Month: February 2023

Thinking About Compensation

In the last quarter there have been a significant number of layoffs at high profile technology companies. The economy has also made these layoffs particularly challenging. If you didn’t receive a raise of at least 12% last year to keep up with inflation, then you didn’t get a raise or even got a pay cut. A job market flooded with candidates combined with top candidates seeking new positions means the job market is heating up for tech positions across the board. Some of these positions will be CISO level jobs and if you are in the market to make a career change you will inevitably run into salary negotiations at some point during the interview and negotiation process. Here are some things you will need to think about as a new or repeat CISO when negotiating for compensation in your new position.

Job Level

The management level of the CISO role varies across industry and company size. Some CISO roles are Director level, the majority are VP level (including Sr. VP and Executive VP) and a few are truly C-Level as named officers of the company. The role level should be commensurate with the level of responsibility – the more responsibility, the greater the impact to the company and the more senior the role should be. Likewise, the more responsibility, the more risk you are assuming (or responsible for) and so compensation should recognize and reward this.

Company Size

The first choice you will need to navigate is what type of company you want to work for. Public vs private companies will be the main tradeoff, but government or public sector may also be something else you are considering. The main thing to consider with company size is you typically can get a higher title at a smaller company, but this comes at the expense of a lower base salary or more risk in terms of the longevity and stability of the company or the ability to liquidate your equity. However, this risk comes with the potential for a bigger payout and so it is important to really do your research and make sure it is something you truly believe will succeed.

Government and public sector also offer interesting advantages. These roles can come with high visibility, but will typically offer lower salaries or total annual compensation than the private sector. The tradeoff here is you are forming highly visible connections across government and the public sector. You can also establish your reputation on a nationwide level. Lastly, government and public sector positions offer a pension or some form of retirement after the fact. Private sector companies typically do not offer the same level of retirement unless you self fund or have a match via an employer plan. There is a real tradeoff between private and public sector in terms of immediate compensation or deferred compensation, which will come down to your overall financial goals and associated timing.

Risk vs Reward

Let’s briefly talk about risk vs. reward. The type of company you choose to work for and the sector you choose to work in will dictate how much risk you are assuming, which will directly impact your compensation. On the one extreme there are startup companies. They offer the most risk, but also the most reward. On the conservative end of the spectrum there is government and public sector. These jobs are really stable, but can’t match the big pay offs that are associated with start ups or publicly traded companies.

Reward vs Risk

In the graph above I placed public companies as having more risk than private companies due to the fluctuating nature of equity that typically makes up a large portion of the compensation at these companies. However, the real answer is “it depends” and so I encourage you to do your homework on the company you are considering.

Total Compensation

The next thing to understand is: what is the total compensation for the position and what makes up that total compensation? I often find interview candidates are hyper focused on base salary because it offers the guaranteed paycheck each month. However, there are a lot of other ways to build a total compensation package, especially at the executive levels. My recommendation is to take the time to understand all of the components that go into total compensation at the new role. Carefully evaluate the risks and to determine what you are comfortable with, then use that to discuss options with your prospective employer.

Cash Equivalents

Base salary is the big one here, but not the only one. This is the safest form of compensation because it is explicitly written in your offer letter and arrives at regular intervals. I will also lump sign on bonuses into base salary because they are typically granted when you start employment or are guaranteed payouts over a period of time (subject to remaining with the company for a specific term).

Annual Bonuses, Incentive Compensation Plans, Long Term Incentive Plans and Profit Sharing Plans are next on the list in terms of risk. These are basically cash payouts that are given at some interval (monthly, quarterly, semi-annually, annually) depending on the performance of the company. For example, if you are supposed to get a $100 bonus quarterly and in the first quarter your company misses their financial goals, they may choose to only finance 75% of the bonus amount and so you only get $75 that quarter.

Likewise, commission (if applicable) is essentially cash in your pocket, but assumes an amount of risk depending on your sales cycles, lead times, what vertical you are in, your customer, etc. CISOs who are in a public facing role at a product company may be eligible. Similarly, CISO Advisors who help drive sales may also be eligible for commission.

