At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Segment CISO Coleen Coolidge returns to CISO Insider for part two of our chat on controlling your affect within your org. Here’s part two with Coleen.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at email@example.com.
Chris Martinez: Welcome to CISO Insider, Nightfall’s chat with Chief Information Security Officers. We host CISOs from different industries to discuss their pathways to the role, the challenges they face in their everyday work, and lessons they can share with anyone aspiring to become a CISO. This podcast brings you into the world of cybersecurity and gives you a window into the most brilliant minds in the business.
Chris Martinez: In part two of our chat with Segment CISO Coleen Coolidge, we discuss what it takes for CISOs to be successful in ever-changing times. Planning for the post-COVID world, managing obstacles to success like investing in mental health, and building resilience and social education are among the topics we're getting into today. Also, catch up with some of the best writing from the Segment security team in the show notes for this episode. Please join me in welcoming Coleen back to CISO Insider.
Chris Martinez: When you get offers for speaking opportunities and engagements, how do you determine what's a good use of your time and where you can make your most impact?
Coleen Coolidge: I think it depends on where you are in your career. In general, if you are first starting out in the security field, anywhere you can go and speak is a good idea. I think there should be a bias towards saying yes. From a small local meetup to a podcast to writing an article or something like that, definitely say yes. The reason why: it benefits the community because you're sharing your learnings from your work.
Coleen Coolidge: And maybe that can help at least one person in the room, but it will also help you start to articulate your message well. For most of us, the principles and ideas that you have as a security person may not be as crystallized as we want them to be. We could talk to other security people and they'll understand where we're coming from. But then when you try to talk to your executive who might be two levels or three levels above you, how crystallized is your message for that person? Do they stare at you blankly? Do they understand the most important points from what you're trying to tell them? Or are you just another confusing security person who has too many things going on in your head and you're trying to do too much and say too much, and they think you're all over the place?
Coleen Coolidge: I think it benefits you at every stage of your career to pause and reflect on what you've been doing. Think of the value and themes of your work, and put that in the form of a talk. Whether that is a formal talk or informal talk, like a podcast, I think that’s even better. I love the podcast format. It's more conversational. The flow is really good. They're enjoyable. As you get busier, though, and as you get more well-known, what'll happen is instead of begging for stage time, people will come to you. You might get offers every day or every week, and you simply won't have the time because you still have to do your job, which is securing your company. And even though you'll have even more to talk about at the later stages of your career, you should actually be a bit more choosy and ask if there is a particular benefit to your company with this speaking engagement.
Coleen Coolidge: If you're a company person, will speaking at this particular venue help your company? Will it help someone on your team if you speak on a particular topic or if you work with a particular vendor? You should be a little bit more surgical about it and protect your time. I used to do Toastmasters, where they had this concept of a pocket speech. They emphasize that you always need to have a running list of things that you could talk about. Not just a laundry list of topics, but maybe you have three slides that you've been working on in the background.
Coleen Coolidge: You keep those slides open every day. When you have an epiphany as you're doing something else, like a shower thought, you can add it to the slide. What's an evergreen talk that you would want to give that really defines you as a security expert? You find yourself, like your parents, saying the same thing over and over again. When you're that security parent, what is that security parent set of slides that you want to tell everybody? Always do these three things. But be ready with that pocket speech, because I think it's easier to have something that's partially developed.
Coleen Coolidge: Most of us who have a day job where it feels like we're just keeping our head above water, it helps to have a pocket speech or two in the background. It will really help give you a boost.
Chris Martinez: Have you noticed a dramatic shift in the role of CISOs post COVID? What changes, if any, will be permanent?
Coleen Coolidge: At the beginning of the pandemic, I thought we would see certain types of changes. I thought for sure that there was just going to be this huge movement to secure the home network. And that we, as CISOs, would be teaching everyone about how to be safe at home. Like if you have five roommates or something like that. But really what I've seen as the biggest change is that security teams have had to get really good at effective asynchronous communication. If everyone's in the same office together and you have a security footprint in each of those offices, just by proximity, it's easier to do your job. They pass by the security people's desks. You go to the same lunchroom and sit down and happen to talk about projects. So, because you're there, you have this gift of proximity. You've been able to build these bonds with one another and these security conversations happen.
