If you go by social media, you’d think cybersecurity was a vocation only suitable for those with an almost overriding passion. But in reality, it’s a job. An important one, but a job. So why does it seem like cybersecurity hustle culture is the dominant narrative in our industry?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is Edward Contreras, EVP/CISO, Frost Bank.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[Announcer] The CISO Series is thrilled to announce we’ve launched a brand-new show called Security You Should Know. Each 15-minute episode gives you a focused look at one cybersecurity solution with two security leaders asking the questions you need to know from a vendor. Head on over to CISOseries.com to check it out.
[Voiceover] Best advice for a CISO. Go!
[Edward Contreras] Instead of teaching cybersecurity, learn the roles and programs of your stakeholders. Make your programs so relevant to the business that they have no idea they are doing security.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series and joining me as my cohost for this very episode, it is Andy Ellis. He is a partner with the YL Ventures. Andy, how many partners are there over at YL Ventures?
[Andy Ellis] There are two partners, one senior partner and one managing partner.
[David Spark] And then you’re just a simple partner?
[Andy Ellis] I’m just a simple partner.
[David Spark] You were an operating partner.
[Andy Ellis] I was an operating partner, so I’ve moved up.
[David Spark] Mm-hmm. It seems that just partner seems less than operating partner. I don’t know, how did operating partner…
[Andy Ellis] No, no, no. Operating partner is below partner.
[David Spark] Is there such thing as an associate partner?
[Andy Ellis] We just have associates at that level because partner has sort of an implied level of responsibility that we don’t necessarily have on all of our associates, etc. Or accountability, I should say. They actually are more responsible than I am. I don’t want to make them sound like I think they’re not doing it.
[David Spark] That was my next question. How responsible are you?
[Andy Ellis] They work harder, but they don’t have the fiduciary obligation.
[David Spark] All right. Well, that is Andy. I think I cut you off in the knees because you like to do your welcome to everybody in some language. Did you have a language set up for us?
[Andy Ellis] I actually did not because somebody pointed out that if I only did other languages, that might be a problem at some point if somebody is like… The vast majority of our listener base are presumably English speakers, given that the rest of this is in English. So, good morning, folks, or depending on when you’re listening, good afternoon, good evening, or good night.
[David Spark] Our sponsor for today’s episode is ThreatLocker, the zero trust endpoint protection platform. ThreatLocker has been an absolutely spectacular sponsor of the CISO Series and will be continuing to be a fantastic sponsor all through 2025. I’ll be talking more about that later in the show. So, Andy, and I’m sure you’ve heard this line many, many times before, where people say, “Well, we’re exploring AI.
We don’t know whether we want to get into AI. We’re exploring the capabilities of all this stuff.” And what’s happening, and most notably, first Google tried to sell me Gemini as a subscription-based service. I didn’t want it. Now it’s imposing Gemini on me. I don’t have a choice at this point. Yesterday, I asked Gemini, “How do I turn you off?” And it said, “I can’t help you there.” Today I asked the same question again.
I’m assuming I’m not the only one who’s complaining about this.
[Andy Ellis] You’re probably not the only one who did that. It’s like clippy, but smarter.
[David Spark] It is a smarter, more annoying, and more importantly, what I have noticed about Gemini, and hopefully it’s getting fixed, is it’s slowing things down and causing me to… You know how when your computer goes slow and you’re typing, and it puts these weird breaks and all of a sudden what you typed isn’t coming out the way it should be coming out?
Gemini’s doing that and it’s a tad frustrating.
[Andy Ellis] Yeah. Yeah. I have noticed that there’s a lot of apps that don’t deal well with keyboard buffering, except then the app is creating keyboard buffering with latency and weird things happen.
[David Spark] Extraordinarily annoying.
[Andy Ellis] Yeah. My one requirement of anybody who builds productivity apps, if you’re a developer of productivity apps at any company, I don’t care where it is, if you are not a power user of your app, you need to be one. I’m tired of calendaring apps where very clearly the developers do not actually have complicated schedules.
Like get somebody on your team who has to go to a million conflicting meetings and manages five calendars and needs to have shared availability. It’s a disaster right now. Whatever you’re building, make sure that you’re using it and that it’s getting in your way because the rest of us would appreciate you fixing those problems.
[David Spark] Yeah. So, I just come back to the whole thing about when people say they’re exploring AI, it’s like when people say we’re exploring the cloud, it goes, “You’re already using it. It’s being imposed on you.”
[Andy Ellis] Right.
[David Spark] You don’t have a choice at this point. All right. Let’s bring on our guest. We haven’t had him on in a while, and I’m shocked that we haven’t had him on in a while because he’s one of our favorites, called “friend of the show.” We refer to our favorites as friend of the show. He is definitely a friend of the show, and he’s moved up since the last time we had him here.
