ITSPmagazine Podcast Network

What Interviewing for a CISO Role Can Tell Us About the State of Cyber in Business | A Conversation with Phil Beyer | Redefining CyberSecurity with Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin is joined by Phil Beyer, former Head of Security at Etsy, to dive into the nuanced dynamics of interviewing for Chief Information Security Officer (CISO) roles. The discussion provides a multifaceted exploration of the CISO job market from both the employer and candidate perspectives, highlighting the evolving expectations and realities facing security leaders today.

Episode Notes

Guest: Phil Beyer, Owner, Getting Security Done, Inc.

On LinkedIn | https://www.linkedin.com/in/pjbeyer/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

Episode Notes

Sean and Phil engage in a candid conversation about the state of the cybersecurity job market, emphasizing the shift towards an employer's market for CISO positions. This shift has intensified the challenges faced by candidates, including navigating interviews that may reveal deeper insights into an organization's cybersecurity program and its alignment (or lack thereof) with the candidate's vision and expertise.

Phil shares his experience and observations from his recent job searches, noting the complexities inherent in the process and the importance of aligning personal values and professional goals with potential roles. The episode touches on the importance of assessing the culture of potential employers and the critical role of the interviewing process in gauging fit on both sides.

A significant theme of the discussion is the need for transparency and clear communication between candidates and employers, particularly regarding the current state and desired direction of the cybersecurity program. Sean and Phil highlight how the expectations set during the interview process can significantly impact the ultimate success of the chosen CISO in driving the cybersecurity strategy forward.

Additionally, the episode addresses the broader implications of these hiring dynamics on the cybersecurity industry and the importance of fostering a community where shared experiences and strategies can lead to more effective leadership and program development.

Listeners will gain insights into the strategic considerations necessary for both CISO candidates and hiring organizations in today's complex cybersecurity landscape, as well as the leadership and relationship-building skills crucial for success in these influential roles.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

___________________________

Resources

Rites of Passage by John Lucht (Book): https://a.co/d/3CmMMHa

2024 CISO Survey by Hitch Partners (Report): https://www.hitchpartners.com/ciso-security-leadership-survey-results-24

State of the CISO 2024 Report by IANS Research and Artico Search (Report): https://www.iansresearch.com/resources/infosec-content-downloads/research-reports/2023-2024-state-of-the-ciso-benchmark-report

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

What Interviewing for a CISO Role Can Tell Us About the State of Cyber in Business | A Conversation with Phil Beyer | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity. I am Sean Martin, your host. And I know you, if you, if you follow the show, you hear me say it all the time. I get to talk to really cool people about really cool things. And, uh, I'm always looking at how we can better operationalize our technology and our cybersecurity programs for the benefit of the business, not just to reduce risk, but to help them grow and achieve new things, perhaps even innovate and, uh, and offer new, new services to their customers and partners. 
 

Not always easy to do. Um, and of course the, the person at the helm of, of those programs typically is the chief information security officer. I think there's been a shift in. The role, of course, the, the weight on the shoulders of the person in the, in that seat, and perhaps even the number of seats available and the number of people trying to get a seat in that role. 
 

And, [00:01:00] uh, it's, it's an interesting time, let's say this. And, um, I'm thrilled to have my guest on Phil Beyer. Thanks for joining me, Phil.  
 

Phil Beyer: It was my pleasure, Sean. Thanks for having me.  
 

Sean Martin: Yeah. It's always good to see you, my friend. And, uh, and, uh, I've been, I've been I know it sounds nerdy, but I've been dreaming about this topic since you and I met a few weeks back and, uh, and discussed it in, in a little bit of detail. 
 

And I think it's made interesting conversation that the whole point, for me, is kind of the state of the CISO job market, 
 

what that looks like from an employer perspective and a, and a candidate perspective, but for me, it's also, I think there are some tells in the interviews. From a question and presentation perspective that may, might paint a different picture of the state of the cybersecurity program [00:02:00] compared to what those in the role might think is real based on what they present to their peers and the board compared to how they discuss the program with a candidate. 
 

So. That's my, that's my perception. And I'm, and I'm excited to dig in to see where, where things go with this. Um, Phil, for those who have not met you yet, maybe a few words about some of the things you've been up to. Um, I know you all were, were good friends and engaged in a number of different things, but I want my audience to know how amazing you are. 
 

Right.  
 

Phil Beyer: Well, I don't know about the amazing part, but certainly the friend part. Absolutely. Um, hi folks. My name is Phil Beyer. Until about this time last year, I was head of security at Etsy. That was my most recent role. Um, so I led a wonderful team, amazing, very talented team, very engineering driven and, and in a very dynamic part, right? 
 

That growth of Etsy through the pandemic was incredible. It was a great ride [00:03:00] to be a part of. Wonderful organization. Can't say enough good things about Etsy overall. Uh, before that I was in a variety of security leadership roles. I was a consultant in the first part of my career. So, um, LinkedIn has all the gory details if you want them, but ultimately, uh, that's my kind of path. 
 

And, and a lot of the lens through which I view, I view things very technical background, comfortable in a lot of different domains and areas. And, uh, very interested in practical. Things, stuff that works, right? The kinds of information security practices that actually get something done as opposed to the stuff that looks great on paper or checks a box or something like that. 
 

