Secret CSO: Chad McDonald, Radiant Logic



Name: Chad McDonald

Organisation: Radiant Logic

Job title: Chief of Staff and CISO

Date started current role: January 2022

Location: Winter Garden, Florida, USA

Chad McDonald brings more than 20 years’ experience building and managing information security programs. McDonald has brought his security leadership to dozens of organisations across the technology, education and medical sectors. Prior to Radiant Logic, McDonald defined the security and technical integration of five acquisitions and attained FedRAMP-in-Process status for Digital.ai. While serving as the Executive Director of the Office of the CISO at Optiv, he defined the security strategy for a $70 billion merger between two technology giants.

What was your first job? My first CISO job was at Georgia College & State University, and I was there for eight years. However, my very first job was as a construction worker at a hospital, so quite a radical career change from what I am doing now.

How did you get involved in cybersecurity? It was at Georgia College & State University where I got really involved in cybersecurity for the first time. The university had a substantial cybersecurity working group, and we would hold regular events in which security would be discussed.

We were even lucky enough to have a computer science department with some very proactive students who took it upon themselves to disrupt a critical DNS (Domain Name System) server for the State of Hawaii. This incident prompted US federal agents to turn up at the university and I was the guy lucky enough to respond.

I ended up helping them find out who did it and was involved in the search warrant; I got to wear a bullet-proof vest and search these students’ apartment, which included going through their computers, floppy disks and even their rubbish. The whole event was a blessing in disguise because I have been involved in cybersecurity ever since.

What was your education? Do you hold any certifications? What are they? My work with the law enforcement agencies allowed me to take part in some of their courses and certifications. I first achieved a certification in forensic investigation and then earned a Certified Information Systems Security Professional (CISSP) certification.

Later in life, I earned the Certified Information Systems Auditor (CISA) certificate and the Certified Ethical Hacker (C|EH) certificate. I even earned the Product Management Professional (PMP) certification. Even though this is not a security certification, it has helped me significantly in executing cybersecurity strategies.

Explain your career path. Did you take any detours? If so, discuss. After working at Georgia College & State University, I became the Information Systems Auditor at the Georgia Department of Audits and Accounts. It was a big shift for me because I went from a relatively small university to a large organisation.

From there, I moved to governmental roles and worked as a security analyst for the Centers for Disease Control and Prevention, and stayed there for nine months. However, afterwards I went back to my roots, which is building security programs, and I have stayed there ever since. In total, I was out of the CISO seat for three years, but those detours helped broaden my scope of what I understood about the world and cybersecurity.

Was there anyone who has inspired or mentored you in your career? One person who has mentored me throughout my career, and still does this today, is Stanton Gatewood. He and I were the first and second, or second and third, CISOs in the State of Georgia’s university system, and he even signed my CISSP certificate.

We have been good friends for over 22 years and always catch up at least once or twice a month to discuss the cybersecurity world. Stanton is one of the OGs (Original Gangsters) in the cybersecurity industry and is one of the few celebrities in the CISO world.

What do you feel is the most important aspect of your job? Understanding the business is the most important aspect of my role as a CISO. I can build a set of security programs which can protect every part of an organisation. However, I probably would shut down the business while doing it. I have to understand what the business does, so I can maintain business performance and enhance security.

Once you understand the organisation, the second important aspect is the execution strategy. There are a lot of people who can build a security strategy on paper but then can’t implement it. Therefore, having the ability to execute your strategies is crucial. If you can’t execute what you’ve got on paper, then you waste both time and money.

Finally, it is about building relationships. I wish I had known earlier in my career how important relationships are with other people in the cybersecurity industry and the wider organisation you are working for. I’ve mentioned my relationship with Stanton and how important that has been to me. I also have a mentee who I work with on a monthly basis. Helping others in the industry helps you to better understand your career progression and support the next generation of talent.

What metrics or KPIs do you use to measure security effectiveness? When measuring security effectiveness, you can easily split it up into qualitative and quantitative measurements. In terms of qualitative measurements, it would be “execution against plan”. It’s as simple as what your goals were for the year and whether you achieved them. Personally, I think this is the best way to measure security effectiveness.

