CISO to CISO Webcast with Emilio Escobar, CISO of Datadog and Formerly VP of InfoSec at Hulu

GMT20201104-173102_CISO-to-CISO Emilio 3 Audio Only.m4a transcript powered by Sonix—easily convert your audio to text with Sonix.

GMT20201104-173102_CISO-to-CISO Emilio 3 Audio Only.m4a was automatically transcribed by Sonix with the latest audio-to-text algorithms. This transcript may contain errors. Sonix is the best audio automated transcription service in 2020. Our automated transcription algorithms works with many of the popular audio file formats.

Michael Coates:
Welcome, everyone, to another edition of the CISO to CISO Webcast. I'm your host, Michael Coates. I'm the CEO and co-founder of Altitude Networks and former CISO of Twitter. So that's that's my ticket to get here today, the CISO discussion, but super excited for our guests today. Welcome, Emilio. So happy to have you here.

Emilio Escobar:
Hello. Thanks for having me. Definitely an exciting to chat. I know it's been something we've been planning for quite a while.

Michael Coates:
Yes. Yes, definitely. So a little bit of background, Emilio, I can't wait for you to share more, but Emilio is the CISO at Datadog, was a former VP of security at Hulu. And then quite a bit more experience in the field before that. We're going to a really interesting discussion today. But Emilio, tell us about your journey to becoming a CISO. How did you get there? It's a very different path for everyone and I think it's pretty cool the different ways people get into that role.

Emilio Escobar:
Yeah, for sure. Yeah, I think so how I got, I guess I'm going to get started with how I got into security, it was a different time, right, and something that I'm very cognizant of that getting into the industry, that I think is something we're going to talk to a little bit later is much different than when I was right. In the early 90s, mid 90s, there was a lot of interest in security, right. A lot of information out there. So when I was exposed to the online world, I naturally gravitated to how do I get information that isn't just there and how do I learn from other people? Right. So you could get into security back then by reading a bunch of text files, BBSes and IRC channels. So I guess in a way it was easier than it is now and less pressure. But I come from a software background, right? So I have a computer science degree in writing software for many, many years, sort of super early and naturally gravitated to getting a good understanding of and curiosity for how applications work. You know, back in I remember IRC was a bigger thing than it is now. So finding bugs in IRC demons and those who crashed a server was like what I did for fun.

Emilio Escobar:
And so sorry if anyone if you were watching this was part of that. But it was just that curiosity. Right. And and, you know, after a while I took it seriously and made it a career. I work at the NSA when I was in college, doing a semester at work and the semester back in school until I finished my degree. And then from there I always wear multiple hats. So while in college, before NSA or even after I work for an Internet provider and then a cell phone carrier and I was wearing multiple hats, doing development, but also, oh, you know, security. Maybe you should do some security for us and you know, things like hammer and all that stuff we're impacting back then. And so it was cool to play with those things but also deal with the response of it. So naturally move up the ranks there. Did consulting, security consulting for a little bit. And through that I met PlayStation, who was interested in and growing the team and building a software security program. So I joined to do that and did it for a couple of years and grew a team and it has grown since then.

Emilio Escobar:
But I think the progression toward CISO was, I always had an inclination for how do we solve problems together. Right. An understanding more of the why we're doing things and explained to why working with people to sort of go through that, that hump of understanding that why and getting to the point where we're wanting to work together. And I think that naturally led me to grow a team, build teams and take on the CISO role, because, you know, that is what a CISO is there to do. Right? By influenced then by extent rather than execution. So building relationships, understanding the psychology behind of what are the needs of their organization and the teams and how do we meet them halfway so we can get some value for they also get some value. Right. So I think that's all I got to be where I am and I'm grateful to to do it and be where I am right now. But it's more about solving problems and working with people that the technical skill set that got me to the CISO role.

Michael Coates:
Yeah, I think that's fascinating because many of us start with that technical tinker mindset. But it's I feel like it's very much well, how do you solve this problem? You're trying to pick it apart and it's got the the mystery of the technical details. I mean, we could, of course, you could read the manual and maybe you do. But the manuals are often wrong. And so it's very much like, let's figure it out. And that mindset, sometimes I think it's fascinating. It translates into, well, how do we solve bigger problems that involve humans? And man, I certainly found that's like a whole new challenge because the humans don't operate the same way that computers do, that's for sure.

