Security Unfiltered

Navigating the Evolution of IT and Cybersecurity: From VAX Pioneers to Zero Trust Visionaries

January 16, 2024 Joe South Episode 138

Embark on a captivating exploration of the IT and cybersecurity landscape with our distinguished guests, Andy and Hellmuth. Their unique narratives, from Hellmuth's pivot into the role of Siemens' global CIO to Andy's transition from the world of chemical physics to the fintech sector, are not just career chronicles. They serve as a testament to the symbiotic relationship between physical and digital security realms and the indispensable nature of cybersecurity in a world where connectivity is king. Their stories are a reminder that the roots of modern IT are deeply embedded in the hands-on experiences of tech's early days, and that these experiences continue to shape the future of the industry.

In a world where remote learning has become the norm post-COVID, we take a moment to reflect on the unmatched value of in-person mentorship in the tech industry. Our guests reminisce about the days of VAX and PDP systems and how guidance from pioneers like Bill Lang and Scott Davis honed their skills. They point out the potential shortcomings of the hybrid work model for professional growth, making a strong case for the irreplaceable impact of face-to-face interactions during the formative stages of a tech career. This conversation is a tribute to the artisans of the past and a call to preserve their legacy through mentorship.

To round off our discussion, Andy and Hellmuth delve into the art of advancing one's career by hiring individuals who bring a wealth of knowledge to the table and the importance of continuous learning in an industry that never stands still. They share wisdom on leadership, the strategic navigation of career risks, and the cultivation of diverse teams. Furthermore, the journey from traditional web proxies to the pioneering frontiers of Zero Trust security is unpacked, revealing not only the challenges but also the victories that come with tech innovation. Join us for this session, brimming with the rich experience, insights, and forward-thinking needed to traverse the dynamic ebb and flow of IT and cybersecurity.


Speaker 1:

How's it going, Andy and Hellmuth? It's really good to finally have you guys on the podcast. I'm really excited for our conversation today. Same here.

Speaker 2:

Excellent, good seeing you.

Speaker 1:

Yeah, it's that time of the year where you debate about taking time off of work or if the work is going to be so light that there's no point in taking any time off, and so I'm in that conundrum right now with my day job.

Speaker 3:

It's a weird wind down this year because the stock market keeps going up, so I think people are keeping people glued to the screen a bit, isn't it?

Speaker 1:

Right. Yeah, it's an interesting time. I'm waiting for it to all come back down. Honest, it's a little alarming that it's going up right now. I feel like it should be going the other way, but whatever.

Speaker 3:

I think, enjoy it while you can. It's probably the adage, isn't it Right?

Speaker 1:

Right, yeah, I got a couple of friends that are definitely enjoying it. Right now we have a group chat and it's always fun to see what they're saying about it Absolutely.

Speaker 2:

What are your expectations for 2024?

Speaker 1:

Yeah, I think 2024 is going to be an interesting year. I think it'll be a year of reinvention and emergence of new skills and new demand and whatnot. But before we dive into all of that, how about we start with your guys' background? How did you get into IT? How did you get into security? What made you want to go down that path? And the reason why I start everyone off with this question is because I have a section of my audience that is trying to get into security. They're trying to get into IT, they're trying to make that jump, and I've always found that hearing someone else's story, and maybe relating to that story, makes it easier, opens up that possibility in your mind to say, hey, I could do this too. So, Hellmuth, why don't we start with you?

Speaker 2:

So actually I didn't start off in IT. I started more running different businesses, a large conglomerate at Siemens, where I was responsible for different regional businesses, and then businesses managed from outside of headquarters, namely mostly from the US. Siemens started to explore the future of their industrial business, going more and more into software and data analytics. We acquired a software company headquartered in Plano, Texas, a former EDS offspring, and that brought me closer and closer to the IT world, but really coming from the software angle, and the idea was to bring the physical and the virtual world together. And so I had then different responsibilities in the industrial sector in Siemens, and my last role in Siemens before I retired after almost 30 years was their global CIO.

Speaker 2:

So coming more from a business angle into the IT world, and the idea here was to make sure that IT and business are really closely interconnected and creating value, one together with the other. Most of the businesses in the industrial world today, even though they come very much from a physical world, are now enhanced by data analytics and enhanced by software, and bring then these two worlds together. That was the task at Siemens, and this was also the task of bringing IT and the business closer together, and in this context you can imagine cybersecurity plays an absolutely key role. Cybersecurity on the IT side, but as much and as important on the OT side. And that brought me closer and closer to the cybersecurity world which we will be discussing today.

Speaker 1:

Yeah, it's an interesting time, right, in history when the worlds started to kind of merge together. I feel, and you know, it like opened up the world of possibilities, of, oh, I can control that pacemaker and I'll control it in a way to where no one knows that I ever did it, right. I'll erase all the logs, I'll erase everything that was on it and whatnot, and so it opens up a really big world for IT and everything, an interesting space where, you know, I think it's even described pretty well in the zero day book by Kim Zetter. You know, she talks about how these generals and these colonels watched as this generator just blew itself apart because someone with a computer from a mile away decided to hack it and put some malware on it that made it operate at speeds that it shouldn't have been operating at. So, Andy, how about your journey? What was that like?

