Spend Advantage Podcast

The Modern CISO with Brent Deterding

February 07, 2023 Varisource Season 1 Episode 24

Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time, money and grow faster. Especially bring awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage. https://www.varisource.com

Welcome to the Did You Know Podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow. Especially bring awareness to smarter, better, faster solutions that can transform your business. Hello, everyone. This is Victor with Varisource. Welcome to another episode of the Did You Know Podcast. Today we have a special guest. We have Brent Deterding, who is the CISO with Afni. Afni is a global outsourcing consulting company with more than 10,000 employees. And as you guys know, a lot of times we have suppliers on the show talking about the latest technologies for businesses. But today we have a customer and a CISO sitting on from a customer point of view to provide insights, to provide his knowledge and his thought on the overall theme of what does a modern CISO look like in 2023 and beyond. So we're super happy and glad and appreciate you being on, Brent.

U1

Cool, thanks.

U2

Brent, obviously your background is awesome. You've been in security space for a long time. If you can kind of maybe just give the audience a little background about yourself. Did you study security in college? Is it like your whole career or kind of walk us through how you became kind of the CISO of a 10,000 employee company?

U1

Yeah, it was very unique. There's not many of us who went from the vendor side to the client side. Right. So I started lungo. I was employing Route 21, a little company called Lyric that turned into a company called SecureWorks and Del Bottas and all sorts of stuff. I spent 19 years there and 15 years in operations, four years in technically sales, but I spent 19 years with lead in my title in some way. Right. So interact with sellers, product management, marketing our clients from an operations perspective, also from a go to market perspective, all that. And I really took all of that expertise and experience and instead of filtering it through a practitioner lens, filter it through an executive lens. And that enabled me to go out and be a CISO. Now, that said, I interviewed for a long time to find the right culture fit. I have a friend, Malcolm, who talks about success as the CISO looks like. I believe in the mission. I belong. I fit culture and I matter. Like they care what I have to say. So that's really what I was looking for. I didn't have those words to articulate it, but that's what I was looking for and that's exactly what I found here at Afni.

U2

That's awesome, man. So one of the reasons why you and I kind of got together and started talking is your branding overall, your sharing of knowledge and information across social media. And again, to me, that's branding. You're doing a great job of building the branding of yourself. Obviously you were on the supplier side, but now you're on the customer side, but you continued that posting and education. Can you kind of walk me through what got you into kind of the branding or just sharing and posting? Because it's not easy. It's also not easy. People think, yeah, I just post something online, but sometimes people are afraid or shy or whatever. Right, but what's kind of your view on the whole thing?

U1

Yeah, so I've never been short of opinions and I've always really loved engagement. Right. So I'm not married to any of my opinions. Exactly. I'll re-answer that.

U2

No problem.

U1

I've never been short of opinions and I love discussion, right? I love engaging because I might be wrong, right? I tend to have a lot of opinions that other people do not have, and I like to beat those ideas up and kind of see what comes out. And that's always been the case. And I've done that in a couple of different forms and formats throughout my entire career. I began doing that on LinkedIn specifically because I kind of shifted, frankly, with COVID I was engaging a lot on Facebook and stuff about non professional things, politics, religion, whatever else, but having a lot of meaningful conversations and relationships and the civil discourse kind of quit happening. So I kind of shifted my energies into my professional life where I had lots of opinions, lots of experience, lots of tidbits of wisdom. And I started throwing those out there and they resonated pretty well. And having a professional network is kind of like being strong, right? Being strong is never a weakness. Having a good, solid professional network is never a weakness. So I started something just recently to start 23. Over the Christmas break. I wrote 74 LinkedIn posts. Right? All formatter pictures and tags and all that, about things that I had just kind of in my head. I wrote down a list of topics in November, a week between Christmas and New Year's. I sat down, I wrote all these posts. Then I used to schedule those out on LinkedIn every Tuesday, Wednesday, four through September. The first post I made for the New Year got 130,000 impressions, which. So and the second one got 40,000. So, like, that's fun. And I engage. I've had a couple of hundred new connection requests. I've had a lot of meaningful conversations. I've been introduced to a lot more people, and it's fun. Like, I enjoy being a CISO. I enjoy building my personal brand. I enjoy these conversations. And quite honestly, it makes me better.
It makes me way better to put my ideas up against people and say, well, maybe you should think about X. My God. Sweet. Awesome. Let's talk about that. So it's very enjoyable for me.

