Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cybersecurity. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, cyber leadership, and understanding the threats most impacting organizations today.
From GTA to MFA
In this conversation, Nicole Dove shares her unique journey into the cybersecurity field, highlighting her transition from a finance and audit background to becoming a leader in information security at Riot Games. She discusses the importance of continuous learning, the challenges of writing a book on cybersecurity, and the evolving role of Business Information Security Officers (BISOs) in aligning security with business goals. Nicole emphasizes the need for innovative problem-solving and relationship management in cybersecurity, while also reflecting on her personal routines for maintaining sharpness in her role.
Matthew Chiodi (00:00.864)
Nicole, thanks for coming on the show.
Nicole (00:02.989)
Thanks for having me, Matt.
Matthew Chiodi (00:04.642)
All right. Well, I'm really looking forward to this. First of all, I always look for people who have interesting backgrounds in cyber, where they came from. And you definitely check all the boxes in terms of being interesting. So you kind of grew up on the audit side of the house. You've done voice work on Grand Theft Auto. I definitely want to hear a little bit more about that. Like, how did that happen? Where is it in the game? Because now I want to go back and actually listen to it.
And then you became the head of security for Riot Games. Tell me a little bit around how that diverse background has shaped your experience, especially being in the gaming industry. It's known as being creative. It's known as being super, super rapid in terms of its pace. How does your approach to security change with that?
Nicole (00:55.031)
Yeah, so interesting is definitely one of the words that I would use to describe my career trajectory. I will tell you, it probably leans a little bit more towards chaotic and unexpected if I were to pick three words, right? Or have three words to explain it. I was one of those kids, I never really knew exactly what I wanted to do.
Right? I graduated college. I didn't have a full-time job. I took an internship on Wall Street. For me, it was just about doing things that I found interesting and fun. And I figured out very early that consulting was interesting, but probably not so much fun. And I decided, I'm going to go work for a video game company. I went to interview.
At the time it was Rockstar, with Take-Two as their parent company. It was chaotic, dogs running around the office. Everybody's in jeans. And you can imagine coming from Wall Street where we were suited and booted, right? It felt so refreshing.
Matthew Chiodi (01:49.18)
Oh my goodness. Yes.
Nicole (01:53.849)
And that's initially how I just got into gaming. I wanted to do something different. I wanted to do something new. I wanted new energy, new environment. So I went from this really huge Wall Street investment bank to this really big public accounting firm to this teeny tiny video game company who had an office on top of a Best Buy in the middle of New York City. So that's initially how I got into gaming and I was in the risk management and audit space.
Matthew Chiodi (02:13.486)
You
Nicole (02:20.109)
Just being nice and talking to people on the elevator, I developed some buddies, we would go to the gym together, and they actually worked on the games. And they needed some extra voices for a few extra random characters, and they were like, will you do it? And I said, will you pay me? They said, we will not. We will not. But we will put your name in the credits. And so I have an IMDb page with only two credits from Grand Theft Auto. But I thought that was pretty cool.
Matthew Chiodi (02:36.362)
That's a good question.
Nicole (02:49.749)
And it began to show me that there was so much more to video games than just coding and development, right? There was like this artistic piece of it, which I appreciated because I come from a musical family. So that started my career in gaming and entertainment. And about three years ago, I came over to Riot Games and I'm essentially helping them build their information security, their business information security office. So I lead a team of engineers in LA, Dublin, and Shanghai. And I am completely focused on elevating the security across all life cycles of game development.
Matthew Chiodi (03:29.23)
I love that. I love that. Now you got my attention immediately. You said you come from a musical family. What does that mean?
Nicole (03:35.449)
Mm-hmm. Yeah. So I don't know why we don't have a band and like five albums at this point. My father has been a musician his entire life. He was originally self-taught from the age of three and he ended up going to a performing arts high school. Interestingly enough, the same performing arts high school that I went to. And he's done everything from Broadway to jazz to classical. I mean,
Matthew Chiodi (03:42.3)
Ha
Matthew Chiodi (03:57.016)
How fun.
Nicole (04:03.638)
all kinds of stuff, plays multiple instruments, sings. I play a few instruments. I sing. I may or may not have sung backup for Michael Bolton live, you know, once or twice. It's definitely not on LinkedIn. My team would roast me if I put that on LinkedIn. But everybody on the paternal side of my family either sings and/or plays an instrument.
Matthew Chiodi (04:14.254)
That's not on LinkedIn.
Ha ha ha.