Emilio Escobar:
Yeah, absolutely. There's a lot of more variables to consider when it comes to humans, I put it in computer terms. But yeah, I think, you know, for me, I always wanted and build organization and teams where you can just plug my teams in any part of the organization and they will fit in and work well with the stakeholders. And that's the kind of relationships that I like to build. And once you open those doors, you know, way from a continuity standpoint, the CISO can go elsewhere and those relationships stay, right? And I always think that that's important. But yeah, working with people you have to consider, especially with what's happening this year, right? You have to be conscious of the fact that there are a lot of more external pressures and just work and companies are a growing but also identifying that the pandemic as a business risk that we need to be cognizant of, and how do you grow within that, and the pressures there. So dealing with humans is much different than computers. I wish the world will be binary and it is not right securities. It works in all shades of grey. Right. So we have to be comfortable with that.

Michael Coates:
Agreed. Let's see. So we have the opportunity to get together so graciously flown to where we are on location. You know, this webcast is being sponsored by Altitude Networks. Very briefly, Altitude Networks is solving the challenge of data security in the cloud, in collaboration platforms like G Suite and Office 365. So if you're sharing documents and wondering who has access across your company, wondering how you do secure offboarding in the cloud, that's our world. So check us out at our website. And Emilio, this location that you chose for us to go to first class flights, of course, where in the world did you take us? Where are we?

Emilio Escobar:
We are in Madrid, Spain, right now. So we're enjoying some coffee out in the, what appears to be the empty streets of Madrid. So it's a very, very, very soothing for today's times. But it's a nice Spanish coffee for a good price and just having a good chat.

Michael Coates:
And is Madrid a location you've been to several times before?

Emilio Escobar:
Yes. So I've actually been once I have family there, but I went to Madrid when I was 11 or 12 and haven't been there since. And we're planning on hopefully going back, but definitely loved it and would love to go again and see how much has changed in the last many years since I've been there and how it changed with what's going on. But, you know, this is the typical Madrid where you can actually go enjoy a coffee or snacks and out in the street somewhere and spend a whole day there if you want to. Right. That's that's a kind of laid back vibe that I enjoy.

Michael Coates:
I think we all could use that that laid back coffee, sit in a chair, just chill. That would be good. Absolutely. Yeah. So, you know, one thing that, you know, as I think about the journey you've had and some of the items you mentioned, that movement from a very technical security person into leadership. It's a path that many people have taken, but and we've seen the security leadership role elevate, you know, previously in years before it's kind of in the IT or buried inside the organization, maybe they're like the head security nerd, but now it's moving up into leadership and we're trying to have a seat at the table. But I feel like there's more for us to do. What is your path showing you and where do we think we need to go to actually have infosec leadership at the company level?

Emilio Escobar:
Yeah, that is true, right? We've historically been a part of technology or part of IT and I think functionally most of us still report up that chain. Right. But organizationally, we, you know, some of us and continually seem to grow, have a seat at the table and have conversations that participate in meetings where business decisions get made. I think, you know, a couple of things is, leadership is about people. Right? I mean, we touch up on that. Right. You have to understand that we want to we get motivated by growing people and by working with people. And but ultimately, you know, I think the biggest sort of hurdle that mentally we have to go through, going from a deeply technical role into a leadership role, is that your area of concern is just one area of concern of the business. And there are many others. Right. And in your area might not be a priority right now. And you have to be OK with that. Right. Casing point. You know, you can be the most secure company in the world and make zero dollars revenue, and what is the point? Right, so what's actually costing you to not increase or gain revenue should be a priority at the moment.

