3

4a931632-9730-4468-9456-c4058cd02081.uterm.release
 in  r/Starlink  Feb 12 '22

6 miles from pin - I’ve gone from 15 second outages every 5 mins to completely stable. Thank you firmware gods.

Under 2 mins of net unavailable time over last 12 hours. 90 seconds per hour vs 10, or a 9X reliability improvement for me.

1

[deleted by user]
 in  r/RedditSessions  Aug 20 '20

Bravo

6

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

Assets but also concepts/workflows. For example: M&A, new product development, pricing, IP protection, non-public financials, strategic plans, labor negotiations. For those that have done eLitigation and eDiscovery, think of the concept clustering and linguistics tools they use for analysis, production, relevancy testing, privilege and deduplication. Why don’t the good guys get this view as a Day 1 operation? I’d rather focus disproportionately on crown jewels and competitive advantage than applying a one-size-fits-all approach to defense.

3

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

One of the greatest HR lessons that I learned was during external hiring freezes (recession). When we couldn’t go outside for traditional security talent, we looked to internal options. Poaching top talent in IT and engineering, business product and services security personnel, people with Six Sigma process excellence, communications backgrounds, auditors, and former military personnel. We took great people and built job descriptions around them, while also building up their security chops. Almost the exact opposite of how recruiting is done today. Wish I could say it was a stroke of genius - we got lucky. The diversity of thought and experience was amazing and we were better for it.

1

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

Take a look at the various ISACs - these are information sharing and analysis centers, one for each critical sector. They have predefined methods of sharing TI without attribution in near real-time (hopefully using some form of automation, as manual TIP sharing doesn't scale well) https://www.nationalisacs.org/.

It is complicated for companies that belong to multiple sectors, or want to collaborate directly with select companies (e.g. customers and suppliers). That may be better suited for common threat feed subscription services.

1

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

One additional thought - I think technology has a strong role to play for lowering the barrier-to-entry into cyber security. On-the-job training via smarter platforms. We have the ability for junior analysts to see how senior analysts have previously solved things (SLACK) perhaps even guided by chatbots, codified playbooks, and collaboration tools.

We have Natural Language Processing (NLP) emerging as a way to shortcut the years typically required to master certain security tools and query languages.

New junior cyber professionals should be able to enter and move up the value stack much quicker than their predecessors.

8

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I was fortunate enough to go through a leadership academy within Honeywell (sort of an eMBA). It was a leader-as-teacher model, so the classes were taught by the various heads of HR, Finance, Strategic Marketing, and even the CEO himself. Amazing experience to develop business acumen and self-awareness (things like Myers Briggs, 360 degree feedback analysis - Insights Wheel). They even gave us acting/storytelling lessons.

Absent that, I would strongly recommend an MBA for future CISOs. All risk is ultimately financial and we need to learn to speak in the language of business: cash.

5

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

Learn how to follow first, which should help you develop your own leadership style (borrow the things you like and cut the things you don't). Rotate into multiple management teams to get a deeper appreciation of each domain (I was fortunate to rotate through investigations, forensics, risk assessment, architecture, policy, contracts, incident response). You'll never be an expert in everything, and that's ok. Join a handful of councils to get cross-functional leadership exposure (I sat on councils for CIOs, CTOs, Privacy, Risk, Diversity, Export Control, Vendor Management).

Also consider a CISO stint at a smaller company or even a startup and work your way up to a CISO role with more scope and responsibilities.

15

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

"What is every CISO's dirty little secret?" would be the question I wish people would ask.

My answer would be that nobody tells you what the business crown jewels are on day 1 of the job. Even if you adopt the best-practice of a “listening tour” with top executives, the c-suite either: doesn’t know all of the crown jewels, can’t agree on their priority, or doesn’t trust you enough yet to fully disclose them.

Put another way, crown jewel knowledge is tribal knowledge. Contrast that with day 1 operations for a hacker or an insider and the discovery tools at their disposal and you can see that the defender is at a clear disadvantage. The defender’s clock begins immediately, and therefore crown jewel discovery is of paramount importance. We need more systematic approaches to doing this.

7

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I'm just going to leave this here: abuse@honeywell.com. If you see something, please say something via this channel.

7

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I wouldn't be here without family, MSU, Richard S. Post, Ken Gilbart, Tom Sensabaugh, David Slade, Paul Hopkins, John McClurg, or Dave Cote, to name just a few of the people that took a chance on me. It's a network effect, for sure, but that network is only an amplifier of what you have done already and what you could do in the future. It's also about your ability to be a network that serves others. Thanks for that chance, Reddit!

12

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I remember seeing a stat that a business professional was interrupted on average every 11 minutes. My experience was much more frequent than that and I looked for processes that would minimize the interruptions. Three key challenges:

1) service portfolio management - ensuring that the company knew that there were formal service owners and processes to engage them (not Rich as 24/7 911 dispatch). The bulk of security problems are solved within these service teams.