He’s now the senior EVP CISO over at Frost Bank, none other than Eddie Contreras. Eddie, thank you so much for joining us.
[Edward Contreras] Thank you for having me.
What’s the starting point for a CISO?
5:04.834
[David Spark] When we talk about CISOs “speaking the language of the business,” we’re quite literally talking about translation. Now, Deepak Gupta took that to heart, outlining how organizations can start creating a company-wide translation guide for cybersecurity. This should start with a glossary and then build out with a consistent tone and style with updates driven by user feedback and changes in best practices.
Gupta also emphasizes the need to ground all these cybersecurity concepts and translations in more relatable stories and analogies. So, by the way, that, we’ve heard a lot and full agreement, but the glossary, I don’t know if anyone’s really going to do that though. I’m curious, Andy, it’s one thing to tell people to explain difficult concepts simply.
It’s another to do it. How do you break it down to find the core that will actually resonate and how do you know when someone actually gets it?
[Andy Ellis] So, I like the approach here, but I don’t like the ordering of the approach. This feels like one of those very heavyweight, like let’s do all the work before we get any benefit. And the real answer here is this is all about cultural language. Like what is the language of your culture within your organization and how are you going to change it?
And the way that you change it is not by writing a glossary and a translation guide and sort of trying to impose it all at once. Instead, you talk very slowly, you pick new things.
Like I’m a big fan of when people talk about root causes, I like to talk about systemic hazards. Like what are the underlying hazards that created risk for you? And then how did you trigger them? And that’s a really simple change, I picked it up, for those of you who are familiar with Nancy Leveson’s work around Engineering a Safer World.
Kelly Shortridge has also written a book on security chaos engineering. Like this is the underlying language we use. And you start using the language and you recognize that it’s going to be a long time before people will adopt it. You’re going to have to explain sometimes. Other times you’re using their language, but you be consistent with just a handful of words, a dozen, no more, and that’s what you go with.
And when you see what resonates, and how you know it resonates is when people start using it back to you. Then you’re like, “Okay, hazards has stuck. Now let’s talk about unacceptable losses.” And one of my favorite things, like if you don’t know what the unacceptable losses are to your business, how are you going to communicate to them about what risks are presenting?
Because if you say, “Oh, hey, Edward, I’m really worried about your bank that your planes are going to crash.” And Edward’s like, “What are you talking about? We don’t have planes. That’s not an unacceptable loss to us.” He’s got different ones. So, you then can use that, sort of talk about I need to use your language, I don’t need you to use mine.
[David Spark] So, Eddie, I’m going to throw this to you, and I’m looking this up right now and I’m going to find it. One of our most popular videos on our site, I don’t know if you know this, Eddie, is you explaining the topic of speaking the language to the business. So, you have been seen talking about this very issue.
What have you seen works in terms of sort of finding that core to get people to understand and for it to resonate?
[Edward Contreras] Well, first, that’s a shocking stat. That’s really good. I’m excited. I’ll have to get a trophy or a medal here on that and tell my wife all about it. My kids never believe me, but my wife does.
[David Spark] It’s called Do You Want to Be a CISO? Here, it came out. We’ll include the link to this.
[Andy Ellis] Get Andrew to make him a certificate and send it over because Eddie can be the second person with an Andrew certificate.
[Edward Contreras] I see the sweaters. I think certificates would hit harder. I think I like that. I like that. Well, I think the reality here when it comes to many of our programs, it’s simplicity sometimes. And I think sometimes the challenge is just the numerous amount of different terminologies and acronyms that are out there.
And so, what I like to do is really talk about common language. And common language is not as common as many people think. If I was to go into a room and ask somebody, “Spell mister,” you’re going to get multiple variations of how someone spells mister. Is it two letters? Is it two letters with a dot?
Is it the full word spelled out? And so, in the risk area, when somebody says, “I have high risk,” is that the same high meaning in terminology that your CFO uses, that your chief risk officer uses, that your auditor uses? Because I think telling the business to learn seven different variations of what high means is just a program killer.
And so, being able to first work with anybody who’s identifying risk and making sure that if we’re using a term, that we have consistency in the term. And that may mean other programs have to either change their terminology, use the same language, verbiage, and definitions that you’re using because really, it’s about making the business understand risk in a simplified vision.
And so, that type of alignment really does help. And it’s not anything about cybersecurity. Sometimes it’s really just about commonality and using the same term that everybody else is using in the business.
[David Spark] By the way, that is such a perfect, simplistic answer that so hits home. And Andy was smiling all the way through it. I mean, if everyone’s not using the same term of what high means, you’ve got serious problems, Andy.
