This episode of Redefining CyberSecurity Podcast with Sean Martin features Nicole Darden Ford and Aric Perminter to discuss the role of a Chief Information Security Officer (CISO). The conversation highlights the importance of understanding what is being protected, communicating risk in a financial context, and caring for one's team, as well as sharing stories of successful initiatives they have undertaken as CISOs.
Nicole Darden Ford is Vice President, Global Information Security and Chief Information Security Officer at Rockwell Automation [@ROKAutomation]
On LinkedIn | https://www.linkedin.com/in/nicole-darden-ford/
On Twitter | https://twitter.com/Nicoledgray
Aric K. Perminter, Founder & Chairman of Lynx Technology Partners [@LynxPartners] and Board Member at International Consortium of Minority Cybersecurity Professionals (ICMCP) / Cyversity [@OneCyversity]
On LinkedIn | https://www.linkedin.com/in/aricperminter/
On Twitter | https://twitter.com/aricperminter
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Edgescan | https://itspm.ag/itspegweb
In this podcast episode, Sean Martin, the host of the Redefining CyberSecurity Podcast, speaks with Nicole Darden Ford, the Vice President, Global Information Security, and Chief Information Security Officer at Rockwell Automation, and Aric Perminter, Founder & Chairman of Lynx Technology Partners, about the role of a Chief Information Security Officer (CISO) ranging from business defense to national security.
The trio discusses the importance of understanding what is being protected and why it is important in industries such as healthcare, retail, banking, and critical infrastructure. They also talk about the need for cybersecurity professionals to be like cyber first responders and the importance of communicating risk in a financial context. Additionally, the conversation delves into the pressures and hardships that come with being a CISO and how those that take on the role can maintain a positive attitude and feel good about the work they do. Both Nicole and Aric emphasize the importance of caring for one's team, being personable, and having the passion and courage to do what is necessary to protect an organization's data and infrastructure. They also share stories of successful initiatives they have undertaken as CISOs, such as uplifting the competency and training program for a cybersecurity team and enabling a team to work from home during the COVID-19 pandemic.
Overall, the conversation sheds light on the complex and challenging role of a CISO and the importance of effective cybersecurity leadership for the benefit of the team, the program, and the organization.
Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
Voiceover, Aric Perminter, Sean Martin, Nicole Darden Ford
Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining Security podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power. Now, more than ever.
Imperva is the cybersecurity leader whose mission is to protect data and all paths to it with a suite of integrated application and data security solutions. Learn email@example.com
Edgescan offers continuous vulnerability intelligence as a service, accurately identifying vulnerabilities and exposures across the full stack. All threats are verified by cybersecurity experts providing exploitable risk and remediation guidance. Virtually false positive free. Learn more at edgescan.com.
Everybody, you're very welcome to a new Redefining CyberSecurity episode here on ITSPmagazine Podcast Network. And I'm thrilled to have two guests with me today. We're going to talk about what it's going to be like being a cybersecurity executive: what inspires us, what excites us, what do we need to do to be successful in that role? Very small topic, indeed. Right? A lot. Not much to cover there. And I'm joking, of course. Nicole Ford, Aric Perminter, thank you for joining us on the show today.
Nicole Darden Ford 02:09
It's a pleasure to be here.
And thank you for having me, Sean.
This is good. It was good. And Aric, you and I were catching up earlier, before the show started. There are a lot of topics to cover in this arena. I think one of the more challenging is the role of the CISO. And I've told many of my guests who are CISOs that have been on the show that I'm in awe of them. And I'll say that to the two of you as well for the work that you do. I don't know that I can handle the pressure of the CISO. There's a lot going on there. Not just technically but operationally, of course, and then you have the human element thrown in the mix. So let's get into what it means to be successful as a cybersecurity executive. Before we do that, let's hear about each of you and your role in this crazy world that we live in of cybersecurity. Nicole, I'm gonna start with you.
Nicole Darden Ford 03:09
All right. So it's a pleasure to be here. Certainly talking about something that's top of mind and it is definitely a passion for me. I'm Nicole Darden Ford, I am the Chief Information Security Officer for Rockwell Automation. We're an industrial automation company. We've been around for a very long time. And there's so many exciting things happening in our space. So just super excited to be here to talk about the evolving role of CISOs.
Sean, thanks again for having me. It's an honor to be here with you and Nicole. I am Aric Perminter. I'm the founder and chairman with Lynx Technology Partners. We're an information security and risk management consulting firm. Really excited to talk about what it takes to be a cybersecurity executive today, and I'm sure we're gonna get into some pretty hot topics.
