The CISO’s Job Is Impossible

Over the past decade, the CISO role has evolved into a seemingly impossible job. But someone still has to do it. How must CISOs accept this Sisyphean role?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining us is Joey Rachid, CISO, Xerox.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Backslash

Backslash offers a new approach to application security by creating a digital twin of your application, modeled into an AI-enabled App Graph. It categorizes security findings by business process, filters “triggerable” vulnerabilities, and simulates the security impact of updates. Backslash dramatically improves AppSec efficiency, eliminating legacy SAST and SCA frustration. Learn more at Backslash.Security

Full Transcript

Intro

[David Spark] Over the past decade, the CISO role has evolved into a seemingly impossible job, but someone still has to do it. Is it impossible, or do we just have to accept it’s a Sisyphean role, and we just have to find a way to approach it?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me for this very episode, very excited to have him on board, our guest co-host, none other than Yaron Levi, CISO over at Dolby. Yaron, thank you so much for joining us.

[Yaron Levi] Hi, David. Thank you for having me again. Always a pleasure to be on the show.

[David Spark] All right. Our sponsor for today’s episode is Backslash AppSec, using a digital twin of your application. Sound intriguing? Well, I’m going to explain that. Especially if you’re in application security, you’re going to want to hear more about that. Stay tuned. But first, our topic at hand.

The expectations of a CISO are unrealistic, noted Nikoloz Kokhreidze of Mambu on LinkedIn. These expectations include, get ready for a long list, being an expert in all areas of cybersecurity, translating complex technical risk into the language of the business, influence change to impact risk in your organization, evaluate a constant flood of new solutions, retain and hire talent in an increasingly competitive industry, maintain ever-growing compliance, and do it all while managing shrinking budgets.

Yaron, does that sum up your position? And do you agree with Nikoloz that it’s an impossible job to do well? What do you think?

[Yaron Levi] Oh, David, are you asking me to do like my own performance review on the air?

[David Spark] [Laughter] Yes.

[Yaron Levi] Because I think there are like laws in the US, I guess. Like broadcasting public executions. I mean, so.

[David Spark] Oh my God. How amazing would that be if I got CISOs on to do their own performance reviews on the show? That would be incredible.

[Yaron Levi] There you go. Yeah, yeah.

[David Spark] But each one of these is one job in itself, what I listed off.

[Yaron Levi] Yeah. No, but I think in all seriousness, I think Nikoloz is highlighting the symptoms to a much deeper problem. So, first of all, the security domain is relatively young. We’re only about, what, 25, 30 years old, give or take. So, we’re still trying to figure things out. And it’s also extremely broad and multidisciplinary.

And second, in its nature, it’s still kind of very reactionary, right? I mean, so if you think about other safety industries, for example, automotive, aviation, a lot of that was built over time. A lot of the rules that we have are built over time, right? So, usually it’s not happening right out of the gate, but in our case, it’s much, much, much faster.

So, that’s another thing that we kind of have to deal with. And then we don’t have a standard because, I mean, if you think about it, there’s no security standard. I mean, finance, they have GAAP rules – generally accepted accounting practices. We don’t have GAAP rules for security. So, it’s very, very different.

And I think organizations in general, and even society, we often struggle to define, like, what’s good enough look like for us from a security perspective? So, I think it’s going to be a really interesting conversation to dive into.

[David Spark] By the way, that’s kind of a key part of it, what’s good enough, because being perfect, it’s not a possibility.

[Yaron Levi] It will never be perfect.

[David Spark] It’s not. And the thing is, there are other jobs where you can strive for perfection and get darn close to it, too. Very, very difficult in security.

[Yaron Levi] Yes.

[David Spark] All right. The person to help us with this conversation, I’m thrilled that on board, first time we’ve ever had him on a show. So excited. It is the CISO over at Xerox, Joey Rachid. Joey, thank you so much for joining us.

[Joey Rachid] Hey, thank you for having me.

What’s the CISO’s role?

3:33.937

[David Spark] Peter Granlund of If Insurance said, “The main problem with how top management in many organizations define the role, especially putting total accountability for the organization’s ICT, cybersecurity, combined with almost complete lack of influence and resources, except for a small team of experts.

