Security Masterminds

Supercharge Your Cybersecurity Program by collaborating with a BISO with special guest Nicole Dove

James McQuiggan Season 2 Episode 8

Send us a text

Discover the critical role of a Business Security Officer in aligning security with business goals. But what happens when this vital bridge between security and the organization finds themselves facing unexpected challenges? Find out in this intriguing episode of the Security Masterminds podcast.

Nicole Dove, a cybersecurity expert with an intriguing career path, helps businesses navigate the intersection of risk and technology. Starting her career on Wall Street, she transitioned into risk management consulting and auditing before eventually shifting gears into cybersecurity. As a Business Information Security Officer (BISO), Nicole focuses on aligning business and security, advocating for both to the benefit of the organizations she serves. Her business-first approach to security, understanding of diverse business units, and innate curiosity make her a critical asset in identifying and managing organization-wide threats.

Security is like really a team sport and you can't wait until game day to practice and think you're going to win. - Nicole Dove


Connect with Nicole Dove

Connect with us:

Website: securitymasterminds.buzzsprout.com

KnowBe4 Resources:

This show's sound is edited by ProPodcastSolutions -https://propodcastsolutions.com/
Show Notes created with Capsho - www.capsho.com

Nicole:

I love talking to people, I love helping people and I love things that just make sense from a business perspective. And I love pulling people together and helping them win. And that's literally what I do every single day. hey, I'm Nicole Dove. I'm a cybersecurity leader, podcast producer and university lecturer.

VoiceOver:

Welcome to the Security Masterminds podcast. This podcast brings you the very best in all things cybersecurity. Taking an in-depth look at the most pressing issues and trends across the industry.

Erich Kron:

Within organizations, there's the misconception that the cybersecurity team can be the department of"No." Organizations that utilize a BISO, a business information security officer, provide an excellent capability to communicate effectively between the IT and cybersecurity teams and the business.

JJ (Jacqueline Jayne):

Nicole Dove is an award-winning information security leader with experience across cybersecurity, audit, global operations, and relationship management functions. Excelling in the role of BISO, she's focused on developing and deploying cybersecurity strategies that align with business priorities and also elevating cybersecurity professionals to their full potential.

VoiceOver:

This is episode 21, Supercharge Your Cybersecurity Program by collaborating with a BISO with special guest Nicole Dove.

Erich Kron:

hey everybody. Thanks for joining us here for this episode of Security Masterminds This was a really fun one where we got to interview Nicole Dove and she's just an amazing lady and really enjoyed this discussion and this time around on Security Masterminds we have and old time original OG type person on this show. I'd like to introduce back to you, miss JJ or Jacqueline Jane. How are you jj?

JJ (Jacqueline Jayne):

I am fabulous. Eric, how are you?

Erich Kron:

Oh, I'm just wonderful.

JJ (Jacqueline Jayne):

I felt the love coming to you from the other side of the world in the future where it looks awesome.

Erich Kron:

Yeah. Yeah, that's right.'cause JJ is in Australia and I am in Florida. So I mean, we are kind of like all over the place right now. It's great to have you back though. Unfortunately, Jelle is on vacation or holiday in his part of the world. So anyways, Nicole was a fantastic guest and I really, really, really love talking to her. But, you know, so often we find that people have interesting ways of getting into this industry. So one of the things we've done here is we, we've talked to so many different people, in different areas, and what I always find it cool is how they got into cyber.'cause we got some pretty interesting ones sometimes in theater or, or insurance or whatever and I always find it interesting to find out how people got into cybersecurity. So would you be willing to share your origin story, if you will?

Nicole:

So I don't know that mine is as interesting as like coming from a background in theater, but I do count myself to be a non-traditional technologist. So I studied business, right? I went to school for finance and accounting. My career started on Wall Street. I actually got to Wall Street and absolutely hated it. And so then I got into risk management consulting and audit, and I absolutely loved it. I did that for about 14 years. Later on down the line, I started just getting curious about doing different things, right? So like as an auditor, you find people doing bad stuff. You write a report about people doing bad stuff and you send it to their boss all the way up to the c e o to the audit committee. That just doesn't innately feel good. So I just wanted to try something different. And so I took a step out and I was a project manager on a team where we built, staffed and manage international work centers. So I got to build teams and offices in India, Philippines, Brazil, Romania. Got to live in Romania for a little while. And then after a few years, our program just got pretty mature. We weren't gonna grow, and I wanted to just do something different. And so I thought to myself, how can I leverage my experience in risk? I could see from building teams overseas that technology was just a critical part of every single thing that we did as a business. And I realized very quickly that cybersecurity is what happens when risk and technology have a baby. And so I saw a post for a BSO role. I never thought they would hire me, and I prepared for the interview and I talked about, you know, what I had that they wanted, what I didn't have, how I would get it, and what they were gonna get from me that they wouldn't get from the typical traditional technologist. And my gosh, they believed me. And here we are years later, I, um, after getting that role, I did take a foundational security course online through Harvard to just firm up on the foundations. That was back in 2018. The rest is history.

