Root To CISO
Do you aspire to become a Chief Information Security Officer?
The Root to CISO podcast provides firsthand career stories from experienced CISOs on their journey to success in the cybersecurity industry. It offers valuable guidance for aspiring professionals in the field through personal experiences and practical advice.
How To Become A CISO & What Top CISOs Actually Look For | Root To CISO Podcast
In this episode, we speak to leading Chief Information Security Officers and we ask them to break down the real skills, mindset, and strategies behind successful cybersecurity careers from their personal experience.
If you're aiming for a CISO role or growing in cybersecurity, this episode covers:
- The top skills every CISO needs (beyond technical knowledge)
- Why communication, curiosity, and likability matter more than you think
- How to build trust and influence stakeholders across a business
- The truth about networking and getting hired as a CISO
- How great leaders develop teams and remove roadblocks
- Why continuous learning is critical in cybersecurity
You’ll hear real-world advice from experienced CISOs on leadership, career growth, and navigating complex organizations. If you are looking to become a CISO or grow in your career, this is for you!
Hi, and welcome to the Root To CISO Byte Size podcast. I'm your host Kris Rides, and in these bite-sized episodes, we'll be speaking to experienced cybersecurity hiring managers. We'll be asking their advice on how you can stand out from the crowd to make the career moves you desire.
Speaker: Really excited today to have Alyssa Abdullah, Dr. Jay as she's well known to probably most of you. Dr. Jay. Thank you so much for joining us today. Thank you for having me. Good stuff. And can you let everybody know what you're kind of doing currently?
Speaker 2: So I am currently the Deputy Chief Security Officer for MasterCard, responsible for securing MasterCard's assets. And our assets to us are not just the information technology and information, data, people. People are part of that as well, so it's a huge remit.
Speaker: I went out to sort of around 500, it was over 500 CISOs on LinkedIn. And I asked them all their top three attributes that they thought made a successful CISO. And now I have a top 10 put together, and stuff and communication was absolutely one that number one continuously came up. Yeah. Yeah. Now thinking about that, if I asked you your top three, obviously number one, you've already given me that, what would the other two be?
Speaker 2: Well, I am gonna say you do have to know the technology. Yeah. But I'll pull that back.
Speaker 3: Yeah.
Speaker 2: I will say you've gotta be able to communicate. This is not gonna, this is gonna sound so funny. You've gotta be, you've gotta be curious. And you've gotta be likable.
Speaker 3: Yeah. Yes.
Speaker 2: Now, if you think about it, you say, wow, she didn't mention no nothing about knowing governance and no, nothing about knowing risk. Your curiosity is going to, is gonna drive all of that. Yes. Your curiosity, you always have to have a sense of curiosity and that will help you whether you are driving the security operations center, whether you're driving risk, whether you're driving your program managers. But then the other side of that is that, is the, is the communications part. And the communications and likability have to go hand in hand. I tell my team all the time, we have a hard job. We have to sometimes tell people no. We have to sometimes tell people that you gotta select the hard way to innovate because it's the most secure way. But if they like you and you are not leaving, you're not running over, over running the bus, over people and leaving dead bodies. They will be willing to work with you.
Speaker 3: Yeah,
Speaker 2: And that's the chief security officer role is that we have to have partners. We have to have allies. There are many times that we're not in the room that we need someone else in the room to speak up for cybersecurity. There are many times where cybersecurity is still an afterthought and we need people to speak up for cybersecurity. And if they like you and you communicate well and you are curious, those, they will go the mile, they will go, run through a wall for you.
Speaker: And you talked about curiosity as well, because one of the other top like most popular answers we got was understanding the business. And that puts right into curiosity. Because a good, curious person is trying to understand, right, what makes this drive, why would this stakeholder believe in security? How are we gonna help them achieve what they need to achieve? Right. So it's that same curiosity part that will feed into that. Have you found that very challenging, like bringing in stakeholders and getting them sort of bought in? If you got any tips or advice? 'Cause I think that's gonnas, a lot of CISOs out there that might struggle with that. I'm gonna
Speaker 2: say no, I don't struggle with it because I'm likable.
