

Steve:

Yeah, no, I thought it was great. They definitely talked about how they got started, all the work and challenges they faced moving up to be CISOs now, and they talked about some good strategies for success, things for you to take into account overall in your career, but especially if you want to be a CISO. This is definitely the episode for you. So we hope you enjoy this episode, and thank you again, Frank and Andrew. All right, welcome to another episode of the Cybersecurity Mentors Podcast. Today we have the pleasure of being joined by two exceptional CISOs, leaders in the cybersecurity world. We have Frank DePaola and Andrew Wilder. Welcome.

John:

Welcome, welcome, glad to have y'all. Thanks, guys, good to be here. Yeah, um, if you don't mind, we'll start with Frank first. Frank, just kind of give us a brief intro. We're going to jump into more in depth, but kind of give us an intro of who you are and what you're about.

Frank:

Sure, uh, thanks for having me. Uh, Frank DePaola, I'm currently CISO for a global manufacturing company that's headquartered in Charlotte, North Carolina, called Enpro. I've been here for about six and a half years, first-time CISO, first ever CISO for the organization. Before Enpro, I worked for companies like GE, Humana and a few other smaller companies, largely doing systems engineering and cybersecurity. So happy to be here, guys.

John:

Yeah, and I met Frank at the FBI CISO Academy where we got to jump out of planes and helicopters, shoot machine guns.

John:

What? What do you mean?

Frank:

I wish it was awesome.

Andrew:

I think you get like one magazine and a Glock at the end of the week.

Andrew:

That's what I heard.

John:

It's true, but yeah, anyways, Andrew, how about you?

Andrew:

Okay, Andrew Wilder, I'm the CISO of VetCorps. It's a veterinary consolidation company. I've been in cyber leadership for about 20, 23 years, I think, and started out in consulting, spent the majority of my career at Nestle, the food company. Since then I've been a CISO three times, and I met Frank at RSA at a Sequoia event and we hit it off and we've been buddies since then. We talk about once a month and just kind of, uh, commiserate and share more stories. Awesome.

John:

Yeah, you need, you need... We're all in this together. Absolutely, you gotta have a buddy, um, to get through it. Yeah, so, Steve, what do you want to talk about? Their journeys, how they got into cyber?

Steve:

Yeah, absolutely. So, yeah, I mean, this question is for both of you, so please jump in as you see fit. But yeah, we really want to know what drew you into cybersecurity, or kind of how your cybersecurity career got started. So, Frank, why don't we start with you?

Frank:

Sure. So my background in cyber, like probably a lot of people, started in IT. So I spent about 10 years on active duty in the Army doing networking, and that kind of opened the door for a career in technology. I thought I was going to be a network engineer for the rest of my career, but getting out of the Army, one thing I realized is there aren't a lot of opportunities for network engineers, so I quickly pivoted to systems engineering and infrastructure and did that for a while, did a little bit of consulting until I landed with the hospitality organization.

Frank:

Unbeknownst to me, about three months before I joined them, they had a data breach in one of their restaurants. Typical story: a manager. This was before the prevalence of Wi-Fi in restaurants. A restaurant manager brings his wireless router into the office to do some work on his personal laptop, plugs it into the corporate router and, you know, the rest is history. Data Breach 101.

Frank:

So I had an opportunity through that experience to, one, learn about data breaches, learn about PCI compliance, and all of that ultimately led to an opportunity for me to both build a PCI compliance program and a cybersecurity program for the organization. And this was kind of, you know, 2008, 2009. So, you know, fairly early days in cybersecurity, but around the time when, in my opinion, cybersecurity was really coming full steam onto the scene. So through my tenure with that particular organization I had a chance to grow and build the security and the compliance program, and then from there just developed a pure passion for cybersecurity, and through a divestiture that company was acquired. So I had an opportunity to leave and find greener pastures. I found an opportunity with Humana to focus purely on cybersecurity, and, you know, that really just opened up some doors. Then at GE after that, working on some world-class cybersecurity programs with some world-class cybersecurity leaders, I got to really know what a sound security program should look like and get a lot of experience, and that ultimately led to the opportunity that I currently have with Enpro.

John:

Very cool, yeah. So one quick note before Andrew goes. I remember talking to, I think it was the Secret Service, because they had a bunch of cases of restaurants where people were getting popped, and they were using the same back-of-the-house server that they used to cache all the credit cards to be processed as the same one they used to serve the Internet, right, and they were just compromised and it was a field day for bad guys. Like, whoa, look what we got, right?

John:

Speaking some language, yeah, yeah. Nice. Andrew.

John:

How about you?

Andrew:

Okay, so first of all, I learned some stuff about Frank just then, so I'm already enjoying this. This is value-add for me right now, you guys. So raise your hand if you've ever seen the TV show The Office with Michael and Jim and Pam and the whole crew. So the first job that I had out of school was as a customer service rep at a paper company in San Diego. All right, and because it was a small company, I ended up doing everything. So I did marketing and sales, I did inventory, I did finance. When we got really busy, I would go out into the warehouse and drive the forklift and pick pallets and load the trucks. Business.

