CISO Conversations: Julien Soriano (Box) and Chris Peake (Smartsheet)

Julien Soriano and Chris Peake are CISOs for primary collaboration tools: Box and Smartsheet. As always in this series, we discuss the route toward, the role within, and the future of being a successful CISO.

Like many kids, the young Chris Peake had an early interest in computers – in his case from an Apple IIe at home – but with no intention of turning that early interest into a long-term career. He studied sociology and anthropology at university.

It was only after college that events guided him first toward IT and later toward security within IT. His first job was with Operation Smile, a non-profit medical service organization that helps provide cleft lip surgery for children around the world. He found himself building databases, maintaining systems, and even being involved in early telemedicine efforts with Operation Smile.

He didn’t see it as a long-term career. After nearly four years, he moved on, but now with IT experience. “I started working as a government contractor, which I did for the next 16 years,” he explained. “I worked with organizations ranging from DARPA to NASA and the DoD on some great projects. That’s really where my security career started – although in those days we didn’t consider it security, it was just, ‘How do we manage these systems?’”

Chris Peake, CISO and SVP of Security at Smartsheet.

He became global senior director for trust and customer security at ServiceNow in 2013 and moved to Smartsheet in 2020 (where he is now CISO and SVP of security). He started this journey with no formal education in computing or security, but acquired first a Master’s degree in 2010, and subsequently a Ph.D (2018) in Information Assurance and Security, both from the Capella online university.

Julien Soriano’s route was very different – almost tailor-made for a career in security. It started with a degree in physics and quantum mechanics from the University of Provence in 1999 and was followed by an MS in networking and telecommunications from IMT Atlantique in 2001 – both from institutions in and around the French Riviera.

For the latter he needed a stint as an intern. A child of the French Riviera, he told SecurityWeek, is not attracted to Paris or London or Germany – the obvious place to go is California (where he still is today). But while an intern, disaster struck in the form of Code Red.

Code Red was a self-replicating worm that exploited a vulnerability in Microsoft IIS web servers and spread out to similar web servers in July 2001. It very rapidly propagated around the world, affecting businesses, government agencies, and individuals – and caused losses running into billions of dollars. It could be claimed that Code Red kickstarted the modern cybersecurity industry.

From great disasters come great opportunities. “The CIO came to me and said, ‘Julien, we don’t have anyone who understands security. You understand networks. Help us with security.’ So, I started working in security and I never stopped. It started with a crisis, but that’s how I got into security.”

Since then, he has worked in security for PwC, Cisco, and eBay. He has advisory positions with Permiso Security, Cisco, Darktrace, and Google – and is full-time VP and CISO at Box.

The lessons we learn from these career journeys are that relevant academic training can certainly help, but it can be acquired either in the normal course of an education (Soriano) or learned ‘en route’ (Peake). The direction of the journey can be mapped from college (Soriano) or adopted mid-stream (Peake). An early affinity for or background in technology (both) is almost certainly essential.

Leadership is different. A good engineer doesn’t necessarily make a good leader, but a CISO must be both. Is leadership inherent in some people (nature), or something that can be taught and learned (nurture)? Neither Soriano nor Peake believes that people are ‘born to be leaders’, but they have surprisingly similar views on the evolution of leadership.

Soriano believes it to be a natural result of ‘followship’, which he describes as ‘empowerment by networking’. As your network grows and gravitates toward you for advice and assistance, you slowly adopt a leadership role in that environment. In this interpretation, leadership qualities emerge over time from the combination of knowledge (to answer queries), the personality (to do so with grace), and the ambition to be better at it. You become a leader because people follow you.

For Peake, the process into leadership started mid-career. “I realized that one of the things I really enjoyed was helping my teammates. So, I naturally gravitated toward the roles that allowed me to do this by taking the lead. I didn’t need to be a leader, but I enjoyed the process – and it led to leadership positions as a natural progression. That’s how it started. Now, it’s just a lifelong learning process. I don’t think I’m ever going to be done with learning to be a better leader,” he said.

“The role of the CISO is expanding,” says Peake, “both in importance and scope.” It is no longer just an adjunct to IT, but a role that applies to the whole of business. IT provides tools that are used; security must persuade IT to implement those tools securely and persuade users to use them safely. To do this, the CISO must understand how the whole business works.

Julien Soriano, Chief Information Security Officer at Box.

Soriano uses the common metaphor relating security to the brakes on a race car. The brakes don’t exist to stop the car, but to allow it to go as fast as safely possible, and to slow down just as much as necessary on dangerous curves. To achieve this, the CISO needs to understand the business just as well as security – where it can or must go full speed, and where the speed must, for safety’s sake, be somewhat moderated.

“You have to gain that business acumen very quickly,” said Soriano. You need a technical background to be able to implement security, and you need business understanding to liaise with the business leaders to achieve the right level of security in the right places, in a way that will be accepted and used by the users. “The aim,” he said, “is to integrate security so that it becomes part of the DNA of the business.”

Security now touches every aspect of the business, agreed Peake. Key to implementing it, he said, is “the ability to earn trust, with business leaders, with the board, with employees and with the public that buys the company’s products or services.”

Soriano adds, “You must be like a Swiss Army knife, where you can keep adding tools and blades as necessary to support the business, support the technology, support your own team, and support the users.”

An effective and efficient security team is essential – but gone are the days when you could just recruit technical people with security understanding. The technology element in security is expanding in size and complexity, with cloud, distributed endpoints, biometrics, mobile devices, artificial intelligence, and much more; but the non-technical roles are also increasing with a demand for communicators, governance specialists, trainers, people with a hacker mindset and more.

