What if cybersecurity wasn’t just about protection but about enabling the business to thrive? In this episode, Andy Ellis shares how reframing security as an operational and leadership function—not just a risk control—can unlock real innovation, trust, and long-term value.
⬥GUEST⬥
Andy Ellis, Legendary CISO [https://howtociso.com] | On LinkedIn: https://www.linkedin.com/in/csoandy/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥EPISODE NOTES⬥
In this episode of Redefining CyberSecurity, host Sean Martin speaks with Andy Ellis, former CSO at Akamai and current independent advisor, about the shifting expectations of security leadership in today’s SaaS-powered, AI-enabled business environment.
Andy highlights that many organizations—especially mid-sized startups—struggle not because they lack resources, but because they don’t know how to contextualize what security means to their business goals. Often, security professionals aren’t equipped to communicate with executives or boards in a way that builds shared understanding. That’s where advisors like Andy step in: not to provide a playbook, but to help translate and align.
One of the core ideas discussed is the reframing of security as an enabler rather than a gatekeeper. With businesses built almost entirely on SaaS platforms and outsourced operations, IT and security should no longer be siloed. Andy encourages security teams to “own the stack”—not just protect it—by integrating IT management, vendor oversight, and security into a single discipline.
The conversation also explores how AI and automation empower employees at every level to “vibe code” their own solutions, shifting innovation away from centralized control. This democratization of tech raises new opportunities—and risks—that security teams must support, not resist. Success comes from guiding, not gatekeeping.
Andy shares practical ways CISOs can build influence, including a deceptively simple yet powerful technique: ask every stakeholder what security practice they hate the most and what critical practice is missing. These questions uncover quick wins that earn political capital—critical fuel for driving long-term transformation.
From his “First 91 Days” guide for CISOs to his book 1% Leadership, Andy offers not just theory but actionable frameworks for influencing culture, improving retention, and measuring success in ways that matter.
Whether you’re a CISO, a founder, or an aspiring security leader, this episode will challenge how you think about the role security plays in business—and what it means to lead from the middle.
⬥SPONSORS⬥
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3
ThreatLocker: https://itspm.ag/threatlocker-r974
⬥RESOURCES⬥
Inspiring Post: https://www.linkedin.com/posts/csoandy_how-to-ciso-the-first-91-days-ugcPost-7330619155353632768-BXQT/
Book: “How to CISO: The First 91-Day Guide” by Andy Ellis — https://howtociso.com/library/first-91-days-guide/
Book: “1% Leadership: Master the Small Daily Habits that Build Exceptional Teams” — https://www.amazon.com/1-Leadership-Daily-Habits-Exceptional/dp/B0BSV7T2KZ
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
⬥KEYWORDS⬥
andy ellis, sean martin, ciso, ai, saas, shadow it, vibe coding, patch management, political capital, leadership, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSPmagazine. This is Sean Martin, your host, where if you listen to the show, you know, I get, you know, I get to talk to lots of cool people about cool stuff. At least in my mind. I like to nerd out about, uh, security and risk management, and not just in the, in the sense of how we protect the business, but actually how we protect its growth and revenue and, and, uh, even the teams, uh, it's all about enabling, from my perspective. And, uh, I'm thrilled to have someone you probably all know and have heard of and maybe even met at some point in, uh, in your career in cybersecurity.
Andy Ellis. Andy, good to see you, man.
[00:00:40] Andy Ellis: Sean, thanks for having me. I really appreciate it.
[00:00:42] Sean Martin: I appreciate, appreciate you taking the time in, in your new podcast studio. I was checking out, uh, your video studio on your, on your blog. It's pretty cool. And you're pretty chill in the podcast studio there.
[00:00:54] Andy Ellis: Yeah, well the video studio is currently, uh, in transition, so I just moved. So I'm in my new [00:01:00] house. I set up the podcasting studio here. The video studio is actually gonna be run across this, so the camera's gonna be to my right here, but the actual green screen will be to my left, and so it'll sort of shoot across.
And so I'll be able to do videos over here.
[00:01:14] Sean Martin: Nice one. I love it. Well, you're, you're very prolific and very, uh, very giving back to the community, which is, which is great. For those who have not met you yet, maybe, uh, maybe a few words about your journey to this point. Um, and then, uh, maybe what you're up to at the moment.