Emilio Escobar:
Right. So I think understanding that helps a lot. So when you do have a seat at the table, you're not just the security person in the room. Right. Saying like, well, this is all everything that's going on with the security. You have business conversations, right? You you know, my recommendation to to leaders and CISOs is, you know, partner with the sales team, understand what their challenges are. How do they actually go to market? How do they sell. Partner with marketing. What are we hearing from research or receive from research and customer feedback and support teams? Get to know your company and business and get to understand what drives it. Plug in with customers and understand that because then you become part of the business and not just like focus on security. Right? Again, it's just one of the concerns that a company has to deal with. So that's what I learned. And actually, I really enjoy doing that. Right. I think being doing security for so long, it kind of becomes, it's like solving new problems. We're solving different versions of the same problems. Right. You talk inventory management or asset management, change control, configuration control, access controls. There are the same problems all over the place. Right? It's just a different iteration of it because of the advancement of technology. But I like to learn new things and understanding how the business moves and how it breeds is really what what motivates me. So I highly encourage people to get involved in that.

Michael Coates:
Yeah. Your notion of we're solving kind of the same problems in different variations, I, I so agree. Like the core concepts of security keep holding true. But you need to understand what stuff you have to protect you and you have to understand where it is. You have to do minimum access control. But the, the way in which you do that keeps changing as technology changes, as the organization keeps changing. You know, some of the things that always perplexed us was just how do we do that at scale? How do we have an automated system that can work? Because the naive way is to say, well, just do it by humans, and man, that doesn't work. That slows your organization to a crawl.

Emilio Escobar:
Yeah. You know, there's one reality security will never have. And and and I've seen this, you know, and I've been lucky enough to have security programs that have been well supported and budgeted for and. And you will never have enough people, right, but even if you look at engineering or product development, if you're a product company, you will never have enough people to build all the products that you want. And it's a skill that you want. So you have to look for efficiencies through automation, repeatable processes, or having other teams own certain tasks that historically security has own right and build new champions, and scaling the program that way. So you have to get really creative. So, yeah, I absolutely agree with you.Y

Michael Coates:
So you're looking at the like the transition mindset from, well, many years ago, your transition, but your basis in very technical knowledge, this understanding of what a security leader needs to do. You've walked into a, you know, a new job. So you're in your first six months and you're probably taking it all in drinking from the fire hose. How do you process that? How do you prioritize? What does your first six months what do you think it will look like? And I guess maybe we can come back in a few months, if that's what it did look like.

Emilio Escobar:
Yeah, yeah. And I'm not going to be like what we've seen in the news. And what if you don't quote me on what I just said to me, you know, to me right now, the first few months is really getting to meet the people, understanding the business. Where is it we are tying to go, what's holding us back, right? You know, luckily, you know, Datadog is a high growth company. Right. So there is also the notion of you can't just wait six months before you start making influence and driving changes. Right. So there's a little bit of an acceleration there that is needed because of our growth. So really for me has been like, OK, what are the things that are really holding us back and what changes that we need to introduce to drive those outcomes. And that's what I've been going through. Right. So meeting people, like I said, and by meeting people, I mean way outside of the security team, but I've I'm still meeting the team and continually, continuously to do so, continuously meet and have one-on-ones. But my state, my peers, leaders, board and I said sales, marketing, customer support and all those teams and then drive and then sort of come up with a plan for what are the things that we need to do. But with a mindset or the hindsight that, you know, I can't wait six months, I have to start making changes, which is actually some pressure right now.

Emilio Escobar:
You know, talking to us as an individual is a lot of pressure to join our organization to say, OK, I only have like 18 weeks before I start influencing some changes here. Right. Or whatever it is. But that is a value in the benefit of a high-growth company. Right. Where you have that opportunity. So what I think six months are going to look like. It's really just building capabilities that maybe there are in at the level that we need to be in and being in a high growth company. Right. Six months from now, the company is not going to be the same. So basically keeping up with the change organizationally as well. And how do we meet that on the security and compliance side? So, you know, I also oversee IT. Right. So it's what those six months look like, from an IT standpoint and hiring standpoint. How many procurement and how much lead do we need to have there? So a lot of learnings and we just have to get ready for it. But I don't know. I don't have a clear picture of what six months is going to be because it's not set in stone, but definitely building our capabilities that we we might not have and hopefully a lot of hiring in the future as well.

Michael Coates:
Yeah, and so I didn't know this, but you just mentioned that you also have I.T. in your reporting structure. So that's fascinating. And that's a model I'm seeing actually more and more. Were you surprised when you were walking in and seeing that was the proposed approach or are you relieved?

