The Disruptive Mindset of Modern CISOs
00:00:00
Speaker
For me, like the newer wave of CISOs, maybe you're only familiar, you would associate with people who are like-minded to you, are like us. Like, we want to break things. We want to disrupt. We want to say yes. Like, I cringe when I hear people say we banned AI or we did this. I'm like, why? Like, it's like, why are you trying to block the future?
00:00:17
Speaker
Like, just deal with it. Like, get okay with it and make it work. Like, be part of the movement. Don't try and reject it. I just gave a presentation at a Pulse event in New York where George is my president for them. They're just pictures. And it was 10 pictures from Fight Club.
00:00:32
Speaker
One of my favorite movies. And my whole ethos was I'm not going to say anything about anything other than saying this is how you build a revolution. This is how you build a movement. And that's what has to happen. If you're a good security leader, you build a movement.
00:00:45
Speaker
And I think when you talk about kind of saying that everyone's like this, they're kind of on the edge, like... Good security leaders are okay with kind of setting the working class of a company, or whatever it might be, free and seeing what happens next.
00:00:58
Speaker
They don't want to kind of hold the man down. They want to let him go and see what happens. And they're going to deal with the consequence wherever they are.
Meet Jake Bernardes: A Journey Through CISO Roles
00:01:08
Speaker
Hey, it's Bare Knuckles and Brass Tacks, the cybersecurity podcast that tackles the human side of the industry. I am George Kay on the vendor side. And I'm George A., a Chief Information Security Officer.
00:01:20
Speaker
And today our guest is Jake Bernardes, who is the CISO at Anecdotes, but also has been a vCISO, a field CISO, a consultant. He's kind of done like every CISO-ish role there is in security. And that's what we really get into: all the various experiences he's had and how he brings that to bear.
00:01:40
Speaker
We talk about go-to-market approaches when you're on the startup side, but also what does he like as a buyer? And there's a lot packed into just like a half hour here.
00:01:52
Speaker
Yeah, I was really blown away by the fact that a lot of the sort of weird mannerisms that I use as CISO now, that I've developed over my life and career and my weird background and how I got here,
00:02:06
Speaker
Jake, who has a completely different life, who's absolutely cool as hell, he kind of comes to the same conclusions. And so I think it's quite validating that this is the right thing: a human-first, authentic-first approach to being a CISO, regardless of what side of the aisle you're on, the way he develops and runs his teams, the way that he builds and runs his business.
00:02:27
Speaker
I mean, this is someone that I think people should listen to. And I think there's a lot of value in this episode, regardless of what side of the, you know, security business you're on.
Career Path: From IT to CISO
00:02:37
Speaker
Jake really hits it home today.
00:02:38
Speaker
Let's get into it. Jake Bernardes, welcome to the show. Thanks for having me. Pleasure to be here. Yeah, so this is an awkward position to be in. Usually, if you're the practitioner, I start. If you're the vendor, George A. starts.
00:02:55
Speaker
You are somewhat both, right? You've been a CISO multiple times, and you have been, like, every side of that die. You have been a field CISO, a vCISO,
00:03:07
Speaker
consulting, client-side CISO. So I think I'm going to start with the obvious question, which I think I posed to you in the CISO Society Slack and also in person at the Anti Summit in New York, which was: what lessons have you taken from each of those roles that inform how you're now operating as a CISO at a startup?
00:03:28
Speaker
Gosh. Well, look, I think the role of a CISO in the modern world, and I've worked almost entirely and exclusively in tech in various forms and guises, is getting broader and deeper every year.
00:03:43
Speaker
I remember taking over IT at SingleStore, and that's now the norm for most CISOs, even enterprise companies. I remember then taking over cloud and SRE. I remember then taking over various parts of product development, product security. It just keeps getting deeper and wider: privacy, AI.
00:04:01
Speaker
I think you have to know not a little, but enough on a lot of topics. And I think to be able to be good at that, you have to have a background that's diverse, varied and complex.
00:04:13
Speaker
And I think if you go back to the linear route, so I started in, like many of them, consulting. I've done pen testing. I was much better as a social engineer, which I did quite a lot of for a long time. Incident response, generic kind of security consulting, did a lot of vCISO work in the Bay Area.
00:04:29
Speaker
I was looking to live and work all over the world: the Middle East, the Far East, the US, all over Europe. I then went from there. It's a different story, but I actually hacked my way into my first CISO job. I ended up there as a client-side CISO, as you put it, at MemSQL, which then became SingleStore. I was employed at 50 and left at 600, 700. Saw massive growth during COVID as they went into a cloud product.
00:04:53
Speaker
At that time, learned a huge amount about how to build and scale a program.
Insights from the Vendor Side
00:05:00
Speaker
As a consultant, you learn how different companies approach the same problem in different ways.
00:05:04
Speaker
Once you fully own the domain, you have to learn how to build and scale and not be able to just say, here are your problems, go and fix them. Now you own the fixability of them. I then moved into vendor side. I went to Whistic. What I realized at SingleStore was,
00:05:25
Speaker
As a security practitioner, you either love security or you hate it. And that sounds like a strange thing to say, but a lot of CISOs in reality hate security. They hate products. They hate automation. They just want to do their job as an exec and as a leader.
