From Chief Petty Officer to CISO

Hard lessons learned by a military veteran in private industry

After serving my country on active duty, I retired and departed the US Navy, entering civilian life. I was provided a one-week school to prepare myself for transition and an eight-page resume that was so convoluted and full of acronyms that it’s a wonder I got my first job. It’s been years since I put my khakis away and, in that time, I have had the fortune to continue serving in my career field of choice, cybersecurity. With that said, it has not been easy, as I still miss being on an Arleigh Burke Guided Missile Destroyer (DDG) heading out to sea with my people. Of course, reality settles in, and I face the fact that my knees can’t handle sea duty anymore; so, I have found another path in cyber.

Since I transitioned from the US Navy, I have served as a Deputy CIO, CISO, and Chief Risk Officer (CRO) for the federal government, Deputy Director of IT and CISO for the City of San Diego, Vice President and CISO for Webroot, and my current role of CISO for SoftBank Investment Advisers. In all of these roles, I have enjoyed significant successes but have also had to manage failure on more than one occasion. Each time, whether good or bad, I have learned something to improve myself, my security program, and my teams. Along the way, I have had and continue to have exceptional mentors whose patience has been remarkable. They have ignored my stubbornness and have helped me adjust to the business world. I have come to realize my mentors were right on more than one occasion, and through their guidance, I have matured as both a cybersecurity and business executive. It has been their selfless example of helping those in our community that has motivated me to mentor as well, write articles on cyber and leadership, and freely give content in the hopes that I can help make our community a better place.

This article is about the hard lessons I have learned as a veteran finding my way in a strange new world. Many of these lessons are insights I was vaguely aware of when I was in the military but which became strikingly clear once I transitioned to civilian life. They are not a hard set of rules to lead by, but observations that I hope new CISOs and veterans who are transitioning might find valuable as they walk their own paths. We all can use guidance from time to time, whether it's from faith, family, friends, or peers; I find they can help you establish balance in your life. With that, here are some observations I have experienced since putting my uniform away.

1. You are whom you associate yourself with – Growing up, I can’t count the number of times my mother would tell me something like this about picking your friends. Then, in the military, I was also taught by my superiors that this applied and would reflect on me as a leader, so I should be careful. However, in civilian life, especially private industry, as you move up into management and executive positions, this becomes critically important. I learned the hard way that sometimes people who are friendly and want to help you expect something in return. This can lead you into some serious ethical issues that can impact your career and reputation. As a CISO you must be above reproach and hold yourself to a standard that positively represents yourself and your organization. This may seem unfair, but it’s part of the job, and if you are going to serve in the role of CISO then accept that responsibility. As a manager, leader, and mentor I feel this applies as well and becomes apparent as you build your professional networks and mentor teams.

Takeaway: Would you be embarrassed to introduce an associate to your parents, your spouse, family, friends, etc.? If so, you may want to think about making a change.

2. Your relationships/networks get things done; maintain them, and be careful whom you invite into them – I have learned time and again that one of the more critical assets for a CISO to be effective is a network of peers, champions, and stakeholders who understand the mission of cybersecurity and are happy to help when needed. This is why I recommend that one of the first duties a new CISO should perform when they accept a new job is to meet their peers in their organization’s business units and departments. Cybersecurity is like water; it flows throughout a company’s various departments, divisions, teams, workflows, projects, etc. As a CISO, you will need to work with these other stakeholders, and it truly helps to have an established partnership with them. Keeping this in mind, I believe it is also essential to have a network outside of the job. It helps if your network isn’t just job related but contains people from your professional organizations, faith-based groups, hobbies, peers, and other external relationships; what’s important is balance. Having a wide-ranging network gives you many options if you are searching for a job, an answer to a problem you are working on, or a new mentor; however, be advised that the networks you build are fragile. They need to be maintained, and we must be careful about whom we introduce to them.

Takeaway: Networks are all about trust, and one bad introduction can do severe damage to years’ worth of relationships, so be careful.

3. Continuous learning is an asset – After I finished my necessary cybersecurity certifications and my bachelor's degree, I thought I was done with education for a while. What happened to me was the opposite; I came to realize that with today’s evolving threats and changes in technology, if I expected to be successful, I would need to work on acquiring new skills. Along with this realization, I also had an epiphany that it doesn’t have to be a lot of hard work and that you can achieve a lot with the right attitude and a focused approach to completing your goal. How I have worked this issue is to build mind maps of the topics, certifications, and technologies I am interested in and occasionally select one that I feel is needed and set a goal for its completion. To accomplish a goal like earning a new certification or skill set, I break up the reading and studying over a specified time period and then make sure to complete at least one hour a day towards the goal. In keeping the time commitment small, it is easier to create a schedule where you can set a rhythm for what you want to accomplish and adjust for travel, family time, or just taking a night off. What I believe is important here, and what I work hard to put into practice, is to not keep the joy of learning to myself but pass it on to my staff and the people I mentor. In business today, education is an asset, and if you have demonstrable knowledge, you are on a winning path; all of us should look to pay it forward and contribute to those around us.

