Navigating The First 90-180 Days In A New CISO Role

Late one Friday afternoon a call comes in and you find out you landed your next CISO role. All the interview prep, research, networking and public speaking have paid off! Then it dawns on you that you could be walking into a very difficult situation over the next few months. Even though the interview answered a lot of questions, you won’t know the reality of the situation until you start. How will your expectations differ from reality? What can you do to minimize risk as you come up to speed? How should you navigate these first 90-180 days in your new role?

Prior To Starting

Let’s assume you have some time to wind down your current position and you are also going to take some time off before starting the new role. During this transition period I highly advise you reach out to your peers in the new role and start asking questions to get more detail about the top challenges and risks you need to address. Start with the rest of the C-Suite, but also get time with board members and other senior business leaders to get their perspectives. Focus on building rapport, but also gather information to build on what you learned during the interview process so you can hit the ground running.

You can also use this time to reach out to your CISO peers in your network who are in the same industry, vertical or company type to get their perspective on what they did when they first joined their company. Learn from their experience and try to accelerate your journey once you start. Keep the lines of communication open so if you run into a situation you are unsure of you can ask for advice.

Once You Start

Build Relationships

First and foremost, start building relationships as quickly as possible. Target senior leadership first, such as board members, the C-Suite and other senior leaders. Work your way down by identifying key influencers and decision makers throughout the org. Play the “new person card” and ask questions about anything and everything. Gain an understanding of the “operational tempo” of the business such as when key meetings take place (like board meetings). Understand the historical reasons why certain challenges exist. Understand the political reasons why challenges persist. Understand the OKRs, KPIs and other business objectives carried by your peers. Learn the near and long term strategy for the business. Start building out a picture of what the true situation is and how you want to begin prioritizing.

Plan For The Worst

Don’t be surprised if you take a new role and are immediately thrown into an incident or other significant situation. You may not have had time to review playbooks or processes, but you can still fall back on your prior experience to guide the team through this event and learn from it. Most importantly, you can use this experience to identify key talent and let them lead, while you observe and take notes. You can also use your observation of the incident to take notes on things that need to be improved such as interaction with non-security groups, when to inform the board, how to communicate with customers or how to improve coordination among your team.

Act With Urgency

Your first few months in the role are extremely vulnerable periods for both you and the company. During this period you won’t have a full picture of the risks to the business and you may not have fully developed your long term plan. Despite these challenges, you still need to act with urgency to gain an understanding of the business and the risk landscape as quickly as possible. Build on the existing program (if any) to document your assumptions, discoveries, controls and risks so you can begin to litigation-proof your org. Map the maturity of security controls to an industry framework to help inform your view of the current state of risk at the company. Begin building out templates for communicating your findings, asks, etc. to both the board and your peers. Most importantly, the company will benefit from your fresh perspective so be candid about your findings and initial recommendations.

Evaluate The Security Org

In addition to the recommendations above, one of the first things I like to do is evaluate the org I have inherited. I try to talk to everyone and answer a few questions:

  1. Is the current org structure best positioned to support the rest of the business?
  2. How does the rest of the business perceive the security org?
  3. Where do we have talent gaps in the org?
  4. What improvements do we need to make to culture, diversity, processes, etc. to optimize the existing talent of the org?

Answering these questions may require you to work with your HR business partner to build out new role definitions and career paths for your org. You may also need to start a diversity campaign or a culture improvement campaign within the security org. Most importantly, evaluate the people in your org to see if you have the right people in the right places with the right skillsets.

A Plan Takes Shape

As you glide past the 90 day mark and start establishing your position as a trusted business partner, you should arrive at a point where a clear vision and strategy is starting to take shape. Use the information you have gathered from your peers, your program documentation and your observations to start building a comprehensive plan and strategy. I’ve documented this process in detail here. In addition to building your program plan you can also begin to more accurately communicate the state of your security program to senior leaders and the board. Show how much the existing program addresses business risk and where additional investment is needed. I’ve documented a suggested process here. Somewhere between your 90 and 180 day mark you should have a formalized plan for where you are over invested, under invested or need to make changes to optimize existing investment. This could include restructuring your org, buying a new technology, adjusting contractual terms or purchasing short term cyber insurance. It could even include outsourcing key functions of the security org for the short term, until you can get the rest of your program up to a certain standard. Most importantly, document how you arrived at key decisions and priorities.