U2

First of all, maybe you need to teach me about social media. I don't know. You know, I don't get 100,000 views, but, you know, so you can teach me that later. But yeah. So, you know, obviously back on the security topic, so this is, you know, one that I know we can spend 5 hours talking, but what is your view on the current world of security? It's very broad. I mean, from COVID before COVID after COVID, security has always been important, but obviously after COVID and just all the hacks that you see every single day, right, from big companies, if big companies with billions of dollars are getting hacked, like a smaller company, you're probably not too far behind. Right? But it's just such a scary yet convoluted and complicated world. So what's kind of your thought on that?

U1

I have a very different opinion from a lot of people in that I think that significant risk reduction is fairly simple, easy, and cheap. Okay, that doesn't mean total, right? But that means that so simple. It refers to the technology, right? Implementing many things like multifactor authentication, even phishing resistant multifactor. Everyone would say, yes, that's the best bang for the buck. That's the most cost effective thing that we can do. And it's simple. That's a technology statement. It's easy. That is the people process statement. And frequently as human beings, we make simple things hard, right? I try my best to not do that. So maybe a background in sales, maybe understanding people's incentives, whatever it is. But I try to make simple things easy. And what you find is that a lot of simple and easy things that are big risk reduction items are also cheap. Multifactor mitigation is not expensive. Now, there's always a discussion about there is no 100% security with any functionality. True, fine. But we can get to 100% in a couple of things. Multifactor is one of them. For example, I have kind of three, four, maybe five hills that I'm willing to die on as a CISO. And what you find is that when you do those things, the need for so many other complexity controls, spend, cost, time, effort, material, all this stuff is dramatically reduced. So when I see a big breach, I see generic security, I see best practices security. I don't see things that are well designed and well engineered to that specific organization. And so part of my kind of thing is I make big statements to Cisco, captain this like, at least in 2024, when some of my contract expire, I'm going to give back a quarter of my budget to my company, right? I don't need it. I'm good. And that just blows people's mind. So I think that especially as if we encounter a recession in 23, I think that this is a very necessary and popular message to deliver.
And there's kind of some simple tests that you can use to do this. Like, if you go and ask a CFO, what is the EBITDA of the company? They can tell you right away. I think the same for CISOs is saying, what are the top three to five risks? What's the likelihood of those happening? What's the approximate kind of sort of impact in financial terms? And what do we spend to mitigate? And that applies at the board level, but it applies on an end individual of them. Look at everything that I'm spending. Look at every single thing in my tech stack, and I say, is that a $10 solution to a $5 problem? Oh, this one thing requires the threat actor required would be a nation-state level actor. I don't face the nation-state level actor. I don't need to spend that money. And when you apply that process, or you ask the question, tell me a story where this risk costs my company money, or tell me a story where this product saves my company money. Right. Avoids cost. And I think that those kind of simple litmus steps are really good ways to say, do I really need to spend this money or can I spend it on some of the things that are simply easy and cheap?

U2

Yeah, that's why we call you the Modern CISO, right? Because everything you just mentioned there in that last couple of minutes, we definitely need to have a webinar with you on specifically that alone, obviously, to make complicated things easy is not easy. It's not easy, but it's not easy. There's so much risk. Things at risk. But I love your approach. It's leadership. Right.

U1

It's vision. It's really understanding the business. Right. And so all of that great topics and great answer.

U2

So the next thing I'm going to ask you is, look, you're a very positive guy, but what are the top three things that keeps you up at night? Kind of metamorphic, I mean, metaphor wise. Right? But what are the three top three things that you're concerned about or that's kind of top of your mind all the time?

