Emilio Escobar [00:00:00]:
We learn so much from failure, and yet I see so many CISOs who are afraid to fail because they’re worried about, but what if we get breached from a failure? And my answer to that is, you’re going to get breached no matter what. So learn how to fail and how to pivot quickly from it.
Karissa Breen [00:00:19]:
Joining me today is Emilio Escobar, Chief Information Security Officer at Datadog. And today we’re discussing the modern CISO and engineering the future of security. So, Emilio, thanks for joining me and welcome.
Emilio Escobar [00:00:45]:
Thanks for having me.
Karissa Breen [00:00:46]:
Okay, so I’m really keen to maybe start, Emilio, with your version of the modern CISO. What do you think this sort of looks like? Because, again, it depends on who you are. People have got different versions, people have different opinions. So I’m keen to hear yours.
Emilio Escobar [00:00:59]:
My definition of a modern CISO is a little twofold. So one of them is a CISO who’s actually a part of the C suite or management team of the company. Historically, the title has been given to the highest organization or the highest person who’s responsible for the security program. But normally they’re not actually part of the executive team. They usually report into one and everything is done by proxy. So I think the modern version of this role is actually a member of the C suite, where that means you don’t have to just be a security person, you have to be a business person and think about the company as a whole, and you’re a peer to everyone else who’s doing that. The second aspect of a modern CISO, and I think this is more specific to the profile of the person in the seat, and it’s been heavily influenced by the advancements in technology, the migration to the cloud, not just using cloud providers, but using applications that are hosted in the cloud by the vendors themselves. With the boom of AI and everything in between, that is where I’m seeing companies shift their needs for their CISO to be.
Emilio Escobar [00:02:12]:
Instead of being an audit or IT background person, they’re seeing the value of having somebody who’s come up through the engineering ranks, where they can actually understand technology a whole lot better and then be able to speak to the technology and the regulatory risks that apply to the use of technology, but in a way that comes from understanding the technology itself, not just basing it on what a framework or a set of requirements say. This is actually how the technology is going to be used or built or implemented; these are the actual meaningful risks that we think are going to come out of it. Think more in a threat model way rather than just a checkbox approach of complying with things. What are the actual threats that would impact a company wherever the CISO is, based on the industry, the company type, who they serve as customers, who they have, where they raised and things like that.
Karissa Breen [00:03:06]:
Okay, so a couple of things in there. Okay. So you said before you’ve got to be a business person. Right. So would you say historically people are in security, and I mean, I’ve worked as a security practitioner myself historically before doing this side of things. Do you think they’re like, well, that’s fun, but I kind of just want to do security stuff because I’m a security person and that’s what I enjoy doing? So do you think perhaps there is a little bit of resistance from people? As you said, people usually come from an engineering background. And historically what we’ve seen is a lot of people, again in more of these senior roles, historically speaking, have had that engineering background.
Karissa Breen [00:03:39]:
And some of them are just the leaders because they got there by default. There was no one else. Now we are starting to see a shift around these business sort of folks coming through. But do you sort of see people thinking, well, I don’t actually want to be a business person at the end of the day, I just want to do security stuff? So how does that sort of sit with people from your experience? Because again, you make valid points, but I’m really keen to understand maybe some of the psychology around that.
Emilio Escobar [00:04:02]:
Yeah, I mean, I’m sure it’s not for everyone. Just like being, say, a member of the red team on a security team is not for everyone either. Right. I think people have their own definition of what motivates them and where they actually see the most reward for the day to day, what excites them, what they actually want to spend their time doing. And I think there’s a time and space for everything. You can say the same thing. It’s similar to saying, is every person in the finance team thinking, I want to be a CFO one day? And I don’t think that’s the case. Right. I think you have people there who are very motivated and passionate about a certain aspect of finance.
