Sep 29, 2024
Episode Description
In this episode of the Hands on CISO podcast, host Adi speaks with Todd Fitzgerald, an experienced CISO and bestselling author, about his journey in cybersecurity, the evolution of the CISO role, and the importance of understanding the human factor in security. Todd shares insights on the challenges faced by CISOs today, the significance of networking, and the future of cybersecurity. He emphasizes the need for continuous learning and the importance of building relationships within the industry.
Adi: Hi everyone, and welcome to the Hands-On CISO podcast. My name is Adi, and today we're talking to Todd Fitzgerald. Todd is an experienced CISO and the number one bestselling cybersecurity and privacy leadership author, with five cybersecurity books published. He is also a leading podcaster, leading the CISO Stories podcast, which has almost 200 episodes. Todd, how are you doing today?

Todd: Great, it's great to be here today, Adi.

Adi: Amazing. So before anything else, you've come a very long way inside of security, but how did you get started?

Todd: Well, it's interesting. So the first half of my career, I started out as a computer programmer but then quickly moved into database administration and data modeling, and so then I was managing DBAs and data modelers. I did that the first half of my career, and then there was a job that I was applying for, and they said, "Well, do you know anything about security?" because I would be managing DBAs, security and business intelligence. And I said, "Well, I know some things about security through working with DBAs and so forth." And I had a couple teams: I had the security team, I had the DBAs and the business intelligence team. And my security team wasn't real happy that I was being hired, because they said, "Oh, he's a DBA, he's going to spend all his time with the DBA people." And what actually happened was I was very interested in security, and that's where I really started to grow my security skills, and I spent all my time with the security team, because I really didn't need to spend a lot of time with the DBAs. And so then I never looked back, and that was many, many years ago.

Adi: Wow, so they were concerned that you're not going to pay attention to them, and you ended up paying attention only to them.

Todd: Yeah, well, mostly them, yeah.

Adi: Crazy. And when you started, what did your day-to-day look like as a manager in security and also DBA?

Todd: It's... so when you have, you know, when you're managing these
these things... Now, this was a different time than it is now, and we have to take ourselves back, that the security role was really a technical-oriented role in organizations, and it was seen as giving access and authorization to files and things like that, and it's grown much, much larger than it is today. So it was like early days of security, and so you're dealing with a lot of different issues. You're dealing with end users, problems with access to systems, who needs what, but you're pretty much at that level. But we've really evolved well beyond that, to where it's a much bigger scope of a problem. And I wrote the first book for ISC2, called CISO... CISO leadership skills, essential leadership, and that was the first attempt really to put some structure around what is this job. But I didn't write that until 2008, started that in 2006, so that was a few years later, based on some of those earlier experiences. And then now, I know we'll probably get into the book stuff later, but the CISO Compass book, which became the bestselling book each of the last five years, is a guidebook for CISOs. It was a complete rewrite. It wasn't just take the old book, update it a little bit; it was throw away that book, rewrite this book, and it's actually twice the size of the prior book. So that's how much this field has really changed and grown.

Adi: Well, what do you think about the book made it so relatable or so appealing to CISOs? Like, what was the thing they were so interested in?