U1

Yeah. And I'm going to flip that around, because that's a negative question. Right. And I'm not upset with you by humans, but I like to flip it around and say, why do I sleep really well tonight? Why is my stress level really low? Now, let me caveat this by saying that my organization in particular, we run call centers in the Philippines, amongst other places, and we have clients that are very desirable for attackers. So we routinely face moderately sophisticated, extremely well coordinated, very, very dedicated attackers. I know exactly, exactly the level of attack I face. And it's no jump. So I've been through those incidents. I've been through all the stuff. I do the IR. I did two last week. Right. And yet my stress levels are very low. I have no burnout. I'm happy. I don't turn to drugs and alcohol to deal with my life. I love everything about being a CISO. It's great. I think everyone should do it, or everyone is well suited to it. So given that background, why am I able to have that approach? One is that I think a lot of CISOs get a bit stressed and overwhelmed by things that are outside their control. Right. You don't control the bad guy. Yes, I get it. But that means that I also control my reaction to the bad guy. I control my reaction to the incidents. Now, do I saddle up and get on and do the incident commander thing at 11:00 p.m. and all that? Yes, of course. That's the job. That's not a problem. But the level of stress that I incurred from that is not significant. Right. By the same token, your airline pilot who flew you on your last trip right? He's not leaving the airplane shaking and getting all stressed out and burned out. That's his job. He does that. It's a stressful situation. But he handles well. 14, right? So that's one aspect, right? And part of it so one is a choice. Two, I trust my team. I came in, I've been a CISO for eleven months or something like that, right?
I trust my team of being able to mentor and lead them well for my philosophy and I trust my program, right? We have put in place the simple, easy, cheap things that are extremely effective at reducing risk and as a result, I know that I reduce the risk to a level acceptable to my business. So I know that broadly speaking, anything that happens is not going to be a material event for my company and that is a very big deal. That's like my success for good, right? So in recent incidents, for example, we've had minimal to zero business impact and we bounce and we plug them and at the end of the day, that's victory, right? Because we're better as a result of it. We were tested, we are all back. But we're better for it. And there was not business impact. That's a huge picture. That is not a cause for stress or burnout. That's a cause for celebration. Like hey, we did great and we got some stuff done and we found a little weakness since this but we're good to go and it validates the overall roadmap and overall approach as well. We are doing exactly what we said we were doing and it's successful. So I am encouraged by those things. That's why I do sleep well at night. That's why I am not stressed, that's why I'm not burned out and nor will I ever really be because I'm well suited to the gate. And as a perfect you said a bit ago what we have to acknowledge is that the vast majority of problems in security or things that we might address, not even problems are not technology problems. They are people process, right? The whole easy versus hard thing, that's a people process thing, that is not technology. And at that point, what makes a difference is not technology but your executive bearing and your confidence and your ability to respond, to understand what incentives are and to align with the business and to get along with people and all of those things. Although software, that's what enables you to be successful.
Whereas for the first 27 years of my career it was technical acumen, right? It was a security practitioner am I and how well could I maybe articulate that kind of sort of what helped me then won't help me now. And I think that a lot of systems would benefit a lot from fully putting that down. So example when I started interviewing, I quit telling other people that I was technical. Being technical was part of my identity for 20 years. I quit telling I was technical but then I didn't quit telling myself I was technical. So I started and I was like people would say something and I was like, yeah, I get it. I know I got chops, I can still do it, right? I had a friend that asked me and goes, how do you keep your technical skills sharp? And I was like, I don't. That's not me. That's not my gig. Right. I'm an end of health, and Bill Belichick doesn't hop on the field and start running plays. That's not his job. Right. His job is to be the coach and the leader and lead the team and do all that. It's well, it was Tom Brady's job to go execute that, right? So I don't have access to my team's tools. I trust them to do the job. It's not fair for me and don't have a lot of mental bandwidth. I don't have enough bandwidth to be a tech guy and the executive guy. That's not going to happen. Yeah,

U2

I love that analogy, man. With your confidence, I think the attitude, the leadership, you're on your way to be the Bill Belichick of the CISOs. That was an awesome analogy. So, obviously, whenever a category like security, which is very broad, I mean, literally, there's security for every little thing. Every little software has another security just for the software. Right. It's like there's so many things, there are so many vendors also. There's new suppliers that come out every single day with cheaper, better, faster AI technologies. How do you, as a CEO, find the best solutions in the market or find the solution that or even when you're looking for a solution to find the right suppliers, how do you look at that relationship with suppliers and that technology just ever expanding?