Erich Kron:

Okay, so she says that she had a typical kind of origin story, but I don't think so. She kind of came out of the business side a little bit more. What do you think jj?

JJ (Jacqueline Jayne):

Look, I think that is, for me personally, puts a smile on my face'cause that's how I got into cybersecurity and understanding the, the business side of things gives such a different lens to everything. And when she said risk and technology, have a baby that's cybersecurity. It is so true. I'd also add in a little sprinkle of the human element and understanding the person also brings in that cybersecurity. So it fascinating way into cyber and. Kudos to the person who decided, yeah, let's give her a go.'cause that's what we need more of these days. Understanding what happens in the business.

Erich Kron:

Absolutely. And I can't help but to think how lucky they were to give somebody that chance and bring them in and be able to open them up in a role like this. Somebody who traditionally might've been overlooked in a security related role. But now we have this, this BISO role, which I don't think a lot of people are that familiar with. So what does a BISO do that's different from the other types of IT and liaison roles? What, what makes it special?

Nicole:

I love the be so role. It's actually one of my favorite roles and I love it selfishly, and I'm probably biased coming from a business background, right. It's security that puts business first, right? So one of the main things that we do as BISOs is think about information security from the context of the business, right? So instead of saying that, you know, we've gotta do this foundational security and like establish the firewalls, like, yeah, all of that is great, but we also have to think about our customers, right? We also have to think about the products and service that we develop. We also have to think about the market. We have to think about the evolution of threats in that space. What does the business wanna do down the line? Then how do we secure that both now and later, right? Because those may be two different things. One of the biggest pieces of value that the Beso brings is that we are constantly justifying why the investments we ask the business folks to make are worth it. And that's both to information security and to the business. So we're often working with the domain leaders and our fellow peers and leaders in InfoSec to constantly pressure test the things that they're asking the business to do, and give them perspective that they may not have from a business lens to say why now may not be the right time for that thing. Because even the right things at the wrong time or the wrong things. And so we've gotta put that constantly in context. And to your point, you know, the threat landscape is ever evolving, but our customer needs are too. Our business needs are too. And so a BISO, a really good BISO is always tuned into this evolution because one of the second pieces of of value that we bring is figuring out how we can develop security capabilities for the future business needs and the future security needs. And then there's that bilateral advocacy. So we're constantly advocating for the business to InfoSec, but we're also advocating for InfoSec to the business. And I've not really seen many roles that has to balance this dance of serving two masters for the greater good of everyone. So that's what I think really makes this role super, super special and very different from your typical liaison relationship management role.

Erich Kron:

now, jj, when I heard her talking, I thought a lot about you because you've oftentimes had these kind of liaison roles as well. What do you think of this BISO role?

JJ (Jacqueline Jayne):

Eric, it reminds me a lot of the the business partnership that often HR people and culture people and development, whatever people call them, different things around the globe. So to the point of Nicole understanding what's happening everywhere in the business. There's no surprises. And being able to communicate to different areas of the business, what's happening in the world of people, of HR, of the company.'cause everyone's focused on their little silo, let's be honest. It's a fact, and so they should be. But with this role, I loved it because when I think about that conduit, that people between people and technology, that is what we need. It's fabulous to understand what you do really well, but often just to lift your head up and have a look what's happening elsewhere, that can make all the difference when it comes to stopping things very early, having conversations very early, and making sure that people understand what is going on on both sides. Because let me tell you, it's two different languages, two different focuses. And what Nicole is doing is being able to bring it all together as the middle person without leading with one side's more important. It is such an important thing. And yes, Definitely reminds me of how I got to where I am right now.

Erich Kron:

That's excellent. Now, in my mind, in many ways, these are the same things that a good CISO would be doing. This is a skill I think CISOs also need to have is bridging this. And so I can understand a lot of people might get a little confused between what a CISO is and a BISO. So I asked her to clarify that a little bit. I asked her, how do you differentiate between a CISO and a biso? Like what makes them different so that we all understand.