[00:01:32] Andy Ellis: Uh, uh, just a few words. It's gonna be hard.
[00:01:35] Sean Martin: I.
know. Well, the, the, the highlights.
How
[00:01:36] Andy Ellis: Yeah, went into the Air Force right out of MIT, did information warfare, which is what we called cybersecurity last millennium. Uh, then I was at Akamai for 20 years where I built the security program. I've got a handful of patents for security technologies that sort of underpinned Akamai's, you know, global CDN, as well as the security services on top of it.
Then took four years into the VC [00:02:00] world, uh, where I was at YL Ventures, you know, investing and backing and helping, you know, startups be amazingly successful. Uh, and now I'm on my own doing independent consulting and advising, you know, bringing folks, uh, sort of that touch of genius that you just need to sort of get your cybersecurity or your marketing or your product or your leadership program moving.
[00:02:20] Sean Martin: Got it. And in, in that last role, I mean we can touch on some other things as well, but in, in the last role in, in terms of what you're seeing now, do you find individuals and or organizations need help with the, the first steps or the last mile or fine tuning the middle bits or what, what are you...
[00:02:41] Andy Ellis: So, so it's actually, honestly all of the above. The, the single biggest mismatch that I often see is many organizations don't know what they want. They often have a security professional, and they have no way to understand and put in context what the security professional is telling them. And often the security professional is not [00:03:00] an expert in communicating up to a board or to an executive team.
And sometimes all that they need is that spark to come in and say, Hey, let me listen to everybody and then just translate for you. Here's where you are. Here's what you need to be focused on for the next two years of your journey, especially in sort of mid-size startups. You'll often see this, which is, you know, they're like, oh, we're getting ready for an IPO sometime in the next 10 years, which means you're not actually getting ready for an IPO, but you're hopeful that one day you'll get to there.
Uh, but they need to figure out, like, what are the critical things we need to do right now? Not for the next 20 years, not what does a mature program look like? So I could say that's in the middle or that's the start, depending on how you sort of think about where they are in their journey.
[00:03:47] Sean Martin: And do you, do you tend to be attracted to be called from certain sectors of the market, uh, regulated or size or anything
[00:03:58] Andy Ellis: No, honestly, I've [00:04:00] had conversations with everything from like three person startups to several thousand person companies simply because they're looking for like, just how do we, we rethink what we're doing.
[00:04:13] Sean Martin: And so as you heard in my, my intro, I, I feel that we have an opportunity, and people who listen to the show probably have heard me say this many times, but um, I feel we have an opportunity, and even more so with the data in security, to really help define the business. And when you're talking to small startups, two, three person teams, there's really an opportunity to get that right.
And, um, so tell, tell me a bit about some of the things you do there that might be...
[00:04:40] Andy Ellis: Yeah, so a great conversation that, that I love having very early on with the company is to think about how are you gonna run your business? Because historically, the mental models we all have are still stuck in the paper. People still remember, oh, we wrote down on paper, we had ledgers, we did this, we did that.
And that's not how you run your business anymore. It's not [00:05:00] even just that we took the paper and computerized it, which is what was happening, you know, early two thousands. The, the entire scope of your business is basically SaaS-based, like your business sits on top of other people's businesses. So you can run your company for a long time at three people where you're not, you know, going out and having to hire, you know, a CFO and a lawyer and an ops manager, and all of these people who are not part of delivery.
Whereas it used to be you needed those fairly early or you would contract with them. And more and more we're seeing people are like, well, like what do I need a, a lawyer for? Like a contract, obviously, for a corporate lawyer, but for contract negotiation, like there's just services that will do this for you.
And now it's like, oh, I've got my standard contract template, I've got my standard, like, vendor management system. You have all of these things, so you have to rethink what is security, and what is IT support? 'cause honestly, I think when we talk about cybersecurity as a profession, mostly we're like the, the pickup crew.
We [00:06:00] do all the security stuff that nobody wanted to do that was really part of their day job. And that gives an opportunity now to say, well, why don't you make doing that stuff your day job as well? Like you wanna do cybersecurity, then maybe you want to be into SaaS management, you wanna manage all the SaaS vendors, become the CIO.