Coleen Coolidge: So if you're at home for an entire year and so is everyone else, you don't have the ability to bump into anybody at work. That's completely gone. You need to make sure that your processes are really solid. Is there a possibility that something could slip through the cracks? Be intentional about talking through security dependencies before the quarter begins. If you're in an organization where you plan your OKRs or your business process management together, what does security need for each of these teams in the coming quarter, or in the coming year? Is that written down somewhere, where the teams will actually go look at when they're doing their work?
Coleen Coolidge: How can you be sure that the written words that you use will pop up in that lucky happenstance, the way that you were at the refrigerator getting your string cheese, and someone from a different team that you needed to talk to was doing exactly the same thing? How do you create that happenstance through paper documents or Google docs, and then showing up to the right meetings to make sure that team accomplishes their security priorities? It's more intentional. I think it's more work, but at the same time, you don't want to leave it to chance. I think you need to make sure that it's more systemic, and define the way things will get caught in time.
Chris Martinez: How can security leaders effectively communicate the issues and problems they face in their role to the rest of the organization, especially fellow executives and other stakeholders who may not be the most technical or have visibility into the work?
Coleen Coolidge: I think metrics, scorecards, Slack communications, emails, all of those things are really helpful. I think that most security pros know that the people you work with by and large want to do the right thing.
Coleen Coolidge: These are not people who are trying to outsmart or avoid security or hoping you don’t catch them doing the wrong thing. Security is not their day-to-day job, so you really need to make it easy for them. And that's where that crystallization of the message comes in. If you feel an organization you’re working with is not speedy enough, or maybe they don't have the resources and the help or these things aren't being prioritized, rather than us falling back on our old habits of complaining about them behind their backs, or escalating on them to their managers and saying, "You're not doing anything you're supposed to be doing," why don't you start producing metrics instead?
Coleen Coolidge: That is a lot harder than it sounds. The hard part is knowing what to measure. And then once you know what you want to measure, asking if your company is set up for success to do that. For us, in order for that to happen, we needed to make sure that we were using JIRA really well. That’s where we were tracking all those local vulnerabilities. We have logic built into our JIRA to make sure that before an outstanding task would become late, you would get a countdown through email.
Coleen Coolidge: JIRA became the main place for people to find their answers. That JIRA dashboard shows by department what tasks are late. We can click into tickets and see the progress for each one. This made it easier for people to get unblocked. There was a lot of pre-work that had to be done in order to make that happen. But thanks to that work, we understand our whole organization by different departments and different teams. We can make sure that the tickets are assigned appropriately because sometimes teams will change. You need to make sure that those tickets are ported over to the correct new team.
Coleen Coolidge: And from all of that data from those tickets, we have a dashboard where we can see which teams and tickets were late. We could see which tickets had the most extensions and which teams those tickets were associated with. Being able to provide that type of at-a-glance information is helpful for your executives who don't have time to sift through all your JIRA tickets. It's also helpful for you because now you know exactly, from a vulnerability management point, where your biggest risks are.
Coleen Coolidge: Once you start measuring, you can start holding yourself accountable to the things that you say. It's easy to take a snapshot of that dashboard and then send it to the executive to make your case stronger. It’s much more effective to say something like, "Most of your org is doing really well, but it seems like this team is struggling to get their vulnerabilities fixed on time. What can we do to help them?" instead of, "These are clearly the bad guys. They don't want to do the job. Maybe you should do something about them." It could be a question of resources. It could be that they have way too many priority one items that are heaped on top of them. But metrics shouldn't be looked at as something that are bad or dangerous. They allow you to have a really intelligent and hopefully, a calm and emotionless conversation about what needs to get fixed.
Chris Martinez: What are some key attributes of an effective cyber security leader as a technical leader, a people manager and for other functions of the role?
Coleen Coolidge: I think that there are so many different kinds of effective cybersecurity leaders out there. You definitely don't print them from a mold. I think you have to be brave. I know that sounds a bit goofy. But if you think about what the job is, it's a position of public trust and your team is looking to you as a paragon of virtue, even if you don't look at yourself this way.
