Redefining CyberSecurity

The Importance of Trust in Cybersecurity | Building Effective Teams and Communication | A Crucial Conversation With Billy Spears

Episode Summary

By establishing trust, organizations can develop more efficient security programs and improve risk management outcomes. In this post, Billy Spears, CISO for Teradata, presents critical elements for building trust, such as adopting a results-oriented approach, clarifying intent, and actively listening to others.

Episode Notes

Community Member Contributor: Billy Spears, Chief Information Security Officer at Teradata [@Teradata]

On LinkedIn | https://www.linkedin.com/in/billyjspears/

Hosts
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

______________________

Episode Description

By establishing trust, organizations can develop more efficient security programs and improve risk management outcomes. In this post, Billy Spears, CISO for Teradata, presents critical elements for building trust, such as adopting a results-oriented approach, clarifying intent, and actively listening to others. The crucial role of trust in the cybersecurity industry is also explored as Billy emphasizes its significance in cultivating effective communication, collaboration, and innovation within teams and organizations. Billy stresses the importance of balancing trust in human relationships with the implementation of zero-trust security solutions, paving the way for a more collaborative and productive environment in the cybersecurity landscape.

______________________


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

trust, security, conversation, business, billy, people, ambiguity, leaders, solving, thinking, talk, community, listening, point, objectives, move, risk, work, Sean, marco

SPEAKERS

Marco Ciappelli, Bill Spears, Sean Martin

 

Sean Martin

Marco,

 

Marco Ciappelli

Sean.

 

Sean Martin

Zero. 

 

Marco Ciappelli

Trust.

 

Sean Martin

The amount of trust that I have in you.

 

Marco Ciappelli

I want to keep going with this game, you know, like the was a call to another? Yeah, yeah. You're Not You said zero trust came first. Maybe I've been in this entire

 

Sean Martin

I'll add worthy. How's that?

 

Marco Ciappelli

Yeah, you have to gain my trust. And then I have to gain yours. So there was gonna be a loop that is not working here. It's a broken feedback. Why should I trust you if you don't trust me?

 

Sean Martin

That's right. That's right. And thankfully, marketing teams all around the cybersecurity industry have figured that out with a thing called zero trust. And it sounds alright, they're

 

Marco Ciappelli

all right on having to worry anymore.

 

Sean Martin

Of course, we say that in jest. But there is a lot of good work going on, on the technology front to help us better understand where we might be at risk and, hopefully, how to program manage our way out of those risks, to run a successful business. And today's conversation, which is on Crucial Conversations here with the Blue Lava community where, of course, Marco, you know, and our guest, Billy Spears, knows it's all about helping the community of CISOs and security leaders excel in their roles and actually achieve at helping businesses run efficiently and securely at the same time. Today's topic is all about trust: zero trust, 100% trust, somewhere in between. And I trust that we're gonna have a fantastic conversation with our good friend Billy Spears. It's been a while, Billy, but great to connect. Of course, we chatted a few days ago to kind of kick this into gear. And I'm excited, because you have some really cool ways of thinking about this. And some things you're doing that I think will be extremely insightful for folks listening and watching this episode. So Billy, for those who may not know you yet, a few words about your role, what you're up to, maybe a quick peek into your journey to this point, leading you into InfoSec.

 

Bill Spears

Sure, thanks. Thanks, Sean. And Marco, nice to meet you. I've been around this business a fairly long time. I think when I got in the business, I had no gray hairs, and now I'm full of them. So I don't know if that's a marker of time or just the volatility in our space. For me, I've worked in a lot of industries. I've worked in both public and private sector. I've worked in big gov solving, I think, from my perspective, our consistent security challenges. We've changed the name of the business throughout my tenure. And inside of the space, we have an official title now of security, whether it's information security, cybersecurity, or some other blank dot security. We have that; when I first started, we didn't. We were all network sort of people looking at things on the wires going back and forth. So a lot of the folks listening, if you ever pulled cables or you built networks, or you served as an architect, I started there too. I also started as a software developer, both early on, so software guy that went network, traversed around those bases to a lot of different companies solving some really complex challenges. And now I'm at Teradata, and my role at Teradata as the Chief Information Security Officer is to understand the risk associated with security and across all of our environments. And making sure, I think our top focus is making sure that the product we produce builds trust and thinks about resiliency for our customers.