U1

Yeah. So I tell you what, this will be very valuable to anyone who is starting to market into cybersecurity people. And I spent 19 years on the vendor side for that wasn't sales. I have strong opinions about this. Now, let me tell you this with that. In 2022, I met with about 100 vendors. I liked vendors. I am very, very atypical among CISOs, most CISOs do not give nearly that number, that many vendors, any amount of time. And the reason being is that we get burned. I get between two and five cold calls a day. I get 25 some odd emails. I get invited to a couple of events a day. I get bombarded with junk. And even beyond that, even the people that I give a little bit of time to, there is a ton of very bad behavior amongst vendors, right? And they get lambasted for that. You get into a room of 50 CISOs where no sellers, no vendors are allowed, and say so vendors. And I mean, they get out of the torches and pitchforks, right? They cut. It's annoying. It really, really is annoying to get that many calls and reach out and all that. So my solution, I'm an easy target. My target is I have a pinned post on my LinkedIn saying, this is how I want vendors to contact me and work with me. And beyond that, it's really any warm reach out if you send me a LinkedIn note and it has anything to do with my organization or me. And it wasn't like copy pasted. I'll reply, Read what? You're right. I'll give you time, and this works all the time. But that is atypical, right? That said, here's how most CISOs talk to vendors. Like, how do you get them on the front door? Word of mouth is huge, right? I went from evil sales guy on Friday to trusted thought leader on Monday and quite literally got access to Slack channels full of hundreds of CISOs that are very willing to help out, speak, mentor, all the things, right? So when I needed a solution to do X, I went to my channel and I went to a couple of my networks and said, hey, who do you guys use for Blah?
And I got boom, boom, boom. These people. Don't worry about it. These people? Awesome. Great. So I have an advisory company. I have IANS, which I love, similar to Gartner, but specific to security, in my opinion, better. I have my CISO network, word of mouth, right? I have a reseller that I love and trust. And so if he says, hey, you need to check these guys out, I do that. So those are three networks, but beyond that, if you reach out, a warm reach out to me, something about me that indicates you read anything I ever wrote or my organization, I give sign, so I have no issue staying on top of.

U2

Maybe a quick follow up on that. Brent, I love that approach, the fact that you're very open, because I hear a lot of executives say, like, yeah, I find vendors at events. I find vendors just like, on the news. I'm like, wow. That's it? Like, that not sure that's the best practice. But even when you're talking to these suppliers, what are some things about those suppliers that really make you think, like, oh, wow, okay, that could apply to my business? Is it something that's top of mind for you at that moment? Or are you thinking a year or two years from now? Like, hey, you know what? This is probably I get the products, but this is probably not a now thing, but maybe down the road? Or is it like, how do you kind of look at these suppliers to determine the next steps? Or, like, something like, people that I want to work with? So,

