Secret CSO: Charles Blauner, Team8

Is the security skills shortage affecting your organisation? "The hardest roles to fill at the moment are the most technical."


What was your first job? My first job was programming customised versions of mainframe operating systems at a company called Sperry Electronics Systems. It was all assembler language programming and debugging work and it was a huge amount of fun.

How did you get involved in cybersecurity? In the late 1980s, I was working for Bell Communications Research (Bellcore) and the Regional Bell Operating Companies (AKA the local telephone companies) were being targeted by the first generation of hackers. Bellcore was asked to put together a team of experts to think about security for the first time and because I was an expert in the Unisys mainframes, which were used by the telephone companies, I was asked to be a part of a team … Thus began my journey in the security space.

What was your education? Do you hold any certifications? What are they? I have a BS in Computer Science from Rensselaer Polytechnic Institute and I have an MS in Computer Science from the University of Southern California. While I have no certifications (I've been around too long for them to have any real value), I did contribute to the development of the very first CISSP exam.

Explain your career path. Did you take any detours? If so, discuss. I've always viewed my career journey as more of a trip down a river with many branches and tributaries, rather than a fixed journey along a well-defined path. You have to be willing to go with the flow.

I started out my journey as a systems programmer first at Sperry Electronic Systems and then at Bell Communications Research (Bellcore). At the first branch in the river I transitioned into an information security person. As I mentioned above in Q2, this happened during my days at Bellcore. The next branch in the river was the choice of moving into financial services, which I did when I joined JP Morgan in 1994. I started at JP Morgan as the chief security architect and eventually became the Chief Information Security Officer in 1997. In 2000 I was asked to be part of a team considering what e-commerce meant to the future of the bank. As a result of that work I took the only major detour in my career when for two years I stepped away from my CISO role and became an investment banker. After JP Morgan merged with Chase, I left the newly formed JPMC and went to Deutsche Bank where I resumed my information security career as the CISO in 2001.

After a number of years at Deutsche Bank, I left and joined Citibank in early 2006 where I was until late 2019… the last 9 years I was the Global Head of Information Security. When I left Citi and was considering the next branch in the river, I decided to step away from being an operational CISO. After all, it had been over 20 years since I first took a CISO role. I am proud to say that the river has now taken me to join Team8 as an operating partner and the CISO-in-Residence, as of January 2020.

Was there anyone who has inspired or mentored you in your career? It's impossible to have had a career as long as mine without many people that inspire you and mentor you. However, if I had to pick one person, it would be Steve Katz, the OG CISO, who I met in 1993 and was my first boss when I moved into Financial Services in 1994; Steve has been a friend and mentor ever since.

What do you feel is the most important aspect of your job? That's a question of perspectives… at its core is understanding the firm's cyber risk posture, being able to communicate that understanding to senior management and the Board of Directors in plain English as well as being able to develop and execute a plan of action as required by the firm's risk posture versus its risk tolerance.

What metrics or KPIs do you use to measure security effectiveness? When I retired from my last role, the monthly metrics deck I reviewed with my management team was approaching 400 pages with almost 200 key indicators of one form or the other and their supporting details … so there is not one metric. The key though is to answer two key questions using the underlying detailed metrics. 1) Are we adequately protecting our customers and our own confidential data? 2) Are we ensuring the operational integrity and availability of our critical systems and their related business processes?

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Absolutely. The hardest roles to fill at the moment are the most technical such as applications for security architects on the one hand, as well as people with real communications skills and business understanding for Intel Analyst roles.

Cybersecurity is constantly changing - how do you keep learning? By staying connected to my network and being focused on the innovation coming from start-ups around the globe and across different industries.

What conferences are on your must-attend list? I was never a big fan of conferences, but the Enterprise Security Action Forum (ESAF) meeting the Monday of RSA week as well as the SINET CISO workshop are two meetings I am always going to make time to attend.

What is the best current trend in cybersecurity? The worst? I am not sure if it's the worst trend, but the worst named trend is "zero-trust"… it's a nice way to say 100% verify while hiding how hard it can be to do it right at scale.

What's the best career advice you ever received? Remember who you're talking to… speak in their language.

Remember your job is not to make the business 100% secure.

Don't take the sh*t you'll get personally… the CISO is seldom the bearer of good news.

What advice would you give to aspiring security leaders? Ditto previous.

What has been your greatest career achievement? My great career achievement is all of the people that used to work for me that are now CISOs or senior IS leaders out there in the world today.

Looking back with 20:20 hindsight, what would you have done differently? Nothing… Good, bad or indifferent every decision I've made has led me to the place that I'm at and I love the place I'm at right now.

What is your favourite quote? "Do or Don't Do… There is no Try" - Yoda.

What are you reading now? Ben Hogan's Five Lessons.

In my spare time, I like to… Collect, taste and share wine, scuba dive, travel, and learn to play golf.

Most people don't know that I… Do underwater photography.

Ask me to do anything but… Jump out of a working airplane (skydive) or ride a roller-coaster.
