Redefining CyberSecurity

Effective Communication Strategies between Salespeople and CISOs | CISO Circuit Series: Episode 3 with Don Boian | Michael Piacente and Sean Martin on the Redefining CyberSecurity Podcast

Episode Summary

Explore strategies for effective communication between cybersecurity salespeople and CISOs in this episode of the Redefining Cybersecurity Podcast. Sean, Michael, and special guest Don Boian, discuss the importance of trust, understanding corporate structures, the expanded role of CISOs, and the language that resonates with these decision-makers.

Episode Notes

About the CISO Circuit Series

Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

____________________________

Guests: 

Michael Piacente, Managing Partner and Cofounder of Hitch Partners

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente

Don Boian, Chief Information Security Officer of Hound Labs

On LinkedIn | https://www.linkedin.com/in/don-boian-05820714/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, co-hosts Sean Martin and Michael Piacente talk with Don Boian to discuss effective communication between salespeople and CISOs. The main focus is on building trust and understanding in an environment that often sees these roles at odds.

Boian highlights the importance of understanding the corporate structure and knowing who to approach. He suggests that salespeople target not only the CISO but elements of their team, citing examples where security engineers are equally valuable contacts.

Boian stresses that the key to successful communication is trust, built over time and through demonstrated value. He encourages cybersecurity salespeople to become an integral part of the cybersecurity community and invest in long-term relationships with CISOs.

Piacente adds that the CISO’s role has greatly expanded in recent years, requiring them to be business leaders in addition to technical experts. He notes that board members are often pleasantly surprised at a CISO's business acumen.

The conversation also explores the importance of salespeople using a language that resonates with CISOs and clearly articulating their product’s value propositions.

Key Insights:

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Hello everybody. You are very welcome to a new episode of Redefining Cybersecurity here on the ITSP Magazine Podcast Network. More specifically, the CISO Circuit series that I have the pleasure of, uh, co-hosting with my good friend, um, Michael Piacente. Michael, it's good to see you. You too. How you doing, Sean? 
 

Happy New Year. Uh, yes. Happy New Year. We get, we got a couple out before, uh, before the end of the year last year. And, uh, we're kicking, kicking twenty-four off with, uh, with a bang today. And, uh, we have two good topics we're gonna talk about, uh, with, with a special guest who's done, done quite a bit. To, uh, help the, the community understand, uh, what's going on with security, how to talk about it with each other, and, uh, up and down the, uh, the executive stack, if you will. 
 

So those are, those are the kind of topics we're gonna be digging into today. And, uh, for everybody knows this show's all about, uh, communicating and operating [00:01:00] security in support of a business that. Hopefully drives revenue as we protect it, but also does well for the community and society as a whole. So, um, hopefully we get to some of those points today. 
 

Michael, um, a few words to remind everybody who you are, and then, uh, I'll, I'll leave the pleasure of introducing Don. People see Don there, uh, but people listening don't know that Don's on yet, so why don't, why don't you share a few words about what you're up to, Michael, and then, uh, do the honors please. 
 

Michael Piacente: Yeah, sure. Um, Michael Piacente, managing partner and founder of, uh, Co-Founder of Hitch Partners. We're an executive, uh, kind of a curated executive search firm focused in the cybersecurity leadership space, primarily CISOs and BISOs and deputies, um, where most people know us from. And, um, yeah. What do we have going?
 

It's an interesting year. We'll get into, we can always get into the market stuff, but, uh, on, on the initiative side, we have our. Uh, our fun, uh, national U.S. Compensation and [00:02:00] Trends report coming out in about a month, I think late February. Um, so we're excited about that, uh, seeing what, uh, what trends, uh, persisted with new trends exist.
 

So, um, it's a fun time of the year for us. A little bit of a crazy time actually, as well as many people went away for the holidays, uh, doing a little bit of soul-searching on their career objectives, uh, companies as well. Um, you have the SEC, uh, final rule went into place on December 18th, so it's been a little bit of a perfect storm for us the last couple weeks, but, uh, it's great to be here.
 

This is actually, uh, definitely the best part of my day, uh, to come and speak with you fine gentlemen. So, um, yeah, without, uh, further ado, let me introduce, uh, Don Boian. Um, and I'll go through how I know Don as well, but just a little bit about his background. So Don's a highly accomplished IT and security technology leader.
 

Um, award-winning as well. He, um, he runs, uh, uh, information security, compliance and risk for a biotech startup called, uh, Hound Labs. It's been there a few years and built it from scratch. [00:03:00] Um. Prior to that, uh, he built out, um, uh, actually multiple functions, uh, and a highly diverse team at Huntington Bank.
 

Uh, for those who don't know Huntington Bank, it's, uh, based in Columbus, Ohio. It's, I think almost 200 billion in, in assets, and I think it's the 17th largest bank in the US if I'm not, uh, mistaken on those. Don, you can, uh, you can correct me if I'm not. Uh, but he implemented, um, a number of security programs, uh, really designed to protect that enterprise. 
 

Um. From communications and systems and assets. So, um, but interestingly enough, uh, even though Don has now been with a startup, uh, has built that out, has built out a large financial institution, he also spent 30 years at the NSA. Um, actually retired as a defense intelligence, uh, senior executive, uh, working both offensive and, and, uh, defensive cyber ops. 
 

Um, he had done a lot of things there, which I'll let him get into all things I can't tell you 'cause he'll kill me. But, um, uh, he was also a, a cyber, um, consultant for the [00:04:00] U.S. Department of Energy for six years. Uh, Don's been super active in the community. Uh, he serves on the board for the NTSC, which Don graciously introduced me to, and the, and the great team over there.
 

Um, if you don't know NTSC, definitely check them out. Very fascinating organization. Uh, he does a lot of, uh, uh, non-for-profit and advisory boards. Uh. And has a whole list of awards, um, which are incredibly impressive. I most of all. Um, oh, and, uh, we'll say that, uh, Don's also kind of a double EE, uh, MS from, uh, Johns Hopkins and, uh, Bachelor's of EE from OSU.
 

So go, go, uh, blue Jays, go, uh, Hawkeyes. Um, and, um, I, I met Don in, uh, Columbus, Ohio. Uh. Like probably eight or nine years ago. Um, which by the way, for random facts, uh, is also the birthplace of Hitch Partners, the Marriott in downtown Columbus, Ohio. But we, we were co-hosting, uh, one of our, uh, CISO sanctuary [00:05:00] dinners with a local VC there in Columbus, and Don was part of that roundtable. 
 