Commission is a lever you can pull on depending on how much risk you want in your compensation. Sales people typically carry very high commissions as percentage of base salary to incentivize them to get out there and sell. Sales engineers or indirect sales people typically have a much lower commission percentage as part of total salary.

Another common compensation option, particularly at public technology companies, is equity. Equity can come in many forms such as Restricted Stock Units (RSUs), Shares or Stock Options. All of these require some sort of sale to convert them to cash and their value will depend on the vesting schedule, how the company is performing, how the stock market is doing (if a public company) or the terms of your ownership in the company that specifies when and how you can sell your stake.

Equity is a form of compensation that allows the employee to assume an amount of risk in their total compensation and it ties their performance (and compensation) to the performance of the company. For a CSO this can be an incredibly rewarding form of compensation particularly if you help take a company through IPO or help mature a company to grow revenue or increase shareholder value.

All of these cash equivalents are negotiable, particularly things like amounts, vesting schedules, strike prices or even equity percentages. Whether or not you get some or all of these will depend on the company and job level of the role.

Indirect Compensation

Other things that will contribute to your paycheck are the benefits your company will provide. Here is a list:

  • Healthcare – Do they cover healthcare, what type of plans do they offer and how much does the company cover? Do they have an on site gym or allow employees to expense gym memberships?
  • Vacation / Leave – Does the company offer unlimited time off or are you limited to a certain number of weeks per year? What is the accrual rate, are there blackout periods, are there times when the whole company is expected to take off?
  • Retirement – Does your company offer a 401k match and what other type of retirement investment options do they offer? Does your employer offer a deferred compensation plan, which can be useful as you approach retirement age?
  • Training & Continuing Education – What type of training does your employer cover? Do they support you going to conferences? Does your employer offer tuition reimbursement or even pay for a full executive education program if you are considering going back to school? Do they cover professional memberships and certifications?
  • Work Permits / VISA Sponsorship – Do you require and does your prospective employer offer VISA sponsorship?
  • Relocation Assistance – Do they offer relocation assistance if you are being asked to move? What type of accommodations and support will they provide if you are being asked to move to a foreign country?
  • Travel & Expense Policies – What type of travel policies do they have when you travel? Do they provide you with a cell phone or allow you to expense your current phone and plan? Do they pay for your internet connection if you are a remote employee? Do they cover mass transit passes or parking (if located in a major city)?
  • Discounts & Perks – Do they offer employees other perks like discounts, free tickets to sporting events or awesome swag?

All of these options will vary depending on the company you are considering and it is important to ask questions and consider all of these additional benefits that will indirectly boost your paycheck.

Other Things To Consider

When negotiating for your new CISO role, there are other things you may want to consider asking for depending on your job level and amount of responsibility.

First, you will most likely want to negotiate a severance if you are laid off or terminated as a result of a security event. Typical severance packages offer some amount of base salary payout, but can also include accelerated vesting schedules, guaranteed bonuses, relocation, cash payouts, etc. Severance packages typically don’t come into play until the more senior levels, but given the high risk nature of the CISO role it is something to ask about during the interview or salary negotiations.

Second, if you are in the senior management ranks it is important to ask if the role is going to be a named officer of the company. If it is, you will want to ask about being included in the liability policy for Directors and Officers. If not, you may want to ask if the company has a standard corporate liability policy and if you can be included in it, which can help protect you during lawsuits or other legal issues you may encounter while employed in the role. You may also want to negotiate for the company to cover your legal fees if you are sued and have the ability to select and retain legal counsel of your choosing that the company pays for, but represents you.

This brings us to the last point of consideration which is contracts and contract terms. At the more senior ranks it is typically to negotiate for all these things, but agree to stay for some period of time as specified in an employment contract. This contract may also have specific non-compete agreements, specific non-disclosure agreement terms and other terms you may have negotiated. They key takeaway is to get everything that has been agreed to in writing and included in the contract.

