CyberWire Daily - Is the role of the CISO adding to the confusion? [CISOP]
Episode Date: March 13, 2026
Show Notes: As cybersecurity has matured, the field has become more formalized within businesses with CISOs leading the way. However, despite the value of the CISO and its widespread adoption, the role has continued to lose agency with other board members. In this episode of CISO Perspectives, host Kim Jones sits down with Patty Ryan, the CISO at QuidelOrtho, to assess the value of the role. Throughout the conversation, Patty and Kim will discuss the challenges facing CISOs, why the role has lost its agency, and what can be done to reverse the current trajectory. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It's the perfect follow-up if you're curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design, and scalable connectivity without the frustration, friction, complexity, and cost
of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack,
secure wired, wireless, and cellular
in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's METER.com slash CISOP.
Welcome back to CISO Perspectives.
I'm Kim Jones, and I'm thrilled that you're here for this season's journey.
Throughout the season, we've been taking the deep conversations out of the conference,
or more realistically, the conference bar,
and have begun tackling complex issues from every conceivable angle.
As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem.
Today we explored the question, is the role of the CISO adding to the confusion?
Let's get into it.
My first in-house gig as a civilian, after 10-plus years in Army intelligence and five years as a consultant,
was as chief information security officer for a financial services company.
When I first took the role, it had only formally existed in the market space for five years.
Remembering that the only two things in the world I know are, A, my wife and
son love me unconditionally, and, B, I can be wrong about absolutely everything else,
I sought out mentors in the cyber community who could help me navigate my young career.
One of the best pieces of advice I got was to figure out where I wanted to end up at the end of
my career road and backward plan to see which path I should start down now to get me there.
In general, cybersecurity folks tend to gravitate to three broad categories of focus.
They like playing with leading, if not leading, edge technology.
They like making money.
Or they like solving problems.
Each of these foci has different prerequisites and termination points.
Being aware of those prerequisites and termination points
helps shape a young professional's progression towards one general career pathway or another.
For instance, if you enjoy technology, you are most likely inclined to
pursue a path into a research and development or R&D role.
As most R&D roles require advanced degrees, either going to grad school straight out of college,
working for a company that offers tuition assistance, or taking a role that allows you to go to
grad school part-time will let you meet the requirements of this career path.
Taking a job that requires a significant amount of time on the road, thus limiting, if not
eliminating, your ability to go to grad school even on a part-time basis,
would be antithetical to these goals.
If your objective is to make money,
then you're looking at either A, inventing a new technology,
or B, taking a business leadership role,
such as founding your own company
or taking a senior consulting partner role in a major firm.
For security technologists pursuing this path,
working inside a business line and getting an MBA
would be more beneficial in the long run
than, say, taking a role as a senior penetration tester.
If you enjoy solving problems, then you are probably most comfortable heading down a path that culminates in sitting the CISO chair.
The prerequisites for such a gig include?
Well, honestly, nothing.
And therein lies at least part of the problem.
The CISO is the senior executive who oversees an organization's information, cyber, and technology security.
Most of us can agree on this definition and can get our organizations
to agree as well.
That said, we still seem to collectively struggle with most other relevant portions of the CISO gig,
so much so that the job description is vague and amorphous on even the best of days.
Consider: while the definition above identifies the CISO as a senior executive,
which is usually at vice president or above,
in many organizations the role is assigned to a director or even a senior manager
within the organization.
This can limit the ability of CISOs
to influence affairs within their remit.
Additionally, in smaller organizations,
sometimes the person actually doing the job
is not given the appropriate title,
further limiting that person's efficacy in the role.
CISO reporting structures are absolutely scattershot.
In some organizations, they report to the CEO,
in others to the CIO.
Sometimes they report to the chief legal officer or even to the chief financial officer.
I've even heard of CISO's reporting to a chief medical officer and a chief human resources officer in a few organizations.
The CISO role seems to be treated as a necessary evil that organizations must place somewhere with no idea where.
Worse, depending upon the culture and outlook of the organization, that somewhere may be strategically
placed either to aid CISOs in their remit or to deliberately limit, if not eliminate,
their ability to influence outcomes.