Takeaway: No one should just say “I am done!” You can achieve amazing things by focusing on small objectives one at a time and reap the benefits of following a flexible schedule.

4. You are only as good as your people – For the veterans reading this article, I know many of you recognize this sentiment, and it applies in the business world as well. For those of you unfamiliar with this statement, it means that if your department, business unit, division, project team, etc. is a dumpster fire, then guess what, so are you. As the leader, manager, CISO, etc. it is on you to manage your teams and understand that their good and bad issues will reflect on you because it is your responsibility to lead. In this context of managing teams for success, I do believe it is important that when there are accolades, you give them to your teams. It's their success that has helped you, and I would do this even if you feel you deserve the recognition. I also think that when there are criticisms, then you as a leader accept them and do not blame your people. Instead, later, you use those criticisms for focused training and try to provide opportunities for improvement. Now I can hear many of you laughing; this observation was hard for me. I have had people who worked for me who literally drove me to distraction with their issues, so this one is not easy, and I still work hard at it every day because it takes patience, which as a CISO you may have little of; but if you expect to be successful, you need to find it.

Takeaway: Taking care of your people pays dividends, and being a servant leader helps build both team and self-resilience.

5. Don’t take failure personally; it’s just a learning opportunity – After I first transitioned from the military into civilian life, I didn’t take failure well. I was used to controlling my career, having it all mapped out, and knowing at each turn what was expected of me for the next career step. Of course, that went out the window when I started my career in private industry. The last ten years for me have been a collection of ups and downs as I learned to operate where the rules are vague, and it helped to have mentors who could explain the signposts I was ignoring. What I have observed is that failure happens, so don’t take it personally but instead use it as an opportunity to reflect and improve. I have had failures that resulted in some severe anxiety and self-doubt, as I knew I needed help but was not sure how to get assistance. Upon reflection, I now realize that understanding how to deal with failure means learning to talk about it, break it down, realize what decisions I made that were bad, accept my mistakes, and then plan how I will improve. Being willing to take a brutal look at myself has significantly helped me manage adversity as I continue to excel in my career. How this can help you is to understand that failure doesn’t have to be bad; it does suck, but learn from it and use that knowledge to not only fix your issues but make the people around you better – as my friend Rick McElroy says, “leave a legacy”.

Takeaway: Not doing anything is unacceptable; to get better you need to practice self-assessment and be OK with accepting your mistakes.

6. Your reputation can open doors, or it can end your career – Your reputation is an asset you build from your first day at work. It represents what's good or bad about you and can change over time depending on the amount of effort you put into developing it. In my career in cybersecurity, I have known peers who were good people, who were fun to hang out with, and great friends, but professionally their reputation was a mess. They had burned bridges at the previous job they left or had public arguments on social media that went viral and damaged their ability to be accepted as a thought leader. To me, your reputation is an investment that’s built on trust and grows in worth over time as you become known for being an excellent worker, leader, manager, CISO, etc. That investment, however, can also be severely damaged and can impinge on your ability to be successful. To understand your reputation's health, I believe it’s essential to talk with coworkers, peers, mentors, etc., and ask for their opinion of how you are perceived in your community. If it's good news, then you are on the right track; if it’s not, then it’s time to get to work to repair the damage.

Takeaway: Be authentic, be aware, and continually assess. Don’t pretend to be someone you are not, and treat your reputation as an asset.

7. Don’t just dream big; plan and execute for success – This observation has been one of my more significant issues when working with peers. I find people have grand ideas for what they want to accomplish but lack the ability to develop a plan for how they will achieve their dream. Now, this doesn’t mean I have quit dreaming since I transitioned to private industry; far from it. Instead, I have learned from my mentors and peers how to break dreams down into manageable goals that can be transformed into strategic plans. So, it's OK to dream, it's OK for you to have big ideas, but when you’re ready, bring them down to earth, get to work on what can be achieved, and accept the win even if you don’t fully get what you originally wanted.

Takeaway: Dreams are a natural part of the brainstorming and planning process; use them, but be willing to accept changes for your security program's success.

8. An organization's culture can make you or break you – Working for multiple organizations over the last several years, I have seen numerous organizational cultures, and none of them were alike. This is important because as a CISO you are the voice of security for the business, and in this role you are a change agent. As the CISO you will be tasked to identify, remediate, and manage risk; that typically involves recommending changes that employees may not like and may actively ignore. Over the last decade as a CISO, I have seen peers of mine walk away from jobs because they were tired of fighting their company's culture and just gave up. I personally can’t fault them, because I know business culture is one of the hardest issues for a CISO to manage when building a security program. When I see CISOs who struggle with it, I know the issue is typically that the CISO and the current business culture are not aligned. To put this in perspective, the culture of an organization is like a stakeholder that has enormous clout, and from experience, you need to understand this stakeholder so you can figure out how to get your security program to work with it. How I have done this is to hold lunch-and-learns, so employees get to know my security team. I have also done briefings with executive staff and departments explaining the projects my teams were working on and the business value these efforts would bring to our company. I have also asked peers and employees in other departments to be a part of our projects so they could see what InfoSec was currently working on and that we valued their input. This visibility into the security program's operations, projects, policies, team members, etc. helps employees accept cybersecurity as an essential business process that becomes part of the new, updated culture.