00:05:37
Speaker
And I love security. I love disruption. I love how the products are changing our space. And so for me, going to the vendor side became a natural thing. I think on the vendor side, you learn a lot about commercial relationships.
00:05:50
Speaker
Like the reality is that everyone is a salesperson. It doesn't matter what you do, what your title is. In the modern world, everyone is a salesperson. And what I mean by that is you have to be able to speak to what you love in a convincing, articulate and honest way.
00:06:05
Speaker
Like, I am not a big car guy, but I'm a massive bike guy. I ride an S-Works, an S-Works Tarmac, which is a stupidly expensive bike. But my point is that I love it. And I would tell everyone that's the best bike you should buy.
00:06:19
Speaker
I'd tell everyone buy a road bike and buy that one. And similarly, I think in security, there's a natural danger that a CISO, a vendor CISO, and even worse a field CISO, is to just go with the quota.
00:06:30
Speaker
But the reality is we often took our jobs because we believed in the product, right? I went to Whistic because I believed that TPRM needed changing and breaking, that we needed to fix questionnaires. I went to Anecdotes because I believe that GRC is broken and I don't believe that some of the tools in the space that we're seeing, the prescriptive kind of click-box, are the solution.
00:06:47
Speaker
So I've gone through those because I believe in them. And when you're in a vendor, it's different because your budgets are tighter. You're much more driven on ROI. You've got to have this double hat where you're really smart in how you build your own security program to do what it needs to do.
00:06:59
Speaker
Secure internally, but also enable
Risk-Taking and Bold Career Moves
00:07:01
Speaker
trust externally. Then you've also got to wear the hat of being the guy that actually has the credibility in the room in a really honest and real way. So I've got to sit in a lot of these seats, so I sit in a lot of seats at communities, events, dinners,
00:07:13
Speaker
And I will pitch my product openly because I say, look, I believe the product is good. Like, I'll tell you, this will solve a GRC problem, but you have to do it in a real way that doesn't come across like you're a sales guy. I think that's there.
00:07:24
Speaker
If you take like a linear journey, what I've learned is how to solve problems as a consultant, no matter what the company type is. How to build a program which takes all those problems and takes ownership of them inside of a client side. Into a vendor is how to keep doing that, but build the commercial kind of skill set to actually talk about your product and its value in the marketplace in an articulate and honest way.
00:07:45
Speaker
And then as you continue to progress in that route, I think I've just learned a lot more about the executive line, like how to build a business, like how to pick your battles. Yeah, that's a long answer to a short question.
00:07:56
Speaker
No, no, that's kind of the journey I was looking for.
00:08:02
Speaker
Yeah, I got to say, though, Jake, I'm really impressed with kind of your diversity and background, which I think is probably what gives you the flexibility to do what you're doing and how you're doing it. You know, like for me personally, I'm currently double-heading roles myself, pretty much as a CISO at a major, we'll say, client-side enterprise organization.
00:08:25
Speaker
And then also as the field CISO at a law firm where essentially I'm the head of technology consulting. Right. And in that job, it's the same thing where like I kind of have to help build the security operation in the firm, while at the same time selling and consulting on security services to our clients.
00:08:43
Speaker
And I found that, you know, having a different background has helped enable me to do this role. And George can tell you, like, you know, when we're out doing stuff for the show,
00:08:55
Speaker
I very naturally slip into sales mode and I go and do the thing in BD when we have to. Right. And to me, like, I enjoy it. I enjoy the human connection part of it. I'm not the antisocial guy. When I worked in signals intelligence operations for the army, I was that hoodie-wearing weirdo, like five layers deep in a SCIF and all that kind of thing. That was a nice phase in life.
00:09:16
Speaker
I look at your background, though, and honestly, man, I'm like, how are you not a spy? How did you not work for GCHQ? To me it's... I want to ask, do you feel a certain sense of adventure when you choose your next opportunities? Because I feel that you are also the kind of person, like we have a saying at our show, we do cool shit with cool people.
00:09:40
Speaker
And I feel like at the end of the day, that is also your approach to how you've managed your career and how you've taken on the opportunities that you've taken on. Like, how do you go from doing mission work, which, bless, that's amazing that you did that,
00:09:52
Speaker
And then you get to school, you have multiple degrees, you make CISO from working in product management, like in six years. And
Embracing Challenges and Curiosity as a CISO
00:10:02
Speaker
now you're in this multiple role. Like, how did you do it, Jake? Like, what is the logic behind why you do what you do? That's a question I feel like we should prep for.
00:10:12
Speaker
I think there's three things. I've been asked a few times along a similar vein. I think number one is I'm an inherent risk taker.
00:10:24
Speaker
I've always had it in me. I mean, I just said that I'm massively into road cycling, right? No one else puts on a bit of spandex and a bit of foam on your head and goes 60 miles an hour down a mountain with people on their phones and the trucks next to them, right? You've got to be an inherent risk taker. I think that that's inside of me.