Todd: So what I wanted to do with that is make something that was a structured way of looking at this role. So innovation is taking two different things and putting it together. So if you think about it, think of the iPhone
for example. Apple didn't invent the telephone, they didn't invent the camera, and they didn't invent music, portable music. We had all those things. We had Walkmans with cassette tapes and then with CDs. But what they did was they took existing concepts and brought them together into something that was very usable. So now we have it in our pocket, right? We can have our music, we can have our videos, we have apps and everything else, and sometimes we can even use a phone to make a phone call today, right? So we've combined all those things. Well, I wanted to do something similar to this job of the CISO, and so I took something called the McKinsey 7-S model, which is about innovation, or is about organizational effectiveness, and what they said was there's seven things that you need to make a strategy come true in an organization: it's structure, systems, style, staff, skills and shared values, and every one of those things is important to achieve your business objective. So I thought, well, we have all these activities that we do in security, why don't we tie these things together? Because we're really operating as a business within a business. Don't we want to be successful? Don't we want to achieve our strategy? So for example, if you don't have the right systems in place, and by that I mean the processes and routines that we do in an organization, they may be IT systems, but they're also the processes, if you don't have those in place to support your strategy, then you're not going to achieve your cybersecurity strategy. Or if you don't have the right skills in your organization, you could have a very nice strategy on paper, but you're not going to achieve it because you don't have the right people to do it. And so it's bringing all those things together. So that's what I structured the whole book around: what are all those things that you need to do? And then in addition to that, I invited 75 other top CISOs and
industry leaders to take a problem and say: what was the problem, what did you do about it, what would you do differently, what was the result of what you did, so that other people can learn from your experience. So where you may not be in a conversation with the global CISO for TikTok or the CISO for Coca-Cola, I brought those people, or JPMorgan Chase, I mean we had all those people in the book, I brought those people together and they shared their individual experiences on different dimensions of security, and that's what has made the book so powerful. It's not just a collection of stories. I've seen some books where people shove together a whole bunch of stories, but it's not integrated, right? It's just a collection of stories. Well, this is a very structured way of looking at it. And then recently we released The Privacy Leader Compass, which is targeted around chief privacy officers, and CISOs can also benefit from that as well by understanding all the laws and so forth. So that's what I think... I guess I get very passionate about this because it's a way to help the next generation of people. I'm not in that job anymore, and somebody has to fill those shoes to make sure that we're protecting things for all of us.

Adi: Amazing. When you were talking to all these different CISOs from such different companies, did they seem to have similar issues, similar views, or was it really very different depending on sector and industry and everything?

Todd: What's interesting is the number of different issues that CISOs are dealing with. I mean, it's not like I had 10 CISOs opining on a particular singular issue. There were all kinds of different issues, and so you get all these different perspectives, and what I asked the CISOs to write about is something they
were passionate about and a problem that they solved, and so I got really good content from them. So some people were working on things, for example, in data science and automating their environments and using SOAR to automate many of the tasks that could be automated. Well, they shared that knowledge and how they went about that. Other people had issues with identity and access management, and what were some of those issues. Some people talked about how do I work with the board, and what sort of tips would you give when you're giving that board presentation. I've had some people that looked at risk, and some people that have written some of the risk management books that we use weigh in and talk about their experiences. So they become different, and then you get differing opinions as well. I had one person, for example, was talking about budget, right? Everybody wants a lot of budget as a CISO. Well, he wrote a very interesting piece in there: what happens when you get too much budget? And that's not a problem a lot of people would think about, but he articulated this scenario where he went before the board and everybody and he said, "Hey, I need this much money over three years to fill our gaps," and to his surprise they came back to him and said, "We'll give you the money, but we want you to get it done in a year." And he said it was a big mistake, because even though he could get the security products and everything in, the organization couldn't change fast enough, couldn't adapt to all these new processes and ways of doing things. And so that was a great lesson: if you're going to do this kind of thing, well, maybe you don't accept that burden of all those activities in a one-year time, because the organization can only handle so much change. So there were
lots of those kinds of perspectives in there, and that's what I love about talking to CISOs, because you get experienced CISOs, we can all learn from them.

Adi: Wow. That story sounds like as a CISO, a lot of the time you're between... on the one hand you have your own feel, like you have to make sure security is happening the way it should, and on the other hand you have management that has more business-oriented goals, and then you have the people to educate and manage. How does everything merge together?

Todd: Very difficultly. That's not even a word, but we'll use that word. And that's why the CISO role is such a critical role today, because the CISO is really that business translator, and the successful ones are really good at that. Because you're working with your upper management, and so you're understanding what the organizational business goals are, you understand enough about the technology to know what the technology can do for you, and then you've got to manage your teams and your people to make sure that you've got the right skills on your team to implement those things and move it forward. And then once you've done that, you have to educate your workforce so that they're actually working within that security system and not trying to go around that. And so it really takes all... I really love your question, because it really takes all of those perspectives when you're looking at security. And I think... let's face it, a lot of the security people come up through the technical ranks, and so things tend to be a little black and white down at the hardware level, right, and the software level. If you don't do something right, it doesn't work right. And so we get into this mindset that this is the way it has to be. But people are people, and people don't work consistently. They don't follow the rules, they make
up their own rules. Some people follow rules, some don't follow rules. So you have to have a system that takes all that into account.