Sean Martin: Yeah. And that, that, that's one of the many things that I like about you, Phil, is you're, you're very thoughtful in, in how you approach things and how you present things and how you have conversations with others. I mean, you, you do a lot for the, the community at large. And, uh, [00:04:00] Yeah, I'm just thankful for, for having the opportunity to know you and chat with you. 
 

So let's get into you. You've been looking at CISO roles, security leadership roles over the last few weeks, months, whatever.  
 

Phil Beyer: Yeah, specifically over the last 12 months, but, but certainly also for years in, in searching for this would be back in 2019 and beginning a search that, that ultimately culminated in taking a role at Etsy, which was for all intents and purposes, it, I definitely was not. 
 

The quote unquote CISO, but I was the leader of the security program. I was the senior most information security leader at Etsy. I reported to the board on a quarterly basis, a lot of the things that, that folks would tick off in terms of their checklist of, of what constitutes a CISO role. Um, so, uh, having been in seat there and having had other responsibilities are very CISO like this has been on my mind for, for many years and the job search process. 
 

Was already complex and difficult and [00:05:00] challenging and, and emotionally trying, and it's not any easier in the current market. Before we get into that though, Sean, I, I want to say a couple things that I think are very relevant for this conversation, that bear repeating, because what we're about to talk about is far from well understood. 
 

Any kind of job search is not like systematically as a process. I realized there are a whole bunch of people and a chameleon books and even more podcasts that, that, uh, and hosts and other things that talk about being experts in job search. And I, that's certainly not me. And I don't think any of those folks are necessarily searcher expert searchers either. 
 

It's very much a non scientific process. We're unscientific or something in the sense that we can't control it. We can't measure it. We can't test it. I mean, we can't approach, we can't approach it with a scientific method. So it's, it's very. Um, easy to, the first thing here is caveat emptor, right? The buyer beware, the [00:06:00] disclaimer is anything that we're about to talk about. 
 

It's not like I have clear conclusions and a bunch of guidance to give people, Oh, do this X, Y, and Z, and everything's going to be okay. Cause that's certainly not the case, even in a perfect job market or even in. Uh, a very, uh, you know, well established and, and a stable CISO job market, which is the opposite of what we're in right now. 
 

Yeah. Um,  
 

Sean Martin: yeah, I'll just make a comment there because I, that I don't think the, the goal here is to give advice for course, for seekers. I think, I think your experience, um, paints a picture that I, I don't think many might, Think about  
 

Phil Beyer: Yeah. Yeah, absolutely. And, and that, so, so since we've, we've kind of inserted that disclaimer caveat, then I feel comfortable talking. But, um, the, the, a lot of times when, when folks, including myself, some, if I'm not careful about it, when we talk about these things, um, we can almost [00:07:00] lead the listener or lead the audience or lead the group of people we're talking to to come to some sort of conclusion. 
 

And while I might and do intend to share things that I think are relevant and important and useful for folks, I don't think That they're, that they're, uh, gospel, or I don't think that they're clear, um, especially in your own experience. So I'm in the right place. That's good.  
 

Sean Martin: The whole point of, uh, well, Mark, when I, his vision for ITSPmagazine and my show in particular, as well, is to get people to think. Exactly, there's no, there's no one right answer. 
 

And sometimes there isn't even an answer. Sometimes there's many, um, and, and I guess. So tie back to it's yes, there are a lot of numbers and data that people and organizations can pull to say, this is how things look from a market perspective in a role, whatever. Um, there is science behind that, but ultimately it's [00:08:00] person talking to a person who's hiring for a job that they're going to do that by the way, has a culture  
 

Phil Beyer: that  
 

Sean Martin: is not scientific. 
 

And so to put any. Any, any plan in place based on pure numbers and data is going to be problematic in my opinion. So  
 

Phil Beyer: yep  
 

Sean Martin: All about getting people to think. So let's, um, where do you want to start, Phil? 
 

Phil Beyer: Yeah. All right. Here's the, the, the thing that I'll say that will, could color the conversation. I think this is the first employer's market for CISOs. 
 

So if we talk about like a real estate market, right? You go out and say, it's a buyer's market. Well, uh, then, which is not what the case of buying houses right now, it's not a buyer's market. It's a seller's market, right? So that kind of economic model, we tend to understand. This is the first time in my, 
 

Sean Martin: it's a lender's market. 
 

Phil Beyer: Yeah. Good point. Good point. The folks who are making money are clearly the folks who are going to benefit from the high interest rates. [00:09:00] Um, the, the, This is the first time for CISOs, not necessarily for cybersecurity, all cybersecurity professionals, but I would say definitely for CISOs. This is the first time that it's been an employer's market, because right now, the demand is lower than it's been in many, many years, if not ever, but definitely lower than, than relatively than it's been in the past few years. 
 

And the supply is very high. So the supply of, of people on the market. Is higher. Uh, and this is by, I mean, even with your, uh, you did interview, so I've complimented you before and I'll compliment you here on air that the CISO circuit series that you do with Michael Piacente of Hitch Partners is amazing. 
 

And for the folks listening, you probably have already listened to that series, but if you haven't, stop right now and go listen to the first three there in that series, because the guidance that Michael is giving, that's much more [00:10:00] statistical, but statistics based or, or, or a database in sense of his sample size is much higher. But I can just regurgitate here, based on his information, that the number of people, the number of available CISOs in the market is a ton higher, based on his experience, than it really ever has been. 
 