Emilio Escobar:
I, you know, I wasn't surprised because he was you know, it was described to me as that. Right. And I was actually relieved. Right. Because if, we are a cloud first company, cloud native company. Right. And we're also a product technology company. Right. So most private technology companies don't have a CIO. Right. And they usually write all product engineering and security and it falls under the purview of the CTO. And we want that CTO to be focused on the growth of the engineering discipline and the product development, and not necessarily be focused on it. So I was actually pleasantly surprised and quite relieved to have it because there are so, so many implications to where security if you don't have a good I.T. practice. Right. And so plus also other business compliance requirements and frameworks that we have to apply to require a maturity I.T. Program and being CISO of the company, right, having to directly face those things and being able to influence that roadmap of these teams and makes a lot of sense. Right. So it's good. But being a child first company is awesome having an I.T. team in that environment because it's, but it creates some challenges as well. So it leaves for a lot more automation, a lot more I.T., engineering. Right. So it's actually a lot of fun work then, I guess traditional four-walled I.T. team that I've seen also in other companies. Right. So it's a lot of learnings and a lot of fun. So I'm learning a lot through it because I've never overseen I.T. Before. Right. Obviously, my team has always been close to I.T., but being a part of having it reported to me, it's been fun and a lot of learning experience for me.

Michael Coates:
Yes, I recall, you know, in my time at Twitter, it didn't report to me there either, but they were one of the teams we worked with extensively. And what I really love about this idea of having them report to the same structure is it takes the two elements that are balancing acts and forces them into the same leader. So they have to figure it out. So I.T. is largely all about like, let's make this easy and usable for the company. And on the other side, security is like, well, it's got to be secure. And of course, there's a spectrum here. And when they report in different parts of your organization, you can have people butting heads like, no, we can't do the security, it's not usable. When it's reporting in one org, all right, let's figure out what the middle ground is. And I think I like that. I think that's a really neat approach.

Emilio Escobar:
Yeah. And, you know, my philosophy of security is that, yes, it has to be secure, but it also has to be usable. Right. So I think having both teams report, then you organize for that mindset and that skill set across the entire organization. So I think it enables the communication and the processes too. Right. So, yeah, it's been it's a lot of fun to have that.

Michael Coates:
So you mentioned a few times you are very much a cloud first company and you've probably been heavily exposed to that through your previous roles at Hulu as well, but. It's no doubt a migration that companies are making and perhaps one you made in your transitions dramatically as well. How is this shift to cloud changing your way of thinking about security? Are there things that are totally thrown out of the window and you have to reimagine from scratch or other processes or technologies that you're leaning heavily on now because of the cloud reality?

Emilio Escobar:
Yeah, I mean, A, it's a, moving to to cloud native solutions like SaaS and cloud problems and providers like there is some operational risk you're taking from a company, right, now you're relying on somebody else's availability and continuity for you, for your business to continue as well. So there's that right. So I think that was a big awareness in my career. When we were transitioning, companies were transitioning to more cloud services is like right now we don't have control of things like how comfortable are where are we with and how much have we evaluating those capabilities from this vendor? Second to it is, you know, there's a shared responsibility model. Right. And I know this is a term coined by by one particular provider, but I think it applies across the board where, you know, that platform is going to provide you a service, but it's up to you to actually utilise it very well. Right. They're not you know, if you're a G Suit shop and you're allocating 20 thousand licenses, like the vendors are going to come back to you and say, hey, by the way, you're only using 100 like, are you sure you want to pay me for twenty thousand? Like that never happens. Right? And nor do I think it should. But so the responsibilities are on you as a company to drive those efficiencies. There are two that is a data security aspect, right, where now you have data that before, you know, you had the controls or at least the comfort of providing only asserting entry way into where your data is and now is available from, but technologically available from any device anywhere in the world because it's in the cloud on the Internet.