Do the security as part of that and basically sort of take over that IT function and make that one function, which is we will manage our vendors and we'll do it in a secure way. And now we don't separate, you know, cybersecurity from IT management. We just make that one discipline.
[00:06:34] Sean Martin: And I've certainly seen and heard in the last few weeks, I've been to a legal, legal conference and a healthcare conference, and in both, one more legal, more than healthcare. Um, there, there's a lot of push to enable individuals and certainly lines of business to pretty much be their own IT because, because of what you're just describing, [00:07:00] everything is SaaS.
Um, how do, how do those teams, and I, I even had conversations or heard, heard people talk about lawyers actually vibe coding to write AI agents to do things for, and I'm like, I don't know where this is gonna go. But I mean, that's an...
[00:07:14] Andy Ellis: be entertaining.
[00:07:15] Sean Martin: It's gonna be entertaining. But that's an extreme case I think, and we'll see how, how it happens.
But that, how do you see organizations embracing this idea that there is a line of business that uses SaaS, that is IT in your view, and in your view is also security, uh, rightfully so.
[00:07:32] Andy Ellis: Yeah. Well, I think when we, when we think about the business, one of my least favorite phrases, but it's very illuminating, uh, is shadow IT. Right now, uh, people will say shadow SaaS, shadow, you know, AI. But the reason why I say it's illuminating is specifically because it's about perspective. The people who coined the phrase shadow IT were IT professionals who used it in this derogatory fashion to say, like, the IT that is being done [00:08:00] in the shadows.
But it was not that people went skulking off into the shadows to go do it away from you. No. They came and they asked you to do it. They said, I want to go build an e-commerce site. You know, this is 1999, I wanna do an e-commerce site. And it was like, we don't have time for this. Like the web doesn't really matter.
Nobody's gonna give you a credit card. So some engineer went and built an e-commerce site. That was the first real shadow IT that most people think about in the modern world, was your e-commerce site, which now, this is how you make money. Like this is the core center of your business. Started as shadow IT.
Why was it in the shadows? Because your IT team wouldn't shine a light where it needed to be. The problem was not shadow IT, it was always shadow business. We have parts of our business that we don't see and we refuse to see and support. And so the fact that you have people who are out actively saying, hey, we're gonna let IT happen inside the business because IT is now [00:09:00] so consumerized for most folks, like you get better support by going to your Apple store than you get from your IT team.
So why would you say, oh, you have to have a professional take care of buying a computer for you. And when you do the math of how much logistics time is spent, it doubles the price of a computer just getting it into somebody's handoff and you are spending a 100% premium on humans just doing support to get it there.
You're better off handing your person an allowance and saying, look, every two years go buy whatever computer you want. Like make it yours, let it support you, and that way we're better off. And that's what people are starting to realize is let's let IT happen outside of the central organization that was not providing security, was not providing high level support, was not staying ahead of technology trends.
And so we're seeing businesses saying, oh, well AI is just the next thing, so why don't we just get ahead of this? IT will never be able to [00:10:00] figure out how to do AI. Right? So we'll just let the lines of business do it. And I do think it's going to be a train wreck in some ways, but it will also be amazing in others.
[00:10:10] Sean Martin: And let's touch on both of those. Where, where do you think we will see success? I mean, clearly new, new business innovations and things like that, but, but if you have any...
[00:10:21] Andy Ellis: I mean the success will be just the speed of how people will be able to do things. That there's just always been this activation energy. And I've got a great example 'cause we had a, a couple friends staying over, you know, great hackers, which means that today I've gotta go deal with the fact that like my entertainment system is no longer configured correctly.
'cause they got into a playlist war. And so each one was compromising a different system and reconfiguring it to play music. I'll have to go deal with that.
[00:10:46] Sean Martin: A great, great weekend there, it sounds like.
[00:10:47] Andy Ellis: Great, great time, but like one of them, my wife was talking about one of our long-term projects, which is creating a cookbook. Like my wife has so many recipes that she's inherited and she's tweaked herself, you know, [00:11:00] family tradition.