00:10:37
Speaker
I think career-wise, it's always been who I am. I think never say no. I've told this story on other podcasts before, but like if I look at my career trajectory, particularly at NCC Group, I just didn't say no.
00:10:49
Speaker
So I had a daughter who was three weeks old and I said yes without reading it. It's a longer story, but I didn't really ask the question about where he'd asked me to go. Turned out he'd asked me to go and spend a year in Amman. I didn't know what that was, but it turns out it's in Jordan.
00:11:00
Speaker
And I'd agreed and been put into a contract for incident response for a major airline. No idea what I'd agreed to. My wife was fuming. And then we said, let's do it. We'll just do it. I went back and said, I'll do it, but I'm going to take my family. I'm going to stay in a hotel the entire year. My kids were both younger than school age. I had a three-year-old and a newborn.
00:11:21
Speaker
So we went and lived in a hotel on the Dead Sea for nearly a year doing this stuff, right? And for me, that was a risk that I took, but I had a chance to do something which I would never have got into otherwise.
00:11:32
Speaker
I got back. And I think I was back for like six weeks. And then this phone call came again and said, I know that you're the yes guy. Ben Jepsen, he was a director. He's a good friend of mine to this day and a massive mentor and a person I owe a lot to. He's like, will you go to the US?
00:11:50
Speaker
I was like, yeah, I've been to the US before. And he was like, no, no, will you go to the US? I've been back like six weeks. He's like, no, can you move? I need someone on the West Coast to be part of our consulting division. You're the perfect fit for what people are looking for.
00:12:05
Speaker
There was a lot of GDPR and privacy work going on, pre-CPRA, CCPA at the time, so I went to a bunch of vCISO gigs that started in Silicon Valley and moved my whole family again, but to Salt Lake for like a year and a half, and COVID hit and we moved back home. And if you look at how I ended up at SingleStore, I effectively hacked my way into MemSQL. It was a project for NCC Group. I broke the company and then left. Nikita Shamgunov, the then CEO, said, well, it's broken, do you want to fix it? I was like, never been a CISO. Sure, why not? Let's give it a go.
00:12:35
Speaker
So I think it's an inherent risk-taker attitude, number one. I think being comfortable being uncomfortable. Like, it's a cliche VC nonsense phrase, but it's real and it's honest. You referenced that to being like a missionary. I don't talk about religion a lot and I'm not particularly one to advocate faith to everyone, but anyone who knows what LDS missionaries do, if you've been through that, like, you are comfortable in the most uncomfortable of times.
00:13:02
Speaker
Like when you've walked in a freezing gale in Germany, when everyone just tells you to sod off and go away because they don't care. Like, you have to get comfortable in your own skin and be comfortable in difficult places. And I think that's something else that I've taken throughout my career is just like always being comfortable when other people are. And I think the last one you spoke to is like, you've got to love what you do. You've got to be excited. Like, as soon as I'm bored,
00:13:29
Speaker
Like I look for what's
Approach to Marketing and Sales Outreach
00:13:30
Speaker
next. I want it to be hard. Like, I want to build from nothing with no budget and no team. Like, I want to go and say, we've got to double ARR next year because that's what every VC in Tel Aviv wants.
00:13:40
Speaker
How the hell do we do that next? Like, I want the challenge because it makes you feel like you're still alive. The day I kind of just wear a suit and turn up to a bank in New York as a CISO, I kind of feel that's the time to hang up the coat.
00:13:55
Speaker
Yeah, I agree with you, man. Like, I see a lot of parallels in our life journey. I mean, you got biking. I fight people, same degree of risk. It's an absolutely terrifying experience. And before I'd compete, like, you know, I'm throwing up the day before, like, why the fuck am I doing this to myself? But it's the same thing when you're staring down a massive mountain and you're like, why am I doing this to myself? I was comfortable and warm and safe.
00:14:19
Speaker
And I think fighting boredom is, you know, every CISO I've ever met, I don't know if you, like, I'm sure you meet other like-minded kindred spirits. Every cool CISO I've ever met is the same way.
00:14:31
Speaker
We are absolutely repulsed by the idea of being bored. I think that's kind of what makes a good CISO a good CISO, wouldn't you think? I think that's why CISOs are changing. I've said for a long time, I've said in a lot of places, that I think there is a wave of traditional CISOs that came from McKinsey, Accenture, Bain, Deloitte, the classic risk-averse mold.
00:14:53
Speaker
They have a great executive presence, but they're not like... who are they? They came from a risk consulting or an audit background. There's nothing wrong with being an auditor or risk consultant, but for me, like, the newer wave of CISOs, and maybe you're only familiar, you would associate with people who are like-minded to you,
00:15:07
Speaker
are like us. Like, we want to break things. We want to disrupt. We want to say yes. Like, I cringe when I hear people say we banned AI or we did this. I'm like, why? Like, it's like, why are you trying to block the future?
