CyberWire Daily - Are we a trade or a profession? [CISO Perspectives]
Episode Date: April 24, 2025
We're sharing an episode from another N2K show we thought you might like. It's the first episode of the new season of the show CISO Perspectives with Kim Jones. Enjoy!
Show Notes: Cybersecurity has an identity problem: the industry as a whole is struggling to determine whether it is a trade or a profession. In this episode of CISO Perspectives, host Kim Jones sits down with Larry Whiteside Jr., the Chief Advisory Officer for The CISO Society, to discuss this identity crisis and how the industry as a whole connects to both of these labels. Throughout the conversation, Larry and Kim discuss the merits and drawbacks of both labels and how cybersecurity does not solely fall into one category or the other.
Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It's the perfect follow-up if you're curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Welcome to CISO Perspectives.
My name is Kim Jones, and I am thrilled to be your host for this season's journey.
Here we provide in-depth conversations and analysis of the conflicts, issues, and challenges,
technological and otherwise, that the average CISO faces.
We're bringing the deep conversations out of the conference,
or more realistically, the conference bar,
and tackling a single complex issue
from every conceivable angle across a multi-episode arc.
For our inaugural season, we here at CISO Perspectives
have chosen to tackle the challenges
surrounding the cyber talent ecosystem.
We've been complaining about talent issues for the better part of a decade,
but our piecemeal solutions don't seem to be solving the problem.
Today we explore the question, is cybersecurity a trade or a profession?
Now as a reminder, this is just one of three episodes that will be available
to everyone. After the next episode, CISO Perspectives is available only to CyberWire
Pro subscribers. If you haven't already done so, head on over to thecyberwire.com/pro
to sign up so you can keep going deep with us on these conversations.
And now, onto the show. In 2013, 18 years after the Chief Information Security Officer role was created, the National
Academy of Sciences, or NAS, released a report. This report stated that cybersecurity should be seen as an occupation, not a profession.
In this report, NAS stated that the cybersecurity field was too young and that the technologies,
threats, and actions taken to counter them were changing too rapidly.
Further, NAS felt that professionalization would, and I quote,
"impose certain barriers to entry which would prevent workers from entering the field at
a time when demand for cybersecurity workers exceeds supply."
This caused dismay and even disgruntlement amongst the old security heads who had built
cyber from the ground up.
As we discussed this report, we routinely conflated professionalism with being part
of a profession.
Indeed, many advocated that we were already a profession and were eager to prove NAS wrong.
However, 12 years later, we're no closer to true professionalization.
It seems as if nothing has changed but the magnitude of the challenges we face and the
enormity of the stakes.
True professions have certain characteristics that cybersecurity does not fully meet.
On the side that supports the belief that we are a profession, there are two compelling
arguments.
One, professions have a unique body of knowledge that can be codified, studied, and therefore
learned by others.
While degrees aren't necessary for an individual to practice in the profession, degrees tend
to ensure that individuals understand the basic principles of the profession. And two, professions have a service orientation and not just to those who employ us.
Professions and the professionals within are committed to the betterment of the profession
itself.
Professionals commit time, money, and effort to contribute to both the profession's body
of knowledge and its administration.
Unfortunately there are two requirements for a profession that we have not met.
One, professions have a code of ethics that defines appropriate behavior, meaning a profession's
commitment to these standards would cause a professional to leave their employer before
they violate them.
While we may have organizations that have codes of ethics, there is no overarching uniform
code of ethics for the cybersecurity profession.
And two, professions have sanctioning organizations.
In addition to promoting research and the exchange of ideas and acting as a
collective voice, sanctioning organizations have the ability to limit or eliminate an
individual's right to practice their craft if they violate the code of ethics or commit
egregious acts. The sanctioning organization provides oversight and guardianship. No such
organization exists in cybersecurity today.
Given the hands-on nature of many cyber roles, there has been an equally strong argument
that it should be considered a trade, versus a profession.
