"Paragliding: Security Leadership Without Fear" with Jamie Fullerton, Head of Security, Branch

S1 E2 · CyberPsych
100 plays · 1 year ago

Dr. Stacy Thayer chats with Jamie Fullerton about how security leaders can improve communication, how to get in the mindset to handle a breach, and how paragliding and extreme mountain sports compare to security leadership.  Contact us here: https://netography.com/contact/ #Netography

Transcript

Welcome to Cyber Psych

00:00:13
Speaker
Hello, and welcome to Cyber Psych, a Netography podcast where we talk with industry professionals about the human side of technology, how it relates to the field of security, and how it impacts the overall business. I'm your host, Dr. Stacy Thayer, and I'm a cyber psychologist and senior manager of research and engagement at Netography.

Meet Jamie Fullerton

00:00:31
Speaker
So I'm excited to say that I'm here today with our special guest, Jamie Fullerton, head of security at Branch. Jamie has had a long career in information security, starting his early days as a professional hacker to today where he helps organizations build security programs. Jamie's built security programs for startups and enterprises and his work in software vulnerability research and exploit development has been widely published.

Building Security Teams

00:00:54
Speaker
And he's here today to talk about some of the challenges of building security teams from both the business and human perspective.
00:01:01
Speaker
So Jamie, it's awesome to have you here today. Hey, thanks. I appreciate it. Thanks for having me.
00:01:07
Speaker
So we were talking a little bit before actually hitting record as we do. Wanted to just kind of kick off though with what are the foundations of building out a security program? So let's kind of start at ground zero and what is it that you've done? What's your experience been? And then we'll kind of get into the nitty gritty of the cheers and tears of it all. Yeah, sure.
00:01:31
Speaker
Well, first off, I'm a big believer that it starts with the team that you build. And that's a very non-Kool-Aid topic, I think. There's no Kool-Aid here. It really is about the team that you build. When you're building a security team, especially a new security team or new security program, you have to admit to yourself a few things. You're probably never going to have the size of the team that you want.
00:01:58
Speaker
and you're likely going to have to do whatever you can with whatever you have. You're going to have to start by focusing on the fundamentals, the important things that all security programs hold as important. At the same time, you're going to have to be ready to pivot strongly in any given moment. And you can't be chasing shiny things and bright lights, but you have to maintain those fundamentals at the same time as being ready to pivot quickly for the business as things evolve.

Security in Startups vs. Enterprises

00:02:29
Speaker
It's different for folks who are just getting into building the program or building the first or early stage security program at a smaller or perhaps loosely formed company than it would be at a Fortune 50 company where you've got a lot of past experience, you've got sizable teams and sizable resources. So I think that's where it starts is
00:02:51
Speaker
is that initial spark of what you're going to create, the strong foundations of what you need to be successful, and then being ready to adapt quickly, grow quickly with that small team and take on different scenarios as they come at you, typically at high speed with tight deadlines. Yeah.
00:03:09
Speaker
A really good point, I think, about setting expectations, realistic expectations. One of the things is I've talked to people about burnout and stress and everything. On one hand, we need more talent, but there just aren't enough resources to be able to hire the talent that you need. So many programs are just understaffed. Yeah, it's true. And I think the common joke in the security industry is that it's job security. There's not enough of
00:03:39
Speaker
of us in the industry to solve the problem. I think that's great and funny. But at the same time, it is a very difficult sell to come into a place that's trying to get its footing overall, that maybe it's a business that's trying to reach profitability.

Proving Security's Value

00:03:55
Speaker
Maybe it's a company that's trying to find a fast exit strategy like an IPO or to run through an M&A.
00:04:02
Speaker
Or maybe they've got a really tricky market they're working in. It's highly saturated and they're focusing all their efforts on the competitive advantage. How do we gain the upper hand here as a business? And here you are coming in to build a security program. And to be frank, a lot of times that's a method for adjusting the risk-reward relationship for that company. And you're there to
00:04:24
Speaker
slow things down and be more careful and guard against risk and that's sometimes the antithesis to moving faster and reaching that profitability goal or that IPO goal. You have to go into it ready to get your hands dirty and you have to go into it knowing it's going to be a tough sell the entire way until you can convince
00:04:46
Speaker
the organization, the business, that your presence is impactful in improving the overall decisions and outcomes that the company makes. And as we're a new thing, security teams and programs being a relatively new thing, there's not a lot of backstory there. Like there would be a core financial organization or a sales organization. So you have to go into this thing like being ready for that, being aware of that.

