
April 9, 2024 82 mins

Disclaimer: The views, information, or opinions expressed on this program are solely the views of the individuals involved and by no means represent absolute facts. Opinions expressed by the host and guests can change at any time based on new information and experiences and do not represent views of past, present, or future employers.


Recorded: 08 Apr 2024

Youtube VOD: https://www.youtube.com/watch?v=K8qApvsFtqw


Show Topic Summary:

If you want to get in the mind of a board member, I submit to you my discussion with Mary Gardner that we did last night on #brakesec #education. Join Mary and me as we discuss the functions of a board, messaging to various levels of leadership and teams, and what it takes to make that leap to being a CISO.
And when you're done, and you need someone to help your org get more mature, contact the team at GoldiKnox.
#cybersecurity #informationsecurity #ciso #leadership #GRC


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(01:00:00):
[MUSIC]
Hello everybody, it is Brian and I am
back with another one of my fantastic
interviews that we've lined up with

(01:00:21):
people in the industry.
This is the BrakeSec Education Show and
thank you all for being here.
I have with me this week,
Mary Gardner from GoldiKnox.
And Mary, thank you for taking the time
to come and speak with me this week.
Thanks Brian.
Mary Gardner, I've

(01:00:42):
been in the industry for
about 25 years,
mostly in management roles.
Worked in industries from
finance to tech to healthcare.
I'm currently working with
a company called GoldiKnox.
We're a security consulting company

(01:01:02):
that's really focused on helping
customers achieve right size security for
their organizations.
And building an organization that's
focused on real
security and risk management.
So thanks for having me.
Right on, just posting up a link to
goldinox.com on the chat there.

(01:01:27):
And so I had you on because
one, we have a mutual friend.
And I used to work with her at Leviathan.
Amazing individual, far better
than I am at most everything,
which is why y'all started.

(01:01:47):
I guess the big question for me is, it
hasn't, the pandemic,
we're coming out of the pandemic,
depending on who you talk to,
hiring is good or not good.
Why was now the time for you to go ahead
and establish GoldiKnox?
Was it just you felt like it was a good

(01:02:07):
time in the industry and
or you were just tired of the corporate
life and you wanted to be the navigator
of your own boat?
What was the impetus to start GoldiKnox?
That's a really good question.
And I think it's kind
of all of the above.

(01:02:28):
The right time, the SEC is really
focusing on security and
organizations, especially publicly facing
publicly traded companies.
And I think between myself, the friend
that you mentioned from Leviathan,

(01:02:49):
we found that consulting companies were
really lacking in the good advice and
really focusing on what organizations
needed from a security company,
rather than what they pro forma provided
as a consulting company.
So I think we're really trying to take a

(01:03:10):
bespoke approach and
understand our customers and how we can
really help them build
a security organization that will meet
the needs of their customers and
the compliance
requirements they have to fulfill.
Right, okay.

(01:03:31):
So you mentioned SEC, are
these the new requirements for
like breach
notifications or material control or
are there other ones
that I was unaware of?
That's primarily the one.
They did have a proposal
to require cybersecurity

(01:03:52):
educated members of the
board on publicly facing boards.
They've since rescinded
that, they've taken it back and
are trying to massage that I think.
I think we'll still see
some sort of requirement for
board reporting from the SEC, but it

(01:04:13):
hasn't gone through yet.
They haven't figured out
exactly how to word it.
Right, but I mean, it sounds great.
I mean, having somebody on the board who
actually understands security because
it feels like a lot of these boards are
just there because either you've invited
your friends to hang out with you at your
company or you've

(01:04:34):
paid the toll fee to get
into the executive washroom.
I mean, why do you
think they push that back?
Do you think that there was just a lack
of people in the information security
industry that could be on a board?
I think there's a couple reasons.

(01:04:56):
I think one is there is a lack of people
experienced in information security.
They could sit on a board and understand
all of the rest of the board concerns.
And maybe that's not truly the case.
Maybe it's the general feeling among

(01:05:19):
corporations who are trying to find
members for their boards.
They want well-rounded board members that
will help them take care
of their company and be good
stewards and help them
manage and grow their companies.
And I think in a lot of cases from a

(01:05:40):
security perspective, we have
a tendency to speak in terms
of security jargon, vulnerabilities and
breaches and incidents
and response and resilience.
And that's not always the way a
corporation wants to have

(01:06:02):
their board meetings go.
So I think it's incumbent upon us if we
want people who care
about information security to
start speaking the business language and
really show that we deserve
a place at the board table.
I know we do because frankly, I've had

(01:06:25):
the pleasure of working with a lot of
security people who are
the smartest kids in the room.
Not just information security, but also
they understand finance.
I think we have to understand finance and
business and technology
and product development

(01:06:47):
because of what we do.
It's such a broad ranging field.
So I think we can speak to it.
We just need to
convince everybody else we can.
Right.
So you mentioned the language of the
board and I'm kind of interested in that.

(01:07:08):
I'm sorry, we're going we're going a
little bit further than what
I put on the original Google
notes.
But you talk about the language of the
board and, you know, security people.
So I kind of see that it's like, you
know, you've got your
levels, you've got your tactical,
you've got your operational, you've got
your strategic kind of
stuff, you've got your,
you know, whatever's above strategic,

(01:07:29):
strategic is fairly broad at that point.
But what do what does
the board care about?
Generally, the bottom line and any any
risks that could impact that.
You know, when I think when we think
about information

(01:07:50):
security risk, it's always top
of mind for us because we know
what's out there and we know.
I lost my word.
We know the impact it could have.
Right.
And we know that it
could be very detrimental.
But in reality, we have, you know, boards

(01:08:12):
that are taking care of chains or grocery
stores that have slip and fall issues
from their customers on a daily basis.
So they have hundreds of
thousands of potential lawsuits.
Those are also risks
that they care about.
Right.
Right.
And we have to we have to understand that

(01:08:34):
and understand where we fit
in that business landscape
and how we ultimately
impact the bottom line.
We have to understand that every time we
create a policy to
require a longer password,
we're adding time to everybody who has to
input a password 10 times a day.

(01:08:54):
Right.
We're taking that time
from their productivity.
So those are the things
that the board cares about.
They want to understand
that we're a business partner.
We understand the business and we
understand how to enable the
business with security with
good security practices and also that we

(01:09:18):
can speak to them about
what we've done to impact
the business positively.
Right. Right.
That makes sense.
Yeah. Yeah.
And sort of.
No, I it makes complete sense to me and
I've kind of I don't want
to say I've railed against
this and other shows, but it's like we're

(01:09:39):
we don't have a lot of
positives that we tend to be able
to look at.
And I guess if you're on a board and
you're always thinking doom
and gloom or you're always
expecting the worst and you know, there
in some ways some of the
board people are expecting
cheerleaders and to be behind an idea.
And when I think of something, especially

(01:10:00):
at work and I'm not
even at a board level,
I'd like to be one day.
But you know, when a product team or
something comes in and
goes, hey, we've got this great
idea for a floating
toilet seat or whatever.
And it's like why?
And, you know, a product person or a
person who's like, you
know, marketing or whatever
would be like, yeah, that's great.
Yeah, let's let's do that.
Let's sell a million
floating toilet seats.