U1

prime example, I worked here at SecureWorks for 19 years. I love SecureWorks, right? Love it. I help build a place. Like, it has my fingerprints all over technology culture, the whole narrative. Right? Yeah. Don't buy them. And I don't buy them because I'm in three year deals that the last guy signed, and I get out of the deals. So even though I love the company, I'm not a buyer now. I have IRS retainer and all that kind of stuff. That's fine. But for the main product, I can't, because I love it, but the timing is not right. So my caveat to so many vendors is like, hey, most of my budget is locked up in three year deals. I'm not a buyer, but I am willing to be educated because guess what? I get on podcasts. I go to CISO conferences, I get LinkedIn messages, I make posts, I do all this. I have a lot of ability to refer, say, hey, I think they're credible. I didn't buy them, but I think they're credible, right? I have a lot of ability to do that. So it is worth your time to educate me, and for me to be educated. Now, here's the flip side. CISOs bitch and moan and complain about bad vendor behavior. No doubt that exists. That's the thing. But once you have decided to take that meeting. You have a responsibility to Cisco as well. So what I do when I get on with vendors is I tell them that kind of stuff, which really is MEDPic or whatever academy you want to use, but I tell them all the stuff that they need to build their sales force. Right? I say, I'm the economic buyer. Here's my motivation. Here's my timeline. Timing is not good right now, but educate me. Sure. And if your director calls me, I will ban your domain forever. I don't want to play with that stuff. Right? And I joke that, well, I really do like whiskey, but that's not the thing. Right? It's a good way for people to talk to me about whiskey, because I like it, but I'm not after trying to get whiskey for meetings and stuff like that, that's not my game.
But when I bring that to them, then I'm helping them. I'm matching their effort. So they put some time into me. I'll put some time into them. And the goal then and this is the big, big thing my goal is to so and their goal as a vendor should not be a sale, because timing can be all jacked up. Yeah. Right? The goal should be the relationship. If the goal is the relationship, that's good. Let me give you a quick example. Last June, I was three, four months into being a CISO. My dad died. I haven't posted that on LinkedIn because I was making a larger point about life and communication, whatever. And someone that I not talked to from Red Canary took the time, looked up the office address of my company, wrote me a handwritten note, sent that to me to my office address. Was like, hey, I don't know your home address, but I hope this gets you. And I did. That guy will get my time for the rest of my career no matter what. He wants my time. I don't care if he's selling ladders for the rest of his career. He gets my time because he was invested in me. And me. Tell you what. Last year, all of last year, despite 100 meetings I took. Three lunch, meetings, lunch or dinner. That was not part of an event. My reseller a good friend of mine, and that guy, that was it. Wow. Right. Because he was invested in the relationship. Now, there are plenty of other people that I know and like and all that, but, like, that's who I said, I'm going to sit down and take time and just hang out with this person because I want to hang out with them. Right? Yeah. So with the relationship, that works because I've been around the sinister you a long time, right. Business cards change, names stay the same, and you should be at CISO conferences, man. Like, we get to know one another pretty well. It's like, oh, where are you at now? Oh, where are you at now? And we all talk. Right? So bad behavior will get you negative publicity and not a good way, but good behavior.
I mean, I just went on a podcast and said Red Canary in this case, right? Because I wouldn't broadcast that. That was awesome. 

U2

Yeah. I just love these insights because, like you said on Friday, you were on the vendor side trying to sell to CISOs, then now, Monday, you are a CISO, and yet you're getting into the inner circle. You're like, wow, I didn't even know there was a circle. It's a fascinating insight. So a couple of last questions. We talked about some challenges, and obviously things process, but what are some challenges of running a 10,000 employee company? Right. Obviously, this is not a 500 employee company. Every company, every industry, every size have different challenges. But a 10,000 employee, that's not small. Right. That operation is more people, more complexity, more loopholes. Right. What have been some of the challenges of running a 10,000 employee company?

U1

Sure. So one of them is trust my team. Right? So I am very much not a micromanager. I do kind of commander's intent, right? So, like, here's what I want, here's the end result. Here's what good looks like, here's what bad looks like anywhere in between there. Go forth and do let me know if you have problems. Right. I trust my people. That helps. The other thing though, is people around faint probably get tired of me saying this, but I'm like mash the easy button. Like whatever the easy button is, I want to mash it. I am all about 80% solutions right now rather than a 95% solution in six months. Right? And often that looks like Microsoft, right? So like, we have a full Microsoft stack. So it's like, hey, can I do this with Microsoft, with licensing that are there better alternatives? Maybe, I don't know. But this is good enough for me. So let's get that done. And then we'll tune and tweak and we'll look at that after the fact. Right? But I moved very quickly. And when I can standardize things, when I can make things work, I learned it from the vendor side, right? So, like, secure catches bad guys early in the kill chain, right? That's what we did. We after 19 years,

U2

your mind, your soul is still there. 

