Embark on a captivating exploration of the IT and cybersecurity landscape with our distinguished guests, Andy and Hellmuth. Their unique narratives, from Hellmuth's pivot into the role of Siemens' global CIO to Andy's transition from the world of chemical physics to the fintech sector, are not just career chronicles. They serve as a testament to the symbiotic relationship between physical and digital security realms and the indispensable nature of cybersecurity in a world where connectivity is king. Their stories are a reminder that the roots of modern IT are deeply embedded in the hands-on experiences of tech's early days, and that these experiences continue to shape the future of the industry.
In a world where remote learning has become the norm post-COVID, we take a moment to reflect on the unmatched value of in-person mentorship in the tech industry. Our guests reminisce about the days of VAX and PDP systems and how guidance from pioneers like Bill Lang and Scott Davis honed their skills. They point out the potential shortcomings of the hybrid work model for professional growth, making a strong case for the irreplaceable impact of face-to-face interactions during the formative stages of a tech career. This conversation is a tribute to the artisans of the past and a call to preserve their legacy through mentorship.
To round off our discussion, Andy and Hellmuth delve into the art of advancing one's career by hiring individuals who bring a wealth of knowledge to the table and the importance of continuous learning in an industry that never stands still. They share wisdom on leadership, the strategic navigation of career risks, and the cultivation of diverse teams. Furthermore, the journey from traditional web proxies to the pioneering frontiers of Zero Trust security is unpacked, revealing not only the challenges but also the victories that come with tech innovation. Join us for this session, brimming with the rich experience, insights, and forward-thinking needed to traverse the dynamic ebb and flow of IT and cybersecurity.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Andy and Hellmuth?
00:00:02
It's really good to finally have you guys on the podcast.
00:00:05
I'm really excited for our conversation today.
00:00:07
Same here.
00:00:08
Speaker 2: Excellent, good seeing you.
00:00:11
Speaker 1: Yeah, it's that time of the year where you debate
00:00:15
about taking time off of work or if the work is going to be so
00:00:19
light that there's no point in taking any time off, and so I'm
00:00:24
in that conundrum right now with my day job.
00:00:28
Speaker 3: It's a weird wind down this year because the stock
00:00:30
market keeps going up, so I think it's keeping people
00:00:32
glued to the screen a bit, isn't it?
00:00:34
Speaker 1: Right.
00:00:34
Yeah, it's an interesting time.
00:00:36
I'm waiting for it to all come back down.
00:00:38
Honest, it's a little alarming that it's going up right now.
00:00:41
I feel like it should be going the other way, but whatever.
00:00:43
Speaker 3: I think, enjoy it while you can.
00:00:45
It's probably the adage, isn't it? Right?
00:00:47
Speaker 1: Right, yeah, I got a couple of friends that are
00:00:50
definitely enjoying it.
00:00:51
Right now we have a group chat and it's always fun to see what
00:00:55
they're saying about it. Absolutely.
00:00:57
Speaker 2: What are your expectations for 2024?
00:00:59
Speaker 1: Yeah, I think 2024 is going to be an interesting year.
00:01:03
I think it'll be a year of reinvention and emergence of new
00:01:09
skills and new demand and whatnot.
00:01:10
But before we dive into all of that, how about we start with
00:01:15
your guys' background?
00:01:17
How did you get in IT?
00:01:18
How did you get into security?
00:01:19
What made you want to go down that path?
00:01:22
And the reason why I started everyone off with this question
00:01:26
is because I have a section of my audience that is trying to
00:01:31
get into security.
00:01:32
They're trying to get into IT, they're trying to make that jump
00:01:35
, and I've always found that hearing someone else's story and
00:01:39
maybe you relating to that story, makes it easier, opens up
00:01:42
that possibility in your mind to say, hey, I could do this too.
00:01:46
So, helm, youth, why don't we start with you?
00:01:49
Speaker 2: So actually I didn't start off in IT.
00:01:53
I started more running different businesses, a large
00:01:56
conglomerate at Siemens, where I was responsible for different
00:02:00
regional businesses, and then businesses managed from outside
00:02:06
of headquarters, namely mostly from the US.
00:02:09
Siemens started to explore the future of their industrial
00:02:15
business, going more and more into software and data analytics.
00:02:17
We acquired a software company headquartered in Plano, Texas, a
00:02:22
former EDS offspring, and that brought me closer and closer to
00:02:27
the IT world, but really coming from the software angle, and the
00:02:32
idea was to bring the physical and the virtual world together.
00:02:34
And so I had then different responsibilities in the
00:02:38
industrial sector, in Siemens, and my last role in Siemens
00:02:42
before I retired after almost 30 years was their global CIO.
00:02:46
So coming more from a business angle into the IT world, and the
00:02:51
idea here was to make sure that IT and business is really
00:02:55
closely interconnected and creating value, one together
00:02:59
with the other.
00:02:59
Most of the businesses in the industrial world today, even though
00:03:03
they come very much from a physical world.
00:03:06
They're now enhanced by data analytics and enhanced by
00:03:09
software and bring, then, these two worlds together.
00:03:12
That was the task at Siemens and this was also the task of
00:03:15
bringing IT and the business closer together and in this
00:03:18
context you can imagine, cybersecurity plays an
00:03:22
absolutely key role.
00:03:23
Cybersecurity on the IT side, but as much and as important on
00:03:27
the OT side.
00:03:28
And that brought me closer and closer to the cybersecurity
00:03:32
world which we will be discussing today.
00:03:36
Speaker 1: Yeah, it's a.
00:03:36
It's an interesting time, right, in history when the worlds
00:03:43
started to kind of merge together.
00:03:44
I feel, and you know it like opened up the world of
00:03:49
possibilities, of, oh, I can control that pacemaker and I'll
00:03:55
control it in a way to where no one knows that I ever did it
00:03:59
right.
00:03:59
I'll erase all the logs, I'll erase everything that was on it
00:04:03
and whatnot, and so it it opens up a really a really big world
00:04:07
for IT and everything, interesting space where you know
00:04:11
I think it's even described pretty well in the zero day book
00:04:14
by Kim Zetter, you know she talks about how you know these
00:04:18
generals and these colonels you know watched as this generator
00:04:22
just blew itself apart because someone with a computer you know
00:04:25
from a mile away decided to hack it and put some malware on
00:04:29
it that made it operate at speeds that it shouldn't have
00:04:32
been operating at.
00:04:33
So, Andy, how about your journey?
00:04:34
What was that like?
00:04:36
Speaker 3: Well, I started off with a typical scientific degree
00:04:39
in chemical physics and did some programming on the BBC
00:04:43
micro when I was at college, but not much, but I know BASIC
00:04:46
pretty well.
00:04:47
So from there I went to work in pharmaceutical research and
00:04:52
actually built a molecular graphic modeling system, which
00:04:54
was a ton of fun.
00:04:56
They taught me how to program and I learned in FORTRAN IV, with
00:05:00
variables that weren't even declared and stuff like that.
00:05:02
So within a couple of years I discovered that assembler was
00:05:06
quite interesting and that understanding how computers
00:05:08
worked was pretty interesting as well, and I spent 10 years just
00:05:12
writing code.
