Security Market Watch

Cyber Security, Investment, and DEI dynamics with CISO Charles Payne, Neptune Media

November 09, 2023 Josh Bruyning Season 1 Episode 19

Today's guest, Charles Payne, brings a unique perspective to cybersecurity with his background in finance, his current roles as CISO and CTO at Neptune Media, and his experiences as an angel investor. Charles shines a light on his transition from finance to cybersecurity, unraveling how his technical knowledge has given him a unique perspective on investment opportunities. He also shares strategies to overcome the challenges of selling to different regions and how to build an effective BS meter.

The conversation gets captivating as Payne emphasizes the importance of building relationships within the cybersecurity industry. He explores the gender dynamics at play, shedding light on how men and women measure success differently, and the disparities women face in the industry. We also discuss the necessity of Diversity, Equity, and Inclusion (DEI) initiatives in closing the gender gap and fostering a supportive sisterhood within the cybersecurity realm.

As we delve into the ever-evolving cybersecurity landscape, our discussion takes an intriguing turn with the Joe Sullivan case and its potential implications for C-suite executives. We explore the legal responsibilities of corporate executives and the importance of having a proactive approach to cybersecurity. We also discuss the initial steps a new CISO should take to set the stage for success. Join us for this insightful conversation as we uncover the intricacies of cybersecurity and strategic partnerships.

Speaker 1:

Welcome to this episode of Security Market Watch. This is the show that goes straight to the source for security market insights and trends. Today we're talking to Charles Payne, who is the CISO and the CTO at Neptune Media, and Charles is also an angel investor. So if there's anybody who can give us a lay of the land and give us some insights into the cybersecurity industry and the business of security, it's Charles Payne. Charles, welcome to the show.

Speaker 2:

Thanks for having me. It's quite an introduction. I really appreciate that. That's some big shoes to fill.

Speaker 1:

Yes, and you'll fill them. Well, this is going to be a great conversation. I've been looking forward to this, and if you're listening to this or you're watching, feel free to rewind, watch it again. We'll put out some clips, and so let's get right into it. Maggie, what's going on in your world?

Speaker 3:

It is constant, nonstop, as I'm sure it is for both of you. I feel like every time I think we can't get busier, I eat my words. So I'm excited to talk to you. I know you had just mentioned you've been on back-to-back red-eye flights from California to New York. Sounds like you've had a lot of great things going on, Charles.

Speaker 3:

So one of the things that we had talked about briefly was strategic partnerships. Josh and I we do this all day, in every single facet, and it's truly one of our favorite parts of what we do, because we love to connect with people and just hear real-life case studies and things that don't go right, and then the solutions that get created, and that's the best way to learn. So I just wanted to kind of how did you get into? Obviously you're in a very hybrid role. I love the pairing of the angel investment with the strategic partnerships, but tell us a little bit about how that kind of progressed for you and how you ended up where you are today. So just all of our listeners kind of have a full scope, if you don't mind.

Speaker 2:

Yeah, absolutely so. I mean it all started essentially when I was younger. I started actually as an investor. I started really early on. I was in the stock market, I worked for a financial company early on and then I went into computers and cybersecurity. After that, I mean, I entered as network security and eventually evolved into what we call today cybersecurity. So I've been in both for quite some time, but I was in finance first.

Speaker 1:

So the CISO, CTO, all of that came after finance. And what was the transition from CISO to investor, or was it investor to CTO? What came first, the chicken or the egg?

Speaker 2:

Yeah, it was definitely the chicken. So in my case I was on the investment side first. I was on finance first and then I went to the CISO slash CTO role aspect of it. So that was where I balanced out. I learned, I took a lot of life lessons. There's many different types of CISOs. Right, there's a business CISO, business minded, there's technical, a variety of other ones. So I actually had the ability to combine a couple of different acutals. I'm technical but at the same token I'm also business oriented because I've got the financial background. So it gives me a little bit different perspective than some of my peers might have, just because of just some of the experiences that I might have had in my life.

Speaker 1:

And especially for those who are listening. If you're in sales, I know I get a lot of these questions from my friends who are in cybersecurity sales. We don't know the technical side enough, we don't understand it enough, and so this is a point that I would love to touch on today and make it a focus for those people, for that audience. So what was it like going from the technical to the business? Do you still use that technical knowledge to evaluate companies that you're looking to invest in? Or how exactly does that technical knowledge come into play in the business realm, specifically in the investment domain? Great.

Speaker 2:

So yeah, so when I'm doing the investment aspect of it, the technical process and the technical knowledge really comes into effect when I'm actually evaluating somebody's solution or I'm listening to someone's pitch, because at that point in time I have enough technical skills to understand if what they're trying to tell me is actually legitimate, kind of by fact, or if it's just something that they pulled out of the air and they might be exaggerating a little bit. So it gives me quite a different broad scope of like yeah, nope. And there's been many times where I've been a judge at one of the investment summits that I've called people out, and I try not to do that too often, but there have been a few times where some people just, it's a really outlay to stuff and I'm like I just can't let it slide. But I try to.