Matthew Chiodi (04:28.014)
Awesome. I like that. You know, so you come from this musical family, you've done some great things yourself in that space, and you've been in gaming for how many years now? And so that's a space that is not, you know, that's not a regulated space, right? It doesn't have FINRA or any of those kinds of rules that it's under.
Nicole (04:28.62)
Yeah, it's pretty cool.
Nicole (04:40.856)
Collectively about eight. Entertainment, a few more.
Nicole (04:55.01)
There are some rules around when you release games in different countries. For example, the blood may not be able to be red on the cover in some countries. So there is some nuance like that, but there's no, obviously we still need to align with GDPR and MLPS in China, but it's nothing like FINRA. It's nothing that significant.
Matthew Chiodi (05:04.31)
Okay. Okay.
Matthew Chiodi (05:17.102)
How has being in that space now for, I think you said the past eight years, how has that shaped how you approach security in terms of how you're building your program? And I know we're going to get a little bit more specifically into your BISO program, but how has that background shaped how you approach security?
Nicole (05:33.847)
Yeah. So coming into the InfoSec industry as a non-traditional technologist, I went to school for finance and accounting, right? I did not grow up with ones and zeros, right? So initially coming into the industry, my approach had to be foundations and practicality because honestly, that was all I had. The advantage though,
was that cybersecurity really is the intersection of risk and technology. And I overextended my experience, or I was overly qualified from a risk perspective. I just needed to grow up on the technology side. The great thing about this industry is technology and things are growing so quickly that everybody's always learning, right? So that's helped a lot. So essentially what I did was
Matthew Chiodi (06:25.422)
Yeah.
Nicole (06:30.496)
I leaned on the business acumen experience that I had from consulting, that I had from audit, the relationship management expertise and training that I had from my career experience. And I leveraged all of that to learn as much as possible, to lean on risk, to figure out what can go wrong and learn about different solutions. And I essentially let that drive how I build out my BISO program. The great thing is that working at a video game company, people are super passionate about the product. We're all there to help people have fun, right? And it's very obvious. And so that actually makes my job a lot easier because people generally want to do the right thing. It's just helping them figure out how to do it. And that's not to say that I'm not open to taking risks, right? I am.
I need to be as a good security leader, but I just try to help them figure out how to do the risky things in the most secure way.
Matthew Chiodi (07:37.262)
What was the hardest thing for you, you know, coming again from a finance and audit background? What was the hardest thing for you when you kind of, I guess, had to learn the technology side of it? Or was that the hardest thing?
Nicole (07:49.303)
Yeah, it was my own inner voice doubting myself, you know, feeling like I don't belong here. There are not a lot of people that look like me. People are using all these words and terms. I don't know what the heck they're talking about. It was very, very intimidating, very intimidating. And so what I had to do, it was, you know, put your big girl panties on and figure it out. So if I'm sitting in a meeting with people and they're saying a bunch of words, I don't know.
Matthew Chiodi (07:51.182)
Hmm.
Nicole (08:18.54)
I'm writing them down and I'm going to Google them and research them after. I'm going to sit and listen to Professor Messer on LinkedIn and learn about all this stuff. Even now, as the work continues to evolve that's within the span of my responsibility, I'm still going on LinkedIn Learning or even tapping into the IANS portal, honestly, as like a cheat sheet to learn and figure things out. And understanding that I don't need to be an expert in everything. We've got experts on the team, but if I'm going to be working up close with the business and figuring out how to align our capabilities with their initiatives, I need to be able to understand and speak intelligently to it and understand the risk associated and be able to tag the appropriate InfoSec domain teams that are going to help develop a solution.
Matthew Chiodi (09:09.518)
I think that's a really, really critical point. I can remember multiple times in my career, even very recently, feeling like I've got to know everything. But then at the same time, first of all, that's not possible. No one, even the smartest person in our field, doesn't know everything. But we have something now that's pretty close, right? We have all these different LLMs, all these different public models, which, if you're looking for facts, if you're looking for information, right? One of my guests said this a couple of years ago, like,
Nicole (09:18.112)
Yes.
Nicole (09:22.338)
Mm-hmm.
That's right.
Nicole (09:30.903)
Yes.
Matthew Chiodi (09:39.614)
the best thing about something like ChatGPT is it is the most patient tutor. Right? Teach me about, you know, X. Teach it to me like I'm a third grader, and it does a phenomenal job. So I love that.
Nicole (09:48.824)
Yes, it really does. Where were these language models when I came to security years ago? We did not have them. Just the other day I was talking to an engineer about a new type of attack strategy. While we're talking, I went to ChatGPT and I was like, give me the TLDR of this kind of activity. It was amazing. Yes, we definitely need to leverage that to our advantage these days.
