The career path
A common (but not exclusive) theme in the career path of many of today’s top CISOs is they never planned to get to this position. In one sense that is not surprising since cybersecurity was a new and evolving field when they started. It was often a case of simply being in the right place at the right time. Nevertheless, it highlights an important concept for any young careerist: if an opportunity appears, you must be ready to grasp it.
“I was walking down the hallway in the office one day in 2006,” remembers Idemia’s Kallelis, “and the CEO said, ‘Hey, you have federal security clearance, right? And you’re an engineer.’ (I had been VP of Engineering.) I said, ‘Yeah’, and he said, ‘Guess what? You’re our new chief security officer.’”
Of course, getting a position isn’t the same as owning that position. Kallelis was aware of a breach in a sister company that led to its security officer’s dismissal. His first thought was he was being set up as a scapegoat. But his reaction was different: “I’m going to do such a good job they can’t live without me. And that’s how it all started.”
There are some similarities with Kees’ start in cybersecurity. “I just sort of fell into it, because there was a need,” he said. “My early background was not cyber-focused, it was compute-focused – I was an engineer at heart.”
He entered cybersecurity because he saw “a lack of dedication to the security space”, and he wanted to change that. When he started it was the pre-internet days. ARPAnet and other precursors to the modern-day internet were appearing, but they weren’t in the consumer space.
“I lived through the experience of the internet becoming a consumer thing. It was the Wild West at first – and some people might still say it’s a bit of the Wild West today. But for me, it became a simple desire to ensure that people could remain safe as they operated on the emerging internet platform.”
Notably, both CISOs came from an IT engineering background, and many CISOs consider this to be essential. The argument is that you cannot really talk the talk if you cannot equally walk the walk. While CISOs increasingly need to add business skills to their repertoire, it is often easier for an engineer to learn business than for a businessman to learn engineering.
Running the shop
Becoming a leader
The best managers are also leaders, but not all new managers are natural leaders. New CISOs who aren’t already leaders need to learn the skill very fast. Kallelis was already a leader when he entered cybersecurity – he had been VP of engineering.
It was different for Kees. He became a leader because it was necessary. “In fact,” he said, “I tried to avoid a leadership or management position for a long time because I had this passion to be ‘fingers on the keyboard’ and really know every little detail about what I was doing.”
But once in a managerial position, he realized he could achieve more with a team than on his own, especially if he could properly articulate his vision and lead the team.
This raises an enduring question. The quotation, “Some are born great, some achieve greatness, and some have greatness thrust upon them,” can equally be applied to leadership – but in what proportions? Is a leader born, or made?
The usual response is ‘a bit of both’. Kees goes deeper. “There are certainly some beneficial characteristics that people may be born with, such as being charismatic or outgoing. But I think a lot of leadership can be learned traits – such as learning how to sympathize with people; or better yet, being able to empathize with those people you’re trying to lead,” he said.
“Those are all things you’re not necessarily born with. They are a product of your environment, and they can be improved over time. I certainly think that leadership skills are something you can teach yourself. Partly, it’s focusing on the larger picture for your organization and for your team’s well-being rather than your own personal space and gain.”
The security team
The team the CISO leads is essential to the success of cybersecurity. There is a growing acceptance that diversity within the team is beneficial.
“Diversity breeds different viewpoints,” comments Kees. “Diverse social, ethnic, economic, gender, religious backgrounds mean different people might approach a complex problem from a slightly different angle. It brings a broader and vaster scope of ideas on how to solve problems.”
Kallelis has similar views. “I’m a white kid, and we have Hispanics, African Americans, and Asians on the team. Twenty-five percent of the team are women.”
Both CISOs have a positive view on expanding this diversity to include LGBT+ and neurodiversity. Kallelis points out that his firm started an LGBT community within academia and runs an online course on harassment and unconscious bias in the workplace.