 

Marco Ciappelli

I am excited. Yeah, I'm excited for this conversation because I have to say, I'm not a big fan of making, having a meeting where you prepare for a chat because I feel like you want to always record those conversations and sometimes you wish that that was the actual recorded. And I have to say that if this conversation is going to be half as intriguing and interesting as our prepping, it's gonna be good. And it may be I'm gonna say that it's not gonna go much into the technicality of cybersecurity, but I think it goes into more of a human interrelationship and pretty much, let's say that the truth is that technology is made by humans and we need to work together. So with this, I would like maybe Billy to tell us how you had the idea to go with this topic in this conversation, because it was your idea. I think it was connected to a book. And we really loved it; again, it was a great prep. So let's make it as good. You go with that.

 

Bill Spears

Yeah, thanks. Thanks, Marco. You know, this topic's interesting to me. When we first started talking about leadership and zero trust, folks, yes, I still read books, paper books; paper cuts are amazing, but not too deep. And I had the opportunity to sit in a session by Stephen M. R. Covey, who's the son of the other Stephen Covey that you might know. And his book called The Speed of Trust really just hit me. Because again, in our business, we talk about trust in a lot of different ways. If you hone in on zero trust, it's really focusing the conversation around the increasing sophistication of cyber attacks, getting more visibility, putting those practice controls in place. In the human or the leadership perception, Mr. Covey really talks about credibility and behavior, and what we can do as leaders to improve our credibility and promote that behavior with other leaders around the business. And I found that fascinating, because, you know, we kind of put our toe in the water, and we use terms like "trust, but verify." And in the session, it was really, the whole session changed my mind to "trust and verify," because if you "trust, but verify," we tend to get stuck on the verify, and we never get to the trust. So I went back to my team. And I think I freaked them out, like I was totally indoctrinated. Because the first thing that I did is I got my team together. And I just put them all in all hands. And we went through the normal things that you guys did that we all talk about with our teams. And then at the end, I saved a few moments. And I told them, I trust them all. They don't have to build credibility with me, I trust them, go out and do great things. And then we all sort of started to work on different behaviors that we could enhance by building that trust and rapport with our leaders. And what I've found over the last few weeks is it's expedited momentum and shifting innovation and change.
Because a lot of the walls that we talk about with proving credibility and security, the why, the how, the how do you know you need some control, or some change or some innovative idea, those walls have come crashing down. And now the only thing that stands in front of us today, it's how do we get to the mutually desirable outcome and the mutually desired state? So that really is how much investment in over what period of time. Really fascinating discussion.

 

Sean Martin

And where does I mean so many places to go with this mean? So clearly, you talk about trust within your team, that then breaking down walls and silos, which we talk about all the time in security, that we need to break those walls down between the rest of the business to have meaningful conversations. Obviously, talking about it here in the context of trustworthy conversations. How did that process work? I know you're a few weeks into this now. I'm curious, did you talk about the definition of trust and what you mean, specifically, by swapping the "but" with the "and"? And how that impacts the way that your own team first communicates, delivers things, documents things, or talk to us a little bit about that.

 

