Redefining CyberSecurity

11 Learnings From 8 Hours With 75 CISOs | CISO Circuit Series: Episode 2 with Omar Khawaja | With Michael Piacente and Sean Martin on the Redefining CyberSecurity Podcast

Episode Summary

In this special CISO Circuit Series edition of the Redefining CyberSecurity podcast episode, Sean Martin and Michael Piacente welcome a special guest, Omar Khawaja, VP of Security and Field CISO at Databricks, to chat about the evolving role of a CISO and aligning security with business needs.

Episode Notes

About the CISO Circuit Series

Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

____________________________

Guests: 

Michael Piacente, Managing Partner and Cofounder of Hitch Partners

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente

Omar Khawaja, VP Security, Field CISO at Databricks [@databricks]

On LinkedIn | https://www.linkedin.com/in/smallersecurity/

On Twitter | https://twitter.com/smallersecurity

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this special CISO Circuit Series edition of the Redefining CyberSecurity podcast episode, Sean Martin and Michael Piacente engage in a thought-provoking conversation with Omar Khawaja, VP of Security and Field CISO at Databricks. Driven by a conversation with 75 of his CISO peers, Omar brings his unique perspective to the table, discussing the evolving role of a CISO and the importance of aligning security efforts with business needs.

Drawing on his experiences transitioning from a CISO at a large healthcare organization to a Field CISO, Omar shares insights on how he assists other CISOs, particularly in managing their data and implementing AI. He emphasizes the necessity of effective communication, audience awareness, and collaboration. Using the metaphor of a plane journey, Omar illustrates the importance of delivering a clear, simplified view of security efforts to stakeholders.

A significant part of the conversation revolves around the importance of building strong relationships with other executives and being open about vulnerabilities. Omar stresses the value of maintaining a relentless curiosity and refraining from judgment to foster better relationships and collaboration. He also shares some practical techniques for CISOs, encouraging them to continuously work on the craft of asking the right questions and demonstrating curiosity.

This episode serves as a valuable resource for anyone interested in the ever-changing role of the CISO and the critical task of aligning security efforts with business needs. With its blend of practical advice, insightful metaphors, and real-world experiences, it's a must-listen for those looking to understand the complexities and challenges in the world of cybersecurity.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


____________________________

Resources

Omar's LinkedIn Post: https://www.linkedin.com/feed/update/urn:li:activity:7129749407146627072/

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

CISO Circuit Series episode 2 
 

[00:00:00] Sean Martin: Hello everybody, this is Sean Martin, host of the Redefining Cybersecurity podcast here on the ITSP Magazine Podcast Network. You're very welcome to this new episode of the CISO Circuit Series. It's a collaboration between myself and Michael who's on with me. Good to see you, Michael.

Michael Piacente: Hello. Good to see you, Sean.
 

And, uh, we, we try to do this roughly on a monthly basis, where we, where we get to talk about, uh, the role of the CISO and things that are interesting. And, uh, we've done a couple on our own and, uh, we, we've decided to invite a good friend to join us and is with a lot of things for me anyway, I get, I get inspired by my posts on LinkedIn, not, not junk posts, but good posts from smart people that get a lot of engagement on the platform and, uh, Omar posted something about some. 
 

Some work he's doing with CMU and, and working with some CISO students and I'm like, this is a cool topic. Michael, let's see if Omar can slice some time out and, uh, and share some of those, uh, learnings with us here.  
 

[00:01:11] Michael Piacente: Um, yeah, that's, that was a, uh, a great post and, uh, first of all, welcome Omar, uh, for those of you who do not know Omar, uh, Khawaja. 
 

Um, he is the, well, long history as a CISO, uh, one of the beacons of light in the community, uh, extremely positive and brilliant. Uh, guy, I've gotten to know him over the last five or six years. Uh, he is currently the VP of security and field CISO at Databricks. Um, uh, very successful technology company. Uh, and he's also, uh, recently presented as Sean mentioned at the, the CMU, uh, cohort. 
 

Um, he's on the faculty there for the CISO program, which, uh, uh, I'm a little biased because I've, I've worked with them before, but, uh, they're by far one of the best, if not the best, uh, program in the, in the U.S., uh, for aspiring CISOs and, uh, continuing education in that. So, um, first of all, welcome Omar. I don't know if you wanted to further introduce yourself probably more appropriately, but we can jump in, uh, to the topics as well. 
 

[00:02:08] Omar Khawaja: No, I, uh, thank you. Thank you for having me. It's, uh, it's always fun to talk to people that are excited about cyber and trying to make lives of, uh, other CISOs a little bit easier. So we, uh, it's always less painful to learn from somebody else's mistakes since, uh, versus one's own. And I feel like if there's one superlative I can associate with myself as a CISO is it would be that I do not know any other CISO that's made nearly as many mistakes as I have. 
 

[00:02:35] Sean Martin: It's a badge of honor. It's a badge of honor.  
 

[00:02:39] Omar Khawaja: I'm going to wear it proudly. It's the only one I have.  
 

[00:02:43] Sean Martin: There you go. That's great. Yeah, well this, um, this, uh, list, I'm going to actually hand this over to you, Michael. I actually have to answer the door. Yeah. Live TV right here.  
 

[00:02:57] Michael Piacente: Kick off with number one. Yeah, yeah, yeah. 
 

Um, one of the things he brought up in the, in the post, and if anyone hasn't seen the post, we can repost it as part of this, um, uh, as this, when we, when you send this out. But the first thing he brought up was, uh, CISOs are, you know, risk leaders first, security leaders second. Uh, and you also mentioned, uh, a Thomas Aquinas quote, which I love. 
 

Um, we'd love to hear your thoughts around that. Uh, just some context around that. I have some, I have some thoughts as well. I'd love to share, but yeah, just maybe open us up with that one.

[00:03:27] Omar Khawaja: Yeah, I, I, you know, there's, uh, there, there's the most of us as CISOs likely grew up in the security program. And prior to that, maybe we came from the application side, or maybe we started our careers in the world of security, but we likely gravitated to some area of controls. 
 