Speaker 3:

Well, I started off with a typical scientific degree in chemical physics and did some programming on the BBC Micro when I was at college, but not much, but I know BASIC pretty well. So from there I went to work in pharmaceutical research and actually built a molecular graphic modeling system, which was a ton of fun. They taught me how to program and I learned in Fortran 4 with variables that weren't even declared and stuff like that. So within a couple of years I discovered that assembler was quite interesting and that understanding how computers worked was pretty interesting as well, and I spent 10 years just writing code. I kept being asked to take management positions but didn't want to, and in the end I became a contractor for six years when I worked at Marconi's and BT and built a whole bunch of different things as well outside of my day job, just so that I could continue programming. So by the time I went back into the corporate workforce in 1994 when I joined Paribas, I had a lot of programming experience, and during my time at BT we'd also run the ARPANET/JANET project, which was the first connectivity across the Internet in the days when Gopher and FTP were probably the only mechanisms you had for collaboration and sharing. So it was a very interesting time. Obviously the rise of Mosaic and Netscape and so on happened in that period as well. Then eventually Microsoft all out gushed out to go to the Internet, which was also quite fun to watch.

Speaker 3:

I had 20 years in financial services in various different jobs, always technical at one level or another. So in CTO roles, for example, I had security report to me two or three times over that period of time as well. So pretty honestly, going back to the ARPANET/JANET connection, I think from that point on security was born. As soon as you could address everything from the network, then the protection became like one of the most important things. In the beginning, as you probably remember, there was no real commerce or payments, but as soon as that stuff started to emerge then people started to worry about fraud and so on.

Speaker 3:

So I feel like I kind of grew up in the environment where security started, and many of my friends who've been CISOs on Wall Street all came out of Bell Labs in the US, and the same is true in the UK. Many of them came out of multiple labs, actually, into the CISO roles in UK companies too. So I feel like I've been at this for 30 years or so actually, and for the last 10 or so have been investing in companies, have been on the board of Zscaler, watched Zscaler grow from nothing really to something pretty substantial, and also watched Zero Trust grow as a way of thinking, a philosophy, if you like, for defense, which I think any football coach would understand, strategy around defense and attack being very important. I think that's now true in the enterprise as well.

Speaker 1:

Yeah, it's really interesting. So it sounds like you were at the start of the internet and you were in the space, I guess, learning as everyone else was. What was that time like? Because learning back then is a lot different from learning right now. You know, if I want to learn a topic, I'll go on YouTube, right, I can hear lectures from MIT, Harvard, you know whatever it is right, but that's all on the internet, right? I'm basing all of my learning of a new topic on the internet. You're at the forefront of the internet. So what was learning about what this thing was? What was that like?

Speaker 3:

Well, I mean there's a lot of reading, to be honest. So I mean I read, I think, every VAX manual, every PDP manual, front to back basically, and while I was programming assembler, I mean you need all the help you can get. I also discovered early on that microfiche was really useful because you could actually read how the systems programmers were writing code, and I followed people like Bill Lang who designed BLISS, and so I would basically look at the code they'd written in a new release of the operating system to learn the tricks and techniques from them. Obviously, being surrounded by great people really helps. The person who sat next to me at ICI was a guy called John Farringdon. He taught me what symbolic debuggers were, and before then I was just, you know, using print and stuff like that, and you take these kind of massive increases in performance just by meeting people, and, to be honest, that's something that I've continued to this day.

Speaker 3:

If you want to know a subject, go to a subject matter expert and find out what their points of view are, what they think is interesting. And so I remember one particular incident at Paribas where DEC actually brought in a guy called Scott Davis, and I'm like, are you the Scott Davis that wrote DECnet? And he's like, yes, I am that Scott Davis, and he's the man who's the TCP/IP consultant into Paribas, and I'm like, dude, I mean, you're my hero. And so I think you've got to kind of think about every protocol in terms of how it could be breached. And often people forget about those legacy protocols, by the way, and that actually is a mistake. But largely they're gone, but not totally. I mean, we still see mainframes in probably most of the Fortune 500. And where there are mainframes you'll find SNA not far away. So just a quick in-touch-with-the-past comment there.

Speaker 2:

But, joe, actually let me add to this I think some things have changed, some things have not changed. So number one is you get a lot of basic knowledge going on the internet, watching YouTube, using chat. Gpt gets you, gets you all into into the area, but to really develop deep thinking and new reflections, what has not changed talking, go and see number one and see. The second part is what Andy just described be with people that are really in the subject matter. And I remember, andy, we spoke a lot virtually together, but it was so different when we met the first time and I tell you, being two hours with Andy, you learn a lot, much more than you can learn in several days on YouTube. So I don't think this is really replaceable. I think you know then you might get a certain basic knowledge, but if you really want to get deep into any subject, it's the best thing for developing your critical thinking and this domain is being with people that are experienced and willing to share.