Indeed, we have seen a resurgence of this belief by a new generation of cyber warriors
who insist that their knowledge and experience should be the only arbiter of selection and
advancement.
While this argument has some appeal, I contend that the argument for us being a trade is
the weaker one.
Trades have clearly defined standards of entry, clear documented knowledge requirements for
both entry and advancement, a mandatory apprenticeship structure that is supported by the trade,
and additional mandatory certifications required for advancement.
While I was a CISO at my last large company, I gained exposure to a true trade structure.
My executive assistant's husband was working as an apprentice with a local power company
to become a lineman.
The levels of rigor of the program, the formal learning, and the number of hours he needed
as an apprentice before he could become a journeyman were highly structured. Cybersecurity has elements of this structure, but it lacks formality and it lacks mandate.
So what are we today?
Are we a trade?
A profession?
Neither?
Both?
Folks, as much as it pains me to say this, the truth is this.
The best adjective to describe us today is stagnant.
The arguments made today are practically identical to those pointed out by NAS over a decade
ago.
While technology has only continued to flourish, we still can't decide what we want to be
when we grow up.
We are too busy to train newcomers and would rather steal experienced resources from one
another.
We remain collectively afraid of professionalization and its exclusionary potential.
We refuse to adopt standards regarding needed knowledge, skills, and abilities, yet we rail
about the inadequacies of up-and-coming talent.
Folks, it's 2013 all over again, or rather it's 2013 still.
Is it any wonder why we have lost our agency with those who would regulate and legislate?
Without clear answers and standards,
we cannot blame our constituents for seeking guidance elsewhere.
As a longtime practitioner, I contend that there comes a point in a career when technical
depth, breadth, and expertise should equal our ability to lead and build. Our nation's
armed forces provide a good model for us.
Within a particular service branch, there are shared skills and abilities in which all
members are trained and must regularly demonstrate proficiency.
As service members advance in rank, their roles shift away from hands-on and into leading,
training, and planning.
That shift becomes more drastic within the senior non-commissioned and officer ranks.
While junior ranks will poke good-natured fun at senior ranks, there is, for the most part,
mutual respect and an understanding of the need for these different roles.
It's time to appreciate that cybersecurity is a combination of requirements that shift
based upon role and scope.
This is neither unique nor new, but it does require a level of definition and baseline
requirements for entering the profession and proper and detailed scoping for advancement.
Things we have been unwilling to do for ourselves
and the next generation of professionals. Until we do, we will remain nothing more than
a glorified occupation that will continue to lose agency.
My two cents.
On today's episode, I'm joined by Larry Whiteside, a veteran cybersecurity leader, passionate
advocate for diversity
in tech, and co-founder and president of Confide.
Today's conversation revolves around a big question.
Is cybersecurity a trade or a profession?
Let's get to it.
First and foremost, Larry, thanks for making the time, man.
I know how busy you are, and I appreciate you giving me a
Thank you so much for having me.
way. So A, I'm a faith-led cyber executive. I've been in this industry for, I think, 33
years at this point. Ex-Air Force officer, ran information warfare at the Pentagon. That's
my last role. Jumped out, have held the role of a cyber leader slash CISO about eight times
across my career. And I've just been, I've been very fortunate and very blessed, um, to
have had the roles I've had and being in the positions that I've been in to help
others.
So it's been, it's been a great journey.
And the most impactful thing I've done, of course, is co-founded a not for profit
called what was formerly called ICMCP, which is now called Cyversity.
Fantastic.
I was, uh, mentioning to someone, I remember the day and age as do you when
you could put all of the men of color who were sitting in that cyber leader
chair in a single room and still have there be less than 30 of us in the room.
So yeah, we've been around a day and a half, brother.
Yes, we have.
So, you and I have had this conversation before,
and you've been around almost as long as I have,
so you've seen the changes that have gone on in the environment.
So let's start with the basic question.
Are we a trade? Are we a profession?
Are we both? Are we neither?
Would love to hear your perspective on that.