Maybe it was in the network or the infrastructure side. Maybe it was on the application side. Maybe we. We, uh, sort of were more aligned to the GRC space, but we likely had some kind of focus and affinity towards a certain set of controls that we found our sort of technical expertise in. And then, we sort of grew up and became CISOs and started working, uh, working in a very different role. 
 

And sometimes what happens is we, we continue to think that the controls are the most important thing, and that's sort of what security is, is it's a constellation of controls that make up the program. However, if we start to think of ourselves as risk leaders, all of a sudden we're not going to make controls and the technologies that, uh, implement them the central thing in our lives. 
 

We're going to actually put the business and our customers at the, as the central thing in our lives. So oftentimes security programs are referred to as information security and risk management. That's what I call my program, ISRM. And so there's a Thomas Aquinas quote that does a nice job distinguishing between the two, which is: if the job of a ship was to keep it from sinking, he would never leave harbor.

So from a security perspective, if my goal is to secure the company, that's not that hard. I just have to disconnect us from the internet and we're super secure. But that's not the job of secure, of, of the CISO isn't security, it's actually risk management. 
 

It's, um, and I was, uh, hosting a session yesterday with about 30 college students, and we were talking about the CIA triad, and one of them said, well, if you make something way too confidential, then it's no longer available. So, how do you do that? And I said, well, that's a really good point. That's sort of the job of a CISO and as a security leader is to say, how do I make this super confidential? 
 

But I don't actually take away from availability because these can seem like they're at odds with each other. And that's the job of risk management is to say, we're going to go, we're going to go do this. And we are going to figure out exactly what controls you need to do this safely and with minimal disruption along the way. 
 

[00:05:58] Michael Piacente: Yeah, I love it. And I've been saying for, for years now, but, um, it is about risk management and, uh, the systems that are able to narrate risk into digestible bites and appetizers for the business. Um, they, they've honed that skill. That's, that's really a superpower that, um, that most don't think about. Uh, and that others are aspiring to get to, uh, this sort of Chief Translation Officer model. 
 

Um, and a lot of, a lot of folks try to do it just with the security and it really is about business risk, right? Um, so I appreciate that. But by the way, you, you mentioned, uh, in the post, uh, Thomas Aquinas, uh, quote. So what was the quote? I always love to do it.

[00:06:34] Omar Khawaja: The quote was that, uh, if the job of a ship's captain was to keep it from sinking, he would never leave harbor.

[00:06:40] Michael Piacente: Got it. I, that's what I thought you mentioned. I, I'm a, I'm a big fan of, uh, "Sorrow can be alleviated by good sleep, a bath and a good glass of wine." 
 

[00:06:49] Omar Khawaja: Nice. Nice. I like that one. That's pretty good.  
 

[00:06:52] Michael Piacente: I like his quotes. So awesome. Um, I wanted,  
 

[00:06:55] Sean Martin: I wanted to pick your brain on, on this point. So were there any stories shared? 
 

Any, you can reshare here, because I know we've had a number of conversations, uh, when you're deep in the health care space. And my perspective, I know it's still a hard job, but it's easier to connect the story of technology and cyber security and risk to the outcomes when you can see a patient sitting there, right, and you ultimately you have to make a decision on how can I provide the best care?

How can I protect that patient both in, in the operating room and when they're at home, perhaps even connecting through an online doctor session. So, any stories from that session that you can share?

[00:07:46] Omar Khawaja: Yeah, I actually shared a story very much akin to what you talked about. So I shared with them when we acquired, when I was at Highmark Health, we were initially primarily insurance Blue Cross Blue Shield companies, and then we acquired a bunch of hospitals. 
 

Eventually we ended up with about 14 hospitals and a few hundred physician offices. And I marched into the meeting of the institute chairs that basically are, think of them as business unit heads across the hospital system, the head of cardiology and the head of medicine and the head of surgery and, and so on. 
 

And I said to them, Hey, I'm going to come in and I'm going to deploy this amazing security program with all of these controls. And if I do that, we're going to prevent data breaches from happening. And they looked at me and they said, we don't really care about data breaches. And I said, well, what do you mean? 
 

Like on the insurance side, we cared about data breaches. And don't you know that this company and this company and that company had breaches and those are really, really bad and it impacts customer confidence and it hurts our reputation. And they're like, no, none of that's true. Don't you know what we do in these buildings? 
 

We save people's lives. Who cares about privacy? And I was coming in as a security person, pretending to understand the business. I'd never talked to the business. I just decided to tell the business what they cared about without actually listening. And so I went away and I said, they don't care about data breaches. 
 

They were unequivocal in telling me that. And I could talk about HIPAA and I could talk about OCR and they'd say, yeah, whatever they don't care. And then about seven, eight months later, Um, I did two things. One is I started to go spend time with doctors and I befriended them and would hang out with them and made my kids become friends with their kids just so I could have reasons to run into them on weekends. 
 

And then, uh, ransomware started to happen. So I said, okay, let me take another take at this. So for seven, eight months, I said, if they don't want security, then I shouldn't give it to them because I am here to serve them. They aren't here to serve me. And even though I had this itch as a security person to go deploy all those controls because It would make my boxes and charts look nicer to say, I've got these controls in every business unit. 
 

I said, Hey, there's this thing happening. It disrupts business. And when it happens to organizations, they no longer have access to their technologies and their applications. And they turned around and they said, Omar, what the hell are you going to do about that? And I said, okay, so that is something you care about. 
 

And they're like, yes, where's our program? Like you can't do anything. If anything disrupts our ability to deliver care to patients, that's bad. You've got to make sure that doesn't happen. So then I went away and I said, okay, what would a program look like to prevent ransomware? Um, and I went and did that because now I was addressing a risk the business cared about versus before I was addressing a risk that I cared about. 
 