Speaker 1:

Yeah, it's really interesting. You know, do you think that that also translates into work-from-home culture that we kind of got? It became more prevalent with COVID, right, where more and more companies are working from home and now employees don't really want to go back to the office because they're not finding the value in it. Right, and I think from my perspective, right, my stance on it is I'm very pro work from home, but there could absolutely be something that you're losing with not going to the office, and for me it's difficult to try and put a value to that, right. So then it's harder, at least for me right now, to put a value to that, to say like, okay, should I go in, should I stay at home? You know, all these sorts of things, right? What's your opinion on that?

Speaker 2:

Yeah, Joe, I think you know that I teach at a business school, and it was very interesting, of course, when COVID hit. We had to go virtual from one day to the other. Then there was a way, for everybody wants to be back. Now what turns out is we get more and more into a hybrid situation where a lot of the material is actually prepared, for example, in videos. You get to this basic knowledge. Once in a while a lecture can be perfectly done virtually. It works very well, but only in the combination with being back in the classroom, especially in group work, being in a group where students work with other students in a live setting, and then going again for a while virtual. That works, but I think it's really critical, this direct personal interaction. So I'm neither one nor the other. I think the hybrid is really the most effective way of working together now and going forward. Andy, what do you think?

Speaker 3:

I think randomized hybrid is the worst possible outcome. So when people go to work when they feel like it, that never works. The companies that seem to be doing this successfully are saying let's go into the office Tuesday and Thursday, and they actually specifically look out for social moments, teaching moments, you know, water cooler moments and so on. So my point of the honor is that there is no substitute for John Farringdon teaching Andy Brown. There isn't, but you know, during there isn't. I mean, I would never have advanced as quickly without his help. Right, and he was.

Speaker 3:

You know, he's a genius. He actually worked at ICI, invented Diquat, and then he did a computer aptitude test with Burroughs and he got 100%. So Burroughs recruited him. So suddenly he came back when he was older. He's an absolutely brilliant guy, and so I don't really think there is a substitute for that. But I do think that once you've built relationships with people, you can work very effectively with them remotely because you know them. But if you don't spend the time at the beginning to build the relationship capital that you need, I think it's hard to approach people with a problem that you don't know well. So I think that's the point I would make. I think familiarity is very helpful in relationship management, and being prepared to not know the answer and ask somebody for help is a sign of strength in every organization that I've ever run.

Speaker 1:

So yeah, I think that there is a lot of benefit going to a hybrid model, especially for the people starting out, right. I couldn't imagine trying to get into this field, right? So, you know, I got my bachelor's in criminal justice, right, nothing computer related. I didn't code before and I still don't code today, right, like thankfully, right, somehow I have missed that skill curve, and I couldn't imagine how difficult it would have been getting into the field without having that face-to-face interaction with my leads, with my, you know, engineers, and saying like, hey, what is this thing, you know? And they actually pull it up on their screen, show me, talk me through it, guide me doing it myself. You know, those sorts of things are really, they're irreplaceable.

Speaker 1:

You know, a screen share doesn't do it justice because, you know, with a screen share, once it's over, to me it would be rude to start it back up again and, you know, ask more in-depth questions, right. It kind of puts that barrier, and I consider myself not to be very, I guess, extroverted or whatnot. I mean, people would probably contend with me running a podcast if I'm actually extroverted or not. But you know, once the conversation is over, most people are not going to fire it back up and start diving into it again. Right? It's a complex social situation, I feel.

Speaker 3:

I agree with you. I mean, I think the one thing that's probably good is that you can ask multiple people the same question and actually essentially crowdsource the answer, which can be very helpful. And if you look at how Slack is often used on tech channels, that's often the way it's being used. So I think, pros and cons. Personally, I think I would rather have not read the microfiche; my glasses may not be so thick right now if I hadn't. So, you know, they're definitely better off today and it's much easier to come up the learning curve faster. However, you have to be intellectually curious, and sometimes you have to look under the cover, because often I think cloud programmers haven't gone deep inside to really understand how the computer works to allow them to optimize their code, and many people would say you don't need to do that. But I've seen code written by people that do do that, and they're usually extraordinarily thoughtful about how they write code. So I like a combination of the two.

Speaker 1:

It's interesting, you know, it sounds like, I mean, this was one question that's taken 20 minutes, right, it sounds like the winding path through your career is the best route to, you know, security, right, overall. I think we would all probably agree on that, which is not what the younger generation wants to hear. Right, I've done mentorship sessions, right, with people that are fresh out of college or maybe they're just about to finish up college, and they're asking me what's the best way to get into security. You know, and I take them down this, you know, kind of winding path, right, of being one option, and they're like, well, if I do this boot camp over here, you know, it's eight weeks or 16 weeks, whatever it is, and I'm in.

Speaker 1:

So, yeah, you might be in, but you're not going to have the level of experience that the industry is expecting of you. You know, you're not going to have the skill sets that everyone else is expecting you to have. You know, for instance, right, if I went to work at Siemens and they deal in nothing but IoT devices pretty much, you know, the hardest devices to secure on any network, that's what they deal with, that's their bread and butter, right. If I, as an experienced engineer, if I go in as an analyst, I'm going to be in over my head most likely, I feel, you know, because it's a section of security and IT that I've never touched before. Is that also what you guys recommend to people getting started in security? To have that winding road, to not worry, you know, about maybe not having that direct path?