Aligning Security with Business Goals

00:05:11
Speaker
Yeah, that's actually a problem I hear a lot: how do they communicate the value to the board, if they even have a board seat? And what's the business argument for security? Like, at a previous job I had worked in the developer community and it blew my mind how easily they just got funding. Oh, I need a new hire. Boom, no problem. You want a $40,000 sponsorship for a six-foot booth? Sure. We have that for our developers. And it was like,
00:05:36
Speaker
the land of milk and honey compared to the security industry and what resources they get. How can they communicate their value or what advice is there for that? Because that's a big stressor for a lot of security leaders. Yeah, it's true. So you mentioned the board and I think that's really important. And this is another recent history thing where it wasn't too long ago where the CISO role really became a thing.
00:06:04
Speaker
an accepted industry standard thing. And it was even less common for that type of role in the company to be connected to the board. So as quickly as you're able to as a security leader, this is highly dependent on, again, just the structure of the organization. You want to have your program elements, your discussions, your talking points, your goals aligned as closely as possible with the overall business goals.
00:06:32
Speaker
And then you really want to get face time at the executive level and the board level. It's really challenging because we're still at that phase where a lot of security leaders are more IT focused, more technology focused. Maybe that's not the right way to say it, but they're not as sales and revenue and book-of-business focused as they are technology focused.
00:06:58
Speaker
So I'm sure we'll talk about balance there a bit, but really get yourself in there and aligned and be at the table when these discussions happen, when budget planning happens, when resource planning happens, when people talk about expectations for revenue and they talk about expectations for bringing a product to market. You've got to be there in that maybe new and uncomfortable way where you're not talking about securing the network or securing the platform or securing the thing.
00:07:25
Speaker
with technology solutions. So it's a really interesting thing, I think. It's funny that we've known each other a really long time and longer than either of us, I think, could count as we were talking about earlier. But for so many people who got into the security business, it was all about your technical acumen.
00:07:48
Speaker
It was almost just like, you know, back in the day we never talked to business. No, it was always technical gaps. And now people are in these management positions, and what's stressing them out is basically this balance of technical knowledge, or people who have worked their way to that leadership role due to their technical acumen.
00:08:10
Speaker
And so it seems to me that a lot of security leaders really have to have that technical acumen to be able to speak to their staff and the people who are working for them, because you go to, you know, a conference like Black Hat versus, you know, some of the other conferences, or DEF CON or RSA, and everybody's kind of got their own views
00:08:27
Speaker
about whether or not something should be more technical or business. What do you think is, I mean, that seems like a huge challenge for security leaders to be able to balance that acumen of business and knowledge. And then of course, I'm here throwing in, you also need to know the human side of it. But we'll get to that later. But anyway, that's my question for you.