Yes, we are let let's start and I don't want to ask either of you to share anything that that makes you uncomfortable or puts your your firm's at risk. But I do Nicole have to maybe ask you I mean, we often certainly in the business world, banks, healthcare, retail, when you talk to security leaders, we often look at the spaces or the role is how do we enable those businesses to succeed securely? And retail there's obviously there's finances involved. Banking, there's finances of all you moving into health care, health care, we start to talk about human life and connecting cybersecurity to health care operations. in protecting life, making that connection can sometimes be hard. But when we talk about defense and national security and International Security What, what's it take to kind of map those two worlds or merge those two worlds together? We're, we're heavy, heavy into ransomware. And, and other threats that face our business. But on the other hand, we have also other physical threats that we're trying to help others deal with. So maybe it's a big, big ask, but share share with you.
Nicole Darden Ford 05:38
Yeah, I think it's a very interesting space. Because, you know, I've been in part of different organizations, right, in different industries. So you know, life, life, health, safety, right. And we think about just revenue impact, and then we think about, you know, the societal impact of of a cyber disruption and specifically ransomware, and what it can do, and I think it really takes understanding what you're protecting, and why I think that that's important. Whether you're protecting a business or organization, or you're protecting critical infrastructure, or you're protecting, you know, national security, all of those things, I think there's a critical component, and that is the human element element is always involved. So it's, it's really understanding that and then really taking a look at security program to support those efforts, right. And it's visits is vastly different. But I think, overall, we should be thinking about cybersecurity professionals being really first responders. We're here to defend and protect our organizations, which ultimately, many of our organizations support our society, and overall support our nation. We're a global national organizations, many of us and so it's all of those things, to me are part and parcel of what we think about every day. And what's so important today is that, when you look at like the net, and what the Biden administration has come out with, regarding how do we protect our organizations, or you think about the now we're talking about the 20, the 2023 strategy, document that just came out by the administration, and what they're asking us as private organizations, as well as the public to do to protect our society and in the ideals that we hold dear to us. So I think really looking at cyber as being front and center in so many areas, right. And the visibility that we're getting, I think, is unprecedented. 
And just it's an important time in history for us to really understand that the daily steps that we take in protecting our organizations really extend to how we protect the world, and just the global impact that we have. And I think that if we think about it in that respect, it's really everyday being on the frontlines making sure that we have the right programs, we're making the right investments. We're communicating what risk looks like holistically to all organizations, and we're sounding the alarm when things aren't right. Right. I think that it takes it takes a lot to be successful to me as a CSO. And one of the key elements is having courage, having courage to do the right thing, even when it's not popular. It's it's sounding the alarm and speaking, you know, business language to tell people when things aren't right. It's it's sticking up for and standing up for doing the right things, even when the impact means that we're not going to make as much revenue or, you know, it means that we've got to take investments from other areas to get it done. And then it's grace and how we do that, right. It's making sure that we do it in a way that is respectful of other parts of the organization that we got to take from to get right and making that case appropriately. And really taking the responsibility of having that seat at the table and what it means to make the right choices, decisions and enabling our executive leadership teams to make the right choices and decisions when things are on the line.
And courage, courage and grace, two words that I love that you said there, and Aric, I want to get your thoughts on those two words from your perspective in this space.
Yeah, I couldn't agree more. In fact I envy CISOs like Nicole, in the courage that they have to just get up every day and fight this fight. Oftentimes, a lot of the programs are underfunded, when you look at what they're actually up against, right, some some really large nation state actors that are trying to go after the goods. And oftentimes, in addition to just protecting them the day to day, they have to worry about two or three of those coming after them a day. So I commend the CISOs and the courage that they they bring with them every single day. When I think about grace, and I love, you're using that that term, Nicole, because I put Grace right next to the word of governance, because, you know, organizations are going to have have to gracefully mature their governance risk and compliance programs to be in a position to effectively manage the risk that their organization is managing on their behalf. And Nicole hit the nail on the head, right, having this front and center, across all ecosystems is certainly key. And then being able to ensure that key stakeholders and the proper organizations are prepared for the risks that's coming their way. Is, is probably where, where I place grace, as it relates to governance.
Go ahead, Nicole.
