All Resources

CISO to CISO Webcast with Chris Houlder, Head of Global CyberSecurity at BioMarin Pharmaceutical Inc

Webcast and Podcast | Altitude Networks, March 26th, 2021

On this episode of CISO to CISO we would like to welcome Chris Houlder, Head of Global CyberSecurity at BioMarin Pharmaceutical Inc. With nearly 25 years of experience spanning information security, team management, information technology and product/software security, Chris has been developing and executing strategies to solve complex security challenges and leading operational and company changes. Previously, Chris served as CISO and lead teams at Clarivate Analytics and Autodesk. Chris current serves as a board member for Rapticore, also a venture advisor for YL Ventures.

Read, Listen, and Subscribe to the Podcast

CISO to CISO-Chris Houlder-trimmed audio.m4a: Audio automatically transcribed by Sonix

CISO to CISO-Chris Houlder-trimmed audio.m4a: this m4a audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Michael Coates:
Welcome, everyone. This is another edition of CISO to CISO, I'm your host, Michael Coates, and super excited today to be joined by Chris Houlder, who's going to bring lots of interesting discussions. Thanks, everybody, for joining us again. And Chris, thanks for being here.

Chris Houlder:
Yeah, thanks for having me, Michael. I'm really excited to have the dialogue.

Michael Coates:
Yes, we're going to dive into some some really interesting topics for those of you that have been listening and watching, following along, please remember you can watch these webcasts recorded on the Altitude Networks' website or you can subscribe to the podcast or listen to them in audio. So whatever format works for you and these events are sponsored by Altitude Networks. We're bringing data security to cloud collaboration. So if you're using G Suites, Google Workspace or Office 365 and you're concerned about people sharing, stealing, leaking, losing your data, that is our sweet spot and we can help you. With that, let's jump in. So, Chris, you've been you're currently head of security at BioMarin Pharmaceutical. You've been a CISO at Clarivate, you've got a CISO at Autodesk, even adventure advisor. You've done a lot of cool stuff. Talk to us about that journey. How did you get to where you are today? Were you were you coming out one day saying, my life's goal is to be a CISO? Or did you find yourself on a winding trail to get there?

Chris Houlder:
Yeah. So so, you know, I was kind of taking stock of this in preparation and realized that. So I've been in my career for about twenty five years. And I'd say in tech, although I think we we would argue that or I would argue that security is not quite just tech and have been really in security leadership roles for about 20 years of that. And now I've worked at a broad type of organizations, primarily, as you said, really in or actually you didn't say that yet. I think, you know, I've worked primarily in tech and I've worked in life sciences, but I've worked in a range of roles and company sizes and say ownership structures in that path. So I really came up through the practitioner ranks and doing that, as you know, and I'm sure are well aware, especially right now, is, is that you can be a leader, manager and practitioner in startups. Right. And so so, you know, I've really I've been at this for a while. I would say, looking back, I think I had the ingredients for security, but now I didn't go into it with an expectation that I was going to be focused on security the way that I actually got involved in security as I was a network manager at a at a startup.

Chris Houlder:
And I was the first person in that morning. And we we had the VP of Engineering come in the door frantically looking around for who is there that could do some level of operations support. And he said, we've been hacked. Right. And and we brought in Foundstone and we did an assessment and it turned out we had not been, in fact, hacked, that it was just, you know, an outsider using an exploit and giving us a little bit of information about our environment and offering to pay us consulting fees. And but, you know, we're working with the early Foundstone guys and just seeing that play out connected the dots for me. And I knew going forward that that was going to be a big part of my career going forward. And as my career progressed, I've always owned a portion of security or I should say I've always owned security as a portion of my role and then inevitably made the shift into the the just security. That's the CISO role later in my career.

Michael Coates:
The technical track into the CISO role is one I'm seeing more and more and you know, I may be biased. That was my path as well. I think earlier on years ago, we saw we saw leaders taking over the role of security because they needed a leader, but they weren't really equipped with the technical backing. And of course, I think you would argue the same, that we should no longer be the most technical person in the room. If so, we've done a horrible job at hiring. But having that background to call B.S. to ask the right questions, to pose some considerations, you know, I found that to be very helpful. I imagine from from your path, you might have seen that as well.