And so she has like this handwritten cookbook with notes that are half in Slovak, half in English, and there's a couple in French, like, and she wants to put this all together. And so the friend's like, well, you should just vibe do this. We're looking at her and she pulls out ChatGPT, and she takes a picture of a recipe and says, make me a recipe page for this.
So it took my wife's notes on the recipe, like turned that into a very nice summary, copied the recipe faithfully, and put in commentary, put in nutritional information. And this basically was like 30 seconds of prompt engineering. Like this wasn't even the serious stuff
[00:11:37] Sean Martin: And it, and it produced HTML, CSS, a... What did it, what did...
[00:11:40] Andy Ellis: So in this case it just handed, like, here's, here was text.
But then it said, what format do you want this in? Would you like to have this in a PDF? Do you want to have this in a JSON file? And I'm like, this is amazing. And I'm looking at that and I'm like, okay. So like a couple hours of vibe coding and I can basically have a recipe manager that will output a book at the end of it.[00:12:00]
And I was looking at, like, you know, probably a couple hundred hours of work dealing with each individual recipe, and most of that's now gone away. It'll still obviously have to be edited. But just that's an example. And it's a silly one, and people are gonna be like, oh, Andy, great. You'll get a recipe book published that like five people will ever read.
Those are five really important people to me, by the way, that I really do want them all to read it. But now take that for every single harebrained idea everybody in your company has. They can go execute on and see if it will work, and they don't need your approval. And even if the failure rate is 99%, 99% of those ideas are throwaway ideas. They do their couple hours of work. They're like, eh, whatever. Maybe it makes my life easier. Maybe not. If one of those transforms your business, that's power.
[00:12:49] Sean Martin: Absolutely. And yeah, I think, uh, I'm just thinking of, we used to call 'em skunkworks projects, where we had, and sad that we had, dedicated [00:13:00] people. Yeah. We,
[00:13:01] Andy Ellis: Right. And that's the whole thing, which is skunkworks was the, oh, we, we made this official IT, but we hid it from everybody. We protected it from the business, and then shadow IT became, well, we'll just do it ourselves 'cause you won't support us. And now we're in this world where it's like, we'll just have AI do it for us.
[00:13:18] Sean Martin: And I guess the, the, the cool thing about your example and, and bringing that into a business, it, each little function of each person's role, um, could be seen differently or, or depending on where they live or who the customers are interacting with, or, I don't know. The, the types of customers they serve could, in slightly very nuanced ways, change the way their workflow works or looks or functions.
Or maybe, maybe they want mobile versus web or whatever it is, and perhaps there's an easy way to help them work through some of those challenges. Jump those...
[00:13:55] Andy Ellis: So in a sense, there's a, there's a space in the world for an advisor to say, let me be [00:14:00] your guide and help you. Like you wanna go vibe code, great. But that five hours you're gonna spend, a bunch of it is not efficient or not effective, right? You, you don't know how to do the right prompt engineering. Let me teach you.
I think there's an opportunity for security professionals to step in who've always been sort of adversarially inclined towards technology. Here's new tech, we know how to break it, but part of knowing how to break it is we know how to exploit it in great ways. So take that mindset and help your company exploit these new technologies.
[00:14:31] Sean Martin: And what about, um, we didn't cover the negatives. Maybe we, we will touch on that as we dig in here a little bit more, but I'm, I'm curious about the, the, what you're describing here in the security operations or security management, uh, world, um, where security, it's actually doing the same thing and creating new things and
[00:14:51] Andy Ellis: Yeah, I think security ops is gonna be really fascinating because half of security ops is, and I'm, I know I'm gonna have people send me hate mail for this. [00:15:00] It's make work. Which is we, the business does not allow us to fix certain problems, and so we go find them and now we tell people about them and we track them, but we're never gonna actually fix them.
Think about patch management and how much of it never really happens. Right. In a sense there's this benefit which is, oh, we can use AI to do the make work and like it'll track and manage and all of this stuff. Um, but at the end of the day, it's still not gonna make it better because the problem isn't that it's too expensive for us to fix things.
It's that the business doesn't actually want to fix things. And until we move past that, the AI in the operations is gonna have some utility. I'm not gonna say it's worthless, but it's not gonna be the game changer people think it is.