Bill Spears

Yeah, fair. That's great. Lead in Sean. The idea of trust is really, it's more than a word. It has all kinds of ideas and all kinds of sophistication built around it, but really trust is confidence. The opposite of confidence is suspicion. In security, we use both characteristics every single day in everything that we do. You either have a lot of confidence in something and you move forward or you're suspicious and you investigate it to the teeth if you need to. But how do you include both the character and the competence? So when someone says, hey, that Billy, he's trustworthy, or Sean or Marco, you're trustworthy. So it breaks down this model of the investigation that ensues before you can move forward with whatever you're trying to accomplish. Most importantly, I think the biggest variable that I've been trying to tell my team is if you want to get trust, you have to first give it. It's like a trust fall: you have to say that the folks you work with are the best and the brightest and credible in what they do, or they wouldn't have been hired in the first place. You have to trust that they have positive intent. Then, that doesn't take away from us gathering facts and making informed decisions. But you have to trust. And it's weird, if you inherently say it out loud, I trust somebody, the thing in your body, at least with me, that occurred is all of that steam that you normally begin with of saying I want to validate, I want to go do all these other things, it seems to drop. And then the conversation that comes out is mutually beneficial. Whether you agree or disagree with someone, that's kind of irrelevant at this stage. What we're saying is, I trust you. Now what are the things we need to get done? There's a tremendous amount of them from security professionals' perspectives, there's a tremendous amount of them from your business perspective, or your technical leaders' perspectives, or all the other folks you work with.
I have rarely in my career ever met somebody that intentionally goes to work and says, I'm going to sabotage the success of the company. It just doesn't happen. Now, they have different motivations and different factors and different stress levels and all kinds of things on their plate. And then when a security person walks in, we usually bring our wheelbarrow of other controls and other things we'd like them to implement. And they have a process of getting it done. So I trust that they will do their best to figure out how to get them done and meet the spirit and the intent of the control. And hopefully, they'll trust me enough to guide them in the right direction so that we get there at the same time.

 

Sean Martin

And do you think that this understanding of what trust means and the bidirectional level of trust is important to talk about at the beginning? Do you need to set that stage first, do you think? Especially if there's a change in how you've done things before,

 

Bill Spears

I think it's important to set the intent of the conversation. And those are things that we do really well. I mean, think about, you know, when you come into the conversation, and you broach a great idea or a great topic, the very first thing people start wondering: what's your motive? What's in it for you kind of thing? Do you go into the conversation seeking mutual benefit, or you're just coming into a conversation saying, I have all these security things, for example, on deploying a zero trust model, it's absolute, there's no negotiation, get it done? The natural repercussion of something like that is going to be resistance. Whether it's silent resistance or resistance in your face, people are going to give you all the reasons of why change is not a pragmatic solution in their space, mainly because you're not giving them an opportunity to voice their concerns or the considerations or priorities or whatever else needs to come out of their heads at the time, so you can get to the place that you both want to be. I think, for me, it's important to declare that intent right from the beginning. My goal is this, my objective is this, I have this larger, more ambiguous thing. I want to deploy zero trust inside the company. And then there are other tasks and other considerations that need to be worked out. And I can be involved in part of those conversations, some of them or all of them, but we trust the people that are around us to work out those details. So everybody moves in accordance with the overall business objectives.

 

Marco Ciappelli

So I'm thinking one of the places we went on the prep call, and you're kind of going there again, is defining trust. And I cannot think about defining trust without defining security. And when you add the word zero, the value of zero, to it, you're assuming that it's either perfect security, perfect trust, or is none. Right? Is it 0, 1? And I think that you cannot expect the perfect security, otherwise you just don't do anything. And even in that case, you're still probably doing an unsecure thing if you're leaving. And the same thing goes to trust. You got to eventually just say you have to trust enough to know that people are going to do their best, right? But if you're just expecting for that excuse to say up, see, I should not trust you or see is not perfectly secure, then you're always starting from scratch. I mean, I'm looking at this as a relationship, which is as a leader, is that what you build? Right? So security and trust, the two words go together, but they also need to be reinterpreted in a better way so that you can work.

 

Bill Spears

Yeah, Marco, I think if I was just trying to simplify it, and audience, you know, don't send all the negative comments into the group. But if I try to really simplify it, I think security is protection. Right? And then trust is confidence. So they very closely resemble each other and go hand in hand. And regardless of what kind of security, because we in this business have this unique way of making things really, really sophisticated, right? And what kind of trust or in what avenues or what framing of trust exist? Again, there's a lot of sophistication, places you can go. However, if you take protection, and you take confidence, and you package them together, what do you get? You get trust, or the idea of what we're talking about, as an economic driver. It's not merely just a virtue, right? And what does that mean? Well, in economics, we have taxes, and we have dividends, right. And the idea is, if you don't have trust, it slows down the speed, it increases complexity, thereby increasing the cost of dot dot dot delivering or executing. If you do have trust, you get past all those other drivers, people are on the same page, it increases speed, thereby decreasing cost, which allows you to realize more value a whole lot quicker. It's a very simple concept. But for me, it's been this, I don't know, it's like I couldn't drink water before. It's pretty crazy. Because I've never really thought of it in this context.