Since then, we have, uh, we've remained, uh, in touch and just, um, he has an extraordinary story. Um, but he is, I've also found on the CISO's VJ. Strong and very pleasant advocating voice for the community. So I am super thrilled to have, uh, him as a, uh, as a guest today and, um, uh, thanks for being here, Don. Um, hopefully I didn't mess that up too bad.

Don Boian: You didn't, uh, an exceptionally kind introduction. I appreciate it. Thank you. Uh, I guess I'll give my really quick pitch around the National Technology Security Coalition, which is awesome. NTSC organization that, that Michael talked about. Uh, it's really the voice of the CISO on Capitol Hill. I got involved with that organization, I think it was six or seven years or so ago.
 

Um, and have been on it since. Um, it's really CISOs who are trying to make sure that when nationally we put together legislation on cybersecurity. [00:06:00] It makes sense and it can be implemented. And in fact, we've had a, had had fun. And it's challenging sometimes as, as any of you who work legislative types of things know, um, getting anything through Capitol Hill is, is a challenge to begin with. 
 

But complex things like cybersecurity make it even more challenging, and you find out that. Both congressional leaders and staffs don't necessarily know what all those things mean. So when they start throwing out ideas about incident notification to the SEC or some other regulatory body, um, they aren't necessarily, uh, practitioners, so they don't quite know what that means. 
 

And when we say, Hey, you realize we deal with incidents of CISOs. Day in and day out, sometimes with large organizations, huge volumes of incidents. So, um, trying to put some sanity to that. It's a fun organization. Um, I get experience sitting down with congressional staffs and congressional members talking to them about cybersecurity issues, which is fascinating. 
 

Uh, but it's also a great [00:07:00] group of individuals. Um, and, and quite frankly, from a peer group, you, you can't really, uh, beat the, the group of folks in CISOs there. So that's NTSC. If you're interested, check it out. ntsc.org.  
 

Michael Piacente: Yeah, Don, thanks for covering that. I've, I've had an amazing experience with Patrick and the crew over there.
 

It's, uh, they are absolutely incredible individuals. Super interesting and I learned a ton just in the short, uh, 10 tenure that I've been helping out, so thank you. Yeah.  
 

Sean Martin: And I, I, I'm curious, Don, 'cause I mean the, I read the, the bio and there's so much stuff in there and, and Michael did a great job in kind of painting picture for you. 
 

But I, I'd like a few words from you on, is there a defining moment in your career where you go, where you can say something big happened either to yourself, to the program, to the role of the CISO, to something that you can say? This, this changed the way we, we look at things today.  
 

Don Boian: Um, I, I, I'll, I'll [00:08:00] make that one personal. 
 

I think, um, and I think my answer to that question really is probably a change that happened in my government years in my career. Um, and I'll give you a few examples. Um, it's defining us and them properly. 'cause I think humans are, are classic. We're always, you know, there's always us, you know, our team and them. 
 

And I think early on in my career in the government, there was always some, what I'll refer to as interagency rivalry, right? It's, uh, we're the good agency, they're the bad agency kind of thing. Um, and sometimes you take that way too far, uh, and if you define us and them properly, as I did, I would like to say the second half of my government career. 
 

Um. You know, we're all on the same team. We're all working for the same government. We're all part of the United States. We should be pushing the same way, and we should be cooperating, not arguing with each other. Um, and honestly, I've, uh, I've used that same philosophy when I went to private industry, [00:09:00] when I worked in a large bank. 
 

You know, it wasn't, the marketing won't let me, uh, you know, produce the following, or this business segment is producing things without security, checking in on it, stuff like that. You know, I ended up, you know, trying to help my team de decide, you know, hey, they're not the enemy. We're all on the same team here. 
 

Let's, let's figure out a way through it and let's work through it. Um, and I think actually that philosophy, I think we're gonna talk about a little bit here when we start talking about, you know, what sales and cybersecurity does and CISOs and cybersecurity do, and how the two potentially can work together. 
 

And, uh, we do need to work together a lot better on that. So I'd say that defining moment to me is really the, when it kind of clicked with me and I went, Hey, wait a minute, us and them. There's lots of adversaries out there. Let's, let's, let's make that them. Um, and, and the US piece is us all working together, figuring out a way through it. 
 

We're gonna disagree, but let's figure out a way through it.  
 

Sean Martin: Yeah, [00:10:00] yeah. There are probably countless examples we can pull on. Uh, each of us, the three, probably everybody listening as well. I mean, I can point back or look back to my days in, in engineering and quality assurance. Where QA was. QA and engineering, right? 
 

Or is it QA versus Right now it's security. There you go. And, and app development or is it security versus app development? I think we countless stories like that and when I switched, uh, it's very interesting you went there. 'cause my next I. My next point that I wanted to bring up was kind of, well, who are cyber security people selling to? 
 

And it's naturally, well, let's go to the CISO because of they're at the top. But I've brought thousands and thousands literally of products to market. And as the companies I work with mature, they realize that there are multiple personas. Responsible for security. Absolutely. Yes. CISO sits there, but the CISO has [00:11:00] peers. 
 

The CISO has a team. The CISO has a team that has peers, and some are users, some are key stakeholders. Some are the benefactors. Some are the, the, the teams that call that say that CISO is the the guy who says no all the time. So talk to me a little bit about how cybersecurity salespeople. Approach selling into an organization? 
 

'cause I, I often feel like I said that, that they started the CISO and, and hope, hope it's your job then to navigate stuff.  
 

Don Boian: Yeah. And the CISO is usually a tough person to get a hold of. Right. And it's a tough piece person to pin down or, um, and, and, and you're right, there are multiple avenues to go there, especially in a large organization. 
 

You know, when I worked at Huntington, we had, I don't know, 200 and some odd people in cyber security. Side of things. Um, quite frankly, selling to one of my, uh, one of the folks who worked for me in, you know, security [00:12:00] engineering, uh, or some other area, was honestly just as valuable if not more valuable. 
 

Even though I had the power of the pen and it was my budget as the CISO, right? They still had to go through me. They still get my seat, my signature. Uh, but you know, quite frankly, if you could get their buy-in and you poked on something, that's actually a very valuable lesson for folks in the sales side of things. 
 

Um, if you can figure out a way to get a business segment in a, in an organization and the security organization pushing the same way, again, back to that us and them, if you can get them both pushing the same way and both trying to, uh, bring your product on board. You're even better, right? Show that this will, you know, uh, obviously when I was with a, a bank, it was, you know, reduce fraud or do something in that side of things. 
 

