ITSPmagazine Podcasts

Establishing a New Standard for Cybersecurity Professionals Worldwide: Addressing Trust, Standards, and Risk for the CISO Role | CISO Circuit Series with Heather Hinton | Michael Piacente and Sean Martin | Redefining CyberSecurity Podcast

Episode Summary

Join hosts Sean Martin and Michael Piacente as they sit down with cybersecurity leader Heather Hinton to discover how a pioneering organization is transforming the role of CISOs by introducing professional standards, accreditation, and advocacy to elevate cybersecurity as a recognized discipline. This episode explores the critical skills, challenges, and systemic changes shaping the future of cybersecurity leadership in an increasingly complex threat landscape.

Episode Notes

About the CISO Circuit Series

Sean Martin and Michael Piacente join forces roughly once per month (depending on schedules) to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards of the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity for business and society. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

____________________________

Guests: 

Heather Hinton, CISO-in-Residence, Professional Association of CISOs

On LinkedIn | https://www.linkedin.com/in/heather-hinton-9731911/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Michael Piacente, Managing Partner and Cofounder of Hitch Partners

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

LevelBlue | https://itspm.ag/levelblue266f6c

ThreatLocker | https://itspm.ag/threatlocker-r974

___________________________

Episode Notes

In this episode of the CISO Circuit Series, part of the Redefining Cybersecurity Podcast on ITSPmagazine, hosts Sean Martin and Michael Piacente welcomed Heather Hinton, seasoned cybersecurity leader, to discuss the evolving responsibilities and recognition of Chief Information Security Officers (CISOs). Their conversation explored the transformative work of the Professional Association of CISOs (PAC), an organization dedicated to establishing standards, accreditation, and support for cybersecurity leaders globally.

This episode addressed three critical questions shaping the modern CISO role:

  1. How can CISOs build trust within their organizations?
  2. What is PAC doing to elevate cybersecurity as a recognized profession?
  3. How can CISOs prepare for increasing scrutiny and legal risks?

Building Trust: A CISO’s Key Responsibility

Heather Hinton, whose career includes leadership roles like VP and CISO for IBM Cloud and PagerDuty, underscores that trust is foundational for a CISO’s success. Beyond technical expertise, a CISO must demonstrate leadership, strategic thinking, and effective communication with boards, executives, and teams. Hinton highlights that cybersecurity should not be perceived as merely a technical function but as a critical enabler of business objectives.

The PAC accreditation process reinforces this perspective by formalizing the skills needed to build trust. From fostering collaboration to aligning security strategies with organizational goals, PAC equips CISOs with tools to establish credibility and demonstrate value from day one.

Elevating Cybersecurity as a Recognized Profession

Michael Piacente, Managing Partner at Hitch Partners and co-host of the CISO Circuit Series, emphasizes PAC’s role in professionalizing cybersecurity. By introducing a Code of Professional Conduct, structured accreditation programs, and robust career development resources, PAC is raising the bar for the profession. Hinton and Piacente explain that PAC’s ultimate vision is to make membership and accreditation standard for CISO roles, akin to certifications we've come to expect and rely upon for doctors or lawyers.

This vision reflects a growing recognition of cybersecurity as a discipline critical not only to organizations but to society as a whole. PAC’s advocacy extends to shaping global policies, setting professional standards, and fostering an environment where CISOs are equipped to handle emerging challenges like hybrid warfare and AI-driven threats.

Preparing for Legal Risks and Industry Challenges

The conversation also delves into the increasing legal and regulatory scrutiny CISOs face. Piacente and Hinton stress the importance of having clear job descriptions, liability protections, and professional resources—areas where PAC is driving significant progress. By providing legal and mental health support, along with peer-driven mentorship, PAC empowers CISOs to navigate these challenges with confidence.

Hinton notes that PAC is also a critical voice in addressing broader systemic risks, advocating for policies that protect CISOs while ensuring they are well-positioned to protect their organizations and society.

Looking Ahead

With goals to expand its membership to 1,000 and scale its accreditation programs by 2025, PAC is setting the foundation for a more unified and professionalized cybersecurity community. Hinton envisions PAC becoming a global authority, advising governments and organizations on cybersecurity standards and policies while fostering collaboration among professionals.

For those aspiring to advance cybersecurity as a recognized profession, PAC offers a platform to shape the future of the field. Learn more about PAC and how to join at TheCISO.org.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Establishing a New Standard for Cybersecurity Professionals Worldwide: Addressing Trust, Standards, and Risk for the CISO Role | CISO Circuit Series with Heather Hinton

Sean Martin: [00:00:00] And hello, everybody. You are very welcome to a new Redefining CyberSecurity Podcast here on ITSPmagazine. I'm Sean Martin, your host. And as you know, if you listen to the show, I get to talk to cool people about cool things, all cyber, helping the business grow and stay safe. And, uh, I don't know that many cool people. 
 