 

Sean Martin

Like, I'm just wondering, I'm sitting here thinking, all right, I'm a leader of a team. I like what I'm hearing from Billy. Now, what are some signs that might be exposed in my team? Say, we believe we trust or we know, we don't trust we the we're on some run some point in the spectrum, right? How do I identify where I might need to have this kind of conversation with different parts of my team?

 

Bill Spears

I think the first part is you start from, you know, the end. Are you getting the results that you need? Or the results that you expect? If you're not getting the results, then you sort of talk backwards. And you say, well, is that a capability issue? Is it an intent issue, the discussion we just talked about? Is it an integrity issue? Again, there's a lot of things to validate up and down that sort of stack. But the ultimate place to start is, from my perspective, are you getting the results? Are you achieving what's expected? If not, you can unpack this into so much detail. Most often, and this happens a lot in my world every single day, you get three different people from three different parts of the business, all working together. And there's articulation differences about a single word or a single phrase. And so you have to sort of mediate the differences, or facilitate the conversations to get to the same place. In security, we might say, again, we want to deploy a zero trust model. That seems very simple at the very nature, but you'd be surprised. Security pros, we use acronyms. And we use this there's been guidance, and most people don't follow what we're talking about. Because we're so deep in what we talk about day to day, and they just really touch or they connect on the breadth of what we're saying. So it's important to state your intent, to drive the conversation, to frame out some objectives of where you're trying to get to before you even start the conversation. And you're more likely to have success than you are to have those meeting for follow up meeting for follow on meeting to eventually get to the same place. But again, it just slows down the speed and increases the overall cost.

 

Marco Ciappelli

So that's a good point. The communication part: how can you trust something that you don't understand? You're either following a cult in their case? Sure, whatever you're telling me that is, but you know, I'm thinking about that telling story between the board, the business side and the security side and find that communication that allows them trust. You don't need to do each other's job. But you do need to kind of have an idea so that you know enough that you're trusting. Do you have some examples maybe of that?

 

Bill Spears

Yeah, I think, you know, again, trust isn't a blind thing. It's trust and verify. I think the idea here is you have to validate, you have to have credibility with each other. Without the credibility, I think that blindly trusting would just cause a whole lot more harm than positive outcome. So like, for example, when I talked to the board, you know, you're establishing some rapport. So for me, I talked to the audit committee. And when I go into the audit committee, we're talking about what we talked about the last time, some risks or whatnot, what we did between the last time I spoke to them till now, so what are the results, so things went well, maybe some things didn't go so well, and maybe the reasons why. Most importantly, we're talking about what the current risks are. So here's what we're seeing across the landscape. Here are some specific areas where we're working to improve, and maybe we have some projects to support that. We have some open action items, Audit Committee items, reviews, etc. And then what they can expect moving forward. And if I have time, in that, you know, 15 to 20 minute presentation, what I'll try to do is highlight something new and innovative. Because again, these board members typically sit on lots of boards, and they're seeing similar things from our peers. So you want to validate the height, the important points, you also want to build credibility by maybe bringing up things that they might be curious about with other things we're seeing in other places. But you want to leave them with the confidence to know that if something comes up, you have a plan to understand the risks, you have a methodology to address them, you can respond to an incident, and you have a communication mechanism to raise levels and issues as they occur.

 

Sean Martin

civility, I'm gonna tap into my innate attributes of being a program manager. Everything looks like a project to me. And as you're describing some of this, it's easy for me, because I often like to look at the, to your point, what's the ultimate outcome? What are we trying to achieve? And I love the fact that you say, what's our shared intent here? What's mine, yours, and how did that come together to achieve that outcome? But it's often a long, long journey, right? And we may have to start blindly trusting and maybe and at some point, we have the initial conversation when we begin to establish trust, but then the project starts to take and take on and move forward. And as a program manager, I found that two things: one, having a quick win, to establish something that is accomplished together, really solidifies that initial level of trust. And then ongoing milestones that show we're actually marching toward the same objective and are working well together. So that's my own view as a former program manager, applying it to this model. What are some of your thoughts, with that in mind?

