How to Become a CISO

How do you become a CISO? It doesn’t follow a linear pattern as many other professions. There are many different paths and there are many different entry points.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Yabing Wang, CISO, Justworks.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, SPMB Executive Search

SPMB connects top executive talent to the world’s best and fastest growing innovators across the country. A key area we bring extensive knowledge and expertise to is our dedicated Security Practice, leading both functional searches (CISO and VP’s defining security strategy) and building out executive teams at top security software companies.

Full transcript

[David Spark] How do you become a CISO? It doesn’t follow a linear pattern as many other professions. There are many different paths, and there are many different entry points.

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you know him, you’ve heard him many times on this show before, it’s Steve Zalewski. Steve, make noise with your mouth so people know what you sound like.

[Steve Zalewski] Hello, audience.

[David Spark] He sounds like that. And he’ll say something more intelligent than just that later in the show. But first, our sponsor for today’s episode is SPMB Executive Search. Yes, they’re the executive search firm for innovators. Technology focused and relationship powered for over 40 years. More about SPMB later in the show. I do want to bring up our topic, and that is, see, we constantly see questions on LinkedIn and Reddit asking how do you become a CISO. And what we’ve learned from the many CISOs who have been our shows is that there is far from one path. In fact, I don’t think there are two cases that are the same. But with that said, it’s still valuable to know how others did it and how you can glean that knowledge and apply it to your situation. So, Samantha Buckenmaier of Stanton House asked security professionals on LinkedIn to simply offer up their advice on how to become a CISO, and it was a cornucopia or different advice, wasn’t it, Steve?

[Steve Zalewski] Oh, it certainly was. Yes.

[David Spark] And would you say from your own experience there were some elements there, but you didn’t follow all the things that were in that list, did you?

[Steve Zalewski] No. Here’s what I would say even today, if you want to be a CISO there’s no certifications. You can make yourself a CISO. So, it’s a great time to be one because you don’t have to go through any hoops. You just have to decide that you want to be one, but then you have to figure out how to be a good one.

[David Spark] Well, we have another CISO to discuss this very topic with us, and I’m sure her path is different than yours and many others who are listening as well. Or many others who wish to become a CISO. I met her in Chicago just recently when I was doing a recording for Avanta [Phonetic 00:02:27]. Thrilled to have her on. She is the CISO for Justworks, Yabing Wang. Yabing, thank you so much for joining us.

[Yabing Wang] Hi, David. Very nice meeting you again. And Steve, very nice meeting you here as well. I am so thrilled to be part of this show. Thank you for inviting me.

How do I start?

2:41.495

[David Spark] Drew Brown of the Federal Aviation Administration said, “Learn the business.” We hear this one a lot, I should mention. “What are their objectives and desired outcomes?” I thought it’d be good to start with that. And John Prokap of Success Academy Charter School said, “It’s about helping the business solve risk, not being super executive hacker.” That we also hear a lot as well. And Ron Sharon of Mercer Advisors offered a cornucopia of advice, and I’m just picking a few things that he mentioned. One was learn basic accounting like OpEx and CapEx, learn basic finance, budgets, and protection. And understand that CISOs advise the business but are not the final decision makers when it comes to risk acceptance. So, Steve, I’m going to throw this to you. We have heard all these things on our show. Not so much though the learning the accounting and learning basic finance, but that does seem quite critical, doesn’t it?

[Steve Zalewski] Yes. And I’m going to say how do I start even three years ago compared to today. I think we’re adapting. What I would tell everybody is if you want to be a CISO, instead of figuring out, “Well how do I do this,” start with the mentality that says, “This is the worst job I never had. Let’s keep it that way.”

[David Spark] Really?

[Steve Zalewski] And then transition that because now you’re walking in eyes open. Because there’s a lot about being a CISO that is not so good. I would say so start with the worst job I never had. Let’s keep it that way to a conversation of the most rewarding job I could want but with conditions. I would say if you’re going to be a CISO, think about that transition and what the conditions are to make it the job you want it to be.

[David Spark] Yabing, were you cautioned about getting the CISO job before you got it?

[Yabing Wang] Not really, I guess. But I do agree. Steve has a really, really valid point here that is… And this was my kind of third one as a CISO. I think you do need to prepare, no matter how good you are, you fail the first time from different reasons.

[David Spark] Which numbered CISO gig is this for you currently?

[Yabing Wang] Three.

[David Spark] Three. You’re on number three. So, did you have failures on number one?