Nicole:

So to your point, they are very similar, right? We work, I even work very closely in lockstep with my CISO. I report to the CISO and many BISO roles do. Here's where I think the rubber meets the road. When we think about the CISO, they are essentially the one throat to choke for anything that happens for security across the entire organization. Right? We see that happen. We see it in the news, right? They put on the cross. But when you think about these large multinational organizations, the CISO cannot understand the idiosyncrasies of each different business unit, right? And you'll know from talking to different leaders across the business, everyone says, well, my business is different from everybody else's, or My team is different from anybody else's. Sometimes it's true, sometimes it's not. But the be so is responsible. Even more so than the CISO at understanding the inner workings and nuts and bolts of each division that they support very, very intimately. That I think would be a little bit unreasonable to expect from the ciso, right? So my CISO and I work in partnership to where typically he is managing those very, very senior strategic relationships across the entire organization, the company, the board. However, we kind of start to partner a little bit at the senior, most senior leadership within the specific business unit. And then I get a little bit more down into the weeds with the different folks and leaders across the organization. The specific line of business that I support, so again, very, very similar, but a BISO typically is a mini CISO for the different divisions or lines of business that they support. So very similar, just a little bit more intimate.

Erich Kron:

Yeah, that really makes sense to me. More of a focus on the business units, individually, even as opposed to a CISO or, or CIO, they're gonna, they're definitely concentrating on the larger organization as a whole where she seems to really be in the weeds, in the various departments.

JJ (Jacqueline Jayne):

It is. I think the challenge though, Eric, is the skill to be able to be in the weeds and then take that helicopter view, which is a very unique skill. Some people might say it's the unicorn, yes and no. It's more about understanding what is happening. Amongst the whole organization. And then how do you translate that back up to information that the CISO or CISO, depending on where you are folks, can make all the difference. The CISO is focused on so many different things, and whilst they need to know everything, it's just not possible. And on the flip side, she's also able to communicate to those business units what's happening in IT and what are the challenges they're facing. Moving the needle away from the department of"No." Wheras we all are apt to aware of that is what IT is often seen as and it is incorrect. They're there trying to help. So being able to break down those barriers as well is such a difference. And that's why it's such a key role that every organization really should be having.

Erich Kron:

Continuing on down this path, so what are some of the most common mistakes you see organizations making when it comes to like, the data security part and, and how can they be addressed? How can we fix that? How can we make it better?

Nicole:

So there are a few things. I think the first for me is like not knowing where their data is, right? Like just having data everywhere. I mean, geez, guys, you would be surprised at some of the things I've seen. Another thing you know is collecting and holding on to data that you really don't need. And I think a lot of companies are well intended, right? They wanna leverage this for innovation and research, right? But there's a cost that comes with that. I think another thing is also not educating the folks who gather and work with the data that we work so hard to protect'cause that's honestly the biggest risk to companies from a security standpoint, right? It's the people that are tasked with using all the data that we want to protect, whether it's our own ip, customer data or whatever. I just think that security is like really a team sport and you can't wait until game day to practice and think you're gonna win. So it's really just about being proactive, being prepared, being thoughtful, and being knowledgeable.

Erich Kron:

You know, that's very interesting. I, I have a friend who was doing a cloud migration within his organization, and as he was doing this, He discovered all of these little pockets of data, all these little spreadsheets that were tying into something and all of these little areas that he had no idea existed and weren't being secured, but were clearly a threat to the organization.

JJ (Jacqueline Jayne):

I think from my personal experience, there's a lot of assumptions made that we all know what to do, how to keep our files safe and folders organized. We probably will do it. I can't. I can't do it because someone explained to me many years ago the importance of how you file your information on your devices and to go in and actually edit, update, archive every quarter. So that's what I've been doing ever since I've been online. I know not everybody does this, but it's because someone told me about it and I've shared that knowledge across the years and there's an assumption most people in an organization who have access or protect and and manage that data, Has anyone sat down with them and said, Hey, do you know the importance of how to manage this data and why? And then how It's just manage your data better. Where is it, how are you managing it? All of that element, which just isn't done. And I think things have evolved so very quickly in this space that it moved too fast for people to try and stop it.'cause you can't tell me that the CISOs wanted to, they know the importance of this, but there's so much on their plate. It's not possible to be able to do all the things or a role like the Biso Nicole can make such a difference in this area.

Erich Kron:

Excellent. I wanted to ask her like what should cybersecurity pros that are several years into the industry be doing or should know to continue their growth?