Take Care Of Yourself

Lastly, on a personal note, make sure to take care of yourself. Starting a new role is hectic and exciting, but it is also a time where you can quickly overwork yourself. Remember building and leading a successful security program is a marathon not a sprint. The work is never done. Get your program to a comfortable position as quickly as possible by addressing key gaps so you can avoid burning yourself out. Try to establish a routine to allow for physical and mental health and communicate your goals to your business partners so they can support you.

During this time (or the first year) you may also want to minimize external commitments like dinners, conferences and speaking engagements. When you start a new role everyone will want your time and attention, but be cautious and protective of your time. While it is nice to get a free meal, these dinners can often take up a lot of time for little value on your end (you are the product after all). Most companies have an active marketing department that will ask you to engage with customers and the industry. Build a good relationship with your marketing peers to interweave customer commitments with industry events so you are appropriately balancing your time and attending the events that will be most impactful for the company, your network and your career.

Wrapping Up

Landing your next CISO role is exciting and definitely worth celebrating. However, the first 90-180 days are critical to gain an understanding of the business, key stakeholders and how you want to start prioritizing activities. Most importantly, build relationships, act with urgency and document everything so you can minimize the window of exposure as you are coming up to speed in your new role.

Build A Proactive Security Program By Focusing On The Fundamentals

A common topic at security conferences, CISO dinners and networking events is: “how are you preparing your program for a new and upcoming regulation?” For CISOs, this conversation is a way to exchange ideas, gather information and compare programs. Unfortunately, CISOs often express feeling underprepared for the upcoming shift in the regulatory landscape, causing them to scramble to meet the new requirements. I’m sure this feeling has existed since the first CISO role was created and has been continuing through SOX, PCI-DSS, HIPAA, GDPR, DORA and CMMC. If you have ever felt your program can be better prepared for new challenges or are looking to be more proactive then this post is for you. The goal is to prepare your security program so well that any new challenges are a non-event and I fundamentally believe there are lots of things CISOs can do with their security programs to achieve this goal.

What Causes Programs To Be Reactive?

Underfunding

There are several issues that can cause a security program to be reactive and understanding the problem is the first step to overcoming it. One of the most common issues with any security program is underfunding. Underfunding a security program can have ripple effects on staff, technology, risk management and compliance activities. Underfunding can be a conscious choice of the business, but more often it is the result of the CISO failing to articulate or demonstrate how the security program creates value for the business. If you can’t link your security program back to business objectives and risk then your program is falling short. When a program is underfunded it can’t innovate or gain breathing room. As a result the program will be in a perpetual state of reactivity and constantly responding to the next problem that comes up.

Poor Understanding Of Risk

But wait! You say. My program is well funded. I have the staff and technology I need, but we are still reactive. This can be for a few other reasons, such as your program has a poor understanding of the risk landscape for the business. At a basic level this means documenting your program, controls, policies, exceptions and strategy so you are in lock step with what the business is trying to accomplish. The culture of the security program should be “help me say yes to your security ask”, instead of always saying no.

Thoroughly understanding the risk landscape for the business, such as where your security program effectively manages that risk and where the business can take on more risk, is critical to helping the business operate, expand and be successful. If you haven’t mapped your program to risk then your program will always be reactive because you will have to constantly evaluate the changing business conditions each time, slowing down the business and pulling resources from other areas.

Shiny Thing Syndrome

One final reason your security program can be reactive is shiny thing syndrome. This is where someone in the org (it can be you, the CTO, the CEO, etc.) is constantly enamored with new technology, things they read in Harvard Business Review or whatever they think is “cool”. This means your program will constantly lurch from thing to thing without ever gaining momentum. It also means instead of following a clear and well laid out strategy and roadmap, your program will hop around and never achieve success. The best way to counter shiny thing syndrome is with a well documented program, with a clear understanding of where you are and where you are going.

Shifting To Become Proactive

So the big question is: how do you shift your program to become proactive? We can talk about a lot of ideas like automation, AI, processes, etc., but I truly believe the core of any security program should be the fundamentals and by focusing on these fundamentals you can stop being reactive.

Don’t Practice During The Game

Here is an analogy that I like to use for what a proactive security program means. Consider you are learning to play baseball. You could go out into the field, look around and hope the ball doesn’t get hit to you. Worse, you could have no idea which way to face, what to do with the glove or even how to win the game. You are just standing there… waiting to react to whatever happens and hoping to figure it out. This is a security program that hasn’t mastered the fundamentals.

