Transcript for:
Insights Into the CISO Role

What is your role? What is your job? And I know this sounds crazy: "Oh Eric, I'm a cyber security professional, I'm a CISO." But no, what is really your job? Because what we always joke when we talk about business is there's your job title, there is what you think you do, and it's what you really do.

Welcome to Life of a CISO. I'm Dr. Eric Cole, your host, and we'll be taking you on a journey each week on what it takes to be a CISO and what are solutions that you can implement today. If you are currently a chief information security officer, or if you want to be one in the future, this is Life of [Music] a CISO.

Welcome, welcome, welcome, welcome. You know what time it is? Yes, yes, yes, you know what time it is. It is time, it is time for Life of a CISO with yours truly. Dr. E is in the house. Hope you are doing awesome and amazing.

What I want to focus on on this episode is understanding and knowing what is your target, what is your role, what is your job. And I know this sounds crazy: "Oh Eric, I'm a cyber security professional, I'm a CISO." But no, what is really your job? Because what we always joke when we talk about business is there's your job title, there is what you think you do, and it's what you really do.

So I'll give you an example. When I started off my career, after I left the CIA and started in commercial, I mean, going from government to commercial was a huge shift. I was basically the CISO for a startup telecommunication company that was very, very well funded, so they had a lot of money, lot of infrastructure, growing really, really quick. And pretty new in my career, right, brand new to commercial, and I'm thinking my job is to secure the data, my job is to secure the information. So I start going in, and little bit of a bull in a china shop, where going in I'm like, "Okay, we got to have 12-character passwords, we got to do this, we got to do this." And remember, this is still back in the late 90s, so things are still new and different. And then I'm like, "I need access to this, I need access to that." And what's
happening is I realized I wasn't getting any support. I was isolating myself and I was really frustrating everyone because I didn't put things in perspective. I came in with my job to secure the enterprise, but what I didn't realize is two weeks before I started they spent almost every day setting up and rolling out the NT servers, right? Just to show you the time frame, we're back at NT there. And they had meetings on the configurations and the settings of the security, the passwords, and they went back and forth and they put all these measures in place. And for whatever reason they agreed that it should be 10-character passwords that change every six months with no complexity. And they were up evenings, weekends, rolling this thing out. They get the entire thing set up and running. Customers are, sorry, their customers, or the employees of the company, are already starting to get frustrated about the passwords and the length and all that other stuff. And I didn't take any time to understand that. I didn't take any time to acclimate or know the environment. And I just come in, and because I'm from the CIA and I've read NIST and I wrote NIST and I know what they say: it has to be 12 character, it has to be complexity, no forgiveness, the rules are the rules are the rules, and you must follow it.

So I come in and do this, and to them, to the IT team that had to implement it, they were looking at me like, "Have you lost your mind?" Like, there was one guy that literally wanted to fight with me because he's like, "Do you know how hard it was to even get 10-character passwords? Do you know how much pushback we're getting? Do you know how much time it took us? And now you're coming in after we set everything up. Where were you two weeks ago? Where were you two months ago? Why weren't you here earlier?" Once again, not my fault, right, but my responsibility. So all these things come into play, and it ended up making a very, very rough start to the engagement because I didn't really
understand my role. My role primarily was to build relationships with IT and to understand the culture and the environment and to integrate security in a seamless way into the organization. Now, if I came in with that mindset, with that understanding, I would have been very different. I would have been much more successful much quicker, and I might have stayed at the company, and ended up only staying there a year or two just because of all the friction and all the conflicts that I created. Now once again, not my fault, but definitely my responsibility that I was just not aware of what was happening and what was occurring.

