As of this writing, I've spent six months in the role of Chief Information Security Officer (CISO) at Axonius, a rapidly growing technology company. Though I've held a variety of leadership positions over the years, working in this capacity and setting is new for me. I've been capturing aspects of my journey in talks and articles so that others might learn from my experiences.
What was my first month like? Having joined Axonius a few months earlier to lead Product Management, I benefited from knowing the company's business goals, people, and culture. Still, it took some time to get adjusted to the new role and start feeling a sense of ownership. I captured my impressions and the resulting tips in this DarkReading article:
Your First Month as a CISO: Forming an Information Security Program
It's easy to get overwhelmed in your new position, but these tips and resources will help you get started.
One of my team's first projects was to unify identity management and deploy Single Sign-On (SSO). Our IT infrastructure is consistent zero-trust architecture principles, so it made sense to treat identity as the focal point of many security decisions. This effort mostly freed our employees from juggling multiple passwords, helped with enforcing access controls, and made it possible to automate user provisioning tasks.
In the process, I discovered that enabling SSO in many SaaS products can involve significant expenses. I shared my frustration in the following Infosecurity article:
SSO Out of Reach: SaaS Pricing Strategies Weaken Customers’ Security
Want to enable Single Sign-On (SSO) in a SaaS application that your organization uses? Be prepared to pay for this “privilege” as the fees will likely be more than you think.
As the company's cybersecurity program started gaining shape, I had the opportunity to form a budget. I used to advise others on such initiatives during my consulting days, but owning the program and being the one justifying expenses was another learning experience. I captured my observations in this Help Net Security article:
Without business-relevant details and the right context, the people reviewing your request won’t understand its necessity and significance to the organization.
Given that Axonius' product is a cybersecurity asset management platform, I'm continuing to not only benefiting from our own tool but also considering how this foundational measure can advance a security program. Asset management is deceptively unsexy, yet incredibly useful when done right. I shared my view on the reasons for this on the company's blog:
Security leaders who’ve implemented effective asset management will live longer, healthier, and more fulfilling lives :-)
My perspectives on asset management and the role of a CISO in a technology company was also captured in the following 17-minute interview, conducted by Ed Amoroso of TAG Cyber:
Other ways in which I've publicly reflected on the CISO experience include the Life as a CISO interviews that I host at Axonius, such as my conversations with Sam Curry of Cybereason and Ray Espinoza of Cobalt.io. (Perhaps you should tune in.)
In addition, I joined the Hacker Valley podcast, where I shared my perspective on the role of a CISO in today's enterprise. Tune into Episode 45 to listen to the conversation (link 1, link 2).
I've shared some of my lessons learned with a group of CISOs at a Bessemer Venture Partners event (that's the photo at the top of this post). I'm also planning to give this talk, titled Reflections of a New CISO, at several events in the near future.