The scope of responsibilities for a CISO waxes and wanes with the whims of the CEO, usually influenced
by the current state of regulatory requirements and trends in liability and risk.
Some organizations wish to limit the CISO remit to the tech stack until an event occurs
outside of the tech stack that causes harm,
such as the ChoicePoint data breach in 2008.
The industry as a whole attempted to address
disconnects within the CISO job description
by postulating that there are three types of CISOs:
strategic, business, and technical.
Unfortunately, or fortunately, depending upon your point of view,
as technology has advanced, regulation has increased,
and data has become omnipresent,
the fundamental need for any CISO to be equal parts strategist, technician, and business leader
has become a stark reality.
There is a strong need to codify what it means to be a CISO.
As a profession, we already missed the boat to solidify ourselves as senior executives
with a normalized reporting structure.
The overall lack of systemization within cybersecurity distracts and muddles the profession as a whole,
with the lack of standardization in the role of Chief Information Security Officer
as the cherry on top of the mountain of confusion.
Standardizing the role of the CISO,
even if it's weighted according to the size and complexity of the organization,
would do a lot to start reducing the confusion within the profession.
We as senior cybersecurity professionals need to do a better job
of defining what it means to be a CISO
and what requirements are reasonable to expect of the individual aspiring to the role.
The pathway to the CISO chair should be as clear and explicit as the paths to the R&D or consulting career paths,
with equally precise career prerequisites.
To paraphrase Lewis Carroll, if you don't know where you wish to go, any road will get you there.
However, if you can determine where you want to end up,
the roads you need to travel to get to your desired endpoint become a lot clearer.
Ultimately, the real danger of the CISO career pathway remaining undefined is this.
In the absence of definition, we run the risk of the CISO's scope being absorbed into other roles,
and the CISO position potentially going the way of the VP of telephony.
My two cents.
I know we went from not seeing each other for weeks or months
to, I think, this is the third time.
Yeah.
Kind of interesting considering before that.
I didn't even know who you were.
On today's episode, I'm excited to sit down with Patty Ryan.
Patty is an OG like myself, having been a CISO for over 20 years, and who has seen the
field expand, evolve, and face new challenges.
Today's conversation revolves around examining a CISO's role and asking the question,
Is the role of the CISO adding to the confusion?
I've been in a CISO-level role for about 20 years.
I started in IT, but before that was in sports television in college as an economics major.
I found my way to IT because it paid, and an intern in sports television did not,
and my father was not going to pay for anything more.
When I was in IT, they were struggling to figure out what to do with me.
Female, non-technical background, operational mindset of focus, very eager to learn, very aggressive
when it comes to pushing things forward, a very partnering.
I did not fit the traditional business analyst role.
I didn't fit an intern while they didn't know what to do with me.
So after about 15 years in IT, I had a boss who walked into my office on a Monday morning at 8 o'clock
and said, Patty, you're going to be the chief information security officer.
They'll be named at 9.
and here's the 20-some-odd people that report to you.
I said, that's great, Barry.
I could spell information security officer.
I had no idea what the job is.
They didn't even have to spot you the first word.
It's good.
Yeah, and it was 20 years ago.
So it was even a newer, nondescript function.
But everyone knew if you were dealing with the U.S. government,
if you were dealing with finances, you needed a CISO.
And then it became, well, what is that role?
And it was totally driven on the organization.
and it's still to a certain extent, like you said, flexible.
That's one word for it.
So I believe the studies are saying that the average tenure for a CISO right now is two years,
maybe two to three years.
And I've also done a lot of CISO rotation in that regard.
But I did that rotation because I was a break-fix CISO.
I like to tell people what my first boss would say:
I'm the third CISO you've called, after you fire the first one,
and the second one quits after 30 days after they see how bad the problem is.
And there's a lot of truth to that.
But I'm a little unusual in that, you know, that break-fix path.
Yet most of my colleagues, you know, two to three years or three to four years.
Why is that?
Why are we constantly rotating versus, like, a lot of other business people, why aren't we sticking around?
It's funny, because I've been here seven years now, and that's the longest I've been anywhere, and most I know follow that paradigm.
It's always as if the first year you're the shiny penny.
Everyone loves your elevator.
You could do these budgets.
