Simplifying Cyber

Crocodiles in the Board Room! With Andy Ellis

Aaron Pritz, Cody Rivers Season 2 Episode 9

What makes a truly effective security leader in today's complex threat landscape? In this enlightening conversation with Andy Ellis, former CISO of Akamai Technologies and author of "1% Leadership," we explore how the role of the security executive has transformed from a technical specialist to a strategic business enabler.

Andy shares his remarkable journey from Air Force information warfare specialist to becoming Akamai's first security hire, where he spent 20 years building a multi-billion dollar security business within the infrastructure company. His unique perspective challenges conventional thinking about security leadership, organizational structure, and how security teams should communicate risk to the broader business.

"Your job as a security professional is really to enable the business to make wiser risk choices," Andy explains, reframing the security function away from being the department of "no" to becoming a trusted advisor that helps organizations understand and navigate risks effectively. Using colorful analogies about crocodiles in the boardroom, he illustrates why security leaders should focus on making relevant risks believable rather than raising alarms about threats that don't align with business priorities.

We dive deep into the evolution of the CISO role, discussing why the traditional reporting structures may be outdated and how smaller companies are blending security leadership with IT functions as traditional infrastructure moves to SaaS. Andy challenges security professionals to understand why controls exist rather than just implementing them, asking three critical questions: "What is the real reason you do this? Could we stop? What should we do differently?"

Whether you're an aspiring security leader or a seasoned CISO, this conversation offers valuable insights on leadership, communication, and how to deliver real security value in an increasingly complex digital landscape. Listen now to learn how small, incremental improvements in your leadership approach can transform your security program's effectiveness and business impact.

🔗 Connect with Us & Get in Touch


Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.

No gatekeeping and no BS. We’re here to simplify.

Official Website: www.revealrisk.com

LinkedIn: https://www.linkedin.com/company/reveal-risk


Reveal Risk delivers cybersecurity results, not just reports.

Speaker 1:

Awesome. Well, welcome to a special episode of Simplifying Cyber. I'm your host, Cody Rivers.

Speaker 2:

And I'm Bronwyn Hudson.

Speaker 1:

Excellent and we are ecstatic today to welcome Andy Ellis, a principal at Doha Consulting, author of 1% Leadership and just a legendary CISO. Welcome Andy.

Speaker 3:

Thanks, Cody Bronwyn, really excited to be here today.

Speaker 1:

Likewise, we've got a great kind of topic set up for us to chat today and we're super excited. You know we've not had the chance to meet yet officially, so Bronwyn speaks super highly of you and I read a little bit about you before our podcast and just really excited man to hear your story and everything. So give us a little bit of your background and let's hear about the Andy Ellis story.

Speaker 3:

Sure, so I'm going to go backwards. I just came out of being a venture capitalist. I was a first operating partner and then a partner at YL Ventures, which does Israeli seed stage cybersecurity investing. You might've just heard about one of our companies. One of my early investments, AIM Security, just got acquired. Fantastic outcome.

Speaker 3:

Yeah, I'm really excited when companies that I got to be like there at the ground stage, providing that value-add advising, turn out really well. Mostly it means they probably didn't listen to me as much and, you know, succeeded well. Matan is great at having his own vision, but I'll take some credit for it. So that's what I've done for the last four years. Before that I was at Akamai. So I was Akamai's first security hire, first CSO, acting CTO when we were building out the web security products. I sort of got to do a startup within a large company of taking an infrastructure business and creating a multi-billion dollar security business inside it. I was there 20 years. Before that I was in the US Air Force. I did information warfare. So one of the things I love doing when I'm talking with Israeli startups and everybody says, oh, I was in 8200 or I was in Talpiot or I was in 81. I'm like, yeah, I was doing that last millennium for the US Air Force. We just called it information warfare instead of cybersecurity.

Speaker 3:

So that's sort of the brief thing. I have some really crazy accolades. I like to point out for anybody who remembers seeing the movie Fast Times at Ridgemont High that was set at the Sherman Oaks Galleria and I am the winner of the Sherman Oaks Galleria Spelling Bee.

Speaker 2:

What? So rad. Do you happen to remember your winning word?

Speaker 3:

I don't remember exactly the winning word because we went back and forth for a while because the spelling team for the, the school I went to, we took first, second and sixth place. Awesome, so it's, it's really funny. As somebody who did a lot of spelling, I remember the spelling bees that I lost on. I remember the word varicose. I just I said ve and then my brain was like what are you doing? But you're late, you're out. But all the ones I won on I don't remember. But I remember having fun because my spelling teacher was Canadian, so anytime I had a word with a Z in it I would say Zed and you could watch. The judges were like what is this letter? And my teacher was all excited.