Emilio Escobar:
Right. Sure. You have access controls or you should have access controls and all of those things. But but before you relied on that separation, more so than the actual access and authorization controls, now, use of don't have that anymore. And you have to worry more about access controls which go into I.T. and everything. It means that you have to have a good I.T. and an engineering hygene to make sure that you're authorized, given access to these applications to the right people. You're looking at those you have things like single sign on multifactor. So there's a lot more to it than before. And I think fourth to that is what cloud services enable is now you have before, in a, I guess, a brick and mortar shop, you had I.T. sort of owning the technological decisions and all your decisions for the organization. Now, in a cloud world, you can have marketing go get their own technology. You have sales getting their own technology, you have finance getting their own technology, HR as well. So you have to now partner with those teams more with the decision making is coming from them, not you. And you're only there to make sure that they're doing it effectively and securely. So it changes the responsibility model internally as well. So it's a lot of interesting challenges. Right. But ultimately, I think it wins. To me it's a win because he puts the responsibility where it goes right of, if on finance and I want to drive when I get an ERP or what have you an HR. Then I should be allowed to make the decision of what system things I think meets my need, it is your job to make sure it's secure and, you know, since I.T. and security job is to make sure you are secure and efficient, but I now have a say, whereas before, you know, you had I.T. teams making those decisions. So that's been the learning. But the data security aspect is obviously, you know, companies like yours are in the space for that. Right. Because it is a difficult problem to solve. It can carry a lot of legs and it's hard to keep track of.

Michael Coates:
You know, going back to what you said before, where we're using the same fundamental problems, but just in different ways, we're talking the same fundamental problems. Like now what I heard and what you're saying, there's all about access control just in the new paradigm of this self-service cloud world. Like you said, the marketing team can go self-serve themselves with whatever technology choice they want. And then. All right, well, how do we do access control and authentication here? You know, somewhere in the data context, moving from this centralized model where I.T. controls every gate to now every employee controls the gate. You want access to this? Sure. I'll give it to you, Bob, there you go. You've got access. So lots more empowerment, which is great. But I think all of us in our security minds can really see how that can go wrong. Yeah, it really pushes us on this trust but verify this kind of second pass approach because we know we can't go to these cloud systems and just say, all right, well, if you want to share a document, you just got to submit a ticket and wait two weeks like that. Would that would not go well for anyone.

Emilio Escobar:
Yeah. Yeah. And I think adding to that complexity, right to your point of being able to gain visibility to what's there, is in a centralized model or in a corporate world. Right. Pre-cloud, all you have to worry about was like, my sys logs making it to a central place and can we can we see them, right, and detect. All these providers, they're not sending you logs, you've got to hit their APIs now, so you've got to have API, the API integration. So that requires that force a security engineer, and I.T. to have an engineering presence, to be able to cope with that. Right. Otherwise, you wouldn't be able to have any visibility or ability to respond to things.

Michael Coates:
Yeah, you triggered something for me. Isn't it crazy that for security to even have a chance, we have to get engineering involved and build something custom, and we say it here on the West Coast because sure, we can do that. But think of what we're saying to the rest of the country, the rest of the world. You want to have a secure company, you want to go build your widget. You want to go sell your thing. Oh, you've got to find engineers inside of security to connect wires because we can't just give you security that works on its own. That has been like a sticking point for me. And I think I've seen it more in the last many years in Silicon Valley on the West Coast, like we just have this different world for sure. We'll throw engineers at the problem. That's not fair. The rest of the country and world doesn't have that luxury. And, man, we have a long way to go.

Emilio Escobar:
We do. And, you know, and I think it's part of the reason is, you know, engineering practices have sort of evolved way faster than I think security practices have, right. And also engineering solutions or technology that engineers want to use are way more advanced than security technology. And, you know, you still have companies that will sell you products that are, excuse me, to solve problems back in that corporate brick and mortar world where it doesn't apply. So we're in a world where now the buyer and the seller or both, that says that both the buyer and the seller are now uninformed about the actual capability of their product. And yet you're buying it. Right. So you're making a lot of bets and putting your neck out there in this decision. So but, yeah, you know, there are industries that do not have the luxury or cannot hire the engineering resources that say Silicon Valley can. Right. Or technology companies. So absolutely. We got to find something that works across the world and. What I guess, like you said, I think we're years away from from figuring that out.

Michael Coates:
Plenty of work to be done, that's for sure. Yeah, so when you look back at the journey you've taken, perhaps the pitfalls you've made, the things that you've figured out that have worked, what would you say to someone else who's a few years in their security career and says, you know, I really want to be I want to move into a leadership role in security. I want to really grow my impact in that way. What advice do you have for them from where you've been?