00:05:13
I kept being asked to take management positions but didn't
00:05:16
want to, and in the end I became a contractor for six years when
00:05:20
I worked at Marconi's and BT and built a whole bunch of
00:05:22
different things as well Outside of my day job, just so that I
00:05:26
could continue programming.
00:05:27
So by the time I went back into the corporate workforce in 1994
00:05:33
when I joined Paribas, I had a lot of programming experience,
00:05:37
and during my time at BT we'd also run the ARPANET/JANET
00:05:40
project, which was the first connectivity across the Internet
00:05:43
in the days when gopher and FTP were probably the only
00:05:47
mechanisms you had for collaboration and sharing.
00:05:49
So it was a very interesting time.
00:05:51
Obviously the rise of Mosaic and Netscape and so on happened
00:05:55
in that period as well.
00:05:56
Then eventually the Microsoft all-out rush to go to the
00:06:00
Internet, which was also quite fun to watch.
00:06:03
I had 20 years in financial services in various different
00:06:06
jobs, always technical at one level or another.
00:06:08
So CTO roles, for example, had security report to me two or
00:06:12
three times over that period of time as well.
00:06:14
So pretty honestly, going back to the ARPANET/JANET connection,
00:06:17
I think from that point on security was born.
00:06:20
As soon as you could address everything from the network,
00:06:23
then it became the protection, became like one of the most
00:06:27
important things.
00:06:28
In the beginning, as you probably remember, there was no
00:06:30
real commerce or payments, but as soon as that stuff started to
00:06:33
emerge then people started to worry about fraud and so on.
00:06:37
So I feel like I kind of grew up in the environment where
00:06:41
security started and many of my friends who've been CISOs on
00:06:45
Wall Street all came out of Bell Labs in the US and the same is
00:06:49
true in the UK.
00:06:50
Many of them came out of multiple labs, actually into the
00:06:53
CISO roles in UK companies too.
00:06:55
So I feel like I've been at this for 30 years or so actually
00:06:58
, and for the last 10 or so have been investing in companies,
00:07:03
have been on the board of Zscaler, watched Zscaler grow
00:07:07
from nothing really to something pretty substantial, and also
00:07:11
watched Zero Trust grow as a way of thinking, a philosophy, if
00:07:15
you like, for defense, which I think any football coach would
00:07:19
understand, strategy around defense and attack being very
00:07:23
important.
00:07:24
I think that's now true in the enterprise as well.
00:07:26
Speaker 1: Yeah, it's really interesting.
00:07:29
So it sounds like you were at the start of the internet and
00:07:33
you were in the space, I guess, learning as everyone else was.
00:07:36
What was that time like?
00:07:38
Because learning back then is a lot different from learning
00:07:42
right now.
00:07:42
You know, if I want to learn a topic, I'll go on YouTube, right
00:07:46
, I can hear lectures from MIT, Harvard, you know whatever it is
00:07:50
right, but that's all on the internet, right?
00:07:53
I'm basing all of my learning of a new topic on the internet.
00:07:57
You're at the forefront of the internet.
00:08:00
So what was learning about what this thing was?
00:08:03
What was that like?
00:08:05
Speaker 3: Well, I mean there's a lot of reading, to be honest.
00:08:07
So I mean I read, I think, every VAX manual, every PDP
00:08:11
manual, front to back basically, and while I was programming
00:08:14
Assembler, I mean you need all the help you can get.
00:08:16
I also discovered early on that microfiche was really useful
00:08:20
because you could actually read how the systems programmers were
00:08:24
writing code, and I followed like Bill Lang who designed
00:08:29
BLISS, and so I would basically look at the code they'd written
00:08:32
in a new release of the operating system to learn the
00:08:34
tricks and techniques from them.
00:08:35
Obviously, being surrounded by great people really helps.
00:08:38
The person who sat next to me at ICI was a guy called John
00:08:42
Farringdon.
00:08:43
He taught me what symbolic debuggers were, and before then
00:08:46
I was just, you know, using print and stuff like that, and
00:08:49
you take these kind of massive increases in performance just by
00:08:52
meeting people and, to be honest, that that's something
00:08:55
that I've continued to this day.
00:08:57
If you want to know a subject, go to a subject matter expert
00:09:00
and find out what their points of view are, what they think is
00:09:02
interesting.
00:09:03
And so I remember one particular incident at Paribas
00:09:06
where DEC actually brought in a guy called Scott Davis and I'm
00:09:10
like are you the Scott Davis that wrote DECnet and he's like,
00:09:13
yes, I am that Scott Davis, and he was the TCP/IP
00:09:16
consultant into Paribas and I'm like, dude, I mean, you're my
00:09:19
hero.
00:09:19
And so I think you've got to kind of think about every
00:09:26
protocol in terms of how it could be breached.
00:09:28
And often people forget about those legacy protocols, by the
00:09:32
way, and that actually is a mistake.
00:09:33
But largely they're gone, but not totally.
00:09:37
I mean we still see mainframes in probably most of the Fortune
00:09:39
500.
00:09:40
And where there are mainframes you'll find SNA not far away.
00:09:43
So just a quick in touch with the past comment there.
00:09:48
Speaker 2: But, Joe, actually let me add to this I think some
00:09:51
things have changed, some things have not changed.
00:09:53
So number one is you get a lot of basic knowledge going on the
00:09:57
internet, watching YouTube, using ChatGPT
00:10:00
gets you into the area, but to really
00:10:06
develop deep thinking and new reflections, what has not
00:10:10
changed talking, go and see number one and see.
00:10:13
The second part is what Andy just described be with people
00:10:17
that are really in the subject matter.
00:10:19
And I remember, Andy, we spoke a lot virtually together, but it
00:10:23
was so different when we met the first time and I tell you,
00:10:26
being two hours with Andy, you learn a lot, much more than you
00:10:30
can learn in several days on YouTube.
00:10:32
So I don't think this is really replaceable.
00:10:36
I think you know then you might get a certain basic knowledge,
00:10:39
but if you really want to get deep into any subject, it's the
00:10:42
best thing for developing your critical thinking and this
00:10:45
domain is being with people that are experienced and willing to
00:10:49
share.
00:10:50
Speaker 1: Yeah, it's really interesting.
00:10:51
You know, do you think that that also translates into work
00:10:55
from home culture that we kind of got it became more prevalent
00:10:59
with COVID, right, where more and more companies are working
00:11:02
from home and now employees don't really want to go back to
00:11:06
the office because they're not finding the value in it.
00:11:08
Right, and I think from my perspective, right, my stance on
00:11:12
it is I'm very pro work from home, but there could be
00:11:16
absolutely something that you're losing with not going to the
00:11:19
office and for me it's difficult to try and put a value to that,
00:11:24
right.
00:11:25
So then it's, it's harder, at least for me right now.
00:11:28
So, like, put a value to that, to say like, okay, should I go
00:11:32
in, should I stay at home?
00:11:33
You know all these sorts of things, right?
00:11:36
What's your opinion on that?
00:11:38
Speaker 2: Yeah, Joe, I think you know that I teach at a
00:11:40
business school and it was very interesting. Of course, when
00:11:44
COVID hit.
00:11:44
We had to go virtual from one day to the other.
00:11:46
Then there was a wave, everybody wants to be back.