Adi: Have you seen a shift in the way CISOs look at the human factor throughout the years?

Todd: I think, if we look at things like phishing campaigns, for example, I think that is one of the best things that could have arrived for CISOs, the ability to do phishing campaigns. I know people have different views of those, but for me, I use those to draw attention to the fact that you may not be as knowledgeable as you think you are, talking about the end user, around security. And so if I've failed on a phishing test, or I've been duped, as some people might call it, then now all of a sudden I'm like, "Well, wait a minute, I missed something. Maybe I need to pay more attention to this." And now I'm open to learning. And I think that's what that really does for us, where it gives us the opportunity to then say, okay, let's talk about other things. Let's use that as a launch point to talk about mobile security, and talk about your home security, and talk about updating your PCs, and talking about use of public Wi-Fi. And so we can use that as a springboard to talk about lots of other issues. I've always been a big proponent of security awareness. I used to do a lot of presentations, and at one time, I was written in a computer magazine, they called me the prop comic, because I always use props, costumes, because I wanted a visual way to make the point. I've dressed up as Darth Vader and come into the room and talked about the 10 ways why Darth Vader was a great security manager, which is actually off of another piece that somebody wrote around project management a while ago, but I thought, well, that
will be fun. And so you do all those things. Or if you have a breach, and I go out into the audience and I'll have a megaphone and I will go up right into people's face and say, "We got this breach! What are we going to do about it? What's your next step?" and they're like, "I don't know," and then I go to different people. But that's the reality of it, and people remember those things. So in your organizations, we have to make security awareness memorable. So have it be entertaining, have it be funny, but make sure there's a message in there. Otherwise, you can't just have a clown show, but you need to have a message that comes through there.

Adi: How can you create a culture of people who are security aware if the company is currently not, versus if you're starting from scratch, you're very early in a company?

Todd: I think you have to articulate what the risks are, and not through fear, uncertainty and doubt, but actually using real incidents that apply to your industry is a really good way to do that. And show that these things happen to people, show how people get scammed. Talk to people about how their own bank account information can be missing one day if they're clicking on the wrong things on their phone, or they're going to some dodgy website, or they're ordering something online that they really don't know who this provider is. Have it be personal to them, because let's face it, people want to know, and executives are this way too, you've got to answer the question, "What's in it for me?" You can't go to your marketing executive, your finance executive, and talk to them about security and why they need to fund this or they need to support you in this. You need to reverse that conversation and say, how can I help my chief marketing officer? How can I
help my finance guy? What's in it for him? Okay, well, maybe the finance guy needs to be able to rely on his financial records in order to make the right financial reports, right? Well, maybe you sell integrity to your CFO. Maybe that's the trigger for him, that he's able to rely on that information he's actually reviewing and he can trust those numbers, that they haven't been changed and that there isn't fraud in the system. So you have to look for ways to do that.

Adi: Interesting. Without mentioning any specific companies, of course, have you ever been in a company where a very bad security incident happened?

Todd: Yeah, I can tell you, we had one organization... well, there's been many incidents, but just this one particular time, it just sticks in my memory, because I think it was earlier in my career, and I was a CISO of an organization and we were doing a lot of government contracting, and we had to have things like system security plans and risk assessments and policies and procedures and all that documented and reviewed by the government. The auditors would come in. Well, we had about 80 audit findings, and some of those were high risk, and I'm looking at my stuff and I'm saying, well, nothing's wrong with my risk assessments, my security plans. All the deliverables that I had to produce as the chief security officer were all good. All of those IT audit issues, those were in the CIO's area. That was his issue, because he had all these infrastructure problems and identity management stuff and all that stuff that he was supposed to fix. Well, then we were pulled in, the CIO and I were pulled into the president's office, and she looked at us and said, "What's going on with these 80 audit findings?" And we had a discussion and I said, "Well, they're all in the IT area," or whatever, and she looked at the two of us and
she says, "I don't care whose issue this is. Both of you," right, now this was mid-year, she says, "both of you are getting a below-average performance review if these aren't fixed by the end of the year." And so we walked out of that room, and it was an important lesson for me that we had to partner together to make these things go away, or it wasn't going to be good for either of us. And so that's when I learned the CISO can't really separate themselves from the issues in the organization. And luckily, by the end of the year we had resolved those audit issues. We spent a lot of money, a lot of time, got a lot of resources. In fact, the CIO made a mention to me once, he says, "Todd, everybody's working for you now, not me, because they're all doing security work." So we made it happen, and we both got above-average reviews by the end of the year. But the president really did a really good thing for us and said that you guys have to work together and figure it out, and that was a very important lesson for me to learn about the role of the CISO, and that you have to partner with these other people in the organization.

