CISOs share their stories

As we’re about to release our tenth episode of the Security Stories podcast, I thought I’d reflect on some of the amazing stories we’ve heard so far.

I’ll be perfectly honest: I wasn’t sure how the podcast was going to turn out at the beginning. I simply went into it with a passionate belief that hearing other people’s experiences is one of the best ways to learn.

Nothing could have prepared me for the depth of the stories I would be privileged to listen to, or the response we’ve had from people who have listened.

Creating a security tribe

The running theme of our podcast is that security is far more about people than anyone might think. Every CISO that I’ve spoken to is supremely passionate about their team.

Mark Weatherford
Mark Weatherford, Chief Strategy Officer at the National Cybersecurity Center

I’ll give you an example: I interviewed Mark Weatherford for episode 4. Mark led cybersecurity initiatives in the United States Navy, and he was also CISO for the states of Colorado and California (in the latter case he was hired by Arnold Schwarzenegger to help change the way California “did technology”). He is currently Chief Strategy Officer at the National Cybersecurity Center.

I spoke to Mark about a paper which he wrote called “10 rules for cybersecurity sales people”. One of the rules was, and I quote, “Don’t talk about how bad or incompetent security staffs are these days. That’s my tribe you’re talking about. I’ve put my life-blood into building my team and many of these people are my personal friends who are way smarter than me.”

What I’ve also learned from all my interviews is that part of a CISO’s role is to ensure there is as much diversity in their team as possible. Not only is this pertinent from a cultural and representation perspective, it also means that the diversity of the attacker landscape can be mirrored in the team. People who think differently, and who can approach things from different angles, are exactly what you need to defeat bad actors.

Additionally, a CISO should ensure a culture of support for everyone, because everyone has good and bad days, and no one can work at 100% capacity all the time (especially not in the times we’re living in right now). Burnout is a huge issue in cybersecurity, so it’s about building a team whose members have each other’s backs.

What to look for in a security team

Marene Allison, CISO for Johnson & Johnson

Marene Allison is a military veteran, having graduated from West Point in the first class to include women. She was also an instrumental figure in getting rid of discriminatory laws against women in combat.

Marene served on the Defense Advisory Committee on Women in the Services, appointed by the Secretary of Defense, and the Overseas Security Advisory Committee, appointed by the Secretary of State. I interviewed her in episode 7.

Marene loves questioning things, and that’s what she looks for in her team too. She recalled asking her supervisors this question: “What are the requirements to be in combat? None other than you can’t be a woman? OK, that’s discrimination, let’s work on changing that.”

For Marene, one of the most important values in cybersecurity is to be inquisitive. People who always question the status quo. People who ask, “Why is that there?” make wonderful security engineers.

Tabletop exercises

Another story about Marene is that she developed and participated in the nuclear terrorism exercise Compass Rose ’88. It was the largest mock terrorism incident exercise run by the federal government, and the aim was to see how the different agencies would work together in the face of an attack involving a nuclear weapon.

Marene told me that this was when she learned the significance of doing tabletop exercises. In our interview she talked about how it’s never OK to guess how something might work. You have to see it in action. You have to test it. You have to refine it. Never make assumptions or be too quick to jump to conclusions, which applies to people as much as it does to security.

Incredibly, some of the papers that Marene wrote from the exercise ended up in the Patriot Act. She has no idea how it happened, and will never get credit for it, but she doesn’t worry too much about that; she’s grateful that the experience has a legacy beyond what they did.

Being an ally

We first launched the podcast back in March, and since then the world has changed beyond recognition. Many of the conversations I’ve held over the subsequent months have become even more pertinent – particularly when we came on to talking about topics like diversity, representation, respect, and being an ally.

Masha Sedova, co-founder of Elevate Security

Masha Sedova is the co-founder of Elevate Security, which helps organizations develop strong cybersecurity awareness programs for their people. Masha was my guest for episode 5.

Three years ago, when she was trying to raise investment funds, she and her male co-founder sat in front of a panel of investors. A few of the investors only directed questions to her male co-founder. The business was Masha’s idea, and she was explaining the concept and the plan behind it, but they never gave her the respect of addressing her directly.

Her co-founder, Robert Fly, proceeded to explain that this was unacceptable, and then he physically turned his chair towards Masha so that he was facing her. That meant that everyone else needed to face her too. I still remember the feeling I had when Masha recalled that story to me. I could visualise the room in the way that she told it (perhaps because I’ve been in similar situations myself).

Masha said that Robert will never know the full extent of how powerful what he did for her that day was. Because she was so shocked and astounded by the fact that she wasn’t being given any respect, she couldn’t speak up for herself. But Robert, being in a position of privilege simply because he was male, stood up for her and called the panellists out for their unreasonable behaviour.

And that’s what’s sometimes needed in these circumstances: for people in privileged positions to be an ally, and to give up their privilege to address the imbalance. I really think it’s important that when we see injustice, we must call it out.

For another perspective on this, please listen to Andy Ellis’s story on the most recent episode. He is one of the biggest advocates for more representation in the cybersecurity industry, and he takes a no-nonsense stance on it. That episode is also worth a listen to hear my co-host Noureen talk about giving a “voice to the voiceless”.

Funny stories

I’ll leave you with a few funny stories. The first one is that two people whom I’ve interviewed only started their jobs after being convinced that the offer wasn’t a phishing attack!

Theresa Payton, Author and President of Fortalice

Theresa Payton, from episode 3, was the first female CIO of the White House, having been hired by George W. Bush in his second term. But when she initially got the call, it took three attempts for them to convince her that it really was the White House, and that they did want to speak to her about the CIO role.

The same thing happened to Marene Allison when she decided to leave the FBI and got an offer to enter the corporate world (or, as she describes it, “the kind of security where they don’t shoot at you”). She figured it was a scam, and it took multiple attempts to get through to her.

I’d be interested to hear if any other CISOs did this. A consequence of being so alert, I guess!

The second story is from Andy Ellis. He told me the story of “lizards versus cats”. The common saying, of course, is that “X is about as hard as herding cats”. Insert whatever example you want there, whether it’s cybersecurity or trying to understand the movie Inception.

However, all you need to herd cats are two things – a laser pointer, and some catnip. A laser pointer is all you need to get a cat to be in the place you need it to be, because they will follow that beam no matter where you point it, even if it’s a difficult place to get to, or even if it’s inside the basket which they know will result in a trip to the vet.

And then you reward them with some catnip.

But if you try to use a laser pointer on a lizard, they will scatter. They see it as a threat. So it’s about working out what the laser pointer means to your audience. Is it an encouraging tool that will get you what you need? Or will it have the opposite effect? The whole concept of FUD (fear, uncertainty and doubt) as a way of selling cybersecurity is thankfully becoming more and more obsolete.

If you’re intrigued by these stories and want to hear more, you can catch up with all our episodes here. You can also subscribe on your podcast platform of choice so you don’t miss anything (we release new episodes every two weeks).

If you’re a CISO or a security leader and would like to be part of our podcast community by sharing your story, please get in touch with me on LinkedIn and we’ll take it from there.

Lastly, I want to say a huge thank you to my co-hosts Ben and Noureen, who are not only brilliant people and a pleasure to chat to, but who also bring their own unique perspectives and experiences to the podcast, whether we’re talking about the threat landscape or reminiscing about the past in our ‘On this Day’ feature.

I look forward to recording with them each time, and hope to keep doing the podcast for many episodes to come.

Listen to the Security Stories podcast