00:11:50
Now what turns out is we get more and more into a hybrid
00:11:54
situation where a lot of the material is actually prepared,
00:11:57
for example, in videos.
00:11:58
You get to this basic knowledge Once in a while.
00:12:01
A lecture can be perfectly done virtual.
00:12:03
It works very well, but only in the combination with being back
00:12:09
in the classroom, especially in group work, being in a group
00:12:12
where students work with other students in a live setting, and
00:12:16
then going again for a while virtual.
00:12:17
That works, but I think it's really critical, this direct
00:12:22
personal interaction.
00:12:23
So I'm, I'm neither one nor the other.
00:12:26
I think the hybrid is really the most effective way of
00:12:29
working together now and going forward.
00:12:31
Andy, what do you think?
00:12:33
Speaker 3: I think randomized hybrid is the worst possible
00:12:35
outcome.
00:12:36
So when people go to work when they feel like it, that never
00:12:39
works.
00:12:40
The companies that seem to be doing this successfully are
00:12:42
saying let's go into the office Tuesday and Thursday, and they
00:12:46
actually specifically look out for social moments, teaching
00:12:49
moments, you know, water cooler moments and so on.
00:12:53
So my point, to be honest, is that there is no substitute for
00:12:58
John Farringdon teaching Andy Brown.
00:12:59
There isn't, but you know, during there isn't.
00:13:02
I mean, I would never have advanced as quickly without his
00:13:05
help.
00:13:05
Right, and he was.
00:13:07
You know, he's a genius.
00:13:08
He actually worked at ICI, invented Diquat, and then he
00:13:11
did a computer aptitude test with Burroughs and he got 100%.
00:13:14
So Burroughs recruited him.
00:13:15
So suddenly he came back when he was older.
00:13:18
He's an absolutely brilliant guy, and so I don't really think
00:13:22
there is a substitute for that.
00:13:24
But I do think that once you've built relationships with people
00:13:28
, you can work very effectively with them remotely because you
00:13:31
know them.
00:13:31
But if you don't spend the time at the beginning to build the
00:13:33
relationship capital that you need, I think it's hard to
00:13:36
approach people with a problem that you don't know well.
00:13:39
So I think that that's that's the point I would make.
00:13:42
I think familiarity is very helpful in relationship
00:13:45
management, and being prepared to not know the answer and ask
00:13:50
somebody for help is a sign of strength in every organization
00:13:53
that I've ever run.
00:13:54
Speaker 1: So yeah, I think that there is a lot of benefit going
00:13:58
to a hybrid model, especially for the people starting out
00:14:02
Right, I couldn't imagine trying to get into this field, right?
00:14:05
So, you know, I got my bachelor's in criminal justice,
00:14:08
right, nothing computer related.
00:14:10
I didn't code before and I still don't code today, right,
00:14:14
like thankfully right, somehow I have missed that, that skill
00:14:19
curve, and I couldn't imagine how difficult it would have been
00:14:22
getting into the field without having that face to face
00:14:27
interaction with my leads, with my, you know, engineers, and
00:14:32
saying like, hey, what is this thing, you know?
00:14:34
And they actually pull it up, pull it up on their screen, show
00:14:38
me, talk me through it, guide me doing it, doing it myself.
00:14:43
You know, those sorts of things are really, they're
00:14:46
irreplaceable.
00:14:47
You know, a screen share doesn't do it justice because, you know
00:14:51
, with a screen share, once it's over, to me it would
00:14:55
be rude to start it back up again and, you know, ask more in
00:14:59
depth questions, right, it kind of puts that barrier and I
00:15:03
consider myself not to be very, I guess, extroverted or whatnot.
00:15:06
I mean, people would probably contend with me running a
00:15:10
podcast if I'm actually extroverted or not.
00:15:12
But you know, once the conversation is over.
00:15:16
You know, most people are not going to fire it back up.
00:15:19
Start diving into it again.
00:15:21
Right?
00:15:22
It's a complex social situation, I feel.
00:15:28
Speaker 3: I agree with you, I mean, I think the one thing
00:15:30
that's probably good is that you can ask multiple people the
00:15:33
same question and actually essentially crowdsource the
00:15:37
answer, which can be very helpful.
00:15:38
And if you look at how Slack is often used on tech channels,
00:15:42
that's often the way it's being used.
00:15:43
So I think, pros and cons.
00:15:45
Personally, I think I would rather have not read the
00:15:47
microfiche; my glasses may not be so thick right now if I had.
00:15:51
So if I hadn't, rather.
00:15:52
So you know, they're definitely better off today and it's much
00:15:56
easier to come up with learning curve faster.
00:15:58
However, you have to be intellectually curious and
00:16:01
sometimes you have to look under the cover, because often I think
00:16:04
cloud programmers haven't gone deep inside to really understand
00:16:08
how the computer works to allow them to optimize their code,
00:16:12
and many people would say you don't need to do that.
00:16:13
But I've seen code written by people that do do that and
00:16:16
they're usually extraordinarily thoughtful about how they write
00:16:20
code.
00:16:20
So I like a combination of the two.
00:16:23
Speaker 1: It's interesting, you know it sounds like I mean,
00:16:27
this was one question that's taken 20 minutes right, it
00:16:30
sounds like the winding path through your career is the best
00:16:35
route to you know security, right Overall.
00:16:39
I think we would all probably agree on that, which is it's not
00:16:44
what the younger generation wants to hear.
00:16:46
Right, I've done mentorship sessions, right, with people
00:16:51
that are fresh out of college or maybe they're just about to
00:16:54
finish up college and they're asking me what's the best way to
00:16:57
get into security.
00:16:58
You know, and I take them down, this, you know, kind of winding
00:17:01
path right, of being one option, and they're like, well, if I
00:17:04
do this boot camp over here, you know it's eight weeks or 16
00:17:08
weeks, whatever it is, and I'm in.
00:17:11
So, yeah, you might, you might be in, but you're not going to
00:17:15
have the level of experience that the industry is expecting
00:17:17
of you.
00:17:18
You know you're not going to have the skill sets that
00:17:21
everyone else is expecting you to have.
00:17:23
You know, for instance, right, if I went to work at Siemens and
00:17:28
they deal in nothing but IoT devices pretty much, you know
00:17:33
the the hardest devices to secure on any network, that's
00:17:38
what they deal with, that's their bread and butter, right,
00:17:42
if I, as an experienced engineer, if I go in as an analyst, I'm
00:17:46
going to be in over my head most likely, I feel you know,
00:17:49
because it's a section of security and IT that I've never
00:17:52
touched before.
00:17:53
Is that also what you guys recommend to people getting
00:17:58
started in security?
00:17:59
To have that winding road, to not worry, you know, about maybe
00:18:03
not having that, that direct path?
00:18:06
Speaker 2: I'm not sure.
00:18:07
I think what you just described is exactly.
00:18:10
What's necessary is curiosity.
00:18:12
I mean going, even if it's just an eight week or 16 week
00:18:15
workshop.
00:18:16
I mean, if you expect, then you know everything.
00:18:18
That's probably a pretty unrealistic expectation.
00:18:20
But if you're willing to keep on learning, that's probably the
00:18:24
best.