Wrapping Up

Salary negotiations can be stressful, but they don’t need to be. Doing research, asking questions and knowing your worth can help make salary negotiations go smoothly. Some states now have pay transparency laws which can make it easier to understand the compensation range for the role. At the higher employment levels you may want to consider retaining a compensation lawyer who can draft and review contract or compensation terms on your behalf. Not all of the options I’ve mentioned above will be available at your employer or at the job level you are applying for and so taking the time to understand what is available is important to make sure you are being compensated and protected appropriately.

How Playing Video Games Can Help Your Career In Security

One of my favorite things to do after work is to sit down and play video games. I’ve enjoyed playing video games ever since my father purchased the first family computer in 1986. Now many years later, high powered video game consoles combined with fast internet connections have made playing video games a truly incredible experience and I believe playing video games helps develop and reinforce the skills that are important in a successful security career. Let’s look at some of the skills required by both video games and security professionals.

Problem Solving

One of the most important skills when playing video games is problem solving. Whether you like first person shooters, role playing games, racing games or any other game, all of them require you to determine how to achieve some sort of objective like getting to the next level or unlocking a secret. The thought processes required to solve riddles and level up in video games are also useful in security.

Problem solving in security is important in every discipline. CISOs need to determine how to best manage risk, while supporting the needs of the business. An incident responder needs problem solving skills to determine the nature of an attack and how to best recover from the incident. Security engineers identify problems, establish requirements and then solve the problem by building the solution. All of these roles (and the rest of the Security Org) need well developed problem solving skills to be successful in their role.

Curiosity

Curiosity is also an important skill in video games. What is in this crate? Where does this path go? How do I open this door? What does this new skill do? Exploring the limits of the game are essential to ultimately beating the game and that is also why curiosity is an fundamental skill for working in security. The security industry is inundated daily with new vulnerabilities, new technologies, new attacks and new methods to defend against them. Persistent curiosity is required to continually advance your knowledge, test the limits, learn new skills and ultimately persevere in protecting the business.

As a CSO, curiosity is an important skill to exercise everyday. Asking questions to understand how regulations will impact your industry, how business processes work, how products function or how customers interact with your business is important to inform your decisions on how to best protect the business and manage risk.

Collaboration and Teamwork

Over the past three decades some of the most popular video games have been multiplayer games that rely on collaboration and teamwork to win. When working in a team you increase your odds of capturing a flag, completing a quest, winning the race or beating the game. Team mates can help you, resupply you and even save your life. Just like in video games, security requires team work and collaboration to be successful.

A CSO needs to collaborate with the rest of the business in order to understand how to best manage risk. CSOs need to understand every part of the business to be successful, incident responders need to work as a team to protect the business, compliance professionals need to work with the business owners to gather evidence and governance teams need to work with the rest of the business to establish processes that are minimally invasive. All of this requires teamwork and collaboration in order to be successful.

Attention To Detail

Video games offer unique challenges and the ability to pay attention to small details is often important to complete quests, solve puzzles or beat a level. Racing games require the ability to absorb small details at incredible speed, sports games require players to pay attention to detail to score a point and strategy games require players to pay attention to small details to beat enemies or unlock new skills. Attention to detail is an important skill when playing video games and it is also an important skill in security because all roles in security require attention to detail, which can be the critical difference in resolving a vulnerability or reducing risk.

Often, the small details make the biggest difference in security. GRC professionals need attention to detail to understand specific regulatory requirements or frameworks and how they apply to specific controls or technologies. Incident response professionals need attention to detail to understand how to respond, how to gather evidence and how to recover. Sometimes, it is the small details that someone notices that lead to an investigation and that investigation leads to an incident. Finally, CSOs need attention to detail to understand how to allocate resources, how to budget appropriately and how threats relate to business risk.

Other Important Skills

In addition to the four skills I’ve described above. Video games and security roles also require a number of other common skills. Here is a short list:

Time Management – Using your time wisely and completing tasks within a specific time period.

Discipline – Setting boundaries for yourself and adhering to them.

Competitiveness – Competing with others, rising to the challenge, conducting yourself with honor and being a good sport.

Perseverance – Never giving up, pushing through and completing the job.