Something where you can tie something together. There you've got, you've got a business case that's unstoppable, right? Then it's you just, you differentiating yourself from other people who are out selling similar products. Um, so, you know, [00:13:00] definitely, uh, don't just consider the CISO, uh, but we're gonna probably talk as, as we jump in here about kind of the do's and don'ts of, you know, what works or what doesn't work. 
 

I'm obviously gonna give it to you from the CISO side of things, and I'll probably share with you what I refer to as my, uh, my, uh, uh, tales of shame, uh, in several approaches that have come towards me. So we can go over that. But what I really like focusing on a little bit more is that. Here are the do's. 
 

Let's, let's, let's all laugh at the don'ts 'cause there are a bunch of 'em out there. But, uh, then let's move on to the do's. And I've actually given presentations before to entire sales organizations. They're selling cybersecurity products to say, yeah, yeah, we've gotta do this better. This partnership has to improve. 
 

So. 
 

Um, let's talk, right? Yeah. Let's, let's ahead, let's go ahead and jump right into some of those, uh, if you don't mind. Um, and I guess the first thing I'll say is we really do need a healthy relationship here between sales and, and the CISO side of things, right? [00:14:00] Let's figure how to do that. But here's the important part. 
 

I said in that, that key word in there is relationship. And we all know a relationship and, and getting your foot in the door with a CISO is difficult. Um, there's lots of different ways to do that. I would say, uh, I can throw some of them out and things they need to think about, you know, get involved with the local community. 
 

Uh, the one thing I absolutely love about cybersecurity is we have a fantastic. Community. And that community is, you know, in, in multiple different, whether you go to some of the security conferences, whether you're a member of some of the, you know, ISACA or ISSA or you know, pick your stands or pick your favorite kind of organization. 
 

They all are a great group of folks and they're all willing to help each other out. And I'll be honest with you, actually, when I left the government and went to a bank, the first thing I thought was, ah, you know, I'll never. Never ever have a chance to actually pick up the phone and talk to my, um, my competing bank CISO. [00:15:00]
 

And interesting thing was within a, when the month of being on the job, I was picking up the phone and talking to somebody. And in fact, you know, there was a, there was a shooting at another bank and I knew it was directly at their office and I'd pick up the phone and I'm like, are you guys okay down there? 
 

You know? So it's very fascinating to me that we, although we may be competitors in a market space. Uh, on the cyber security side of things, we're all one community sales and, you know, the folks who produce cyber security capabilities and defenses are just as much a part of that ecosystem as the CISO trying to defend things and their, their staff. 
 

Um, so we've gotta make this work and we've gotta make it work a lot better. Um. So, you know, first of all I'd say is establish that relationship. And everybody says, well, how do I get my foot in that door? I can tell you a few things that don't work, or at least don't work for me. And I think they generally don't work for most of the other CSOs. 
 

You know, a lot of the cold calls and cold emails. There's just because something pops up in my [00:16:00] inbox. I mean, come on. We're all training people around phishing emails and everything else. You think just because you send an email into my inbox, you know, alright. Yeah. Way to go. I wanna buy your capability. 
 

It's probably not gonna get me to establish that relationship. And I'll be honest with you, some of the intro lines that try and get your attention. In fact, I got one this week that said final warning, and I looked at it and went, oh, final warning. No. Yeah, uh, I had to kinda laugh at that, and I did add it to my folder of emails of shame, uh, because I actually use a bunch of them. 
 

I, I cut out the names and redact them, so you can't actually see what organizations they came from. Uh, but it's, uh, I put it on my presentations when I talked to sales folks. So cold calls, cold emails, they rarely work. Um. The voicemails often either don't get listened to or, you know, don't get return calls on that side of things. 
 

Um, you know, some of the other stuff that I've seen is patronizing emails. You know, I'd said the final warning one, but there are lots of other examples, [00:17:00] um, or, or the ones where we're trying to bribe and, you know, CSOs and Michael can tell you and his, uh, compensation survey will, uh, will prove that out.
 

CISOs aren't generally low compensated individuals, so you know, your $25 Starbucks gift card probably isn't gonna go a long ways to swaying me to either take your call or look at your product. You might be in actually insulting me, right? Um. But I, I will tell you here, I'll flip the coin on you to say there are a few, uh, folks that I've seen, and I will give credit to a peer of mine who does this. 
 

I won't name him, but the peer actually sets aside one day a month and he has a new, what he calls New Tech Day, right? And he allows vendors to, you know, schedule, uh, a half an hour or an hour long call, and he actually has a fee for that. And what he makes you do though, is donate that money to a charity, a charity of his choice. 
 

I thought it was a great idea, right? It allows him to survey the landscape and, [00:18:00] and understand what new technologies out there and things that he should be focused on. Uh, but then also does a little good on the side there. Uh, gathering some funds from charity. So, you know, if you had that, if you had that, those sales dollars or burn a hole in your pocket and you wanted to give it to somebody, uh, great. 
 

Give 'em to a charity and it got your foot in the door and it might get you that second callback. Um, great opportunity. On that side. Yeah.  
 

Michael Piacente: We we're seeing, um, at RSA and Black Hat, we, um, I'm involved in a lot of the pitch for charities as well, and that's, that's a great, that's a great way to give back to the community and learn at the same time. 
 

Um, I love the fact that he is time blocking to do that. Uh, so kudos to him or her that's doing that. That's a, it's a great, um, that's a great methodology that, that. Others should take note of that.  
 

Don Boian: Yeah. I even saw one that actually was a specifically, they were give to a local chapter of an information security organization that had a scholarship. 
 

Um, yeah. So I was like, that's awesome. You know, I, I might, I might actually look forward to [00:19:00] several of those calls if you're, if you're actually gonna donate to that scholarship side of things. Um, yeah. Another quick, don't. Don't ambulance chase. We see that a lot in this industry. Unfortunately, uh, there's a lot of emails that go out right after, you know, the next breach is, uh, publicized and they send out that email that says, if you had just had our capabilities right, if they would've had it, they wouldn't have had this problem. 
 

Um, so, you know, that's, that's one of 'em that's just like really? 
 

Michael Piacente: Yeah. I think, um, I was gonna make a point there, Don, uh, because I love, I love that point. Uh, I also will warn CISOs not to do that too, so 
 

Don Boian: that is true. Well, any CISO that tries fear, uncertainty, and doubt and, and uses that fear as a motivator. 
 