Speaker 1:

Sometimes it's too good to be true and it's good to have that technical knowledge to be able to filter out the. You've got it. Let's put it this way: You've got a pretty healthy bullshit meter. That's what the technical aspect kind of helps with, right? Yes, yes, okay, my words, not yours.

Speaker 3:

Well, and I have a question. So you're obviously very well traveled and something that I know I learned in my own travels is you can't sell to one region like you would the next, and that's something that I feel a lot of sales executives that might be working on a national spread, or even on your national basis, tend to forget from time to time. So, for instance, I used to sell in Indiana, that's where I'm from. I moved to LA, totally different spread, and then sell in, like you said, New York or even a Texas or a Florida, and then you talk international. That's a whole other box of worms. But what challenges have you maybe seen? And kind of back to the BS meter that Josh was talking about, because there's different types I've noticed in my own experience, but just your take on that, have you seen kind of a difference in that at all or experienced something maybe to that regard?

Speaker 2:

In that specific and the actual BS portion of it. No, because they tend to use the same marketing jargon across the company about which country or which location you're in at least in my experience. It's just that some areas are probably more versed in the BS and then they already know upfront that's why it doesn't work and that's why it gets kicked. So that might be why you're experiencing like it doesn't work in Florida versus Texas versus California, because some of those folks might have already heard those lines before and then they're like yeah, I don't, I'm not interested. It's kind of like that mantra of talking about like AI and ML, everything's got artificial intelligence in it, like not really, it's just machine learning. Let's just call it what it is.

Speaker 1:

Right, yeah, that's a really good example. That's a really good example. If you slap AI on anything, it seems to, you know. Let's talk about that for a second. AI, is it overhyped, is it just a trend? Do you think that most of the tools actually do AI, especially in cybersecurity? Do you think that the AI is where it needs to be, to be actually contributing to the business, or is it just all overhyped?

Speaker 2:

That's a question for how well the models were trained. So at CES, when you're in the company, but they actually had a cognizant version of artificial intelligence and it wanted to turn all of the humans into, basically, its slaves. I'm like, oh great, it's like someone let it reach Skynet. It was amazing. But so, going back to your question specifically, it's going to depend on how they trained it, what they trained it on, because all the data that we feed or we let the machine learning learn on is biased. The question is, is it biased in the direction in which we need it, or is it biased in the wrong direction, which is going to hurt us? So that's, no matter what we do, it's going to have a bias. The only question is, is the bias that it's going to have, that it's predisposed to, is it going to be beneficial or is it going to be negative towards what we're doing and our outcomes?

Speaker 3:

I want to target what you just said specifically that absolutely everything I'm seeing is what you just said as well, but one of the things that, especially on the governmental side I work with a lot of governmental contractors, these types of things, and we have poked around with a lot of partnerships regarding potential products or services with AI risk mitigation or AI threat mitigation. Are you being approached with these types of products or services? Have you really heard this terminology recently, or is that something that's just kind of a key word or key focus right now?

Speaker 2:

Anytime I hear someone say AI without some type of definition, my BS meter just says no, but I'm not interested. But I have heard that where you can do AI for GRC or GC for AI, it's like well, they have all these models that are supposed to be trained and it'll tell you what you need to do and you just got to follow a code cutter. I have one of those conversations with actually for investment side earlier today and they're like yeah, we just feed the artificial intelligence, the language model, all the information that you need and it's going to give you all the building codes and all the other regulations. It's not finance or regulators, it's building codes, which is standardized across the US. But I'm like okay, great.

Speaker 2:

So in Florida, do you guys support Miami-Dade code? No, we only support the international building codes, I'm like, or the national building codes for, like, the US. I'm like, so if you're in, say, California or Florida or any state that has any other regulations other than the bare minimum default, your solution doesn't work, and the answer was no. So that's where it becomes a little bit tricky. Again, it depends on what it was trained on and how much data sets it's actually ingested, and that's always the fun part.

Speaker 1:

And that's the question that I'm guessing the CISO should be asking when they're approached with a product like this.

Speaker 2:

You know it should be, but the probability of ever getting a straight answer is probably slim to none.

Speaker 1:

Oh geez, it's like.

Speaker 2:

It's like, yeah, we trained it on a data set. But, okay, great, what data set do you turn on, trade it on or train it on, but you're not going to get a valid answer.

Speaker 1:

Or a straight answer most of the time.

Speaker 2:

That's why I kind of just look at the part, sorry.

Speaker 1:

Is that if they're talking to the sales guy, or is there someone that CISOs should be talking to to get a straight answer?

Speaker 2:

So, in my perspective, when I do go to the showroom floor where my staff brings me out there, I look for the other executives, so I look for the other C-suite folks. If I can't talk to the other C-suite folks, I just don't stay, because they're the only ones that are going to give me the bare tax. They're the only ones that actually held accountable in court for what's been said. The account executives and such aren't going to be held accountable for what's been promised or what's been exacerbated per se, whereas the other C-suite guys are going to be held to a different standard.