Nicole:

I think the biggest thing is just like stay freaking curious man. Like you mentioned earlier, like when I first got into cyber, I was very intimidated, right? Like I, I come from the risk arena. I've got like these risk certifications. I started moving up the ladder really quickly. Like I could do an audit with my eyes closed and then here comes curiosity, wants to do something different. And I'm sitting in these meetings. People are using all of these terms that I've never heard of, right? And I'm expected to be somewhat of an influencer and an expert, if you will, and an advisor. And I'm like, yeah, I didn't think it was gonna be like this. I've literally sat in meetings where I'm writing down terms that I'm gonna Google later. Like, I can't tell you how many meetings I've walked into and I've watched like three Professor Messer videos on YouTube prior to, just to like try to know what the heck I'm talking about. And listen, even when you get comfortable with those terms, there's something else 20 minutes later that's now evolved that's a solution for this. Like it's, it's just a crazy world and it's always changing. So don't get caught up in the intimidation factor. You've just always gotta be learning. So one of the values at my company, we've got five, but one of the ones that I really adore is stay hungry, stay humble, right? And. How we think about that in the course of our work is approaching problems and challenges with curiosity, optimism, and ambition, right? So instead of being intimidated by a problem, be curious about it. That's just an opportunity to learn more, right? Be optimistic there is a solution. And we don't always have to eliminate risk, right? Because that's pretty impossible. But can we mitigate it to a decent level that we can monitor, right? And it's also about celebrating the wins, learning from our failures, and just being committed to evolving because things are always changing. So, yeah, stay curious, stay hungry and stay humble.

Erich Kron:

I really like that. That's one of the things that draws people to this field is the fact that it's ever growing and it's ever changing. But even for those of us that have been around since like the dawn of time, I think we still run into some issues with this problem, if you will. But it's just recently that most of us have heard about LLMs, right. And prompting and all of those things. You know, one day somebody started throwing around the term LLM, and I'm like, okay, that's what I'm gonna have to go figure out. And it makes sense now, you know? And but six months ago, half of our industry had no idea what a large language model was, or any of the kind of stuff that goes along with that. So it happens even for those that are are seasoned and have been around for a thousand years. This is such a diverse industry and there's so many things to know. We can't always know it all. So stay curious. When you hear a term you don't know jump into it. I love that part of it. And JJ, again, we, we mentioned earlier you didn't come out of a typical cyber role and now here you are speaking to people on, you know, the entire corner of the earth over there.

JJ (Jacqueline Jayne):

I think the curiosity factor is something that really hits home for me. However I've come to learn it is not something everyone does. And quite frankly it can't be because some people in the world need to focus and not be curious and just continue on their path and not deviate. It's the curious people on the side that need to dip into that and dip out and find more and find the dots, connect the things, and that always be learning. I tell you what, when Nicole mentioned she'd be in a meeting and hear something and didn't know what it meant and have to write it down. I think just understanding how the human mind works. If that happens, your brain actually stops and will not take in what it listens to next. And this is where we have the breakdown because people don't have that time to translate. There's no IT translation and there should be, quite frankly. But yes, it's curiosity. Always be learning and stay hungry, stay humble, learn all those things and say, oh, dunno what that is-find out we wanna know. We need to be empowered with knowledge.

Erich Kron:

Yeah, a hundred percent and it's a type of industry that can feed our minds forever. Now it can get a little bit intimidating for those people that are getting into cybersecurity. So I wanted to ask about that too.

Nicole:

You know what? It's interesting. So interesting you say this, I speak to so many young people and they're like, I wanna work in cyber, right? I never got around to asking them why, and, and this is probably a dig on me because most of the time when we have the conversation, they're like, it's a shortage. They pay really well. Right? I get it. And listen, for some people being paid well is super important. To your point, it's gotta go beyond that. When I ask a lot of young people, well, what area in cyber do you wanna work in? They just say, I wanna be a cybersecurity analyst. Well, in which domain? Right? Like there are quite a few domains and a lot of them don't know. And so this is where I think we go back to that staying curious because listen, I never thought. Me coming from business would be able to make waves or find success in cybersecurity. But it was because I was like, you know what, let me dig into this a little bit. And when I realized that cybersecurity is really all about risk, I'm like, I know risk. I love talking to people. I love helping people, and I love things that just make sense from a business perspective. And I love pulling people together and helping them win. And that's literally what I do every single day. So I'm with you on that one.

Erich Kron:

No, I love that. Now, I don't know about you, jj, but conferences all the time, I get people going, Hey, I, I'm just getting into cyber. I want to get into cyber. You know, I'm checking it out. This sounds really cool. And I do try to ask them, why, what is it that makes you interested in this? And unfortunately, I have heard, well, you know, I, I hear that there's all these jobs open and as soon as I get my degree, I'm making six figures. And, and then, you know, I try to be honest with them about it, that frankly, if you don't have a passion for this job, it can chew you up.