Speaker 2:

I'm not sure. I think what you just described is exactly what's necessary: curiosity. I mean, going, even if it's just an eight-week or 16-week workshop. I mean, if you expect that then you know everything, that's probably a pretty unrealistic expectation. But if you're willing to keep on learning, that's probably the best.

Speaker 2:

It's the best road to get into it, and it's always a mix between getting a foundation, a theoretical foundation, understanding the topic, similar to what Andy said before. You know, at some point in time, if you're in IT, it's probably best you have coded at some point in time. You don't have to do everything, but going deep for a certain period of time and understanding the dynamics helps you enormously afterwards in putting the applications into context. And I think that's true, what you just described, also on cybersecurity. You just have to go deep for a certain period to get the foundations, and then it's all about practical applications. It's about understanding what is it actually really used for? Where does it create value? So, not staying in the theory, but creating a theoretical base and starting from there in certain directions, understanding where's the application, where are the risks, but also, and most importantly first, where are the opportunities and where's the value created.

Speaker 2:

We started a little bit off on kind of the negative side, all about, you know, it needs to be protected. Well, the first question is why do you want to protect it? So where do you create the value that actually creates business value? And you just described the IoT world.

Speaker 2:

I think there's an enormous opportunity for using the data that are collected, be it on a factory floor in one of the Siemens factories. It's a factory in the thousands of Bavaria; in Hamburg it's been several times the factory of the year, in Europe and now from the World Economic Forum. Why? Because they have a lot of people that have deep domain knowledge in their segment, and then they bring this together with IT knowledge and then all the cybersecurity knowledge, and I think that's a combination which is really the winning one. Coming back to your question, winding road or not: creating a good foundation, building on it and then being exposed to the real applications that create value for clients, and then thinking about how do you secure it to make it consistently successful. I think that's really always a good approach, and then you probably want to go back into learning mode again.

Speaker 3:

Yeah, I mean, I think there's kind of two things that I would just pick up on there. The first one is that this generation of workers has to be lifetime learners, and AI is going to change the jobs that are useful. They're going to change the pay rates for jobs as AIs get more and more clever and able to orchestrate. So whatever you're doing right now, in five years' time it could actually be valueless. So you have to stay ahead of that and you have to keep thinking about what's going to get commoditized next. If it's a skill that I currently have, that's good because you can build from it, but the question is, where's the part going? I think. So reskilling and relearning and learning new things is super important. The second thing is that you can't restrict yourself to a single industry. Many people in financial services work in financial services their entire career. Many of the best CISOs I know came from telecom into financial services and then went on to do a whole bunch of other things after that.

Speaker 3:

The way I looked at programming when I was 21 is that programming itself is a completely transferable skill into any industry. I used it to learn how to model protein binding sites, how to automate refineries, and how to automate an entire telecom company that used to be a public utility, which is not easy, by the way. So, in financial services, same thing, but again, each business: Paribas, very different from Merrill, very different from Credit Suisse, very different from UBS. And now, in the last 10 years, working on everything from how do you optimize wine growing to how do you build security companies. So, to me, the transferability of the skill gives you the opportunity to learn many different industries.

Speaker 3:

IoT is obviously an up-and-coming one and a good one to learn, but that's about where the puck is moving. The puck's moving to IoT. That's a good skill to learn. As a security professional, you can start to push your career in that direction fairly easily. So the winding road is often, I think, dictated by future market trends, but your intellectual curiosity and your ability to keep reading is what helps you identify what those trends are. So that's the way I would say it.

Speaker 1:

Yeah, I guess it's not fully accurate for me to say that I've never coded or anything like that. I'd say I've probably learned Python like five times over. The issue is that I don't use it regularly, so I forget things that I learned six, seven months ago, and now it's like I have to go relearn strings or functions or whatever it might be. But I do fully agree with what you're saying. Coding is one of those basic foundational principles where you take that learning and then everything else starts to kind of make sense and it fits into its place.

Speaker 1:

I just haven't thought of it like that in such a long time, because now I just do it so innately, deconstructing a problem or deconstructing a system to see how it works, when I'm picturing it in my head, right, of what that is, you know, in Python or what that is in code, and I'm doing that without even thinking about it. But in the beginning you're learning these things. It's like an epiphany. It's like, oh my God, that's how the network stack works, that's how this server works, that's how it communicates to something else, all those sorts of things. It just becomes an epiphany.

Speaker 3:

I think many theoretical things, Joe, also, you only actually get them when you see a practical application of them. String theory, graph theory, I mean, you know, graph theory, yeah, okay, kind of get it, no, it's okay, but as soon as you see the power of building a graph, you're like, wow, this is really cool. So I totally think what you're saying is 100% right.