00:15:20
Speaker
Like, just deal with it. Like, get okay with it and make it work. Like, be part of the movement. Don't try and reject it. I just gave a presentation at a Pulse event in New York where George is my president for them. They're just pictures. And it was 10 pictures from Fight Club.
00:15:35
Speaker
One of my favorite movies. And my whole ethos was I'm not going to say anything about anything other than saying this is how you build a revolution. This is how you build a movement. And that's what has to happen. If you're a good security leader, you build a movement.
00:15:48
Speaker
And I think when you talk about kind of saying that everyone's like this, they're kind of on the edge. Like, good security leaders are okay with kind of setting the working class of a company, or whatever it might be, free and seeing what happens next.
00:16:00
Speaker
They don't want to kind of hold the man down. They want to let him go and see what happens. And they're going to deal with the consequence, wherever they are. And so
Building Sales Relationships as a Field CISO
00:16:06
Speaker
you all play fighting and throwing up? I'm a big... I run a lot of marathons now as well. Like, I'm always trying to go slightly tighter. I'm right at the barrier of the three-hour marathon.
00:16:14
Speaker
My wife's like, why are you doing this again? Because I just want to get underneath there. Like, it moves by a second. She's like, why? Like, who cares? Because I care. Like, I want to see how far I can go.
00:16:26
Speaker
Yeah, I mean, there's a lot there in terms of both intrinsic motivation and what we've said on the show repeatedly. Curiosity, I think, comes with that risk taking. I've been in positions where I could have sat at a marketing agency and just collected a paycheck and done relatively little work and sat in meetings and moved slides around a PowerPoint.
00:16:45
Speaker
And I was like, I'm going to die at this desk having done nothing cool, you know, and so I took the risk into startup land and have been kind of addicted to that building ever since, for maybe the same reasons. It's so much more engaging than just, I don't know. It's so boring. Why are you bored? It's so short.
00:17:09
Speaker
But Jake, that takes me kind of to my next question. So as a CISO, you have almost certainly been on the receiving end of all the marketing glare and BDR outreach and everything.
00:17:25
Speaker
Now you are on startup side, which ostensibly is going to go do some of that. How are you
00:17:35
Speaker
I guess wielding the influence of your past experience. Like, look, I have been receiving this stuff. I don't respond to it, but this is how I respond. I guess what level of influence are you trying to exert having this rich field of experience to bring to bear on it?
00:17:51
Speaker
Don't be an asshole. There, put that on a t-shirt. I think that's it, right? Like, historically, if you just send me the same template LinkedIn message or an email, I'll probably ignore it.
00:18:05
Speaker
If I feel like you made some effort, even if I've got no budget, if you call me, I've never rejected a cold call. If you call me, I'll say, look, I've probably not got any budget, but if you want to pitch me, I'm happy to listen to what you've got. Send it on an email. If you've taken some effort to have something genuine and honest and real,
00:18:23
Speaker
I'll respond to you. I might not have any budget, but I'll respond to you. And I think that the way that I've learned that I behave and respond to things is now what I try and do. So I just try and be authentic and be real. Like, I presented at an ISSA event a while ago on GRC is broken. What do we do now?
00:18:42
Speaker
I talked about how automation is completely broken in GRC. And it finished and someone said, you really don't believe automation products are going to work. It's like, well, that's ironic because I actually work for a GRC automation vendor. But you have to be yourself in a way that you build credibility.
00:18:55
Speaker
So now I think there's two parts. I think firstly, that is critical, numero uno: you've got to be authentic and be real, be who you are. And you have to believe in your products. You cannot be a vendor CISO if you don't believe in the product. Like, it doesn't work. You have to be able to be credible in using it. You should be an expert in using your own product.
00:19:10
Speaker
The second piece is... I'm sorry, I do want to pause there because I don't think that is something that... It sounds obvious, but... Okay, I just want to say that your vendor CISO needs to be an expert in their own product. I'm just saying... If you don't eat your own dog food, you have no right to speak. Like, if you're a vendor CISO and you don't use and understand your... I can demo the product, I think, as well as anybody in the company.
00:19:31
Speaker
And if you can't do that, you have no right to be there as the CISO because what credibility do you have? If someone says, like, oh, how do you do this? I'm like, I don't really know. I'll ask someone on my team. That doesn't make any sense. It doesn't seem real. And that comes back to the authenticity point. The second point is you have to learn how to articulate your statement.
00:19:46
Speaker
Like, I had Jason on my podcast last night, in fact, and we talked about how CISOs are often pontificating. They get up and they start reeling off, like, trying to teach you and the world about threat intelligence or, in my case, GRC and kind of understanding enterprise risk.
00:20:04
Speaker
Everyone knows this crap. Like, get to the point. You know what the problems are. How are you solving it? Why are you different? What can you do? And more importantly, what can't you do? Like, I'll sit there and go, our product is really good at using data in a way that no one else does.
00:20:19
Speaker
We are designed for enterprise GRC practitioners and we are completely custom and customizable in a way that no one else is. However, if you are a small SMB and budget is really tight, go to Drata or Vanta because they're better than we are.