So, that team is not given the mandate to prioritize security over business functionality.” Nor should it necessarily. That’s my commentary. But Peter goes on to say, “Instead, realize that the board and/or top management are accountable for managing enterprise risk. The CISO role is a sidekick.” I like that.

“There to support decision making, make sure what’s been decided operates in accordance with defined needs, and have a responsibility matching the mandate of the role.”

And Glenn Axelrod of Emissary.io said, “It’s the ultimate balancing act. Stressful yet demanding expertise in all trades, despite limited resources and endless risk. Prioritizing and building strong teams is essential, but organizations must recognize that no single leader can shoulder the entire weight of security alone.

It’s a collective effort.” So, there is this sense, Yaron, some people believe the CISO is handling all the security all by themselves like a superhero, but the CISO knows that that is actually not physically possible, but I love this description that Peter has that the CISO is a kind of a sidekick to management.

Do you feel that way in some sense or no?

[Yaron Levi] Well, again, it all depends, right? We always say in security, it depends. I think what we need to say first and foremost is let’s talk about what the role is not. And I think the role is not the organization’s moral compass, as some people may feel or think about, and I also think it’s not the enforcer of the rules.

I mean, that’s not our job. I think the CISO role ultimately is to be a trusted advisor to the organization leadership and support delivery of the organization mission. And with that, they work across the organization. I mean, we need to partner with all the relevant partners across the organization.

And in many ways, we are not different than the legal department. Our role is to advise, support, we need to build, we need sometimes to take defensive actions, as necessary. But the ultimate decision lies with the executive leadership, not with the CISO, for that matter.

It’s true, I mean, that in many organizations, historically, their role has been viewed as an IT function, but I think this is something that continues to evolve, I mean, over time and how security is becoming more and more aligned with the business, with business priorities, and I think there’s a growing sentiment towards supply chain risk and things like that.

So, I think that’s making the business or making security much more aligned and closer to revenue generation.

[David Spark] All right, Joey, I throw this to you, just summing up what Peter and Glenn say here, you’re essentially a support role, a sidekick, and you’re balancing, and you can’t do it all yourself. Again, we don’t need all the answers but set us up here. Where do you think the role physically sits and what do you agree of those statements by Peter and Glenn?

[Joey Rachid] Yeah, what I’d like to say first is when I was a deputy CISO, I had the pleasure of being mentored by our CISO and he taught me this concept of a business aligned cybersecurity program. And it was the first time I’d ever heard it, but I learned that, and I really took it to heart in all of my subsequent CISO roles that I’ve had.

And I really distill the responsibility of the CISO into two pretty broad buckets. One is to enable the business, and that will differ depending on where the business is in its current lifecycle. Some businesses are growing rapidly, some are shrinking and so you’re downsizing, some are going through financial troubles, and you have to mindfully lead your program that is aligned to understanding what the higher-level business objectives are and enabling it to be successful.

The other broad bucket is risk management. We’re there to manage risk, to advise on risk and hopefully help the business reduce risk, right? And that can be through many different mechanisms as we know as CISOs, right? But how do you accomplish that? I don’t see that the weight is all on my shoulders.

You accomplish it through delegation. One of the things that I learned in my courses at University of Texas Austin McCombs School of Business is leadership is about how to get stuff done through other people, and it’s about influence. And so, we have a team. And so, as CISOs, we have to ensure that we build a strong leadership team that are the respective experts in their area and that they advise you as a leader and help provide you opinions and you have thoughtful dialogue and discourse and sometimes disagreement.

But ultimately, the CISO is accountable to making that decision and then also advising the board or the senior executives as to what the company should do.

Who owns this issue?

8:39.703

[David Spark] John Overbaugh, who’s the CISO over at Alpine Investors said, “This is exactly why I love my job. It’s a massive puzzle encompassing business operations, finance, technology, but most of all, human psychology. What’s ‘broken’ for one is simply the challenge for another. I have a hypothesis that a lot of the problems is our own darn fault.