Yeah, that's not a very good senior executive I'd say right there. You know, you need to get them past that fear.  
 

Michael Piacente: It's not even, uh, there's that point too. I, the other one I see, especially with so many CISOs looking for new opportunities is they'll see a breach that's public. [00:20:00] Uh, and they'll call someone like me and say, what do you know about what's going on with the replacement? 
 

And it's like, you know, let's turn the tables for a million. If you were in that such, would you want someone calling and knocking on the door like. Let them figure through. By the way, they probably already figured it out if it's come out publicly anyway, but, you know, not to pick on them. But I probably got no less than a hundred calls when Clorox went down, um, about what's going on with the search, what's going, and I don't, and I wasn't even running the search, right. 
 

So it's like, yeah. So I think everyone, human nature tells us that there's, you know, smoke, there's fire. Um, we're gonna go find out about that. I think it's a great life, life lesson for anyone, um, sales folks and CISOs and anyone in between. Uh, just not the ambulance chase. 'cause it's, uh, it's not, it's not a good look and it usually doesn't result in any positive outcomes anyway, so I'm glad you brought it up. 
 

Don Boian: I have seen on the, on the positive side of this, I have seen when some of those breaches happen, I've seen the behind-the-scenes network with CISOs and security departments say, say to each other, how can I help? [00:21:00] Yeah, that's outreach. I do. Yeah. And can I, can I, you know, is there something, can I send a few people over who sit in your sock and monitor today's operations while you're focused on containing everything else? 
 

Um, and I, I've engaged that a little bit myself. I. I won't mention names or, or places, but a, after a breach, you know, pick up the phone call at the, at the request of a, of a mentor of mine to say, Hey, can you talk to this, uh, CISO and understand after a large breach how you guys are defending against this or what they should do. 
 

So, um, absolutely those, those are good. Um, and, you know, there is a, there is a positive lining there. Um, definitely the, uh, I've seen a lot of the, you know, I mentioned the gift cards, but the trinkets. I had a funny story when I was with Huntington, a vendor, and I don't even remember who it was, but they sent this huge box of these little tiny mini cupcakes. 
 

Um, interestingly enough, Huntington was real. Picky about how they did in inbound mail. So I think those, uh, [00:22:00] cupcakes, which had, uh, some, you know, gel packs or something trying to keep it cold, sat in our, uh, mail facility for at least a week. Oh. Um, and I looked at it and it was one of these. Very fancy cupcake places. 
 

Right. I'm, I'm looking at it going, you spent a lot of money on this. And then I'm, and then I'm like, well they only gave me like two dozen, these little tiny cupcakes. And I'm like, I've got 200 people. How am I gonna hand all these out to folks? And I'm like, I can't even hand 'em out. 'cause they're probably bad at this point. 
 

So, um, yeah. Uh, don't bother with that. If you wanna do something like that, um, here's my positive side of it and here's the do's side of it. Um, if you do have started a relationship with a company or the security department or the CISO, um, I recommend you offer to sponsor a lunch and learn, right? That sometimes is a much more palatable way for folks to, to bring it in.
 

You can spend your dollars there. Um, even, I'll give bonus points to the company who does the soft sell of their product, right? It's not, you know, [00:23:00] slides plastered with whatever it is the company name and the company logo, but it's a, let's talk about how people are implementing zero trust. Here are three or four vendors who do it. 
 

Yes, we're one of them, but here are three or four vendors who do it. And the differences in those types of capabilities, um, you'll get a whole lot of more credibility and trust. And that was the second part of that relationship piece. I was gonna, I mean, we're in the trust business, right? That's what cybersecurity is all about. 
 

And as a cybersecurity salesperson, you should really be establishing that trust as well. Um, and part of that is being, um, open and honest that yeah, there are three or four competitors. Here's how we do ours better, right? You're always gonna wanna differentiate yourself, but don't ignore the fact that there are lots of other competitors out there.
 

Actually use that as to your advantage. Establish that relationship, build that trust.  
 

Sean Martin: And I wanna, I wanna pause you there on that, Don, 'cause all in your thoughts on this. 'cause I see a lot of [00:24:00] salespeople move from vendor to vendor to vendor, and I see security leaders move from gig to gig to gig, and they kind continue to find each other from wherever they are and wherever they land. 
 

And I have to believe that that's rooted in the trust, right? 
 

Don Boian: It is.  
 

Sean Martin: Whatever. Whatever you. Whatever you're selling, I trust you and we'll see how it fits. Here's what I need. I trust you, help me. And maybe you work with some partner or some other, some other vendor, but so the, the trust is huge there, right? 
 

Don Boian: I. It is, uh, I would say both the sales and the, the, uh, the sales engineers, uh, the ones that I've established a trust with are ones that will actually come back to me and say, I can't say this officially, but ours isn't the best product to buy for what you're trying to do right here. Right? Yes. They lost a sale right then. 
 

But they gained two or three more down the road because I knew I could go to them, you know, I was gonna get it [00:25:00] straight. They were gonna tell me. And in fact, many times, even when I did buy their product, they'd say, all right, here's here, here are where the bumps in the road we're seeing from where we've implemented this at other customers. 
 

Um, you know, and one of the things I think I talked with Michael at one point about was, you know. Having white papers and things like that out there are wonderful, right? You need to have those as a salesperson. I don't expect in cyber security, I do not expect you to be the expert, right? 'cause you're not, right? 
 

You're the salesperson. I hope you have a sales engineer right behind you who's really good at what they're doing and can really delve layer deeper, um, into that. But also have things like white papers. Out there that discuss that. It, it not only describes your, the environment and the ecosystem where your product goes into and hopefully places it appropriately in that ecosystem. 
 

Uh, so it describes exactly where your, your solution fits. Uh, but also, you know, gives enough detail to say, Hey, you guys [00:26:00] really understand this space, right? You guys, you guys understand the, the challenges of it and everything else. It really establishes that again, that trust. From A, Hey, I trust that individual. 
 

I trust that company that they're telling me. Here's how it goes. Adds that bona fides that you understand things are going on there. Um,  
 

Sean Martin: do you look to the, the se, the system engineer, sales engineer for that? Or do you find that some organizations have solution architects, security architects that can look at the organizational level, not just the operational. 
 

Don Boian: Yeah, you're gonna get a little bit of both. I'd say for both sides it's a little bit of a push to pull. I've seen a lot of sales folks who come in and say, yeah, I'd like to spend 30 minutes with you, with you telling me you know what your current challenges are for 2024. I'm like, uh, I'm a security guy. 
 