So it's very important as a chief information security officer that you actually step back and ask yourself: what is actually your role? What is actually your job? Because the reality is making the environment secure is probably not your primary objective. It might be the outcome, it might be what's listed on your statement, but the reality is this: if you're going in and you think your number one job is to secure the enterprise, and you will do anything to secure the enterprise, you do anything to secure the data, can you sort of see how that's problematic? Right, that was my issue with my first job. I went in and I am focused, I am dedicated, I'm like that pit bull. You give me a target, and I wanted to prove myself, right? Coming out of the government, in commercial, brand new to this organization, lead is security, right? Great opportunity, I'm ready to go. And to me all I was focused on was making this organization the most secure telecommunication organization on the planet, making them so secure that they never have a breach, they never have a compromise, they never have an impact, right? And that's all I was focused on. Well, the reality is that was not aligned with the company goal, right? If you talked to the CEO at the time and you said, "Okay, Buddy" (that was actually his name, Buddy Pickle), you would go in and say, okay, are you saying the most important thing for us this year
as a brand new company, the most important thing for us is to make sure we are the most secure telecommunications company? Is that what we want to be known for? He would have laughed. He would have been like, "Of course not, that's not even close." They want to be known for the most reliable, wireless, convenient, safe way to do telecommunications. They were revolutionizing telecommunications from wires to microwave, so that was their whole focus. But I never spent the time to really understand the corporate culture, never really understand HR, never understand what the mission and focus of the organization was, and never understand what I was stepping into. So I ended up causing a lot more issues and a lot more problems.

So, question: in your current role or a new role, and this is where, if you can get this mindset, this is where you ace the interview, this is where you knock it out of the park the first 90 days, this is where, if you're an existing CISO, you take a role in which you've been ineffective and you could become highly effective within six to nine months, just by making the shift of what should you really be focused on. What is really the role of cyber security? I would say in most companies the role of cyber security is to be an integrator, is to be somebody who integrates security into the business, into the corporate culture, to help increase and improve productivity, profits and revenue. Once again, a different shift for most CISOs, a different mindset of how you're looking at it. But here's the reality: how you look at a problem, how you address a problem, how you show up every day is going to massively dictate and change what you work on.

And this was one of the big, big tricks I learned in doing my coaching. When as a coach you get better and better, you learn patterns, you learn tricks, and I'll give you one of them for free. You could try it on your own. Of course, if you ever need help and you want me to sort of work with you and take you to that next level, I'd love to work
with you in our group coaching or one-on-one coaching clients, so to get you to that next level. But I'm all about telling you and giving you my secrets, and here's why that doesn't impact my business: because the reason why you're coming to me is not for the secret. I can give you the secret. You're coming to me because I know how to implement it and get it in your life as quick and as fast as possible. Because that's the thing: you go, and if you play any sports, and you can go in and coach somebody and you can say, "Okay, the secret to winning pickleball is, boom," and I actually give you my secret.

I crack up because I always used to make fun of people that played pickleball, and now I actually love it. It's great exercise. I actually like one-on-one. I don't like doubles, because it's actually more exercise and a lot more fun than playing with other people on the court. So I like playing singles. But here's the thing: everyone who plays pickleball rushes to the net. I don't know who created it. I actually do know the reason. It's because pickleball was created to be played by people that are older and not in as good shape, so that's why it's half the size of a tennis court and you don't want to run as much. So the idea was that after the initial volleys, the idea is that you move up to the kitchen, right, that's the short area in front of the net, and you basically focus more on skills and volleying and quickness of arm for agility as opposed to running around. Now, if the sport was designed for older people that couldn't run and was as mobile, but you wanted to stay flexible and you wanted to stay nimble and you sort of wanted to stretch a lot to keep the muscles, that makes perfect sense. You volley one or two, you slowly run up to the net, you get a little exercise, and then at the net you're focused on moving and agility and switching hands and back and forth, so you're actually stretching as you're playing the sport. So if your goal to play
pickleball is for a little exercise, a little stretching, to stay healthy, then the idea of coming to the net makes a lot of sense. However, me being the strategist, little competitive, right, I study pickleball, I've watched people, and I drive folks crazy, because here's the reality: if you actually stay back and you don't rush the net, you actually have more control. I can actually control you, move you, manipulate you, and get better angles on you and have a better chance of winning. So now when I play with folks they get really mad, like, "Eric, you got to go to the net." I'm like, "I don't see that in the rule book. That's not actually the rules of pickleball. The rules of pickleball just say this, so I don't have to go to the net." Everyone goes to the net. Everyone goes to the net because everyone has always gone to the net, because of what they thought it was. But I'm playing a different strategy, and it throws everybody off and some people get frustrated. And what I realized is what I need to do now is I need to be clear is what is our objective. So when I go in and I play opens, or I go and sign up and play against new folks for pickleball, I always go in and put a comment: my objective for playing pickleball is to have fun, be a little competitive and get maximum exercise, and if your goal is to just say you play pickleball, not really get exercise, and just sort of stretch like the original objective, then we're probably not going to be a good match, 'cause I am not going to do what you want. I'm not going to come to the net. That is not the rules. You don't have to play to the kitchen, but everyone does.

