What key skills must you have to be a successful chief information security officer?
And actually, what is it even like to be a CISO?
On the latest episode of Security Sandbox, Relativity CSO Amanda Fennell catches up with two of her fellow chiefs: Tyler Young, a former Relativian who is now CISO at BigID; and Dominik Birk, deputy CISO of EMEA for PwC.
The crew discusses their first orders of business in their roles, the animal instincts required, and more. Read a bit of their conversation below and listen to the full episode for all the insights.
Amanda Fennell: As a chief security officer, what animal do you think best describes your style?
Tyler Young: This isn't an animal. More of a bug. I think I'm a mix between a butterfly and a bee. Like the Muhammad Ali “float like a butterfly, sting like a bee” concept. Build the partnerships like a butterfly, occasionally put your foot down and sting.
Dominik Birk: Multiple animals come to my mind. First: cockroach, somehow? Because it's the survival instinct. Also a kangaroo—you know, jumping from A to B. And if you get punched down, you stand up again.
Amanda: What were some of the first questions that were asked of you as soon as you started as security officers?
Dominik: Before I even started, the first question I asked was: what kind of C-level support do you have for security? As we know, it's mission-critical to have senior management support and attention toward this topic.
Amanda: Yeah. How effective can you be if you don't genuinely have that from the beginning? My husband always says, “you go where you're wanted and you're needed.” It has to be both. So they might want you, but they have to need you—and vice versa.
Tyler: Right, because you can't do this alone. On another side of that, you have to ask about the budget for head count, tool growth, that kind of stuff. Because the last thing you want to do is get into a role where you have no executive support and you have no money, so you really can't solve the problems. You’ll look at all these risks and uncover all these things, and you can't fix them without the right people, process, and technology. So if I can't do all three, what am I doing here?
Amanda: Let's pivot into being a chief security officer and being a great parent. Let's talk about that for a minute. There's a lot on our shoulders. The first day in the role at Zurich in incident response, I think I broke out in hives because I was so stressed out by this. How do you two handle it?
Tyler: I was recently talking with a founder of a company, and how he took the jump from CSO to building a company. He was talking about how he sets time aside every day for his kids, and at the end of the day, it showed his children how to work hard for what you want and how to be a leader.
But on the flipside, you have a long time to work. You only have finite time with a kid who's one year old and taking their first steps or three years old and telling you, “Daddy, I missed you when you went on a work trip.” And so I was torn between choosing to be an amazing role model and showing them that if they work hard, they can do anything they put their mind to—and never wanting to miss those moments that I’ll never get again.
You have to balance the two. You have to, because being an executive can suck you in, like, fully. You could spend 100 hours a week solving problems. So you have to gather people to help you duplicate yourself and then delegate tasks. If you try to do it all yourself, you're going to bury yourself doing it.
Dominik: From my perspective, these two topics have one thing fundamentally in common. This is the challenge of prioritization, right? In our daily jobs, prioritization is key. If everything is a priority, nothing is a priority and you will not get anything done. The business, our stakeholders—they expect us to make decisions to prioritize and then execute.
At the end of the day, what are we doing in our roles? We are reducing risk and protecting the brands we work for. When it comes to prioritization, you need to ask what kind of activities come next that will help my brand reduce the highest risk. So based on this principle, I try to make my prioritization decisions. And to be honest, I trust my gut. It works so far.
Amanda: I think that is the secret ingredient for this role. How many times, Tyler, have you heard me use the phrase “Spidey sense?” Like, “I don't know why, but I need you to do this thing.” And then, months or years or weeks later, something will happen, and it turns out that thing—we need that. It's absolutely instinct that I think makes a good security officer.
Tyler: A little bit of a different track: while protecting the brand is important, I think the biggest thing is protecting our customers. Being a software product, your customers and the security of what they're giving you and trusting you with is paramount. So building a good product security team was my first priority.
Amanda: What talents are you looking for on your teams? Say we've confirmed that there is executive buy-in. So you get into this role, and now you're looking at the talent. What do you need?
Tyler: From a technical perspective, developers. If you don't have development skills, I'd probably want to look elsewhere because I do believe that, being in a software company, you shouldn't be focusing on hiring mass amounts of people to solve problems. You should be looking to automate things and build products and solutions internally. So, first and foremost, if you can write code or you're a skilled developer, we can teach you to fish and we can teach you the security stuff. But it's very difficult to teach somebody to write code.
Dominik: Tyler brought in an interesting aspect because, you see, it depends on the specific needs that the company might have, right? So let me generalize it a little bit. What do we need first? A solid technical background in order to understand the risk landscape. Because it's ever-changing. Yes, some things have been the same for decades—they might remain the same, but there are also new aspects that you need to understand. Especially the full risk impact of it all.
The second one is understanding business. How does a company make money? This is something that sometimes we, as security people, have a tendency to forget. But it's very important because, at the end of the day, we are protecting our business. So how do we actually make money?
And last but not least, social skills. We are not machines. We are humans. You need to be able to transfer your message and influence the other side of the conversation.