And that, that kind of putting together those things. That yields in a very simple economic understanding of it's a, it's an employer's market. So that supply versus demand dynamic really is at play here. Um, it has implications for us, but, but that's, that's really what's driving a lot of this aspect of it. 
 

Sean Martin: Yeah. And I, I think. Um, I've also seen or heard of, uh, CISO roles being cut and people and leadership underneath them given the responsibility, but not the title necessarily, and they're not replacing the role with somebody else. Um, so I think we [00:11:00] see more people entering the market. As CISOs and not as many positions as well. 
 

Um, and then there's a lot of factors there too that I mean that we talked before we started about the weight on the shoulder of the person in that in that seat, the responsibility, the liability.  
 

Phil Beyer: Yeah. Yeah.  
 

Sean Martin: As well. And  
 

Phil Beyer: yeah. And clearly that's not, and we're not going to solve that problem here. And you've talked to even recently have talked to folks who are working towards not necessarily solving the problem, but addressing it all these liability issues. 
 

Certainly, they're not going away anytime soon. And, um, and whether that ends up affecting the person in the seat or the people looking for the seats or what have you, I think it's a relevant part of the conversation. It's just not necessarily something that's going to make or break. The search, right? 
 

Because the, the search, you're either in the market for a CISO role, literally like me, you know, you're, you're on the market or you're in seat somewhere [00:12:00] and you're looking for a CISO role next, or you're aspiring to be looking for a CISO role at some point in the very near future. All of those in, in all of those cases, ultimately in, in, in speaking from my own personal experience here, ultimately the liability issues just complicate the matter. 
 

They don't really make or break the decision. Um, the, the liability issues mean, well, maybe I'm going to ask for more if I get to the offer stage, maybe I'm going to ask for more, not necessarily compensation, but some more protections like people have talked about, and we can appoint folks in the right direction there. 
 

But, uh, or, um, you know, am I going to look for the kinds of things in a program that, that, that I'm comfortable with, or that I'm comfortable problems I'm comfortable solving versus things that I'm, I'm uncomfortable working with. I think there are modifiers here, but, but ultimately it's, it's probably not going to drive folks away from aspiring to be a CISO. 
 

Sean Martin: Yeah. So it's a complex, I've not done it, so I'm only [00:13:00] guessing here, but I, I'm assuming that the, the conversations are difficult to navigate. I'll just put it that way. Um, and I want your perspective on it. Cause I, I F I have a hunch that the hiring manager is Either not completely informed of the state of this cybersecurity program or is and may hold things back or is, and isn't holding things back and sharing something that, uh, is a tell for the, the candidate that says this may not be the environment that I want to be in, um, just in general, but also because of, and so when it's an employer's, Markets and the candidate has fewer options. 
 

I'm assuming you don't, you don't want to cut things off the table [00:14:00] too soon, too quickly, but you also don't want to put yourself in a position where you're, you're in a role that, that the culture sucks. The manager is not great. The program is in shambles. There's no budget that the company doesn't believe in it. 
 

It's, it's purely for compliance purview, whatever, pick your favorite thing there. So how, what are some of those conversations sounding like where you're trying to, um, Earn your spot there while also understanding what that spot really means. Are you going to go home happy or crying every night?  
 

Phil Beyer: Um, it's a, it's a delicate balance. 
 

I think you're, you're striking or you're describing the balance accurately. The, there are a few things that, that I have used. As, um, guiding principles, if you will, that helped me discern, is this the right thing to go after versus, uh, versus something else. [00:15:00] And a few of them are, are very, they, they, they limit the funnel, if you will. 
 

Right. So in kind of a sales funnel funnel concept, like I have opportunities and I have. Things that I'm pursuing in terms of, of interviews or active, active opportunities versus getting to final round or offer or something like that. And, and at the top of that funnel, like what comes in, I just don't let stuff in that many other people do, Sean. 
 

So, um, now massive caveat from before. My experience, but then also now in an employer's market. Oh, like that, the dynamic changes because you were, as you were just pointing out, well, okay Phil, you don't go after these kinds of roles and you do go after these other kinds of roles. You're not in a role right now. 
 

So does that change the things? And a the honest answer is absolutely, it does. It absolutely changes what I would normally go after versus, um, versus what, what, uh, what I would normally avoid.  
 

Sean Martin: Do you mind sharing some of that? Cause [00:16:00] months ago we, we met again. Um, I think there was a, we're in this, we're in the city we met, but, uh, uh, it was along the Hudson river there somewhere where you were describing kind of the ideal organization, what sector they're in. 
 

And so I don't know if you can describe why you, what it was, why it was, and then maybe how things have, have shifted since if they have it all.  
 

Phil Beyer: The. There's definitely, there's clear guidance from folks around doing a job search that tends to go better generally for people. It tends to go better when you have an idea of the, of the outcome you're looking for, not necessarily the job title, not necessarily the compensation, but even the target company, right? 
 

Target market, target size team. If you're a people leader, target kind of role. A lot of times that comes down to job [00:17:00] title, but it even in, I would even say, especially in the CISO job market, there's all kinds of CISOs for all kinds of companies and a CISO who is compliance focused or who has a risk management background versus a CISO who has. 
 

And a software engineering background versus CISO who has a penetration testing background. Those are very different archetypes, those three. And there's certainly more archetypes than that. Um, so understanding the kind of archetype or stereotype or what kind of CISO you are, right? That, that, that helps that your search. 
 

