Root To CISO
Do you aspire to become a Chief Information Security Officer?
The Root to CISO podcast provides firsthand career stories from experienced CISOs on their journey to success in the cybersecurity industry. Offering valuable guidance for aspiring professionals in the field through personal experiences and practical advice.
Root To CISO
Unconventional Journeys to Cybersecurity Leadership | Root To CISO Podcast
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Want to become a CISO? Sometimes things don't go as planned and it's oka
In this bite-sized episode of Root to CISO Byte Size, we recap the career journeys of some cybersecurity leaders. They share their real career journeys, from finance, helpdesk, government, and consulting into senior security leadership roles.
You’ll learn why there’s no single path into cybersecurity leadership, and what actually matters if you want to stand out and progress.
The episode covers:
* How these CISOs actually started their careers (it’s rarely cyber first)
* How sideways and backwards career moves are shape your career
* Learning by doing, figuring things out before feeling “ready”
* Taking opportunities others would hesitate to take (even without full experience)
* Treating every role like ownership, not just a job
Whether you're starting out in cybersecurity or aiming for leadership, this episode breaks down the mindset, decisions, and experiences that shape top CISOs.
Subscribe for more insights from real cybersecurity leaders.
#CISO #CyberSecurityCareer #InfoSec #CyberSecurityLeadership #GRC #TechCareers
Hi, and welcome to the Root To CISO Byte Size podcast. I'm your host Kris Rides, and in these bite-sized episodes, we'll be speaking to experienced cybersecurity hiring managers. We'll be asking their advice on how you can stand out from the crowd to make the career moves you desire. prior to getting into cyber, what was your background? What were you doing? And then move on to like, how did you end up getting into cyber?
SpeakerYeah, so it's very interesting. I have a very interesting turn in cyber, you know, quite interesting I would say because I started out as a financial analyst at a multinational organization. A year and a half into that role, I was able to streamline some of our processes, our close processes that then propelled me into an international controller where I had the fortune of living, uh, in Europe for about two years we were implementing the largest worldwide ERP system for a company called Baxter International. And from there unfortunately I was laid off. They had a huge rift. I was laid off and then moved back to one of the first consultants who did the Sarbanes-Oxley audit testing and things like that, uh, which again was the, a step towards cyber. From there I worked for another company called Vasco Data Security. We had a massive breach where the Dutch authority came in, took over the company and from there pivoted. I transitioned to Zurich, which is a large multinational insurance company, which, you know, in my mind looking back, it was a natural progression. I started out as, um, or as a reporting analyst. A year later I moved up into managing the team where we primarily focused on GRC, looking at controls, ensuring that controls were meeting the requirements. And from there we learned quickly that the world was shifting. We needed to have a good understanding of what the controls are doing. At the end of the day being in security, you have to understand what you're protecting and I think smartly we made the move of, you know, starting to move more into an advisory role where we started looking at the security metrics, looking at the technical controls as well as the, I would say, the administrative controls around how we're protecting, uh, the company's assets. That was again, the natural progression to CISO role. I mean, I would say fast-forward a couple years, I then moved under the KKR umbrella. KKR is a PE company and they have a portfolio of companies which, uh, enabled me to act as not only as an advisor, but as a CISO, head of security. As an advisor, I worked with multiple Fortune 100 companies building out their zero trust models ensuring that they had all the necessary controls in place to again, protect the, their environment. And then recently in the role I had, I had, I was a team of one, so security awareness program. A incident response program. We also had a framework that we built out and then built, basically gave them a roadmap to kind of finish the journey. So, uh, that's a long way, in terms of, uh, my career, but that's kind of the trajectory that I've been on. So the first CISO role the CISO role happened when- I was at Zurich. I always tried to take on more than I was supposed to, but it didn't, it did not actually happen at Zurich. It was a volunteer role. I was working for a non-for-profit at the time, and I said, "Hey, there are things that I've lear- I'm learning at Zurich. Why not help you, you know, secure your, putting in, uh, putting controls in place doing malware scans and things like that." Helped them out with the security awareness training program. I think two-factor authentication was something that was just coming in so I helped them with that. And then so that was on a pro bono basis. Yeah. Officially my CISO role was with KKR, and I s- you know, I started KKR around, uh, 2022. So I was just kind of the, the face, um, or a solutions architect working with CISOs. And I would literally tutor CISOs on how to talk to their CFOs. Speak in a language that your CFO can understand and appreciate and partner with you to... We're buying down risk. We're not buying another piece of technology. We're gonna buy down risk, and here's how we invest in this piece of capability, and that capability happens to be this technology."
