Aug 2, 2024
Episode Description
In this episode of the Hands-on CISO podcast, Adi interviews Stephen Owen, CISO of IQUW. With over 20 years of experience in the security field, Stephen shares his fascinating journey from software engineering to becoming a top 100 global leader in InfoSec. Listen in as Stephen discusses his background, the importance of constant learning, and the evolving landscape of cybersecurity. He delves into team management, risk assessment, and the impact of AI on security practices. This episode is packed with valuable advice for aspiring security professionals and seasoned leaders alike. Don't miss it!
Adi (00:02)
Hi everyone and welcome to the Hands-on CISO podcast. My name is Adi and today I'm talking to Stephen Owen, Group CISO of IQUW. With over two decades of experience in security, Stephen advises executive leaders and has expertise in many different aspects of security. He was also recognized as one of the top 100 global leaders in InfoSec. Stephen, how are you doing today?
Stephen Owen (00:27)
Very well, thank you. Good to meet you, Adi.
Adi (00:30)
Amazing. So I think the first question I'm going to ask you, because I think you're the first Group CISO we've had: what does it mean to be a Group CISO versus a regular
Stephen Owen (00:42)
I think you often see different CISO titles, whether it be CISO, Group CISO, Global CISO. Often it depends on your remit, often whether it's a group of companies, like groups. And a group could be across geographical locations; it so happens ours is in the UK, but you could be across a few companies and countries, and it could be blurred, then it goes into a global. Often you could be a Global CISO with a headcount of
1,000 people. So it really depends on what sector, size of company, team size, and the challenges you're faced with. So at the end of the day, you're solving a lot of the similar problems, but sometimes it's the scale of the problem.
Adi (01:28)
Got it. And well, two questions. One is, how did you even get into security? And then once you got into security, how did you end up where you are
Stephen Owen (01:41)
Sure, very good question. At heart, so I left home at 16, many, many years ago, for whatever reasons I won't go through. So I was a late bloomer, as we'd say, as certainly my mother would say. And eventually I made my way to university, which I loved, microelectronics and software engineering. So I went the software engineering route,
which was multi-disciplined. And I started writing software. And many, many years later, through different career progressions, 15, 20 years ago, I wrote some software as a hosted technology. Now we call it software as a service, but it was for an investment bank. And it was the first time they used this hosted technology. So one of their security people came along
and looked at my database of how I did the passwords. And I was using, we call it MD5, to hash the passwords. This is to keep the passwords safe in the database. This is some time ago. And he waved his finger at me and said, Steve, you can do better here. You're good elsewhere, but there's a thing called rainbow tables. And I thought, what are rainbow tables?
That was it. I was hooked. And it started to change my mindset of the adversary, of what they could do. And from that day onwards, I've been and I'm still learning constantly more and more about security. The more you know, the less you know. And that's so, so true in security. And I think that's one of the nuggets: just continue learning and constant learning. But that was my route in,
through software engineering. I know some people go through from networking, IT. I came through software, and I would say that's coming into its forefront now, because cloud is software, or automation, GPT automation. So now it's like, at last, okay. And of course, if you speak to my team, they're just like, come on, automate it, Python. Half my team can do Python as well. So it's good.
So it's a benefit in kind.
Adi (04:13)
Interesting. Yeah, I would see a lot of benefits of knowing software engineering when you become a CISO.
Stephen Owen (04:21)
Yes, yeah, but with it you do have weaknesses. But as long as you acknowledge them and you work with your team, and they get to know your strengths and weaknesses. So I have some blind sides. So I'll work with my team, but virtually, so it's a team effort. You can't be an expert of all. And it's just working on your strengths and weaknesses of the team and your team matrix.
So that's one piece of advice I would say to any up-and-coming security lead: you don't have to be an expert of all at all. One of your best security controls is your team.
Adi (05:04)
Amazing. Would you say the different roles you've done in security have been significantly different from one another?
Stephen Owen (05:15)
They sort of blended in a way. So one is solution architecture with a strong emphasis on security and security architecture and cloud.