We don’t explain things, so the rest of our ‘first team,’ the execs, understand it.” And Erik Bloch of Illumio said, “CISOs have put themselves in this boat. They don’t want to leave the kids’ table and join the adults and become an actual business unit. I mean, why would they? They get paid without being held accountable to the same standards other C-level positions do.” So, I kind of like what Erik and John said.

They kind of like said, “Hey, you’re putting yourself in this position of thinking that it’s too difficult, that there’s too much to do, but the reality is you just have to be a business leader and force yourself that way.” Joey?

[Joey Rachid] I couldn’t agree more. This is probably my favorite quote from the whole thing. Number one, if you feel it’s too hard or too difficult, step aside. Someone else will gladly take your CISO role.

[Laughter]

[David Spark] That’s true.

[Joey Rachid] Okay? If you put yourself in the boat and you want to jump out, jump out. Someone else will take the oars and paddle forward. And we have to realize, like, sometimes we shoot ourselves in the foot with this, talking about our job being impossible, talking about our job causing burnout and things like that.

I see that as an opportunity to really look at how are you leading your program and really aligning your mission, vision, and values, and making sure that your team has purpose? Because if you look at other business functions, they have a very strategic or tactical roadmap, and they don’t allow the noise from the left and right to distract because you have to push the ball forward towards the end zone.

[David Spark] Let me pause you just for a second. What do you mean by “the noise”? What are you referring to?

[Joey Rachid] The noise is just all these things that we get distracted by. You can always be distracted, but the thing is, is nothing is impossible if you have a plan and you have a roadmap or however you articulate that to your team and to your leaders. And then also understand who your audience is and communicate that up and how that’s enabling the business and managing risk.

And for me, that’s really what it distills down to, and that’s how businesses operate. And I took it a step further to learn more about, well, how do businesses methodically and purposefully manage and execute and deliver results? And I took it upon myself to go get educated in the various different areas of business so that I can learn that as a cybersecurity professional and leader, but also so that I can engage with them better on their turf versus asking them to come on mine.

[David Spark] Yaron, I know this is how you feel, about security being business, but I really like what Erik said. He said, “You’ve got to be a business leader.” It sounds like that’s your first role and responsibility. Yes, Yaron?

[Yaron Levi] Yes. I mean, you have to be aligned with the business, but I don’t agree with what Erik said about CISOs are not accountable because I think there are multiple examples where CISOs have been held accountable. I think what makes this role a little bit more difficult is, first of all from an organizational perspective, does the organization have a right idea in their mind of what they want the CISO to be?

In some cases, they just want the CISO to be the scapegoat. It’s fine. I mean, if that’s what they want, if that’s what they want to pay for. And there are some other cases that they want to have the CISO do different things, build the program, help with business enablement, do different things, right?

But it goes to, again, it goes back to the question, like, what is good enough? And really working side by side with the business, knowing it will never be perfect, you have to do some foundational things. You don’t want to be grossly negligent. But between perfection and not being grossly negligent, there’s somewhere in the middle that is probably, for the organization, good enough.

[Laughter]

[Joey Rachid] Yes.

[David Spark] And it’s different from organization to organization. By the way, can I just close on that quote? Between perfection and gross negligence, there’s something in the middle. Yes, I would hope there’s a lot in the middle. [Laughter]

[Yaron Levi] But I mean, any difference from… It’s different from organization to organization, right? Do the right thing. I totally agree with what Joey said about having a strategy, having a plan, and stick to that. The only caveat to that is, it’s funny, because every time when we look at our plan at the end of the year, yes, you have a plan, but then we tend to have things that have happened throughout the year that jumps to my priority one.

So, it always kind of impacts your plan. You get audited, the business is doing something, or there’s an M&A or something, or the board wants something or whatever. So, there’s things that are happening that you can say, okay, well, just we’ll wait for it for next year. I mean, you just kind of have to put it in priority number one.

So, there is that fluidity a little bit and flexibility that we need to have in the model, but overall, I completely agree with Joey. I mean, we have to have a plan, we have to have a strategy, and we have to constantly move down the field.

[Joey Rachid] I mean, what I would say to that, though, if those things from the board and such are always replacing your number one, you really tend to not accomplish anything, and then you look back at the year and that’s like, well, have we really moved the needle forward in maturing our program, addressing the key risks and things like that?

