What cybersecurity leadership lessons has Jerich Beason, CISO of Capital One Commercial Bank, learned from the wisdom of great coaches? An illuminating deep dive into the finer points of strategy, management, and mindset. A well-respected keynote speaker and thought leader, Jerich is a LinkedIn Learning instructor. His course, Cybersecurity careers: Getting started as a CISO, is available here: https://www.linkedin.com/learning/cybersecurity-careers-getting-started-as-a-ciso
John Wooden said that "The game is won before the game has begun." His quote was referring to the competitive value of practice, but when it comes to fantasy football it’s all about the manager’s preparation and making sure you have the right team ready to go on game day.
Sometimes it’s the simple things, like making sure nobody in your starting lineup is injured. I had this hurt me in week 4 when one of my starting WRs wound up not playing. I lost by less than a point that week; every wide receiver on my bench would have won me the match. This is a perfect parallel to cybersecurity.
The game is won before the game has begun in cybersecurity because, in reality, game day is when the bad thing happens: the breach, the compromised account, the attack, or what have you. Everything that we do is in preparation for game day. All the policies, all the processes, all the assessments, all the technologies you deployed and tuned, all of the awareness trainings, all of the risk conversations, all of the risk acceptances, and all the audits. It’s all to prepare for game day.
Bill Parcells famously said “how do you expect me to cook dinner if you don’t let me buy the groceries?” When it comes to fantasy football who and how you draft are the most important things that you can do.
It’s all about the personnel. It’s all about choosing the right players to make it into your starting lineup every week. But who you get to choose to start on your roster is all about the quality of your draft. And this is where fundamental strategy comes into play.
A lot of people choose the auto draft, where a draft robot selects players for you based on the platform’s projections of player performance. I opted for a manual draft because I wanted to ensure that the people I thought were best, and who would best round out my roster from top-to-bottom, were on my team. And if we lose, I’m gonna lose knowing that I selected and did my part to put the best team out there.
Additionally, you want a diverse team so you can handle all scenarios. You don’t want a bunch of players with the same bye week. You don’t want a bunch of players who play outside in cold climates. You want defenses that play teams that score less than other teams. You don’t want a bunch of players playing on the same team, either. One bad week for that team is a bad week for you, too.
Lastly, you want players who can start when you need them. Everybody has a potentially prominent role.
When it comes to cybersecurity leadership, we as leaders need to take a very active role in hiring personnel. We cannot just depend on automatic talent systems. We need to take steps to ensure our values and expectations are well known among the leaders we delegate hiring to at junior levels on our teams. Diversity of thought is the result of embracing different lived experiences, backgrounds, and cultures; when we are problem solving, an echo chamber is the worst thing you can have.
Cybersecurity in many ways boils down to solving a bunch of asymmetrical problems. That’s when diversity shines.
Additionally, when I’m selecting talent, I’m not selecting talent for right then and there. There are future leaders and future successors to existing leaders, so it’s important for cyber leaders to have their finger on the pulse of all the people coming in if you want to make the best attempt at putting the best team together.
Al Davis famously said, “Just win, baby.” When it comes to fantasy football, by any means necessary you’ve got to do what you have to do to defeat whatever unlucky chap is matched up against you that week. If talking smack helps take your opponent off their game, go for it. Be aggressive with your trades. Constantly try to improve and do whatever you can do to win! Why play if you’re not trying to win?
When it comes to cybersecurity, we are in a battle with a lot of different adversaries. Most of them are outside of our organization but some of them are internal. We are in a war of sorts, and we’re just trying to win our battles. We are walking up an escalator that is steadily going down. If we are not deliberately taking steps up, we’re just going to get pushed lower and lower, and the longer you decline the harder it is to get back to where you were.
We can’t take our foot off the gas. We always have to be finding those open cracks. We always have to be improving the talent around us. We always have to be looking for the leverage, and the advantage in the cyber war that we are in. There is no rest for the weary if you’re just trying to win, baby.
When he's not dominating the CISO Fantasy Phish Bowl League, Jerich is the Chief Information Security Officer of Commercial Bank at Capital One. He has served in progressive roles at some of the most respected companies within cybersecurity, including Lockheed Martin, RSA, and Deloitte, where he served as a trusted advisor to executives within the government and Fortune 500 organizations on cybersecurity strategy, architecture, and program development. In his previous role at AECOM, he was responsible for security architecture, risk management, compliance, and overall security strategy. At Epiq, Jerich has developed and is executing a strategy to propel Epiq into a World Class security program. He currently oversees the enterprise and product security organizations.
In his spare time, Jerich also hosts a monthly podcast aimed at educating the legal industry on all things cyber.