That's why I know one in particular, Mr. Michael Piacente, and he's, uh, he's the one that's connected to lots of, lots of amazing people, and, uh, he's brought with him Heather to the show, and, uh, Heather Hinton. I'm excited to get to chat with her. Michael, how's it going?  
 

Michael Piacente: It's going well. I, I, I, I got to meet a cool person when I met you. 
 

So, you know, that's how the love affair started.  
 

Sean Martin: You're too kind. This is starting to remind me like the, uh, the episode we did in Vegas.  
 

Michael Piacente: A little bit. Yeah. When Heather and I, uh, when Heather sees the awkward stares from one another, then, uh, [00:01:00]  
 

Sean Martin: That's right. Well, this is, this is really cool. Uh, it's part of the, uh, CISO Circuit Series that, uh, Michael and I do every now and then, when we can both find time on the calendar that aligns. 
 

We're not someplace else from our home. Uh, and we can actually have a, have a chat with somebody who is also available. And, uh, usually folks in the CISO role and connected to the security community are often very busy. But, uh, we, we get to talk about the CISO role and, and the experiences people have and, and how that connects to business and ultimately society as well. 
 

Um, so Michael, uh, what are we doing today?  
 

Michael Piacente: Yeah, today, uh, first of all, I, I know you're in LA, so just wish all the good people of LA, uh, safety and, and, uh, peace down there. Um, so, I know you're right in the thick of it there, uh, so, uh, be safe down there as  
 

Sean Martin: well. I echo those sentiments as well.  
 

Michael Piacente: Yeah, so, um, yeah, so, uh, today, uh, we wanted to introduce, uh, Heather Hinton, um, [00:02:00] who, uh, and, uh, Heather, I apologize for the adjective, but I view you as very much a luminary in the, um, cybersecurity world. 
 

Um, you've kind of forgotten more about this business than most of us have ever learned. Uh, and I had the honor of meeting you a couple of years ago. Um, and, uh, just really gotten to know you a bit, uh, through PAC, which we'll certainly get into, but just a little, a little bit about your, your background. I'd love to understand sort of the 
 

maneuvering. As a, as an exec search guy, I'm always interested in people's histories and how they came to be where they are today and what sort of formulates their opinions. And so, um, I know you, you know, Heather started out, uh, actually in college, uh, school, uh, University of Toronto. Uh, PhD in electrical and computer engineering, a master's, uh, to, to boot. 
 

Then, um, uh, I think you started at Accenture, which for those who are, uh, under my age group, uh, that is now, uh, excuse me, Andersen, that is now [00:03:00] called Accenture. So, uh, Andersen with an E N at the end, we used to always make that mistake. Um, then you went off to be a professor, adjunct professor, which is really fascinating. 
 

Um, and then, then it was crazy. Then you went, uh, spent a long time over at Tivoli, um, distinguished engineer among other things. Um, uh, you ended up as the VP and CISO for IBM's cloud unit, uh, for quite some time, a decade or so. Um, and then, uh, uh, stops at RingCentral and, um, excuse me, my computer's about to go dark on me. 
 

Uh, RingCentral and, um, and I actually met you, uh, when you were the CISO at PagerDuty, Um, and it was just, uh, kind of an honor to watch your, um, your trajectory. And then, uh, then you've been, uh, kind of the founding members, one of the founding members, along with, uh, our mutual friends, Val and Tyson [00:04:00] Kapsinski and, and, uh, Steve Zielinski and a lot of others for this amazing organization called PAC. 
 

Uh, Professional Association of CISOs. So let's kind of start at the beginning there and, uh, kind of how, um, from a wee, from a wee young lady, um, where did this all start and, and just anything you want to cover in your background, because I always think it's super fascinating to, to, to look at your history. 
 

Heather Hinton: Thanks. Thank you for that really kind introduction. Um, so I described my security journey sort of as a random walk. I think in many ways I am representative of many people who end up as a CISO in that we have done all sorts of different things and in doing so have built up a, a resume of lots of different experiences, which are all things that are needed to, to be a CISO. 
 

When I started, there was no such thing as CISO, to be clear, right? I started in security before Steve Katz. So, you know, that's part of how I've been able to do so many [00:05:00] things. I've been around for a while.  
 