I think as leaders, we also need to understand that it’s okay to sometimes say no and why. And to say, “Hey, I understand that this is your item number one, but here is my item number one, two, and three, and here’s why I think these are very important. Would you agree that yours is higher risk, higher priority than this?”

It’s a negotiation and it’s a dialogue, and that’s what business leaders do. Business leaders need to articulate why things are important for their area and what’s their ROI that you’re going to get out of it and then compare that to what is being asked from another leadership board, executive committee, what have you.

And it’s really actually impactful when you can show that you have a plan, you have reasons, you have the return on investment that you can show. And it’s like, “Oh, wow, okay, yeah, no, my priority isn’t more than that. Let’s negotiate. Let’s see where that fits in and where we can deliver that.” Right?

I think it’s really important to come to the table with that viewpoint and that type of organization in how you’re executing your program as a business to some degree.

Sponsor – Backslash

14:57.539

[David Spark] Who’s our sponsor this week? Well, it’s Backslash and let me tell you a little bit about that. It’s pretty cool. Now, let me ask you a question. Are you unhappy with your AppSec tools and processes? Is your team fatigued from endless false positives? Are you finding it hard to convey the urgency and relevance of findings to developers, creating unnecessary friction and frustration?

Well, if you answered yes to any of these questions, you’re not alone. Application security is in a rut because while the world of software development has progressed by leaps and bounds, facing even more disruption with the use of AI-assisted coding, AppSec tools are having a hard time catching up, and piling on more features onto existing tools will just lead to more of the same.

Now, Backslash, our sponsor, is here to change that. With a completely fresh approach, Backslash models your application, creating a digital twin of your code. It’s kind of like CAD for app development. So, using an AI-enabled app graph, it then uses this model to traverse the code, finding vulnerabilities that are both – this is key – reachable and triggerable, categorizing findings into human-understandable business processes, and allowing developers to simulate the security impact of updates.

So, organizations looking to modernize their AppSec use Backslash to dramatically improve their efficiency and eliminate the frustration caused by legacy SAST and SCA tools. Go check them out. It’s easy. Just go to their website. It’s backslash.security. Go there, check them out.

What must a security leader be able to do?

16:51.573

[David Spark] Alen Mustafić of CyberSec4People said, “The CISO role has grown too complex for one person to handle effectively. Cybersecurity spans tactical operations, risk management, compliance, and strategy. Expecting one individual to excel in all these areas is unrealistic. Now, a team-based CISO model could address the challenge by leveraging specialized expertise across domains, improving decision making through diverse perspective, and sharing responsibility across departments.

And as leadership becomes a core business priority, is it time to rethink the single CISO model?” We’ll get into that in just a second.

Geoff Airey of Evotix said, “You’re boiling down a whole team’s responsibilities to one person, yet that person is responsible for those things, but they need to delegate and share,” which we brought up. Geoff goes on to say, “A good CISO should know what to take on personally and what to delegate. They don’t need to be an expert in every area of security.

They need to have team members or contracted third parties who are.” There’s a lot of good stuff in here, Yaron. And I want to just first start with is that the rethinking the CISO model, you were just mentioning, Joey, the deputy CISO. We’ve seen BISOs that literally split off and take a good portion of the CISO’s responsibility.

We’ve seen the office of the CISO. So, there has been a way of splitting up the responsibility, but also, I got to assume, when you become a CISO, unless you’re a CISO with one person underneath, you are just delegating, delegating, delegating. Yes, Yaron?

[Yaron Levi] Yeah. And the way I think about it, and I agree with the gentleman, no one in security can be expert in everything. I mean, this is just not feasible. I mean, there’s so much, it moves so fast. I mean, things are changing all the time. It’s just not possible. And I don’t know if Alen meant, by suggesting a team-based CISO model, exactly what he meant by that, but the way I think about it, it’s like running a football team.

I mean, you have the head coach and then they’re not expert in everything, but they have a lot of experience. And then they have an offensive coordinator, and they have defensive coordinator, they have quarterback coach and running back coach. I mean, so they have a staff, a support staff around them, and each one of them has its own expertise.

