Secret CSO: Jason Hicks, Kudelski Security


What was your first job? My very first job was working at a gym. I split my time between personal training and equipment maintenance. I remember walking a mile there each way, sometimes in the snow. This is starting to sound like a story you'd hear from your Dad or Grandpa, but I do think it teaches you the value of hard work and makes you appreciate sitting in your nice warm office all that much more.

How did you get involved in cybersecurity? I spent some time working in law enforcement and, based on my IT skills, spent most of that time working on cyber cases. Back in those days there were very few people with IT skills, so it was a high-demand skill set.

What was your education? Do you hold any certifications? What are they? Like most people in cybersecurity, I'm self-taught on most of the technical aspects that allowed me to pursue my career. Schools during the time I was matriculating did not offer extensive classes in IT or security, and what they did offer was pretty limited in its technical aspects. Your main options were classes in programming that mainly leveraged out-of-date languages.

At the same time, I think it's important to understand the educational requirements for your career path and act accordingly. I witnessed multiple mentors run into career ceilings based on their lack of formal education, or of specific levels of formal education. Much of this is driven by HR departments, but the reality is that if you want to be a CISO at a large organisation, you're going to need some formal education. (This is coming from a first-generation university grad, for whatever that's worth.) With all that in mind, I completed an associate's degree, a bachelor's degree and ultimately a master's degree. I considered a PhD but could not justify the high cost given its limited potential impact on my earnings. I do think it would be enjoyable and rewarding to teach college courses on security, and I plan to get into that when I retire. I've held a number of certifications over the years; currently I've pared it down to just the CISSP. I think you need to tailor your certifications to your career situation. The more experience you have, the fewer certifications I would expect you to maintain.

When you're just getting started, potential employers need something to judge your technical aptitude by, and certifications are a good way to accomplish that. They are also a good way to show you have deep skills in a high-demand area (e.g., an AWS or Azure certification). It's also good to point out that someone with an extensive number of certifications will receive higher scrutiny during a recruitment process, as the time required to obtain and maintain all of those certifications would definitely reduce the number of impactful projects you would have time to actually work on. As with everything, balance is key.

Explain your career path. Did you take any detours? If so, discuss. I've spent the majority of my career in the information security realm, even before we called it that. Most folks come out of either the infrastructure or the application development space: plumbers or painters, respectively. I got my start in networking; at the risk of dating myself, I'll say Novell was a hot seller back then. From there, I transitioned into forensics, then into architecture, then product security and finally into information security management. I spent about half of my career on the internal client side, and the other half on the consulting side. Both are helpful experiences for those who aspire to become a CISO.

As a CISO you and your team will make extensive use of consultants and product resellers; by working on their side of the fence, you will be better positioned to ensure you're getting the best deal possible. You will also understand the different models consulting organisations employ and will be able to ensure a positive outcome when leveraging them to perform work on your behalf. I also think working on the consulting side is a great experience for learning how to communicate and relate to your business stakeholders. Experience is the best teacher, and by running your own consulting practice you will learn to appreciate how a business is run and will gain unique insights into the experience your revenue-generating people are having. Consulting is also a great place to learn communication and adaptability. Projects live and die by the quality of your communication skills. You also learn how to project confidence and gain familiarity when interacting with large groups of people you have never met before. I used to tell my team that every time you start a new project you're basically interviewing for and starting a new job. This should make it easier for folks to move into new roles and organisations and hit the ground running.

Was there anyone who has inspired or mentored you in your career? I'd have to credit an uncle for getting me into tech. My uncle is one of those self-taught network wizards, back in the day when companies were mystified by what they did since very few people understood the technology. He'd tell us stories about how an entire manufacturing line that employed thousands of people and cost millions was shut down until he could fix some technology issue. I wanted to learn how to do that, and he took the time to get me started on my road to learning.

I also had the opportunity to work for some really great leaders, and some not-so-great ones as well. I think both offer learning opportunities for those who maintain an awareness of what's going on and evaluate what works and what does not. The good ones taught you to be self-aware and to develop the maturity to see yourself as a coach, not the star quarterback. I think that can be one of the hardest transitions for people who started out as strong engineers. You also learn that leadership is something done from the front, and you should not be asking people to do anything you would not do yourself.

What do you feel is the most important aspect of your job? Protecting the jobs and livelihood of our employees, maintaining the trust of our clients, and growing the value of our shareholders' investments.

What metrics or KPIs do you use to measure security effectiveness? I think the two most important ones are mean time to detect and mean time to respond. If you don't get these two right, you won't have time to worry about any additional metrics. These two are key to maintaining your program and staying out of the headlines. Once you have your house in order from a security operations standpoint, you can branch out and determine what metrics are most meaningful for your organisation. I also like to keep track of the different types and frequency of attacks we're experiencing, as I roll them up into trend reports and share selected tidbits with the management team. Finally, I think you should be able to track business value delivered (e.g., I spent x dollars to prevent y dollars in damages). This assumption underpinned your original decision to buy something, and you need to figure out a way to measure its effectiveness.
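As an added illustration of the two headline metrics above (this is editor-supplied example code, not anything from the interview or from Kudelski Security), the script below computes mean time to detect and mean time to respond from a set of incident records and rolls up attack types for a trend report. The record layout and the five incidents are constructed for the example; the field names are assumptions to be mapped onto whatever your ticketing system exports. It reports the median next to the mean and refuses records whose timestamps run backwards, because both a single long-dwell intrusion and a bad timestamp will otherwise quietly distort the number that ends up in front of the management team.

```python
"""Mean time to detect (MTTD) and mean time to respond (MTTR) from incident
records, plus the attack-type frequency roll-up used for trend reporting.

Added example for this page; not Kudelski Security's tooling. The record
layout and the incidents below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed sample export from a ticketing system. "occurred" is the start of
# attacker activity as established by the investigation, "detected" is when the
# SOC opened the case and "contained" is when the threat was neutralised.
# None means that step has not happened yet.
INCIDENTS = [
    {"id": "INC-101", "type": "phishing", "occurred": "2023-03-01T08:00:00Z",
     "detected": "2023-03-01T09:30:00Z", "contained": "2023-03-01T12:00:00Z"},
    {"id": "INC-102", "type": "malware", "occurred": "2023-03-03T22:00:00Z",
     "detected": "2023-03-04T02:00:00Z", "contained": "2023-03-04T08:00:00Z"},
    {"id": "INC-103", "type": "credential-stuffing", "occurred": "2023-03-05T00:00:00Z",
     "detected": "2023-03-05T01:00:00Z", "contained": "2023-03-05T01:30:00Z"},
    {"id": "INC-104", "type": "phishing", "occurred": "2023-03-07T10:00:00Z",
     "detected": "2023-03-07T10:30:00Z", "contained": None},
    # A long-dwell web compromise (35 days undetected): one of these dominates the mean.
    {"id": "INC-105", "type": "web-app", "occurred": "2023-02-01T00:00:00Z",
     "detected": "2023-03-08T00:00:00Z", "contained": "2023-03-09T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start, end):
    return (end - start).total_seconds() / 3600.0


def _interval_hours(incidents, start_key, end_key):
    """Hours from start_key to end_key for incidents where both are recorded.

    Raises ValueError when the end precedes the start: a data-quality problem
    that would otherwise silently drag the average down.
    """
    hours = []
    for inc in incidents:
        start, end = parse_ts(inc[start_key]), parse_ts(inc[end_key])
        if start is None or end is None:
            continue  # step not reached yet; excluded rather than counted as zero
        if end < start:
            raise ValueError(f"{inc['id']}: {end_key} precedes {start_key}")
        hours.append(hours_between(start, end))
    return hours


def detect_times(incidents):
    """Time to detect: first attacker activity -> detection."""
    return _interval_hours(incidents, "occurred", "detected")


def respond_times(incidents):
    """Time to respond: detection -> containment."""
    return _interval_hours(incidents, "detected", "contained")


def summarize(incidents):
    """MTTD/MTTR in hours plus the counts that feed a trend report.

    The median sits next to the mean because one long-dwell intrusion inflates
    MTTD far above what the typical incident looks like.
    """
    ttd, ttr = detect_times(incidents), respond_times(incidents)
    return {
        "mttd_hours": mean(ttd) if ttd else None,
        "median_ttd_hours": median(ttd) if ttd else None,
        "mttr_hours": mean(ttr) if ttr else None,
        "median_ttr_hours": median(ttr) if ttr else None,
        "open_incidents": sum(1 for i in incidents if i["contained"] is None),
        "by_type": dict(Counter(i["type"] for i in incidents)),
    }


if __name__ == "__main__":
    for key, val in summarize(INCIDENTS).items():
        print(f"{key}: {val}")
```

On the constructed data the mean time to detect is about 169 hours while the median is 1.5 hours; that gap is exactly the kind of thing worth a sentence in the report rather than a single number.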

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? We are not immune to the shortage of security talent in the marketplace; it has certainly lengthened our recruitment times for multiple roles. I'd say roles focused on cloud security or security DevOps folks are the hardest to find. Given that this is an emerging area for security resources, it's not unexpected, and it will take a few years for more people to get the skills and experience to work in this focus area. I've taken to looking at DevOps engineers or cloud engineers that have an interest in security to see if I can grow them into the role. You can get away with having a senior person run that team and adding some of these folks to round it out. It's not ideal, but it's unrealistic to recruit a whole team of folks with this background; they are just too rare in the marketplace. Even if cost is not a concern, it's hard to find them and woo them from their current employer in a time-efficient manner.

Cybersecurity is constantly changing - how do you keep learning? I do a significant amount of reading every day, both on news and current events as well as security news. It's also important to build a network of other CISOs you can share information with. I can't tell you how many times I've fired off a note to that group asking if a new product or a service provider is legit. Conferences are also a good source of information, but you have to pick and choose your sessions, as it's not realistic to spend the whole day there; your day job will have you back in the hotel room and on the phone at least half of the day. I try to pick a few interesting sessions each day and leave the rest of the time for networking or work.

What conferences are on your must-attend list? I find value in attending RSA and Black Hat/DEF CON on an annual basis. For my role it's more of a networking and recruitment event. I also try to attend the Evanta and HMG CISO summits in my local geography, as I find them useful for networking.

What is the best current trend in cybersecurity? The worst? This is a tough one, as there are multiple ones to choose from. I'm going to go with something that's close to home. The best trend in cybersecurity is how the CISO role has continued to progress into a real member of the C-suite. For those of us that have been at this for a while, it's been a long road. Having a seat at the table allows security to get the attention and funding it needs, but it also comes with requirements for new business skills that not all have acquired yet.

The worst trend in cybersecurity is breach fatigue. As people become more desensitised to breach events, we run the risk of prevention and response not getting the focus they deserve. If breaches become common enough or accepted enough, it runs the risk of setting back the importance, and the subsequent funding, that we've all been fighting so hard for in the security profession.

What's the best career advice you ever received? To set realistic goals and have a plan to achieve them. You have to hold yourself accountable for your career; no one is going to plan it out for you. You also have to be very realistic about how fast you're going to achieve them and decide how far you're willing to go to get there. For instance, you should not assume you're going to get promoted every year, but if it's been three years and you're still in the same role, it's probably time to look outside your current employer. Also, if you're willing to move across the country every couple of years you will find more opportunities for advancement, but you trade off being close to family, friends, etc. Do you want to have a family, and how much time do you want to spend with them? All of these facets need to be considered and factored into your plan.

What advice would you give to aspiring security leaders? As I pointed out in the previous question, we need to take responsibility for our career growth and have a plan. As you work to advance in your career you will need to be willing to move from company to company as opportunities arise, especially as you reach higher levels of responsibility, since there is typically a single role at each organisation. You also need to be cognizant of the political realities that exist in your workplace, especially as CISOs become more integrated with the rest of the C-suite. Change at the top will often lead to change at other levels, so have a career plan and be ready to pivot if need be.

The CISO role comes in many varieties depending on organisation size, industry vertical, etc. It's also a good idea to find a CISO to serve as your mentor, ideally one at the size of company and industry vertical you aspire to be a CISO at. The level of technical and business skills required will vary significantly based on the preceding criteria. The role itself is pretty different in focus and day-to-day life from the various deputy CISO roles, so it's a good idea to get someone to fill you in on what their role is really like so you can decide what company size and vertical are the best fit for you.

What has been your greatest career achievement? For me this one is pretty simple, I set a goal of making it to the CISO level and I've achieved it multiple times.

Looking back with 20:20 hindsight, what would you have done differently? I would have developed a higher level of humility earlier on. Engineers tend to think we're the smartest people in the room, and that's our entire value proposition. As you gain experience and especially if you want to be an effective leader, you learn that your value proposition is being a force multiplier that builds a high performing team and ensures all members are playing at the top of their game. If I'm the smartest person in the room on all topics, I'm not doing a good job at hiring and that lesson takes time to learn.

What is your favourite quote? I've got two I really enjoy: "If you think you can do a thing or think you can't do a thing, you're right." - Henry Ford. "Never tell people how to do things. Tell them what to do and they will surprise you with their ingenuity." - General Patton.

What are you reading now? Farm & Workshop Welding, by Andrew Pearce. Without Remorse, by Tom Clancy.

In my spare time, I like to… I enjoy restoring classic cars, I'm currently working on a 1955 Ford F100. I also spend a fair amount of time working on farm equipment, so if you need your tractor fixed, I'm your guy.

Most people don't know that I… Own an organic farming business that's run by my wife.

Ask me to do anything but… My taxes. Seriously, we all need to know our limitations.