Emilio Escobar [00:04:40]:
It could be the accounting part, it could be the planning and analysis part, you name it. They don’t necessarily need to be a CFO. Right. So I think when you make it to that level, then you are a business person whether you like it or not. And the reason for it is, if I’m a CEO of a company and I’m forming my team of leaders around me, my lieutenants, right, for the lack of a better term, who do I want to have? Do I want to have a person who only keeps bringing up one topic, like a one-trick pony, or do I want somebody who can actually help me think about where we go as a company? And what happens is that as a CISO, as a CFO, as a COO, as a CTO, what have you, you bring your expertise but within that landscape or picture of company-wide, business-wide, industry-wide, rather than we have this one threat, we have this one thing, or I’m tracking this one threat group and this is the one thing that worries me. You have to put that into the context of what it means to the company and where the company is. So I don’t think it’s dissimilar to any other C level role, and I don’t think everyone is volunteering to be part of the C suite. Because again, it’s based on the motivation of the people and it’s totally fine. I’ve seen people being extremely successful building a career without even managing people, right?
Emilio Escobar [00:06:01]:
Like they’re a very senior individual contributor and they’re really good at it. That’s totally fine. So going to the psychology of the people, back to your question. Yes, I’m sure there is some element of people who think, I’m just a security person. I don’t really feel motivated to learn or know about how to read a balance sheet. For those of us who work for a public company, understanding the aspect of forecasting and investor sentiment and meeting those numbers and exceeding those and earnings calls and what they mean. I’m sure there are people who just don’t care about it.
Emilio Escobar [00:06:32]:
Just like there are aspects of certain things that I just don’t really pay attention to because they’re not the things that motivate me. So it goes both ways. And I don’t think it changes the definition of a modern CISO. I think it just changes the... maybe it becomes a little bit harder to find what that quote unquote modern CISO is for these companies that are looking for these engineering background people who are also interested in being a business leader, not just talking about security.
Karissa Breen [00:06:59]:
So would you say, in your honest opinion, perhaps, and I mean I’m just thinking out loud, people like the idea of the title of a CISO, but then in reality it’s like, it’s got all this other responsibility? It’s nice to get the title, swan around, do the media interviews. I mean, I’m saying this very generally and broadly speaking in terms of their perception of the role, when actually that’s not the reality. Do you think that people just enjoy maybe the title? You know, get to go to vendor events and have nice dinners and do things like that? But then it’s like, actually, I’ve got to do the reality of this job, which is the responsibility, the accountability, the operations side of things, the managing, like you said, the P&L, all these sorts of things. And then as a result of that, do you think we’ll start to see people fade away that aren’t perhaps, to your earlier point, a modern CISO? Because maybe they’re discovering, hey, this job’s actually not for me. I’d rather just be the ops guy in the back.
Emilio Escobar [00:07:52]:
I think that at every level, you see that, right? We see it ourselves, where we’ll have individual contributors thinking, I want to be a manager one day. And we’re like, great, we’re gonna work on that and give you the tools and the opportunity to do so. And then you’ll have a version of it where it’s like, hey, I’m super happy managing a team of four or five people, right? A small team. This is great. We can motivate each other. I know how to do this, I know how to lead, I wanna grow. And it’s like, okay, great. And then the opportunity presents itself and now you’re managing 30, 40 people and it’s like, oh man, this sucks.
Emilio Escobar [00:08:27]:
So I think you have that, just as you have that for the CISO role itself, where I think the idea of being one may sound super interesting to some people. And then once they actually get to see what it’s about, they’re like, hey, you know what? This is probably not the role for me. And I always respect when people self select themselves out of that because they find, like, hey, I’m better at this and this is where I want to focus on. And sure, that’s totally fine. And so when people come to me and ask me for career advice and they say, oh, I’m only talking to you, I want to talk to you because I want to be a CISO one day, the first question I ask is, why do you want to be a CISO? What about it is what you’re striving for? Because I try to make it very realistic to people, and it’s not a bad role. But also, just like anything, it comes with the pros and the cons.