(01:10:21):
And the security person is like, we don't
really need a floating toilet seat.
You know, I think in some ways, yeah,
we're there's some
realism there or some, you know,
I don't want to say grounded or whatever,
but security doesn't
come off as being overly
positive.
We're we're restrictive.
We add things.
We we tend to create stumbling blocks

(01:10:42):
instead of enabling things.
I can I can understand why being on a
board that might be a
limiting thing for the company.
You know, it seems like that would be
best left to legal type folks.
Hey, what kind of risk does
this cause to the organization?
You know, and the lawyers are a necessary
evil; security is not in this case.

(01:11:04):
And in many cases, they they're
unnecessary where where
legal and PR would be the people
would be like, hey, what is this?
How is this going to affect the company
as a whole instead of?
Those things is that is that
how you're you're seeing it.

(01:11:26):
I think that that can be the.
I think that that can definitely be the
way the board sees us.
Right.
We're the we're the Department of No.
Right.
Exactly.
We're exactly.
We're the reason we can't do things.

(01:11:49):
Right.
And I think we get a bad rap.
Because honestly, I a lot of the security
people I know want to help
people figure out how to do
things securely.
Right.
And what we've got to do.
There's a tension between the product

(01:12:14):
people that want to make
the floating toilet seat
and the security people that want to
attach it to the right plumbing.
Right.
Right.
Right.
And we have to I think we
have to figure out a way to
move through that tension and be a team

(01:12:34):
that that functions as a whole.
It's not us and them.
It's ultimately I think what the board
wants to see is a cohesive
team that's working to build
the business and make the business more
profitable because you
need both sides of that point.
But I think sometimes what

(01:12:55):
the board sees is a brokenness.
Like a line.
Or a friction.
Yeah.
And I think you felt that friction.
Yeah.
I feel it all the time
and I'm not even on a board.
It's like just trying to get people in a
product team to
understand, hey, you're not.

(01:13:17):
It's not that you can't do that.
It's that you're going.
I understand the evil that bad people are
going to do with something
that might actually be a good
thing.
But yeah, it's hard, especially with
ideal and IoT security.
So privacy, security, the floating toilet
seats exist everywhere and

(01:13:38):
everybody thinks they're a
great idea.
And it just ends up being a trading game.
It's like, OK, yeah, OK, you can put that
out, but you're going to run into issues.
Or at times I've ended up having to
leverage legal or PR and
say, hey, there's a similar

(01:13:59):
product out there or there's
a real risk of this happening.
And sometimes we resort to FUD and
sometimes we resort to things
that don't make any sense or
yeah, asteroids are
going to hit the earth.
We need to worry about that.
And I can understand we've shot ourselves
in the foot with that for years.
It took us 20 years to get people to

(01:14:21):
adopt really complicated passwords.
And then it's like, oh, no,
no, now you need to do 2FA.
And it's like, we just got passwords.
So now we need to go to--
yeah.
Anyway, so yeah.
It's interesting because you

(01:14:44):
can play the spin game with 2FA.
And you can make it--
in the past, I've been able
to make 2FA a business enabler.
Yeah.
Because you're putting it in place and
you can reduce the
times you use the passwords.

(01:15:06):
Right?
Right.
So I think it's--
I'm not a marketing person and I don't
want to play one on TV.
Please don't make me.
But I think it's about how you approach
the business when you're saying,
hey, look, we need to change because this

(01:15:26):
is going to make it better.
If you give them real reasons and show
them it'll make it better,
you can really get a
business win out of it.
I've actually had customers

(01:15:47):
send my team thank you notes.
And I'm talking executive customers send
my team thank you
notes for deploying 2FA.
Nice.
Yeah.
Because we made it simple.
We held hands.
And we enabled some things we wouldn't
have otherwise been
able to help them with.

(01:16:09):
That's great.
It depends on how you
approach things, right?
Right.
Yeah.
But that doesn't help with
the floating toilet seat.
I have to use that because if I actually
mentioned something,
yeah, I don't want it to be--
I tried to think about the most useless

(01:16:30):
thing ever for an IoT connected device.
And a floating toilet seat seems like the
most obvious choice there.
It's a good one.
Yeah.
I completely agree.
And you mentioned, I think before we
talked, you've worked with
medical organizations and
what have you.

(01:16:51):
And I used to do audits for those things.
And one of the biggest things that we saw
as problems was password enforcement.
Because doctors didn't want to have to
enter their multi-character password
multiple times a day.
And to your point, things like MFA or
badges or something, some kind of system,
tap and go increases security and it

(01:17:13):
decreases the amount of mistakes.
There are specific things we can do in
security that will help.
And things like badging or that if we can
make MFA more seamless
where we're not having a 15
character password that we have to
enforce and everything, those are great.
And it's great that you could implement

(01:17:35):
that at your organization.
I don't think we have enough wins like
that in an
organization from time to time.
And it's unfortunate.
So.
Yeah.
And I think part of it
is how we approach things.
If the first word out of our mouth is no.
Right.

(01:17:56):
Instead of help me understand why.
Right.
And how do we get to...
It's not even
necessarily how we get to yes, but
what's the right thing to do for the
company and how do we get there?
Right.
Yeah.
Yeah, I know that that makes sense.
That makes sense.

(01:18:16):
So I'm going to start off with the bullet
point that we have in
the in the Google Doc that
kind of leads us to
where we're at right now.
Security people are not going to be on
the board currently.
At some point, the SEC will hopefully
allow that to happen or
find some way to make that
legitimate.
But I saw our Harvard
Business Review article from 2023.

(01:18:37):
I love Harvard Business Review.
I don't know why they just
have really great articles.
It says boards are having the wrong
conversations about cybersecurity.
And one of the things that I read in
there was they said 69%
of board members responding
board members.
So they sent out a survey.
Okay.
Members, board members see 69% of
responding board members see

(01:18:57):
eye to eye with their chief
information security officers.
So just 69%, which I'm
thinking that's pretty good.
You know, three quarters, three quarters
see eye to eye with their CISOs.
Fewer than half of members serve on
boards that interact
with their CISOs regularly.
47%
in, you know, serve on boards that
interact with CISOs regularly.
And a third of those 47% only see their

(01:19:21):
CISOs in board presentations.
It is that indicative of what you've seen
in your career is like, you
know, we only see the CISO
when either something bad has happened.
Again, back to security, we only see the
CISO when something bad happens.
Or, you know, is it, you know, formal

(01:19:42):
presentations about
initiatives or goals for the next year?
I mean, what is it?
Is that indicative of what you're saying?
Yeah, typically, it's generally the
boards meet quarterly.
You from a CISO perspective, what I've
seen is we generally
present twice a year.

