Root To CISO
Do you aspire to become a Chief Information Security Officer?
The Root to CISO podcast provides firsthand career stories from experienced CISOs on their journey to success in the cybersecurity industry, offering valuable guidance for aspiring professionals in the field through personal experiences and practical advice.
How To Advance And Get Promoted In Cybersecurity | Root To CISO Podcast
Relying solely on technical skills and certifications is no longer enough to scale your career. In this episode of Root to CISO, top security executives break down the mindset, attitude, and connections needed to advance into cybersecurity leadership.
Melina Scotto shares her personal journey, explaining why saying "yes" to unexpected opportunities is a major career catalyst. She narrates how a close professional connection opened the door to a major job opportunity—proving that relationships often matter more than resumes.
Nicholas DeMeo delivers a powerful reality check: technical skills can be taught and mentored, but the right attitude cannot. Nick Bruno dives into the importance of tackling hard challenges head-on, even when you don't feel 100% ready.
Watch now to learn how to cultivate a growth mindset, embrace uncomfortable career steps, and build a reputation that forces executive opportunities to find you.
Hi, and welcome to the Root To CISO Byte Size podcast. I'm your host Kris Rides, and in these bite-sized episodes, we'll be speaking to experienced cybersecurity hiring managers. We'll be asking their advice on how you can stand out from the crowd to make the career moves you desire.
Speaker: How did you then progress into more and more sort of heavy security or even into sort of the leadership? 'Cause that's how most careers tend to move towards.
Speaker 2: I think it was just always being willing to say, yes, absolutely. I'll pitch in, I'll take over, for the experience of it, for the resume building, maybe for some more money, but not always. It, it just depended. But I was excited to get to the next thing and do the next thing and get the next cert.
Speaker: And how did you get that first position?
Speaker 2: That's the craziest story. I still, I still don't believe it when I talk about it. But I was leading a cybersecurity in federal health for a couple of billion dollar company that got eaten up by another multi-billion dollar federal contracting company. And there was a repeat in this position that someone, me on my side and then Sally Sweeney, just a wonderful mentor, I guess the second most important mentor of my career, and so I was super to talk to her. I called her up and said, hey, why don't we just get an appetizer around the corner and have a glass of wine and talk cybersecurity. And I walk away from that meeting just thinking, oh, it's gonna be so great to work with her. Meanwhile, she had been interviewing for her, her boss's position, but also interviewing elsewhere. So when it turns out she was offered the job and she turned it down because, she said, I found this other thing and it just seems more aligned. Maybe it's time for me to kinda move on to this other type of thing. And she said, but I spoke to Melina. She's just like me. Same direction I would go. I had no idea. They say it's, you know, all about who, but sometimes it's about who knows you, which is a different thing. It's not like I, I had asked her or promoted or whatever. We, I just wanted to meet her so we could work better together. But we just resonated so, so completely in the same frequency that she said, hey, if you want somebody like me, just pick Melina. And so I was asked to, to apply to this position and my, my process was pretty quick. I didn't, they all knew me. I didn't really have to interview at all.
Kris Rides: If I look at people in their careers, in their actual career, like one of the biggest things that makes, you know, the largest difference is that EQ factor, is the factor of like, how do they gel with the people that they're interviewing with? How are they gonna be as part of the team? Right? It, it's more about the person often, right, than the actual skills. You can teach the skills. If we, if you've got somebody that's got all the skills but isn't a particularly nice person, yeah, you know, are they gonna be a, a good person to have in the team? The answer's no.
Nicholas Demeo: Exactly. Exactly. That's really important too, just to understand like how, who you are supposed to be as a person. And now not just be like, conformed to a shell, but be yourself, but able to bring your own unique personality to, to a team. Yep. And, and that's the mindset that, you know, you get into and it really helps you be successful, because if they don't like you, they're not gonna wanna work with you.
Kris Rides: Yep.
Nicholas Demeo: And it's like you're trying to advance your career and nobody likes you. It's gonna be very difficult to move up.
Kris Rides: What are the ways that, if you look at people that are either already in the industry or early career or trying to get in the industry, what can they do to work on, on, on that part of their personality or that part of their skillset?
Nicholas Demeo: Yeah, absolutely. I think it's, it really comes down to understanding what the fundamentals of the industry are in the first place, and then going, okay, how can I adapt myself to meet those requirements? And you start developing that like situational awareness where you're assuming there's something happening and so you're reacting, or maybe you've already taken proactiveness. And really it's just that psychological mindset that really to work on, yeah, is like, okay, what is cybersecurity? Somebody that's like, okay, he's done, you know, these platforms. He's highly ranked, he's put a lot of time into, you know, hacking things. But once you put him on there and he is like, he's tunnel vision. Yeah. There's a lot of lost value there.
Nicholas Demeo: I think people like myself, we're looking for ones that are already have that mindset correctly. Yeah. And then they're looking to get mentored. And that's like a dream come true for somebody in senior leadership. Like, oh my God, he's got everything he needs. He just needs to be taught. Yeah, let's do it. Yeah. And really it's just the mentality, I think, is the most important thing to have when you're approaching this industry, is having the right mentality.
Kris Rides: Also, people that are earlier on in their career, put your hand up for stuff, right? That's how you become like the internal unicorn, right? You see a gap, you see something that needs help, go and ask, is that something I can help with? It's an ability to learn more and, in the current market, also potentially not put yourself out of the bracket. If you are somebody with a unique set of skills, it would be hard to lay all of that piece of work off. You're creating some job security there.
squadcaster-fe33_1_01-08-2026_164143: Yeah, and it's also as opportunities come up. If you have an interest in learning something new, doing that before the opportunity actually is in front of you to go apply for it. From a talent acquisition standpoint or talent management standpoint, you can do security or any type of role as part of your normal job, all if you do is say, hey, I wanna learn. There's not gonna be anybody that says, no, I'm not gonna, we don't need the help. We don't wanna train. Like part of how the security community, at least how I grew up, is I kept asking 'em for things that I didn't know and how I could help, and also not being able to say no. But I didn't wanna be a firewall admin when I was early in my career, but I took on everything else nobody else wanted, and I had no clue at that point. You had to figure it out, but you also had to ask, but you had to stretch yourself. And I think, like even with my current security team and, and whatnot, it's a relatively small team, but I've extended it to my service desk and others throughout the entire organization that has an interest. They want to do, it doesn't matter. Vulnerability management, incident response, security monitor, like they have an interest. I will spend time with whoever that wants to learn. And then eventually when there's an opportunity, and I've hired or promoted three or four people from my service desk into my DevOps team or to my security team or even,
squadcaster-fe33_1_01-08-2026_164143: in an application development team. And just because they showed an interest,
squadcaster-fe33_1_01-08-2026_164143: they may not have the skills right now, but they'll get 'em.
Kris Rides: Get 'em. Yeah. Yeah. And often that's the way people find themselves into positions or roles or areas of interest that they never even would've touched. 'Cause they didn't know about it. They didn't know it would be something they would be interested in.
squadcaster-fe33_1_01-08-2026_164143: It goes back to being added, like adding value.
squadcaster-fe33_1_01-08-2026_164143: At the end of the day, it's like how do you add value to an organization? It doesn't matter what level it is. You have an interest. You can provide help that is adding value.
Speaker 6: Thank you for listening to the Root To CISO Byte Size podcast. I hope you enjoyed this episode. Make sure you keep an eye out for season three of the full Root To CISO podcast. And in the meantime, stay up to date by liking, commenting, and of course subscribing to our channel. Thank you.