But ultimately, the one who’s calling the shots on the field is the head coach, and they’re the ones who eventually have been held accountable for whether the team succeeded or not.

Now, if you want to run an NFL team only with the head coach with no supporting staff, you can try, but I’ve never seen any one of those teams ever win any championship or whatever, right? So, it’s all a question of, like everything else, security needs to have the right support structure in place, have to have the right people, process, technology to be successful.

And the question is whether the back office, front office, the owners, whatever, are providing the right support. So, yes, it’s not…one person cannot do it all. It’s a team effort.

[David Spark] And I just also want to throw out here, Joey, that, I mean, I don’t know what the size of Xerox’s sort of security team is, but I am definitely seeing more and more of these splintered CISO roles, deputy CISO, BISO, and the office of CISO and whatnot, to essentially take huge chunks of the responsibility off the plate.

And it just makes sense for an organization that it’s just too much for one human. Yes?

[Joey Rachid] Yeah, I would say the old analogy of one plus one equals three in this scenario. If you are a CISO and you feel like you’re the one who’s making all those decisions without input from others, then you’re actually doing it wrong. You’re probably making less optimal decisions because you’re not leveraging the team that you’ve hired who should be experts in certain domains and then are advising you.

And again, you’re going back and forth and you’re having that diversity of thought and contribution to the solutioning, the next step and so forth. Yeah, I’m not sure what this idea of the rethinking the single CISO model, but it’s a team sport, and I like the analogy with regards to football. And if you think about the players on the field, there’s a quarterback, there’s many different positions, and they’re all experts in those positions, but they work together to make the plays work and get the football down the field and make scores.

And so, a CISO’s the same thing. It’s just you got to build the team, get the right people in the right positions, and align them to the right strategy, vision, mission, and those things, and then you’ll see performance excel. You’ll see a lot more get done on your team and there’ll be a happier team.

[David Spark] But you know what? Both of you brought up a really good issue. So, we started talking about the CISO’s role is to advise the business, but then I’m hearing from both of you, like having this defensive coordinator, the offensive coordinator, the running back coach, all these different people.

I realize your team is advising you, for which then you use that to advise the business. And I mean, I can just say as a leader, I love it when my staff makes decisions for me. I mean, don’t you like that, Yaron?

[Yaron Levi] Yeah, absolutely.

[David Spark] You’ve done the research. You’ve done this. I agree. That’s phenomenal. You’re doing such a great job.

[Yaron Levi] No, absolutely. I mean, your team is definitely advising you and supporting you at the same time. I mean, they’re the one who are also engaged with the business. Because when we say business engagement, it’s at all levels. I mean, it starts all the way from the top and it goes down to the front-line engineers.

I mean, so yes, I mean, to get that type of coverage across the organization, and sometimes in some companies, even globally, yes. I mean, you have to interact in all those levels. The CISO cannot be just the bottleneck that everything kind of flows through and from, but it’s building the team. It’s building, it’s empowering the team.

It’s supporting the team to be able to have those conversations.

[Joey Rachid] Correct. And you should have your direct leaders, you should trust in them so that they can engage with various levels in the business and own those conversations and so that you’re not the bottleneck. And it also enables them to strengthen their leadership and skills to potentially if they want to climb up and become a CISO themselves.

So, you’re really also enabling them to learn that and how to engage with senior executives or boards or what have you. And so, it’s a development opportunity. And so, you got to let them sometimes do that. And we learn best by sometimes making mistakes and sometimes you got to make mistakes, and your leaders need to make mistakes so they can learn and improve.

And it’s not detrimental. It is what it is. It’s not perfection.

[Yaron Levi] Can I say just something else because I can’t emphasize enough what Joey just said. I think sometimes we are getting into this, oh, you’re not allowed to make any mistakes. If there’s like one strike, you’re out. And I think this is wrong because oftentimes, I’m not saying… Again, don’t be negligent, don’t be stupid and make mistakes because you’re negligent, but it’s okay to make mistakes sometimes.