This raises an increasingly important question. Should the CISO seek a team by focusing only on individual excellence, or should the CISO seek a team of people who work and gel together as a single unit? “It’s the team,” Peake said. “Yes, you need the best people you can find, but when hiring individuals, I look for the fit.” Soriano refers to the Swiss Army knife analogy – it needs many different blades, but it’s one knife.

Both consider security certifications useful in recruitment (indicative of the candidate’s ability to learn and acquire a baseline of security understanding), but neither believes certifications alone are enough. “I don’t want to have a whole team of folks that have CISSP. I value having some different perspectives, some different backgrounds, different training, and different career paths coming into the security team,” said Peake. “The security remit continues to broaden, and it’s really important to have a variety of perspectives in there.”

Soriano encourages his team to gain certifications, if only to improve their personal CVs for the future. But certifications don’t indicate how someone will react in a crisis – that can only be seen through experience. “I support both certifications and experience,” he said. “But certifications alone won’t tell me how someone will react to a crisis.”

Mentoring is good practice in any business but is almost essential in cybersecurity: CISOs need to encourage and help the individuals in their team to make them better, to improve the team’s overall efficiency, and to help individuals progress their careers. Fundamentally it is giving advice, though it involves more than that. We distill this subject into discussing the best career advice ever received by our subjects, and the advice they now give to their own team members.

Advice received

Peake believes the best advice he ever received was to ‘seek disconfirming information’. “It’s really a way of countering confirmation bias,” he explained.

Confirmation bias is the tendency to interpret evidence as confirming our pre-existing beliefs or attitudes, and to ignore evidence that might suggest we are wrong in those beliefs.

It is particularly relevant and dangerous within cybersecurity because there are multiple different causes of problems and different routes toward solutions. The objective best solution can be missed because of confirmation bias.

He describes ‘disconfirming information’ as a form of ‘disproving an in-built null hypothesis while allowing proof of a genuine hypothesis’. “It has become a long-term mantra of mine,” he said.

Soriano notes three pieces of advice he has received. The first is to be data driven (which echoes Peake’s advice to avoid confirmation bias). “I think everyone has feelings and emotions about security and I think data helps depersonalize the situation. It provides grounding insights that help with better decisions,” explained Soriano.

The second is ‘always do the right thing’. “The truth is not pleasing to hear or to say, but I think being transparent and doing the right thing always pays off in the long run. And if you don’t, you’re going to get found out anyway.”

The third is to focus on the mission. The mission is to protect and empower the business. But it’s an endless race with no finish line and contains multiple shortcuts and misdirections. “You always have to keep the mission in mind no matter what,” he said.

Advice given

“I believe in and recommend the fail fast, fail often, and fail forward idea,” said Peake. “Teams that try things, that learn from what doesn’t work, and move quickly, really are far more successful.”

The second piece of advice he gives to his team is ‘protect the asset’. The asset in this sense combines ‘self and family’ and the ‘team’. You cannot help the team if you do not look after yourself, and you cannot look after yourself if you do not look after your family.

If we protect this compound asset, he said, “We’ll be able to do great things. And we’ll be ready physically and mentally for the next big challenge, the next big vulnerability or attack, as soon as it comes round the corner. Which it will. And we’ll only be ready for it if we’ve taken care of our compound asset.”

Soriano’s advice is, “Le mieux est l’ennemi du bien.” He’s French, and this is Voltaire. The usual English translation is, “Perfect is the enemy of good.” It’s a brief sentence with a depth of security-relevant meaning. It’s a simple fact that security can never be absolute, or perfect. That shouldn’t be the aim – good enough is all we can achieve and should be our purpose. The danger is that we can spend our energies on chasing impossible perfection and miss out on achieving good enough security.

A CISO must learn from the past, handle the present, and have an eye on the future. That last involves watching current and predicting future threats.

Three areas concern Soriano. The first is the continuing evolution of what he calls ‘hacking-as-a-service’, or HaaS. Bad actors have evolved their profession into a business model. “There are groups now with their own HR departments for recruitment, and customer support departments for affiliates and in some cases their victims. HaaS operatives sell toolkits, and there are other groups offering AI services to improve those toolkits.” Criminality has become big business, and a primary purpose of any business is to increase efficiency and expand operations – so what is bad now will almost certainly get worse.

His second concern is over understanding defender efficiency. “How do we measure our efficiency?” he asked. “It shouldn’t be in terms of how often we have been breached because that’s too late. We have some methods, but overall, as an industry, we still don’t have a good way to measure our efficiency, to know if our defenses are good enough and can be scaled to meet increasing volumes of threat.”

The third threat is the human risk from social engineering. Criminals are getting better at persuading users to do the wrong thing – so much so that most breaches today stem from a social engineering attack. All the signs coming from gen-AI suggest this will increase.

So, to summarize Soriano’s threat concerns: they are not so much about new threats, but about existing threats increasing in sophistication and scale beyond our current capacity to stop them.

Peake’s concern is over our ability to adequately protect our data. There are several elements to this. The first is the apparent ease with which bad actors can socially engineer credentials for easy access; the second is whether we adequately protect stored data from criminals who have simply logged into our systems with those credentials.

But he is also concerned about new threat vectors that distribute our data beyond our current visibility. “AI is an example and a part of this,” he said, “because if we’re entering information to train these large models and that data can be used or accessed elsewhere, then this can have a hidden impact on our data protection.” New technology can have secondary impacts on security that are not immediately recognizable, and that is always a threat.