And then each of those archetypes is appropriate for really a subset. Of companies or opportunities out there. There are situations where a company has had one and I've talked to folks like this. There are situations where a company has had one kind of CISO and now they're looking for a different kind of CISO. 
 

But even then many of those kinds, many of those folks will really [00:18:00] think like they just have an impression of what they're looking for. They don't really have that much of an idea. You spoke to this already, but the hiring manager is Very often, like, I don't know, 90 plus percent, maybe even more is doesn't have a security background. 
 

So unless they're working with, and again, uh, call out to the kinds of recruiting firms that, that, that you're friends with, and that both of us know, unless they're working with a very experienced recruiting firm, specifically in security CISO searches, they don't know what they're looking for, uh, which makes it even worse in this employer's market. 
 

I mean, one of the key things that jumps out. That everybody either complains about or mentions or talks about, but is even worse in an employer's market of any kind is ambiguity of job descriptions.  
 

Sean Martin: So we all say, could you use the archetype, right? So that's the character. What, what story are you going to put that character in? 
 

And if you can't get a picture of [00:19:00] the story.  
 

Phil Beyer: Yeah,  
 

Sean Martin: you don't know 
 

Phil Beyer: And historically in cybersecurity. Yeah, exactly. Exactly. We've, we've, we've complained about, we've complained about ambiguous job descriptions all over the place for forever, even a lot of times about our own companies or our own, our own inability to really craft a very accurate job description for a role. 
 

We're about to post, um, but it's even worse when a company is, is, uh, knows that, that they're going to be able to talk to all sorts of talent and get a great deal on them, because it's, it's a, it's an employer's market. So like in that situation, the, the job description is not helpful. The, uh, the vertical market of the company sometimes is helpful. 
 

And if you can't work with, uh, a retained search recruiting firm, there were already kind of prequalifying. That's really why the, really the, the, the reason why you want to work with what's called a retained recruiting search firm or retained executive recruiter [00:20:00] is because they're paid in advance. And they, they essentially pre qualify the lead. 
 

This is different than most of the other kind of, of firms, which are, or recruiters, which are called contingency. So if that's interesting to you, there are, there's books about it and, and resources there, but the, that distinction tends to be my first. Criteria is the opportunity coming from a retained search firm. 
 

All right. I will, I will talk to you. Is the opportunity coming from a retained, or not coming from a retained search firm? I won't pick up the phone. It's, it's really that simple, at least historically. That's not the case anymore, for, for the reasons that we've just been talking about, but, uh, for me at least. But, uh, but a year ago, two years ago, three years ago, up until this, this latest, uh, this latest situation, my first, first, first decision making and only decision making criteria was, is a retained search firm involved? 
 

If so, I'll talk. If not, I'm not interested, because all that prequalification [00:21:00] and all the difficulty that, that we're encountering and that you're speaking to, Sean, about, well, is that what, what can I learn? What can I discern about the program through the interviewing process? What can I see through kind of classic, uh, open source intelligence, searching through what I see online about the company? 
 

Um, what can I hear from peers as I talk to them through the interviewing process? All of that is so much more complex when it hasn't been, when the lead hasn't been pre-qualified. 
 

Sean Martin: So let's talk about the, the engagement. So, so something bypasses all the filters. 
 

Phil Beyer: Yeah, of course, 
 

Sean Martin: I mean, on both sides, right? 
 

Because there's plenty of filters on the. On the hiring side. Um, I don't know, maybe, maybe a chat with somebody in the hiring, hiring role would be interesting as well. But I know in general, gazillions of candidates, a lot of filtering on the employer side, and [00:22:00] then now from your perspective, a lot of filters. 
 

So it's a rare moment that the two align. On, on paper, we'll say, right. And then comes the human element. And so what, what are those conversations like? Um, and I'm looking at it from, from a couple different things. So how are, how are you presenting, how are you, Sharing your archetype that you want to be to them. 
 

And how are you, if it wasn't hopefully enough, it was clear to say, I'm I'll take an interview to know what the setting is, what the story is going to be. How do you, how do you find that those align? Yeah, those conversations sound like, I guess what I'm asking.  
 

Phil Beyer: Yeah. I would say that right off the bat, if you're clear about, if you differentiate yourself, if [00:23:00] one is clear about who you are and that kind of, whether you use the word archetype, I don't know that I would necessarily use that for, for, for folks other than with a, with a recruiter or something who probably understands that right off the bat. 
 

And it's even telling you, Oh, based on what I'm hearing from you, Phil, this is the kind of, This is the kind of CISO that you are. Oh, yeah. Okay. I agree with you, Mr. and Mrs. Recruiter. Um, after that, after getting past that, the, that kind of screen, the first opportunity, I would think, and in my experience, to discern whether this is going to work. 
 

You're probably talking most often. You're talking to hiring manager after the recruiter. That's usually the process. Usually, if you make it through the recruiter, the door with the recruiter and the recruiter screen, you're most often talking to hiring hiring manager as that first conversation before you go into a longer, larger interview process with peers or with other stakeholders. 
 

And that conversation ends up being [00:24:00] critical for the reasons you're, you're speaking to. And that is, is this even going to work right? That based on the, the way that I work or the way that I think, or the way that I like to build a security program, or if I'm an aspiring CISO from years ago, that version of me, uh, is this the way that I want to, to build a security program? 
 