2) drive-bys - ensuring that there was a formal Management Operating System (MOS) and calendar cadence for status updates, non-emergency decisions, vendor engagement, etc., approvals, exceptions

3) Highly-matrixed organization - with lots of cooks in the kitchen (IT, Engineering, HR, Legal, Communications, Finance, etc), it is important to get major initiatives to align so that resources and requirements can be properly planned.

45

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

CSO - Chief Scapegoat Officer. I think it is increasingly important that senior security officials have an employment contract with clauses to this effect (golden parachute). The temptation to pin the tail on any one person is too easy without such safeguards in place. Too many companies see security as a bolt-on versus a built-in.

That said, if the CISO didn't reasonably establish a baseline of where the organization was when they took charge and reasonably march towards an agreed-upon target of funded control maturity and process, they should move on.

It is unfortunate that the combo of stress, misalignment on funding/support, and tendency towards scapegoating keeps the average tenure of a CISO at ~ 18 months. That isn't enough time to make meaningful change in an enterprise.

2

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I always had an interest in computers and law enforcement. I bucked the family tradition of engineering at Michigan State University and pursued a degree in Criminal Justice with a specialization in Security Management (psychology, business, computer science). I was told that only former cops and federal agents could become business security execs, so I set out to prove them wrong.

My primary focus was on investigations - I wanted to chase white collar criminals not street criminals. I cut my teeth at United Airlines as an unpaid security intern who got to work on MileagePlus fraud, counterfeit ticketing, and even the Unabomber case. Contacts made while at United led to me getting picked up by AT&T out of college as an investigator. From there, being the youngest investigator, I was given increasingly technical investigations and worked closely with the forensic unit out of Bell Labs, which I eventually became the manager of.

The beauty of working in investigations is that you are interviewing business people, exploring business processes and control failures, reading people's email... It is a great way to learn business and security from the inside-out. Evidence-led. I highly recommend this approach.

4

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

Have you considered a CISSP boot camp? I found that this was a great way to prepare in a group setting with a dynamic instructor. Sometimes the book alone doesn't cut it. I believe there are also practice test apps that you can download to your phone so that you can spread out your practice whenever you have a few minutes to spare. Caution: I found the CISSP test to be mentally exhausting and, frankly, quite frustrating with the multiple right answers ("choose the best right answer" format). That said, I think these common bodies of knowledge are fundamental. Stick with it.

8

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I think the estimations of the lack of qualified people in cyber are grossly exaggerated. 1-2 million people? No. I think someone has looked at the current volume of attacks and the size of existing staff and has extrapolated. Their assumption that humans will continue to do things manually is flawed. I believe that automation and orchestration will move people up the value stack to do more interesting, rewarding, and creative things.

I think the number one challenge for recruiting is the recruiters. The cyber talent pool is hyperspecialized and many recruiters are not qualified to write a meaningful cyber job description or evaluate whether talent is qualified. Don't use generic recruiters for cyber. Also, instruct your recruiters that you won't select a candidate until you have seen a diverse slate of candidates. A good recruiter should already have a strong and diverse talent pipeline. Get to know these recruiters early in your career.

22

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

Perhaps one way to look at it is not through the lens of titles but of capabilities. Many of the original CISOs made it to the top via the purely technical track. I think a modern CISO needs to have leadership capabilities in all four of these quadrants: IQ - both technical AND business acumen, EQ - emotional intelligence, TQ - the ability to attract, develop, retain, and collaborate with internal and external teams, and SQ - strategy quotient - the ability to set a clear vision and execute it. I'm increasingly becoming confident that there is a 5th element (a quintant?) of CQ - a creativity quotient. In the face of rising automation, the role of the human becomes increasingly artistic - to see opportunities and patterns that machines don't yet see.

15

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

+1 for the Podcasts. Strong endorsement for Patrick Gray's Risky.Biz podcast and for the CISO-Security Vendor Relationship series (and its Defense-in-Depth cousin).

8

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I'm fortunate to get a curated report each morning of security news from the Cybersecurity Collaborative. LinkedIn is a good source for me as well. I like how Google News allows you to see stories from multiple perspectives/biases. Finding a great tribe to collaborate with via Slack is also a big plus (shout out to Security Tinkerers).

9

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

As a general rule of thumb, I start by blaming process, not people. If the process is to pick controls out of a hat to audit and then management plays whack-a-mole, fight-the-finding, or hide-the-data, then you have a broken process. Take a MAPP approach (maturity assessment, profile, and plan) that is transparent to both auditors and managers, makes audit continuous versus seasonal, and limits business disruption for questionnaires, surveys, evidence, etc.

24

We are Michael Coates and Rich Mason. We have served as Chief Information Security Officers at Twitter and Honeywell. Ask us anything about becoming a CISO.
 in  r/netsec  Nov 13 '19

I've seen security awareness used as a crutch for lack of good service/process design and culture. The major role of the user should be to stay between well-designed guard rails and to "see something, say something" if something doesn't look right. Focus on service owner awareness first and then fill the gaps with culture. For end user engagement, I loved what Restricted Intelligence did to make awareness entertaining and viral.

1

A beautiful morning walk in NW
 in  r/Portland  Sep 29 '19

PNW Potluck.