Coleen Coolidge: If you notice things that aren’t right over the course of your work, and you don't use the political capital that you have to address the problem because you're too afraid of being fired or losing your stock or whatever it might be, your team will start to lose faith in you. And when your security team starts to lose faith in you, they're going to leave you or worse, they're going to stay and they're going to do very uninspired security. They will think the worst about you: "My security leader is just going through the motions. When it really matters they don’t stand up for what's right. They don't speak up for me or on my behalf. They don't challenge an executive who’s doing something that they consider to be dangerous.” When your team doesn't see you taking a risk to do the right thing, I think that that's when you run into trouble. It doesn't matter what your background is as far as how you kind of came up, but you really need to push for the right thing in your work.
Coleen Coolidge: And you need to get good at presenting it in a really diplomatic but extremely strong way. The second thing is I think humility helps. Through LinkedIn, everyone who works in security is constantly being marketed to with questions like, “Are you interested in looking at this and giving your opinion on it?” Or, “We're looking for people to be on our advisory board.” And they appear to offer you roles by saying, " We love your background as a security leader. Would you consider being a director, or a CISO, or a senior manager?” As you’re looking at your LinkedIn, you're thinking, "Wow. People think I'm really good at what I do." If you believe all of those things that you get on LinkedIn, it can get to a person's head. When you have that in your head and your boss is giving you some tough feedback, the attitude could sometimes be like, "Don't you know who I am? I don't have to improve. I could leave right now and get a way better job."
Coleen Coolidge: If you get to that point, you need to check yourself. Nobody needs to hear that from you. Take the feedback that you get, even if you don't want to hear it. It's super valuable. Someone is taking a risk to give you critical feedback to help make you better. That means that they care about you, or they care about the effectiveness of your program and it's your obligation to listen.
Coleen Coolidge: Humility goes along with bravery. As far as skills go, most security leaders I know came up through particular paths in security, like application or network security. Some have a strong governance, risk, and compliance background. Once you get to a very high level in security, I think that being able to command an army, rather than trying to show off your glory days has more value. What was once your deeply technical work is now your team's domain and their area to shine. It's not all about you showing off to your team and everyone else. It's great for you if you've been able to stay technical. But are you also as good at your main job of commanding that army of the different parts of your security teams? Are you able to inspire and lead all of them? Are you able to put together a roadmap and a vision that speaks to every single person on your team? Can they map their daily work to your five-year vision? Do your executives understand where you're trying to go? Do they understand why your set of security teams is good? Do they understand the main principles of what you're trying to get across? When you become that leader on that side, you need to be very effective at those levels.
Coleen Coolidge: If you spend all of your time looking down and spending time with people who are earlier in their career, trying to show them that you're as good as them, are you spending your time appropriately? I'm not saying you shouldn’t continue to be technical, but remember that your obligation at that level is to do the job that your team isn't doing. You must have command of the message with the rest of your company, the board, and the executives, and be crystal clear about what it is that your team is trying to accomplish, and how far they are and how far they have to go. Be very clear about how much more money or resources your team needs. That's what your job is. Make sure that you're not dabbling in minutia and actually looking at the broader picture.
Coleen Coolidge: If you want to have a hand in something that's technical, you must have a risk-based reason for it. Is the thing that you're digging into on the technical side related to a top risk that your team is tracking and mitigating, or is it just fun? Are you just essentially having the company pay you to dabble in something that's not going to have a positive security effect on the company? In the five-year vision, I think you need to make sure that people understand that they're not going to be doing the same job five years from now that they're doing today. Show them how the work that they're doing now will benefit the team, particularly if they're doing bootstrap type work. What's the next level above that and the level above that? And what are you trying to achieve? Otherwise, people feel like they're on a treadmill for five years and they can't get off.
Chris Martinez: As a security leader, what makes you get out of bed or motivates you to start your day every day?
Coleen Coolidge: For me personally, the work is always interesting because there's always something to do in every one of the domains. The multi-year roadmap is the menu for the next few years into the future that you can start salivating over. But it’s the people that I work with every day that make a difference because they're the ones who I want to do this work with. They make this work magical because we can come up with what we want to solve in the next three to five years. If you don't like who you're working with, if you don't have a high level of respect for them, and if you don't learn from each other, you could be doing this job with the same roadmap anywhere. I've been really lucky that the people who decided to come work with me at Segment are people who I would happily talk to in my free time and go out to dinner or go golfing with them. I look forward to seeing them and talking to them.