Yeah. I don't typically go out saying, here's exactly the holes I have. Yeah. In my architecture and how I think I need to fill 'em. That's not a very good approach to that. Right? You're gonna get [00:27:00] rebuffed or they're politely just gonna throw you off with things. Right. They're not. We're gonna give you the full Right. 
 

Here's exactly where all my problems are. You know, can you fill these gaps? Can you fill these holes? Um. So definitely I would say there's a little bit of push to pull, you know, if you have a large enough organization, uh, yeah, absolutely. I need to have folks on staff who understand where my gaps are and can ask all those questions. 
 

Um, but likewise, you need to have, from a vendor side, you need to have that sales engineer who can meet 'em halfway and who can answer them honestly and say, yeah, you know, you're gonna get this out of it, but you're not gonna get that out of it. 
 

Michael Piacente: Yeah. And, and, and to put things in perspective, I mean, look, we're, we're entering, uh, 2024 here. 
 

We're in, we're in 2024. Uh, 2023, arguably was one of the worst in cyber history as far as, you know, uh, the reality that hit with the economy and everything else that went around it. But, you know, if, if you have a, if you have a new product or platform or you are one of those 3,800 security vendors [00:28:00] out there, um, it's difficult to make inroads into this community. 
 

It is. Um, they're hard to get in touch with. Uh, they're completely overwhelmed. Um, and many companies are simply expanding their existing footprints and their existing platforms versus looking at new technologies. That's why it's great to hear stories of like, you know, new Tech Day, right? Uh, someone taking time to time block for that. 
 

So bringing in a reputable, uh, sales or customer engineering leader, um, is. I think critical. It's, it's where we see the most success. Um, it's also one of the areas of, or it's one of, one of the reasons we're seeing such a huge increase in not only SEs, but kind of, let's call it, um, CISO-like figures, um, and what we would call a field CISO or even a portfolio CISO. 
 

Um, and I think it's, it's a, it is a, a pretty loud and clear message to the, um, uh, to the community that, look we have. We we're gonna need folks that, that definitely know how to speak, uh, the [00:29:00] language of the customer. Um, externally facing, it used to be when we first started the, uh, our firm, it was maybe 5% of the searches that we had had a sales component effort or, uh, enablement, um, scope, uh, percentage. 
 

Uh, and now that that is definitely in the 25 to 30%, that's the externally facing, but you also need to know how to communicate with sales and other sales engineers as well. And, and so I think this. This cycle that we're seeing right now, this, this massive explosion of field CISOs, um, is really interesting. 
 

Um, and it really stems from all these products that are out there that are fairly complex. They're fairly point solutions. Maybe some of 'em have a robust platform, but, um, this is here to stay. I mean, for any CISO that's wondering. Should I be focused on a little bit of customer enablement? Yes, you should. 
 

You're gonna have to sell your own posture, you're gonna have to listen to other people's postures. You're gonna have to do it all. So I'm, I'm glad that you're talking about sales engineering, that there's a bigger, um, sort of gravitational pull that's going on here as well.  
 

Don Boian: [00:30:00] Yeah. And um, you know, one of the things that I would recommend for all those folks is be ready with referrals. 
 

Yeah. Um, and, and I would say that when I say be ready, I mean already have them in hand when you walk in to go sell your product, right? Because, you know, we've already mentioned that behind the scenes, CISO-to-CISO side of things, right? We all talk, we all communicate with each other. And trust me, I'm constantly, we, I get messages from all of my peer group that says, Hey, is anybody using this? 
 

I, I get 'em through the ISACs, right? People were like, Hey, uh, anybody else using this capability? Can you tell me how easy it was to implement? Um, you know, things like that. So if you're ready with white papers and referrals, those referrals to say, this other customer has implemented our solution. 
 

Obviously you wanna stilt it. They've had a good experience with it, right? They've implemented it's successful and they're willing to talk to you. And then it's a, you know, a peer-to-peer talking about, Hey, we implemented it. It was, you know, it was seamless, [00:31:00] it worked great. Here are a few things to think through. 
 

You know, there's, nothing's ever a hundred percent rosy. We all know that. Um, so it's okay, you know, be ready for those types of things. Have those referrals up front. So ask your customers after you've done a good install in places and somebody you don't mind being, to some extent, a proxy spokesman for your product. 
 

Um, ask them if they'd be willing to take a call from somebody else considering buying.  
 

Michael Piacente: Yeah. Um, there's, there's no shortcut, right? I think that's, that's what you're trying to say is like, there's no silver bullet. There's no, I mean, I, I'm so old that I remember the sales guys in my original storage. Uh, enterprise storage company getting leads off the fax machines. 
 

Right? So, so I won't, I won't go into how embarrassingly old that is, but, uh, you know, mid-nineties, that's what you did, right? And, um, you still had to build that relationship. You still had to figure out a way to earn that trust, to show value, to understand their problems. Uh, and, and that's, it's tough. It's tough in this environment. 
 

It's much more crowded. Um, uh, the [00:32:00] CISOs are much better blockers. Um, they're really, uh, what people don't realize is that CISOs are extremely, extraordinarily good, uh, at blocking out the noise. Um, extraordinarily that they've watched CIOs do it for so long, and they're like, we can teach a Master's class on that now. 
 

Right? And so, um, so yeah, you have to figure out how to get through. It's not easy. For sure.  
 

Don Boian: Yeah. I, I, I'd have to do those things or I'd spend my whole day reading out, you know, what's, what's this, what do I need to deal with? Versus what are all these emails versus the phone calls versus everything else. 
 

There's, there's no way you can survive. You'd, you'd waste a lot of time. Um, to your point, I guess kind of to tie a bow on this, I would absolutely say it's back to that relationship building, the trust. You are in a marathon here. This is not a quick sprint. To build that relationship, to build that trust, it's gonna take a little bit of time. 
 

Um, use your peer group, get involved in the community so that you're not just a face that's out there hawking a [00:33:00] product, you're somebody who really cares about this. You're somebody who's invested in it. Um, I've seen a ton of that, and quite frankly, I'd go to those folks first when I'm looking for a solution. 
 

Sean Martin: I wanna, I wanna ask you, Don, um, how, how much do you expect somebody coming to you? How much do you expect that they know about you and your organization and your operation, um, as well as the potential threats that you face? Because I've seen many, many a pitch deck that I don't know, the first five plus slides are setting the stage for the problem, which every time I see that I figure. 
 

People like, you know that already.  
 

