All Resources

CISO to CISO Webcast with Eric Sorenson, CISO at doTERRA International LLC

Webcast and Podcast | Altitude Networks, May 18th, 2021

We are having Eric Sorenson joining us in this episode of CISO to CISO. Chief Information Security Officer (CISO) at doTERRA International LLC, Eric architects, develops, and implements the technologies that keep private data safe from intrusions and theft. Eric joined doTERRA in 2016 to build the organization’s first comprehensive, global cybersecurity strategy. From his earlier days at HealthEquity to the CIO/CISO dual role at Arches Health Plan, and now at doTERRA, Eric has evolved a set of information security programs and technologies that truly enable business and work within the commercial needs of our organization and our customers. Through this strategy, the private data of every contributor, customer, vendor, and stakeholder is equally protected within a powerful, shared cybersecurity ecosystem. Thus, all participants feel their information is more protected.

Read, Listen, and Subscribe to the Podcast

GMT20210505-194009_Recording Audio only-Eric Sorenson.m4a: Audio automatically transcribed by Sonix

GMT20210505-194009_Recording Audio only-Eric Sorenson.m4a: this m4a audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Michael Coates:
All right, welcome, everyone. Thanks again for taking time to join us. This is the CISO to CISO webcast podcast. I'm your host, Michael Coates, former CISO of Twitter, hence my ability to be here in a CISO capacity, current CEO and founder of Altitude Networks. Super excited to be here today with Eric Sorenson. We're going to learn about a lot of exciting things. He's been doing it at doTERRA, his journey, his perspective on the security industry. So I can't wait to get started on that. Eric, thanks so much for joining us, by the way. Really appreciate your time.

Eric Sorenson:
Thank you, Michael, I appreciate the opportunity. Thanks.

Michael Coates:
Definitely. And those of you, for those of you that have been listening or following along, I hope you've enjoyed the previous editions. As you know, this is brought to you by Altitude Networks. We are protecting data and cloud collaboration platforms like Google Workspace, Office 365 and others. So if you're concerned about accidental sharing, purposeful data theft in the cloud or just wrap their heads around, how do you do security in this new paradigm that's our world. We are deployed in a number of organizations protecting data all over the world. Would love to tell you more. So with that, let's dive in. So, Eric, you're currently at doTERRA. You're the CISO there. But tell us about your journey. How did you end up as a CISO at doTERRA? I always like to say to people like, you know, as a child, did you wake up one day and say, I'm going to be a CISO? That is my life's work. Probably not. You probably found yourself there through some interesting past. But tell us about how you got to where you are today.

Eric Sorenson:
Yeah, certainly, Michael. It has certainly taken an interesting path for me, as a child, I didn't know what I wanted to be. And then as I continue to get older, I really enjoyed computers. I got into computers around 17, 18, 19 years old and just continued on. And so then I pursued a career path in information technology. That's what I studied in my undergrad at. And I loved it. I fell in love with computers. And so I thought, all right, I'm going to go that route. And and then, of course, I ended up being a database administrator out of college, graduated from Utah State University with Bachelors there and information technology went to IBM is my first company and I was doing database work, database support there for their global services. So large organization, lots of interesting things happening there. But it was a lot of fun. And so I was pursuing a career and I was going to become the best DBA that people would know. And then and then that took an interesting turn a little bit later on as I went to a couple of different companies. And then I landed at a company that didn't have any formalized information security program.

Eric Sorenson:
And that's where I raised my hand and talk to the CIO about that. And and of course, my dream was, as I was into that computer world, was to become a CIO. I thought, hey, that's where I want to go. That's my career path. I went back to school, got my MBA, thought I was doing the right thing, and I was going to become the CIO somewhere. So I was just working on that career path. And then I saw a need and I saw where our company was not doing exactly the right things. And I took the initiative to say, you know what, I would like to learn and try something new. I want to jump into information security. And the CIO was very supportive. Surprisingly, I didn't think that he would be very supportive, but he was very supportive. And so my information security journey began some years ago as a result of that. And it's now led me to the doTERRA. There's more where we could get into, I'm sure, and you may have some further questions.

