Lessons From a New CISO: A Conversation with OU’s Aaron Baillio
What does it take to succeed as a chief information security officer (CISO) today? Has the role become much more than running incidents, instructing junior personnel, and overseeing the traditional Department of No? Are we entering a new age when managing relationships and maintaining adaptability means as much or more to a CISO’s success than brandishing the latest technology?
We sat down with Aaron Baillio, CISO at the University of Oklahoma, to discuss the path he took to his current role and the lessons learned along the way. You can listen to the full conversation on The New CISO podcast. Listening to Aaron, you grasp two unmistakable truths: he’s extremely passionate and knowledgeable about cybersecurity, and he has undoubtedly lived his mantra of adaptability.
Going from the DoD to education
Following an early career at the Department of Defense, where his job was keeping knowledge and secrets locked away, Aaron joined the private sector. Then the University of Oklahoma came calling with a unique opportunity. In a break from his past, he had to embrace a new paradigm where, ironically, the focus was on giving away secrets and imparting knowledge.
From the get-go, the differences were clear. Security in education didn’t rely nearly as much on specific governing policies such as CIS controls or the NIST framework, but rather on more ad hoc policies, based mostly on years of internal “tribal” knowledge.
Nine months later Aaron was made CISO. With no formal leadership experience, this is where he started cutting his teeth as an executive.
First, you must maintain a high level of performance, even in the absence of strategic guidance and leadership. People looking to fill a CISO position want to see how you handle the pressure and uncertainty when left to run operations. Will you show innovation and do your job as best you can with minimal direction? Second, you must shift the emphasis away from the technical and focus on building and managing relationships.
Aaron explains, “So, it becomes a lot more about relationship management, looking at how security can step into the bigger picture, and always finding ways to ingratiate yourself into the larger IT landscape instead of being that Department of No.”
The student CISO project
The University of Oklahoma’s cybersecurity community was small compared to other regions, and it didn’t have a fully-fledged cybersecurity degree program. So when asked to teach, Aaron had to build and shepherd the university’s cybersecurity program nearly from scratch.
With a cybersecurity essentials course started at OU, attention turned to creating a student-run security operations center (SOC). Up to that point, cybersecurity lacked any hands-on internship opportunity.
“We didn’t hold back. We had the students sign NDAs and gave them the opportunity to jump into cybersecurity feet first.”
The student-run SOC program at OU succeeded by providing cybersecurity work experience for students hungry to better position themselves for industry jobs. This program stands out by filling a huge training void, creating a generation of cyber professionals ready to contribute and poised to become tomorrow’s new age CISO.
Aaron’s diverse path from the Department of Defense to the private sector and the University of Oklahoma provided him a unique perspective for his current role as a new age CISO.
“What’s important is each individual find their unique leadership style. It should be based on your personality because that’s what got you there to begin with. Everyone can learn the principles of both leadership and technology. But it’s something about you, something about your personality that got you to where you are.”
He also recommends keeping an open mind and always being adaptable in the face of change. He stresses a looser grip on architecting while providing the guide rails and strategy for your direct reports. Lastly, a New CISO must lead with confidence, as teams ultimately look to you for the direction and competence needed to ensure security across the enterprise.
Find out more in The New CISO podcast episode “Building a Student-Run SOC to Meet Threats Head-On” featuring Aaron as a guest speaker.