Chris Houlder:
Yeah, absolutely, I think it's I think it's a really interesting debate and and, you know, you say, well, how did I get here? And one of the elements of getting here is is for me has been finding good mentors and finding people that I can take advice from. And one one coach that I had at one point said to me that if you want if you want to find your areas of development, look in the shadow of your strengths. And so I think I think coming up through the technical ranks, to your point, can give you a really good perspective, we can help you to relate to teams more, it can help you see those things. But if you can't release that and put it in the right context and put leadership first, then I think it becomes an over leveraged strength. And I think it actually is more likely to become an obstacle when you're being successful than, you know, it being something that's going to lead to success. And and interestingly, you know, for me, I've I think I think I recognized that early on. But I think you do need to maintain a balance, because I think that I also went to a degree where I was focused almost entirely on leadership and really empowering and trusting people, which I believe we should do, but not necessarily fully staying connected, even, you know, at my level for what was appropriate with what was happening on the ground. And so I do think it requires, you know, I think it's different from company to company, and I do think it requires a level of calibration and self-awareness.

Michael Coates:
Yeah, you know, I totally agree. And you even alluded to that other part of describing security as a technical field. More, more or less. I forget your exact words, but you hinted at something that has always rang true to me, too, which is as technical as we could be or used to be. It's still very much a field about risk and business and humans. And those things are a little unexpected at first when you're in there, like clacking away at the keyboard, you know, stereotypical green screen Hollywood movie, like opening your eyes to what security is with everything else, like, well, look at all these business factors that are playing into this.

Chris Houlder:
Yeah. And I think and I think that's probably going to be a theme that emerges pretty heavily as we discuss this on on how I try to approach what I do at this stage and the advice that I would have for other people.

Michael Coates:
Yeah. Now you've had another interesting experience that perhaps many people have now had, but you have started a new security leadership role, totally remote in the midst of a global pandemic. And now you're, you know, six or nine months in. What has that all been like? I mean, starting a new role as head of security is something on its own doing a totally remote with all the other things. I mean, that's a whole other bag of things.

Chris Houlder:
Yeah. So, you know, I guess if I I guess if I look at the role itself in what I try to achieve. And you know, everything I say, I think needs to be adjusted and I recognize that it needs to be adjusted from company to company. But but but I have a starting point now at this stage that I try to operate in. And I'd say within the first three months, zero to three months. First thing I do when I come in now is I make sure that there's an IR plan in place, because I think no matter what you're doing, if you get caught by an incident and you're unprepared, that could really seal your fate at an organization. So, you know, I'm looking at that. I'm figuring out the urgent and important. I'm starting to meet with key stakeholders on assessing the team by the end of that three months. I want to have a roadmap that I've publicized with with an understanding that it's progress, not perfection. And I expect to revise it three to six months. They start going into execution. I start looking internally at the team I'm working to build. I'm establishing metrics that you can see before and after.

Chris Houlder:
And then 6 to 12 is really me starting to continue to execute and move, to move, to plan in year two. So. So as I've been doing that and I'm about in the middle of that process and for the most part on track, I would say starting remote has been o`dd, but but also quite familiar, because I'd say that I do really like being nomadic in the way that I work and I've worked for multinationals for a good part of my career. So I'm used to having to be connecting with people through means other than face to face. I'd say that the really good elements of this is that I feel like I have a lot better control of my time at a time when that's really critical, where I really need to process, do deep, some deep thinking, a range stakeholder meetings. I think the stakeholder discussions, because it's the beginning of relationship building, have been good where I've seen, you know, and I think video I thought about this. I thought, wow, if I if I was trying to do this over the phone, then I think we'd be having a very different conversation. But I think video at least creates some of that connection.

Chris Houlder:
I think some of the challenges that I'm seeing is in this does really start talking about some of the differences in what I'm seeing in life sciences as opposed to high tech is, you know, I can't go visit our labs and our manufacturing environments. And I'm a very visual person. I want to see our processes. And so I haven't been able to do that. So that's been on hold. And then there's always the deeper team building. Right. I'm sure while I want to need time by myself, I also like to connect with people, have fun, be there in person. And so I'd say that the experience feels a little two dimensional. And and I'd say that I expect that I'm actually going to have to start dates at the company. I think I've had my first start date, but I do expect that when we return to the office. And I do I think that will be different than it was prior to covid. Then I start seeing people in context and I see people in group settings and that's a whole new set of observations and cultural lessons for me. So it's been mixed for me. It's been mixed.

