The Strategy Layer Live
The Strategy Layer Live helps CISOs and cybersecurity leaders rise above the noise and drive measurable business value. Hosted by Identient, this podcast explores how to lead with intelligence, influence, and clarity—aligning security with the priorities that matter. It’s not just about protection—it’s about performance.
How To CISO with Andy Ellis — Leadership Lessons for the Next-Gen Security Executive
What does it really take to lead as a modern CISO?
In this episode of The Strategy Layer, Steve sits down with Andy Ellis — former CSO of Akamai, CISO Hall of Fame inductee, and author of How to CISO 1.1 — for a wide-ranging, no-fluff conversation on the future of cybersecurity leadership.
Andy brings clarity, candor, and decades of experience to the table as we explore:
- The core leadership principles behind How to CISO 1.1
- The Zero Trust paradox — and how it’s creating more confusion than clarity
- Why the next-gen CISO might not be who you expect
- How to lead with presence — in the boardroom, and in the moments that matter most
Whether you’re new to the role or a seasoned executive, this episode is packed with insights to elevate your mindset, sharpen your strategy, and lead with intention.
Listen now and rethink what it means to be a CISO today — and tomorrow.
Wouldn't it be great if you were the CISO and your organization ran so well that you could go and support the product line as a CTO de facto, or that you could go sit on the beach and nobody would notice? These are all great outcomes for you.
SPEAKER_00: Hi, everyone. I'm Steve Tout, and welcome to the Strategy Layer, where we get real about what it takes to lead cybersecurity in a world on the edge. Today I'm joined by Andy Ellis. He's the former CSO at Akamai, a CISO Hall of Fame inductee, a leadership coach, previously partner at YL Ventures, and he's the author of his latest book, How to CISO 1.1. Andy's been in the trenches. He's operated at scale, and he's one of the few voices in the space who can distill deep security experience into clear, pragmatic leadership guidance. In this episode, we unpack some of the big ideas from his latest work, including how to think beyond the frameworks, leading through complexity, and showing up with clarity when it matters the most. We'll also dive into the Zero Trust Paradox, how the language of distrust is clashing with the leadership that we actually need right now. And Andy shares his prediction for the next generation CISO. His answer? It might surprise you, so I hope you stick around to find out what he says. This is one of those episodes that will sharpen your leadership edge, whether in the boardroom, with your team, or with yourself. But before we dive in, my ask: please subscribe and leave a review wherever you listen to podcasts, and share it with a colleague. This has been a passion project for me, and I would love for you to join and help make an impact on our CISO community. So with that out of the way, let's get right into it. Just by way of brief introduction, Andy Ellis, you have a very distinct title of Hall of Famer as a CISO. Your current role is as partner at YL Ventures. Multiple CISO roles in your background, including at Akamai and others, which I think makes you an ideal guest for the Strategy Layer, because, as the name implies, we're talking about strategy here. And you just announced about a month ago that you updated How to CISO. Yep. Version 1.1. And we're going to get into that a bit before we do.
In recognition of kind of the craziness and chaos and instability that's happening around the globe, this is a conversation for cybersecurity leaders: CISOs, sometimes CIOs who have that responsibility, and others within this mix. How do you go through a process of getting grounded in these uncertain times? Like, even just to get into the mindset to sit down with me for one hour means you have to shut off what's going on outside your doorstep. Is there a practice or a focus or, you know, some way that you can get grounded when the stakes are high and when it's called for? Yeah.
SPEAKER_01: So I think it really is very personal, how different people are going to react to that one. For me, I've always actually been pretty good about, like, just put things in a box for a little bit. Like, oh, I gotta walk into a meeting. Pause, take 30 seconds, deep breath, and just shut everything out. Like, this is where I am. I'm present in the moment. It gets really hard when you have, like, a computer that's reminding you all the time. So one of my practices is, like, I've got you up on my teleprompter in front of me and that's it. Like, that's my screen. I do have a second screen that's off to the side here, but it right now just has the LinkedIn page for this. So if people comment, I can interact with it. So a big piece of it is actually physically close the world off. If you want to be present in the moment, then you have to reduce distractions, because humans are actually really bad at multitasking. There's a fun experiment, a cognitive party trick. You might have experienced this. I love these. They're usually done as icebreakers: some leadership person is going to come in, and they want to show you how the human brain works. One of my favorite ones, a simple one just for our audience to know what we're talking about. So, Steve, I'm going to ask you four questions. I just want you to answer as quickly as you can, okay? Okay. What color is snow? White. What color is snow? White. What color is snow? White. What do cows drink? I almost said milk. Water. Why did you say milk? Because I primed your brain with the color white. And so you got white milk beverage. So your brain's like, oh, quick answer. Let's throw out an example of a cognitive party trick. Yeah. These are like gotchas. But there's one that's fun, which is about multitasking. Yeah. Which is get one person with a stopwatch and somebody else is your participant. And you have them count as fast as they can from 1 to 26, right? And you time them.
And then you have them, as fast as they can, obviously with enunciation, not count but do the alphabet, A to Z, fast as they can. Then have them alternate A1, B2, C3, D4, etc. Time it. And you might say, oh, well, the time should just be the addition of the two. But it's not. It is so much longer because of how much brain you have to use to switch between counting and doing letters.
SPEAKER_00: Is there a priming trick to get you to transition from a state of distraction into focus before you head into the board meeting or to an important conversation? Is that where you're going?