Speaker 1:

Yeah, it's fascinating, right. Like you talk about being a lifetime learner. I mean, it's never ending. I guess that's what drew me to security personally, right, is being able to be a lifetime learner, because for a long time I was in the mentality that IT was like the most boring thing, because I had only seen help desk and I only did that one thing, and I'm like, man, this would be miserable if I have to spend my entire career in help desk. I didn't even think that there was another side of IT or anything like that. It's that always-learning part that drew me in, because once I figured out, like, oh wait, I can literally dive deep into hacking cars, right, just hacking cars, and I'll spend an entire career there. Or hacking factories, hacking IoT, all these different things. It's really fascinating. So I do have a question, though. So you guys have your PhDs.

Speaker 1:

A German doctorate, well, that's like what, three American PhDs right there? No, no, no, no, no. I can't say that 100%.

Speaker 2:

Not at all. Some people would say it's proper American PhD.

Speaker 1:

So yeah, well, those people don't know the German education system. So I was studying German in college in my undergrad, and part of it was spending six weeks in Germany, and I couldn't tell you the amount of times that I was impressed with just the intellectual knowledge that Germans and other Europeans had compared to my own knowledge. Joe, you just made a lot of Germans very happy, because the latest PISA study was actually not that positive about German education.

Speaker 2:

I question that study.

Speaker 2:

Okay, but coming back to the point, I think I just want to, this is the lifelong learning aspect, because, as you know, Andy and I just sat down and wrote actually a book for board members, and good board members are actually lifelong learners and they know what they don't know. So part of being a board member is asking a lot of questions, ideally good leading questions and sometimes completely open questions, but really the willingness always to keep on learning, to keep on understanding what's the opportunity in the business, but also what are the risks in the business. And this is why Andy and I sat down and wrote this book about seven steps for cybersecurity for board members, because they are lifelong learners and want to have deep understanding on many subject matters, and one of them is actually cybersecurity.

Speaker 1:

That makes a lot of sense for board members to be lifelong learners. I find that as you become more experienced, as you get higher-level roles and whatnot, it's more important not for you to know everything, but for you to surround yourself with the right people that are experts in those other areas. So you could say, hey, can you handle this question for me? Can you drill them in this way, because I don't know this side of it like you do? And, Andy, do you find that true with Zscaler, right from the beginning to the end right now, because you're a board member of Zscaler, right? Zscaler is a fantastic product, by the way. I've used them personally, and I mean, for a web proxy solution, to say that I enjoyed it, that's not something that you hear every day. That's true.

Speaker 3:

Look, I think board members generally need to be people with lots of experience, and my experience is that you get the most experience on the winding road, which is what leads you to the level of curiosity that Hellmuth just described. But I think your point was going a little deeper than that and I just want to touch on that for a minute. When you're building an organization that's growing quickly, what you have to do is hire people smarter than you in every role underneath you, if you want to be carried on the shoulders of giants, and it takes a lot of confidence to do that. And for many CISOs who are being promoted early in their career into the lead role because of the lack of qualified resources, and because they're ready, but they're ready in an environment where people are fishing upstream to try and get people to take these jobs, the danger is that you're not ready. You're not mature enough yet to know that you need to hire people smarter than you to work for you in every single role reporting to you. And this is how you actually are able to, first of all, make sure you've got a great succession plan in your organization and, second of all, make the next step, which in many companies is moving from CISO maybe to chief risk officer and promoting somebody from within.

Speaker 3:

The promotion-from-within part in the industry is not happening often enough, in my opinion. Right now, there are so many searches out at any given point in time for CISOs. I'm aware of about 10 right now, as an example. I think not only do you need that from board members, to the point that you made, you need people with enough experience, but oftentimes board members who've been in the role for a long time maybe haven't had to deal with the level of cybersecurity threat that exists today, and those are the people that we wrote the book for. Right, I mean, it's written for everybody, but most of all, it's written for people who want to come up to speed with, okay, how do I get my head around this? How do I think about the right questions to ask and how do I make sure that we are hiring people really smart, one down and two down from the CISO, to make sure that every defensive angle that we can pursue has been pursued? Yeah, it's a fascinating world, right.

Speaker 1:

Because I guess for me, right, I'm not at that level yet, and so it's always interesting to hear how that world operates. And as I become more experienced in my own career, I start seeing things from a different perspective. I start seeing things kind of from the top down, being able to rationalize different decisions that are made within businesses and with organizations and whatnot. Is there any value to jumping ahead, like, let's say, for instance, you go from being an individual contributor to a manager faster than what you probably should have been? Is there any value in biting off more than you can chew and trying to work through it? Or are there critical skills for you to have that will make you successful, like what you mentioned of being able to hire people that are smarter than you in every role beneath you?

Speaker 2:

I think the first step is to recognize what you know and what you don't know. We all have a certain profile and background and have some depth in some areas and maybe are not that strong in other areas, and that's hard sometimes. You know, a really realistic view of yourself, and then you take the next step and you try to find exactly those people and put around you people that don't look like you, that exactly have those skills that you are missing. So it's always, in every company, in every organization. It's not CSOR, not only the IT organization or cybersecurity. I think in any organization the only one who wins is a team. It's never one individual.