Speaker 2:

Amazing, Great story. When you remember the word, I do want to know it though. Yeah, I got to see if I can remember.

Speaker 3:

I don't really want to say how many decades ago that was, but it was a lot. More than one, more than one. Actually, I was going to say it was a millennium ago.

Speaker 1:

There you go. Excellent, excellent way of saying that.

Speaker 1:

That's kind of a flag. Well, very cool. So kind of my thought here today, again with your just like awesome background and talking about CISOs, and I think Bronwyn and I were talking even like the evolution of the CISO. Not only is it just a new role, you know, within the past couple decades, but it's evolving so quickly, I think, from a skill set, from a coverage, you know, liability, trade standpoint. So kind of talk to us, you know, kind of give me your thoughts on being a very decorated CISO, what your thoughts are on the CISO of 10 years or 10, 20 years ago, to how it's kind of come today.

Speaker 3:

So, absolutely, it's a very different job now than it used to be, but I think that also tells us where it's going. The only reason CISOs exist is because CIOs functionally work for the CFO, and so if you go back 20, 25 years, CIOs were a major cost center for businesses and IT was not really seen as a huge value add. It's just this thing we had to have. And so CIOs, whether they direct line to the CFO or not, the CFO was their mandate was how do you cut costs? So they became the personification of the 80-20 rule: how do I solve 80% of the problem with 20% of the budget? And so innovation for most companies was not done by the CIO.

Speaker 3:

There are exceptions and I know some fantastic CIOs who really were CTOs in that role, but in most places they basically were a support function. And someone said, hey, there's this web thing. I bet we could make money on it. It's usually an engineer and they built an e-commerce site. And the whole point of the e-commerce site was like hey, why do we have people calling up to book a hotel room where they could just do it on this web thing? And then somebody said you know, that seems really dangerous, and that somebody was either in IT security or in engineering security or maybe just in engineering, and that became your first security dedicated person who wasn't just doing help desk. Yep. And it was an awesome role and that person became your first CISO. They were highly technical, they showed initiative and their job was I will cover every security problem that nobody else is paying attention to, and it's a cool role, a great place to be.

Speaker 3:

That's not where CISOs come from anymore. CISOs are now coming from teams that have a CISO, that have specialization. You don't have to be a polymath, you don't have to do everything. The challenge is a lot of companies still want that unicorn. They want somebody who does everything.

Speaker 3:

I've seen these job descriptions. I've done, I do, this is what I call the strategic CISO assessment, where a company will hire me to come in. They say, look, I've got a director of security, but they talk mumbo jumbo. I'm not sure if they're doing the right things. Can you just help me out? Right, it's this very fast, like less than a month. Come in, interview everybody, read all your current reports and help up-level somebody.

Speaker 3:

But what I have found in talking with every executive there, they all want something different out of this CISO candidate. That is not what that person thinks they do, so I even wrote about that, called the idealized CISO. I wrote the job description. It's up on howtociso.com, a free resource for CISOs or people who are going to be CISOs in the future. That lists like everything a CISO might be asked to do, and the challenge is almost nobody can do all of that anymore and you really don't want to, like. You want specialists who are good at each piece of this pie, rather than somebody who's good at everything but not great at any one thing.

Speaker 1:

Yeah. Well, and that's a great comment about the CIO stuff too, and I'll probably kick it off with a provocative thought, which I think is probably a newer thing, which I want to hear your take on: reporting structure. CISO under the CIO, CISO under the CFO, under compliance, what's the ideal reporting structure? I know that's probably relevant to the size of company, but what are your thoughts there?

Speaker 3:

So the first thing we have to ask is which roles do we actually need. Between the CISO, the CIO and the CTO, we only need two of those jobs, so one of those does not need to exist. And the reason we have this debate is because the CISO is only half of a C-level executive, so we're trying to figure out where to put them. Like, the answer is if you have a C in front of your title, you should work for the CEO. There's no other way to answer that question. You're in the C-suite, which means you work for the CEO. If you don't work for the CEO and maybe you work for, like, the COO or president, like there are companies that do a weird split that way, that's okay. But if you're working for the CFO, you're probably not actually a C-level executive. You just have that title. If you work for the CIO, then you are the head of IT security. The CIO is really the CISO as part of their job.