Yeah, so I've actually given some thought to that simply because, and I'm going to say,
I think we're both.
I think we're both because of a couple of factors.
When you think about the entry-level components, right, the entry-level component of getting
into cyber is very trade adjacent, right?
Meaning that there are certain skills that you need to have coming into this.
It's not about certifications, it's not about degrees, it's about skills, which is why we
say you can come out of high school and do this.
Because if you create or foster certain skills on your own in high
school, you can technically come into a cyber role and become proficient in the way that
an organization needs you and go execute.
So at that level, I see it akin to a trade.
The problem has always been for entry-level roles, we try and introduce them via
internships. Internships do not align to trades because what I've noticed across the industry,
the way an intern is treated, is definitely more of a let's give the work that no one
else wants to do to that person, not let's train them, let's hone the skills
that they've brought to the table so that they can be better at that craft and
they can utilize it to better support us.
So with that, I think that we've had a mismatch there and from a professional and trade perspective, right?
Reflecting back, yes, it is possible because particularly
at the entry level, we are more skills and abilities focused
than certification, college degree,
and we'll talk about the goods and bads of that later on.
So that is, and I love the term you use
That is trade
adjacent if we believe that
then
Why are we not seeing folks come out of high school enter cyber?
Why are we not advertising for folks out of high school in cyber?
Why do we refuse to hire people
who do not have a college degree
or at least X number of years doing this
at the entry level?
Because if you are correct,
why aren't we acting in a manner that agrees with you?
So yeah, yeah, so there are a number of factors
that I'm gonna drill in on a few of them.
So number one, we as cyber leaders, and I'm pointing at, at people who sit
at the top of the food chain have let HR take over and run how we hire.
Right.
Explain.
So, so when I see, so goes in and gets their role as a CSO. What happens is they allow HR to categorize, map, and align the roles in cyber to the roles
in the other technology roles in the organization.
And so for those, they create this singular expectation, these singular job requirements, these singular things of what education must
be, what that, all of these different components that make up a job description and the requirements
that you must have coming into the job.
Is that really still happening?
And let me explain where I'm coming from.
From my perspective, and it might be, you know, my background is break fix.
So in most of the gigs I take, I write the job descriptions
and I fight with HR for those job descriptions.
So my experience base may not be typical.
So is that still happening?
Yes, go look at the job description.
So because I'm Cyversity, I mentor a lot of people
and I engage, I've got multiple Slack groups and, uh, signal groups and all sorts of groups
in which I am engaging with people who are out looking at jobs and for entry
level roles, there's still tons of jobs out there that say entry level
with three years experience.
How does that align?
Entry level with a college, with a four-year college degree or equivalent.
Well, what is the equivalent of a four-year college degree?
Four years of experience?
Well, that's still not an entry-level role, right?
So we've got this mismatch.
I need to find out what are the risks that exist, right?
And how can I best mitigate them?
Not thinking that the reality is,
if you can't build a team properly,
you're not gonna get any of that stuff done anyways.
Yeah, I've had similar conversations with CISO
to say I want an entry-level position,
but I want them to be able to do certain things,
and in order for them to do certain things,
they need to have these experiences.
Then I go back and say,
then why aren't you sitting there
labeling that not as an entry-level position?
Because I'm a believer worst case that entry level requires zero to
six months, preferably zero, then I get the, well, I don't want to budget for
the experience.
So is that an HR problem or is that a CISO problem because they want
to have their cake and eat it too.
It's both. It's both.
It's both.
Right.
I've seen organizations where HR is very hard around the salary bands and around
the job requirements based on salary bands.
No, we can't have someone who doesn't have a degree in the salary band. Across
the organization globally, you have to have a degree to fit within the salary band.
And I'm like, we're unicorns.
That doesn't work for me, right?
And so I've had to have that battle.
And I've had this conversation with CISOs
who have also had to have that battle.
But to your point, we also are impatient
because we as CISOs also know.
Hey, hang on, hang on, hang on, hey, whoa, whoa, whoa.