[00:10:50] Michael Piacente: That's great. The old trial and error. Yeah. Uh,  
 

[00:10:56] Sean Martin: I want to, if I can, and, and Michael, you can obviously jump in here, but there, there's another. Another point, number four, um, I don't know if you want to continue that story, if there are other, other stories you can wrap into it, but it's, it's where you, you begin the journey, right? 
 

And I presume everybody's going to have some level of interest, some more than others. Um, you have to, at some point, describe down and describe up why you're doing something, how it works, how it might impact the way they do things now. So, and so the, the point specifically is efforts are often derailed because internal stakeholders nitpick on minutiae and miss the big picture. 
 

It's not like you had the big picture sorted, but I'm wondering about the, that minutiae detail.

[00:11:50] Omar Khawaja: So it's sort of, um, you know, um, like one, one, one example of this, I'll share maybe a couple of metaphors. 'Cause I love mixing metaphors and confusing people. Uh, the first one is, you know, I pointed at the stars. 
 

And all my dog stared at was my finger. Right. So that's one. The second is this sort of became clear to me. Maybe this was five, six years ago. I'm sitting on the tarmac at Orlando Airport. We're about to take off to get to, uh, to get to Pittsburgh. And the pilot comes on and goes through the regular stuff. 
 

He tells us that we have to shut off our cell phones or put them in airplane mode. And then he goes on to add this one detail, which I don't think I've ever heard a pilot share. So he says, we're going to get to Pittsburgh at this time. We're going to have a delayed departure. We're going to make up the time. 
 

We're going to be flying at this many feet. This is what the temperature is going to be. And oh, by the way, we're going to be flying, the air pressure is going to be this many PSI. And at that point, I turn around to the passenger next to me and say, Is that good? Is that bad? Like, clearly the pilot wants us to give him some advice, because I don't need to know that information for myself, but if the pilot is sharing it, the pilot must obviously be looking for is this good or bad, and so we should figure out if the pilot needs to take a different route, go higher, go lower, delay the flight. 
 

And I'm like, that's kind of crazy. And that's sort of the equivalent of what we do way too often. So there's information and there's metrics that you need to know when you're a passenger in the passenger cabin, the business side of things. And if you're in the cockpit, you're flying the plane, you're running the security program, you're running the IT program, there's hundreds of different gauges that you're looking at. 
 

But what we do is we routinely invite the passengers into the cockpit, and then we get annoyed because the business doesn't understand the gauges, and they ask stupid questions like, Why is that yellow? Why is that at zero? Shouldn't that be at 16? Shouldn't that be higher? I just googled this. This should be there. 
 

And, and you're like, You don't know what you're talking about. I don't really want to ask these questions. You guys are dumb. I hear this over and over again where CISOs think the business is dumb. I remember a CISO said the business doesn't even understand the difference between EDR and antivirus, between network DLP and endpoint DLP. 
 

How dumb are they? No, no, no, the business isn't dumb, you're the dumb person that invited the business into the passenger cabin, because they should never have heard those words, a passenger should never see those gauges, ever. And what should happen is, if I as a passenger don't feel comfortable, I as the business don't feel comfortable with whoever is running and piloting my plane. 
 

I shouldn't go in there and help him fly it, I should just go get a new pilot, because I'm not a pilot, I'm not trained, and no matter how smart I think I am and how good I am at Googling things, I'm probably not going to be the best person to land this plane safely.  
 

[00:15:05] Sean Martin: Yeah. Interesting. And I, I can, I can picture a user awareness training on the plane. 
 

New users every day, yet we're responsible for the safety of everybody else.

[00:15:16] Omar Khawaja: Keep it, keep it simple. That's why I have that laminated placard that you get to look at.

[00:15:20] Michael Piacente: That's, that's all the awareness training you need. So yeah, 
 

[00:15:25] Sean Martin: my good buddy at Symantec, we'd, we'd travel together and he'd say, oh, I need to turn this upside down so I can read it. 
 

Like it will be in real life. 
 

[00:15:36] Omar Khawaja: Thanks.  
 

[00:15:37] Michael Piacente: This is, um, uh, Omar is such a great, I, by the way, I have the same, uh, analogy. I love your, your, your communication and the analogy. I, uh, I'm a big fisherman and surf and try to surf. I am not a great surfer, but when I talked to, uh, like my family, it's like, you know, it was windy. Uh, or it was choppy and when I'm talking to other fishermen or surfers and I'm talking about swell sizes and time between the waves and wind waves and atmospheric pressure and, and because they want to know all that. 
 

They get it. They're in that piece. And, um,  
 

[00:16:08] Sean Martin: but when I'm diving how  
 

[00:16:09] Omar Khawaja: cold it is.  
 

[00:16:11] Michael Piacente: Yeah, exactly. But the water temperature is at different water columns, right? And it's so, it's so technical. And I used to do that and people would just, their eyes would just gloss over like, who cares? Did you catch a salmon or not? 
 

That's all I care about. Are we eating dinner or am I getting to go? So, 

[00:16:25] Omar Khawaja: Um, and Mike, what you just described is, you know, it has to be audience centric. And I could tell you my first six iterations of a metrics program, every single time I thought this was perfect until I realized what I was doing is I was trying to create a metrics dashboard for everyone. 
 

And I was imposing what I cared about and what I needed to know on all my stakeholders. And when I stopped and I said, no, no, I need the right set of metrics that the board cares about. I need another view for the business unit leaders. I need another view for the IT leaders and the platform owners. I need another view for the leaders that have people reporting up to them because they own the human risk.

So once I identified the stakeholders, what they actually care about, what risk they actually own, and what actions I want them to take, I sliced and diced my metrics to be very specific to each one. And the moment I did that, I actually got them to start taking action versus pointing to stuff and saying, that's wrong. 
 

That doesn't make sense. I don't like this. I don't have control over that. We edited all of that stuff out and gave them the 3, 4, 5 things they actually cared about. And all of a sudden you get alignment and people actually want to, want to, want to do the things you want them to do because now they feel like. 
 

