Reimagining Cyber - real world perspectives on cybersecurity

CISO’s Journey to CTO - Ep 101

June 12, 2024 Reimagining Cyber Season 1 Episode 101

In this episode, Rob Aragao and Stan Wisseman look at the intriguing transition from Chief Information Security Officer (CISO) to Chief Technology Officer (CTO). Drawing from a recent sidebar conversation among CISOs and an insightful article from Dark Reading, they examine why this trend is becoming more prominent. With examples from organizations like Bank of America, Fifth Third Bank, and Equifax, Rob and Stan discuss the key attributes that make this career move logical and beneficial.

The conversation highlights the importance of collaboration, strategic thinking, and the deep understanding of both technology and business impact that CISOs bring to the table. They delve into how the roles of CISO and CTO overlap, particularly in driving innovation, increasing revenue, and embedding security by design into business solutions.

Rob and Stan also consider the broader influence a CTO has on an organization's technology strategy, the operational experience both roles share, and the potential motivations behind CISOs seeking to transition—whether to escape the increasing personal liability associated with security breaches or to pursue new professional growth opportunities.

Additionally, the episode touches on the challenges CISOs might face in this transition, such as the need for expertise in product development and the software lifecycle.

As discussed in this episode:
https://www.darkreading.com/cybersecurity-careers/ciso-as-a-cto-when-and-why-it-makes-sense


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

[00:00:00] Rob Aragao: Welcome, everyone, to another episode of Reimagining Cyber. Rob here with Stan, and Stan, before we jump in, we've got a little rivalry between you and I, you being focused on your Dallas Mavericks, me and my Boston Celtics, right? We got Game 3 tonight, as we release today's episode. And let me just clarify, because people like our producer Ben need to understand that we're talking about the National Basketball Association, the NBA.

[00:00:24] Michael Jordan came from there, right? So that's what we're talking about, Ben. But anyhow, the Boston Celtics are up two games to nil on the Dallas Mavericks, and they're back in Dallas, Stan. So this is where I get a little nervous. What do 

[00:00:37] Stan Wisseman: you should be nervous. I mean, you know, Luka is going to start up, man.

[00:00:41] You know, the threes are going to start falling. It's been painful to watch. I mean, we, we were, we were spanked. Dallas was spanked in the first game. And I really thought that after we got the lead in the first quarter. And the second game's like, all right, it's going to be different. This is it. And you know, you have some players.

[00:01:03] Rob Aragao: That's the big, you know, aspect of the, this team. It's truly a team. They don't talk about, you know, one player, you know, singled out. It's, it's truly their work well together. So anyways, enough about that onto our topic of the day and Stan, an interesting topic came up, um, back in April, I was at an event, a CISO event specifically And we had this little sidebar conversation going, myself and three other CISOs, combination of former CISOs, one actually is now a CTO.

[00:01:29] Um, and um, the, the topic of transitioning from a CISO role to a CTO role came up. Um, again, one of them had gone through that transition. And just a week or two ago, I came across an article in Dark Reading that was talking about this. This very topic, uh, was becoming more prominent. So I thought, you know, maybe we could kind of discuss it because, you know, a lot of the conversations we've had, uh, with different guests over, over the, the years really have been about, um, the role of the CISO, but that connection point.

[00:02:02] Of coming from a foundation of technology and transitioning to understand the impact of the business side of it. And I think that's really one of the kind of aspects or key aspects that sets the foundation for what is desired in that transition potentially to the role of the CTO. So I wanted to talk a little bit about that.

[00:02:22] You know, there's been some examples out there of CISOs from organizations such as Bank of America. Uh, Fifth Third Bank, Equifax most recently as well, where the CISO has actually now transitioned into that role of the CTO for those organizations. And so. Let's kind of just discuss, you know, maybe some of the different attributes that we see that connects the dots between the two of them.

[00:02:45] And I'll start with, I think a lot of the, um, the aspect of collaboration is important and understanding how you connect with the different stakeholders across the business. Right? So from the, the role of the CTO, they're driving new innovation. They're driving, you know, um, Increased revenue. And so they need to understand again, what's the business desire, uh, from them to develop these new solutions and bring them to market 

[00:03:11] Stan Wisseman: and many times, let's face it, the systems are trying to close gaps and.

[00:03:15] As far as their security controls and they have to work with the broader ecosystem within the organization to get this to happen. Right. So they have to collaborate. They have to work well in the sandbox. 