Michael Coates:
Yeah. You know, it's fascinating how many people in security ended up here out of passion, like just a general interest in technology and that notion of being the the kid that fiddled with how does this thing work? Or I just want to figure out how I can use my computer and interesting different ways to make the dang thing work depending on when you start using computers. I'm not surprised that your origin came from this. Hey, I want to really dive into databases and just be excellent at that. That's cool. It's so often that we see that passion be the spark that starts down this path.

Eric Sorenson:
Yeah, a lot of fun, and I really enjoy it. I mean, it's fun to think about some of that. It's I feel like I've been out of it so long. I don't know if I'd remember what to do if I had my chance to get my hands on some database work. I probably would fail miserably because things have changed. You know how technology is progressing super fast. And so I probably would blow something up or delete a table or do something I wasn't supposed to do.

Michael Coates:
So it's just select star just to select star.

Eric Sorenson:
You know, not select star deletes.

Michael Coates:
Oh no. So doTERRA is a fascinating company. Tell us a little bit about that. I think what's interesting is there's, of course, the commercial side of it that you'll share, but there's also kind of this charitable do-good side of things, too, which is which is really cool, which is always nice to be associated with. But tell everyone more about that.

Eric Sorenson:
Yeah. Thanks for bringing that up. That's that's very true. doTERRA is a great company. It's a fantastic company to work for. I've been here for almost five years now and I have enjoyed myself, loved every minute of it. It still feels like a start up a little bit just because we still are new. We've been around 13 years or so, but we've grown so quickly. We have a lot of those things that companies go through as growing pains that you have to work on some processes, et cetera. But doTERRA, being a health and wellness company, focusing primarily on essential oils, we have roughly over one hundred and forty oils in our toolbelt. It's amazing to watch how we use and utilize those oils to change people's lives. And there's a number of ways that we do that here. We have a couple of initiatives. We have a co-impact sourcing, which is just phenomenal as we go into these different countries. These are developing countries that we typically these oils are sourced from. I think it's around forty five or so or half of those are considered. I think we sourced from about forty five and half of those are considered developing countries. So that there's a lot of needs there, there's a lot of economic needs, there's a lot of needs as it relates to education and other types of social opportunities there. So co-impact sourcing is really it creates value for all the stakeholders in the supply chain.

Eric Sorenson:
If we can go into these small farmers and we can work out a fair price with them and help them be more sustainable in the environment, offer them a fair price, which then in turn lifts them and their families up and creates a sustainable impact, economic impact for them in addition to even their community. And then, of course, the doTERRA Healing Hands Foundation is amazing in the sense that all donations, one hundred percent of that is essentially going to that actual charitable foundation. So it's going into things such as health clinics where we build health clinics and we build schools. We're improving infrastructure, working on clean water, even trafficking, working on stopping trafficking, human trafficking. So there's a number of initiatives that are healing Hands Foundation is involved in and they do a phenomenal job of really helping us as a company go in and establish these relationships, work with these local farmers, and allows these small farmers to be able to receive wonderful payment and receive a fair payment. And so has just lifted lives all over, created many jobs as a result of that. So you really feel like you're doing a wonderful service to not only those who are who are consuming your oils, but also those who are involved in those charitable organizations and then, of course, the impacted lives that come from that fantastic. Love it.

Michael Coates:
It's so nice to have the balance almost. I mean, you're you're in technology all the time looking at a computer screen even, but then knowing that your efforts are supporting something very tangible and real and directly helping a community somewhere in the world. That's that's really cool. So as you think about the role of security and as you've seen it from a few different places, how do you how do you position it and get it away from the, you know, the team of know that classic thing and move it into kind of a partner or an adviser, an enabler? I think you're shared was we were talking before you shared that. It's kind of like your vision of where things are going. How do you how does that play out? How do you make that transition in your teams or in the perspective of others?

