CISO Insider S1E2 - “You have unlimited questions left” with Ty Sbano, Part 2

December 23, 2020
On this page

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.     

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.     

Here’s part 2 of our chat with Sisense Chief Security & Trust Officer Ty Sbano, where Ty shares thoughts on finding community within the infosec industry, plus some must-listen security podcasts, and things for early career professionals to look out for as COVID-19 extends into 2021.  

Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at support@nightfall.ai.

Chris Martinez: Welcome to CISO Insider, Nightfall's chat with chief information security officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.  

Chris Martinez: I'm Chris Martinez, today on CISO Insider, it's part two of our chat with Ty Sbano from Sisense, please join us in welcoming Ty back to CISO Insider.       

Chris Martinez: You wrote in your first LinkedIn article about educational resources for people interested in InfoSec. Please share some of those with the audience and talk about why traditional education might not be the best path to success within the industry.

Ty Sbano: I think everyone has their own path, and there is no right path for information security at this time. But 15 years ago, even 20 years ago, when I started more of the technical work, and learnings, and trying to figure out how do I hack into a website? How do I manipulate a phone? All these little things there wasn't a lot of information readily available. Even the internet was much different. The internet growing up didn't exist initially. And then all of a sudden we had 14.4 Modems, and 56K modems, it slowly built up. But in that early stage, access to info and legit info was really difficult to disseminate. Now, even in the general sphere of things, there's just too much. And it's hard to actually render what is valuable.

Ty Sbano: When I look back, Hacker Quarterly was always valuable. It was this weird magazine, still out there, still awesome. But I don't subscribe to it anymore because I have access to so much, and I don't want physical media. Bulletin boards were cool. Forum boards were great. But again, trusting information, and also there were trolls in a lot of those environments that, just because you're running a script, doesn't mean it's a good script to run because it might do something to your local system. So I think a big element there is understanding how to disseminate information before you even get into what you would be looking for resources. So for me, early stage, I think you want to have a good understanding of why you're getting into InfoSec, and why you want to do this because it's not always going to be super favorable.

Ty Sbano: It's going to come with a lot of highs and a lot of lows, but you have to stay even keel. If you're a very hyper emotional person and you're going to panic at the first moment of challenge, let me tell you about botnets that are attacking authentication systems. And you're just like, "40 million accounts just got logged into, is that a breach?" I don't know. Let's go talk to the lawyers. Are you going to panic? And for some of us, the first time you go through that, you're just like, "Wait, what happened? Yeah. Four gigabytes of data left this database, and now we got to go have a discussion." Those are the things that can get pretty tricky. That's experience that comes from time and energy and it doesn't come from traditional books. But as I was starting my career 10 years ago, a lot of the resources are still legitimately good.

Ty Sbano: I think Daniel Miessler has an amazing blog post out there for building a successful career in InfoSec. There's also some GitHub lists out there as well that are just aggregating and social from the standpoint that people are all contributing and leaning in. So I included one in the reference that I sent over. One of my secret websites that I really like going to, it looks not great. I don't know who runs it. It's one of those things I should probably figure out at some point, just so I can say, thank you. But it's Irongeek.com. And I think that's something that's really valuable. The other part is finding strong practitioners that put out a good message that you align with some of their integral values. And for me, early in AppSec, Robert Hanson, salute to him, he is super successful in this domain. Ty Sbano: He was the AppSec guy at eBay, but he created one of the first XSS lists before most web app scanners had anything. And you're using proxy tools and you keep referring back to this website. And for me, it was really cool the first time I met him through a friend, and sitting down and just like, "Can I just say, thank you?" And he's like, "Hey man, thanks. I appreciate that." I'm like, "Well actually you helped my career in just making it easier." And I think that's something I'll ask for a lot of folks too, is if you're going to take, make sure to give back. Regardless of what you're doing in your career. And sometimes there are stipulations, if you're working on some of those larger organizations where you cannot. And I get it, and that's why one of those elements where I think about, if I go back, how do I negotiate that stuff?

Ty Sbano: Which most places will not let you do. The external aspects of doing interviews like this, you're not always able to do and give back to the community, but I think that's an element that's really important. So find the communities out there that align with the vertical and information security that you want to orient with. And then naturally you'll start to transition into practitioner communities, where you'll find your peers, and then you'll find more relevant information. But starting from the outside in, it's going to be very overwhelming. Reddit can be a place, but it's not the place that I would start at this point, because I think there's a lot of disinformation. General bulletin boards, there's too many trolls. I think you have to find trusted communities of people that are really working on solutions. And I think that's where things like OWASP work really well, but there are a lot of groups in there that may not be as great.

Ty Sbano: There's a lot of projects in there that may not be as valuable. And I think that's, again, back to the first point, there's too much information out there. So if you can find that strong mentor in your vertical, let it be your manager, let it be someone local to your environment to at least do some spot mentoring of what worked for them. Start there and then figure out what works for you. The last thing I'll mention, a couple podcasts that I really like just in general, Humans of InfoSec by Caroline Wong, I'm a big fan of that one. It just goes into a lot of these types of discussions. One of newer ones, my buddy Chris Foulon is doing, is the Breaking Into Cybersecurity. So it actually covers this topic of how did you get in? And I think that is very valuable.