00:18:25
It's the best road to get into it and it's always a mix between
00:18:30
getting a foundation, a theoretical foundation,
00:18:33
understanding the topic, similar to what Andy said before.
00:18:36
You know at some point in time if you, if you're in IT, it's
00:18:40
probably best you have coded at some point in time.
00:18:42
You don't have to do everything , but going deep for a certain
00:18:46
period of time and understanding the dynamics helps you
00:18:49
enormously afterwards and putting the applications into
00:18:53
context.
00:18:53
And I think that's true what you just described also on
00:18:56
cybersecurity.
00:18:57
You just have to go deep and for a certain period to get the
00:19:01
foundations, and then it's all about practical applications.
00:19:04
It's about understanding what is it actually really used for?
00:19:08
Where does it create value?
00:19:09
So, not staying in the theory, but creating a theoretical base
00:19:14
and starting from there in certain directions understanding
00:19:17
where's the application, where the risks, but also, and most
00:19:20
importantly first, where the opportunities and where's the
00:19:23
value created.
00:19:24
We start a little bit off this on kind of the negative side all
00:19:28
about.
00:19:28
You know it needs to be protected.
00:19:30
Well, the first question is why do you want to protect it?
00:19:32
So where do you create the value that actually creates
00:19:35
business value?
00:19:36
And you just described the IoT world.
00:19:38
I think there's an enormous opportunity for using the data
00:19:43
that are collected, be it on a factory floor and one of the
00:19:47
Siemens factories.
00:19:48
It's a factory in Bavaria, in Amberg. It's been
00:19:52
several times the Factory of the Year in Europe and now
00:19:55
from the World Economic Forum.
00:19:56
Why?
00:19:57
Because they have a lot of people that have deep domain
00:20:00
knowledge in their segment, and then they bring this together
00:20:04
with IT knowledge and then all the cybersecurity knowledge, and
00:20:08
I think that's a combination which is really the winning one.
00:20:11
Coming back to your question winding road or not, creating a
00:20:15
good foundation, building on it and then being exposed to the
00:20:19
real applications that create value for clients, and then
00:20:22
thinking about how do you secure it to make it consistently
00:20:27
successful.
00:20:28
I think that's really always a good approach, and then you
00:20:31
probably want to go back and go back into learning mode again.
00:20:35
Speaker 3: Yeah, I mean, I think there's kind of two things that
00:20:37
I would just pick up on there.
00:20:39
The first one is that this generation of workers has to be
00:20:43
lifetime learners, and AI is going to change the jobs that
00:20:47
are useful.
00:20:47
They're going to change the pay rates for jobs as AIs get more
00:20:51
and more clever and able to orchestrate.
00:20:54
So whatever you're doing right now, in five years time it could
00:20:58
actually be valueless.
00:20:59
So you have to stay ahead of that and you have to keep
00:21:02
thinking about what's going to get commoditized next.
00:21:05
If it's a skill that I'm currently have, that's good
00:21:08
because you can build from it, but the question is, where's the
00:21:10
puck going?
00:21:11
I think.
00:21:11
So reskilling and relearning and learning new things is super
00:21:16
important.
00:21:16
The second thing is that you can't restrict yourself to a
00:21:20
single industry.
00:21:21
Many people in financial services work in financial
00:21:24
services their entire career.
00:21:25
Many of the best CISOs I know came from telecom into
00:21:28
financial services and then went on to do a whole bunch of other
00:21:31
things after that.
00:21:32
The way I looked at programming when I was 21 is that
00:21:36
programming itself is a completely transferable skill
00:21:40
into any industry.
00:21:41
I used it to learn how to model protein binding sites, how to
00:21:46
automate refineries, and how to automate an entire telecom
00:21:49
company that used to be a public utility, which is not easy, by
00:21:54
the way.
00:21:55
So, in financial services, same thing, but again, each business
00:21:59
Paribas, very different from Merrill, very different from
00:22:02
Credit Suisse, very different from UBS.
00:22:04
And now, in the last 10 years, working on everything from how
00:22:08
do you optimize wine growing to how do you build security
00:22:11
companies.
00:22:11
So, to me, the transferability of the skill gives you the
00:22:15
opportunity to learn many different industries.
00:22:17
IoT is obviously an up and coming one and a good one to
00:22:19
learn, but that's about where the puck is moving.
00:22:21
The puck's moving to IoT.
00:22:23
That's a good skill to learn.
00:22:24
As a security professional, you can start to push your career
00:22:27
in that direction fairly easily.
00:22:29
So the winding road is often, I think, dictated by future
00:22:33
market trends, but your intellectual curiosity and your
00:22:36
ability to keep reading is what helps you identify what those
00:22:39
trends are.
00:22:39
So that's the way I would say it.
00:22:42
Speaker 1: Yeah, I guess it's not fully accurate for me to say
00:22:46
that I've never coded or anything like that.
00:22:49
I say I've probably learned Python like five times over.
00:22:53
The issue is that I don't use it regularly so I forget things
00:22:58
that I learned six, seven months ago and now it's like I have to
00:23:02
go relearn strings or functions or whatever might be.
00:23:06
But I do fully agree with what you're saying.
00:23:08
Coding is one of those basic foundational principles where
00:23:13
you take that learning and then everything else starts to kind
00:23:16
of make sense and it fits into its place.
00:23:18
I just haven't thought of it like that in such a long time,
00:23:22
because now I just do it so innately of deconstructing a
00:23:26
problem or deconstructing a system to seeing how it works,
00:23:29
when I'm picturing it in my head, right of what that is you know
00:23:33
in Python or what that is in code, and I'm doing that without
00:23:37
even thinking about it.
00:23:38
But in the beginning you're learning these things.
00:23:40
It's like an epiphany.
00:23:41
But it's like, oh my God, that's how, that's how the
00:23:44
network stack works, that's how this server works, that's how it
00:23:47
communicates to something else, all those sorts of things.
00:23:50
It just becomes an epiphany.
00:23:52
Speaker 3: I think many theoretical things, Joe, also.
00:23:55
You only actually get them when you see a practical application
00:23:58
of them.
00:23:58
String theory, graph theory, I mean you know, graph theory,
00:24:02
yeah, okay, kind of get it, no, it's okay, but as soon as you
00:24:05
see the power of building a graph, you're like, wow, this is
00:24:08
really cool.
00:24:09
So I totally think what you're saying is 100% right.
00:24:13
Speaker 1: Yeah, it's fascinating, right.
00:24:15
Like you talk about being a lifetime learner.
00:24:18
I mean, it's never ending.
00:24:19
I guess that's what drew me to security personally, right is
00:24:24
being able to be a lifetime learner, because for a long time
00:24:27
I was in the mentality that IT was like the most boring thing,
00:24:30
because I had only seen help desk and I only did that one
00:24:34
thing and I'm like man, this would be miserable If I have to
00:24:38
spend my entire career in help desk.
00:24:40
I didn't even think that there was another side of IT or
00:24:43
anything like that.
00:24:43
It's that always learning part that drew me in is because once
00:24:48
I figured out like, oh wait, like I can literally dive deep
00:24:52
into hacking cars Right, just hacking cars, and I'll spend an
00:24:57
entire career there.