00:20:30
Speaker
Right. And you've got to have that level of articulation in terms of: this is your problem, this is our product, this is what it isn't. And to get to those quickly, that's what I've learned, I think, is give people what they actually want to know. Because you can lose them in two minutes of pontificating on what GRC is. Everyone knows what GRC is.
00:20:46
Speaker
I mean, again, you say that, but, you know, at this CISO Society, I tell startups all the time, look, you're about to go in front of a group of CISOs. Please do not attempt to explain why application security is important.
00:21:00
Speaker
But ironically, the ones that do it are always CISOs. I was like, don't go through the history of AppSec. Don't explain this. Just get to the point. But yeah, that's also... And one thing in there that I want to tease out for listeners is you said what you're not good at, right? I've said it time and again, you got to qualify out fast because otherwise you just waste everyone's time. You waste your time and energy. You waste their time and energy. You get like two weeks, two months down the road and you discover it's not a real fit. Like, just...
00:21:30
Speaker
We're not good for you. That's okay. There's more than enough companies for us to serve, you know, just. And I think to double click on that, I've spent time as a field CISO, and a field CISO, while it's a consultative role, whatever you want to define it as, the end of that salary is to help generate pipe opportunities. That's what a field CISO does, right?
00:21:46
Speaker
They retain relationships, they build new ones. And you learn that point quickly. It's like, I can get a lot of CISOs in a room to listen to an Anecdotes pitch because they're friends of mine and they'll do us a favor.
00:21:57
Speaker
But actually getting the one who's in the right buying cycle, in the right ICP, with the right problem and the right mindset, it's very different. And I think
Trust and Authenticity in Vendor Relationships
00:22:07
Speaker
that everyone who's on the vendor side as a CISO should spend some time as a field CISO, in my opinion, to learn that bit.
00:22:14
Speaker
Learn what your ICP is, and it's not just a size of company. It's specifically a size of company at the right point with the right problem and, most importantly, with the right mindset.
00:22:26
Speaker
And that applies to any product, not just ours.
00:22:30
Speaker
Hey listeners, this June we will once again be supporting Pride Month with our t-shirt campaign to raise money for scholarships for LGBTQ+ students in cybersecurity programs.
00:22:44
Speaker
In the month of June, all profits from any Pride gear purchased from the BKBT swag store will be donated. That is all profits. Last year we put this together in a hurry and we still managed to donate $1,000. This year we're looking to do much more.
00:23:00
Speaker
Why? Because this year is not like last year. Queer communities are facing backlash and big corporations are shrinking back into the shadows. To that, we say, fuck that noise. We've never feared a fight for just causes and we believe hiding is pre-surrender.
00:23:17
Speaker
So, we're looking for courageous vendor partners and individuals who will consider matching donations to help us multiply our contribution. If you'd like to remain anonymous, that's cool too. After all, it's about getting resources to those who need it. So stay tuned for the campaign launch in June.
00:23:35
Speaker
And if you'd like to help out, get in touch. Yeah, I think there's a lot there that I just want to unpack, man. Like, legit, first of all, I just sent George a message. We have our little WhatsApp that we just talk endlessly all day on.
00:23:57
Speaker
And I was like, this dude's cool as fuck. I just want him to be my friend. We can be friends, George. It's fine. We always need more friends in the world. Yeah, man. I think what I find interesting, so I've said a lot of the same things as you, which is kind of weird because I've never met you, but I always tell people, like, just don't be an asshole, simple enough, and, you know, practice what you preach, drink your own Kool-Aid. Like, I literally... so I do some...
00:24:24
Speaker
Some consulting for some of my friends who are on the sales side, especially if they're local and I've known them for a few years. A friend of mine is a COO at a technology company, and I've known her for a few years, and I just gave her a little session. She was like, hey, can you listen to my pitch? Tell me what you think of it.
00:24:40
Speaker
She wasn't selling to me. She was just asking for a critical opinion. And I told her, I was like, hey, this is great, but do you know your own buttonology? Like, if you're going to sell to me, can you open up your platform and actually show me some functionality?
00:24:57
Speaker
And I think part of the transition that's happening, and perhaps I think you're seeing the same thing, is for sales organizations, now you need to have sellers that aren't just cool people that are party animals. Like, you need to have sellers that actually are into the tech and are willing to learn the tech so they can speak to it in their own words.
00:25:17
Speaker
Because I think the era of, really, what I think is a lot of toxicity in sales and their approach, where it's just like, let's just take you out to a fancy dinner. Let's get you drunk. Let's just spend a bunch of money on you at the fancy events.
00:25:30
Speaker
And I've done that thing too, just as, like, I'm sure you have. I just don't think that sticks anymore. Like, George and I are finding that, really, now CISOs are looking for authentic, qualified opportunities, and vendor organizations, I think, are gonna start moving away from sales and they're gonna start looking for people that can connect them to qualified CISO buyers.