A, they've got responsibility for it. And B, they actually have the ability to actually go do things and who doesn't want to have someone else have a metrics dashboard that makes them look good and shows the progress they're making. Yeah.  
 

[00:17:54] Michael Piacente: For, for a lot of systems and people have heard me say this before, but it's, it's, um, it's almost like a math equation. 
 

You have to have the exact nuance in the level of communication at the right audience. You have, uh, you have to have the right awareness as to who your audience is and what is digestible and you need to be able to perform and execute on the collaboration. So communication plus awareness plus collaboration equals sponsorship. 
 

That's how you get funded. Um, and sponsorship plus the company's prioritization equals success for the CISO. Unfortunately, only half of that is under the control of the CISO. But, um, but they have to be perfect at that part. And, uh, I think a lot of people miss that piece. It's, it's all three of those things. 
 

It's communication, awareness, and collaboration. All in sync, uh, in, in different examples. And by the way, that changes from one meeting to the next, from one hour to the next, from one incident to the next. Um, and that's when you find out, uh, you know, who you, who your team is, who your sponsors are, and what you're really made of as a leader in those, you know, kind of wartime issues. But I think it's a great point, um, that you make on that. 
 

[00:19:02] Omar Khawaja: Yeah. And you know, the point that you just made, Mike, on so much of it, you can't do yourself, the collaboration piece, the others, you have to rely on folks outside of your organization as the CISO. And I think this was point number five that I made in the post is that there is an inverse proportional relationship between the amount of collaboration required outside the department and the maturity of that particular cyber function. 
 

So my favorite example is we're phenomenal at identifying vulnerabilities, at running scans and at running red teaming and pen testing. However, we're not nearly as good when it comes to actually remediating findings and actually patching systems. One is wholly contained within the security, within the CISO org. 
 

The other one actually requires working with others. And that's true in example after example. We're way much more mature when we can do it all ourselves. A lot less mature when we need to actually collaborate with others.  
 

[00:20:04] Michael Piacente: Uh, yeah, I'm a little biased, but I actually thought number five on your point was the most profound one on there. 
 

Um, cause it's the most, it's the one that's the hardest to get. And by the way, I mean, now that you're, you're in a different kind of role now, I'm not, I know this isn't, uh, uh, interviewing you for that role, but the fact that you have this, this field CISO view, which is super cool because I only know you before this. 
 

As the pure operator and strategic and technical leader. Right. And now you have this other, this other gear that you get to go deploy these, these, this type of communication. I'm curious, has that, has that been a change for you? Um, with, with talking about this and these types of concepts?

[00:20:42] Omar Khawaja: The first three, four months were a really big struggle because I really had to change a few gears and operate it sort of in a very different world, different culture, different industry, different dynamics, different stakeholders, different relationships. So I'm just getting used to that, figuring that out. I think what really helped me, Mike, is along the way, one of my mentors said to me at one point, uh, after she heard me stumble through what I thought my role was as a field CISO because I was really just figuring it out. 
 

I hope my boss is not listening to this. Um, but um, but she said, Omar, so what you're saying is your job is to be a CISO for CISOs. I'm like, that actually sounds really exciting. I think I know how to do that. So like when I frame it that way is my job is to go out and help CISOs be successful, particularly when it comes to how they are managing their data, how they're going down the path of AI and so much of being a CISO is exactly that. 
 

So as I think of these points, these are some of the things I talk to CISOs about on a regular basis, maybe in the last 30 days, I've probably connected. Uh, directly, mostly through one on ones with maybe about 50 or 60 different CISOs all across the globe. And so, I love doing this stuff. I love then sharing the learnings or hearing about their challenges and just brainstorming through it and helping them sort of unpack things. 
 

And really, like, my goal is, I want them to figure out the solution themselves. If I give it to them, that's not making them a better CISO, that's just making them a better question asker. I want to coach them so that they can figure it out themselves and, and become better and feel like they're getting, they should get all the credit for it themselves. 
 

[00:22:24] Michael Piacente: Yeah, you're, you're building a toolkit for him. And by the way, there, uh, your boss will hear this. There's no editing. I mean, Sean answered his door for crying out loud. So I took a break from the beginning, like, you know, florist or something.  
 

[00:22:39] Sean Martin: UPS delivery, a very important package. I want to connect this to point number three. 
 

Um, cause I think you now are making a bunch of new BFFs in your role. And guiding them on how to make a bunch of new BFFs in their role. And the reason I want to bring this up now is it, it strikes me a bit that yes, you want to have the collaboration and the communication and a common understanding. 
 

And one of the other points is on alignment. Um, do you actually need to be BFFs? Tell me a little bit more about that.

[00:23:16] Omar Khawaja: Yeah. You know, um, um, it's sort of, uh, here's my definition of a BFF. Uh, the definition of a BFF is someone that is going to be honest with you and someone that you can also confide in and feel safe sharing your sort of worries and concerns and weaknesses and vulnerabilities with.

And to me, in many ways, a relationship, particularly when you have it with other executives, if it's any less than that, it's really hard for it to be value, right? Sort of the casual, you know, Sean, if you and I have a casual relationship and I just tell you the things that I know you want to hear, we're always going to be smiley and happy together. 
 

And we're always going to laugh at each other's jokes and we're going to be cordial. And if someone asks you about me, you'll say, yeah, he's a really nice guy. And that's that. But to really get value out of a relationship, you know, I have to be willing to say, here's the things I suck at. These are the things that I'm struggling with. 
 

I can't really figure this out. Because until I show, I'm willing to show my vulnerabilities, I really can't truly have a growth mindset where I'm opening up and saying, Sean, here's now a bid, an opportunity for you to respond with, Omar, I might be able to help you with that. But if I'm not willing to tell you I've got weaknesses and I've got gaps, I don't feel safe doing that. 
 