Speaker 2:

So when I go to the showroom floor if I do go I always look for the other C-suite folks, because they're the ones that are least beneficial to lie to me, because they're the ones that have the most to lose.

Speaker 3:

And how do you have different return on objectives for people getting that type of information, especially if you're just meeting them for the very first time? How do you build that relationship, maybe for somebody who is wanting to become an investor like yourself, or get into these types of CISO, CTO roles? I feel that this is going to be a very progressive role in the years to come. Obviously, it's transitioned quite a bit just in the last two years here, but what would you think would be some good advice for someone that would look to gain similar skills to you or work those types of events?

Speaker 2:

The best advice I can give people who are in sales roles at the moment is just treat us like people. I mean, we want to have it open in a conversation. When I go, and this is where I had a conversation again on a different discussion, it's like from a CISO's perspective my goal when I go to a conference is to build relationships with the vendors and the partners. It's to partner with them to do a specific objective or to complete a specific task. For them, being argumentative or not wanting to create that relationship is counterproductive to what I'm trying to do. I really want to create those relationships because it's those times at 2 o'clock or 3 o'clock in the morning when you need to reach out and call somebody. You need those relationships to help.

Speaker 2:

It's been a few times where I've reached out to a few vendors in cybersecurity at about hours and I want to call on the VPN and he wanted to go get a bunch of people awake. But trying to get through the support lines and stuff like that sometimes is just a nightmare. It's like we want to create those relationships. As an executive, I judge my ROI, my return of my time per se, so my ROT, but based on how many relationships I can create. Obviously, vendors judge it on how much money they can make, but it's not mutually exclusive. They're the same thing, they just measure differently, the metrics are different, but they're the same result.

Speaker 1:

It's never about what it's about, and I'll explain that. If you want to add to your bottom line, I've learned in my time in sales if you want to make sales, you can't really focus on sales. But I found that if you focused on engagement whether that's on social media, whether that's connecting with people at conferences, whether that's calling somebody up at 3 o'clock in the afternoon just to check on them how are you doing? I find that that exponentially impacts my sales, because there's this concept of you never know. You never know what's going to happen. If you really focus on the outcome of sales, it's very narrow. But if you focus on engagement and you focus on people, I find that you end up helping each other in ways that you hadn't anticipated, which, coincidentally, is positively correlated to revenue in a lot of ways. But even if it's not, if you think about it I hear this a lot A lot of people are always thinking about the money.

Speaker 1:

Everybody wants to get rich, everybody wants to make a lot of money. The people who focus on those things exclusively tend to always, they're always fighting the universe a little bit. I love when people are just like, you know what, it's about the money. But it's not about the money. It's about meaningful and positive human relationships. The money is indicative of how well you have solved a set of problems. Is that your attitude when you're going onto a show floor, or do you have a different or adjacent philosophy that you follow?

Speaker 2:

No, I think that's my philosophy Relationships equal ROI. I just measure my return based on relationships, and winners measure on dollars and cents, but at the end of the day they're the same.

Speaker 3:

This is a very interesting conversation. I'm going to speak on behalf of women. Women do not think at all like how you both just described that. I know this about a lot of men and angel investors. They think exactly like what you said relationships are ROI For women, relationships are I buy people. I don't even think about the numbers, because the numbers always follow. I look at it from an opposite angle. That's something that we've talked about a few times on the show.

Speaker 3:

Cybersecurity only has, I believe, about 19 to 20% women in it, industry-wide. We're trying to bring more women on board in every capacity possible. We're having CEOs like Tina Williams Karoma, and we had Dana Mantilla on a couple weeks ago. She was fantastic, to really bridge some of these communication gaps, because I feel that that's something that there's an issue between men and women. This is not just in cybersecurity. This is in a lot of different facets, but it's truly about how communication is perceived and also retained. And then how is that then communicated back during a sales process? Have you seen any challenges with this on your own, just as you've traveled around the country, or any dealings that you've maybe seen some ways that women could help impact sales or bring additional revenue in?

Speaker 2:

I don't want to sound gender bias, but I noticed that when I'm out socializing because I mean, again, I don't go to the bars because I want to get drunk I go to the bars because that's where everybody else is and I'm just trying to grab a drink with somebody else to build the relationship, it's just touch points. It's all I focus on is touch points. Just going back to what Josh just said, it's those interactions and those touch points that are so critical because at the end of the day, statistically, I think it was 13. If you have to have 13 interactions or touch points, they typically tend to buy Once today. This was like 15 years ago, but it might still be the same, I don't know. But the touch points are critical. So the more times you can see them, they're like hey, Bob, or Jim or Joe or whatever. That's all I'm looking for.

Speaker 1:

Back in the day it was all about rapport. You hear that word thrown out quite a bit. It's not something that, unfortunately, I don't hear it very often. I don't hear about rapport building, which is very valuable. So I'm really interested in this.