So it's one of those where I'm going in, and to me it relates so much to cyber security, where we're going into an organization where everyone does things a certain way. Business executives do things a certain way. They have business meetings, they have formalities, they are program management. They're basically playing pickleball the way everyone plays pickleball: go to the kitchen,
go to the net. Or you come back going, "Wait, that's not my objective here. I want to get exercise. I've studied it, I know the game, and guess what, I'm not going to play by that objective. I'm gonna do a different strategy. I'm going to still play by the rules, but I'm going to implement a new strategy that I find is more effective." And the reality is this: my strategy is more effective. People often adapt my strategy and they become better players. I often win matches against very good players because my strategy is a lot more effective. But the reality is, if that's not what they want and that's not what they're expecting, you can have the best strategy and be completely ineffective, be totally and completely ineffective at your job.

So back to your role. If you're going in to the morning thinking that your job is to secure the organization, or your job is to put out fires, and the company thinks your job is to make the organization secure transparently behind the scenes without impacting revenue, that's going to be an issue. That's going to be a conflict.

So I told you, I like giving you a little suspense here, I told you I was going to give you the secret, and like I said, even if I give you the secret, if you're not coached on how to do it, doesn't matter. So like I said with pickleball, I can go in and I can tell you the secret to winning one-on-one pickleball is don't go to the kitchen, stay back, strategically move the ball. Now, if you've never done that, you don't know how to do that. Even though I've given you the secret, you don't know how to implement it. So you hire me as a coach, and I come in and I show you how to do that. I show you, okay, here's where my eyes are, here's how I, and I show you how I think about it, what's going on in my mind when I'm playing pickleball. I'm going to come forward, I'm going to go back, I'm going to shift to the left where the ball is, I'm actually going to go to the opposite angle, and I'm getting you inside the mindset. Now all of a sudden
you can do it much quicker, faster and better. So it's not the secrets that matter. That's why people will publish books. Really good people publish books where they give everything away. Bad people publish books, they hold everything back. So I don't know if you've ever read a book where you're like, "They're just not giving me what I want, like they're teasing me." The book is a sales pitch, because they think, "If I give you the secret, you won't hire me." Because many people write books for marketing, promotion or business reasons, and that's why these books fail. Books are not marketing tools. People read my books and they're like, "Eric, you've given so much away." I even have people go in and go, "Eric, why would we hire you as a coach when you're giving everything for free in your podcasts?" And the reason is this: how's that working out for you, right? How's it going? Because you could read the book, you could know the secrets, but if you don't get into the mindset and understand what it is you need to be doing, you're still going to struggle. And that's what great coaches do. Great coaches don't give you secrets. Great coaches help you understand what are the obstacles, what are the roadblocks, what are the reasons why you don't understand the secret, and how can you implement it.

So the secret to being a world-class CISO is every day, every week and every month you define what your role is, because your role is going to change. Depending on where your company's at, depending on what's happening and what's occurring, your role is going to change. Give you a simple example: if you're at a company that just suffered a cyber security breach and you're in incident response mode, law enforcement is there, investigation, lawsuits, legal, isn't your role a lot different than it was two months ago before the incident? If you're preparing for a board meeting, your role is going to be a lot different. If you're at the end of a fiscal year and revenue is down and everybody is focused on hitting the numbers, and so you're
doing promotions, you're doing sales, you're increasing manufacturing, you're doing everything to increase revenue, you're not doing normal operations, you've done, you're in triage mode, isn't your role as a CISO different? Absolutely. So the secret is: yes, you're the Chief Information Security Officer, yes, you're focused on cyber security, but for this month, for this week, for this day, what is the role? Now, this is different than targets. This is different than planning and outcomes and New Year's resolutions and all those other stuff, because what we're talking about is not what are you producing, but who do you need to be, how do you need to show up.