Then how real is our relationship going to be? How collaborative are we truly going to be if we go into work pretending to be, Hey, I'm grown up executive, I've solved all these problems and I want to show up with confidence and anything that shows lack of confidence means that people are going to think I'm incompetent and I'm going to lose my power and my authority and I'll be out the door. 
 

Well, that's. That's not true. That's not how relationships are made. That's not how, you know, the most successful, uh, executives and enterprises, um, function.

[00:25:21] Sean Martin: And if you think about it, there's a second part to that point that I left out purposefully, which is perpetual curiosity. So kind of leading off of what you just described, what's the re, what's the reason there's a relationship?

If you're formally building one, it's to achieve better outcomes, right? So if you don't have that curiosity, you lack excitement in achieving greater things and you just kind of go through the motions. So I don't know if you want to expand on, on that point.

[00:25:52] Omar Khawaja: Yeah, I, I love that. It's, you know, this is actually advice I was just giving my daughter over the weekend and she is more introverted than, than not kind of like, uh, her dad had been most of his life. 
 

And I said, well, you have to cast away judgment. It's so easy for someone that's not willing to engage to look at others and cast judgment on them. That person doesn't know this. That person doesn't understand this. That person can't balance his budget. That person's own team doesn't like them. They don't know how to speak publicly. 
 

Their presentation sucks. They forgot to send a weekly update. You know, whatever it is. But so much of what's, what we are tempted to do and what's so easy to do is cast judgment on, on others. That doesn't help build relationship. That's an obstacle to actually creating and opening relationships. The antidote to that, Sean, is, is exactly what you said. 
 

It's sort of this relentless curiosity. One of my favorite quotes from last year was, um, a picture of a light switch and it said, curiosity and judgment can't coexist. So you have to pick. You can either be curious or you can be judgmental. There's just no way to do both as, um, as, as human beings. And once we're curious, we likely will, we'll spend time listening and hearing the other's point of view, right? 
 

So Sean, what makes you and Mike really good at interviewing other people is because you're genuinely curious. You're not coming with answers. You're not coming with judgment. You're coming in with, I genuinely want to learn and figure things out. And when you do that, you sort of endear yourself to others. 
 

Others are way more willing to be open, they're disarmed. You know, if you weren't good at your jobs, I probably wouldn't be sharing this openly, but I am because you are showing, uh, you are showing relentless curiosity. 
 

[00:27:50] Michael Piacente: Thank you for that. Uh, I'm a little judgy. Sean's not as judgy as I am. 
 

[00:27:55] Omar Khawaja: Well, that was very vulnerable of you to admit. 
 

[00:27:58] Michael Piacente: Oh, everyone will be, everyone will be judging me on that. 


[00:28:01] Sean Martin: I reserve my judgment for Michael. 
 

[00:28:04] Michael Piacente: Just, I love his. This is a great discussion. A couple points to make just for the CISOs out there who might be listening to this. One, this part of the role that Omar is talking about is not supposed to be all roses. 
 

It's probably not going to be very fun and it's completely out of your comfort zone. So that's perfectly okay, right? Going out and creating BFFs may be the first time you've ever flexed that muscle. So just know that, and everyone's learning how to do it at the same time. Um, but I will say that one of the superpowers that a CISO time and time again shows is their curiosity and their ability to ask the right question at the right time. 
 

Um, probably better than any other executive that I've seen in the organization, especially a technical executive. Um, and so the time that you should be curious, uh, maybe not wait, uh, until you're in the job, but actually start that at the interview process, right? Um, if you're worried about asking questions or offering examples during an interview, because you might, you know, lessen your chances, um, just really start thinking about some of the questions you want to ask about the business, being really curious. 
 

One of my favorite interview questions is, um, you know, talk about a relationship that you first had at a company where it was a disaster, or you felt like it was going to be a disaster. Um, but you made it into a strong, uh, workable relationship. Uh, what does that look like now? And how did you go ahead and do that? 
 

It has nothing to do with technology, has nothing to do with, it's just, it's just people communicating with people, um, from different walks of life, from different, um, you know, spaces in the, in the, in the world. And I think that's, uh, just for CISOs to understand, this is not going to be easy and to constantly work on that craft of, of asking the right questions, showing that you're curious. 
 

It's not that I just think that you're curious, but you actually have to execute on it. 


[00:29:52] Omar Khawaja: Awesome. Hey, can I share like a couple of very specific techniques? Cause I know I would be judging myself for saying all of these really nice things that of course, everyone already knows these are true. More best friends are going to be better, but how do you actually make them? 
 

So I'll share a couple of ways that almost always have, uh, have worked for me. Uh, one is, when you go to talk to someone, uh, is, is do what Mike says, which is be curious. So, I was sitting with the head of cardiology, and when you sit in a doctor's office, you see this more than in anybody else's office. 
 

Everything on the walls is about them. Unless it's an OBGYN or a pediatrician, you're probably not even going to see a picture of their own family in their office. No offense to any doctors that may be, uh, that may be listening. Um, and, um, but, uh, so it's all about them. And so you have to like have some situational awareness to know what's going to work. 
 

So if you're going to meet with someone that has a big ego, there's just a pretty good chance that they're going to have a big ego if they happen to be an executive working in an enterprise. One of the best things to do is just sit there and ask them a question. I had a one hour meeting with the head of cardiology. 
 

This person could be making ungodly amounts of money during that one hour that he chose to be with me versus going and doing a procedure in the, uh, OR. And so I'm thinking he booked an hour, which is a nice courtesy, but within 20, 30 minutes, he's going to fake a text or his assistant is going to walk in and say, you know, doctor needs to go. 
 

Omar, thank you. Uh, thank you for your time. Maybe we'll reschedule later, and later would never happen. I had a meeting with him for an entire hour, which I was absolutely shocked that he would give me that much time. I mean, you know how hard it is to get an appointment with a, with a specialist. Imagine getting a meeting with a specialist where that specialist is, physician is getting paid exactly $0. 
 