Speaker 3:

Now here's what I'm seeing in smaller companies: there's no CIO and there never will be. Because what do you need a CIO for? You don't own any applications. All of your corporate apps are in SaaS, so you need somebody to do procurement and somebody to do configuration. So I know a bunch of CISOs. They don't even have the CISO title yet, but IT works for them. That, I think, is going to be the wave of the future, is it will be a blended role, that the non-innovation parts of the CIO role are just support and that's going to be part of the security role. And it'll be this blended CIO/CISO that'll end up there, and they should be still reporting, though, to the CEO. But I think in a lot of companies they are reporting to the CTO or the head of engineering. I like that take.

Speaker 1:

I've not heard that yet before, but I do like that. Now in that same vein, then, looking at who drives innovation and then who's kind of looking at protecting the digital assets of the company? Because to me, if you're CISO/CIO, that's still kind of an internal conflict of when I balance innovation driving versus protect data.

Speaker 3:

So I don't think there's a conflict there, and I think the fact that security people believe there's a conflict is part of why we've not been successful as a career field.

Speaker 3:

Okay, I like this. Your job as a security professional is really three things, but it comes down to only one that's important, which is enable the business to make wiser risk choices. That's it. Your job is not to say no. Your job is to make sure that they are making the better choices because they're informed of risk, that the things that they have outboxed to you are taken care of. So that's your support role: if they say, look, I don't want to have to deal with malware, and you're like great, I'll take care of malware, here's the cost, and they're like great, go do it.

Speaker 3:

Okay, you have an execution role there, but your governance role has nothing to do with your execution role. Your governance role is when people are making decisions, do they understand the environment they make decisions in? I'll give you an example. Let's go back to when we were like, not even kids. I'm going to go far, even further back, like when we were wandering around the tundra. Actually, let's go to the jungle instead. Right, way back. Right, everybody knew about jaguars, right? And you're like okay, great, we got to deal with jaguars. When the grass is moving in weird ways, everybody circle up, point your spears out, because the jaguar might be coming down.

Speaker 3:

Lock it down. Okay. Unless you were in the Nile, you weren't worrying about crocodiles, right? And the problem is too many security professionals today are basically running out into the forest and the savannah and say watch out for crocodiles, you're not allowed to do anything because of crocodiles. And the rest of the business is like why should we listen to you? Instead, you should be the guy who's saying look, we're migrating and what's coming up ahead of us is crocodiles. Let me give you the reports to make you believe and understand in crocodiles. My job is not to protect you from crocodiles, it's to make sure you're aware of crocodiles and that you believe in crocodiles when they're relevant.

Speaker 1:

I believe in crocodiles. I like this man.

Speaker 3:

But, Bronwyn, you don't actually believe in crocodiles. You don't, like, check both ways for a crocodile. Like you've heard of it. You believe that they exist, but you don't believe that they're a risk to you.

Speaker 1:

I can tell you, in Indiana, when I go outside, the least of my worries is a crocodile in my front yard. So I can vouch for that.

Speaker 3:

That's appropriate, like if I came to you and said I want you to burn brain power worrying about crocodiles.

Speaker 2:

Andy needs to look for some help or I would think that you were about to set a bunch of crocodiles loose.

Speaker 3:

That's true, that is definitely the sort of thing I would do, and many security professionals. Let me prove that I am right by releasing crocodiles in the boardroom. Yeah, and right there, there's our quote for this episode: releasing crocodiles in the boardroom. Oh my gosh, that's great. Thank you, Bronwyn. It was a combined effort there.

Speaker 2:

I think yeah, yeah.

Speaker 1:

Well, and to your point, talking about the boardroom, this is the thing that Bronwyn and I actually were having kind of a good battle on, like disagreement, was in the C-suite, what's the responsibility of other C-suites to be educated at a foundational level on cybersecurity risks? So you've got the CISO, which is the expert, but what's the onus or liability or the obligation of other C-suites to be foundationally educated?

Speaker 3:

So that's an interestingly phrased question and I don't agree with the phrasing of the question. Okay, you're a gestalt. Like it is the CISO's responsibility to ensure that they are educated right now. It may be that they don't want to be educated, in which case, like, it's their responsibility to pay attention, but if it's not being taught correctly, you're not being made aware of it. Like, and think of how many times in your life you took driver's training. How many of the things that they told you just went in one ear and out the other because it was badly taught and, as a result, like maybe you're not as good of a driver as you could be. I hope you're both still reasonably good drivers, um, but if you're in Chicago, so I don't have to worry about it too terrible. Yeah, everybody in Chicago is an awful driver from my perspective, but I drive through Chicago like every score year.

