VIDEO A CISO Journey: Priorities and strategies for private and public companies This episode of PlexTrac Friends Friday considers the CISO experience from a new angle. Instead of asking what keeps Ryan Davis — CISO at NS1, an IBM Company — up at night, Dan DeCloss chatted with him about his personal journey as a CISO and what lessons he learned along the way. Hear about Ryan’s experiences as a security leader at both private and public companies and through multiple exit events. Series: Friends Friday (A PlexTrac Series), On-Demand Webinars & Highlights Category: Thought Leadership BACK TO VIDEOS Transcript Hey, everybody. Happy Friday. Thanks for joining us for another fun episode of Friends Friday here with PlexTrac. We’re really excited about today’s episode. We’ve got a good friend of mine and longtime peer and colleague Ryan Davis with us, and we’re going to be talking about the CISO journey as well as like, hey, you know, what are, what are, you know, what are some of the experiences that CISOs, you know, have, have had throughout the years, you know, based on Ryan’s experience, and then just kind of in general, like, what. What CISOs should have on the top of their minds today? So it’s. It’s a fun topic. Ryan and I have known each other for years, probably going on over ten, I would say. I think so now. But, Ryan, why don’t you introduce yourself and kind of just tell us a little bit about yourself and excited to kind of get into the topic. Yeah, no, I appreciate that. Thank you so much, Dan. Yeah, it’s scary to think about how long we’ve known each other because it frames up parts of your career, and we’re definitely over ten at this point, but ten good years, for sure. Not trying to sell it short. I’m at a point in my career I’ve done a number of different roles. Everything from, I started an internal audit. Well, you know, honestly, I started in help desk, right, as many folks in the it world do, started at the bottom of the totem pole, held a number of different roles, everything from being a systems engineer, mail server, admin, got opportunity to do some consulting, you know, on the security side of things was an internal audit. Have managed information security teams, have managed entire it teams, and then, of course, you know, my current role in the past couple, I’ve, you know, been in the CISO role. So it’s, you know, no person’s path to the CISO seat is identical. There’s all different paths to get there. But for me, I’ve tried to think about the building blocks, if you will, and for me, being able to say, yep, I’ve done that. I’ve written firewall rules and had the opportunity to do full-blown audits myself. It’s one of those things where I try really hard to be able to speak from experience. So, I mean, which is great. And so, like, you know, so you. So you. I mean, you’ve been a CISO now for a while, or at least a CISO-type person. Right. You know, like, I was a security director, but, you know, equivalent in. In the role of the company to the CISO, but, like, kind of talk to us a little bit about, one, your journey there, and, you know, what. What were some of the things that you felt were, you know, were really important that you picked up on in your career to not only become a CISO, but then how it impacted, like, the decisions that you make and things like that? Yeah. So for me, kind of the real segue into pursuing the CISO role. I was at a software security company and had been working actually on the consultative side, working with our customers, helping them build, in that particular case, application security programs. Right. That was during our time at Veracode together. And really, when you’re in the consulting role, you don’t have the authority to directly affect the program. You can say, okay, here’s what I think we should do, and here’s. And I just kept arriving at, like, I want to be the person making these calls, not just making suggestions. Right. And, you know, very much leading without authority. So for, you know, for a number of years, I was in that capacity, and then kind of took a pivot into management, took on managing in the information security team at Veracode, and then actually through a number of different events that were kind of external to my own personal direct influence, Veracode got acquired by CI Technologies, which meant ultimately that our CIO, CISO at the time, departed the organization. So then kind of that left me next in command to, you know, to man the helm. From an information security perspective, of course, CI had a global CISO for which I kind of had an indirect reporting line up, too, and then did that for a couple of years. And then ultimately, as a part of Broadcom’s acquisition of CI Technologies, one of the things that ended up occurring was Veracode got spun back out. And so that kind of presented me with an opportunity to step more directly into that CISO role, even though I had kind of been doing it indirectly for a number of years. And it was really my first foray into speaking before the board and talking with investors and things like that, which is probably, to your question, one of the very first things. You don’t really know what that’s like until you live it. As the former CEO of a company, now CTO at PlexTrac, speaking before a board can be very intimidating. Right. These people have large sums of money that are invested in the thing that you’re telling them needs more work. Right. Whatever that may be or, you know, isn’t quite up to snuff or has some particular thing that needs to be addressed. And so that’s really intimidating. But the thing that I really was kind of the