Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hey, at some point in time in your career, you had to break into cybersecurity. You've probably moved on from that point, and you're helping to mentor others. But let's talk to somebody who has done a tremendous amount in helping people get onto their cybersecurity career tracks. Stay tuned. We're gonna cover that right now.
(00:27):
Hello, and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy. I'm your host for today, and I have a special guest, Christophe Foulon, and he is also a podcast host. So with any luck, we might end up doing a dual podcast. I think that's a first for us.
(00:47):
I've only done what, 246 podcasts so far, so it's about time I started cooperating with others. But anyway, Christophe, welcome to the show. Thank you so much for having me. I would say your podcast has been an influence on my podcasting career as I've grown in the industry, and I've followed yourself as well as Ross over the years.
(01:11):
And I'm excited to be part of this podcast. Yeah, I'm glad to have you on board. They've heard great things about you. I did a little bit of homework and found out that, as I said, you'd had your podcast. But first of all, a little from your background, and we'll go from there so everybody knows why it's worthwhile to listen to you. So I grew up in the Caribbean, started tinkering with computers, eventually
(01:35):
decided I'm great with tech, but I love helping businesses. I love helping people solve their technical problems. At the time, I decided I didn't really want a computer science degree, so I went to school, got my bachelor's in business.
(01:56):
Then the economy went down the tank, and I decided, hey, if I'm gonna struggle for work, I might as well do something I love and enjoy doing. Quit my job. Went, got some certifications, 'cause even back then, having certifications was one of the first things that recruiters screened for. Got some certifications, got my first help desk role, and then started to
(02:22):
really see, wait, people are doing things insecurely, the easy way, just to get their job done, and I found myself coaching, helping, mentoring the business into doing things more securely as part of my help desk role, and found out about
(02:44):
this whole new industry focused on cybersecurity. Took me seven years to eventually transition from help desk into cyber, but I got there, and that's when I wanted to start to give back and help others who wanted to make that transition themselves.
(03:05):
That's when I created the podcast with my co-host, Renee Small. That's when we started collecting the knowledge for some of the books that I wrote: How to Develop Your Cybersecurity Career Path at Any Level, How to Hack the Cybersecurity Interview, all with multiple co-authors, because in my perspective, we need a diverse
(03:31):
perspective in how to do this. None of our paths were unique. None of our paths were straight and narrow. There's multiple ways to get there, and we can use hints, tips, and tricks from everyone and implement them in our approach with our own passions,
(03:51):
with our own things that drive us so that we have our own fulfilling career. That's a good point. So you went from help desk, which is, is it plugged in? Is it turned on? To unplug it and turn it off, I mean, security now. We don't want that going that way, so we go the opposite direction. But more importantly, like a lot of us in cybersecurity, we started out somewhere.
(04:13):
And usually it was in technology. It doesn't always have to be; it could be GRC, it could be compliance and other areas like that. But there's an allure, there's an attraction to it. And for those of us who have landed here and find it fulfilling, one of the things that I think is great for everybody is that it's not a static type of a profession.
(04:34):
You learn something, and you might be a master of everything today. Six months from now, things are changing. We've got Windows 10 going off the grid pretty soon, although it looks like Microsoft has said, hey, we'll give you double secret probation for a year, but then you want another year, it doubles, and another year it doubles again. And then you're gonna order two to the 10th power if you wanna
(04:55):
stick around for 10 more years. I think the Navy did that with Windows XP. Microsoft said, yeah, we'll just do it if you double the support contract every year, and somebody who was bad at math on the government side, now this is anecdotal, so I might be wrong, said, okay, fine. All of a sudden they're paying 1024 times as much on their contract in year 10, but it's a good lesson learned that
(05:17):
technology moves along with or without us. So you've written a couple books, and you talked about developing your cybersecurity career path and how to break into cybersecurity at any level. And I think that came out about four years ago. And Gary Hayslip, who's been on our call, and you and of course your partner Renee were the authors of that, and then Hack the Cybersecurity Interview.
