Security Program Transformation Podcast

By: Sidekick Security
Summary

Building a cybersecurity program is complicated. Building one that is equipped to truly enable the organization it serves is another thing altogether. Robert Wood from Sidekick Security interviews security leaders from a diverse set of organizations to talk about program transformations. From team design, technology, compliance versus security, and strategic leadership, learn how to lead a program transformation of your own from people who have gone through it before.
© 2024
Episodes
  • From DMZs to DevSecOps: Building Modern AppSec Programs with Gunnar Peterson
    Jan 15 2025
    In this conversation, Robert Wood and Gunnar Peterson delve into the complexities of application security (AppSec), discussing its evolution, the importance of building effective AppSec programs, and the need for engaging developers in security practices. They explore the blurred lines between cloud security and application security, the role of posture management tools, and the significance of an asset-centric approach to security. Gunnar emphasizes the importance of understanding key use cases and platforms within an organization, as well as the need for security professionals to broaden their skill sets to navigate the changing landscape of cybersecurity effectively.
    Takeaways
    • Application security is evolving, requiring a focus on both technology and human factors.
    • Understanding the organization's current state is crucial for building an effective AppSec program.
    • Coverage and efficacy are key metrics for assessing AppSec initiatives.
    • Engaging developers is essential for successful security practices.
    • In larger organizations, security efforts can become check-the-box activities.
    • The lines between cloud security and application security are increasingly blurred.
    • Posture management tools are emerging to address skill gaps in AppSec.
    • An asset-centric approach to security is gaining traction in the industry.
    • New security professionals should prioritize understanding key business use cases.
    • The future of security will require blending traditional practices with new technologies.
    Sound Bites
    • "Good judgment comes from experience."
    • "You have to have the humility to recognize."
    Chapters
    00:00 Introduction to Application Security and Its Evolution
    02:59 Building an Effect...
    1 hr and 15 mins
  • From Cost Center to Business Driver: Making Security a Strategic Asset
    Oct 30 2024
    In this conversation, Robert Wood, CEO of Sidekick Security, interviews Tyler Healy, CISO of DigitalOcean, discussing the evolution of security leadership, the importance of security as an enabler for business growth, and the dynamics of building a security team. They explore the challenges of engaging with customers, fostering internal relationships, and the balance between security and usability. Tyler shares insights on incident management, materiality assessments, and the significance of understanding how a business makes money to effectively align security initiatives with organizational goals.
    Takeaways
    • Security teams must engage with customers regularly.
    • Understanding business incentives is crucial for security leaders.
    • Security should be seen as an enabler, not a cost center.
    • Building relationships across departments enhances security effectiveness.
    • Product security should empower developers with the right tools.
    • Usability is key to successful security implementations.
    • Incident management processes must include materiality assessments.
    • Availability impacts must be considered in security discussions.
    • Third-party risks need to be managed proactively.
    • Security leaders should balance technical skills with effective communication.
    Chapters
    00:00 Introduction to Security Leadership
    06:02 Navigating Security as an Enabler
    09:56 Building a Security Team from the Ground Up
    15:54 Engaging with Customers and Stakeholders
    20:00 Fostering Internal Relationships for Security
    1 hr and 16 mins
  • Tech Debt, Compliance, and Strategy: A Deep Dive with the CDC’s CISO
    Oct 1 2024

    Summary

    In this conversation, Robert Wood and Joe Lewis discuss the complexities of leading cybersecurity efforts within a large organization like the CDC. They explore the balance between security and mission enablement, the nuances of risk management, and the importance of compliance. Joe emphasizes the need for humility in leadership, the value of building a strong team, and the significance of understanding organizational dynamics. The discussion also touches on the challenges of innovation in crisis situations, the importance of effective communication, and the need for continuous personal and professional development in the cybersecurity field.

    Takeaways

    • Humility is essential for effective leadership in cybersecurity.
    • Balancing security with mission enablement is crucial.
    • Understanding risk transfer dynamics is important for CISOs.
    • Compliance should be viewed as a foundation for security, not a hindrance.
    • Using compliance strategically can enhance decision-making processes.
    • Innovation often requires accepting certain risks during crises.
    • Post-crisis assessments are vital for understanding risks taken.
    • The language of risk must be tailored for different audiences.
    • Non-technical skills are critical for success in cybersecurity roles.
    • Intentional organizational design can break down silos and improve collaboration.

    Sound Bites

    • "I think the one piece of advice I would have given myself is humility."
    • "We are evolving into a managed cybersecurity service provider."
    • "Not everybody should grow up to be a CISO."

    Chapters

    00:00 Introduction to Cybersecurity Leadership

    02:36 Balancing Security and Mission Enablement

    07:38 Understanding Risk Transfer in Cybersecurity

    12:57 Navigating Compliance and Security

    16:29 Using Compliance as a Strategic Tool

    21:36 Innovation and Risk Management in Crisis

    25:59 Post-Crisis Reflection and Risk Assessment

    28:29 The Language of Risk in Cybersecurity

    34:42 Developing Non-Technical Skills in Cybersecurity

    39:43 Intentional Organizational Design

    45:14 Managing Change and Reducing Process Waste

    51:12 Identifying and Nurturing Future Leaders

    56:29 The Importance of Humility in Leadership

    1 hr and 3 mins