Balancing Technical and Leadership Skills

00:08:46
Speaker
Yeah, for me, it's a balancing act. And I came into this, much like a lot of our friends and colleagues, as
00:08:55
Speaker
a technical ability thing. My career started with the ability for me to hack fast and hack well. There's a lot of early ego around that and a lot of early pride around technical skills. I'm still very much involved in the day-to-day technical things
00:09:12
Speaker
as the head of security. I actively still read and write code. I actively still get involved in our cloud infrastructure. I have hands on the keyboard frequently, and it's a muscle that I still train actively. I still go out and learn new programming languages, learn new technologies. And I feel like I had to be fast on my feet and also leverage my experts on my team and know when my boundary ends and theirs begins. But that other side of it is
00:09:39
Speaker
as important, if not, on a daily basis for me and my role, more important: that I have to speak to the business about the business. For me, the turning point was coming out here to the West Coast and working for one of the well-known companies out here in the Redmond area and meeting the executive team and coming in as a hair-dyed, traditional 1990s hacker persona.
00:10:05
Speaker
and going in and talking to those executives and having them look at me like I was some strange on-fire creature. And I spent a lot of time after that reflecting, like, what am I doing wrong here? And it was literally that I just did not have the lexicon to talk to people who made multibillion-dollar business decisions, you know, from meeting to meeting throughout the day. I am a huge believer that you maintain the balance there. And you have to shift that balance occasionally
00:10:35
Speaker
for the moment or for the situation. So there are times when I put down the keyboard, the code side of things entirely for weeks and months on end, and I focus purely on strengthening my business interface game. And the human thing, I think, I'll probably generalize here, but for a lot of us who are nerdy hacker types, we're not people people.
00:11:00
Speaker
And that thing in between the business side and the tech side, the people connector there is the thing I think gets most overlooked and under-exercised there. And that's the thing that joins both those sides together. So what I'm saying is you can be really good at the business side of things. You can be really great at the technology side of things and still not master the whole puzzle because maybe your people interface skills are not where they need to be for the situation that you're in.
00:11:28
Speaker
What I'm saying is that if you're going to be the head of security or a CISO or however you want to name that thing, you've got to be ready to play the full game. And it's not always a fun game to play, but you've got to admit to yourself, you've got to take that leap from one side to the other, whichever direction that is, you've got to commit to that. That may have scared a whole bunch of people away from wanting to be a head of security, but I mean that from my experience: you have to engage in the full spectrum of the game. Yeah. Yeah.
00:11:57
Speaker
Yeah, it's funny in talking about how you and I have known each other. And so, for those listening, Jamie and I worked together back when I was working on SOURCE Conference. This is 2000...
00:12:07
Speaker
No, 2009 we did SOURCE Seattle and we had two tracks, business and technology or security. We weren't quite as old as we are now, but still seeing this coming down the pike: the business of the security industry is coming. It's coming fast and furiously. And how do we bridge that gap between security and business? And we were trying to answer that question in 2008, 2009 with the group of
00:12:35
Speaker
the advisors and everything. And it's so great to talk to you now. You know, we've got a few more gray hairs here and a little more experience, but there's still that the same the same problem and looking around like
00:12:49
Speaker
that understanding of everything, as you alluded to, it's stressful for the security industry and for people and leaders. How often do you see, when you're working with your team, when you're working with other security leaders, why do you think it is so stressful to them? And what do you see is the effects of that? How do you see that stress burdening and playing out for them? Yeah, I see it every day. And even earlier today, I had discussions with people I work with about stress.
00:13:19
Speaker
I can say this safely, confidently, that this is the most stressful part of my career I've ever experienced. To the point where I've remodeled a lot of my life around it.

Stress Management in Security

00:13:31
Speaker
I'm a very physical person outside the office. I spend a lot of time in the mountains climbing and flying and doing extreme mountain sports and things. And that for me is like,
00:13:42
Speaker
a stress balancer. Same with my teams, you know, I encourage discussion about it. We talk about it frequently and openly as a team, how we manage our stress. And we talk a lot about what people do outside of work or during work, how they manage that stress. And if you ask me, you know, what is the source of that stress, like what makes that stress? Again, I'll defer to something I said earlier, this thing that we've
00:14:11
Speaker
been a part of and that we largely have helped build over the last few decades is new and shiny. And there's a lot of unanswered questions. There's a lot of unexplored territory, and we're still having businesses and other organizations collectively learn how to get the most out of that. And again, tying that to the earlier comments of your team's never going to be as big as you want it to be. And there's not enough of us to field the whole problem. I mean, it's really kind of a
00:14:39
Speaker
if not a perfect storm, at least a pretty strong one. And until we have fundamental shifts in the investment in security teams and programs, widely adopted by differing organizations, and in how they perceive size and effectiveness or resourcing effectiveness, I think it's going to stay this way for quite some time. So, you know, I don't have the best answer about why the stress exists beyond this is a new thing and we're all trying to figure it out.
00:15:06
Speaker
And it's in high demand and there's a lot going on and we're a fast-paced type of environment anyway. But also, just how many security teams and how many security leaders take the time out of their day or their week to sit down with their team and just dissect the stress, the stressors and the way that the team moves, and understand, like, how can we affect change here beyond the standard offerings of things that you get from, say, your HR teams, which are really helpful,
00:15:33
Speaker
but we are in this weird niche here. So, you know, we got to take ownership of it obviously, but we're still exploring that. And so again, like this is definitely the most stressful thing I've ever done in my life. It is incredibly stressful to be a CISO, but I love it. I love every minute of it. So I spend a lot of time like thinking on it and dissecting it and trying to guide my team through it, hopefully to positive effect. I like the fact that it,
00:15:59
Speaker
The only way to get through it is to go right through it, right? To the heart of it and address it full on. And that's taking on a lot. So I'm thinking of the CISO: not only are you responsible for making sure that there are no breaches, that all your vendors are in line, you know, so there's that technical side of it. Then there's the business side of it. And then, right, we're throwing in the human side of it.
00:16:26
Speaker
Do security leaders, A, have the bandwidth to take that on? So if you're managing a team of five or six people, not only you've got the business over here, the tech here, and then your team. And then also, as we said, not everybody is comfortable with that human personal side.
00:16:46
Speaker
If you've got a security leader who maybe isn't comfortable going through and saying, okay, we're all going to talk about what the stress is. I mean, I've heard everything from, like, there's no such thing as soft skills, you know, suck it up and deal. And not everybody thinks that way, and that's good, but there are definitely some people who work for people that have that attitude, and they're flailing. How can we help security leaders manage everything like that coming at them? All of those pillars to worry about.