[Yabing Wang] One way or another. I think you will fail in a certain way. I think the number one thing is when you feel like I become a CISO, I got to be perfect. And there’s just so much, like Steve said…there’s just so much you don’t know even from day one and also that things are changing so quick. You need to learn all the time. You will fail some aspects.

[David Spark] So, let me go to you, Steve. How do you sort of…? Because this falls into the imposter syndrome, which I think almost every CISO has felt. Yes? How do you cope with that?

[Steve Zalewski] I would say again it gets back to the what are we seeing to be a CISO. And to Yabing’s point, it used to be that when you became a CISO, you were a firefighter. You were doing the greater good. You were protecting. You were going to run into that house and put that fire out. And from that perspective, the companies and the industry as a whole respected you for that. But what we’re seeing is that is not the best way to look at the job now. And with that, it used to be, “Hey, if I went in with a lot of energy, I would make mistakes my first time as a CISO.” Everybody does. The first time you do anything. You learn from those mistakes. Then you want to become a CISO again because you want to do it the right way.

[David Spark] That’s a good point.

[Steve Zalewski] Okay, the challenge we have with being a CISO is the right way five years ago is not the right way today. There’s still so much challenge in the changing environment that you can’t rely on history to be able to know that this is how you’re going to do it right the second time or the third time. You have to reinvent yourself every time based on where you are in the industry, in the community, in your own personal maturity.

[David Spark] All right, Yabing, I want a quick answer to this.

[Yabing Wang] Yep.

[David Spark] Pick one thing that you feel you didn’t do right. I don’t want to say failed. But you didn’t do right the first time that you did right the second time.

[Yabing Wang] You want to move quick. You want to show people you can do it. But really you need to slow down to understand the business, to build the relationship before you can really do anything.

This is not just a security issue.

7:40.076

[David Spark] Kenton McDaniel, CISO of Henry Schein One, said, “Find ways to interact with executives in your current role. Learn about legal terms and concerns, presentation skills and tailoring a message to an audience, basic contract reading and editing. Get the technical knowledge to be able to figure out which products and vendors fit the exact needs you have. Communicating complex situations with brevity.” So, lots of tips there from Kenton. And Jeremy Thompson of CoVantage Credit Union said, “Learn how to spot opportunities to engage business leaders in discussions about risk. These discussions don’t have to be about security or cyber risk. It could be any kind of risk. Socializing risk, identification, management and mitigation are key to helping business leaders understanding and comprehend when time comes to talk about cyber risk.” All right, Yabing, both of these quotes are great. Lots of great tips. But the second one from Jeremy, I love this just like socialize risk – have risk be a normal conversation you have with business executives. Have you been able to do that?

[Yabing Wang] Yes. And I absolutely agree. You started with a statement that this is not a security issue. I say absolutely. I came from the technical background, and we do a lot of the things trying to solve a technical issue. And I say that’s not even a technical issue. Same situation here. We’re trying to address a business issue, and businesspeople don’t understand security, and they don’t understand technical terms. What they need to understand is translating our stuff into their terms. So, one is about a risk. Two is about the business capability or business features. Things like that. So, at the end, I would say not only the security issue being translated into risk or business issue, I think CISO in a big way…we are the storytellers. We’re trying to… We

[David Spark] We hear that a lot.

[Yabing Wang] [Laughs] It’s like I think one-third of the job really about telling a story. Because security, you cannot do everything. You don’t have unlimited budget to do a lot of things. At the end, what you can focus on is you trying to sell to everyone and get them to be on the same page with you and to do the things together with you. So, I think that big part is storytelling.

[David Spark] All right. Steve, I want you to touch on Jeremy… Because I love this whole thing about just making risk kind of a natural part of conversation. But Kenton also just says you got to have all these skills that you don’t normally think you need in cyber security.

[Steve Zalewski] So, if you’re going to be a CISO going forward, this is your opportunity, it isn’t just a security issue. It’s a security challenge. The issue we have is that you have to understand what type of CISO you want to be. There is no one size fits all anymore. And so in thinking about the security issue and in thinking about what Kenton says, you have to be three types of CISOs today. You have to be a technical CISO. You have to have the technical chops to understand security controls, security friction. You have to understand how to talk to your CIO. So, that is technical security. Then you have to have cyber risk security. You have to be able to talk about identify, detect, prevent, respond, recover so that you can have a risk conversation with your leadership to be able to understand this concept of insurance policies and what can I do as a security leader on these security issues relative to risk.