Don Boian: Yeah. Yeah. And  
 

Sean Martin: then there's the transition to, we're gonna guess at what that looks like in your environment. So I, I wanna understand what, what you expect in that kind of phase there.  
 

Don Boian: Yeah. I, I think two techniques are, are, are effective [00:34:00] for that. One is, uh, every, uh, sale cybersecurity salesperson should have. 
 

A one-pager. I know this is gonna be difficult to get past the marketing department, but a one-pager that speaks in plain English of exactly what your product is and what it does, and what type of place, you know, what architectures it fits into. Um. Work hard to get that through and approved, uh, right. 
 

With less buzzwords. Right. We're all tired of hearing them. Get rid of all of that and show me a diagram and give me outline on it. Does the following things, I'll be happy. Um, the second part of that I would say is, uh, give examples in the industry. Sorry. So if you're trying to sell to financial services, say here's, you know, 'cause you don't know how, you know, if I'm, if I'm. 
 

Cold-calling Huntington or cold-calling some other bank. I don't know what their architecture is, right? As a salesperson, um, you'd be a lot better off to say, here's how we think this fits into [00:35:00] the financial sector. Here's how we think it fits into health, right? And those types of things. So you come with your pitch deck, which is predominantly focused upon those industries. 
 

'cause you know, there are clearly differences in how they've implemented things, systems they have, how they operate. But in general, you know, they've all got kind of the same types of problems and the same types of issues, especially if they're a regulated industry, uh, because that'll drive them kind of to some common architecture and. 
 

Some common things there. So those are the two things that I would give you that really help out with that. That one pager. That's plain English without the word salad. 'cause we're horrible. And I'd say that on both sides, right? CISOs? Yeah. Gosh, I lived in the, I lived in the government for 30 years. I thought I knew acronyms. 
 

Right. 'cause the government was a master at it. And then I exited and went to a bank and I'm like, holy cow, you guys are worse. I'm like, this is amazing. You guys have come up with your own, you know, AML, BSA.  
 

Michael Piacente: [00:36:00] I'm glad you brought that up, Don. And, and part of my role here in these sessions is, uh, you know, advocating but also, uh. 
 

I guess pushing the CISO community to also think about things on their side. And I'm glad you brought up the word salad. I don't know how many resumes I've looked at just this week that had a grouping in the middle of every technology that, uh, the CISO has, um, they've been exposed to. Right. Um, uh, we're not gonna go through each one and figure out the depth, uh, nor should any company do that during the interview process. 
 

But one for vendors specifically, you know, I might recommend, 'cause you are gonna need this for interviewing at some point, is. For CISOs to also come up with a one pager as to what. You know, nothing confidential, but just, you know, uh, products that they use or technologies they use, um, in each of the, in each parts of the stack, in each part of security operations and application security and compliance. 
 

Um, because it'll make the conversations a lot more efficient with vendors, with partners. Um, when you get to your interview, you don't have to explain, when did I use Palo Alto Networks versus CrowdStrike, you know, it's just, it's too [00:37:00] hard. Um, and, and also the audience doesn't really understand it as much. 
 

Right. So. You're trying to explain a technology that you use in one area. Um, and it's, it's actually, you know, a platform you use for all the areas, um, that's difficult to explain in a two-minute session. So just, you know, for CISOs to be more, um, more concise about that as well will, will help this, uh, become a more, um, efficient process overall, in my opinion. 
 

And I've seen a few of them do that already. Um, which is, which is great. 
 

Don Boian: And please, I hope whoever's watching this, and if you're in sales, I hope you don't think I'm bashing on the sales, the cybersecurity sales industry. Um, I just think quite frankly, on both sides of this fence, we can both do better. 
 

Yeah. Us and them,  
 

Sean Martin: us and them. Let, let's shift. We have a few minutes left and uh, we'll, we will. Well, well, we saved some bashing for the board. I'm joking. Of course. Nice transit. But, um, so the, so now you, you're, you're speaking to your peers. Well, we can [00:38:00] extend it to the ELT executive leadership team if we want. 
 

Um, but focus in on the board. How does a CISO. I mean, you're, we're talking about technologies and controls and audits and all this stuff, and talking to salespeople and reading emails, and then the other end of the spectrum, translating all of that to a board. So yeah, let, let's, let's go to, let's go there now. 
 

Don Boian: There's some common pieces there though, and again, it's, I think goes back to it's, uh, about building a relationship to some extent, um, if you can, right? If you have that opportunity, uh, I've been lucky, uh, to work at a few places where I could establish a relationship with the board. First and foremost, though, even if you can't establish that relationship, know who you're working with, right? 
 

Know who, who's on your board. Research their bios, know where they've worked before. Boy, I, I would focus in on it as a CISO, uh, and I'd look at the board members like, all right, which one of these people has been a CIO before? Right. That's, that's somebody I wanna pay attention to. They know the tech side of things. 
 

They're [00:39:00] gonna be asking me some tough questions and I wanna make sure I satisfy all of their questions on that. Uh, 'cause you do probably on a board especially, have a wide variety. There's a long, big spectrum. Uh, of folks, you know, and, and all, all of 'em, probably very smart people, but some of 'em are for more focused on finance, some of 'em more focused on sales and marketing. 
 

Uh, some of 'em clearly focused on the tech side of things. And as a CISO, you wanna pay attention to those committees that you'll have to, to be part of, or you'll have to, to give presentations to, whether it's a tech committee or a risk committee, those types of folks. So you wanna make sure you know who's on that. 
 

Uh, a committee or who's on the board so you can understand where they're coming from when they ask you those questions. Um, do your homework right. Um, you're probably not gonna find out a lot on board members from LinkedIn, uh, but generally your company will give you bios on each and every one of those. 
 

I actually worked for a company at one point that actually, uh. Sent you to dinner with the board as the CISO, so you had a [00:40:00] chance to sit down and eat a meal with these folks, and they get to know you beyond the, Hey. Yeah. I'm gonna grill you during the committee session. I'm gonna ask you lots of questions. 
 

Uh, but you know, they wanted to understand a little bit more about you. It's a little bit more about building that relationship and again, building the trust. Um, so please do that. Um, if you can meet outside of a board meeting and get to know them a little bit better, do that. Uh, that's definitely within whatever the tolerance of the company that you're working for, you have to kind of ferret that out yourself on that side. 
 

I've actually worked before with folks where the board members. If they had my cell phone, they'd call me. In fact, that's how I got that call at one point to say, Hey, could you talk to this other CISO over there? I'm on another board and they're having problems. Could you talk to them about, you know, what's going on over there? 
 