Speaker 3Well, let's crack on with your, your career, like pre getting into cyber, what was your. What was your background? What was that foundation?
Speaker 4Oh, the foundation. So back in the day, my troubled youth, do you remember ICQ?
Speaker 3No.
Speaker 4The chat app.
Speaker 3Oh yes,
Speaker 4I do. Yeah, no, I do. Yeah. You would randomly connect with everybody. So how this whole thing started was that I was actually like, I started off as a script kiddie and you have to remember like, the mid nineties. Literally, like the time where the internet became the thing to be, it was, it was an evolution of sorts, and revolution. I ended up at a very small web hosting company that let me do system administration. And first, my humble beginning there was also like helpdesk. So I started in the helpdesk answering support tickets. One thing led to another. Then you start doing system administration, and this is the early 2000s. One thing that I realized was that there was an insatiable appetite there from a learning perspective. I didn't know what I was doing. There was never like the fear. What I knew that it's like, I don't know what this thing is, but I'm going to figure it out. And frankly speaking, I mean, that's how like the whole flash thing became to be because I was like, Hey, this looks cool. I want to try to animate something led to another thing. And they just, it was like evolution of sorts going through like the motions of like technology, figure out like, What matches the neural net in my brain, the neurons were clicking, they were firing. And then helpdesk was definitely the thing that, I enjoyed doing, but I also realized that, there wasn't necessarily like a, that was just the beginning of it. There was no, like, like you're going to become the master of helpdesk. They are, but here's the thing. titles are for free. They're free. One thing I learned in Silicon Valley is like titles. They don't matter that much. They can be handed out. It's free. It's what you do and how effective you are. And if I could like, encourage everyone, I would say focus less about the title, focus more about your, the impact that you're delivering. I always saw myself as a shareholder because I had like, that pedigree of like, running my own business is like, if I'm joining your company, I'm going to treat it as if this is my business that I'm running it and I'm going to like protect it. And I'm going to look out for it as well as I would with my own pocket, right? If it's, if this is coming out of my paycheck. This is coming out of my bank account. I'm going to treat it exactly the same way. That's really what you need to show as an individual contributor. Ultimately, you will get the title. I think that, the CISO title was really lucrative at one point, and it still is.
Speakerwhat, what were you doing before even getting into cyber? What was your foundation?
Speaker 6I actually started working when I was pretty young. 17. Didn't really have a ton of funds and didn't really honestly even have the grades to go straight into university at the time. So I got a job and I could type, and I landed, I think it was divine intervention. I landed in a computer center. At the National Institutes of Health, it was my second choice job. The first choice, tried to hire me and they ended up going on a hiring freeze. So I took my second choice. And really the rest is history. I, I worked there for, I'd say, a good straight year before I decided to try to go back to school so I went back and started a degree as a business marketing major is what I started to do at a community college. eventually my counselor. Asks to meet with me to check my progression and she says, Hey, what's your degree? I'm like, business marketing. She's like, I could have sworn you were a computer science. I'm like, why is that? She goes, 'cause the majority of your credits are computer science. So I'm like, well, if I change, will I lose any credit? Nope. So, I switched my major and just basically a full on went in to finish out as a computer. Computer and information science was a degree. So there began my admission that, okay, I really like this computing stuff, so maybe it's gonna be a career I worked there for 10 years. I realized I wanna see what, private industry, how it works, how business works. Mm-hmm. So then I started, looking for something outside just to get different experience. I didn't just wanna stay in one place, even though I felt like it was a noble place to work. I wanted just other experiences. So I did eventually at that, after graduation, moved to a, a private industry job. So I moved to Ohio and I took consulting role. We eventually got bought by a bigger company, but at the time we were pretty small. So you had to be super nimble and agile and just learn on the job. It was a super great place. Like people were really good, super moral people. However, just hard work, right? Like, just drop you in the middle of a, a job and be like, good luck. Figure it out. Right? So I, it definitely matures you very quickly and makes you begin to think on your feet. So I did that for almost four years. Wow. And I would say the lion's share of that time I spent. Probably at Proctor and Gamble the most of the time. So I went from government to a manufacturer.