Michael Piacente: Pre SK is a long time ago. 
 

Heather Hinton: Yes. That's right. Um, and I think what brought me into security to start with, and what has kept me there is that this really fascinating combination of really interesting problems that directly impact people. 
 

It's one of those few areas where you can be a technical expert, and you have to be aware of the impact of what you're doing on people. And this started with, originally with the Morris Worm, which was an incredibly cool and exciting and intellectual exercise that completely got out of control. And, you know, what we don't really remember, or what we, really focus on is the impact on the people, right, on Bob Morris Senior, on, on Bob Morris Junior. 
 

And that was for me this incredible revelation in terms of how technology and in [00:06:00] particular security, um, is such a double-edged sword. It can be used for good. It can be used for bad and play such an important role in what we do, and as we have seen, you know, the internet grow, as we've seen, uh, banks go online, as we've kind of worried about how do I identify my, who I am, how do I do identity verification online, I used to go into the bank or into the post office, how do I do that now, when I can claim to be Mickey Mouse, and, you know, unless somebody's already pick, picked Mickey Mouse as an email address, I get it. 
 

Um, and so one of the things that has just been consistent through every role that I've had is, what are the security implications? What does it mean for products, for how people use them, for how people think? How do we develop them? How do we think about threats? How do we think about risks? And then what's really emerged, I think, in the last 10 years is an awareness of the broader cybersecurity landscape [00:07:00] of the nation states of cybersecurity. 
 

Now, to be totally honest, as a new element of warfare, right? So we now actually talked about kinetic warfare versus cyber warfare and hybrid warfare. We haven't started really thinking enough about that as a society, but I think that's kind of like the next big thing. And when we look at emerging technologies like AI, what is that going to do for how we go down that path? 
 

How we protect not only ourselves, our organizations, but society. That's probably a whole separate other conversation, but it is, um, you know, just to go back to what I said at the beginning, it's one of those things where there is always an interesting problem, and that interesting problem always impacts people, and that's what makes this such a fun place, and that's what I think drove me to being a CISO in the first place, was being able to help influence that to make everything be better, and that's why [00:08:00] I'm so attracted to what we're doing with the Professional Association of CISOs, or the PAC, and that is really trying to, um, make sure that the practice of cybersecurity for all cybersecurity professionals, not just CISOs, is one that is recognized, has standards, that we hold ourselves accountable, and that we're paying attention to not just what we need to do with this tool, but what we're doing within our team, for our company, for, for a society. 
 

How do we talk about cybersecurity when we're at a dinner party and someone tells us that they don't have MFA on their bank account, right? We need to, to really broaden the appeal and understanding of the role that cybersecurity practitioners play within society. We need to be treated as and viewed as the same type of stakeholders as lawyers, as accountants, as medical doctors, you know, [00:09:00] those other very, very well established professions. 
 

Sean Martin: Yeah, I want to jump in, Michael, if I can, because the, um, I kind of shivered a little bit when you mentioned Tivoli, um, my experience, uh, building products in the past and trying to use some, some of that stuff to make things happen. But I guess when I look back over time and the role of cybersecurity and the evolution of the CISO, I think it's a bit of a double edged sword, a blessing and a curse in that. 
 

Many, many of us were involved in trying to figure out how to make the business run with technology.  
 

Heather Hinton: Yeah,  
 

Sean Martin: and then, and then this, this new fancy word comes around now about resilience. It wasn't necessarily a theme back in the day necessarily, but resilience became an issue connected to cyber threats and the role of security started to blossom and [00:10:00] I I guess what I'm trying to say is we, we didn't have the security knowledge. 
 

We're still trying to understand technology as well. And we evolved with that. And then we've started to grow with the expansion of the threats and, and that type of thing today. I'm wondering your, your perspective on this. Do you find that new security leaders don't have that, that trajectory of just understanding how business runs, how to use technology to enable it, and there's a lot of focus on what security is and what threats are and what risk is. 
 

And we kind of missed some of that stuff. I'm just wondering. 
 

Heather Hinton: Yeah, no, I think you're 100 percent spot on. I think that, um, security is a highly technical field. Most of us did grow up technical and, uh, some of us kind of just landed in cybersecurity, but other people are legitimately pursuing it as a career, but it has always been very technically focused, right? 
 

And when [00:11:00] you think about it, when people think security, right, often, if you say, I do cyber security at a dinner party, people say, they used to say passwords, and then they would say encryption, and then they would say pen testing, but they would always come up with these very targeted and kind of almost narrow definitions of what they thought it meant. 
 