And maybe offering some, some, uh, assistance or, or ideas.  
 

Michael Piacente: Yeah, I'll echo that. Uh, real briefly in, in that, um, you know, as a CISO, uh, if you are reporting to the board or you hope to be a board member, [00:41:00] um, as a CISO someday. I mean that you have to remember why, why the relationship needs to exist there. Right. 
 

You are by far and away probably the most effective, uh, uh, translator of risk to business terms in the organization, right? They know that, um, you have an unselfish approach to narrating that risk and on behalf of the company and, um, and the betterment for the company. You're, you're a good listener, right? 
 

You look for solutions. Um. If you understand the, the, the core principles of why the relationship should exist, um, then you'll find, uh, genuine ways to build relationships with those individuals. Um, and offering, uh, time every month on, on text or cell phone as to why you know, and how you can help through these situations. 
 

You are the. Brought in as the expert to tell 'em what, what they need to know as board members. A very different view of the organization. They're not in the day to day you are. Um, but you have to balance that, that communication. So we've talked about communication [00:42:00] aboard a lot, um, in this session and others, but, um, I think people lose sight of that, uh, quite often, is that it really is about that relationship, um, to your point. 
 

Uh, very, very important.  
 

Don Boian: Yeah. Yeah, the one word of caution I will, I will give, uh, CISOs in establishing that relationship is, you know, you do need to make sure your current leadership and, and different companies have different reporting structures for CISOs. You know, I've worked before where it was probably two or three people between me and the CEO and then I've worked for companies where I worked for the CEO as the CISO. 
 

Um, all those folks between you and that board need to be comfortable. You having an open dialogue and an open line of communication between that. Right. So that's another area I would just say you need to pay attention to and make sure that they're comfortable with it. Right? If you work in an organization that where you have four layers between you and the board and. 
 

Every board meeting they make you go through a process by every one of those levels, reviews your [00:43:00] slides and edits it before it gets to the board. You probably don't want to have a super open dialogue, uh, with those board members, right. Direct line of communication. They clearly have given you the signal that they want the ability to shape that message when it goes to the board. 
 

So just a word of caution. Great. A couple other things though that, that I think actually mirror what we talked about on the sales side of things. Avoid the, avoid the jargon, the cybersecurity jargon. Um, I think, Michael, you mentioned it before about translating that risk, uh, for board level. Um, you need to also be able to translate sometimes some of these very difficult technical conversations, um, and, and cybersecurity concepts to a board who may not have that background. 
 

Um, always try. And, you know, I know we get kind of in our own head spaces. CISOs always try to make it about the business though, put it in business context. Um, if at all possible. You know, I, I, I really wish, you know, we get to the maturity on the [00:44:00] cybersecurity side where we are truly boiling it down to dollars and cents. 
 

Um. Even if it's a, you know, if we're not a profit center, even if we're an expense on that side, that's one way to look at it. You're an expense, right? Um, what are we spending? But you need to be able to translate that from a risk perspective. Yeah. Here are the risks we're mitigating, you know, here, here, here. 
 

You know, and you have to, you have to describe those sometimes to the board so they understand. Yeah. You know, your manufacturing line is entirely computer controlled. It's automated and. We wanna make sure that network and those systems don't get infiltrated with malware or ransomware because you'll be down and you've already done the homework. 
 

You know what a day down in that plant looks like. Right? And you can easily translate that to them to say, here's what it is in dollars and cents. Um,  
 

Michael Piacente: yeah. I, I will say, um, just from my, my view that this is one area that I would give CISOs a pat on the back for, um, in that, uh, it's the one thing I feel the business has not really given enough [00:45:00] credit to CISOs, given the historical context here. 
 

So in the last five to eight years, and I'm a history major, so I was always look at it from that way, but it, it is very unlikely to find another group of, of, of individuals, especially executive technical executives. Have come so far in where their scope started. I mean, let's remember where this all started not too long ago and where we are today from our scope and the responsibility, like everything has changed. 
 

The complete, the, the role has completely done a one-eighty, right? As far as where it was and where it is now. I think CISOs have done a really nice job. Um, they're not perfect for by any stretch, but they've done a really nice job, actually. Um. Codifying that risk putting into digestible format for the board to really take action on. 
 

Uh, sure tons of improvement needs to be made, but given that they had very little time and very little direction and mentorship, uh, I mean, find me the percentage of companies that actually mentor their CISOs from an executive programming perspective, it's. Super small. Um, so I think they've done a really nice job. 
 

Um, and they're on [00:46:00] the right path, so I do want to recognize them for that. I think CISOs get a lot of crap for not, for not being a great board-facing role and like, well, let's look at other ones and compare it, uh, look at other executives and compare it. I think the CISOs have done a pretty fine job in that. 
 

Yeah. And are on the right path in short time period.  
 

Don Boian: Very short period time. Very short time. Yeah. Because I kinda liken it to, you know, we used to be as this, as we were technology executives. Right, exactly. We kind of like the, a CIO or, or somebody in that space, uh, one of their peers and, and quite frankly where I think we need to head and, and some have made that, but I think it's slowly transitioning to the business executive. 
 

Exactly, you just a business executive with a very different portfolio than some of your product lines that are at a, at a business. So, you know, I think if you communicate, communicate well, especially around events that happen in board notification for those, always make sure you're involving your legal counsel. 
 

Make it about the facts. Uh, work on your metrics. 'cause really that's what boards wanna see. They want to digest that. And usually most boards get a deck [00:47:00] well before the meeting and they're trolling through it. You wanna make that as digestible and understandable without your voice track as possible. 
 

Yeah. So it's, we're really evolving and I think we're making good progress, but we got a little ways to go still.  
 

Michael Piacente: On the metric side, Don, I, I guess, um, not to put you on the spot, but do you have a favorite metric to measure or something that you, uh, like to talk to the board about that really kind of hits home, uh, in your experience? 
 

Don Boian: Well, I'll tell you the one, the one they always focus on is events. You know, if you can digest those down into cybersecurity events or something like that, do I think it's entirely useful? I think it's only useful in, in one avenue is, you know, if you've done a good job of putting together your threat matrix, right, which talks about all the threats that you believe are gonna come out for your business, uh, then usually your events that happen. 
 