Chris Martinez: What's the biggest issue ahead in 2021 for cybersecurity leaders? How should we as security professionals approach these issues?
Coleen Coolidge: Two things come to mind. One is an increased focus on third-party security among all the vendors we're all using. When you think about what your tech stack really is, or even just the tools that you use, you might have some software actually installed on your desktop. There would be a certain number of licenses and everything would be contained in your data center. Now, when you think about what makes up just one department’s security, like all the different tools that your HR department uses, none of those things are things that you built.
Coleen Coolidge: These apps were installed onto a person's desktop and none of it is closely locked down and monitored. These are all SaaS tools that you don't have a huge amount of control over. I think that we need a reckoning with any third-party tool that you depend on, making sure that you avoid sending the vendor several questions because I don't really think adding a ton more questions helps your understanding. I think it's really about how you put controls in place to guard against the apps’ deficiencies. How do you guard your organizational data, and your users’ data?
Coleen Coolidge: The second thing has been related to business continuity planning. A lot of security people are suffering from burnout. We are counting the days until we get fully vaccinated, and until the things that we want to do open back up. I actually think we're going to have a personnel shortage where everybody is trying to take off at the same time and travel abroad or just go visit family. They want to go on an extremely long vacation and want to take two months off of work. If you think you already have a shortage of people now, imagine when everybody wants to take vacation at the same time. And people are entitled to this because if you think about how hard the last year has been on everyone, we might need to do a shutdown just so people can really spend time with their families and friends.
Coleen Coolidge: But who wants to take a vacation during COVID when nobody's vaccinated? It's not safe. I think once we reach a tipping point of enough people in the U.S. getting vaccinated, a lot of people are going to take off work at the same time. That's going to become a bigger problem. Everyone has put their lives on hold. Think about all of your friends who are getting married this year, or who have had a new baby and want to visit relatives with the baby. Everyone is going to leave. So I would encourage the CISOs and really any other business leaders to know that it's going to happen. Try to make plans, if you can, to have minimum coverage at all times, because you don't want an entire department out at the same time.
Chris Martinez: Do you have any advice for young security practitioners coming up in the COVID era?
Coleen Coolidge: The COVID twist on this wasn’t as apparent before. If you want a really good security job relatively early in your career, the idea is that you need to be in the vicinity of the role. If you graduated and you're somewhere in the South or the Northeast when the job's in the Midwest or Pacific Northwest, you need to be in the orbit of that home office in order to be able to be successful. That’s the way people set up to work. Everyone comes to this area and this is where all the senior employees and mentoring is. You want to be here to hear the water cooler talk. As I mentioned earlier, we as security professionals relied so much on the luck of proximity. I think that we've had to be a lot more intentional about our messaging and teaching. During this past year, every security professional who is in charge of training has had to figure out how to do this effectively without being in front of the class.
Coleen Coolidge: And so I think that things have opened up a bit more. It's probably become easier to get a remote job. Some companies might have a bias toward requiring early career professionals to be in the office for at least a year or so, to get a boost on the mentoring. I think companies are reevaluating that and asking what they can do to support a remote employee so that they can still be successful, even if they never set foot in the office.
Chris Martinez: What are you most proud of as an infosec leader?
Coleen Coolidge: Being able to work with a team who can take a situation that's not good and decide what the plan is, and how we go from trash to class with the situation. Deciding what that plan looks like, and how we’re going to get buy-in to do it. All the planning work and then working the plan and actually seeing it happen is great. I think to feel pride, you have to overcome thinking, "Oh, this is crap. How come nobody listens to me? This is taking longer than I thought. Why does everything have to be so hard?" You have to overcome that voice that always tries to make you quit your job and open up a surf shop somewhere. The reward for hanging in there is watching that roadmap come to fruition and seeing that people are seeking you out to ask questions like, "I want to use a third party that we don't use. What's the process I need to go through? I'm happy to follow your rules."