Your tax dollars trained me to do this as they did to you, so let me try this.
Us?
Really?
Say it isn't so.
But there's a reason that the CISO role, the tenure of a CISO, is under two years, right?
And with that, you know, as a CISO,
when you go and you've got a limited amount of runway
to get things done.
So with that, if you are focused on building a team,
you're trying to build a high-performing team.
And in an effort to build a high-performing team,
what you leave out often is the lower level, entry level,
and figuring out how to get people into your pipeline
to get people skilled up to become that high performer.
You don't take time for that.
But let's play with that a little bit.
Let's play with that a little bit.
Because again, and yeah, for the sake of our audience,
Larry and I have had this conversation
more than a dozen times, and we've gone back and forth,
but my job is to push because I wanna make sure
we're hitting all sides of this.
So let's back up for a second.
The tenure of a CISO is two years.
Whose fault is that?
That's us.
So I'm back to the, and I'm gonna rant a little bit here,
I'm back to the tenure of a CISO is two years, why?
Because we look at ourselves as hired guns,
we get bored, we get scared because of,
oh my God, the sky is now falling
and we have to actually dig in and do a little work.
So again, HR has a component of this,
but if that's the case, then are we a profession?
Because professionals don't act as hired guns.
So are we trade adjacent?
Or are we truly just a trade?
Because we're looking at the job to move on.
And if we're not, what do we need to do to fix that?
So, no, no, no.
So it's interesting.
You bring up some good points.
So do we get bored?
Yes.
Because there are some of us who are builders, some of us who are fixers, right?
And some of us who are, are, are all of the above, right?
And there's a mix of everybody in there, right?
So yes, there's multiple reasons why the tenure's only 24 months.
But one of those reasons is also why we call it the chief information
scapegoat officer. Because 364 days of the year, everything can be fine. On day 365, when
something does happen and the entire organization looks at you and says, how could you let that
happen? And you go to your email list and you go to your risk register and you show all the things
that you've shown them around the risk that ended up getting exploited that we needed
to repair that.
So the role of having all of the responsibility and not only the authority is also partially
why.
Right?
Well, I understand there's some uniqueness to that, and I understand because you and I
have both grown up with that.
What I'm also wondering is, are we scapegoating that?
Are we at a point where there is uniqueness to our position?
But I'm wondering if we're leaning on that uniqueness
as an excuse to do things like put ourselves apart from the business
versus learning what's important to the business.
We've fought during the timeframe you and I came up, Larry, to say we need to have a
seat at the table and be professionals, yet we're still acting like tradesmen that says,
I really don't care whether you understand or not, and I really don't care what you do
for a living today. This is the problem, solve it, and if you don't like it, fine.
And if I think you're telling me that you don't want to solve it and you're not gonna listen to me, and my spidey sense
begins to tingle back here that, you know, I may have a concern, then I move on.
Yeah, so so I look at it a little differently, right?
so I look at the top of the food chain and, you know, a few levels down as
100% of profession and here's why.
Um, part of the challenge that we have is this role is not as old as the
quote unquote C level roles that exists in corporate entities, right?
Yep.
Very true.
Additionally, there's not a true, um, uh, holistic training mechanism that gives
what used to be a technologist role.
The business acumen, the ability to articulate, the ability to communicate, the ability to understand finances, the ability to understand business, the ability to understand P&L,
the ability to understand all of the different nuances
of business that most other C-level
and senior executives go through.
No, you gotta run back that for a second and here's why.
While I agree with you on that, okay,
you know I built a degree program to do just that and I couldn't get the support of
CISOs in the community in the environment
To back that because they weren't technical enough
Because I split the training to make sure they knew how to communicate they understood the business and the pieces and parts here so that they
Could be prepared to be the Renaissance men and women that they needed to be and I couldn't get support from the CISO community
Because they weren't technical enough
So I have to go back when you say my student my students
Yes, so my students and graduates who by the way, we're coming out
with decent technical background,
but not as much heavy tech as say a comp sci major would be
that creates that transition for the CIO
who's come up from hardscrabble bits and bytes,
arms in the wire, et cetera.