Emilio Escobar [00:09:19]:
Right? So I want people to be aware of what I think the cons of the role are compared to just being an individual contributor or a little bit more hands-on operational role versus being it. The second thing that alludes to, and I think brings some reality to, the comment that you made or the question is, at least in the United States, when the SEC came out with some updated guidance and requirements for disclosures and potential liability against the role, I saw a lot of people who are in that role being a little bit allergic to the liability. And I think there’s a nuance there, because in a lot of organizations, unfortunately, the CISO role isn’t as supported as it is at, you would say, a company like Datadog. So they kind of feel like, how can I be liable when I don’t have control? My kind of argument to that is, no C suite actually has control. You might think the CEO of a company has control of the whole company, but in reality a CEO of a company, especially a big company, is liable for the actions of every single employee. And yes, they’re the CEO, but they don’t control everything that happens in the company. Right? Like a big company has a lot of moving parts, things happen. Just like a CFO is responsible and liable for the integrity of the accounting books and the financial statements.
Emilio Escobar [00:10:34]:
Sure, you have control over your department, but do you really have full control over every single mistake that could happen everywhere? Like, no. This is why these roles have spent time and decades building processes and frameworks and really execution mechanisms to make sure that there are checks and balances, to make sure that these reports are accurate and of proper integrity. The CISO, I think, started worrying about going to jail instead of thinking about, wait, how do I build this set of frameworks and processes and decision making internally so that I don’t feel liable for something where some employee can just randomly send data to the public and then I’m liable for it? It’s no, you have to. A, the regulation isn’t as black and white as other people make it sound. But B, your job, and this goes back to being a business leader, right, is to build that into the business, not just think if this happens then this. Right. It’s not an if-then statement. So there might be some truth to that question. Right? Because I’ve seen some of that reaction, at least in the US for the SEC regulation, where they’re like, well, I don’t want the liability.
Emilio Escobar [00:11:48]:
And my response was always like, well, welcome to the C suite, right? Because every C suite member has some sense of liability and you’re a team, so you can’t really say, hey, I’m on the team, but this is where I draw my line. Like, putting it in baseball terms, you can’t go to your team and say, hey, I’m going to go up at bat and swing for the fences, but I don’t like to get hit by a baseball, so I’m actually not going to go up to bat, because in the event that I get hit by a baseball, I don’t like that. So you’re either part of the team or you’re not. So there might be some truth there, but there might also be some truth in more of what the role actually looks like day to day. Right? Where I grew up as a software engineer and quickly pivoted to security, I don’t get to write software in my day to day.
Emilio Escobar [00:12:32]:
That’s not what I do anymore. I have my hobby projects and things like that. But my job isn’t measured on the quality and functionality of my code anymore. My job is measured on the output of an entire program and making sure that we’re prioritizing the right things. So again, it goes back to where your motivations are.
Karissa Breen [00:12:50]:
Okay, this is interesting. I want to get into this a little bit more. Going back to your comment, Emilio, around being allergic to liabilities. So are you sort of saying that what we’re starting to see now is your true hardcore security people that are like, yeah, there’s liability, but I really love what I do, that’s just part of the job? So for example, I mean, look, if you were to be a firefighter and you’re like, well, actually I don’t really want to potentially get burnt, you’re probably not going to do that job, right? And it’s like you can, I guess, drive around in a fire truck and wear a uniform and all these sorts of things. But at the end of the day, if your heart is really not in that I want to protect people and save them from fires and potentially I could get burnt or die, then the job’s probably not for you.
Karissa Breen [00:13:31]:
Are you starting to see that hardcore, I’m going to die on this hill, security sort of person needs to be in these CISO roles moving forward because there is a lot more responsibility? And like you said, you know, some people are worried about going to jail.
Emilio Escobar [00:13:43]:
Liability. I mean, yes. And a little extreme on the firefighter example. Is there anything...
Karissa Breen [00:13:48]:
I could think of off the top of my head?
Emilio Escobar [00:13:49]:
But yes, it’s actually pretty good. It’s a good one. I can see where the analogy actually overlaps. But I think there’s an element of that, and what’s happening, in a good way, is that the importance of the role, not just the role. Right. Because the role is a role, and a CISO without a proper security program and talented people behind them is not going to do anything. I mean, just like any other person in any company. Right.