And then third is you have to be a business CISO, which is you have to learn the business better than the business knows itself so that you understand where the key business processes and you can talk to them not about the value of security but about how you are protecting their profit and how you are managing that hard earned profit to maximize everybody’s bonus. You have to be all three now. And so in doing that, to become a CISO, you start somewhere. The key is you just have to be hungry to learn. You have to listen. And understand that that journey starts in any one of those places but ultimately ends with the ability to do all three well.

Sponsor – SPMB

12:35.669

[David Spark] Now, before I go any further I do want to mention our sponsor, SPMB Executive Search. Remember, I mentioned them at the top of the show. And they can help you no matter what side of the equation you are on in your search effort. SPMB is the number one executive search firm, serving the technology market and one of the largest independent retained search firms in the country for 45 years. They have specialized in recruiting C-level executives and board members to large multinationals across all categories – media, consumer, financial services, healthcare, renewables, on their path to digital transformation. SPMB also partners with disruptive growth oriented startups, building up the leadership teams at the most innovative companies in the tech space.

They bring the knowledge of a large global firm and combine it with, well, the personalized service and attention of a boutique to connect top executive talent to the best and fastest growing innovators across the country. Closing hundreds of C-level searches annually, SPMB has recruited key leaders into companies that have generated over one trillion in market share for our clients. Now, a key area that SPMB brings executive knowledge and expertise to is its dedicated security practice. That’s what you wanted to hear, right? Leading both functional searches, CISO, VPs, defining security strategy, and building out executive teams at top security software companies. Now, to learn more just go to their website, spmb.com.

What needs to be considered?

14:10.120

[David Spark] Shakira Kelly, deputy CISO over at Costco, said, “Be a mentor and find yourself a mentor. You learn so much from your mentees and get to see the world through a different lens.” Which by the way, I should mention one of the reasons I hear a lot of CISOs like to listen to the show is just they get to hear other viewpoints of being a CISO because they’re kind of in their own little bubble. And it’s like, “Well, this is the only CISO world I know right now.” And so they like to hear other stories. Going back to the storytelling, you said, Yabing. Let me also read this quote from Christopher Zell of Dell Technologies, who noted, by the way, and rightfully so that nobody talked about leading people effectively. That is kind of the job of a CISO. He said, “Effectively leading and managing people is critical. We should never forget that we’re actually people leaders, and you must be comfortable with being their cheerleader, sounding board, target of frustration, source of energy, and inspiration.” What a great list right there. Steve, you got to do all of those if you’re a CISO for your team. And not just for your team, the whole company for that matter.

[Steve Zalewski] Yeah. And so there’s two thoughts here. One, you’re going to be a CISO, you’ve got to learn. It means you have to have good mentors. You have to be aggressive at wanting to learn. You can’t be afraid like a firefighter to go into the building. So, there are going to be parts in your career potentially… And I’ll use my own. I’ve been put on performance improvement plans multiple times in my career in security, believe it or not, because as you’re in certain roles as an architect or a senior manager, there’s an expectation that you stay in your lane and you do the job. And yet you’re trying to learn the other jobs and the other parts of the business where some folks will see that as, “Sit down, do your job. Don’t be going out and making waves and learning other things.”

So, you have to be ready to do that. The second part is leader versus influencer. This is what we’re getting at here. Which was you have to be a great leader of your team. But even more important, you need to be a really good influencer. Because more and more, you don’t have direct control over securing the company. You have to protect the business. You have to influence business, the CFOs, the CROs to understand the decisions that they’re making and influence them to make the best possible risk based decision. And then meet them halfway.

[David Spark] All right, Yabing, two good points here about the need of mentorship and the point of, “Hey, you got to play a lot of roles here as a leader.” And how much of this did you know when you first went in, too?

[Yabing Wang] I would say along the way, probably from leadership perspective, the higher you go, this becomes more important. Both of them become important.

[David Spark] Correct.

[Yabing Wang] So, I kind of know that. But…

[David Spark] And you were probably doing it already prior to your CISO role.

[Yabing Wang] Right. You learn a lot along the way anyway. But I think there are also two things I want to add here. Number one is if I use the word leader or manager, there are three kinds of quality – strategic, more program management, or operational. Nobody is good at all three. So, if you can identify which part is your forte, which part is your kind of weakness, you want to hire the team more on that end so you have a great team together to do things. So, if you are not really operational and they have an operational leader under you and then that team will support you. So, that’s one aspect. The second part is that truly security, number one, you cannot be doing that by yourself. Therefore you have to rely on your team. Secondly you even cannot rely on your team only. You need everyone in the company to do security. On both sides of it, you really want to build the team and attract talent. That’s why back to Steve’s point of influence the leadership I think is such a key to success. I’m not sure just the CISO. Probably a lot of top leaders. You do need to spend time with your people, understand what they want, what they need, and find ways to support them. I think only through that, they will just do everything they want for the company, for the team.

