The New CISO Podcast: Success After CISO – How to Become Your Own Boss

In this episode of The New CISO, Steve Moore is joined by Aaron Bailey, CISO and co-founder of The Missing Link, to discuss what it takes to start your own security business. A technology native, Aaron explains how he started in cybersecurity, working his way up from entry-level positions. After high school, Aaron struggled to find a job. He finally got hired at a computer shop, which launched his career. Through explaining his professional journey, Aaron shares the benefits and difficulties of being a cybersecurity founder. 

In this blog post:

• An early start in computer technology
• Some character traits can outweigh a job candidate’s lack of technical knowledge
• A bold move, and the panic of a startup
• Just jump out of the plane
• Success comes from trust — and a solid legal contract
• A CISO should be a peer, not a report

An early start in computer technology

Aaron’s parents enrolled him in a programming course when he was eight years old. At age 11, he got his first computer, which was running “something like…DOS 3.3…in the days of modems,” he says. Born from a desire to play the games his brother sent him, which wouldn’t work due to memory and storage limitations, he began tinkering with that computer. He started playing games online via bulletin boards on dial-up and started learning about hacking techniques. “Really, it was just a puzzle that was continuously there to solve and almost never ending,” Aaron says.

Naturally, Aaron’s first job was in a computer shop. He started repairing computers at age 17, and moved up to a junior security technician role as the company grew. “I was doing things like file audits…upgrading checkpoint files on Sun Solaris systems, patching Solaris, all that sort of stuff,” he explains.

Some character traits can outweigh a job candidate’s lack of technical knowledge  

Aaron has learned from his previous work experience and says he is “now taking direct lessons from that and converting them into interview questions.” Although he is a staunch techie, he doesn’t think every job applicant needs to share that trait. “Obviously, I’m very technical. I just love understanding how stuff ticks, but not everyone is,” he acknowledges. “I don’t think you need to be a hardcore techie for every role,” he says. There are three things he looks for in an interview: 

1. Passion — “Do they have a passion for the topic?” he wants to know. “You can tell that by how someone just talks about it.”
2. Intelligence — “Intelligence is a bit hard to judge, but hopefully, you can get some of that by some of the quippy answers,” he says.
3. Perseverance and determination — “Someone who’s going to take it, not expect to be given it quite simply. That’s hard to judge, especially if you’re just having a one-hour conversation in an interview,” he says. “Who’s going to find a way and smash through barriers and get it done? Or is this a person that will expect two hours a day of mentoring a career, a progression plan that requires a five-day boot camp once a month of paid training constantly?”

A bold move, and the panic of a startup 

When they were both around 18 or 19 years old, Aaron and his friend Sam were working at Dimension Data, which had been acquired by NTT. Sam approached Aaron, saying that he was going to resign and start his own cybersecurity business with The Missing Link. “He said, ‘Let’s do this together. Why don’t you come with me?’” Aaron explains. He was hesitant, telling Sam, “No, you’re crazy. That sounds risky.” Aaron’s career was going well at the time. He was managing a team of more than 30 employees, revenue was up, and he had recently won an award. “I was inducted into the Technical Hall of Fame with Dimension Data,” he says. Although he saw a career path for himself at his current company, his meeting with the partners at The Missing Link was promising. He was still hesitant, but his wife told him, “‘You’re braver than this,’” Aaron reminisces. “And I was like, ‘Okay, I love it. Let’s go.’ And so we did. It’s been a lot of hard work, but I’m loving it.” Aaron explains, “From the two of us at the tail end of 2013, we’ve grown to 80 plus cybersecurity pros, and almost 50 million in revenue ourselves for the cyber division. So it’s been a wild ride, but it’s very rewarding, very scary, and nerve-wracking as well.”

In the early weeks of joining the Missing Link, “It was not all smooth riding,” Aaron says “I remember three weeks in, I thought this would be easy. I know cyber. I know people, people know me, let’s go. And then, no one would give me a meeting, and I’m not sending out many proposals or quotes. Three or four weeks in, I was literally losing my mind, sweating, stressing, and panicking because I didn’t have one purchase order yet.” Again, Aaron remembers, his wife was the voice of reason: “‘It’s been three weeks, you idiot. Just keep going. You’re fine.’”

Although Aaron struggled in the beginning, the company now has great success. “Now I know, and I should have known this then. It was just the panic of startup… We are the epicenter of success or failure here. It’s up to us to either make it or break it here,” Aaron says. 

Just jump out of the plane

Before Aaron and Sam started at The Missing Link, the company “had done some level of security… like firewalls and antivirus… and email gateways,” says Aaron, but “they didn’t have anyone with security in their title… no dedicated cyber professionals at the time.” It was only seven weeks from the first time Sam mentioned this to Aaron about them starting their business — and they each took a 40-50% pay cut to do so. “Just jump out of the plane,” Aaron says.

Although Aaron had some experience with P&L from his previous role, he had to learn on the job about things like OPEX vs. COGS. “I didn’t have a clue,” he says. “I had a lot of learning and appreciation for how P&L worked… but I couldn’t control it. I had P&L responsibility, but zero control… That was frustrating. I felt like I wanted to go somewhere, I wanted to do things, but I kept having people say no to me.”

About six months in, Aaron says, he had “a real light bulb moment of like, oh shit. With great power comes great responsibility. If Alex doesn’t say no to me too much, then I can really screw this up. So P&L knowledge is one thing, but responsibility where you can make your own calls is a whole other scary level,” he says.

Aaron admits he’s still learning how to do it all. “It’s tough. It’s interesting. It feels bonkers sometimes talking and haggling and discussing percentages of something that doesn’t exist, that hasn’t happened yet,” he explains. “It’s an interesting ride, but it’s just basically [trying] to learn as much as possible.”

Success comes from trust — and a solid legal contract

The original shareholder agreement for Missing Link’s new cyber division “was more of a gentleman’s agreement and less legalese,” Aaron admits. “You’re going into business with somebody, and we had a lot of trust between the four of us, Alex, Dan, Sam, and myself.” But, his advice for those seeking to start their own business “is to get advice because these are legal documents.” Their agreement “is a lot more evolved nowadays,” he says.

“I’ve seen some awful stories in the market of people messing with other people, screwing people over,” Aaron says. “It can go horribly wrong. I’ve seen people ousted from companies. They’re a director and a shareholder, and then they just get forcibly removed, voted out.” He explains that it’s sometimes due to “greed, hostility, and other bad things” and that the most important thing is “the hearts and minds and the people and the talent that you’re going into business with.” Also important, though, is the “contract itself about who can do what and what decisions trigger other things and what the formulas are around actions or decisions.”

A CISO should be a peer, not a report

People coming into a CISO role must understand the importance of that position to the business. “Cybersecurity is becoming more prevalent,” Aaron explains. “There’s more board awareness. I think CISOs should strive to have a seat on the board or have that direct line of communication with companies as much as they can, founder or not. I’ve seen so many companies and customers of ours where the CISO reports to the CIO, CFO, or COO, but they’re a report, they’re not a peer. I think that needs to happen more,” he asserts.

Aaron’s final piece of advice is “to share more. We need to teach and learn. There’s too much to cybersecurity. You’re never going to learn it all. So you’ve got to keep learning, but you’ve got to share that as much as you can as well,” he says.

Essentially, says Aaron, a new CISO should “strive for the top, become peers with the board  [and teach] others around you because we need more CISOs in the world. There’s not enough people [and there is a] skills shortage. So we need to do our best to train those around us to be that next generation.”

Listen to the Podcast

To learn more about Aaron Bailey and get more insights, listen to the podcast or read the transcript.