Emilio Escobar [00:14:14]:
Like the CEO alone is not going to make a company successful. You have a bunch of people who do. And I think what this is doing is elevating and really bringing to the surface, or to the spotlight, the importance of the role, the importance of cybersecurity as a business function within a company that has other functions. And that it’s one element of risk that every company needs to take and prioritize just like any other type of risk. Not the top risk or the only risk. Right. But an element of risk that also needs to be managed among others. Running out of money for a startup is a big risk.
Emilio Escobar [00:14:54]:
Probably before security. Right. Because if you don’t have money, then you’re really just closing your doors, and security matters second at that point, or not at all. So I think it’s really reflecting the importance of the role and the program and the function itself. So that’s good. But then what that’s causing is probably some of that, what you’re saying, of I didn’t realize this is what it actually entails. And that’s not.
Emilio Escobar [00:15:15]:
For me, that’s totally fine. I also worry a little bit when I talk about this because I don’t want to be seen as a gatekeeper or anything. Like, anyone can be very successful in any role, including the CISO role. But I think it’s starting to reflect the reality of what it’s like to be a business leader or an executive for a company and the amount of liability and exposure that comes with, say, you working for a private company versus working for a public company, or working for a company that deals with very regulated data or environments versus not. Right. Like, I think people are starting to sort of realize what they’re getting themselves into rather than just jumping into the role and then a year later realizing this wasn’t for me. And unfortunately it doesn’t go well when that happens, for both the person and the team and the company, because then there’s a gap, right.
Emilio Escobar [00:16:05]:
And then things suffer. So I think it’s good, it’s a good debate for people to have internally and among themselves. But yeah, I think that there is that element of, if you’re not really up for the liability. Now, it could be that, hey, you’re not ready for the liability in this company that is truly not supporting their program at all and not prioritizing it appropriately, not funding it well; then you can self select yourself out of that company and go somewhere else. But I think if you’re just worried about the liability in general or the exposure in general, then maybe the role isn’t necessarily where you want to be.
Karissa Breen [00:16:38]:
Okay, so. Okay. I really want to explore this more, because I do think that these are things that we’re starting to see in the industry in terms of the change towards the executives and the CISOs. Would you say now, because people are self selecting out, we’re going to see perhaps a higher caliber of talent coming into these more senior leadership CISO roles? The people that really want to be there understand there’s liability and there’s risk. It’s not just a fancy title. And you know, as I said before, like, there’s a lot more to it than that underneath.
Emilio Escobar [00:17:08]:
Yeah, that’s actually a good question. I don’t know yet. There are reports out there that always talk about how many unfilled roles there are in cybersecurity. I’m not a 100% subscriber to that, because I also think a lot of companies always look for the diamond in the rough rather than building a system that gives people opportunities, like new hires, college grads, interns, what have you, or their profile of people who you hire. Right. So instead of making sure your candidates meet every single requirement that you have for your role. And some of these requirements that I’ve seen in job posts are crazy. Like you need to have 20 years of experience in a technology that’s only existed for five, for example.
Emilio Escobar [00:17:51]:
So I think there’s an element of pain that we’re doing to ourselves when it comes to that. But I think what I’m seeing, I don’t know if I’m seeing a lot of people self selecting themselves out of the role. What I’m seeing are companies getting a little bit more fine-tuned about who they want in the seat and really having that difficult conversation internally when that’s not the case, and then starting to look. But it is starting to become, at least from what I’ve seen based on, I’ll caveat this with the fact that I’ve had a career track in technology. So the companies that are attractive for somebody with my profile are companies that are in a technology space. That means I don’t have a lot of hospitals calling me, like, hey, do you want to be a CISO for us? So I think there’s an element of expertise based on industry, but even within each industry there are certain profiles that they’re starting to look for, which means that the market is becoming smaller for these companies. So think about it from a real estate standpoint, right? If people start looking only for properties that have heated floors, the supply is going to become very short and it’s going to become extremely competitive. But in the favor of the employee, not in favor of the employer.