However, hope is not a strategy and you shouldn’t practice your skills at the game. You should practice the skills you need before the game, hone them over and over until they become instinctive, allowing you to proactively shift your strategy during the game. This is what a proactive security program can do. By focusing on the fundamentals like knowing what you have, where it is and what the status is, you know you won’t have to scramble to figure these things out when a new regulation comes out or a new incident hits. By thoroughly documenting your program against an industry standard framework and continually measuring compliance and risk against that framework you will eventually master the fundamentals and become proactive. Focusing on and mastering the fundamentals allows you to continually refine your program so you can anticipate where the business, industry and regulatory environment are going. In fact, any changes in the business, industry or regulatory environment should be a non-event because your program is so robust that you can help the business take on and manage whatever new risk comes up.

Wrapping Up

Next time you are faced with a challenging incident, new regulation, new compliance activity or are at odds with the business, ask yourself if your program has mastered the fundamentals. Do an honest assessment of your program, conduct a retrospective of past activities and assess where you need to improve. Find new ways to articulate the value of your program and link your program back to business risk so you can get the funding and support you need. By mastering the fundamentals you are mastering important skills when it doesn’t matter, so you can be proactive and anticipate events before they matter.

How CIOs, CTOs and the rest of the C-Suite Can Better Support CISOs

There are a variety of reporting structures for CISOs, such as reporting to the CTO, CIO, CFO or CEO. No matter who the CISO reports to, the CISO is still an integral part of the C-Suite. Yet despite this, CISOs don’t always receive full support from the rest of their C-Suite peers, which can cause friction and open up the business to risk. In this post I’ll cover how the rest of the C-Suite can better support their CISO peers and how doing so will actually help them achieve their goals as well.

Strategic Planning

First and foremost, the CISO needs to be included in strategic planning sessions about new markets, mergers and acquisitions (M&A), divestitures, new product launches and new customer types. Each of these areas will create new security risks and regulatory requirements that can have lengthy lead times for addressing. The CISO needs to be informed about product roadmaps, new features and new technology initiatives. If the CISO and security group are left out of these strategic discussions the business could be forced to delay a new business opportunity or worse enter the new opportunity without properly managing the risks.

Master The Fundamentals

Second, CTOs and CIOs need their teams to master and execute on the fundamentals. This means things like asset inventory, logging, observability, QA, QC and operations support (event notification and cost analysis). The reality is the rest of the business needs these things and these are not problems the CISO should own, yet if they are not in place they will cripple a security program. For this reason, a lot of CISOs will try to tackle these issues, but they won’t be successful without support from the C-Suite that actually owns these functions. So, one of the best ways the CTO and CIO can support the CISO is to lead the way on the heavy lifting for these fundamentals. That way the CISO can draft off of these and focus on making their security program as effective as possible to manage risk.

Accountability

Speaking of mastering the fundamentals, what we are really talking about is accountability. The rest of the C-Suite needs to hold their teams accountable for completing or resolving security issues. This could be things like resolving technical debt, completing training, fixing vulnerabilities or appropriately prioritizing security requests. If accountability isn’t enforced at the C-Suite, then the rest of the business will become siloed and ignore other initiatives across the company. This can cause security issues to pile up and open up the business to risk that will be impossible for the CISO to manage. By holding your teams accountable and partnering with the CISO function you will create a partnership that can accelerate the business instead of creating unnecessary friction.

One easy way to get visibility into what your teams are doing, so you can drive accountability, is with an exceptions process. Exceptions are a common process for a security function and it allows the security team to have escalating levels of approval based on risk. It also allows for reporting and metrics about how many exceptions a team has requested, how many have been approved and how long it takes the team to resolve an exception. This can provide other C-Suite members valuable insights into how their function is performing with respect to their security commitments and it also allows the C-Suite to drive accountability into their functions by acting as the senior executive approver for critical risks in their function.

An exceptions process doesn’t have to be just for security. The entire company can benefit from an exceptions process such as for purchasing, contracts, sales, finance and engineering. Exceptions across the company can give visibility, promote good friction and drive accountability.

Support Good Friction

There are two different types of friction in a company and we have all experienced them. Good friction exists to help slow people down to consider their actions or minimize risk. These are processes like confirming large financial transactions or requiring validation of someone’s identity before using a critical resource. Bad friction wastes people’s time and is adversarial. These are processes that are inefficient, people that exercise unnecessary control over others or people that never follow through on activities. This type of friction needs to be avoided.