Nicole Darden Ford 11:52
I was gonna say that we're all risk managers. I think it's important to state that, right, when we're talking about, you know, our mandate is to enable resilience across the ecosystem. And we do that by being effective risk managers, communicating risk to the organization in the most effective way. And using, you know, common lexicon that I think is important, so that everybody understands, you know, what is the impact of making a specific decision? Right, and what happens? How do we drive risk down, right, which I think is really a financial discussion, right? Many organizations can speak, they understand finance, they understand risk relative to finance. So when CISOs are able to communicate, articulate risk in that lens, I think we're able to really help the organization understand what it really means.
So we could easily spend the entire time talking about the pressures and hardships and all the pain that comes with the role. But I want to get into how does the CISO feel good about what they're doing? What actions can one take to say, I've made a difference? The work that I just did, whether it's a project that took me two hours or a program that took two years? How do you feel good about what you're doing so that you do wake up in the morning and say, I'm excited to go to work, I'm excited to tackle that next problem. Two or three things may come up that I don't even know are gonna come my way today. But I'm ready for it. And who wants to tackle that first?
I'll get started on that one, Nicole, if you don't mind. When I talk to a bunch of CISOs, I often ask that question as well, Sean, it's like, how do you do it? And how do you know you're having a good day? A lot of times they say it's starting the day with a caring heart, right? Because you have to care about your team. You have to care about the mission and protecting the organization. And if you can wake up every day knowing that you're caring, you're already winning. The other part is, and I heard this again just last week when I was talking with a CISO: don't ask your team to do something that you wouldn't do yourself or you haven't done yourself, right. Oftentimes, your team is looking for leaders. And if you're able to say I've been there and I've done it, no better leader than that. And then lastly, and this is circled in everything, just being personable. I cannot tell you how many times the final decision for someone to join a CISO's team was just them being personable. So I'd love to hear your thoughts as well, Nicole.
Nicole Darden Ford 15:01
listen, I think every day you have to, you have to invoke your superpower. Right? Like we are, you know, when we think, again, the work that we do is like frontline work. And so I often times say I have to bring my cape in the room every day, right? Because it's a part of who I am. The passion, you have to have the passion for the work. And you have to love helping people, right? It's a thankless job, at times, people aren't always going to come back and say, Nicole, look at the difference that you've made. But you got to know deep down, that the work that you do is felt by all and and that we're, you know, we're serving in a different capacity, I served in the military. So, you know, defending the homeland is just a part of who I am. And I feel like I do the same thing being a CISO, that it's that important. And that, if not me, who. So when I think about like my ability to make a difference, it's in, you know, having a really good optimistic attitude, every day about the work that I'm doing, is bringing the right passion and energy to the job. It's helping people, it's using the leadership skills that I've learned throughout my career and bringing that to bear to help drive change, when change is necessary in the role. And it's really embracing change, because every day is different. And I expect that there's always going to be something that's going to shift my focus every day and look forward to bringing the right amount of energy and experience and leadership to the table to make sure that I'm showing up every day is my best self.
So I'm gonna get back to you, I'm gonna take that word passion that Nicole used to get your thoughts on this, because then maybe now's a good time to maybe get some examples. That can be anonymous, of course, but examples of where success has been seen. And I'm gonna pull on the word passion for either one directly as a CISO. And Aric, this is why I'm coming back to you, you said, don't ask your team to do something you haven't done or wouldn't do. Right. So in a sense, you have to drive passion into them as a leader as well. So I don't know if you have any examples you can share where CISOs you've worked with or spoken with said, you know, I've been able to do X, Y, and Z because of one, two, and three.
Yeah, I have a great example. I worked with a CISO, or not I, our team had worked with the CISO at a major financial services company. And they were very passionate about updating the competency and training program for their cybersecurity team. And so we worked with them to align their job categories with the NICE framework. And when I tell you the CISO was passionate about it, they're in the room with us reading through the different job categories, making sure, right, that no, that doesn't work, right, that needs to match up, and had their HR partner in the room with us and everything. We went through and did the assessments that would be rolling out to his team members and the like. Long story short, rolled out a program with that financial services organization in order to uplift the compensation and create career paths for his entire security team. That to me is where you have passion aligned to team commitment. And someone who's really had their head, heart and mind into doing whatever they possibly could to create the best environment for their team. I love hearing, and I got a number of those stories. It's stories like that that really make my day and, quite frankly, make it a joy to work with some of these courageous CISOs, for sure.
Nicole, what about you, and any direct experience or examples that you can share? Maybe as a leader, or I don't know if you worked with the CISO prior to your current role as a CISO?