Speaker 2:

There might be one person who is a CEO, but still, who wins is a team, and a good CEO is able to bring the right people together, covering those areas where he or she is maybe a little weaker, and strengthens the team and makes it really a strong team. I think that's number one, and number two is exactly what Andy said. Then you look for the best people that are much smarter than you are, especially in the areas which you don't cover that well, and that takes a certain level of maturity. That's not just knowing a subject matter. Now you have to have the maturity to accept that you actually work with people that report to you that know their subject matter much better than you do, and this is the only way, I think, to really advance strong people strongly and get ready, as Andy described, potentially even for a next level.

Speaker 3:

I mean, there's a bit of science on this, Joe, to some extent. McKinsey has a fantastic report on this that talks about skill distance, which is the distance of the role you're going into versus the one that you're in. Basically, one of my mentors always said to me: if you're sixty percent sure that you can do the role, take the job, but if you're fifty-five percent sure, do not take the job. Right, because the thing is you have to have enough competence, which comes from the experience of your current role, that you can transfer into the new role while you learn the new skills. So you're both teaching and learning at the same time when you take the kind of step that you just talked about before.

Speaker 3:

You know, and my favorite quote of all time is from Julius Caesar, and the quote is "experience is the teacher of all things," and the older I've become, the more I realized how true that is. How you attain the experience is very important, right? So people who take more career risk earlier, but not too much career risk. This sixty-forty thing is very important. You take too much and you don't do well, you lose confidence and actually go backwards. So the people that take more risk earlier are the people who do well later. Not surprising, but it is.

Speaker 3:

It is a fact from the McKinsey analysis that that is true, and the thing that they do more of is acquire new skills more frequently and more often and faster. That's what they do well. So I think many CEOs that I've worked for, and with, have that skill. They've been able to basically acquire skills quickly and acquire knowledge quickly in roles.

Speaker 3:

But I think the theoretical learner is different than the person with experience. And this is a point Hellmuth made earlier, and that's what Caesar knew about war. He knew that the people with the most experience on the battlefield knew all the tricks that the enemy was going to deploy. So I think that is super important and that's what you're trying to get. As a thirty-something or forty-something, you're trying to become as experienced as possible to allow you to deal with anything that life throws at you, and in a security role, anything that life throws at you could be the survival of your business. So it's super important to understand that, I think.

Speaker 2:

I have a corollary to this, and I fully agree with Andy on the sixty-forty, and I think it's just as bad if it's ninety-nine to one. So if you're a hundred percent sure you will do great in this job, then you're standing still. So you have to feed your growth mindset by continuously challenging yourself. Just don't overstretch to the extreme; then you fall into the trap that Andy described. But if you do the other extreme, it's not helpful either, because you're not advancing anymore. You're not growing mentally, you're not growing this experience. So my recommendation to the listeners that are at this stage where they're considering a next step: always try to find something where you have a strong base, say sixty percent, but where you also see, maybe it's just thirty-five percent, that there's a material increase in challenge, in responsibility and then, out of this, also in professional and personal growth.

Speaker 1:

Yeah, it's very true, and I find myself even going down that rabbit hole right now, debating if I should get my PhD or not. You know, I don't want to get my PhD just to have a PhD. I feel like there's no value in that. You know, I want to get a PhD to stretch myself, to really push myself to learn a topic in depth that builds on my previous experience. But I'm also not sure of the value that it holds in the marketplace, necessarily, but obviously if I go into education it holds a lot of value.

Speaker 1:

And so I'm weighing all of this out, right, because I'm always looking for the newest ways to push myself in learning a new topic and kind of redefining my skill set, right. I've done it a couple of times now in my career and it's been beneficial every single time that I've done it. You know, I went from being just on an IT help desk to, you know, being a specialist with this little security kind of flavor to it, to being a dedicated security engineer for organizations, to going into cloud security. That graduation is, you know, different skill sets all along the way. For sure it's an interesting balance, I think. What advice would you give to someone debating about getting a PhD or taking another level of education?

Speaker 2:

I think, you know, it's less the title. Whether it's a PhD or whatever it is, that is actually secondary. I think number one is the process. But if it's only the process, without a product at the end, there's a high risk to stop somewhere at seventy-five percent. The advantage of, and again it can be a PhD or something else, a level where you have to do the very tough last five percent, is that you have to really fully complete it, and I think there's something in there, in this process until the final end. And there it doesn't matter exactly which type of final end is in there. But I think what you described before, this process, is critical, because going through the process, with all the hurdles you have to jump over, I think that really strengthens your knowledge base and also your confidence that you can actually master these challenges.

Speaker 3:

Yeah, I actually struggled with that same thing in my twenties, Joe, honestly, and I ended up managing a student who ICI was sponsoring for their PhD, who was on my undergrad course in London, at Oxford. And so, because my boss left to have a baby and I was left in charge of the student, who was one of my friends from college, every two weeks I'd go to Oxford and I'd meet with Graham Richards, who was her professor, and he would try to recruit me to do a PhD, and I was very tempted to do it, to be frank. And I think the thing is that the role I had at ICI was actually in the research organization, doing research science, so I kind of felt like I was already doing what I would see. One of the reasons why I chose not to become a manager early in my career is that I wanted to be really deep in programming. I did not want to be broad, which is what management gives you. Later on, coming back to it was better. Being older, by the way, too, in my opinion, for me, that was better. I think, if you have the desire to go really deep on a topic, particularly if you want to start a business on something and you're really curious to go explore a topic, then going really deep can be great. While I was mentoring this other student, they were actually building a competitive product to the one we built at ICI. It was called ChemGraph. So I was able to see both sides of it: both the student who tried to turn that into a business when he left college and was very successful actually in the end, and the way the academics felt about that, which was not great actually, and then just doing a commercial product. We had so much resource, I mean it was just so much easier for us to be successful.