(01:20:04):
It's a formal presentation.
10 minutes to a half hour on the agenda.
And, you know, it's, it's very scripted.
The, probably I've, I've worked with four
boards over the past 15 years.
And the most productive board meetings

(01:20:28):
I've had are those where
I've established relationships
with the board members
outside of the board room.
I.e., you know, meeting with them,
meeting with a couple
interested ones monthly
so that we can go over some metrics, what
interests the board,
what are the topics they're discussing,

(01:20:52):
you know, and what's hitting the media.
And how are we
addressing it as a company?
So I've, I've been able to
establish that with two boards.
Really positive.
And they were boards that I was able to
either whiteboard with, you know,
or have involved in tabletop exercises.

(01:21:14):
Having board members actually involved
with some of the response preparation,
I think is really
important and really eye opening.
So they get to see what you deal with
when you think there's an
issue and how you deal with it.
So I think the more interested you can

(01:21:42):
get the board members, the better.
But I think those numbers are accurate.
They're very
indicative of what I've seen.
Right.
Huh.
So, okay.
So I'm, I'm, I'm, you have
GoldiKnox and I'm, I'm,
I'm, I'm going to assume,

(01:22:03):
please tell me if I'm wrong here.
This is a, like a virtual CSO thing.
So this is for companies that maybe don't
have a functional on full-time CSO.
They're either startup
or something like that.
Is that sort of understanding?
We do do some virtual CSO work.
We also, you know, one of, one of my
goals is to help a transitional CSO.

(01:22:25):
So somebody that's new to the role or
somebody who is moving
from one industry to another,
help them establish more patterns.
But we also do offer the virtual or the
fractional CSO services.
Okay.
Cool.
So you're like a CSO
mentor or something like that.
You mentor CSOs.

(01:22:47):
I hope so.
Well, so I was just wondering from a,
from a virtual CSO point of view,
that relationship must be even more
complicated and difficult because
you're not really part of the company.
You know, it's, it's very
similar to, and I apologize.
I only have my own experiences to go on.
It's like somebody in the company tells

(01:23:09):
you something's wrong with a system.
You know, management's
not listening to you,
but then you bring in a third party pen
testing or security assessment firm who
comes in, finds the same thing.
They give a $50,000 report
and now management cares.
And you're like, hello, I
was, I was here the whole time.
So what is a, you know, for the, for the

(01:23:30):
folks out there like,
Hey, I think I could be a virtual CSO or,
you know, I'm, I'm
thinking about becoming a CSO.
What is it?
I mean, what are some of the first things
that they can do when they're, you know,
trying to get in good with the board?
Is it, is it definitely meet the board
members over coffee somewhere else?
It's outside the, the work or what, what,
what kind of things can they do to when

(01:23:51):
they hit the ground running, you know,
not, you know, you know, mess up.
Yeah. I, I think it's to find
a champion on the board.
Um, you know, and I, I found them a
couple of different ways.
Number one through a CFO that I had a
really good relationship
with gave me some introductions

(01:24:13):
before the first board meeting so that we
could, we could talk
through and sit down and
walk through some meetings.
I don't, I don't know that you want to go
as informal as a coffee shop,
but a zoom meeting, um, you
know, because it's not really,

(01:24:34):
it still has to be a formal relationship
because of the, um, oversight.
And there's still some stuff that you,
you have to take to the
general session of the board,
rather than just with a couple of people.
But you can ask those couple
of people how to approach it.

(01:24:55):
Right. What's the best way to walk
through it and, you know, have a mentor
on the board or somebody
who can help you understand what that
particular board is
concerned about. But generally I've,
I've found those mentors through
management. So either working with the

(01:25:17):
general counsel or the
CFO, or in some cases the CIO and the
CEO, it's dependent.
Right.
But yeah, I would say when you hit the
ground and you know,
you know, you're going to be in charge of
security, you need to

(01:25:39):
establish those relationships,
both from a board perspective and a
leadership and executive
leadership perspective,
because you need to work with everybody
on the leadership team.
I think we all, all security
professionals at some point
say security is a team sport.

(01:26:00):
Right.
And it really is. You have to engage the
entire company to
help make you successful.
Right.
Right. So so you have to find your your
cheerleaders, your your, you know,
you have to figure out, you know, where
everybody is on the spectrum. So you've

(01:26:21):
got your attractors,
your your cheerleaders, your your math,
your your people are kind
of middle of the road kind of
thing. It seems like being a CISO, it's
one of those things that
what got you there won't get
you here kind of things or I know I'm
messing that up, but it's
like at some point you're going
to have to change the way you operate

(01:26:42):
being a CISO or being
even a director of security if
they don't have a CISO is on a
completely different level
than than a lot of things that
you've been doing. You've you've made
that transition at some
point in your career. So
what did you find the most difficult when
you made that transition

(01:27:03):
like you you made the conscious
effort, hey, I'm going to be a CISO and
one, I'd love to understand,
you know, what motivated you
to go that route. And, you know, what did
you find difficult there?
Or what did you find easy,
you know, and I understand, depending on
the personality, it's
different. But, you know,
I'd love to hear your insights on that.

(01:27:26):
Um, so what motivated me I, I found
myself in management, from
a security perspective, it's
I had some really amazing people who
served as my mentors
throughout my career and sponsors.

(01:27:48):
And they helped me build myself into a
director of security or position. And
I realized that the next step for me was
going to be CISO if I
wanted to continue to grow.
So my biggest challenge and

(01:28:13):
it's still a challenge. I'm
I am not comfortable in front of big
audiences. I am I am not a natural
speaker, public speaker.
I like conversations. I like, you know,
building a team. But I've

(01:28:33):
had to really work on presence
and building the ability to sit in front
of a board and not have my
heart beat out of my chest.
And just finding ways to get through
that. And probably the other big

(01:28:53):
challenge I had was taking
geek speak and learning how to take that
to a boardroom and make it
relevant to the board and
to leadership. The first time I presented
to the board, I walked in

(01:29:15):
with a presentation and it
talked about NIST 800-53 and the 17
control families and the 250
controls and I'm boring you
talking about this. No, I can't tell you
what the faces on the board look like.
It was it was a hard lesson to learn, but

(01:29:41):
I think I put most of the
people in that room to sleep.
Well, so I guess I guess the question is,
did they did they ask
for that? Is that what they
wanted or is that what I'm trying not to
sound is that what you think they wanted?
It's what I thought they wanted. It's

(01:30:03):
reading the room,
right? It's reading the room.
Yeah, it was what I
thought they wanted based on
conversations with my management chain
and some of the people
who were advising me.
I don't think any of us really knew what

(01:30:23):
the board wanted in terms of
cybersecurity, right? This is
the 2012-2013 time frame. We were trying
to figure it out and I
wanted to talk to the board about

(01:30:44):
what our framework would look like and
what we were trying to
achieve. That was way too detailed.
Okay. They want to know that we
understand what our
risks are, that we understand

(01:31:05):
where we need security to speak to our
customers and enable business.
They want to understand if there's any
risks that they need to help with. I
think ultimately the
board really wants to help the security

(01:31:25):
program. They just don't know
how. Right. That makes sense.
At that point in time, it was rolling the
dice and seeing what we
ended up with and adjusting
from there. We adjusted. We made it
better. We were invited