(05:38):
I kinda like that name. And you did that with Ken Underhill and Tia Hopkins, whom I've not had on a show, but for people who are listening to our program, usually they're into cybersecurity. Usually they're up a ways; they're trying to, either they are CISOs maintaining their skill sets at this level, or they're hoping to break into that level of the boardroom or workroom, if you will, or at least a
(06:00):
corner office or maybe an office with a view, or at least something that doesn't end up being in the third basement. As you had worked with people, getting them into their careers, what did you find were some of the biggest challenges that people faced when they said, perhaps like yourself, I like the idea of cybersecurity, but I'm not in cybersecurity
(06:21):
and I gotta get there somehow. First let's look at the allure. There's the allure of the CISO title, and there's the allure of the CISO paycheck. You don't understand the requirements of the continuous learning, the burnout,
(06:45):
the long hours, the on call, the incident response, the being the potentially sole neck to choke should something happen. All of these implications of that title, because they're not as broadly discussed.
(07:09):
And so a lot of people say, oh, I wanna become a CISO when I grow up. And then you have maybe the more senior individuals going, eh, I don't know if I want to be a CISO anymore. It was nice. I learned my lesson, but someone else can do it now, or I'm fine with being a director.
(07:30):
I like to create the strategic program, to implement the strategic program. I don't necessarily need the title and the burnout, the extra hours, that aspect of it, unless there's some true level of shared responsibility between you and the
(07:52):
stakeholders of the business where you're discussing who really owns the risk, and whether you're advising them as to where they take the risks and they're really listening to you on how to take the risk, and they become an effective partner in these risk decisions
(08:13):
versus going, oh, it's the CISO's responsibility for everything because cyber was somehow related in there. Yeah, so what we find then is, as you had indicated, there may be some allure. It needs to be more than, if you will, the money or the title, because that's gonna be very unsatisfying, doing a job that you don't like,
(08:36):
that you find stressful, which it is going to be, we'll just be quite honest about that. It is gonna have long hours, not every day, but when something hits the fan, you're the person on point and you've gotta be there and make everything come in. And quite honestly, these days, a lot of us are worried about being the Chief
(08:57):
Incident Scapegoat Officer, when we have seen issues like with Tim Brown, whom I am hopefully going to be doing a podcast with next week, and we'll talk a little bit more about his experiences. But in general, we look at it and we go, do you really wanna be there with a little red dot following you around from the board with respect to your accountability?
(09:21):
And the answer might be that we're okay. From my military career, I had served in command nine different times. I went back and looked through some old records. I found out the selection rate for command was a single-digit percentage back when I was up for commands. And so if you got one, you were unique. If you got two, you're one in a hundred.
(09:42):
If you got nine, then you're a singularity. But that said, that didn't lend itself to putting on stars, for example, because there's a career inflection point, and this is one of the things that we wanna make sure that people understand. I've said this many times over many shows: your technical skills do not beget management skills. Management skills do not beget leadership skills.
(10:04):
And leadership skills do not beget political skills, and quite honestly, I was politically not competent. I will just be very brutally honest about that. And to a certain extent, no matter how great you are as a leader, your people will follow you anywhere. They'll be there 72 hours nonstop, working around the clock, because you've absolutely
(10:24):
motivated them to be on the point, but yet somehow you might find yourself sitting there just below the glass ceiling wondering what's happening, because you spend all your time with your people and don't spend the time with the right executives who could influence your career path up. And so at what point in time do you think that somebody who's
(10:45):
entered a cybersecurity career really starts to need to develop this political awareness and savvy? Or could they just simply say, I just don't want to go there from here. I'll be very happy being a director at some point, I'll be very happy retiring at that point. I don't really wanna play with the C-level thoughts. I would say it's up to that individual.
(11:08):
It's where they feel that they're emotionally rewarded with their career. Some people don't like the politics. Some people don't like dealing with the board; they don't like dealing with, this department's fighting with this department and you become the mediator.
(11:32):
They don't like those conversations. They'd rather focus on the technical component, or they'd rather focus on creating those business solutions or creating that security architecture to deal with the bleeding-edge technology and how we can solve those use cases.