SPEAKER_01: Yes. You have to figure out what works for your brain and then don't let yourself get distracted. Don't pay attention to something else. And so I like to walk in and say, what are my goals here? What am I trying to do? What am I going to have to reference? So I knew we were going to talk about How to CISO. So I pulled up the How to CISO website 10 minutes ago and just quickly went through some of the stuff I had there to remind myself and prime myself: this is what we're going to talk about. Maybe we're going to talk about my book. And so, like, I should flip open my book and look at a couple of paragraphs. So I've got things I can reference, you know, that would come up naturally. But it's basically, you know, priming your short-term memory with the things you're about to go talk about, rather than, when the topic comes up, now you have to pause and try to remember what it's about. If you know what the meeting's about, you write down your success criteria, get the knowledge you need primed in your brain, and not just rely on the fact that, oh yeah, I'll remember that when it comes up. Where that then applies is you're also now dumping out the state of the rest of the world. So you can say, oh, the fact that there's a war going on and that I have friends in harm's way, it's always there a little bit. But for this meeting, that's not what the meeting's about. So I'm going to set that aside.
SPEAKER_00: Yesterday, I was processing, as I always do, and I was thinking, man, how do you go and do some things that are not as high a priority when there's some really wicked things going on? So again, I think in the context of all that's going on, I appreciate you taking the time and the focus and that you've prepared. I think that leadership is such an important topic, and if we can give ourselves the time and the focus and discipline to improve on this, we're going to come out better on the other side to tackle what's really gnarly and some bigger challenges. That's the goal. That's the hope, anyways. That's why I do this. Before we dive into the book, another thing that I couldn't help but wonder: I am an INTJ, and as I read through from our prior interactions and your leadership style, I am trying to assess this all the while. I think you're an INTJ too. Am I correct in that assessment?
SPEAKER_01: So I'm one of those weird folks that I'm borderline. I'm borderline between INTJ and ENTP. But some of those are trained behaviors. My favorite thing is if you take the Myers-Briggs questionnaire, you look at just the I/E, the introvert versus extrovert. Exactly half of the questions are about what you prefer to do. And half of the questions are about what you do. And on the prefer to do, I'm a straight-up introvert. What do I like? I'm sitting up in my attic. No other humans get near me. I would be happy to go sit on my couch and read for the rest of the day and not interact with another human. I'm totally fine with that. That's a great day for me. But I work in an industry and in a set of jobs where I'm the life of the party. You make me walk into a party, I'm not a wallflower. Because I'm at the party to engage with people. So I'm going to be the center of everything. It's a running joke. I'm on a nonprofit board. And every motion that gets made, I'm the person who seconds it. Well, because that's my job. Like, I'm there, I have a bunch of rules. So I look like the extrovert. Oh my God, Andy's always involved. I'm like, no, I'm saving us 30 seconds of everybody looking around the room for who's going to second a motion. Like, nope, nope. I'm just going to go do that. So I'm borderline I/E, and similarly I'm borderline, you know, J/P. I really want to judge people, but I try instead to meet them where they are and see them.
SPEAKER_00: Like I said, an introvert through and through, but there are times when I feel so compelled by the mission and by the work. I don't get out on a stage because I like the limelight, or I don't talk on forums like this because I love to hear my own voice. In fact, I'm kind of horrified by it. And then I have to go edit these things afterwards. But I shut it out because I focus on the mission and there are people who learn. And in any case, that's a little sidetracked there. Not so much. As leaders, I think self-awareness, preference, leadership style, how we have to adapt in moments of need and moments of crisis are important skills.
SPEAKER_01: Absolutely. And it's actually the foundation for great leadership: you must first understand how you behave, how you're going to be different, because then you have a place to build empathy from. If you understand introversion and you understand that that's not the normal, that, like, oh, normal is something else, now you can deal with the fact that the normal for some is different, that you have somebody who's an extreme extrovert. And so just in the fact that you say, well, I know that I need quiet time, but I'm not the normal. And I have other people who also need quiet time, but now I can accept that there are people for whom quiet time is painful. Right. They're like, no, no. If they're going to show up, they want to be nothing but shown up. It's like, oh, we're doing a five-day offsite. I've got somebody who wants there to be activities the whole time because otherwise I'm wasting their time and energy.
SPEAKER_00: So we've established that you like reading. Well, you obviously like writing. And I think I saw elsewhere that you play video games. You seem to have a setup that allows you to indulge.
SPEAKER_01: I've got that monitor here. I used to play a lot more video games than I do right now. My son is the avid gamer. He plays Valorant. He also does video production for Valorant competition. He's been doing that for a while. And in fact, end of the week, he and I are headed to Toronto for the Valorant Masters. This will be my first time going to an eSports competition where I'm going to sit in the same room as the people who are playing. It seems like a very interesting thing. I can't wait to see what that vibe ends up being like.
SPEAKER_00: That's cool. I'm into game theory. I used to play games as a kid, but I'm more intrigued now by the game theory in real life and then layered in with, like, the math behind it. And I'm very fascinated by that. And I think some of that, you know, as we kind of shift into your thinking in your book, what I find is very pragmatic. You talked about architecting environments, and there's a, you know, kind of a very famous illusion. Before, we were talking about auditory illusions. Now there's a visual one: if you look at this figure, right, you can see, like, the figurine, but it's in black and white. So if you focus on the figure, you see two faces.
SPEAKER_01: Right. So there's a candlestick or two faces, or a lot of different ones that do that. Yeah.
SPEAKER_00: Yeah. And I think that's, you know, as I shift into talking about your book, and this is what I talk a lot about, too, in my writing and consulting, which is the background variables matter quite a lot. And if you focus on that, you cannot isolate technology. Tech is great. Zero trust is great. Firewalls, well, maybe firewalls are not as great as they used to be. And we could just create that list, right? But as we look at the first 91 days of the CISO's role and beyond, how much more than technology this job really entails. Getting into that, I'm going to just, you know, for context setting, I'm going to bring up this book view that I have. Well, for the viewers, I'm just going to show these books. So Andy, you wrote this, 1% Leadership. I bought it. Your personal stories, your story about problem solving at a baseball game with your daughter. You just bring in such stories that illustrate these. And How to CISO, which was the one that sparked my intrigue about a month ago because you wrote this, and at first I was saying, okay, this is 2.0, but this is actually 1.1. So very briefly, in your words, what is How to CISO, and why is it 91 days instead of 90? And then why did you write version 1.1? What's different?