(01:31:47):
back to the next board meeting,
so it wasn't a total loss. That's cool.
Yeah. Yeah. Yeah. I think I'm an
extroverted introvert,
so I have my moments. I have my splashes
of energy. My biggest
issue, and I probably

(01:32:08):
resonates with quite a few folks here,
it's like you can say one thing and
depending on the audience,
it has to be translated five different
ways. What I might say to a
product team won't be what I
tell the CISO and what I tell the CISO is
not what the CISO is
going to tell the board or

(01:32:28):
that kind of thing. It almost feels like
a weird game of telephone
where it's like I have to speak
English over here. I have to speak
Spanish here. She's going to go speak
German to these folks up
here and it's like, okay, well, it's all
kind of similar. They got the romance
language thing going
on. We got some cognates. You got some
things that say, you
know, sound somewhat similar,
but the message is going to be different

(01:32:48):
to your point. Yeah. It's
like they didn't want to know
about NIST 800-53. They just wanted to
know that there was some
kind of risk framework in place.
They, we were going to implement
something I would imagine that's, you
know, and, you know, same thing.
Same thing, I think with a lot of folks
that are, you know, upper,
lower middle management, like
myself, it's like, okay, you have to say

(01:33:09):
the same thing five different
times or five different ways
because the CISO only cares about maybe
the, not the how or the, you know, but
maybe the, you know,
I don't know, I don't know which one of
those questions it would be,
but it'd be like, you know,
I've got it. I've got it under control.
This is the what, okay.
This is the what's happening or
whatever, but not the how I'm going to
fix it. And, you know, with

(01:33:30):
the product team, you're like,
okay, this is how you're going to have to
fix it or this side, you're
going to have to address it or
what have you. And then, you know, the
board's a completely
different, you know, what a more
generic what I think in that case. But
yeah, I, I think that a lot of people
have that issue in our
in our field, and it's it's it's a trial
by fire, I think. And I think to your

(01:33:50):
your story, you know,
that's a trial by fire. You're like,
okay, I won't do that again. Right.
Unless you learned. Yeah.
Room to grow, I think. I'm reminding
myself of a story that I read
where the tenure of a CISO is
two years. And I've also been told that
you really have to be at a

(01:34:12):
job two years before you can be
considered the owner of the thing. So I'm
trying to find out if those two are
corollary. It's like
by the time the CISO gets to actually own
the program or the
project, they're either being
kicked out because they didn't get the
job done or they're moving on because
something has happened.
So what what what is with the short

(01:34:35):
tenures with a lot of CISOs? Is it
because of stress? Is it
because, you know, they they realize that
they've bitten off more
than they can chew? I mean,
and maybe this is just a media story like
the you know, we have a
talent gap like we had with our
recruiter friend a couple of weeks ago.
It's like it's just trumped
up, you know, metrics where,

(01:34:56):
you know, that's what they say is
happening. Do you see a lot of CISOs
lasting more than two years
in their jobs? Not really. No, come on. I
I'd love to spin a pretty tale that it's
all a lie. And we're
we find a company and we stay there for

(01:35:17):
life. Dang it. The grass
is always greener, right?
There's there's always a better
opportunity in some cases. I
I probably left one job that I
completely loved and I was doing really

(01:35:38):
well to to chase the money.
And, you know, I got offered
stupid money and that was it was cool. I
learned a lot. But I want to
go back because I love that
job. I love the team I was working with.

(01:36:00):
I love the mission of the
organization. And we were
making some really good progress. Right.
But, you know, I I made that
decision. I have to live with
it and you move on. But in some cases,
you just end up the CISOs generally

(01:36:25):
buried in an organization,
right? They're expected to be an
executive, but they're three
deep on the executive ladder,
right? There are three levels down. So if
you don't like what mom says, go ask dad.

(01:36:46):
Right. And you get into that game of
telephone. So it can be hard
to be in an organization where
you're down so far on the chain. Right.
So one of the things
you really have to do is
you have to build trust right away

(01:37:08):
because you have to be the authority.
So you don't have two years to get to own
the function. Right.
Right. You have to own the
function right away because if the
function fails, you're the one that's
going to be escorted to the
door. Right. Right. So some of my

(01:37:33):
leadership classes I learned at the
Harvard Business School
online was, you know, you're generating
trust through either
positional authority, which,
you know, if you're brand new CISO, you
don't have any positional
authority. I mean, what you do,
but it's like you've just been there for
two weeks. You've got, you know, your
your reputation. So if

(01:37:54):
you're like a mud or, you know, Mary,
Mary Gardner or somebody
who's brought in to be CISO
or what have you, they may know you
because you're a celebrity or a rock star
or something like that,
which you've got that kind of authority.
Yeah. Do you how do you
build that trust? Right. I mean,
is it is it do you know coming in what

(01:38:17):
your playbook looks
like? I mean, this probably
isn't the first time you've been a CISO
or or I mean, if you have
been, you know, the first time,
I mean, what are the things you do to
build trust in an organization? Who do
you start with first?
You start with the CEO. Do you start with
the folks underneath
you? Is it a bit of both?
So you have to start with both, mostly

(01:38:40):
because when the day is
done, if I don't have a team
that is committed to working with and for
me, we're not going to
be successful. Right.
It doesn't matter what I do. I need that

(01:39:02):
team. Right. Because I can't do it all.
So I have to establish
trust with the team and
I love the concept of managing up. I
think a lot of people say
that they're going to manage up.

(01:39:23):
And you can do that, but only if you have
a team that trusts you and
you know, that you trust.
That you trust. So there has to be that
teamwork from a security perspective.
And once you establish that, then you
have to you have to establish

(01:39:43):
the trust among those people
that are going to be key to your job. And
that's going to be your
direct report, who's probably the
CIO or the chief legal officer or the
chief financial officer.
Right. So those are the three
places. Generally, the CSO reports. I

(01:40:09):
honestly think the CSO at some point
needs to be elevated
to a position or reporting to the CEO.
Right. Right. They need to
have a seat at that table.
Right. But you have to establish trust
among minimally those
three people because the chief

(01:40:30):
legal officer can be your best friend.
Right. They're going to
help you when there's breaches.
They're going to help you when there's
issues or incidents.
They'll help you understand the
regulations that are coming down the
pike. And the CFO.

(01:40:54):
Generally, most of the regulations are
tied to the CFO's office. So, you know,
SOX, a lot of the SOX
work we do has financial control
implications. So it's really important to
build trust there. And, you know,

(01:41:16):
ultimately, if the CFO
is assisting you in getting budget,
they're always a good
person to build trust with.
But ultimately, everybody on the
executive team should be somebody
you seek to build trust with. The chief

(01:41:38):
people officer is going to
be a huge, hugely important
to you. But one of the things you asked
about the strategy of how do
you start going about this?
I make friends with the executive
assistants first and foremost.

(01:41:58):
Oh, yeah. It doesn't matter
who they are. But if you make them angry,
you're never going to get
a meeting with their exec, right. Right.