The rest of the C-Suite can support the creation of good friction with respect to security and how security engages with their teams. Good friction can actually accelerate the business by front loading activities where they will take less time, instead of trying to resolve issues later in the lifecycle where they are incredibly difficult and expensive to resolve. Some examples of good friction are security checks as part of the CI/CD pipeline, like SAST, automated attack simulation, or automated compliance reviews. When the rest of the C-Suite supports good friction it will actually make everyone’s job easier and less risky.

Help Advocate For Security

Another way the rest of the C-Suite can support the CISO is by helping to advocate the value of the security function beyond being an insurance policy or compliance function. While the security function may be viewed as a cost center, it can actually drive revenue and generate value. By including the CISO in the strategic planning process, CISOs can advocate product features with customers and engage with customers in a more proactive way. CISOs can also work with the go to market and finance teams to create processes for tracking customer engagements by the security team. This can shed light into the direct and indirect ways the security function is driving revenue, which can change the perspective of the security function from simply being a cost center. Having other C-Suite members advocate and support the CISO with customer engagements, building revenue tracking and involving the security team in all phases of the business can help improve the value of security and reduce overall risk.

Cultural Change

The last area the C-Suite can help the CISO with is cultural change. The Chief People Officer or Chief HR officer can work with the CISO to create and adapt comp structures for the security team that reflect the competitiveness of the market. They can also work with the CISO to create career paths, training and job specific performance metrics for the security function. The Chief People Officer and the HR function are also critical partners for the CISO to backstop security policies and enforce these policies across the company. HR can create and enforce consequences for policy violations, such as lack of eligibility for promotion, and they can also help manage the worst offenders with termination. HR can also set incentives to reward good security behavior such as giving spot bonuses, rapid promotions or even tying bonuses to completion of key security goals.

Outside of the culture of the security function, the rest of the C-Suite can set the tone for the culture with respect to how the company should view and engage with security. In particular, the C-Suite can lay the foundation for a security first culture and hold people accountable for implementing this throughout their functions. They can also shift the culture by holding business owners accountable for the things they own. Lastly, if the rest of the C-Suite carries KPIs, OKRs or other annual performance metrics as part of their annual goals this can help cross pollinate and incentivize the entire company to execute on effectively managing risk.

Wrapping Up

Close partnership with the rest of the C-Suite is essential for the CISO to be successful. The rest of the C-Suite can support the CISO and the security function by involving the CISO in strategic planning, driving accountability, mastering the fundamentals, supporting good friction, advocating for security and helping to drive cultural change. By supporting these areas, the rest of the C-Suite will set the tone from the top and work with the CISO to govern the risk of the business in a way that allows it to eliminate bad friction, accelerate growth and remain competitive.

Start Preparing For Your Next Role During Your Current Role

If there is one piece of advice I can pass on to anyone – it is don’t wait to start preparing for your next role. No matter where you are in your career, your job will constantly expose you to new things and those new things will change your perspective, give you experience and make you grow in ways you can’t anticipate. Embrace the growth, but also have the foresight to set yourself up for success no matter where your career takes you. This post offers several lessons learned about how to constantly position yourself for success and most importantly – don’t wait to prepare for your next role.

Start With The Interview

Preparing for your next role begins the second you start interviewing for your current role. The interview process is a time for both the company and the candidate to ask questions. The process will reveal areas of growth on both sides and candidates should embrace the areas they are less confident in or need to work on. This will set them on a path for mastering those skills and to be able to use their current role as a stepping stone to the next role. Candidates can also use the interview to ask how the company views the role evolving and what the path for promotion is (either title or job level).

During the interview process or after landing the job, candidates should evaluate and learn the skills exhibited by their immediate manager or the senior member of their team. Have conversations with these individuals and make a list of skills you need to master if you were promoted to their role. The time to work on new skills is now, not when a role or promotion is offered. By that time it is too late! Whether you are aiming for a promotion, looking for a new job or if you get laid off and need to find a new position, don’t wait to prepare until you need a job because you will be behind the curve.