00:25:54
Speaker
Do you find in your experience working vendor side, and this is a conversation I've had with many folks who are working on the sales side, it's probably something I've started doing myself, of connecting other CISOs who, you know, the problem statement of your, we'll say, client partners fits into what those CISOs need. And so us as the technical practitioners who know, who understand,
00:26:21
Speaker
We're now kind of going over the head of the sales organizations, and we're the ones that are making the connections between those CISOs and those sales organizations, I shouldn't say sales organizations, those actual technology companies, because we're the ones that hold the trust.
00:26:36
Speaker
And I think, you know, I think if traditional sellers don't become technical, which isn't to say that, you know, they can't come from a non-technical background, but once you're in it, you got to get into it.
00:26:47
Speaker
I think they're going to be going the way of the dodo. I think if they're going past, right? Do you see the need for everyone who's trying to sell technology to now get into technology?
00:27:00
Speaker
Wow, that's a deep question. Look, I think there's this pain in our world where we say people are technical and non-technical. I just think it's nonsense, right? Everyone is technical. The world has changed to such a point that everyone is technical.
00:27:14
Speaker
So it's a case of the levels of technicality. And I agree a salesperson or AE, whatever you want to call them, has to be technically competent. Now, that has two verticals for me.
00:27:24
Speaker
One is speaking the language of the domain. So in our case, that's GRC, compliance, et cetera. They have to know what the hell half this stuff means. They have to be able to tell you what the acronym is. And the other half of it is actually being able to demo the product, being able to show and understand what that is and what it means. Like, why should I care that the API to customers is open? A salesperson should be able to understand and explain why that's relevant to an enterprise buyer.
00:27:45
Speaker
I do think, however, and I'll come back to the CISO relationship part, there is a skill set in good AEs that I, and no other CISO, no matter how many friends we have, can ever emulate. And that is this process.
00:27:57
Speaker
The best people I know, and I know a few incredible AEs, both at Anecdotes and outside, they have this process. It seems like it should piss people off, but it's just phenomenal. Their way of knowing when to send the right emails, the right messages, when to link to the right thing, share the right videos, when to check in, when not to check in, what to say, what not to say, to make that buyer go from initial first conversation to closed ARR. That is a skill in itself which is deeply technical and deeply hard to emulate. I don't think you can. But to your point about the CISO relationship, I think that just comes back to the thing we've talked about a lot already, which is authenticity.
00:28:33
Speaker
I have been involved in referring lots of people and trying to support the product. I ended up here because I became a buyer, thought it was good and referred several people to buy Anecdotes, at which point the CEO made me an advisor, which ended up with me coming on board.
00:28:46
Speaker
So for me, that's a logical transition sometimes, but it's also about not just your company, but others, right? I frequently respond in the CISO society and say, this is a good product, this isn't. This is what we bought, this isn't what we bought, this is why that product is good, this is when it's not good.
00:29:01
Speaker
And I think having that level of authenticity is important and key. I always come back to, I'm really good friends with Matt Hillary, who's the CISO at Drata. We go way back, before either of us started at Anecdotes or Drata.
00:29:13
Speaker
But we now compete, effectively. But there are lots of times I'll find myself saying, go talk to Matt. We're not the right fit for you. Go and talk to Matt. And I think that is what makes a CISO in a sales capacity good.
00:29:27
Speaker
It's not just holding the relationship, because we can all hold lots of relationships. It's being trusted in that relationship because you are real and genuine and you're willing to take the stripes. Like I've sold people products before, said this is a good product, and they've come back and said, Jake, that was a piece of crap. Why did you do that? And I'm like, look, I thought it was good. So it just comes back to being genuine. Real relationships are not built on dinners or on golf courses or events. They're built on the conversations that happen in Slack channels and what's happening in messages when you ask, how's your family?
00:30:01
Speaker
Or, what do you think about this? Or, how are you coping in Israel, with what's been going on the last 18 months? All these kinds of things build real relationships. And they're never vehicles for sales at that point, because it's almost unintentional.
00:30:15
Speaker
It's the fact that you believe in something. And so you talk to your friends about it. And those friends trust you because of the inherent relationship you've built. You can't push non-authentic sales pitches through that channel.
00:30:29
Speaker
Like I can't go and pitch something I don't believe in to those people, because they're my friends and they're going to still be there in a year's time.
Team Development and Authentic Leadership
00:30:34
Speaker
It's going to be really awkward.
00:30:37
Speaker
Yeah. I mean, it comes down to, well, trust and credibility, right? That's all you have, because if you just became a shill for something that didn't work, then that's your name and rep on the line, built over years and destroyed very, very quickly.
00:30:53
Speaker
Yeah. Great. All right, so we tend to wind down with brass tacks, hence the name of the episode, or the name of the show. So what are some brass tacks recommendations you have for your CISO colleagues in how they deal with vendors?
00:31:15
Speaker
It feels like it should be on a t-shirt, but just don't be an asshole to vendors. Like, everyone serves a purpose in the ecosystem. And you never know what's going to happen next.
00:31:27
Speaker
So you look at Wiz. I remember when I first saw Wiz, I was a Lacework customer and thought, that won't work, that one. They've not got any IP. The space is already too busy. How wrong was I? I think humanizing.