It’s not okay not to learn from them. Do make mistakes, learn from them, move forward. That’s how we learn. And I think there are many organizations and we lost that art because we lost that tolerance, if you will, to mistakes. We’re not encouraging mistakes, but mistakes happen. If they happen, we learn from them, we move forward.

What’s the next step?

23:52.107

[David Spark] Mark Fuentes of Appdome said, “The greatest shift in thinking in the past decade has been that some organizations are beginning to see that firing a CISO after a major security incident is a major mistake.” Now, my personal aside, and we’ll get into this, is I anecdotally have not seen that nearly as much as I used to see it.

Going back to Mark’s quote, “There are no breach-proof, cyberattack-proof CISOs. There is no such thing as an airtight cybersecurity strategy or program.” We mentioned this. He goes on to say, “Cybersecurity is a war against breaches. Some battles will be won and some will be lost. Changing generals too often may not be a winning strategy.” That is the quote.

So, let’s just say your CISO screws up. Who knows your environment better than that person? You really want to get rid of them right now? Like, after a massive breach? Probably not a good idea. And I think that’s probably why we’re not seeing a lot of CISOs getting dumped right after a breach. Yes, Yaron?

[Yaron Levi] Yeah. I mean, think about it. Again, if we’re talking about a mistake, and maybe it’s a mistake, maybe it’s an honest mistake, maybe whatever the thing happened, but there’s a big lesson that can be learned from that, from that breach or from whatever the case may be. Now, if you just suffered a breach or suffered an incident like that and you let the CISO go, that’s okay.

But the lesson that they learned, now they’re going to take somewhere else. Why won’t you benefit from that lesson? I mean, if you’re just going to let them go, I mean, just pay their dues to somebody else to benefit from that, as opposed to you already kind of paid the price, you might as well leverage the benefit from that and from the lessons that you can learn from it.

So, I think all in all, we talk a lot about security, but ultimately, it’s about building resiliency. And I think that’s what the gentleman, Mark, was referring to in his quote, is that things are going to happen. Sometimes you win, sometimes you lose. But how do you build that resiliency to keep going forward, to continue and sustain despite, I mean, all those challenges?

Because again, it will never be perfect. You cannot protect against everything all the time, anywhere, against every type of attacker. There are some attackers that no matter what you’re going to do, nothing’s going to help you. But again, you can always continuously improve, and you need to build yourself in such a way that you can build that resiliency, that you can measure that resiliency and know exactly what you can defend against and what you cannot.

[David Spark] All right. I’m going to let you close this one out, Joey. Again, I want to just double down on this last line of changing generals too often may not be a winning strategy. So, how do you get the business to swallow it’s going to be a bumpy ride, is I guess maybe the way [Laughter] I’d say it?

Like, is there a way to couch that?

[Joey Rachid] I mean, the way I approach this is business is all about risk. Life is all about risk, right? The minute you got out of bed and put your foot on the floor, you took a risk, and hopefully it was a small one. And so, cybersecurity is just like that, and I think we need to be mindful that just like any other business risk, we need to articulate it in business terms and ones that our leadership understands.

And that they also understand that even if we do all of these things, even if we’re right, and what’s the saying? “We got to be 100% right, and the attacker needs to be 1% right.” So, the odds are against us and a lot of business scenarios are like that.

I mean, if you’re trying to do a turnaround in a business, or you’re trying to do something as a public company, the challenges and the risks of that are there and leaders know that. And so, ours is not very different. And so, I just like to communicate with that narrative and say we’re doing these things, but as we know, it’s not typically a matter of if, it’s a matter of when.

And hopefully that “when” is minimal because we have built a resilient program, and we’ve protected certain things that are very important to us, and we can maybe deal with certain other things that may impact us, but we’ll recover more quickly. And so, it’s just about that narrative, and I don’t take this FUD approach.

I think that’s actually something that shoots us in the foot because people either one, don’t respect it or see right through it. And so, we got to recognize that’s not typically a great approach in a business context because you don’t see other business leaders doing that. And so, we shouldn’t do that.

As we had talked about earlier, we need to be more aligned to the business, conduct ourselves in the way that other business leaders do and communicate in those terms. And yeah, it can be a bumpy road, but there’s a lot of bumpy roads in business and [Laughter] we’re just another path or another pothole out there that you may want to swerve or you’re going to hit, and it is what it is.