Andrew:

One day the owner of the company comes in and he says, hey, Andrew. He says we're going to replace our old mainframe computer system with Windows servers and Windows workstations. And I said, man, that's a smart idea. And he said, guess what? You're the youngest guy, so you get to do it. I'm like, I don't know how smart that is, but let's see. So there were no kind of data conversion tools at that time. So for the next three months I worked nights and weekends and converted all the data over. And one day we go live with this new system and it's the most exciting day in my young career. Like, stuff is breaking, I'm fixing it on the fly, you know, we're making it work. And at the end of that experience I thought, you know, maybe I should do this IT thing as a career. So I saved up some vacation time, I saved up some money, I flew to Chicago in the wintertime, really, really cold, I remember, and I did this two-week Microsoft boot camp, and for those of you that can remember back this far, in the early 2000s the MCSE certificate was like resume gold. So for a guy that knew absolutely nothing and had done one mainframe-to-Windows conversion, I passed seven Microsoft exams and came home with this MCSE certificate, which is probably one of these somewhere on this wall back here. It definitely is one of those. Not probably one of those, but maybe you can see it, what I say. So anyway, I put my resume out all over the country.

Andrew:

I got picked up by HP to do a cyber consulting job for Bank of America. In fact, at the time it wasn't called cyber, it was called information security. Basically, we were doing a vulnerability management program for the bank in Atlanta, moved my family across the country and did this for a couple of years, and then did some other gigs with HP as a consultant, with Nestle and with DHL, the shipping company. Got job offers from all three because, you know, I would go in and do a kind of good job. And then I ended up picking Nestle because of the culture. Really loved the culture. It was a very, you know, we're-in-this-together kind of culture, and I ran. I started. The first job I had at Nestle was managing the information security team for Nestle USA, which was their largest operating company, and then every like two or three years I'd just get more scope, more team, more budget, more responsibility.

Andrew:

When I left Nestle in '21, I was the regional CISO of Americas, Asia and Europe and I had a team of 60 people. I didn't really sleep. Monday mornings were pretty good and Friday afternoons were pretty good, but Tuesday, Wednesday, Thursday I was starting at 5 am and ending at 6 or 7 pm to deal with Australia and Europe and in between, and then the teams in the Americas. But a lot of fun, learned a ton, and actually, very similar to what Frank said, I got to work for an excellent security leader and learn what a really good security program looks like.

Andrew:

There was an old CFO that I had who said we need people who know what good looks like. And I know what good looks like, and I can kind of replicate that when I go to other places. But the CISO of Nestle sat me down one day and he said, look, you know, you've reached the top of your career that you can here. Your next job is my job and I'm not going anywhere for the next 10 years or so. So if you want to make that next move in your career, let me help you to find a job at another place as a global CISO. And so he did.

Andrew:

I was CISO of Hillenbrand for two years, a manufacturing company, not unlike Frank, and then since then I've been the CISO for two different veterinary consolidation companies, Community Veterinary Partners and now VetCorps, and really, really loving it. I made a great decision to come to this place. It's a lot of fun, really great leadership team, great people, great organization. We're making some huge moves in cyber right now. I'm very excited about that and hiring people. So, anyway, that's my story and how I got here.

John:

Cool. So I wrote a couple of notes and you'll see me looking down. I'm always writing things down. Um, but um, mainframe. I didn't really have a mainframe that I had to deal with other than like AS400s, which are like the mini mainframes, but now, like, you'd be surprised, we need people that actually still know how to deal with and program a mainframe. Yep, it's not going away.

Andrew:

There's big problems with that,

Frank:

because no one is learning it anymore, and how do you

Andrew:

train? School? And you can't, you know, you can't get Wipro to do that for you. I mean, it's not an easy task if you have those old legacy systems. Yeah, I won't go down a rabbit hole, but I could.

John:

But the other one is MCSE. I am MCSE NT 4.0, so shout out, right.

Andrew:

I'm a Windows 2000 MCSE, but it's not that much of a difference.

Frank:

I'm a 2003 MCSE. Alright, see. Yeah, very cool, yeah, so awesome. Thank you all for sharing your stories. Yeah, absolutely. So.

Steve:

This podcast is kind of focused more on mentorship and just helping those get a start in their career. So along your journeys, were there any specific people, and you guys kind of mentioned some kind of high level, that kind of helped you, maybe mentored you, guided you along the way? But if you guys could focus on that a little bit more and give me some specifics, maybe, on how they helped you or assisted you, uh, you know, that would be great. Yeah, any mentors. Mentors, it could be, uh, not in IT, right, whatever, like mentors and how that worked out.

John:

And, or then the adverse of that is how you've been able to potentially mentor people. Andrew was talking about people that he's had some experience with. I bet both of you have. But yeah, anything around mentors and mentorship.

John:

You want to go first this time, Andrew?