Eric Sorenson:
You know, one of the successes that we've had is risk plays a huge part of that. I think if you can take and do a risk assessment from overall risk management perspective, part of an information security management system, if you have a good, solid risk program where you can look at risk, take those types of things, the risks that are assessed, put those into terms that the business understands or business stakeholder understands and allow them to make decisions at that level. All of a sudden, it's a paradigm shift. You typically get this, oh, well, hey, I want you involved in more things, you know, and sometimes we're like, well, hold on. We just focus on the information assets and those types of things for the company. Right. And so but we really as we do that, we find that it typically breaks down barriers when we do in a risk assessment and we provide that information to them. And then they're saying, well, wait a minute, you're telling me I've got to make this choice? You know, you're putting some ownership back on me. And part of our governance program is really critical to where we have that leadership vision and driven at their level.

Eric Sorenson:
When you do that, you typically get people who just respond to that instead of the security teams that are just like, no, and they don't give you a reason why. Or they just say, well, that's not secure. And if we can actually help them understand that and put it in terms that they understand, that's where our partnership tends to come in. And so here doTERRA being the first CISO and implementing a security program, that was a challenge. You know, a lot of people were just waiting for us to say no one of these guys is going to tell us, no, you can't do that. And it's been it's been really fun to watch the company respond and the various departments respond positively to that as we as we outlined that and we help them through that process. They're actually making those decisions, but they're informed. And then they can come back and have a dialogue with with our team to understand things better or to get clarification or to even look at some future potential changes to that. And that's where we see the greatest success as we've implemented those things.

Michael Coates:
I totally agree, and I think it was almost a failure of us in the industry initially when when we casted security as a black and white, there's a secure or not secure answer. It's it's not that simple at all because everything in business involves calculated risks of varying degrees of of confidence or knowledge of the facts. And I like what you're saying because our goal really gets to be advise them of the reality and the options at a business level, because there's trade offs like, sure, we could be more secure and go to market 10 months later. But does it matter if nobody buys it at all? What would be the security weakness if we launched in a few weeks? So I love what you're saying there, that that makes perfect sense.

Eric Sorenson:
Yeah, well, that's how you'd mentioned it earlier in your opening about being an enabler. You know, that's how you start to enable the business to be successful.

Michael Coates:
Yeah, and I'm guessing and I've seen this I'm curious if you have to, but most likely you've gained a pretty good understanding of how the business operates in different parts because it sounds like you're really communicating to the other leaders on their level and having a conversation where they like. To your point, they're making a decision because it's in terms they can relate to and understand. Is that is that right?

Eric Sorenson:
Yeah, absolutely. It can be challenging. It certainly presents for us because we may be looking at some kind of endpoint issue. Right. That or I mean, it could be a whole a whole number of things where some of it is technical. Well, how do you how do you translate that technical talking about let's just say it's multifactor we're talking about? Well, the business is we don't want to implement multifactor and it's like, OK, you know, and you're going through an assessment on that and working through that. It's like, well, how do you start to put terms that they understand when you can do that and do it well, that that's when the change starts to happen? I think that's that's really where you're allowing people. You're drawing them in, you're making them part of that story and helping them gain a greater understanding without having to use, say, technical language or security language. Yeah.

Michael Coates:
Yeah, one of the fascinating things of the role is you are the top of the technical security food chain. But of course, you're going to hire experts that are stronger than you, of course. But you also have to master this business understanding to be really effective. It's perhaps unexpected for some people in their security journey. I'm going to start learning all about business now.

Eric Sorenson:
Yeah, you have to be an expert. I'm sorry. Maybe I didn't address it properly, but you really do have to understand the business really well to be successful. You know, we have to get out there. And I'm always encouraging my team members go visit with those people, go understand what they do, go listen to them. You know, that's the thing. Part of conscious leadership, right? Is, is listen, we've got to listen. And so go get out there and listen to to the the various departments go get an understanding of what they do. Go tour the manufacturing facility where these oils are bottled and, you know, go learn about the sourcing initiatives that we have from throughout the global and and go learn about all the markets that we have throughout the globe. I mean, that's another challenge that we have, is we have a number of markets that are running. We have basically offices in a lot of countries throughout the world. And, you know, so we've got to really get to know exactly how the business operates to be successful, especially when it comes to opening a new market. We really need to be working with that team right up right from the start and especially been a risk assessments. I mean, there's a whole gamut of things that we can talk about.