And that was very, very helpful, because you learn about their techniques. Again, it's that adversary mindset of what could potentially happen, how to analyze systems quickly from a black box, of what would an adversary see versus as they peel back the covers. Think of it like an onion, peeling back the rings of that onion to understand how they were
to get to the crown jewels or different elements, to exfiltrate data out, where the key areas are. So it teaches you very, very good techniques. Then I morphed into, because I think if I backtrack here, as a security professional, I believe you need several disciplines depending on your career projection.
For mine, I wanted, because of my software engineering background, architecture, security architecture. With it, I naturally think you should understand privacy. So I specialized in privacy and also cloud, AWS, Azure, different clouds, containers. So I think you need several understandings. And then I went into threat analytics, threat modeling, risks. And I think
you do need some understanding of some of those and a strong appreciation. So at one point, through the National Lottery, I was working with David Boda, who's a fantastic CISO, who's moved on, from supporting him and his team. Then I was the data protection officer at the National Lottery for Camelot. So that gave me a strong appreciation of privacy. But at the end of the day, there's such a strong overlap with the security team, whether it's dealing with
where the data is. It's a bit more abstract problems of, we call it processing reasons, why are you using that data?
Sometimes that's not so important for security, because you understand the value of the data, but it's the reason why you're using it. So it gets your mind thinking. I think that's now becoming a lot more important with AI, of understanding the reasoning behind things as well. And I'm now seeing from my CISO friends privacy
under the remit of CISOs a lot more. Before, some years ago, you wouldn't have seen that. You'd see it with legal counsel, reporting into a DPO and privacy teams. But depending on the size of the organization, it's happening more and more now that privacy is coming into the CISO's remit, because it's such a strong overlap, and the CISO is used to dealing with difficult situations, and it's a lot more efficiency for the company as well, and benefit.
Adi (08:29)
Amazing. Have you seen different ways companies approach security? Like some companies that are more, you know, security aware, very on it. And some companies are like, yeah, we have to do security.
Stephen Owen (08:46)
Yes. I've got to be careful. Luckily, the companies I've worked for have a strong security approach, or they do throughout this journey. And I think the bottom line is companies and directors, board directors, go through this journey. Often they don't know. And sometimes they don't know how to phrase the questions; they know from all of the news reports
Adi (08:51)
No name.
Stephen Owen (09:16)
that it is important. And I go back 10, 15 years, and I've seen directors learn as to how the market is approached. And it's, again, very, very prominent now. You know, often when you go into companies, cybersecurity is typically one of the top five risks of that business. Okay. It's very rare that it's not. Okay. And what are they doing about it? So some companies have different cultures. Some companies are, I call it,
tick box culture. But I often find those sort of companies, eventually, in any amount of time, do get compromised. Even when they have a level of compliance, again, they run about, well, we are PCI compliant or ISO compliant or different Essentials compliance. With that mindset of tick box, they run around at what used to be annually or monthly before,
instead of living and breathing it daily. But I think, again, that's a journey companies have to go through. And execs as well. So it's up to security leaders. And I think it's up to security leaders to talk this, try and talk the same language as execs. And I think that's part of the history of the problem, because I often say security people talk Klingon and execs talk English, maybe different.
And that's part of the historical problem, that some execs have shied away from security folk to say, I don't understand the language. So I think security people also are at fault. And again, I'm always trying to improve as well how to tell that story in plain English to executives so they understand the context. And that is an art in itself, as they say, and security leads.
Adi (11:13)
That's so interesting. I remember I was talking to a CISO and I told him that I've been talking to a lot of CISOs and they always seemed to be very nice people, you know, wanting to talk. And he was like, you must have been talking to some really good CISOs. It was interesting. Okay, cool. What does your day-to-day look like? Like, what do you do in the office? What are the actual actions that you need?
Stephen Owen (11:27)
Thank you.