SPEAKER_01: So there's a minor, I'll tell the answer sort of backwards. So the reason it's version 1.1 is I published version one like two years ago. And I'd gotten a bunch of great CISOs who had given me feedback. And so I just wanted to update it, refresh it, tell people this is different than what it was. But it wasn't like a major fundamental rewrite. It still has the same structure. It's got some new sections. And I still have more work to do on it. What 1.1 really means is I have a vision for what 2.0 might look like. And I'm not yet close to it. And it will take a while because this is a series of books. And let's come back to what is How to CISO. It started because I looked around at the industry, and there's two fundamental problems that I've seen. One is that a lot of the content that's aimed at CISOs, whether it's people who are currently CISOs or looking to become a CISO, first of all, it's all very ephemeral. When I wrote this two years ago, there were like seven LinkedIn posts about the first 100 days or the first 90 days. Those are all gone for all intents and purposes. People wrote these posts. They went viral. Nobody can find them now. So we're losing content because it's ephemeral. And then the second problem is, you know, a lot of the content gets written by people who, you know, have commercial motivations. Oh, I want to drive clicks. Like, I wrote this when I was at Orca. Absolutely, the marketing team wanted it to drive clicks. There were occasional battles about what the content was, because I wanted it to be, this should be just evergreen, amazing content people want to read. And the fact that it drives clicks is almost secondary to that. So that's sort of the goal for How to CISO: relevant content written by a CISO for CISOs and potential CISOs. Why the first 91 days? Well, first of all, it's a quarter. It's 91 days.
But the reason that I use it is I think that people do the wrong thing from an SEO perspective, which is they try to write to capture what people are searching for. But so is everybody else. So now you're just in this race to farm a couple of clicks that might or might not matter. I like to write content that people know they can come find. So if you Google "CISO 91", I'm pretty sure that's what comes up. Like, literally I own the term CISO and the number 91 is me, because I was the first one to use this. If you search on "vendor rebuff", you'll get me. Like, that's a post I wrote like 13 years ago. So I'm a huge fan that if you know what you're looking for, you should be able to go find it. And modern content management strategies have made that almost impossible because nobody wants to have these unique titles. Like, Google "the death of the CIO". I come up pretty quickly on that one, because it's like, write these things that are going to catch the imagination.
SPEAKER_00: Love it. I think that's brilliant. I had just written a book as well and used a similar technique. I don't think I was quite intentional. I was just trying to maybe make it memorable. But I guess there is a science there that I haven't thought as much about as you have.
SPEAKER_01: To be memorable, you have to be distinct as well. And so it's like, hunt for the things nobody's searching on. For 1% Leadership, I had a publisher involved and they got a lot of say in the title there. So we ended up with something that was still relatively searchable, but not as distinct as I was hoping for.
SPEAKER_00: Yeah, so you're evolving your thinking here about 1.1. And by the way, you know, I was reviewing the website. And I think if anyone's interested in the book, it's free material, yeah, some of the most valuable content and a short read that you'll find online, from someone with huge experience and wisdom to learn from. But you have a series of books. There's also some on how to apply zero trust to the clouds in the How to CISO series.
SPEAKER_01: Yeah, so what I did is I basically have, like, three layers of things I'm writing. So one is what I call the volumes, which are the very big topical ones. So volume zero is the idealized CISO job description, like everything you might get asked to do. Volume one, we just saw, your first 91 days. Volume two is too long. I haven't published it yet. Like, my long form, and it's still too long. So it's like 40 pages, and it's like how to measure and manage risk, how to talk about risk and what's the language. And it's like, let me walk you through every risk scoring methodology everybody has ever used, what they're good for, what they're bad for, why they don't really work, but why you might use them in your organization. I want to get that one out a little later this year. So that's probably my next big project. So we have the volumes for these big topical issues. And then I have these handbooks, which are, hey, let's just talk about what does zero trust mean? What is SaaS security? What is AI? Primers, more for probably people who are mid-career, but also it's great refreshers for CISOs of, hey, when I talk about zero trust, what am I really talking about? Oh, minimize unused privileges, make it hard for people to steal credentials. Like, it's only a couple of things that really matter from a zero trust perspective. And then tied into that is how do you apply these in different environments.
SPEAKER_00: On the topic of zero trust, we briefly, and maybe I just opened a can of worms on the tail end of our last conversation. But in this particular book, How to CISO, you don't talk a lot about zero trust per se. This is more about the leadership aspect. And in your other book in the series, you talk a lot about ZT for the clouds. Before we dive into this, and just to give you an idea of where I'd like to go with the conversation, I've just outlined, in David Letterman style, the top 10 unique insights from Andy Ellis's How to CISO. And I want to walk through each of those 10 with you. I love it. In the rest of the hour. But before we do, one thing that's been sitting on my mind a lot, like one of the sections in a book I just wrote, I talked about the paradox of zero trust. On one hand you have systems that we're trying to, and I don't disagree with this methodology or this philosophy, right, about the need to avoid, or not have, zero trust implicit in systems. Yep. But on the other hand, we live in a world where you're not going to have zero trust nirvana, or perfectly across the enterprise, because everything's changing all the time. You live in a world where, in some places, zero trust maybe isn't needed. And so the cost or expense or effort to do it doesn't justify doing it. But then when you toggle to how trust is more or less the currency of business, and you do talk a lot about trust as a framework and leadership in this book, which I love. Do you see a paradox here, where there are some CISOs or cybersecurity leaders who carry over their zero trust mindset into their interpersonal relationships? And does it affect trustworthiness, or can it undermine their efforts to build trust in the boardroom or with their peers?