00:24:58
Or hacking factories, hacking IoT, all these different things
00:25:03
it's really fascinating.
00:25:04
So I do have a question, though. So you guys have your PhDs.
00:25:10
A German doctorate? Well, that's like what, three American PhDs
00:23:15
right there? No, no, no, no, no.
00:25:17
I can't say that 100% is.
00:25:20
Speaker 2: Not at all.
00:25:20
Some people would say it's proper American PhD.
00:25:24
Speaker 1: So yeah, well, those people don't know the German
00:25:26
education system.
00:25:27
So I was studying German in college in my undergrad, and
00:25:36
part of it was spending six weeks in Germany, and I couldn't
00:25:39
tell you the amount of times that I was impressed with just
00:25:44
the intellectual knowledge that Germans and other Europeans had
00:25:48
compared to my own knowledge. Joey, you just made a lot of
00:25:52
Germans very happy because the latest PISA study was actually
00:25:55
not that positive about German education.
00:25:58
Speaker 2: I question that study.
00:26:00
Okay, but coming back to the point, I think I just want to,
00:26:06
this is the lifelong learning aspect, because, as you know, Andy and
00:26:11
I we just sat down and wrote actually a book for board
00:26:14
members and good board members are actually lifelong learners
00:26:19
and they know that I don't know.
00:26:19
So part of being a board member is asking a lot of questions,
00:26:24
ideally good leading questions and sometimes completely open
00:26:27
questions, but really the willingness always to keep on
00:26:31
learning, to keep on understanding what's the
00:26:34
opportunity in the business, but also what are the risks in the
00:26:37
business.
00:26:37
And this is why Andy and I sat down and wrote this book about
00:26:42
seven steps for cybersecurity for board members, because they
00:26:45
are lifelong learners and want to have deep understanding on
00:26:48
many subject matters and one of them is actually cybersecurity.
00:26:52
Speaker 1: That makes a lot of sense for board members to be
00:26:55
lifelong learners.
00:26:56
I find that as you become more experienced, as you get higher
00:27:03
level roles and whatnot, it's more important not for you to
00:27:07
know everything, but for you to surround yourself with the right
00:27:10
people that are experts in those other areas.
00:27:13
So you could say, hey, can you handle this question for me?
00:27:16
Can you drill them in this way, because I don't know this side
00:27:21
of it like you do?
00:27:22
And, Andy, do you find that true with Zscaler right from the
00:27:27
beginning to the end right now, because you're a board member
00:27:30
of Red Zscaler?
00:27:31
Zscaler is a fantastic product.
00:27:33
By the way, I've used them personally, and I mean, for a web
00:27:40
proxy solution, to say that I enjoyed it,
00:27:41
that's not something that you hear every day. That's true.
00:27:48
Speaker 3: Look, I think board members generally need to be
00:27:50
people with lots of experience, and my experience is that you
00:27:53
get the most experience on the winding road, which is what
00:27:57
leads you to the level of curiosity that Hellmuth just
00:27:58
described.
00:27:58
But I think your point was going a little deeper than that
00:28:01
and I just want to touch on that for a minute.
00:28:03
When you're building an organization that's growing
00:28:05
quickly, what you have to do is hire people smarter than you in
00:28:08
every role underneath you,
00:28:09
if you want to be carried on the shoulders of giants, and it
00:28:12
takes a lot of confidence to do that, and for many CISOs who are
00:28:18
being promoted early in their career into the lead role
00:28:22
because of the lack of qualified resources and because they're
00:28:25
ready but they're ready in an environment where people are
00:28:29
fishing upstream to try and get people to take these jobs the
00:28:35
danger is that you're not ready.
00:28:35
You're not mature enough yet to know that you need to hire
00:28:38
people smarter than you to work for you in every single role
00:28:41
reporting to you.
00:28:42
And this is how you actually are able to first of all, make
00:28:46
sure you've got a great succession plan in your
00:28:48
organization and, second of all, make the next step, which many
00:28:50
companies you're moving from CISO maybe to chief risk officer
00:28:55
and promoting somebody from within.
00:28:58
The promotion-from-within part in the industry is not happening
00:29:00
often enough, in my opinion.
00:29:01
Right now, there are so many searches out at any given point
00:29:04
in time for CISOs.
00:29:05
I'm aware of about 10 right now as an example.
00:29:08
I think not only do you need that from board members to the
00:29:10
point that you made, you need people with enough experience,
00:29:14
but oftentimes board members who've been in the role for a
00:29:16
long time maybe haven't had to deal with the level of
00:29:20
cybersecurity threat that exists today, and those are the people
00:29:24
that we were at the board with.
00:29:25
Right, I mean, it's written for everybody, but most of all,
00:29:29
it's written for people who want to come up to speed with.
00:29:31
Okay, how do I get my head around this?
00:29:32
How do I think about the right questions to ask and how do I
00:29:38
make sure that we are hiring people really smart, one down
00:29:40
and two down from the CISO to make sure that every defensive
00:29:46
angle that we can pursue has been pursued?
00:29:47
Yeah, it's a fascinating world, right.
00:29:51
Speaker 1: Because I guess for me right, I'm not a person who's
00:29:54
not a person.
00:29:54
I'm not at that level yet, and so it's always interesting to
00:29:58
hear how that world operates.
00:29:59
And as I become more experienced in my own career, I
00:30:04
start seeing things from a different perspective.
00:30:07
I start seeing things kind of from the top down, being able to
00:30:11
rationalize different decisions that are made within businesses
00:30:15
and with organizations and whatnot.
00:30:17
Is there any value to jumping ahead, like, let's say, for
00:30:23
instance, you go from being an individual contributor to a
00:30:26
manager faster than what you probably should have been.
00:30:28
Is there any value in biting off more than you can chew and
00:30:34
trying to work through it?
00:30:35
Or are there critical skills for you to have that will make
00:30:38
you successful, like what you mentioned of being able to hire
00:30:43
people that are smarter than you in every role beneath you?
00:30:46
Speaker 2: I think the first step is to recognize what you
00:30:49
know and what you don't know.
00:30:50
And we all have a certain profile and background and have
00:30:55
some depths in some areas and maybe are not that strong in
00:30:58
other areas, and that's hard sometimes.
00:31:02
You know, a really realistic view on yourself, and then you
00:31:05
take the next step and you try to find exactly those people and
00:31:10
put around you that don't look like you, that exactly have
00:31:13
those skills that you are missing.
00:31:14
So it's always in every company, in every organization.
00:31:19
It's not CSOR, not only the IT organization or cybersecurity.
00:31:23
I think in any organization the only one who wins is a team.
00:31:27
It's never one individual.
00:31:29
There might be one person who is a CEO, but still who wins is a
00:31:34
team, and a good CEO,
00:31:37
she is able to bring the right people together, covering
00:31:41
those areas where he or she is maybe a little weaker, and
00:31:45
strengthens and makes a team really a strong team.
00:31:47
I think that's number one, and number two is exactly what Andy
00:31:50
said.
00:31:50
Then you look for the best people that are much smarter
00:31:53
than you are, especially in the areas which you don't cover that
00:31:57
well, and that takes a certain level of maturity.
00:32:00
That's not just knowing a subject matter.