Based on the questions that the hiring manager is asking, The, um, uh, the, the thing that they're interested in learning from you and what they're willing to tell you about the person in the role previously, which is usually a fairly standard question early on. If you haven't learned that, that tends to paint that, that very rough kind of impressionist style picture of, of what's going on behind the scenes. 
 

And if you, if you figure out right away, and certainly had this experience more than once, if you figure out right away that this person that is ostensibly hiring for this role, their attitude or their approach is very different than mine. [00:25:00] Not better or worse, just different. That's a clear sign right away that either they're going to dismiss me or decline me as a candidate and then we will both move on with our lives. 
 

Or if they do advance me, I've got to, I got to understand from everybody else, whether the impression I got of a hiring manager in the, in that first conversation is accurate. And that's, that's not too difficult to, to discern as you go through in, as we ask, well, what is your impression of this person? Or how do you like working for, for, for Jill or something like that? 
 

Like that, that kind of, that, that, that stuff, because we haven't said it yet, but it, it, It's worth underscoring here that being a CISO is all about relationships and influence. It's very rarely about knowledge, technical knowledge, or, Oh, can you give the right answer when you're in front of somebody, uh, like, like doing the calculus problem? 
 

It's not really about that, like algorithmic, technical knowledge. I realized that [00:26:00] there are some exceptions. Certainly there are some CISOs, or there are some roles, where the intimate technical knowledge of an architecture or a particular market or something like that might really, like engineering prowess, might really make or break the role. 
 

I suppose that's possible, but I haven't ever been in that situation, and I've talked to many of the people I've talked to. That's not the way that they describe it. So I, I accept that there are exceptions to the rule, but generally the rule is relational. The rule is that the role is relational. And, and if you can effectively build relationships with your hiring manager, the first key stakeholder that any role has, and then the other key stakeholders, that's what you have to discern right away in the interviewing process. 
 

Is this going to be even feasible or possible based on personality and archetype and all the things we've been talking about so far? Everything else I do think, especially in in this situation now, everything else is [00:27:00] really a solvable problem. So there may very well be Like bodies buried, uh, in, in the company, they're very, uh, hopefully not literal, right? 
 

Figurative bodies, bodies, but, um, there, there may be, uh, massive holes to, to plug, uh, in the dam, right? With the more fingers than, than I have to, to plug up the dam. But you know, the other, the way that I tend to see those things, the, the like, Oh, there's, there are problems here. And, and should I be worried about that? 
 

My view, Sean is job security, man. I've got, I got work to do like that. I'm not worried about that. I'm not, I'm not afraid of that. Right. That's looking for the  
 

Sean Martin: cush, the cush. Uh, I have full support, the budgets, their teams built the, the former person in the seat. Just retired.  
 

Phil Beyer: Yep. Yep. So, um, not so secret, secret, right? 
 

So like this, this is just between you and I, right, [00:28:00] Sean. This is a, I'm about to give you the secret here. So this is just between you and I, yeah, I'll whisper it. Okay. Yeah. No, but that's not the case for anybody. No one is in that situation. No, he's in that seat. I know you. Yeah, I'm John. I, I clearly, we're friends. I know, you know that, and probably every listener knows that too. But just in case you need to hear it one more time.
 

There is no role like that. That is, it's never the case. No one has enough money. No one has a big enough team. No one has unlimited resources, and even if you had it for a, for an instant or a blink of an eye, the next, your next boss or the next CFO or the new CEO or whatever is going to rip it right, rip, you know, pull that rug right out from under you.
 

So there is no situation that is, that is, uh, that is good. I do think that it's worth looking for something that, that would be like an untenable situation. Like there, there certainly have been those, we all through the community, cause [00:29:00] everybody talks, right? We've all heard about things like that. We've all heard about folks who were set up for failure or who are just teed up to be the scapegoat or, or what have you like, definitely that exists. 
 

Sean Martin: Well, let's talk about maybe not the specifics there, but just kind of the realities of. So it is a hard job. There's a lot of responsibility. Uh, never, nothing ever aligns completely on all cylinders. No, not all cylinders are firing at the right times. So for me, that comes back to points you made earlier, where it's, it's about the people,  
 

Phil Beyer: right? 
 

Sean Martin: Right. Right. You're interacting with, and I use the word culture earlier. Uh, how do you, because. Are they honest that the program sucks? We're having trouble. We selected a platform that that's given us fits or, or we're due for an audit and we know we're going to fail and, and we [00:30:00] don't know how to get from here to there, whatever this, whatever the story is. 
 

How do you, how do you know if they're being honest in their presentation of what's really going on?  
 

Phil Beyer: If there are no, it's a pretty simple litmus test for me, Sean, if. If I ask, if I dig a little bit or ask a little bit for flaws and I don't get any, then they're, then they're, then I can't believe anything that, that they've just said. 
 

Right. Um, so basically when I've gone beyond the surface and had a, let's, let's talk real here. What are the problems? If, if that list isn't, if there isn't a list, then they're probably withholding, they're probably missing something, or it's somebody, either a stakeholder or a hiring manager, who hasn't been involved, both of which are again, I don't know that there's any red flags or fewer red flags these days for, for, for people, but that's [00:31:00] certainly something, a yellow or an orange or something that, that is to be worried about, in the sense that if you're interviewing with somebody, theoretically, they're supposed to be someone who is well connected to the security program. Um, you're not just, you're not going to interview with, uh, you know, the janitor. You're not going to interview, even most times you're not interviewing with the CEO, because for the most part the CEO is not intimately involved with the, with the security program in most companies. So the person you're interviewing with, either hiring manager or a key stakeholder, has some vested interest in the security program's success.
 