So an example is, if today, or let's step back. So currently in your organization one of your biggest problems is you're not respected by the executive team. They all sit in one building, your office is by the data center, they all meet on a regular basis, you're not included. Here's the reality, and I've covered it on other podcasts so I won't go into it here: chief officers stick together. Birds of a feather flock together. If your title begins with a C, chief, and ends with an O, officer, you need to be with other chief officers. So look at your desk, look at who you go to lunch with, look at who you hang out with weekends, and if they are not chief officers, there's a problem. Because guess what, CEOs sit with COOs and CFOs. CEOs hang out with other CEOs. CEOs go to lunch and have dinner with other chief officers. So if you're a chief officer and you're not acting, behaving or showing up like a chief officer, that's a problem. And that's with most of the people I work with, because this is a cultural and an organizational thing where we just don't understand the role of a CISO and we didn't position them correctly. So in this case your goal, if I'm working with you, your goal for the next quarter, not even month, the next quarter, is to be a chief officer. How does that shift everything? If you're now going in and every day is to be a chief
officer, that's your role. It's not to be the cyber person, because guess what, you got that. Now just to be clear here, we're not saying it's the only, we're not saying you're going to ignore everything else. I'm not saying all of a sudden you forget about security, you forget about data protection, and all you do is chief officer. No, all I'm saying is that's the main focus. You're still going to be doing security 70, 80% of your job, but now 20% of your time is chief officer.

Now when you're walking into meetings, let's say we have a meeting on a security policy. If your role is cyber security, to make this the most secure organization on the planet, aren't you going to walk into that meeting where you're talking about security policy differently than if you were going into that meeting going, "Okay, I know cyber, I love cyber, I'm information security, but in this meeting my role is to be a chief officer, my role is to build rapport with other executives and to get agreement"? Aren't you going to approach that meeting a lot differently? Isn't your mindset, isn't your energy, isn't your focus, isn't the questions you ask and how you behave going to be completely and totally different? Absolutely.

So now we decide for the next quarter, might be the next six months, but let's just start with 90 days: for the next 90 days I am going to focus on being a chief officer. Great. Then you do your weekly planning and you say, "Okay, this week I need to focus on being more accessible," because out of sight, out of mind. If all the other executives sit at the corporate headquarters and you're sitting at the data center 20 miles away, you're not going to be able to be a chief officer. Sending emails and text messages isn't chief officer. You need to be present. They need to see you. They need to be visible. So you might say, "This week or this month, my outcome, the way I'm going to show up, my role is to be visible, is to be visible and to be present." So great. So then when you plan out your week you say, okay, I'm going to try to sit at
corporate headquarters for two hours a day. Two hours, maybe it's from 8 to 10, maybe it's 3 to 5, but for two hours I'm going to be present, I'm going to be at corporate headquarters. Great. So now when you are going to sleep at night and you wake up in the morning, you're now thinking, "Okay, today my role is I need to be present for two hours. That's my main objective today. Yes, I'm still going to do cyber, right, I know what to do there, but my main objective is I need to make sure that I am at corporate headquarters, sitting in one of those conference rooms that are available, and just present." Once again, notice how the role is something you can achieve and reasonable. I'm not going in and going, "Okay, my role today is to be invited to every meeting." That's not realistic. That's where we push it too far. That's where we let targets that are unrealistic get in the way of our roles. But our role is really how are we showing up, how are we being present.

So now if you wake up in the morning and you're like, "Okay, my role today is to be present with the other chief officers," now watch what happens. When you're getting ready, you're in a different mindset, you're thinking differently, you're actually acting differently. You're probably going to dress differently, because if you're going at the data center you might throw on a T-shirt and jeans, but if you're going to be at corporate for two hours just being present, you're probably going to put on a button-down and maybe put on shoes instead of sneakers. So you start seeing how everything shifts. Now if you're wearing a button-down, a nice starched shirt, jeans and shoes, and you look in the mirror, don't you feel different and think different than if you're in a T-shirt, jeans and sneakers? And once again, this is psychology coming in, but here's the trick: to be a world-class CISO it's not just about being technical, it's about understanding all aspects of the game, psychological, mental and physical. So the idea is, what is
your role? So what I want you to do this week, this month, is just start thinking about: how do I need to show up differently in my job? What is really my role? Is my role to be a communicator? Is my role to be a leader? Is my role to be a manager? Is my role to be a finance person? If we're working on budget, your role is to be the ultimate finance person. Now remember, these are not permanent. You're still the CISO, you're still the security engineer. But when you start thinking at a daily, weekly and monthly basis on what is really my job, what is really my role, how do I really need to show up, and you start getting that as your mindset, everything will shift and everything will start to change for you. [Music]