In a first for this blog here is a post I worked on with Mike Aiello, a former colleague from Goldman Sachs and Google and someone, like me, who has worked multiple security and engineering roles and, especially in one of his most recent roles at Secureworks, worked with a range of security teams across many different types and scale of security companies. From these experiences we’ve both seen the good patterns and the not so good patterns of security leadership. ...| Risk and Cyber
One of the more common patterns of security program success vs. failure is how much leadership is prepared to stick with the work over...| Risk and Cyber
There is a plethora of sample job descriptions for security leaders that are often strictly correct but can also be uninspiring or too detailed to capture the actual essence of the role. I developed this role description a while ago to try and address that. It's mainly designed for growing companies rather than more established organizations but the more I look at it the more I think it's applicable to all. It's not meant to be a long list of attributes or specific tasks but, rather, somethi...| Risk and Cyber
I have a regular set of go-to books both for myself and what I recommend to others at all stages in their career. Here they all are with what I think, at least for me, is the key takeaway. Of course, there are not many classic security books here. Most of the challenges of a security leader’s role are, well, leadership along with a healthy dose of program management, culture development, technical attention to detail, risk management and more. In fact, the accumulation of security knowledge...| Risk and Cyber
There are organizations that seem to have disproportionately created a large number of leaders who have gone on to be CISOs or other security executives across many other organizations. These “CISO factories” include Salesforce, Google, Goldman Sachs, Lockheed Martin, @stake, Yahoo, and quite a few others. Let’s take a look at some of the characteristics of these types of organizations. You might not need all of these, but definitely need many, to kick start the flywheel of your own ta...| Risk and Cyber
I’ve given variants of this talk at a few events in 2024 and received a lot of requests for the slides and a blog post. So here we go. There are many factors to being successful in most fields at various stages of your career. These can be long lists, and you will all have your own variants of these, but for me it all comes down to this top 6: Before we unpack each of these it’s worth showing some humility here. I’ve had a long career with plenty of ups and downs across various industri...| Risk and Cyber
A major success marker of great security leaders and their teams is one simple prioritization technique: the ability to know what needs to be done really well vs. what needs to be simply ok. In other words knowing when to go for an "A-grade" vs. when to simply "Pass", and making sure that the A-grade goals are dominated by what gives you the most leverage not just the things that are evidently critical. It has been over 4 years since I wrote the first version of this post. Since then, these...| Risk and Cyber