Speaker 2:

I think, cody, the phrasing of the question well, I liked it, but I think the context that we were talking about before as well is really important, because I think that question came out of this idea that the CISO, wherever they have come from in terms of their background, that it's kind of their responsibility to show up in the boardroom and educate everyone all the time and then be kind of the no person. Up in the boardroom and educate everyone all the time and then be kind of the no person. That's the context there, but I just felt like there's got to be some meat in the middle of like the CISO. We're pressuring all CISOs to like learn the business language, to be able to explain it really well, to have soft skills and communication skills, but is there a way that we can also, maybe in a more invitational way, get ceos and cfos and other c-suite members to also like maybe care a little bit, like come to the table as well?

Speaker 2:

That's where I was trying to go with it.

Speaker 3:

So I hear, I hear where you're going. I have one nitpick: I hate the phrase soft skills. Me too.

Speaker 2:

Oh my gosh, I said that earlier.

Speaker 3:

I hate it. No, there are three types of skills. There's technical skills, which is what people like to call hard skills. Those are easy to measure. That's why people call them hard skills. It's like I can measure how good you are at technology. Right? There are people skills, and the way I think about technical skills is can you change the world through your own energy? People skills is can you get somebody else to change the world by using your energy through them. And process skills, which are the hardest ones, which is can you get people you don't even talk to to change the world on your behalf? Those two are the hard ones, and communications is a huge piece. There are components of communication. It's a technical skill, but it's really fundamentally a people skill.

Speaker 3:

How do I brainwash you into believing what I need you to believe? Yeah, and so here's my finding: there are some really bad executives out there. Just to be very clear, I've talked to a lot of CISOs who I know are very good at communication, and the things that their CEOs have told to them would astound you, and they don't care about risk. Their attitude is corporate risk is not my risk. I'm here to make a bazillion dollars, which means all I have to do is survive for 12 months. Right, and so any risk that's going to hit us 15 months from now I'm fine with, because I'll be checked out, because we're selling the company. Totally. Okay, fine, but recognize that for that person that's a wise risk choice. They're just violating their fiduciary obligation, which I think is to Bronwyn's point, which is we need the humans to accept that they have a fiduciary obligation to the business to make wise choices. Yeah, and the security risk is a component. That's the halfway we need them to meet.

Speaker 3:

And then it is our job, in the same way it's general counsel's job to talk about legal risks, to come in and talk about it in a way that is accessible. Yep. In the same way that you don't walk into a preschool and talk to kids in language they don't have about the risks that are relevant to them, you have to meet people where they are, and if any executive is listening and is insulted that I compared you all to toddlers, sorry, that is the reality. It's like, in the same way that I expect the general counsel to come in and talk to us like toddlers about law.

Speaker 2:

Yeah.

Speaker 3:

Right, because we don't necessarily understand torts. This is one of my favorite things, by the way. If you're ever at a cocktail party and you see two lawyers and they start doing one of these, like, one-upping each other talking about some legal issue, just say, but is it a tort? And then just step back and walk away. That's great. They will now spend hours arguing. Like the answer is half of them have a default yes, half have a default no, and they'll just fight over it.

Speaker 2:

I bet you're a hit at parties.

Speaker 3:

I have a lot of fun at parties. Cocktail party tricks are my specialty.

Speaker 1:

Man, this is great. So talk to me about your 1% Leadership book. I do want to kind of get to that and, as we were talking about, like the CISO and the evolving CISO, I think my thought is this book may have come from your experiences. So talk to us about your book.

Speaker 3:

Yeah, so I started writing this book because, like every company, and in fact I had this when I was in the Air Force as well, there are leadership fads, and it's like you come in and somebody is going to teach you about leadership, maybe following a book or following some fad, whether it's the growth mindset or Good to Great or you name it. And I'll actually be pretty honest. I find that almost every leadership book out there and almost every leadership training is awful, and they're all awful in the same way. They believe that there is one answer: do this thing and you will be amazing. Second, they badly explain, if at all. If it's a book, they don't actually explain the answer, because why would you read the book if they could write the answer down for you? Or they don't understand their own research. The growth mindset is a great example of that one. They misapply the fundamental research in a different way and then they just pretend that all you have to do is copy this thing.