Detachment – The ability to look at problems from different perspectives.

Positivity – Don’t dwell on the losses. Focus on the good and believe in a positive outcome.

Cognitive Performance – The ability to focus, perform well under pressure, react quickly and even get into a state of flow.

Wrapping Up

A successful career in security requires not only focusing on domain specific skills (like GRC, Incident Response, etc.), but also more generalized skills that translate to all aspects of life. I personally enjoy playing video games for the reasons above, but also because of the social component that now exists in games. The ability to share the experience with others or discuss games with co-workers and friends is enjoyable. So, next time you are looking to advance your career don’t forget to work on the softer skills along with the security specific skills required for your job and I hope you will consider video games as a viable way to develop those skills!

How Security Evolves As Organizations Move From the Datacenter To The Cloud And Beyond

Despite cloud growth slowing in the past quarter, the momentum of existing and planned cloud adoption remains. As a new or existing CISO, your organization may be just starting to migrate to the cloud or may be looking to improve efficiency by adopting newer technologies like Kubernetes. Wherever you are in your cloud journey security needs to be in the forefront with careful consideration for how your security org, its governance and controls will evolve along the way.

Avoid The Free For All

I’ve been through multiple cloud migrations and before anyone in your organization begins to migrate, the IT, Security and Finance organizations need to come together to lay the appropriate foundation in the new environment. This means you need to set up the appropriate structure for mapping and controlling costs. You also need to map all of your existing IT and security policies and controls into the new cloud environment before people migrate to avoid having to do clean up later. It doesn’t have to be perfect right away, but doing some preparation and implementation of guard rails before teams migrate will pay dividends later.

Not Everything Is Easier

As organizations migrate to the cloud, security teams need to consider how the tools and processes they rely on may change. For example, if you currently rely heavily on netflow or packet captures to monitor your networks, the methods to get the same visibility may be different in the cloud. Similarly, transferring large amounts of data or security events can incur significant costs and so your logging and SIEM infrastructure may need to be re-architected to keep the events as close as possible to the environment, while only shipping the most critical events to a centralized location.

Penetration tests are also different in the cloud. If you regularly penetration test your environment or have third parties conduct pentests for contractual, compliance or regulatory reasons, then these will need to be scheduled and coordinated with your cloud provider so you don’t accidentally disrupt another customer. When you move to the cloud you no longer “own” or control the network and so you have to operate within the terms laid out by your cloud provider. As a result, pentests may be less frequent or may need to have their scope adjusted as appropriate for the environment.

Asset inventory may also change. If you are used to assigning your own DHCP addresses and having these addresses be relatively static in your inventory this will change in the cloud. Your asset inventory will change based on how frequently your organization spins up and down resources. This could be a few hours or days. Your associated inventory, reporting, vulnerability scanning, etc. will all need to be adjusted to the frequency of resource utilization and this can make tracing security events difficult if your inventory isn’t correct.

Processes aren’t the only thing that will need to be adapted to the cloud. Let’s consider how the scope of security changes as you move to the cloud.

In The Beginning

Consider a traditional technology stack where an organization has purchased and manages the storage, network, compute, OS and software running in the stack.

In this model the security organization is responsible for ensuring the security of not only the physical environment, but the security of all of the other technology layers. In some ways this environment offers simplicity because a production application maps directly to a network port, firewall rule, operating system, physical server and dedicated storage. However, this simplicity comes with the full scope of security of the entire environment and technology stack. The leading tech companies largely moved away from this model in the early 2000’s because it is inefficient in terms of resource utilization, portability of applications and velocity of deploying new software at scale.

Enter Virtualization

Organizations looking for more efficiency and utilization from their technology assets found an increase as virtualization came onto the scene. Now companies can run multiple Operating Systems (OS) and application stacks on a single stack of physical hardware.

For security teams, virtualization increases the density of their asset inventory compared to physical assets. This means the asset inventory no longer has a 1:1 correlation with physical assets and the attack surface for the organization will shift towards the OS, Application and Network layers. In this model security teams still need to focus on the full scope of security, but it also allows the organization to begin taking advantage of modern IT infrastructure and deployment concepts.