Matthew Chiodi (09:56.27)
We didn't have them.
Matthew Chiodi (10:18.318)
So you are also an author. You have an upcoming book, Learning Cybersecurity: A Practical Guide to Essential Cybersecurity Concepts. I've always wanted to write a book. We'll talk about that in a minute, so I've just got questions about the publishing process. But I think you said in a LinkedIn comment that it's the guide you wished you had when you were starting. What was, you know, maybe one of the biggest misconceptions that you hope to correct with this book, and when is it coming out? When's the public release?
Nicole (10:28.544)
Yes.
Nicole (10:37.803)
Yes.
Nicole (10:46.807)
So we're going to be doing a pre-release of a couple chapters, fall 2025. So probably by the time this episode is out, it will be available. Full release will be December 2026, so end of next year. The thing that I want to correct, if you will, or respond to with this book is,
Matthew Chiodi (10:58.062)
Perfect.
Nicole (11:15.421)
really centered on the inaccessibility of cybersecurity. I think that in our industry, there are not a lot of entry-level roles. Also, when I talk to a lot of young people, everybody wants to work in cyber, and I love the excitement about the opportunity to work in the industry.
When I ask people what they want to do, they have absolutely no idea, right? I want to be an analyst. Okay, that's great. In which domain? Eyes glaze over. And I get it. It's known to be a well-paying industry. But I think if people walked into an entry-level or junior-level opportunity interview and they're able to speak to each of the domains,
Matthew Chiodi (11:41.484)
Yeah, yeah.
Nicole (12:05.047)
That's going to set them ahead of many other people. So on one aspect, I want to help prepare people for navigating into the industry, whether they're new or career changers. But most importantly, for people like me who found an opportunity to come into this industry, there wasn't a cybersecurity major when I was in college. There was no InfoSec. It just didn't exist. It was computer science.
Matthew Chiodi (12:27.074)
Yeah
Nicole (12:32.791)
But for people who end up in this industry and who are starting out and feel lost, I want to give them essentially the 30% that they're going to need 70% of the time. And if I can give you that foundation, everything won't feel so intimidating. You'll have a better idea of how your skills align with the different practices and domains in InfoSec and why we do the things that we do.
Matthew Chiodi (12:45.582)
Hmm.
Nicole (13:02.025)
And honestly, had I had that my first year in this industry, I would have had such a better, such a better experience. There were a lot of sleepless nights, man. It wasn't pretty at all.
Matthew Chiodi (13:18.828)
I can remember this. So there was a period in my career where I actually stepped out of cybersecurity for about two years. Because I was like, I like this, but I want to really challenge myself. And I actually stepped into the world of e-commerce for about two years at eBay. And I experienced what most people probably experience when they first come into cybersecurity. Just like you said, I remember coming into a room and I heard all these terms.
Nicole (13:24.513)
Mm-hmm.
Nicole (13:32.737)
Okay.
Nicole (13:40.929)
Mm-hmm.
Matthew Chiodi (13:44.864)
And I literally was like, this could be great. And here I had been a technologist too, for at this point a decade of my career, but now I'm stepping into a completely different domain and they're talking about OMSs, order management systems, and like front end this, this and that. And I really had no clue. So,
Nicole (13:50.043)
huh.
Nicole (13:57.568)
Mm-hmm.
Yeah.
Matthew Chiodi (14:02.542)
That for me was really instructive. And I did similar things. I did have to take notes in the meeting, and then I would spend the next hour or two reading everything I could to try to become an expert on those topics. As you were writing the book, my guess is that there were maybe some memories that came back to you that you probably hadn't thought of in a while.
Nicole (14:10.983)
Mm-hmm. Yeah.
Nicole (14:22.785)
Mm-hmm.
Matthew Chiodi (14:25.358)
What revelations did you have maybe when you were just writing the book, going through that methodical process chapter by chapter?
Nicole (14:33.227)
Yeah, there were a couple things. One of the things was the NIST framework, the CSF framework. When I expressed to one of my peers when I first joined the industry that I just felt lost and I was really frustrated.
Matthew Chiodi (14:41.72)
Hmm.
Nicole (14:53.779)
He told me to download the NIST CSF framework and just read it. Now, this is not exciting stuff. Let's be clear. I love cyber, but I'm not staying up late with the flashlight under the covers just because I can't put it down. But what I appreciated was the practicality of it.
Matthew Chiodi (15:01.87)
It's definitely not.
Nicole (15:20.064)
And I've tried to continue the theme of practicality all throughout the book.
