Secret CSO: Stan Black, Delinea

Name: Stan Black

Organisation: Delinea

Job title: Chief Information Security Officer (CISO)

Date started current role: March 2022

Location: Florida, USA

Stan Black is Chief Information Security Officer (CISO) at Delinea, a leader in the Privileged Access Management space. Black joined Delinea from Lattice Security, where he was CISO and provided executive security consulting and advisory services for private equity, commercial, and research firms. He previously was Chief Security Officer and Chief Information Officer at Citrix for six years, leading global operational security and risk management. Black has held several C-level security and technology positions over the past 15 years including Nuance Communications, EMC, RSA, Forcepoint, and more.

What was your first job? My first job was mowing lawns, but in college I would put my skills in Autodesk’s AutoCAD to use by selling services to companies without in-house CAD capabilities. I would divide it up among various schoolmates and we would swarm the CAD Labs late at night and crank out a ton of work and deliver it to customers. Our margins were huge because we had no capital expenses!

How did you get involved in cybersecurity? In the 1980s I worked on what was at the time some fancy filtering to identify malicious network activity. Today it would likely be labelled as “Machine Learning” or “Artificial Intelligence,” but I’ll stick with fancy filtering.

 What was your education? Do you hold any certifications? What are they? I have an Associate of Science and a Bachelor of Science in Engineering. I did have a CISSP, but the CSO/CISO gig keeps me busy and I forgot to enter CPEs.

Explain your career path. Did you take any detours? If so, discuss. My dad used to bring home old adding machines made from steel and brass so that I could take them apart and see how they work, and then try to put them back together. I loved the idea of being an Engineer, but then I found out it was essentially a business of evolution. Then I discovered cybersecurity, where there is a new threat every few minutes.

Was there anyone who has inspired or mentored you in your career? I won’t name anyone in particular, but life hackers have always inspired me. People who can see a problem and can decompose it to find a solution with a bit of ingenuity and stuff readily at hand.

What do you feel is the most important aspect of your job? Being a CISO or CSO is about putting the customer first. It’s hard for anyone to argue that the customer is not job-one. If you lose them, you don’t have a job.

What metrics or KPIs do you use to measure security effectiveness? Automation – What operations can we eliminate to enhance our understanding of risk and eliminate root cause.

Simplification – Everyone says, “security is complicated.” Of course it is, we made it that way. Every year we add a new layer to the point that now our layers are our risks.

One of my main measurements comes down to ACCESS, without it the bad guys can’t infiltrate or exfiltrate. We spend a lot of time and money on hardware and software, by never enough on wetware or people.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Not at this time, I am fortunate to have great talent from my past that want to join a strong team like Delinea.

Cybersecurity is constantly changing – how do you keep learning? I have a lot of cybersecurity feeds: for emerging threats, new cloud security practices, etc. There are always people smarter than you who are willing to share their insights and expertise.

What conferences are on your must-attend list? I generally find most conferences lack value except for customer and partner meetings surrounding the event, and creating an awareness opportunity for our company and solutions with an Expo booth. For those purposes RSA Conference and Gartner IAM Summit are among those that come to mind.

What is the best current trend in cybersecurity? The worst?  Best: security and development are aligning to objectively quantify cyber risks.

Worst: spending money on assessment to justify budget, even though you already know what is vulnerable.

What's the best career advice you ever received? That there will aways be another crisis. If you don’t focus on your mental and physical health, the crisis will win.

What advice would you give to aspiring security leaders? Build a local and cloud-based lab and learn how things work, then break them.

What has been your greatest career achievement? Mentoring people and watching them recast cybersecurity in their vision with a few tricks they learned from me.

Looking back with 20:20 hindsight, what would you have done differently? I would have spent more time in coding, especially now that we live in a software defined world.