Andrew:

Sure. So there is a guy who kind of helped me go from a manager to a leader, which I think are two very different things. I'll tell you a fun story about this guy. So at one point Nestle did a ton of mergers and acquisitions, and a ton of, we do like IT consolidation all the time because of all the M&A. So one of these consolidation moves that we did, Nestle Purina security and Nestle USA security, they merged, and I was maybe a year, year and a half in, and the guy from Purina who was their security manager had been there like 10 years. He had a bigger team, and they said, hey, who do you think should lead this new team? And I said, I think he should. He's got more experience, he's got a larger team. Like, let's just let him do it. So he and I went from being peers to me being his subordinate, and that was fine. You know, I started doing kind of project management stuff to do automation with identity.

Andrew:

It was a good year or two, and then that guy ended up leaving, and when he left the organization he had to write up a little blurb about everybody. And he wrote up a little blurb about everybody, but about me he wrote like two pages, and he just destroyed me. He said this guy is horrible and you should never make him the leader of the team. And I hate this guy and I don't know why he did all this stuff to me. It's horrible.

Andrew:

So my mentor, the guy who I haven't talked about yet, he reads this thing to me after the guy leaves, and then he takes it and he tears the paper in half in front of me and he says, I don't give a what this guy said.

Andrew:

He says, if you do a good job, I'm going to promote you. And I said, okay, I like this. Like, you know, not that I needed a clean slate, but this guy didn't like me and whatever. So I did a good job and this guy promoted me probably three times, maybe four times within the next five or eight years or so. So it was a great opportunity for someone to say, I'm going to give you a chance and I don't care what anybody else has said about you, and that was very empowering to me. To say it's all on you, it's not about somebody else's opinion, and if you do a good job, you're going to get rewarded. So that's my specific mentor program that I want to talk about, and sure, I've mentored a lot of other people, but I want to hear Frank's mentor first and then I'll talk about the people that I've mentored.

Frank:

Yeah, that was good. Yeah, so, you know, when I think about leadership and mentorship, I can honestly say that maybe damn near all of the leadership qualities that I've learned have come through my military experience. I mean, even my first. I can remember my first two weeks after graduating from basic training in my technical school. I was assigned to this sergeant and he was a bit of a hard ass, and, interestingly enough, he was getting ready to get out of the Army. So, you know, he didn't necessarily have to care, um, but he did. And one thing he told me, I think maybe day two, he told me, uh, no matter what you do, even if it's something as trivial as scrubbing the floor, the urinals and the latrine, do it to the best of your ability, because you don't know who's looking, you don't know who's watching. And, you know, I kind of discounted that at the time. But interestingly enough, later on down the road I was actually leading a detail of folks cleaning bathrooms and our first sergeant walked in and, you know, saw how good of a job I was doing leading, and it kind of opened up some doors for me later on down the road, and I thought back to that one conversation where he told me that. It's like, look, you know, and he was just using that as an example, but it always stuck with me: no matter what you're doing, do it to the best of your ability, because somebody is always watching, even when you don't think they are. In addition, I mean, just, you know, boundless other lessons that I learned from good leaders.

Frank:

Another one is, in the military they always talk about mission first, right? Mission first, mission first. And when you think about that concept, that means the team is really expendable, and to some extent the military would have you think that way, that, look, we're all just here to serve the greater good of whatever the mission would drive you to. But in all reality it's the people that are executing the mission. So if you don't at some level focus on the people, then you're really doing the whole organization a disservice, whether it's the military or whether you're leading teams as a CISO. You're doing your teams a disservice.

Frank:

So I've really kind of taken that and really focused on how I lead my teams. I care about what my teams think about me. I know there's some great CISOs that don't. They think, look, I don't necessarily need to be liked, I'm just going to get the job done, and hey, I can respect that. But the way I have found to be effective is, look, I'm going to get the job done, and you know what, I'm going to be a good person to the extent where I'm going to forge good, strong relationships with my team and the business. So, you know, all of that to say.

Frank:

To tie it back to leaders, lots of good mentors that I had that taught me these lessons in the military, um, and I have had some good, uh, you know, cybersecurity leaders along the way, um, and even found some good services to provide, um, you know, mentor services or coaching services as well, where I have found those great opportunities. There's a great CISO. I think he's now the VP of data privacy engineering at Meta, but he's a guy that's in the local Charlotte community, and I saw him speaking at several conferences, and there's just sometimes, when certain people speak, you know, the message and how they convey it really resonates with you. And he's actually the guy that introduced me to the FBI CISO Academy where I met John and several others. So, you know, all that to say, I think, you know, mentorship can come in many different ways and look different to different people. So, you know, I've had many along the way.