[Andy Ellis] Yeah. So, I completely agree with that, but I want to point out the flip side of this coin, which is don’t overload a term. Like risk is one of my favorite ones. You do not have a risk, right? When people talk about it, they say, “Well, we have this risk here.” And I’m like, “What is it?
Is it a scenario? Is it a vulnerability? Is it an adversary?” We use the word risk as a singular noun to mean like 70 things. So, where you have it overloaded, stop using it for that. Risk should be about sort of this aggregate feel of how dangerous we are, right? Risk is a perception, not a specific scenario.
If it’s a scenario, talk about a scenario, figure out what that language is. So, simultaneously don’t use one word to mean many things, but if that’s happening, go find a different word.
Would this person be a good fit for the job?
11:01.615
[David Spark] “All I ever read is that you need passion, a drive. You need to live, breathe, eat, drink cybersecurity in order to succeed in it or even work in it.” Now this came from a frustrated post on the cybersecurity subreddit, and the poster wondered why this kind of hustle mentality has thrived in cybersecurity.
Some commenters felt this was just the result of the Reddit/LinkedIn echo chamber, but others pointed out that doing “extracurricular” cybersecurity activities outside of work does help you stand out early in your career. Still others pointed out that a curious and inquisitive mindset is really what you need in the field.
It’s up to leaders to “keep morale and passion in strong supply.” So, Eddie, I will start with you. Can you be a good cybersecurity professional without being insanely passionate about it? And can you think of someone who fits this bill? Like someone who’s just great at the job, but when the job’s over, they’re like, “I’m going to go lead the rest of my life.” Eddie?
[Edward Contreras] Yeah, I think there’s two ways that you can look at this and maybe I’ll use two different analogies here. When you’re in school, when everybody was in school and trying to get grades, the goal is to graduate high school, right? Now you can graduate with straight C’s, and you can graduate with straight A’s.
The level of effort that it takes to get A’s gives you more opportunities after your high school days are over. And then if you are a straight C student, those opportunities are different. And so, yes, you can graduate from high school and be in both of those areas and still be successful in life. The other analogy I would use is sports.
Think of Michael Jordan. Michael Jordan excelled in his field. And why did he excel? Because he put in the extra time, he had a different work ethic, he put more into it. Now, of course, he’s a billionaire, makes more money in marketing than he does anywhere else. But not everybody’s Michael Jordan.
He had multiple people on his team that didn’t have that same work ethic and drive. And so, yes, you can be successful in cybersecurity.
[David Spark] You can be an NBA player, essentially, without having the same drive as Michael Jordan.
[Edward Contreras] You can be an NBA player.
[Laughter]
[Edward Contreras] But the challenge is, what do you want to do with that career? If you are looking to excel, stand out, move up, and grow, there’s other commitments that are required for that. And if you want to move slower pace, then there’s opportunities there as well. So, I think it really depends on what you want to do in the field and where you ultimately want to end up will dictate how much commitment you have after hours.
But it can work both ways.
[David Spark] All right. Good analogies there. All right. I’m going to throw this one to you, Andy. We see this because these are the people who go to the trade shows and conferences. It’s kind of the echo chamber. We see it on Reddit as well. I mean, what about the person who just wants to do the job and then keep their life as separate from that as possible?
[Andy Ellis] So, let me start by saying I love the analogies. I use professional athletes all the time as analogies and they’re awful analogies. Here’s where they’re broken. I don’t know how many NBA players there are. I do know how many NFL players there are. It’s what, like 1600? That’s it. Do not compare yourself to professional athletes.
You are not among the top 1600 people in this entire profession.
[David Spark] Ah, well, hold on, Andy. Speak for yourself there.
[Andy Ellis] And so the mental logic… No, no. Very seriously. If you’re a listener to this podcast, you are not the Patrick Mahomes of information security.
[David Spark] Wait a second. Hold on. We are hoping that the top 1600 listen to this show. Stop cutting our show off at the knees.
[Andy Ellis] So, maybe one of you is the Patrick Mahomes, but we have more than 1600 listeners. There’s a lot of folks. There’s a different way that development happens among elite organizations where it’s like it’s cutthroat. If you cannot maintain your role in the top 1600, you’re gone. You’re off the NFL roster.
That’s it. There is no tolerance for I’m a B+ player who gets my job done but that’s it. I’m not trying to keep developing, nope.
[David Spark] No, I get it, yeah, yeah. So, the analogy doesn’t fit fully here.
[Andy Ellis] I need you all to really understand that. But let’s dig into sort of this original complaint, which is, oh, my God, do I need to live, eat, breathe? Here’s the real answer, which is ultimately your career success is going to come down to two major factors. There’s a lot of luck, a lot of opportunity, but how much you develop, how much are you growing, and what are you getting done?
That’s it. Time doesn’t actually matter. I know a lot of people who hustle and work a lot, but they’re not developing themselves and they’re not getting stuff done. So, it doesn’t matter that they’re putting in 80 hours if it’s 80 wasted hours.