But they were always technical. They are always technical. Nobody says, Oh, you're helping to protect the business from bad guys, right? You are enabling the business. So that they can succeed to provide, uh, services and products to customers that, you know, are going to help the customers grow their businesses that are going to protect everybody's data. 
 

We don't, we don't think about that often enough, and that's one of the areas that we really, as part of our growing up as a profession, really need to focus on. We really need to start to understand that, um, while we are there to keep the bad guys out and to help and to make sure that we can [00:12:00] recover quickly when they get in, not if, right. 
 

But we are doing this in service of the business, right? Not in service of keeping the bad guys out. We are doing this because there is a business that needs protecting and that business has data. It employs people. It provides a service. And until we really start to embed that in our thinking, we're going to stay pigeonholed in this very technical role where we're kind of pushed off in the corner. 
 

We're given a, you know, at the Christmas dinner, we're the one at the kids' table. We're not at the adults' table. But as we start to learn how to speak business, to understand trade-offs, to understand that, you know, there, there are going to be situations where we don't get to do what we as security people think absolutely has to happen because the business has said that is really important. 
 

But unfortunately, these other seven things are even more [00:13:00] important. So how do we manage this situation? It's one that is extremely emotionally difficult for us because we view our role as protectors. And it's really hard if you think about it as a parent, right? When you are a parent, you want to protect your child from every single possible threat. 
 

And it's really hard the first time they go off on the bicycle all on their own, going down the street to see their friends, because you're going, what can happen? But you have to let them do it. 
 

Michael Piacente: Uh, first of all, a great question, Sean, and, um, uh, lady, fine. Ladies and gentlemen of the, uh, of, of the audience, this is what a luminary sounds like. So, uh, there you go. So my earlier comment, uh, just amazing insight. Uh, I, I was gonna, uh, circle back to PAC because, um, you know, forgetting that I actually am involved in this and I've been in this, on this journey, it is an amazing journey of advocating and having this, the origin of this organization. 
 

I'm curious [00:14:00] as to if you can help the audience understand, how has it morphed over time? Right? So we started somewhere. And at one point, and now it's moved into a different direction. And I think that's a really important phase, and I'm curious if you can kind of enlighten us on that. It's a, such an important organization. 
 

Um, and I, I refer to it almost every day, uh, in my discussions with CISOs, uh, the advocacy that it provides and the education. So I would love to hear more about how it's kind of worked over time. And, you know, what are some of those expectations for scope moving forward?  
 

Heather Hinton: Sure. And, you know, it's really, I'm going to start with the origin story because it's actually very interesting. 
 

Um, you know, we know that both Tim Brown and Joe Sullivan have incurred pretty eye bleeding bills for legal defense for themselves. And a bunch of people started looking at this going, wow, that could be me and I would lose my house. I would lose my retirement plan. How would I pay for my legal defense if something like this happened? 
 

And so a group of people got together and said, well, clearly we need to [00:15:00] have a professional liability insurance offering for CISOs. And as is always the case when you're doing these kinds of things, right? Insurances want, insurance companies, they want their, for them, there's safety in numbers, right? 
 

That's how they build actuarial tables. It's how they amortize their risk and their costs. And so the insurance company said, well, that's really great, but we want, we want to be dealing with a professional association. Because that's part of how we're going to manage our risk. And when we started looking at this, we said, okay, we need an association. 
 

Fine, it's a way to get people together. And then we really started digging into what other professional associations do, the history, how long medicine has been a profession, and legal, and actuary, and accounting, and, you know, you name it. And we, we really started, had this aha moment that in order to be viewed as, you know, that level of profession, right, to have, if you walk into a party and you say, I'm an [00:16:00] engineer, people go, oh, you know, you're an engineer, right? 
 

We want people to say the same thing when you say I'm a cybersecurity practitioner. And we found that really, we needed to have a code of professional conduct to hold ourselves accountable for what are the best behaviors for integrity and honesty and transparency, and we needed to have standards, right? 
 

What, what does the CISO look like? What is the CISO responsible for? What are they accountable for? How do they, what are the skills and the expertise and the leadership competencies that we expect them to have? And every time we peeled the onion and kind of what a professional was, we sort of found another area where we need to grow up as a community of cybersecurity practitioners. 
 

And we're having a professional association will help us with that growth in that leadership. And so now what we've done is we've built out an association and we have, um, all of the makings of the [00:17:00] type of discipline and respect that you get with these other, um, professional associations and professions as a whole. 
 