Get Certifications

If you are targeting a new role or promotion, look at the qualifications and certifications of individuals in those roles. LinkedIn is a great place to do research on what is needed for career progression. Evaluate the certifications, degrees and experience of people who have the job title you want. Also review job postings to see what companies are looking for. Certifications take time, money and effort so plan accordingly. If your company offers to pay for these certifications take full advantage and build it into your performance goals. Make a plan to obtain the necessary certifications and qualifications so you can position yourself and effectively compete for the role you want.

Demonstrate Expertise

In addition to certifications you also need to demonstrate expertise. When doing your research about your next job, don’t just look at the job title. Look at the skills they require, the company size and the industry. Learn the skills, learn about the company and learn about the industry they operate in. Demonstrate expertise in these areas by writing blog posts, submitting conference talks, participating in local chapter events or participating in a podcast. You can even use popular social media platforms to generate your own content. The point is to build up a body of work that demonstrates your knowledge and most importantly to create an independent profile, separate from your job that represents who you are and what you can do. Think of it as a living resume.

Network

Networking continues to be one of the most powerful ways to advance your career. Attending conferences, chapter meetups, get togethers, and other social events puts a face to a name and builds rapport. This can be invaluable when looking for your next job, but just like everything else it takes time and effort to network.

Outside of the meetups, there are a few other recommendations I have for networking. First, don’t target the people that have the job you want, target the people that hire for the job you want. For example, if you want to be the CISO at a publicly traded company, do research on who the current CISO reports to and then figure out a way to connect with that person so you are on their radar. Second, make a list of companies that you would like to work for and research people at those companies. Start connecting and networking with those people either virtually or physically. Ask for a quick intro call to introduce yourself and learn about their role. Lastly, connect with recruiters that hire for the position you are targeting. Set up an intro call to get their perspective on the market and how you can position yourself better. This will put you on their radar as a candidate when new positions come their way. This all takes time and effort, but if you set a small goal to meet one new person a month, this can quickly lead to a lot of new people in your network by the time you are ready to make a move.

Challenge Yourself

My last piece of advice is to constantly challenge yourself. First, expand your experience by learning about different aspects of the business that will help you to be successful in your next role. Learning about other aspects of the business such as finance, HR, product, sales, engineering, etc. will make you more effective in your current role and give you valuable experience for your next role. It will also generate empathy on both sides, which can pay dividends towards making your next security project a success.

Second, don’t focus on team size. Instead, focus on scope and impact of your role. You may think it is better to have an extremely large team, and while this can be good experience, it doesn’t really tell people anything about what you accomplished. Instead, focus on developing and articulating the scope and impact of your role. For a CISO and the security organization, this means becoming a trusted advisor for the rest of the business and translating your successes into career highlights.

This brings us to the last piece of advice I have, which is to keep a running “brag sheet” of your accomplishments. As you progress in your current role, write down your accomplishments and the things you learn that can be useful in future roles. Continually update your resume and social media profiles to capture these achievements so you don’t have to try and remember them when a new opportunity presents itself. Keeping your resume continually updated means it will be fresh and ready to go when a recruiter reaches out or your dream role opens up.

Wrapping Up

The biggest thing you should take away from this post is to continually improve yourself by gaining experience and credentials that will be useful in your next position. Have the foresight to think about your current position and the moves it will take to get you to your dream role. Start planning for that role today because it takes time to build up the right skills, credentials and expertise for your next job.

2023 End Of Year Review & 2024 Look Ahead

At the start of 2023 I created personal and professional goals for myself to speak at conferences more, attend more professional events and capture my professional experience in a series of blog posts. In this post I’ll share what worked, what didn’t and how my results compared to my goals. At the end I’ll discuss what my goals are for 2024.

Blogging (and Podcasts)

Just before 2023 kicked off I created this blog, primarily to capture my experience as a way to give back to the industry and to catalog my professional experience as a historical reference for myself. The two biggest lessons learned are: just get started and be consistent.

Just Get Started

I talked to a lot of people in 2023 about this blog and a surprising number confessed they also wanted to write a blog or create a podcast, but hadn’t started for a number of reasons, such as:

  • “I’m not a good writer”
  • “Nobody wants to hear what I have to say”
  • “I don’t have time”
  • “I need to get permission”

It is easy to hide behind these excuses and never start so my advice is to stop procrastinating and just get started. No one cares if your grammar isn’t perfect or if your content isn’t perfect. If you need permission, then track down who can approve your content and remove that barrier. Getting started will allow you to iterate, try new things and learn how to get better. The only way you will be able to get started is to set some ground rules for yourself. I personally found I work best by setting aside time on the weekend to write a post and then reward myself with some screen time such as video games or a movie. I also found that I write better when I have an idea and start writing it as soon as possible. If I wait, I often forget my thought process and then don’t write about that topic. Lastly, I found keeping a running idea log on my phone worked well. Whenever I have an idea I write it down in the idea log with as much context as possible, often creating a rough outline on the spot. Then when I get in front of my computer I can fill in the rest of the post.