Speaker 1:

Maggie, I know you can't speak on behalf of all women. This is interesting to me. I'll give you a little bit of context, because I was at the Cybersecurity Summit last week and I heard some fabulous women just speak on all kinds of topics, from DEI to the hardcore tech stuff to thought leadership, and that was the only room that was packed. So there were other rooms there, other seminars, but the women in cyber it was packed and I mean there was a tribe there, right. So these women are there, they're on it, and I know a few of them personally. So shout out to Tina and Eileen, the fabulous security leaders here in the Midwest. And so I guess one thing I didn't hear is that emphasis on building relationships. So is it and I know this is a caveat you can't speak on behalf of all women, but I think there are a lot of women who are listening here. I'm just saying it like I'm trying way harder than Charles to be gender neutral here, right?

Speaker 3:

I think I kind of see where you're going, Val yeah.

Speaker 1:

So what holds women back from making those relationships? I know it's intimidating, because the relationships they would be making probably would be mostly with men. Is it because there's the man factor there, or is there something deeply psychological that may be preventing women from going out and forming those meaningful relationships?

Speaker 3:

I think it's a little bit of both and for the love of God, dear sisters, don't ring me up for this. This is just my opinion and my perception. I think that number one we're already working in an industry where there's no trust. So there's that, when you're talking psychologically, men don't trust women, women don't trust men. That's a very common commonality, I see. Then you put it into this industry.

Speaker 3:

A lot of what I see with women in this industry in particular is they bond together, which is fantastic. I'm all about that sisterhood. Women investing in other women owned companies, things of that nature. I see a lot of women intimidated, partnering with men, and what I see with men is it's a good old boys club, still very much so in a lot of angles. That doesn't mean, I feel, men are more oftentimes willing to listen to women than women are to other women, so it's very much a who do you know? Type of thing. Still, in this industry in particular, I've noticed that against other industries it's just a little bit different, and so I think that it's how do we break those barriers? How do we efficiently communicate at different angles?

Speaker 3:

I have always been the type where, if I would not go to dinner with you or have a drink with you or that type of thing, I'm not going to do business with you. That doesn't mean no favors once you reach a certain level. Right, and that was Maggie back in my 20s. Now it's okay. Well, even though I don't ever see us being friends outside of work, how could I still work this project with you, or how could I still get this deal together? Or how do we strategize that partnership?

Speaker 3:

Then you bring in factors like people from different cultural backgrounds, different parts of the world. Now you're adding a whole other bag of worms to that. And especially when you're talking other parts of the world, there's a lot of countries where women are looked at differently. That's a whole other issue, especially in cybersecurity, because we have a lot of people from all over the world that are very high level, that are investors themselves. I've seen this industry in particular has, and I love that because it's really a tapestry of talent, and I think that I wish more women would host summits and invite more men and present a different type of strategic panel to talk about this and strategic partnerships. That's a really roundabout way. I could go on this topic for hours and I'm going to show.

Speaker 1:

Yeah Well, one thing I was wondering when I was there last week. I was like it's good to have a consortium of women who meet together and form their own thing, but at some point, like you said, the men and the women have to meet. It would be really nice to not have to have women in cyber, but just to have people in cyber and to have it equal and to provide opportunities for everyone. But the thing that I get stuck on all the time and maybe, Charles, maybe you can speak a little bit to the DEI strategies that companies are employing these days and how that's impacting the bottom line but I see that a lot of people want to include women. They want to include people of color.

Speaker 1:

Obviously there are these huge DEI initiatives, but if I'm being honest, I can't speak for women, but I can speak for myself. I can't speak on behalf of everybody of color, but I'll say nothing really ever held me back that I know of. Caveat: I could be intentionally delusional. Delusion does provide some sense of confidence, but in my world I don't think there are a lot of things that are holding me back. So I always ask why is there not this push of women and people of color into cybersecurity, and I'm wondering if it's sort of the mindset. That is the way it is. There are these inequities, and so to even challenge it and to say that the inequities are more of an idea rather than a reality, I can see the arrows blotting out the sun right now.

Speaker 3:

Why am I here right now? This is a real problem.

Speaker 1:

These are the opinions of my own and they do not represent Charles Payne or Maggie Dillon or anybody else. But it's just my observation, it's my true experience. So, now that I'm going to lay that aside, anybody who wants to come after me, come after me. But Charles, what role does DEI? Or I was just like with the DEI. What are the trends? Is it going anywhere or is there more of a push? Are companies increasing their quotas and I hate that we have to even talk about it in that sense of quotas? Is that a factor when you're looking to invest in a company, or is it something that you should just disregard and sort of let the universe play it out?

Speaker 2:

You know, I've actually spoken to a few people in Ghana for investment purposes and I'm going to admit that I'm probably agnostic. I don't look at color, race or gender as a deciding factor. I look at what's going to make money. I mean, that's the only disturbing factor I discriminate against, is if it can make money, I was going to lose money. That's the only thing I have that I discriminate against in that part. But going back to your DEI question, it's like I used to teach as a professor for a while and I would notice that more inherently, as a white male, speaking for myself in this case, I would apply for every job. It doesn't matter what it is. It could be like, you know, trash collector to CEO. I would apply for everything down the line because I know at one point in time I'm going to hit the recruiter that's going to say, hey, this doesn't make any sense, why do you apply for this, you should apply for over here. And that's how I got the job at Amazon, which I didn't take, and it's a long story there. But I actually applied for some crazy stuff. And the recruiter says why'd you apply for this? You're supposed to be over there. Like I don't know, I was just clicking buttons. He's like let me go move this application over there for you.