Michael Coates:
Yeah, for sure. Very cool. So switching gears just a little bit, for those of you listened or watched before, you'll you'll recognize that we're not just in the the studio or, you know, in an office. We busted out the Altitude private jet. Yeah, well, I guess it's virtual virtual private jet. So not very, very close. But we we go somewhere in the world that is meaningful to the to the guest. So, Eric, tell us where we are in the world and why you chose this location.

Eric Sorenson:
Oh, I love Yosemite. As a kid, our family would go there. We've been there are a number of times. And so I grew up loving Yosemite. I grew up in Southern California. So I love the beach, enjoy the beach, still do, still vacation there with my family often throughout the summers. But we love Yosemite. We were just there in 2019, got together with my mom and dad and my siblings and we had a fun week there. Yosemite climbed Half Dome. That's why you see that mountain. And I and I, it's a it's a great place, great, great adventures and great memories. And there's plenty of fantastic things that I remember as a kid growing up and even as an adult now that I've been able to share with my own kids. It's been fun.

Michael Coates:
Yeah, it's a very cool place, actually, coincidentally, I just went there a few weeks ago with my family as well and visited the waterfall that's behind me. Yeah, very cool spot. Great. We're cool, so jumping back into things, you know, one thing that was fascinating about your journey is that you have in fact, been the first CISO at multiple places. And so a lot of people that I talked to in the security industry are saying, hey, I'm kind of the head security person, but, you know, they don't really know why they need a CISO if they've got me in this capacity or what a CISO is going to bring. How did you make that transition and do it several times. It seems like you found the recipe of how to explain the value to the business, how to make that transition. So what does the what's the magic there?

Eric Sorenson:
You know, I don't I don't know if I have the magic or what it is. Know, maybe maybe people would call it more luck or less or whatever. I think I think being able to have a good foundational knowledge of business in general, being willing to listen and listen. I mean, you have to listen intently. You have to listen to what people are working on and what they are wanting to do, what they want to accomplish within an organization coupled with just general knowledge and understanding of security, along with and I would say more doesn't even have to be in a framework. It could be more just understanding a security program of all the elements that are key to that, because certain organizations, they may not be big enough to be able to just have a wonderful security team where you have all your governance and risk and compliance teams and you've got cybersecurity and you have your red team and you know, you've got all these different teams that are working for you. Some companies, you don't have that luxury. Sometimes it might be you and you only or maybe one or two staff. And and that's kind of where I started younger my career starting security programs. So I don't know if there is one right answer to say this is this is how you will fundamentally be put in or promoted to be the CISO.

Eric Sorenson:
But I think the key is, is being a partner, making sure that you can say, hey, I'm there to actually help protect the information assets of the company. If you go to HIPAA, right, I mean, keep you from going to jail perhaps, or fines if you're doing your job right, but it's hey, I'm here to listen to you and understand your needs and then work with you so that you can accomplish those needs in the most secure way. Are incidents going to happen? You betcha they're going to happen. We're human and we make mistakes. So we're going to have incidents. We can't always just guarantee zero incidents. You can put on all kinds, like you said, many mitigating controls. You can put everything in place. But at some point you're taking you're spending way more for lowering very little risk. So it's I think for me, my success that I had found is being willing to to listen to partner and to to be there lock step with the business and say, here, I'm here to help. I'm not here to hurt you. I'm not here to tell you. No, but I'm actually here to work for you as a resource to listen to and for me to really have you listen to me and understand these things.

Eric Sorenson:
And if you if we take a risk based approach to things, we'll be much more successful. So I don't think there is a magic answer for that. I wish I had a magic wand and I can say, OK, Michael, here's where it's at. But it's just been a journey. And I think it's been a journey of mistakes and failures that I have learned from. And I'm probably now at doTERRA as a result of that. And even our CIO the other day in a one on one said to me, you know, he knows I've worked around a number of CISOs before and nobody has taken the approach like the way that you do it around risk and being a partner and being there and listening. Most of my CISOs, it's like, no, we're not going to do that. No, we're not going to do that. And you've just taken a total risk based approach to things. And he says that has just it's been a breath of fresh air for our organization and for me. So I was like, oh, that's a great compliment. I appreciate that. It was very nice.