(01:42:18):
Treat them well. Right.
Yeah. Yeah. They have more power,
I think, than the CEO or the CFO or the
CRO or whoever. Yeah.
Yeah. They know where the
skeletons are buried. They know, you
know, they manage the
calendar, that kind of thing. Yeah,
they're super powerful people. So. But

(01:42:40):
also, they have the
knowledge. And if you help them,
they'll help you. They're. Right.
Amazingly talented, overworked,
underappreciated people that
just really want other nice people to
work with. Nice. Yeah. Yeah.

(01:43:03):
So, kind of going back to what
we were talking about with the different
messaging and what have you
with like product teams and
with CISOs and stuff, your approach to
getting things done as a
CISO, depending on who you
report to is going to be different with
the CFO is going to be
numbers game. You know, I need this
new box. Our systems need to be upgraded

(01:43:24):
to blah. Well, we don't got
the budget for that. Legal is
going to be what kind of damage can this
cause the company? I'm
assuming that you really have to be
like you really kind of have to leave
that technical side and
be more of a people person.
Right. People, you know, it feels like
you really have to understand and read

(01:43:45):
people properly with
that, unless you're marketing CISO or
something like that. Did you
I mean, when you're mentoring
new CISOs, is that I mean, what is it?
What is it you tell
them other than, you know,
building trust is great. Yes. But yeah.
Do you ever size them

(01:44:05):
up and go, OK, look,
you're going to have a rough time of it
because you're not this or
you're going to, you know,
you're going to be really well on this
job because you can do this. I mean, do
you have evaluations
with CISO mentors or people that you're
you're working with in
transition that you say, OK,
you're going to run into this problem
with these people or what have you.

(01:44:26):
Yeah, I. I try and shoot straight with
people. And if I think there's.
I think if they're trying to come across
in a way that could be
damaging, I'll work with them on
that and. New CISOs have to be really

(01:44:50):
open to. I don't want to say being a
chameleon, but sort of
being a chameleon. Right. You know,
because you've got to
you do have to change.
Your tone and tenor, depending on who

(01:45:11):
you're dealing with, and it's not just
positionally, it's also personally.
Right. Because I have a tendency to be
extraordinarily informal.
OK. With people, I just I
like going in and telling them.
The way it is and having an open, honest

(01:45:31):
conversation with them, but.
It doesn't work with
everybody, so I have to adjust.
It's not incumbent on the people I'm
going to talk to to adjust to me.
It's incumbent on me to understand and
read people like you
were talking about and.

(01:45:52):
Right. Sometimes it's hard.
Yeah, yeah. But if you one of
the things I tell people is.
If you're walking into a conversation,
it's going to be crucial for your career
or your your project.
Talk to people who know that person.

(01:46:16):
Get advice, understand what they like,
what works, what doesn't work.
Talk to people who report to them.
But do your homework.
A lot of it's about just really doing
homework and understanding approaches.
The other thing is you have to be willing to listen to the advice.
Right. People have.

(01:46:41):
Cautioned me about walking into the room
with somebody and and given
me some really great advice
that I didn't listen to and.
I'm still regretting that.
So, you know, listen to
the advice people give you.
Is it one of those things?
Check your assumptions at the door.
Check that ego because, you know, if you think you're hot shit,
you're going to find out pretty quickly

(01:47:07):
whether or not you are kind of thing.
Oh, yeah.
Okay. All right.
Yeah, you.
You know, and I think.
Probably another.
Another piece of advice I give.
Is. For the first 30 days.

(01:47:34):
Ask questions and listen.
Right.
You know, there is.
There is nothing so.
There is nothing people.
There is nothing people like less than

(01:47:57):
somebody who comes into a situation
without understanding it
and making proclamations.
Right.
Right.
Yeah.
You know, it's been my experience that,
you know, yeah, you listen,
you observe, you ask questions and then,

(01:48:18):
you know, like any new leadership,
you know, you're you're going to have to
do a reorg at some point
because that's just kind
of how everything works.
That's kind of the playbook to go.
Yeah, you found the inefficiencies.
So you have to fix those inefficiencies
or, you know, to, you know, especially,
you know, below, not not necessarily
above maybe, but it's been my experience.

(01:48:40):
Anytime new management comes in, there's
going to be a reorg in anywhere
between three to six months.
So kind of expected.
At least that's how it's
been where I work right now.
And I guess it depends on the type of
projects that the people are working on.
But yeah, it's been it's been my
experience that reorganization
and realignment is is is the way.

(01:49:02):
So I mean, that's been my my experience.
Have you is there is there
a CISO playbook like that?
Because there was a joke.
It's like, you know, you
spend the first 30 days, you know,
getting to understand the ropes.
You're going to, you know, try to
implement something
with a reorganization.
And that's that's where the joke of the

(01:49:23):
two years came from.
It's like, you know, by 18 months in, you
realize that there's a problem.
And, you know, you can't fix.
And then by two years, you're out.
But, you know, it I had
a point and I lost it.
And I don't know what that is.
Are there are there things that are
expected of you from the CISO role?

(01:49:45):
I guess is this a thing?
Are you always expected to do a
realignment or reorganization?
Or have you actually seen where, hey,
everything's going good.
It seems to me if they've hired a brand
new CISO they want to put their
paint job on the car, so to speak.
So I mean, is that is
that typical behavior?

(01:50:07):
It's typical.
Well, the the two times I've walked into
a well formed security team, in one case,
the security team actually had been
reporting up through it.

(01:50:30):
And the CISO had
been reporting into legal.
So the security team
didn't report to the CISO.
So when I came in, we collapsed them.
Okay.
Um, and there were some
minor tweaks that I made.

(01:50:51):
But for the most
part, I had a green field.
So that's nice.
Yeah, we brought I think we brought in
one, maybe two managers
and a program manager,
but we were able to really work with what
we had and add some staff

(01:51:11):
and augment some functions.
In the other case, the
team was pretty functional.
I made a couple changes adding a GRC role
that was in house instead of outsourced.
Um, but the other two CISO positions

(01:51:36):
I've been in, really,
we built the organization
from the ground up.
So it really didn't exist
before that, before I joined.
So we were able to do green field work.
Um, I think every CISO has their

(01:51:56):
optimal organization.
And that's the blueprint you carry with
you and you change it depending on the
organization you're in.
Do I build a SOC
internally or do I outsource?
Right.
And normally I outsource that function.

(01:52:17):
But depending on the company I was with,
I would leave that
option open to build in-house.
Okay.
But I've never had somebody tell me I
needed to build it this way.
Right.
Or I had to dismantle this.