takeaway from that first experience, Dan, was they want you to succeed. Right? Like they may be tough on you at times and they may be, you know, critical of a decision or a choice that you’ve made, but ultimately they want to see you succeed because their success, your success is their success. And so I think that was one of the things that I really came to learn, you know, throughout that process, and then of course in subsequent roles as well, was just how much the board can be an ally. Right. And as long as you’re explaining it in terms that are not just like, oh, we have this number of vulnerabilities or we have this particular concern, but express it in terms that they’re going to understand in terms of the overall business. Like, here’s why we need to do this, here’s why we need to go get ISO certification. Not because, yeah, you know, it checks all the checkboxes and, you know, whatever, it’s because it’s a customer trust issue. Right. And that makes a lot of sense to them. And then you’re able to have those candid conversations about, okay, here’s what it’s going to mean from an investment perspective. We need to hire x number of people, we need to invest x number of dollars, and then that conversation becomes a lot easier. Yeah, well, and like you said, I think if you can paint the picture of like, hey, here’s why we’re investing in these aspects, right, here’s the impact to the business if we don’t have, and then subsequently, here’s how we’re getting better. Like, here’s where that investment is going. I think that paints a good picture. That is the same kind of conversation for any, insert any department within the company, whether that’s sales, marketing. Right, exactly. So having a seat and being able to have those conversations is important, right. Hugely valuable. And I think more now than ever, right, CISOs are being afforded that table, you know, that spot at the table to be able to speak with not just the audit committee, not just the risk committee, but the entire board. And I think that’s really important, whether you’re a small privately held company or you’re a publicly traded one, having that communication, because what day goes by that there’s not some headline about somebody having a breach or some loss of data or whatever it may be, and the board needs to be apprised of where you’re sitting before those events so that they can be prepared to answer questions of investors and quite frankly, the public, when you do have an event. Yeah, you brought up an interesting point there. You’ve had experience both from working at this level in both private companies and now public companies. You know, is there a bigger difference? Like, have you noticed a big difference in that? And, like, is there, are there things that you think CISOs private companies, you know, may have different areas of focus versus public or, like, you know, I’d be curious, like, you know, what your thoughts are there and maybe advice to those that are in that seat. Yeah, the short answer is yes, there is definitely differences when you’re privately held versus, you know, publicly traded. When you’re publicly traded, there’s a tremendous amount of scrutiny, not just from regulatory bodies. Right. You know, the SEC and whomever else, you know, especially if you’re in finance or health or whatever. Right. There’s many regulatory bodies that oversee those different sectors, but you have the scrutiny of your customers ubiquitously right across the board. But investors as well is a much broader audience when you’re publicly traded. And so statements that you might make on your personal Twitter or your LinkedIn or whatever, you could put the disclaimer of this reflects my own personal beliefs. But you’re very much in the public eye at that point. And so everything that you do gets that scrutiny. And so I think when you’re privately held, you kind of have that cloak, if you will, right, where it’s not, you know, the world is looking, but they’re not looking because they have a vested interest in your success. Right. When you’re publicly held, you know, you could have tens of thousands or hundreds or millions of people who are invested in your company and have a vested interest in your success. And so they might agree with the points you’ve made or they might disagree with the points you’ve made, or they might think you’re completely off the wall. And so at the end of the day, I think once you’re in that public eye. Right. And I, you know, even now, our conversation. Right. Being a part of a publicly traded company, I have to think very carefully about what I say because I’m not authorized to speak on behalf of the rest of my organization. Right, right. And so it’s all about how you can have those conversations and have them intelligibly without needing to be specific in such a way that you might paint the company in a negative light or something like that. I can talk about challenges all day long and have conversations with peers about challenges that I see on a daily basis without giving specific attribution or identifying weaknesses or things like that, because ultimately, in a security role, you get a broad exposure to challenges that are internal. And those challenges may not just be information security ones. They might be PR issues or they might be lawsuits or whatever, you know, whatever the particular issue. And so I think that’s probably one of the biggest differences, is you just have to really be cognizant of the tone and where you’re saying when. Yeah, yeah. Have there been any responsibilities that maybe you didn’t anticipate? I mean, just in general as being a