You could do all this stuff.
But the gloss and the shininess melt away when you don't magically make things disappear, or you're constantly
trying to explain to executives who maybe don't appreciate the nuances or subtleties or just how
big the role is.
So let me push a little bit on that.
And this is me playing devil's advocate, not disagreeing with you.
In terms of depth and breadth and impact to the business and the organization, et cetera, there's
an argument that says that about 80% of what you just said applies to CIOs
in the environment as well.
They're not rotating as often.
What's the diff?
I think it's a partnership.
It also applies to privacy heads and lawyers
and business heads.
I think because most of the world considers
IT to be still in the hands of the CIO
only, yes, the CIO kind of gets
worked into this.
Must also understand all about security,
but that's not the only thing.
How many SaaS applications happen without
IT that you've got a business going directly
to a third-party provider,
and they're not really aware of it.
So it's easy to pigeonhole people to say, since it involves a server, it's an IT thing.
It's really not anymore because it's how the server is being used and the pervasiveness of the data, how it's flowing.
Okay. That's true.
But I guess what I'm trying to get at, Patty, is the stressors that you mentioned in the cyberspace are very real.
There's a lot of those stressors that our IT brethren have as well.
yet they're not burning out and popping after every two to three years.
So what's the delta there that's causing us to rotate?
Interesting.
If you look at anything that a CIO is battling,
cost effectiveness, efficiency, driving the business,
and a lot of times they're picking solutions that the market has as immature.
Cloud for years.
If we didn't have the Cloud Security Alliance
or things like that, we would still be working with open permissions, anything can be accessible to the internet, and it would be more of a field day. It takes time, for sure. A lot of times the CIOs are dealing with this Gen AI can change the world. That's wonderful. But how are you going to make sure that it's actionable, secure, access, and it's possible to test it properly, like a normal mature IT asset?
So I look at it as the idea of the CIO is continually with the CISO,
trying to bring the business and the infrastructure along to a point
where it's safe to move forward in a specific way.
Some of that involves security, but some of that involves availability,
true DR, how you're going to handle it.
So it's similar, because what you're dealing with is cutting edge in a lot of
ways, and how do you use the cutting edge when it's not? You have to actually spend the time not
implementing but crafting and designing.
It's stressful when the business is saying they want something to go tomorrow.
You and I have done this for maybe a day and a half.
We've been talking about these problems and these challenges for about a day of that day
and a half.
I guess my question is, what do we need to do differently to keep us from burning out?
and, you know, solve the interaction.
I mean, there's an argument that says we are a young profession, and that's fair.
Compared to, you know, one of my guests, you know, Larry Whiteside,
one of my guests talked about the CIOs being pulled up at that level
versus us trying to figure out what we want to do, coming up hardscrabble, et cetera.
We're now getting the attention at the board level,
but we're still not necessarily prepared.
for that attention or to respond to it.
So I guess what I'm really looking for, Patty,
is what are we doing wrong as a profession
that isn't preparing our next generation
to tackle these problems that you and I have been dealing with
for the bulk of the time of the profession?
So what can we do better? Talk to me.
I wish we looked at security
and staffing and training.
That isn't hiring the perfect individual,
but hiring talent that's going to grow over time
and can think for themselves.
I think we have done ourselves a disservice.
Racing to 20 certifications means that they can get a junior first-level job.
We don't have those anymore.
People are too scared for people to be human in the security space.
humans genuinely make mistakes.
Yeah, absolutely.
They are the weakest link and will always be the weakest link.
But our profession rushes to perfection
or assumption that my job is to prevent something from happening.
My job is to minimize the impact
and ensure a speedy recovery and effective communication.
if, when something actually happens.
If we started as a profession
realizing that all the corporations
that just want to make things go away
have to be taught, have to be trained.
And that message, to your point,
I don't care if it's client-server, cloud,
Gen AI, it's all the same.
We have to architect and walk with our business partners,
the hard fact of the inevitable.
And let's make sure we have a plan, acceptable risk levels, crisis management.
Let's get organized so that we're worrying in the moment about how to minimize things and not what to do.
Yeah, I like that.
I mean, I remember one of the last larger CISO roles that I took.