Emilio Escobar [00:19:07]:
It’s becoming a seller’s market instead of a buyer’s market, if the candidate is the seller, right? Selling themselves to these companies, or maybe the buyer, if the company is the one doing the selling, but definitely in the favor of the candidate. Because now you have all these companies looking for requirements, at least in the industry that I work in, that I’ve seen when CEOs call me and say, hey, can you help me sort of define what you think we need? And we always end up in a similar space where I’m saying, you’re looking at a talent pool of very few. So that’s great. It’s becoming competition. But I think it’s also going to be that in some time you’re going to see more people being added to that pool. So I think it’s really going to be great when there is enough supply to meet the very specific demand. And it will get there. It’s just companies need to go through a few rounds of looking and then also be open to taking some risk as well.
Emilio Escobar [00:19:59]:
Right. So if I’m a CEO of a company and I’m only looking for a CISO who has served in public companies, who has presented to boards, who has an engineering background, who knows how to write software, who’s been in high scale environments or fast paced environments at high scale growth, you’re only going to be looking at a group of 15, 20 people. I’m just making up a number. But if you say, hey, by the way, I’m also open to the idea that this person doesn’t have to have served as a CISO prior. We’ll give them the tools and the coaching that they need to get there. Maybe get a board member who has had history doing that. So that way, from a governance standpoint, you know you’re covered.
Emilio Escobar [00:20:39]:
But then you pair that board member with this new person, a newly minted CISO, to grow them. Then you’re expanding the reach a little bit of who can serve you as a CISO. So we’ll get there at some point. But sorry, it’s a long answer to say I think it is a good thing, but this definition is coming from the employers, not the employees.
Karissa Breen [00:20:57]:
So you said before, nowadays companies are fine tuning who gets to sit in the seat, right? So would you say historically it’s just like, let’s kind of get anyone, that’s not the right word, but let’s just get someone with some sort of background and pedigree because we need someone. But now would you say this is a clear indicator of maturation of the industry? Now it’s like, well, yeah, we’re going to take our time to make sure we get the right person in that position. Not just sort of anyone that was sort of floating about, or perhaps it was a systems engineer that’s like, okay, well, you’re good enough to be the CISO for the next 10 years because we don’t have anyone else. Would you say that that’s the case now as we’re moving into sort of where we are in today’s sort of space?
Emilio Escobar [00:21:35]:
I think so. I think we’re going to see companies take more time. You’re going to see companies rely more on search firms that are specialized in CISO searches. You’re going to see maybe the growth of the virtual CISO role, right? So like, hey, we don’t have anyone. We want to wait. But I still need to land customers. And in order for me to land customers, I need to have certain things done. And maybe this consultative role can help us in the time being.
Emilio Escobar [00:22:05]:
Say for a company that maybe doesn’t have much, or for a company that has had a program for years. And it’s just like, we are pivoting, so we need the leadership to pivot with us, including the CISO. Then maybe say, okay, the team is strong enough to be as is and we’ll manage with the leaders that we have until we find the right CISO to take the mantle. So we’ll see. I think the patience for saying I have a CISO is going to continue to grow until they find the right person for them. It is a very tough role to hire for, because a mismatch can go so poorly and it’s really difficult to recover from a cultural mismatch. It takes years to undo a lot of that if you let it linger for too long.
Karissa Breen [00:22:46]:
I’ve also heard, and probably more prominently here in the USA, there would be this splitting of the role. So you’ve got your ops person, an ops CISO, and then you’ve got like your business focused CISO that does all the influencing and, you know, getting the money and all that sort of stuff. Right. Are you starting to see that more as a trend? Because again, they are two very different functions, and you occasionally may find someone that’s got your super deep operational experience that can talk the talk, but that is rare. So is that something we’re going to start to see more, that this modern CISO is a dual role or split role, or what do you think on that front?