What is the, you're saying that there's no transition
from that technical to this piece, agreed.
So, and you said like in other places, agreed.
Give me that transition for the CIO.
So CIOs got pulled up.
So remember, CIOs, they were forced
to be business executives.
They were forced because they were reporting into CEOs,
boards of directors, and CFOs.
They were-
No argument on how they got there, Larry,
but you indicated that there was a transition.
They had to make that transition.
Yes.
So if I have to make that transition as a CISO,
what things did the CIO have, that training opportunity, that particular knowledge
that was forced upon them that were not seen to the person who wants to translate to your
role or mine?
So A, CIOs are at a different pay bracket.
Many of them went and got master's degrees in business, master's degrees in finance, and accelerated higher level degrees,
education and certifications in things that align
to the business of where they were being forced to go.
So, I use the word forced purposefully, right?
So for us, where the role has been downplayed,
not given the authority that it needs
to actually execute upon the
remit that they're asking of, right?
We have to choose to go and typically pay out of our pockets, right?
Or find some other way to go get that education in hopes of that accelerating us up into this
other conversation. So as they were forced up, there was a universal need, if you will, or rather
not need, understanding that to pull this person up, they need to do these
things and this person needs to be pulled up.
Therefore, if we would expect that that role to have certain things sitting around it
and they many of them are either paid to go do that
or go do that because of the pay bracket, et cetera.
Where conversely, the CISO sits every freaking place
within the environment.
And in some places it's way too low.
So while there is a need for the role,
that need may be the S that scapegoat,
and we just need to have someone on that title
to report to the SEC so that we can fire their butts
when the time comes.
That's right.
To individuals who truly have a seat at the table,
either next to the CIO or, you know, my role,
the CIO and the CSO reported to the chief operating officer.
There was the CEO, the COO, and then us.
And sitting at that level, operating at that level, different from other organizations
and other, in other verticals saying they belong in different places.
So that lack of understanding as to where they belong has impacted the definition
of not only what it means to be that business professional,
but has slowed down our collective need to maybe define
what that is because we really haven't defined
what the role is.
That's right.
So, okay, I wanna make sure I'm understanding.
Now in that regard, you were about to make a point
that says, and again, something else we've talked about,
you were about to make a point that says
different organizations, different business verticals
may have different needs
because there are different types of CISOs.
So talk to me about those different types of CISOs.
Yeah.
So, so, and we get into this debate a lot, me and a number of people, right?
It is you and me and about 50 others usually, right?
Because there's, are they really a CISO?
No, wait, wait, wait, wait.
Right.
And so we go down this path of what's their remit, what are they doing?
Because you've got this large dichotomy of what the term CSO is in every
organization with big air quotes.
Because typical can be a bank.
Well, guess what?
A Fortune 500 bank is different than a community bank is different
than a credit union, right?
I know I literally had dinner last night in Atlanta
with a couple of people that were in financial services.
And one was Morgan Stanley,
and one was from a community bank.
Well, a community bank, he didn't even have the CISO title,
but he had the entire remit of the CISO, right?
He had all of the responsibilities of a CISO.
So you then move into healthcare.
Healthcare again can be, I've seen healthcare where the CISO reports into the CTO of the
healthcare organization.
I've seen it where it reports to the CIO.
I've seen it where it reports to the chief medical officer.
Right?
So we'll go over to retail.
And it just continues to go.
Now don't even, and that's on the corporate side.
Let's go to, let's go if you are a technology business,
if you're a technology business,
and you are developing technology to sell to anyone.
So if you're selling to consumers
or you're selling to, in a technology business,
you can report it to a CTO
and they want you to be deeply technical.
And that's all you do.
You never get involved in the business.
And so there's so many different ways that this role is seen.
And now we are bastardizing ourselves because there's a feeling in the industry, and I've
created a panel for this last year, that CISOs of cyber tech companies aren't really CISOs.