00:32:03
Now you have to have the maturity to accept that you
00:32:07
actually work with people that report to you, that know their
00:32:10
subject matter much better than you do, and this is the only way,
00:32:14
I think, to really advance strong people strongly and get
00:32:17
ready, as Andy described, potentially even for a next
00:32:20
level.
00:32:22
Speaker 3: I mean, there's a bit of science on this, Joe, to some.
00:32:24
McKinsey has a fantastic report on this that talks about skill
00:32:27
distance, which is the distance of the role you're going into
00:32:31
versus the one that you're in.
00:32:32
Basically, one of my mentors always said to me, if you're
00:32:36
sixty percent sure that you can do the role, take the job, but
00:32:39
if you're fifty-five percent sure, do not take the job.
00:32:42
Right, because the thing is you have to have enough competence,
00:32:45
which comes from the experience of your current role, that you
00:32:49
can transfer into the new role while you learn the new skills.
00:32:52
So you're both teaching and learning at the same time when
00:32:55
you take the kind of step that you just talked about before.
00:32:58
You know, and one of my favorite, my favorite quote of
00:33:01
all time is from Julius Caesar, and the quote is "experience is
00:33:05
the teacher of all things", and the older I've become,
00:33:10
the more I've realized how true that is.
00:33:11
How you attain the experience is very important, right?
00:33:15
So people who take more career risk earlier, but not too much
00:33:19
career.
00:33:19
This sixty-forty thing is, like, very important.
00:33:22
You take too much and you don't do well, you lose confidence
00:33:25
and actually go backwards.
00:33:26
So the people that take more risk earlier are the people who
00:33:30
do well later.
00:33:30
Not surprising, but it is.
00:33:32
It is a fact from the McKinsey analysis that
00:33:35
that is true, and the thing that they do more of is acquire
00:33:39
new skills more frequently and more often and faster.
00:33:42
That's what they do well.
00:33:44
So.
00:33:45
So I think many CEOs that I've worked for, and with, have
00:33:49
that skill.
00:33:50
They've been able to basically acquire skills quickly and
00:33:53
acquire knowledge quickly in roles.
00:33:55
But I think the theoretical learner is different than the
00:33:58
person with experience.
00:33:59
And this is a point Hellmuth made earlier, and that's what
00:34:02
Caesar knew about war.
00:34:03
He knew that the people with the most experience on the
00:34:06
battlefield knew all the tricks that the enemy was going to
00:34:09
deploy.
00:34:10
So I think I think that is super important and that's what
00:34:13
you're trying to get.
00:34:13
As a thirty something or forty something, you're trying to
00:34:17
become as experienced as possible to allow you to deal
00:34:20
with anything that life throws at you and, in a security role,
00:34:23
anything that life throws at you, you could be the survivor of
00:34:25
your business.
00:34:26
So it's kind of a.
00:34:27
It's super important to understand that, I think.
00:34:30
Speaker 2: I have a corollary to this and I fully agree with
00:34:33
Andy on the sixty-forty, and I think it's as bad if it's a ninety-nine,
00:34:37
one.
00:34:38
So if you're a hundred percent sure you will do great
00:34:41
in this job, then you're standing.
00:34:43
So you have to feed your growth mindset by continuously
00:34:48
challenging yourself.
00:34:49
Just don't overstretch to the extreme.
00:34:51
Then you fall into the trap that Andy described.
00:34:54
But if you do the other extreme, it's not helpful either,
00:34:58
because you're not advancing anymore.
00:34:59
You're not.
00:34:59
You're not growing mentally, you're not growing this
00:35:01
experience.
00:35:01
So my recommendation to the listeners that are at this stage
00:35:05
where they are considering a next step, always try to find
00:35:09
something where you have a strong base of sixty percent,
00:35:12
but where you also see it.
00:35:14
Maybe it's just thirty five percent, but you see that
00:35:17
there's a material increase in challenge, in responsibility and
00:35:22
then, out of this, also in professional personal growth.
00:35:25
Speaker 1: Yeah, it's very true, and I find myself even going
00:35:29
down that rabbit hole right now with debating of if I should get
00:35:32
my PhD or not.
00:35:32
You know I don't want to get my PhD just to have a PhD.
00:35:36
I feel like there's no value in that.
00:35:39
You know, I want to get a PhD.
00:35:40
I want to get a PhD to stretch myself, to really push myself to
00:35:44
learn a topic in depth that builds on my previous experience.
00:35:49
But I'm also not sure of the value that it holds in the
00:35:53
marketplace, necessarily, but obviously if I go into education
00:35:56
it holds a lot of value.
00:35:58
And so I'm weighing all of this out right, because I'm always
00:36:01
looking for the newest ways to push myself in learning a new
00:36:05
topic and kind of redefining my skill set right.
00:36:09
I've done it a couple times now in my career and it's been
00:36:12
beneficial every single time that I've done it.
00:36:15
You know, I went from being just an IT help desk to, you
00:36:19
know, doing a specialist role with this little security kind of
00:36:22
flavor to it, to being a dedicated security engineer for
00:36:26
organizations, to going into cloud security.
00:36:28
That graduation is, you know, different skill sets all along
00:36:32
the way.
00:36:33
For sure it's an interesting balance, I think.
00:36:36
What advice would you give to someone debating about getting a
00:36:40
PhD or taking another level of education.
00:36:44
Speaker 2: I think, you know, it's less the title.
00:36:47
If it's a PhD or whatever it is, that is actually
00:36:50
secondary.
00:36:51
I think number one is the process.
00:36:53
But if it's only the process, without a product at the end,
00:36:58
there's a high risk to stop somewhere at seventy five
00:37:01
percent.
00:37:01
The advantage of, and again it can be a PhD or
00:37:05
something else, on a level where you have to, you know, where you
00:37:09
have to do the very tough last five percent.
00:37:12
You have to really fully complete it, and I think there's
00:37:16
something in there in this process until the final end.
00:37:20
And there it doesn't matter exactly which type of final end
00:37:24
is in there.
00:37:24
But I think what you describe before, this process, is
00:37:27
critical, because going through the process and going through
00:37:31
the process with all the hurdles you have to jump over.
00:37:33
I think that really strengthens your knowledge base
00:37:38
and also your confidence that you can actually master these
00:37:41
challenges.
00:37:43
Speaker 3: Yeah, I actually have struggled with that same thing
00:37:46
in my twenties, Joe, honestly, and I ended up managing a
00:37:51
student who ICI was sponsoring for their PhD, who
00:37:54
was on my undergrad course in London at Oxford.
00:37:57
And so because my boss left to have a baby and I was
00:38:01
left in charge of the student, who was one of my friends from
00:38:04
college, and every two weeks I'd go to Oxford and
00:38:08
meet with Graham Richards, who was her professor, and he
00:38:12
would try to recruit me to do a PhD, and I was very tempted to
00:38:16
do it, to be frank, and I think the thing is that that the role
00:38:20
I had at ICI was actually in the research organization, doing
00:38:24
research science, so I kind of felt like I was already doing
00:38:28
what I would see.
00:38:29
One of the reasons why I chose not to become a manager early in
00:38:34
my career is that I wanted to be really deep in programming.
00:38:36
I did not want to be broad, which is what management gives
00:38:39
you. Later on, coming back to it was better.