Speaker 2:

Yeah.

Speaker 3:

And I hated it. And this book actually started because we had a speaker come in. A fantastic guy talked about inclusion. I still remember a bunch of the things he said. He said look, the moment you have two people in a company, you have diversity. He said stop looking at people as race, as gender, as whatever, and like if you have two black men, you have diversity, not because they're both black, but because it's two people. They're not the same person.

Speaker 1:

All right, right.

Speaker 3:

Yeah, if you don't have inclusion, diversity is harmful. Inclusion is what matters. Like how do you get people to show up and actually be able to be present? And so it really resonated with me. I'm like this guy is amazing. And so I wrote this note to my team. I said, look, we decided to bring this training to the whole company. You're going to love it.

Speaker 3:

And my team came back to me and said, dude, what were you talking about? This training was awful. And I'm like what do you mean? Well, this guy was a very high-priced, expensive speaker. So when we brought it to the company, we'd hired a company.

Speaker 3:

It was basically you had to watch a video with a guided trainer in the room who was somebody from our HR team who didn't understand this and how to explain it. And so they fell back on, like, the standard language that we now know is so awful. You know, talking about like oh, diversity is the most important thing, and so make sure you're hiring for diversity, right, and everybody knows that. Like, yeah, if you tell people to do that, they'll put the thumb on the scale in a bad way rather than you're doing it the right way. So I took that lesson. I said, well, what if I wrote for them an essay? Right, and so that was the first essay I wrote in this shed, which, the tweet for that one. So the chapter titles of my book, every chapter title is a tweet, and it is: inclusion is reducing the energy costs that people pay just to exist in the space.

Speaker 2:

Interesting.

Speaker 3:

Right and Bronwyn, I love when I have a woman here because I can give you the easy one how many times in your career have you walked into a room and been wondering how long?

Speaker 2:

it was going to take somebody to ask you to get coffee.

Speaker 3:

Well, yeah, no, right. Every woman resonates with that one. That is a lack of inclusion. You're spending your energy worrying about a thing even if it never happens. For sure.

Speaker 3:

We need to make it that no woman ever worries about that. That's inclusion. Yeah, it is not having more women in the workplace, it is making sure that every woman who's in our workplace doesn't feel that. Yeah. People don't say, like I have, that I'm an observant Jew. Let me tell you, I walk into a meal and I don't know if I'll be able to eat it. I've had people try to serve me shrimp and pork and I'm like come on, I've told you my dietary restrictions. What's going on? Every one of those moments is a challenge. And how do we remove those challenges?

Speaker 3:

So I wrote that essay. My team loved it. I'm like, oh, maybe this is what I should do. So my book is 54 of those essays, so 54 lessons. Each one is a standalone. They're written in an order. I will tell you that they were not written in that order. I wrote them all and then I put the titles of every one on a post-it note on the wall of my office and I moved them around until I loved the order.

Speaker 3:

Love that. So you can put them in whatever order you want. This is the order that I structured them in, in that I think there is a logical flow. 18 of them are about personal leadership: how do you manage yourself? How do you lead yourself? Because all that leadership is, if you really distill it down to its bare bones, we're going to define it by success, not by style. Too many people, I think, focus on style of leadership rather than success.

Speaker 3:

Success is how do you maximize the value you get out of the energy that somebody contributes? That's it, your job as a leader. I've got this much energy coming out of that person. I want more value out of them. Whatever my value equation is, whether I'm in the military and my value is, you know, seize land, you know, kill somebody, whatever it is, or if I'm in corporate America, I'm going to go make money, or I'm in a nonprofit and I'm, you know, how many people do I serve. That's my value.

Speaker 3:

Okay, leadership is how do I take people's energy and make it more valuable for us? That's it, and so the first person you have to lead is yourself. How do you make your energy more valuable? Then you can lead a team. How do you make the people you interact with more valuable? And then you can lead an organization. How do I set up an organization to produce more value? And so you notice, this matches to my technical skills, people skills, process skills. It's like how do you technically lead yourself, how do you lead people and how do you lead process?

Speaker 1:

Yeah, so then, taking that, you know, into our earlier conversation about, like, the new version of the CISO or maybe the evolution of the CISO, how do those principles apply to today? And I know in your book you talk about, you know, leadership isn't just for executives, you know. But I think how do you see those principles apply to, you know, security today and then the evolution of CISO? Do they come from the technical side, the business side, or what do you think on those trajectories?