Michael Coates:
Mm hmm. Yeah. Yeah. You mention of team building is really spot on because the notion of working remote, working from home is certainly not new and companies that have done it really well. But even in those realities, you're not still entirely 100 percent remote from each other. For people that have worked with me or know me at Mozilla in particular, my team was in three continents and seven countries. And sure, we're very spread out. But we would come together in person multiple times a year somewhere in the world, which was great, but great treat in itself. But you always had that moment of physical cohabitation to lean on and then to go back to your separate ways. And that's been tough not having that for this past year.

Chris Houlder:
Yeah. And travel in general for the exact purpose that you point out. Right. You can do a lot remotely, but I'm with you. I'm a firm believer that you've got to have those face to face in person moments where you're you're working. But when you're also having dinner together, maybe having drinks together and and just getting deepening that connection through just socializing. I mean.

Michael Coates:
Yeah. The other thing I love that you said and I don't know if everyone thought it was you mentioned focusing on metrics before and after. I think that is a key item that too many people forget about. And I love that. That's something that I've used as well. Like if we're going to start a new program, figure out how to measure it today on day zero. So after you've done a bunch of work, we have some way to show that progress. The last thing somebody else wants as well. What's security like? Oh, they're doing stuff, because then if you're just doing stuff, the only concrete thing that they know is, oh, there was a breach. But what else you've been doing if you fail? Air quotes failed on this breach, which I think is a misnomer. But that metric is really a great focus.

Chris Houlder:
Yeah. And as with most things, Michael, I've learned that through failing a number of times, you know,

Michael Coates:
That is real progress.

Chris Houlder:
I've implemented the project and thought multiple projects and looked back and thought I really wish we would have captured what this looked like before, because who knows at this stage. So, yeah.

Michael Coates:
Now for it for those of you that are listening to us on the podcast, you're missing out on one key thing we're going to dive into, which is the Altitude Networks, virtual jet, the best money that a virtual can buy. And I've taken Chris around the world. And Chris, I'd like you to tell us a little bit about why you chose where we are and what this location is.

Chris Houlder:
Yeah, and I'll tell you this multiple times. I just love the fact that you do this because, you know, I think the you know, the key for me is this is this was a special moment in my life. So this is so what we're looking at is we're looking at the Kiyomizu-dera, which is a temple in Kyoto. Why it's meaningful for me is I had wanted to go to Japan my entire life. I missed a number of opportunities, both personally and for work. And as my children started to get older, they also really wanted to go. So I took my 12 year old son at the time on this trip. And so this is a Buddhist temple that was founded in like 1778. Not a single nail was used in the entire structure. This building itself was was constructed in 1633 to just kind of the rich history of that. I would say going there and being in nature was just it was kind of a spiritually moving experience. Right. And, and the meaning behind all of it. And so it's named after the name means clear water, pure water and it's named after a waterfall within the complex. And water comes down through three channels. And I'm going to show you my picture in a second.

Chris Houlder:
You've got the you know, the well Photoshopped view of the entire thing. Right. But there was when going to these temples, there's a purification ritual. And normally it's it's done in an area that's about the size of a table. And in this particular case, though, it's these it's water. It's a waterfall that's coming down from the mountain into three streams. And I'll shut myself out of this for a second. So that's me. You have to reach out. So I'm 6"3'. So I'm reaching out and you're getting this rushing water go by that you then capture in a cup and then you go through this ritual, you know, this cleansing of you clean your hands and then you clean your mouth and then you inevitably clean the stick in place and back. And so I'm just going through this was a great experience finding these photos and reliving that with my son. It was really meaningful. I did find out in doing research that long ago in this place that people would actually jump from the stage and it was a forty three foot drop. They believe that if they survived, they got a wish. And so what would be your guess, Michael, on the percentage of people who survived that jump? Forty three feet.