Speaker 2:

And that was the difference I see between a lot of the different cultures. Women, maybe some minorities, don't apply to everything. You know, for me, and I'm just speaking for me, I apply to everything, I don't care what it is. It's like if I'm trying to get a job at X, Y and Z company, it's like I apply for everything that's there. I just apply. So I hit all the different recruiters because I know the way the system works. But I know that some of my students that were female would look at it and be like I don't qualify for this. It says it's an intro position but it wants five years' worth of experience. I'm like it doesn't mean five years' worth of hands-on experience. Click, apply, apply. You have to apply. If you don't try, you'll never succeed. You have to apply. It's like I know, I'm teaching them, I'll talk with them on a daily basis, like they have the skills but they're just, they're a little bit skittish about applying because they're like oh, I don't meet the job description. Job descriptions are crazy. So just circling back to everything that we're saying, back again for DEI. It's a crazy race, and I focus on diversity and inclusion, obviously, so whenever I can. That's necessary, absolutely, because, at the same token, and Disney's favorite saying is, you know, they get their imagination and they get all their creativity from diversity, which is true. I mean, I live in this little box myself and I wouldn't see things the same perspective that Maggie does, or even you, Josh. So it's like we need everybody to be part of the same page, because that's the only way we're going to grow as a community.

Speaker 2:

I've said this, I don't know how many times, but if you look at the difference between an adversary or a black hat, you know, criminal first, like the white hat, the white hats. You know, when I was in high school, I was working in the financial sector, we couldn't disseminate our information or our TTPs or IOCs, indicators of compromise, until, like, you know, a week or two or longer after it's been sanitized and down the line. By that time a whole bunch of other people have been hit. But you flip that script and you actually talk about what the adversaries are doing. They're actually talking amongst themselves. They're like hey, I tried all this stuff. It doesn't work, try something else. So it's like the way that they're communicating is in real time. The way we communicate is like next month, literally.

Speaker 2:

So it's like it's crazy, and that's where we have a huge problem at on top of everything else.

Speaker 1:

Yeah, yeah. And if you're an employer, and let me just say this, you say that whatever makes money, that's basically your discriminating factor, right? If you have half the population excluded, that's half the talent. Probability wise, there might be an Einstein among women and minorities that you never tapped into. So including everybody will always impact the bottom line positively. Number two, so three things. Number two, if you're dumb enough to not hire the right person just because they're not male and white, your company will pay a tax, a stupidity tax, an idiot tax, for not taking that opportunity. Number three, for all the minorities and the women who are listening to this, for everybody, not even just minorities, just everybody, everybody who is a human being and of age, apply, apply, apply, apply and talk to people, because you just never know. So, okay, I'm off my soapbox.

Speaker 3:

No, I wanna, I'm gonna caveat exactly what you just said. I have 15 years of executive head hunting experience and I cannot tell you how many times someone would apply to a position I was looking to recruit for and, even though they didn't match that position, I would look at their resume and say, hey, they don't match this search, but they match this search. And I would fill several searches with a candidate that didn't even apply for the one they thought they were.

Speaker 1:

God bless you.

Speaker 3:

And truly I encourage especially if you're coming into cybersecurity with no experience, do not let these parameters that society has developed, these old-school recruiting techniques or technology or societal standards. It doesn't match anything that we're doing. We are innovating at rapid speeds and we need as much help as we can, and we're seeing positions being created out of thin air based off of experience or personality or whatever the it factor is for that particular company. So I just love what both of you have said in that regard, because it's true, I've done it, I've seen it, I've helped people, so apply.

Speaker 1:

All right, you've got three out of three endorsements for applying. Okay, let's switch gears. CISO. The CISO part of your gig. What is the toughest part of being a CISO in 2023, going into 2024?

Speaker 2:

SolarWinds.

Speaker 1:

Say it again. SolarWinds. So SolarWinds, yeah, SolarWinds, okay, that kind of thing. I looked at that like man.

Speaker 2:

Here we go again. I'm like it's crazy. So it's like I know we're doing our job, I mean, and I don't know any of the facts of the case, but I looked at it like I just saw the headlines. I'm like uh-oh.

Speaker 1:

Oh geez, another one.

Speaker 2:

Yeah, I don't see. The thing is, I don't know if there's any. I'm assuming that there's probably some type of legitimacy behind it and there's probably some of the allegations might be true, but I don't know. So all I see from the surface is like how widespread could this be? Could all Fortune 500 companies get arrested? How many times have I been at companies where they've started trying to, we just delete the logs. So like no, no, when you have a breach, delete the logs. But it still happened. I mean like it didn't go away.