Adi (11:42)
But need to have
Stephen Owen (11:44)
No day is the same. So that's one of the benefits of security. It's very rare that what I did yesterday is very similar to the next day. There's always something happening. It can vary. It goes through cycles depending on the time of month or quarterly, because of reporting. Certainly in the regulated space, there's a lot of reporting and awareness,
oversight by different groups within the company: risk and compliance, audit, risk committees. But suddenly you have to turn around and work with a team and understand the day-to-day problems. So I took some time before this and I looked through some of the interview questions, and I mapped out one or two of my things which I did today, just today. But tomorrow might be different, there'll be a different flavor, because
if I just go back to last Friday, I know a lot of CISOs were hit with the global, the Microsoft and CrowdStrike issues. It could have been Carbon Black, it could be another, but that's typical of you wake up in the morning: it's going to be a different day today, different types of stress. So that just highlights the dynamics in a way. Sometimes it's a bit like a drug, a day-to-day addiction, you know, fighting in the trenches and the bear fights. But today,
what was my day today? So I'm looking at my notes now. So first thing in the morning, if I can, I will do some planning of what's today's, next week's and a bit further on the horizon, and just some quiet time focusing. Then, before I open my emails, I'll look at the cyber dashboards and some threat feeds. So I'm trying to compartmentalize my time.
So it gets my mind in the right space. So I'm trying to first begin with strategic thinking, thinking about today's problems, near problems, what's coming.
Then I look at some of the threat feeds. I believe, again, in automation and data. So I look at all the data dashboards. Is there anything coming?
Then I have a look at the teams to see if they've sent up any red flags at all, or orange flares. Then I'll start looking at what are the projects we're delivering, are they on track, and trying to have some foresight of where they could go wrong, and try and sort of guide some of the team leads on where they need to improve to keep it on track. So it's just that foresight, strategic thinking. Then it's the upward management
of talking to the different stakeholders, my different bosses. Often CISOs, let them have a direct report. They could have many, you know, many, many bosses, from different board risk, CIOs, COOs; suddenly the CFO has asked you a question, and they can range. So everybody is my boss, even my team. I work for my team. So it's different. They're all my bosses. And I think it's that mindset.
So I'm looking to see if anybody's asking questions or I need to feed back questions. As I'm approaching the evening, past six o'clock, I roll up the sleeves, might do some coding, some data analytics, look at some insights, threat insights, do some mentoring or attend a round table. So come eight o'clock, I'll switch off, ready for the next
Adi (15:30)
Amazing. Wow, that does seem like a very diverse day. Every hour is different from the other, and also every full day is different from another.
Stephen Owen (15:42)
It is. I know what's coming up next week, but I full well know that it could change 48 hours before. There's always an escalation. It doesn't mean that it's a negative escalation, but there are often, you know, when it's getting bad, you have two or three different escalations in different subject areas. Thinking, well, in actual fact, I often say to myself, could I have foreseen this? Could I have done something about it? But often you can't. It was a left-field event. But that, again, you have to think of the positives:
that's made the day interesting. How have I learned from
Adi (16:17)
Interesting. Do you have a large team?
Stephen Owen (16:20)
I have a medium-sized team, there's, what, 10 people in my team. I wouldn't measure, because I would say a couple of my team members, they are the power of three or four different security people. So I've worked with teams of 10, 20, 30 people. It depends on where that company is. I know some CISOs get hung up about team sizes.
But I would say, look at the efficiencies of that team and the problems they're solving. So again, instead of doing, let's say, daily checks to a degree, I would say, let's automate that, so I can remove half a person from those daily tick boxes to looking at a dashboard, and they can spend better time elsewhere. So it's how you marshal your team and the depth of those skills they have, and how you grow them as individuals.
And that's how you get to having a high-performing team: grow them professionally so you can deliver better. They can grow professionally, and it's really exciting and makes a great dynamic.
Adi (17:30)
Amazing. What are the different roles you'd have on a team like
Stephen Owen (17:36)
So in smaller teams, you've got to be versatile and stand up and be counted. You can't, it's very strange to have people in isolation. So for example, you might have cyber in the supply chain, and they will be doing risks. So to give you an idea of that, the individual might be partnering with a posture assessment or doing third parties, automating it into real-time dashboards, automating if we're doing questionnaires.
But suddenly the other half of the day, instead of the traditional heat map risks, we do quantitative risk, and doing that. So we take it to the next level. Basically, I encourage the team to take it to the next level. So, security engineer. I've got some fantastic security engineers. They are brilliant. So they might be doing some automation, press intelligence feeds. So for one recently,
instead of buying a tool off the shelf, which would have taken weeks to deploy and been expensive, we took some technology, we call it NetFlow logs. It's telling us who accesses what. We automated it with open source, and it gives us a level of analysis to help us with other tools. But it so happens the rest of IT said, can we have it as well? So by definition, we've actually also sort of underpinned and supported,
provided air under the wings of other team members to deliver who's accessing what. But for us, this was an instrument, a vehicle, to get to answer some other questions we had. So that was the security engineer.