Michael Coates:
I don't know, maybe one out of five.

Chris Houlder:
Yeah. So it was eighty five percent, eighty five point four percent. So I'm happy I didn't know that metric at the time because I like those odds. I think I probably would have shot.

Michael Coates:
Oh man. I wonder how many people are wishing to survive as they were falling down. Yeah.

Chris Houlder:
And I guess, you know, survive is is kind of a relative term. Right. Like, you know, they lived, you know, a forty three foot drop. That's pretty significant. So. Yeah. So beautiful place. I have a twelve year old daughter and once covid is done we will also be taking a trip to Japan. So.

Michael Coates:
Oh that's wonderful thing. I mean, thank you for sharing that. That's, that's quite the memory. And you know, what a fantastic spot for us to, to be at. Let's see, so stepping back to something that you mentioned earlier from your career, it's very it's fascinating that you've seen the world of security in two distinct domains. And by that I mean like industries. I think for all of us that operating in security roles, we know that each industry has its own nuances, its own most important factors. So what has it been like moving from tech tech dominated, focused companies into the life sciences industry? Does security look and feel different or you must have at least different top risks or motivations that kind of guide your day?

Chris Houlder:
Sure. So, I mean, I think is a starting point. I love working at innovative companies, with smart people, with big challenges. Right. So so that definitely exists in both in all of the companies that I've worked out in both high tech and life sciences. I think, you know, you had made a comment earlier, I think around, you know, understanding the business or something that that kind of stuck with me on, you know, really kind of understanding the business and in the core of that. And so I do try to dive in and understand the business beyond a superficial level. And I would say in high tech, it's, you know, you know, as technologists where we have a lot more underpinning skills and knowledge that we can immediately apply to what the product is and how we get that out. I don't have a background as a scientist. And so as you look at biotech. There are just some there are some pretty significant topics that are complex. There are a lot of you know, we have a lot of the smartest minds in the world in their space. PhDs have spent their lives and careers working on acquiring this knowledge. And so one of the big differences is and I do I did work at Genentech, so I do have some transferable knowledge that I'm able to bring over. But but, you know, it's that's still a learning curve and it's an exciting one. I would say 80 percent, you know, just pulling that number out of the air, let's say a lot of the fundamentals are the same. Right. I do think to your point, you know, you have a different set of risks. You know, you have different data sets protecting those different data sets in different ways.

Chris Houlder:
I think you're trying to keep certain services online for different purposes. I think I think, you know, I don't think I approach this. I'm a huge advocate of that in this cybersecurity framework, primarily because of the levels of abstraction that it introduces. I think you and I might have had this conversation. I think it totally misses the mark on software security. But that's where you can use something like, you know, OpenSAM. I think what I think what gets introduced in this space, which is an interesting in life sciences, which is an interesting new view, is operations technology. Right. And so, you know, we've heard CIA confidentiality, integrity and availability forever. And we've people have played around with accountability and other elements. But when dealing with operations, technology, you do really need to take into account reliability and safety. And you have to start thinking in terms of Stuxnet. Right. Like what you're talking about pieces of equipment or any of that long history where we've really started to understand that security can impact industrial control systems and can create a physical events. Right. And that's interesting. That's that's not something that I I mean, it makes it ironically, you know, I'm listening to a lot of these books in parallel saying where I'm just the hacker in the state just just for enjoyment. And it didn't immediately connect to me like, oh, no, no, you're in that environment now where you really have to make sure that what is getting deployed is not going to affect the safety of people who are working on that. So that's new and exciting along those lines with operations.

Chris Houlder:
Technology is you're dealing with very long life cycles. Right. So if you kind of look at the timeline where we as an industry have started thinking about security as it relates to operations, technology, it it's fairly recent. And yet some of the lifecycle of this equipment is 20 years old. And so how do you you know, I think in a traditional high tech corporate environment, you've got a lot of churn, you've got cloud providers. And all of those things do apply here. But but they can start rethinking security and integrating into that into their products. But when you're dealing with a device that's controlling a valve or a piece of equipment and the intent is to have that last as long as they possibly can and try not to interrupt it to impact reliability, it becomes interesting in how you you take on that challenge of securing that from against modern security challenges again, without necessarily the vendor having put those things in place ahead of time. Compliance, I think, are motivators in my experience in both places with cloud companies. I think compliance is customer driven compliance. But in life sciences, it's it's really regulatory driven compliance and it's far more substantial. And yeah, I'd say those are the things that are starting to emerge as the differences. But then again, I think we're having the same conversations about what's the foundation that we need to build, how do we move from projects to talking about capabilities and then inevitably, how do we flip that whole thing onto what are the risks that the company faces and how do we actually have a program that manages those risks?