Speaker 2:

And then they were like oh yeah, it's okay, we don't have the logs anymore. I'm like that doesn't actually remediate anything, it just means you can't fix it because you don't know what happened. But it didn't fix it, it didn't go away, it's still there. You just don't know where it's at now.

Speaker 1:

Yeah, yeah, isn't that illegal? I mean, if you delete the logs, I mean that's not kind of naughty in the eyes of the law.

Speaker 2:

I don't, good question, I don't know. My whole thing was like I'm gonna write my report this way and it was one of those things where we had a part ways at that point for my employers. I'm like I'm just not gonna be part of this.

Speaker 3:

Well, and I would think that there's so much pressure on these C-suite executives, where you're the actual authoritative figure that's in charge of all the responsibility, you're the one being held legally liable for these types of mishaps and whatnot. So, in your regard, or in your opinion, is there anything that we should be taking drastic measures to train CISOs on as we move into 2024, given what's currently happening around the world? Recently in the last month here?

Speaker 2:

I think what we need to do is we need to look at the Joe Sullivan case and then take maybe not so much take it at face value, but understand some of the inconsistencies and understand some of the nuances that actually put him in peril. For instance, not hiring outside counsel, not having his own insurance policy that protected him specifically. So there's a few things that we can do as CISOs to help mitigate some of our exposure moving forward. One of the biggest things that the judge mentioned to Joe Sullivan was to get outside counsel. Yeah, you should have sought outside counsel. He's like it's a hindsight 20/20 thing where he realized like, yeah, I should have, but I didn't because I was blind faith. So that's where it gets kind of crazy.

Speaker 2:

Normally. Naturally, we wouldn't have to think that or think that it would be like that, but I think that's where we're moving into 2024. It's like the CISOs trying to fall on the sword and say to the company but, the same token, the company's just letting him rot there and it's like wait a second. It's not supposed to be like that. So I think that, fundamentally, the industry is changing in that regard, because I mean, at the same token, most CISOs don't have a full seat at the table, their opinions, while they're heard. They're just advising the risks. They're not actually accepting or actually saying, hey, we want to do this. It's like a byproduct of like, yeah, you don't sit at the table, this is just your opinion and we're going to do what we're going to do anyway in the name of making money and moving the business forward. And that's where I kind of like oh God, I'm sorry.

Speaker 3:

Well, I was just saying we literally talked about this a little bit on our last episode, about CIO versus CBO and how a CBO would almost have more of a seat at the table and everything that you've just described. I've heard it so many times because it's like, at the end of the day, when the crap hits the fan, they come to the CISO when there's been something, a ransom attack or anything to that magnitude, and meanwhile they've not had a seat at the table. They haven't had that relationship building to the magnitude maybe some of the other executives have had. So there's a disconnect right out the gate and it almost implodes from within, depending on the severity of these types of situations. So would you say that that also needs to be taken into consideration as companies build out, maybe hire for these types of roles? Or is there additional training that CISOs should consider not only implementing on their team for future development, but maybe recommend to companies to help them have more of a seat at the table?

Speaker 2:

I think it would boil down to when you take that role, you need to be named on the insurance policy for the corporation, for the officers. But on top of that you also need to have some kind of opinion, some type of say, because at the end of the day you're going to get stuck holding the bag. You should just make sure that you don't want to put the bag in your hands and just be thrown it at the last minute and be like, yeah, everything's on fire, good luck with that. Right, absolutely. And I think that's something where we've just taken it and stride and we've just accepted it because we'd get our pension, we'd get our severance and we'd just get laid off or fired or whatever the case might be and move on to the next company. But now it's starting to be like, ok, well, you can get your severance, but at the same time you might be going to jail at the same time. So like, yeah, wait a second. So the perspective and the optics have changed.

Speaker 2:

Now we've got a bigger push for cybersecurity and some things might be the CISO's fault, but in a big organization one person can't control 10, 20, 30,000 people. They've got downlines, downline managers, separate management teams for that. It's like how much onus are we really putting out when persons like we don't look at like a CEO? For example, I'm not going to name the companies, but there's a couple of CEOs that are making $29 million or more. The company was still losing money, it was still hemorrhaging money, in fact, and the shareholders were the ones essentially paying for a salary. Like isn't that criminal? Like what are we talking about here? Like why is it? One thing happens. Then the CISO goes to jail or gets arrested or you know rain, whatever, and then the CEOs that are making some of these decisions are just claiming these huge salaries but also perpetuating the problem.

Speaker 1:

Right, yeah, yeah.

Speaker 3:

And well, and I would I want to ask a question to you on this. As far as CISOs, with regards to regulatory compliance, especially in the fintech space, we see a lot of butting heads with cybersecurity and compliance. It's like by the time one of them releases what they need, the other one doesn't. Then it doesn't match. You know a lot of these types of things are happening. Is there a way that compliance standards could do a better job, or compliance, the industry as a whole, could do a better job with cybersecurity leaders to make sure everyone's overall protective for some of the situations that you've just described?