I was sitting in front of the board, and the board said,
so you're telling me we're never going to be breached, right?
And I said, no, that's exactly what I'm
not telling you.
And anyone who sits in my chair who tells you that is lying to you.
I want to make it damnably hard.
I'm going to limit the blast radius.
And I'm going to find it as quickly and efficiently as possible.
But anyone who sits here and tells you, no, I'm never going to be breached, is a liar.
Yes.
And we need to understand that.
And also, I think there's this whole, all the proof of the value a CISO brings is these KPI metrics.
I'm not.
Translate that for people who may not understand KPI like I do.
Key performance indicators.
KPIs, yeah.
So for me, it's, yes, we do monthly phishing simulation.
I don't track the click rate.
I'm trying to instead understand what's driving the clicking
and how do I minimize the impact at the local endpoint to triage properly.
So what do you do to minimize that?
Because someone is going to click.
And it just takes one.
Yeah.
So, in fact, last week I was in some executive meetings, and someone challenged me on the, I guess, the norm, the acceptable norm for clicking KPIs, you know, success of actually sacrificing your credentials.
Uh-huh.
I had to kind of talk the person through why, even if I knew, I don't care.
Exactly.
So if I were to reflect back on what you just said, it seems like we and the business are looking at the metrics we're asking for at best operationally, if not tactically.
We're not thinking about them strategically.
We're not thinking about the pieces and parts necessary to be better.
at what we're doing. How do we drive that conversation or if we lost our agency to the point where we can't?
We have no choice. We have to drive it. You have to be stubborn and continue to push it forward because the tradeoff is just too immensely horrible.
I think it's really taking that cyber is risk. Information security is about risk. You would have a conversation with finance about financial risk tolerance.
You have conversation with legal about risk tolerance.
We never have a conversation really around cyber for businesses to understand what's acceptable risk thresholds or not.
This is how best to leverage, or let me understand long term where you're going so I could build an architecture the same way.
Security, are we moving to point-of-care devices?
Are we continuing with big analyzers?
Are we going to be working more with third parties to develop assays?
Are we doing it?
Tell me what we consider the roadmap today. Where do we want to be five years from now? So at least I have a framework to
tell you these are the risks you're going to have to deal with. Nice. And let's start discussing it
now. A lot of, I don't, I don't know if it's they can't formulate that message
or their business isn't hearing them and not open to hearing them, but we have a disconnect
between the CISOs and executives throughout the world. Agreed. Agreed.
Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch?
What if you could build the hardware, firmware, and software with a vision of frictionless integration, resilience, and scalability?
What if you could turn complexity into simplicity?
Forget about constant patching, streamline the number of vendors you use, reduce those ever-expanding costs,
and instead spend your time focusing on helping your business and customers thrive.
Meet Meter, the company building full-stack zero-trust networks from the ground up
with security at the core, at the edge, and everywhere in between.
Meter designs, deploys, and manages everything an enterprise needs
for fast, reliable, and secure connectivity.
They eliminate the hidden costs and maintenance burdens,
patching risks, and reduce the inefficiencies of traditional infrastructure.
From wired, wireless, and cellular to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated, segmented, and continuously protected through a single unified platform.
And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles.
Meter even buys back your old infrastructure to make switching that much easier.
Go to meter.com slash CISOP today to learn more about the future of secure networking and book your demo.
That's M-E-T-E-R dot com slash C-I-S-O-P.
Let me shift the conversation a little bit.
About, shoot, probably 15 years ago.
A former, now late, CISO once wrote an article in CSO magazine
about the three different types of CISOs that are out there.
And recently, Forrester just published a report saying that there aren't three different types of CISOs,
but there are six different types of CISOs out there.
Do you agree that there are multiple types of CISOs?
Why or why not?
And if you do agree, or if you don't agree, are there certain basic,
fundamental characteristics, traits, or, to use my favorite phrase, knowledge, skills, and abilities
that all CISOs should have if they want to succeed? Talk to me.
One, I do think that there are going to be different types of CISOs based on people's personalities. There are people that
gravitate to the technical, people gravitate to the operational, people gravitate to the
strategic. I don't see the person in the role as being something that needs to be
cookie cutter. I do see the firm needs to have a structure so that everything is still dealt with,
regardless of whether they give it to the title of the CISO or not. There are functions that need to happen
in an organization around protection, around risk. And as long as it's covered and there's a
harmonious team across it, it doesn't necessarily need to be in the CISO.