And I'm like, wait, wait, wait, wait, wait, hold off.
Like, so are you telling me they're not protecting
the data that you're utilizing?
They're not making sure the tech is secure?
They're not, like, they don't have,
because I know tech CISOs on the cyber companies.
You have it worse.
I was an intel officer for an intelligence battalion,
which meant I had a thousand people
who thought they knew how to do my job better than me, including the light colonel. You
guys get it worse. Agreeing with you on the practicality of what you are saying, there's still a, and you and
I have talked about this, there's still a victim mentality here.
The arguments that you're making right now are the same arguments in 2013 in the paper
that I, or the lead into this that I talked about.
We were talking about, you know, when I took my first chair in 2003,
the National Academy of Science is formalized in 2013,
it is 2025.
And so there's a bit of this that says
we are painting ourselves as the perpetual victims.
So is it that we're just happy being victims?
What aren't we doing and why won't we do it?
Yeah, so yes and.
Please.
It's not that we're happy being victims.
And I will say there is a movement, right,
to move and create a certification to the point of,
and not a certification in the guise of,
you know, a CISSP or something of that nature.
Or a CC.
So, or anything about nature.
I'm not picking on any of those certifications.
Yeah.
I have several of those certifications and they serve a purpose.
And we're actually going to talk about certifications in a few episodes.
If you want to talk about that in general, but so yeah, please, nobody
get offended about the certifications.
Please continue.
There's finally been some uproar and some movement towards
trying to create something similar or akin to what lawyers have. Where there's
a where they have the Bar Association, right? Where an organization is being
formed and formalized that is going to create curriculum around
something like that, where you have to go and be, um, pass something that your peers,
right? People of your peer group assess to say that, hey, yes, you are someone who has
certain qualifications to be a CISO now.
So, so to reflect back on that, if I were to put that in other language, what we're
saying is we are now taking a movement to professionalize.
Yes.
Because what you are describing are the tenets of the profession.
That's exactly what you're hearing.
And the reality is this is we need to say thank you to the SEC.
Right.
The bullseye that's been put on the chest of the CISO has caused this uproar
because everybody finally recognized more broadly the risk that they are in, in
the role, right?
So those cases that have been brought up through the SEC around the roles of CISO and things
happening at different companies, I'm not going to name the companies and the breaches,
it's easy to search, but that has driven a lot of fear.
And so now when people are going in to have conversations about the CISO role, they're
asking some very,
very direct questions about D&O insurance.
When you talked about the Fortune 500 CSOs, there are more than 40 that do not have a
CSO that I know of directly and are choosing not to advertise or hire for one right now.
When the last one left, they basically left the role blank.
So I've got to ask the question then.
So, yeah, so we don't have 500, we have 460, if not 400.
So thank you for that, which is scary in and of itself.
So the question then arises, I'm gonna ask it long,
is the effort or the groundswell
that you're talking about too little too late?
If 10% of the biggest corporations
from a revenue standpoint in the world
don't believe that there's value in the role,
have we waited too long to move down the path of professionalization?
So have we waited too long to wake up and say, we want to be grownups?
I don't think so.
Um, I think that what this is going to do is going to actually help, uh, drive
the point that we've been trying to make for a long time, which is we
deserve a seat at the table.
This is a mechanism to demonstrate that there are many of us
who have the skills to have the seat at the table
had you just sought it out or tried to ask.
Because-
But there are folks who are removing us from the table
because we have failed to professionalize up until now.
We're being taught, and there's movement out there.
And I'm sad to say some of this movement exists amongst our brethren who believe
that the only way to be a good CISO is to be an IT professional.
And after you and I struggled to pull us out from IT, they're fighting to put us back in.
I know.
Well, and that, that is what I call the old school CISO, right?
Those, you know, I hate to say it, but they're starting to age out.
Right?
The majority, if not all of the CISOs that I know that are, I'll say the generation after us,
I'll say 10 years, you know, our junior, eight to 10 years, our junior, have gone down.