I think sometimes it's very easy for us as practitioners to use so much jargon and so much complicated language because we're in a room with people who understand what we're talking about, right? It's the same as if I sit in a room with my dad and he's, you know, leading a musician's rehearsal, right? They're talking about chords and modulation and they're talking about tempo and forte and mezzoforte. I understand that because I studied music, but to the average person,
They're like, what the heck are y'all talking about? So I want to make sure I keep the thread of practicality within it, because ultimately, when you get out in the field as a practitioner, it's always going to come down to the foundations. Even as we think about artificial intelligence, we're thinking about integrity. We're thinking about, if you have an instance, if you're using it for work, you may not want to put your intellectual property or sensitive information into a public model, right? So just thinking about how the foundations and the essential concepts are what we need to thrive and be successful in our day-to-day jobs, or even just thinking about entering the industry, is something that's been totally key for me.
Matthew Chiodi (16:43.022)
I think when you look at breaches, so there's the DBIR stat that's been, it's changed a little bit over the last two or three years, about the human element. I think this year's said 60% of breaches involved the human element. And if you dig in a little bit more into that.
Nicole (16:52.277)
Mm-hmm.
Nicole (16:57.62)
Yeah.
Matthew Chiodi (17:00.534)
Those are not like, there's not usually a zero day that's underlying those types of things. It's the really mundane, boring things in cybersecurity that get organizations into the news. It sounds like that's what you're saying, right? There are certain basics that, even though we're talking about, you know, AI is in the picture now, it's helping accelerate certain campaigns, I think you're saying that there are certain fundamentals that just.
Nicole (17:12.683)
Yep.
Matthew Chiodi (17:25.302)
you need no matter what domain you're going into in cyber, and that they don't change, or at least they haven't changed over the last 20, 30 years.
Nicole (17:32.053)
Right. The attack strategy may evolve, but the vector that they are attempting to compromise remains consistent. We will always talk about identity and access management. We will always talk about
code security. We will always talk about third-party security. Those things never change, right? And so if we understand the fundamentals of those, I think we're much better positioned to essentially enhance our offensive and defensive strategies.
Matthew Chiodi (18:02.542)
Well, I'm curious about the publishing process. You know, I've always wanted to write a book. I've thought about it. I was approached maybe six or nine months ago by a publisher to do it. And I'm just curious, what was it like? Like, how time consuming is it? I'm sure I'm not the only one that's curious about the publishing process.
Nicole (18:05.745)
Mmm.
Nicole (18:23.732)
I don't know how I'm still here, honestly. I am not going to sugarcoat it for you. So initially you have a concept, or your publisher may approach you with a concept or an idea, right? But they want to get your spin on it as a writer. And I'm sure there's some, you know,
Matthew Chiodi (18:25.645)
Oh man, that's not making me feel good.
Nicole (18:45.885)
justification of who you are beforehand, right? Because they don't want just anybody, you know, coming to write a book. So I'm sure that's a part of it that we get sheltered from a bit. But once you start engaging with your acquisition manager, editor, you know, you start to put these ideas together. And then
Matthew Chiodi (18:50.446)
Right.
Nicole (19:11.654)
My process was once we formulated an idea and agreed upon an idea, you have to write an audition chapter. And depending on the publisher that you're working with, each publisher has different series and each series has different styles and different pedagogical elements that need to be incorporated. And so I had, I've never written anything in such long form.
Matthew Chiodi (19:21.582)
Hmm.
Nicole (19:41.363)
in my life and then layering on the pedagogy on top of it, I had a really, really hard time. I will say the process from initially engaging with the acquisition editor to getting a contract signed was probably a year and some change. And it got to the point, and I was like, okay, I'm the problem.
Right? Because I have this new job, right? I'm building a team in China. I'm on the IANS faculty. So I've got those responsibilities. I try to be very committed to taking a break in summer and winter. And I just went to the acquisition editor and I said, listen, I am so sorry this is taking so long.
I would be happy to recommend somebody else in my network who could deliver this. I don't want to leave you guys hanging, but I just feel like I'm taking a long time. And she reassured me. She was just like, no, this is how it goes. I'm like, wow, OK, so this is the standard. The problem is not me for once. So essentially, we
Matthew Chiodi (20:50.39)
It's not me, the problem is not me.
Nicole (20:56.95)
created this audition chapter. It had to get edited a bunch of times. They did a pre-review of it and then they presented it to a particular series and it got denied. It got denied.
But the acquisition editor believed in it so much that she shot it to another series within the publishing house and they loved it and accepted it. Now things begin to move fast, right? So as long as it took us a year and a half, two years to probably get through all of that.
