What happens when you gather a panel of security leaders who all happen to be bald men with beards? You get some beard grooming jokes, but also some hard-won insights from decades of navigating cyber leadership.
In June, the CISO Series hosted its monthly Reddit AMA (Ask Me Anything) on r/cybersecurity. The theme?
“I’m a CISO/Security leader. I’m also a bald man with facial hair. Ask Me Anything.”
While the setup was tongue-in-cheek, the answers were anything but. From leadership alignment and burnout to vendor lock-in and security telemetry, the discussion covered the very real challenges CISOs face, and the strategies they use to lead effectively.
A big thanks to our participants, listed here:
- Todd Hughes (u/HovercraftFlashy7039), senior compliance analyst, Harbor IT
- Josh Harguess (u/firemountainJosh), co-founder and CTO, Fire Mountain Labs
- Jason Fruge (u/Potential-Move3948), cybersecurity advisor, Risksilience LLC
- Andrew Wilder (u/CyberInTheBoardroom), CISO, Vetcor
- Rob Allen (u/threatlocker_rob), chief product officer, ThreatLocker
- Jerich Beason (u/CyberByJB), CISO, WM
- Michael Farnum (u/CybrSecHTX), founder and president, HouSecCon
- Edwin Covert (u/ebcovert3), head of cyber risk engineering, Bowhead Specialty
- Gary Hayslip (u/Shaynei), CISO, Softbank Investment Advisers
- Fredrick Lee (u/CometaryStones), CISO, Reddit
Here are some of their best takeaways from the AMA.
1. Haircuts are cheap. Good security isn't.
Q: Does being bald bring any advantages in cybersecurity? Asking as a guy with a receding hairline.
“I spend no money for barbers and I can get ready in less than 5 minutes because I don't have to brush my hair. Efficiency and cost savings are good lessons for cybersecurity professionals.”
— Michael Farnum, founder and president, HouSecCon
“You're not distracted by the superficial… All attention on cyber. All attention on protection… You're going to be so good, you're going to get tired of being so good.”
— Jason Fruge, cybersecurity advisor, Risksilience LLC
The jokes landed, and the message was real: confidence, clarity, and presence matter in leadership roles. And a little humor doesn’t hurt in this industry.
2. Know the job you’re actually signing up for
Q: Why do CISOs get fired when a company gets hacked?
“Sadly, the CISO becomes the scapegoat. This is why it's critical to thoroughly document your GRC program… get Board/Senior Leadership signoff on risk tolerance… and maintain your own CYA documentation.”
— Todd Hughes, senior compliance analyst, Harbor IT
“Culture is a combination of what you celebrate and what you tolerate. Reward the behavior you want repeated and hold people accountable who exhibit behaviors you donโt want.”
— Jerich Beason, CISO, WM
“You are not protected. Have D&O insurance. Severance package pre-negotiated. Personal Legal Liability insurance. And make sure everything is well documented.”
— Andrew Wilder, CISO, Vetcor
Getting blamed may come with the title. Knowing how to protect your reputation, and your livelihood, is part of the job.
3. What ICs don't see from the CISO seat
Q: What do security engineers at the IC level not see that CISOs see?
“Usually business alignment issues and budget constraints. CISOs have to directly take the needs of the business into consideration when making decisions… People deeper in the trenches don't usually have those conversations.”
— Michael Farnum, founder and president, HouSecCon
“As a CISO… I am talking to the business, educating the executive team and board… and getting feedback about where the company is going… I look at my security program as a service organization. We are there to serve the business.”
— Gary Hayslip, CISO, Softbank Investment Advisers
“As a CISO my role is to set the team on a path and remove any obstacles while they focus on executing… I'm looking around the corner strategizing and gaining support for the next path I set the team on.”
— Jerich Beason, CISO, WM
Security leadership requires strategic vision and patience, and that perspective only comes with time and access.
4. SIEMs are evolving, but so are expectations
Q: Favorite SIEM? Is SIEM still useful?
“I'm going to go old school and say Nitro Security. It used Flash… Searches were crazy easy. And it looked really slick. But, yeah, Flash… That was a bad idea ultimately.”
— Michael Farnum, founder and president, HouSecCon
“I honestly believeโฆ SIEM will not exist in 5 years. It will evolve into something very different than what is currently on the market due to AI.”
— Gary Hayslip, CISO, Softbank Investment Advisers
“We need some of the capabilities that SIEMs provide but we donโt need SIEMs anymore.”
— Fredrick Lee, CISO, Reddit
“Do we still need a SIEM? Why not put all of your security telemetry in a data lake and build an LLM to query it?”
— Andrew Wilder, CISO, Vetcor
If the panel is right, the next generation of security tooling will be shaped by data engineering and AI, not dashboards.
5. Avoiding vendor lock-in
Q: What do you think of big platform vendors like CrowdStrike or Palo Alto trying to own everything?
“I am not a fan of platformization. Think MS and E5. Once they get their tentacles into you, trying to rip and replace becomes next to impossible… That's why I like to keep my stack as fluid as possible.”
— Andrew Wilder, CISO, Vetcor
Follow-up Q: Are you going SIEM-less?
“I am considering the idea… But at this point it means that my SIEM is not the same vendor as my EDR or my mail provider… If my SIEM vendor were to be bought… it would be pretty easy for me to get out.”
— Andrew Wilder, CISO, Vetcor
Vendor consolidation may look convenient, but flexibility and a credible exit strategy matter more in the long run.
6. The CISO is not your frontline engineer
Q: Should a CISO engineer security tools or certify existing solutions?
“A CISO should be ensuring the overall cyber program aligns with business needs. So in a sense that is both of what you described above… At the end of the day, security (and a CISO) exists to serve a business purpose.”
— Edwin Covert, vp of advisory services, Fenix24
“A CISO should not be the primary line of defense… Engineering of requirements versus engineering of solutions, essentially.”
— Michael Farnum, founder and president, HouSecCon
“The CISO serves as a second-line resource… implementing a security strategy that avoids overall business disruption from cybersecurity incidents.”
— Jason Fruge, cybersecurity advisor, Risksilience LLC
“This depends on the type of CISO the organization needs. Early stage companies need more hands-on CISOs but CISOs in the Fortune 500 spend more time interfacing with execs.”
— Jerich Beason, CISO, WM
The definition of “CISO” is shifting, but alignment with the business is the throughline.
7. Five things every security leader should know
Q: Can you make a top 5 list of DOs and DON'Ts?
“1. Know WHO's in your enterprise
2. Test your recovery plans often with realistic assumptions (annually is insufficient IMO)
3. Know WHAT's on your enterprise
4. Know HOW fast your team can respond to an incident
5. Know your backups are actually immutable”
— Edwin Covert, vp of advisory services, Fenix24
Final Thoughts
This month's AMA combined humor and honesty in the best way. The “bald beard brigade” may have been a lighthearted theme, but the insights were serious. Leadership, communication, and resilience came through as the true differentiators of today's security leaders.
Read the unfiltered discussion directly on the Reddit AMA page.
Join us next time!
Our July AMA is coming soon:
“I'm a security professional who has worked in and out of Government roles. I can tell you the pros and cons. Ask me anything.”
July 27 – August 2, 2025
Tune in on r/cybersecurity and stay connected with CISO Series to participate.