In this episode of The New CISO Podcast, Steve Moore is joined by Kevin DeLange, VP and CISO of IGT. They discuss how Kevin’s love of problem solving led him to a career in cybersecurity. Serving in the U.S. Army was Kevin’s entry point into the world of security. After completing his service, Kevin earned a degree in Anthropology. “This was a discipline that really allowed me to define a paradigm and solve an issue,” says Kevin. “That’s what security’s all about. You’re faced with a puzzle and you have to solve that puzzle.”
In this article:
- Job qualifications include more than what’s on a resume
- Speak to senior management in their language
- Relationship building is essential to success
- Why Kevin chose to work in information security
- Simplify problems when communicating to senior management
- Know when to let things fail
- Understand the hiring company’s definition of the security leadership role
Job qualifications include more than what’s on a resume
Although now there are college degrees in the information security field, Kevin recognizes that there is no substitute for real-life experience. Among the traits that Kevin looks for when hiring a security professional are soft skills: “If I find somebody who is self-motivated, driven, really wants to solve problems, and can communicate effectively, to me that’s the most important.”
Speak to senior management in their language
Steve asks Kevin the best ways to present a problem in the workplace and how to stand out to senior management. Kevin mentions the two components of the job: the business side and the technical side. He stresses the importance of speaking to your audience in a manner they can understand, saying, “You need to present a problem or resolution to them in business terms that they can clearly understand, whether that’s money or a percentage; you need some sort of KPI that they can relate to. If you can’t speak in simple terms like that, you’re never going to get your message across, get funding, or get support because nobody knows what you’re talking about.”
Relationship building is essential to success
It’s also essential to ensure you have advocates to support you, which comes from building relationships, Kevin says. He advises, “Gather relationships throughout the years. It’s important when you’re new to the business that you find somebody that is generally interested in what you do. Then, you nurture that relationship so that they will act as somebody up the food chain to give you support.”
Kevin discusses how new employees can build these relationships. “You have to search out these people,” he says. “You look for people who have good relationships at a higher level. You have to take the initiative and you have to put the value proposition in front of them of why it would be good to have a good relationship with them. You have to put in the effort or you’re not going to be successful.”
Why Kevin chose to work in information security
Balancing three full-time jobs, Kevin eventually had to choose what he wanted to pursue. Ultimately, he decided on information security because he found it exciting and was well-equipped for its problem-solving component. “When I was asked to make the decision, I found information security to be far more of an interesting proposition,” Kevin remembers. “I had no idea at the time about the volatility of the profession and how quickly things change. Although I couldn’t foresee the magnitude of it, I could foresee the challenge, and that’s something I wanted to do. Information security oftentimes presents problems that you had not experienced before and don’t know how to solve. There’s not a manual for it.”
Simplify problems when communicating to senior management
The most challenging thing for Kevin is to simplify the problem before trying to solve it, though that is what he strives to do most. Kevin laments that it’s “difficult to prove a negative,” but the more he condenses what he’s communicating to senior management, the more he can get the support he needs. Kevin says, “I can’t go to the CFO and say, ‘That $5 million you gave me really worked out well because you don’t see any bad things happening.’ If you can, simplify that paradigm and say, ‘We have done all of these audits, we’ve done all these assessments, we’ve communicated, and we’ve managed to successfully avoid anything catastrophic.’”
Know when to let things fail
You cannot oversee your own work as a CISO, so it’s critical to pass that duty to someone on your security team. Since you cannot do it all, it’s sometimes better to let things fail to move forward. Kevin mentions, “We all have our job to do. You absolutely cannot do everything as we just said. You can’t be the one assessing whether you’re doing your job. So if you don’t pass that off to other teams, then I don’t see how you can be successful in information security, because you need to keep that discipline oversight function. You can set up policies, guidelines, standards, whatever you have, but if somebody else isn’t doing the groundwork and you are not assessing how well the controls are working, then you’re doomed to failure because there is no way to objectively look at that.”
Understand the hiring company’s definition of the security leadership role
Steve asks Kevin what his red flags are for people applying for security leadership positions. Kevin provides his main criteria, which is paying attention to the hiring company’s definition of a CISO. “You really have to define your perimeter and you have to understand what you will and will not do,” he explains. “So what I’ll do with business continuity may be totally different than what I’ll do in patching, and what I do in patching may be totally different than what I’ll do in incident response. If you don’t understand your perimeter for all of those areas, then you’re going to end up owning things that you really shouldn’t be owning. You have to understand what the hiring company is defining as a CISO.”
Listen to the Podcast
To learn more, listen to the podcast and read the transcript.
Similar Posts
What’s New in Exabeam Product Development – March 2024
Take TDIR to a Whole New Level: Achieving Security Operations Excellence
Action, Remediation, and Lessons Learned: Implementing Incident Response
Recent Posts
What’s New in Exabeam Product Development – March 2024
Take TDIR to a Whole New Level: Achieving Security Operations Excellence
Generative AI is Reshaping Cybersecurity. Is Your Organization Prepared?
Stay Informed
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!