Emilio Escobar:
Yeah, that's a good question and I always advise and I might be an unpopular opinion in this, to focus more on leadership. Lessons. And read books around leadership, communication, understanding the psychology of the other side. One day, if nothing has been written so far about it, one day I'll have time hopefully to kind of map Maslow's hierarchy of needs to how you actually drive influence from a security standpoint to our organization. But think about it, right. If you join the organization and let's say they can't even keep their own applications up and running efficiently, going in there and saying, OK, but we're also not secure, isn't really going to move the needle. Right. Help them solve that problem. And by the way, and by solving that problem, you're also solving security problems as well, right? So I would say read more about leadership and communication and how to work with teams and partner with not just your team, but external teams, then, you know, learn security skills, and I'm not saying not getting skill sets, but to me it's more about learning how to work with others versus how to work with your own teams. Like you can always hire people who are going to say yes to everything you say and work with you well, but then when you open the door to talk to the team next door, everything falls. Right? And then what's the influence and what's the impact? So focus more about leadership. There's a bunch of books that I've read. I recommend, but there's one that is a very tiny book that's called The Right Thing To Say, I believe it is, is actually very eye opening because it talks about instead of starting a sentence with this started with this way. And here's the actually the psychological impact that you're your audience is going to get or go through. It was really eye opening. So think about those things, how you communicate with people and how that message gets received by others.

Michael Coates:
Well, yeah, I agree. When I look back at my time at Twitter and I talk about the role, the biggest things I say that matter are exactly that, like understanding the importance of psychology, understanding incentive structures, people who do what you incentivize them to do. So if they're going to go complete their teams, OK, and you're not in it, you shouldn't be surprised that they are not doing any of your work. Yeah. In the book you suggested like that makes sense if the notion of why does starting a sentence a different way even matter at all? Like there's a lot to unpack there that will help you because, man, the ability of empathy and understanding for other leaders, it goes a long way. I think the companies that have shredded this notion of the security team of NO and have moved into that like how can we help the business be successful, they go a lot longer. A lot harder.

Emilio Escobar:
Yeah. And that notion, that stigma of NO or being a gate, it's something that, A, you have to you know, it's a lot easier if you admit to yourself of the fact that that's how people see you. Right. And, you know, sort of like take and prove, prove them wrong mindset. Don't be surprised when that is that the reception that you get from from other teams, especially when you join an organization as a new person and work on changing that. Right. And absolutely right. Like, you know, understanding how they get incentivized, but also understanding the pressure that those teams are going through as well. Right. So security teams have the pressure of like we want to make sure we don't get breached. Right. When when in reality, security teams, you have the pressure of keeping a good risk management portfolio. Right. And but also understand that the teams that you're talking to are dealing with external pressures as well. So if you're talking to a product development team, well, they have features that they promise the customers to be done by the end of the quarter. You're going there a week before the end of the quarter with security things. You're not going to be a priority. And those things should have been addressed beforehand. Right. So I understand that. And I know I know it's frustrating. Right. So, you know. You know, the topic of burnout gets discussed a lot, right, and security and and, you know, I don't want to dismiss it because I think it's very real because you do have organizations that do not support security at all. Right. And it can be very toxic. But I wonder how much of that burnout is also self-inflicted because we want to keep a breach-zero mindset and worry about that all day. And instead of thinking about, you know what, this team is not, they are ignoring us and also they don't care about us. It's like they have other priorities. So how do we work with them to make sure that ours get accounted for? And maybe, like I said, if they're dealing with a systemic issue, we work on that and we work on the other thing. So that that's, again, it might be unpopular. Right. But I wonder if that's part of the reason why security professionals get burned out as well, because they only think about security, security.

Michael Coates:
Yeah, I think you've opened a topic we could spend a whole other session on. Yeah, and I think you coined it in a way that's great. I haven't heard it before, but like the breach-zero mindset, that's wrong. And it's natural to pursue that. It's because you put the weight, all of their responsibility, the weight on your own shoulders, like there cannot be a breach anywhere. I am the sole defender of this. My head's on the chopping block and that's not realistic. Like, you can't have a business where one person is responsible for all risk, because if so, they have to be running around approving or not approving every decision, which obviously can't work either.