That's why they've been involved. Right? So a key aspect of that conversation needs to be, can I build a rapport in the 45 minutes or hopefully not 30 because that's hard, but 45 minutes to an hour or so, can I build enough rapport to actually ask a question like, Well, tell me what you're [00:32:00] expecting from the person in this role or in the first 90 days or, um, tell me about how you've been working with the security team over the past few years, or tell me about, um, not a flaw or something like that. 
 

Like that's a little bit too little, little too pushy. But basically, again, asking a little bit for her. Well, well, what's behind the curtains? You know, pull the curtain back for me and show me a little bit of what is there. If, if, if that's not, if that doesn't happen, then it's either difficult to build the difficult for you to build a rapport with this person, or they're hiding something because almost always. 
 

People are hiring this role, especially now because they need the role, not because they just have to have the role, at least for the, again, for the kinds of things that, that, that, that we're talking about,  
 

Sean Martin: so I want to turn the wheel slightly now and, and take the, uh, take the off ramp to, uh, maybe the entrance on the freeway, [00:33:00] you look at it to the state of. 
 

Programs based on your, your exchanges with, with organizations. So where, where you've had conversations, where you believe truth was spoken, where you got some of the insights are with respect to we're here. We need to get to here. We we've, we want this outcome. We're not there yet. These are the challenges we face. 
 

These are the areas we need help with. What, what's the state of cybersecurity? Where, where are the biggest areas where. Organizations are struggling. Is it in AppSec? Is it in cloud security? Is identity a thing? What, what are some of the things that you uncovered?  
 

Phil Beyer: Yeah. Um, I'll, I'll be, I'll admit my bias right away in the sense that because my, again, archetype or type of CISO or whatever, because I'm a, a more technical and or engineering driven style CISO, [00:34:00] those are the kinds of, Opportunities that people reach out to me for. 
 

So, um, I'll try to eliminate that bias as best I can, but I'll admit it in the, in advance here that, that that's oftentimes the kinds of conversations I'm having. The, when I'm talking to folks, it's usually because they've had either had a CISO or they, they thought they needed in the past a CISO, so there was more kind of compliance driven or, uh, or, or even risk driven.
 

I realized we all should kind of focus on risk. So bear with me in the sense that, that there are definitely folks who grow up through compliance or legal or, or risk management who have a different lens. With information security than those who grew up through operations or IT or engineering. And in, in that latter case, when, uh, when a, a CISO is brought in or when they, they promote someone to CISO who [00:35:00] really came to things with that compliance focus. 
 

Even with the, the understanding that they want to be very, a very technical person, but when their focus is on compliance, when their focus is on risk management, then, then what ends up happening is the program doesn't make, doesn't achieve things that that hiring manager or that, or those leadership that those leaders are expecting because. 
 

We should have to go on a brief kind of bunny trail here that we, we, we often talk about security as being a very difficult job, not, I mean, purely based on, on the following that when we do a great job, nothing happens, right? When security does really well at what we're, what we've set out to do, ideally nothing happens. 
 

It's a quiet day. When there's. There's very few other roles in an organization in the classic enterprise that are like that. I suppose legal is kind of like that, kind of, um, [00:36:00] and, uh, uh, and maybe there are a few others, but for the most part, that's not the case. For operations, that's not the case for it, that's not the case for engineering. 
 

It's not product. You know, you can go down the list sales with like, like everybody. They're, they're hitting some, they're going for some sort of, of metric. They're going for some sort of, they're releasing some sort of a new thing, right? A new shiny thing for the customer. Um, they're, they're delivering some value in some way, shape, or form. 
 

The value we're delivering is intangible, very intangible. Yeah. Yeah. Massively. So, and, and, As much as this is the kind of the blunt truth that that many of us need to hear, including me at different times throughout my career, the blunt truth is as much as people like the idea of not having anything bad happen. 
 

They won't really pay for it. Um, uh, if people have had [00:37:00] bad things happen in their lives, then they go buy insurance. Most of us don't because of, because of loss aversion and other kinds of cognitive biases and, and mostly, um, uh, like availability, heuristic stuff. We, if we've seen a wreck or if we've been in a wreck, then we buy auto insurance besides the fact that, that that's legally required. 
 

Um, the, similarly, we don't buy flood insurance unless I'm forced to in my house or, uh, I've been flooded in the past. You know, you get where I'm saying, right? Like we, we don't think of this risk until something's actually happened. So for those organizations where something bad has happened, then they look to the CISO
 

to, hey, make sure that nothing bad happens anymore. But that only lasts for a little while. Just like all these other classic scientific studies of this particular cognitive bias, at some point that runs out. At some point, the, like, keep, not just keep the lights on, but keep everything quiet, that only lasts for so long.
 

They only want to pay for it for so long. [00:38:00]  
 

Sean Martin: And a lot of, a lot of the job openings in event driven,  
 

Phil Beyer: uh, well, yeah,  
 

Sean Martin: ransom or they lost data and had to report. Or  
 

Phil Beyer: that's, that's part of where it's part of what I was getting to that, that there are job openings because folks are not seeing progress in the, in the, in the, the security program that they would have anticipated or expected because they, they. 
 