 

Bill Spears

I tend to agree with you what from if you think about the model that said my head right now, a lot of what you displayed, Sean, is really about character building. And again, the character is the foundation. So the not to slug for Mr. Covey. But the idea of is the foundation of the tree without character, you can't really have confidence. So without integrity and intent, you can't get to capabilities and results. In the extending trust, to get trust, you have to be succinct, don't try to over talk things, you know, talk straight with people, demonstrate mutual respect. Far too often do I walk in a meeting, and there's a really smart person in the room who knows more than everybody in the room. And while that might be true, they're not listening to what other folks' problems are. They're not listening to the situation in the room. And truly, I think the most impressive thing I've ever seen in my career is when you walk into a room, and you open yourself up and you're willing to be influenced by something you learn in the room. It's impressive to me when leaders do that. Quite often I try not to talk for the first 10 or 15 minutes in a room. I try is the key word there. Sometimes that's just not possible. But I really want to listen and I want people to influence me, change the outcome, change my approach, change a decision, bring some set of facts that says here's a better, smarter, more efficient way to get things done. I want to be convinced that what I've learned throughout my career was just impossible. Now we have these new whatever. And let's take this approach to get to the same result. Great, that's amazing. Also, I think on the other side, it's important to always think about continuous improvement and getting better. I'm sure that I can echo the sentiment and most people would agree. When you walk into a room and you say, I can't do something, and you say why. And they say, because this is why we've always done it. Oh, that hurts.
That's like a gut punch for me. Because I know that there's so much hill to still traverse, and there's so much road ahead that we have to get through before we can really find common ground to be successful. So in those situations, I really like to get to, let's clarify again what those expectations are. And then let's practice accountability with each other. I'm willing to take a trust fall and say, here, I'll do two things. And maybe I can get them to agree to one or two things. And we can come back together and show that, well, we can work together for the common good.

 

Sean Martin

They're not I don't know if you've had any experience here that you can, you can lean in on Billy, but the idea of, because I love what you're saying about listening, and there's, there's listening, and perhaps maybe hearing and then understanding and in there, there might be some assumptions being made. Well, I heard that person say this, and therefore, I'm taking that as a positive or a negative and not really understanding what is being said and how I can use what's being said to to apply what I'm trying to do with my intent to the situation. So assumptions.

 

Bill Spears

I don't, yeah, Sean, I don't disagree with that at all, I think happens a lot. Especially when executives walk in the room, they walk in the room, and I don't care what word they use, they'll say, here's what I'd like to see. And people take the words you say, almost as long, like so literal, it has to be those words, because they said it. And I think, inversely, executives, they walk in a room, or any leader for that matter. They walk in the room, and they're trying to be helpful, and they're trying to provide different ways of thinking or challenge the norm or create some positive disruption that spurs thought. And they don't realize sometimes when you talk that people will, they work so hard to move mountains for you, that you almost have to come in the room with 15 disclaimers, and say, here's the frame of thought on that. Here's how I'm trying to approach you. Here's my objective. Like there's no directives. I say this a lot: just because I'm saying it doesn't mean you have to do it. It's just an ideation session. And I think what happens there is minus all the disclaimers is people are more willing to let their guard down. And they're more willing to think of ways to produce the expected result, meaning I want to accomplish this large thing. We work in a very sophisticated company, we have all these layers and years and generations of how things were done. How do we consider all that stuff? Move forward, not create risk, or better yet mitigate some risk? And how do we help our business succeed? That's not an absolute. That's definitely takes momentum of many, many people in the organization.