(01:52:40):
I've made, I've absolutely made personnel
changes within the first 60 days.
Yeah.
But everybody's going to
because it's needs wants.
Right.
Well, I mean, they, they hired a CISO
for a reason and it was

(01:53:00):
either because the security
team, yeah, I, I find it hard to believe
a CISO's leaving if,
you know, they, well,
like you said, you were chasing, you
know, heinous money, but
there's going to be things
that they're going to find in there, you
know, hey, why are you doing it this way?
You know, why are we, why are we doing
all this stuff manually?
Why are we, you know, well, that's just

(01:53:22):
because of the way
we've always been doing.
Okay, well, you know, is there a way to
automate this or is there a
way to do these things or,
hey, I know about this technology that
y'all don't have that you
probably should have that I used
at my other company, which may or may not
work here or that kind of thing.
So makes sense.
Makes sense.
Yeah.
And I think the, I think those, those

(01:53:44):
changes definitely
happen over the course of
six to 12 months, maybe not in the first
90 days though. But if we're generally,
we're not given a direction to go in and
wholesale change everything.

(01:54:04):
Right.
But yeah, there's, you always find
inefficiencies or things you want to
change when you move into
a new position. I think
that's true of everybody.
Right. Right. Yeah. Yeah. I mean, if you,
yeah, you clear cut
everything, you're going to run
into things like or goals or, you know,

(01:54:26):
things that have been
established that, you know,
we're going to get into jeopardy. So it
makes sense. Yeah. You
want to know where to make
your cuts. You want to know where to add
on where to graft new
capabilities or technologies,
that kind of thing. And I guess that's
part of the whole trust
generation thing. You have to,
you know, listen to the people who
actually, you know, maybe need those
things have been asking

(01:54:47):
for them for years and haven't been able
to get them. So part of it is, you know,
working with your
teams to understand that.
And, you know, one of the things I, there
are certain people that I will always
try and tempt to come with me when I find
a new gig, you know, and
just figuring out how to,

(01:55:09):
and it's because we've developed a long
standing trust relationship, right?
Sure. Yeah.
So those are some of the things that I'll
look for when I start
with a new organization is
who do I need and are there places where
I can use these people that
have helped me succeed in the
past? Nice. And I think that's true of

(01:55:31):
everybody. We want to have our tribe.
Right. That makes sense. So I want to, I
want to kind of steer back
to a couple of things that,
you know, asking about. So you you've
worked with boards, you're probably
working with some boards
right now. What in generalities, if you

(01:55:55):
can, what are boards most
worried about these days?
Is it the AI stuff? Is it trying to
figure out how to stay, you know,
relevant with with that
new technology? Do a lot of them even
care or they're just
trying to figure out how to,
you know, productize it? And is there,
you know, what is the things
they are keeping the boards

(01:56:16):
up at night now?
So it depends on the industry. Right.
But I think if you're talking about
tech or manufacturing or any company that
has intellectual property to protect,

(01:56:40):
it's definitely AI is definitely on top
of their minds. I think
the other thing is just
an assurance of resiliency. Resiliency.
Ransomware, well, the ability to keep

(01:57:02):
managing through an attack.
Okay.
Whatever that is, or keep
managing through a loss.
Right. Right.
So do boards are definitely
concerned with the ability to

(01:57:23):
maintain the corporation
through a ransomware attack, through a
breach. You know, how do we
handle a breach? How do we
respond to a breach? And what are the
repercussions if we do have a breach?

(01:57:45):
Right. Especially with
the SEC breach rules. I think boards are
struggling with how to
define material because
it's not just a number.
Right.

(01:58:05):
You know, if you're a business that has
reputational impacts, you know, what
happens if your reputation
is damaged to the point that
you're losing business?
Right. Right. That becomes material, but it
becomes material over
time. So how do we set up those

(01:58:28):
triggers to know when a breach is
material and when we need to report?
Right. I think the other thing is
boards are concerned about whether or not
they're getting

(01:58:49):
a real picture of the risk of
cybersecurity threats.
Right. Especially after the Uber
situation. You know, is the CSO reporting
to us accurately? Do we
know everything that's out
there?
Right. Right.
You know, and I think the

(01:59:11):
board's going to have to
look and see whether or not they have the
right reporting
relationship to establish that trust
with the CSO. So the CSO does have an
open chain of
communication to the board without,
you know, a stop in

(01:59:32):
between for executive management.
Okay.
Or maybe not without a
stop, but with the right
stops in place.
Right. Right.
Huh. So has the Uber thing really damaged

(01:59:54):
the CSO role that badly?
That sounds scary. Like we
can't recover from that. It's been what,
three, four years since that happened?
Yeah. So it's been three to four years
since that breach happened,
but I believe the prosecution
was just in the last year? Three years?

(02:00:15):
Yeah. Yeah. They handed down. Yeah.
It was the prosecution more than the
breach that brought it
to everybody's attention.
Okay.
Yeah. Three years probation for covering
up data breach involving
millions of Uber user records.

(02:00:35):
Yeah. That was the that was Friday,
February or May 5th. Yeah.
Yeah. I mean, yeah, that was that was
that was terrible. I think
from a from a CSO point of view,
but yeah, I guess.
So I think what do we do?

(02:00:55):
I think we do coverable though, because
we can't all be painted with that brush.
Right. Right. So is it just a bunch of
dashboards and metrics or obviously they
don't want dashboards
and metrics. They want, you know, some,
some fairly generic
things, but that's one of those
fine lines, right? We can give them 800

(02:01:16):
dash 53 and all 17 articles and config,
you know, and they're
like, you know, they start glazing over,
but they probably don't
want a ton of metrics that,
you know, they want to be told the story,
but, you know, so it seems
like there's a happy medium
there. Again, that's one of those trial
and error things, I
guess, that you're going to,
you're going to find out either you've
done really poorly this month

(02:01:36):
and you'll improve next month,
or you, I guess there's
always room for improvement. So
and if you're doing it right, you're
having the conversations
to understand what they want before you
even walk into the room.
And that was, that was my big

(02:01:57):
failing because I never met with the
board before I presented to them in that
particular case. But
when you meet with the board and you
understand what they're looking for
and whether or not
they understand what you've presented, it

(02:02:19):
helps a lot. Yeah. The
other thing is you can expect it
in the full board meeting. So having
those two or three
advocates on the board that will
give you honest feedback is really
important because the full

(02:02:40):
board isn't going to spend the
time to have a feedback session with you,
which is unfortunate, but it's just not
the way it's going to happen. So having a
few champions on the
board is really important.
That's cool. Yeah. Plus at those board meetings, I'm actually going to talk about
those board meetings. I'm guessing the

(02:03:00):
CISO isn't taking up the
entirety of the time. You
get maybe what, two or three slides, if
that and a handful of
minutes to be able to go,
okay, this is what we're doing. Or was,
you know, I guess in the, in
the case of the NIST 800-53 story,
it was a meeting for the CISO to talk
about those things. But I would imagine
most board meetings,
you only get a handful of minutes and a

(02:03:22):
slide or two to be able to
go, okay, this is, this is what
we're doing. Yeah. In the NIST 800-53, that
was my introduction to
the board. Okay. So that was
actually an hour long, which was time not
well spent. But
generally standard board meeting,

(02:03:43):
you get anywhere between 10 minutes to a
half an hour. Oh, that's
not too bad, I guess. No, it's
half an hour is great. And if they're
engaged in asking questions, that's the
best of all possible
scenarios. Because if they're asking
questions, they're
understanding what you're saying. And