00:31:43
Speaker
So I think, actually realizing that these are people who are friends, colleagues, always looking around, being willing to admit when you are right and often wrong, and maintaining those relationships.
00:31:59
Speaker
I have a lot of vendor relationships still where I'm not a current customer, for various reasons, but I keep the relationship with the salespeople because they're very good, or with the CISO because I know them anyway, because they might come back and be useful to me in the future.
00:32:13
Speaker
So I think that's one. Always listen. I obviously spend a lot of time helping educate our BDRs and AEs and so forth. And I think, gosh, that job is hard, dude. Especially BDRs. In the age of AI, they're now cold calling 24/7, because there's so much monitoring of what they're actually doing. I think if someone's trying to learn in your industry, if they come to you and speak to you, hear it out, give them two minutes.
00:32:39
Speaker
And if it's a terrible pitch, tell them it's a terrible pitch and where they can do better next time. I think that mantra is always just don't be an asshole. Be kind to people. Yeah, I don't know, that's kind of me rambling, but I think that we just need to be better people to each other and less quick to say, I don't need you. Go away.
00:32:57
Speaker
Yeah, no, I see that. I mean, I see both sides of the equation, where people will complain that CISOs won't give them the time of day. And, you know, I would go back to them and say, well, are you just spoofing the local area code and pounding them, or taking time to listen? And then in reverse, I would say if you are just kicking tires and availing yourself of the steak dinners and the golf outings with no intention to buy, and you're not making your budget priorities clear, you're also not holding up your end of the bargain, right? Because then it engenders this
00:33:33
Speaker
distrust on both sides. Like I have seller friends who are like, I don't know, I don't really trust a lot of CISOs because they always say this and then they ghost me. And so that doesn't help anyone on any side. I mean, so there's other problems in that as well, right? I think there's two sides. You talked about availing yourself of dinners and golf tournaments. I think if you're going to go to an event, even if you have no intention to buy, be active, give some feedback, talk about what that space means, contribute valuably. And I think a lot of people just sit in silence at the back.
00:34:00
Speaker
And the way CISOs aren't trusted is often because they're not trustworthy. Look, we've got multiple problems in our community where people have taken various backhanders, or become advisors at companies whose product they've then bought, and sit inside the VCs and have this revolving door of money and equity. We've raised the CISO from being completely irrelevant and not even existing as a role 15 years ago to suddenly being on the exec board, sitting next to CEOs and CFOs who have earned their stripes through years and decades and generations of that role existing.
00:34:27
Speaker
And I think sometimes it's gone to our heads too quickly. So sometimes I agree with a lot of sellers and say, like, if there are CISOs you don't think are trustworthy, probably don't pitch them. Again, the same way I say be genuine, be kind to people who are trying to sell to you, do the same in reverse, right?
00:34:43
Speaker
Also, just be good people. I agree with that. And, you know, I harp on that with George quite a bit, about being ethical in how you handle your business. Like I get invited to a lot of events, as I'm sure you do. And there are times where I have no interest in this product, as much as I love F1, as much as I love going to baseball games or whatever it is.
00:35:07
Speaker
Me being there is a waste of their time. And I'll tell them that and they'll still try: no, no, no, come out, come out. I'm like, I don't know, man, I don't feel it. And unless I can provide them value, then ethically we shouldn't try to take advantage of that. But I've seen a lot of CISOs, and I don't want to call anyone out, but you know why they're there and you know it's not serious. And it's like shaking hands with a slippery fish when you see them, right?
00:35:37
Speaker
It's not on, but I digress, because I think you guys have nailed that point. I want to talk to you about how you develop teams and personnel, because I think what's interesting, and I feel that you probably resonate with this a little bit,
00:35:53
Speaker
my approach has always been high performance coaching. George and I just did an entire keynote on high performance coaching as a leadership approach for security. How do you develop your teams? How do you develop your operators? Because I'm sure at some point you've handled a SOC as well, not just a team of GRC specialists or compliance folks.
00:36:15
Speaker
In your experience, what is the most effective way to develop talent? How do you retain your talent? And how important is organic succession planning? By that, I mean, you have someone who is talented, but you know that they have a ceiling in the organization and you might have to make peace with letting them go if you want to see them personally flourish.
00:36:35
Speaker
What is your approach to talent development? Yeah, man, George, you ask long questions. Let's break it into hire, maintain, release.
00:36:48
Speaker
Hiring is the hardest thing you'll ever do. If you've been a consultant or led a consulting team, it's one of the most valuable experiences you'll ever have, because you churn a lot of people. You hire a lot of people who then go into industry. You're constantly hiring people: pen testers, GRC consultants, whatever they might be, right?
00:37:04
Speaker
So you learn what to look for. And I think the most fundamental skill you can look for is diversity. I don't mean necessarily diversity of race, ethnicity, sexuality and that stuff. I think you want to build teams that are diverse because I think it's important to have different ways of people seeing the world. And for me, real diversity is diversity of thought.