The writing process is maybe gonna take a year and a half. Then you tag on a couple months for editing and all the publishing and technical review. And then you have a beautiful book.
Matthew Chiodi (21:43.67)
I had no idea the process was that long.
Nicole (21:48.67)
I wish somebody would have told me. I felt so guilty for so long, but now I can understand why the timeline is what it is. You get out what you put in, you know? So I'm enjoying it. I don't know.
Matthew Chiodi (22:01.166)
Would you do it again knowing what you know? Or does this make you want to do it again? Do you think it'll be easier if you did it a second time?
Nicole (22:09.75)
I don't know. So it's funny. I found a list that I wrote in 2018 of goals that I had for myself, and published author was one of the goals. And, you know.
When the opportunity came up, I reached out to a couple friends who are authors and I asked them about the experience and they said, you know, well, you don't write a book to make money. And I was like, well, what the heck am I doing this for? Right? But a friend of mine reminded me, you...
wrote on that list many years ago that this is something that you wanted to do. And because I had the opportunity to write about a topic that would have been so transformational for me in my career, I felt like this was bigger than a dollar sign. So I'm going to see how I feel after all of this and how it goes before I commit to maybe doing it again. But I do think maybe once I'm out of corporate for good and I have more time, I probably would definitely do it again. Maybe. Kinda.
Matthew Chiodi (23:19.822)
Well, I appreciate that little look behind the scenes into the publishing world. It does seem like there are a few cybersecurity authors that have done multiple books. And I'm guessing that if you get into a routine of it, it probably is easier, but if you have big gaps between when you do it, it's almost like starting over again. That's my guess. That's my guess. Well, we'll have to check back in with you in probably a year just to see, like, has Nicole changed her mind?
Nicole (23:31.218)
Mm-hmm.
Nicole (23:37.192)
Yeah.
Mm-hmm. Mm-hmm.
Nicole (23:45.758)
Okay. Yes. Awesome.
Matthew Chiodi (23:49.166)
based on this process, but I'll be looking for that when it comes out later next year. So changing gears a little bit, or maybe going back to where we were a few minutes ago on the whole topic of BISOs, but you have a philosophy of business-first security. Whether it's a road or not, it's still true. We often hear about security as a roadblock, but you talk about it as an enabler. What was maybe...
Nicole (24:05.949)
Yes.
Nicole (24:14.441)
Yes.
Matthew Chiodi (24:15.743)
a key moment in your experience. Maybe there's a story you can tell around that really solidified this belief for you.
Nicole (24:29.375)
The thing about what I've learned being a BISO is a lot of listening is required, right? And I spend a lot of time learning the business that I support. So if I'm just starting out at a new company or building a new program or kicking off, the first thing I do is I just need to learn. And what I have seen consistently
regardless of the industry, company size, culture. When I talk to business leaders about what their priorities are, they are focused on customer experience and retention, financial performance, right, and product viability. That is, everything that they're doing needs to align.
Matthew Chiodi (25:25.197)
Hmm.
Nicole (25:25.395)
with one of those three things. And they have a finite budget, they have a finite head count, and they have a finite timeline to get these things done. And typically, as you mentioned earlier, cybersecurity gets a rep of like, you know, for a long time, we got the bad reputation of the department of no, right? Like, they're just gonna tell me to do all this stuff. I don't even understand what they want me to do. It's gonna push back my timeline.
XYZ. And to be honest, I think for a while cybersecurity teams did earn and deserve that reputation. And so now, it's not to say that some of the things that we need to do to keep the lights on are not important. They are. But I think we have a responsibility to understand what our businesses are doing
and validate that we have the security capabilities to support that. Self-preservation is the first law of the land, right? If I want my business leaders to invest time, money, people into securing whatever they're doing, I have to make sure what I'm asking aligns with financial performance, customer experience and retention, and product viability.
Matthew Chiodi (26:26.605)
Hmm.
Nicole (26:51.517)
Right. And so when I approach and work to collaborate or influence the business, if I lead with, we want to secure this or we want to, you know, reduce the risk. They're like, I'm willing to take a risk. That's what we're doing. Right. Risk is walking outside and getting in the car and driving to the store. But if I lead with the goal of
Matthew Chiodi (27:10.54)
Right.
Nicole (27:21.255)
hey, our customers are saying or customers are becoming more hip and more concerned about how their data is treated and stored. Or threat actors are attacking medium critical vulnerabilities that are unaddressed and taking products offline, which could have a revenue impact. If I lead with something that aligns with the business's priorities,
I am much more likely to get engagement and collaboration from them. And so, especially as the BISO, because you're sitting in between security and the business, not only am I leading with business when talking to my business partners, but also when I'm working with the domain teams across security to figure out what initiatives we want to prioritize and actually helping them
be able to translate the business value of what it is that they do. Because we can't just do security for the sake of security. It needs to make dollars and cents.