Speaker 2:

Um, inherently no, I mean there might be some things that you can do to help mitigate it. Like, you know, make sure you know the insurance policy, like making sure you do your own due diligence. But you know, I've found that, you know, working with your own counsel and then trying to like actually implement procedures and policies prior to there being an incident, trying to get ahead of some of the stuff. But again, sometimes it's not possible. You know, I interviewed for, you know, not the current position, but you know a couple of ones back, it's a couple of corporations ago, I actually interviewed with their, with their lawyers, with their company lawyers or corporate lawyers. So it's like I went through that. I tried to understand where their company was, what their mindset was, what their strategies were.

Speaker 2:

So it's like that was part of my own due diligence, is trying to make sure I had the opportunity to talk about it with them, to make sure that I was going to be as happy as I was expecting to be with that organization. So there's a lot of things where I think people just get excited sometimes like, oh, I'm a CISO for X, Y and Z, and then they don't realize that that might have more perils than they might have originally expected. It might not be also glamorous.

Speaker 1:

Two questions to wrap up here. Well, yeah, two questions. One, I want to focus on the new CISO. So it's CISO who is maybe, you know, let's say, six months into the job, two to six months into the job. And the second part I want to focus on the CISO who is well accomplished, you know, like the person who has a security program that's just humming along. They're not there to change anything, they're not doing any huge transformations. Okay, the first group, the new CISO. What are the top two or three activities that a new CISO should engage in? And we're talking about, you know, large companies, say over a thousand employees. What should they be doing in the first six months of the job?

Speaker 2:

Those are. Those are really long questions or really boring answers, but I mean, in short, the first thing that a new CISO, a new organization we want to do. I'm not talking about like new in terms of like maybe, unless you're maybe that it maybe I use your question maybe you're talking about like brand new green, you know, two months ever being a CISO. Well, they could have held other CISO jobs, you know.

Speaker 1:

But this is their first. This is their first time at this company and not necessarily at the company. I know there's a lot of caveats here. The company might not even have had a CISO before this one. But let's say I'm a seasoned, you know, I've been in the industry for five to 10 years and I'm starting at, you know, Acme Corporation. What should I do in the first six months?

Speaker 2:

You know, the first thing I would, I would recommend to do, is, one, talk to general counsel and two, try to actually have a seat at the table so that whoever you're talking to or however you're presenting to for your board meetings are receptive.

Speaker 2:

Then again, this goes back to Relationships, Eco or ROI, because, as a CISO, you're a sales person. Your job is to sell the board whatever you need to do, so they're the ones that give you the money. So you are again, you're a glorified salesperson. Your job is to sell the board whatever you need. So if you need budget for X, Y and Z because you need to do cybersecurity, for you know all of your endpoints, or whatever the case may be, that's your job. To sell that reason and that logic to the board. I mean, we are salespeople at the end of the day, which is kind of why I find it funny where some CISOs might, you know, be adverse or disparaging to some of the other sales folks that sell cybersecurity stuff. I'm like wait, you're a sales guy too. You just do it at a different level, but you're still a sales guy.

Speaker 1:

Thank you. Thank you, the CISOs and the sales guys can be friends. That's beautiful, love it, yeah, yeah.

Speaker 2:

I mean, that's what it boils down to. So, like, if you're two to six months into a new company, you need to secure and find out who your allies are. That would be the first thing, aside from just your normal due diligence of trying to find out where your assets are, where all the skeletons are buried, if any, and then just trying to do the other normal due diligence. So I mean, there are a multitude of different directions that you can go, but the very first thing that I normally do is find allies. That way, when I need a budget, when I need to do something, it's like okay, trolley, trolley, there was no problem, it's done. It's not like oh, please, let me have this, because begging won't be positive.

Speaker 1:

Right, right and the legal counsel will help you cover your rear end. If you don't, if you go into that legal spider web blind, you're going to get eaten. Never thought of that before.

Speaker 3:

And just be sure to have your own legal counsel's backup.

Speaker 1:

You learned that today. This sounds like you're speaking from experience, Maggie. I'm not going to dig into it, but you know what I don't know if the people believe what they want to believe.

Speaker 3:

You're talking about the Joe Sullivan case and things that we learned through that.

Speaker 1:

So we have to have backup. I'm not familiar with that case. Awesome, okay. So now let's say the CISO, who has been at this company for 30 years. They're about to retire. You know, maybe in the next year or so Is there anything they can do to make their program better, or even to make the community better? What would you say to those folks?

Speaker 2:

I mean, if you've been a resident CISO for that long, I mean, I guess let me step back for a moment. Understand, you know this has been a conversation that I've had with a lot of my other Fortune 500 folks. We're CISOs because we're typically type A. We get hired to do a job and we get in and we get out. That's why our cycles are 18 months. It's not because we get fired every two months or every six months or 18 months. They fire us and we go move on. No, we get hired to do a specific job, we get there, we do the job, we move on and that's what's really going on. It's not like security is like crazy where we get fired all the time. No, it doesn't happen like that. We're there to do a job, we get the job done, we move on. That's what we get hired for and that's where our goals and expectations are when we get there.