Be Consistent

My goal in 2023 was to write one blog post or LinkedIn post a week. This felt sustainable without being a massive time commitment every day that would distract from my day job. My secondary goal was to increase my number of readers, followers and connections both virtually and in person. Being consistent is the best way to accomplish all of these goals. I was most consistent when I set aside time on the weekend to write for a few hours before rewarding myself with another activity. I found writing a post on the weekend or during the week allowed me time to refine it before posting it. I also relied heavily on scheduling posts, which allowed me to write several posts when I felt inspired and then post them when I was ready. This also allowed me some wiggle room if I was sick or traveling. By being consistent you continually pop up in people’s feeds and the social media algorithms will begin to recommend your content to people, which will increase your follower base.

So How Did I Do In 2023?

At the start of 2023 I set a goal to write one post per week. On this blog I achieved 38 posts and a combined 94 LinkedIn posts (which includes the blog posts). I started 2023 with 2010 followers and 1938 LinkedIn connections. I now have 2392 followers and 2091 connections. In general I connect with anyone on LinkedIn, but I do prune the connections if people try to sell me stuff or abuse the connection. Overall, I saw a 20% increase in followers and an 8% increase in connections and I’m very happy with these results.

Networking Events

I attended dozens of networking and industry events in 2023 and these spawned tons of additional follow-on meetups. If I meet someone new at an event, I try to connect with them on LinkedIn and then meet up for coffee or drinks to get to know them better. The top events I attended in 2023 were:

  • Gartner Evanta CIO / CISO Summits
  • HMG Strategy Denver Summit
  • Colorado=Security CISO Dinner Series

Public Speaking

One of my 2023 goals was to get back on the public speaking circuit. There are a few security related conferences in Denver with the top one being the Rocky Mountain Information Security Conference. In 2023 I gave a talk at RMISC about “A CISO Primer On Legal Privilege,” which gave a high level overview of legal privilege and had great audience discussion around the topic. I also spoke at a smaller, more intimate conference put on by BrainGu called RS2. This conference wasn’t security specific, but it did have a wide variety of speakers and thought leaders. The smaller conference setting allowed for great networking opportunities and I met a lot of great people there. Lastly, in July 2023 I met Hunter Muller of HMG Strategy as part of being nominated as a 2024 CISO of the Year. At the HMG Denver Summit I spoke on a panel with 3 other CISOs about “Innovation in Cybersecurity”. The HMG conference was a fantastic opportunity to meet other technology executives and hear their lessons learned.

Other Activities

In 2023 I explored joining a few new advisory boards. I’ve been on the CIO/CISO Advisory Board for the Denver Gartner Evanta community for the past few years, but at the end of 2023 I was also asked to join the HMG Denver Advisory Board. I also joined the advisory board of Phoenix Security and the STAR network for 1011 Venture Capital. My goal in all of this is to expand my network, keep up to date with industry trends and give back to the security community.

In addition to advisory boards I also explored doing video blogs and podcasts with other leaders. Most notably, Milan Patel and I have been doing a series of video blogs about the intersection of security and compliance. This has been great to cross-pollinate our ideas and also draw from a different pool of followers.

2024 Look Ahead

I had a busy year in 2023 and am very happy with my results. So what’s in store for 2024?

  1. Continue the blog with a focus on being more timely with hot topics. My most popular posts were the ones that discussed my thoughts on topics that had immediate relevance in the news or industry.
  2. Do more blogs, podcasts or webinars with other industry leaders.
  3. Submit to speak at conferences. I’ll plan to continue to submit to speak at RMISC, a Gartner Evanta event and an HMG Strategy Summit. If another opportunity pops up I’ll definitely write a post about it.
  4. Explore joining additional advisory boards. I am enjoying advising various companies and industry groups on how to navigate the complex cybersecurity market. My experience as a CISO, CTO and lifelong technologist provides perspective so I can help guide these groups to be successful.