Speaker 3:

So I think you can sometimes take your pet project and build a startup instead of doing a PhD, as long as you're confident that you have enough knowledge to actually go after it. There's a lot of work, by the way, around depth in startups, particularly in security. Because there are so many startups, the space now is getting so thin in terms of what you need to be good at to build a company that's valuable. That could be another way to satisfy or scratch that itch, I guess. But I know exactly what that feels like and I used to talk to my dad about it all the time, like I should do that on art, and he's like, well, it looks like you're doing really well at work, so why would you do it? But on the other hand, he of course wanted me to get a PhD from Oxford and he used to push me very hard to do it, but I ended up not doing it and not regretting it actually. So it just depends on kind of where you land, I think, in the end.

Speaker 1:

Yeah, it makes a lot of sense. So, Andy, in the beginning of our conversation you talked about how you were with Zscaler from the very beginning.

Speaker 3:

Not from the very beginning, but early on 2013.

Speaker 1:

That's still pretty early on. As someone from the outside, I've always found it interesting as to how Zscaler went from being obviously the best web proxy to kind of even developing this area that we now call Zero Trust. What was that like? Because to me as an engineer, once I understood it as, oh, this is least privilege for your entire network, once I understood it as that, it made a lot more sense to me and it kind of opened the door. But what was that shift like internally at Zscaler, making that shift from, okay, we're a web proxy solution company, to we're a Zero Trust leader?

Speaker 3:

Essentially, so many of the engineers at Zscaler came from NetScaler, the founding engineers I'm talking about, and NetScaler was an extremely performant reverse proxy solution. So one of the things they focused on was getting packets from the left-hand side, or the north, to the south side of the ZEN boxes very, very fast, less than a millisecond, and with a web proxy that's extremely important. So there are many benefits of putting the proxy in the cloud. The management of PAC files, I mean the whole policy management, massive benefit. But this idea of what could you do to the packets while they were traversing the edge of the network became super important for the business. But you have to do it without impacting the performance. So what you can run in line between the north side and the south side of the interface still has to be faster than 10 milliseconds. It really wants to be more like two or three milliseconds or less, and so the challenge always was how much functionality, how many algorithms can you run on those packets while they're passing through the box, to enable you to put things like DLP in line and all these other capabilities that we now deliver? And so, to me, the thing that amazed me the most was the original design of the engineers. You know, Zscaler stands for zenith of scalability, as you probably know, and it's the scalability of both: the architecture, which is, you can add as many pods as you need worldwide to deal with the traffic that you have.

Speaker 3:

Most people have never heard of terabit networks, but we run them, and so the bottom line is that not only do you have to have boxes that are very fast, but you have to deal with a lot of scale on the bandwidth side as well. I haven't seen this recently, but they used to, in every board meeting, show us, you know, Zscaler versus Google, Facebook, TikTok and YouTube in all the major cities in the world, and I started watching when we hit number three, basically. So I don't know what the numbers are now, to be honest, I haven't looked at them for ages, but that scale that we're running in the enterprise, there's no one else at that scale. I mean, there are people who have consumer businesses at that scale, but not enterprise ones.

Speaker 3:

So the scale itself. I remember being in a meeting with Google, when Google were on the board, where we exceeded Google's throughput and they were literally blown away. I mean, it was amazing. You know, I think you have to lead with performance. You have to think about then the SLA that's open, which is about two milliseconds, and then you think about, well, what else can we do in that two milliseconds to add all of the functionality that we've added today? And, by the way, mostly we're less than one millisecond today, because what's happened in the meantime is Moore's Law has continued.

Speaker 3:

Networking interfaces have become more performant. You can buy more capacity from fiber companies, so you know there's an all-boats-rise-in-that-ocean kind of model there as well. That's helped us along the way. But running a network at that scale is, I mean, I worked in telecom, I know what that is like, right, and I ran networks, by the way, in financial services too. So the scale itself still is unbelievable. It's kind of like the scale of some things that SpaceX are doing, for example, just in terms of how much of a reach it is to be able to do that. So I still find that amazing today. But that's basically, architecturally speaking, that's kind of how that works, if that makes sense.

Speaker 2:

And Joe, maybe from a customer perspective. Now, we at Siemens, we are customers of Zscaler, and we started really with a point solution with the so-called Zscaler Internet Access, connecting directly to software-as-a-service providers like Salesforce, and then Microsoft when we introduced 360. And what was really interesting: traditionally we had always this triangle between cost, usability and security, and usually the discussion was always, well, let's spend a little more, then we get a little bit more security, but then usability went down because it became more complicated. So somehow the triangle was always unbalanced, and for us it was the first time, when we introduced zero trust and Zscaler, that in all three dimensions we had improved. We had actually higher security, we had higher usability and we had less communications costs. So it was a very interesting game changer for us that what we thought were trade-offs were not trade-offs anymore and we could drive all three dimensions in the right direction.

