CISO Executive Primer with Bill Bonney, Gary Hayslip, and Matt Stamper

There's nothing better than having three of the greatest experts in the field riffing on the finer points of the CISO. The CISO Sandbox was thrilled to be joined by the co-authors of the CISO Desk Reference Guide Executive Primer, Bill Bonney, Gary Hayslip, and Matt Stamper. They discussed the joys and challenges of everything from CISO reporting structure and third-party risk, to security training and the human element. Also discussed was Gary Hayslip's CISO Manifesto: 10 rules for vendors. Oh, fish tacos and beer were mentioned, too. This webinar had something for everyone! Here is the video and key takeaways.

While the CISO Desk Reference Guide spoke to CISOs, to whom is the CISO Executive Primer speaking, and why?

16:26 – 18:43

Bill Bonney

The Primer was written for the CISO’s peers and the Board of Directors, so that the CISO could communicate directly to his or her peers both from the perspective of: 'This is the role I have and these are the challenges I face.' And also: 'This is what I need from you to be successful in that role.' And it also gives the CISO’s colleagues an opportunity to understand: ‘If we’re going to go out and recruit a CISO, if we’re going to elevate a CISO from somebody who has a purely technical role to somebody who is playing more of an executive role, what are the kinds of attributes that we should be looking for? What is the kind of help and support that we need to give to that individual? And what should we expect from that individual as we mature them into that kind of role?'

So it really was meant towards that next level of interaction, as we are expecting the entire CISO role to grow industry-wide to mature from IT-specific to a business portfolio kind of role.

The human element

24:15 – 28:22

Gary Hayslip

Honestly, one of the hardest parts of the job that most CISOs have is changing the business culture… You’re dealing with these carbon-based life forms and you’ve got to figure out how to work with them. A lot of it comes down to: You’ve got to build trust. They’ve got to understand why you want them to make changes. They’ve got to understand the context of it. And not just internally, within the business context, but also how a lot of the things you’re teaching them they can also use at home. They can help protect their teenagers and their husband and their wife at home, especially when you’re working from home.

I find the human element piece is one of the most challenging but it’s also the most fun… When you break it down to the human element of it, and help people relate to why these things are happening and what you can do to protect yourself at work and at home, I honestly think the human element piece is what makes the job of the CISO very fascinating. You step away from the technology piece and you have to deal with people…

To be effective you have to be out there, you have to evangelize. They have to know who you are and who your team members are and what’s your purpose. What’s your vision? What do you want for the company and why is it good for the company? Why should they follow you? When you’re good at it and they trust you, you can do really cool things. You can get stuff done.

The biggest thing I tell CISOs when they are in the middle of this is: Don’t push too hard. Take it piece by piece. It’s going to take time. It takes time for them to get used to you and why you’re there.

Take the fish tacos and beer approach. That’s the way I used to do it here in San Diego. You find your champions. Find your specific people who want to work with you. Find your core people within the company, within the org. You partner with them and you help them do well, you help make them look good and they in turn evangelize why cyber is important and what you’re there for and what your team is there for, and you get each individual victory eventually to where you get where you need to be to protect your whole company.

The CISO Manifesto: 10 things vendors need to know. What’s the main thing?

30:57 – 34:30

Gary Hayslip

I originally wrote this for reasons beyond wanting to get a couple more beers (and fish tacos) out of RSA… It was more out of frustration from the people I was talking to who were interrupting my day, they were interrupting my meetings. They’ve got something to sell me, they’ve got something to tell me, but they really don’t understand me and they don’t understand the problems I’ve got, the issues I’m trying to fix in my company, and what I’m trying to do in my organization or company. And that’s the frustrating part.

When you’re dealing with CISOs and you’re selling to them, if they’re looking at buying a technology the only time they buy technologies is because they’re trying to solve a problem. They’re trying to manage a risk, they’re trying to fix a control or alleviate an issue with a regulator. It isn’t because they just want to talk to you and they want some great swag. You need to understand what that problem is and how that’s impacting them. And are you a fit for them? Sometimes you are and sometimes you are not. And to understand that problem you need to know who that CISO is. You need to establish a relationship. You need to know who their peers are. It drives me crazy when people reach out to me and they don’t even know who I am or where I’m working at. They’re just reading something they got off of Salesforce and they say, ‘Well you’re working for the City of San Diego,’ and I’m like, ‘No, that was three roles ago, try again.’

Who needs to read the Executive Primer?

35:17

Matt Stamper

I think Boards of Directors and members of the executive leadership team really do need to understand this. The quintessential role of the CISO is to translate digital and technical risk into enterprise risk that those stakeholders can understand. And I think that making sure when the CISO is communicating with the board, or communicating with the CEO or the CFO, that he or she is really working to understand the dynamics from that CEO or CFO’s perspective. What we’re doing is tearing down those barriers that create confusion that allow risk not to be identified and not to be treated appropriately. And so I think this book is designed to start that proverbial dialogue.