[00:03:26] Rob Aragao: Exactly, exactly. So very similar again, right in that regard where they're working with different functions and stakeholders out there in different parts of the business.

[00:03:35] So I think that's that's another key. Really, you know, attribute strategic thinking, you know, how are they going to really start thinking about, um, bringing these solutions forward? You know, there's, there's the whole mindset of, um, the CTO kind of driving, you know, creation of value, the CISO protecting that value for the organization.

[00:03:54] Um, but, but they do cross over quite a bit. They work with them, you know, each other quite frequently as well. So maybe we kind of delve a little bit into the why, why, why do we, we, we Potentially start seeing this bit of a trend out there in the marketplace. 

[00:04:09] Stan Wisseman: I think, you know, as far as, again, some of our audiences is, you know, are those folks that are in the CISO role.

[00:04:17] And so this is probably a good topic anyway, because it helps with, you know, why would they potentially want to go into a CTO role as they're looking at professional growth? And part of the reasons I think would be that it, you know, a CTO has wider influence over the organization's technology strategy.

[00:04:35] You know, beyond security, right? So, you know, you, you have more influence. I going back to the skills that you're looking for. The, um, the CISO does have to have technology chops, right? You know, that transition to also including business acumen and strategic thinking has been happening over the last five to seven years as well, but it's still there.

[00:05:06] They have technology capabilities and understanding and the CTO obviously has to be able to drive the business to change to a vision of some kind of. New set of technologies to help meet the business needs. Right? And so the fact that the CISO has some of that already and, and, and, and is already working with the executive level, uh, and potentially the CEO, they may see that well, hey, this individual already has that and they already have, you know, a security mindset.

[00:05:36] If you think about the importance of security by design. And the, the, the need to integrate security into the thinking of what you're doing, whatever it is, you already have that with somebody who's been in a CISO role and you don't have to worry about whether or not this new rollout of technology is going to be incorporating security safeguards.

[00:05:58] Rob Aragao: Yeah. And I think that's really kind of the hinge pin for all of this is that secure by design principle and the initiatives that we're pushing there. You know, we, we've had guests on the past that are in the role of a product security. Kind of understand that they have to really embed security into the different products and services that their business is bringing to the market, but that drive of what we've seen from, you know, the White House's, um, national cybersecurity strategy and insistent taking on and moving that forward with the secure by design initiative, you know, that that is, and I think a key aspect because it really helps.

[00:06:29] The core behind that is really to try to help kind of push the burden back away from the end user or consumer and back into these technology, you know, stakeholders that obviously bear that burden of issues much easier or at a lesser risk. 

[00:06:42] Stan Wisseman: I think another area of experience that both the CISO and the CTO have is, you know, again, the CISO has that operational experience and, and understands the impact that a rollout of capability can have.

[00:06:57] In many cases in the security context, you may have an impact with a WAF to an application in the production environment. And so, you know, you have to understand those ramifications and you've most likely been part of that change management process. Um, you know, and have to have the decision as to whether or not to push forward a change or not.

[00:07:20] Um, and so I think having that broader context and understanding helps the CISO in making a case, being able to say, I can, I can play in that bigger realm of the CTO because I also have an exposure. Now, one of the areas of weakness, I think, or potential weakness, depending on the individual, right, that the CTO is, is definitely doing more in the context of, um, product or software lifecycle, right?

[00:07:51] You're, you're, you're actually, you know, much more involved with the actual phases of rolling out a solution, and that may or may not be an area of strength for the system, depending on the back. 

[00:08:04] Rob Aragao: That's it. That's a very good point. Matter of fact, to that point, um, one of the people that I was having this little cyber conversation with Their background and, and their strength is on application security specifically.

[00:08:18] Um, and they've done a great job of obviously kind of, you know, coming across and, and really partnering up with the development teams, someone like that really, in the, in the, the other things that they've done for supporting their business, um, with, you know, cyber behind it could fit into this CTO role pretty easily, actually, because of that experience into your point, you know, understanding that aspect of the SDLC tied into, you know, what they really need to, uh, tie into.

[00:08:41] Delivering products while they're still being secured is, is critically important. 

[00:08:45] Stan Wisseman: I, I think they have to get up to speed on the whole, you know, product development side of the house. And if you already were doing some of that, um, security and, and, you know, sort of like injection into the product, um, or software development process, then you have some of that exposure, um, and, and have an understanding of how it works.