The security operations manager, very, very key, hands on, analysts of different levels. I have a BISO, which is quite strange in an organization, but this young lady is just amazing. Dare I say it, she'll ask for a pay rise, which I shouldn't say out too loud. She's the glue in the team and in the business. She's the
friendly face of security and also IT. So often you have in security teams, there can be, not a rift, but there can be sometimes friction in the business, which you don't
This young lady just melts those barriers, and it's fantastic. So it allows you to get better traction on your security initiatives, the engagement, and indirectly you can measure that as well. A fantastic security control. So I come back to: my best security control is my team.
Adi (20:23)
Amazing. Wow. First of all, it's so nice to hear you speak so kindly about your team. It really shows the way you view them.
Stephen Owen (20:34)
I'm not sure if they'd say the same, but I ask a lot of them, but they do give a lot. It's like, I do, and I have a professional responsibility for my, even my past team members at different companies. If they knock at the door, I would always give up time to help them on their career. You know, it's a responsibility of all leaders.
Adi (20:54)
Amazing. Do you ever feel like you have to be like a bad cop or be very, you know, saying no a lot to different people in the company or even your team?
Stephen Owen (21:11)
I learned, and I'm sure I'll have to pay for it if I praise him. David Boda, okay, is a very, very good CISO, and I learned, observed how he negotiated, okay. There's no such thing as no; you give them options. Depending on how you present those options, it might be three or four, and it's how the psychological
aspect works. You know, remember that, security people, that plays a big, you know, big part of how you present options to people, you know, not extremes. And at the end of the day, this is a risk decision. And I go back to security leaders and potential CISOs up and coming: risk is your best friend, without saying everything is red.
And I would probably challenge that you want to start using this language of risk exposure, the annual loss in financial, monetary terms. It's a one-in-three-year event or one-in-five-year event if we do this. And this is the potential monetary loss, with some evidence in there. So it's more of an objective view than a subjective personal opinion. And I think as you present some options, people see you've been pragmatic.
So I'm not saying no, I'm giving them a range of options. There's some things, often you say, would I die on the hill for that decision? And some CISOs, at some points in your career, depending on your ethical standings, you will have to say, no, I draw the line on that, that just doesn't chime well with me. It might be one of your bosses has made the wrong decision.
Regardless of my career, I will always then voice it to the risk officer or somebody else, saying, no, this is my integrity. I would recommend you do this. As long as you've laid out those risk options objectively. And I go back to my chemistry teacher, many, 40-plus years, 50 years ago. When we used to do chemistry and the science, he said, you should write down your science experiment so somebody could repeat it.
Risk is the same: as you write down your risk statements and how you evolved to it, another security professional should come in and, within reason, come to the same judgment. That's how risk should be. So that allows you, you're not saying yes, you're not saying no, you're giving them a set of options. Okay, it's a business risk decision, but some things you might have to die on the hill for, or
Adi (24:00)
Have you ever been in a company, obviously without any names, but have you been in a company where there was a serious security, what's the word, event, where you had to, real time, you know, get working?
Stephen Owen (24:20)
Yes.
Adi (24:24)
I guess that's inevitable if you've been working in the field for 20 years.
Stephen Owen (24:31)
Yes, there are different degrees. Okay. I'm always cautious, because it doesn't take much to pin it to which company it was in my career. So have I had security incidents on my watch? Yes. Have I had a major one? No. Have I had security friends who have had? Yes. Have I learned from their lessons?
Adi (24:59)
You
Stephen Owen (25:00)
Yes, I have.
But when I say that, it doesn't mean it was their fault at all. It's how they cope with their teams and their lessons learned. And that's what I'm trying to always evolve from. And often what you see in the press is different to what you see. So, round table, you close the room door. So you take a pinch of what you're hearing. The news of CISOs, you know, what? Historically, they were thrown under the bus. Less so now.