Matthew Chiodi (28:29.771)
Is there maybe a, is there a story, even if it's anonymized that maybe sticks out that you could tell to illustrate this for the audience?
Nicole (28:43.637)
So there once upon a time...
And I'm trying to be careful, like, can somebody reconcile this to my LinkedIn profile? But there was a process that a business had where, so let me take a step back. One of the things I love to do is start with SecOps data, right? Because it's going to show you, they just see everything. And I always find a great place to start as a security leader is, what are the top incidents at this organization?
Matthew Chiodi (28:53.643)
Yeah. Right, right.
Nicole (29:21.213)
And is there an opportunity for us to reduce that, right? Because now we're essentially looking at our threat landscape and improving our risk profile. And we kept seeing a ton of misdeliveries of sensitive information to wrong clients. And so we, as a cybersecurity team, partnered with our technology, product technology team, to actually build in data verification checks.
with emails and with attachments to validate that the data within the document corresponded to the account associated with the To address in the file. And it significantly reduced the number of misdeliveries that we had.
Matthew Chiodi (30:11.915)
Hmm. That's a good one. That's a good one. Now, you mentioned the whole concept of a BISO is something that's getting more and more popular, right? I think it's something that's been around for maybe only three to five years now, maybe five years. And you're building that BISO office at Riot Games. And you mentioned before the show that people often
Nicole (30:15.1)
Yeah. Yeah.
Nicole (30:23.73)
Mm-hmm.
Nicole (30:31.496)
Mm-hmm.
Matthew Chiodi (30:34.263)
put the BISO role into the compliance bucket. They're just there to be, to know the compliance rules for this business unit, that business unit. In your view, what does a correctly structured BISO office do and how does it drive business goals instead of just checking a compliance box?
Nicole (30:37.224)
Mm-hmm
Mm-hmm.
Nicole (30:53.638)
Yeah. So I tend to see more the compliance thing happen in heavily regulated industries. And I think that makes sense. But I would be remiss if I didn't mention that I think even in those industries, the BISO role has to do a little bit more than just compliance, regulatory compliance. A good BISO team is going to make sure that the cybersecurity function
is aware of what's happening across the business, right? It's going to be connected to the right players across the business. It's going to have access to business roadmaps, right? You get access to particular meetings, and you become influential, in some cases, in where the business is going, but many times in how they choose to get there.
Matthew Chiodi (31:51.947)
Hmm.
Nicole (31:52.629)
Because again, typically when you think about traditional cybersecurity teams, we're doing the foundational domains. We want to make sure that we've got EDR. We want to make sure that our firewalls are configured appropriately. We want to make sure that we're doing architecture reviews and code reviews and we're doing assessments on our third parties and all that foundational keep-the-lights-on stuff. We need that stuff to be in place regardless of what organization you're at. But let's talk about video games for a while, right? We need to understand, what's our playtest strategy, right? You have an unreleased video game that you want to test out with players. And you may want to do that with people who are not a part of your company, right? And so
Matthew Chiodi (32:45.581)
Hmm.
Nicole (32:47.518)
We need to understand from a cyber perspective, this is a data protection effort. We wanna make sure there's no leakage of unreleased IP, right? We wanna make sure that the builds are not stolen, right? We wanna make sure people aren't taking screen captures with their phone and releasing that data, right? And so in order to help the business best prepare for that, we need to know when they're doing it, where they're doing it,
how they're gonna do it so that we can build cybersecurity controls that will be within that process and are not an add-on. So it's all about understanding what the priorities are of the business and making sure that we have tools, capabilities, and services to protect that. And if not, finding those new tools, building those new services, and enhancing capabilities so that we can best support the business.
Matthew Chiodi (33:42.486)
What's one way that, you know, since you've done this role at least, you know, one or two times before, what I've seen with the BISO roles, sometimes they get so, I don't know, ingested into that part of the business. They almost seem like they can sometimes lose their cybersecurity side. What have you found? Because they want to enable the business, they are so deeply embedded. Like you said, they've got access to things that, you know, a centralized
cybersecurity team may never see until, you know, way down the road. Are there things that you might recommend or suggest, or how do you just approach trying to walk that fine line of, yes, being the cyber stakeholder to this business unit, but at the same time, like how do you walk that fine line between, like, yeah, there are some things that we still kind of have to do at a minimum, I still want you to be able to do this. Like, how do you kind of work through that fine line?