Andrew:

I feel fortunate, but yeah, that's my take on mentorship. So Frank's comments inspired me to say some other things that I forgot to say. Okay, my first advice for anyone who wants to get anywhere in any career, not just in cybersecurity, is to find yourself a mentor. And people say, how do I get a mentor? Well, find someone that you look up to, that you respect, and ask them to be your mentor. The worst thing that can happen is that they can say no, but the best thing that can happen is that they become your mentor and your life changes. I actually had that same guy who I talked about before, who ripped the paper up. He ended up getting promoted and going to Switzerland, and he told me a couple of years later, like, you need a mentor, and who do you think it should be? And the next time we talked I said, I think it should be you, and he said, well, I can't be your mentor, I don't have enough time. And what I did is I proceeded to book a monthly call with him and we just talk, and I turned it, as a mentee, I turned it into a mentoring session for myself. So I kind of, I don't know, jailbroke the mentoring situation. But I will tell you the five steps that I use for everybody that I mentor, and anybody who's listening, you can apply these five steps to yourself without a mentor, or, if you find a mentor, you can ask them to follow these five steps, or you cannot, and I don't care, that's okay, but I'm just gonna give these to you anyway. So the first thing that I have people do is, I want you to look at the job description, either for your current job, if you have a job right now, or for the job that you want, if you don't have a job. And I want you to take those and take each line item on that thing. And I want you to do what we call t-shirt sizes against that, and you just say, like, I'm horrible at this, I'm okay at this, I'm really good at this. For each thing on the list, right, whatever the search that they want or the experience that you want, you go down that whole list, and then, based on that list, you look at the things that you have the largest opportunities in, right, the things that you need the most to get to either your current job or this new job that you want, and then you create what we call development goals for each of those things.

Andrew:

Development goals. Look up SMART goals. It should be specific, measurable, achievable, realistic, time-bound. But create SMART development goals for yourself. One quote that I love is, no one is going to care more about your career than you do. So don't be waiting for HR to do this for you. Don't wait for your manager to do this for you. Don't wait for your mentor to do this for you. Get off your ass and do this for yourself, and then people will help you along the way. So you create those development goals.

Andrew:

So that's step one, and then step two is, create the development goals, of course, and actually do the development goals. I'm going to get this new certification, I'm going to take this class, I'm going to do public speaking, I'm going to be a design partner for a startup, whatever the thing is. Go do those things. Then, step three, do the same things as step one and two, but do it for the position that you want to get in the future. You want to be like Frank. You want to be a CISO of a manufacturing company. What do you need to do to get there? What kind of leadership skills do you need? What are those things that you need to build on to get that, and start working on that now.

Andrew:

Step four is you create a vision board. Now I'm not going to tell you what your vision board should look like. Some people like pretty pictures and PowerPoints and other people want an Excel spreadsheet or whatever. I don't care what it is, something that tells you your goals and what you want to achieve. And you take that thing and you print it out. If you don't have a printer at home, go to FedEx, go to the UPS store, whatever, figure it out, go to your local library, print that thing out, put it on the wall behind your monitor, put it on your refrigerator, wherever it is that you can look at that thing every day.

Andrew:

And remember the equation: one to the 365th power is one, but 1.01 to the 365th power is like 37. So if you can make one tiny 1% incremental change to your life and your job and your career every day, you can make huge things happen every year. And then, once you've done steps one, two, three and four, then, step five, I want you to go apply for that job and get feedback. Ask for feedback ahead of time. Say, hey, I really want to make sure that I get feedback. I've been working a lot to try to get this. Please give me feedback. Now, a lot of people will not give you feedback because that's bad, but do it. Find someone who will give you feedback. If you want, contact me and I'll do a mock interview with you and I will give you feedback afterwards. But those are my five steps, and feel free to take them and abuse them or throw them away as you wish. If I would have known Andrew was going to break out math, I wouldn't have agreed to do this podcast.

Steve:

Let me just give you a round of applause there, Andrew. That's awesome. That is great, great, great advice. Thank you, appreciate it. That's awesome.

Frank:

One thing I'd like to piggyback on that, as Andrew was talking. One thing that resonated with me is something that he touched on, but something that I feel has been maybe one of the key ingredients to my personal success, and that is, he talked about really exhibiting a sense of ownership in your development plan, and to me, that really resonates. I've read a book somewhere in the past. I believe it was called, like, Extreme Ownership. It was… Jocko Willink.

Frank:

Jocko Willink, Leif Babin, great, great book. But one thing they talk about is this concept of extreme ownership. And when I think about, you know, anything that is worth doing is obviously worth doing well, but it's also something that, um, if I'm trying to be successful in whatever it is I set out to do, then I want to be in sole ownership of whether I achieve success or not, and I've often found that most people can actually control their own success if they exhibit a sense of extreme ownership. So, yeah, I just wanted to double tap on that and, you know, share the book. I just bought Extreme Ownership on Audible, so I will be, right.

Andrew:

The next time that you and I catch up, I'll be giving you my feedback on the book.

John:

All right, I think you'll like it right now because he knows how big of a Jocko fanboy I am.

Steve:

Oh yeah, John gifted me that book, by the way.

John:

Yes, so I'm definitely a big fan, um, and his podcast is really good too, really good podcast. But, uh, but no, I think that that's very good. I totally agree. I think a lot of people, they are waiting for some hand to come down to help them, shepherd them through their career to the next step. Um, I definitely.