And I think there is a slight difference between the US and the European market as well. I would say that. You can infer that the recent CISOs that have claimed have been thrown under the bus. But most CISOs will know some of those decisions weren't taken in isolation. Most CISOs don't have, for example, 150,000, 200,000 spend
without any other oversight. If you did, you had bad financial controls, without the size of the company. So there are other fingerprints on that dagger. That's all I would
Adi (26:13)
Interesting. What would you say the difference is between what is said within CISOs, closed doors, the way you learn from each other, versus what comes out to maybe the news, or when it's a big breach in the media?
Stephen Owen (26:34)
I think you gain a level of confidence with fellow CISOs, and they're all at different journeys in different sectors. And once you often see familiar faces, certainly in the UK round table, in the circuit, you all have very similar overlapping experiences. Yes, I've had that. Yes, I've had that. They talk about the challenges and you share your challenges.
And there's always, we call it Chatham House rules, that you can't attribute who said what, and you try not to anyway. But often you're taking away those learnings of constantly how to improve your delivery, your different viewpoints on it as well. And sometimes, occasionally, I pull in a CISO and say, can you give me a... Dom, who is a great leader. He's moved on recently. He was, I think, part of the Travelex around somewhere.
He does some great talks about mental health, really great talks. So I pulled Dom in to give me a talk about the team, if it's mental health. But also you'll talk about the event as well. What went well, what went wrong, how to improve, besides the other benefits as well. The hidden mental health aspect as well, which is a big thing in cyber teams, is not always on a breach. It can be just growing and growing because of the constant pressure.
We're always under limited resource to a degree, constant pressure, ever-changing demands. So that does take a toll on security leaders and teams.
Adi (28:15)
Interesting. What would you say are the biggest issues right now in the cyber security field, which is so quickly changing?
Stephen Owen (28:30)
In the last, again, it depends on the sector, where you are. If I was in an educational health hospital in the US, it would be a different problem, a set of problems. I've been in the insurance and finance sector in the UK. There is a level of backstory to this. The classical ransomware is always on the top of the mind for a lot of CISOs,
changing in waves, it comes and goes. Because my analogy is, as different administrations in the US and Europe do takedowns, it's a bit like squeezing jelly. These groups splinter, and the jelly reforms out of your hand, and they reform and splinter, and a new type of attack forms, and it's ever-changing. So there is that, and what they go after. But I think that under
Fred.
I would say I think what I'm wary about is, we talk about ransomware as a service. I think there's going to be a lot
of expansion of that, not as a ransomware capability, whether advanced phishing through AI, readily available models. I think they will get a lot more intelligent and a lot quicker to take hold and exploit those vulnerabilities. So instead of the crude phishing emails you get, which a lot of good security controls will block,
a good GPT box, and I write a lot of prompts and AI and APIs. I can look at different profiles and craft a conversation with an individual with no links. Then once I've got them on the hook, then I send them the payload to click on, once that trust has been established. But to try and do that at volume is difficult, and sniper shooting. But I think it will get there. But then suddenly,
they will also look at vulnerabilities on your web surfaces and others. So I think the advanced attack will get a lot more advanced with this capability. I've seen this in some ransomware groups. A few years ago, there were some chat histories. This is when the Ukraine and Russia war and they fell apart. And the quantity notes, when you did that analysis, some of them were doing research about
Bitcoin and others and doing their own ledgers. So some of them are forward-thinking, of investment, of return on investment. So some of these groups are thinking that way, so it wouldn't surprise me over the next 12 months, 14 months, they will get more... No, there are some very good. I think it was Palo Alto Unit 42 recently who were saying, you know, getting better, these dormant URLs, domains.
So whenever a GPT model is announced, the dormant domains, the lookalikes, the spikes. So they are, it's very crude, and you can say you can't correlate it too much, but they're very, very aware. They're getting better. That's what I'm saying.
Adi (31:58)
Interesting. How do you cope with that? Are there any actions that you are already doing now?