[David Spark] Good point.

Closing

28:32.839

[David Spark] All right. We’ve come to the portion of the recording where I’m going to ask you which quote was your favorite one. And by the way, there are a ton of quotes in here that I loved. Joey, you actually teased one that you liked a lot, but tell us, now we’ve come to the end, which is your favorite quote and why?

[Joey Rachid] So, my favorite quote is by John when he said, “What’s broken for one is simply the challenge for another.” That’s my career. I joined the military because I wanted a challenge while others were like, “Oh no, I just want to go to school, college, and have a great time.” And I’ve always sought the challenging path.

Being a CISO is very challenging. That’s why I enjoy the role. No day is the same. No company is the same. I really love that. And again, to my earlier comment, if you think it’s too challenging, get out of the boat, someone else will take over. I don’t mean that literally, but you have to be thankful at some time that you actually are the CISO because it is a coveted role.

You have to realize that it’s a privilege to lead a team of cybersecurity professionals in a technology environment. And in the day and age that we’re in with what’s going on, a seat is an opportunity. I don’t want to use the term growth mindset, but I said it. If you think about things that are more, “You can do it and it is achievable,” you’re more likely to be successful than walking into something saying, “This is impossible.” Well, guess what?

You’re more likely to fail if you think that it’s impossible. So, just approach it with that positivity and I like the challenge.

[David Spark] Awesome. All right. I throw this to you, Yaron, your favorite quote and why.

[Yaron Levi] I will tell you a funny story, right, before that. So, several months ago, I spoke at BSides Colorado Springs, and I asked the room if there was any other CISO in the room, and the answer was no. And I said, “Okay, is there anybody here who aspires to be a CISO one day?” And everybody was like, “Hell no, we’re not touching this, I mean, with like a 10-foot pole, never.”

[David Spark] Really? [Laughter]

[Yaron Levi] Yeah. So, I don’t know, maybe there’s going to be some. I mean, I hope there’s enough people.

[David Spark] I hope we converted some people. We didn’t scare them off.

[Laughter]

[Yaron Levi] Yes. But my favorite quote was from Mark Fuentes, and really, it’s about building that resiliency. I think you keep changing the general, okay. Yeah, it may work for some, may not work for others, but ultimately, it’s about the long game. It’s about the infinite game. How do we stay in the game and how do we build resiliency over time?

Again, every organization’s different. Everything is different for every different business, and everything works differently for everybody. So, each one needs to find whatever works for them and go from there.

[David Spark] Yes, it is an endless game. I believe that’s the name of Simon Sinek’s book if you haven’t read it.

[Yaron Levi] Yes. The Infinite Game. Absolutely.

[David Spark] I highly recommend it. It’s good. All right. I want to thank our sponsor. That would be Backslash AppSec using a digital twin of your application. Remember, go to the website backslash.security, and you’ll find it there. Check out what they’re doing. And I believe when we were chatting earlier, are both of you hiring – both you, Joey, and Yaron – security positions at your company?

Yes, Joey?

[Joey Rachid] As of today, yes.

[David Spark] Okay.

[Joey Rachid] [Laughter]

[David Spark] Hopefully, by the time this airs. For our audience, hopefully. For you, hopefully, you filled it beforehand. We’ll see.

[Joey Rachid] You never know. We may have additional positions in the future. But I also say if anyone wants to talk after this, look me up on LinkedIn, glad to connect.

[David Spark] But we will have a link to your profile as well. Yaron, you’re hiring as well, may or may not be filled by the time this airs?

[Yaron Levi] Yes, we’re also hiring right now as well. So, maybe by the time it airs, that’ll still be open. But we’re always looking for good people. And if not, we’re also happy to connect people to others of our friends who are looking for good people.

[David Spark] Yes. By the way, I see that you go out of your way to try to help those trying to find their next position find it. So, thank you very much, Yaron. Thank you very much, Joey. And thank you to our audience. We greatly appreciate your contributions. I know I close on this every single time, but I’m not lying.

We do, and we greatly appreciate you listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.