(11:52):
And we need all those different types of characters within an organization for it to be successful. And you might wear more than one of those hats, but as a senior leader in the organization, you need to blend many of those hats together, and you could be technical, but if you don't have
(12:18):
the political or emotional intelligence to work at the board level, to work with your other executive leaders in fighting for budget, fighting for headcount, fighting for who owns the risk and the remediation and those sorts of activities,
(12:39):
then you'll end up being the one burnt out, 'cause it all gets shoved on your plate. That's a good insight. And so what we find out is that in some careers, as a military officer, at least it was from mine, it was up or out, and the idea was that you either progress to the next level or they said, sayonara, thank you very much for playing,
(13:00):
have a nice life. We're gonna keep everybody else moving. And it wasn't because there wasn't room for you at that level, but there was always a constant replenishment going on. And so what we found out then is at certain points in certain careers, yes, you can plateau and stay there. If we look at something like a Microsoft or an IBM, they have fellows, they have brilliant technical people. Some of these people are Nobel Prize winners.
(13:22):
They've got PhDs. They're not leaders. They don't want to be leaders. They probably couldn't manage their way out of a paper bag, but yet they contribute brilliant technical insights that the managers, the leaders, the political folks turn into revenue, turn into products, turn into jobs for others, and things such as that. So it's actually a virtuous ecosystem.
(13:43):
You're not being exploited here. And when I've come up with stuff, and for example, I got my name on my first patent recently, and everybody's like, you worry about that. I said, I don't really care about assigning that patent out to a company or something like that, 'cause there's no way that I can build the infrastructure to go ahead and maximize that value. And I didn't invent it to make money.
(14:05):
I invented it because it was a tough problem that needed to be solved. And I figured it out, and they said, that's pretty cool. Nobody else has figured this one out before. Off we go. So what we find then is that for people who get into cybersecurity, and this is an interesting question for you here, 'cause based upon your books and things like that, you say how to break into cybersecurity at any level.
(14:27):
A lot of us think you gotta start at the beginning. You enlist as an E-1, and then you work your way up through the ranks. But in cybersecurity, can you say, hey, I wanna be a director, or I wanna start out as a CISO, or is that unrealistic? And if it's not unrealistic, what are the pre-quals that make somebody able to laterally move into our career at a higher level?
(14:48):
So there's all types of different CISOs, and yourself as well as Ross have covered this in the past, the different archetypes: the builders, the breakers, the union, the rebuilders, the solutioner.
(15:09):
So you can have someone that, say, comes from GRC, that comes from IT, that comes from the business side, that understands the risk that the business is taking or the direction that the business is going, and understands that perspective.
(15:29):
And then they have the leadership below them to advise them on the technicals, on, hey, these are the technical risk concerns, these are the legal risk concerns. And if they heed that advice in a meaningful way, they can still be an effective CISO,
(15:51):
if they take that into consideration. Not everyone looks well on that, and if they become the scapegoat officer, the community of course goes, oh, they were in music or they were in liberal arts.
(16:11):
That has nothing to do with their qualifications. Their qualifications are more: do they understand the complexities of the business requirements, the legal implications, the legal requirements, and the other risks that the business is taking at the time?
(16:32):
Do they have the right advisory, internal or external, to make the right decisions? And then are they able to influence the business leaders at the table, at the board, to get the right funding and the right decisions for the risks that they're looking to tackle at that time?
(16:54):
And that's really where everything comes to center, and where a good CISO is built, less than where they got their education 30 years ago, what certifications they might have got 20 years ago, or what they're studying today, because you can't study every single thing that's happening.
(17:20):
One example: in the pre-call we talked about a new innovation, or a reuse of an innovation, for a Microsoft technology to embed it for a different use case. And I didn't know about it six months ago and you didn't know about it now, but we can share this knowledge with each other, overlap our competencies,
(17:47):
and advise each other as a community on how we can tackle this together. So what we have then is an interesting model. I'm sketching it out here as we talk: to be effective as a chief information security officer, it is not necessary that you came up through the ranks, as we determine, and we see that in the real world.
(18:09):
But it is helpful to have credibility with your people. And so it doesn't mean ignore the technology, but it doesn't mean you're not gonna be asked to sit down there, hands on keyboard, and then reprogram something that way. It is essential that you be credible with your leadership and the board and the organization, that you speak the language of risk, that you speak the
(18:29):
language of the organization, most likely business unless you're in government. And that is non-negotiable. And as you just pointed out, okay, I may not have a technical background. I need to have some technical credibility, ideally with my team, so that, A, I can earn some respect, but B, they don't pull the wool over my eyes. But you pointed out the very important value of having a network of peers, a
(18:53):
network of other places, of people who have had a chance to explore and learn different areas so that I'm not just Google searching how do I do something, or today, everybody's just looking at their AI engine, hoping it's not hallucinating on you when it gives you an answer, but having some genuine conversations back and forth with people who have done the background. I was not a lawyer, but I can talk to friends who are lawyers and gain some
(19:17):
insight into some of the legal implications. I was not in GRC. I do have my CISA, my auditor ticket, and I got that, wow, you talk about years ago, in 2001. So it's been a long time since I've had that ticket. I remember when I got to Ernst and Young, when I went to work there, they said, don't tell anybody you got that, or that's all you're gonna be doing is these dumb audits when you wanna go do the fun cybersecurity stuff.