And it lasting an entire hour versus the three minutes you typically get with a, uh, with a, with a specialist doctor. All I did is I was curious about cardiology. I mean, we all have hearts. How often do you get to meet the head of cardiology? I was like, this is an amazing opportunity. I just talked about heart, cardiology, OR, working in hospitals, and he just kept talking and talking and talking because cardiologists love to talk about themselves. 
 

And at the 45 minute mark, something magical happened, and everyone has this. This is a really important point at which they say, Wait a minute, I've been talking a lot about myself. What about you? What do you do? I'm curious. How can we work together? But the key is to not talk an iota about yourself until you get that signal from the other person, and even at that point what you should say is, No, I really want to talk about you. 
 

Let them insist, and then at some point give in and say, well, since you really want me to talk about me and what I do in the security program, I'm happy to do it. So, like, that stamina to be inquisitive, and don't ask, uh, don't, uh, don't start talking until the other person says so. Rely on the fact that humans are reciprocal animals. 
 

That's how we're wired. At some point, that reciprocity is going to kick in. That's one. The other is, uh, find the person that is your biggest detractor, that will sit in meetings and you're thinking, I can't wait for this person to retire or go get another job. Find that person. We all have that. Hopefully one, maybe not more than one person that, uh, that exists. 
 

I had this, I was sitting in a meeting with chief medical officers and one of them literally started yelling at me in the middle of the meeting. And I had the opportunity, the other CMOs felt so embarrassed, they tried to get him to be quiet, and I said, no, let him keep going. And so this person's coming at me. 
 

I could explain to you all the reasons why he was wrong, but I didn't stop him. I let him keep going. And what you want to do with that person is, they're actually the easiest to turn into your biggest champion. I had an expert on my team in change management and he shared something with me which took me about two years to actually understand, because on its surface it does not feel like it should ever work, but I promise you it does. 
 

He said resistance is the paradox of commitment, and so if you want someone to commit to anything, give them lots and lots of opportunity to resist and to tell you that what you're doing is stupid, it's horrible, it's bad, and here's why it won't work. I don't know why this works, but I can promise you what is happening in people's mind. 
 

Every time they're telling you your idea is bad, they're literally moving up what the change experts call the commitment curve. That's actually what's happening. So giving people that safe space to say, tell me everything that's bad. And I am just going to get a piece of paper and I'm going to write down everything that that's bad, and I'm going to come back to you with a plan. 
 

You will find that it actually works wonders. But again, you have to do it sincerely. You have to do it genuinely. You want to be curious and willing to willing to listen to them. Um, and amazing things happen. They turn. I had the same CMO who I was trying to get aligned on our MDM policy so we could manage the doctor's phone. 
 

He said, we'll never do that. You're going to make us work too much. We don't trust you on and on. And then at the next meeting, I got to him, I said, let's just have a one on one, walk me through it. I clearly don't understand anything about what it means to be a physician leader. Can you explain it to me? 
 

Well, I spent three hours with him. All he talked about was his kids. And I said, that's fine. And we're supposed to prepare for the next meeting, which was with his subsequent physician leaders, where I was supposed to go in and present this motion for deploying MDM. And we never did. He said, it'll be okay. 
 

We'll just come to the meeting. So, I go to this meeting prepared with all my notes, freaking out that, you know, the person that yelled at me, now, he's the most senior person in the room, there's no one else to defend me, and we've got to get this motion passed. How is this going to happen? The meeting starts, he introduces me, he says, hey, this is Omar, and I get ready to start talking, and he says, hey, we've got this motion, Omar brought it to me, I think it's super important, you guys should all pass it. 
 

And I said, what? Like, aren't you the guy that just yelled at me like three weeks ago in front of everyone? And I felt embarrassed and ashamed and I thought I should just resign because I'm not cut out to be a CISO. And now, like you're my biggest champion? How did that happen? I've done that over and over again. 
 

One, one quick other tip on this is the way that people behave virtually is almost always going to be worse than the way that people behave in person, and the way people behave in person with multiple people is almost always going to be worse than how people behave in a one on one. So if you want to build a relationship with someone, tell them you're going to take them out for lunch and pay for it. 
 

Buying someone lunch, the $15 investment that you make in buying them lunch, is one of the best investments you can make in establishing a BFF friendship. 
 

[00:37:12] Sean Martin: You got me at food. I love lunch. 


[00:37:16] Michael Piacente: Where do you go for $15? I want to go there. 


[00:37:20] Omar Khawaja: Oh, I'm sorry. This is, this is like, I'm, I'm, I'm baiting myself. So my earlier years as CISO, that was possible seven, eight years ago before inflation kicked in. 
 

[00:37:28] Michael Piacente: I'm taking you to lunch, Omar. So. 
 

[00:37:32] Sean Martin: Nice one. We have, we have a few minutes left. Should we, um, is there any burning in your mind? Mike, do you want to, want to touch on? Uh,  
 

[00:37:42] Michael Piacente: no, there was one that was really interesting. I was wondering if you could clarify, you were talking about the CISOs should be hypersensitive to ownership. Using the right pronouns can solve more problems than you or we think, which I love that. 
 

I pretty much, without being in the room at that time that you presented it, I was curious if you had some clarification on that. 


[00:38:01] Omar Khawaja: Yeah, yeah. You know, I think, um, like the one thing we've sort of figured out, and we, we, we, we talk about this almost axiomatically, which definitely warms my heart compared to where we were as a, as a discipline even four or five years ago, is we all know that risk is owned by the business. 
 

So that's good. It's not my risk. It's not the CSO's risk. It is the business's risk. Um, uh, so that's sort of one example of not using our, not using mine, your risk, your business, your people, your technology. Same thing with the technology team. It's not my systems, my risk, my patching, my program. It is your technology, your assets, your systems. 
 

You have to patch them. These are your vulnerabilities. We are here to help them. We're here to help identify them. We're here to help you figure out how to overcome them. And we're here to help you be, uh, be very successful. So just getting sort of that right is, is important. And the way that we name our dashboards is really important. 
 