Emilio Escobar:
Right. Or you will be a company that doesn't grow or move right? Risk-zero Companies is a non moving company. Might as well shut everything down and and close the door. So, yeah, but, you know, it's funny because a lot of times I've seen where the business gets that, where security things or risks are a way of business, but you still see security teams that have that breach-zero mindset and they keep pushing for it. Right. And I understand the pressure, because it could be like something happens, the security team gets going at all. Security teams always gonna get asked, why did this happen? And what you need to do, I think is focused more on damage reduction than on avoidance of that breach. Right. And because, again, these are risks. But if you detect it and you can mitigate it, you can contain it, then you did your part, right? I think that's I value security more so than the did it happen or not? And focus more on that, which is actually something that most security teams have more control of, at least from a process standpoint, versus worrying about why isn't that team who has a priority by the end of the quarter isn't talking to me a week before the end of the quarter.

Michael Coates:
So, yeah. Definitely, Emilio. We covered a lot of good ground, anything that we might have missed that you wanted to make sure to get out there.

Emilio Escobar:
I think, you know, going through to the leadership conversation, one thing that I guess I wanted to bring up and hopefully get questions now or later comments an insult or what have you, is on the security leadership side, right. I saw a thread on Twitter from Leslie Hacks for pancakes. Talk about how somebody who is a junior and infosec, how to approach her on the management culture in a toxic environment that person who was going through. And I pay close attention to it, because again with everything that we've said so far about leadership and how I think about it and being about the people, it's easy for people who are at a deeply technical skill set to get thrown into managers because you've been a senior for a couple of years therefore, you can be a manager, and not really transitioning from like A, when you're a leader or a manager to the team, that's how people are going to see you, even though you've worked with these people maybe for three or four or five years, you're now the manager, you're the leader. They're going to look up to you as a leader. So things that you say, how you interact, how you joke with the team, they're not going to mean the same thing as a joke as they used to maybe a couple of months prior before you being a manager. Now you're the manager, right? So you're holding their life, livelihood on your hands as a manager. Right. And their employment status with you, but also making sure to understand that your job is to grow them, not to grow yourself. Right. I forget what forget what book it was. But I remember reading this book that said that a leader gets evaluated or should be evaluated by the output of the team and the contributions of the team, not the individual contributions of the leader themselves. So thinking about that, that naturally leads to what you want to call your people because you want the team to be better, because therefore you look better by indirect involvement there. And I so, you know, that's why I called out for, like, people not getting performance reviews or not getting feedback from managers. Right. And that's really concerning. Right. Because I don't know if it's a trend across the industry and something I wanted to throw out as an open topic that hopefully will draw more discussion.

Emilio Escobar:
Is it an industry trend or maybe an individual example? But just be aware that you're a technologist and now a leader. You're there to grow your people and they should be aware of where they stand performance wise and they should be praised publicly. And your job as a leader, in my opinion, is to grow them, even if it means that there are growing you. Right. And that should be a good sign of if a good leader and you should be afraid of that. But I want to throw it out there because I saw it on Twitter and it will like quite a few, they caught quite a few. It got some traction there and a lot of comments. Right. So I wanted to make sure I threw it there. And thank you for those industry members who who get involved in leadership conversations and people go to for mentorship and all of these conversations, because I can put myself in the shoes of a junior person in this industry, which is a very difficult industry to get into and very intimidating as well, and not having a voice to to be heard is can be extremely difficult. So, give them a shout out,

Michael Coates:
It seems like an interesting reality for the security field. I mean, clearly there is management and leadership in every field, of course. But the transition that I've seen in the security field is years ago you would get a CISO that we brought in, that would be more of a traditional leader, but they'd be coming from a different discipline. So you get a business leader, maybe you get somebody from legal and they wouldn't understand the nuances or the fundamentals of security, so they wouldn't have as much appreciation for it. And I'm seeing that shift. I'm seeing now the new batch of CISOs have come from the technical track. So they have the foundation, they've made the leadership jump. But now the challenge we have is exactly what you said, which is sometimes you get the most technical person who's been around and, alright, you're the manager now, maybe you are not CISO but you're a manager of a team or director. And that is a fundamental shift. I've had people explain it to me, like going from a IC engineer to a manager of engineers is a new job. And so you should be investing all the time you invested in university or certifications or self-study, think of that all again. And you mentioned earlier this notion of why. And that reminded me of a really good video. I think it's a TED talk and it's called Start with Why, and as a leader trying to motivate your team and organize like that's fascinating. And man, when I worked at Mozilla, we had plenty of experiments and different rapid promotions that showed some of these problems. Just to put it clearly, a few people who are there went off. So Jonathan and Melissa Nightingale, they went off and built, I think, a company, but also wrote a book called How F*cked Up Is Your Management? And Man, is that a good book to read? If you are if you find yourself in a Silicon Valley company, a high tech company, like something's not right here, man. I love that book. And it really gets to some some good points that you mentioned as well.

