CISO Secrets Revealed! (Insider Secrets for Climbing the Corporate Ladder to CISO!)

Captions
Gerald: The path to CISO can be various different ways to get there, right, and one such way is through DevSecOps. Now, I know that might seem crazy, but hold on, stay with me. If you remember, a couple of weeks ago we had Ashish on to talk about what DevSecOps is as a career path, as a job, a role, and this is how he came up to become a CISO. So we're going to have him back on the show; we're going to be doing a little bit more of the senior-level look, a video on how you can go from being, you know, DevSecOps or DevOps and migrate, a career path up into being the top dog, the CISO. [Music] So let's get in there. Be sure to stay tuned to the end, because we've got another CyberSN job of the week that I'm going to share with you. Let's go. [Music]

Ashish: I started my career as an identity and access management person. So for people who don't know, security has a lot of different facets; one of them is identity and access management. People pay like thousands of dollars to solve the identity and access management challenge. I started there; I went on to become a cloud security architect, cloud security engineer, not knowing what was available; these are some of the challenges that people feel and come around. Now, as I was doing that, I was kind of going up the ranks as well, and as a senior, like a security person in the company, and this is the advantage of being part of, say, a small to medium-sized company instead of a big enterprise. When I was in the enterprise doing identity and access management or cloud security architecture, what I found was that you're boxed into a particular sport and they don't want you to come out of it. Transitioning, once you say DevSecOps, would have been like, "Oh my god, that's very left field, there's no way Ashish can do that," whereas in a small to medium-sized business there's a lot more openness to the idea of, "Hey, I think Ashish can do a bit more if he wants to." So I started doing DevSecOps, and I stepped into, I started running a security operations team as well. So it was a combination of that, and while I was doing security operations I had a couple of incidents, and that introduced me to the concept of risk and compliance, the GRC of the world. I would not call myself a GRC expert, but I also would say without GRC I don't think I would have been a great CISO, because I don't think you can have a conversation with a business about how amazing a cross-site scripting or how amazing a static code analysis is; they have no idea what these words mean. All it would sound like is, "This guy is really technical and probably a nerd, so I'm going to walk away from this," and tell me, look at your boss and go, "Hey, you know, whatever she said, just can you summarize that for me in, you know, layman's terms?" And that's what I feel was something that I learned as I was doing GRC, and that's kind of what helped me come into like a CISO or a head of security kind of role, which is probably, I guess, the top of the ladder for any security person out there.

Gerald: Yeah, it certainly is. It's really interesting; you kind of hit like serendipity, because you came in as identity and access management. That is a hot, hot area right now. For people who are watching that don't know, that is a hot area, and really as we move to the cloud, the idea of zero trust architecture, it's really about securing the identity. So I mean you were teed up at a perfect time to be able to move into that DevSecOps and become a cloud architect. But what I wanted to ask you: I agree 100%, not being able to speak to the business; they don't care how awesome your zero-day is or how sick a box you popped or whatever. Like, they want to know dollars and cents, financials. So, you know, for someone who is more in like the engineer type, you know, technical role, whether it's DevSecOps or it's a senior SecOps person who is kind of eyeballing that CISO role and wanting to make that change, what would you say, like, how do they get started with GRC when they're already kind of a more senior technical person?

Ashish: Awesome, that's a great question, and I think the easiest way, and that's what I tell people that I mentor as well, is every organization that you work for usually has a GRC or a risk and compliance department. Now, depending on whether it's a big organization or a small organization, what you might find is there are people who are already doing a lot of compliance activity in the company already, now whether it's an ISO 27001 or whether it's a SOC 2. Now let's take the example of a DevSecOps person, or even a cloud engineer. On your day-to-day you're probably working on, say, either a software development life cycle, and there are compliance elements in there. Like, I'll probably quote an example of ISO 27001, where it's a requirement that you should be doing security testing of the code that you're deploying, some form of verification that you're not introducing vulnerabilities into the production environment. Now that's the compliance thing. When you go into an application security kind of a role or a DevSecOps kind of role, no one tells you, "Hey, you should... this is like an ISO 27001 kind of a requirement." So if you try and identify those people as to, hey, why did we go down the path of doing, um, like a DevSecOps, is there like a compliance-driven activity, or our CEO really loves security so he or she just wanted us to do this? So I would say use that as an opportunity to start learning about how your company may be currently doing GRC, because another reason why people go down the path of getting a certification or security certification, which is kind of one of the reasons why people do risk and compliance, is because that's how companies build trust with other customers. So if I say, I don't know, like Capital One for example, and I want to work with Bank of America, now just because I'm Capital One they would not trust me. What's that verification or trust that I can produce by myself to say, "Hey Bank of America, look at the certificate that I've got from this independent external auditor which has come in, looked at all my controls, and can verify that I am doing what I'm telling you that I'm doing. I'm giving security as my number one priority, and all these controls, including for DevSecOps people, the application security side, my software development life cycle is pretty secure; for cloud security engineers, all my cloud environments are pretty secure; we have prevention, detection, like all those kind of things." These form some part of a compliance standard that your company may be looking at, so that's one way for you to get yourself introduced. Otherwise, attending meetups and events for governance shows you, at least gets you, around osmosis for what are some of the vernacular, say, someone like Gerald would use or I would use in a conversation when we're trying to talk about a vulnerability to a senior person in the organization. So that's another way to kind of learn about compliance and risk.