(02:04:04):
that's a really good indicator of whether
or not you've hit your
mark. Right. Right. I guess
there's, I guess it's, you have to figure
out how much content you
want to put in. If you put in
10 minutes of content and have 20 minutes
of questions, that's
great. But if you put in
10 minutes of content, you get like three

(02:04:25):
questions, you're
stuck there with another 20
minutes and you're like, yeah. And so
either you did a really good job of
explaining everything
in 10 minutes, or they didn't understand
a thing you were saying and
don't even know where to start
asking those questions. I, God, now I
don't want to be a CISO.
This sounds too nuanced for me.
I can't remember. No, Brian, you need to
be a CISO. No, you're

(02:04:46):
asking the right questions.
Nobody wants me to CISO. I'm upper,
lower, middle
management. You have no idea.
So upper, lower, middle management is
kind of what we all are, I think.
There's always somebody above you on the
rung on that ladder, I guess.
Yeah. Okay. Okay. Well, I guess, I guess

(02:05:08):
one of the last things we
get, you know, to segue into
that is when do you, when does, when
should somebody feel
confident that they can be a CISO?
Because I know people who are CISOs of
companies where they're
like employee number two. And,
you know, you're like, are you really the

(02:05:29):
CISO? Because you're
also the head developer,
janitor, caterer, you know, head of
development, IT
person, that kind of thing.
You're in, okay, you have CISO in title,
but it's like, when is
the time to make the jump?
When do, you know, is it like, Hey, I'm,
you know, I'm tired of

(02:05:49):
being a technical person.
I want to go and be a people person now,
or, you know, what,
you know, I'm starting,
I'm not starting to feel this. It's like
the imposter syndrome in
me is like, I don't even
know if I could even be a CISO at this
point. Who would want me?
And what does, what does the
skill set look like for somebody like
that? It was, you know, I

(02:06:11):
guess, I guess I'm asking
maybe a question. I don't
know if it's the right question.
So a couple of things, but I'm going to
step back a minute because please do.
I don't want to paint a
picture of doom and gloom.
We started with doom and gloom.
Well, look, this is probably, I started

(02:06:37):
out my life as a
biologist, right? And I made several
career hops and I found security. Okay.
And I love this job.
I love the challenges.
I love the fact that every single day I
have to use a different
skill or use a skill that

(02:06:59):
I've grown in a different way. And it's
not just a technical skill,
but it's also the people skills.
Right. I think
there were two questions that I think I'm
going to tease out of what
you asked. The first one is

(02:07:22):
a lot of times people get a CISO role
along with a lot of other stuff.
Right. So they're doing the function of
information security
and they get that title.
I think you have to
honestly ask yourself,

(02:07:44):
does my CISO role conflict with any of
the other hats I have to wear?
Right. And if it does,
it could be problematic. I've been in a
position where I was the,
for all intents and purposes,
a CISO, a person in the IT department

(02:08:06):
left, and I was asked
to sit in their chair.
Right. And I said, I will do it, but you
have to understand that it
conflicts with my CISO role.
Right. So there are going to be times
when I ask somebody else to sit in their chair,
to help advise me of something because I
can't make that decision.

(02:08:28):
Right. Because there's a conflict of
interest and it's not fair to
anybody. So that's one thing.
But the other thing is from a personal
perspective, I don't know
anybody in this role. Well,
I do know a couple of people. I'll take

(02:08:48):
that back. But I think
everybody struggles with
imposter syndrome at some point. This is
a big role. I mean, we used to joke that
information security was an inch deep and
mile wide. Right. To
be good at this role,
you now have to go at least six inches

(02:09:10):
deep and mile wide. Right. Or
you have to be able to build
that team. I think you're ready for the
role if you're ready to
stand in and take the hits
and answer the hard questions. If you

(02:09:33):
want to lead a team,
because you have to lead the team,
you have to be transparent with them, you
have to let them know what's going on.
And you have to grow them. I think that's
probably a mistake
I've made in the past is
when I had the opportunity to take
somebody into the board meeting with me,

(02:09:54):
I haven't done that.
And that's a great growth opportunity for
people. But I think if
you go in every day to play with the
technology, you don't want
to go to a CISO role yet.

(02:10:17):
Right. When you get past the point of
wanting to be that
hardcore technologist that's
figuring out how to solve everything with
technology, wait a couple of years.
Okay. And then see if you change your
mind and you really want
to work with people more.

(02:10:38):
Right. I think it's a great place to be
because there's nothing better than
seeing somebody's eyes
light up when they understand.
Right. And you can do
that with your team,
you can do that with leadership, and you
can do that with the board.

(02:10:59):
Very good. Okay. Okay. Yeah, it's kind
of, yeah, that makes 100%
sense when I was working
at CrowdStrike. I've told this story, I
think even to a couple of
folks who are on our stream here,
I realized that I did not have the
mentality to sit for 12
hours at a computer trying to
get a shell or to try to do pen testing

(02:11:20):
or red teaming or what have
you. And I realized, well,
okay, I probably should move to a PM type
management role,
which is why I ended up at
Leviathan with our friend. And I'd like
to think I'm good at being
a PM, but yeah, I've found
myself at a crossroads because I'm now

(02:11:40):
colonoscopy years old and I
realized that you've got to do
something right with your life. I've got
to grow up and do something. So it's
good, good feedback.
I appreciate that. And, you know, there's
a lot of folks who say,
yeah, they're willing to take
those punches and willing to, you know,
make those, take those
hits until they actually end

(02:12:01):
up having to do so. And I think that's
where you, you, you, you,
you have, you prove your
mettle, right? If, if, you know, you,
you'll find out at your
first board meeting, if you,
you get your ass handed to you and you're
finally, well, okay, this
was, this was awful or, you know,
what have you. But yeah. So

(02:12:22):
maybe another key there is
you don't necessarily treat
your mistakes as failures.
Oh, you understand that they're learning
opportunities.
They're ways to get better.
Okay. Okay. You mean like Edison, I

(02:12:43):
didn't fail at making a light bulb. I
just figured out another
way of not making a light bulb or it said
in context, right? So,
okay. Yeah. Okay. Very cool.
Um, okay. Well, uh, wow. Um, time, time
does fly when we're
having fun. I want to,
I want to talk a little bit about GoldiKnox
again. Um, uh,

(02:13:04):
what, what did, I mean,
I'm on your website and it's got a very
hypnotic background, which
I love. Uh, and, and you're,
you're doing a lot of different services,
uh, for enterprises
startups, which is something I've
actually, you know, one of the things
moving to San Diego, we
have a fairly healthy startup
community down here. And I was like, Oh,
I'd love to, you know, be a really cheap

(02:13:25):
security advisor to some of these folks
and, and whatever. And, um,
uh, when you're, when you're
talking to startups, you've got cyber
liability audits and
certifications. They must come to you
as a startup at some point and go, okay,
we've got a customer that's asking
questions, you know,
about how we're storing data or
something. I'm assuming at some point a
startup will come to you