Bios:

Bill Bonney, Cybersecurity Evangelist and Author

Bill Bonney is a security evangelist, author and publisher, currently serving as the President of CISO DRG, Inc., a publisher of practical guides for information security executives, written by practitioners. Prior to CISO DRG, Bill was Vice President of Product Marketing and Chief Strategist at FHOOSH (now UBIQ), a maker of high-speed encryption software. Prior to FHOOSH, Bill was the Director of Information Security and Compliance at Intuit, and then Vice President of Product Marketing and a Principal Consulting Analyst at TechVision Research.

Bill holds multiple patents in data protection, access and classification, and is a member of the Board of Advisors for CyberTECH, a San Diego incubator, and on the board of directors for the San Diego CISO Roundtable, a professional group focused on building relationships and fostering collaboration in information security management. Bill is a highly regarded speaker and panelist addressing technology and security concerns. Bill co-authored the CISO Desk Reference Guide: A Practical Guide for CISOs – Volumes 1 and 2, which are considered among the leading books for CISOs and aspiring CISOs. He holds a Bachelor of Science degree in Computer Science and Applied Mathematics from Albany University.

Why I chose Cybersecurity as my field: I began my career in the “big iron” mainframe era, working for Sperry Univac and then a relational database company called Unify. After 15 years or so, I went into consulting and built a web design and development firm. While we were celebrating some milestones with a little vacation in Cabo San Lucas, the 9/11 terrorist attacks occurred. I took this very personally because one of my last clients at Sperry was Cantor Fitzgerald, the bond trading firm that was decimated by the attack. I made a vow to friends and colleagues that when I reentered the corporate world, I would don the white hat. I had a feeling that the next theatre for mindless destruction would be the cyber realm.

Gary Hayslip, Global CISO for SoftBank Investment Advisers & SoftBank Group International

Gary Hayslip brings over 25 years of information technology, security leadership, and risk management experience to his role as the Director of Information Security, CISO, for SoftBank Investment Advisers. Hayslip’s previous executive roles include multiple CISO, CIO, Deputy Director of IT and Chief Privacy Officer roles for the U.S. Navy (Active Duty), the U.S. Navy (Federal Government employee), the City of San Diego California, and Webroot Software.

Hayslip is a proven cybersecurity professional; he has established a reputation as a highly skilled communicator, author, and keynote speaker. Hayslip co-authored the CISO Desk Reference Guide: A Practical Guide for CISOs – Volumes 1 and 2 and recently authored The Essential Guide to Cybersecurity for SMBs, which are considered among the leading books on enabling CISOs to expand their leadership and business expertise. Hayslip is currently on four security and technology advisory boards and writes for Forbes Technology Council. Hayslip is an active member of the cyber community, with memberships in the professional organizations ISC2, ISSA, ISACA, and InfraGard. He currently holds several professional certifications, including CISSP, CISA, and CRISC and has earned a BS in information systems management from University of Maryland University College and an MBA from San Diego State University.

Why I chose Cybersecurity as my field: In many ways it was a destination I found myself in after walking a long, convoluted path through software development, network engineering and audit. I started out in IT because I loved computers, and over time gradually moved deeper into how they were used in network environments, and one day, in helping triage a security incident, I got the chance to troubleshoot and clean up a breach. It was while working as part of a security team that I became fascinated about how to protect networks and I enjoyed serving my organization; it was then I felt like I had found my place.

Matt Stamper, CISO | Executive Advisor for EVOTEK

Matt Stamper, CISA, CIPP-US, brings a multi-disciplinary understanding to cybersecurity. His diverse domain knowledge spans IT service management (ITSM), cloud services, control design and assessment (Sarbanes-Oxley, HIPAA/HITECH), privacy, governance, enterprise risk management (ERM), as well as international experience in both Latin America and China. His executive-level experience with managed services, cybersecurity, data centers, networks services, and ITSM provides a unique perspective on the fast-changing world of enterprise IT, IoT, and cloud services.

Matt received a Bachelor of Arts from the University of California at San Diego, where he graduated Cum Laude and with Honors and Distinction in Political Science. His graduate studies include a Master of Arts in Pacific International Affairs from the University of California at San Diego and a Master of Science degree in Telecommunications sponsored by AT&T.

Why I chose Cybersecurity as my field: I’m intensely curious. I love learning how things work and how seemingly disconnected ideas can be woven together to create a better understanding of our world. Cybersecurity is the perfect profession – few disciplines span from application development to network and infrastructure security to legal and regulatory compliance. Knowing how these seemingly disparate disciplines connect and impact the organization is fascinating. I love working with organizations to help them become more resilient and effective in their risk treatment by linking seemingly disparate disciplines into more effective enterprise risk management. The role of the CISO requires that we are well-versed on business initiatives, technology, and regulations…there’s never a dull day.