SPEAKER_01: So I think it really does, but it comes back to what's actually the true paradox of zero trust, which is people actually are not trusting the right things. And that mindset comes in because people who are rolling out zero trust end up in this model where they say, I don't trust the user. And everything becomes about how do I stop trusting the user, because all users are adversaries. And it just sort of ends up in the state where you're so paranoid and angry and adversarial about everybody that walks into your interpersonal relationships. All that Zero Trust was, and look, I get to say, I think with some authority, what Zero Trust was, because Akamai built the first Zero Trust platform. Like, for ourselves, we were building it. Google was building it. I think Heather Adkins is the godmother of Zero Trust, but I'm a close second. I'm the dad of Zero Trust. Like, yes, there's a white paper about Zero Trust, but the actual practical implications of what we built, and what we built was trying to say, applications should not have implicit trust. It shouldn't be that, oh, because you're on the internet, you get access to all of our data. Like, that was the world we all lived in, was that computers trusted anybody. But that was in a world in which the easiest way to compromise an entire company was to compromise one administrator. And as people have rolled out zero trust, they've forgotten that. The problem was not the user. The problem was the systems trusted each other and trusted the admins. The user has never been the problem. They're just a side effect. So when I talk about zero trust, and I pulled it up here just so I remembered what I have, I have three principles which shock most people, because I don't talk about, like, monitor everything that your users do. Very simple. Individualized strong authentication. You should know who is doing a thing, and by who, that's not a human. That's a set of a human and some computers. The computer I am on is part of me.
It is not part of something else that's proving I'm me. You have to trust that I'm here with the computer. Like, there's some things you might do. But the biggest challenge is if I've got a bunch of administrators who could log into my machine and do stuff, you never know if it's me. Because that's the second thing, which is limit the assumption of privilege. That if you give one person a right to do things, you want to make it that nobody else gets that right except for that person. And so anytime an admin can clone somebody's credentials and pretend to be the person, you violate zero trust. And then the third principle, which is what people over-focus on, is minimize unused privilege. And most people know this as least privilege. I hate the phrase least privilege. I've hated it since the day I started in cybersecurity. Why? Because it immediately creates tension between us and the business. If I say least, and yes, I'll put after it, "but to do your job," nobody believes the but. What they hear is you're taking away my rights. No, no. I just want to minimize how many of your rights you're not using, which is either let's maximize you using rights, let's figure out what you need and give it to you. But what I care about is the stuff you're never going to use. The fact that it's sitting and provisioned, so when somebody does assume privilege, I have a risk. That's it. Do those three things and you have zero trust.
SPEAKER_00: Perfect segue into the top 10 of the insights from How to CISO, because you just demonstrated, I mean, you understand the technology, you've written another separate book on that. But number 10, and this is not an exact quote, this is more or less a paraphrase of a concept from How to CISO to make it a little more conversation friendly. But one of the key insights that you talk about is if you're using the wrong language, your governance meeting is a mind performance.
SPEAKER_01: Yes.
SPEAKER_00: And you just toggled right there from talking tech and zero trust. But when you change the language, when you're talking to the business, right, you can't use security jargon. Otherwise, you're going to lose them and undermine trust.
SPEAKER_01: Exactly. You basically want to learn to tell fairy tales. Like, why do we tell fairy tales? We tell them to our children because they're cautionary tales. Like, forget the Disney versions of them. Almost every fairy tale is, if you do X, bad stuff will happen. The point of Little Red Riding Hood is don't talk to strangers. And when you have a hint that a stranger is sketchy, they probably are. That's it. That's the whole point of it. But if you say don't talk to strangers, your kids won't listen. So instead, we tell the story of the wolf. It's like, look, the wolf asked questions of you, got information. Then when you walked into grandmother's house, it was the wolf who was pretending. This is a classic cybersecurity story told to kids. We teach this to children without ever mentioning security and safety. That's what we have to do in the boardroom.
SPEAKER_00: And maybe this is counterintuitive at first, but the need to develop a new lexicon, or a lexicon that's more appropriate. I think it's probably our responsibility as technologists or cybersecurity leaders to adapt to a business language and a business environment, rather than to expect them to learn a cybersecurity lexicon. Absolutely.
SPEAKER_01: Well, and I'll be honest, most of the cybersecurity lexicon is, I don't know if I'm allowed to use profanity, but I want to put profanity in right here. We use words like risk as an individual noun. It's crazy. Why are we talking about that? We should say, this is a hazard. It can lead to unacceptable losses. We don't want to trigger it. There's a whole language that the safety world has that we can just borrow, but instead we try to create our own, and then we try to force it on people. They didn't want to talk to us to begin with, and now they have to learn a new language to do so? Not going to happen.
SPEAKER_00: There's another one here, too, which is knowing your environment, knowing your audience. And I think this helps to illustrate, I think, the genius in this book, or at least what sets it apart from other books, is understanding of the environment and the culture. So number nine: you're either in a carbon org or a silicon org, know which one or you'll secure the wrong thing. So this framing changes everything, user-first versus machine-scale security. I have never heard it put this way. And I think maybe there's an assumption that all orgs are the same, or at least they don't see this distinction. Can you elaborate on the carbon versus the silicon org?