So if we call it the security dashboard, okay, Omar and Mike and Sean can take care of that because they're the ones with security in their title. But if I call it whatever the name of the platform is dashboard, and I write platform owner equals there, and I don't mention anyone on the security team, all of a sudden they're like, Oh, I'm I guess that's mine, right? 
 

And then, like, our job should be how do I make my colleagues look as amazing as possible? Of course, I'm not allowed to lie, I'm not allowed to do anything unethical, but how do I make them look good? How do I get their scores to be higher? What things can I, like, remove? Because I want them to look good. I don't really want any of the credit. 
 

If they look good, if they do a good job, eventually the reports that I show to the board and others will look good as well.  
 

[00:39:58] Michael Piacente: Yeah, I absolutely love this point. And just a final word on that is that in the reality of interviewing for a CISO role, CISOs need to understand that most business leaders are coming in with a pre-programmed bias that you were the representation of the Department of NO, N O, not K N O W. 
 

And it was because of this reason primarily, when we polled business executives as to what their concerns were, is because they, yeah, they always label things in a way that we don't understand. It's always about them and their programs. It's really about the business. And the, the use of mine versus yours, uh, has come up multiple times. 
 

And, um, and it, you know, we always try to instill that with associates. You really need to create awareness around your audience and the way that you're putting these things together. They're actually valuable, but they lose their, immediately lose their valuable, their value. Excuse me. When. 


Uh, when you don't label it correctly, it's just a simple thing. It's very subtle. Um, it's not an ego thing at all. It's just, it's kind of a lack of awareness. 


[00:40:56] Omar Khawaja: Yeah. And here's one thing just along those lines, Mike, that CISOs can do to very quickly establish themselves as I'm here as a partner versus I'm here as a detractor and getting in the way and being sort of that old school CISO of NO, is find an opportunity. 
 

Where there is a risk in the business, maybe it's a lack of owner, certain vulnerabilities, maybe they want to partner with someone, maybe there's, you know, no private link to the cloud, like whatever it is, find something, understand the business value of taking that, uh, that particular risk and where there's a pretty big gap between the risk is down here and the business value is up here. 
 

Go to the business owner and say, Hey, let me explain to you what some of these risks are. And ideally, go quantify them using something like FAIR or some, some other mechanism and say, and I understand from talking to your team, the business value is significantly greater. Now you're showing them an ROI equation and you say to them, this feels like a really good risk to accept. 
 

What do you think? But it's your decision to make. So now they're like, what? Wait, did you just tell me that this is a good risk and you should accept this? Yes, I did say that. This way, when I come to you and say this is a bad risk, I don't think you should accept it, but it's still your decision, they're likely gonna say, I can trust this Omar guy because he doesn't just say no. He says no when he's genuinely looking out for me. 


[00:42:30] Michael Piacente: Yep. That's great. This actually reminds me of a conversation I had with my teenagers. 


[00:42:37] Sean Martin: So funny how life, real life transfers into the business. Yes. I want to... One final thought, and I'm going to ask you, Michael, as well, second, um, a lot of what you described isn't, isn't building your own team, isn't building a security operations center, it isn't deploying technologies and controls throughout the organization. 
 

Building relationships, gaining alignment, having conversations. That one hour meeting with the head of cardiology, the one hour meeting with the, uh, with the, uh, CMO. How, I guess the question for you, Omar, is how do you... And I was just thinking, if I start in a new business as a new CEO in a company, I might have, might be given by the executive team some time to do that stuff. 
 

But if I'm in the role already, you still need that time. Why? Because new products are coming out. You're building new stuff. You're transforming stuff from on prem to the cloud or back. You're trying to adhere to a new regulation. So new people get involved, new problems need to get solved, new relationships need to get built. 
 

So how do you adequately allocate time to do those things and get a quote unquote approval, or at least an understanding from your, your peers, that this is why I'm, what I'm doing, why I'm taking that time to do it. And then how do you, how do you measure that time and communicate that that time was worthwhile. 
 

[00:44:16] Omar Khawaja: Yeah, I think, um, you know, one, one of, uh, uh, I had a mentor that would always say to me, when it comes to people, there's really a few things that you're trying to do: it's the right person in the right role, doing the best work of their career, becoming the best version of themselves. And so, that was something, that was my mantra all the time. 


When I was leading the program, when I was meeting with my team, meeting with my directors, managers, individual contributors, I probably spent 40 percent of my time with my own team. And most of it through one on ones or ask-the-CISO sessions. That was, I spent more time there than anywhere else. The second was business. 
 

Uh, spending time with internal business leaders and technology leaders. And so as I think about the right person in the right role, doing the best work of their careers, becoming the best version of themselves. I realized I could be thinking about threat models. I could be reviewing architecture diagrams and saying, No, do this. 
 

No, add encryption here. What about this? I could be reviewing vulnerability reports. And there are many CISOs that do that. And they're probably way smarter than me because I realized I wasn't really good at that. I could do that if I needed to. But more importantly, I realized that there's lots of people that could do that on my team. 
 

And so I said, what is my role, right? So if you think about a soccer team, there's someone that's a goalie, there's someone that's in, playing defense, offense, midfield, but there's only one goalie and there's only one coach. And so if my job is to be the coach, what are the things that only I can do? I may think 


that I could be a great defender and I could take free kicks and I could take penalty kicks and I could do headers. And maybe I did that way back when, when I was playing and I could run super fast, but I haven't really looked in the mirror and taken stock and realized that I'm overweight and I'm slow. 
 

All of those things, and I'm not the right person in here. So I could go in and out of respect, everyone will let me do it because I'm the boss and I tell them that this is what I'm going to do. But someone looking from the outside in would be like, what a dumb coach. Like, what is he doing? Why does he need to just go find the fastest, smartest, sharpest, you know, best sort of reflexes people that can go be players for each of those roles. 
 

And go freaking be a coach. So I should pick the talent. I should define the plays. I should figure out the program. I should find how the team can compete. I should go find the right physical therapist to help the team heal. But I shouldn't be those people. I should be the coach helping the team succeed every single day. 
 