JJ (Jacqueline Jayne):

I think the challenge that a lot of young people or anybody really, when you think about what do you do, what are you doing in life where time just passes you by, that is where you focus and find out'cause that is your genius area. That is where your brain is just naturally doing what it does. And there are so many roles in cyber. It's like saying, I want to be a doctor, or I want to be in the medical field. No one says that they will say, I want to be a brain surgeon. I want to be a nurse in critical care. Because, because they're, they're aware of all the different roles in that space. Cybersecurity in that echo chamber have not done a good job in explaining the skills and the passions that make certain roles work. So yeah, people come along and say, I wanna work in cyber, I wanna be a hacker. What does that mean? Why do you wanna do that? I mean, to Nicole's point. That helpfulness'cause that I'm a born helper. I want people to succeed. You just might find yourself in a position like Nicole and she's doing awesome things right now, but she just asked questions and made it happen. The skill sets from all different areas are so important of different ages as well. I think that's what we've gotta understand too. Have more conversations with the upcoming cyber people. Find out what their passion is, what they love to do every day. And it can be linked to nearly every role that we have available in cyber.

Erich Kron:

So knowing that this role exists and yet not being aware of it a lot until recently, I kind of wanna know how do we showcase the role of this BISO or, or BISO, and what common mistakes, uh, seen by CISOs about that role.

Nicole:

I was actually talking about the BISO role. The title of this session was your Cybersecurity Secret weapon. That's truly what I believe the beso is because we connect the dots, right? Like you mentioned this earlier, like the department of No. I have seen many business leaders circumvent cybersecurity because they think we're gonna give them options that are unreasonable, right? And nearly impossible, that are cumbersome. They think cybersecurity is scary and they just wanna get their product to market right? They wanna do the right thing. They just see us as a roadblock. And honestly, we probably earn that a little bit, right? Like, just like, yeah, no, you can't do that. And I think we've gotta figure out, you know, how to actually showcase the value that we bring to the business. Like, you know, how do we propel or enable, as you mentioned, right, their goals and the journey forward, and then how do we actually help them do whatever they wanna do as securely as possible, right? Like if you walk into a meeting with a business leader and tell them, tell me what is it you wanna do? Let me figure out the securest way to make that happen, right? With a reasonable amount of effort, they're more than likely to work with you. But when they come to you and they say, we wanna do this, and you say no, and you don't come up with any alternative, guaranteed, you're not gonna have a repeat customer, it's just not gonna happen.

Erich Kron:

Yeah, I love that because we do get kind of trained to just go, no, you can't do that. That's silly. What do you, what are you thinking? That's so insecure. Everything's gonna happen. But we should, maybe we say that in our heads, but what we actually say to them is, you know, I don't know how that's gonna work, but let me look at some options maybe. And to her point, that's how you get them to come back to you. That's how you get them to not have shadow IT and, and try to do things behind your back. Because there are times where we have to just say, I'm sorry. No, we're, we're just not gonna be able to do that. But if we've worked with them in the past and found other solutions, they're more likely to understand that no, there really isn't a great way to do this. At least not now with our technology we have in place. But you're not just blowing them off and moving on. I think that's a very important thing.

JJ (Jacqueline Jayne):

And I think the, the gap there comes down to not understanding what all the different business units actually are doing. Like, what is their goal? What information do they have? What are their biggest challenges? And you can't just turn up and ask those questions. If a relationship has been built by the, the BISO, the BISO to know what's going on, then there's no surprises. And because you're educating along the way, if you are that enabler to get the job done, I need to get a job done as a, if I'm in marketing, if I'm in sales or finance, whatever it might be, I need to get my job done and I need some support and assistance to do it. Everybody wants to do the right thing. But if I'm told no all the time as a human, I will find a way to get that done. You know, people with the shadow IT with the personal Dropbox, putting, saving things where they shouldn't, emailing the files.

Erich Kron:

And I've always had that thought that I think a lot of security people especially forget we're actually supposed to be business enablers not disablers. And it's a big shift in thinking quite honestly for, for some of us old grizzled folks that have been in here for a long, long time. That's a little bit of a shift to thinking, and I get that, but we need to start modeling that a little bit more.

JJ (Jacqueline Jayne):

Yeah, and someone like Nicole and these roles, that's what they do. They make such the difference so that we can focus on what we need to do day to day. And to your point, Eric, be the enabler of the organization. That's the key.