Nicole Darden Ford 19:42
Sure, no. I mean, I see passion every day. I can tell you a story that kind of comes to mind is one where I was getting off of a plane, and I tell this story, I love it. I was getting off of a plane. And I heard about this thing called COVID. Hadn't heard anything, because that was overseas. And I was told, hey, we've got to help people work from home, because we're going to send people home. And so you can imagine how many things are going through my mind, right? And like, what is this COVID? You know, why are we sending people home? What is that gonna mean? Right? And it was at another organization, and we were getting ready to spin, meaning we were going to divest and go public, all this is happening, like right before, right? And you can kind of imagine what was going through my head and how I was feeling. And I just remember saying, okay, we've got to help these people go home, and work from home, how are we going to do that? And so all of the leadership skills, all of the things that I've learned along the way really kind of came together. And like, in nine days, we basically shut down our operations, right? If you know what I mean, shut down, we sent people home. And we enabled them to work from home, right before the shutdown. And that was huge. So when I think about it, that's why I use the word courage, right? Because it takes courage to not understand how that's gonna personally impact me, right, but go to work to make sure that other people are taken care of and we've enabled an organization to continue to move forward in their operations, right. And so I remember all of the people that came together to make that happen, you can imagine how many people had to come together, think through the problem statement and solve for that. And they were selfless.
And I think about the, the IT teams in the in the HR teams, and all the people that came together to do that, and I was so appreciative of being a part of such an amazing team that could actually get that done and work together in a time of just challenging, unknown understanding of what was going to occur.
Yeah, see, it's the ambiguity and the unknown that often fills the mind with the negative thoughts of, I don't know how this is gonna happen. Or worse, there's no way this is gonna happen. And I don't know if either of you have examples of where a low point like that comes along, and you have to find that courage and the strength to work through that ambiguity, right? And say, maybe I can't do it myself, I'm gonna look to my peers. I'm gonna look to my team. How do you overcome some of those lows? Let's stick with you, Nicole, and Aric, you can jump in.
Nicole Darden Ford 22:59
Well, I think that that's just the role of a CISO. And we talk about a CISO's role, right? We operate daily in ambiguity, right, we're these change agents that are constantly shifting and redirecting, and I think what it takes is, it takes that courage, it takes leadership, it takes, you know, this optimism that, you know what, I'm going to jump into this, and I don't know how it's going to turn out. But I'm going to lead my team through this time of change. And however it comes out, I'll know that I did everything that I could, and I did my best. And at the end of the day, being able to say that, knowing that what you're contributing will continue to keep your org, other orgs, right, a country, a nation to keep going is like, it's phenomenal. So, you know, I often think about the CISO role and how it's evolving, and how we're getting that seat at the table. And how we're actually, think about this, we're the first, really, we're the first set of CISOs that are setting the groundwork for what it will mean to be a CISO 30, 40, 50 years from now. And that is, it's a special time, and for me, I often reflect on that and say, you know, wow, this is what it means to be the first and to kind of be groundbreaking, because what we do will set the path for generations to come. And that to me is pretty special. So when I think about resilience and what it takes to really do that, you know, performing this role and to really be selfless, right. These are the things that I think really embody some of the best people that I know who are CISOs today.
Well said, Nicole, I want to borrow every word that you just said. And I'll piggyback off of it just a little by adding that, you know, I think me serving in the military, or being a servant leader, helps me realize that I'm not expected to win every single day. All right, and as long as I keep that in mind, and I stay focused on the small wins, I know that I can share those wins with some members of my team. And I think that's what drives me. Winning together as a team enables me to just stay hungry, and drive through those low times. And then I think also, at the end of the day, you learn through every last one of those experiences, every last one of them. So I look forward to the learning versus the crashing and burning, if you will.
Hopefully less crashing and burning, more learning. I want to kind of, to this point, you can't, and I don't know that we'd survive, if we had to experience every learning directly, right. Hopefully we can learn from others' experiences as well. It's part of why I do this show, to help tell stories that inspire and excite. Aric, we've connected previously through ICMCP, which is now Cyversity, and Nicole, I'm sure you're part of a number of groups. How does the community work in support of being a successful security leader? Just if you have to inspire a team, how do you come together and help with learnings and help drive the team and the programs on? Aric, maybe you start with that.
Sharing is caring. Sharing is caring. Alright, that really is the heart of it for me. If I can enable my ecosystem for the folks that are within my circle of influence, then the ecosystem has served the right purpose, right, for me, it has served the right purpose. Think that's where I'll stop. Nicole, I'll let you chime in on that one at the end of the day, because that went short and simple. For me, it's really about just connecting everyone to the ecosystem. But please, Nicole.