Nicole (34:10.13)
Mm-hmm.
Nicole (34:38.43)
So this is the fine line of being embedded in the business, but still being a cybersecurity representative, if you will. It's all based on relationships. It's all relationships. It's to the point where...
Matthew Chiodi (34:45.249)
Right.
Nicole (34:57.64)
And I'm actually proud to be able to say this, that I've reached this with some of the teams that I've worked with. You have to get to the point where people say, I understand that if you're telling me that it needs to be done, Nicole, it's important. And that takes time, right? And it takes time because that means I've sat with them and I've deprioritized things that
Matthew Chiodi (35:15.415)
Hmm.
Nicole (35:27.814)
I maybe would have wanted to ask for, right? Or I've shared with them that there are some things that I want to put on their roadmap, but I understand they're going to have a busy period for the next three months. So I'm going to be cognizant of that.
Matthew Chiodi (35:30.317)
Hmm.
Nicole (35:46.269)
and plan around it. It's also taking accountability where we may have proposed or implemented something that wasn't a right fit and saying, hey, that wasn't right. Here's the miss and here's how we're going to make sure that doesn't happen again. So it's not even about always getting it right the first time, but
Matthew Chiodi (36:00.012)
Hmm.
Nicole (36:15.582)
The business needs to see that you understand what they're trying to accomplish and you are effectively balancing business and cybersecurity priorities. But honestly, it's really, it boils down to trust and rapport.
Matthew Chiodi (36:35.053)
And that's something that you can only build over time in my view, right? That's something that like, if you're, you know, and I guess this would go for any, any other part in business as well. But you know, if you're a cybersecurity practitioner, you, you know, you know, here are the things that I want to do, or I'm being asked to do by my CISO or my boss, whoever it may be. If you don't have the relationship, trying to get those things done in any part of the business is going to be exponentially more difficult. And as you mentioned,
Nicole (36:52.424)
Mm-hmm.
Nicole (37:02.121)
Yeah.
Matthew Chiodi (37:03.509)
you know, you've got to build those relationships ahead of time.
Nicole (37:06.804)
And you've got to build goodwill, right? That's why when I initially start meeting, you know, business folks across the business, I'm not shoving cybersecurity down their throat. I don't even want to talk cybersecurity. Honestly, I want to talk about you, your leadership style, your business, your teams, how you're structured, what's on your roadmap, what are your priorities? What are your challenges? Have you worked with InfoSec? How has that experience been? How can we do better?
Right? That's what I want to do. And I don't even want to ask you to do a thing. I want to know how I can support you. I want to build goodwill. Because the reality is, if you don't ask somebody for something and you offer to solve problems or challenges for them, and you do so, by the time you come back and ask for something, more than likely they're going to say yes.
I need you to say yes. I'm always working towards the yes.
Matthew Chiodi (38:10.605)
I love that. I love that. I do think we often forget. I mean, it's just a basic part of, I think, of just relationships in general, but it is an investment, meaning you've got to do it before you need it. And I think that's really powerful. So maybe for some of our listeners who are aspiring security professionals, maybe they want to get into a BISO role. What would you say? We talked about the ability to build relationships, which I think is huge.
Nicole (38:24.147)
That's right.
Matthew Chiodi (38:39.607)
What are maybe two or three really critical skills, technical, non-technical, that you think someone needs to maybe work on if they want to get into a BISO role in the future?
Nicole (38:50.131)
So there are three core capabilities or core competencies, I think, that aspiring business information security officers should have. The first is going to be domain expertise, right? I think there probably just needs to be one domain that you have really deep knowledge and expertise in. For me, coming from an audit background, it was very much GRC, right? Like that was my thing.
I knew how to chop up risk, I knew how to think about remediating risk, monitoring risk. I could do that all day long. So figuring out what your domain of expertise is. The second thing is relationship management, right? And all the things that flow into that, executive presence, active listening, being able to read the room, intellectual curiosity.
those things are so important. Who needs to be what type of partner, right? Like there are some parts of the business, they wanna do everything first. They wanna be able to say, we did this first. So I'm gonna go to them with new ideas. There are other parts of the business that are gonna say, well, what did that business do? Right? So I know not to go to them first, but not to come to them until I have something tried and true. So there's like a psychological element of it as well. The last and probably
the most important is innovative problem solving. Because when you are operating in a philosophy of business-first cybersecurity, the business is always evolving and doing something new. And so what happens is, Matt, you're going to have challenges that you've never had before because you're doing things you've never done before. And if you're one of the people who need a script or like a checklist to solve a problem, this role is not for you, right? Because
Matthew Chiodi (40:42.53)
Yeah.