Erich Kron:

Now, you know, speaking of this knowledge and skills things, you know, we talked about the BISO and we talked about this role that they're in where they have a lot of business stuff going on, but I also kind of wanted to find out, What she thought about the amount of technical knowledge that a BISO also needs.

Nicole:

To your point, I don't expect my business leaders to be technical experts. I don't expect my staff engineer to be a business expert, but I know that I need these folks to be on the same page, right? One of the things I learned just throughout becoming a better speaker and taking classes and being a part of Toastmasters, is you've gotta know your audience, right? You've gotta know your audience. And that's something even in sales, right? You've gotta understand what the person across the table wants to accomplish, and you cater your message to that. And so I think as more of us insecurity, think about who we're speaking to, what they wanna accomplish, and how we present. What we're asking them to partner with us on, we'll see a lot more success. And not only do we have to know our audience, but we've gotta be flexible in our approach because the way that I talk to an engineering leader is not gonna be how I talk to the C F O, right? I'm gonna be selling two very different things. So just that little piece of understanding your audience and being able to connect what you wanna accomplish to their goals is significantly important.

Erich Kron:

Yeah, I mean, that, that's a great point there. I, I don't know what else to say about that other than well said. What do you think, jj?

JJ (Jacqueline Jayne):

Exactly, and this comes down to what do I need to know? And someone once said to me many years ago, what is my role in this? And in my, what I do now, one of the biggest challenges, you know, sharing my story into the world is I doubted that I was going to be a success because I didn't come from IT. I don't need to understand how to do a complete marketing campaign on Google and do all the things I need for SEO,, SEM, all of that stuff. I don't need to know that, but I need to understand what it is in a high level to have a conversation. To Nicole's point, to be able to have flexibility in your approach to change language and know that when you're speaking to a group of frontline manufacturers through to the C-suite they are two completely different conversations. The message might be the same, but the language, your approach, how you hold yourself, how you sit in the room is different. But that's a skill on its own. There's not many people who can do that, and often I've been told that being the chameleon and mimicking who you're talking to, that's what makes the difference.

Erich Kron:

Now let's face it, we've all messed up a little bit and you know, the thing is, we, we do mess up and so what would you say if you can talk about it or what's your biggest failure you can talk about and what did you learn from that going down?

Nicole:

So it's kind of a ball of two things. My biggest failure was one like doubting myself overwhelmingly so. Right. And I think that's probably common for people who are new to the field, especially for us non-traditional technologists who come in from a non-technical background. Because we walk in, again, we're hearing all these words and terms and things flying around, people are explaining things and I'm like, I don't know what the heck you're talking about. And you know, joining cybersecurity as a BISO, it's a pretty senior leader role. And you think about the weight of everything that lies on your shoulders, right? Like a lot of times I am the final say. If something is a green light or a red light, that's a lot when you think about a multinational company with 60,000 people globally, like that's very, very big. And so sometimes I would get caught up in the doubt or the imposter syndrome. When I could have just really redirected that energy to tapping into my network, doing research, finding solutions, asking for help, right? Like no one's an island in cybersecurity. The second thing, which is a lot more recent, um, I started at my current company about a year and a half ago, and my task is building the business information security office for a company that doubled in size over the pandemic. We have a lot more new folks than we do tenured folks, and we're working with so many more vendors. I mean, we're doing, we're navigating all these new spaces and entertainment and eSports that we haven't before, and I just thought I should come in. Build it in five minutes. But like I gave myself no sense of pace and I gave myself absolutely no grace. And honestly, I think that was probably the biggest mistake I could have made because I have the most supportive team. I have the most supportive business units. Like these people really wanna know how to do the best in cyber. And my boss is absolutely magical. And so I had the perfect setup to fail forward. I had the perfect setup to like make smart mistakes, but I just wanted to be perfect. And I think I lost a lot just in having that expectation of myself instead of just letting it flow and pulling everything I learned on Wall Street and at previous video game companies and everything else. I let it all out the window and put myself in a box where I thought I needed to be perfect. And it was. I. Furthest from the truth. And even with that, you've gotta kind of learn your limits, your boundaries too. Like there's this constant reshuffling and like readjusting because like even me, I think I was pushing myself a little bit too far, build a whole business information security office in a couple months. Like yeah, sure that's not gonna happen, right? But like, let's just start out with building the engagement model and learning the business and understanding what we wanna accomplish, right? Like that's a little bit of a stretch, but there's some learning in there, right? And if I felt I was picking up too much, then I have the opportunity to course correct with some people who I like to call my team. Uh, one of the guys on my team, my encyclopedia, right?'cause he's been there forever, he kind of like knows the lay of the land, like check in with those people. But you're right, it's about being wise enough to understand that like I. You can't just be status quo and uncomfortable, but you don't wanna drive yourself, you know, down to the Looney bin.'cause that can quickly happen too. I remember once I was working on a team, oh man, it was so stressful. I actually got Bell's Palsy. I woke up one day and I went to brush my teeth. And as I tried to wish the mouthwash around it just get up and like, and I'm looking in the mirror like, why is one eye blinking and one eye not went to the emergency room induced by stress. It's crazy. And this is another thing, this is now that I'm a senior leader, right? This is something I have to be mindful of and I have to encourage the folks that support me and that I work with, that they've gotta find that balance too, right? And I've gotta make sure that I'm pushing them enough to where they're tapping into kind of that unknown potential that they have. But not so much to where it stresses them out. So there's this nice kind of combination of encouragement and pushing, but reassuring and allowing people to rest, right? Like that's so important. We talk, consulting was the best of the best for me, and the worst of the worst.'cause I learned so much. Typically, a lot of times I can tell when people come out of like big four or big consulting firms just in how they work and how they approach things. But it was just grained into, it was ingrained into my brain that FaceTime, FaceTime, FaceTime, FaceTime. And nowadays we're seeing what this new hybrid work environment, it's not all about that, right? It you could give me a ton of value from five hours of work at home versus half of that, and you're in the office and I can see you. I want the ton of value from home, right? So I. I think, with the pandemic and you know, we're shifting generations and how we work, there's a lot to learn about just what we expect from people, how we motivate people, and how to encourage people to think about their own work because to your point, it can be very detrimental and to security is serious, but nothing is that serious.