John:

I just gave that advice today, Andrew, of like, people asking me, how do I get into this position or how do I get this job, and I'm like, well, what actually? I said, well, what do you want to be? What do you want to do? And they said, I want to be in information security. I was like, well, that doesn't mean anything. That's so broad. What are some? Have you looked at actual job descriptions and looked at those and seen what you want to be, what is the actual position? And they're like, oh yeah, I didn't think about that, right? So I totally agree with, like, looking at that list of things that they're looking for, because that's their wish list, right? It may not be, you don't have to have everything, but that's their wish list normally, but that's a good hit list of things to go after, for sure. So, yeah, thank you guys. Pleasure.

Steve:

Just, I guess, staying around this topic of just helping build the next generation, can you guys maybe talk a little bit about some of the advice that you would give to those that maybe want to become a CISO? So we're moving on from getting into the world of cybersecurity but maybe somebody who wants to climb the corporate ladder and get to the very top position within cybersecurity within an organization?

John:

Yeah, first question I might have is like why do you want to be a CISO bud?

Frank:

It's a fair question, John. You know, there's a lot of different reasons that people want to be CISOs, and I think maybe the answers to some of those questions, you know, kind of drive whether they're successful in that endeavor or not. I think the vision board is a great way to create a roadmap for yourself to get from point A to point B. If you want to be a CISO, have a mentor, allow the mentor to provide guidance and fill that guidance into the vision board to kind of help fill the gaps out, and let that serve as sort of a ladder or a road to meet your objectives. But when I think about paths to the CISO role, I don't think there's any absolutes, but generally speaking there's typically two paths, right. Typically CISOs come up through the GRC route, where they're more risk-focused, oftentimes less technical. The alternative is they come up through the technical route as an engineer or a security operations path or to some extent like that, and the one thing that I would encourage people to do is, I think an effective CISO needs to find balance in both places. If you come up through the technical means, sometimes I see these CISOs lean on their technical backgrounds, but at the sacrifice of being able to be a good business partner and really understand and represent risk. On the flip side of that, folks that come in and just understand risk, their architectures, their, you know, the tooling architectures and the development of their technical teams might suffer, and as a result of that, their, you know, their spending and just, there's some other things that really can suffer from that. So I would just say, be aware that, you know, whichever path a person comes through, they really need to just understand that there's balance in everything.

Frank:

The other thing that I think is good advice to become a CISO is really, you know, find, or, you know, do some soul searching to understand what type of organization do you want to be a CISO for. If, you know, I'll say, like, in my experience, there's a lot of kind of industry. Once somebody works in an industry for a while, they can almost get, you know, get siloed within that industry. So if somebody wants to work as a CISO in a manufacturing organization, for example, they probably, as an up-and-comer, engineer or a manager or GRC leader or some extent, want to probably start getting that experience in the industry in which they want to eventually serve as a CISO for. So that would be a couple pieces of advice that I would give.

Andrew:

Okay, I don't want to say anything myself. I just want to talk about the stuff that Frank said. So I agree with the paths. I also have seen people come from IT audit, so that is another pathway, though it's not as typical as the two paths that he talked about. I really like the find-a-balance piece. A lot of times when entry-level people are talking to me about, I want to get into cybersecurity, that usually, and you guys, I'd love to hear feedback on this if I'm wrong, usually the two things that they want to do is SOC analyst or pen tester. Am I wrong about that? No. What I tell them is, go look at the CISSP and look at the eight different, uh, I don't know what they call them, domains. Domains, domains, that's right, the eight domains.

Andrew:

And I say now go and look at, watch a YouTube video or take a Udemy course or whatever on something that's not pen testing. Be a DR entry-level person, or asset management, or GRC, or application security. Look at all of those other things, and then think about it: if every entry-level person wants to be a pen tester or a SOC analyst and you set yourself apart as one of those other things, imagine how many more opportunities you will have. So I like that find-balance part. The other thing I think that people may not realize about being a CISO, when we think about coming up through GRC or cyber, is you're really, and it does depend on the organization, but you really are becoming a business executive. So you need to understand the priorities and the drivers of the business. You need to be able to have a seat at the table of the C-suite. You need to understand things like how to read a financial report, what is EBITDA, what are these growth targets that we're going for. And then you start thinking about cybersecurity in a way of how do we support the business to do what they want to do. And the last thing I want to talk about is this bullshit about siloing CISOs. I think this is totally wrong. Now, I have been in finance, in logistics, in consumer packaged goods, in manufacturing and now in pet care, and that's great.

Andrew:

But to me, a CISO is a CISO. The skills are transferable. I could go tomorrow, now I'm not going to, I'm very happy where I'm at, but I could go tomorrow and be the CISO of a retail company or, I don't know, anything else. Right, I don't have to follow those things. If you saw the guy who was the former CISO of McDonald's, he was at Honeywell before that. What do Honeywell and McDonald's have to do with each other? Absolutely nothing. But it's a transferable skill. Now I will say that there are certain things like financial regulations, HIPAA compliance, things like that, that are interesting to organizations, but those are skills that can be easily learned. If you find the right person who has the right, I don't know, the right mentality and the right personality for the role, I would say give that person a shot and not just say, oh, I need to find a CISO who's been in the organic material space and only that, because that's what we need. That's ridiculous. That's the wrong people making the decisions.