Speaker: You're like, they like me so they'll talk to me about it, you know? No, I mean
Speaker 2: you really have to build connections. You've gotta build connections internally and externally, you and those and when I say that, I'm not just talking about the superficial, I'm talking about, like I have many, many meetings on my calendar ad nauseam just around building connections, continuing to stay curious, knowing what's happening. So when someone asks me and they have a hard problem and I have to accept the risk. I know why I am accepting the risk, I understand it. Or flip side of that, if I say I'm not accepting the risk, then they have, we have such a good relationship that I've built the trust, they trust me. And that's what you want. You wanna CISO so that you trust so that whether they're on board with your solution or whether they're not, you trust what their decision is.
Speaker: Yes. Yeah. 'Cause there's some points when you can take all of the feedback, you can listen to people, but ultimately you are the one that's gotta stand by the decision you make. Right? Right. And so you've got to make the decision and maybe not everybody's in agreement with it. You need to know that everybody else around you is gonna at least follow and not feel annoyed or bitter about that. Right. Their, their choice not happening. Right. Yeah. That must be a tough thing to manage. That's not,
Speaker 2: it's, it, it, it can be. It can be, but like I said, the road to relationships never ends. And it doesn't stop. It doesn't stop at one, one-on-one. Yeah. And if you think, oh, I have a regular one-on-one with this person, I built a relationship. No, you haven't. There's always things that you can do and that's something that I had to get out of my comfort zone. I tell you, you cannot be a CISO and be. You have to be, if you are an introvert, you have to intentionally make yourself an extrovert, right? Because you have to, you really, really have to go on your own roadshow, to help people understand what's in it for me. Right. Why? Why are we doing things like that like this? Why are we not accepting the risk? The why? The why, the why. And if you make the why make sense to them and make them understand what could go wrong outside of we could be breached, right?
Speaker 3: Yeah.
Speaker 2: Duh. Everybody knows that. But you gotta take it to a level where they understand it and they understand their impact into it. Now you have a good value proposition for someone else. There is a way to cultivate your story, so that it highlights your successes. I'm a quote person. And last week again, someone said companies love scar tissue.
Speaker: Yeah.
Speaker 2: And so if you've got some bruises, guess what that means? You try.
Speaker: Yes.
Speaker 2: That means you tried and so step stepping back, stepping sidewards, moving around, pivoting, or staying in the same place for a certain number of years so that you can get all that, you can get all that you feel like you need out of a project, out of a company, out of an organization. There's nothing wrong with that.
Speaker 4: With me today, I've got Andrew Wilder. Andrew, welcome to the podcast.
Speaker 5: Thanks, Kris. Thanks for having me. So right now I am the Chief Security Officer at Vetco. Vetco is a veterinary consolidation company. We own about 900 veterinary hospitals in North America. I'm their first CISO that they've ever had. And, building a small team there and doing a few things like identity and operations and stuff like that, and a little bit of physical security too.
Speaker 2: When people come to me and say, Hey, I'm looking, I'm a CISO, I'm looking for my next role. Like, what's your advice? You're very good at networking. Like what do you do? The advice that I always give them is network. Network, network. Yeah. So if you know somebody at that company, then you can be a, a, a name instead of just a mindless person on a stack of resumes that no one's ever gonna look at. So if you can get a, a referral from a human being, that's incredible. My current job I got, I applied for it on LinkedIn and they called me and I got the job. Now that's not the advice that I give anybody else. That's not a good way to do things. You can do it that way. It sometimes very rarely works, but that's how I got my current job. I can't believe it myself. And when I tell people, they also can't believe it, but it's the.