Adi: It sounds like in the CISO role, the thing that keeps coming up is the amount of responsibility that you have, both for the things you know about and the things you don't know about, which can create a lot of stress. What was your way of dealing with that stress, and have you seen any CISOs doing any other interesting things to do that?

Todd: I think, you know, one of my hobbies, really kind of a side hobby, if you look, half of the books behind me are leadership books, they're personality-profile-type books, like the Myers-Briggs, the DISC profiles, the Enneagrams, the different team assessment tools. And I find that I'm a very calm person. That's my personality, I guess. And I remember I was on one call and there was an auditor that was making a
point, from a major Big Four audit firm. They're supposed to audit a sample when they look at... if you're looking at identity and access management, they were looking at the separation of duties issue, right? And they looked at 100,000 of our requests that have gone through the identity and access management in this one period, and they found four situations where there was a separation of duties issue, and they were going to write up a finding. And everybody else on the call is listening, and I'm going toe-to-toe with the auditor saying, "This is crazy." I said, "The team should be gaining an award, not a finding, for only having four." And I had one person afterwards saying, "I don't know how you didn't just jump through the..." She said, "I was ready to jump through the phone and strangle the auditor for even going after that, but you just calmly dealt with it." So I think we have different personalities in dealing with those issues. I've done a few podcasts in the CISO Stories podcast with people where we've talked about stress and different views and wellness, and some that led some very large companies, and people have different views. Some people say, "Ah, it's not that bad," and some people say we have the most stressful job of any of the executives. I'm not in that camp that says that we have the most stressful job. I think they're all stressful. Once you get to an executive role, you have a stressful job. If you're the CFO, the chief marketing officer, the chief operations officer... you have to look at the CISO role as being on that level. And maybe it's not there yet in your organization, but at some point it will be. But that's what you're handling, and the big driver of that is you have a lot of unknowns. You don't know, walking into work one day,
if that's going to be a really, really bad day or a really, really good day.

Adi: What do you think is the biggest challenge in the security field right now?

Todd: Biggest challenge... I think one thing that's underestimated a lot is just the external suppliers that companies are dealing with, and how are we managing all those vendor relationships. I think CISOs are very good at looking at their own programs, but looking at those connections and how they interact with your company, and how can you possibly know the security posture of every one of those organizations that are your touch points? It's almost an impossible job, but it's one that has to be done, and I think that's the biggest challenge. I know there's a lot of talk today about AI. I think AI holds a lot of promise. I use AI. I think it can be a great timesaver, but there's also a big risk there too. So I think a lot of people are trying to get their arms around AI today, but we can't forget that if we just go back two years, a few people were talking about AI, but we had a whole industry that was talking about security. So those problems did not go away. So every solution can't just be the AI solution, or how do we handle AI. It gets back to what are all those other things that we're supposed to be doing.

Adi: Do you see AI as an issue, apparently, or how do you view it? Because I've seen a lot of CISOs that are not that concerned about AI, and some CISOs who are absolutely sure that it will be like the absolute game changer of completely new attacks, different ways to do things, while others don't really seem to care about it that much.