Speaker 3:

So I think the challenge of that thing is, if I said, well, they always come from the technical side, in your head you have already said, oh, they're architects.

Speaker 2:

Yeah.

Speaker 3:

I know folks on the GRC side who are what I would consider very technical, and the challenge is that we're so used to these high-tech companies. Right, if you're coming out of Akamai, you're coming out of Google, you're coming out of Facebook, technical means something very different than what it means in, like, any other company.

Speaker 2:

Yeah.

Speaker 3:

Right. So I like to think about that. When you talk about technical, there's technical depth, right. How well can I personally interact with the technology, yeah, tools, and across all of my environments? That's when I think people are more technical. It's really about the breadth. I don't want CISOs who are super deep on one thing at the expense of being broad. And so we're now sort of seeing that the folks on the GRC side, they're focusing on breadth. Now there are folks on the GRC side who are just pushing paper and documentation. They don't know what they do, and there's roles for that, just to be very clear.

Speaker 3:

If you're somebody who does that, this is me not saying you don't belong here. This is me saying that's not the path to a CISO. Yep. If you don't understand what you're doing, you're just pushing paperwork. That's okay. There's a reason you're doing that, but there's a reason you won't become a CISO. Right, wherever you start, understand why you're doing this. What is the real reason you do this? Could we stop? What should we do differently? If you can't answer those three questions, you're not yet on the path to being a CISO.

Speaker 2:

I have a left field question, Cody, that I didn't write down at all and didn't prepare for, but my question is, why do people want to be CISOs so badly, if not only are these job descriptions crazy, too long, there's now personal liability, like legal responsibility, that CISOs have? Why do people want it so bad? What's happening?

Speaker 3:

So I think there's a couple of different reasons, and I'm not going to say everybody ascribes to all of these, but let's start with the first one. The money is good. Fair. Like, why does anybody want to promote? Should it work? Because you make more money doing it. Get that bag, it's true, right. Second is your span of control grows, which means you feel like your independence grows, right. Like, Bronwyn, why would you want to be a CMO one day?

Speaker 2:

Oh yeah, just to feel extra powerful. I want to come on top of the world.

Speaker 3:

Get that bag, bro. I want to get the bag. You want to be in control of your day. Okay, the higher up in the org chart you are, the more you are in control of your day, versus somebody else telling you. The reality is, the more the environment controls your day.

Speaker 2:

I completely, yeah, totally agree.

Speaker 3:

Just to be clear, when I was a CISO, like I would walk in and I had what was on my calendar for the day. Nine times out of ten, that is not how my day ended up looking, and it was not because I chose to do something else. Yeah, oh, we have a customer issue. We've got a whatever. Some people, it is the calling. We want to make a difference. Like I got to, as Akamai CSO, the amount of difference that I made on the planet is huge. Right, I'm the first person to design and build a TLS CDN, the ability to secure web over a CDN, which everybody now does by default. But I brought forward the concept of, like, an e-commerce driven secure web. Like, maybe call it four years. That's me.

Speaker 2:

Is that an idea, just out of curiosity, that you had and were able to bring to the business at a certain point? Was it an idea you had before? Like, how did that come about?

Speaker 3:

So this one is really funny. I had nothing to do with the Akamai founders when I was in undergraduate at the time, but I got to show them one of my writing examples. So at MIT you have to pass a writing requirement to graduate, and the report I had written was actually on how do we solve the problem of scalability on the web. It's blowing up all of our internet connections.

Speaker 3:

And then I go into this thing, and I'll actually be honest: Danny Lewin, who was one of the founders, who was murdered on 9/11, but I knew him and he was the one who had the idea, just to be very clear, the idea that we could do TLS on our network. I was like, nobody will ever buy this, Danny, you are insane. Like, I was the single biggest naysayer. But he said, let's just assume, let's go design it. Right? So he and I designed together the security model for it. And let's just say that we had disagreements. I'm happy to say I won on several of them. He thought we should just, like, hire guards with guns to stand outside of data center racks. He's like, well, just say they're network engineering technicians, they'll just physically guard our things. I'm like, I don't think that'll work. So instead I designed a great key management system. I never believed it would work.

Speaker 3:

But one day, after I'd been working an incident until like three, four in the morning, I get home, go to sleep, my phone rings. And it's actually, we didn't have, like, great cell phones that worked. So I actually remember it was my landline that he'd called. You know, we had a voice connector. So he dialed in and said, Andy Ellis home. It rings. Like, you know, 9 a.m., and he says, Andy, I am here.