Michael Coates:
Yeah, I mean, it commonality wise. We all talk about fundamentals like you suggest, like why is it so hard to patch things like we should just patch it's the basics. And I think we know even at enterprise scale, just in general, like sure conceptually simple to push the button of update. But that's not the thing holding us back. It's asset inventory, it's downtime, it's backwards compatibility, all of these things. But I can only imagine thinking about all of those challenges on top of this is some sort of industrial control life sciences, 20 year old piece of machinery, like what's going to happen if we try update something here that must be a whole sorts of unique challenge.

Chris Houlder:
Right. And you know what? I what I would imagine and I know I'll get a deeper experience with vendors with this is that, look, if you're buying a product now, I would hope that a lot of vendors are have been giving this some thought and do have the appropriate hooks in place and so on. But if you're on year 15 of something that you're going to be running for 20 years, you know, that's an entirely different conversation.

Michael Coates:
And then, the other thing you mentioned that that I liked was the nuances around. Yes, CIA, but also safety and reliability, I believe.

Chris Houlder:
Yeah, reliability.

Michael Coates:
Yeah. I think that's such a great way of looking at it, because as you also mentioned, that all ties in together to fundamentally like what is the risk like each of those are individual components. And far too often we I think growing in the security field, you may look at something in isolation. And really when you step back, the question is, what is this risk? Where should we prioritize this? And I know that's something that you've been thinking a lot about, this connection between figuring out what the risk really is and then what should we specifically do, what are the specific actions that should be taken or should be captured or recorded along those lines. Talk to us more about that, what have you been learning going down that journey?

Chris Houlder:
Yes, so probably a great example of this is I sat on a panel for the NECB, and I can't remember the exact title, but the topic really was how do you communicate affect how do CISOs and board members effectively communicate about security? And it was a great discussion. One of the board members, I think, summed it up well. And there is a lot of head nodding in the room after she had made this comment was you could you could hear the frustration in her voice, as she said this was, you know, we have all the other teams, all the other functions in the organization come in and we know what to expect. We know how they're going to talk about the metrics in their area or the risk in their area. And then we see security on the agenda or security shows up in the room and we have no idea what we're going to get. Right. And and it's I think it's a fair comment and I think it's absolutely fair. And being on the other end of that, that's equally as frustrating for me, because I am a huge believer in the idea that we want to be able to to show our most senior stakeholders and actually down to the practitioner level. Here is the whole of what we can be working on, but this is what we're choosing to work on, right. And I think, you know, for me, that started by talking about capabilities. And in almost every organization that I went to, probably more so 10 years ago, I would ask people, well, what do you think goes into a key stakeholders? What do you think goes into a program? And I get antivirus, I get patching, I get a few things.

Chris Houlder:
And then I would show a framework and they would be surprised by how many moving parts were involved in security. And then I would explain. But look, we're not going to get all of the, not all of these are, we have different levels of concern and we need to bring these to different levels of maturity. And they would get that conversation and then we would move forward doing that. And then the conversation would naturally move to. But when are we done? And why to this why this capability to this degree? And I think, you know, I think when we're dealing in terms of foundation, we can we could probably agree that you just made the comment about asset management. And I beat this drum all the time, which is, you know, it's it might be boring, but it's core and it's foundational to what we do. And if you're not getting that right, how do you how do you get all the layers on top of that? Right. And so, you know, really being able to. We can probably agree that that's an area that we want to get to a base level of reproducible maturity, right. But there are there are other areas where, you know what? Maybe we're OK with it, you know. Maybe we're OK with it, too. It's not that important to us.