(19:40):
But what if I like audits? Then, of course, to each their own. So now what we see then is that when you come into the cybersecurity career path, your focus really needs to be up. If you're gonna be operating effectively as a CISO, it does then call into question what happens if you come into a position where you don't have a well-running organization?
(20:01):
We're not always gonna step in when everything is running perfectly. Everybody's highly motivated. You've got the world's best qualifications; Meta has offered them a hundred million dollars each, and they all said no because they wanna stay and work for you. How do we deal with that when we're now in a CISO role? We start out and we realize things aren't working the way they
(20:23):
should be, but I don't have the technical chops to go fix them. Any insights in terms of how somebody could proceed? This is where your people leadership skills need to come in, 'cause you need to understand, what are their personal motivations? Maybe they're in the wrong role. Maybe they're in a security role when they'd prefer to be in an infrastructure role.
(20:48):
Maybe you have folks on the infrastructure team that have more interest in being on the security team. Maybe you can cross-match your resources and have shared responsibility between the teams, or have a fusion between the teams so that you can blend those experiences and start like that.
(21:11):
Oftentimes new leaders, when they come in, they'll have an assessment from an external organization where they can point out weaknesses, where they can point out best practices. That could be one approach. I know another leader that loves to start from the people aspect and
(21:33):
do personality assessments to see what are the personal drivers for all of the members on their team. Figure out those drivers and then work on those drivers to drive the team building, the camaraderie, and the personal motivations behind his team first, then build the skills and competencies where he or she
(22:00):
sees gaps in the team to build those up. And then, if they do have additional budget, recruit in or grow up from the organization. I think it's an excellent point, because in a certain way you're acting as a coach, and if you were to come in as a coach of, let's take an example, an American football team, and the team's doing poorly, and you realize the
(22:24):
person you have playing quarterback is one heck of a kicker, and the person that you have as a wide receiver is an amazing tackler, linebacker, and all of a sudden you realize you've got the right people. They're just in the wrong spot. So that's part of assessing that. And since you'd come from the help desk world originally, you'd appreciate this. A friend of mine many years ago that I knew up in the Baltimore
(22:46):
area, Toby, was in charge of the team, and he had read up about the Myers-Briggs and the 16 different profiles that could be done, and he did those inventories. For those who aren't familiar with Myers-Briggs, you look at four different axes of personality preferences. It was initially used in World War II to try to help the US Army put the right people into the right type of a job, because they're trying to place
(23:08):
millions of people at that point. And what he found out then is that, much like the football analogy where people are in the wrong position, people were not in the areas that they enjoyed the most. They were doing one thing, but they hated it and just ground it out because it was a paycheck, but when he put them in areas where they aligned with their preferences, the productivity of the team, sort of,
(23:32):
morale went up, things got done, and he didn't change his people. He didn't change the payroll. And so that's an important idea. Have you seen other tools, other than something like a Myers-Briggs Personality Inventory, the MBTI, that have been helpful for CISOs or other people in that position to reorganize their
by name, but just more so by having informal conversations.
(23:57):
For example, if you have someone that doesn't like to be meticulous and detail-oriented and following the tracks, they might not be a good SOC analyst. They might not be a good forensic analyst. They might be a good help desk person because they can talk to the user,
(24:22):
find out what was happening, gather all the details, and then escalate it to the right team. But they wouldn't be the one kind of following all the breadcrumbs to exactly what the error was in the memory stack. So there's the informal way and then there's a structured way, and
(24:42):
I think cost of the organization, maturity of the organization, all those considerations are part of it. Even the mentality of the leader and the mentality of the team. I know some folks see these personality assessments as fufu.
