On this episode of CISO to CISO we would like to welcome Chris Houlder, Head of Global CyberSecurity at BioMarin Pharmaceutical Inc. With nearly 25 years of experience spanning information security, team management, information technology and product/software security, Chris has been developing and executing strategies to solve complex security challenges and leading operational and company changes. Previously, Chris served as CISO and led teams at Clarivate Analytics and Autodesk. Chris currently serves as a board member for Rapticore and as a venture advisor for YL Ventures.
CISO to CISO - Chris Houlder - trimmed audio.m4a: this audio file was automatically transcribed (Sonix). This transcript may contain errors.
Michael Coates:
Welcome,
everyone. This is another edition of CISO to CISO,
I'm your host, Michael Coates, and super excited
today to be joined by Chris Houlder, who's going to
bring lots of interesting discussions. Thanks,
everybody, for joining us again. And Chris, thanks for
being here.
Chris Houlder:
Yeah, thanks for
having me, Michael. I'm really excited to have the
dialogue.
Michael Coates:
Yes, we're
going to dive into some really interesting topics.
For those of you that have been listening and watching,
following along, please remember you can watch these
webcasts recorded on the Altitude Networks website,
or you can subscribe to the podcast or listen to them in
audio. So whatever format works for you. And these events
are sponsored by Altitude Networks. We're bringing
data security to cloud collaboration. So if you're
using G Suite, Google Workspace or Office 365 and
you're concerned about people sharing, stealing,
leaking, losing your data, that is our sweet spot and we
can help you. With that, let's jump in. So, Chris,
you're currently head of security at
BioMarin Pharmaceutical. You've been a CISO at
Clarivate, you've been a CISO at Autodesk, even
a venture advisor. You've done a lot of cool stuff.
Talk to us about that journey. How did you get to where
you are today? Were you coming out one day
saying, my life's goal is to be a CISO? Or did you
find yourself on a winding trail to get there?
Chris Houlder:
Yeah. So, you
know, I was kind of taking stock of this in preparation
and realized that... So I've been in my career for
about twenty five years, and I'd say in tech,
although I think we would argue, or I would argue,
that security is not quite just tech, and have been
really in security leadership roles for about 20 years
of that. And I've worked at a broad range of
organizations. Primarily, as you said, really in, or
actually you didn't say that yet, I think, you know,
I've worked primarily in tech and I've worked in
life sciences, but I've worked in a range of roles
and company sizes and, say, ownership structures in that
path. So I really came up through the practitioner ranks,
and doing that, as you know, and I'm sure are well
aware, especially right now, is that you can be a
leader, manager and practitioner in startups. Right. And
so, you know, I've really been at this
for a while. I would say, looking back, I think I had
the ingredients for security, but I didn't go
into it with an expectation that I was going to be
focused on security. The way that I actually got involved
in security was as a network manager at a
startup.
Chris Houlder:
And I was the
first person in that morning. And we had the VP of
Engineering come in the door frantically looking around
for who was there that could do some level of operations
support. And he said, we've been hacked. Right. And
we brought in Foundstone and we did an assessment,
and it turned out we had not been, in fact, hacked, that
it was just, you know, an outsider using an exploit and
giving us a little bit of information about our
environment and offering to pay us consulting fees.
But, you know, working with the early
Foundstone guys and just seeing that play out connected
the dots for me. And I knew going forward that that was
going to be a big part of my career. And
as my career progressed, I've always owned a portion
of security, or I should say I've always owned
security as a portion of my role, and then inevitably
made the shift into just security. That's
the CISO role later in my career.
Michael Coates:
The technical
track into the CISO role is one I'm seeing more and
more, and you know, I may be biased. That was my path as
well. I think earlier on, years ago, we saw
leaders taking over the role of security because they
needed a leader, but they weren't really equipped
with the technical backing. And of course, I think you
would argue the same, that we should no longer be the
most technical person in the room. If so, we've done
a horrible job at hiring. But having that background to
call B.S., to ask the right questions, to pose some
considerations, you know, I found that to be very
helpful. I imagine from your path, you might have
seen that as well.
Chris Houlder:
Yeah, absolutely.
I think it's a really interesting
debate. And, you know, you say, well, how did I get
here? And one of the elements of getting here for
me has been finding good mentors and finding people that
I can take advice from. And one coach that I had at
one point said to me that if you want to
find your areas of development, look in the shadow of
your strengths. And so I think coming up through
the technical ranks, to your point, can give you a
really good perspective. It can help you to relate to
teams more, it can help you see those things. But if you
can't release that and put it in the right context
and put leadership first, then I think it becomes an
over-leveraged strength. And I think it actually is more
likely to become an obstacle when you're being
successful than, you know, something that's
going to lead to success. And interestingly, you
know, for me, I think I recognized that
early on. But I think you do need to maintain a balance,
because I think that I also went to a degree where I was
focused almost entirely on leadership and really
empowering and trusting people, which I believe we
should do, but not necessarily fully staying connected,
even, you know, at my level, for what was appropriate,
with what was happening on the ground. And so I do think
it requires, you know, I think it's different from
company to company, and I do think it requires a level
of calibration and self-awareness.
Michael Coates:
Yeah, you know, I
totally agree. And you even alluded to that other part
of describing security as a technical field, more
or less. I forget your exact words, but you hinted at
something that has always rung true to me, too, which is,
as technical as we could be or used to be, it's
still very much a field about risk and business and
humans. And those things are a little unexpected at
first when you're in there, like clacking away at
the keyboard, you know, stereotypical green screen
Hollywood movie, like opening your eyes to what security
is with everything else, like, well, look at all these
business factors that are playing into this.
Chris Houlder:
Yeah. And I think
that's probably going to be a theme that
emerges pretty heavily as we discuss this, on how I
try to approach what I do at this stage and the advice
that I would have for other people.
Michael Coates:
Yeah. Now
you've had another interesting experience that
perhaps many people have now had, but you have started a
new security leadership role, totally remote, in the
midst of a global pandemic. And now you're, you
know, six or nine months in. What has that all been
like? I mean, starting a new role as head of security is
something on its own; doing it totally remote with all the
other things, I mean, that's a whole other bag of
things.
Chris Houlder:
Yeah. So, you
know, I guess if I look at the role itself
and what I try to achieve. And you know, everything I
say, I think, needs to be adjusted, and I recognize that
it needs to be adjusted from company to company. But
I have a starting point now at this stage that I try
to operate in. And I'd say within the first three
months, zero to three months, the first thing I do when I
come in now is I make sure that there's an IR plan
in place, because I think no matter what you're
doing, if you get caught by an incident and you're
unprepared, that could really seal your fate at an
organization. So, you know, I'm looking at that.
I'm figuring out the urgent and important. I'm
starting to meet with key stakeholders and assessing the
team. By the end of that three months, I want to have a
roadmap that I've publicized, with an
understanding that it's progress, not perfection,
and I expect to revise it. Three to six months, I
start going into execution. I start looking internally
at the team I'm working to build. I'm
establishing metrics that you can see before and after.
Chris Houlder:
And then 6 to 12
is really me continuing to execute and moving
to plan year two. So, as I've been
doing that, and I'm about in the middle of that
process and for the most part on track, I would say
starting remote has been odd, but also quite
familiar, because I'd say that I do really like
being nomadic in the way that I work, and I've worked
for multinationals for a good part of my career. So
I'm used to having to connect with people
through means other than face to face. I'd say that
the really good element of this is that I feel like I
have a lot better control of my time at a time when
that's really critical, where I really need to
process, do some deep thinking, a range of
stakeholder meetings. I think the stakeholder
discussions, because it's the beginning of
relationship building, have been good. And I
thought about this with video. I thought, wow, if
I was trying to do this over the
phone, then I think we'd be having a very different
conversation. But I think video at least creates some of
that connection.
Chris Houlder:
I think some of
the challenges that I'm seeing, and this does
really start talking about some of the differences in
what I'm seeing in life sciences as opposed to high
tech, is, you know, I can't go visit our labs and our
manufacturing environments. And I'm a very visual
person. I want to see our processes. And so I
haven't been able to do that. So that's been on
hold. And then there's always the deeper team
building. Right. I'm sure while I want and need time
by myself, I also like to connect with people, have fun,
be there in person. And so I'd say that the
experience feels a little two-dimensional. And
I'd say that I expect that I'm actually going to
have two start dates at the company. I think I've had
my first start date, but I do expect that when we return
to the office, and I do think that will be different
than it was prior to covid, then I start seeing people
in context and I see people in group settings, and
that's a whole new set of observations and cultural
lessons for me. So it's been mixed for me. It's
been mixed.
Michael Coates:
Mm hmm. Yeah.
Your mention of team building is really spot on,
because the notion of working remote, working from home
is certainly not new, and companies have done it
really well. But even in those realities, you're
still not entirely 100 percent remote from each other. For
people that have worked with me or know me at Mozilla in
particular, my team was on three continents and in seven
countries. And sure, we were very spread out. But we
would come together in person multiple times a year
somewhere in the world, which was great, a great treat
in itself. But you always had that moment of physical
cohabitation to lean on and then to go back your
separate ways. And that's been tough not having that
for this past year.
Chris Houlder:
Yeah. And travel
in general, for the exact purpose that you point out.
Right. You can do a lot remotely, but I'm with you.
I'm a firm believer that you've got to have
those face to face, in person moments where
you're working, but when you're also having
dinner together, maybe having drinks together, and
just deepening that connection through
socializing. I mean.
Michael Coates:
Yeah. The other
thing I love that you said, and I don't know if
everyone noticed it, was you mentioned focusing on
metrics before and after. I think that is a key item
that too many people forget about. And I love that.
That's something that I've used as well. Like if
we're going to start a new program, figure out how
to measure it today on day zero. So after you've
done a bunch of work, we have some way to show that
progress. The last thing somebody wants as well is:
what's security doing? Oh, they're doing stuff.
Because then, if you're just doing stuff, the only
concrete thing that they know is, oh, there was a
breach. But what else have you been doing, if you
"failed", air quotes, on this breach, which I think is a
misnomer. But that metric is really a great focus.
Chris Houlder:
Yeah. And as with
most things, Michael, I've learned that through
failing a number of times, you know.
Michael Coates:
That is real
progress.
Chris Houlder:
I've
implemented projects, multiple projects,
and looked back and thought, I really wish we would have
captured what this looked like before, because who knows
at this stage. So, yeah.
Michael Coates:
Now, for
those of you that are listening to us on the podcast,
you're missing out on one key thing we're going
to dive into, which is the Altitude Networks virtual
jet, the best that virtual money can buy. And I've
taken Chris around the world. And Chris, I'd like
you to tell us a little bit about why you chose where we
are and what this location is.
Chris Houlder:
Yeah, and I'll
tell you this multiple times: I just love the fact that
you do this, because, you know, I think the
key for me is this was a special moment in my
life. So what we're looking at is
the Kiyomizu-dera, which is a
temple in Kyoto. Why it's meaningful for me is I had
wanted to go to Japan my entire life. I missed a number
of opportunities, both personally and for work. And as
my children started to get older, they also really
wanted to go. So I took my 12 year old son at the time
on this trip. And so this is a Buddhist temple that was
founded in like 1778. Not a single nail was used in the
entire structure. This building itself was
constructed in 1633, so just kind of the rich history of
that. I would say going there and being in nature was
just, it was kind of a spiritually moving experience.
Right. And the meaning behind all of it. And so
it's named... the name means clear water, pure
water, and it's named after a waterfall within the
complex. And water comes down through three channels.
And I'm going to show you my picture in a second.
Chris Houlder:
You've got the,
you know, the well Photoshopped view of the entire
thing. Right. But when going to these temples,
there's a purification ritual. And normally
it's done in an area that's about the size of a
table. In this particular case, though, it's
a waterfall that's
coming down from the mountain into three streams. And
I'll shut myself out of this for a second. So
that's me. You have to reach out. So I'm
6'3". So I'm reaching out and you're
getting this rushing water go by that you then capture
in a cup, and then you go through this ritual, you know,
this cleansing: you clean your hands and then you
clean your mouth and then you inevitably clean the stick
in place and back. And so, just going through
this, it was a great experience finding these photos and
reliving that with my son. It was really meaningful. I
did find out in doing research that long ago in this
place people would actually jump from the stage, and
it was a forty three foot drop. They believed that if
they survived, they got a wish. And so what would be
your guess, Michael, on the percentage of people who
survived that jump? Forty three feet.
Michael Coates:
I don't know,
maybe one out of five.
Chris Houlder:
Yeah. So it was
eighty five percent, eighty five point four percent. So
I'm happy I didn't know that metric at the time
because I like those odds. I think I probably would have
shot.
Michael Coates:
Oh man. I wonder
how many people are wishing to survive as they were
falling down. Yeah.
Chris Houlder:
And I guess, you
know, survive is kind of a relative term. Right.
Like, you know, they lived, you know, a forty three foot
drop. That's pretty significant. So. Yeah. So
beautiful place. I have a twelve year old daughter, and
once covid is done we will also be taking a trip to
Japan. So.
Michael Coates:
Oh, that's
a wonderful thing. I mean, thank you for sharing that.
That's quite the memory. And you know,
what a fantastic spot for us to be at. Let's
see, so stepping back to something that you mentioned
earlier from your career, it's
fascinating that you've seen the world of security
in two distinct domains. And by that I mean like
industries. I think for all of us that operate in
security roles, we know that each industry has its own
nuances, its own most important factors. So what has it
been like moving from tech dominated, focused
companies into the life sciences industry? Does security
look and feel different, or you must have at least
different top risks or motivations that kind of guide
your day?
Chris Houlder:
Sure. So, I mean,
I think, as a starting point, I love working at
innovative companies, with smart people, with big
challenges. Right. So that definitely exists
in all of the companies that I've worked at, in both
high tech and life sciences. I think, you know, you had
made a comment earlier, I think around, you know,
understanding the business, or something that kind
of stuck with me on, you know, really kind of
understanding the business and the core of that. And
so I do try to dive in and understand the business
beyond a superficial level. And I would say in high
tech, it's, you know, as technologists,
we have a lot more underpinning skills and
knowledge that we can immediately apply to what the
product is and how we get that out. I don't have a
background as a scientist. And so as you look at
biotech, there are some pretty
significant topics that are complex. There are a lot of,
you know, we have a lot of the smartest minds in the
world in their space. PhDs have spent their lives and
careers working on acquiring this knowledge. And so one
of the big differences is, and I did work at
Genentech, so I do have some transferable knowledge that
I'm able to bring over, but, you know,
that's still a learning curve, and it's an
exciting one. I would say 80 percent, you know, just
pulling that number out of the air, let's say a lot
of the fundamentals are the same. Right. I do think, to
your point, you know, you have a different set of risks.
You know, you have different data sets, protecting those
different data sets in different ways.
Chris Houlder:
I think you're
trying to keep certain services online for different
purposes. I think, you know, the way I
approach this, I'm a huge advocate of the
cybersecurity framework, primarily because of the levels
of abstraction that it introduces. I think you and I
might have had this conversation. I think it totally
misses the mark on software security. But that's
where you can use something like, you know, OpenSAMM. I
think what gets introduced in this space,
which is an interesting new view in life sciences,
is operations technology. Right.
And so, you know, we've heard CIA, confidentiality,
integrity and availability, forever. And people
have played around with accountability and other
elements. But when dealing with operations technology,
you do really need to take into account reliability and
safety. And you have to start thinking in terms of
Stuxnet. Right. Like, you're talking about
pieces of equipment, or any of that long history where
we've really started to understand that security can
impact industrial control systems and can create
physical events. Right. And that's interesting.
That's not something that I, I mean, it
makes it ironic, you know, I'm listening to a
lot of these books in parallel, like The Hacker and
the State, just for enjoyment. And it
didn't immediately connect to me, like, oh, no, no,
you're in that environment now where you really have
to make sure that what is getting deployed is not going
to affect the safety of people who are working on that.
So that's new and exciting. Along those lines, with
operations
Chris Houlder:
technology, you're dealing with very long life cycles. Right. So
if you kind of look at the timeline where we as an
industry have started thinking about security as it
relates to operations technology, it's fairly
recent. And yet some of the lifecycle of this equipment
is 20 years old. And so how do you, you know, I think in
a traditional high tech corporate environment,
you've got a lot of churn, you've got cloud
providers. And all of those things do apply here. But
they can start rethinking security and integrating
that into their products. But when you're
dealing with a device that's controlling a valve or
a piece of equipment, and the intent is to have that last
as long as they possibly can and try not to interrupt it
to impact reliability, it becomes interesting how
you take on that challenge of securing that against
modern security challenges, again, without necessarily
the vendor having put those things in place ahead of
time. Compliance, I think, is a motivator in my
experience in both places. With cloud companies, I think
compliance is customer driven compliance. But in life
sciences, it's really regulatory driven
compliance, and it's far more substantial. And yeah,
I'd say those are the things that are starting to
emerge as the differences. But then again, I think
we're having the same conversations about what's
the foundation that we need to build, how do we move
from projects to talking about capabilities, and then
inevitably, how do we flip that whole thing onto what
are the risks that the company faces and how do we
actually have a program that manages those risks?
Michael Coates:
Yeah, I mean,
commonality-wise, we all talk about fundamentals, like
you suggest, like why is it so hard to patch things, like
we should just patch, it's the basics. And I think we
know even at enterprise scale, just in general, like,
sure, conceptually simple to push the button of update.
But that's not the thing holding us back. It's
asset inventory, it's downtime, it's backwards
compatibility, all of these things. But I can only
imagine thinking about all of those challenges on top of,
this is some sort of industrial control life sciences,
20 year old piece of machinery, like what's going to
happen if we try to update something here? That must be a
whole sort of unique challenge.
Chris Houlder:
Right. And you
know what? What I would imagine, and I know I'll
get a deeper experience with vendors with this, is that,
look, if you're buying a product now, I would hope
that a lot of vendors have been giving this some
thought and do have the appropriate hooks in place and
so on. But if you're on year 15 of something that
you're going to be running for 20 years, you know,
that's an entirely different conversation.
Michael Coates:
And then, the
other thing you mentioned that that I liked was the
nuances around. Yes, CIA, but also safety and
reliability, I believe.
Chris Houlder:
Yeah, reliability.
Michael Coates:
Yeah. I think
that's such a great way of looking at it, because as
you also mentioned, that all ties in together to
fundamentally, like, what is the risk? Like each of those
are individual components. And far too often, I think,
growing up in the security field, you may look at something
in isolation. And really when you step back, the
question is, what is this risk? Where should we
prioritize this? And I know that's something that
you've been thinking a lot about, this connection
between figuring out what the risk really is and then
what should we specifically do, what are the specific
actions that should be taken or should be captured or
recorded along those lines. Talk to us more about that.
What have you been learning going down that journey?
Chris Houlder:
Yes, so probably a
great example of this is I sat on a panel for the NECB,
and I can't remember the exact title, but the topic
really was how do CISOs
and board members effectively communicate about
security? And it was a great discussion. One of the
board members, I think, summed it up well, and there was
a lot of head nodding in the room after she had made
this comment. You could hear the
frustration in her voice as she said this: you
know, we have all the other teams, all the other
functions in the organization come in and we know what
to expect. We know how they're going to talk about
the metrics in their area or the risk in their area. And
then we see security on the agenda or security shows up
in the room and we have no idea what we're going to
get. Right. And I think it's a fair
comment, I think it's absolutely fair. And being
on the other end of that, that's equally as
frustrating for me, because I am a huge believer in the
idea that we want to be able to show our most senior
stakeholders, and actually down to the practitioner
level, here is the whole of what we can be working on,
but this is what we're choosing to work on, right.
And I think, you know, for me, that started by talking
about capabilities. And in almost every organization
that I went to, probably more so 10 years ago, I would
ask people, key stakeholders, what do you think goes into
a program? And
I get antivirus, I get patching, I get a few things.
Chris Houlder:
And then I would
show a framework and they would be surprised by how many
moving parts were involved in security. And then I would
explain, but look, we're not going to get to all of
these; we have different levels of
concern and we need to bring these to different levels
of maturity. And they would get that conversation and
then we would move forward doing that. And then the
conversation would naturally move to, but when are we
done? And why this capability to this
degree? And I think, you know, when we're
dealing in terms of foundation, we could probably
agree. You just made the comment about asset
management, and I beat this drum all the time, which is,
you know, it might be boring, but it's core
and it's foundational to what we do. And if
you're not getting that right, how do you
get all the layers on top of that? Right. And so, you
know, really being able to... We can probably agree that
that's an area that we want to get to a base level
of reproducible maturity, right. But there are
other areas where, you know what? Maybe we're OK
with it at a 2. Maybe we're OK with it.
It's not that important to us.
Chris Houlder:
But this one, this
one's going to be a 4 or 5. Right. And so that to me,
and this is where risk comes in, that to me is where
we should be talking about risk. And I say this,
you know, I try to be humble as I say this, because
maybe there are people out there who feel like
they've solved this problem. And I've cast
my net far and wide and have yet to really hear
someone come back with something that I think is
practical. I've done a lot of research and I
feel like I'm getting closer to solving
this problem. But what I think would be an ideal
situation, similar to a taxonomy or a framework for
capabilities or controls, which we had prior to that,
would be for us to be able to go in and have a common
language for what are we even talking about with
the risk? Because you can, and all parties are right, you
can have a risk register that's got 900 items that
are very tactical in nature, or you can have 13 items
that are very strategic, and no one's wrong in that. I think
if you're talking to the board or executives, you
probably don't want to present the 800 items, you
know. But how do we get those high level strategic risks
outlined in a way that can be understood easily? You
know, and I've been exploring further. I think
there's a lot of potential there, as an example,
in going to quantification, but I'd say
some of the risk statements that come out of FAIR I
don't understand.
Chris Houlder:
Right. And so it
might be the best methodology out there, but if it
can't be translated to people in a way that
they're like, I got it, you showed me five things,
this is what you're saying we should focus on, I
understand the math behind that, the rationale, and
let's go that direction. And I think inevitably with
risk discussions, that's what we need, where we need
to get. I personally don't feel that it
needs to be so mathematically sound that it's
defensible, you know, internally, to bring in
mathematicians. Yeah. I think that it needs to be
grounded in enough reality and critical thought to
generally make sense and be beyond us just measuring
what our interpretation of risk is. And then I think
that needs to be matched with, OK, we know that these
are our risks. What capabilities will have the biggest
bang for the buck in our environment? And then let's
go do those. Right. And I've had lots of
conversations on this. I feel like we're getting
closer as an industry. I don't think we're
there. And so that's my passion. As I had said
earlier, you know, starting at about my 6 to 12 month
period, I start gently introducing the idea of risk. I
would expect that going into next year, my personal
focus is going to be almost exclusively on putting the
structure in place.
Michael Coates:
Yeah, I mean,
that notion of prioritizing and thinking about it
from risk makes fundamental sense. And I've
leveraged that as well. And what I found helpful is, I
agree with you in terms of the mathematics and how
precise it needs to be. I describe it as it needs to be
directionally accurate. But otherwise, like, there's
such a margin of error anyways in each calculation. Just
because you multiply ten numbers with medium confidence
doesn't mean you have any more confidence at the
end than there is in ten medium things themselves. One of
the things that I found very helpful with that is when
you do have an ordering of your kind of key risks or
key projects that back into those risks, it worked
really well for almost budgeting conversations, where
someone said, hey, number 6 seems really important. Why
aren't we doing it? Like, well, number 1 through 5,
we can agree, are higher risk. And I've run out of
resources on 1 through 5. And so we can debate
if the risks are right or we can debate how much money
we want to spend. I can do whatever you want. We can
draw the line in the sand anywhere we want to.
Chris Houlder:
I couldn't
agree more. And I think that's the ideal
conversation, I think, at the end state. And I think
what's important, in my humble opinion, for a CISO is
to not be too wedded to that outcome, because I think at
the end of the day, it's our responsibility in
this role, and it is different in every company, so I'll
speak from my own experience, I think it's to be
able to articulate that in a way that's understood
and get that decision in front of the right business
decision makers. And sometimes that business decision
maker is the CISO, but in many cases it's
distributed through the organization. And I think the
best that we can do in that situation is articulate it
with the best information we have, let them make the
decision. And then their part in that is, hey, look, if
the risk manifests, then just understand that can
happen. And if we need to revisit, let's revisit.
But you have to expect to some degree that it's
going to manifest, I guess, based on likelihood. So
we couldn't agree more on that.