Gerald: Yeah, and you bring up a good point about kind of like interoperations between two businesses. You know, another great one, like legal: you know, I would argue, like, talk to your legal office, general counsel, whatever you want to call it, and say, "Hey, like, you know, if questionnaires come in, send them to me and I'll help fill them out," because businesses do send these security questionnaires now to another business and say "fill this out," and they use it as kind of some level of barometer to determine whether or not you're a secure business. It's a bit of third-party risk management, but someone's got to fill it out, and if you want to volunteer you can start positioning yourself as that liaison into the office. Now one thing I want to talk to you about, Ashish, and I feel like this is a dark, dirty secret that people don't talk about and you never really know it until it's too late and you're there: talk about, as a CISO, like, when you're doing DevSecOps you were obviously very technical, very hands-on keyboard, very in the weeds, and that's very fine to a lot of people, including myself. When you're a CISO, you know, I can speak to it from experience, like, you're doing a lot of Excel and a lot of emails. How do you handle that transition, I guess, away from the keyboard, or did you find a workaround?

Ashish: I think I still work on this, but what I found, one way, was to start the Cloud Security Podcast. Like, I still feel relevant when I'm having conversations, but I definitely find myself over the last couple of years, I'm definitely more of an Excel, PowerPoint person. I can definitely whip up a script if required, but I think my brain is a slight bit smaller or slower. The other day I posted a GIF on LinkedIn which is just this person who's not coded for a while and then just goes in and goes up arrow on the terminal to see "what was that command, I can't remember what that command was," you keep going up and you're like, "Oh yeah, that's what it was." But yeah, I'm slowly turning into one of those kind of people now, and I'm not ashamed to admit it, because I definitely feel, I wanted that, I guess, experience to become a senior leader and try and be able to explain that to a broader business. And now I do want to call out: if you are someone who's listening to this and going, "Oh, so I should probably stop doing technical things and move to Excel," I probably would say, for that phase of my career, I think there was nothing more that I wanted at that point than being more technical, and as you kind of mature and as you kind of get more, say, expertise in a particular topic, now whether it's DevSecOps or anything else, you kind of start slowly finding yourself, "Actually, you know what, I'm getting kind of bored, it's kind of getting repetitive," and yes, DevSecOps can become repetitive after a while. It doesn't dramatically change in six minutes, uh, six months; it takes years for it to change. So you might find yourself looking at greener pastures on the other side, and like, "Hey, maybe I should do a CISO." Or actually another one that I found was a head of security kind of a role is also interesting, if you go find companies, because CISOs usually have a lot more, I guess, layers underneath them. There's already, they usually, depending on the organization you go to, there could be multiple people beneath you, who are, well, I don't know, I don't probably use the word "beneath you," but they report into you. They talk about, hey, one person would be looking at application security, one would be looking at cloud security, one would be looking at something else, and they have their own teams that they're managing. But if you go for a head of security, or if you go for a CISO in a medium-sized company, medium to a large-sized company, kind of like where I am, where you can get like a head of security and compliance role, what that means is you can still be close to the technical side if you want. You won't see a head of security role have, say, more than 35 people in a team, and 35 itself is quite a bit. I think the minimum that I've seen, in one of my colleagues who was head of security, is to have two more people in their team, or one more person in the team, and that's completely normal. What that allows you to do is still remain technical, and as you start to kind of find yourself, "You know what, actually I'm starting to get to that point where I don't want to be technical anymore, I want to have more business-level conversations," then you can slowly start moving towards a CISO kind of a role, where you're still the top; I mean, for lack of a better word, you are the top dog or top lady or top king, top co, top queen of the company for security, but at least you can choose your own terms for being technical and not being technical.

Gerald: Yeah, perfect. All right, Ashish, I think this is all great information for people to take and, you know, start moving towards CISO and achieve those goals. Thanks so much.

Ashish: No problem, thanks for having me.

Gerald: Absolutely, absolutely. All right, well, I hope you enjoyed that. Really quick before we end the video, it's time for the CyberSN job of the week, and this one's a really good one. They sent it over, I checked it out, let's check it out right here. So this is the Technical Support Representative, which is a super generic name, but 150k to 175k, which is really good money. It is completely remote, so giddy up on that; who doesn't like a good remote job? It's basically, if you look at it, SecOps work, IR, but also user awareness training, so you can get some of that GRC usage and that SecOps usage, so kind of like what we're talking about with Ashish, kind of a balance between governance and really hands in the weeds, and then finally 40% is also SecOps, running the firewall, SIEM, and stuff like that. So if you are working or want to work blue team, or you've got some blue team skills and you want to start, you know, pivoting basically into GRC to be able to do CISO work, this is an excellent opportunity. I'll drop a link to the req in the description. No years of experience minimum requirements; I didn't see any other minimum requirements, so check it out. That's going to do it. If you want to learn more about DevSecOps, check out this video right here of me interviewing Ashish about this role, and have a good time. Okay, until next time, stay secure.
Info
Channel: Gerald Auger, PhD - Simply Cyber
Views: 7,470
Keywords: cybersecurity, information security, career, cyber, security, infosec, cyber security, career growth, cyber for beginners, blue team, red team, career development, cyber job, cybersecurity jobs, entry level cybersecurity, entry level, no degree, cyber careers, simplycyber, simply cyber, cyber security for beginners, get into cyber security, cybersecurity careers, careers in cybersecurity, ciso, how to become a ciso, devsecops, ashish rajan, GRC, grc analyst, compliance
Id: suqFCUGNFg0
Length: 12min 58sec (778 seconds)
Published: Mon Dec 06 2021