Coleen Coolidge: I look forward to the good days where Jeevan on our AppSec team teaches folks how to do their own threat models. Those are really proud moments. Another thing that gives me joy is when I've been working with a security professional for a long, long time, and we watch them grow from new in their career to the middle of the career, and eventually to the point where I could just sit back and let this person run things. And when that person becomes a security leader on their own terms, it’s just so gratifying to see somebody who starts early in their career, learns the really hard lessons, overcomes a lot of difficulties, and gets to the point where they're running their own security organization and they’re doing it well.
Chris Martinez: Which podcasts or books have you read lately that you can recommend to our listeners?
Coleen Coolidge: I finished a bunch of audio books, but they're not actually on the topic of security. There were ones like The New Jim Crow by Michelle Alexander that helped me become more socially educated. I’m continuing to do my homework and becoming more active. But the thing that helps me hang in there day to day as a security practitioner is not really learning more trends. It is controlling my affect. I have this app called Insight Timer. It’s a free app that helps through guided meditation. There's a ton of free meditations on there from Buddhist teachings, or for anger or relaxation, or just how to sleep better. And these are all things that security people have to deal with.
Coleen Coolidge: If you think about how frustrating your career is and how some other people make you mad, even how you get mad at yourself. We all have feelings. I think what I realized at some part of my career was it's okay to be very passionate because it shows you're invested and you care. But if you can't really let go and you acknowledge when you're feeling angry or when something unfair is happening, it interferes with your ability to do your job. It also interferes with your ability to put your job away at the end of the day. Then you bring whatever that problem is with you and you carry it into your home life and with your family. Your significant other has to hear about it. If you have children, your children have to hear about it. Here you are grumbling about this stuff at work that really makes you mad. It interferes with your ability to recover quickly and it makes you less resilient if you hold onto that junk instead of properly processing it and disposing of it. It’s important to put this negativity in its place, because the life of a security person is going to be filled with endless frustration of many different varieties.
Coleen Coolidge: You really need to get good at cataloging these feelings and figuring out what to do about it. Know when it's not the right time to worry about it, like when you’re on a date or something. In those times, you should not be thinking about the problem with what happened that day, because that person does not deserve to hear how horrible your day was yet again. They’ll probably tell you to get a different job other than security. The most useful piece of information I have is yes, you definitely want your continuous learning. If you can sign up for classes, if you have podcasts, read and write articles, but also really get a hold of those feelings that you have. Don't let them overtake you because if you really care about doing a good job, you need to get a handle on it.
Chris Martinez: Is there anything you want to promote, like your social media channels, or any articles you've written?
Coleen Coolidge: One of our team members Jeevan wrote an article about self-service threat models. I really enjoyed that experience through his eyes, because to me that shows the value of doing security well. Our team is also getting ready to release at least one on access service, which is something we created in house. Access service is a tool that Segment essentially made to create time-based access controls. It's a way of addressing long lived access privilege. Just because you and I needed that access to do a task or work on a project doesn't mean that we always need access. Our access should expire after we've finished our work. Otherwise you start accumulating a lot of open access that's very privileged. If one of our accounts is taken over, we have all of these long lived privileged access areas. It's super dangerous. Access service was built with the premise of allowing access when needed for your job and closing the window as soon as possible.
Coleen Coolidge: We're planning another article on how we think most companies are doing third-party security reviews the wrong way. It's a bit spicy. As I alluded to earlier, this idea came from our governance, risk, and compliance (GRC) team. They have some pretty strong commentary on the value of a 900 question questionnaire and having a million different check-ins on those questions. Is that really going to give you exactly the information that you need to feel better about the risks that you're taking with that vendor? The article proposes a few other ways to do it, especially if you have a small team and a lot of these reviews. There has to be a more efficient way to do it. They put their heads together and wrote the article, which is coming soon.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI, and email us at firstname.lastname@example.org with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you'd like to hear from. Stay safe out there and we'll see you again next time.
Next time on CISO Insider, MongoDB Deputy CISO Chris Sandulow joins us for a discussion on the challenges and opportunities he faces in his everyday work as a data and security steward plus an invitation to MongoDB live in July. All that is coming July 7. And stay tuned for the rest of our season 2 lineup. You won’t want to miss this!