Addressing Bandwidth Issues

00:17:14
Speaker
Yeah, it's interesting. I guess I'll lead with, there isn't enough bandwidth right now, just generally speaking. I think some security teams and programs have it easier than others. I think that that's a fair assessment. There's never enough time in the day to get it all done. And the landscape is shifting and changing. The situations are changing so quickly throughout a given fiscal cycle. It's not like you can
00:17:41
Speaker
prepare for the majority of things you have to tackle beyond on paper. When it comes to managing it and managing it within the team and across the business, I think there's a few important things. First off, you've got to have the same level of discussion with business leadership, the organization as a whole, and the audience that's being serviced by the security team.
00:18:05
Speaker
You've got to have the open discussion about what the capabilities can be and what the expectations are and what outputs can be achieved from a security team. So when I work with C-suite teams,
00:18:19
Speaker
oftentimes the CEO is very vocal about their time and their bandwidth and their availability, and they've got this very nicely established shield of corporate administrative services and SWAT teams around them to help manage peril and excitable things, and they've got folks in front of them that field certain questions and direct them to
00:18:41
Speaker
the CEO, and you've got lots of filters set up, and it's a very active discussion. The CEO, if they're good at their job, is always projecting how much they can give and how much you can take. I don't know that we've found a stride in security leadership in how to have that dialogue in the same way and be perceived at that level in the company. So that's one part of it. The other thing is: bad things happen all the time.
00:19:09
Speaker
And when you're the team that handles the bad things while also trying to project and deflect the risk, and also building the systems that anticipate and measure and gauge the risk and all these things, you'll find yourself in firefighting mode the majority of the time, no matter how good you are at the job. That's it. And so how do you fix that? Constant dialogue with the business and the team, constant analysis, constant hindsight analysis of what's gone on.
00:19:39
Speaker
And then just being willing to accept what you can change and what you can't change and have the business be there with you to accept how much risk versus reward is happening. And at some point you just kind of got to let some things fall. I always feel empathy towards folks that have big breaches and immediately people heap on and say, well, you should have done this. If you had done this, it wouldn't have happened. All you had to do is this one thing and you failed at it.
00:20:07
Speaker
And I often look at that and say, oh, 99.9% of the time that's not the case. Like, that was the thing that got dropped of all the things that they're holding up all the time in no-sleep mode as a security team. That was the one thing they let fall. And it happened to be the tragedy. So I think that's a big part of it. But again, you know, we've only been around for a brief moment in history here. So I think there's also just a lot that we can't answer, a lot of things we have to learn.