SPEAKER_01: Yeah, and I got this actually partially, this idea, from reading a science fiction novel a long time ago, post-apocalyptic. It's by Sean McMullen, and it posits this computer that's made of humans. That you're not allowed to have computers because there's apocalypse weapons in orbit that will blow you up. So you build a computer out of people who are the components of the computer. So it's a giant system in an auditorium where each human is like an adder or a subtractor and you're doing math. It's a really cool feature called the Calculor. And what's fascinating about it, it's like that's an organization in which the humans provide value, but only in as much as a computer can't do their job. The computer is what's important. And if you think about a call center, that's how a call center mostly operates. Most companies would get rid of the humans in their call centers if AIs were actually good enough. We might be kind of close to that one. But when you think about call center security, like, most of them have things like, oh, there's a locker outside for your phone because you're not allowed to bring your phone in because you might take a picture of what's on your screen. We have draconian security because we wish that we could wipe the brains of the people who are coming in. We just want a random human to come in, follow the process, and when you're done with the ticket, forget what you just did, because you're a walking data breach. So the amount of security we put on that person is insane. If you tried to put that on a developer who works in a carbon-first organization, they're going to be like, no, I'm not going to come into an organization where I can't have my phone. I can't browse the web. I can't use the newest and latest tools, like whatever it's going to be. Very different environment, where you have no IP unless I put it into the computer. Whereas in the call center, the person's not adding any IP. It's all already there. You're trying to protect that. So a lot of our security is focused on this call center, the silicon-focused environment. And then we try to apply it to these carbon-focused environments.
And we wonder why the whole organization rebels against us.
SPEAKER_00: I was just having a conversation with another CISO last week. We have a mutual interest in the Severance series, the TV show. And I think there are probably... they got zero trust perfect, right? And wiping the memory, having, you know, network isolation and segmentation, and yet they still suffered some pretty devastating consequences. We're looking forward to what's going to happen in season three to see where this ends. But it shows, right, that distinction you mentioned. The wiping of the memory, which triggered this thought. Interesting. You know, from zero trust and zero knowledge proofs and least privilege, we could see why that's important.
SPEAKER_01: Yep. But it doesn't work in most environments.
SPEAKER_00: So the wisdom here is understand the environment that you're in, and what security strategies are going to work and what are not. And hopefully this comes as no surprise to you, and that you've figured this out before you accepted the job.
SPEAKER_01: I hope so. But most people haven't. Like, especially your second CISO job, I think, is the hardest for a lot of people, because they figured it out in the first job, but they haven't yet figured out which parts are repeatable and which parts were unique. And so now they switch. And so that's one of the groups I really wrote the first 91 days for, was to say, hey, when you switch jobs, you have to figure out all the ways this job is different than your last job and how that's going to affect what you do. Because while you want to focus on what's common, that's actually what's going to get you in trouble: if you think you can apply a practice from your old job into this new environment, that's going to blow you up faster than anything else.
SPEAKER_00Well, coming back to the topic about keyword and SEO and... making sure people know what they're getting into. I almost, and maybe this is feedback for you, but you do say 91 days. I almost think that framing this live stream as a conversation with Andy Ellis about the first 90 days may give the impression that we're targeting first time CISOs or someone's trying to break into the
SPEAKER_01world. Yeah, I've gone back and forth on that one. Like, how do you do it? And I just decided somewhat you over-specify. And realistically, SEO is now so much AI augmented, the AIs are reading the content to reference it.
SPEAKER_00Well, my take, and this is just from my discipline of like, I'm a runner and I love running and it's like, you can't get into running a 20, 30 or even a 50 mile segment in an ultra marathon unless you've figured out how to do a 10 mile or even a marathon distance. So I hope that the wisdom that comes through is that getting the practice in to know what that first 91 days looks like is important regardless of where you're at in your career. And the more times that you repeat it, I hope that the better you get at that first 91 days because they're quite consequential.
SPEAKER_01And I've had people read this who are not CISOs and they love it. They're like, oh, my God, I just changed jobs. I'm a product manager. And about 80% of this was applicable to my job. I'm like, great. I didn't necessarily use the right language for you, but I'm glad that was effective because there are a lot of things that are like, oh, you come in. You should learn what all your tools are. You should learn how the organization works. Here's the questions you should ask. Like just change the security off of it. I don't know if it's going to be on your list later, but my favorite is the two questions you go ask everybody. Go ask all your stakeholders and say, what are the stupid things we're doing that you wish we would stop? And what are the obvious wins we could be doing that we're not doing?
SPEAKER_00Well, let's not get ahead. We're on number eight. So this one is within the context of risk assessment, risk quantification. I was just having an interaction with Richard Syerson about this. I don't think we have a disagreement. Oh,
SPEAKER_01no, we have a disagreement here. I'll
SPEAKER_00be fair. I think there may be a disagreement there. bubbling up between myself and Richard. And I'm just trying to find a way, you know, look beyond the CISO as a risk translator and looking at this next generation of CISO and what that job entails. Maybe we can get to that, this next gen CISO, which is where I spend a lot of my time thinking. And it's why I wrote the book I wrote. But number eight, don't just look for assets. Ask what would make this company's worst day. You know, if you, you know, talk about if you reframe risk by CISO, starting with unacceptable losses, not inventory. It puts min-max and maybe even a more strategic way than just running Monte Carlo simulations. Thoughts about this? So this one is... I
SPEAKER_01have a lot of issues with risk quantification. This is not one of the places where it does it. I do know people who are risk quants that always start with assets and then... You're trying to calculate the damage to an asset. I'm like, just skip the asset. The asset's a hint for you. Just let's talk about unacceptable losses and damage. And the example I like to use, because this all comes out of the safety world. Like this is not novel language. This is how complex system safety people think, is take an airline, right? You've flown on planes before. So you have some passing familiarity with airlines. What are airlines' assets, right? Planes, fuel, gate times. Like there's a ton of assets, right? Reputation. Reputation. What is the greatest unacceptable loss for an airline? What's their worst day? Lawsuits. Lawsuits are not their worst day. Killing people is their worst day. So much so that when a passenger is alive, the phrase for them is PAX, short for passenger. When they're dead, they're souls, right? Plane crashed with 75 souls aboard. I don't say passenger. The industry takes it seriously. This is how they think. It's not an asset. They don't say, oh, we own these humans. They know their biggest unacceptable loss is crashing a plane and killing people. They got it right. And now everything flows from that. So that's the language that matters. And obviously, you don't want to walk into every organization and say, our worst thing is killing people because most people don't believe that. But you have to figure out what are those unacceptable losses that will resonate with everybody. Like, yeah, that's what a bad day looks like.
