Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.
[00:00] Seeing the best of the job in the often thankless role of CISO
[06:04] Building teams through learning strengths vs the negative perception of employee poaching
[09:50] Starting out in IT & transitioning to CISO through consistent skill-building
[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third
[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset
[38:06] Managing the many highs and lows of becoming a CISO
Axonius gives his customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at axonius.com/platform/cybersecurity-asset-management
What skills and education level helped you land your first CISO position? [from: John Rosario]
Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.
“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”
Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]
Compromise is king, even in the C suite, but Allan didn’t understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels as if a successful, impactful CISO needs to not only prioritize security as their mission, but also needs to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.
“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”
What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler]
Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor.
“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”
What's the best and worst thing about being a CISO? [from: Ofer Shaked]
There’s a great deal of ups and downs that come from being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flipside, being a CISO for an organization that doesn’t understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he’s yet to meet a CISO that hasn’t encountered that at some point in their career.
“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that’s probably the best feeling [for a CISO].”
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord