We are excited to welcome Emilio Escobar, CISO at Datadog and former VP of Information Security at Hulu, on our next episode of the CISO-to-CISO webcast (also posted later as a podcast). After four years at Hulu, where he headed Information Security, Emilio recently accepted the CISO position at Datadog, a leading service for cloud-scale application monitoring. Emilio is a security leader with a strong technical background, which always makes for a great conversation with Michael: they touch on topics from security leadership to what brought them to their roles today, and advice for others trying to do the same.
GMT20201104-173102_CISO-to-CISO Emilio 3 Audio Only.m4a was automatically transcribed by Sonix. This transcript may contain errors.
Michael Coates:
Welcome, everyone, to another edition of the CISO to CISO Webcast. I'm your host, Michael Coates. I'm the CEO and co-founder of Altitude Networks and former CISO of Twitter. So that's my ticket to get here today, the CISO discussion, but I'm super excited for our guest today. Welcome, Emilio. So happy to have you here.
Emilio Escobar:
Hello. Thanks for having me. Definitely exciting to chat. I know it's been something we've been planning for quite a while.
Michael Coates:
Yes. Yes, definitely. So a little bit of background. Emilio, I can't wait for you to share more, but Emilio is the CISO at Datadog, was formerly VP of security at Hulu, and has quite a bit more experience in the field before that. We're going to have a really interesting discussion today. But Emilio, tell us about your journey to becoming a CISO. How did you get there? It's a very different path for everyone, and I think it's pretty cool, the different ways people get into that role.
Emilio Escobar:
Yeah, for sure. I guess I'm going to get started with how I got into security. It was a different time, right, and something that I'm very cognizant of, that getting into the industry, which I think is something we're going to talk about a little bit later, is much different than when I did. In the early 90s, mid 90s, there was a lot of interest in security, right, a lot of information out there. So when I was exposed to the online world, I naturally gravitated to: how do I get information that isn't just there, and how do I learn from other people? Right. So you could get into security back then by reading a bunch of text files, BBSes and IRC channels. So I guess in a way it was easier than it is now, and less pressure. But I come from a software background, right? So I have a computer science degree and was writing software for many, many years, sort of super early, and naturally gravitated to getting a good understanding of, and curiosity for, how applications work. You know, back then, I remember IRC was a bigger thing than it is now. So finding bugs in IRC daemons, and those that crashed a server, was what I did for fun.
Emilio Escobar:
And so, sorry if anyone watching this was part of that. But it was just that curiosity. Right. And, you know, after a while I took it seriously and made it a career. I worked at the NSA when I was in college, doing a semester at work and a semester back in school until I finished my degree. And from there I always wore multiple hats. So while in college, before NSA or even after, I worked for an Internet provider and then a cell phone carrier, and I was wearing multiple hats, doing development but also, "oh, you know, security, maybe you should do some security for us," and, you know, things like hammer and all that stuff that were impacting us back then. And so it was cool to play with those things but also deal with the response to it. So I naturally moved up the ranks there. Did consulting, security consulting, for a little bit. And through that I met PlayStation, who was interested in growing the team and building a software security program. So I joined to do that and did it for a couple of years and grew a team, and it has grown since then.
Emilio Escobar:
But I think the progression toward CISO was, I always had an inclination for how do we solve problems together. Right. And understanding more of the why we're doing things, and explaining that why, working with people to sort of get through that hump of understanding the why and getting to the point where we're wanting to work together. And I think that naturally led me to grow a team, build teams and take on the CISO role, because, you know, that is what a CISO is there to do. Right? By influence then, by extension, rather than execution. So building relationships, understanding the psychology behind what the needs of the organization and the teams are, and how do we meet them halfway so we can get some value and they also get some value. Right. So I think that's what got me to be where I am, and I'm grateful to do it and be where I am right now. But it's more about solving problems and working with people than the technical skill set that got me to the CISO role.
Michael Coates:
Yeah, I think that's fascinating, because many of us start with that technical tinkerer mindset. But I feel like it's very much, well, how do you solve this problem? You're trying to pick it apart, and it's got the mystery of the technical details. I mean, of course, you could read the manual, and maybe you do. But the manuals are often wrong. And so it's very much like, let's figure it out. And that mindset, sometimes I think it's fascinating, it translates into, well, how do we solve bigger problems that involve humans? And man, I certainly found that's a whole new challenge, because the humans don't operate the same way that computers do, that's for sure.
Emilio Escobar:
Yeah, absolutely. There are a lot more variables to consider when it comes to humans, to put it in computer terms. But yeah, I think, you know, for me, I always wanted to build organizations and teams where you can just plug my teams into any part of the organization and they will fit in and work well with the stakeholders. And that's the kind of relationships that I like to build. And once you open those doors, you know, from a continuity standpoint, the CISO can go elsewhere and those relationships stay, right? And I always think that that's important. But yeah, working with people you have to consider, especially with what's happening this year, right? You have to be conscious of the fact that there are a lot more external pressures than just work, and companies are growing but also identifying the pandemic as a business risk that we need to be cognizant of, and how do you grow within that, and the pressures there. So dealing with humans is much different than computers. I wish the world were binary, and it is not, right? Security works in all shades of grey. Right. So we have to be comfortable with that.
Michael Coates:
Agreed. Let's see. So we have the opportunity to get together, so graciously flown to where we are on location. You know, this webcast is being sponsored by Altitude Networks. Very briefly, Altitude Networks is solving the challenge of data security in the cloud, in collaboration platforms like G Suite and Office 365. So if you're sharing documents and wondering who has access across your company, wondering how you do secure offboarding in the cloud, that's our world. So check us out at our website. And Emilio, this location that you chose for us to go to, first class flights, of course, where in the world did you take us? Where are we?
Emilio Escobar:
We are in Madrid, Spain, right now. So we're enjoying some coffee out in what appears to be the empty streets of Madrid. So it's very, very, very soothing for today's times. But it's a nice Spanish coffee for a good price, and just having a good chat.
Michael Coates:
And is Madrid a location you've been to several times before?
Emilio Escobar:
Yes. So I've actually been once. I have family there, but I went to Madrid when I was 11 or 12 and haven't been there since. And we're planning on hopefully going back, but I definitely loved it and would love to go again and see how much has changed in the many years since I've been there, and how it changed with what's going on. But, you know, this is the typical Madrid where you can actually go enjoy a coffee or snacks out in the street somewhere and spend a whole day there if you want to. Right. That's the kind of laid back vibe that I enjoy.
Michael Coates:
I think we all could use that laid back coffee, sit in a chair, just chill. That would be good. Absolutely. Yeah. So, you know, one thing that, as I think about the journey you've had and some of the items you mentioned, is that movement from a very technical security person into leadership. It's a path that many people have taken, and we've seen the security leadership role elevate. You know, in years before it was kind of in IT or buried inside the organization, maybe they're like the head security nerd, but now it's moving up into leadership and we're trying to have a seat at the table. But I feel like there's more for us to do. What is your path showing you, and where do we think we need to go to actually have infosec leadership at the company level?
Emilio Escobar:
Yeah, that is true, right? We've historically been a part of technology or part of IT, and I think functionally most of us still report up that chain. Right. But organizationally, some of us, and the number continually seems to grow, have a seat at the table and have conversations and participate in meetings where business decisions get made. I think a couple of things. Leadership is about people. Right? I mean, we touched on that. Right. You have to understand that we get motivated by growing people and by working with people. But ultimately, you know, I think the biggest hurdle that mentally we have to go through, going from a deeply technical role into a leadership role, is that your area of concern is just one area of concern of the business. And there are many others. Right. And your area might not be a priority right now. And you have to be OK with that. Right. Case in point: you know, you can be the most secure company in the world and make zero dollars in revenue, and what is the point? Right? So whatever is actually costing you, or stopping you from increasing or gaining revenue, should be a priority at the moment.
Emilio Escobar:
Right. So I think understanding that helps a lot. So when you do have a seat at the table, you're not just the security person in the room, right, saying, well, this is everything that's going on with security. You have business conversations, right? You know, my recommendation to leaders and CISOs is, partner with the sales team, understand what their challenges are. How do they actually go to market? How do they sell? Partner with marketing. What are we hearing from research, or receiving from research and customer feedback and support teams? Get to know your company and business and get to understand what drives it. Plug in with customers and understand that, because then you become part of the business and not just focused on security. Right? Again, it's just one of the concerns that a company has to deal with. So that's what I learned. And actually, I really enjoy doing that. Right. I think having been doing security for so long, it kind of becomes, it's like, we're not solving new problems; we're solving different versions of the same problems. Right. You talk about inventory management or asset management, change control, configuration control, access controls. They are the same problems all over the place. Right? It's just a different iteration of it because of the advancement of technology. But I like to learn new things, and understanding how the business moves and how it breathes is really what motivates me. So I highly encourage people to get involved in that.
Michael Coates:
Yeah. Your notion of we're solving kind of the same problems in different variations, I so agree. Like the core concepts of security keep holding true. You need to understand what stuff you have to protect, and you have to understand where it is. You have to do minimum access control. But the way in which you do that keeps changing as technology changes, as the organization keeps changing. You know, some of the things that always perplexed us was just, how do we do that at scale? How do we have an automated system that can work? Because the naive way is to say, well, just do it by humans, and man, that doesn't work. That slows your organization to a crawl.
Emilio Escobar:
Yeah. You know, there's one reality security will never have, and I've seen this, you know, and I've been lucky enough to have security programs that have been well supported and budgeted for. And you will never have enough people, right. But even if you look at engineering or product development, if you're a product company, you will never have enough people to build all the products that you want. And it's a skill that you want. So you have to look for efficiencies through automation, repeatable processes, or having other teams own certain tasks that historically security has owned, right, and build new champions, and scale the program that way. So you have to get really creative. So, yeah, I absolutely agree with you.
Michael Coates:
So you're looking at the transition mindset from, well, many years ago, your transition, but your basis in very technical knowledge, this understanding of what a security leader needs to do. You've walked into a new job. So you're in your first six months and you're probably taking it all in, drinking from the fire hose. How do you process that? How do you prioritize? What do you think your first six months will look like? And I guess maybe we can come back in a few months and see if that's what it did look like.
Emilio Escobar:
Yeah, yeah. And I'm not going to be like what we've seen in the news. And don't quote me on what I just said. To me, right now, the first few months is really getting to meet the people, understanding the business. Where is it we are trying to go, what's holding us back, right? You know, luckily, Datadog is a high growth company. Right. So there is also the notion that you can't just wait six months before you start making influence and driving changes. Right. So there's a little bit of an acceleration there that is needed because of our growth. So really for me it has been like, OK, what are the things that are really holding us back, and what changes do we need to introduce to drive those outcomes? And that's what I've been going through. Right. So meeting people, like I said, and by meeting people I mean way outside of the security team. I'm still meeting the team and continuing to do so, continuously meeting and having one-on-ones, but also my peers, leaders, board and, as I said, sales, marketing, customer support and all those teams, and then sort of come up with a plan for what are the things that we need to do. But with the mindset, or the hindsight, that, you know, I can't wait six months; I have to start making changes, which is actually some pressure right now.
Emilio Escobar:
You know, talking to us as individuals, it is a lot of pressure to join an organization and say, OK, I only have like 18 weeks before I start influencing some changes here. Right. Or whatever it is. But that is the value and the benefit of a high-growth company. Right. Where you have that opportunity. So what I think six months are going to look like: it's really just building capabilities that maybe aren't at the level that we need them to be, and being in a high growth company, right, six months from now the company is not going to be the same. So basically keeping up with the change organizationally as well. And how do we meet that on the security and compliance side? So, you know, I also oversee IT. Right. So it's what those six months look like from an IT standpoint and a hiring standpoint. How much procurement and how much lead time do we need to have there? So a lot of learnings, and we just have to get ready for it. But I don't know. I don't have a clear picture of what six months is going to be, because it's not set in stone, but definitely building the capabilities that we might not have, and hopefully a lot of hiring in the future as well.
Michael Coates:
Yeah, and so I didn't know this, but you just mentioned that you also have IT in your reporting structure. So that's fascinating. And that's a model I'm seeing actually more and more. Were you surprised when you were walking in and seeing that was the proposed approach, or were you relieved?
Emilio Escobar:
I wasn't surprised, because it was described to me as that. Right. And I was actually relieved. Right. Because we are a cloud first company, a cloud native company. Right. And we're also a product technology company. Right. So most product technology companies don't have a CIO. Right. And usually all product engineering and security and IT fall under the purview of the CTO. And we want that CTO to be focused on the growth of the engineering discipline and the product development, and not necessarily be focused on IT. So I was actually pleasantly surprised and quite relieved to have it, because there are so, so many implications to security if you don't have a good IT practice. Right. And plus also other business compliance requirements and frameworks that we have to apply to require a mature IT program, and being CISO of the company, right, having to directly face those things and being able to influence the roadmap of these teams makes a lot of sense. Right. So it's good. But being a cloud first company, it's awesome having an IT team in that environment, but it creates some challenges as well. So it leaves room for a lot more automation, a lot more IT engineering. Right. So it's actually a lot more fun work than, I guess, the traditional four-walled IT team that I've seen also in other companies. Right. So it's a lot of learnings and a lot of fun. So I'm learning a lot through it, because I've never overseen IT before. Right. Obviously, my team has always been close to IT, but having it report to me, it's been fun and a lot of learning experience for me.
Michael Coates:
Yes, I recall, you know, in my time at Twitter, IT didn't report to me there either, but they were one of the teams we worked with extensively. And what I really love about this idea of having them report to the same structure is it takes the two elements that are balancing acts and forces them into the same leader. So they have to figure it out. So IT is largely all about, let's make this easy and usable for the company. And on the other side, security is like, well, it's got to be secure. And of course, there's a spectrum here. And when they report into different parts of your organization, you can have people butting heads like, no, we can't do the security, it's not usable. When it's reporting into one org, it's, all right, let's figure out what the middle ground is. And I like that. I think that's a really neat approach.
Emilio Escobar:
Yeah. And, you know, my philosophy of security is that, yes, it has to be secure, but it also has to be usable. Right. So I think having both teams report in, then you organize for that mindset and that skill set across the entire organization. So I think it enables the communication and the processes too. Right. So, yeah, it's a lot of fun to have that.
Michael Coates:
So you mentioned a few times you are very much a cloud first company, and you've probably been heavily exposed to that through your previous roles at Hulu as well. But it's no doubt a migration that companies are making, and perhaps one you made in your transitions dramatically as well. How is this shift to cloud changing your way of thinking about security? Are there things that are totally thrown out of the window and you have to reimagine from scratch, or other processes or technologies that you're leaning heavily on now because of the cloud reality?
Emilio Escobar:
Yeah, I mean, A, moving to cloud native solutions like SaaS and cloud platforms and providers, there is some operational risk you're taking on as a company, right. Now you're relying on somebody else's availability and continuity for your business to continue as well. So there's that, right. So I think that was a big awareness in my career. When companies were transitioning to more cloud services, it's like, right now we don't have control of things, so how comfortable are we with that, and how much have we evaluated those capabilities from this vendor? Second to it is, you know, there's a shared responsibility model. Right. And I know this is a term coined by one particular provider, but I think it applies across the board, where, you know, that platform is going to provide you a service, but it's up to you to actually utilise it very well. Right. They're not, you know, if you're a G Suite shop and you're allocating 20 thousand licenses, like, the vendors are going to come back to you and say, hey, by the way, you're only using 100, are you sure you want to pay me for twenty thousand? Like, that never happens. Right? And nor do I think it should. So the responsibility is on you as a company to drive those efficiencies. Third to it is the data security aspect, right, where now you have data that before, you know, you had the controls, or at least the comfort, of providing only a certain entry way into where your data is, and now it is technologically available from any device anywhere in the world, because it's in the cloud, on the Internet.
Emilio Escobar:
Right. Sure. You have access controls, or you should have access controls and all of those things. But before, you relied on that separation more so than the actual access and authorization controls. Now you don't have that anymore. And you have to worry more about access controls, which go into IT and everything. It means that you have to have good IT and engineering hygiene to make sure that you're authorizing, giving access to these applications, to the right people. You're looking at things like single sign on, multifactor. So there's a lot more to it than before. And I think fourth to that is what cloud services enable. Before, in a, I guess, brick and mortar shop, you had IT sort of owning the technological decisions, and all your decisions for the organization. Now, in a cloud world, you can have marketing go get their own technology. You have sales getting their own technology, you have finance getting their own technology, HR as well. So you have to now partner with those teams more, with the decision making coming from them, not you. And you're only there to make sure that they're doing it effectively and securely. So it changes the responsibility model internally as well. So it's a lot of interesting challenges. Right. But ultimately, I think it wins. To me it's a win, because it puts the responsibility where it goes, right? If I'm on finance and I want to drive when I get an ERP, or what have you in HR, then I should be allowed to make the decision of what system I think meets my need; it is your job to make sure it's secure. And, you know, since IT and security's job is to make sure you are secure and efficient, but I now have a say, whereas before, you know, you had IT teams making those decisions. So that's been the learning. But the data security aspect is obviously, you know, companies like yours are in the space for that. Right. Because it is a difficult problem to solve. It can grow a lot of legs, and it's hard to keep track of.
Michael Coates:
You know, going back to what you said before, where we're seeing the same fundamental problems, but just in different ways, we're talking about the same fundamental problems. Like now what I heard in what you're saying, it's all about access control, just in the new paradigm of this self-service cloud world. Like you said, the marketing team can go self-serve themselves with whatever technology choice they want. And then, all right, well, how do we do access control and authentication here? You know, somewhere in the data context, moving from this centralized model where IT controls every gate to now every employee controls the gate. You want access to this? Sure, I'll give it to you, Bob, there you go, you've got access. So lots more empowerment, which is great. But I think all of us in our security minds can really see how that can go wrong. Yeah, it really pushes us on this trust but verify, this kind of second pass approach, because we know we can't go to these cloud systems and just say, all right, well, if you want to share a document, you've just got to submit a ticket and wait two weeks. That would not go well for anyone.
Emilio Escobar:
Yeah. Yeah. And I think adding to that complexity, right, to your point of being able to gain visibility into what's there, in a centralized model or in a corporate world, right, pre-cloud, all you had to worry about was like, my syslogs making it to a central place, and can we see them, right, and detect. All these providers, they're not sending you logs, you've got to hit their APIs now, so you've got to have the API integration. So that requires, that forces security engineering, and IT, to have an engineering presence to be able to cope with that. Right. Otherwise, you wouldn't be able to have any visibility or ability to respond to things.
Michael Coates:
Yeah, you triggered something for me. Isn't it crazy that for security to even have a chance, we have to get engineering involved and build something custom? And we say it here on the West Coast because, sure, we can do that. But think of what we're saying to the rest of the country, the rest of the world. You want to have a secure company, you want to go build your widget, you want to go sell your thing. Oh, you've got to find engineers inside of security to connect wires, because we can't just give you security that works on its own. That has been like a sticking point for me. And I think I've seen it more in the last many years in Silicon Valley, on the West Coast, like we just have this different world, for sure. We'll throw engineers at the problem. That's not fair. The rest of the country and world doesn't have that luxury. And, man, we have a long way to go.
Emilio Escobar:
We do. And, you know, I think part of the reason is, you know, engineering practices have sort of evolved way faster than I think security practices have, right. And also engineering solutions, or technology that engineers want to use, are way more advanced than security technology. And, you know, you still have companies that will sell you products that are, excuse me, to solve problems back in that corporate brick and mortar world, where it doesn't apply. So we're in a world where now the buyer and the seller, or both, that is to say both the buyer and the seller, are now uninformed about the actual capability of their product. And yet you're buying it. Right. So you're making a lot of bets and putting your neck out there in this decision. But, yeah, you know, there are industries that do not have the luxury or cannot hire the engineering resources that, say, Silicon Valley can. Right. Or technology companies. So absolutely. We've got to find something that works across the world. And, like you said, I think we're years away from figuring that out.
Michael Coates:
Plenty of work to be done, that's for sure. Yeah, so when you look back at the journey you've taken, perhaps the pitfalls you've made, the things that you've figured out that have worked, what would you say to someone else who's a few years into their security career and says, you know, I really want to move into a leadership role in security, I want to really grow my impact in that way? What advice do you have for them, from where you've been?
Emilio Escobar:
Yeah, that's a good question, and I always advise, and I might be an unpopular opinion in this, to focus more on leadership lessons. And read books around leadership, communication, understanding the psychology of the other side. One day, if nothing has been written so far about it, one day I'll have time hopefully to kind of map Maslow's hierarchy of needs to how you actually drive influence from a security standpoint in your organization. But think about it, right. If you join an organization and let's say they can't even keep their own applications up and running efficiently, going in there and saying, OK, but we're also not secure, isn't really going to move the needle. Right. Help them solve that problem. And by the way, by solving that problem, you're also solving security problems as well, right? So I would say read more about leadership and communication and how to work with teams and partner with not just your team but external teams, more than, you know, learning security skills. And I'm not saying don't get skill sets, but to me it's more about learning how to work with others versus how to work with your own teams. Like, you can always hire people who are going to say yes to everything you say and work with you well, but then when you open the door to talk to the team next door, everything falls apart. Right? And then what's the influence and what's the impact? So focus more on leadership. There's a bunch of books that I've read that I recommend, but there's one that is a very tiny book that's called The Right Thing To Say, I believe it is, that is actually very eye opening, because it talks about instead of starting a sentence this way, start it with this other way, and here's the actual psychological impact that your audience is going to get or go through. It was really eye opening. So think about those things, how you communicate with people and how that message gets received by others.
Michael Coates:
Well, yeah, I agree. When I look back at my time at Twitter and I talk about the role, the biggest things I say that matter are exactly that, like understanding the importance of psychology, understanding incentive structures. People do what you incentivize them to do. So if they're going to go complete their team's OKRs and you're not in them, you shouldn't be surprised that they are not doing any of your work. Yeah. And the book you suggested, like, that makes sense, the notion of why does starting a sentence a different way even matter at all? Like, there's a lot to unpack there that will help you, because, man, the ability of empathy and understanding for other leaders, it goes a long way. I think the companies that have shredded this notion of the security team of NO and have moved into that, like, how can we help the business be successful, they go a lot longer. A lot harder.
Emilio Escobar:
Yeah. And that notion, that stigma of NO, or being a gate, it's something that, A, it's a lot easier if you admit to yourself the fact that that's how people see you. Right. And, you know, sort of take a prove-them-wrong mindset. Don't be surprised when that is the reception that you get from other teams, especially when you join an organization as a new person, and work on changing that. Right. And absolutely right, like, you know, understanding how they get incentivized, but also understanding the pressure that those teams are going through as well. Right. So security teams have the pressure of, like, we want to make sure we don't get breached. Right. When in reality, as security teams, you have the pressure of keeping a good risk management portfolio. Right. But also understand that the teams that you're talking to are dealing with external pressures as well. So if you're talking to a product development team, well, they have features that they promised the customers to be done by the end of the quarter. If you're going there a week before the end of the quarter with security things, you're not going to be a priority. And those things should have been addressed beforehand. Right. So I understand that. And I know it's frustrating. Right. So, you know, the topic of burnout gets discussed a lot, right, in security, and I don't want to dismiss it, because I think it's very real, because you do have organizations that do not support security at all. Right. And it can be very toxic. But I wonder how much of that burnout is also self-inflicted, because we want to keep a breach-zero mindset and worry about that all day, instead of thinking about, you know what, this team is not, they are ignoring us and also they don't care about us. It's like, they have other priorities. So how do we work with them to make sure that ours get accounted for? And maybe, like I said, if they're dealing with a systemic issue, we work on that and we work on the other thing. So that's, again, it might be unpopular. Right. But I wonder if that's part of the reason why security professionals get burned out as well, because they only think about security, security.
Michael Coates:
Yeah, I think you've opened a topic we could spend a whole other session on. Yeah, and I think you coined it in a way that's great. I haven't heard it before, but, like, the breach-zero mindset, that's wrong. And it's natural to pursue that. It's because you put the weight, all of the responsibility, the weight on your own shoulders, like there cannot be a breach anywhere. I am the sole defender of this. My head's on the chopping block. And that's not realistic. Like, you can't have a business where one person is responsible for all risk, because if so, they have to be running around approving or not approving every decision, which obviously can't work either.
Emilio Escobar:
Right. Or you will be a company that doesn't grow or move, right? A risk-zero company is a non-moving company. Might as well shut everything down and close the door. So, yeah, but, you know, it's funny, because a lot of times I've seen where the business gets that, where security things or risks are a way of business, but you still see security teams that have that breach-zero mindset and they keep pushing for it. Right. And I understand the pressure, because it could be like, something happens, the security team gets going at all. Security teams are always going to get asked, why did this happen? And what you need to do, I think, is focus more on damage reduction than on avoidance of that breach. Right. Because, again, these are risks. But if you detect it and you can mitigate it, you can contain it, then you did your part, right? I think that's, I value security more so than the "did it happen or not". And focus more on that, which is actually something that most security teams have more control of, at least from a process standpoint, versus worrying about why isn't that team, who has a priority by the end of the quarter, talking to me a week before the end of the quarter.
Michael Coates:
So, yeah. Definitely, Emilio, we covered a lot of good ground. Anything that we might have missed that you wanted to make sure to get out there?
Emilio Escobar:
I think, you know, going through the leadership conversation, one thing that I guess I wanted to bring up, and hopefully get questions now or later, comments, an insult or what have you, is on the security leadership side, right. I saw a thread on Twitter from Lesley (hacks4pancakes) talking about how somebody who is a junior in infosec approached her on the management culture in a toxic environment that person was going through. And I paid close attention to it, because, again, with everything that we've said so far about leadership and how I think about it, and being about the people, it's easy for people who are at a deeply technical skill set to get thrown into managers, because you've been a senior for a couple of years, therefore you can be a manager, and not really transitioning from, like, A, when you're a leader or a manager to the team, that's how people are going to see you. Even though you've worked with these people maybe for three or four or five years, you're now the manager, you're the leader. They're going to look up to you as a leader. So things that you say, how you interact, how you joke with the team, they're not going to mean the same thing as a joke as they used to maybe a couple of months prior, before you being a manager. Now you're the manager, right? So you're holding their life, their livelihood, in your hands as a manager. Right. And their employment status with you. But also making sure to understand that your job is to grow them, not to grow yourself. Right. I forget what book it was, but I remember reading this book that said that a leader gets evaluated, or should be evaluated, by the output of the team and the contributions of the team, not the individual contributions of the leader themselves. So thinking about that, that naturally leads to what you want to call your people, because you want the team to be better, because therefore you look better by indirect involvement there. And so, you know, that's why I called out, like, people not getting performance reviews or not getting feedback from managers. Right. And that's really concerning. Right. Because I don't know if it's a trend across the industry, and it's something I wanted to throw out as an open topic that hopefully will draw more discussion.
Emilio Escobar:
Is it an industry trend or maybe an individual example? But just be aware that you're a technologist and now a leader. You're there to grow your people, and they should be aware of where they stand performance-wise, and they should be praised publicly. And your job as a leader, in my opinion, is to grow them, even if it means that they are outgrowing you. Right. And that should be a good sign of a good leader, and you shouldn't be afraid of that. But I want to throw it out there, because I saw it on Twitter and it got quite a few, it got some traction there and a lot of comments. Right. So I wanted to make sure I threw it out there. And thank you for those industry members who get involved in leadership conversations and who people go to for mentorship and all of these conversations, because I can put myself in the shoes of a junior person in this industry, which is a very difficult industry to get into and very intimidating as well, and not having a voice to be heard can be extremely difficult. So, give them a shout-out.
Michael Coates:
It seems like an interesting reality for the security field. I mean, clearly there is management and leadership in every field, of course. But the transition that I've seen in the security field is, years ago you would get a CISO that we brought in that would be more of a traditional leader, but they'd be coming from a different discipline. So you get a business leader, maybe you get somebody from legal, and they wouldn't understand the nuances or the fundamentals of security, so they wouldn't have as much appreciation for it. And I'm seeing that shift. I'm seeing now the new batch of CISOs have come from the technical track. So they have the foundation, they've made the leadership jump. But now the challenge we have is exactly what you said, which is sometimes you get the most technical person who's been around and, alright, you're the manager now. Maybe you are not CISO, but you're a manager of a team or a director. And that is a fundamental shift. I've had people explain it to me, like going from an IC engineer to a manager of engineers is a new job. And so you should be investing all the time you invested in university or certifications or self-study, think of that all again. And you mentioned earlier this notion of why. And that reminded me of a really good video. I think it's a TED talk and it's called Start with Why, and as a leader trying to motivate your team and organize, like, that's fascinating. And man, when I worked at Mozilla, we had plenty of experiments and different rapid promotions that showed some of these problems. Just to put it clearly, a few people who were there went off. So Johnathan and Melissa Nightingale, they went off and built, I think, a company, but also wrote a book called How F*cked Up Is Your Management? And man, is that a good book to read. If you find yourself in a Silicon Valley company, a high-tech company, like, something's not right here, man. I love that book. And it really gets to some good points that you mentioned as well.
Emilio Escobar:
Oh, I will definitely give that a read. Thanks for that. Yeah. Yeah. It always excites you to read about management and, you know, even older books like Andy Grove's High Output Management. Right. I think it is a great book to read, and it's crazy when it was written, and a lot of it still applies. Right. And it's pretty amazing. That tells you that there is a philosophy and a framework behind us that we should be paying closer attention to. Right. It's like the laws of physics, because they actually are impactful and meaningful, right, in truth. So, but yeah, yeah, I wanted to get that shout-out because, like I said, there was a lot of activity on that thread, and I heard from and saw other people chiming in about, like, they're going through the same thing, where their value, their contributions are not valued enough. They're not getting feedback in time. And this is pretty scary, because considering everything we just talked about, how difficult it has been for security to evolve to meet engineering and the business where they are, if you have poor management within security, then it just makes that outcome so much more difficult. Right. And for sure, you know, most likely that kind of environment leads to, like, being a gate or a team of NO, of naysayers. Right. And just being toxic across the organization. So, yeah, definitely, Michael, we need to have more leadership training when it comes to, you know, if you look at security certifications, I don't know of any certification that actually focuses on leadership and growth. Right. Everything is leading security from a policy standpoint or building a roadmap. Right. Or governance. But I don't think there is any certification or training that talks about how to become a good leader in this very field, that can be very highly technical.
Michael Coates:
I think that's a good point. We can certainly look at leadership training across the board, but we need to purposely go out and find it. Yeah, it's a gap that needs to be discussed a lot more. Absolutely. Very good. Well, thank you so much, Emilio. It seems like it's time to go and refill our coffees. I know we could otherwise chat for hours here, but the chocolate house here is asking for your last call.
Emilio Escobar:
Yeah. The staff is telling us to buy something or leave, so I totally get it. Yeah.
Michael Coates:
That woman over your shoulder has been looking at you for a while, so.
Emilio Escobar:
Yeah, I don't know what that means. We'll get another coffee.
Michael Coates:
Awesome. Well, thanks, everybody, for joining, and thanks so much, Emilio. Really appreciate it. If you've enjoyed this webcast, we have many more of them coming, many more on the website. There's a podcast available if that's your style. So hope that you tune in and keep fighting the good fight. Everybody in the security field, it's a big, challenging area and lots of work to do for us.
Emilio Escobar:
Absolutely. Yeah. Thanks for having me. And yeah, look forward to any future conversations. This is fun. Thank you.