Conversely, I’ve known people who, in their 40 hours a week, they’re learning all the time and they’re getting stuff done and they get more opportunities to develop, and they can take advantage of those. But yes, in general, if you go say, “Oh, I want to learn about this new thing, so I’m going to go home tonight, I’m going to turn on my AWS account, stand up some new RDS, do some various things,” you have developed yourself.
You learned a new skill that is valuable. You get to make a choice as to whether you want to do that or not. Your employer needs to decide. If they want you doing that, they should find time for you to do it within what they pay you if they think that’s an interesting thing. But yes, the people who are going to spend their time wisely and then spend more of it are going to get a leg up.
That’s just reality.
Sponsor – ThreatLocker
16:35.906
[David Spark] Our sponsor this week is ThreatLocker. And please, please stay tuned for this because this is pretty awesome. And they are such great supporters of the CISO Series, and what they’re doing, we’re very impressed with. So, cybersecurity isn’t just about fighting fires. We kind of all know this.
It’s about making sure they never start in the first place because that’s the best fire to fight, the one that never happens, right?
So, that’s where ThreatLocker actually comes in. With ThreatLocker’s deny-by-default approach, nothing runs on your network unless you say so. It’s like having a digital bouncer guarding your organization, keeping out ransomware, zero-day exploits, and sneaky supply chain attacks. Plus, you get a full audit trail of every action because visibility is power.
ThreatLocker’s US-based support team makes setup seamless, so you can stop worrying about vulnerabilities and start focusing on what matters most. That’s why thousands of companies trust ThreatLocker to keep their business running and secure. Take control of your business’s cybersecurity today. Just go to their website, ThreatLocker.com, to learn more.
It’s time to play “What’s Worse?”
17:54.512
[David Spark] All right. It is now time to play “What’s Worse?” Eddie, I know you know how to play this game. Andy, you know how to play as well. And this one’s quite unusual. This comes anonymous. I know this person very well, but it is anonymous because they are actually going through the struggle that is this “What’s Worse?” scenario.
All right?
[Andy Ellis] Mm-hmm.
[David Spark] So, I will make you answer first, Andy, and then Eddie, you can agree or disagree. I like it when you disagree with Andy. Here we go. What is worse? A great leader in a cybersecurity startup where your options will likely never pay out. So, you get options for the company, and you have a great leader, but your options are probably going to never pay out.
[Andy Ellis] I take offense at this one. As somebody who invests in a lot of companies that give people options. Come on, they’ll pay out.
[David Spark] Hold on. That’s scenario number one.
[Andy Ellis] You said a great leader. Is this the person is the great leader? I’m just trying to…
[David Spark] You work for a company. You work for a company, the leader is off the charts phenomenally. You’re learning a ton from them. They’re great.
[Andy Ellis] Oh, I see. Okay.
[David Spark] But the options for this company are never going to pay out. It’s never going to happen. It’s going to fail.
[Andy Ellis] Okay. Probably because they have a cybersecurity leader too early.
[David Spark] That could be the problem. I don’t know yet. Or the other option is your leader is the most toxic mind and soul draining leader at a cyber startup that will likely pay out. Which one’s worse?
[Andy Ellis] So, I like this one because this is purely subjective. Just to be very clear, it’s about what do you want? I don’t think there is a right or wrong answer that a lot come into. So, kudos to the person who’s wrestling with this. I’m going to assume that one of the… Here’s the challenge, which is if these are early…
[David Spark] By the way, he didn’t tell me, but I’m guessing he’s dealing with scenario number two right now.
[Andy Ellis] Right. So, I mean, is this supposed to be early stage, like earlier than series C versus later?
[David Spark] This is all I got. This is what he gave me. Feel free to early stage this, late stage. I mean, obviously, if it’s a late stage and it’s going to be bought tomorrow, hold on, you know. [Laughter]
[Andy Ellis] Right. Well, the challenge is in an early-stage startup is where your options are likely going to be the most valuable, assuming it succeeds because you got priced in very nicely. There probably shouldn’t be a cybersecurity leader that early unless they’ve got massive valuation with a lot of money to burn.
[David Spark] Well, they just say a great leader. It’s a cyber startup. It’s the leader at a cyber startup.
[Andy Ellis] Oh, so maybe it’s not actually about the CISO, maybe this is just about who’s building the company.
[David Spark] Right.
[Andy Ellis] Okay. Are you okay with me editing that to be clear?
[David Spark] Yeah, yeah, yeah. It can be. Yes.
[Andy Ellis] Okay. We’re going to say this is about the company leadership, not the cyber team. Okay. But you’re a cybersecurity company. Well, I guess the question is, what do you want? Are you willing to put up with working for awful people for a little while? Let’s assume they’re not evil, they’re just awful.