Erich Kron:

I always find this question kind of funny because frankly I have failed so many times in my career in this. It's one of those things that you've got to kind of accept and frankly, where do we learn the most generally when us or someone else around us has failed? Right? When everything goes smoothly, we don't necessarily learn lessons from that. And I'm not saying go out there and break stuff on purpose unless that's a role you're in, right? But I will say this, we can't paralyze ourselves in fear. Of messing up because that's just as bad, if not worse, than actually making a mistake and, and maybe missing a deadline or missing something that goes by. I mean, we're all human. We're gonna make mistakes. It's okay, it happens, but we can't sit there and be so afraid to make mistakes that we accomplish absolutely nothing.

JJ (Jacqueline Jayne):

I think the most important thing with failure and when you do make a mistake or you perceive you failed, is reflection and saying, okay, what happened? What could I have done differently moving forward and move on? I think too many people sit in that failure state or that imposter syndrome state. We can tell others not to, but we do it ourselves because we wanna be seen as the best, doing the best. And that's just not always possible.

Erich Kron:

No, that's a good point. The other thing I would say is if you fail when you fail, own it. So speaking of threats, we've seen lots of things going on these days. Lots of changes as you mentioned, but I always like to ask people like, what's the biggest security threat to organizations in the next decade?

Nicole:

I'm gonna give you the most BISO answer that you could ever expect in life. It's not aligning your security program with the business strategy, don't get me wrong, there is an element of security that I believe we need to keep the lights on, right? Make sure we're getting our logging, your MFA, you've got, you know, authorization and access control. Like all of that is key and it will never go out of style. Configure all that. If we don't understand what the business is doing and if we're not building reasonable, feasible implementable security programs that align with those goals, we are in big trouble. We are in huge trouble. And so we've gotta have someone saying, what is the business doing? What do we need them to do from a security standpoint, and how do we actually help them do that? Right? We have to, otherwise we're just gonna have all this great configuration and, and vulnerability management, but we're not gonna understand how to prioritize any of that because we don't know what's going on in our business environment.

Erich Kron:

It's kind of interesting that we, we have all these threats going on and it's very tempting sometimes to just go, I am gonna secure the heck out of this place. And then you do it to the point that you can't sell anything and then payroll doesn't happen and the doors get closed, but it was secure to the end. Right. Not understanding that, and especially as cyber is getting more and more involved in all of the facets of what we do, we're collecting data at rates we've never even considered before. So, Personal data, intellectual property, all this stuff is piling up. And if we don't do something about it, obviously we're stuck. But if we make it to where it's unusable or unworkable, that's just as bad.

JJ (Jacqueline Jayne):

And look, I take it a step further from what Nicole said about aligning security with the strategy. You need a seat at the table when the strategy's being written from a security perspective, because everything should have woven amongst it. And how are we gonna keep that safe? How are we keeping our people safe? How are we keeping our customers safe members, if that's what happens, how are we keeping our vendors safe with that overarching umbrella of risk and cyber? Understanding the strategy and being part of it, that's where the, the BISOs role really would come into play. Not just to apply the strategy, but to be there for the building of the strategy.