 

Marco Ciappelli

So I don't think we could have had this kind of conversation, this crucial conversation, this one in particular, eight years ago, 10 years ago, maybe not even five years ago, because we have that conversation. It. There is a different culture, I think that is maturing in the industry. And I'm very happy to see this because it's more human. And I think it comes with knowing that you don't know everything, which probably wasn't the attitude a few years ago in this industry, like I know, you don't know anything, just trust me. I don't need to trust you. But just trust me because I know more than you. So it's kind of like goes together in a loop here to asking you the question of how not only how did you get to, to these different perspective, it wasn't that you just listen to this presentation, and all of a sudden, the light blinked that you were probably already on that path. And so can you tell me like what what in your opinion is changing in the industry that can allow us to have this conversation?

 

Bill Spears

Yeah, thanks for that, Marco. This is a great point. And I think a great segue. No, it wasn't. I'd love to be like, yeah, it was this one book and it solves everything, but that's not true. I think the book highlighted just a one variable of a lot of points that you just bring up, you know, and really, for any security leaders or CISOs, or depending on where you are in the world sighs So those are if you just spell it out CIA so like, the idea is it's a very confusing topic, even for us. We don't know how to say it. We have many different ways of approaching it. Acronyms, whatever. We don't know where organ is working organization organization where we sit? How far away from the CEO? Are you one level, two level, seven levels? I don't know. So the organizations primarily don't know what to get out of a CISO. And they don't know what to get, depending on which industry vertical you sit in. How do we know? I challenge all the listeners to prove me wrong. In this particular situation, we have over 700 certifications and growing. 700. And I'm probably under guessing at this point. So name another industry that's even close. They have another industry that has 10 certifications to do their job, anyone. And I would absolutely love to be influenced. But the fact that we have so much complexity says you cannot know everything in this business. There's not a single person that knows everything. That's why we have all these different frameworks. Like think of all the frameworks we have to comply with, then go back to my first point of how to where do you sit in the organization. There are CISOs that are senior level executives, there are chief security leaders in companies or whatever they're called, that are managers or this is their first role. And they came from the audit side, and they're saying, wow, I have all this stuff. And this is a lot and I need help. The challenge I had with growing up in this business is there weren't a lot of places to go to get help.
Today, that's very, very different. There weren't a lot of places to learn how to be a great business leader. Today, that's very different. There weren't a lot of security leaders that sat on boards of companies. That's very different. And it's becoming more and more of a shift around the momentum of putting security leaders on audit committees or as the outside directors on boards and whatnot. There wasn't really a business for security. Remember, 20 years ago, it was the business of the CIO. And the people were trying to learn what a CIO does, and how they bring value into an organization. Now look at all the chief security or chief information or chief technology, whatever it is, the technical leader. You have the CIO and CTO and CISO, and, you know, the product officer. You know, you have all these people who think about data and technology and move and innovate, or excuse me, bring value to a company. It's complex. So today, to shift, very long winded answer to your question, to shift, you have to be a great business minded leader, to inspire that next generation. And you have to coach and mentor and let them know that the struggles are feeling and the sophistication of the day or the anxiety and stress, it's going to be okay. You've been there, you've done that. This is how business works. Let's get new ideas. And let's get new approaches to solving things. Let's rotate people out to give them more experience. I think that's important, rotate people in saying inversely. Does that make sense?

 

Sean Martin

Absolutely does. And looking back in time machine for early days. For me, we've kind of on this point of innovation, all kinds of I'll frame it as transformation, business transformation that we've seen, moving from licensed business models to subscription, moving from applications to platforms, right? In that platform, business model, moving to cloud and AI and looking at data and all these things. There's a lot of transformation and a lot of moving parts. And we've had conversations with many of the local community members on those topics. And even moving to your last point, Billy, that the hiring and the training and the retaining and keeping everybody up to speed. And my point of prefacing my question with all of that is all that change. To your point, it's hard to keep up, right, and hard to know everything. And in there is a tremendous amount of ambiguity. And again, putting my program manager hat on, every project has ambiguity, it's a matter of how you expose that and have a conversation around that. And again, understand whose role it is to partake in, either accepting it or digging deeper to uncover the realities of it so you can make some good decisions. How does ambiguity play into trust and some of the conversations you're having?