Todd: I think the reality is AI has actually been built into a lot of our systems for several years now. It's just that ChatGPT brought it to the consumer forefront, right? And in fact, in the CISO Compass book, I have a chapter devoted
to emerging technologies and trends. That's one of the things that informs a strategy, and the piece that's important about emerging technologies and trends is they work both sides of that coin. They're both a threat and they're a tool, so we have to look at them both ways. We should be adopting those technologies to where they benefit us, where they can save time, where they can help minimize workloads and make ourselves better. But we also have to look at, okay, if those are being used against us, how do we counteract that, if the attacks are getting richer? For example, the phishing attacks that could be tailored more to my personality and where I shop and what I do, and tailor those messages better. You can guarantee yourselves that the well-funded nation states, organized crime, so forth, are using these tools, trying to figure out how to use these tools. But we shouldn't lose sight of the fact that we have fundamentals that we're not doing very well today. Take vulnerabilities, for example. If I went into any organization today and said, "Show me your list of vulnerabilities that you haven't patched for yet," I'd get a pretty big list. But we're worried about AI. We don't need AI to get into your system. So we have to put it in the right context. So right now it's the hype. Eventually, if you're familiar with the Gartner hype cycle, it'll fall down into the trough of disillusionment and it'll move into a plateau of productivity, where we figured out where AI fits and where it doesn't fit, and how it can best be used.

Adi: How do you keep updated in a field that's changing so quickly? Like, every week you have a new breach and you find out, oh, maybe that's also a vulnerability that we have that I didn't think about, or maybe some
new technology comes out, or like a lot of things are happening at the same time, and you have all the regular things that you already have to do. So how do you make sure that you're actually up to date, that your team is up to date, that people know what is happening in the world? And do you even care?

Todd: Well, so for the last five years I've contracted to the CyberRisk Alliance, and the organization within it called the Cyber Risk Collaborative, as their VP of cybersecurity strategy, and one of the things that we produce out of that is a daily morning security report, which takes all the news feeds and condenses it down into seven or eight stories that are top of mind, so that CISOs can go in there, see where are the top stories, and react to those. I usually take those and I post one on LinkedIn and give my own commentary on it. So there's that, like you're activating a muscle every day, right? You're keeping up with that. LinkedIn I think is also just a great resource. I mean, there's a lot on LinkedIn these days, quite honestly, that's a lot of promotion of this event, or I spoke at that event or that event. Okay, that's out there, that's fine. But there's also stories that people are publishing out there and news-relevant items that I think are worthwhile to take a look at. So I think looking at social media, whatever platform it is, if it's Twitter or LinkedIn or wherever people get their news information, just listening to the evening news, you're going to find out those things, although there's usually other sources that have that before then. But I think you have to stay in tune with what's going on to really be effective today, to really be in that conversation. The other thing I would say too is people have to network, and I know that's a struggle for some people, especially people
are very introverted, to get out, to go to those industry events like ISSA or ISACA or the IAPP, whatever professional organizations are in your area. You've got to go to those meetings and learn from other people and network with other people. People, I think, make the mistake with networking, and they start networking when they've lost their job, and that is the wrong time to start building a network. People should be out there. I'm going to dinners with CISOs all the time, and events where we talk about issues, and that's what you need to do. Once you drop out of that, then it's going to be difficult, because you're not going to know, "What's that breach? What's this SolarWinds breach thing? I don't know what that is." You're going to be a little disconnected, right, if you're not up on those things.

Adi: Interesting. How would you say people who are just starting to be CISOs... 'cause I've talked to CISOs who said they would like to be more connected in that group, and they know that there are things of the sort of what you said, where CISOs meet and talk, network, and they're not sure how to sort of get in the room. What would you recommend?