Speaker 3:

I think I can probably tell who the customer is at this point. I'm here with Capital One, and this is in early 2001, okay, and he says, and they want to know why they should trust ESSL. That was the name for our product at the time. I'm like, I literally just had a shouting match with him like 48 hours before. I'm like, nobody should trust us with this, and he's like, they need to know why they should trust us. You give the best pitch. Go. And I'm like, are you effing kidding me? So you've got three hours of sleep, you're on the phone, no notice that this was happening, and so I said, I need to fix my connection. Can I have three minutes? And he's like, sure, so he stalls.

Speaker 3:

I literally run into the bathroom, splash water on my face. My girlfriend, who is now my wife, is in the bed, like, what is going on here? I'm like, be quiet, I got to go do a pitch. So I come back to the phone. I'm like, okay, I'm ready.

Speaker 3:

I got my slides here. I have no slides. I got a piece of paper on which I've written five things and I do a pitch: here's why you should trust us. And there were no lies in it. Like, straight up, here's the security, here's where you should... silence in the room. And I'm like, did I get disconnected? Did I do one of these? I just talked for 20 minutes and there was nobody in the room? Like, I don't know, yeah, and they said, huh. The CTO was like, huh, that's really interesting. We should consider this. Now, in fairness, it took us like 10 more years to land Capital One. Like, in 2000 and 2001 they weren't doing it, but that was the moment I believed, and I went out and I started selling it, and it reminded me of this moment.

Speaker 3:

And Danny was brilliant. A lot of people had issues because he was just such this intense force of nature, and it reminded me of the story I had read in middle school, which is titled "Take Over, Bosun."

Speaker 3:

This is the story of, like, this shipwreck, and there's a lifeboat that has this young lieutenant who has the gun and the food, and there's this bosun's mate and like two or three other crewmen that the bosun is basically leading, like, I'm gonna throw you off the boat as soon as you pass out and we're gonna take the food, give it to us now, like, who are you, young kid? So it's a short story in which this officer gets more and more delirious, and as he's about to pass out, he steps forward to the bosun's mate, he turns the gun around, hands it to him and he says, take over, Bosun. And when he wakes up, the bosun is standing over him and the food, protecting it from the rest of the crew members. It's this moment when you realize, my job is not to be the contrarian anymore. Now my job is to go execute. And so, for me, that's the epitome of disagree but commit. And then sometimes, when you commit, you realize you didn't actually disagree.

Speaker 2:

I mean, fascinating story, fascinating moment. I have to now ask you, going back to our leadership conversation: what was that moment that you realized either you were a leader or that you could be a leader?

Speaker 3:

I don't know that there's, like, a specific moment. You know, it's sort of weird, because I dodged leadership for a really long time, or I dodged authority, I should say. Like, I was an Air Force officer who never had anybody report to him.

Speaker 2:

Interesting.

Speaker 3:

Like, I went into the Air Force. My first job was information warfare. We were a squadron of 83 people, half of whom were officers. I'm a second lieutenant in the engineering section, which is five officers.

Speaker 3:

So, you know, we've got two captains and three second lieutenants. I don't know anybody who works for me. And then my second posting, I was at Electronic Systems Center. You know, I come in and I was supposed to have three people who worked for me. At least that was what the assignment was. I show up. One of them was a master sergeant who basically rewrote the org chart so he could report to the colonel. We were a unit of like 15 people. One was a civilian who said, don't tell me what to do, I've been here 15 years and I'm going to keep doing whatever I want, and I've already moved my office across the hall. And the third was a second lieutenant. I'm now a first lieutenant. I'm like, excited, he can't do this to me. Except he was a former Navy SEAL who made the mistake of wearing all of his ribbons one day, man, and he was spotted by public affairs, and so they requisitioned him to be the tour guide for visiting dignitaries. So here, like, the Air Force trains you for leadership as an officer, I didn't get to lead a single person as an authority. And then I went to Akamai and I was an individual contributor for a while.

Speaker 3:

And then my boss actually hired in somebody to take over the security team. We were up to like five people. He hired somebody in, but didn't make him our boss, just was a principal engineer. And this guy, everybody hated. All five of us hated him, like everybody else in the company did not like him. He went on, he did amazing things later, but that was not the right time for him. And so one day my boss calls me and he says, well, you know, this person hasn't really worked out. Would you like to take over the team? Right, because at this point all six of us report to him. But he's got 40 other reports, he's got a whole organization. So I'm like, yes, I will take it over. So that's sort of the first time. And he says, great, by the way, I've already put in my resignation, I'm leaving next month. Oh, and also we're doing a RIF next week, so you have to cut half of your team. All right.