(02:13:45):
and go, okay, we've reached a point where
people are actually asking about
security. And, and I
don't know if it's actually gotten lower
in the, the initialization
phase or the unicorn phase,
you know, before series A or whatever.
Um, have you noticed, you
know, from, from a GoldiKnox
point of view, when they've
started asking about
security, is it, is it become sooner

(02:14:07):
rather than later in the, in this
journey? Absolutely. Um, and
you know, one of the things
so people are more and more concerned as
products are more, um,
software as a service.
Right. Um, about making sure that their,

(02:14:30):
their data is secure and
there's more certifications
for those types of providers. You know,
when people were buying
software and just deploying it,
in data centers themselves, I think there
was less concern about that.
But now that I'm trusting my

(02:14:50):
data to the service, um, I have more
concern about that. So I
would, as a CSO, I would ask
earlier in the process for a SOC
2 or something like
that. Um, and I think for

(02:15:10):
many providers that are offering SaaS
services, it's actually a deal
lender. If they don't have a,
a SOC or a SOC, um, to type two, I know
there's, there's been
companies I wouldn't
do business with because
they didn't have a SOC.

(02:15:32):
That makes sense. Yeah. But yeah, so it's
definitely earlier and
I would, you know, I,
this is me being a salesperson without my
sales hat on. Um, the earlier
you bring a security advisor
in, especially if you're building a

(02:15:55):
product, the better you are, because if
you build those, um,
controls in from day one, number one, you
don't have to retrofit them
later. They don't, they're
not as expensive. Number two, you
establish good practices right up front.
Um, and our friend that

(02:16:15):
we've mentioned from Leviathan, um, is
really good at advising on
those services from a software
delivery perspective. Oh yeah. And I
think that's one of our shared passions
is making sure we're
building better software. Yeah. That's
yeah, that's awesome. Um, I also, you

(02:16:38):
know, just looking at
your partnerships on your page. Uh, I, I
also know one of the other companies
there that is, is, um,
pretty, pretty good too. So, uh, yeah, I,
I think, uh, yeah, I
think it's, it's, you know,
good to have, you know, good
partnerships. It's good to, you know,
bring in security as soon as

(02:16:59):
possible. But, um, you know, it, it
obviously shows due diligence, right?
When, when a company's like,
Hey, you know, when, when you're
self-aware enough to go, maybe we should
have security. Maybe we
should talk to somebody about that S
word, uh, before, you know,
maybe even before somebody
customer comes in and goes, Hey, you
know, we want to give you, you know,

(02:17:20):
millions of dollars,
but we need this. So having that
proactive approach is, I hope it's
something you see a lot of and not
like, Oh my God, we need to do this now.
And, you know, we've got
something coming up in a month
or whatever. I bet you get those too.
But, um, you know, I, I
imagine the, the more proactive
approaches are always the, the ones that
end up being better for you. So yeah.

(02:17:41):
And, you know, it's,
customers have a lot more leeway when a
company can say we're in
process with our SOC 2 type one.
Right. Right. You know, if, if you can
say that as a company, most of your
customers will say, Oh,

(02:18:02):
okay. When's it due? Great. And they now
have a path forward. Right. Right.
Especially if you can say,
we've already, you know, engaged somebody
services, we have an
audit company on the line.
Yep. Yep. Makes sense. Yeah. Um, I'm

(02:18:23):
going to ask any last question, any
questions from the chat
before we go. Any questions? Last call.
Because, uh, uh, Mary's
time is not billable here, but
you know, it should have been, uh, we
should have made this billable time for her. Uh, so,
uh, yeah. Uh, okay. So I'm going to call

(02:18:45):
it, uh, Mary, uh, you know,
GoldiKnox seems to be going
well. Uh, Oh, uh, okay. So one of our
friends GoPro Slo-Yo says, uh, what kind
of fraction do you do
fractional type CSO work? Frac is
fractional different than
virtual? I don't necessarily
see. I don't necessarily consider it much

(02:19:06):
different. Um, okay.
But it's, it's providing
services for part of a week. Yes, we do.
Okay. Okay. Very cool.
Um, very nice. Um, yeah. Uh,
yeah. GoPro, uh, check out goldiknox.com, man. Uh, you
know, uh, you know, if y'all need

(02:19:27):
anything, um, amazing people who work
there, by the way, uh, Mary,
if people wanted to talk more
about being a CSO or, Hey, I think I
could be a CSO, please
mentor me or whatever. Uh, how,
how would they get ahold of you? How
would they, how would they contact? Um,
email M Gardner. Okay.
At goldiknox.com. Okay. And my

(02:19:50):
LinkedIn profile and, uh,
that's pretty much the best
ways to get a, get ahold of me. Um, if
they want to call 206-218-6900. Okay.
Very nice. Very nice.
Uh, on, on other than LinkedIn, are you
on any social medias
or anything like that?

(02:20:13):
I have not a very active, uh, poster on
social media. That's fine.
It's, it's probably for the
better. You know, it's, it's just another
point of stress. You've
already got enough being a
fractional CSO and auditor and all this
stuff. So you don't need the
social media stuff as well.
So that makes sense. Well, somebody told

(02:20:33):
me a very long time ago, when you put something out there, it's really hard to get it back. Oh yeah. Yeah. Yeah. That's true. So, you know, my cat has a Facebook account. Occasionally she will post something, but that's not it. That's fantastic. Yeah. Yeah. My cats are actually

(02:20:56):
surprisingly gone. I would have brought Mom and Katie on here and let you check out Mom and Katie, but... Very nice. Cool. Well, yeah, like I said, check out GoldiKnox. I'd like to thank Onyx for reaching out and saying hey and making this happen. Very, very happy to have met Onyx and yourself. And

(02:21:18):
I wish y'all the best and hope for continued success for GoldiKnox. And we'll definitely have to have y'all back on at some point in the near future to talk about some other things, some compliance, some GRC stuff. I'm all in on that stuff. I've actually changed how I feel about GRC now in the past few years on this.

(02:21:39):
So, very cool. So, Mary, thank you so much for being here. And, yeah, that was it for Brakeing Down Security, uh, Brakesec Education this week. You know, Mr. Boettcher can be found at boettcherpwned on Twitter, B-O-E-T-T-C-H-E-R-P-W-N-E-D. Ms. Berlin, who would have been here except she's entertaining people who came

(02:22:01):
in for the solar eclipse tomorrow, can be found at infosystir, I-N-F-O-S-Y-S-T-I-R. She also runs the nonprofit Hackers Health, which does villages at conferences for, you know, bringing awareness to mental health issues. And you can find that at Hackers Health on Twitter as well. And

(02:22:21):
you can find me on Twitter, Brian Brake. And you can find me on LinkedIn, linkedin.com/in/brakeb. So it's really easy to find. But that was it for Brakeing Down Security this week. Hope you have a great week. Thank you again, Mary, for your time, and appreciate that so much. And, you know, take care of yourselves. As

(02:22:41):
we're fond of saying here, you're the only you you have, and we will talk to you again soon. Bye.