(25:06):
Doing these as informal assessments, conversational one-on-ones, by just asking them these types of questions to gather what their personal motives are or where they feel that they gain the most power or where they wanna grow their career,
(25:27):
and just doing your own table analysis of if you have the right players in the right place could be a low-cost, low-code way of doing it. Yeah, and you can also look up someone like Daniel Kahneman, who passed away a couple years ago, I think at the age of 90. But as a young psychologist, he was there with the early days of the
(25:50):
Israeli army, and they had a very touch-and-go process of getting the right people in the right jobs. They weren't doing very well, and he said, hey, let's make it methodical. Let's do this. And they all thought, you're gonna turn us into automatons. But he said, no, this is a process. Stick to it. Ask this question, this. Take a little bit of time. Reflect on it. Then come up with a decision, and their decision process went way up.
(26:10):
It's interesting that as a psychologist he ended up getting a Nobel Prize in economics, because you take a look at why we are predictably irrational and why we have, Thinking, Fast and Slow was his book. And Ariely, I think, did the Predictably Irrational book. But there's a lot of different things we can make ourselves available to that are outside of the CISO bookshelf.
(26:33):
These are not all cybersecurity books. A portion of them are, but a lot of 'em are that interesting thing. The other thing to keep in mind also is that cybersecurity, for whatever reason, tends to attract and hopefully retain neurodiverse people. And so what we find out is that when we're kids and didn't understand that, people would just get labeled, okay, this guy's just weird, or a nerd, or whatever.
(26:54):
And then we realize that in certain cases, in the cybersecurity world, that natural tendency becomes a superpower. Somebody who could focus on 20 different things simultaneously, track them all like an air traffic controller, do extraordinarily well, or turn off the whole world, focus on just this one thing and drill in.
(27:16):
Drill in and stay focused until you say, hey Christophe, when's the last time you went to the bathroom? And you go, no, I guess I gotta go. And so those, which in a traditional world, people look at you askance and go, yeah. We find out, particularly in leadership roles, that we can empower people to do extraordinary
(27:36):
things if we can align them with those unique characteristics that they have. And what historically people would argue would be a limitation or even a workplace handicap becomes a superpower. You as the leader not only can increase the productivity of your team and the results you get, but you're gonna help the morale of everybody else,
(27:59):
'cause people are doing what they wanna do and you're doing some good for your people. And so I think that's one of the rewarding things you get in the cybersecurity. Absolutely, and that's why I used a coaching moniker as part of my own personal brand. And I do a lot, I did a lot of self-education courses on coaching and
(28:24):
mentoring to understand the psychology there, to bring that out to help facilitate and mentor and strategically develop relationships, conversations, ideas from a diverse set of individuals
(28:45):
within a group, within a new team, within a new client, because as a CISO, you have to do that. And like you mentioned, within the cybersecurity community, this neurodiverse population, not all of 'em might be comfortable speaking
(29:07):
outwardly to unfamiliar people. They might be very introverted until you touch on that one subject that they're very passionate about, and then they'll explode and talk to you all night and you're like, whoa. They're not introverted. They're totally extroverted. No, they're introverted, because talking
(29:30):
to the general public in general doesn't provide them emotional power. It's very emotionally draining for them. Now talk to them about cybersecurity and say static code analysis, and they could probably talk your ear off, because that is an area that provides them
(29:51):
that emotional charge to keep going. So finding what those are creates that superpower within your team and allows you to take someone that might have been looked at as a recluse or introvert, and you can turn them into an amazing public speaker, because you're focusing on sharing
(30:14):
knowledge that they know, knowledge that they're comfortable talking about. Maybe some practice, maybe some repetition on how to deliver, how to interact, and they can get really good at that. It would not probably be something that they would be the first to raise their
(30:34):
hand for, but it could be something that you can bring out in them and use as an asset for your organization. That's an excellent point, and I have always, I've shared many times, the advice I got when I first got to Booz Allen was, speak every chance you get. And I had found out that many years of speaking did a couple things.
(30:58):
One is you become much more comfortable on the platform. Number two, you know how to deliver, how to have impact and how to get that, and also from the perspective of, we were talking about jobs and things like that, people said, like, how do you get paid to speak? I said, do it for free for 20 years. It's a long apprenticeship. It's not easy necessarily. Some people say, I want to crack in.