Cross-Departmental Engagement

00:20:34
Speaker
One of the things I pulled from a really great LinkedIn post that you had made said: it's important for the security program to not only span all major pillars of the business, but to also take part in significant decision making for all of them. So that's one part. So I'll stop there. Can you talk more about that part? And then I have another quote that I pulled from it that I'd love to hear more about. Yeah, back to that point about us
00:20:59
Speaker
typically being IT or technology facing and not always having a lot to do with other business functions. I'm a big believer in being involved in as much as you can. So what I'm saying there is get out from technology patrolling land, get out of maybe your main focus of guarding the network or the platform or the technology or the thing.
00:21:24
Speaker
and get involved in other key areas of the business where you or your colleagues might not even know the inherent value you bring to the table. And the example I use most often is sales.
00:21:35
Speaker
I'm a huge fan of sales teams and I'm a huge fan of being there to generate revenue. Security teams are almost always viewed as a cost center. They're an incurred cost. They're a pay-to-play. This is the price you had to pay to be secured in your industry to be accepted by your customers, et cetera, et cetera. Go to those weekly sales stand-up meetings and talk to your sales team and your sales leaders about how you can be present in the sales cycle to accelerate revenue generation.
00:22:05
Speaker
go to your chief revenue officer or your CFO and have regular discussions about levels of security problem or abuse or fraud or other things that you deal with that are definitely cost centers and have those conversations about your relevant data and their needs and find out how you can achieve some things there. Go to your HR team and
00:22:29
Speaker
talk readily about onboarding and offboarding and employee training and all these things that you might be kind of tangentially connected to by way of owning some of the content. But maybe you're not like a direct engine for accelerating those programs. So all I'm saying there is like, be ready as a security leader to tackle any number of problems across the entire organizational landscape.
00:22:55
Speaker
That might not be first and foremost in your mind, but where you are as a business they are maybe more pertinent than your day-to-day security operations. Does that make sense? No, it does. Every organization is a system; it's called systems psychology. If your hand's moving over here, it affects your other hand over here.
00:23:16
Speaker
The work environment is a system that is impacted one way or another, and the more that you can step out of those silos, it creates some empathy as well, like when you can actually understand, oh, this is what you're going through. Actually, I just had to go through something where we had to practice a sales pitch just to be able to have empathy and compassion for what our sales reps were going through,
00:23:39
Speaker
And it took me out of myself and what my day-to-day is, what I focus on, to go, oh, okay, let me see what this new role is. Because we don't always see what it's like from other perspectives in the organization and how we're all one big system together. So I think that that makes a lot of sense. Yeah, absolutely.
00:24:00
Speaker
you want all that exposure, you want all those new perspectives and experiences, and then also you have to have a handle on it because for every new organization that you visit and every new thing that you try to be a part of, there's a propensity for the business to say, great, that's working. Now we want more of it. And then as a security leader, you have to balance that, right?
00:24:21
Speaker
I work with sales teams very frequently and they always need and want the extra help. And so you find yourself having to balance that now to make sure that you're also not moving into the sales organization and then leaving someone else out in the cold. So again, back to that fixed resource concept that you'll never have as much as you wish you had
00:24:43
Speaker
you're back to that balancing game. And all the while, while you're doing all these things that you should be doing, you've got to maintain the foundation and keep it strong so that as you're off doing different things, your core team and your core functions are all being maintained. So it's easy to say that out loud, like, oh, yeah, you should just get up in the morning and go talk to more people across the business and learn what their problems are and help solve them, right? I mean,
00:25:06
Speaker
But that's the right answer. But then you have to be a sensible leader and do it correctly. Yeah. One thing I've done is I always, with people on my team, have sometimes 15, 30 minutes, once a month, even just to kind of reach across the aisle and say like, hi, I'm alive.
00:25:27
Speaker
How are you doing over there? And even though there's sometimes I'm like, I want to skip it, you know, whatever. I'm always enlightened to hear what my teammates are working on and what's important to them. But especially in a remote environment, it's so easy just to get wrapped up in what's right in front of you and what you get those blinders on. Plus, if you don't like speaking to
00:25:48
Speaker
No, I'm just gonna sit here and I am 100% guilty of this of like, oh, great, another meeting, another person to talk to. And I'm glad I do, but I gotta, it's a force function.
00:26:01
Speaker
Yeah, it's muscles you have to exercise. I'm an introvert and I'm absolutely incapable of mapping faces to names right up front. It takes me so long to map a name and a face and a thing. The context is helpful, but that's how my brain is wired.
00:26:20
Speaker
And this stuff is not easy. It's often out of the comfort zone. And you mentioned stress a few times. It's stressful. I'm not designed to be in sales. That's not my persona. That's not my makeup as a person. And so getting involved in the sales side, even today is still really stressful and really sometimes
00:26:45
Speaker
emotionally and physically draining like the energy level is a different kind of energy and a different level of energy. So you also have to take stock in what you're able to accomplish because you don't want to run in there and just create a catastrophe. And I've had my fair share of those. You don't want to do that either. So that's also part of the equation. Yeah. Well, and then another thing you said was understanding where your security program ranks is something to