[David Spark] You just don’t know how long a little while is. A little while could be a long while. You don’t know.
[Andy Ellis] A little while could be a long while. If I was going to go back and answer this one in 2021, I would tell you, “Get out of that company because there are not going to be very many good exits for the next three years. We didn’t know that three years ago, but now we do in hindsight.” But I think it’s going to come down to what are you really looking for?
You’re looking for the people that are going to develop you. You’re going to engage, but it’s a steppingstone for you to learn and grow, and you’re going to get your next one. Or are you looking for the money? And you really want that big payout? You want to be part of a thing, even if this team is awful?
But here’s the important thing to remember – are you going to cash in your options early? If you think the options are going to be worthwhile and they’re priced at a penny, then the day you get them, you should deem them to have been exercised, file the IRS form and basically pay for it upfront. Because then you also get the capital gains tax on them instead of an income tax later, always a wise thing to do.
But yeah, it’s going to be a trade-off. I kind of don’t want to answer this one. If it was me and you said, “Andy, you have two years at a company.”
[David Spark] But the thing is, if you know what the endpoint is, that’s the thing is it’s a very different story here.
[Andy Ellis] Right.
[David Spark] You don’t know what the endpoint is.
[Andy Ellis] Right. But if the person is claiming likelihood, so that’s what I’m trying to figure out. It’s like how are they defining likely for either one of these exits?
[David Spark] Likely 1 year, 10 years. Who knows?
[Andy Ellis] Yeah. Is it likely over 10 years? Likely over 5 years? See, I’m fortunate that for me, I’m saying I want to go for the place with the people who are amazing because I’ve had several successful exits. This is really easy for me, as somebody who’s had some success, but let’s just be very honest.
[David Spark] Figure you’re right out of the Air Force and this is what happened to you.
[Andy Ellis] Yeah. I worked for some people who were not the best managers ever, and I made a ton of money. So, I guess I have to go with the, assuming you’re at the startup to make money, then working for the one that’s not going to succeed, probably not your way to go.
[David Spark] So, A is the worst scenario. The first one.
[Andy Ellis] A is the worst scenario in that case, assuming what we’re assuming about where it was.
[David Spark] Right.
[Andy Ellis] Me coming right out of the Air Force, I want the success.
[David Spark] All right. Eddie has been very polite and quiet while you have been bantering this back and forth.
[Andy Ellis] And laughing at me silently.
[David Spark] Eddie, you have the floor, which one’s worse? And by the way, have you faced any of this or have any friends who have faced this?
[Edward Contreras] That was a journey that Andy went on. I was like, okay, he’s going to land on something here and I just wasn’t sure where it was. I had the wrong thing.
[Andy Ellis] I wasn’t sure either.
[Laughter]
[Edward Contreras] So, me being from the Silicon Valley originally, working during the dotcom days and seeing so many broken dreams and so many wishes and wants of, “If only I would have waited a little bit longer, if only I would have not joined the company.” And you always hear the Monday morning quarterback afterwards of all the decisions that you should have, could have, would have made.
The one that always pays out is relationships. And I think if you look at it from that perspective, option A absolutely is the better option where B is not, even though there’s quick riches…
[David Spark] Maybe not quick, there will be riches.
[Edward Contreras] Riches at some point. Yeah. You get riches. And I think what people don’t realize is those networks, those friendships in the long run, they do pay out, and they may be that long-term yield that you were hoping that turns around at some point in time, that guarantee. They usually do if you actually have a good leader that you can work with.
Typically, good leaders spawn new good leaders. And so, if you’re looking at how many companies are going to come from a failed company that eventually will take you on, I think that’s absolutely worth its weight in gold. But I think the challenge here is that you’re walking away from the money, right?
And so, if you’re playing the long game and you understand how money is made, then you typically would know that the stock market always goes up eventually. And so, if you do that with that vision in mind, I think option A is the better option. B is absolutely the worst of the worst because quick money isn’t always good money.
So, that’s my thought.
[David Spark] And it’s not guaranteed quick money. That’s the other thing.
[Andy Ellis] It’s not guaranteed quick money.
[David Spark] We’re saying more likely.
[Andy Ellis] But we’re sort of guaranteeing no money in the other one.
[David Spark] Yeah. The first one’s guaranteed. You’re going to be poor coming out of that.
[Andy Ellis] You’re basically going to hang out with somebody who’s a great leader, but not a good businessperson, who’s going to drive a business into the ground. You’re the last one in. Three years later, you walk away with nothing. And your team never grew. You didn’t get a lot of development. These are things you have to trade off.
[David Spark] By the way, I got to assume this happens all the time.
[Edward Contreras] Oh, yeah.