CISO, not necessarily public versus private, but, like, as you’ve kind of grown in this, in the CISO role, has anything come up where you’re like, man, I didn’t actually anticipate this being part of my job or things that I would have had to worry about or focus on. Yeah, I don’t think I anticipated needing a law degree. And while I don’t think there’s any, well, maybe, I’m sure there’s probably CISOs out there that do, in fact, have a law degree. We spend a lot of time working with customers and third parties because at this day and age, it’s a risk conversation for everybody. And third party risk is probably one of the biggest challenges of my role and, quite frankly, of the industry at this point. And so having very strong relationships with the legal team is not something that I really, especially, you know, when you, as you’re working your way up, you know, in security, it’s something you’re kind of maybe not explicitly exposed to. Right. But when you get to that level, there’s all of a sudden like, oh, we need you to, you know, make sure that we can agree to these terms and we’re going to be contractually mandated, you know, with a $5 million contract that has that much liability affixed to it. Then all of a sudden, you’re like, oh, man, I got to make sure that we’re being very specific as to what we can and can’t do and what we’re willing to agree to. And I think that’s probably one of the biggest things that I didn’t anticipate and I think continues to actually grow. Right. Especially as the CISO role continues to evolve. And many organizations now are, you know, hiring folks whose responsibility is risk. Right. Chief risk officers. And, you know, sometimes that that component rolls up to them. But still, at the end of the day, right, my job is to still make sure that we can adhere to whatever we’re contractually committing ourselves to, whether it’s with a customer or a third party and making sure, you know, with third parties that we have the appropriate protection measures in place that, you know, will be afforded to us, you know, to protect, you know, the company that I’m working for as well as the customers that we’re serving. Well. And I think it. I think it highlights, too, you know, we always talk about, you know, hey, as a good security professional, you need to be a really good communicator, you know, things like that where it’s like, yeah, you’re talking with lawyers, you know, almost all the time, you know, and so being able to understand, like help, help a lawyer, you know, that may or may not have a deepen technical background, but being able to understand the risk or the, you know, the impact that certain, certain vulnerabilities or implications would have on the business, you know, it just. It’s just one more audience that you may not have anticipated that you really need to be able to communicate well with. Right. Yeah. And again, you know, when you’re dealing with large enterprises, they have teams of lawyers, right? And you get presented with, you know, a 50 page, you know, enterprise contract or non disclosure agreement or data privacy agreement or whatever, and they want to affix their terms, right. They want to have their specific stipulations. And, you know, wherever possible, you try to accommodate the customer. But oftentimes you’re going through things with a fine tooth comb, and they’ve worded them in legalese such that things always end up in their favor. So you have to try to think critically. It’s funny because security professionals were really good at thinking like the bad guy because that’s how you defend your organization. And it’s funny because it’s similar exercise. You have to think the customer in this case and say, okay, well, what, what is it that they’re trying to actually get at here that would make it beneficial to them? Right. Why is it that they’re asking for, you know, five years worth of logs be retained? Well, because they want to be able to go back five years and like, okay, is that something that we want? You know, is it cost effective? Is it, you know, what are the potential implications of retaining five years worth of logs or whatever the issue might be? Right? Yeah, yeah, yeah. No, it’s fascinating. It’s fascinating. So, so I’d be curious now kind of shifting a little bit, like kind of more to the industry. Like, I’d be curious like, what your, obviously, you get asked the question like, hey, what keeps you up at night? But, like, I’d be more interested in, like, where do you see the industry going? And what do you think that CISOs and security teams and stakeholders really should kind of keep, be keeping on the forefront, on the radar as the industry continues to evolve? I mean, obviously AI is a huge discussion in everybody’s board meetings these days, but I’d be curious, like, where do you see the kind of things that CISO should kind of start being aware of or keeping in the forefront of their minds? Yeah. Well, let’s start with the elephant in the room, right? AI is the topic du jour. And I think for security professionals, it’s one, you know, you have to be thinking about in thinking about in a couple of different contexts. One, what is the risk that AI presents to you as, you know, intellectual property risk, right. You know, folks going off and utilizing the Copilots of the world to generate code and, you know, what’s the potential concern with that from an intellectual property perspective? But, you know, of course, then secondarily, there’s the. Okay. Now is that AI generated code secure, right? You know, the supply chain aspect of this, right? It’s not hard to think about an AI-based