On the other hand, quantitative measures, or KPIs, mainly measure the effectiveness of your strategy. For example, one measurement could be the participation rate in security awareness training programmes. Other examples could be the time it takes to patch vulnerabilities and the completeness of those jobs. There are also proactive goals rather than reactive ones which CISOs can put in place, such as the number of attacks against firewalls. I slightly lean more to the idea of being proactive against attacks, and these metrics can help.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The security skills shortage hasn’t had a critical impact on our organisation. We are lucky enough to have an average tenure here at Radiant Logic of six and a half years. I haven’t really seen the impact of a skills shortage at my previous employers either.

The only challenge I have ever seen is finding someone with broad skills. For example, I can easily find someone who can support firewalls, build security programmes, or audit and enforce policies, but I would struggle to find someone who had all of those skills.

Cybersecurity is constantly changing – how do you keep learning? Lots of reading is the key to it, but I’m sure there is still plenty that I miss. With cybersecurity being a broad industry, I try to focus on the relevant changes that will impact the organisation I’m working for. It’s about focused reading - what is going to impact my day-to-day life and responsibilities.

I also have a personal interest in the cloud and cryptography, and keep up to date by reading opinion articles, as well as listening to webinars and podcasts, and attending conferences. Beyond that, I follow emerging threats and the rabbit-hole of how we have gotten to our current situation in the cybersecurity industry.

What conferences are on your must-attend list? With there being a temporary halt to conferences over the last two years, some of the big ones for me this year were RSA and BlackHat. However, there are plenty of other conferences that I want to attend in the future.

What is the best current trend in cybersecurity? The worst? It is so difficult to just say one current trend which is the best, so I’m going to pick three. One of my favourite trends is Pen Test as a Service (PTaaS), and the industry seems to be getting a lot of value out of it lately. Beyond that, it is Endpoint Detection and Response (EDR) which is a positive move away from the old-school anti-virus-based software. Finally, the explosion in security awareness vendors and the recognition about tying security awareness to risk user-base scores. That area of the industry has matured significantly, and it is only a positive thing.

I don’t necessarily think there is a bad trend in the cybersecurity world, however, I would like to see more maturity in the Zero Trust space. Currently, there is so much marketing spin around what Zero Trust is, and it seems to mean something different to each company. It would be great if the community could hone in on what it means and every vendor buys into that.

What's the best career advice you ever received? It was from Jim Tiller; I had applied for a job at BT, and Jim was the Chief Security Officer there. Unfortunately, I did not get the job, but we had a long conversation on the phone, and he recommended taking the PMP certificate. This is a non-security certification that has been critical to my success as a security practitioner, and I have advocated it to anyone who would listen.

What advice would you give to aspiring security leaders? Take the PMP test. It is one of the hardest courses I have done, but the one that has given me the greatest value. Also, the security industry is so noisy right now that it is crucial that you specialise in a certain area, then afterwards just trust the process.

What has been your greatest career achievement? My greatest achievement is being asked to be someone’s security mentor. I have had that privilege a few times in my career. It always feels a bit odd that someone sees me as a leader in my field, but I am always honoured.

Looking back with 20:20 hindsight, what would you have done differently? Nothing. Everything I have done has led me to this point, and I am pretty happy where I am.

What is your favourite quote? “Trust the process.” I have no idea where it comes from, but I live by it every day.

What are you reading now? Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth by John Doerr. It’s a big one for me and my team right now – it’s about looking for results and the quality of the outcome instead of measuring the quantity of work.

In my spare time, I like to… Barbecue. I am a certified barbecue judge, so you can guess what I do in my spare time. Independence Day is always a big holiday for me because I spend the day exercising that certification. My specialty is barbecue brisket.

Most people don't know that I… Am a certified barbecue judge.

Ask me to do anything but… Something that would infringe on my integrity. I work very hard on being open with my leaders, my staff, and my family, and I would never put that at risk.