[Andy Ellis] Yes.
[Edward Contreras] It absolutely does.
[David Spark] Like people are struggling with this constantly.
[Andy Ellis] Yeah. The vast majority of startups don’t succeed.
[David Spark] Yeah.
[Edward Contreras] And I think another thing that a lot of your listeners need to be aware of is what’s the difference between an option and a restricted stock unit.
[Andy Ellis] Yes.
[Edward Contreras] When someone’s coming to you and saying we have all this promise and you’re likely to be on the positive end of this, what’s your financial commitment to actually execute that? And I think some people just don’t understand the difference between what stocks are versus other types of stocks.
[Andy Ellis] Right.
[Edward Contreras] So, there’s some learning curves there as well.
[Andy Ellis] Yeah. And where are you priced? What’s on the cap table? What’s the current valuation? There’s a whole bunch of interesting things in there to pay attention to. But here’s going to be one piece of advice to folks because I have seen people who’ve made this mistake, which is they made the choice to go for the better environment.
Fine choice, go for it. But because they fell in love with the leader and the team, they did not leave when it was time to do so.
[David Spark] Good point.
[Andy Ellis] And always recognize that at the end of the day, when they run out of money, this is not a family. Startups are not families. Nobody there is actually going to take care of you. You might become friends, but at the end of the day, it’s still a business. And if it’s a business that fails, they’re not there to take care of you.
They have a fiduciary responsibility to what’s left for the shareholders.
[David Spark] And there’s a way to walk away to maintain those relationships because of what you said, Eddie.
[Andy Ellis] Yeah.
[David Spark] The long game, relationships always pay out. And I couldn’t agree more with that one. They always do.
[Andy Ellis] Yep.
[Edward Contreras] And if you think about what goes on in these tech companies and in these areas where you have, unfortunately, companies that don’t make it, you have serial entrepreneurs, and they don’t stop at one failure. So, sometimes one company goes down, two, three, four. Most of the successes that go on right now with these companies have a series of failures.
And so, if you know who those serial entrepreneurs are and you understand what they’re capable of, it does kind of give you that upper hand as to making that decision.
[David Spark] Let me throw another sort of twist to this because this is something that actually happened to me. I had someone who approached me, two people I used to work with, one guy I thought the world of, great guy. I think either he threw me business, or I threw him, I can’t even remember but couldn’t think more highly of him.
The other guy, a complete schmuck, hated him, didn’t like him at all. Yet the two of them decided to partner. And I go, “Why? You’re great. You’re not. What’s going on here?” And they wanted to do business with me. I’m like, “Well, half of this equation I like, [Laughter] the other half I don’t.” Have you run into something like this where there’s literally a dichotomy of like, “Yes, happy to go here, but what’s going on here?” Either of you?
Yes?
[Andy Ellis] I mean, we certainly see it. We’ll see founding teams where we’re like, “We love one of the founders.” And one of these founders, we’re like, “How do you get them off the team?” But sometimes it’s the right person in the right role. It’s like, oh, we actually want a person because who they’re selling to needs that type of a personality, but maybe we don’t want to invest.
Maybe we don’t want to do business with you, but good luck to you.
[David Spark] Mm-hmm.
[Andy Ellis] Here’s another thing. If you make friends with somebody in the industry and then they come to you with a business opportunity, this is not your friend anymore. This is your business partner. Make the decision. And if they’re a friend, they’ll be polite about it. They’ll be like, “Hey, it’s great to talk to you.
I really appreciate the opportunity, but I’m not doing this.” I say no to a lot of things my friends bring me.
[Edward Contreras] I think Andy just agreed with me.
[David Spark] Hold it. Andy just agreed with you. There you go.
[Edward Contreras] I think Andy just agreed with me that those friendships are the most valuable because, yeah, that’s when those offers come, right? It’s like, okay, I made that relationship. Now you can choose to accept it or deny it. And this has happened to me, David. It has happened. I used to work at a company in the Bay Area.
And most people, when you work for the government, you typically ended up at either McAfee or Symantec. This was like pre-Mandy [Phonetic 00:29:10] days.
[David Spark] Yeah.
[Edward Contreras] And so, when Symantec was out there and doing what they were doing, they were known as the acquisition company. They came in and they just acquired companies. Well, through that process, you realize very quickly what was success and what was not successful in that model. And then it just so happened to be a lot of them came out to do their own companies, and they built that model that you just referred to, David, where this one person, phenomenal to work with, and this other person, oh, wow, I don’t know how much greatness I can take with this relationship here.
[Laughter]
Where can we cut costs?