Emilio Escobar:
Oh, I will definitely give that a read. Thanks for that. Yeah. Yeah. It always excites you to read about management and, you know, even older books like Andy Grove's High Output Management. Right. I think it is a great book to read and a crazy study was written when it was written. And and it's still a lot of it still applies. Right. And it's pretty amazing that tells you that there is a philosophy and a framework behind us that we should be paying closer attention to. Right. It's like the law of physics or the law of physics, because they actually are impactful and meaningful, right. In truth. So but yeah, yeah, I wanted to get that shot out because, like I said, it was a lot of activity on that thread and heard from and saw other people chiming in about like they're going through the same thing where their value, their contributions are not valued enough. They're not getting feedback in time. And this is pretty scary because considering everything we just talked about, how difficult security had to evolve to meet engineering and the business where it used to be. If you have poor management within security, then he just makes that outcome so much more difficult. Right. And for sure, you know, most likely that kind of environment leads to like being a gate or a team of NO of naysayers. Right. And just being a toxic across the organization. So, yeah, definitely. Michael, we need to have more leadership training when it comes to, you know, if you look at security certifications, I don't know of any certification that actually focuses on leadership and growth. Right. Everything is leading security from a policy standpoint or building a roadmap. Right. Or governance. But I don't think there is any certification of training talks about how to become a good leader in this very field. That can be very highly technical.

Michael Coates:
I think that's a good point. We can certainly look at leadership training across the board, but we need to purposely go out and find it. Yeah, it's a gap that needs to be discussed a lot more. Absolutely. Very good. Well, thank you so much, Emilio. It seems like it's time to go and refill our coffees. I know we could otherwise chat for hours here, but the the chocolate house here is asking for your last call.

Emilio Escobar:
Yeah. The staff is telling us to buy something or leave, so I totally get it. Yeah.

Michael Coates:
That woman over your shoulder has been looking at you for a while, so.

Emilio Escobar:
Yeah, I don't know what that means. We'll get another coffee.

Michael Coates:
Awesome. Well, thanks everybody for joining and thanks so much Emilio. Really appreciate it. If you've enjoyed this webcast, we have many more of them coming. Many more on the website. There's a podcast available if that's your style. So hope that you tune in and keep fighting the good fight. Everybody in the security field is a big challenging area and lots of work to do for us.

Emilio Escobar:
Absolutely. Yeah. Thanks for having me. And yeah, look forward to any future conversations. This is fun. Thank you.

Automatically convert your audio files to text with Sonix. Sonix is the best online, automated transcription service.

Sonix uses cutting-edge artificial intelligence to convert your m4a files to text.

Create better transcripts with online automated transcription. Sometimes you don't have super fancy audio recording equipment around; here's how you can record better audio on your phone. Audio to text transcription just got more accurate. Automated transcription is much more accurate if you upload high quality audio. Here's how to capture high quality audio. Sonix has the world's best audio transcription platform with features focused on collaboration. Automated transcription with the best customer support team to help you at every step of the way.

Better organize your audio files with Sonix; it's really easy. Here are five reasons you should transcribe your podcast with Sonix. Get the most out of your audio content with Sonix. Sonix accurately converts most popular audio file formats (like WAV, MP3, OGG, and AIF) to text.

Sonix uses cutting-edge artificial intelligence to convert your m4a files to text.

Sonix is the best online audio transcription software in 2020—it's fast, easy, and affordable.

If you are looking for a great way to convert your audio to text, try Sonix today.