I need to make sure that there's funding and I need to make sure they've got the right jerseys and I need to make sure someone's arranging the travel. I need to do all of those. And what I realized is I sort of switched the way that I would do things. So I started as a newer leader by saying, what are the things that someone else can do? 
 

Let me get someone else to someone else to do them. But invariably what would happen is I would say, but I know how to do that. I've been technical before. I know what a firewall is. I know what this is. And I would do those things. But what would happen is I was spending so much time on the field. I wasn't actually being the coach. 
 

I wasn't actually doing the stuff that only the CSO could do. Those things were being neglected. The alignment, the business, the risk, the relationships, the right sort of metrics and outcomes, the board content. None of those was I really excelling at. And so one day I said, well, what if I do the exact opposite? 
 

What if I say by default, every single thing that comes to me, I'm going to give to someone on my team. I'm not going to accept anything. Everything is going to go to someone on my team. And if I can't find anyone on my team to do it, then there's a good chance it might be my job. So I couldn't find anyone else to do the board deck. 


I couldn't find anyone else to build a relationship with a cardiologist because I looked at my team. No one had that role. And I'm like, I guess that's my job. I'm going to let my team do their job. A nice outcome of this: the team was excited because Omar stopped micromanaging them. I let them do the best work of their careers. 
 

I went and focused on my stuff. I would meet with vendors. I realized why am I meeting with technology vendors? I'm not the one that's going to do the evaluation. I'm not steeped in DLP and next gen firewalls and CSPM, and I'm barely keeping up with, you know, the latest acronym that the industry organization comes up with. 
 

What am I doing? I got to stop kidding myself. I'm too old to be wearing cleats and running around, like, pretending I'm like 19 years old. That's not me. And so as I stopped doing that, I all of a sudden made space for doing the things that were super important, and I made them recurring meetings. And I set targets for myself that I want to have 20 meetings with at least VP and higher business leaders in the next quarter. 


And so on. And then I basically forced myself to make space and I ran out of space to do the things that I realized weren't really my job. I was trying to be the architect and the engineer and the manager and director. That's why I have architects and engineers and managers and directors. I'm the freaking CISO. 
 

I should just be doing CISO work.  
 

[00:49:22] Sean Martin: Look at that. Look at that. Amen. Amen. Absolutely. And Michael, final word, I wanted to give you a space to say how, how CISOs can present themselves with this in mind when they're  
 

[00:49:36] Michael Piacente: Yeah, actually, I mean, I'll, I'll turn it a little bit differently. I mean, I, um, um Yeah, this is why we interview the executives in a company before we do a search, right? 
 

To Omar's point, right? Like there's always that one person that wants to take the ownership of it, but it's a very limited view. Um, and so the CISO walks in, uh, hearing that view and then needs to think they need to change their game plan for the rest of the process, the interview process, or even when they're in the job. 


Um, and that's not the case, uh, to Omar's point. It's go out and meet with everyone, meet with those 20 VPs, and hear what their, their pains are. You're actually going to be so much more of an effective leader, um, by taking many people's view for it, um, versus just one. It's the, it's the reason why we, you know, I, I read like probably five or six books at a time. 
 

I don't know. I'm always schizophrenic, you know, like running around, trying to, trying to soak up as much material as I can, uh, all at once. Uh, and, um, and so I think it's, um, I think it's important for us to realize that, that it's, um, yes, find your BFFs, um, focus in on some of the, the, the key attributes that make you, you, uh, and find your superpower, all that, but also just meet with and, uh, and force yourself, uh, to Omar's point, to, to really up level, um, your, your interactions, uh, and pull yourself out of the weeds. 
 

I think that's probably the hardest thing for many CISOs, especially the ones with technical backgrounds. It's a comfort level, right? It's not, it's not, this isn't supposed to be fun. That's what I always tell people when they're looking for a job. Um, this is the first time in history that CISOs have really, en masse, 


looked for a role. Somewhere between 30 and 40 percent are actively or proactively looking. It's, wow, unheard of, unheard of. Um, but I always tell them, like, guys, just take a break. You're actually not supposed to be good at this. Right? I am, you know, people will argue with it or not, but I'm supposed to be good at this. 


Like you're not supposed to be good at this. Your superpower lies somewhere else. So. Just take a step back, realize who you want to be and, uh, and, and go, and go towards that goal. Um, but it's going to take some time. It's going to take a lot of mistakes and that's why we're all human. So, uh, and I think it's great. 
 

These are amazing points that Omar is bringing up. So, so relevant to today's market.  
 

[00:51:45] Sean Martin: Absolutely. And, and thank you, Omar, for many things. One, pulling, pulling that group of 74, somebody probably helped you pull the group of 75, but you, you engage with them. You've surfaced these learnings. Thank you for sharing them on LinkedIn. 
 

Thank you for giving us examples and, uh, and your insights, uh, from all your experience and what you uncovered with them. And I think for me, it all, all boils back down to community, right? Uh, you do a lot to give back. Doesn't mean anybody else should wait for you to connect with them. They should do the same. 
 

Find, find your peers that are close to you, industry, geography, whatever it is. There's learning to be had from each other. And, uh. I thank you, Omar, for having this conversation with us to help us learn some more. Michael, great, great doing this series with you, my friend. We'll do, do another one in roughly a month and, uh, have another good chat about something, uh, something CISO fun on the CISO. 
 

[00:52:50] Michael Piacente: Happy holidays to you both. 


[00:52:53] Omar Khawaja: Yes. Happy holidays, guys. Thanks for doing this. This was, this was really good. Thanks for, uh, the podcast and the series. You guys do real service to the community. 
 

[00:53:00] Sean Martin: I appreciate it. Thanks, Omar. And of course, if you're listening or watching, please, uh, subscribe, share with your friends and enemies and enemies. 
 

And, uh, we'll, we'll like, I'll see you on the next one. Thanks again, everybody.