Speaker: Well, that's the, that just goes to show about having like a diverse way to search for jobs, right? You have to have every element, you,
Speaker 2: you gotta know the right recruiters, right? Yeah. You gotta know them. And people say like, Hey, but I only recruit for like Minnesota. Why do I need to know you? Because there might be the perfect job for me. That's in Minnesota and I don't know it yet, and you don't know it yet. So every it is not, it's not who it's who knows you. Yes. Right. So they have to know you, and you gotta apply and you gotta work your network. All of those things. It's really a shotgun approach to, to find the right connection. And the second thing is, I think within the CISO community, there's a really positive thing of we want to help each other. Yeah. So I take calls, I would say about once a month, maybe a little bit more often than that. Of people from people who are looking for their next CISO gig. Want advice on how they can do that. I'm gonna look at their resume, look at their LinkedIn, the same kind of stuff that you do for people as well, but more from a practitioner perspective. Yeah. And I, look, I'm happy to do that. I want to help people and it's great and that builds that same long-term relationship thing because maybe, six months from now, two years from now, whatever, they're gonna remember that and you're gonna need help with something and they'll help you. As a leader, there's really two things that I do. The first thing is it's my role to help my team advance in their career. As a leader, my personal philosophy gonna help you advance in your career. So, whether that's inside or outside of the current organization, that's up to you. So I'm gonna look at, what are the things that you need to develop in your current role? What are the things that you need to develop for your future role? We're gonna devote at least 10% of your time to learning and training because if you don't continue to learn, you're gonna become obsolete. And then we're going to have development goals that we agree on, milestones that we can set for yourself. Is it a certification?
Is it a course that you're gonna take? Are you gonna get a degree? And not just traditional training, but is there a project you're gonna work on? Is there a new tool that you're gonna learn about and implement? All of those kind of things, relationships, that you're gonna build. And not just on the technical side, but also on the soft side, the leadership side, public speaking and giving presentations, and all of those kind of things. So that's the first part is helping you advance your career. The second part is creating a safe space for people to succeed. I think a lot of times why people fail in big organizations is there's a lot of bureaucracy. Mm-hmm. You run into political roadblocks, financial roadblocks, resource roadblocks, skill roadblocks, whatever that is. It's my job to protect you from those roadblocks and say, I'm gonna break down all of those roadblocks. I'm gonna let you do, there's a great quote from Steve Jobs, you probably know this as a recruiter. He says, we don't hire great people to tell them what to do. We hire great people to tell us what to do. Yes. So I'm not gonna get there and tell you what to do. I'm gonna get there and break all those boundaries for you so that you can succeed. There you go.
Speaker: Yeah. I love that. A great philosophy. It's like the succession planning thing. Getting people ready is something that so many managers aren't great at. Yeah. And it's just that assumption that, management's so much more than respect. Yeah. And then companies don't always support people through that, that that thing. And it impacts everybody, including the person that got the promotion, right? Yeah. So. Yeah, there's a lot what you mentioned companies supporting you through the sort of getting the upskilling job, the, like the bigger job. How, how were they supporting you and what, how do you think companies need to do that for people that are getting these promotions?
Speaker 2: There's kind of two types of leaders in terms of the teams that you hire. Mm-hmm. There's leaders who hire, yes people, right? Hire people that think like them. Sometimes even people that look like them, who every idea that they're gonna come for as a leader, they're gonna go, oh, that's a brilliant idea. That's great. And then there's the people who hire people who think differently than them, who won't say yes to every idea that they have. And that gives you a much stronger foundation when people will challenge your ideas as a leader. Because if you don't have someone challenging you and everything that you think or do is the right thing, you're gonna, you're going to land in big trouble, right? Yeah. You're gonna make big mistakes. So having, kind of that diversity of thought and people who think differently and act differently and look differently than you to help you make decisions, boy that's really powerful. I am Barbee Mooneyhan. I've been in IT for about 20 years and, done been doing security for, probably around eight years now. And I just started with a company called Uplight. I am their CISO and I run their privacy operations. Uplight is an energy solution, so clean energy is absolutely amazing and I've been wanting to get into the energy sector for a really long time. So we support the utility companies with amazing technology to help them with energy consumption and usage, and the main response.