Michael Coates:
So, yeah, that's awesome. Now, it sounds like you might be reporting to a CIO here or at least working closely with them. One thing people are always curious about, and since you've seen the CISO role at several companies, has a reporting structure been the same across them, or have you found that you kind of are in different teams or places in the org in each of those companies?

Eric Sorenson:
Yeah, I think sometimes it depends on the type of industry the company is in that that's another thing that I have seen in my career, is I've started a security program. I was at a couple of places now and now the third at doTERRA, is sometimes it's industry specific. I do recall a few years ago there was a cartoon going around on LinkedIn and you probably would remember this is a CISO where it was a picture of the executive management at the big kids table, and then you have like a little kid dinner table where the CISO was sitting with the kids, you know, and it was sort of like, you know, when's the CISO going to be invited to that to that table? You know? I mean, look, I think that's still a challenge for many organisations. I think as security continue to receive really spotlights on it in these organisations as breaches continue to happen. I think you're seeing a change at the board level or even at the executive level where they are starting to bring those individuals into that space and bringing them part of the team and making them maybe appear with the CIO, here, doTERRA is just a little bit different, you know, but there is some stipulations when I came here with budgets and other things that I had, knowing that if I'm going to report to the CIO, we can have some conflict of interests here. So we had to put some controls in place that eliminated that. And the great thing was, is at the executive team, there was tremendous support around that, hey, I, I have some reportability up to them if needed. Right. So there are some things that are in place here that I would say softens that type of like initial this is not a good situation to be in. But I also have a CIO that really understands and I think has gained a greater understanding of information security specifically and what a security program brings to the table. Then I think when you when you when you really help educate and create that some of those mindsets are changed for sure. And certainly here at doTERRA, it is it has been changed. And we have a great working relationship. I enjoy reporting to our CIO, he is a great man and just I respect him completely. He's just a wonderful person and a great coach to me and in my career. So I really look up to him. But that can be a challenge. Like you said, that can certainly be a challenge for many and it can be a frustration. And so don't give up. Yeah, I would say my advice to to those that are dealing with that is don't give up or go have those crucial conversations with your CIO if you do report to them or maybe another executive manager. But you've got to have some really tough conversations to talk about those things specifically some of those things that could be a problematic for you as a CISO.

Michael Coates:
Mm hmm. Yeah, you know, in my conversations, I've seen the same thing, that it just it varies so much, even amongst a set of companies in the same industry. When you pull the room like, no, I report to engineering, I report to legal. Some people, like some people, report to the CEO and they're like, it's great. And others, like is actually not really good at all. It really has turned out from my perspective to be like what matters, what works for the business itself. And really, to your point, to raising like. All right, based on our setup here, what things should we be aware of? And I think that's really smart of saying, like the the direct line to report awareness of potential conflict of interest before they happen. That's all super smart.

Eric Sorenson:
Yeah, absolutely,

Michael Coates:
As I understand, one of the kind of technical initiatives that you're working on be a longer term project, but the realization that the perimeter security is really no longer what it used to be, we can't we can't rest on our laurels of the past, let's put up some big walls, put everybody inside the office. Well, I mean, nobody's at the office at all, so it couldn't be more apparent. How are you tackling this challenge of the new perimeter, the dissolution of the perimeter, et cetera?

