The New CISO Podcast: Broad Knowledge is Power – Building a Better Security Team

On this episode of The New CISO, Steve interviews Bryan Willett, the Chief Security Officer (CSO) of Lexmark International, Inc. The focus of the conversation is on the significance of collaboration and team building in the CISO role. With more than 25 years of experience, Bryan possesses a deep understanding of the CISO role and the ways in which to support a team. He shares his insights on how CISOs can continue to grow and develop their skills once they reach this level.

In this article:

• Working his way to the top
• Project management
• Career goals
• Developing as a CISO
• Becoming a salesperson
• Creating a security team
• Advice for a new CISO

Working his way to the top 

Bryan has spent more than  25 years at Lexmark, prioritizing minimizing risk for the business. He is responsible for overseeing IT security, including security governance, architecture, and operations. With a broad scope of duties, Bryan has risen through the ranks and stays informed on security trends, such as supply chain measures. He highlights the importance of collaboration in ensuring the safety of all areas of the company.

Bryan started his career in firmware development and longed to learn more about the product development pipeline and work with people. This led him to transition into product management, setting him up for a leadership role in the field. Reflecting on his past, Bryan says, “I knew coming out of school and electrical engineering, I was definitely more attracted to low-level coding at the time. I started off doing very low-level code for business inkjet printers.” He adds, “What I loved about it was that I was surrounded by amazing engineers who challenged me all the time, and I was constantly learning new capabilities.”

However, Bryan reached a point where he felt he needed a change. He recalls, “I remember probably the second product I worked on is when we started to adopt Linux for the firmware operating system. Going from a proprietary operating system to Linux, the learning curve was amazing, so that was fabulous, but I came to a point where I said, ‘I can’t sit in this dark room anymore. I’ve got to get out.’” As he thought about his career, Bryan realized, “I was looking at my own career and where did I want to get in my career?  You could call it intimidation, but I realized that the engineers I was surrounded by were top-notch and I viewed that they might have had a leg up on me when it came to technical career succession. So that’s why I started thinking about the management track.”

Project management

Project management experience was a stepping stone in Bryan’s career as a manager. Reflecting on his time in project management, he says, I did project management for about four years and it was good…. You were on a tough timeline that you had to hit. It’s learning how to deal with that stress, that problem set, and learning how to manage through that.” For Bryan, successful project management was a crucial step to his advancement in the management track.

The ideal team 

“I find in security, I want people with broad knowledge,” says Bryan. “I want them to be a jack of all trades, maybe not the master in any.” He believes it’s important for his team to understand policy and the impact it has on the business, as well as to have some technical depth in areas like the network, endpoints, and identities. “I need some of them to… understand how all of those work together, but also …what [it means] to the end user [and how it’s] going to impact them,” he explains. 

Bryan values diversity in knowledge and experience, saying, “A diverse set of knowledge that you could have can set you up for a lot of success, whether it’s in security, or whether it’s an executive leadership position.” He emphasizes that executive leaders should have an understanding of how the business operates as a whole, not just in specific areas like finance, marketing, sales, or supply chain. “I can’t emphasize enough the importance of someone thinking about getting that diverse set of experiences in their own life in order to set them up for where they may want to end up,” Bryan says, adding that even if some experiences are uncomfortable, it’s still valuable for personal and professional growth. 

Developing as a CISO 

Bryan shares his perspective on the role of the CISO, stating that, “anybody who is going to be a good manager is always in the mode of preparing their successor.” He adds that   “if you’re not doing that, chances are you’re not going to keep your employees anyway because they also want to move up in their career. If they don’t see the opportunity, they’re going to leave.”

To keep employees motivated and engaged, Bryan suggests finding ways to satisfy one’s creative needs. He says, “I do this through my employees by trying to spur good dialogue with them, especially in one-on-ones to make sure that they’re thinking about themselves, their careers, where they want to go, and I enjoy that.” Bryan believes that by doing so, CISOs can leave a better industry behind them than what they came to.

Becoming a salesperson 

According to Bryan, being a successful CISO requires strong sales skills. As you pitch executive leadership on programs you want to implement, Bryan suggests keeping the explanation simple and avoiding technical jargon. He recomends creating a clear and concise elevator pitch. As Bryan puts it, “Imagine that you’re trying to describe this to your parents. Are they understanding what you’re talking about? So that includes limiting the key points to the things that are most important to get in front of them and really trying to avoid the technical jargon because as soon as I do that, I’m starting to lose them and they won’t understand.” This approach helps to effectively convey the key points and make the sale.

Creating a security team

Bryan was tasked with leading the security team after several years of working in the company. He recalls,“I went into the network and security team. We built out a really awesome team there to develop capabilities and features on the product to better integrate the printers with the IT environment whether it’s joining the printer to active directory or hardening of the system and figuring out how to better harden the system, and then getting into the whole security development life cycle.”

Bryan emphasizes the importance of a team approach to security and highlights the need for a group culture where everyone is valued. He explains, “You have to set the culture that it’s everyone’s responsibility so through a security development life cycle that we created, we created a whole training curriculum around it. We were working on teaching every developer in the languages, in the frameworks that they were operating in what the risks were, and how to deal with those risks from a coding perspective.” By doing so, Bryan believes the team can be successful.

Advice for a new CISO

Bryan believes that having a diverse team is crucial for success as a CISO. He says, “Your words mean things. When you say something, just make sure that it is aligned with what your strategy is because you can quickly get teams ramped up on things that you didn’t mean them to get ramped up on that may not be the priorities. Bryan emhasizes the importance of bringing the entire business, including the users, along with you to achieve success. He explains, “If you don’t bring them along with you, you’re going to fail because as you put controls in, if the users and the business aren’t aligned with you, they will work around you.”

In building his team, Bryan looks for individuals who bring different strengths and skills to the table. He advises, “Look for diversity. You want people on that team who are different than you. You want them to understand other areas of the business where you may be weak, or have skills where you’re weak in to help make the team overall whole, and, actually, more than whole performing at an excellent level.”

Listen to the Podcast

For more insights, listen to the podcast or read the transcript.