Speaker 1:

Yeah, it's a really fascinating area and I feel like we could have a whole other episode just talking about Zscaler and the capabilities and the future of it. Right, but we're coming to the end of our time here, but before I let you guys go, let's talk quickly about the book that you guys put together. What's the book title? And I'm wondering, is there a common language when dealing with the boardroom that you have found to be very efficient? Right, and I ask this as someone that is graduating in their career. Right, I'm learning how to structure different conversations with different parties within the company, so what's your opinion on that?

Speaker 2:

So let me start with the easy part. What's the title? It's Cyber Security: Seven Steps for Board Directors, but then it has a subtitle and it's called The Guide to Effective Cyber Risk Oversight from Board Members for Board Members. So number one is, the idea was, as Andy and I described before, that we make a very practical description that's really helpful for board members, where many of them do not have very detailed knowledge of cybersecurity, but a lot of curiosity and, naturally, a responsibility, a fiduciary responsibility for the companies they represent on the board. And so the book is full of specific examples, you know, of what's happening in the cybersecurity environment, and it also translates technical terms into real-life terms.

Speaker 2:

And I think, coming back to your other question, how is it helpful? Actually not for board members, but for, for example, CISOs that communicate regularly with the board. And I would say just number one, when you walk into the boardroom as a CISO, you can assume that everybody in the room is prepared. You can assume that everybody in the room has a very strong interest to make the company even more successful, and cybersecurity is one part of it, but you also have to assume that not everybody in the room has the same technical depth as you as a CISO have. So make sure you have enough time to translate what you want to achieve, what you're working on, into a relatively normal business language and how it relates directly to the business that the board has its fiduciary responsibility for. And I think there the book is helpful in both directions: it's helpful for board members, but it's also helpful for the IT professionals that regularly have a dialogue with the board.

Speaker 3:

Maybe I'll pick up on a few other points. The first one I'd pick up on is often members of the executive team in companies are also not cyber aware, or not as cyber aware, and we're certainly seeing collective responsibility emerge as a theme around both the lawsuits against Uber and SolarWinds and, more deeply now, with the SEC changes that require material disclosure after four days. So everybody on the executive committee of a company now needs to really be on the same page with filing an 8-K after an event like that has occurred. So I think there are now not just knowledge requirements of board members, to Hellmuth's point, but there are also transactional decisions that the board are going to participate in, where board members are required to be well enough informed to make a decision on what materiality is. The second thing there, I think, is that not acting too soon is super important. We've seen with the Clorox incidents that when you react too early you often have to retract or react again, basically, when you find out more things later on. And there have been a number of breaches and exfiltrations recently where the initial extent of the exfiltration has been found to be much, much greater than was originally disclosed. So I think that's another area that we've put into the book, which is about kind of the process that you put around the assessment of materiality as well, but mostly the book is really organized around process and what process you should run, both to get people up the learning curve to what they need to know, and to have a common language that they can actually converse with the CISO in.

Speaker 3:

Often CISOs are very technical, and converting the way a technologist speaks to the way a business risk needs to be encapsulated is a trick, and I think, you know, you can't expect CISOs to learn overnight, particularly given the conversation we had earlier about how often they are kind of quite young when they're put into that role.

Speaker 3:

They can't overnight understand what the business risk is. So I think the executive team needs to work with them, and that's also something that we cover in the book as well. And then the use of public frameworks, so like the NIST assessment framework and so on, to get a really tight view on what would an outside party say if they were doing an assessment of your company, and actually having someone like EY, KPMG or PwC run an assessment like that, so you know where you stand and you know what you need to improve. So I think all of those things are important. I mean, the whole risk surface area is a topic that we touch on a fair amount in the book as well. It's just understanding what that is and where your current weaknesses and strengths are as well, super important. But I think that if you ask it at a macro level, I think that's probably about the scale of it.

Speaker 1:

Sounds really interesting. I'll definitely have to pick up that book at some point. Well, guys, unfortunately we're at the top of the hour and I know that we already went over, so I really appreciate you hanging on. Before I let you go, how about you tell my audience where they could find you if they wanted to learn more and reach out?

Speaker 3:

Sure, I'm very easy to find on LinkedIn. By all means, reach out with questions on the book on LinkedIn, and obviously you can channel those through Zscaler as well.

Speaker 2:

Yeah, same thing. LinkedIn is the easiest, and if you can make available the link to download the book if they're interested, it's publicly available, so easily accessible, and if there are any specific questions, LinkedIn is always a good way to connect.

Speaker 1:

Awesome. Well, all the links will be in the description of the episode and I really appreciate you guys coming on. Thanks everyone. I hope you enjoyed this episode.

Journey Into IT and Cybersecurity
Face-to-Face Interaction and Hybrid Work
Lifelong Learning and Career Development
Advancing Through Hiring Smarter Individuals
Web Proxy to Zero Trust Transition