Nicole (40:45.049)
We are recipe makers, right? We've got to figure out, you know, which bits and pieces of capabilities, tools and service offerings align best with this situation, right? And will help us get to an ideal state. And sometimes that means trying things out. Sometimes that means things not working. But going back to that relationship management, how do you communicate?
Right? And work with your business partner so that they know this ahead of time and they're not surprised when these types of things happen. Domain expertise, relationship management, and innovative problem solving.
Matthew Chiodi (41:26.072)
So you have a lot going on. You're in the middle of writing a book, you're building a BISO group, you're doing a lot of other things as well. Your IANS work, we're both faculty on IANS. What's your personal routine look like to stay sharp?
Nicole (41:36.701)
Mm-hmm.
Nicole (41:42.162)
This is probably something that needs development. So sleep is important. Sleep is definitely important. Sleep is a big part of my routine. Staying hydrated and getting sunlight every day is definitely another. I do try to ground pretty often. I don't ground as much as I'd like to, but I definitely try to get that in. But I do like to spend time in nature, some type of movement.
For me, that looks like walking. Like this morning, I walked three miles. The morning before, I biked 15 miles. So cycling is a big, big part of my routine as well. Also, continuous learning. Continuous learning is critical. I have an hour carved out every day for learning. Does not mean that I dedicate myself to that hour every day. But if I can get two or three hours per week,
that to me is really good, and I can spend that time reading, listening to podcasts like yours, taking courses, reading white papers on the IANS portal, but just constant feeding and tapping into different knowledge sources. And then honestly, just like spending time with my team, right?
Matthew Chiodi (43:04.459)
Hmm.
Nicole (43:05.735)
Just like making sure I know what's going on in their lives, making sure that they feel confident and supported. I'm building a team out in China. I've been spending time learning Mandarin. I don't think I'm going to be conducting meetings in Mandarin anytime soon, but if I could at least greet people and start out a little bit, it's appreciated. And I think most importantly is spending time with my family for sure, because that's what we do it all for. That is what's most important.
Matthew Chiodi (43:20.173)
Right.
Nicole (43:35.955)
And then having a spiritual routine, a spiritual life and therapy. We see some crazy stuff in our field. And so just making sure I'm mentally healthy is amazingly important with the balancing so much and most importantly having a very high stress role.
Matthew Chiodi (43:43.116)
Hmm. We do.
Matthew Chiodi (43:56.302)
I appreciate your honesty. I think you actually have a very good routine, a very healthy routine. I always ask, I've been asking this question for five plus years on the podcast, and I appreciate your honesty that, you know, you've got that hour a day on your calendar for learning, but it doesn't always happen. But I think the importance is you've created the routine, and that's what I think is really important. And you brought a lot of things into that routine to stay sharp.
Nicole (44:00.594)
Mm-hmm.
Nicole (44:07.813)
Yeah.
Nicole (44:17.553)
Yes.
Matthew Chiodi (44:22.335)
So I appreciate that. What's maybe just the last question, is there anything that I didn't ask you that maybe you wanted to cover?
Nicole (44:22.578)
Yeah.
Nicole (44:31.281)
Honestly, Matt, you make me want to step my game up as a podcaster. These questions were so good. This has been such a thoughtful conversation and it's caused me to...
Matthew Chiodi (44:35.363)
Thank you. Thank you.
Nicole (44:46.479)
reflect and unpack the work I do on a level that I typically don't get the opportunity to do. It's made me much more grateful and appreciative of the opportunity that I have to work in this industry and that I found a space where I can combine my non-traditional background with the work that I do in cyber and it actually becomes an advantage and not...
Matthew Chiodi (44:49.206)
Hmm.
Nicole (45:18.031)
a hindrance, right? It's because of my non-traditional background that I thrive as a BISO, because the business isn't thinking about cybersecurity first. They don't understand that. They understand business, right? It's what's motivated and inspired me to write this book, because I didn't have it and I needed it.
So thank you for inviting me here. This has been such a great opportunity to just be reflective and sit on the other side of the podcast table. I don't get to do that too often.
Matthew Chiodi (45:50.797)
Well, thank you. Thank you for coming on. Thank you for the kind words. For our listeners, Nicole's book is coming out. It sounds like the end of '26, so just a little bit over a year from now. It's called Learning Cybersecurity, a Practical Guide to Essential Cybersecurity Concepts. Nicole, thanks for coming on the show.
Nicole (46:08.296)
Thanks for having me, Matt.