Stephen Owen (32:07)
I think the first one is elevating your team awareness and giving them constant skills. So all of my team members have, I call it, a three-year roadmap. This is a professional roadmap of what skills, what qualifications they want, exposure, Black Hat, pet Friday afternoon projects, which I'm always keen for. And part of that is some of them are GPTs or haystacks or APIs. How can we make use? So growing the team's awareness
in these new technologies, you've got to be 12 months ahead, so that when you do face these skills, they understand it. So I think it's creating skills within your team, and awareness is the first part. So whether you're assessing third-party vendor security tools, which claim they have it, it could be a claim, they've just got AI in the buzzword, or is there genuine behind it, but at least they've got the base foundation skills to do that analysis.
So I'd say it starts with the team and making them stronger and aware, as professional growth. That's what I'd suggest.
Adi (33:15)
Do you think most CISOs are aware of the severity, the potential of this thing? Or is it something that... not so much?
Stephen Owen (33:27)
I think the majority are. I think they are. A lot of security vendors will have it in their badge name even though they're not. But you can't but see it. Everything's AI. Well, challenge, all right, when you peel back the covers. Maybe not. So I think CISOs are aware. But businesses, yes. So there's awareness of
I think the biggest one for CISOs at the moment is Microsoft have Copilot, which behind the scenes is language models, but Copilot allows, I call it, knowledge workers to complete emails faster,
look at their documents within SharePoint, their OneDrives, look at other people's documents. So CISOs are now beginning to wake up and saying, yes, business wants this. Great productivity, set aside the cost for a moment. But with it comes challenges: if you don't have your access controls, you need to solve that. Otherwise, you ask your Copilot who's earning the most salary. And if your access controls of your Word documents
aren't battened down correctly, they could soon discover that. So there's some foundations that CISOs need to be aware of, but that's one item where I think this technology will drive CISOs, or the CISOs on the forefront. So I would always advocate CISOs try and be that one step ahead of the business. But businesses are adopting at a fast pace, whether it be Copilot, chats, integration, automation.
It's certainly happening in the FinTech, InsurTech market.
Adi (35:18)
How do you think the field will look if you're looking two years, five years, 10 years into the future?
Stephen Owen (35:27)
Very good question.
Adi (35:29)
Thank you.
Stephen Owen (35:30)
Really good question. I think it's going to impact us a lot. And you can see the seeds are ready. I'm a coder. Sometimes, what was this function? How do I do this? I've got plugins into my integrated development environments. My coding, my speed of coding and delivery, has gone up without a shadow of a doubt. So that's of today. So what was, let's
if I saw squads of developers and junior developers, I think with AI plugins and extra tools in the future, what was a junior grad will suddenly become a senior. Okay. So I think productivity, it doesn't mean job loss, but I think people with ideas to harness that tech will benefit.
And if I flip over to security, I think you'll be doing more with less. So the team sizes will be staying the same, but there'll be a lot more analysis. So instead of looking at three or four different tools, Azure has already got, on their Copilot equivalent, give me all of the Azure instances which are publicly exposed. I can write that as a human sentence.
So I think we're going to see more of that, as in: tell me all of my environments which are publicly exposed on my data center, which have got a vulnerability which is exploitable in the KEV database or an EPSS. So I can start phrasing that. And this comes back to, it's data. Often security is data. So anybody with data, or if you can hold that data which can be mined, you're setting yourself up for success for the future.
Adi (37:27)
I think.
Wow. How do you find, or what would you say? Yeah, no, I'm thinking, like, how do you find the time within everything you do, like the actual work that needs to be done, and staying up to date? Because it seems like there's so much, like every day things are coming out, things are happening. This company got breached. This thing happened. This, you know, everything is moving.
Stephen Owen (37:32)
We have it a
We've covered a lot.
It is constant. You can't stay abreast of it all. The more you know, the less you know. You'll always have pet subjects in different verticals. I think, again, it's back to that team. As long as you build your team matrix right, they have different strengths and overlapping. You do lunch and learns within your team. They'll say, I found this recently. And they'll talk about
a different threat actor, their different techniques, or suddenly you'll share how to write, we call it MITRE ATT&CK, and using APT to mine different techniques. So I think you've got to
bring your team along this, so they share what they learn, bring it to life. You've got to set aside time yourself to read these threat feeds, and sometimes what's relevant to the business. So it's not for security leaders, depending on where you are in your career, you might have to start learning not just on security, but changes in the industry. So I'm within the Lloyd's market syndicates.