Probably, uh, give credibility to a lot of those things you had on your threat matrix. Mm-Hmm. Um, you know, they wanna know, well, wait a minute, how many events, what happened? Are those growing over time? You know, how did we deal with [00:48:00] them? Who all did we bring in? And, and the one thing I think a lot of boards will press you on is, wait a minute, did you escalate that to the appropriate level? 
 

Right. Did it go to the CEO? Did it go to the board If that was necessary? Right. And of course, now, and you mentioned it I think, or or or Sean mentioned at the beginning of the call with some of the new, uh, government regulation side of things, you know, that's incredibly important to make sure we're doing right. 
 

Sean Martin: And I, and I wanted to ask you, Don, about.  
 

Don Boian: Anticipation  
 

Sean Martin: because board members talk to each other. Right. And CISOs talk to each other. So, so there's a, the community on both, both sides of that. And when the, when the board's talking to each other, they're hearing about, to your point, a breach, some event hitting, uh, some threats or attacks hitting a particular industry and. 
 

You may or may not be aware of that. So can you anticipate some of those things coming? And then you might also get questions, [00:49:00] questions of, well, how do we compare to others in our, in our, uh, sector? And that's where I think mm-Hmm. Maybe some of your community stuff might come in handy. So it's around anticipation. 
 

Do you, how do you anticipate and how do you prepare for some of those things that aren't part of your deck, but are most likely gonna come up?  
 

Don Boian: As a CISO, you should be absolutely prepared for whatever the headline was. Right? Uh, that said, so-and-so got breached. You know, how, how did it happen? Those types of things. 
 

Uh, and most CISOs generally are pretty aware of that because quite frankly, they're probably just like me. As soon as that happens, uh, I'm doing my, uh, I hate to say my own version of ambulance chasing, but I'm doing the, you know, I feel bad for 'em. I hope that. Didn't happen. And by all means, I think sometimes we get away from the fact that we're all victims of this and we start victim shaming, but I won't go there. 
 

Um, I think you need, we as CISOs need to understand how did this happen, right? What were the vectors? Who was the threat actor? Can I make, can I learn from this so that I can avoid it myself? [00:50:00] Um. Those board members are trying to do the same thing. They may not formulate it in the same words, but they wanna know, wait a minute, they got breached over here. 
 

Could that happen to us? Right. What, what were the problems? So you need to be absolutely prepared for, especially the big name ones, the large ones, they don't, they probably aren't gonna, you know, if it hits CNBC, you're, you're, you know. You're probably gonna have to answer to it on that side of things. 
 

So I would absolutely be prepared there for those. Um, you'll get some off the wall questions too as well. Um, and the one thing I've always focused on, which I don't think most companies do well is cybersecurity of board members, right? Mm-Hmm. Generally we give them crappy applications that aren't controlled by your, the rest of your business stack. 
 

Um, we need to do better in that space too, as well, I would say.  
 

Sean Martin: That's great point. Just a few bits of, uh, sensitive information in, in those board apps. Yeah, yeah,  
 

Michael Piacente: just a little bit. Um, and that, by the way, this whole concept, again, an additional scope, [00:51:00] uh, that was not here just 6, 7, 8 years ago, which is the, you know, the focus of the CISO being the chief look around the corner officer. 
 

So, I mean, their main job is to articulate a very clear and digestible story around. Uh, aiming, you know, to make sure you're protecting your customers, your data, and your employees. But it also is what are the vulnerabilities coming and they expect you to know that answer. Um, whatever they is, whatever is on their mind, whatever ai, uh, story they're reading in the paper that day. 
 

Yep. Uh, there was just a massive announcement on, you know, on LifeLock I saw, um, of all these records taken the black market. So, I mean, we should be prepared. I, I have to be prepared for that and I'm not a CISO, so  
 

Don Boian: I Totally, absolutely. Yeah, absolutely. Well, I, I think again, again, I think we've come a long way. 
 

Um, I think we have a lot of, uh, you know, there aren't a ton of. Of CISOs out there. Uh, but I think the ones that we have out there, the experienced ones really have come a long way. And they are that business executive now who's having [00:52:00] mature dialogue and discussion. They are some, to some extent translating for their boards. 
 

Yeah. Um. I think we need to get better, you know, a whole other topic that maybe is another day is, you know, CISOs on boards. 'cause you're starting to see that with some of the legislation and, uh, but that's another topic, I guess.  
 

Michael Piacente: Yeah, I agree though. I, I, I think overall, I think, uh, it's been, it's actually been, uh, a relief to see. 
 

Uh, most boards are actually surprised about how well-versed the CISO is on the business side. Um, I rarely hear, uh, they're, they're hesitant because there's a reputation that comes with a CISO. Um, but once they start interacting with several on their board, um, they, they are very surprised. Uh, often pleasantly surprised about how well versed they are and how well of a business, um, leader they are versus just someone that's looking at code analysis and endpoint issues. 
 

Right. So, yeah, I think that's a good thing. I think we're well on our way. Uh, we're, we're, we've paved and, and honestly Don, it's because of good folks like you in the industry that have, uh, [00:53:00] really been that mentor, uh, and many others that have kind of led to that, uh, you know, led to that, that channel. So, thank you. 
 

Don Boian: Thank you. Yeah.  
 

Sean Martin: Yep. And I, I think that, that's a great point to say. One more. Well, maybe two more thank yous. Thank you, Don, for, for sharing your insights here. And thank you Michael for, uh, for co-hosting and, and bringing Don, uh, wrong Don to us here to, to have some fun. Uh. Definitely tons of points for CISOs to, uh, to take with them and absorb and sales people as well. 
 

And hopefully there's some board members listening too, so they know what the CISO has to deal with as they're approaching them. And, uh, maybe even invite a few CISOs out that, uh, from the, from the companies that they represent as a board member. So, um, Michael, final thoughts. Wanna close this out.  
 

Michael Piacente: No, just thanks for having me. 
 

Everyone. Have a safe, uh, new year, uh, and, uh, be good to one. Be good to [00:54:00] yourselves. That's all. I'm, that's my advice for today. So there you go.  
 

Sean Martin: Perfect. Well, thanks Don. Thanks Michael. Thanks everybody for listening and watching. Of course. Uh, many more coming from Michael and I on the CISO Circuit series here on, uh, Redefining Cybersecurity podcast. 
 

And, uh, please do subscribe, share, and, uh. And comments if you have thoughts. Uh, what do you, what do you think of all of Don's points and my stupid comments and, uh, and Michael's insights on, uh, what it, what it means to get hired as a good CISO. So thanks everybody. See you on the next one.  
 

Michael Piacente: Thank you.