Chris Houlder:
But this one, this one's going to be a 4 or 5. Right. And so that to me and this is where risk comes in, is that to me is where we should be talking about risk. And the and I say this with you know, I try to be humble as I say this because maybe there are people out there who have feel feel like they've solved this problem. And I've cast cast my net far and wide and and have yet to really hear someone come back with something that I think is practical. I've done a lot of research and don't feel like I feel like I'm getting closer to solving this problem. But what I think would be an ideal situation similar to a taxonomy or a framework for capabilities or controls, which we had prior to that would be for us to be able to go in and have a common language for what what are we even talking about with the risk? Because you can and all parties are right, you can have a risk register that's got 900 items that are very tactical in nature, or you can have 13 items in very strategic and no one's wrong in that. I think if you're talking to the board or executives, you probably don't want to present the 800 item, you know. But how do we get those high level strategic risks outlined in a way that can be understood easily? You know, and I've been exploring further. I think there's a lot of potential and there as an example in going the quantification, but I'd say some of the some of the risk statements that come out of fear, I don't understand.

Chris Houlder:
Right. And so it might be the best methodology out there, but if it can't be translated to people that in a way that they're like, I got it. You showed me five things. This is what you're saying we should focus on. I understand the math behind that, the rationale, and let's go that direction. And I think inevitably with risk discussions, that's what we need, where we need to get. I don't I personally don't feel that it needs to be so mathematically sound that it's defensible, you know, internally to be brought in mathematicians. Yeah. I think that it needs to be grounded in enough reality and critical thought to generally make sense and be beyond us just measuring what our interpretation of risk is. And then I think that needs to be matched with, OK, we know that these are our risks. What capabilities will have the biggest bang for the buck in our environment? And then let's go do those. Right. And and I've had lots of conversations on this. I feel like we're getting closer as an industry. I don't think we're there. And so that's my passion. As I had said earlier, you know, starting at about my 6 to 12 month period, I start gently introducing the idea of risk. I would expect that going into next year, my personal focus is going to be almost exclusively on putting the structure in place.

Michael Coates:
Yeah, the I mean, that notion of of prioritizing and thinking about it from risk makes fundamental sense. And I've leveraged that as well. And what I found helpful is I agree with you in terms of the mathematics and how precise it needs to be. I describe it as it needs to be directionally accurate. But otherwise, like there's such a margin of error anyways in each calculation. Just because you multiply ten numbers with medium confidence doesn't mean you have any more confidence at the end. Then there's ten medium things itself. One of the things that I found very helpful with that is when you do have a an ordering of your kind of key risks or key projects that back into those risks, it worked really well for almost budgeting conversations where someone said, hey, number 6 seems really important. Why aren't we doing it? Like, well, number 1 through 5, we can agree, are higher risk. And I've run out of resources throughout 1 through 5. And so we can debate if the risks are right or we can debate how much money we want to spend. I can do whatever you want. We can draw the line in the sand anywhere we want to.

Chris Houlder:
I couldn't agree more. And I think that's the ideal conversation, I think. At the end state, and I think what's important, in my humble opinion for a CISO is to not be too wedded to that outcome, because I think at the end of the day. It's our responsibility to in this role is different and every company, so I'll speak from my own experience, I think it's to be able to articulate that in a way that's understood and get that decision in front of the right business decision makers. And sometimes that business decision maker is the CISO, but in many cases it's distributed through the organization. And I think the best that we can do in that situation is articulate it with the best information we have, let them make the decision. And then their part in that is, hey, look, if the risk manifests, then just understand that can happen. And if we need to revisit, let's revisit. But you have to expect to some degree that it's going to manifest, I guess, based on likelihood. So I couldn't agree. We couldn't agree more on that.

Michael Coates:
Yeah, I think somehow we've been cast into the the destroyers of all risk, which is not true, like we are enablers of strategic risk taking decisions for the business. So however the business wants to strategically move forward, we're going give them all that information. So, boom, you can make that best informed choice. You know, for example, if we were making skateboards as a business and we were destroying all the risk, we'd have the most piece of junk skateboard with some padding everywhere.

Chris Houlder:
No wheels.

Michael Coates:
Yeah, nobody would buy that thing.