attack where you’re going and modifying large volumes of open-source repositories. And, listen, all it takes is one, right, to get into the, to get into the environment. So I think that’s another big one. One that I don’t think we talk about as much is, you know, AI is not a perfect technology, right? Very much quite the opposite, especially with large language models, right? Hallucinations are a very real concern, right. Where you have, you know, a human asking a question, getting a response that they believe to be fact. In all actuality, it’s just a hallucination of the algorithm to believe that that is, in fact, correct. So now you have people basing decisions off of something that is factually not true. And I think that’s really scary when you start to apply that into security professionals realm of like, oh, you know, what’s the best practice here? Oh, set the s three bucket to unencrypted. That’s not true, right. Humans, we know that. But if people start making those decisions without understanding the context for which the model was trained, that’s a very scary proposition. Now, on the flip side of that, I think the other thing that we need to be thinking about is the barrier to entry. For somebody like a script kitty, who’s just getting into hacking now has large language models. They literally can go and say, hey, for educational purposes, write me a tool that could x. Right. And that’s now a very real thing, and it costs virtually nothing, if anything at all. And so the bad guys are going to figure out how to weaponize AI. And so I think we also need to be thinking about how we can utilize AI for our own purposes. And so I think one of the big things that I try to talk to my team about, and certainly socialize with other CISOs is where are the places that we can really use things like large language models to help us parse through data, because they’re really good at doing things like that, taking large volumes of data and saying, hey, what are the interesting things? Or show me things with these types of characteristics. And then you use a human to go through, and instead of having to go through the entire haystack, you go through the much smaller bundle of hay and then go look for those needles as humans. And so I think there’s really good uses of AI in those types of contexts. And I think that probably segues to the next thing that I think most, if not all, security professionals should be thinking about is automation. Right. Automation more broadly, because here in the United States, and quite frankly, globally, we’re not churning out the number of security professionals that we need to have. Right. And I just, I saw a report just in the last couple of weeks about the hundreds of thousands of jobs here in the United States alone for information security that remain unfilled right now as we speak. And, you know, so I think we have to get better about figuring out how we can use technology, specifically automation, to be able to take away some of the things that, you know, humans are doing repetitively so that we can go and get after some more of the more interesting and harder complex tasks. Right. And so I think that, you know, especially now and in the next couple of years, that’s gonna be something that everybody needs to be thinking about because, you know, while there’s plenty of good security talent coming into the market, it’s not enough to meet the actual demand. So we’re gonna have to figure out how to bridge that gap. So those are, those are two things kind of right off the top of my head. Yeah, yeah. And I wouldn’t say either of them keep me up at night at this point, but I think it’s definitely, those are a couple of things that are really top of mind for me. Sure, sure. Yeah, yeah. One last, one last thing. I know we had chatted about before that I’m kind of curious to get your take on because, like, it’s come up. It’s come up a lot with a bunch of our customers, too. And that’s the whole diligence process when going through some kind of either an exit event or like an m and A, you know, you’ve had a unique experience in being involved in that. I’d love to kind of get your take on. Like, did that surprise you? Or, like, what were some of the, was there anything that, like, kind of, like, took you off guard or like, just how important was the security posture and what, I mean, how did, how important of a role did that play in the overall, like, you know, transactions or whatnot? What you can say, obviously, but, like, you know, yeah, I’ll do my best to speak on that. You know, not attributing it to any one company because I’ve been through a couple of acquisitions at this point. But I can tell you categorically it is definitely a major pillar of acquisition strategy. And everything from code quality to amount of public exposure to what are the characteristics of the program itself. How often are you doing scans? What types of scans are you doing? What third party audits are you conducting? What is the frequency for which you have people manually touching code in production? And some of you sit and kind of scratch your head, almost like, why is somebody asking such a very minutia question when they’re looking at buying a company overall? And the answer is not that difficult to discern once you’ve been through it a couple of times, which is they care because this is one of the biggest areas of risk for them to buy that, that company, a company that can present a mature, cohesive program, strategy. Process. And that was actually another thing. Process was another thing. I could not believe the amount that they wanted every sop they wanted