Kees is equally open to LGBT and neurodiversity, and would include reformed hackers. “A lot of my early experience in engineering, while never on the illegal side of things, was all hacking – looking for vulnerabilities. People who have been on that path will have a lot of skills and vision to bring to the table on what an attacker would be looking for. There may have been a time when hacking was the only opportunity open to them. But people can change, and I believe in second chances.”
The simple point is that blackhat hackers are incredibly diverse themselves, and diverse defenders are better equipped to counter them.
Building the team
Seeking diversity can help recruitment during the skills shortage. Neurodiverse applicants, military vets and women are all pools of talent that could be better tapped. But whatever the source, the task is to build and maintain a strong, well-rounded, and cohesive team.
“I don’t like to think about people working for me,” comments Kees. “They work with me. So, I spend time making sure that an applicant’s culture fits with ours. I focus on where they fit in the cyber space: are they passionate, and are they business enablers? I don’t want people who can only say ‘no, we mustn’t do that.’ I want people who will spend the time to understand how we can do this in a sane and secure way.”
Recruitment is often colored by local conditions. Is the company situated in an area where talented and ambitious people wish to work? Kallelis has noted a related difficulty in his own area. “I’m on the advisory board at Brandeis University here in Massachusetts. We used to have about 200 people a year for the master’s program in information management. Now it’s about a dozen. People aren’t going into the degree programs.”
The reasons are complex and may be as much rooted in the population as the education system. “Immigrant families push their kids toward engineering and the sciences. Legacy Brits don’t seem to go into the sciences.” (Legacy Brits in New England seem to be more interested in arts, culture, and politics. This is probably a remnant of the British attitude towards education that still exists today: a degree in the Classics is thought to be more worthy than a degree in engineering.)
It’s a double-edged sword for Kallelis – he must fish for new recruits more imaginatively from a smaller pool, but one that is by its nature culturally diverse. The route chosen is internships.
“We have an internship program where we bring in students and co-op students that are in school. Last year we had 120 summer interns across the US and this year, as they graduate, we hire them with their pre-training. They know what we do; they like us; and we made sure they were well compensated. It’s impossible to hire someone with 20 years’ experience in ITsec or compliance – they just don’t exist.”
He also notes the need for compliance has added new requirements. “We must produce reports for government auditors to be able to read and understand. Writing skills within the team have become important, where they weren’t in the past – engineers are not always good writers, and good writers are not always good engineers.”
The internship route for cybersecurity recruitment is a useful option for any organization with the resources to adopt it. Young people grow and learn within the culture of the company and are willing to continue learning. Most importantly, both parties are confident in each other before any final commitment. The important point, however, is that every CISO must develop the right recruitment process for the company’s situation and locality.
Mental and physical health is essential for a successful security team. Over the last few years, there has been much focus on the mental illness of burnout. It’s not peculiar to security departments, but the unique combination of constant uncertainty, the alternation of boring repetitive work with sudden high levels of mental stress of unknown duration, and the lack of recognition (in security, success means nothing happened – usually, nobody sees you succeed) are all contributors to burnout.
CISOs need to prevent burnout in three areas: themselves, the individual team members, and the team as a group. The best way to achieve this is to foster a support group, and to ensure that everyone gets adequate personal downtime. Working in the office can help this, with constant interaction between leaders and contributors within the team and across the wider organization.
It is always difficult, but essential, for the CISO to have personal downtime. CISOs often spend their evening family time responding to emails and reading reports; and this can become problematic. Kees believes that CISOs can help personal stress levels by training their own successors from within the security team. “Having a successor or multiple successors inside your organization, people that you trust that can take things off of your hands for a week or two while you take a break and mentally reset – that helps to alleviate personal burnout.” A good security team is its own support group.
Kallelis’ company has changed its policy on vacations. It used to be a set number of days depending on how long you had been with the organization. “We have a new policy called Unlimited PTO,” he said. “Vacation time, sick time – you take what you want, what you need, and the company encourages it.”