To think of it this way, they're buying like a risk reduction. They're buying an insurance policy in the form of a CISO, but they also expect Sean to get something out of it. So like, they're buying a policy for their car, but they expect that the car is going to get improved in a certain way. Or like you get a new paint job or, or get new wheels and, or get a replacement engine or something like that. 
 

I'm mixing my analogies, but the point being that they're expecting. They're expecting one thing and they're getting something entirely different. Really what they're just getting is a very stable, dependable car driving down the road. They're not getting improvements. They're [00:39:00] not, it's not flashy. It's not a sports car. 
 

It's not looking pretty and cool. It's not a differentiator. You know, it's none of the things that they're expecting to get. What, what CISOs are often delivering is very dependable, very stable, and very well reduced risk. And when that happens, that's when the dissatisfaction starts to happen. It starts to be introduced at the stakeholder level of, yeah, but really, this person or this program is not delivering for us.
 

Um, so we, let's, let's, let's, uh, let's either make it difficult for that person and burn them out and they'll, and they'll, they'll jump, they'll, they'll move or, um, let's, let's encourage them to move on and let's bring somebody else in. And, and that's, and that's what I was, that's where I started that I'm being brought in, or I'm, I'm, uh, oftentimes being talked to when somebody wants to bring in an engineering driven leader. 
 

Because they're looking for a security team that works better. I don't know that I've encountered any security teams that really don't work at [00:40:00] all with someone else. They just work poorly with another group. Right. Um, and, and so improving that relationship of how security works with engineering or how security works with product or something, they want to improve that or they actually want the security team to deliver something, deliver on some sort of outcomes that hasn't, that haven't happened yet. 
 

And then, um, That distinction or that maturity of our, of our role is going to continue to be a push and pull challenge. Because again, this liability stuff doesn't make it any, any easier. But the fact that, that oftentimes our incentive. Yeah. Is for nothing bad to happen, but everybody else in the organization is incentivized to make something happen, right? 
 

We're being told nothing should happen and everybody else is incentivized to make stuff happen. That's when we, we just don't look like anybody else and not looking like anybody else in this case is a bad thing.  
 

Sean Martin: So talk to me as we wrap here about the maturity of the [00:41:00] business, um, use the word outcome before, um, in terms of what you're looking for in the role. Is the, in your experience, is the business more mature in
 

Defining and articulating what the outcome is from the program that they want to achieve  
 

Phil Beyer: Bluntly, no. I, I don't think anything has changed really in the last few years. It's, it's better than it's been, you know, a decade ago, but I still think we have so much farther to go.
 

Sean Martin: What are they saying? That's misaligned. 
 

Do you think?  
 

Phil Beyer: Yeah, um, largely it's, it's incentive based. Largely the, the incentive is either, you, nothing bad should happen or, um, uh, uh, make us better compared to our peers or something like that. So like that, that's still generally what security programs come down to. There are certainly exceptions, but, but the, the vast majority of [00:42:00] expectations of a CISO ends up being, um, do incrementally better, a little bit better, uh, these things that we've talked about already.
 

And that, and that means that there really is very little understanding about the role overall or about how an information security program could become beneficial for, for, for any given enterprise, because I do think there's, there's absolutely opportunity. I don't think we're really, um, stuck, as much as we haven't worked through this, the stage of immaturity, when folks don't really know what they should be expecting from information security. It's similar to CIOs before and probably before them, COOs or others.
 

Sean Martin: I'd love to hear an executive say, we're spending, we have to be compliant, but we're spending too much money. Compliance or [00:43:00] we need cyber insurance, but we're not unable to put in place policies and controls and articulate the program in that, in that regard, in order to get the best coverage with the best premiums. 
 

Phil Beyer: True.  
 

Sean Martin: Those are kind of like business things. We're not able to get the benefit of something in the market because we  
 

Phil Beyer: Right, right. I think there's, I think there's some, some very near term possibilities that are, that are reasonable. And that is that at some point, our executive leadership should say similar things to what we try to tell ourselves in our CSO echo chamber or security, cybersecurity echo chambers. 
 

And that is, um, We exist like brakes on a car, right? If, if we want the car to go speed down the highway, it has to have brakes. It can't go faster safely. It can't go faster without a good set of brakes. And we wanna be that really good set of brakes so that when AI happens, [00:44:00] or gen, when gen AI happens, we can adopt it faster because our security team is adaptable, flexible, and can really help us accept that risk or, or enter into that risk. 
 

In a smart way, or our CSO team or their security program is a, is a strong, uh, in some particular aspect of what we do as a business. And so we're able to advance faster without. Without, uh, and make and make more money faster in some particular area or pivot quicker. Like that's really what we should be hearing from our executives. 
 

And this is again, this is not news. This is what we're telling ourselves when we are trying to articulate our value. But that's still not something that's articulate that's spoken back to us. When we, when we finally start with Sean, when we finally start hearing that from CEOs collectively, not one individual, but collectively from CEOs, from CFOs, from, um, from [00:45:00] chief legal officers or COOs, that's when we know, okay, we've reached that next level of maturity when they're starting to speak back to us, my security program is intended to help me adopt technology in a safe way. 
 