Organizational Perception of Security

00:27:12
Speaker
consider. Can you talk a little bit more about that?
00:27:14
Speaker
Each time you're entering a new organization, or maybe building a team, or maybe you're adopting a team as a new security leader, I think one of the first things you have to do, and hopefully you get a bit of this during the interviewing process for the role, is how the organization perceives the security function, the leader, the program, the team. How does the organization perceive what that function does for the business?
00:27:43
Speaker
How they interface with it and leverage it and get value out of it. There was a really great corporate sentence right there. But also, to be perfectly frank, what is their attitude towards the security team? I've had my fair share of organizations where I've been welcomed warmly as, great, this is a continuation of a thing that we know how to flex and we like to use.
00:28:06
Speaker
I've also had my fair share of experiences where I've come into what looks like a Phoenix situation where something has just finished burning down to the ground and your job is to rise from the ashes and show an organization that it's not going to be like it was before. And that's a tough one for everybody. So again, I use this phrase taking stock in something, take stock in
00:28:31
Speaker
take stock in the notion of how the organization views you, your program, your team, and from all angles. Are they impressed with what's happened to this point for the sake of the company? Do they know how to leverage you properly? Are they going to use your resources in a way that's beneficial for everyone? And again, like the points of
00:28:52
Speaker
Are you raising the quality of the decision made by the business? Are you showing and demonstrating value? Is it measurable? All these key performance indicators of a person at a company, regardless of role. What's their take about security teams and programs and leaders? It's super important to know and also to steer and guide as much as you can to positive intent and benefit. And then as a security leader, having all that in mind,
00:29:21
Speaker
Do you then use that and communicate that to your security team to guide them? Yeah, for sure. And security teams, as you know, are always interesting creatures and almost always a really interesting blend of very deeply technically oriented, introverted minds, and then more extroverted, not solely technically oriented people who have to deal with business problems.
00:29:49
Speaker
And back to that set of ingredients that makes your ideal team who you bring on board and how you scale them out, how you build them as people and how they build themselves. So at the ground level, I think all of us have had a security team where we've had a really, really smart person who just stays in the background with the door shut and just does incredible technical things. And how do you get that person out into the open and engage with the sales team?
00:30:18
Speaker
That's one of those long-standing challenges. Yeah. And how do you bring in folks? I think another interesting one is folks who live in compliance land who are really interested in technology and really want to ramp up in deep technical stuff, because they gather that interest from their interface with audits and policy and things. How do you provide a platform where they can get out into the business and, say, start impacting security changes in product, like hands on keyboard? How do you do that?
00:30:45
Speaker
And how do you do that in a way where everyone in the business sees the value of that and wants to support it and resource it and fund it and all these things? By the way, I don't have the final answers for any of these things. But that's the core idea, right? How do you flex both sides of this thing as the person between the team and the company to great effect? Yeah, right.
00:31:06
Speaker
Well, and therein lies, I think, the heart of why it's such a stressful industry and what a lot of security leaders are going through, managing up, down, sideways, and then also trying to keep their own oxygen mask on, if you have, you know, like to stay sane.
00:31:26
Speaker
What advice do you have for people who are building out security programs?