So let me, I'm going to push on that a little bit. I would agree with you.
except for that A word called accountability.
You're absolutely right.
The absolute structure, as long as everything is getting done,
you know, really doesn't matter.
The title doesn't matter.
You know, the positioning doesn't necessarily matter,
though I do believe you can place these too low in the organization
so that you can't impact change.
But the issue gets down to accountability.
And accountability is becoming a more visible concern
given the one prosecution and the second ongoing litigation here in the U.S. around the role.
So the regulations are beginning to hold the CISO's feet to the fire, at least here in the States.
And if our feet are going to get held to the fire, now we have an issue of, well, yeah, I'm just a technical CISO here, and I've got a technical background, and that's all the company wanted me to do,
versus there's, you know, an issue.
And I'm going to take us way back in time.
You remember ChoicePoint.
And, you know, one of the arguments by the CISO that was made is that, hey, you know, this was a physical breach in terms of process where the data came in from a request and we didn't validate.
That's not my job.
Everyone pointed their fingers in the other directions.
And you know as well as I do, that dog just ain't going to hunt.
particularly today.
No, I see where you're going with that.
And I'm the first one to say my biggest thing I do is communicate.
My job up, down, sideways, is to ensure everyone is fully briefed,
especially the executives on what they need to know and why.
My team is focused on where they need to go to support the business
because I understand the business needs, and I understand the strategic imperatives.
and I need to be able to communicate formally or informally with anyone.
And I do see there are CISOs that are, to get a really strong technical CISO
with that communication overlay has been difficult.
Those are a rare breed.
And I think that's because a lot of technical executives have never thought to invest in soft skills.
But I also think corporations have never allowed them or consider it important.
Your job is, again, this is in the back,
to make sure that something runs appropriately,
that there's redundancy,
and that you make everything work.
So let me shift gears slightly one more time.
Actually, I lied.
It will be more than one,
but I'm going to shift gears at least right now.
You mentioned something earlier on called burnout.
And it's a, you know,
we've been in conferences very recently that have talked about that.
I admit freely,
I am the first person to say,
I understand the realities of burnout.
I understand that burnout is a real thing.
I understand that if we're not careful,
it will sneak up on us.
So I don't want anyone listening to this podcast
to think that I don't believe
that burnout is a real thing.
That said, I unfortunately have a different perspective
as someone who's trained as a
soldier and spent a lot of time soldiering on different levels of stress, et cetera.
You know, I used to tell people the story of what I was doing in my 20s and saying, you know,
nothing I do today, you know, compares, you know, in that regard.
You know, as my friend used to say, nations don't rise or fall and people don't die based
upon what I do today.
So I don't have, and this is me admitting my,
my own fallacy here.
I don't have the frame of reference mentally or emotionally to understand the pressures
that people are under right now from a burnout standpoint.
Now, not understanding that doesn't mean I don't accept it.
But what I'm trying to figure out is how the hell do we better prepare people for it?
Because I look at the folks coming out saying, this is happening, this is happening, this is
happening. And I'm like, that's the gig. You know, that's the gig you signed up for, Patty. It's the
gig I signed up for, Patty. So are we lying to the next generation and telling them that that's not
the gig? Or are we not fully preparing them, or both? I just want to figure out how to make it better.
So talk to me. And I also think as we get more detection technologies, as we get more configurations,
as we get new technologies, and more interconnected, yes, there's going to be more stuff happening.
A lot of bells and whistles, a lot of noise.
Shocked, I am.
Yes.
You know, my biggest thing has been reassessing for myself because I did burn out.
I burned out bad.
And I had to come back with the idea that if you're going to stay in this job, do what you love.
And I hope you take no offense at my characterization.
We've been, yeah.
No, no, no, no, no, no.
No, it's what do you love about it.
Yeah.
And I don't love the running around, thinking everything is on fire.
That's not an effective CISO.
Agreed.
You know, you are trying to temper and really get an understanding of livable, actionable items as well as acceptable risk, and you sleep.