Erich Kron:

We all have these kinda soapbox things and a very important topics that we want to talk about. So this is kind of one of those things where she was talking about some of the things that cybersecurity leaders need to think about that not everyone is aware of.

Nicole:

So one of the things that I think we as security leaders have to constantly think about, and I think we touched on this a little bit earlier is professional development of folks within the security industry, specifically as it relates to non-technical characteristics or, or performance habits, if you will. So a little bit of a shameless plug, but I recently completed writing and recording my fourth LinkedIn learning course, and the first three were all about cybersecurity, right? So one on ransomware, one on the beso role, and one on supply chain security, which since we're talking about things I, I, I kind of want to drive, I think those three are super important, right? We're see, we see what ransomware is doing, supply chain security, like, I can't believe some of the things that have happened are happening. I mean, it's crazy, right? That was something that really, really opened my eyes coming into this industry is that it's not the super complicated things that get us in trouble. It is the basic core foundational things. Which is why I was so passionate about like creating these courses, but I decided to take a walk on the wild side and do something a little bit different from my fourth course, and it's all about being a power performer in the workplace, whether you're in cybersecurity or not, but it just talks about understanding your personal why, why you show up like it's important to understand what your motivation is for why you wanna be in this industry. Understanding who your boss is and what their style is, and what their priorities are, right? Like that goes such a long way so that you know where to focus, right? It's a lot of the framework that I've leveraged as a beso to drive success for the teams that I support. And just translating that into how we can leverage that engagement model or that five point strategy for us as professionals. This industry keeps evolving. Our bad actors have one job, right? Meanwhile, we've got 30. And so it's important for us to make sure that we constantly evolve as technologists and effective professionals as much as possible. So that's my TED Talk.

Erich Kron:

I like that. What is it that motivates me to come in every day other than a habit?

JJ (Jacqueline Jayne):

Yep. I think it's a bit more than that. This comes down to I won't get what I want until you get what you need. That is important to know. So it's focusing on others rather than yourself. So whatever your reason, your passion, your why, that's great. And then to Nicole's point. Let's have a look at the people around us. What do they need from me to make them successful? So it's putting others first as well.'cause that always comes back in a positive light. And you know, we're human. We wanna put ourselves first'cause we think we're the most important things in the world. But if we just switch it a bit to say, how do I make someone else look great? Often you get a better result and a lot faster.

Erich Kron:

Well, this has been a fantastic talk with Nicole today about the BISO or BISO role, depending on where in the world you are. I thought this was great and I once again learned quite a bit. I gotta be honest, talking to these guests. All the guests that we've had on security masterminds, I have learned so much from them and about myself with these things.

JJ (Jacqueline Jayne):

I found this session today and listening to Nicole, very validating from the journey of where I've come to where I am right now. It makes a lot of sense. A lot of the words she used, a lot of the experience she's had, it resonates and I think she's given me some other language to use to share the importance of that engagement because that is key to what we do in the world of security awareness and helping our people make those better decisions online. We have to engage them and that's gotta be everywhere. It's not top down or bottom up. It's everywhere.

Erich Kron:

Outstanding. Well, and I'd like to remind our listeners at this point, if you enjoyed this show, if you enjoy some of the other security Mastermind shows, please subscribe to this. Subscribe to the podcast. You get notified when it comes out. We just talk to some amazing people, and I'm often humbled by the people that we get to talk to in this podcast. And this podcast is really about them and being able to share what they want with the community and the world at large. So keep that in mind. Please subscribe.

JJ (Jacqueline Jayne):

Absolutely couldn't have said it better myself. Well, it's time to wrap up and it's been a privilege to be here. I look forward to the next one, and I can tell you the future's looking fantastic. It's very bright. You'll need to wear shades and drop Bears aren't real people. It's time to say goodbye. Say goodbye, Erich.

Erich Kron:

Goodbye, Erich.

VoiceOver:

You've been listening to the Security Masterminds podcast sponsored by KnowBe4. For more information, please visit KnowBe4.com. This podcast is produced by James McQuiggan and Javvad Malik, with music by Brian Sanyshyn. We invite you to share this podcast with your friends and colleagues, and of course, you can subscribe to the podcast on your favorite podcasting platform. Come back next month as we bring you another security mastermind, sharing their expertise and knowledge with you from the world of cybersecurity.

People on this episode