Frank:

I agree. Unfortunately, though, I see it quite a bit, especially, I'm in the Charlotte area where financial services is really big, and there have been several CISO roles with financial services organizations, and when I talk to people who have been in the interview process, the ultimate disqualifier was they didn't have a financial services CISO background. And I agree with you 100%, Andrew. It's really a transferable skill. There is some nuance, industry nuance, like you mentioned, some regulatory pieces, but those are things that you can pick up.

Andrew:

I mean, it's the same thing about when you're hiring a cybersecurity person. You're not hiring for technical skill, you're hiring for personality. You're hiring for someone who's going to show up every day, who's curious, who's going to do the right things. You're not hiring for someone who's got the right certs and is an asshole. I don't want that. I want a good person who's going to show up, who's hungry, who's interested, who's going to be able to learn quickly. That's what you want, and the same thing you want in a CISO.

John:

So, a hungry CISO. I agree, yeah, that's really good. You know, you do see that, and I would see it in higher ed too. Right, they're looking for somebody that has experience in higher ed, and not only that, higher ed at an X-size institution. Right, that's what they're looking for. And yeah, it is different. But I agree, I mean cybersecurity, it is universal. There's a lot of universality to it. You just need to pick up the specifics of whatever the industry is. But I would say that's definitely something, as somebody that wants to be a CISO, they need to think about these things. Maybe we're going to get over that at some point, but that might be a hurdle that you run into.

Frank:

Yeah, one more thing that Andrew said that resonated with me is really talking about the business acumen of a CISO. So I think cybersecurity is a fairly new industry as a whole, but the CISO role is also fairly new and it's constantly evolving, and the effectiveness of a CISO really depends on their ability to be a good business partner. I think those that can really lean into that and double tap into that can really help to transform our craft and transform themselves within the organization. And some suggestions on how to do that, some guidance there, or feedback that I've been given over the course of my time as a CISO, is: think outside the box. As a CISO, we think, oh, we're responsible for securing the organization. But if I want to be better connected with the organization, there are some things that I can do to become better acclimated with how the business functions.

Frank:

One of those is, at a very fundamental, intimate level, know what your business does. Know what drives revenue. Know about your supply chains. Know about your product mix. Know if you are a company like Enpro, who grows through mergers and acquisitions. Spend some time with your corp development team and know what goes into the diligence process when you're looking to buy a company. And maybe more fundamentally, if companies are publicly traded, read the 10-K. Go out and look at their 10-K, their 8-Ks. Understand how their organization is constructed and their financials. There's a lot of free, quick kind of shortcuts to very powerful data that people can find out there, and it could be pretty powerful in helping people become a lot more effective in their role.

Andrew:

Yeah, take a corporate accounting course, right. It's not that hard to do. You can find it on LinkedIn Learning or whatever. I mean, just understanding how to read a financial report and being able to talk about it and not sound like you're crazy. That's good. You never want the C-suite to see you as the tech guy or the cyber guy. You want them to see you as a partner who happens to be a cybersecurity risk subject matter expert. But I'm here to help the company. I'm here for us to win business. I'm here for us to grow. Whatever the objectives of the business are. I agree.

Steve:

Yeah, great point. Yeah, I agree. So what are some of the challenges that you guys, as CISOs, face in your roles, and what are some of the challenges that somebody who would like to be in this position one day will be looking forward to dealing with if they get to that position?

Frank:

I think there's a lot of challenges as the role is evolving, such as the Uber breach and the SolarWinds breach, where CISOs or CSOs are directly targeted. Now there's even evolving guidance that says you have to have a separate policy that isn't necessarily tied to your organization's D&O policy, and so it's kind of like keeping up with this evolving landscape and making sure that our personal risk and liability are not coming into jeopardy as a result of the job that we do on a day-to-day basis. And so that's just one of these outlier things that is kind of interesting about how the CISO role is evolving. I'd say, outside of that, what's hard about the job is just the sheer demand of change that we have to deal with on an hourly, minutely basis. Right, we're contending against threats where we're always one step behind, and yet we have to make sure that we adequately manage the risk that these threats pose to our business, even though we're always playing from behind.

Frank:

When you couple that with emerging technology, like we're in the age of generative AI. I was at AWS re:Invent last week and all I heard was AI, every conversation had those two vowels in it. But it's just an example: when technology changes at such a rapid pace as it has over the last two years since ChatGPT hit the scene, that only complicates our ability to adequately protect our organization and manage risk. It's not always the risk of adversarial actors attacking our business, but sometimes it's the risk of our corporate data being overshared on the internet in such a way that we can never get it back, such as through generative AI. So those would be a few things that jumped out of my mind for me.

Andrew:

Yeah, okay, I'm going to agree with all of Frank's things. The risk of being a CISO: a lot of us are talking about getting personal legal liability insurance now, whether that's through your company or through yourself, but something where, if you end up being in an Uber or SolarWinds situation, you will have insurance that will pay for your legal bills, that will pay for your PR bills, all of those things, because those guys are having to pay for those things themselves, which is not cheap. So having that is probably a good idea. And if there's some sort of a group of CISOs, maybe 1,000 CISOs around the world or whatever, who gets together and says we're going to jointly find this personal legal liability insurance for everybody, it's an interesting way.