Michael Piacente: Interesting. Yeah. Yeah, it, it's been fascinating to watch and I, I, I, again, I've had a, uh, kind of a front row seat to the evolution of this. So, um, I'm a bit cheating here, but, um, but I, I'm curious as, uh, where is, how has it morphed over time? I mean, that's, um, you know, we started here and then, um, how big is the organization, you know, who should be, who should be looking at joining this, um, you know, this is an opportunity to, uh, get the word out. 
 

I, I still think a very, very small fraction, despite all of the, um, uh, marketing and whatnot behind, uh, the talking about it, this is, uh, this is our megaphone. So we want to make sure we get the, uh, the word out to everyone too. 
 

Heather Hinton: Yeah. And look, I'd love the numbers to be even higher than they are, but we officially launched in October and we're well over a hundred members now. 
 

So I think that that's great. My goal is, [00:18:00] you know, I would love for us to be at a thousand members within the next 18 months. I think that that's, it's aggressive, but it's achievable. Who should join? I think, um, want-to-be CISOs, deputy CISOs, early career CISOs, um, mid career CISOs, established CISOs. 
 

Everybody that wants to play a leadership role, whether it's with a CISO title, or as the head of application security, or the head of the tool, or whatever. I mean, honestly, we are, um, we're called the Professional Association of CISOs. But the intention and expectation is, is that we are there for all cybersecurity practitioners. 
 

I think that everybody that wants to be able to say to themselves, I am holding myself accountable to this high bar through our code of professional conduct, should consider joining. I think that everybody that [00:19:00] wants to have a career as a CISO or as a, a CISO, you know, a cybersecurity leader, should join because we've got programs in place to help you network, develop the skills to work with executive recruiters such as yourself, Michael, to do things like make sure that when you get that job offer, it properly states the things for which you are responsible, for which you are accountable, that that offer includes the protections that you need, that you are being set up for success. 
 

When you go into a company right from day one, and, you know, we do that by partnering with executive recruiters, and then your continued success happens because we are helping you with the standards of, uh, skills, expertise and leadership competencies that you need to help grow both yourself and mature your company through its cybersecurity journey. 
 

Michael Piacente: Yeah, and by the way, thanks for saying that [00:20:00] on the executive recruiting side because it does. I mean, we, we will not run a, we will not run a search unless the client commits to either full indemnification or placement on the policy at a level. Yeah, we haven't done it in three or four years. 
 

We're certainly not about to start doing it. Um, if clients don't understand the ramifications of that with all the evidence that's out there, it's not just Tim and Joe, it's a couple dozen others that haven't been publicly named. Right. So, um, it's, it's not a flash in the pan that is never going to happen. 
 

Yes. Those, those particular situations have very interesting circumstances that surround them, that make them unique, but it's much more common right now. Um, and as much as the final rule attempted, uh, and then first, you know, first, first try, right? Uh, it didn't have the teeth to push back on the organization. 
 

So CISOs are definitely on an island. Um, I think very few people understand that still. And so it's great that PAC is [00:21:00] behind that. Um, and, and, and it's not, uh, it's, it's not just come in and, and just have a stamp of approval, right? It's, it's the, there's quite a bit involved in the timing and the scope. 
 

Um, you have an, you know, attestation and accreditation. So I wonder if you could cover that a bit, um, uh, in, in, in what is involved when someone does join.  
 

Heather Hinton: Sure. And, um, so we don't, we don't require or expect that everybody goes through this overall lowercase accreditation process. But one of the things that we believe is that just as, you know, lawyers and doctors and engineers and so on have to demonstrate competency to be able to practice, 
 

we are taking the same approach and we're doing it, we're rolling out a staged approach to demonstrating these skills. And we spent a lot of time looking and researching, sort of, how do you [00:22:00] really acquire skills, right? You learn them, you go to school, you learn them, you take some tests, and then you go and practice them, right? 
 

And, you know, you, this, and it's very similar, right, to how do you learn to ride a bike, right? You're going to fall off the bike a bunch of times, you're not going to be really great, but you keep practicing and eventually you become beyond proficient, you actually master that skill. And so when we look at learn, practice, mastery, that's really how we are thinking about how you go through and, and, um, go through the accreditation process. 
 

So, uh, in 2026, we'll roll out something to help with the learn and we're going to call that CISO-ready attestation. What we are rolling out right now is attestation, and that is an evaluation of your practice. How do you practice the skills? How do you practice good communication, collaboration, relationship building, strategic thinking? 
 