29:42.754
[David Spark] A 2024 ISC2 Cybersecurity Workforce Study found that 24% of respondents reported layoffs in cybersecurity with 37% facing budget cuts. So, doing more with less is imperative for a lot of organizations. Phillimon Zongo outlined some strategies and most are people centered. He suggests CISOs actively nurture psychological safety to promote teamwork and experimental thinking, dismantling command-style structures to make staff feel more valued and hiring a team with more diverse backgrounds to better compensate for blind spots.
All issues we’ve talked about many times on this show.
So, his other big suggestion is killing fuzzy and sacred cow projects for more high-impact ones with measurable outcomes. Andy, you’ve spoken about that. So, I’ll start with you. If you’re dealing with a shrinking budget and layoffs, how do you manage the team that’s still there? So, people are walking out, and I’m sure you’ve dealt with this, and the people who are left are getting kind of scared.
I mean, these are some basic good advice in general, but is there something you do different when that moment happens?
[Andy Ellis] So, yes, I’ve gone through this several times. And the very first thing is the phrase “doing more with less” should never come out of your mouth.
[David Spark] Mm-hmm.
[Andy Ellis] Do not say those words. It is the fastest way to build disengagement in your team. Because here’s the real answer. If you could have done more with less, then you could have done more with what you had before. And if you’re only going to try to do good leadership when you’ve had a layoff, what are you doing wrong?
That’s what you’re basically telling people. What “do more with less” means is I need you to deliver more, but I’m not going to help you. So, don’t say those words, even if that’s what you’re trying to do. And that’s your nuance. And what he’s suggesting is that. Kill the projects that aren’t producing value, kill the things that are make work, put things on life support.
The getting rid of the command style, this is not actually about making staff feel valued. It’s about letting staff do the things that they think matter. If I say, “Here’s my outcome, I don’t care how you do it.” Give me my outcome. And if they can do it in 10% of the time, fantastic. Get rid of 90% of the make work that was showing me how you did the work.
[David Spark] Eddie, I throw this to you. A, have you had to deal with this where staff had to go, and the people left are a little scared? How do you reinforce the ship still sailing?
[Edward Contreras] I think everybody’s kind of gone through this at some point in time in their career. I think one of the things you look at is do you follow the 80/20 rule and how many of your efforts are following that rule? Because sometimes the shiny, fuzzy, exciting thing may be solving for something that people liked but may not be what the masses need.
And so, when you’re going through some time of turmoil, sometimes you have to find a project and say, “Okay, how can we now bring something that 80% of the group will feel is appropriate?” And of course, it’s not a great answer, but it gives you the opportunity to deliver. It gives you an opportunity to be of value.
But you do expect that in return, there’s going to be recognition. Right? And so, yes, while you’re doing, and I think you’re not supposed to say the phrase “do more with less,” while you know you’re in that system and you know you’re working in that model, the reality is you can still make a lot of people extremely pleased with the products that you do deliver.
And so, it is just probably rethinking and refocusing how your program’s delivering and then making those adjustments.
Those are conversations that most leaders have to have at some point in time. You never know what can happen. Economy, pandemic, remote work, government changes. There’s a lot of things where people may be internalizing the same thing that the sky is falling, and you just never know when it’s happening.
I think the scenario you gave, though, is just kind of like the blatant one in your face where everybody’s realizing it. But I think at some point, most people have some of these challenges going on at all times. So, having that 80/20 rule will sometimes help.
Why are we still struggling with cybersecurity hiring?
33:41.715
[David Spark] “You need to assess the intrinsic aptitudes and attitudes that are essential for great security leaders.” Google Cloud CISO Phil Venables wrote a blog post that goes past technical qualifications of a job candidate and digs at some of the harder to gauge elements that organizations should be looking for.
Some of them aren’t too surprising, like curiosity, critical thinking, and team building. But some of them sound much more daunting to assess, like compatibility with your existing company culture, moral courage to stand their ground against disagreements, and the ability to build influence. So, I’ll start with you, Eddie, on this one.
Which one of these examples I threw out is the hardest to draw out and how would you go about it in an interview? On either side, for that matter?
[Edward Contreras] I really look for somebody who’s receptive to feedback. I think that, for me, it’s a really good quality. You don’t always have to be right. You don’t always have to have the last word. But if you’re willing to receive feedback, good or positive, that means you’re probably somebody who wants to learn.
And if you are in a room with a lot of alpha type egos or blue type personalities where everybody’s a technical expert, and you walk into that room and try to take command of the room, it may not end well, right? And for whoever’s in the room, not for you, maybe for some of the people in the room. So, being able to sometimes listen and understand, okay, what are my weaknesses?
What are my strong points? And do I always need to talk? Right? Sometimes the quiet voice, when they do talk, leaves the longest and lasting impression there. So, I look at qualities like those. I know they call them soft skills, but I do look at those qualities and I see Andy’s face and everybody talks about it.
I’m using the phrase that’s industry known as soft skills. I absolutely think those are critical and core skills. Those skills are absolutely needed.