Ty Sbano: And the other one that's constantly good information is Security Weekly, and they have verticals of so much information, but Mike Shema, Paul Asadoorian, and Jason Albuquerque and Matt Alderman, they've got a good curriculum and a great guest list of people. And then if you know podcasts, you're going to start to listen into these things, and then you'll find those people that you can anchor on. And then maybe you'll go find some more of their information. And even if you spend two, three weeks looking at their info and you come back and say, "That's enough for me." Cool. You'll be better for it.      

Chris Martinez: What do you think the impacts of COVID-19 will be on early career professionals in the InfoSec industry?

Ty Sbano: It's tough. I'm going to say it's going to be tough. And I think the direct impact are new hires, I hope some folks didn't have their offers pulled if they were about to start in Q2. But I suspect that may have happened. I think internship requirements are going to be really rough as far as onboarding to most companies like ours, where we're a hundred percent remote right now. I think that's going to be tough, even starting in an internship right now and learning an environment that may have been an in-person culture that is now, "Hey, welcome to the company. Here's your laptop. Leave our office now, go home and get set up, and set up a bunch of Zoom meetings". And they're like, "Is this how this works?" And it's like, well, this is how this works now.

Ty Sbano: So I think it's going to be a tough go for sure, given how the market is right now. I think a lot of companies are learning and figuring it out. The differences for early stage professionals in the mix now, I think this is new for all of us. I don't know if there are too many security practitioners that have ever been through a pandemic of this level. If there have been, I haven't found them yet. And I think those are the folks that may have some secret sauce, but I think the rest of us we work through this. We had some high-scale plans that kind of get us through, but we've also had to be creative along the way where there wasn't a lot of documented guidance. I will say through my career, as much as I've appreciated a lot of the external guidance or things that are out there that can be used as open source, oftentimes it's using basic principles of security hygiene. What makes sense for the organization and contextual management, as far as driving the org to support it specifically.

Ty Sbano: Instead of saying, I read this in a book, this is how we're going to do it. And I think that's where taking these learnings is only going to add so much value to your career because now business continuity, some people just never really cared about, yeah, we use AWS. We don't have to worry about it. It's like, yeah, if your office shuts down now, what can you still do your marketing? Can you still do your sales? Are you still able to engage? Those answers right now are getting answered very, I'm not going to say poorly, but I think it's a rough go. Because now you're seeing a lot of layoffs happening. How do the waves of layoffs go?

Ty Sbano: It's typically those folks that are underperforming, redundant, no longer required, but then you start getting into the very new, and the folks early in their careers, they might find themselves in that situation. Someone that's navigated four or five times for career changing moments where maybe you have a really rough conversation with your leadership team saying, "We have to do this." And if it's a number that is bigger than 10%, it's not going to be easy. Especially if you have a tiny team. And I've used the same strategy, I'm not going to get into it for this chat, for every company I've been at. And I've never been through one of those on the end where I found myself on the outside, but I've definitely tried in certain cases where it would've made sense, and I've definitely gone to bat for my team.

Ty Sbano: And especially right now, I have a team of three people and I'm looking around and it's a rough chat, so you can extrapolate this however you want. But I offer myself in those scenarios where it's like, cool, if we got to make a cut, here's how you're going to save the most amount of money, I'm going. And then the reaction from your own manager every time, it's usually pretty funny, but if they're ever like, "That's a good call." That's going to be a rough conversation. But you're playing a game of chicken at the same time. You're analytically looking at it from a data-driven standpoint. But if you're a people manager, if you want to be a CISO, you're going to have to learn how to deal with really tough decisions.

Ty Sbano: And sometimes there are cases where you’ve got to deliver a really bad message to good people. And I hold those near and dear to my heart. And then I create strategies and tactics of how to navigate that effectively, hopefully with some of them. But sometimes you're just going to have to deal a really tough message. And it is what it is, and towing that line can be emotionally stressful. But I think that's just a people manager aspect. It's not limited to CISOs.      

Chris Martinez: What do you think CISOs, as well as early career InfoSec professionals, care about?

Ty Sbano: I think it's learning to grow, and I think learning to learn. One of the things I think that's really important as part of career development is defining a development action plan, and understanding why you're doing something, and what is the purpose, and what is the benefit, but also planning for how to be resilient. And resiliency is an understated value within the security community. I think business resiliency, or security or cyber resiliency is a word, but individual personal resiliency is something that I think is really important to learn and care about. Because again, you're going to have a lot of stressful situations. They're going to be times when someone reports something to you through the Whispernet, and all of a sudden you're like, "Oh crap, have we been breached?" And then how do you manage that message and communication? And I think dealing with that type of stress, again, it comes back to experience.

Ty Sbano: For folks that want to think about becoming a CISO, take your time. There's no rush to be a CISO because if you get to that point and you jump in way too early, and I've seen a few peers do this, your track record isn't going to be too great if you're a CISO that goes under the average of 17 months, every time you're there for six months, you're there three months. I know some folks that only make it nine months each time, and then they get a package and they're out, but it doesn't really resonate externally. And your story only holds together so strong because you're not thinking about the full narrative of your career with your development action plan.      