And so we, we, you build a leadership portfolio that talks, where you talk about [00:23:00] how you practice these skills. And we then work with you to say, you know, this is really great, you know, here's some areas where we think that you need to sort of improve or, or strengthen your practice so that you can get to mastery, and you demonstrate mastery through what we call accreditation, and accreditation is modeled very much on what you would do with a PhD and an oral examination, where you will come in and, unlike practice where you were talking about what you did, for accreditation we're really looking at hypothetical. 
 

How would you do something? We were very mindful that we wanted to do practice before we did theory, because everybody knows how to pass a theory test, right? You study for it and you practice it. But what, what the theory test doesn't do is really poke on what happens when something really bad happens, right? 
 

Everybody knows the theory of how to [00:24:00] respond to an incident, right? I have my playbook. I follow my playbook. What not everybody knows is when that incident actually happens. And my playbook says the first thing I do is I call my CEO. But now I'm in that instance. And my team is panicking. I've got to get them under control. 
 

I've got to do all of these other things. And all of a sudden, 12 hours later and I haven't called my CEO. Right. So understanding how you practice is critical to, to get in place before you start talking about what is the theory. And so we were very mindful of this because this isn't how other, other certifications work. 
 

Other certifications work, you get a test and you get, and you, you get the checkbox. We're really, you need to practice it. You continue to practice it. And once you, we know that you know how to practice it, then we're going to start throwing those things out, theoretical situations, at you, where you can really shine and show how would you talk to the board? 
 

How would you [00:25:00] talk to the executive leadership team when you do this? So it's a, it is a staged thing. It's an evolution. It is really intended to help all levels of CISO from early career to those that have been doing this for a while. Um, had a really, really interesting conversation with somebody that I consider to be one of the greats in the CISO department the other day, and he was talking about, um, going and getting a new role. 
 

He's changing his role, and I was blown away when he said, you know, I've been doing this for 30 years. I kind of thought I knew everything. Because of what we're doing here with the PAC, and because of how we've been looking at attestation and accreditation and competencies and what we need to have in my job description and in my protections as a CISO, I was able to negotiate a better role for myself. I was able to do things that I wouldn't have been able to do without the PAC. And I was blown away, because I kind of thought [00:26:00] he's the one that knows it all. You know, so there's always stuff to learn.  
 

Michael Piacente: Right, and you have to be willing to learn. And I would agree with that. 
 

So on the exec search side, by the way, I mean, once we get through a candidate's kind of full biopsy of what they've done, how they've done it, who they did it with, you know, 80 percent of the time I spend with CISOs and other security executives is really understanding the why, and why they come to these conclusions, but also their storytelling capabilities, right? 
 

So, this is what companies are after. I mean, we're running multiple searches right now where the cognitive testing and all that is being done, but it's really more about how you frame a discussion of an experience, and evidence that you went through that, so that when you're navigating this company towards the rocky shores, they know that you're going to be a great incident commander, [00:27:00] during and post, to the media, to your board, to your team, to make sure, you know, we've got this, right? 
 

You don't have all the answers, but we've been through this. We know what it looks like. Everything is different, or every scenario is different, but you know, this is what we've done in the past. And by the way, this is what I've learned from my mistakes. That's the kind of narrative we want to hear. 
 

That's the storytelling we want to hear. If it were up to me, I would get rid of resumes in a second, right? I think resumes are a crutch. I've been very vocal about this. I think it's all about our storytelling and being able to put that into a digestible format for everyone else in the organization to understand. I think PAC brings us there; it really focuses on that thing, which is a very new muscle for many CISOs because of what you said earlier. You know, a lot of them originated from a highly technical place, and so this is not their everyday discussion, right? But they're getting much [00:28:00] better at it. 
 

I mean, it's almost unrecognizable from when we started this business to where we are now, as far as how many great storytellers there are out there. Because also there are a lot of great stories. There's no shortage of content; you're getting attacked every minute of every day by different adversaries. 
 

And so it's pretty amazing to watch. I just applaud you and the team I've gotten to know. I know most of the people on the team, the founding team, but just getting a lot closer to them and seeing what they've built is really incredible. So thank you for that. I guess, looking forward, Heather, what do you want to accomplish moving forward? 
 

I mean, this is a big year, 2025. By the way, happy new year, Sean. I didn't even say happy new year, how rude of me. This is my first time seeing you since you were on the other side of the world for like six months. But yeah, what's in store for us? We have big conferences coming up and whatnot. 
 

What does 2025 look like to you, and what does [00:29:00] success look like?  
 

Heather Hinton: I'm going to tie that into an observation that I wanted to make based on your previous comments, right? Sure. When you are going into a CISO role, trust is critical. And it takes time to establish trust. We all know that, right? 
 