Speaker 2:

Well, that's different. There you go. What, like...

Speaker 3:

Clearly, I know one of the people I'm RIFing, which is the guy who's going to be a problem because he didn't get the job he was hired for. So I think that was the point where it started to be like, okay, I've got to do this, but now I've got to lead through influence. Like, I'm the senior security person. I was a chief architect, now director of information security, and it was this realization over, and this was during the dot-com crash, so my job was to convince people who weren't sure we would have a company the next day to do security work that would be valuable into the future. And I had no actual authority other than my title. It's a tall order, and so I sort of just had to learn, and I spent a lot of time trying to understand how humans think.

Speaker 3:

And that was my single biggest realization: if you rely on authority, at the end of the day you're going to fail. You have to rely on influence. Even if you have authority, even if I'm allowed to tell you no, my job is to make you believe that no is the right answer, because then, A, you're not going to come ask me in the future because you know the right answer, but B, now we're not at odds interpersonally. You believe that no is the right answer, and so you don't blame me for telling you no. You're like, great, we're doing the right thing.

Speaker 1:

Yeah, and one thing too. This has been a great conversation on all the leadership and stuff, and I was talking to Bronwyn earlier about what's kind of missing today for CISOs. I think there's a lot of tools out there, right, there's the next tool to have. But, like, hypothetically, you are launching a new podcast, you know, called the CISO Series, and so I might know that podcast.

Speaker 1:

I know, yeah, you know, hypothetically. So from that perspective, as someone who's deeply in the game, what's missing on current cybersecurity podcasts? Right, there's a lot about threats and everything else. But what are those pieces that, like, hey, young CISO, early in the game, go listen to this and soak it in?

Speaker 3:

Yep. I love the question because, A, I like to think we try to hit that sweet spot in the CISO Series, and the real question is, how are you actually talking to the business? One of my favorite things we do is "What's Worse?" Readers will send us in a scenario, and there are always two awful scenarios. We're not allowed to tweak them. You basically have to say you're stuck with living in this scenario; which one of these is worse? And today we just recorded one, so it'll be out in a while.

Speaker 3:

But it literally came down to: there was one that was technically bad for the security team. Right, here's a bad outcome, the security team is failing. Other one: no impact to the security team, no actual impact to the company, but there was a brand hit. You looked bad in front of your customers. Yeah, and I and the guest both went with that one: that's worse. Yeah, if you are not thinking that impacting my customers is worse than the security team dealing with incidents, if you don't have that mindset, that's what we need to teach you. Right, that's who your responsibility is.

Speaker 2:

It's your customers. As a marketer, I feel like I have to. I mean, I agreed immediately, but I don't know. Maybe if I was a CISO, I would think that, like, protecting my team, I don't know, was more important, or that there was a different risk there.

Speaker 3:

I mean, it is important. I'm not going to say that this is like an epical difference of, oh, always protect your customers at the expense of your team. There is a balance here, but it's a key piece of that. And the challenge is you have to understand, like, why do you exist as a team? You exist because your company serves customers. If you fail to serve customers, why are you there? Like, this doesn't mean you do crazy things to make your customers happy, but the security role is: protect the customers. Make sure the company makes wise risk choices about serving the customers to keep them safe. Yep.

Speaker 1:

Man, Andy, this has been phenomenal today, I think. Your background, the book, which Rahm will make sure we get on our post and everything here so people can click a link and get to the book, as well as your co-host role on the CISO Series podcast. So I think a lot of things that we try and push on this podcast is for either young, aspiring security professionals or ones who've been in the game for a little bit, but just kind of a fresh approach. I think a lot of times there's a lot of, like, the tools and the other side, but I think there's much more important things, much more things to be cognizant of as a CISO or for CISOs in the industry. So, yeah, thank you again for the time today. We've been super appreciative of this. This is awesome, your story is remarkable, and I appreciate you spending time with us.

Speaker 3:

Thanks. You guys were great hosts, great questions. I feel like we could talk for another five hours. Oh, easily, easily.

Speaker 2:

Completely agree. Amazing. Well, thank you so much for your time and we'll talk to.
