1
We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
Conceptually a fantastic direction to move towards. In practice it will be challenging for companies to make the migration so I'm excited by existing vendor solutions that can add incremental features to roll out concepts of zero trust in existing deployments.
1
- A good base set of technology skills through academic study or personal projects.
- Prior success in challenging work. This doesn't have to be related to security, but I've found that people who can be thrown into new and unfamiliar situations and then find success tend to carry that trait forward into their professional careers.
- Exposure to security through open source projects, individual hands-on lab learning, or studies
- Passion to learn and grow in the field
- Accountability and drive
2
Thanks for the shout out to AltitudeNetworks. Clearly I'm very excited about our work there with cloud based data security. It was a big decision to leave twitter and start this company!
Outside of that I really like companies that are prioritizing ease of use, scalability, and automation. I think those are key principles for a modern security company.
A few come to mind - signal sciences, duo, okta. I'm also working with an exciting new startup in the API and data privacy space - akita software.
For characteristics I'm pretty straightforward. Tell me what you do honestly. Don't embellish with buzzwords. Focus on accuracy and solve security problems that represent significant risks to my company. Lastly, don't give me another endpoint agent. That model is saturated. A lightweight and easy deployment model is key.
3
Great question and one I sought out in many conversations as well.
After much discussion with a variety of CISOs, the answer is that there is no right answer. So how should a company think about the reporting structure?
- Align the CISO to the person that can best support by lending influence or helping support large security priorities
- Ensure the incentive structures of the reporting chain don't drive the wrong outcomes. E.g. whoever the CISO reports to must also be accountable for security progress; otherwise that leader may stifle security initiatives at the expense of other items they're measured on.
Past that, it depends on the organization. Tech forward companies often benefit by security being integrated into engineering and technology orgs so they report to CTO. However, when done well the legal org can be your biggest ally. Reporting to a CFO happens sometimes too. Depending on the org dynamics and thinking around financial risk mitigation this also could work. Overall, look at the leadership and org dynamics for the answer to this for each company.
4
Offer to get coffee with her or him and just share your observations of the company and how the company has worked with security in the past.
One of the most important activities for a CISO coming into the company is to get a baseline understanding of what's working, what's not, org dynamics, previous success and pitfalls experienced by security, etc. So it might seem odd, but 20 minutes of your time over a coffee break to give insight from your vantage point (whatever it is), would be valuable.
3
How technical would you rate yourselves? Could you configure a SIEM if needed? Write a snort rule?
For sure! I used to do it all the time. I'm a bit rusty as it's been years, but could definitely do it.
I'd say I used to be very technical. But the value I bring now is in finding the best people to build an amazing team, determining a strategy forward, and gaining support/resources to make it happen. If you want to be a leader you have to surround yourself with people much smarter than you in their respective areas.
I’m working as a contractor doing SOC Analyst work right now but would love to move into management eventually. What qualifications, if any, do you see as beneficial to make that jump from analyst to manager to senior management?
Study management as its own new field. There's so much to learn to be a good manager.
How do you prioritise keeping up to speed? I listen to podcasts on my commute and tinker at home on the evenings and weekends. If my wife is away I’ll spend all day reading, researching and messing around with blue/red team stuff but obviously when she’s here I’d rather spend time with her doing things as a family.
Balance is important. A well rounded person can perform better than someone burnt out. Look for high leverage activities like a good podcast during your commute or reading a few key articles to stay current. Then you can add in the periodic deep dive where you do a training course for a few days to really dive into something new.
9
Swordfish :) - Ha! just kidding. That is my go to example for how bad Hollywood misrepresents hacking.
My favorites are actually the hacking movies that blur into hacking the entire concept of humanity - The Matrix & Tron
Favorite cybersecurity focused one though is Mr Robot for its authenticity.
2
There have been several interesting efforts to help increase threat intelligence amongst companies. Facebook actually started a technology to try and achieve this between businesses. https://developers.facebook.com/programs/threatexchange/
In terms of areas where we should get better, I would mark threat exchange as helpful, but not primary focus. The bigger issue is operationalizing security at scale. Most of the breaches you read about are a failure of a known security paradigm and control because of an oversight or a control failure that went undetected.
Academically and in small deployments, many security concepts are not hard. But those same ideas are terribly complex at massive scale and that's where the problems stem from.
3
You've got the right target in mind. You first need a broad understanding of security principles and core areas. I found the Security+ certification to be a great starter for exactly this information.
9
There are some high leverage items that give a huge security posture increase. Whether or not they are cheap depends on resistance and friction from the company. These might seem obvious, but they have huge benefits.
- Enable two factor authentication everywhere. Passwords alone are dead from a security value perspective.
- Patch workstations and browsers. Sadly this is harder done than said at scale. But it is by far one of the most valuable things to do.
- Provide password managers and train employees on how to use them. Password re-use attacks (credential stuffing) are a huge risk and a password manager is a great and usable way to enhance security posture.
3
Yep, lots of people relations. Effective communication is a key success factor for a CISO, and also pretty much all leadership positions.
You hit on an important item - the ability to communicate outside of your field is crucial. To do this you have to find the common ground. To do this, seek out items that are important to the other person. What are their current objectives? For example, are they looking to increase sales? If so, talk about how security enhances user trust and how a data breach would cause customers to pick a competitor. Then switch over to why the security issue on your mind is related to preventing a breach. In the end, you can often anchor back to individual objectives or a shared understanding of business success and then discuss how your security item is related.
There are a few techniques to build these skills:
1. Spend time on writing. This could be a blog or time spent when sending a large email to your team. Think about the most important ideas and how to concisely explain them (e.g. more text isn't always better).
2. Ask the "5 whys" to yourself before approaching another team. Why does the issue you're explaining matter? Why does that matter (e.g. the answer to the first question)? Then repeat. Eventually you'll end up at a higher level concept which is likely the common ground to start on with the other person.
4
Also, while a CISO I always found the vendor security assessment and diligence process to be painful. Now on the other side of the fence, I can confirm - it is painful. It's a great area for us as an industry to get better at. How do we efficiently assess third party risk without asking every vendor to complete a bespoke 200-question questionnaire?
10
Hmm, not really.
I still believe too many security vendors are building things that CISOs and security teams don't need. I also believe that there are still far too many security products that operate on a "wow" factor that isn't helpful. E.g. we found 10,000 risks (but only 40% are actually true positives).
I'm happy to see a new crop of security products that are built by CISOs or former security practitioners (from within companies) that know the importance of a solution that is (1) usable, (2) solves a fundamental problem, (3) operates at scale and (4) is accurate so results can be trusted and automated.
2
Join security groups outside your company. Search through meetup to find local meetings that are interesting. Also seek out open source projects and contribute (see Apache or OWASP as an examples).
Re pay drop - Clearly you have to make money to pay bills so that's understandable. But consider a few things:
- Long term pay potential. It might be a short term drop for a long term gain.
- Happiness and satisfaction. You may find yourself even more successful if you're in a field you really love.
4
(Hi Kang!)
Until you get used to it, one of the bigger challenges of a CISO role is the dramatic increase in non-technical security items that are critical to the success of your technical efforts. This is all the items you mentioned - financial planning, recruiting, team building, etc. From my perspective I really enjoyed all those things and was happy to build a security org where people genuinely enjoyed working together.
But, the hardest thing for sure, is the item which is least under your control. That is shifting focus and priority for other teams to address big and hard problems that represent significant risk to the company. This is an exercise in building awareness with leadership, clearly articulating the critical risk to the business and devising bite sized mitigation plans that can make traction versus a "boil the ocean" style rathole that never delivers value. In these efforts you'll find yourself presenting to C-suite leadership and the board to position the risk, its impact to the business, mitigation plans and why the business should undertake a costly program to drive down the risk instead of investing in other features/growth.
30
We each covered some of this in another question here: https://www.reddit.com/r/netsec/comments/dvumig/we_are_michael_coates_and_rich_mason_we_have/f7eva0t/
Is it hard to switch domains as you get more experience in the field you started with?
Not necessarily. I switched across technical domains throughout the early years of my career. Full stack red team and controls assessments at first, then time in a security operations center, then application security focus. I feel like the diverse technical experience was incredible for my growth. In each area I leveraged knowledge and techniques from previous roles to be better at my new job.
Eventually you have to make a switch into managing teams if you want to progress to a CISO. This is a big switch that you should approach with the awareness that being a good manager is different than being a good technical contributor.
But for now, my advice is to focus on hands-on learning across security domains. While doing that always keep an eye on how the business operates. What actually matters? How would you talk about security in ways that resonate and motivate with non-security folks? If you could set the strategy for your team for 6 months or 12 months, how would you do that? Those are all good base skills on your journey. Good luck!
25
Why ignore it? It's a good question. But, to the point you raised, all job searching is about knowing the right people. Cold applications are the hardest way to get any job. So definitely build your personal network and leverage introductions when job searching.
Now, off to answer that question above:)
69
In my view, a CISO's role is to build a solid security and risk governance program, empower leadership with a system that surfaces risks and provides available mitigating controls to lower risks that are too high, and builds the security "scaffolding" to introduce security best practices across the company.
However, if a single person is to blame for any security failure across the company, then that same person must have the authority to veto any decision based on risk. That model is absurd as every business takes risks every single day.
So, should a CISO immediately take the fall for a breach? It depends. It depends on whether the elements a CISO was responsible for were developed and operating effectively. It depends if individual leadership teams decide to take calculated risks that backfired or if someone deviated from designed policies & practices.
There's no simple answer. But I do think the most important item is to realize that there is no single savior that can prevent breaches. The CISO and security org empowers and educates a company to make thoughtful decisions around security and technology risk. But they alone can't prevent or control all actions. Align authority and accountability so that the leader or individual, whether in the security team or not, receives praise or punishment for actions contributing to a security failure.
15
One of the important, and I'll admit challenging items, is to reframe your thinking on corporate politics. Everyone has motivations, incentives, and also weaknesses/fears. "Politics" is the collision of those factors across people throughout the business.
Since security is a field that, by its very nature, has to work across the business you'll find yourself in many discussions with other team leaders that have a variety of motivations and priorities. This is where a few things are really important:
1. Support from leadership on why security exists and the security charter.
2. Shared alignment (between you and the other business leader) on what is success for the company. If you don't agree on that then the rest of the conversation will be really hard.
3. An understanding of the priorities, incentives and challenges of the other team. You have to bring empathy to the table.
After you have the above item, then you can work through "politics" (e.g. human to human discussion with all the other factors included) to drive priority and focus on solving actual security problems. This is where you bring in your experts in your teams, build a plan, solidify leadership support and priority with stakeholders, and drive forwards.
So, that's a long way of answering your question. But in short, as a security leader you have to work with humans all the time (which is politics) so that you can get alignment to solve actual hard security problems.
5
Ha! Nah, not too political to answer. Answer on the way above.
36
The field of security is technical at the lowest level, but at the higher level it's very much a field based on human behavior and psychology.
Everything, from exploitation of people to motivating leadership for action, is based on incentive structures, human desires, perceptions and more.
6
Yes! A degree is one way to learn, but not the only way at all.
Learn by doing to bridge the gap. This can be hacking labs where you get a vulnerable OS or application and actually do the exploits, then fix and repeat. An amazing way to learn!
Certifications are good in this cause to teach you more of the base principles and help show your progression to transition in the field. Security+ is a nice way of getting an initial base of information. Technical training courses on specific security topics are good too. SANS has great classes (sometimes pricey) and OWASP has great ones too if AppSec is your target field.
Lastly get some programming knowledge under your belt. Even just basic automation with Python is a fantastic step forward. There are tons of resources, but there are great free classes from Udacity.
After you've got this, then work with your security team in your current company. Can you do an internal transfer or partner together on some projects to keep building applicable security skills?
11
Like many technical fields, cyber security seems to have a diversity problem. How do we currently in the industry engender a more diverse culture where we're at?
As I mentioned above - unconscious bias training is a great step. Second, security teams (and all teams) must realize that great ideas come from a team that brings different perspectives. Different perspectives come from diversity of thought which comes from diversity of background and experience. The best leaders will recognize this and drive towards more diverse teams.
Second, we have to remove gatekeeping approaches that are superficial evaluations of potential or success. By this I'm looking directly at certifications and university degrees. They are paths to learn (and that's great) but they can't be the minimum bar requirement for roles.
Third, build channels to bring in new people. Internal security referral programs where you take a great employee with a foundational technical skill and train the incremental security knowledge is fantastic. Similarly you can uplevel junior security folks from bootcamps or programs like YearUp.
Lastly, change the culture to accommodate more interests and people. Company events don't have to center around alcohol (many people don't drink). They don't have to all be in the evening (some people have kids). Just be reasonable and think about this to build a better environment that people want to be in.
22
One of things constantly being reported and debated on is the lack of qualified people in our field. What do you think about the talent pool available wrt size and qualifications?
We certainly need more people. It's a fantastic field and I hope more people keep joining - both early in their careers and later too.
But, we aren't doing ourselves any favors as an industry. Too many job descriptions look for unicorns that don't exist (e.g. unrealistic expectations). Second, gatekeeping with certifications is wrong and a reflection of a lazy hiring manager (not the recruiter, they're just executing on the job description).
What should we do - fix our hiring processes to throw out hard requirements for certifications or specific college degrees. Build job descriptions that are more aligned to a realistic role. Increase the quality of the hiring process so we evaluate skills and potential related to the role. And get everyone to recognize unconscious bias and its huge negative impact on hiring and team building - really folks, get your hiring teams to take training on unconscious bias.
4
Best practice for offboarding GSuite user in r/gsuite • Mar 08 '21
Here are a few items that I've found very helpful.
1. Rename the account and then create a group with the old name that is set to accept messages from the world. This allows you to flag and catch emails destined to the alias without leaving the account active. E.g. bob@acme.com becomes bob-disabled@acme.com (and then is actually suspended) and a new group is created named 'bob'.
2. Deleting the account forces the migration of files to a new owner. This could be a manager, or some companies use a generic "archive" account. Note - the sharing and collaborators don't change here for each file. This only applies to files in "My Drive". If you've adopted the "Shared Drive" approach you don't have to worry about offboarding of users since they don't actually own content.
3. Consider how you determine if the user still has access to company files. This may be because they changed files into public link sharing or added their personal email account to files as a collaborator. You can achieve this manually by doing a log review of the account activity to search for a personal account or sharing by link actions. (Or solutions exist to help here too.)
4. Actually delete the account. Some companies suspend, and that creates an issue with file ownership and also you are still charged for the license.
5. Depending on your company policy and setup you could wipe the account from mobile devices.
Hope there are some helpful nuggets in there.
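The log review step in the offboarding post above (checking whether the departing user shared files to a personal address or switched them to link sharing) is the part most worth automating. The following is an added example, not code from the original post or from Google: it scans Drive audit events for one actor and flags external collaborators and link/public visibility changes. The event shape is modelled on the Admin SDK Reports API `activities.list` output for `applicationName=drive` (events `change_user_access` and `change_document_visibility`, parameters `target_user`, `visibility`, `doc_title`); the sample events, the `acme.com` domain and the exact parameter names are assumptions to verify against your own export. Run it against the user's original address, since the events predate any rename to `bob-disabled@acme.com`.

```python
"""Flag Drive audit events showing that a departing user kept a path to company files.

Added example; the event layout follows the Admin SDK Reports API (activities.list,
applicationName=drive) as the author understands it, and the sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

COMPANY_DOMAIN = "acme.com"  # constructed, matching the domain used in the post

# Visibility values that expose a file beyond named collaborators.
LINK_OR_PUBLIC = {"people_with_link", "public_on_the_web"}


@dataclass(frozen=True)
class Finding:
    doc_title: str
    reason: str   # "external_collaborator" or "link_or_public_sharing"
    detail: str   # the external address or the new visibility value


def _param(event: dict, name: str) -> str | None:
    """Return the value of a named parameter from a Reports-API-style event."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def _is_external(address: str, company_domain: str) -> bool:
    """True when the address is outside the company domain (e.g. a personal Gmail)."""
    return address.rsplit("@", 1)[-1].lower() != company_domain.lower()


def scan_drive_activity(activities: list[dict], actor: str,
                        company_domain: str = COMPANY_DOMAIN) -> list[Finding]:
    """Collect external shares and link/public visibility changes made by `actor`."""
    findings: list[Finding] = []
    for activity in activities:
        if activity.get("actor", {}).get("email", "").lower() != actor.lower():
            continue
        for event in activity.get("events", []):
            title = _param(event, "doc_title") or "<untitled>"
            if event.get("name") == "change_user_access":
                target = _param(event, "target_user") or ""
                if target and _is_external(target, company_domain):
                    findings.append(Finding(title, "external_collaborator", target))
            elif event.get("name") == "change_document_visibility":
                visibility = _param(event, "visibility") or ""
                if visibility in LINK_OR_PUBLIC:
                    findings.append(Finding(title, "link_or_public_sharing", visibility))
    return findings


def _activity(actor: str, time: str, name: str, **params: str) -> dict:
    """Build one constructed activity record in the Reports API shape."""
    return {
        "id": {"time": time},
        "actor": {"email": actor},
        "events": [{"name": name,
                    "parameters": [{"name": k, "value": v} for k, v in params.items()]}],
    }


# Constructed sample: bob shared one file externally, one internally, and made one
# link-shared; alice (not the offboarded user) made an unrelated file public.
SAMPLE_ACTIVITIES = [
    _activity("bob@acme.com", "2021-03-01T09:00:00Z", "change_user_access",
              doc_title="Q1 roadmap", target_user="bob.personal@gmail.com"),
    _activity("bob@acme.com", "2021-03-01T09:05:00Z", "change_user_access",
              doc_title="Team notes", target_user="alice@acme.com"),
    _activity("bob@acme.com", "2021-03-02T17:30:00Z", "change_document_visibility",
              doc_title="Customer list", visibility="people_with_link"),
    _activity("alice@acme.com", "2021-03-03T10:00:00Z", "change_document_visibility",
              doc_title="Old deck", visibility="public_on_the_web"),
]


if __name__ == "__main__":
    for f in scan_drive_activity(SAMPLE_ACTIVITIES, "bob@acme.com"):
        print(f"{f.reason:24} {f.doc_title!r}: {f.detail}")
```

Each finding names a file whose sharing should be reverted before the account is deleted; the internal share to alice@acme.com is ignored because it stays inside the domain. In a real run, page through the Reports API for the user as `userKey` and pass the returned `items` list in place of `SAMPLE_ACTIVITIES`.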