SPEAKER_00Yeah. Well, in Richard's defense on this one particular, there is a slide where he shows, you know, pushing beyond just a valuation of assets that a worst day could look like the company loses 33% of its valuation.
SPEAKER_01Right. But that's the problem, is that is still an asset. Your valuation is an asset. Like this is what we're worth. Those are hints towards what you want to talk about. But let's just be honest. Losing valuation in the stock market, not actually that bad of it. Everybody's going to hate it, but we've all seen the rebounds. The unacceptable loss, we breached customer data. That's unacceptable. Okay, what is that? What do those phrases look like for your board? While they care about dollars, you're a CISO. Unless the CFO is talking about the dollars with you, you don't
SPEAKER_00have credibility. How do you translate that insight into operational strategy once you've assessed what the company's worst day looks like?
SPEAKER_01So I like to look at, you know, when you talk about risk management and your risk strategy is one of the biggest challenges people have is they try to have a one size fits all. Like this is the way I score my risk and I talk about my risk. The reality is if you think about the risk nine box, it's really a five box. There's four corners and everything in the middle, right? And so one corner is high, high, like things that are very likely to happen and are very bad. We call these incidents, by the way. If you have something that is like that, you don't have to do risk scoring. It should be really obvious to everybody. You get to say, wow, we're losing a million dollars a day because people keep stealing stuff from us. Let's stop that. This is not a conversation about whether you should do a thing. It's a conversation about what are you going to do fast to solve this problem?
SPEAKER_02So
SPEAKER_01you're not walking in trying to do exact risk calculations of how much money you're losing because people know it's over a million dollars. Like that's noticeable. And so whether it's a million or two million, like go stop the bleeding and then we'll worry about it. So don't do risk scoring for that. At the far corner is the low, low. What I think of is the debris on the street. And I go to Tel Aviv a lot. And if you've ever been to Tel Aviv and you go to Nahalat Binyamin, especially around Rothschild Boulevard, it's where all the nightclubs are. And when you walk out at like five or six in the morning, you will never see roads more filthy than what they are there. Like every nightclubber comes out, they're littering. It's awful. Like it's a disaster. Can you imagine trying to count them to say, well, how dirty are our streets? Oh, there are a million and 35 pieces of litter. Like, why would you count them? Either you do what Tel Aviv does, which is a street sweeper comes by every morning and they clean the street. You have a process to deal with litter or you don't have a process. You don't care about each individual piece of litter. And so don't score things that don't really matter, right? The other two corners are very interesting and there's where we get stuck a lot, right? One corner is happens all the time, like high probability, but low damage, right? Right. So for these sorts of things, like hopefully you can say, oh, look, these are minor incidents. Let's just go solve these things as they come up. Right. But this is what you have an operations team for. Right. These are just operations tasks that come up, go solve the problem because they're happening on a regular basis.
SPEAKER_00Yeah. Yeah. OK, I understand. So maybe more of a coarse-grained prioritization matrix than a fine-grained one. If it's 78 versus 92, it still has to be
SPEAKER_01done. Like these are things, but everybody can see it happening. But then when we get ourselves stuck is these low probability, high damage things, right? The scenarios that we like to talk about that nobody really believes it's going to happen to them. And so we spend all of our time trying to compare these into the other three corners, and when this is the stuff that we lose credibility on, what I have found really works there is to tell fairy tales. I'll come back to that. You go talk to an engineer and you say, hey, there's like five different risk scenarios I've got for you. And if they only believe in one of them, that is your most important risk now. Don't talk about the other four. You're going to spend all your time fighting with them. If they have one that they agree, they're like, oh yeah, that's pretty bad and I have something I can do. Your job is now to tell everybody else in the company that is the most important thing for that engineer to work on. Our job is get stuff done, not prioritize risk.
SPEAKER_00Number seven, quick wins aren't optional. They're your currency. Spend it well or run out fast. And I love that you talk about political capital as a real asset class. I could talk, but I just want to turn it over to you. Thoughts?
SPEAKER_01You walk in and you have no authority. You have influence. You don't get to tell people to go do work. If they don't work for you, you get to ask them to do work. And so when they see that you successfully ask to do things that are easy and get successful, and then most importantly, you celebrate them because nobody else does. If I walked into a company and I came over to you and you're the head of HR and I said, wow, like our background check system, like why are we doing this? What's going on? Whatever I want to go fix with you and you go fix the thing or I fix the thing for you. And then I celebrate. I did all the work, but I'm going to celebrate Steve for being a great head of HR and taking care of security. Every other executive says, oh, I want to work with Andy because he gives me credit even when it's not due. And you want to work with me. So quick wins demonstrate that you are effective at getting things done. People want to work with effective people.
SPEAKER_00And it ties back into trust. And you talk about that too, right? Which is you don't earn the right. You talk a lot about active listening. And in order to earn the right to lead, you have to build the trust.