00:38:43
Being older, by the way, too, in my opinion, for me, that was
00:38:46
better, I think, if you have the desire to go really deep on a
00:38:50
topic, particularly if you want to start a business on something
00:38:53
and you're really curious to go explore a topic, then going
00:38:57
really deep can be great.
00:38:58
While I was mentoring this other student, they were
00:39:04
actually building a competitive product to the one we built at
00:39:07
ICI.
00:39:07
It was called ChemGraph.
00:39:08
So I was able to see both sides of it both the student who
00:39:12
tried to turn that into a business when he left college
00:39:15
and was very successful actually in the end, and the way the
00:39:18
academics felt about that, which was not great actually, and
00:39:22
then just doing a commercial product.
00:39:24
We had so much resource, I mean it was just so much easier for
00:39:27
us to be successful.
00:39:29
So I think you can sometimes take your pet project and build
00:39:33
a startup instead of doing a PhD, as long as you're confident
00:39:36
that you have enough knowledge to actually go after it.
00:39:39
There's a lot of work, by the way, around depth in startups,
00:39:43
particularly in security.
00:39:44
Because there are so many startups, the space now is
00:39:48
getting so thin in terms of what you need to be good at to build
00:39:51
a company that's valuable.
00:39:53
That could be another way to satisfy or scratch that itch, I
00:39:56
guess.
00:39:56
But I know exactly what that feels like and I used to talk to
00:40:01
my dad about it all the time, like I should do that on art,
00:40:04
and he's like well, I said, it looks like you're doing really
00:40:06
well at work, so why would you do it?
00:40:08
But on the other hand, he of course wanted me to get a PhD
00:40:10
from Oxford and he used to push me very hard to do it but ended
00:40:14
up not doing it and not regretting it actually.
00:40:15
So it just depends on kind of where you land, I think, in the
00:40:19
end.
00:40:19
Speaker 1: Yeah, it makes a lot of sense.
00:40:21
So, Andy, in the beginning of our conversation you talked
00:40:25
about how you were with Zscaler from the very beginning.
00:40:29
Speaker 3: Not from the very beginning, but early on 2013.
00:40:32
Speaker 1: That's still pretty early on.
00:40:33
As someone from the outside, I've always found it interesting
00:40:36
as to how Zscaler went from being obviously the best web
00:40:42
proxy to kind of even developing this area that we now call Zero
00:40:46
Trust.
00:40:47
What was that like?
00:40:50
Because to me as an engineer, once I understood it as oh, this
00:40:55
is least privilege for your entire network.
00:40:57
Once I understood it as that, it made a lot more sense to me
00:41:01
and it kind of opened the door.
00:41:02
But what was that shift like internally at Zscaler, making
00:41:06
that shift from okay, we're a web proxy solution company to
00:41:12
we're a Zero Trust leader essentially?
00:41:15
Speaker 3: So many of the engineers at
00:41:19
Zscaler came from NetScaler, and NetScaler was a very, very
00:41:23
performant, the founding engineers I'm talking about, and
00:41:26
NetScaler was an extremely performant reverse proxy
00:41:29
solution.
00:41:30
So one of the things they focused on was getting packets
00:41:33
from the left-hand side, or the north, to the south side of the
00:41:36
ZEN boxes very, very fast, less than a millisecond, and with a
00:41:42
web proxy, that's extremely important.
00:41:44
So there are many benefits of putting the proxy in the cloud.
00:41:47
The management of PAC files, I mean the whole policy management,
00:41:51
massive benefit.
00:41:53
But this idea of what could you do to the packets while they
00:41:56
were traversing the edge of the network became super important
00:42:01
for the business.
00:42:02
But you have to do it without impacting the performance.
00:42:05
So what you can run in line between the north side and the
00:42:10
south side of the interface still has to be faster than 10
00:42:13
milliseconds.
00:42:13
It really wants to be more like two or three milliseconds or
00:42:17
less, and so the challenge always was how much
00:42:21
functionality, how many algorithms can you run on those
00:42:24
packets while they're passing through the box to enable you to
00:42:28
put things like DLP in line and all these other capabilities
00:42:32
that we now deliver?
00:42:33
And so, to me, the thing that amazed me the most was the
00:42:38
original design of the engineers.
00:42:40
You know Zscaler stands for zenith of scalability, as you
00:42:43
probably know, and it's the scalability of both.
00:42:46
The architecture, which is, you can add as many pods as you
00:42:51
need worldwide to deal with the traffic that you have.
00:42:54
Most people have never heard of Terabit networks, but we run
00:42:57
them, and so the bottom line is that not only do you have to
00:43:01
have boxes that are very fast, but you have to deal with a lot
00:43:03
of scale on the bandwidth side as well.
00:43:05
I haven't seen this recently, but they used to, in every board
00:43:08
meeting,
00:43:09
show us, you know, Zscaler versus Google, Facebook, TikTok
00:43:12
and YouTube in all the major cities in the world, and I start
00:43:16
watching when we hit number three, basically.
00:43:18
So I don't know what the numbers are now, to be honest, I
00:43:21
haven't looked them for ages, but that scale that we're
00:43:23
running in the enterprise, there's no one else in that
00:43:26
scale.
00:43:26
I mean there are people who have consumer businesses at that
00:43:29
scale, but not not.
00:43:31
So the scale itself.
00:43:32
I remember being in a meeting with Google, when Google were on
00:43:34
the board, where we exceeded Google's throughput and they were
00:43:37
literally blown away.
00:43:38
I mean it was amazing, you know, I think you have to.
00:43:43
You have to lead with performance.
00:43:45
You have to think about then the SLA, that's open, which is
00:43:48
about two milliseconds, and then you think about well, what else
00:43:51
can we do in that two milliseconds to add all of the
00:43:54
functionality that we've added today?
00:43:56
And, by the way, mostly we're less than one millisecond today
00:43:59
because what's happened in the meantime is Moore's Law has
00:44:02
continued.
00:44:03
Networking interfaces have become more performant.
00:44:05
You can buy more capacity from fiber companies, so you know
00:44:08
there's an all boats rise in that ocean kind of model
00:44:12
there as well.
00:44:13
That's helped us along the way.
00:44:14
But running a network at that scale is, I mean, I worked in
00:44:18
telecom, I know what that is like, right, and I ran
00:44:22
networks, by the way, in financial services too.
00:44:24
So the scale itself still is unbelievable.
00:44:29
It's kind of like the scale of some things that SpaceX are
00:44:33
doing, for example, just in terms of how much of a reach it
00:44:36
is to be able to do that.
00:44:38
So I still find that amazing today.
00:44:40
But that's basically the, architecturally speaking, that's
00:44:43
kind of how that works, if that makes sense.
00:44:46
Speaker 2: And Joe, maybe from a customer perspective.
00:44:48
No, we at Siemens, we are customers of Zscaler and we
00:44:52
started really with a point solution with the so-called
00:44:55
Zscaler Internet Access, connecting directly to software
00:44:59
as a service providers like Salesforce, and then Microsoft
00:45:02
when we introduced 365.