Chris Houlder:
Now, yeah, it reminds me of a conversation I was having with someone else about kids and bikes and safety third, but that's a that's a whole other conversation.

Michael Coates:
So, you know, looking at your journey and and how you've gotten here, kind of circling back, someone starting fresh, they're entering the security field and saying, you know what, I do want to be a CISO one day, I kind of get what I'm getting into or will be. But what kind of advice might you have to them at the beginning of that journey?

Chris Houlder:
Yeah, I'd say maybe regardless of. Maybe regardless of if, you know, along the way, you decide that, well, it's not not a CISO role, but you want to be successful in this industry. And I think definitely if you want to move in the CISO role is. I think you always need to be developing. Right. It's an industry that is always developing. I think, you know, my advice to almost everyone is you need to treat yourself like a business and always be working to be relevant. And development to me is not just, you know, certifications, technical skills. It's about skills and qualities. Right. So, you know, in doing that in a community and getting feedback from what your blind spots are and being courageous about that, I think are absolutely key. Again, another person along the way said to me or asked me the question, what's better someone with 2 years of experience or 10 years of experience? And it really depends. It depends on what each of those people do with that experience. And are they analyzing it getting better? So I'd say always be developing. I would I'd say this is something I really noticed people do failed to do early in their careers. And that's pay attention to the business. And it can be intimidating frequently. I think people will look at it and say, I'll get there, but I got to work on these other things.

Chris Houlder:
I'd say work to understand the business. And probably most important there is pay really close attention when your business is going through some level of transformation and then and then spend some time with that. How are people acting differently? What's changed in the business? And I think earlier in your career, you can really impress people if you say, oh, hey, I was at this company during this acquisition, in this transition. And I think you could really be unimpressive if people ask you, well, what did you think of that? And you're like, I just kept working on my stuff. You know, it's a missed opportunity. I think as you get more senior, you're expected to really understand and process and be able to speak to that in your contribution to that. And you don't get comfortable. It's just not a space that you don't specialize too early. Find where you're where your weaknesses are, kind of attack those, you know, just be in development mode, especially early on in your career. Yes. Where you can where you can afford slip ups, where you can make fast career changes, all of those things. Right. Like take advantage of that early in a career.

Michael Coates:
No fantastic advice. No, I think that's great. Well, Chris, we covered a lot of ground, anything that I sped us through. And you had some additional thoughts, anything we missed.

Chris Houlder:
The only thing I would probably add, I think that this is, you know, in our in our discussions ahead of time and probably here is would be the advice for maybe when someone gets the role of CISO. So this person who's gone through it and now has the job is do the work that only the CISO can do. Right. You know, lots of different books. Let's mention it in different ways. It's like promote yourself and so on. But but there are certain things that a CISO needs to do that no one else is going to do. And in some cases, no one has done at the company before. And risk is a great example. It's a tough area to nail down. Your company may not be well versed in it, but if you're not doing it, no one's going to be in your comfort level. Might be. Well, I'm just going to stay in the trenches with my team and, you know, be the kind of senior senior architect. And I'd say that that to me, it's different from company to company. But I don't see that being the long term CISO role. So I would say when you get the role, promote yourself and do the role.

Michael Coates:
Yeah, that's great. I couldn't agree more. Very good. Well, Chris, thanks so much for the time today. Thanks for picking this beautiful location to fly us to. Yeah, this is a really good conversation. I really enjoy it.

Chris Houlder:
Likewise, I really did too.

Michael Coates:
For everyone that's listening and watching, please don't miss out on future or past episodes. Subscribe to the podcast. Follow the webcasts and you'll see other great guests, just like we had today with Chris. Thanks, guys. Thanks, everyone.

Chris Houlder:
Thanks, Michael. Take care.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your m4a files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you'd love including automated transcription, powerful integrations and APIs, enterprise-grade admin tools, transcribe multiple languages, and easily transcribe your Zoom meetings. Try Sonix for free today.

Subscribe for More

Get notified of future CISO webcast and other exciting security content

Thanks for subscribing!

Ready to get your Cloud Security in Check?

Fill in some contact info below or schedule a meeting so we can reach out to provide more details on how Altitude Networks can protect you from data loss in the cloud.

We'll be in touch!
OR