Resources for Overcoming Challenges

00:31:31
Speaker
Do you recommend any books or podcasts or resources? What gets you through it? Because you're speaking to these because you face these challenges and you're living them every single day. How do you cope with it? What do you use for your resources and coping mechanisms? I read a lot and I talk to a lot of my colleagues, many of whom you know.
00:31:53
Speaker
It's extremely useful to have the ears of folks that are in your similar surroundings who have been there. And I'm talking both about people who've had a really good outcome and people who haven't had a really good outcome. I think that's essential. I read a lot. And I do read a fair amount of technical specs and programming guides and all sorts of nerdy stuff. But I've been spending a lot of time
00:32:20
Speaker
reading books about professional sports coaching and books about how to go to market, books about how to IPO, books about how to run an M&A, books about how to build a board of directors. And I do that because I'm trying to reach either above where I'm at or off into another parallel from where I stand so I can understand the perspective there.
00:32:47
Speaker
I think also if it has a strong tether to your personal life, something that you do, again for me it's the extreme mountain sports, I'm really interested in how to coach people. I'm really interested in how to coach myself and navigate myself through really stressful situations. So books I read are maybe oriented towards how to deal with the stress of a really hard mountain scenario. Like how do I get up the mountain and down safely?
00:33:13
Speaker
I think that perspective helps me build more effective armor. So I can give you a quick example. When I'm teaching a new student how to paraglide, one of the big things is how do I go up? Like, how do I take this soft fabric wing and how do I go up into the sky? 15,000 feet like they're doing up there. And these are new students and you've got to coach the,
00:33:38
Speaker
the sensible path to going from standing on the ground to being 15,000 feet off the ground underneath fabric and string. And you mentioned earlier, you used the phrase, you have to go through it. You have to move through it. And that's exactly what it's like to ride a thermal in a paraglider. You can't dance around the edge of a rising column of air and expect to go up like a bird of prey does.
00:34:02
Speaker
You've got to engage that thermal directly. You've got to feel and sense where it is, the size and shape and scope and upward trajectory of that thing. And you've got to develop the skills to get your wing into it and to pivot and ride that rising column of air steadily, thousands and thousands of feet. You've got to get in there and you've got to ride it and it's going to kick you out and it's going to deflate your wing and it's going to throw you all over the place. And it's physically uncomfortable and sometimes it's really scary. And
00:34:31
Speaker
if you focus on the fear and the apprehension and the overall sensation of it and map that against your actual risk scenario of being in a really well-built paraglider that has a lot of safety features, your secondary chute you can throw, your emergency chute and everything, if you drill down on the psychological side of it, why am I afraid? Why am I apprehensive? Why am I not charging into this thing that's going up meters per second? Why am I afraid to hit 15,000 feet and dot out into the sky?
00:35:00
Speaker
If you focus on that aspect of it and go beyond like that, I know I need to know how to fly a paraglider really well. Yeah. But you also need to deal with the stress of falling several hundred feet vertically before you get your wing up again. And so that's why I mentioned things like sports psychology, or core fundamental classes and books on building business and navigating like boardrooms or exit strategies, or just go-to-market strategies. You don't have to be an expert in it.
00:35:27
Speaker
But you have to expose yourself to all the stressors and risks and like scary things and get a perspective about how other people deal with that. So that's way more useful to me now than like the latest O'Reilly book on how to crank out Go. I mean, it's so far down on the stack now. Yeah. Yeah.
00:35:45
Speaker
What I'm hearing is pushing your comfort zones, recognizing your own stressors, but also recognizing what stresses other people out too. Whatever the CEO is stressed about is going to impact you. Whatever the revenue officer is stressed out about is going to impact you. Again, it comes back to that system.
00:36:08
Speaker
I'm scared just listening to you talk about paragliding, so I know where I stand. But I think whatever it is, yeah, it's recognizing. So for me, my stress management, what heals me, is not just like zoning out and binging my TV shows or playing my video games, but for me it's travel. And when we were talking about it, I just went to Africa by myself.
00:36:32
Speaker
What I get a lot of is like, oh, that's so brave. And it's like, well, no, I know what to expect. I know where my risk factors are. I know when I get off the plane, somebody's going to be there waiting for me with a sign with my name. So, okay, so I know that. My plane was late at one point, and I'm trying not to panic, but I had to think it out, okay, what's the worst that can happen? What's my plan? And so again, the old adage of the more you know. Absolutely. And you've built that framework
00:37:01
Speaker
of risk-reward scenarios, and you've built that framework of risk management. And you also have fallback procedures for when something goes wrong. When we're in the air and something goes wrong, we do train. We have specific things we do in specific orders to deal with a very fast situation to make things right again. And that's the same with the other sports like rock climbing or downhill mountain biking or whatever it might be. Think and respond in an orderly fashion
00:37:28
Speaker
and wire yourself to the problem and solve it mid-problem. And that's as much about knowing your limits as a person, like when does stress push you into a non-functioning state? Where are the stressors that drive you to be unable to physically or mentally react clearly? And of course, we're talking about business here, so I know it's a little funny, but when you're dealing with billions of dollars worth of company and you're dealing with perhaps millions of customers,
00:37:55
Speaker
I feel like it's the same level. If you can equip yourself with those things, build those into your system, whatever it might be, it frees up a lot of bandwidth, which you don't have enough of already. It frees up the bandwidth to think and process and develop solutions. If you are a long-time pilot, when you have a collapse and you fall,
00:38:17
Speaker
It's not always a big stressor. It's more of an annoyance to get back on track to where you are and where you want to be. You've internalized that, you've practiced it, you've rehearsed it, and you've reinforced mentally your stress model. So you can kind of push it back and you can solve the problem. It's very similar to how people are trained to deal with combat situations, right? It's a very well published thing and very well discussed thing.
00:38:41
Speaker
mapping all the way back to like, you're never going to have as much as you need. And you're probably not going to have enough bandwidth in any given day. You might as well build and practice these systems as much as you can to open up as much bandwidth as you can for thinking and logically processing and moving through the problem. Again, not professing to be the expert or have all the answers, but that's the system that a lot of us use out in the mountains. I find this really useful to bring into the business environment. And I know there's a lot of executives out there who are very proud of like climbing big mountains.
00:39:11
Speaker
And that's part of what they've done to achieve that. Yeah. Yeah. Well, the more you put yourself in those situations of the, again, as we said, going through it and saying, okay, I'm going to face this head-on, what the challenges are, what my fear points are, how can I lead my team?