Nicole Darden Ford 27:55
I will tell you that this is one of the best communities ever. Right? I have reached out to CISOs to learn what it meant to be a CISO, how to be a CISO, what to do, like, what's that first 90 days look like. And some of the best CISOs have weighed in and really supported me through that effort. Remember, this is like uncharted territory. So you have to think about, there weren't classes to say, hey, here's how you do your job. There wasn't even a degree. Back when I first started, cyber was like IT. And that's what we knew to do. Right? So remember, I said we're writing the story today, the things that we're doing today will really impact that next generation. So it's making sure that forums like Cyversity are available, right, and that people are constantly sharing information, it's CISOs sharing with other CISOs or helping to cross train teams, right. It's now encouraging people to get degrees in cybersecurity, because now they exist, and making these ecosystems available for everyone, right? It's embracing diversity. And that's, I mean, when you think about it, how do you do that? Like, I have a neurodiverse team, we have one within Rockwell. And that is super cool. Think about it. Because we're thinking about how do we solve the talent problem differently. So it's recognizing that as a CISO, we have to give back to the community in different ways, whether it's through webinars, whether it's teaching, it's reaching out and mentoring others. Those are the things that are going to make the community better, and so I have a passion for making sure that I see more underrepresented people in the community and making that happen in so many different ways. That's really using my platform to kind of amplify and support the messaging around how to give back and really help people by giving them a hand up.
Yeah, I would say, and Sean, I would only add that, Nicole, you hit upon one of the main points in what I think is one of the most valuable aspects of the ecosystem. And that is CISOs allocating their time to mentor and coach others. The amount of time that they spend doing that is so understated, especially with their schedules being what they are, you almost want to just give a daily hand clap for every one of them and just thank them for spending the minutes that you do, to be able to educate and mentor the others who are trying to get in the field and/or mature their career. So I'll thank you on behalf of all of the CISOs, Nicole, for spending time mentoring others.
Nicole Darden Ford 31:00
And you know what, and I'll thank the community because they mentored me, and they helped me grow in my career so that I can help others. What else?
I have 1000 questions still in my head. But we're running out of time here. So rather than head down a path that I won't recover from in time to wrap this up on time, I'll just leave you both with a final question. You may have already started to go that direction in your previous response. But what inspires you or excites you to keep going? Aric, I'll start with you.
The constant opportunity to solve problems that will ultimately improve the lives of others by making the world more secure.
Nicole, final word to you.
Nicole Darden Ford 32:07
Oh, gosh, this is so hard, right? There's so many things that excite me about the industry. I would certainly say that I love seeing the visibility of cyber, and the intersection of business and cyber over time, right? I've seen where cyber is now truly enabling the business. And we're innovating in so many ways, I've seen so many advancements, right, we're solving problems, real problems that are impacting organizations. And, you know, really this public private intersection has been super exciting to see. And it's really amplified the cyber message, right, and amplified the role of the CISO, who now has at least a seat at the table. Now, I think that we need to still continue to see that evolve over time. But we're really being seen as a strategic asset and strategic leader. And those are the things that excite me as I continue to see the role evolve. And we continue to really train that next generation of leaders. I'm just super excited about the future. Of course, you know, we still see that there are nation states and threat actors that are impacting organizations and causing disruption. But I'm really optimistic about the future of the cybersecurity community and what we can do collectively.
Fantastic, and I'll put myself on the spot as well. I won't I won't let the two of you take the heat and not and not to answer the question too. Because I I have to say that what inspires me and excites me is meeting amazing people like the two of you. And sometimes it happens through PR firms. And sometimes it happens through friends this time. It's a combination of the two. Sometimes it takes a long time to pull these conversations together. But eventually we do meet and that excites me having the option or option the opportunity to meet people like you and to have these conversations to help others learn and grow in their role as a cybersecurity professional at whatever level. So thank you both for joining me for this conversation.
Thank you, Sean. And thank you, Nicole. It was a pleasure.
Nicole Darden Ford 34:39
Appreciate it. Absolutely. And for those listening, profiles for Nicole and Aric will be in the show notes, of course, and you can connect with them there. And any links that they want to share? I'll take the liberty of putting in a link to the folks at Cyversity, giving them a little plug. Join that group, participate in that group if you can, and anything else that Aric or Nicole wants to share to help you succeed as a cybersecurity leader. So Nicole, Aric, thanks so much. Thanks everybody for listening.
Thank you Take care everyone.