Speaker 5And were you doing at that point you were doing dedicated it or some cyber or some, yeah,
Speaker 6at that point, I grew up in a mainframe shop in that NIH time, the PC became, and distributed computing really kicked off So I moved to the team that was in charge of figuring out what the heck the NIH was gonna do with PCs. And they actually really glammed onto the Macintosh because they were doing a lot of, biomedical type stuff with graphics, like the Human Genome Project was still going on at that time. They were trying to map that out so they needed those graphics. I ended up eventually becoming like a con, like a consulting level person. I was first like a dispatcher or a help desk person, and then I moved into being the person that would answer the questions. I. And then I got into, networking the computers together. I was a cis admin basically. Doing mostly what back then was called
Speaker 5local area networking for Yeah.
Speaker 6What became just what's built into systems today. I helped people connect those together. So I did that for a number of years. It evolved into other things, but stayed there. And right at this time it's. It's the late nineties, right? So now the internet is entering and I was still back doing cis admin stuff. So my next job I took, because I had some of that CIS admin experience, I joined General Electric and General Electric Aircraft Engines at the time. GE as a whole was trying to get on the web to do e-commerce. They're a manufacturer at the time, so it's like they weren't doing typical e-commerce. So it was parts sales and things like that. So they were hot and heavy in their journey to go to the web to start to do e-commerce, and I had to spend any time in that 'cause I was doing all this. Cis admin stuff, So I had to like quickly jump over and figure out what that world was about very quickly. 'cause they were, ahead of where I was. And it was a great experience. So I ended up own owning their identity solution, which all those systems had to connect into. So that's got how I made that move. And I stayed at GE for 19 years and then, I was ready to exit. I was like, all right, it's time to go. I'm gonna exit ge. It's time. And some leaders that I had worked with in the past figured found out I was gonna leave. And one of them who I'm still friends with today, who is a CISO of, United Airlines,
Speaker 2came to me and she said, Hey, um.
Speaker 6I'm gonna be the CISO at down, at back, at Aviation again. You should come work for me. I have some jobs open. I'm like, well, like what? She's like the threat operations leader. I'm like, whoa. I don't, I've never done threat operations. And she said to me, ops, sense of urgency. You know how the threat works, right? Even though you haven't been a threat animal. Yeah. You know the state of the threat, right? You know how to collaborate, how to bring diverse teams together, how to work globally. She's like, that's what they need you for. You could do it. So I'm like, alright. So I applied for the job, interviewed, and she hired me. So I ended up staying another two years at ge. In a threat operations role. Looking back, I wouldn't change it. Because I got a lot of professional exposure from that, and that's why I'm a big, advocate for people to do internships. If, if you can do that while you're in school because you're trying on for size, what you think you wanna do. And in any profession, there's varying types of aspects of that profession. Not everything is exactly the same. So getting to try a couple different experiences, will one tell you whether really that's the profession you wanna do, and then two, within that profession, what do I actually wanna do? What do I like to do?
Speaker 5I don't know anybody that's had a clear one like this. And the people that tend to get obsessed with doing this are the ones that often aren't building the breadth of other, other experience you need to. And so I think steps backwards and steps sidewards are really important.
Speaker 6Definitely sometimes backwards. Thank you for listening to the Root To CISO Byte Size podcast. I hope you enjoyed this episode. Make sure you keep an eye out for season three of the full Root To CISO podcast. And in the meantime, stay up to date by liking, commenting, and of course subscribing to our channel. Thank you.