(31:19):
I wanna make a fortune. Maybe you can at some point in time, but don't focus on that initially. What you need to do is get out there, master a technique, have a personality, don't try to be a poor version of somebody else, be the best version of yourself. But another thing, just before we wrap up on neurodiversity, is the question I have with regard to the HR department, is that in cybersecurity we may have a
(31:42):
special appreciation and even a need for people who fit that, but when you go into a traditional HR department, they may fail a whole bunch of the gatekeeper functions to say, nope, this person didn't pass well on this test. They didn't do well on this interview. They didn't show up here on time when they were supposed to, whatever. How do we go ahead and help shepherd our best candidates, that we understand
(32:09):
can not only add value to the organization, but will have a great personal fulfillment, past the static defenses, which are not set up to allow them to be necessarily successful in getting to that day one on the job? Let's talk about those static defenses. So those static defenses were developed for compliance reasons to make it
(32:35):
fair, but in the end, don't make it fair, because if you don't parse your resume in the right way, if you don't state your experience in the right way, if you as a minority, whether mentally or from a different sort of
(32:59):
background, stated it in the right way, the parsing mechanisms used by HRIS systems end up excluding you from the application pool almost immediately. And that has been discussed and discussed, and we're almost getting to
(33:24):
the state where we're telling leaders, okay, for those niche population sets, if you do the same thing you've always done, you're gonna get the same results you've always gotten. So change your approach. Go to smaller conferences like BSides or Women in Cybersecurity or
(33:48):
smaller conferences that attract that type of diverse population that have those superpowers that you're looking for, and have an informal interview with these candidates. And if you find that diamond in the rough, tell your HR, hey,
(34:10):
I found someone, I'm going to put them through. You can screen them, you can do all the traditional background checks you want, but I'm putting this candidate through as part of the next stage interview. As a leader, that should be a capability that you have, and still
(34:32):
be able to satisfy all the compliance requirements that you're validating. I think the other concern that HRIS systems are facing is with the scaling of AI and AI tools to both scale applications by applicants, by hyper-
(34:59):
tuning resumes, now you're getting a thousand applicants in an hour, and I'd say the poor folks in HR that were already overwhelmed with 500 candidates over the span of two weeks now are totally overloaded and
(35:22):
have to shut down the application in an even shorter period of time. But you have an even smaller set of really qualified candidates in your talent pool that you have to try to weed through again. Which goes back to, as much as there's been a growth in diversity,
(35:47):
equity and inclusion initiatives, and then we saw a swing back. Organizations need to find this happy balance of how to blend in, finding what's right for them, not because it's politically right, not because there's
(36:09):
some requirement set by the government, some compliance requirement that they need to set, but because they're finding the right resource to satisfy the job needs and the job requirements for their organization. Very good insight. So let's go ahead on the other end of a career track and say at some point in time
(36:35):
we've gained experience, we've worked with CISOs, we've maybe held down a number of jobs, but at some point there might be a desire to say, hey, I wanna be a vCISO or a fractional CISO, either independently by just hanging out your own shingle or by aligning yourself with some other group that provides that service. If someone's gonna make that leap into the virtual or fractional CISO world,
(36:59):
what words of advice would you offer them to think carefully before they do?
Stay true to your passion.
Back to what keeps your emotional battery charged.
You don't want to do something that drains you,
'cause at this point you're maybe retired or semi-retired, and you're either
(37:23):
doing this for fun to maybe provide a secondary or tertiary income stream.
So you don't want this to lead to detrimental health effects,
emotional health effects.
So you want to choose an area that
you're comfortable in, that makes you happy and that you can really show your clients
(37:48):
that you're an expert in or sufficiently qualified in to provide them with that
external advisory support in there.
Now, this gets into the legal
accountability, responsibility components of it.
(38:13):
As a virtual CISO or as a fractional CISO, when you engage with a client,
you have to set a clear scope of engagement, what your client,
who's responsible for the risk,
who owns the risk, and what's the scope of services that you're providing?
(38:34):
Are you providing advisory services?
Are you providing technical implementation services?
Are you providing scoped project services?
Really putting that into paper and a legally binding contract.
(38:55):
And then just to protect yourself, have some sort of cyber insurance, some sort
of indemnity protection for yourself.