Or like 15 for old guys like me, brother, but keep going.
Yeah.
Yeah.
So they are all working and have done a great job putting,
working to ensure that they've got those other skills and capabilities to
present.
Many of them have gone and gotten master's degrees.
Many of them have done, you know, financial certifications in finance and things of that
nature to ensure that they know how to read a 10K and 8K and all those things that we
taught ourselves to do right back in the day.
So they are getting...
Yeah, our PhDs are from the schools of hard knocks, man.
We've banged into the wall and bounced off
and flattened our foreheads.
So I remember it well.
I don't think it's too late.
Because again, the risk and the threat
that we're dealing with is not going away, right?
Threat actors aren't gonna say,
oh, well, you know, there's not a head of cyber anymore.
So that can strategically deal with-
The argument can be made that since we have
carved ourselves out as a profession,
what have we done to slow the flow of breaches, et cetera,
within the environment?
So is there a value proposition of elevating our positions
since what has been the relative impact there?
That is the argument that is being used against us.
Not saying I agree with you,
I think that's fundamentally wrong,
but I'd be curious to say, you know,
that is where I'm saying is it too late?
Yeah, and I'm glad you brought that up.
So the value is in elevating us
because we haven't had the authority
to get the things accomplished that we needed to.
I've had a CIO literally tell me, do not show that risk assessment to
anyone.
Ooh, ouch.
Right. Right. So what do you do in that position?
Throw your badge on the table or show them and then throw your badge on the
table.
No, I, I, because the head of, head of internal audit knows we get an annual risk assessment.
We had implemented some new infrastructure and some new applications that those things
had risk associated with them that I knew were going to show up as part of the annual
thing.
He gets a copy of it.
I knew he gets it.
We'd get a copy of it.
Now, this is again, this is back in the day a little bit, but those things happen.
Those things are still happening today.
Right.
So it is about time that yes, we professionalize so that we can level the
role up so that we can then get the authority that we need in order to
execute the way we should.
Love it.
Love it.
All right.
So I'm going to close this one off.
What is the one thing you would recommend that a young or aspiring CISO do?
And what is the one thing that we haven't talked about or haven't mentioned as
part of this trade versus professional discussion that you would like to make
sure it gets mentioned
in this podcast.
Yeah, so for any young CISO,
there are two things that I think are critical
to your success or failure.
The first thing is getting ahold
of your job descriptions holistically across the board.
You need to own it and take ownership of it, right?
Meaning on day one, when you get into the role,
you need to be asking for every job description
that's in your org, whether it's a field position or not.
Everything that exists inside your HR system
as it relates to a cyber role.
You need to understand them and you need to make sure
that they align with your strategy that you're trying to build. First and foremost, and then as you go down
building your strategy, if they do not, it is imperative that you change them to align
with it. So that's one.
Number two, and it goes with this because you need the support to get this done is you need to understand and build very deep personal
relationships with every business leader in your business.
And that is from the head of HR to the COO to the CFO, right.
To every head of the line of business.
And for me, I like to tell people, understand not just their remit, meaning
what their business does, how they make money, but understand how the executive gets bonused.
Because them making money is important, but the metrics to which they are measured to
get bonused is even more important. Because those are the things that they're going to be paying attention to when you are building a program to see whether you
are a hindrance or a helper to their metrics and the things that they're
trying to get done.
And that concludes our episode for today. Thank you all for tuning in and joining me and Larry as we talked about our industry's
identity crisis.
Before we end the episode, I want to remind you that there is only one more episode of
CISO Perspectives available for non-pro members.
If you're interested in becoming a pro subscriber and hearing how the conversation continues
to evolve over this season, please visit the cyberwire.com slash pro.
That's T-H-E-C-Y-B-E-R-W-I-R-E all one word dot com slash P-R-O.
There's a link in the show notes.
As pro subscribers, you get access
to key industry-driven shows like this one
and reports covering a variety of different topics
from cyber to space.