And that's, I think, part of the issue.
I had a colleague who once told me a story about a CISO who all of a sudden became obsessed with USB
drives.
It was about 10 years ago.
Okay.
Was focusing all the actions and conversations in this firm about USB drives.
And it struck me because that was something that they were so overwhelmed.
That was something they could cling to to feel they were making some progress and they
were addressing some risk.
It's tangible.
I can actually fix this.
I can control it.
I can control it.
I look at the CISOs and say, no, you can't.
You have to be accepting of the unknown and that you have no idea what tomorrow's going to bring, but it's going to be okay.
Yeah.
If you stick with the fundamentals, you accept the fact that something's going to happen.
If you're prioritizing the work and the communication around that, and you are also building relationships, good, bad, ugly across the firm, that's not
about the USB. It's about where do you want to go, let's have a real conversation
about WhatsApp and regulators. Let's just really start getting the facts out. I find when you
start to do that in my role, the stress diminishes because the conversations are different. They're
not angry. They're not reactionary. They're based on fact. And they're actually consistent over
time. So it's not a bomb drop in the middle of something. Makes sense. What do you say to those,
Because, and I'm going to put my old guy hat on for a minute.
It fits rather well these days.
But I'll put my old guy hat on for a minute.
And I've seen the swing.
You and I both lived through the swing where way back in the day,
we thought that security was just another set of controls to govern.
And the focus was governance and assurance in that regard.
And that the technology was just a means to an end.
And we went very, very process-oriented, and we left the tech in the dust,
and the bad guys got a bit of a leap on us.
So instead of swinging back to the middle,
we swung all the way to the end
that all you need to know how to do is run the tech and hack,
and you can be good at what you're doing,
and we have forgotten people and we have forgotten process
versus swinging back to the middle.
So the folks that we are attempting to educate right behind us, Patty,
who are coming up behind us, grew up in that,
All I need to know how to do is the tech.
I sat in an ISS presentation and saw a very senior engineer, you know,
supposedly tongue-in-cheek, talking about, you need to, you know, leadership needs to have some pride.
It needs to understand better the technology pieces, et cetera.
It's like, well, yeah, I do need to understand the technology pieces.
But if this is the way you communicate inside your company, you're not a solution, you're a freaking problem.
And, you know, and that we stood up in front of a room full of people in a professional organization and said,
this is okay. So how do we teach the next generation behind us to stop obsessing over the USB
and have conversations with our constituents that we're here to support? Because I am still
running into 30 to 40 percent, and that's a scientific wild-ass guess number, of folks who have come up
during that period who think that I'm either crazy or I'm just an out-of-date old guy. How do we
educate them appropriately?
I right now am taking an effort to do a 360 review of every single one of my team.
Started with my directs.
And it was, you had to find people across the organization.
It wasn't IT-centric.
And the questions were strategic, high level, about health of partnership, et cetera.
There was absolutely not one question that was technical.
It was about how do you integrate, how do you operate, how do you partner?
And how are you perceived as far as a trusted SME?
I like that.
From that, it becomes a here's the action plans. Next week,
I have some meetings with some executive
vice presidents who actually participate.
They were giddy happy to participate.
They want to talk with me about
how they're going to support members of my team
going forward with the idea
of mentoring, opening doors,
to get them involved in the right conversations
because they do believe that they can do that.
But that's conscious effort I've taken.
There's no corporate directive.
But I've recognized a security team
is, part of my job is helping them transition.
Yes.
And help them change.
Yes.
I can't wait for some magic class somewhere.
And do I know how I'm really doing?
And I'm going by the seat of my pants.
But we're all in full MSU mode. We all just make stuff up,
and it's respected. And I've had junior people come up to me saying, my boss just had a
conversation with me about things, not about jobs, but what types of skills do I
like, what do I like, so we could start building those. I said, yes, because my job didn't
exist when I got out of college. Your job may not, you know, a totally different job may exist in five
years that you fit into. What are the skills you need?
Yep.
And changing my conversation has meant a tremendous amount to take a really stressed out, I don't know when I'm doing, a group of people who are constantly under fire, constantly worrying about things, just by their own nature, not necessarily my pressure, but security people tend to be like that.