A, you're walking into an environment where you might not know if there is
a previous information exposure event that might come back and haunt you.
(39:17):
You don't know what
the other individuals in the organization may or may not be doing while you're
a fractional CISO there, so you want to protect yourself as well.
So you wanna have these sorts of indemnity insurance to protect yourself,
(39:38):
in the event of something like that.
And really, insurance,
for those of us who grew up in the risk world, we understand we're
simply assigning risk in exchange for some fixed premium amount,
if a company that is insuring you will take on the variable risk that
may pay out nothing, may pay more than your premium, but ideally,
(40:00):
we always have to remember that those are priced in a way where
they're designed to make a profit, and there's nothing wrong with that.
And reality is it's a little bit like taking the time to put on a seatbelt.
You never wanna need that seatbelt.
You never want it to have to save your life because even if you've put a seatbelt
on for 50 years and you've never had it
(40:21):
hold you back from anything.
It doesn't mean you're gonna stop wearing it saying, Hey, you know it,
that's the 10,000th time I've put on a seatbelt and nothing's happened.
So who needs seat belts?
Reality is it's there to mitigate the impact of some risky event that
might be a low probability, but very high impact, kinda we call the
black swan, so to thing finances.
(40:43):
If you look at, say, a small to medium information exposure event of sensitive
information like social security number, and then now you have to reach
out to a 100,000 to 200,000 people.
This is considered small to medium breach.
(41:05):
You have to reach out to them via the US Postal Service.
You have to provide them with a year of credit monitoring.
You have to do a forensic analysis of the event. All of this adds up really quickly.
Oh yeah.
More than likely will surpass $50,000 really easily.
(41:28):
Your insurance premium, even for an individual fractional CISO,
will not likely get to that level,
protecting yourself.
The organization, on the other hand, their cyber insurance should
cover their portion of this.
You as a fractional CISO, it's co, it's covering any errors and omissions
(41:51):
that you might have done in your advisory or your implementation of the
solution that you provided to them.
You had mentioned the postal service, and here's my kind of
sheet of my favorite stamps.
These are
Women Cryptologists of World War II, they came out four years ago,
and of course they're forever stamps, so they hold their value.
(42:14):
But I always like putting that on a letter because they're
like, yeah, that's from G Mark.
He figured he'd find something to do with cryptography and women, things like that.
So anyway, as we wrap up here, any last thoughts as you could
give to our viewers/listeners?
Plus also, how do we find out more information about you?
Where's your podcast?
And what do they say?
Hey, this Christophe guy is really great.
I wanna follow up with him.
How do people get in touch with you?
(42:36):
So advice.
Think strategically, whether it be your career, your cybersecurity
program that you're looking to develop, find medium to long timelines.
So three to five years that you wanna plan some growth on, and then break
that down into smaller timelines.
(42:57):
And anything longer, anything shorter,
there's too many variables in there that are beyond your control.
For the podcast, it's Breaking Into Cybersecurity.
It's on YouTube, it's on Apple Podcasts, it's on Spotify. For my books,
they're on Amazon
(43:18):
under my author profile, Christophe Foulon.
And if you want more information about me, you can find me at christophefoulon.com,
which I have up right now. Excellent.
Christophe, thank you very much for taking the time to be on our podcast
and if it worked out well, I'll also be on yours if we, if this becomes a
Breaking Into Cybersecurity episode.
But for our listeners and our watchers out there, thank you for being part
(43:38):
of our CISO Tradecraft audience.
We do this for you and hopefully, if we are meeting your requirements and
your needs, help other people find us
by giving us either a thumbs up or a five star, some other feedback into the system.
So they'll prioritize how CISO Tradecraft will show up in other
people's feed so that we can go ahead and reach them in their career as well.
(44:00):
I will be at hacker summer camp.
That will be, I guess, the week that this show comes out.
So hopefully if you're in Las Vegas and you're listening
to the show, come look me up.
You can find me and I'll look forward to you.
I'll be where at my CISO Tradecraft stuff.
Meanwhile, in the time that you have available, if you're traveling out
to Vegas, or even if you're not,
(44:20):
make sure you stay safe out there and don't forget to help
other people in their careers.
It's one of the best things that we can do as leaders in
the cybersecurity profession.
Christophe, thank you very much and until next time, take care everybody.
Thank you so much.