The New CISO Podcast: Trusting Your Tech to Tackle Human Problems
In this episode of The New CISO, Steve is joined by Dr. Adrian Mayers, VP and CISO at Premera Blue Cross, to discuss what to consider when interviewing for CISO positions and how to trust your tech in the security field. Since fifth grade, Dr. Mayers has had a passion for computers. Now a CISO, he shares the role computers play in a security professional’s everyday life. On the podcast, he talks to Steve about his top leadership qualities, advice for aspiring CISOs, the relationship between human behavior and tech, and his thoughts on the transition to automation.
In this article:
- What makes a good leader?
- How to approach the CISO job interview
- Technology exists to solve human problems, but it can’t replace human beings
- Acknowledge and ease analysts’ stress around automation
- What makes a good cybersecurity program?
- Do your homework and keep your mission in mind
What makes a good leader?
Dr. Mayers describes a leader as someone who has integrity at their core. He believes it’s important to evaluate who you are and ensure that you bring your values into your leadership position: “What are the decisions and the behaviors that you exhibit when nobody’s watching? What kind of character, integrity, and truth are you bringing into that role? How am I showing up? How is my character potentially being tested at this moment or not?” All good questions to ask oneself.
How to approach the CISO job interview
Steve asks Dr. Mayers what advice he would give someone interviewing for a CISO position. Dr. Mayers recommends communicating how security plays into your day-to-day life and asking questions about how the team has handled security problems in the past. The main thing, he says, is to be comfortable with who’s in front of you because this is the team you will build relationships with if you get the job. Culture is important. “Is cybersecurity and security holistically seen as something that is just the primary domain of the CISO, or is it truly everyone’s responsibility?” Dr. Mayers would ask. “And when I was able to make that determination,” he says, “I was able to continue with a lot more information because the culture at Premera was very much ‘Everybody’s got to lean into this.’ The other piece was, ‘What’s the mission here? What are we trying to accomplish? Is it just to protect and defend?’”
Additionally, Dr. Mayers suggests trying to understand the history of the company. “How have things been in the past? Have there been some hurdles or negative cybersecurity incidents that they can share to give you some insight? You can learn a lot,” he urges. “The ability to understand where you are today and where you’re potentially going in the future requires a deep appreciation of the history.”
There are different considerations if you’re seeking a government position rather than evaluating a job at a startup. Ultimately, it depends on each security company’s process and context when navigating the interview stages. When looking for your next position, Dr. Mayers advises asking yourself, “Do I want to go into an office every day? Is there something in between, a hybrid way of doing things? You want to set those things up in your brain before you go in and know your deal breakers but also be open minded. Organizations are made up of people, and you can see these great brands and these large companies, but at the end of the day, it’s just a group of people trying to execute on a mission, a goal, and an objective.”
Technology exists to solve human problems, but it can’t replace human beings
Steve asks Dr. Mayers about his thoughts on using technology to solve human problems. Dr. Mayers reminds the listeners not to get so wrapped up in the technology that they forget what they’re trying to do: tackle human problems. Ultimately, technology helps CISOs do this work, but focusing on the human elements will keep you centered and effective. “Technology exists to solve human problems,” Dr. Mayers reminds. “We’re doing things to make things easier. So keeping that distinction very clear in your mind as you’re leveraging technology to do your job and specifically in cybersecurity, to be able to solve those really complex problems or protect and defend your environments from threat actors.”
Dr. Mayers recognizes that many security professionals wonder if they can trust data platforms versus the insights of actual human beings. He also understands that there is a difference between installing programs and implementing them. Overall, if you take the time to understand the tools, you can see how tech helps make effective security decisions regarding human problems. “I think we buy these tools and the reason they go unutilized is because there’s a trust issue there,” he opines. “Do I trust this platform to make decisions that I had human operators and analysts making? Am I willing to allow some of that responsibility to be shared with this technology and my human beings? If you take the time to truly understand the attributes of a SOAR platform and how it’s truly going to help your organization, you will start to see the value, but it really starts off with trusting the platform. You have to trust the technology and trust that this thing’s going to make the right decision consistently, not make a mistake, and potentially lead us into some major security incident.”
Acknowledge and ease analysts’ stress around automation
Steve asks Dr. Mayers how to convince security professionals to automate low-level tasks. Dr. Mayers assures the listeners that these changes are being made daily in the security field. By clarifying to security professionals that they will not be replaced by automation, but will have more space for high-level problem-solving, the transition will be easier for teams to accept. Dr. Mayers suggests easing analysts’ anxiety first: “You’ll find that starting off with empathy and compassion, and trying to put yourself in that individual’s shoes allows them to lower their anxiety and they start to listen. They become a lot less defensive and they’ll say, ‘What would I be doing potentially if we implemented this technology and allowed some of those lower-level workflows and workloads to go away? I’m glad you asked.’”
What makes a good cybersecurity program?
Dr. Mayers explains that the definition of “good” for cybersecurity programs stems from people. If security professionals have a sense of purpose to show up every day and learn how to use the technology, then that is the measure of a quality program. If you build a dialogue with your security team and understand their concerns and issues, they will have a sense of ease when moving in a technological direction. “What does good look like in cybersecurity or what a CISO is doing?” Dr. Mayers ponders. “I think you really have to distill it down to the simple things, are they showing up? Are they engaged? Are they asking the right questions? Are they invested? Are they checked in? Although technology and processes, and all of those things are great, it’s not a program without the people. You’ve got to have the people engaged and ready to be in the fight every day. There’s a sense of purpose there.”
Do your homework and keep your mission in mind
To Dr. Mayers, the most vital thing when interviewing for a CISO position is always to do your homework. If you are clear about your experience and how you can benefit the security team, you will be able to communicate why you are suitable for the role. Ultimately, you want to show how you are ready to roll up your sleeves and get to work, despite potentially difficult days ahead. Dr. Mayers stresses, “Always do your homework. We all get nervous going into these settings, but I always feel better when I’ve done my homework and I can say ‘I am prepared.’ Here’s the other key thing: if I don’t know something, I say ‘I’m not aware. I will gather some additional information. I don’t have an answer for you right now. Is it okay if I get back to you?’”
Dr. Mayers offers one last piece of advice for CISOs: “When you’re coming into this space, taking on that responsibility of being a new CISO, you’re more interested in contributing to solving the problem than being an innocent bystander and looking at it. There will be bad days, but remember why you’re there and what you’re trying to accomplish, and the contributions that you’re trying to make.”