 

Bill Spears

That's a great question. I think ambiguity, it plays a lot, you know, on what we do every day, there's tons of ambiguity. And then we have to create that specificity or the details that follow the ambiguity in the projects we create so that we can put it to the business objectives. You know, I hear how facts some facts, no facts is a partial fact or just an idea as you walk through the virtual hallways every day. And you know, you're walking from meeting to meeting trying to figure out, or virtually, if you're logging in and out, you're trying to figure out how the parts and pieces fit together. What's cool about a data-driven society is you're able to get into contact with people maybe a little bit faster than you could previously. And if you remember, the pre-COVID days, we would walk through the hallway and try to catch somebody in between a meeting or something, it still might take all day to get the folks where today you can just, you Teams them or Slack them, or you get to them much quicker at wherever they are, to bring people together for these ideas sessions. In you know, guys in business, it's important for us all as leaders, to understand security is just that it's your area of business, you're supportive around all the other business leaders trying to drive your company in the right direction together. It isn't, without security, everything just goes boom, it's security is a piece of the larger puzzle, to build trust and resilience for your customers, for the other employees, for yourselves. And you. And I think that a lot of security people take a lot of pride in their work. So taking the ambiguity, driving in the detailed steps of what's next, super important. But any security leader out there listening, if you think you're going to show up every day, and just have the finite details and tasks that just doesn't exist, they're looking to you to solve that.
One of the best examples that I can ever give here is, you know, when I was younger in my career, I was one of those guys where I would ask the senior leaders, why don't they care about security? Or why don't they care about the things I'm working on. And one of those security leaders looked me straight in the eyeballs, and they said, because I have you solve it, do security stuff. And that's how the industry kind of thinks about us, right? We do security stuff, we don't have to bring, cling on to the table and try to over explain or teach people to the weeds that we know, we have to give people confidence that we know what we're doing. And we're supporting their objectives. And we're taking care of our sides so they can take care of their side. And together that builds that credibility, that mutual kind of credibility. And then I think that's how ambiguity becomes trusting over time. Or ambiguity drives trust?

 

Marco Ciappelli

Wow, that's a lot to think about here, I think. But let's keep thinking with you, as we're starting to wrap here, like a vision for the future. That's usually my last question of any conversation I have. I'm just curious about the future and then to look back maybe in five years, 10 years, if we actually had a good view and vision for the future, you know, this technology, humanity, trust security, there's all thing I mean, with the last example, that you bring the one going back, and it's like you do your security stuff, it's I don't think anybody would say that anymore. Now, because you need to put security in context. So I'm wondering how much more you see this merging the business in the security and maybe the role of technology in it?

 

Bill Spears

Yeah, well, I think that's a lot to unpack. Marco. Thank you for that question. Oh, that's awesome. I think working from the middle and then working its way out, right. I think the first part is, if you think about the future, security follows technology, innovation, as technology continues to move to virtualized stacks, right. So folks, if you're still racking and stacking hardware, that's awesome. But that's not going to happen in the future. The idea is as you move to virtualization, you have as a service, dot, dot, dot, and that's how security changes, it becomes this very complex organism that has to fit in all those new pieces or in the past, we would talk about layers, and in the future, we talk about edge and we talk about, you know, containers and we talk about virtualization, and whatever. The idea is, it becomes a risk management function. So all these things have to feed into the center, which drives the risk assumptions. And then that goes into a tolerance that fits into your larger organizational model of what tolerance means. And then everything else you do drives it, your incident response, your policies and procedures, your training and awareness platforms, like how do you recognize and react to different things, which is also going to drive things like budget and resource allocation. It's going to drive the larger ecosystem of crisis management, that's more than just security. That's bigger sophistication of things. And then lastly, I think what also drives the momentum of us is how sophisticated the vulnerabilities and threats are, and how pervasive they are. You know, I think phishing and I'm going to just say something over rarely, so the fact checkers can tell me if I'm right or wrong, but I think phishing is still the most prevalent threat that we have. Why? Because it touches humans. Now we have all these other ways to bypass passwords and get in systems and move laterally and do all the things that they do.
But the easiest way, and the most common like vector is social engineering, and lots of vectors to do it. How many of you work in at home get the text from your CEO or your boss? And you ever wonder, where did they get their names and phone numbers? How did you get on that list? Why are you getting a text on your personal phone on a Sunday asking you to run an errand or go get an Amazon gift card? Crazy stuff, that's not a real thing? How many people are still falling for it? Billions of dollars worth every year. So that's the risk. Wish that was the only one I had to solve Marco, that is not in my day to day life. We solve that plus other things. And that's what I see in the future, more of that, more business conversations, more of getting comfort around what your risk tolerances are, and solving the most critical things first.