Eric Sorenson:
Yeah, I love how you actually frame that. I think that's well framed and you probably are well experienced in that. And that, you know, it's it's really the you're now driving at the endpoint. You're driving at the employee. And I think that threat actors, they understand that. They understand that if they can make that, if they could compromise the employer, if they can compromise that endpoint. Wow. What better opportunity for them now at this point? Right. Once they go back into the office or once they do this or it could be a number of things. And so, you know, that's what I'm saying. And that's why I think we're starting to see is professional security professionals that perimeter security is really it's still important. It's not to say not to do it, but I think we're we're finding that it's so hard and so expensive to try to extend that to the employee everywhere they go and everything that they do. You know, yeah, you can have certain controls in place. But, you know, education, security awareness is such a big deal. And I know I think that's often talked about and and it's great. But you've got to really, really focus on that as a security team.

Eric Sorenson:
And security awareness is a big component of that, making people aware ongoing, make it fun, make it enjoyable for them, you know, have some good examples, even corporate examples. You know, we use a lot of times in our security training examples. We, of course, take out the the names of people or emails of people. But, you know, we try to utilize those types of things as example. So a security awareness, whether you have a platform, whatever, whatever you're doing, really work to enhance that, that's something that that really helps as you educate your people. And if you can use examples that are happening to your company even better, especially specifically targeting and training those that maybe deal with certain assets within the organization where it could be very impactful, whether it's reputational impact or it could be financial impact. As you do that, you'll find greater success. So that's one component of it, right? You got the endpoint. That's another component of it. Yeah. You can require VPN and that's great MFA. That's great. There's a lot of great things. But, you know, whatever you can do on the endpoint, additionally, whether it's some sort of EPP or EDR, whatever you have, vulnerability scanning.

Eric Sorenson:
I mean, being in touch with your help desk is so important as a security professional, understanding what they're doing, understanding the tools that they that they have and what they're deploying to that endpoint and being part of that and that discussion. So, yeah, I mean, look, perimeter is great. And you're right. I mean, a lot of people are not in the office anymore. We at doTERRA happen to be, which is great. We're back at work, but we still have many employees who are remote. And so that offers a number of challenges. And so, you know, there is so much to do on that. We could get into a lot of stuff. But I think recognizing that, that your perimeter security is still important for many reasons, but now looking at saying, well, how do we extend a perimeter to our to our employees? What can we do to create more of a perimeter within themselves as a human, but also on their endpoints, too? So if we couple those things together, you'll be probably successful? Not always. You're still going to have failures because we're going to fail and we're going to do something stupid sometimes.

Michael Coates:
That's right. Yeah. You know, as I as I've thought about this problem myself, I've come to a visualization now. Visualization would be great if I could show it. But to describe it, I thought of our previously, you know, the big perimeter approach. And then everybody's inside that that wall in the office. And then on one hand now we have employees trickling down and out and everywhere. So our employees have distributed and those are remote points of new perimeters of new places to secure. But then what's fascinating is I think about on the other side, the data has also distributed out the other way. And so now you have this tree looking structure with some roots and some leaves, if we're visualizing. But you've got employees that need to be protected that are no longer in a central place. Any data no longer in a central place, Be that SAS or infrastructure on other platforms. And it's really unique that there is no central point really at all. There's. You know, points of joining where some things come together, but fundamentally stuff, stuff is everywhere and that just gives no shortage of new work and new interesting challenges for us to think about. Yes, sir. In the industry.

Eric Sorenson:
That's right. There's always there's always risk assessment.

Michael Coates:
I think that's such a good point, because all of those things you could try and, you know, secure them into a box, like secure them to the to the academic extent possible. But really, it's about the risk assessment because, all right, so this data is over here like, do we care? Well, maybe. Maybe not. You do a risk assessment, like, oh, yeah, we actually care a lot. My gut was pointing in the same direction as the the risk assessment comes out. And that's the key that you lean on risk assessments. And I agree because it's defendable. It's not just sort of like what you feel like. There's some methodology to it that gets you to a point of saying this is why we prioritize this here and this here.