So that we can leverage technology faster to beat our, to beat our competitors.  
 

Sean Martin: And I'm just, I'm just thinking, who, who is that? If we can't say it ourselves, we can't get them to say it. And they're not inclined to say it. Um, to me, it sounds like some business architect or something.  
 

Phil Beyer: Well, I do think  
 

Sean Martin: I'm just thinking of the car analogy is somebody that decided. 
 

The better brakes we put on, the faster we can go, right?  
 

Phil Beyer: Right.  
 

Sean Martin: Because we can stop faster or the way we designed the car, it can go faster, but also handle the stoppage.  
 

Phil Beyer: So there, there certainly are some CTOs that talk this way. Some CIOs that talk this way. Some, [00:46:00] um, even probably COOs or, or presidents or others.
 

Like there are a few. And, and I think the, the. To say, to describe the progress here, that's relatively slow compared to what I want it to be, but probably not that slow compared to other professions. When more of these examples of successful leaders or companies, when they win, then their peers look around and say, huh, I wonder why, Sean, I wonder why they won and we didn't, how did we get beaten out by them? 
 

Because I thought we had a superior product or I thought we really understood the market better than they did. And when, when, uh, when somebody wins because of, yeah, uh, some sort of security differentiator or something like that, that's when it's really gonna, gonna, gonna take hold. And it doesn't have to be some massive, uh, some massive crazy thing. It could be a bunch of, of minimal or a bunch of incremental wins around that, that start to, so like the image that I have in my book or the image that I have in my head [00:47:00] is of, um, Jim Collins writing Good to Great so many years ago.
 

Um, and I realized that there are aspects of, of that, uh, that research or that study that, that, and that work that has been questioned over the years, rightly so, but, but ultimately, um, part of what, uh, either flywheel or other kinds of concepts that, that, that Collins introduced there, they've been latched onto by leaders because of folks succeeding. 
 

Over time with those concepts, and that is the same thing here that are our profession gets better or gets more mature when we share. And this is like, I haven't actually said this yet, which is surprising to me. It's been 45 more than 45 minutes, and I haven't talked about like sharing and and collaborating and being together about this. 
 

Like when we as leaders work together to advance practices that are successful and tell each other how to do it, like help each other and do this together, that's when we [00:48:00] see that success spread and it becomes more. We increase the awareness of those executive stakeholders. Like folks learn more about what works by seeing it happen in organizations and seeing leaders implement it.
 

So like, we're really all incentivized. It would be better for us to share common successful practices, not just the kinds of defensive style things like this countermeasure works or this product works, more like this program style or this, this program objective works. This, this approach to influencing stakeholders works.
 

This approach to communicating a value or communicating decisions to executive stakeholders works. That kind of a thing really benefits us in the long run as a collective group. Because each of those executive teams or boards and others, they eventually see it all, it bubbles up and they say, aha, these, this is the time it worked [00:49:00] and these other times it didn't.
 

So let's just do more of the stuff that works. Does that, does that make sense?  
 

Sean Martin: I love it. No, I know. I know. And I, uh, yeah, I think you, you're onto something there. There's no question in the community, but it's. It's really those deep conversations that  
 

Phil Beyer: this is hard stuff. Yeah. Yeah. I hope I'm not giving any impression because I certainly think in to myself. 
 

This is very challenging and difficult things. And I, um, I'm glad to have friends and colleagues and, and others I can lean on to say, hey, this is what I've tried in this situation. This is to share both, like, this is what's worked for me, but then also what has worked for you, you know, how, how have you approached this thing or have you done this?
 

Because like, yeah, the, the, the, the job is already hard enough. Um, I don't need to make it harder by, by just relying on my own intelligence and my own experience. Cause then, then it's just going to fail even more spectacularly.  
 

Sean Martin: So it's even more fun if you can find something you can [00:50:00] apply and, and see the outcome faster or better.
 

Satisfaction that too. Well, Phil, it's, uh, it's been great to catch up with you and, uh, appreciate you sharing your, your insights over the last few months and, and, uh, yeah, I know. I know you're going to, do, continue to do great things for the community and in your role. However, whenever, wherever you land and whoever, whoever that is, whatever organization that is, they're going to be in a better position by having you on their team.
 

I know that for sure. Thank you. And, um, Yeah. Any, any final thoughts before we wrap?  
 

Phil Beyer: It's been an honor. I, I, um, it's great to be on here. It's great to be able to share these things, these thoughts with folks. And if, if any of this is provocative in a good or a bad way, I welcome, welcome a conversation, uh, by all means, reach out and, and let's, let's talk about it because the, I do think we, like I was [00:51:00] saying, it, it gets better through refinement. 
 

We, we all improve myself as well as, as. This, uh, as everyone else, we improve when we refine these ideas together. So let's keep it, let's keep it going. And if, if, if this is something that's interesting, let's talk more.  
 

Sean Martin: Most definitely. Most definitely. Well, Phil, thank you so much. And, uh, for everybody listening and watching, please do subscribe and share and comment, uh, connect with Phil and, and share your thoughts with him. 
 

Post, post on social media what you think about this. What did I say that was lame? I said, no, I said something that was lame. So let me know and, uh, have a good old chat with Phil while you're at it as well. So thanks. Thanks, Phil. Thanks everybody. We'll catch you on the next episode.
 

Phil Beyer: Thanks everyone.