Emilio Escobar [00:23:21]:
I think it really depends on industry, right? So I have seen companies that have had that, where they’ve had a compliance-based CISO to take care of an immediate outcome that the company is looking for, say going public, right? So you need to comply with SOX and make sure that you have all the paperwork and all the foundations to go to the market and say, we’re a good company, let’s trade in a public market. And then they might have like a technical person leading where the technology is and where the risk from that technology comes in. But then I’ve seen those companies eventually go, why do I have two people? The more people you have, the less accountability there is, right? Because if two people own it, then nobody owns it. Who do you follow? Who do you trust? Who do you go to with, like, hey, what should we do? But then you have industries where the CISO is required to be, say in a banking company, the CISO is required, at least in the U.S. for example, to attend to and talk to a bunch of auditors and regulators. Not just in the US, because I was actually in Mexico a few weeks ago talking to some of our customers, and one of these customers has this setup where they have a CISO who comes from a banking background and then they have a technical person overseeing the technology part of the security program. And I think that makes sense, right? Because if the CISO is spending all day or most of the day talking to auditors and regulators in that industry, it’s going to be really hard to find somebody who can talk to a banking regulator and also be able to go in there and talk to engineers and say, okay, what does a proper distributed system architecture need to be? So I think it’s very industry dependent, where that may make sense. And I’m seeing it a lot in very regulated environments.
Emilio Escobar [00:25:06]:
Where I’m seeing the undoing of that is in the technical space. I’ve known of technical companies that are SaaS companies, right, where they have this dual role or split responsibility, but then eventually they converge on the one, because it really starts making very little sense. Because then how do you scope it out? And like I said, where does ownership lie?
Karissa Breen [00:25:26]:
So would you say, and this is interesting, because depending on, and I’ve had this sort of discussion with multiple people on this show, would you say that companies, given the CISO role, lean more towards someone that’s like, hey, this person’s an excellent communicator, they understand security enough to be able to communicate it, or do you think companies lean more toward, hey, there’s some hardcore tech person who lived and breathed it for like 20 years, we’re going to hire that person? Or do you think it depends? Because I’ve had people arguing about this on Twitter, LinkedIn, about what the background and the pedigree should be of this person. But where would that sort of sit with you in terms of their background and where companies should perhaps focus their attention? Because at the end of the day, if you’re super technical but you can’t sell anything, you’re not getting any money for your security division. Therefore it’s a moot point, right?
Emilio Escobar [00:26:14]:
Yeah. So I think it really depends on what they’re looking for and what they need. There is a time and space where a hardcore security person says, oh, I used to be a pen tester, I used to be a hacker for the last 20 years, I have all these vulnerabilities in my name, I’m the de facto CISO of this company. There is a time and space where maybe that person can be effective, but then eventually it fizzles out, or maybe it doesn’t. Right? So it’s really depending on what the company needs, how they’re structured, how the program is supported, what is needed for their program to be effective. If I’m in a company where I have to go to the CFO and the board and ask for money every time my team wants to do something, I probably wouldn’t be effective in that environment.
Emilio Escobar [00:26:56]:
Right. But at a company where security and the value of it is well understood, and we have our yearly budget plans and we go to the board and present on what we think the threats are and the risks are, and the board is there more to really make sure that we’re thinking about it the right way and govern, not execute. Then I’m good, because then I have control of what the teams... well, I don’t have control. The teams have control, but I can support that. I think I can sell, but I don’t know if I can sell every single nickel and dime that I’ll need.
Emilio Escobar [00:27:27]:
So it really depends on what the companies need. But isn’t that the beauty of the role, where you’re talking to so many different people who may have different views from mine about the same role? It’s the same thinking about companies who have a different need and a different version of the CISO that they may need for a point in time. Who knows, right? And maybe in certain years the company will be like, okay, great, we have a great program. It’s very mature, it’s executing effectively. They plan well, they do what they say they’re going to do, they communicate well, everyone understands what needs to be done and who to go to for anything. But now the company is going in a different direction. Say now we’re going to sell more to the public sector. Now a good CISO will probably be like, okay, I’m going to build a network of expertise in the department who can support that.
Emilio Escobar [00:28:15]:
But say you want the CISO to be the front face for that, because we can’t afford to have a team of people who are. Then you’re probably going to need a different person, right? So it really depends on the company’s needs. I’ve seen examples of hardcore security people being successful CISOs up to a point. I’ve seen them being successful CISOs for a while, and I’ve seen them not be successful at all. Because then it depends on how things are handled. If you live in a world of gray and you think black and white, you’re not going to be very successful in that space. But if you need to be in a black and white space, and that’s how you think, you’ll most likely be very successful.