You know, we want to trust and then verify. And one of the things that we believe is that by going through the attestation and accreditation process, we're going to be able to jumpstart that trust, because you're coming in with what you would call that Good Housekeeping seal of approval that says you know how to do that storytelling, you know how to do that leadership, remain calm under pressure, partner, and so on and so on. 
 

And I think that that trust and that transparency and that verification is a large part of what we want to accomplish in 2025, which is to continue to grow the membership. I would love to, by the end of the year, have taken a hundred [00:30:00] people through attestation and twenty-five people through accreditation. 
 

Those numbers sound low, but on average, on my side, when we are reviewing attestation packages, it's about ten hours a package. When we're reviewing accreditation packages, I expect that it'll be twenty hours a package for several of us. So this is a big effort on our part, because we are really investing in your career, your growth, your skills. So I would love to, by the end of the year, be at 750 members, 100 plus attested, 25 plus accredited. I would like to have been through a couple of revisions of our Code of Professional Conduct and really socialized that within the community, and started to see how people are able to use that as armor. 
 

You know, here's my armor to protect me [00:31:00] if my organization asks me to do something that's not quite right: I can say, I am obliged to do this. This is what my Code of Professional Conduct says. So I'd like to really see people using that Code of Professional Conduct to help protect themselves and their organizations. 
 

And, you know, I would really love, and this is not in my control at all, to be in a position to not have to protect CISOs, or help protect CISOs, who are being subjected to subpoenas because of activist investors or other sorts of investigations. And that's something else I wanted to just comment on. 
 

You touched a little bit on it earlier, Michael, right? Joe and Tim, that is the exception to the rule. We don't know, because they're all held confidential, the exact numbers of [00:32:00] CISOs that have been subject to investigations by the SEC, by the FTC, by investors, by whatever. But anecdotally, the number of CISOs who have been subject to subpoenas... Yes. 
 

If you've been in this space long enough, this happens to you. And so I would really like to not have to be there to help protect CISOs, but for those that do need protecting, I really want us to be there to help them, to be the people standing beside them, holding them up and saying, you've got the weight of the association behind you. 
 

We're going to help you work through this. You know, we've got a group of lawyers that are here to sort of help you. We have people who have been through this experience, so that we can help you with mental health, because it's a huge, huge toll on your physical and mental health when you go through this. We have a community that can be here to help you, right? 
 

I don't want to have to use that community, but I want it to be there. In case [00:33:00] we need it.  
 

Michael Piacente: Yeah, I love that. And you know, it's gotten to the point where it used to be the badge of honor, to know if you've made it to the CISO level, was, you know, have you been through an active breach? Right now it's like, have you been deposed? I'm now asking that question in my interviews, you know, just to see what level of barnacles this person might actually have created. And actually, next week I'm going to be on a little mini tour again with Mr. Sullivan, a three city tour. 
 

And we're gonna be talking about a lot of these subjects in our dinners, and I'm excited because he always has new and refreshed versions of everything that's going on. And for him, it's an evolving situation, Tim as well, and others. So, yeah, I mean, I would say that there are dozens of individuals I've spoken to that have been through this that haven't been named publicly. 
 

It's a pretty scary thing. I'm not saying it's going to come down on everyone, but your level of preparation and protection and proactiveness [00:34:00] around that, and where we hope to go, and your vision of success, I think is very much in alignment with the community. And so again, greatly appreciate that. 
 

Is there anything else we're missing about PAC? Is there a way that people can get involved? You've got RSA around the corner, Black Hat's not too far. I mean, are there things that people can be getting together and learning from this community?  
 

Heather Hinton: We are going to be having some events at Red Hat. Red Hat, I said Black Hat. Red Hat sounds great. Yeah, RSA. Yeah, we're going to be having some events at RSA. So, you know, we would love to have people join us, both just as members and then at RSA. We pride ourselves on sort of being by the community, for the community. So I really would encourage people who want to give back, who have thoughts about the types of things that we can do to help CISOs, who want to join and [00:35:00] help us as we refine the types of benefits, working with executive recruiting firms to help us refine job descriptions and protections for CISOs. So, you know, if you have good, bad or indifferent experience in your career as a CISO, we would really love to have you come and join us and help. Anybody that wants to come and join: we do require that you be a member, because you have to sign the Code of Professional Conduct to participate in these events. But this is not something that is US only. 
 

We are focused on the US for this year, just because logistically we have to; we can't boil the ocean. But we will be aggressively moving into the rest of the world, hopefully starting in 2026, and if somebody is in, I don't know, Germany, and they want to come and be a part and help us now, we are more than happy to have people. So this isn't U.S. only, and neither are the threats to CISOs. They are [00:36:00] not U.S. only, they are not driven by the SEC, they're not going away with the change of administration. These are global threats to CISOs that we need to be dealing with as a global community.  
 