U1

Yeah, like, it happens, right? But we cut bad guys early in the kill chain. Now it's like, okay, well, can you do this? And I was like, well, yeah, I mean, I can, but that's not my wheelhouse, right? So one big lesson I learned from 15 years and offs there, plus just in general, being around and seeing thousands, hundreds, if not thousands of clients is work within the wheelhouse, right? So I think there are solutions and it's like, is this in your wheelhouse? Is this what you do? And you can tell that on a call, right? When I ask a question of a vendor and the SE is like, yes, absolutely. We do that all day, every day. We're the best in the world at that. That's a good sign. If I'm like, hey, can I do this? I'm like, yeah, well, let me see. That's a red flag, right? So the more I can stay within someone's wheelhouse and the more I can mash the easy button, the better off my log is going to be. Now, after I do that, those are like people process things, right? After I do that, I like scripting. I scripted a lot of stuff for a whole lot of years, right? So I'm aware of what now the cool kids will call automation or SOAR or whatever. I have scripters on my team and I'm like, hey, I need a script. I know enough to know that there's an API here. There's an API here. I need this to do that. Write me a script, get that done, right? And so that's good because that allows us to the ideal situation is that we all sit around and we're like, so we're good. We're running all the programs that we need to run. We have all the stuff going and this is cool environment. And then they're like, oh, well, hey, then I can empower my people to go research or do whatever is self fulfilling or cross train or do whatever else. And at the end of the day, if we can accomplish our goals not work a whole lot, then that's awesome. That's the goal in my career of automated myself out of a job four, five, six times. There's always work.
There's always new cool stuff to do. So, yeah, it's kind of threefold, right? Like, hit the easy button, work within the vendor's wheelhouse, like what works and what is simple and easy. And then automate where you automate whatever you can.

U2

Again, I keep coming back to that leadership that you have in kind of the approach. And I think a lot of people, after hearing this episode, whoever's in security was going to want to work with a boss like you, right? It makes a lot of sense. You're empowering people and you're not worried about politics. If you can automate make everybody's job easier, you're not trying to not do that because of certain reasons. Right.

U1

And the side effect of doing all that is that you're enabling the business. So I can cut my budget and I can say, hey, CEO, you can use this 100 grand somewhere else better than I can use it. So you could do that. May not look at it that way, but the fact that you even looked at it, that's interesting though. Can you kind of speak to that? Like why

U2

you are open doing that or maybe even proactively doing that, I guess? Oh, yeah, 

U1

I totally proactively do that because I don't care whether the owner of the company puts it in its bank account. Right. I mean, I don't need it. So if I'm able to reduce risk to a level acceptable to the business and have confidence that is happening, then I don't need to go spend money just to spend money, right? And just because something is cool. So let's say allied most products on the market are let's assume they are elegant solutions to a real problem. I'm willing to go with that assumption. Right. But are they a $10 solution to a $5 problem? And my $5 problem might be someone else's $500 problem, right. But my environment is unique to me. So example, we run call centers in the Philippines. If a tsunami hits Manila, that's really, really bad. Right. And there's nothing that I can do to prevent a tsunami. I can do all sorts of stuff with geolocation insurance plans, all that. But at the end of the day, if a tsunami hits Manila, it's a real bad day. We've accepted some of that risk. Right. And we mitigated some. We trained transfer, it all that. But a big chunk is accepted on the cyber front. China wants me out of business, I'm done. I'm not defending against it. That is a threat that I've accepted a risk that I've accepted right. Now. Does that mean I've done nothing for that? No, it just means that if it happens, we're done now. Can get some moderately skilled adversary? Yeah, I can. Are there good things from them? Yes. But if China wants to burn 1000 people in as strong as a zero days to put me out of business, we're done. Right. I can't do that. So that is because of that, I can say I have addressed the risk to a level acceptable to the business. Right. And then anything above and beyond that. The business can use better elsewhere, right? That is me being the executive who happens to be the security guy, right? And that's enabling the business.
Now, I can also enable the business by doing UBI Geese and Streamlining log ons, which is more secure. Yeah, but that's not how I sold it. I sold it as efficiency gain, right? So I can do the things that are secure and enable the business, made people's lives easier. And at the very least, I can do things, I can bring people along, right? So here's an example email retention policies, right? So that is an emotional thing. People believe that their email from ten years ago is valuable. I look at that as a liability. I say anytime I have liability without business functionality, that's not acceptable. So if I have liability from something and all it is is causing a small amount of convenience for some people every now and again, maybe then that's not a good trade off. So to overcome that, it's a human emotion, right? You're overcoming cognitive dissonance. They believe that this is valuable, and I'm saying it's not. So overcoming that takes between minutes and months, depending on who you are as a person, right? So I started months and I gave people and I brought people along and said, so here's the deal. This is a liability for the business. Here's why. Now, I understand it's valuable to you, but if you're in my position or if you're looking for the whole company, what decision would you make? I'm like, oh, well, yeah, I get it. And once people buy in, then they're in. And that way is never adversarial. It's always like, we are doing this to help the business succeed. Because people are invested in their employer, generally speaking. They want to do good, they want to do secure, they want to enable the business. And this allows us to go faster and better and in a more secure fashion. And everyone buys into that. But they're in. It's not a technology thing, it's not even a risk thing, necessarily. It's a leadership emotion thing. Yes.