[00:09:05] Rob Aragao: Yeah, let me throw this at you. This could be a little bit of a, um, debatable topic here. Just, just something to think about. We, again, we kind of had this as a little bit of that sidebar discussion, which was, is this happening because it's logical in some of these examples we've been talking about, but is there also potentially something more so behind it that is attributed towards what we've seen with, uh, You know, the, the, the SEC cyber ruling, for example, the risk and personal liability of the CISO in an organization.

[00:09:35] We've seen examples with the CISO tied back into SolarWinds and what was going on there. Uber, another example, right? So, so are we 

[00:09:42] Stan Wisseman: talking about motivation for why the CISO potentially would want to change roles, but also still be at the, uh, executive table? 

[00:09:49] Rob Aragao: Absolutely. Still be at the executive table, but obviously be able to pull that personal liability.

[00:09:53] Off of their shoulders. Cause there's, there's so much of that obviously out there now with especially SEC cyber rule behind it and other examples that have been happening. So just food for thought, what do you, what do you think about that potential? That, that came up as something that we're talking about.

[00:10:04] Stan Wisseman: I mean, that could be it, but I also think that, you know, just the, um, day in, day out pressure of that CISO role, um, independent of, you know, whether or not you're, you're actually in higher, you know, um, risk of, of any kind of regulatory or legal. I think that over time, some people grow weary of it. Um, and so again, looking at, well, for my professional career, where could I progress?

[00:10:37] You know, it could potentially be like to the CRO. Um, but if you're, if you, if you like the technology aspect of it, uh, and, and sometimes the CTOs also don't have the burden of having a lot of staff reporting to them either. That's true. You know, depending on the organization, you know, they, they, they, they may be more of a big influencer and, and, you know, but they don't have necessarily the burden of having hundreds of people reporting to them.

[00:11:05] Reporting to them, um, depending on the size of the organization. Right. Um, so yeah, I, I, I, I, I, I think it could be that they're looking at this role of CISO as being too hot after a while and then saying, Hey, where else can I go now that I've actually proven myself in the organization, I like to stay here, like to actually continue to have a seat at the table with the executives and influence.

[00:11:32] And honestly, the CTO has broader technology influence, certainly, um, as far as the direction of the organization and where they're going to as far as helping support the business. You know, I do think that again, I mentioned, you know, we talked about the whole product development side of the house, there are other areas that.

[00:11:51] You know, if you think about where organizations need to be going, they need to be looking at AI, they need to be looking at data analytics and cloud. Again, those areas, the CISO may have touched upon as they're trying to secure cloud environments and put guardrails down. Same thing with use of AI potentially, but they may not have the

[00:12:12] chops to be competitive as in that CTO role. Unless they hone up on those, those domains. 

[00:12:17] Rob Aragao: Yeah, yeah, absolutely. It's a new, uh, area that we're kind of keeping an eye on. We've seen some examples as we touched upon, it was an interesting conversation. Uh, and then the article just kind of piqued my interest.

[00:12:27] That's why I thought, you know, it'd be good to just kind of put that out there and let's see how this evolves. So maybe in the future we'll, we'll pick up on someone that, you know, we can bring on as a guest that has actually made that transition to see what that's like, some of the drivers behind that.

[00:12:38] Um, the lessons learned. After you've been in that seat for a little bit of time as well, be interesting to kind of get their perspective. 

[00:12:45] Stan Wisseman: Yeah. Cause I, I think it is anecdotal at the moment as far as these kind of transition to the CTO role. There's not a lot of statistical backup or any kind of data saying that, yeah, this is a definite

[00:12:56] trend of CISO transitioning to CTO. Um, but to your point, you, you've spoken to somebody who's made that transition. We saw this article and there are, um, other opportunities for the CISO beyond the CTO, right? I said, you know, the CRO and other positions, but, um, it's good to always raise this up. And, and I'm curious as to the feedback from our audience, you know, again, if, if, if you're skeptical of this or if you want to affirm what we're talking about as far as this being a valid opportunity for the CISO, please let us know.

[00:13:34] And if you see there's a more viable path or more likely path to a different role, let us know and we'll, we'll focus on that too. 

[00:13:43] Rob Aragao: Absolutely. Well, Stan, interesting topic and until next time. 

[00:13:47] Stan Wisseman: All right. Take care, Rob.