[David Spark] So, in these first three segments on the show… And our fourth segment is going to kind of take it a different turn. But one of the things I just want to point out… And I mentioned the whole thing with imposter syndrome. The number of skills you need as a CISO is so ludicrously high. It doesn’t seem like there’s another position that requires this many different skills. So, it seems inevitable that you’re going to have imposter syndrome because no one can be an expert in all those skills. Quick comment from both of you, Steve. Agree or disagree?

[Steve Zalewski] Disagree because we are setting the bar as if you’re going to be for the Fortune 50. When you’re in a Fortune 50 or Fortune 100, you got to be awesome. You got to walk on water for this job. Many of the CISOs have three, five, six people. Three to five hundred people in the company. They don’t have to be experts at everything. What we’re saying is you don’t have an expert at everything. Know what you’re good at, know what the expectations of the company are, and go on that journey. Because…

[David Spark] But don’t you think imposter syndrome comes because of this? Because of the need to know all these different things? Maybe not be an expert, but you do need to know a lot of different things.

[Steve Zalewski] Well, what’s the phrase? Fake it until you make it. Five years ago, ten years ago, I’d say there was a lot of that. In the last two years with a lot of what we’re seeing on accountability, fake it until you make it is not something that we want CISOs to do. And so for all the young ones that want to come in, that’s what we’re trying to highlight is bad things can happen to you. And so it wants to be the best job but eyes open, which is why I started the, “It’s the worst job I never want to have,” to, “It’ll be the most rewarding job but with conditions,” to know what you’re coming up against.

What aspects haven’t been considered?

20:51.489

[David Spark] All right, so there were a couple of people who commented on this thread that were questioning, “Why do you even want to be a CISO?” So, we’re going to address this issue. Adam Drabik, CISO of Monument Re Group, had a long negative list, really dissuading others from entering the profession. I’m just pulling out a choice part of his quote here. He said, “Becoming a CISO is a one-way road. Once you have been one for a few years, you won’t be able to step back to previous levels. CISO is really just a fancy name of a junior accountant watching after security budgets and resources. You will be lucky to spend more than 20% of your time on security proper.” Hold that thought. Now, similarly Kevin F., CISO of FNZ Group, adds, “I’d start by asking why. Is your goal to be CISO just because it’s the top of the security tree? Don’t get me wrong, I love it. But there are many less positive aspects of the role.” So, I’ll start with you, Yabing, here. Do you believe that you’re lucky to spend 20% on security and you’re mostly just a junior accountant?

[Yabing Wang] It is exaggerated, but actually it shows that angle. However, I think like Steve mentioned, different companies have different needs of a CISO. Sometimes there’s a period when you fix problems. Sometimes you’re just focusing on certain things. And then of course when budget comes over, it’s absolutely cutting first. But there are situations in companies that they truly want that to become part of this business. So, I think you will get lucky more than the 20%. But there are aspects that I agree. I probably [Inaudible 00:22:41] exaggerated that. That is… So, depends on what you want as a CISO job. But if you look at like CEOs, board, even the CIOs, in a way they are trying to shape the future of the company. Where in a way you can say that’s kind of powerful. But I don’t think like a CISO from that end is that powerful. But on the other side, when bad things happen and CISO will be the first one to take that hit. So, if you combine both of them it’s like it’s a lose/lose situation for CISOs. It’s like from that angle if you want to say, “Hey, do I need to be a CISO?” probably not. So, it’s really trying to define what will satisfy you, what will make you happy.

[David Spark] What about the CISO role makes you happy, Steve? As opposed to just working in security in general.

[Steve Zalewski] I thought that working in security, being a CISO for a bigger company, that was the hardest job I’ve ever had. It challenged me. Because for all the reasons why, which is give me another role that you can have that in trying to do the right thing every skillset that you’ve learned over the years, every skillset that you didn’t think you had to have comes to play. So, my engineering background says you take the biggest, hardest problems, and you go after it. And you do the best you can. Security is the biggest, hardest problem I’ve ever had to worry about. And even now in retiring from Levis, I spend an incredible amount of time advising and working because there’s so much to do, I just am not ready to give up on the battle. And then what I would say is there’s a couple other things. I love the 20% of the time on security. Well, there’s a few other facets of this.