00:45:04
And what was really interesting , traditionally we had always
00:45:08
this triangle between cost, usability and security and
00:45:12
usually the discussion was always well, let's spend a
00:45:15
little more than we get a little bit more security, but then
00:45:18
usability went down because it became more complicated.
00:45:20
So somehow the triangle was always unbalanced and for us it
00:45:24
was the first time when we introduced zero trust and
00:45:28
Zscaler that in all three dimensions we had improved.
00:45:31
We had actually higher security , we had higher usability and we
00:45:35
had less communications costs.
00:45:36
So it was a very interesting game changer for us that what we
00:45:41
thought were trade offs were not trade offs anymore and we
00:45:44
could drive all three dimensions in the right direction.
00:45:47
Speaker 1: Yeah, it's a really fascinating area and I feel like
00:45:50
we could have a whole other episode just talking about
00:45:52
Zscaler and the capabilities and the future of it.
00:45:55
Right, but we're coming to the end of our time here, but before
00:45:58
I let you guys go, let's talk quickly about the book that you
00:46:03
guys put together.
00:46:04
What's the book title?
00:46:05
And I'm wondering is there a common language when dealing
00:46:09
with the boardroom that you have found to be very efficient?
00:46:13
Right, and I asked this as someone that is graduating in
00:46:17
their career.
00:46:18
Right, I'm learning how to structure different
00:46:22
conversations with different parties within the company, so
00:46:25
what's your opinion on that?
00:46:26
Speaker 2: So let me start with the easy part.
00:46:28
What's the title?
00:46:29
It's Cyber Security Seven Steps for Board Directors, but then
00:46:32
it has a subtitle and it's called the Guide to Effective
00:46:36
Cyber Risk Oversight from Board Members for Board Members.
00:46:40
So number one is, the idea was, as Andy and I described before,
00:46:45
that we make a very practical description.
00:46:49
That's really helpful for board members, that where many of
00:46:52
them do not have very detailed knowledge of cybersecurity, but
00:46:56
a lot of curiosity and, naturally, a responsibility, a
00:47:00
fiduciary responsibility for the companies they represent on the
00:47:04
board.
00:47:04
And so the book is full of specific examples you know
00:47:09
what's happening in the cybersecurity environment, and
00:47:12
it also translates technical terms into real life terms.
00:47:17
And I think they're coming back to your other question.
00:47:19
How is it helpful?
00:47:21
Actually not for board members, but for, for example, CISOs
00:47:25
that communicate regularly with the board.
00:47:27
And I would say just number one, as when you walk into the
00:47:31
boardroom as a CISO, you can assume that everybody in the
00:47:35
room is prepared.
00:47:37
You can assume that everybody in the room has a very strong
00:47:40
interest to make the company even more successful, and
00:47:43
cybersecurity is one part of it, but you also have to assume
00:47:47
that not everybody in the room has the same technical depth as
00:47:51
you as a CISO have.
00:47:52
So make sure you have enough time to translate what you want
00:47:57
to achieve, on what you're working on, into a relatively
00:48:01
normal business language and how it relates directly to the
00:48:05
business that the board has its fiduciary responsibility for.
00:48:08
And I think there the book is helpful in both directions it's
00:48:11
helpful for board members, but it's also helpful for the IT
00:48:15
professionals that regularly have a dialogue with the board.
00:48:19
Speaker 3: Maybe I'll pick up on a few other points.
00:48:20
The first one I'd pick up on is often members of the executive
00:48:25
team in companies are also not cyber aware or not as cyber
00:48:30
aware, and we're certainly seeing collective responsibility
00:48:32
emerge as a theme around both the lawsuits against Uber and
00:48:37
SolarWinds and, more deeply now with the SEC changes that
00:48:41
require material disclosure after four days.
00:48:44
So everybody on the on the executive committee of a company
00:48:48
now needs to really be on the same page with filing an 8-K
00:48:52
after an event like that has occurred.
00:48:54
So I think there are now not just knowledge requirements of
00:48:59
board members, to Hellmuth's point, but there are also
00:49:02
transactional decisions that the board are going to participate
00:49:05
in, where board members are required to be well enough
00:49:09
informed to make a decision on what materiality is.
00:49:11
The second thing there, I think , is that not acting too soon is
00:49:16
super important.
00:49:17
We've seen with the Clorox incidents that when
00:49:20
you react too early you often have to retract or react again,
00:49:24
basically when you find out more things later on.
00:49:28
And there have been a number of breaches and exfiltrations
00:49:31
recently where the initial extent of the exfiltration has
00:49:34
been found to be much, much greater than was originally
00:49:39
disclosed.
00:49:39
So I think that's another area that we've put into the book,
00:49:43
which is about kind of the process that you put around the
00:49:47
assessment of materiality as well, but mostly that the book is.
00:49:52
The book is really organized around process and what process
00:49:56
you should run, both to get people up the learning curve to
00:50:01
what they need to know, to have a common language that they can
00:50:05
actually converse with the CISO in.
00:50:08
Often CISOs are very technical and converting the way a
00:50:11
technologist speaks to the way a business risk needs to be
00:50:15
encapsulated is a trick, and I think you know you can't expect
00:50:18
CISOs to learn overnight, particularly given the
00:50:21
conversation we had earlier about how often they are kind of
00:50:24
quite young when they're put into that role.
00:50:26
They can't overnight understand what the business risk is.
00:50:29
So I think the executive team needs to work with them and
00:50:32
that's also something that we cover in the book as well.
00:50:35
And then the use of public framework, so like the NIST
00:50:38
assessment framework and so on, to get a really tight view on
00:50:43
what would an outside party say if they were doing an assessment
00:50:47
of your company and actually having someone like EY, KPMG or
00:50:51
PWC run an assessment like that.
00:50:53
So you know where you stand and you know what you need to
00:50:56
improve.
00:50:56
So I think all of those things are important.
00:50:59
I mean, the whole risk surface area is a topic that we touch on
00:51:03
a fair amount in the book as well.
00:51:05
It's just understanding what that is and where your current
00:51:08
weaknesses and strengths are as well, super important.
00:51:11
But I think that if you ask it at a macro level, I think that's
00:51:14
probably about the scale of it.
00:51:17
Speaker 1: Sounds really interesting.
00:51:18
I'll definitely have to pick up that book at some point.
00:51:21
Well, guys, unfortunately we're at the top of the hour and I
00:51:26
know that we already went over, so I really appreciate you
00:51:29
hanging on Before I let you go.
00:51:31
How about you tell my audience where they could find you if
00:51:34
they wanted to learn more and reach out?
00:51:36
Speaker 3: Sure, I'm very easy to find on LinkedIn.
00:51:39
By all means, reach out with questions on the book on
00:51:42
LinkedIn and obviously you can channel those through Zscaler as
00:51:45
well.
00:51:45
Speaker 2: Yeah, same thing.
00:51:46
LinkedIn is the easiest and if you can make available the link
00:51:51
to download the book if they're interested, it's publicly
00:51:55
available, so easy, accessible, and if there are any specific
00:51:59
questions, LinkedIn is always a good way to connect.
00:52:02
Speaker 1: Awesome.
00:52:02
Well, all the links will be in the description of the episode
00:52:05
and I really appreciate you guys coming on.
00:52:07
Thanks everyone.
00:52:08
I hope you enjoyed this episode .