U2

Everything you just said leads perfectly to our last question, but before I go there, just all your approach, I think the fact that you're willing to reduce your own budget because, you know, you don't need it to give to maybe CEO, CFO, HR, whatever, for that they can improve their business. I think it also builds relationship, right? I mean, end of the day, when you're at the management level, executive level, you got to build a relationship. You're working with other departments. You might be the specialist in your area, but you got to work with all other departments. And that relationship, I think also maybe part of it comes from your sales background too, because to some degree everybody has to do sales. Whether you're selling externally, you're selling internally, there's always sales of different kind you need to do. Do you feel like your previous sales experience has kind of helped you in this area?

U1

100% without needing. And it's funny because people think that to be, quote, good at sales, you have to have a salesperson. And that's not the case at all, not even a little bit. Because what it boils down to is empathy, right? Actually, two things: understand that people respond to their incentives, and empathy, the ability to see what other people care about and why. And that is not a manipulation thing. But it's somewhat interesting, right? At some point, the difference between building an authentic relationship and social engineering is identical behavior. It's just the intent that matters, right? So I have always been one to form relationships pretty quickly and build rapport pretty quickly. So they came naturally to me. But the more I understand, the more I can put myself in someone else's position, the better I am able to operate with them. So I'm routinely thinking, I'm like, all right, so if I am the CEO and the owner, we are a privately held company. If I'm the CEO and the owner, what do I care about? What do I need from my CISO, right? What do I need from my CIO? What do I need from my CEO? What keeps me up at night? If I'm in a public company and I'm the CEO, what is the board going to ask me? And then being reporting to the CEO, what can I provide them so they have all the answers they need? Right? And fundamentally, that is sales, but that is empathy, incentives, giving a damn, whatever you want to call it, right? So it's not really quote sales. It's just, I think, being able to build rapport and work amongst people. It's always kind of cracked me up. Right. One, you can't become a CISO without everyone telling you what a terrible idea it is. But two, what you come to appreciate is people always say, I can never deal with all the politics. Yet I don't experience quote politics, right?
And in every case throughout my career where quote politics was an issue, I have found that reasonable people exist and you can speak to them. And then once you understand incentives and you get on and you talk logic and reason and all this, then generally that works. Now, does that say that there's no toxic people out there? No, of course there are people stalking, right, no surprise. But as a general statement, especially amongst executive level, these are reasonable people who want to do the right thing. So approaching it that way works. Now, I know what I personally, right, so I'm sure if I put myself in the CFO's shoes, maybe I have this image or stereotype about IT or security or something. And so if this new CISO comes in and starts talking about how the sky is falling and China is going to kill us all and all these bad things, then my stereotype is reinforced and I'm not going to believe that guy. And then there might be quote politics, but if I come in and I'm like, hey, there's a whole lot of bad stuff that is possible, but I want to focus on what is likely and address that in a cost-effective manner because I want to be a good steward of the company's resources. Find me a CFO on the planet that doesn't like that guy. Right.