00:37:24
Speaker
So I look at my background and go, I didn't come from a traditional, standard IT background. I didn't study computer science at university, et cetera. And I want people who can problem solve and have a different way to look at a problem.
00:37:36
Speaker
You've got to build a team of people who see the world differently and see cyber differently and see clients differently, because then not only do you have a selection of people you can apply to different projects, but more importantly, you have a selection of people who will contest with each other on different issues, and you've got real debate.
00:37:49
Speaker
And I think you should build teams the same. The second part of hiring, I think, is it's very hard. HR doesn't understand cyber. We don't understand cyber. We list roles and we put a job req out there.
00:38:00
Speaker
I look at it and go, I don't know who the hell fits that job req. I wrote it. I'm not sure who you could put in it. So I changed my tack on this a long time ago and started to say, here are some people who I think are brilliant, who I've hired and been fortunate to work with in my time.
00:38:14
Speaker
Even if they don't work for me anymore, I'll get my HR or my recruitment to meet those people and say, I want to find people like them. I don't care what their background skill set is. Just tell me they're like this person. Do they have the same attitude? Do they have the same mindset? Do they have the same way of thinking? Are they in that mold where they're interesting?
00:38:30
Speaker
And then look at their background afterwards. I think that one's really key. In terms of retaining... I mean, I feel like a broken record in this podcast, I've not talked about it so much before, but be a good person. Teams should be families.
00:38:44
Speaker
I can tell you right now the names of my team's kids. I can tell you when their birthdays are. I know what these people have in their lives. I know about their kids' mental health or physical challenges. I know about their spouses, their job and employment issues. I know about their lives.
00:38:59
Speaker
And I think that means more than anything. If you want to build teams that are highly effective, it's not about what you teach them. It's about what you show them. And that is about love, respect and honesty, not about the skill set that you've demonstrated.
00:39:12
Speaker
People want to work for you because they know that you care about them. I'm sure some of my team at Whistic will watch this. I set goals at Whistic, where it used to piss me off that they wouldn't take PTO. So I set them, literally, a compensated goal in the year. They had to take seven days, one week of full PTO consecutively, and go and do something, or they didn't get their bonus.
00:39:30
Speaker
I literally forced it into the bonus structure. I do the same here. Next week it's Passover in Tel Aviv. One of my team just said, I might be in and out. I said, don't be in and out. Just go away. Go and spend time with your family, because you won't get those times back.
00:39:43
Speaker
I think that level of sincerity and honesty means that I know that when they're in, they're all in. Doesn't matter what happens, they're there, because I'll do the same.
00:39:54
Speaker
I think the other side of leadership, and this is a big problem, I think, often in our world, especially in the CISO world, is who wins and who loses. I am a strong advocate for: if you win, it doesn't matter how much of it I did, the team did it.
00:40:10
Speaker
And I don't mean me and the team in the broader sense. I mean, I remove myself and say, this was my team's success. I don't know what happened. I could have done 99% of it, but it meant they win. If we fail, it's on me, even if I didn't even know it had happened. And that ownership matters, and it builds that family relationship, in the same way that I do with my kids.
00:40:28
Speaker
Not that I think you should compare your employees to kids, but in the same way I do with my kids, right? If they did something good, it was all them. It doesn't matter how I helped them. And if they fail, it was because I failed them. So I think real progression is not built through skills, or educational skills, or demonstration skills, but actually just through love and kindness and honesty and integrity.
00:40:46
Speaker
In terms of the end of that phase, the best compliment you can have as a CISO, or as a leader of any department or domain, is when someone has to leave because they need your seat. That is a win, a massive win.
00:40:59
Speaker
And I think then you have to help them, right? I've had guys before, and I still have relationships with guys who have previously worked for me, where they'll say, I want to get a CISO role. And I'm like, that's great. Let's go and work out what you have to do to do that. And let's go and try and find you some opportunities. And I'll introduce you to the CISO society. We'll look at various job opportunities and see how we can help you in that process. And then chase recruiters.
00:41:17
Speaker
I think that's where we are, because in the end it's people, right? Who knows what's going to happen? I've been very fortunate in my career, and blessed at certain times to have opportunities that have given me a leg up in certain places.
00:41:30
Speaker
And I'm sure the opposite will happen. That one day, maybe one of my team will jump over me and they'll employ me. You've just got to build relationships that stand the test of time, because they're built on reality.
Conclusion and Listener Engagement
00:41:41
Speaker
They're not built on what you want out of them or what they want out of you, but on the fact that you know them and they know you, and they care about you and you care about them. You nailed it. Yeah, that is a fitting place to end. Jake, thank you so much for the time.
00:41:56
Speaker
Thanks for having me. Absolute pleasure. I've enjoyed this. I've had some deep and difficult questions. Yeah, we don't softball it. Appreciate you, man. You're awesome.
00:42:09
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:42:22
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.
00:42:37
Speaker
And my favorite George A. note from Jake is that when his team goes on vacation, he uses the IDP to lock them out so they can't get Slack or email. Oh, you're so savage. That's awesome.