We tend to worry.
Hang on.
I can do this again.
Hang on.
You text.
Really?
Yeah.
That, again, helps that generation change the perspective on the role.
I'm not going to grade you about how many tickets you answered.
I'm assuming you're doing that, your job or else I will have an issue that will be presented to me and we will talk about it.
But right now, let's talk about the holistic picture of your skills and what you're trying to do and what security is.
And that's a conversation that many firms are too strong, need to have, and in some cases, it's going to be a bomb blown into the middle of the HR process.
So, I may have asked this before a little less directly.
I'm going to be direct about this.
I got two more questions for you.
The first question is three things, three skills, that every CISO, regardless of background, position, et cetera, anyone who is fulfilling that role regardless of title, needs to have or develop.
Number one is listening.
We don't listen.
We come with solutions.
And we're supposed to come with solutions.
We don't necessarily authorize questions
and sit in the business issues
and understand the business problem.
We're supposed to come with solutions to the right problem.
So, but we have to listen to figure out what the problem is.
Correct.
And that's partnership and listening.
And I think the other thing is the soft skills, communication and partnership.
Solutions come together across functional teams.
That sounds very stupid to some people.
What do you mean?
I know what I need to do.
No, you don't.
I also think an appreciation strategy.
A lot of CISOs don't think strategically.
They don't...
There is an issue with that.
Patty, stop being kind.
The vast majority of CISOs don't think strategically.
The vast majority of CISOs have a great operating plan that they put the word strategy on that isn't forward-looking.
It's just figuring out how to get the next widget.
Exactly.
And that's the two to three-year time horizon.
I've had, if I did ask me anything recently.
And someone asked me, what would I expect if I started in a new role, for the first 90 days, what would your output be?
So I'd kind of know where the bathroom is.
Yep.
I would have had meetings with all the senior executives
that understand existing business plans and strategy.
I would have met with everyone in the security team
to understand roles, responsibilities, frustration points, etc.
And I would have started conversations.
I would have started a forum with executive leadership
to start some type of security governance that doesn't exist today.
What is one thing that we haven't talked about that you would like to mention, discuss, or have my audience hear regarding this issue?
One of my concerns right now, and kind of relevant, kind of not, is the fact that we as organizations need to be more, CISOs need to be tighter connected.
I look at their huts of the federal government.
And CISA, I look at the re-imaging of the federal government, which good or bad or ugly.
It just is.
And that's making the CISOs to be far more reliant on peers, which again, gets back to what information we're sharing.
What are their skills?
What are we looking at?
And that's going to be a whole other paradigm shift.
That's going to become a greater as we look at the geopolitical changes that are happening.
Yeah, no, agree completely.
For me, that boils down to what you said, it's community.
And the challenge that we have is, as you said earlier, not only are we not asking those questions, we're not necessarily recognizing as a cadre of CISOs, this generation and the next, but those are the questions that we're being paid to ask and that we're being paid to answer.
Yeah, I agree with that one.
I agree a thousand percent.
Patty, as usual, this has been a blast.
I have had so much fun, and I really appreciate the perspectives.
I hope you have enjoyed yourself as well.
Nice way to start the week.
And that's a wrap for today's episode.
Thanks so much for tuning in and for your support as N2K Pro subscribers.
Your continued support enables us to keep making shows like this one.
If you enjoyed today's conversation and are interested in learning more,
please visit the CISO Perspectives page to read our accompanying blog post,
which provides you with additional resources and analysis on today's topic.
There's a link in the show notes.
Tune in next week for more expert insights and meaningful discussions from CISO Perspectives.
This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut,
produced by Liz Stokes, executive produced by Jennifer Eiben,
and mixing, sound design, and original music by Elliott Peltzman.
I'm Kim Jones, and thank you for listening.
Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity.
Meter builds full-stack zero-trust networks from the ground up, secure by design, and automatically kept up to date.
Every layer, from wired and wireless to firewalls, DNS security, and VPN, is integrated, segmented, and continuously protected through one unified platform.
With Meter, security is built in, not bolted on.
Learn more and book your demo at meter.com slash CISOP.
That's METER.com slash CISOP.
And we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.
