Secret CSO: Gary Hayslip, Webroot


Name: Gary Hayslip

Company: Webroot

Job title: CISO

Date started current role: April 2017

Location: San Diego, California

Gary Hayslip is an enterprise cybersecurity expert with 17 years of experience. Currently CISO for Webroot, a provider of threat intelligence and endpoint security, he previously held multiple CISO, IT Director and Senior Network Architect roles for the City of San Diego, the U.S. Navy and the U.S. Government.

What was your first job? My first job at 16 years old was that of a fry cook for Krystals Hamburger restaurant. My first IT-related job was when I was active duty for the US Navy and I was a Website Builder and Network Technician.

How did you get involved in cybersecurity? I originally was involved with software development and network engineering. Then as I was doing those jobs in the military I was expected to start implementing security controls for the networks I was managing and this gave me my first look into the world of cybersecurity.

What was your education? Do you hold any certifications? What are they? I have a Bachelor of Science degree in Information Systems Management, from the University of Maryland and a Master's in Business Management from San Diego State University. I hold several certifications to include CISSP, CISA and CRISC. I also have an Advanced Computer Security Professional Certificate from Stanford and a Senior Systems Managers Certification from the U.S. Naval Postgraduate School.

Explain your career path. Did you take any detours? If so, discuss. My career was actually in electronics engineering but I became fascinated with computers. I first started developing websites for my US Navy command as I worked on my bachelor's degree. It was at this time my command basically grabbed me and put me in the IT department where I got exposed to networks, application development and cybersecurity. While I was in the IT department I started working on network certs and really enjoyed building networks and standing up a datacenter. Later as a network engineer I met several people who were very good at hacking and into cybersecurity. While spending time with them I became interested in cyber and also how networks were assessed for risk. This led me to working on more certs in security and accepting management positions to build security programs and lead security teams.

Was there anyone who has inspired or mentored you in your career? I am inspired daily by my wife and my sons. As for mentors, Scott Hammer was my mentor who got me interested in hacking and cybersecurity. Palmer Taskerud was my CIO who I worked for as his CISO. I learned from him how cyber and enterprise IT are intertwined and work together. One of my current mentors is Julian Waits; he is a CEO and a cyber/IT professional with decades of experience. From Julian I am learning every day about how the CISO role is maturing and aligning to business operations and as a security executive how I should support my organization.

What do you feel is the most important aspect of your job? One of the most important aspects of my job as a CISO is understanding the risk exposure of my organization, aligning my security program to manage it and then being an evangelist that can speak to this risk to non-technical audiences in a language they understand.

What metrics or KPIs do you use to measure security effectiveness? I like to use the CIS 20 metrics list as a foundation for building metrics that apply to my security program. CIS has a reference document that lists five metrics per security control. Not only do they list metrics, they also list the low/medium/high risk measurement of that metric. I find using these as a reference I can create my own that are focused on measuring risk for my company's business operations. To me it's all about measuring the maturity of my program and demonstrating value.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill? For cybersecurity the positions I am having issues with are those related to cloud security. Talking with my fellow CISOs I am finding junior level positions are easier to fill but mid/senior level positions are challenging. This led me to promote one of my senior security engineers into an open cloud position I needed to fill. I figured I could train him to the position and it would provide more value to my teams.

Cybersecurity is constantly changing - how do you keep learning? I have a training budget and I pay for my staff to have access to online training, to attend conferences and for all of us as a team to attend Black Hat and DefCon together. I also have a professional development goal added for all team members, including myself, as part of our annual goals. Because our field is changing so fast we must stay educated and I feel it is important to keep my team members up to date, and I find it is also a good recruiting benefit.  

What conferences are on your must-attend list? RSA, Black Hat, BSides, DefCon, Splunk .conf, AWS re:Invent, OffensiveCon, Tel Aviv Cyberweek, Gartner's Security & Risk Conference, SANS, and ShmooCon.

What is the best current trend in cybersecurity? The worst? Best - zero trust, AI and ML for cyber automation, orchestration for cyber response, AI bots for threat hunting, and deception technologies for IoT. Worst - ransomware evolving, AI being used to accelerate the life-cycle of new threats, increasing number of IoT based attacks, cloud-based vulnerabilities and massive breaches leading to data theft/data blackmail.

What's the best career advice you ever received? Don't take it personally, you will have challenges and you will fall down. Get back up and keep moving forward. It's not about the destination it's about the journey so have fun.

What advice would you give to aspiring security leaders? I would tell them that this field is not easy, they will have to develop an understanding of fields outside security such as cloud, network engineering and risk management. That to be good in cyber they will need to understand their field interacts across department boundaries in organisations so they will also need to know soft skills because they will need support to grow their security programs to help protect their organisations.

What has been your greatest career achievement? Being the first in my family to graduate college with a degree.

Looking back with 20:20 hindsight, what would you have done differently? I would have learned Python sooner, I would have moved to private industry sooner, and I should have bought my kilt when I was younger.

What is your favorite quote? "In Chaos there is Opportunity" - Shaynei

What are you reading now? "Case for Faith" by Lee Strobel and "Presenting to Win" by Jerry Weissman

In my spare time, I like to… Write, read and collect science fiction books, collect action figures and graphic novels, play World of Warcraft, go hiking, and enjoy sports with my sons.

Most people don't know that I… Like to raise roses, my favorite are Mojave Golds.

Ask me to do anything but… Clean the cat litter box