Takeaway: Gaining insight into your organization's culture requires you to walk around, talk to people, and listen to them; this will give you context on the unwritten rules for how things are done so you can align with them and help change them for the good of the business – if needed. Sometimes the risk is low and it's okay to accept current processes if that allows you to get more critical issues remediated.

9. Company, Community, Family, and Self: it’s all about balance – Working in the cybersecurity field, stress is a constant reminder that we have to be one hundred percent right all the time. Of course, as everyone knows, that is pretty much impossible; hence the long work hours, the 24x7 operations tempo to manage risk, and the impact this stress brings to security teams and their leaders. As an experienced security executive, I have known peers who have died at a young age of heart attacks, and I have seen them burn out and give up on a career in cybersecurity. My doctor once told me that if I didn’t cease being a CISO, the stress would kill me; keeping that in mind, I am still here, but I had to make changes. The reason I am here is that through adversity I have learned that to survive and thrive in cybersecurity you need balance. What I mean by this is you can’t be solely focused on protecting the company and ignoring everything else; that’s a quick road to burnout. Instead, I have learned it’s better to be involved in the security community and to write, speak, mentor, and make close friends. It is also important to be engaged in your company, not just your cybersecurity department, but to understand what your peers are doing and how your company does business so you can support them. Having this proper business understanding will provide context for adequately aligning your security program for better coverage and help reduce some of the work and stress on your teams. A final factor to help reduce stress and maintain balance is family time and time for yourself. I know both are not easy; however, I have found that taking the time to be physically active every day helps me sleep better, and it frees my mind to think of things not related to work.

Takeaway: It’s taken me years to see how vital it is to maintain balance (self-resilience), so don’t ignore this observation; start working on it today, even if it’s in little steps at a time. The dividends will be amazing in the long run.

10. Incremental improvement beats delayed perfection – This observation has taken me years to develop, accept, and master as a standard for success. I train my teams that our projects and initiatives are made up of small components, and we should focus on the small pieces and not worry about the larger effort. I have seen too many times teams looking at the horizon where they wanted to drive a project, losing sight of how to get there, and their efforts failed. So instead, we focus on the small pieces; each one is a win for us, and we accept that over time, if done right, we will get the big win.

Takeaway: Having a micro-focused view on projects and initiatives, you will find, allows you to adjust with minimal resource requirements, and it is less stressful on you and your teams.

In closing, I hope I have provided some food for thought; transitioning into a new career field and learning to build a new network has been educational for me, and I have enjoyed every minute of it. I also wanted to take the time to thank Sam Curry, a fellow CISO, friend, and mentor, for helping me clear the cobwebs and put into words what I truly wanted to say. Our cybersecurity community is a vibrant entity that has driven me to succeed over these last several years, and in retrospect, I wish I had started to mentor and write sooner, because I believe it is vital that we help those coming into the field behind us, who will be the security professionals of tomorrow. It's this drive to help that led my co-authors and me to write the CISO Desk Reference series; we believe it's necessary to get off the sidelines and get involved. With that, I look forward to reading your responses to this article. Again, thank you for your time, and I hope to see some of you this year as our community opens up and more of us come back to our conferences and live events.

***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2, and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.

Nathan Atchison

Maintenance Supervisor

8 months

Of course you are a CPO!!

What a fantastic story, Gary! “You are whom you associate yourself with.” I love that. My version of that is: The who matters more than the what. It's the best advice I’ve got.

Monica Verma

Top #3 CISO in EMEA, leader and founder on the mission to help you 10x your career and business in AI, Leadership and Cybersecurity | Open to board positions | Subscribe to The 10x Circle at monicatalkscyber.com.

1 year

This is fantastic Gary. Amazing to have you in the community and making way for the others. Amazing to have you as a peer and a dear friend. You rock!

Wib Gridley

Security Professional | Founder - ScareNario!

1 year

Hah! I was on the Arleigh Burke back in the '80s for a short trip as a CTR. It wasn't the best ship, but it certainly wasn't the worst of the 46 different ships and subs I did direct support on. The USS Kennedy is by far my vote for "Pig Boat" during the "Death Cruise '88" that I had the misfortune of spending 3 months on (and witnessed 4 deaths). Good on ya! Even though we've never met, I am proud of you. Navy Cyber is horrendous, but that's not because of the rank and file. It's good to see fellow squids doing well in the civvy world regardless of what field they choose. I'm gonna repost this, if you don't mind. You have articulated some really good points that get missed in these smaller LinkedIn posts for vets. And yes, I am now USMC Cyber Auxiliary, but that doesn't make me a jar head. If the Navy had something similar, I would've joined that in a Chinese balloon minute (oh, wait, that's like a week).

Thank you for your service and the ongoing leadership you provide.