One extremely important concept is the idea of immutable infrastructure. With immutable infrastructure the organization no longer makes changes to things in production. Instead, they update, patch or improve on their virtual machine images and production applications in their development or test environments and then push those into production. This means development teams can increase the velocity of the software development lifecycle (SDLC) by fixing once and deploying many times. It also means security teams can more tightly control the production environment, which is the highest area of risk for the business.

Moving To The Cloud

At some point your organization may make the decision to migrate to the cloud. Migrating to the cloud offers a number of benefits such as no longer having to purchase and manage depreciating assets, no longer having to staff people to physically manage hardware, no longer having to pay to protect and insure physical assets, increased development velocity and the ability to scale compute, storage and network as needed.

For the security organization, moving to the cloud means you no longer need to worry about physical assets such as network, storage or compute. Your cloud provider now takes care of those layers and so your team has reduced physical scope, but increased logical scope, which results in increased attack surface. Development teams can now deploy with increased velocity and so it is incredibly important to enforce good security hygiene. Shifting security as far left as possible within the CI/CD pipeline and automating the security checks are incredibly important. Similarly, putting guard rails in place to control the environment will be really important to avoid magnifying security issues at scale. Some things to think about are:

  • Tagging is required for security, finance, development, etc. otherwise the deployment fails or the instance is shut down
  • Object storage private and encrypted by default
  • Only specific and required network ports allowed
  • NACLs, ACLs, WAF and/or proxies configured and deployed by default based on service or application
  • Applications are not allowed in production with critical or high vulnerabilities
  • Security logging at each layer sent to object storage, filtered and then sent to a centralized SIEM
  • Control software libraries to minimize software supply chain risks
  • OS images patched, hardened and loaded with required agents
  • Identifying and controlling the flow of data to avoid data leakage
  • Setting and enforcing data retention policies to no only control costs, but reduce the volume of data that needs to be protected

Moving to the cloud allows organizations to dramatically improve the velocity of development and as a result security teams need to shift their controls left in order to improve security and increased visibility without impeding velocity.

Commoditizing The OS Layer

Lastly, once organizations are in the cloud they can begin to ask questions like – what if the OS didn’t matter? What if memory, compute, storage and everything below the application layer was taken care of automatically and all developers need to worry about is the actual application? Enter containers and kubernetes.

Containers and kubernetes allow organizations to scale their applications with incredible speed. All developers need to worry about is to package up their application in a container, deploy it into the cluster and let everything else happen automatically. This model presents both a challenge and an opportunity for security teams.

First, all of the security checks we discussed previously need to happen within the build process and deployment pipeline to make sure organizations aren’t amplifying a vulnerability across their applications.

Second, security teams will continue to make sure the underlying kubernetes clusters meet their security requirements, but the main focus will be on the application layer. Controlling ingress and egress of network traffic going to the application, making sure software libraries are approved and free of vulnerabilities, ensuring software security checks like SAST, DAST and even fuzzing of interfaces are performed before deploying to production will be incredibly important. It will also be important to maintain an inventory, but this wont be a typical inventory of who owns an OS or compute instance. Instead, this inventory will map which team owns a particular application. This will be important for events like Log4j so the appropriate dev team can identify and remediate software libraries or flaws in their applications quickly and then re-deploy. Remember the environment should be immutable so security teams will need to scan, monitor and respond to vulnerabilities detected in production quickly since the attack surface will be much larger in this model.

Wrapping Up

No matter where your organization is in their cloud journey security teams need to identify their scope of responsibility and apply security best practices within their environment. Organizations still in data centers will require security teams to address the full scope of security from the physical layer to the application layer and everything in between. As organizations begin to adopt technologies like virtualization, development velocity should begin to increase and security teams will need to adapt. Moving to the cloud is a big step, but will pay dividends to the organization in terms of increased velocity. Organizations no longer have to acquire or focus on physical hardware and so they can staff more software developers. Likewise, the security teams will need to adjust their requirements and controls to focus on the OS layer and above. Lastly, organizations that have moved to container technologies or embraced kubernetes will have tremendous velocity and security teams will need to make sure the appropriate checks are integrated into the CI/CD pipeline so vulnerabilities aren’t magnified across the entire environment. In order to avoid this security teams need to focus primarily on the application layer and automation will be key.