U2

Yeah, totally makes sense. And I think everything you said really sums up, not to have you repeat all of that again, but it really sums up our last question, which you and I started the conversation with, right? Which is the theme of this session, which is what does the modern and future CISO look like in 2023 and beyond, in your opinion? And again, I think everything we went through today, you really demonstrated that. Right. But maybe just in a couple of minutes, maybe your suggestion for other CISOs or other people who are trying to be CISOs, what do you think that modern future CISO needs to look like for companies to succeed?

U1

So maybe two things that are easy to say and hard to do. The first, maybe: have this question on the tip of your tongue for yourself, for your internal team, and for external vendors. Say, tell me a story. Tell me a plausible story that this costs us money. And this can be a vendor solution: this saves us money. This can be a risk or a threat: costs us money, causes business impact. And by doing that, you will inherently force yourself to say, is this worth it? Am I buying a $10 solution to a $5 problem? Why am I doing this? It's kind of unleashing your inner child, like, why are we doing this? Why are we sending questionnaires out to vendors and get them to reply? Why are we spending a mass amount of time doing vulnerability management when we could automatically patch? Why are we spending a third of the budget, and yet I cannot quickly say what the value is? If you cannot in 5 seconds say we spend 100 grand on this tool to do this, which has approximately crazy amounts of risk, if you can't do that, like immediately, you really need the question. So that's one aspect, have that question on the tip of your tongue. And the second, and this requires a little bit more thought, but they're very related. Say, what would be required for me to get to maintenance mode? I got my organization, we are that close. We're that close to maintenance mode in about a year. Okay? Now, I had some good stuff starting. By no means did I start from ground zero. But maintenance mode does not mean that you sit back and you don't work anymore, but it means that everything is business as usual. I don't need to go spend money. I don't need to get my hair on fire. I don't need to get stressed. Incidents may or may not happen, but less likely if you're not. And it's really just about getting better at what you're already doing, right? And risk is already reduced and getting more efficient with that spend. Right?
And what's interesting is that if you ask CISOs in general, either, can you get to maintenance mode? Or you might say, are we ever done? Similar but a little bit different. A lot of them will say no. I talked to one CISO, had a $60 million budget, massive budget, and said I requested 90 million. And my board of directors said, what have we done? And she said, I will never, ever fail to ask for 50% more budget. And I said, okay, I'm 180 degrees opposite from that philosophy. Right. I'm not saying she's wrong and I'm right. I'm just saying, like, that's not my philosophy. My philosophy is that you absolutely can get to maintenance mode by asking all the time, how does this cost me money? And if you can answer that very quickly, get ready to do it, because it's probably not helping you. And then it applies to process, people, vendors, whatever else. So those are two of the things that I do that I think have been very successful and that I think the industry would be better for if everyone did that.

U2

That is a great closing, my friend. Last question we like to ask every guest is more of a personal question, I guess. More personal thought. You've been through a lot again. You've done sales, you've done on the vendor side, you've done operations. Now you're CISO, you've seen a lot of different things. And if you have to give everyone one advice, whether that's a personal advice or a business advice that you're passionate about, what do you think that would be?

U1

A lot of things come to mind. But one thing that I come back to that has been very useful in my entire career, both personally and professionally, is that people respond to their incentives. So that applies to me, that applies to other people. It applies to my kids, applies to my wife, applies to everyone. Right. Like, what are people's incentives and understanding. So that kind of goes along with that empathy thing. Right. And that enables me to be empathetic and have a relationship with them. And at the end of the day, I like good, authentic, valuable relationships, be it professionally and personally, whatever. I like people. I'm aggressively extroverted, and I feel like I can be a better leader, husband, friend, father, all that, when I understand what people's incentives are and I'm empathetic to what they need.

U2

Yeah. This has been an amazing recording. Honestly. Just love all the tips you've been giving and your energy. It's contagious. That's part of great leadership, right. You got to be able to hold a flag and run through the wall, right, so your people can follow you. Honestly, Brent, amazing, and really appreciate you being on.

U1

Cool. Thank you very much for having me. I appreciate the opportunity.