Speaker 2:

So if a person's been there for 30 years or a really long time, then you know I would, if I was on the other side, if I was on the board or if I was, you know, there in their downline, I'd be kind of wondering what he's doing. Because my guess is, if you're just humming along and you're not innovating and you're not trying to save the business money, then maybe you're just a technical seat, so you're just looking at the policies and stuff, that maybe you're not business oriented, maybe you're spending money frivolously that you didn't have to spend. Yeah, I don't know how many times I've seen that happen in corporate America or enterprises, like they just buy something because you know they always buy it.

Speaker 2:

It's like you don't get fired for buying X, Y and Z product and they just keep buying it and keep renewing and I'm like, yeah, it's such a waste. I've seen it happen over and over again. So that would be what my perspective would be. But I mean, obviously I know it doesn't happen to all the CISOs that have been there for a long period of time, but usually when I see a CISO there for a really long time, I'm like I don't know, I don't know, I don't know. It's like they're really comfortable, they're not really ambitious and I'm like I would.

Speaker 2:

I would tend to lean more towards someone, the person that's new, because he's got something to prove. The person who's been there for, you know, in this case, 30 years, like they don't have anything to prove. They're just collecting a paycheck kind of thing. But maybe they do have their determination, stuff that they go through. But at the same token, how much are they really trying to innovate and try to make some type of positive impact? Yeah, business impact. That's where I get kind of, I get skittish myself. I'm like, yeah, that's where my BS meter kind of says well, wait a second, if you're in a cushy position, you're comfortable and nothing's making you uncomfortable, then you probably shouldn't be here, is my perspective, right.

Speaker 2:

Because my guess is you're not trying to move, you're not trying to innovate, you're not trying to help the business go forward. It's like you might just try to keep the status quo, which is not beneficial for the business long-term. Short-term, great, that's why you're there, but long-term, no.

Speaker 1:

Yeah, maybe my assumptions are incorrect, because I see these CISOs, like you know, at our moroso and you know these guys have been around for a long time and they seem to be humming along. You're just kind of like, oh, you know they're good, but I think maybe if I'm taking what you're saying, it might look like that to us. They're kind of like a duck on the lake. You know these guys have been around long enough to make it look smooth, but underneath, you know, it's crazy and it's always turning and it's always changing. Huh, hadn't thought of that before. Yeah, but it's like any other business, I guess you know, any other department where, as the business changes, you have to change and adapt.

Speaker 2:

I guess. Okay, well, I mean at the same token, giving the credit, giving the CISOs credit that have been there for 30 years. It means that they really trained their downlines really well.

Speaker 2:

So at the same token, I'm not saying that they didn't do something well, that they didn't train their teams really well. So I'm like, in terms of their people skills and stuff like that and their personalities, like they did a fantastic job, if they can have a run like that. So I don't want to say that they didn't do anything great. I mean that's phenomenal that they can do that. But on the flip side, from the business aspect of it, like maybe we can do something better.

Speaker 1:

Right, right. All right, Charles, we're coming to the end. My friend, thank you so much for being gracious with your time. You're busy and you took the time to, you know, spend the afternoon with us and our listeners, and we really appreciate it. So, if people are looking for you online and they just want to drop you a note or, you know, send a bouquet of flowers to you, where can they find you?

Speaker 2:

Flowers would be crazy. Um, they can find me on LinkedIn, so they can find me on LinkedIn. And maybe in the old school where people send an email, like, watch you. I mean my whole thing is text or call. I mean you can also send me, this is on LinkedIn or email. I mean I get probably 500 to a couple thousand emails a day. So I mean I'm meeting me, I will see the email right away. So if you needed something, I would just say call or send text. Sure, that's what I tell everybody. I'm pretty accessible to my staff and to our teams. It's like I think that open door policy is imperative to what we do, because you have to have that transparency, you have to have that trust in a way to get that, as being accessible and being open.

Speaker 1:

Mm-hmm, and that's how we connected. You were, you're active on LinkedIn and we just got on each other's radars and I looked at your line, and I said this is somebody I want to talk to, this is somebody who embodies the spirit of the show. So thank you so much for making yourself available. Maggie, where can people find you?

Speaker 3:

LinkedIn, and also you can find us, Security Market Watch, on YouTube, Instagram. We're all over, we're easy to find. We put ourselves out there. We're easily accessible as well, so come find us.

Speaker 1:

Yes, and you can find me on LinkedIn as well, linkedin.com/JoshBruyning. You can find us also. You can find me on Instagram, but if you find me on Instagram or TikTok, you're gonna just get a bunch of like preachy thought leadership, you know, motivational, you can do it, you know type of stuff. But if you're into that kind of thing, you can check me out on TikTok and also on Instagram. All right, and thank you, dear listener and watcher, for tuning into this episode of Security Market Watch. Thanks everybody, bye.

Insights Into Cybersecurity and Strategic Partnerships
Importance of Relationships in Sales and Cybersecurity
DEI and Relationships in Cybersecurity
Changing Role of CISOs in 2024
Challenges and Strategies in Cybersecurity
Improving CISO Programs and Business Impact