CISO Conversations: Frank Kim (YL Ventures) and Charles Blauner (Team8)


Frank Kim and Charles Blauner are CISOs-in-Residence with venture capital firms YL Ventures and Team8, respectively. 

Such CISOs are a unique form of CISO. They are responsible for both their own company and for the companies in which their firms invest. The role requires a deep and extensive understanding of how security is best managed in many different verticals.

Blauner had been an operating system mainframe coder with Bell Communications Research, a firm formed after the breakup of AT&T. Hacking as we know it today did not exist – but phone phreaking was hot. In those days, using a telephone was expensive – especially for long distance calls. Phreakers had discovered that a 2600 Hz tone, the in-band signal the network itself used to mark a trunk as idle, would trick the telephone system into allowing a free long distance call. 2600 Hz and phreaking are no longer relevant, but the name lives on in 2600: The Hacker Quarterly (the world’s oldest hacker magazine). 

The telephone companies formed a team to combat phreaking. Blauner had the right technical knowledge, “But honestly, the person who was asked to form the team knew me because of cheesecake and scuba diving. Which is completely random, but true.” This was his entree into cybersecurity.

Charles Blauner, CISO in Residence at Team8.

“It was all very technical. It was really focused on how to secure the telephone system,” he continues. “I was also doing a lot of standards work in the Open Software Foundation [now known as The Open Group after merging with X/Open in 1996] and the IETF on applying cryptographic protocols to secure communications protocols – stuff like that. That was the beginning, and then there was a long journey since then. In many ways, the beginning was just a happy accident. You couldn’t go and study this stuff, because we started it.” The happy accident is an important concept to Blauner, and plays a major role in his career progression and personal philosophy.

Kim also started as a coder more than 20 years ago. “I wrote a bunch of code. Some of that code had security vulnerabilities although at the time I didn’t realize these were issues. But when I realized the implications, I had to figure out how to fix them. Over time I naturally became the security guy on the team. If a security issue came up, everyone would say, ‘Oh, well, Frank knows something about security stuff’.” 

Anything to do with security got tossed in his direction. “As time progressed,” he continues, “I started to do more and more security. Eventually I thought, hey, this is fun; and I began moving into security full time, doing application assessments, code reviews, pen tests, and building an application security team.”

The reason we discuss routes into cybersecurity is to consider whether that route is still applicable. The majority of top tier CISOs today began their career before cybersecurity existed as a concept – at most it was known as IT security – that is, security was just considered an appendage to IT. There was no definition of the work, and no certifications to demonstrate or teach it. But there are a few common factors: most CISOs started with a deeply technical background, came across security, became interested in it, and found or created an opportunity to pursue it. In most cases it involved a variation of what Blauner calls a ‘happy accident’.

The question, though, is whether happy accidents can still occur now that cybersecurity is a recognized and structured profession with university degrees and third party certifications designed to prove personal worth. Can you still get into cybersecurity by happy accident, or do you need to start planning a cybersecurity career while still at high school?


“There’s still a lot of opportunity out there, and there’s still an ability for people to break into security provided they want to continuously learn, stay ahead of the business changes, stay ahead of the threat changes, and stay ahead of the technology changes,” says Kim. “You may need to be a bit more proactive these days, but it can still be done.”

“For me, there was a happy accident that got me into security,” says Blauner. “Then there was another happy accident that got me into banking. I absolutely think people can have happy accidents in their careers today.” 

Both agree that this is partly due to the changing nature of cybersecurity. What was once an overarching monolithic structure has now become a cluster of multiple distinct functions and roles. “Yes, you have the technical team: engineers and pentesters, but you also need people with completely different skill sets: communicators, intelligence analysts, risk advisors,” says Blauner. Kim adds the more recent need for cloud and AI expertise to the mix.

“Add to this that cyber is a space desperately in need of skilled people,” continues Blauner. “So, I think as long as people are proactive, it’s not easy, but I think there’s still plenty of opportunity,” adds Kim. “I feel very strongly that the answer is yes. The accidents are important, and they should never go away,” concludes Blauner.

With determination and persistence, any skilled person can find a door into cybersecurity – and once in, it becomes a case of ensuring you are part of the cream that rises to the top.

As the CISO’s role continues to expand, the position itself continues to evolve. In the beginning, security was a part of IT (the proverbial security guy at the desk in the corner of the IT room). The function rapidly became more important – it became known as IT security. It had its own existence, but it was still an appendage to IT. The CISO appeared but reported to the CIO.

Security continued to increase in importance and expand in functionality. It became cybersecurity. The CISO continued (for the most part) to report to the CIO – albeit with growing dissent. Today, the modern CISO has become a peer to the CIO (in relationship even if not on the hierarchy chart). But there are tentative signs of continuing evolution – in some organizations the CISO/CIO hierarchy is beginning to flip. There are variations on this. Sometimes the CISO also assumes the role of the CIO, and sometimes the CIO now reports to the CISO.

This history matters because every stage of it can still be found today. Which stage a company is at depends on its type, its size (and therefore its resource capability), and its maturity. 

For a mature company today, Blauner believes there are eight different personas that must be mastered by the modern and evolved CISO: risk manager, business leader, leader of people, storyteller, technologist, innovator, advisor, and collaborator. “I believe great CISOs, and there aren’t many of them, need to be good in at least five of these eight,” he says. 

But he adds that the two most important are technologist and business leader. “You don’t have to be a deep technologist, but you have to understand enough about technology to be able to say bullshit when people are trying to pull the wool over your eyes.”

The most important aspect of being a business leader is influence. “The CISO does most of his or her work through influence,” he continues. “So, being a business leader puts you in a position to influence the key people. But you still need some capability in all eight personas to be really successful.”

Kim is largely in agreement with this assessment within mature organizations. “Depending on the size and maturity of work, for example in a large organization, most of your time is not going to be spent doing security work. It’s going to be about relationships and building relationships, understanding the business, navigating the politics, and working through the process of getting things done.” Of course, you still need that technology and deep security knowledge to ensure you are getting the right things done for the business.

A company’s cybersecurity can only be as strong as its cybersecurity team; and a CISO can only be as efficient as his or her team. Team building is difficult but essential. “You’re not going to get rockstars in every position,” comments Kim. “That’s not the way things work.” So, you build the team with an eye to the future – not necessarily what someone is, but what that someone could become within the team.

Obviously, you seek the best talent you can find, but there are other aspects to consider. Synergy from the team is more important than individual rockstars. “Individual skill sets are important, but the team comes first. It’s like sport – individuals are important, but it’s teams that win championships,” comments Kim.

There are two important elements to building this team: aptitude for the work and a capacity for personal growth; and diversity within the team. The first is a value judgment in hiring (it is often said, ‘I look for someone who has the potential to exceed me’); the second is a consideration in all hiring. 

Kim expands on this diversity theme. “We don’t just need diversity in skill sets, but also a diversity of thought, which a lot of times comes from a diversity of background.” Blauner adds, “I want diversity of ethnicity, religion, nationality, gender, social background and so on; but what I’m looking for in that diversity of background is diversity of thought process.”

Frank Kim, CISO in residence at YL Ventures.

Both CISOs illustrated the point. “I once inherited a team where all the members were network security experts,” said Kim. “That isn’t bad if the team is only responsible for network security. But they were responsible for the wider concept of business security.” That includes a requirement for empathy with how users try to circumvent security controls, hacking skills to understand where and how you might be attacked, communication skills with both business leaders and end users, governance skills, compliance understanding, analytical and presentation skills, and more.

“Of course, the guy who started this team was a network security expert,” he added. “As a result, he only hired other network security experts without considering that he needed to diversify, even within the technical domains of security.”

Blauner’s story comes from a meeting in a large organization involving the organization’s top 1,000 managers. One of the managers stood up and said, ‘I have a major diversity problem’. “The CEO looked at him and said, ‘but you’re the only manager I have in this entire company whose leadership team is 50/50, male, female.’ The manager replied, ‘yes, but 100% of the leadership team all went to the same high school and the same university. They all think the exact same way.’”

This uniformity of thought is what needs to be overcome within a diverse security team. To stop a hacker, you need to be able to think like a hacker; to help a user you need to be able to think like a user; to deliver a technical presentation you need to understand what technologists need; to deliver a business presentation you need to be able to understand what business leaders want and can understand. The list goes on, and the team must include all of these skills. That diversity of abilities requires diversity of thought processes. The diversity of thought processes may come from diversity of background but isn’t necessarily dependent upon it. Neurodivergence (ASD and ADHD – see Harnessing Neurodiversity Within Cybersecurity Teams for more details), for example, provides a diversity in thought process that stems from ‘brain wiring’ rather than any social, ethnic, gender, or nationality background.

Building a growth-enabled diverse team is only half the problem. The CISO then needs to ensure it can work as a team and stay together and grow together despite the diversity within it. Churn in security teams is high. This is where the CISO needs to operate one of Blauner’s eight CISO personas: the ‘leader of people’. Kim’s sports analogy is relevant: a championship-winning team is dependent on a good manager/captain.

Mentoring is a key part of the CISO’s role. It plays into keeping team members motivated by their own potential career paths; and it delivers on a key element of team building – harnessing and encouraging the abilities of people able to succeed, and even exceed, their current CISO.

A mentor’s advice to each mentee will be personalized to the personality and expectations of each person. We can’t do that justice here. Instead, we ask each CISO for the best advice they ever received, and what general advice they would give to a potential future leader.

Advice received

“Don’t take it personally,” says Blauner. He gives an example of the effect in practice. He attended a monthly CIO Council meeting, chaired by the COO and including multiple CIOs in a large international banking group. He always briefed each CIO on the topic of his own presentation ahead of the meeting. This month, it was on a particularly sensitive subject.

The meeting turned into chaos. “Basically, two of the CIOs went to war with each other, using me as the bludgeon.” After the meeting, a senior manager asked why he wasn’t upset – he had just been attacked, but he seemed fine.

“I didn’t take it personally,” he replied. He may have been the foil, but he knew he wasn’t the target. That advice becomes a cornerstone of survivability and sanity. “CISOs need to deliver a lot of tough messages, and tough messages don’t always get friendly responses. So, I just don’t take responses personally.”

The best advice Kim ever received was ‘stay curious and keep learning’. “It’s not just about the technical things,” he explains. “It’s about learning how to build a team appropriately; how to make sure that you’ve got diversity of people and thought; how to keep learning about the business, the wider and changing business landscape, and the whole expanding threat landscape.”

Advice given

Kim’s approach to giving advice is based on ‘pull don’t push’. He tries to understand what the person wants to do and then provide guidance – he doesn’t attempt to push anyone toward his own preconceptions. Knowing what the mentee wants allows him to discuss how to get there and whether it really would be a good fit. “I’ve had people say, ‘Well, Frank, I want your job’. And I say great, let’s talk about what the pros and cons are.” 

It could be that the person is seduced by the prestige of ‘the C-Suite thing’, but Kim thinks that would be wrong. “There’s little prestige in being a CISO, just hard work and potential burnout.” So, Kim believes in getting to know the person, getting to know what the person wants in a career, and tailoring advice into exploring whether that would be a good route for that person – and only then giving advice on how to achieve it.

The primary advice Blauner gives is “Follow your heart.” He thinks there are two aspects to this: day-to-day work and career progression.

On the day-to-day side, this means having the courage to follow your heart’s convictions. “If your heart says, ‘this is too big to just ignore’, then you must have the courage to escalate it.”

For the career trajectory, he says don’t plan it in detail, but understand what makes you happy. “Allow your career to be a meandering journey; sometimes opportunistic, sometimes sought after. I coach people who may be in a job transition period to write a requirements document. The purpose is to clarify the characteristics they are seeking in their next position. I think people should always be introspective and understand where their joy comes from – and seek out opportunities that give them more joy.”

All CISOs need to be aware of threats to, and trends in, cybersecurity. This is especially important to a CISO-in-Residence since he or she is effectively providing expertise to multiple organizations simultaneously. What the CISOs tell us doesn’t enumerate or grade threats, but it does provide a peek into ‘top-of-mind’ concerns at the time we ask the question.

Kim believes we need to look inward to protect outward. “There are multiple adversaries out there: criminal gangs, nation states, hacktivists; and there is sometimes an overlap between them,” he says. “Some are financially driven, some are geopolitically driven, and some are both – such as North Korea. Hacktivists will attack companies anywhere in the political divide based on their own ideological views.”

The important point, he suggests, is to know what you’ve got that they want. “If something is valuable for your business, it’s probably valuable for the adversary as well.” In short, effective risk analysis and management should be used to help defend key assets against all forms of attack.

Blauner picked out some of the specific threats that concern him. The first is the adversarial use of AI. (See Cyber Insights 2024: Artificial Intelligence for discussions on the misuse of AI.) We know it is coming. It will increase the scale and sophistication of attacks – and if criminals can poison the data lakes that train our own AI, they can effectively make us attack ourselves. But we don’t know when it will really hit, nor what defensive AI we will have available.

His second concern is perhaps surprising but is not unique among CISOs. “Bad regulation scares me. I believe there needs to be a level of regulation, but while some regulators are good at talking about desired outcomes, others get overly focused on technical details. I think regulators need to be focused on outcomes, not details.” 

Part of his concern is the opposite failure: regulation that is unclear, and he cites the SEC disclosure rules as an example. “What goes into your annual SEC filings?” he asks. “What do you have to put into breach disclosures? When do you have to disclose? What does a ‘material cybersecurity incident’ actually mean? There’s a huge amount of uncertainty that is going to cause all sorts of bad behavior. Those bad behaviors, while not a direct threat to any one enterprise, will just suck away scarce resources.”

He considers this to be a real threat. “I don’t know many CISOs who are high on the hog with as much budget and as many people as they need. Every CISO I know is running a very lean shop. They can’t afford to be wasting resources unproductively and the uncertainty and the waste associated with bad regulation limits their ability to implement real security.”

His third threat is that the internet lights may go out. “I don’t think we’re ready for large scale quantum computing and what it means to our cryptographic infrastructure. It’s not a major risk for the next couple of years, but the lack of preparation for what is going to happen scares me. No-one knows when it will happen, but based on my experience in banking, it can take a decade or more to swap out cryptographic infrastructures. If quantum at scale happens seven years from now, we’re in deep trouble.” (See Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! for more details.) 

The problem is that the Internet’s trust infrastructure is built on public-key cryptography: the RSA and elliptic-curve signatures behind every certificate chain, TLS handshake and signed software update. Those algorithms are exactly what a large enough quantum computer running Shor’s algorithm defeats, and until they are replaced there is no fallback. “The Internet goes dark, right? If you can’t validate a certificate, if you can’t trust the source of anything anymore, if you can’t trust software updates anymore… the Internet breaks. And we don’t know when the timer goes off.”
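The decade-long swap-out Blauner describes starts with knowing where the vulnerable algorithms live. The script below is an added example, not code from the article or from either CISO: it walks the DER structure of an X.509 certificate with a minimal stdlib-only parser, pulls out the signature algorithm and the subject public key algorithm, and labels each against a small inventory table of algorithm OIDs. The OIDs are the real registered values; the table, the function names, and the certificate skeleton built by `build_sample_certificate` are assumptions constructed for the example so that it runs offline. On real input you would feed the DER bytes of each certificate in a bundle to `classify_certificate` instead.

```python
"""Added example: inventory the public-key algorithms in X.509 certificates and
flag the ones Shor's algorithm breaks (RSA, ECDSA/ECDH, EdDSA). Pure stdlib;
the sample certificate is a constructed DER skeleton, not a real certificate."""

# Registered algorithm OIDs -> (name, status). The status labels are an assumption
# about what a migration inventory would track; anything unlisted is flagged for review.
ALGORITHMS = {
    "1.2.840.113549.1.1.1": ("rsaEncryption", "quantum-vulnerable"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "quantum-vulnerable"),
    "1.2.840.10045.2.1": ("ecPublicKey", "quantum-vulnerable"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "quantum-vulnerable"),
    "1.3.101.112": ("Ed25519", "quantum-vulnerable"),
}

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one TLV."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def children(body):
    """Split the content of a constructed TLV into its (tag, content) elements."""
    off, out = 0, []
    while off < len(body):
        tag, value, off = parse_tlv(body, off)
        out.append((tag, value))
    return out

def classify_certificate(cert_der):
    """Map 'signature' and 'public_key' to (oid, name, status) for one DER certificate."""
    tag, body, _ = parse_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tbs, sig_alg, _sig = children(body)[:3]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:      # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    spki = fields[5]              # serial, signature, issuer, validity, subject, SPKI
    def alg_oid(alg_id_body):     # AlgorithmIdentifier = SEQUENCE { OID, parameters }
        return decode_oid(children(alg_id_body)[0][1])
    result = {}
    for label, oid in (("signature", alg_oid(sig_alg[1])),
                       ("public_key", alg_oid(children(spki[1])[0][1]))):
        name, status = ALGORITHMS.get(oid, ("unknown", "review"))
        result[label] = (oid, name, status)
    return result

def build_sample_certificate(sig_oid, key_oid):
    """Constructed DER skeleton with real X.509 field order; key bits and names are dummies."""
    alg = lambda oid: der(0x30, encode_oid(oid) + der(0x05, b""))   # parameters = NULL
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                          # version v3
              + der(0x02, b"\x01")                                   # serialNumber
              + alg(sig_oid)                                         # signature
              + der(0x30, b"")                                       # issuer (empty Name)
              + der(0x30, der(0x17, b"240101000000Z") * 2)           # validity
              + der(0x30, b"")                                       # subject
              + der(0x30, alg(key_oid) + der(0x03, b"\x00\x00")))    # subjectPublicKeyInfo
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00\x00"))

def count_vulnerable(certs):
    """Number of certificates whose signature or key algorithm is quantum-vulnerable."""
    return sum(any(v[2] == "quantum-vulnerable" for v in classify_certificate(c).values())
               for c in certs)

if __name__ == "__main__":
    bundle = [build_sample_certificate("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1"),
              build_sample_certificate("1.2.840.10045.4.3.2", "1.2.840.10045.2.1")]
    for cert in bundle:
        print(classify_certificate(cert))
    print(f"{count_vulnerable(bundle)} of {len(bundle)} certificates need migration")
```

The parser deliberately ignores AlgorithmIdentifier parameters (the named curve for EC keys, for instance) because the inventory question is only which algorithm family is in use; a real inventory would also record key sizes and expiry so that the longest-lived, most exposed certificates are migrated first.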

Related: CISO Conversations: Nick McKenzie (Bugcrowd) and Chris Evans (HackerOne)

Related: CISO Conversations: Legal Sector With Alyssa Miller at Epiq and Mark Walmsley at Freshfields

Related: CISO Conversations: Jason Rebholz and Jason Ozin From the Insurance Sector

Related: CISO Conversations: Three Leading CISOs in the Modern Healthcare Sector