Preparing for Breaches

00:39:26
Speaker
How can I communicate the value? How can I get people to support me? Facing all of those
00:39:34
Speaker
builds the strength to be able to also handle it when they do go sideways or to be able to anticipate. And a lot of people who are in security also have that reaction mechanism of what am I going to do in case of a breach and to be able to not freak out, not panic, but think clearly. So to take that skill set and apply it in also a business and a human setting as well to take it on. I think that makes a lot of sense. It's going to happen. It's going to happen. You're going to have a day where you wake up and you're going to have a breach.
00:40:04
Speaker
or you're going to have a serious problem. And if you can admit, like day one on any job, that it's going to happen. Don't go in and be the security leader who says, I'm here. It's not going to happen on my watch. And I think we all say that, have said that out loud at one point in our careers, like over my dead body, or not on my watch, and it's going to happen. So if you just go in there, you know, I've had incidents out in the mountains and things and, you know, there's injury and there's all sorts of stressors and things.
00:40:33
Speaker
And yeah, there are people out there that have definitely lost their lives doing that kind of thing. And I know many of them, and they still went out there and did it and admitted to themselves like, hey, I want to be a CISO. And there's a lot of humor around this part of being a CISO. It's got a shelf life, and you're going to get whacked. Both of those things are true. So if you build that entire system around that notion, at least again, you can free up the bandwidth to deal with as much as you can until you get whacked. And when you do,
00:41:01
Speaker
you can hopefully process that a lot easier and a lot better than if you didn't have that construct. But be ready for it. I guess the biggest part of this whole conversation is if you're going to be a security leader, get ready to get dirty. Get ready to get whacked and get ready for some really stressful times in your life. And if you love it, you love it. Yeah. Yeah. And prepare yourself with those coping mechanisms and all the resources that you talked about because you can get through it.
00:41:31
Speaker
There's a lot of really successful CISOs out there that, even if you get whacked or you struggle with stress, but when it's your calling or it's something you love to do, you find your way through it. You're definitely not alone. There are so many stressed and emotionally impacted and damaged CISOs out there who have seen a lot more than I have, who are still standing and are still performing marvelously in the industry.
00:41:58
Speaker
And they've just developed really good coping mechanisms. And then of course, as you know, we go off, we blow off steam and we go out there and we do things that are seemingly crazy to like reset ourselves. And I think that's great. Yeah. Well, Jamie, thank you so much for your time and your insight. It's been awesome to have you here. Love catching up and just chatting. So great to have you, and to all the listeners, thank you so much for tuning in to this episode of Cyber Psych. And I will see you next time. Thank you.