SPEAKER_01Yeah, people have to trust that you will not abandon them also. I like that you're familiar with the, like, do you have to outrun the bear? You just have to outrun the slowest person in your friend group. Like that is awful advice though, for leadership. You should be the slowest person in your friend group. You still want to outrun the bear, but don't ever leave somebody for the bear because they'll never trust you again.
SPEAKER_00Yeah.
UNKNOWNYeah.
SPEAKER_00Good point. Okay, so we're going into, you know, we talked about risk and we couldn't talk about risk without compliance. You don't own compliance. You're the product manager for the org's regulatory features. And, you know, my side commentary on this, just a simple little change in the way you view things allows a CISO to go from being reactive and, you know, a footnote to suddenly being strategic and aligned with the business. So talk about that, right? There's a lot of talk now about, you know, compliance doesn't equal security, but when you look at, you know, if you're just talking about being like ISO 27001, but when you expand out and look at regulatory features across the organization, now you're thinking big and like a CISO needs to think, right?
SPEAKER_01So you always have to think big. But the real secret is that there's some compliance that is, oh, there's a regulator who's just going to show up on you. But for most companies, they're compliant because they want to sell a product into a specific vertical. That makes compliance a product feature. One of my favorite days was when a product manager came in and said, like, look, I've got this feature, but I don't want to do this thing, which was for PCI at the time. And I said, okay, you don't have to. And they're looking at me and they're like, you're going to bless us at product lunch? I said, yes, as long as you put in that you're not going to sell this to the commerce sector. And the product manager's like, what are you talking about? Of course we're going to. I was like, no, you want to be in the commerce sector, you need this feature. That's like, that's the product management piece of it. And we're going back and forth. And I said, let's have this conversation with your boss. So we went and we ended up really the president of products. And I'm like, This is not me saying you have to do this. This is our customer saying you have to do this. I'm just the product manager for the feature set that is PCI compliance.
SPEAKER_00And you just illustrated the next gen CISO in one answer, which is you're no longer, you know, it's not compliance focused, like from an IT security perspective. You are now suddenly concerned: what is the product experience going to be like for your customers? I love it. Number five. You're not just joining a team. You're inheriting a political drama mid-season. I loved this one. Yeah. You know, I think that it's, yeah. I mean, I don't want to add commentary here. I just want to give you a chance to actually use those words
SPEAKER_01because I love those words, but I don't remember writing them. I think those are some of those might be a little bit like I got to go read. Yeah,
SPEAKER_00it's a reframe, but I love your framing by the way. That is
SPEAKER_01even better than what I wrote. So that might go into the next version. Like you inherit a team. First of all, you have people who wanted the job. Like they wanted your job and they didn't get promoted. You have to figure out who that person is. Who did the previous CISO, if there was one, who should they have fired and replaced? But they didn't.
SPEAKER_00Your words were about the narrative arc. You talked about the narrative arc is understand what this narrative arc is that you're walking into. So you can see where you've been, the sociological experiment.
SPEAKER_01Are you the first CISO? Are you a replacement CISO? Like what is going on here? Because everybody has expectations of you that are not about you, but about the narrative that you're walking into. You might be being hired to let go half of your team and nobody will tell you that until your first day.
SPEAKER_00I think this one speaks for itself. And there's a lot more we could talk about. And we're wrapping up on our final 10 minutes here. Time flies when you're having fun. We have four more. Number four, technical debt doesn't move hearts. Call it deferred risk if you want execs to care. We briefly touched on this, changing your language. Companies are
SPEAKER_01debt-fueled. Everybody carries debt. So when you say technical debt, you have now put it into language they can understand and accept. Like, oh, we have technical debt. Yeah, we also have venture debt. We also have warrants. We have all of these things that are debt. Debt is the lifeblood of most companies. So saying we have technical debt is like saying we are doing a good job of not over-investing in technology. That's not the goal of what you wanted to communicate. You want to say there's something going to blow up in our face someday.
SPEAKER_00That's deferred risk. One of the former CEOs at VMware during my time there would talk about how he really thought IT was a thankless job, that it was a full contact sport. And when you peel back these layers, because you talk about that your language has to match the business's emotional economy, that you're not just solving a technical problem. And I think we're misdiagnosing a lot of data breaches today as a technical problem. But I think when you look, and that's why I think this book, by the way, How to CISO, I think the title is oversimplified, but you talk about 1% leadership already too. The importance of having leadership conversations in cybersecurity so we are not just throwing technology at every problem is vital. It's so important. Number three, security failure lives in the seams. Go where the silos blind people to risk. So your model pushes CISOs to map organizational blind spots, not just attack surfaces.
SPEAKER_01Yeah, one of the challenges you run into is security actually never should have been its own discipline. We always should have been part of IT. But the CISOs had a blind spot, or the CIOs, right? The CIO's job was save money. So they were the personification of the 80-20 rule. And so CISOs showed up in the 20%. Like, oh, we'll go get this stuff done that nobody else is doing. So lean into that and recognize that where two organizations are working side by side, each of them thinks the other one is covering a problem. They're both wrong. It's sitting in between them. Neither side is doing it. That's where some of your worst risks live is that integration between the engineering team and your professional services team where engineering says, oh, well, of course, professional services will integrate this correctly. And professional services saying, well, of course, engineering wouldn't be so stupid as to not like make the back end implication work better.
SPEAKER_00Love it. And for those interested, I've just, for the last, I've had a couple of weeks here to prepare for this conversation, Andy. I've found you also have a very, you pronounced the CIO role dead. And you have a blog post where someone can go on howtoseesa.com. I think it's, was it howtoseesa.com? Yeah, I just copied it
SPEAKER_01there. It's also, it was originally on CSO Online. But I have a deal with them where I can syndicate my own content back.