Emilio Escobar [00:28:56]:
But very rarely the CISO role is a black and white role.
Karissa Breen [00:28:59]:
What about the stigma in the industry around you’re not technical enough now, when I was working as a practitioner, there was some senior people that came in and people were like, oh well, why would they hire that lady, that guy? They’re not even technical. But they were doing a senior role, right? So do you think that’s going to start to fade away? Because you know, even in 10 years we’ve got a lot more people coming through the ranks that aren’t from a technical background and they are doing different roles. So do you think because, and I asked that with people historically having given the respect to these people in these positions because like, well, you don’t understand fiber optic cables to the level. I’ve been doing it for 50 years. So do you think that will start to fade away? Because I’ve seen that as a massive problem in organizations too. To be like, well, you don’t, you’re not technical enough.
Emilio Escobar [00:29:41]:
Yeah, well, this goes back to the comment I made about us creating our own pain and why I think there’s so many unfilled roles, because we do. I do see that a few other examples is an entry level position for a security program that requires a CISSP certification where you can’t get a CISSP unless you have already five years of experience. That’s not entry level in our opinion. That’s why we don’t require any certifications. You have them, great, but that’s not what’s going to get you hired for us is at least for, for, for the teams that I’ve built. And how I think about it is what can you do? Can you actually do what we need you to do? And then we have mechanisms to pull those signals out. We don’t necessarily care. Like being technical enough just based on a resume is not, I don’t think it’s a good way of looking at it.
Emilio Escobar [00:30:32]:
And second, not every role in a security program needs to be a hardcore technical person. So there’s a need for everything in security. Think awareness and education for somebody who really specializes in that and is really motivated and is really good at it, can communicate well, can talk to a group of hundreds of people and teach them new things and get them to think about security differently. Do I want to go hire somebody who wrote the kernel for Linux? No, probably not. Right? Like when people get caught up and you’re not technical enough, it’s usually because they can’t think outside of the box of, of what I need. But there’s also a counter argument to that or another side of the coin where maybe you’re not used to hiring technical people, but you now are. And I see this in some of the conversations that I have with other, other CISOs where they only have, say, security engineers, whatever definition of that is for them. And now they’re like, oh, well, now we have to build a bunch of stuff.
Emilio Escobar [00:31:29]:
And I need a software person. And they don’t just, they just don’t know how to go about it. And I’m like, why, why can’t you just hire software engineers? And it’s sort of like they just don’t think about it. Right? And if you work for a company that builds software, why can’t you just attach yourself to that pipeline and hire software engineers that meet the bar for the software engineer for the company? Except the problem you’re throwing them at to focus on is security. Why can’t you do that? So it’s, it goes both ways. Where I see the toxicity of you’re not technical enough, but I also see the self-inflicted limitations of I only hire security people. What do I call somebody or how do I hire somebody who’s going to be writing software? And I’m pretty sure your company has that already. Go, go use that.
Emilio Escobar [00:32:14]:
So yeah, it goes both ways. Am I going to see more of that or not? I hope I see less. I hope and I make sure that whenever I go to a company and I run the teams is like those teams think about it differently. And not just a, we don’t write job descriptions where there’s a list of like a hundred thousand things that people need to have and nor do I expect our candidates to meet every single bullet point on their resume. And we make sure language is neutral. Right. Like all those things, because I want everyone to apply and then let us actually then filter out the candidates for the attributes specifically that we’re looking for the role or their problems that they’re going to be solving for. Rather than let me make sure somebody’s resume looks pristine enough before they even talk to us so that we do that to ourselves.
Emilio Escobar [00:32:58]:
So I’m hoping we see less of that. It’s kind of hard to say. Every CISO that I talk to, that you talk to, will probably say they don’t have enough people. So it is a really hard pedestal to stay on and say I don’t have enough people. But yet I require only the best of the best of the most technical people to go work for my team. Those roles have a time and space.