Preventing burnout is more difficult with remote working. Support groups are fractured, and downtime becomes a personal responsibility that cannot easily be monitored. Maintaining the health of a remote team becomes more difficult.
“Overall, I think remote work is good,” comments Kees. “But I seek to have my team members get together on a regular basis in person. When we do that, I encourage them to work more on team building and those interconnections between themselves than trying to solve a complex technical problem while they’re together.”
Every career requires mentors. Sometimes it is a formal or semi-formal top-down relationship, and sometimes it is an informal bottom-up process of watching, asking, and learning. Advice, whether given or perceived, is an important part of the process of gaining insight. All existing CISOs have benefitted from receiving advice – and all existing CISOs have valuable advice for aspiring leaders.
Best advice received
“I’m on year 18 of successful cancer management,” said Kallelis. “But when I was first diagnosed, I was bawling my eyes out in the server room. The chief privacy officer came to me and said, ‘This is your new normal’.” It’s a variation on ‘It is what it is’.
“It made me realize that whatever the current situation – and everything in life and work continually changes – you have to understand the new normal and find ways to use it and manage it, whether it’s personal or work.”
Kees was told to focus on articulating and narrating his vision rather than completing it himself. The exact words were, “You’ve been a battlefield commander, but it’s time to become a general managing the overall battle plan.”
It’s the difference between tactics and strategy. He came from the background of a tactical engineer who loved being down in the weeds doing things himself. But being a CISO requires different skills – the ability to separate a strategy into its component tactical elements and ascribe those tactical elements to the right team member. It requires the ability to communicate a strategic vision to both the security team and the business leaders.
Advice for the next generation
For advice offered, Kees gives Reagan’s quote, ‘Trust, but verify’ (originally a rhyming Russian proverb that proved useful in nuclear armament discussions with Russia). For leaders, this implies gathering a strong team and then trusting them. In the age of remote working, it has added meaning for communications.
But he also recommends that people look beyond the technicalities of security computing. “Learning and spending time in other spaces that are direct partners to cyber is critical to understand that there are complexities to what you might be asking of those people.”
Kallelis’ advice is on people management. “Be nice to people. Control your temper. Don’t say what you’re thinking. You must encourage people and foster good behavior. If you’re nice to your staff, they’ll be nice to you and they’ll stick with you in rough times. That’s the biggest advice.”
The flipside is to discourage bad behavior. “I can’t stand it when there’s a new executive who is just yelling at people,” he added. “I always step in and say, ‘Hey, this isn’t working for me, and it’s not gonna work for you.’ Those individuals usually don’t last long in this company. We have a no asshole policy.”
Ultimately, however, the function of the CISO is to protect the security of the organization’s information from internal and external threats. We ask the CISOs in this series what they consider to be the primary security threats they will face going forward.
For Kallelis it is the rush to connect everything possible: the Internet of everything. The refrigerator is connected to the network just so that it can send an automatic message to the CEO’s assistant when it has no ice. “While these things are designed for ease of use so that your grandmother can use them, they are not designed for security. They are not designed to protect things and they become the weakness in your network.”
For Kees it is the unknown quantity of artificial intelligence (AI). “I think AI like ChatGPT is probably the biggest threat. Although AI is still limited in capability, it will have a huge advantage when it is able to simulate human activity – it doesn’t need to sleep. The defenders, our security team, are human. They need to sleep, and have a life outside of work, and other things that are important. AI bots do not.”
This brings a double threat. Firstly, the increasing number of attacks from always-on bots makes it statistically more likely for one to succeed. But secondly, it will bring a human cost to the security team. “AI will generate attacks that are non-stop and constant. The inability to walk away from them is going to generate increased and continuous stress among the defenders, and that in turn will increase the already high levels of mental illness and burnout.”
The standard response from the security industry is that increased use of defensive automation and AI will counter the increased use of adversarial AI. That has yet to be proven. It may well become the next area of leapfrog between attackers and defenders, but it will certainly be at a much faster pace.