Todd: So what I would recommend, and what I see being more effective, is... there's different types of dinners, there's different types of events. There's some that are just CISO-oriented, people that are currently CISOs or who have been CISOs, and then there's ones that are, I'd say like ISSA, is much more of a broader audience. It's more technical, but you're going to have some CISOs there. Having those relationships, and having that relationship with your own CISO within your own organization, and ask them to be brought along to one of those events to get exposed to other people. Because I've seen people do that, bring their own leaders, and I think we should be
encouraging that, to get into that. And then even if it's not like a CISO event, go to a security event, because there's going to be other CISOs there, and that's how you start to make those relationships. And then at some point there's going to be some invite to some event that somebody's going to bring you along. But that will never happen if you're at home and you're working remotely all the time and you're not going to any of the social events, and you don't see those as important or see them as a waste of time. That is completely wrong. Most jobs are actually achieved through networks and not through some posting on a job board, LinkedIn. Most of those things are filled through personal networks, because... why do you think that is? Well, the reason is it's all about risk, right? And CISOs are risk averse by nature. I think we're a risk-averse group. Well, you want to reduce your risk of making a bad hire. If I get to know you in some other setting, I may not know your work, but I know what kind of a person you are, and we've had some conversations, I can see you've got some kind of intelligence and you have a strong work ethic. You've now lowered my risk to be hired, versus a resume coming in that I have no idea who you are.

Adi: Very interesting. I would say that is relevant probably to all industries, like the fact that if you want people to recommend you or you want to get more opportunities, people need to trust you, which is interesting. Okay, so do you have time for two final questions?

Todd: Sure.

Adi: Okay, so first of all, what do you think the field is going to look like in a few years? What is going to be different?

Todd: I think it's... I hate to say it's evolving. The first chapter in the CISO Compass book, I've dedicated it to the CISO evolution, because I think that people need to learn history, how
how did we get to, why is this role what it is today? And I go through five phases. I've actually added a sixth phase now, um, and in, in dividing up the years of how we move from this technical, you know, through to risk, through to the cloud and socially mobile, and into the privacy-aware CISO, uh, and now we're into this, um, business-resilient, uh, uh, supply chain, uh, CISO. And each of these phases adds, uh, new skills that are required, uh, to, to be able to, to, to be able to function. And I, and I think more and more the CISO is being depended on to secure their organization and to reduce the risk of what happens when there is a cyber attack, uh, against your company, and planning for when it does happen. How, how well equipped are you to deal with that? Is it going to shut down your business? Um, we've seen many examples where it has shut down the business. Uh, if we look at when, you know, WannaCry and NotPetya came out a few years ago, uh, the shipping company Maersk was shut down for three weeks. Uh, they couldn't, you know, you've got containers on ships, uh, with whatever's in there, not moving anywhere. Uh, you know, the, the cost was, it was enormous. Uh, and then we have, you know, there's a whole bunch of other examples of that. And, and, you know, we've had recent examples of, you know, cyber events, um, you know, one with a major security company, uh, you know, not, not, not too long ago, uh, that, that had a, an error in change control that impacted, uh, you know, people in a very personal way. You know, flights weren't getting out, uh, you know, systems weren't coming up, and so forth. So I think the world is starting to see the importance of this, this role, uh, and, and this is just going to be a staple in organizations. But it's really about managing risk and, and how do we limit the damage, uh, how do we make sure we've got the right investment in the company. Uh, and that's, and that's an, that's an art. And so, you know, that's, that's where we're, we're really going, is, is to, that person has to be the one, uh, that is, that is not making
all the decisions related to that, but is really more of the, uh, orchestra leader, uh, and making sure the organization says, oh, we want our risk to be this much, um, then we have to spend this much, um, or, you know, we're going to be out of sync. And so the, the CISO has to, is the one who's making that balance work.

Balancing everything at the same time. Interesting.

Yeah, I, I told you I use props in my presentations. I, I'm probably going to bring this one out again. I had one I was doing around all the different compliance requirements once, and I had spinning plates, you know, remember the old spinning plates, uh, on, on a pole? And, and I learned how, yeah, yeah, and I learned how to spin like six plates at the, at the same time, uh, uh, to, to do that. I may have to bring that one back out again, but, but it's, that's exactly how it feels like as a CISO.

Wow. I'm sure I can see how you got to where you got as a CISO when I look at all the things that, like, just making it super interesting. And I feel like you can also feel it in this conversation, like everything you say, you have an example, you have a story, so everything feels very engaging, and you can really understand, like everyone can really understand, hopefully, what you mean when you talk about different scenarios in the security sense, but also in the more simple, like this example, for example.

Thank you.