SPEAKER_00Perfect. So on that topic, the CIO CISO partnership and Andy pronouncing the CIO dead, there's an interesting blog post about it on your website. Number two, your team's success depends on how well you remove yourself as the bottleneck. Self-awareness is leadership. That is something that you talk about. And on one hand, you talk about from a zero trust perspective, don't think of making yourself the bottleneck as being selfish. But on the other hand, you see the practical value of removing yourself. I talk about this a lot too, that if you depend on heroics and you being in the room in order for decisions to be made, you don't have a system.
SPEAKER_01Well, not only do you have a system, but you don't get to take vacations. You don't get to pick up new work. You want to grow in your role, hopefully, or you want to retire. Both are fine strategies, but both of them involve you doing less of whatever you're doing today. So whatever you did today, tomorrow you need to do less of. The only way to do that is to get yourself out of being the bottleneck. When you're presenting to the board, who are you bringing with you? If you're a CISO and you walk into an executive room to brief them and you did not bring somebody who works for you, you're doing it wrong. Bring them so they can learn. And over time, maybe they take over more and more of that or they make your prep work for it easy. Like I know CISOs who spend 30 hours prepping their board briefing and nobody sees them do the prep work. No, everybody should be part of you doing that prep work and here you deliver it so they can prep you faster.
SPEAKER_00With AI and a tool that I have built or I'm building, I think there's a, Ripe opportunity. And I'm not the only company. There are other companies who are taking the labor out of that prep work for CISOs to not just look good in the boardroom, but be effective.
SPEAKER_01That would be fantastic to see. But even if you're having AI support you, like who's doing the brain, the prompts for it, who's collecting and reviewing to make sure there's no hallucinations? If that's always you, you're that bottleneck, and you're not getting to a place where you do less work. Wouldn't it be great if you were the CISO and your organization ran so well that you could go and support the product line as a CTO de facto, or that you could go sit on the beach and nobody would notice? These are all great outcomes for you.
SPEAKER_00And now we're at number one. I want to talk briefly about this and then close with what's the next-gen CISO? What does the next-gen CISO look like to you? So the number one on the list, a CISO with no verification system is just guessing with confidence. You have a relentless focus on testing what you build. It's a rallying cry for truth over illusion. So
SPEAKER_01this one really started a long time ago because I noticed that I had somebody who worked for the CIO who never told the truth thing, but he never lied. He just never challenged the things he was saying. He'd walk into a room, he'd say, we're doing X. And he believed it. He was not lying. But he left out the fact that they were only doing X on 3% of the systems. And that doing X would involve five other things first. And so after a while, I started to have this realization that's like, how many of those places do I have that blind spot? Where I know a thing to be true, but I haven't checked to see where's the limit of what I know. And as a CISO, I think that's what's really important. When someone says, oh, we are doing X, you need to be able to say, at least in your head, that is not true in the following 10 ways. Is that material? If so, I need to talk about it. But if I don't know where it's not true, then I can't help the company make better risk choices because they just heard a declaration that we're fine. And everybody now believes we're fine 100%. I know it's only 30%. Does the 70% matter or not is the value you provide. But first you have to know where the limits of that 30% are.
SPEAKER_00I think this is really exemplary of the sign of the times and also comes back to the importance of trust, right? Do you, you know, does the board trust the CISO to be complete, thorough, accurate, accuracy, you know, maybe being, you know, not telling a lie is one thing, but is it accurate? It's another way to look at it. And you have to trust that the CISO is going to be accurate as well as correct, right? Because there is a difference.
SPEAKER_01There is a very big difference and a lot of people missed that one.
SPEAKER_00We could spend more time talking about it. As we wrap up, Andy, I'd love for you to just take a minute or two to share your vision for, and maybe this is going to become version 2.0 or where this book is going, but two-part question. What surprises you about how CISOs are set up to fail? And what would this, if you could just compose this next generation CISO, I've framed it like the first gen is the technician, the second gen is the risk translator, and then this third gen or next gen is the value creator, someone that's more business focused. And I just wonder where are your thoughts right now about what this next gen CISO is, does, looks like, and what's expected for the next five to 10 years?
SPEAKER_01So I think that the next gen CISO is actually going to be the CIO. I know I pronounced the CIO dead. That's just because it got some extra clicks. I actually think that the direction of business is the CISOs are going to own what's left of IT. And that's really a powerful place to be. Because you now control a lot of the business. And so if you can show up and be, it's not just that I own IT as a cost center, that's going to suck, but that I own IT as a way to run the business better. I own all SaaS services, whatever it's going to be. How do I take my support for the business, do it safely, but help us make a lot of money too?
SPEAKER_00I love it. And there's this idea as well about the CISO's future belonging maybe as a CTO embedded in the product. Exactly. Because if you have that technical background, it's hard to transform into a because once you have tech in your DNA, you're always going to have technology in your DNA. So I've posited that maybe the next-gen CISO is a CFO. I love hearing that the CIO, and that seems to be aligned with my thinking as well. Andy, I've enjoyed this time. It's been an hour and it just flies by. Before we leave, any thoughts on your mind about what's next, maybe for you for the summer or for listeners who want to dig into this deeper?
SPEAKER_01Yeah, so I think I'm going to be working some more on the How to CISO stuff. I really want to get volume two out. Probably there's some handbooks I'll write as we're going along. Considering starting another leadership book, we'll see where that goes. And then I'll be doing some consulting on cybersecurity, security marketing and leadership in the startup and the not startup world as well.
SPEAKER_00Well, I'm looking forward to it. If the new book comes out, we'd love to have you back. But Andy, thanks so much for your time. I appreciate it. Enjoy the rest of your week. And thank you, everybody, for joining. Hope you've enjoyed the session. It will be posted on the strategylayer.com and on the website for replay. Please share it or subscribe. I appreciate it. Thank you.