[David Spark] He’s giving you the thumbs up now. [Laughter]
[Edward Contreras] They’re absolutely needed because, again, you can be the smartest person in the room, but if you don’t know how to deliver a message, it’s not going to land with anybody. So, those types of skills are the ones that I typically look for when I’m recruiting talent.
[David Spark] All right.
[Edward Contreras] That was a roller coaster, Andy. I seen you. You were like, “No, don’t say it.” [Laughter]
[David Spark] Just everyone listening right now, in the video, Andy was cringing at the beginning when he said soft skills. And then when Eddie said critical skills, he gave the thumbs up. So, yeah, there was a little of a roller coaster of emotions for Andy.
[Andy Ellis] It’s one of my soapboxes. I hate that phrase. But Eddie’s right. That’s what everybody uses. I think the real key thing here is the ability to communicate. At the end of the day, the job of the CISO is about convincing people to do things they were not going to do, except that you convince them to do it, and communication is your most powerful weapon.
You are a coder of the human brain, whether it’s going to be communicated voice, PowerPoint, whatever. How well can you tell a story that changes somebody’s model of the world? That’s what I want to look for. So, one of the questions I love asking when I’m interviewing people is I say, “Tell me about a technology that you love, you find life changing, whatever, explain it to me.” I don’t care.
You want to talk about, I guess since we’re using a Phil thing, I’ll say, “You want to talk about Google Workspace? Be my guest. Tell me how that’s life changing.” Talk about a microwave, a shoelace, I don’t care what it is, but what I’m trying to figure out is, can you explain this in a way that’s relatable to your audience?
[David Spark] Yes. I literally just had this experience in a series of interviews we’re hiring right now. And I was trying to get the person who we’re hiring who didn’t have specific experience of what we’re doing to relate what he’s doing to us. So, in the example, he said that he designed logos, and it was hard to get information.
I’m like, “Okay, well, let’s discuss. You’re going to design a logo for us. How do you begin the process?” And he goes, “Well, what do you want?” And so, I started giving the sort of generic answers that people give, “Well, I want something clean and professional,” [Laughter] just something that gives you no information.
And then from there, instead of asking me more questions, he goes, “Okay, well, this is what I’ll give you.” And I’m like, “You’re designing a logo on just that?”
[Andy Ellis] Yep.
[David Spark] And I realized he couldn’t communicate. He didn’t know how to start prying me and asking me questions.
[Andy Ellis] Right. Couldn’t explain the process in a way that gets you in it. Like, I want to explain the risk management process in a way that gets my engineers to be like, “Oh, I could just do that myself. Why do I need to call the security team?” Fantastic. You didn’t call us before, but now you’ll at least do the risk management in your head and that gets us further along.
Great.
[Edward Contreras] And I also think if you think about all these different security groups across all these different companies, if it was just as easy as delivering a message, you can just copy and paste that from the internet. You do have to do your interviews. You do have to understand how does it land with the company?
What’s appropriate? How much of this is necessary on day one versus year one versus year five? And so, you take it in bite sizes. You do have to interview, you have to talk to them, you have to challenge them, and you have to understand what are you passionate about? And if you were to talk to David and say, “Hey, what makes you smile?
What makes you happy? What do you like to do on your free time?” Does a logo come from that conversation, right? That’s a lot different than, “I know how to do logos.” So, yeah, I think that’s something that you have to be able to draw out of some people.
Closing
39:11.183
[David Spark] Well, thank you very much, Eddie. Thank you very much, Andy. That brings us to an end of the show. I want to thank our sponsor. That would be ThreatLocker. Remember, ThreatLocker.com. Not hard to find. It’s spelled the way it sounds. Just type it in your Google or put a .com at the end of it.
Eddie, any last thoughts about our conversation today? What I always like to ask, are you hiring?
[Edward Contreras] Thanks for having me on the show. I really appreciate it. I enjoyed not only this series, but all the series you have out there. It’s really engaging. So, if you’re not listening to everything that’s on CISO Series, make sure you do listen to it. They’re great episodes. I’ve been sharing them with our team.
[David Spark] Why don’t all guests say this?
[Andy Ellis] So that you can be one of the top 1600.
[David Spark] By the way, he’s saying this because he wants to come back again. But even if you didn’t say it, you’re coming back again, Eddie.
[Edward Contreras] I want the certificate, David. I want the certificate. And yes, we are hiring. So, if you live in the state of Texas and we do offer remote, but for HR reasons, the state of Texas is our boundaries. Please reach out. We have a lot of positions open across our program, not just in security, but in other areas of risk.
So, absolutely look us up.
[David Spark] Awesome. Thank you very much, Eddie. Thank you very much, Andy. And thank you very much to our audience. We greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.
Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.