Speaker: Excellent. Good job. There's a lot of, I mean, in some cases, like individuals contributed is kind of thrown into management and then not always supported. Was there specific support that or anything that you personally worked on to, make yourself a better manager or, or give yourself that opportunity?
Speaker 2: Yeah, I think that's a, that's a great question. The company or the organization I was at had a lot of, a lot of, courses that we could take and development courses, not just like technology courses, but development based courses. And I had taken the slew of inter of, managerial courses and everything to that nature. And I had been doing coaching for a really long time within the quality management and the training sides of it. So I think early on I saw the need to break out my need to succeed and understand it was my team's need to succeed. So they absolutely supported me in the sense of there was tons of training material, I had access to HR, but also there was a mindset change for myself that I had to really think about and really recognize and then start making changes within how I worked with other people as well. 'Cause it wasn't just my team. I then had to represent my team externally as well. And the relationships that I developed with my peers and with other leaders across the organization, not just within IT.
Speaker: Yeah, like making those stakeholders sort of bought into what your plan is and so you can deliver it much easier, right. If they're Absolutely, they're not bought in. It's gonna be really tough.
Speaker 2: I try to make it really easy for the leaders to, like, this is the thing, these are the relationships that are garnered. This is the buy-in that I have from these other components that have to be influenced or affected by the change that we're about to put into place. These are the policies, this is the documentation, this is the working group that we had. Now we need to implement it. What do you guys think? You know? Right? Like leading it all up to a, this is a really great idea, right?
Speaker: Are you in, you, in, you in, you're in good, you're in.
Speaker 2: But in. I also think though, it, it's important to, to drive back a why as well. Not just for, not just for, as a, we will talk about being a CISO in a moment, but not just as a CISO trying to influence the organization and making sure that we're making good sound business decisions with risk, impact, understanding. But it's also good in your early career too, to be able to come to the table and partner and have relationships and get buy-in. And the way that you do that is you. You just sometimes have to have tough conversations. Mm-hmm. I've been yelled at a lot over my career. Right. I've sat down at a table and said, what's your frustrations? Like what? Let's start having this conversation. I've been yelled at a lot, been, been. It might or might not have been screamed at a couple times. But then we start to work towards a path forward and we start to work towards a similar alignment, and an understanding. And you have to base that back in a why. So not only when you're influencing, you know, executive leadership and senior leadership across the business as well as early in your career when you're talking to people and you're trying to like. Why does this matter? Well, these are the reasons why this matters, and this is the influences and the benefits that could come out of this conversation or, or this working group, or this work stream and it. I think it's really important that we as people come to the table together and have those tough sometimes conversations that gets us on the, to the other side of the conversation, which is instead of, versus we have a with. Right? Nine times outta 10, humans are humans. If you go to them with an authentic, open conversation and you say, this is, tell me what you're seeing, this is what I'm seeing, and let's find a path forward. Nine times outta 10, you're gonna get a really good response to it.
The other one person, one, one time, you deal with it and you learn how to address it appropriately and within a business, right? And, there will be times where it's unfortunately uncomfortable, but that nine times outta 10, you're gonna come out on the other side of it. So many times I've had. Okay, I'm gonna have this conversation today. It's gonna suck.
Speaker 3: Yeah,
Speaker 2: But the only way through is through. The only way unto the other side of it is to go through. Sometimes going around isn't enough.
Speaker 6: Thank you for listening to the Root To CISO Byte Size podcast. I hope you enjoyed this episode. Make sure you keep an eye out for season three of the full Root To CISO podcast. And in the meantime, stay up to date by liking, commenting, and of course subscribing to our channel. Thank you.