Michael Piacente: You know, we talked about goals and what success looks like. 
 

I would like to state here that by 2027, I would like to see "member of PAC" on every job description for us as well.  
 

Heather Hinton: Wouldn't that be awesome?  
 

Michael Piacente: Yeah. And I'm happy to start that. But right now it's just going to be, like, what's that? For my clients, I'll have to explain it. But I want the client to understand that that is a certification level and accreditation that is just like, you know, if the CFO is the hiring manager, they should understand that right away. Right. Like you said, doctors have Hippocratic oaths, and lawyers, and you have a certain bar to hit. And I think this is really a special [00:37:00] organization run by very special people. 
 

It's no accident that yourself and several others who have done so much for the community are jumping in to do this. Val is incredible. He just has an engine that just won't stop. 
 

Heather Hinton: And I love... I don't know where he gets his energy.  
 

Michael Piacente: I have no idea. We'll try to get him on the episode too, Sean, but, you know, hold on tight, because he goes quick, and I love him. 
 

Sean Martin: So, and maybe we can pull something together for RSA. Yes. It'd be better than you and I just staring at each other.  
 

Michael Piacente: That'd be great. So, that was actually Black Hat where we stared at each other, but we can do that again.  
 

Sean Martin: Yeah, we can do that. And Heather and a few others as well. I think that'd be fun. Yeah, that'd be great. We'll have space there in the broadcast alley.  
 

Heather Hinton: So, I wanted to say, for those people that want to find us, we are TheCISO.org. We have a web page where you can go and start to see some of our stuff. You can apply to join from [00:38:00] there. I'm Heather at TheCISO. 
 

So if somebody wants to ask about the association and you want to do it privately, I'm happy to answer your emails. I'm not always the greatest at... You know, I don't sit in front of emails, so I kind of look at it once a day, but I promise that if people have questions and they want to reach out, I will answer. So I wanted to get that in, Sean, just because I'm looking at the time and I wanted to make sure we didn't lose that piece. 
 

Sean Martin: I love that. And a gazillion questions, and I don't know, maybe we can have another conversation on some of the inner workings. And, yeah, because we talked briefly about CISOs being on an island, you said that, Michael, and this being an accreditation to present the CISO in a trusted way, and I think there's the other side of that coin, right? 
 

So, the insurers, the hiring organizations, the boards, [00:39:00] CC, right? The work that you're doing initially is designed to protect the CISO and give them some of that backing. But I think there are other parties that also want to verify and trust what you're doing with this group too.  
 

Heather Hinton: So Michael didn't ask about five years, but five, ten years from now, I'd like us to actually be required to be accredited and licensed the way a doctor is. I would like us to be, when somebody in government has a question about the CISO role, right, one of the entities that they go to. We are able to help lobby for global standards, and we are a respected and sought-out advisor when governments or entities are coming up with new laws and regulations, right? 
 

We are there when the EU is setting out product liability rules, and we are able to provide respected feedback [00:40:00] that is taken into account on the implications of these things, and we are able to partner with those types of leaders to help. Because look, I started out talking about hybrid warfare and cybersecurity's role in hybrid warfare. 
 

I think that's a huge change that we're going to have to make. And if we don't have a profession that is speaking for us, if we don't have ways for us to really formalize things like information sharing, which is something I didn't talk about at all but is necessary, if we are not as a community in lockstep on what do we do, how do we talk about it, how do we share information, how do we collectively protect our organizations and our societies, you know, we run the risk of some really bad things happening. And I don't want to be that negative person, but I think that realistically we have to be paying attention to this and proactively getting in front of it, [00:41:00] and that's one of the longer term things that I think we really have to be paying attention to. 
 

Sean Martin: I love what you're doing and hopefully we can have more chats and I hope to meet you in San Francisco at RSA.  
 

Heather Hinton: Awesome.  
 

Sean Martin: And Heather, it's been amazing. Michael, as always,  
 

Heather Hinton: Michael.  
 

Michael Piacente: Yeah. Thank you. Thank you for doing this, Sean. And Heather, it is just amazing to have you. I look forward to talking to you in the next few weeks. 
 

Heather Hinton: So great,  
 

Sean Martin: TheCISO.org, check it out, join, participate, support, and please do stay tuned to Redefining CyberSecurity. Thanks everybody for listening and watching. We'll catch you on the next one. Thanks all.