Hackfest 2024 - 16-bit Edition

From Hacker to CISO: Navigating the First 90 Days
10-12, 13:30–14:20 (America/New_York), Track 1 (206b)
Language: English

A question recently posed on X prompted an unexpected number of responses. The question simply asked what 5 things you would do if you started a new role as a systems administrator. Responses were all over the map. Unfortunately, the overall tone of many responses from the hacker community, although well-intended, was confrontational, condescending and unlikely to lead to promotion into roles with more leadership responsibility. That’s a shame, as that wealth of knowledge could provide great value in these leadership roles. This talk examines the disconnect between the “hacker mindset” and the “business leadership” mindset and provides those wanting to move into leadership roles with actionable steps that will lead to success.


Intro:

The hacker community is a thriving group of intelligent folks who have a knack for finding the unexpected and solving problems that others overlook. The hacking skill set has great value, and those possessing it often aspire to leadership roles. As people move into roles with higher responsibility, they often encounter unexpected roadblocks that impede their advancement. Many of those roadblocks stem from a lack of adequate leadership or business experience, which can result in a clash of mindsets.
A recent X post demonstrates that quite clearly. The question: What are the first 3-5 things you’re doing to get comfortable with the team? The context: Starting a new role as ____. The responses fell into two main categories: those who understood what needed to be done to assimilate into a team and become a contributor, and those who came in guns a-blazing, determined to tell everyone how wrong things are in their current state and ranting about a list of technical controls that needed deploying.
This talk will examine these conflicting mindsets while providing clear steps that anyone with a technical background moving into a leadership role can implement. The focus will be on moving into a CISO role, but the basic concepts apply to a variety of leadership roles.

The Problem:

Hackers rarely understand business goals and business leaders rarely understand hackers.
This conundrum continues to create a great divide between technically savvy security practitioners and technically challenged business leaders. Many in the hacker community mean well but are not good at communicating in a language that business leaders understand. This creates frustration and leads to the “everything’s a dumpster fire” mentality. Many in the hacker community see security as absolute: your business is either secure or it’s not. Business leaders don’t see security through the same lens. Deploying technical controls where risk doesn’t need reducing doesn’t fly in the business world. Moving into a leadership role from a more technical role requires a change in mindset, one that tempers the “secure all the things” mentality with the understanding that every business operates at some level of risk, and that more risk often leads to more reward.

So You Want to Be a CISO?:

You’ve set your sights on moving up the leadership chain. You want to be the one who runs the security and compliance program within your organization (or another organization). Finally, the opportunity arises, and you are offered the role! Now what?

Can you handle the role? Will you succeed? Can you learn what it takes to be a business leader while handling the responsibilities of your new role?
Success isn’t guaranteed. Mistakes are inevitable, but in the end, anyone who is willing to check their attitude, plan appropriately, learn from those around them and communicate in a manner that moves the business forward can and will succeed.

Plan for Success:

We will work through a first 90-day plan that provides anyone with the steps needed to deliver value in the new role while also building consensus and developing a long-term strategy that reduces corporate risk to a level that adequately protects employees, employee PII, corporate data, and customer data.
The plan is broken up into 30-day chunks and covers the following areas:
1. Organizational overview
2. Building relationships
3. Current security posture
4. Governance & structure
5. Risk assessment
6. Quick wins
7. Developing or enhancing long-term security strategy
8. Building security culture
9. Reporting and accountability
10. Automation
11. Continuous improvement
The talk will integrate stories highlighting past experiences, the lessons learned and things that could have been done differently. Where possible, I’ll pose questions and gather audience input to enhance engagement.

Takeaway:

People attending this talk will hear firsthand how I used this process in my journey as I developed a security program in several organizations after moving from a highly technical role. Attendees will leave with a clear understanding of steps they need to take in their journey into security leadership and be better prepared to succeed in those roles.


Are you releasing a tool? – no

Director of Information Security at Graylog, Inc., responsible for the teams providing IT Services, Security and Compliance. Holds CISSP and CISM certifications. Well-versed in ethical hacking and pentesting with more than 25 years of experience.

Presented at NolaCon, ITEN WIRED, BSides Las Vegas, BSides Atlanta, BSides San Francisco, CircleCityCon, DEF CON, DerbyCon, CypherCon, HackerHalted, Blue Team Village, Blue Team Con, Graylog GO, BSides Charm, RSA, HouSecCon, and smaller conferences.