Andrew:

And second, Frank talked on the threat landscape, which is constantly changing, right? So in what other roles do you have a constantly changing adversary kind of thing? It's not the same. And, of course, the risks of AI. Beyond that, for me, there's a slide that I show in the course that I teach at WashU, and I start out with this page that's called CISO Responsibilities. There's a guy on LinkedIn who does like a mind map of CISO responsibilities, and the font is so tiny and the pictures are so small that you can't possibly read the slide. And that's kind of the point, because I tell them, look, if you allow yourself to get into all of the details and minutiae of absolutely everything that your job could possibly entail, you're never going to be successful. So I'm a strong believer that you can do a few things well.

Andrew:

There's a quote that is sometimes attributed to Warren Buffett. I don't know if it came from him or not, but he says something like: write down a list of your top 10 priorities, and then tear off the bottom seven and just focus on the top three. So that's kind of what I do with my team all the time. I'm always there to help them, to kind of protect them, so that they can focus on those top three priorities, and all of these other requests that are coming in from leadership and from the side are not going to stop that from happening. So I'm going to finish that up by saying it's making an intelligent balance between risk and resources. At any point we can make a decision that says we can control this risk at a huge, like 99.9%, level, but it might cost a ton of money and a ton of people to do it. So what's the risk appetite of the business, and how much are we willing to spend, and how many resources are we willing to throw at this risk to try and mitigate it to some extent? So balancing that risk and resources, and doing that in a smart way that doesn't end up making you front-line, headline news or whatever, and getting into an Uber situation.

Andrew:

Another thing that keeps me up at night is the idea of visibility. So it's one thing to control the risk that you know about, but unknown risk is a huge concern for me. When I was at Nestle, you're talking about millions of endpoints, 300,000 users, right? How could you possibly control all that stuff? You can't. So having tools that will kind of scan your network all the time and find rogue devices and IoT things and stuff like that, that's important. So having that visibility.

Andrew:

And the last thing for me, I think about this Gartner study at least every week and I don't have the link to the article.

Andrew:

I'll find it later. I'll send it to John so he can share it with people, but Gartner said that more than 70% of people will bypass cybersecurity controls if it helps them do their job better. And that's a wake-up call for two groups of people. One, it's a wake-up call if you are a cybersecurity vendor. Okay, you've got to make sure that your tools are frictionless so that people will use them without having to do extra steps and things like that. And the second wake-up call is for cybersecurity leaders, to make sure that the tools that you're providing to your organization are frictionless, or as frictionless as possible, so you're not forcing people to jump through a bunch of crazy hoops in order to do their job correctly, because, guess what, they will bypass those things if they possibly can to do their jobs easier. Those are my challenges, which are quite a few. I should have just gone with three and thrown out the rest of the way.

John:

Yeah, I say, from Jurassic Park, life finds a way. People will find a way around your policies and controls. They're going to find a way around those, for sure.

Steve:

That's awesome. No, I mean, this has all been great. So you mentioned tools, and one of the questions I had here that I wanted to ask you guys is: as a CISO, is there a tool or a piece of software that you cannot live without, that helps you with your current role, or lets you sleep better at night?

Frank:

Excel. Microsoft Excel. Exactly.

Andrew:

My answer would be two things. One is something that looks like this: a hardware token. So if I could get every single person in my organization to have a hardware token, where the only way to log into your account is if you have this thing, that would solve a whole ton of problems. That's a dream that I have that has not yet come true, that I'm working on, of course. We'll see.

Andrew:

The second one is automated patching. If I can have a tool that's better than, what's that Microsoft one? I can't think of what it's called right now.

John:

SCCM?

Andrew:

Yes, SCCM. That's better than SCCM, that every time a critical or a security patch comes out, it will automatically patch things. And hey, it might break a couple things, but that's the risk of doing business. We can shut down all the servers and then we'd be totally secure. No, my ideas are automated patching and hardware tokens. Those are my two favorites.

Frank:

Yeah. When I think about the most important tools in my portfolio as a CISO, I say it in jest, but Excel is a pretty important tool, but obviously not for security outcomes. I would say, when I think about the attack surface that we're protecting, the endpoints represent a huge attack surface. And then email is another huge attack surface that everybody represents a piece of or a part of. And so I've always said my EDR solution is definitely one of the most impactful tools in our portfolio. And then obviously our email security tools, because, as we say, every user represents a potential victim, and it only takes one to click a link, install malware or do something else that could potentially put the organization at risk. Minimizing the potential for those things to become true is pretty important for me. Yeah, definitely.

Steve:

John, what about you?

John:

I'm thinking about Excel. I want to know what Frank's Excel spreadsheets look like. Those are good, man. I think the dream list is passwordless, right, like if we get there at some point someday. Somebody told me recently at another school, they said they're getting rid of Active Directory. They're just getting rid of it as an approach. I was like, that's an approach. I don't know. Let me know how it goes. I'm curious, right. But no, I think that's great. I think I'm on point with both of them. You know, I love seeing, when bad things happen, being able to see how it happened and how it was stopped, right, and those things keep coming. But it's an arms race, and we're trying to have better AI than the bad guys have, right, so have our tools have better AI. But no, that's a good question. Awesome.