Michael Coates:
Yeah, I think somehow we've been cast into the destroyers of all risk, which is not true. Like, we are enablers of strategic risk-taking decisions for the business. So however the business wants to strategically move forward, we're going to give them all that information. So, boom, you can make that best informed choice. You know, for example, if we were making skateboards as a business and we were destroying all the risk, we'd have the most piece of junk skateboard with some padding everywhere.
Chris Houlder:
No wheels.
Michael Coates:
Yeah, nobody
would buy that thing.
Chris Houlder:
Now, yeah, it reminds me of a conversation I was having with someone else about kids and bikes and safety third, but that's a whole other conversation.
Michael Coates:
So, you know, looking at your journey and how you've gotten here, kind of circling back, someone starting fresh, they're entering the security field and saying, you know what, I do want to be a CISO one day, I kind of get what I'm getting into or will be. But what kind of advice might you have for them at the beginning of that journey?
Chris Houlder:
Yeah, I'd say, maybe regardless of if, you know, along the way you decide that, well, it's not a CISO role, but you want to be successful in this industry. And I think definitely if you want to move into the CISO role. I think you always need to be developing. Right. It's an industry that is always developing. I think, you know, my advice to almost everyone is you need to treat yourself like a business and always be working to be relevant. And development to me is not just, you know, certifications, technical skills. It's about skills and qualities. Right. So, you know, in doing that in a community and getting feedback on what your blind spots are and being courageous about that, I think, are absolutely key. Again, another person along the way said to me, or asked me the question, what's better, someone with 2 years of experience or 10 years of experience? And it really depends. It depends on what each of those people do with that experience. And are they analyzing it, getting better? So I'd say always be developing. I'd say this is something I really noticed people fail to do early in their careers. And that's pay attention to the business. And it can be intimidating. Frequently, I think, people will look at it and say, I'll get there, but I got to work on these other things.
Chris Houlder:
I'd say work to understand the business. And probably most important there is pay really close attention when your business is going through some level of transformation, and then spend some time with that. How are people acting differently? What's changed in the business? And I think earlier in your career, you can really impress people if you say, oh, hey, I was at this company during this acquisition, in this transition. And I think you could really be unimpressive if people ask you, well, what did you think of that? And you're like, I just kept working on my stuff. You know, it's a missed opportunity. I think as you get more senior, you're expected to really understand and process and be able to speak to that and your contribution to that. And you don't get comfortable. It's just not a space that you don't specialize too early. Find where your weaknesses are, kind of attack those, you know, just be in development mode, especially early on in your career. Yes. Where you can afford slip-ups, where you can make fast career changes, all of those things. Right. Like, take advantage of that early in a career.
Michael Coates:
No, fantastic advice. No, I think that's great. Well, Chris, we covered a lot of ground. Anything that I sped us through and you had some additional thoughts on? Anything we missed?
Chris Houlder:
The only thing I would probably add, I think that this is, you know, in our discussions ahead of time and probably here, is would be the advice for maybe when someone gets the role of CISO. So this person who's gone through it and now has the job: do the work that only the CISO can do. Right. You know, lots of different books. Let's mention it in different ways. It's like, promote yourself and so on. But there are certain things that a CISO needs to do that no one else is going to do. And in some cases, no one has done at the company before. And risk is a great example. It's a tough area to nail down. Your company may not be well versed in it, but if you're not doing it, no one's going to be. Your comfort level might be, well, I'm just going to stay in the trenches with my team and, you know, be the kind of senior architect. And I'd say that, to me, it's different from company to company. But I don't see that being the long term CISO role. So I would say when you get the role, promote yourself and do the role.
Michael Coates:
Yeah, that's great. I couldn't agree more. Very good. Well, Chris, thanks so much for the time today. Thanks for picking this beautiful location to fly us to. Yeah, this is a really good conversation. I really enjoyed it.
Chris Houlder:
Likewise, I really
did too.
Michael Coates:
For everyone
that's listening and watching, please don't miss
out on future or past episodes. Subscribe to the
podcast. Follow the webcasts and you'll see other
great guests, just like we had today with Chris. Thanks,
guys. Thanks, everyone.
Chris Houlder:
Thanks, Michael.
Take care.