Is your job to be efficient versus effective as a CISO? As a CIO, it’s to be efficient. As a CISO, you have to be both efficient and effective, and those are different measurements. So, again, you want to be a CISO, you got to think about that. You want to be a leader or you want to be a manager? A lot of CISOs are great managers, but they don’t delegate well to become leaders. And they don’t step out to become influencers. Then the last thing I’ll say is you have to be a firefighter because you’re out there on the front lines, but you have to be a shepherd. The business is your flock. And you got to keep the business moving forward and protect it, not just be a firefighter to put out the fires. That’s why when you asked me how hard was this, what a great job. Because it takes everything you got to bring these skillsets to bear and ultimately do the right thing.

[David Spark] So, as I understand, both Steve and Yabing are both positive about going into the CISO role. And so if you want to do it, go for it. I hope I’m echoing you correctly.

Closing

25:49.393

[David Spark] But now we have come to the point of the show, Yabing, where I ask both of you which quote was your favorite, and why. I’ll ask you first, which quote was your favorite, and why?

[Yabing Wang] It will be the quote from Christopher Zell about effectively leading and managing people.

[David Spark] Yeah, because nobody else brought that up. And why do you like that so much? Do you think that’s the core way to become a CISO is to have that number one skill?

[Yabing Wang] The reason I think it’s number one is that the whole security to be done is through people. It’s through people. Whether it’s on the CISO’s team or through everyone in the company. So, at the end, the soft part, the people piece becomes more critical.

[David Spark] Excellent point. I go to you, Steve. Which quote was your favorite?

[Steve Zalewski] I’ve got to go with Kevin F., the CISO of FNZ, by saying I start by asking why – why do you want to be a CISO. I say that because I think this show, a lot of what we’ve said starting with the how do you be a CISO is all the aspects that go into it. So, I lead it to it’s what does a CISO look like for you, and it’s a job that will be rewarding. And so I think that really gets on the all the skillsets we’ve talked about, you don’t have to be great at all of them. You have to be aware of all of them. And it can be hugely rewarding, understanding the conditions that are in front of you. So, that’s why I really liked the why do you want to be a CISO is so important in getting on the CISO track.

[David Spark] Awesome. Well, that brings us to the very end of this episode. I want to thank our guest, Yabing Wang, who’s the CISO over at Justworks. I let you have the very last word. And the question I ask all our guests is are you hiring, so make sure you have an answer for that. Huge thanks to SPMB Executive Search for sponsoring the CISO Series. Remember, they are available at spmb.com. Check them out, whether you are looking for a high executive position yourself or you are looking to hire that talent. They can help you figure out what it is you need even before you do that search. Thank you again, SPMB, for sponsoring the CISO Series. Steve, any last thoughts?

[Steve Zalewski] Yes. As always I always like to thank the audience. But here’s why – this conversation today which is how do you be a CISO could have been here is all different skillsets, here’s different ways to approach it. Which I think…

[David Spark] Of which we got some of that.

[Steve Zalewski] Which we got some of that. We clearly went there. But from a Defense in Depth perspective, I felt really good that we hit the meaty issues of what a CISO has to be and why if you want to be one, what you’re set up for. To go from the worst job I never had, let’s keep it that way, to the most rewarding job I could want but with conditions. I really felt like we did a good job with that and did our job with this episode on this topic.

[Yabing Wang] And I learned things from this conversation as well. So, thank you both.

[David Spark] Aw, I love hearing that. All right, Yabing, are you hiring? Want to make a plug for Justworks? Anything else?

[Yabing Wang] Yes, we are hiring. Justworks is a benefits and payroll company, particularly serving small businesses that are based in New York. But we’re in business in every single state. So, my team is hiring on security architects, security engineers, and a security analyst.

[David Spark] And they should mention that they heard you on the show?

[Yabing Wang] Yes. [Laughs]

[David Spark] Connecting through LinkedIn, is that a good place? Because we’ll connect to your LinkedIn.

[Yabing Wang] Absolutely.

[David Spark] Awesome. Great to hear. Thank you very much, Yabing. Thank you very much, Steve. And thank you to our audience. We greatly appreciate your contributions. If you see a great conversation online, please forward it to me because we can turn that into an episode of this very show. So, please be my ears and eyes on great conversations. Ideally LinkedIn just because it has everybody’s name and information. That’s what makes that so good. Anyways, thanks for contributing and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.