every. What’s your incident response process look like? How, you know, because what they’re looking for is how much are they going to have to invest to get you up to where their expectation is? And that gap. Right. Equates to dollars. Right. And so, you know, and I’m sure you know from your side of, you know, you know, the spot that you sit in as well. Right. As investors are approaching PlexTrac, they want to know what’s the risk to their investment. That’s very much the conversation when you’re going through a diligence process, is they want to know how big the risk to them is to their brand. The strategy that I’ve taken is very similar to what we take with customers. You want to build that trust. And so if you can present a cohesive, well structured, well thought out. Like, here’s how we think about, you know, incident response. Here’s how we think about, you know, DDoS attacks, whatever it may be, right? Having a good. And you’re never going to have strategy for everything. Like, it’s just impossible. But having playbooks, having process that’s well documented and things that map to some type of framework, of course, is hugely valuable because then it’s not just like, oh, I came up with this on the back of the napkin. Here’s how I think about this. It translates well. And so whether using ISO or NIST or whatever the framework may be, that really helps to have a good conversation. And for us, we were able to take a lot of the documentation at multiple organizations, take the documentation that we already had in place that we were using to have those very same customer conversations and say, hey, yeah, we already have that all packaged up, ready to go. Would you just like a copy of that? And they’re like, oh, yes, we would, as a matter of fact. So, yeah, but I think the biggest takeaway from all of it is when you’re about to buy something, whether it’s a $50,000 car or an entire company, you want to know the amount of risk that you’re taking on the. And so the entire information security conversation as a part of a diligence process now is a pretty critical component. Right. Of course, what your business performance is and how much debt you have and what’s the customer acquisition cost, and all of those things, of course, are the primary driver of the conversation. But the information security program is, of course, a huge component. More so than ever. Yeah, exactly. I mean, it can impact the deal. Right. I mean, it could. It could sway it either from, like, you know, a different valuation all the way to the point where, hey, they’re just not going to do it. Right. So, I mean, I think, you know, it’s important for people to recognize, like, that they may not have been exposed to that. That, like, you know, like, the security posture of your company actually has an impact in m and a activity as well as investment. Right. On a lot of different fronts. So I think that’s. It’s probably something that not. Not a lot of folks you may have thought about, but unless you’ve been through it. Right? Yeah, yeah. 100%. Right. And I think that’s probably, you know, I was baptized by fire. Right? Like, I didn’t really have a choice, right. Because the, you know, how I ended up in the CSO seat was a function of being acquired. And so, um, it’s funny because when you’re forced into it, you know, and brought in as a part of that conversation, it’s like, oh, okay, yeah, I guess this is pretty important, right? Like, you feel. You feel on a daily basis, like, okay, yep. I’m helping, you know, close deals and, you know, keep the company secure, of course. And, of course, you know, not being in major headlines is a good thing. Right. But then you realize just how much that plays into the investment potential, procurement of a company. Yeah. Yeah. Fascinating stuff. Fascinating stuff. Well, Ryan, I mean, it’s crazy how fast, we always say how fast these conversations go, but it’s been such a fun time learning more about your career. Congrats on all the success thus far. I mean, it’s been fun to track you as well. Thanks for taking some time to kind of share your story. Just. And just, like, you know, observations and experience any. Any final things you want to say or, like, how can people find you and connect with you and. And then we’ll let people get on with their Friday. Yeah. No, Dan, I truly appreciate the opportunity to have the conversation. You know, likewise. I felt the very same way about kind of watching you and PlexTrac and just being able to kind of watch from the sidelines and see how the evolution of the company has gone has been really rewarding for me and continuing to, of course, have the friendship outside of that. But, yeah, folks can find me on LinkedIn. It’s LinkedIn.com. Ryan C. Davis. So feel free to reach out to me there. I have since. Since acquisition of Twitter. I’m no longer on Twitter. Elon Musk can go off and do his own thing. But, yeah, that’s probably the easiest way to connect with me, and I’m going to be. I think you’re headed out to Hacker Summer camp as well, so hopefully we’ll get an opportunity to see each other there as well. For sure. For sure. Looking forward to it. Well, once again, thanks. Thanks so much for joining us, and thanks, everybody, for taking some time. Hope you enjoyed it. Feel free to leave. Leave comments and questions. We’ll definitely try to respond to those as quickly as we can, but couldn’t thank you enough. Ryan, always good. Always good to chat. Thanks for sharing, and we’ll let everybody be on their way. But have a great rest of your Friday and a great weekend, everybody. Thank you. Yeah. SHOW FULL TRANSCRIPT