 

Sean Martin

Super cool. I was thinking API and microservices and open everything, open banking, open healthcare. That's the future everything. Yeah, not so much hardware anymore. But, Billy, I'm gonna reel you back in from the future. I know, Marco likes to take us all the way out there. But for this community, I want to maybe have you think for a moment and share with them a final thought of something that you really want them to take with them. And then also, perhaps an action that they can take, after listening and watching this episode with you.

 

Bill Spears

I think the takeaway for me, why No, this, the takeaway for me is, it's going to be okay. In your day to day you have all these stressors and influencers and technical details and risk related things. And you might feel like things are going a mile a minute or even faster, and you have too much work and you have no boundaries or personal space or whatever. It's going to be okay. Find a mentor. What I've found most helpful in my career even now, I have mentors now and people I talk to and people I bounce ideas off of and some folks I've worked with before they've worked for me, and I consider them mentors now, because they just have a different approach of solving the equation. And it's interesting, I'm open to be influenced.

 

Sean Martin

I think I'm in the community. By the way, Billy. Absolutely. Unity as a mentor, one big you got it. And

 

Bill Spears

I love the mentorship aspect of Blue Lava. I love all the other things that go into this. I was almost going to name drop on my tongue. So that's improper. I won't do that. Community members. A lot of you I know. Some of you I don't, but I'd like to know. So go find somebody, talk to them. It's going to be okay. The second part, I think there's nothing with a meeting. It's okay to trust, find someone, trust them. Watch everything start to change. Again, it's not always a blind trust; trust, but verify.

 

Sean Martin

I love it. And I was right to trust that this will be an amazing conversation. Crucial was it was an amazing conversation. And Billy, I mean, it's always great to talk to you. And yeah, I mean, I was excited when I heard that we're going to have you be part of this and even more excited when I heard the topic and heard some of the things you were talking about. So I'm sure we've only scratched the surface. And again, that's what the community's for. We don't have all the answers, Billy, as a lot of them are for nine not so much. But that's what the community is for, to kind of bounce ideas off of, bounce questions off of, and share thoughts and progress and actions and learnings. And I mean, that's it's a community of trust right there to lean in on. So like, thanks for joining us here and for sharing this crucial conversation with us. And for everybody listening, there'll be links to Billy's profile in the show notes and also, of course, you can connect with him in the community directly. So Marco, anything else to say before we wrap?

 

Marco Ciappelli

No thinking? Just conversation really, really I trust my dog sometimes, but a lot to process. I hope that we're going to have many more of this conversation and don't talk much about the technical part but the true leadership which is about humanity, so I really appreciate that he started from a book that was not even about cybersecurity because, though, all the things we said, they do apply to every business, every team, every relationship between humans. So thank you very much. I'm honored to be part of this community.

 

Bill Spears

I'd like to thank you, Sean. Thank you, Marco. Thanks to the Blue Lava community. This has been fun. And I look forward to many more conversations with all of you.

 

Sean Martin

You just committed to joining us again.

 

Marco Ciappelli

For sure. Gotcha.

 

Sean Martin

All right. Well, thanks, everybody, for listening and watching this Crucial Conversations here on the Blue Lava Community on ITSPmagazine. And stay tuned for more. I think we're gonna have some different format conversations coming soon. Some interesting topics as well. So listen back, I mentioned a few of the topics that we've already covered. Listen back to those episodes. And stay tuned for some more cool stuff, perhaps with Billy as well in the near future. So thanks, everybody.