Conquering Impostor Syndrome

Over the past eighth years I have been shifting my personal interests from reading technical books to reading books on mental performance. Navy SEALs like to say their training is 10% physical and 90% mental and I think this holds true for a lot of endeavors in life. The security industry is inundated with training courses about how to penetration test, how to be an incident responder or how to become a CISO. However, if you want to strengthen your mind to handle the stress of a security role you have to leave the community and seek answers in other places like extreme sports, the military or even self help.

Mental Health is an extremely important aspect of career management that often gets overlooked or neglected. The security community is notorious for burnout because the issues we deal with on a daily basis have a sense of urgency or feel never ending. One important mental health issue that is particularly pervasive within the security community is Impostor Syndrome, which is when people who are otherwise talented or successful still feel as if they are a fraud.

I have personally experienced both burnout and impostor syndrome throughout my career and in my experience impostor syndrome is caused by a fundamental lack of belief in oneself. Therefore, in order to overcome impostor syndrome one must somehow boost their own confidence, which can be difficult because it is tough to self assess.

Understanding the problem

In order to overcome impostor syndrome it is important to first diagnose and understand the problem by asking the question:

What part of your life, career or skillset makes you feel like a fraud?

Perhaps you recently received a promotion, but haven’t received training or coaching to build the necessary skills in that role?

Or, maybe you have the skills, but you haven’t received feedback or validation that these are the right skills to have?

Maybe you are worried your skills are sub-par compared to other people you see at conferences or who you interact with regularly?

Whatever the issue, it is important to be honest with yourself about what makes you feel like a fraud. This is an important step because once you identify the issue you can build a plan to address the problem.

Develop A Balanced Approach

One of the most impactful books I’ve read on mental performance is called With Winning In Mind by Lanny Bassham. This book discusses different parts of the human psyche that need to be in balance in order to avoid psychological performance issues like Impostor Syndrome. With Winning In Mind discusses how to balance the Conscious mind, Sub-conscious mind and the Self Image to achieve balance of the psyche and ultimate performance.

In my opinion, Impostor Syndrome is caused by an imbalance in the Self-Image. The self image has not developed in line with the knowledge, career progression or skillsets possessed by an individual. As a result the individual lacks confidence in themselves and needs to spend time building up their self image to conquer impostor syndrome.

Building (Or Rebuilding) Your Self Image

Below are the steps I recommend you follow in order to overcome Impostor Syndrome. These steps require work and dedication, but if you commit and follow through it will be worth it in the end. The steps are as follows:

  1. Identify the skills or character traits in which you lack confidence. Write these down.
  2. Develop a plan to train or develop each area so you can begin to build confidence in that area.
  3. Create positive affirmations to reinforce your training and build your self image. Put these in prominent places (fridge, desk, mirror, car dashboard, etc.) that you see daily and repeat them to yourself whenever you see them.
  4. Record your progress in a journal and review regularly.

Example

  1. Identify skills – I feel like an impostor when I speak in public. “I want to be a better public speaker”
  2. Develop a plan – “I will practice public speaking for 15 minutes a day, while recording myself. I will review the recording each time and make a plan for the following day for how to improve.”
  3. Create Positive Affirmations – “It is like me to be a great public speaker”
  4. Record your progress

Wrapping Up

Impostor Syndrome is a common psychological performance issue, particularly in the security community and it is caused by fundamental lack of confidence in oneself. By honestly identifying where you lack confidence, you can develop a plan that will help you improve your self image and ultimately overcome the feeling that you are a fraud. If you suffer from impostor syndrome I encourage you to speak openly and honestly about it with a mentor, trusted colleague or mental health professional who can help you create a plan to overcome the issue because impostor syndrome can cause you to psychologically hold yourself back from truly achieving your fullest potential.