Steve:

Well, we're getting close to the end, so I want to ask all of you just one last question here and then open it up to you. What is probably one of the most rewarding parts of being a CISO, or what has been so far? Anyone can take that one first.

John:

Well, I always say, and I've said this before, I'll let you guys think, for me, getting to CISO is kind of like getting your black belt in martial arts. Right, you get your black belt, you're like, I'm done, I made it, I got it, right. But if you've ever done martial arts, it's like, okay, now you've got to learn a whole other thing. You just got to another level. It's another chapter. But it has afforded me a lot of opportunities to do cool things and meet cool people, like Frank, and being able to have some of those chances that I probably wouldn't have had, and it gives me more freedom too. I mean, the buck stops with me, and that's good and bad, right, because now if something goes wrong, it's on me, extreme ownership, but I also get the chance to help us move the needle to get better. So that's cool. That's definitely one of my favorite things about it.

Andrew:

I'm gonna go with people. When I look back on my career so far, and I think at the end, when I reflect back, it's the people that I've helped along the way, that I've mentored, that I've seen go from analyst to specialist to leader to regional head or CISO or whatever. That's huge for me, and I love seeing people succeed, and I love seeing Frank's dog. So that's it. For me, it's people.

Frank:

That's it, yeah. For me, on a personal front, I mean, I get bored. I'm the type of person that my ADHD goes crazy. I get bored really easy.

Frank:

And the one thing I love about being a CISO is I could literally be doing the same thing two consecutive days, but it'll look and feel completely different. The other thing is, strangely enough, I almost look at cybersecurity professionals and maybe CISOs as almost like superheroes, right, like we are the defenders of the cyber. So it's almost like I get to be a hero and fight for the greater good. And I served in the military, and so obviously I have this patriotism aspect to who I am, and being a CISO almost allows me to continue that whole journey.

Frank:

I definitely would resonate with Andrew, and the people aspect is important, but it's also something that pays the bills, that affords me a good life, that I enjoy doing. When I talk to other CISOs, we always talk about, well, when would you like to retire? And in all honesty, I like that old Confucius saying that says if you love what you do, you never work a day in your life. And I wonder what I would do if I wasn't doing what I love, which is leading and doing cybersecurity things and supporting the business. And sometimes it's down in the foxhole, in the firefight with the team, but ultimately we're all working towards the greater good, and it also doesn't matter if it's me or John or Steve or Andrew, we're all working towards a common goal, just in different organizations, which is pretty cool too.

John:

Great answer, yeah, both of you.

Steve:

Yep, absolutely. Thank you so much, and I know we're getting pretty close on time, so I want to go ahead and just close us off here. Frank, Andrew, it truly has been a pleasure. I really enjoyed this conversation. I know our listeners will as well. But yeah, I just wanted to say thank you again. We will definitely try and have you back later on for another episode. This has been a great conversation. Any final thoughts from you two?

Andrew:

I'd just like to thank you guys as well. Thanks to John for listening to my crazy idea of bringing Frank and I in here together. Great idea. I think that made it fun.

Frank:

Likewise. I'd like to thank both of you guys. It's been great to be here. Thank you, Andrew, for spurring some thought when I was answering some questions. Glad to be here.

Andrew:

Frank, if you want to thank me, you know the way to do it. So is it one of those bottles back there?

Frank:

Yeah, yeah. I'll come back there. I'm sure we'll see each other soon enough, and I'll make sure to bring something good and tasty. And I would say, for anybody that has any other questions, I think all of us are on LinkedIn.

Frank:

I don't want to speak for anybody else, but I do enjoy mentorship. I do enjoy sharing and giving back to the community. So I would say reach out to me, find me on LinkedIn. I don't have a very common name, so I shouldn't be that hard to find, and I would love to help. So thank you, guys.

Frank:

We'll link to you, if you like. We're happy to do that in the show. Yeah, absolutely.

Andrew:

Thank you. The worst thing that can happen is people can say no. That's right, absolutely, that's right.

Steve:

Well, perfect.

John:

Thank you all. Thanks, guys, take care. See you, have a good one. Bye-bye, have a good day. Thanks for tuning in to this episode. If you're looking for personalized mentorship, click the link below to sign up for a free consultation with us.

Steve:

Yep. During this session, we'll talk about your goals, your challenges and how we can better help you. This may include reviewing resumes, career advice, and setting up action plans that are tailored for your needs.

John:

Yeah, at Cyber Professional Services, we're here to guide you at every stage of your cybersecurity journey.

Steve:

That's right. So keep learning, stay secure and we'll see you next time. Thank you for tuning in to today's episode of the Cybersecurity Mentors podcast.

John:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Steve:

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast and follow us on LinkedIn. We'd love to hear from you. Until next time, I'm John Hoyt and I'm Steve Higuretta. Thank you for listening.