Eric Sorenson:
You know, and Michael, one additional point to that is the fact now what you're doing is you're you're bringing somebody into that decision, that decision making, and you're now putting them on notice. Right. It's not just the security team saying yes or no. It's now saying, well, we have our we have our our recommendations and here are our recommendations. But we're going to let you make that decision. And, boy, if you choose to accept those risks, you are fully aware of those risks and it's documented in an assessment. And so if something happens, it's not to say we're trying to CYA ourselves. You know, that's not really the main point of that. But the main point is to really drive greater accountability, maybe at an executive level, or it could be further down the management chain. Right. But but it's there to put people on notice and to help them say I need to make a really informed decision here and I'm listening to my professionals that are telling me these things. And if you do that, I think that's where that accountability really helps out and helps a security team out. Significant, actually. Mm hmm.

Michael Coates:
Yeah, I totally agree. And. If you step back and look at that model, when we used to not give that ability to the business to make to accept risks or to make those decisions themselves, you know, if you pick apart the old model, it was such a crazy model that we had because like we're saying, we as the security team are going to make the business risk, trade off decisions for the whole company. Like that's no way to run a business. You're not going to have a successful business at all. The flip side, if you just give them carte blanche access, of course, things go haywire. But the middle ground of informed, intelligent risk decision taking with accountability, like that's that's perfect. That's a sweet spot.

Eric Sorenson:
I really agree.

Michael Coates:
Now, I know we've covered a lot of ground, so definitely if we missed anything that you wanted to put in there, please let me know. But I'd also like to pose the question. Many people are starting their journey. They are at the beginning of their security career, or maybe they're in the middle and they're saying, hey, I do want to aspire to lead security teams to be a CISO. So I'd love to end on what kind of advice you would give to the next generation of security leaders. What have you learned that you found out the hard way you could save somebody a few steps or what do you what did you find that worked great for you? What would you recommend?

Eric Sorenson:
Well, I'll use two of the commitments from conscious leadership. Take radical responsibility and be curious, learn, right. If you do those two things that will put you on a good path. I think some additional things is to really be willing to dive in and and study and learn, maybe find a mentor that especially in security. I think that's something that can be very helpful. There's a lot of old security professionals. I have a few here, doTERRA, that I have that work for me and they're fantastic. And boy, I still learn. I'm still taught by those individuals every day I, I enjoy it and I enjoy learning. So you've got to be curious. You got to learn. I think finding a mentor is good. I think those are probably things that and you know, I think the last one we touched on this is you really need to understand the business. You really need to understand the company, the company that you're working for. And depending on if you're going to go to a new company, be willing to get there and go dig in, go understand and learn the business and learn all those nuances, because that's where you're going to start to learn. Hey, as I get involved, this is where I'm going to have a better effect. And I can work on that on on changing behaviors or changing attitudes, especially as I'm listening and understanding what they're doing. Hey, I'm gonna have better success because as I do a risk assessment or as I as I have team members that do the risk assessment, I have an ability to review that and put some further thought into that or have that team make some changes based on some of the things that you've learned. So those are things that I would recommend, I think, to individuals. There's probably others, but I think that's probably a good start without overwhelming somebody.

Michael Coates:
I think those are fantastic points. Fantastic points. Well, Eric, thanks so much for your time today. Really appreciate taking your time out of your day, sharing all of your information with everyone. This is a fantastic discussion and lots of really good points raised, that's for sure.

Eric Sorenson:
Fascinating. Yep, I agree. Michael, thank you very much for your time and I appreciate you featuring me.

Michael Coates:
Thank you. Well, everyone, thanks for joining us today. If you haven't already, subscribe to the podcast and your platform of choice. And if you're not watching the videos, you can find those at AlterNet.to/ciso and you'll see all of our beautiful faces and our virtual tours around the world. But love to have you listening to the show. Please make sure to catch the next one again. Thanks, everybody. Have a great day.

Eric Sorenson:
Thank you.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your m4a files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you'd love including automated subtitles, secure transcription and file storage, transcribe multiple languages, powerful integrations and APIs, and easily transcribe your Zoom meetings. Try Sonix for free today.

Subscribe for More

Get notified of future CISO webcast and other exciting security content

Thanks for subscribing!

Ready to get your Cloud Security in Check?

Fill in some contact info below or schedule a meeting so we can reach out to provide more details on how Altitude Networks can protect you from data loss in the cloud.

We'll be in touch!
OR