Okay, so one final question. Thank you so much for this entire talk, this has been super interesting. What advice do you have to anyone who's either thinking about getting into security, or is already a security professional but is looking at and interested in becoming a CISO?

One, they, well, just buy the CISO Compass book, that's all you have, link down below, I, and there's a coupon in the back, and you mail in the coupon, and then you get your CISO job. It's, it's that easy. No, I'm just kidding.

Well, I guess that's what you have to do.

No, in, in seriousness, I, I, I would say, I would say a couple things. Um, one, the one thing I've learned in, in my career is learn to be
uncomfortable. Um, feel like you never know enough and somebody always knows more. Um, I felt that way my whole career, and what that does is it, is it drives you to learn more. And, um, you know, it's a cliche that, you know, we should do continuous learning, but, uh, certifications, for example, I, I have a bunch of them, and, and I never tried to get all these letters after my name, that was never the goal. But for me the certifications were a way to say, I'm going to really, I want to really learn this, and if I have to take a test at the end of it that tests my knowledge, I'm going to actually study this and I'm actually going to learn this really, really well. And so I encourage people, do that. And, and so each year I would get a different certification in something, you know, that, that moves, that moves you forward. Do the, do the networking piece. Um, but, you know, having that sense of being uncomfortable, once you, once you get good, good at something, and then there'll be something else, and it's like, uh, I'm not quite sure how to do that, or that person does it really well, I wish I did it well like that. Well, that's okay, because that means that you're paying attention to something that, that you probably, probably should, should learn.

Um, the other thing I say, and, and I've given a few presentations on this, it's one of my favorite topics actually, is, you know, do you want to be a techie or a CISO? Uh, and my challenge is, by the end of that presentation I ask people to make a decision. So sometimes we go our whole careers without making a choice. So do you want to go into management or do you, or do you want to stay technical? And, and, and I would say from the outset, either, either path is fine if it makes you happy. So find out what's really, what is, what do you really want to do, because once you leave the technical path and go towards the CISO path, you will always maintain some level of technology proficiency, but you'll never be as good as the technical person who has stayed technical and does that every single
day, and so you have to recognize that. And you're going to rely on them, and you're going to rely on those people to give you advice, and, and, and that's, and, and that's best for your team, it's, and so that you can do what you do. Uh, I learned a long time ago, one of your, one of your jobs as a, as a, as a senior manager is to provide air cover to your team so that they can do what they want to do every day. So if you've got a firewall engineer and that's what they want to do every day, well, then you, then, then you're actually working with the rest of management to say why you should get to do what you do every day and that you're doing it right. So, so those are, those are just a, a few ideas. Um, but make that decision, be uncomfortable, uh, that means that you're growing, uh, and you're learning new stuff.

Oh, thank, so where can people find the book and the podcast?

So this CISO Stories podcast, uh, you can just Google CISO Stories podcast, uh, and it'll come up. It's, it's hosted by SC Magazine. Um, the book, uh, easily, uh, the way most people get books today is on Amazon. Uh, it's called the, the CISO Compass book. Uh, the new, new book that we just came out with in, uh, uh, 2024, uh, is The Privacy Leader Compass. It uses the same structure, uh, and goes through all the privacy laws, and, and what I'm happy about that book is that we, we engaged, uh, top privacy experts, just like we did with the CISO Compass, uh, you know, from Microsoft, uh, to people in, uh, 15 different countries. Uh, we have the chief privacy officers, uh, we also have regulators, uh, data protection authorities, uh, all on the privacy side of the house. And CISOs need to know about privacy too, so, um, that's why it was in, they're very complementary, uh, books. But, uh, that one I co-authored with, uh, Dr. Valerie Lyons, uh, who has her PhD in information privacy, uh, and, and is the COO of a, of a privacy and consulting firm, so, uh, over in Dublin, Ireland. So, um, so you can get both of those, uh, both of those, uh, on, on Amazon. And, uh, I, I just really enjoy being able to, to bring this
knowledge, my, my experiences, but also the, the experiences and the stories, uh, from other, other CISOs and, uh, top leaders in the industry.

Amazing, thank you so much.

Thank you, it's, it's really been a pleasure.