As of this writing, I've spent six months in the role of Chief Information Security Officer (CISO) at Axonius, a rapidly growing technology company. Though I've held a variety of leadership positions over the years, working in this capacity and setting is new for me. I've been capturing aspects of my journey in talks and articles so that others might learn from my experiences.
What was my first month like? Having joined Axonius a few months earlier to lead Product Management, I benefited from knowing the company's business goals, people, and culture. Still, it took some time to get adjusted to the new role and start feeling a sense of ownership. I captured my impressions and the resulting tips in this DarkReading article:
One of my team's first projects was to unify identity management and deploy Single Sign-On (SSO). Our IT infrastructure is consistent zero-trust architecture principles, so it made sense to treat identity as the focal point of many security decisions. This effort mostly freed our employees from juggling multiple passwords, helped with enforcing access controls, and made it possible to automate user provisioning tasks.
In the process, I discovered that enabling SSO in many SaaS products can involve significant expenses. I shared my frustration in the following Infosecurity article:
As the company's cybersecurity program started gaining shape, I had the opportunity to form a budget. I used to advise others on such initiatives during my consulting days, but owning the program and being the one justifying expenses was another learning experience. I captured my observations in this Help Net Security article:
Given that Axonius' product is a cybersecurity asset management platform, I'm continuing to not only benefiting from our own tool but also considering how this foundational measure can advance a security program. Asset management is deceptively unsexy, yet incredibly useful when done right. I shared my view on the reasons for this on the company's blog:
My perspectives on asset management and the role of a CISO in a technology company was also captured in the following 17-minute interview, conducted by Ed Amoroso of TAG Cyber:
Other ways in which I've publicly reflected on the CISO experience include the Life as a CISO interviews that I host at Axonius, such as my conversations with Sam Curry of Cybereason and Ray Espinoza of Cobalt.io. (Perhaps you should tune in.)
I've shared some of my lessons learned with a group of CISOs at a Bessemer Venture Partners event (that's the photo at the top of this post). I'm also planning to give this talk, titled Reflections of a New CISO, at several events in the near future.