Chris Martinez: What problems are you looking to solve in this role?

Ty Sbano: It's going to be contextual. I think it's going to be time-based based on whatever person you're talking to, and the moment you're dealing with. So I think that's where as you're doing this, you're going to find right now everyone's business continuity, everyone's work from home challenges. Everyone's dealing with doing more with less. Budgets just got slashed, headcount got slashed, but I think it's contextual. So I think problems are always going to be oriented around either the traditional thing that we're all saying, or it's time-bound with what's happening in the world.      

Chris Martinez: What are you looking for to succeed along each step along this path?

Ty Sbano: I think that's individually based. If you want to just make a ton of money, it's much different than actually having influence or driving change. For me earlier in my career for the first 10 years was how do I inspire security to be top of mind for software engineers? And if they are ones making our software better, I am very happy. But even if they make software better in their next org and that one story, that one training, that one coaching element, that one tool that we rolled out, whatever had an influence on that person to carry it forward, to make the world a little bit more secure, a little bit more high quality when it comes to software. That was my goal then. Now my goal is actually pretty similar. I want folks to think in a broader sense. So it's not just engineers, I'm looking across the board and for me, it's every organization I work for.

Ty Sbano: My value that I bring to the world is more, this balanced thing. I talk about it a little bit externally. It's called ikigai. It's a Japanese term of what the world needs, what you bring value in, and what you get paid for. What brings you joy is a big part of that too. So this Venn diagram, I know we don't use Venn diagrams too often, but for success, each person has a different definition. And for me, I'm looking for that perfect sweet spot. And I think I have it right now. It's early stage companies that are building a product that I can work with people I trust, because it's not too lofty. It's not too big to fail. It's not getting hated on, because it's this vertical and the CEO is a wild person. It's an element that I'm helping other people that are dedicated to this function, this effort for a life-changing journey.

Ty Sbano: And when we take a step back every quarter, every six months, every 12 months, and we look back and we say, "Holy crap, did we do all that?" And to me, that feels really good. And when you do that, not just with a small team, but you start doing that with a larger security team, you start to extrapolate that experience a little bit more. But to me, success right now is kind of grooming a lot of the next generation security leaders. So when I bring someone into my team, it's not, you're going to do valuable work for three to six months, and I see you're gone for 12 months, and you're getting hired quick and you're gone. I'm looking for the folks that are going to be the deputy CISO. I'm looking for folks that want to be the next rockstar security engineer and that's where they're going to focus on.

Ty Sbano: They're like, "You know what, Ty? I don't want to be CISO." I'm like, "Good. I think your personality doesn't say you should be a CISO. I think everything that we've done together, you should be an awesome engineer, that you go get your name, your brand, your value out there to the street. You publish open source, versus someone that's mortgage, multiple kids, wants to be a consistent person that delivers, but slowly grows their career a little bit differently." And maybe it's in a governance role. Maybe it's more focused on training and awareness. So for me, success now is paying a lot of it forward because I've had such strong mentors that helped me get to this point. But also I can go deeper into other things that I'm going to leave off the table for now,      

Chris Martinez: Are there any questions you wish you had answers to earlier in your career?

Ty Sbano: Man, I mean there's so many and again, that's that curiosity element. It's unlimited. And I think one of the things I really like in my current culture, is one of the founding engineers, I don't know where I got it from. You ask a question, especially early on. And the response after we finished everything, he's like, "Hey Ty, just a heads up, you have unlimited questions left." And I'm like, "Oh, that's dope." So like, you're not going to turn me away, because as a security practitioner, sometimes you get tired of people asking the same questions. That mantra, that mentality, I think that for me is again, a really interesting aspect of, again, that empathy piece, because as security practitioners, it's easy to fall into the trap of, go read the security policy, go read that documentation. As opposed to, let me take one minute, Chris, and just let me explain it to you. Here's how this thing works. Getting down to that level of having that interaction is really important. I think the questions I would answer are did I do enough practitioner work outside of security to be successful? And sometimes I question that. Was the web manager work enough? Was the consulting work enough? Did I do enough at JP Morgan Chase? Did I learn enough technical work at Capital One before I became a director? Did I do enough work at Target? I think there's a level of certainty that comes out of it, but I don't think there's ever going to be like those milestone questions of, did I ask the right questions? And did I do the right... I think it's a matter of you're always questioning something. So it's the open-mindedness and the empathy.  

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud-native data loss prevention solution. If you're enjoying the show, please leave us a review and rating on Apple podcasts. The ratings and reviews help more people find us.   

Follow Nightfall on Twitter, Facebook, LinkedIn, and Instagram at Nightfall AI and email us at support@nightfall.ai with questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you'd like to hear from. Stay safe out there and we'll see you again next time.      

Stay tuned for the next episode and the rest of our exciting slate of guests for season 1, beginning January 6, 2021. You won’t want to miss this! Follow CISO Insider for updates on our latest episodes.      

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.