Karissa Breen [00:33:17]:
So Emilio, if you had to sort of boil it down to key ingredients or key attributes of like a modern CISO, given everything that we’ve spoken about today, we’ve sort of covered a lot of ground. Is there anything that you probably think this is something that we’re. You, you definitely need to have moving forward to be able to, to say, hey, I’m a, I’m a modern CISO now. This is what we’re going to be. This is a key thing or key ingredient you sort of need to have.
Emilio Escobar [00:33:38]:
So industry aside, right? Because every industry, like I said, will have some specific things of what a modern CISO for that industry will look like. But I think some attributes in general that is, we have to, we, we have to let go of, of that. Thinking of what’s worked for us in the last 10 years or albeit what hasn’t worked for me in the last 10 years is the thing that I’m going to keep trying to do and being open to try new things. Being open to fail. We learn so much from failure and yet I see so many CISOs who are afraid to fail because they’re worried about but what if we get breached from a failure? And my answer to that is you’re going to get breached no matter what. Might as well try something and keep trying. And as long as like I don’t say failure and just let the failure run is, is learn how to fail and how to pivot quickly from it. Those are attributes that I think everyone this modern version of a role needs to have is instead of I’ve been following this playbook for how to make a how to build ISO compliance security programs is no, let me actually go into an organization and figure out what their organization needs that also happens to meet ISO compliance.
Emilio Escobar [00:34:48]:
Right. It’s looking at the problem a little bit differently, but the outcome is the same. I think that open mindedness and not being afraid to fail and try is something that I don’t see a lot in this role and I think the modern version of the role is to have.
Karissa Breen [00:35:03]:
And Emilio, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?
Emilio Escobar [00:35:09]:
For anyone listening to this or is listening to this. And we just talked about the difficulty sort of the redefinition of the role and how like the role isn’t necessarily for everyone is still a great role if you’re really motivated by building people but also trusting people because a CISO has to trust their team more so than not. One thing that I see a lot is in the space that I’m in, I talk to a lot of engineering leaders and we’re a very engineering company and that means we have a very bottoms up model of trust. I don’t tell my team where I think we need to be in five years because first, I don’t know what five years from now is going to look like. And second, I realize that I’m not close enough to the fire to know what is actually, what is the thing that’s hot. Right. That needs to be addressed. So I trust the teams to come to me and say for the next quarter, the next few quarters, these are the things that we’re going to.
Emilio Escobar [00:36:02]:
We’re going to be prioritizing and I can ask questions and what I can’t really. I recognize that I’m at the point where I can’t really adjudicate whether that’s the right thing or not. Unless it’s like something very obvious. Right. Or unless there’s like a new business direction that the team wasn’t aware of. But I see that more in the engineering world and I see in security. I see a lot in security still. The CISO dictating what their next 3 year or 5 year strategy is going to be.
Emilio Escobar [00:36:26]:
Some of them are like hard set on that strategy and they don’t pivot. It doesn’t matter how much the threat landscape changes. Not that you should be changing your priorities every day, but things do change quite often. So I think for anyone who’s really interested and motivated by building people, but building a group of people that you can trust, that they’re going to be doing the things that you’re going to be sticking your neck out for them. Right? Because what I told my team is I take the failures, they take the wins. I put them in that position. So if anything fails, that’s on me, that’s not on them. They were doing what they were asked to do or allowed to do, then I think this role is going to be great.
Emilio Escobar [00:37:04]:
It’s evolving, it’s changing. Is it peaches and cream every day? No. But no role is. And if you’re motivated in solving puzzles and trying to figure out how do you get a company behind a program and find good peers and good partners, then this is a great role. So that’s my parting thought because I don’t want people to think that. I think the role is horrible and I don’t want people to go for it. It is a very rewarding role. But like I said, I think the reward comes in different ways.
Emilio Escobar [00:37:30]:
So it’s totally okay if this is not what you’re about and you feel more rewarded doing something else, like within security. And that’s totally fine. I have great leaders under me and I wouldn’t be here or be successful if it wasn’t for them. So there’s a time and space for being a great leader in security and not necessarily being the CISO. But if that’s what you want, then go for it. It’s a great world.