There are changes in this area, what different businesses are doing with this level of data and a level of analysis and automation. So that helps you to deliver benefits indirectly back into the business. But I would say try and set aside time for yourself. I'm very bad at that, but try and set aside personal time as
Adi (39:30)
What do you think is one thing that CISOs maybe overlook a bit? Like something that isn't in the center of their attention that should be more in their center of attention.
Stephen Owen (39:44)
I think I come back to the centre ground for CISOs is risk. Risk and team culture. I think I come back to always your best security control is your team. You know, the servant leadership and the EQ strengths, building that matrix. You don't want to have people who say yes to
You want challenging behaviors and you need that balance in the team and a mix as well in diversity. It's quite scary when you get that mix and that matrix right, you can deliver magic. The issuer team are on that team and I'm growing in that same team capability. It takes time in getting that right dynamics, but it's very, very exciting for the individuals themselves and the security team.
if you get that right. So that was one advice for CISO. Your team comes first and getting that right mix and that balance doesn't happen overnight. It takes time. And I think the next one is my piece of advice is talk to other CISOs. You're not alone. OK, you do have overlapping problems. Considerate counseling. OK, we all have bad days. Pick up the phone to another CISO or attend a roundtable.
You'll soon find familiar faces, familiar stories as well. And I think the final one piece of advice is understand risk and quant, because if you can convey risk that a CFO understands, the CEO or CTO, CIO, if they understand that language of non-tech, they're more likely to give you budget and resource.
Adi (41:34)
Amazing. That was a great, almost summary of, like, the advice. So I have one final question before we finish. How do you look at bringing together, I see the CSO role as very much tech and business. You have to know how to speak both the languages and you have to know how to communicate with both.
Stephen Owen (41:46)
Yes.
Adi (42:04)
and even like be the person in the middle sometimes in a way. Do you do you agree with that? How do you think about
Stephen Owen (42:15)
I partially agree. I
different security leaders will have different roles. What I find, and I won't name the different boards, earlier on in my career, I remember sitting in a room full of execs. It was like herding cats. They all had different opinions. And it was. I remember it to this day. I can play it back in my mind. I'm whoa, you put them on this plinth, maybe, to begin with, and you think, they've been anointed by God. They're fantastic.
No they're not. Okay. They've got there somehow. It doesn't mean they're great at making decisions. Okay. And sometimes they have different opinions, but they're different strengths. So just keep laughing by their normal. But what I would say is you need to know the personality of your board, of the individuals. You know, there is a trait, a model, you say CFO is going to behave in certain ways, obvious, but they might be more analytical.
love data. The CEO may not understand tech, but it is a great people's strategic thinking. Understand the personality of those individuals, those roles, build relationships, and that will help you tell that story. And just put it into context. So I'm making this up. I don't play golf, but you imagine you're telling a story about a security issue, you might relate it to a 22nd story about playing golf. Okay.
and the different hopping from one hole to another on a hold course, that's what an actor, threat actor will do to get to the final hole, to get to the clubhouse. So they have to go, they don't straight away go to the clubhouse. They have to go one to the other. But telling a story that way, which may resonate a bit stronger to the person wanting, you know, the green lights from.
Adi (44:16)
Amazing. Wow, Stephen, I feel like I learned so much. So thank you. And yeah, I think that is it for today. Thank you for coming
Stephen Owen (44:28)
Thank you as well. And I would say to any other individuals who leaving college or sixth form, reach out to my LinkedIn. I do have mentoring time. I'm always key. And I feel when I go for mentoring individuals, when they land their first job in security, I feel I got the job as well. So there are certain recipes of how to land your success. I'm always keen for new people to come into the industry. So look, if you don't go to university,
Look at your brand, maybe do a CompTIA or free course, open source project, reach out to mentoring and rotate them. But you can't, and if you get that right mix, you will land your first job. I know there's a couple of my mentees and they're, that's fantastic. Yeah, it's thrilling when you see they land their first job in a really hard core security roles.
Adi (45:22)
Amazing, that is so kind of you. Thank you so much.
Stephen Owen (45:26)
No problem. Have a great day and weekend as well. All right. Thank
Adi (45:29)
YouTube, wait, okay, stop the