[00:15:44] Sean Martin: Hmm. Yeah. 'cause I, I have this utopian vision that, and I kind of alluded to it a little bit, that we, we have a lot of data. And I think, and to your point, I think we, we can guide the business to make changes that [00:16:00] are better for the business and better for security. And the, the patch management's the, the great example I like to use, where if you're, if you're maintaining a list of a thousand CVEs or patches you need to make, and you never fix 'em, just over and over and over, you're scanning, you're assessing, you're adding, maybe fix five this month, five next month, whatever, you're adding 10 each time. Um, perhaps in the data there's something that says you're just using the wrong component, or the stack is built in the wrong way, or you're collecting a piece of, or you're connecting two things together that shouldn't be connected.
And, and if you just change that, you can eliminate 50% of...
[00:16:39] Andy Ellis: And we've, and like I've had experience doing that in our, in my career. Like when I was at Akamai, we ran into this with OpenSSL. Every time there was an OpenSSL vulnerability, we'd have to go patch stuff. And the number of engineers who would fight with us, 'cause they're like, I'm just using OpenSSL for the math library.
It's, it's the most efficient math and we're doing big math, so we're [00:17:00] using OpenSSL for this. We don't have to patch it. We're like, yes, but we can't tell from outside. Now you make our life harder. So at some point we said, well, what if, and we employed OpenSSL engineers on staff. Like this is a way of getting the, the things we wanted fixed into OpenSSL, was we just paid them, you know, paid our engineers and said, well, 20% of your time we would like you to go give back, but 80% is we want you to add the things we want into OpenSSL.
And so we said, well, what if we just split OpenSSL and separate the math library from the network library? So when there's vulnerabilities in the network stack and in how, you know, cryptography is being done, then we will know that only the components that use that half of the library are vulnerable, rather than all these other ones, which was these, you know, massive things we were doing.
And all the engineers love that. They're like, oh, this is great. We can now use the library that only has what we wanted. So that's an example of like, you know, you can do code analysis to figure that out. We just did it qualitatively. [00:18:00] Maybe it gives us this opportunity to start refactoring larger and larger code bases down into something more manageable.
[00:18:07] Sean Martin: Yeah. So what, what was the trigger for that?
[00:18:10] Andy Ellis: Oh, uh, 2014 when OpenSSL had to be patched critically, like, three times in a year.
[00:18:17] Sean Martin: Right, so the, the team just fell over, got, got upset.
[00:18:20] Andy Ellis: Right? Like we had people yelling at us, and so we sat down and we're like, well, you know what? If we did this, the easiest way to keep track of it is to just take that code away from them and say, if you're never gonna use this code, then you don't have it in your code base, which means vulnerabilities never impact you.
[00:18:36] Sean Martin: Yep. So the reason I ask that question is, I mean, that's a pretty significant event, or set, series of events, and impact on the team. Um, there may be more subtle ones that, if addressed, perhaps have the same results. Um, but it's just drawn out over time. So you don't have the bang, bang, bang three, three...
[00:18:57] Andy Ellis: And so that's a place where data analytics can [00:19:00] help us find things. But you still need to really have the organizational buy-in to do it. Like, you know, in a sense it's easier to patch than to refactor. So what I'm proposing here was not actually easier than fixing once, but it was certainly easier than fixing so many times.
So that's where it becomes useful. So the challenge is something that is subtle that people don't really see up front. It's gonna be a lot harder to convince people to say, oh, you know, it's like, why don't we minimize all of our packages? Like this is an obvious thing everybody should do, is minimize your packages. OpenSSL is actually a great example. There's, like, competing libraries. For most people, you should probably think about not using OpenSSL. Now, I had a board member who was always like, well, why don't, aren't we using s2n? And I'm like, well, that's because we actually use every feature of OpenSSL, like we have to be compatible with everything.
We can't just say, oh, we're just doing one thing. Right. It's the same thing behind, like, when Dan Bernstein wrote his DNS packages to say, like, why are we all using BIND, [00:20:00] which does a million things for name service, when what you want is you want an authority. It does not need to be BIND. It should be, you know, djbdns.
[00:20:10] Sean Martin: So do, do CSOs have a voice to drive those changes? Sounds like no. But, um,
[00:20:18] Andy Ellis: So in general the answer is no,
[00:20:20] Sean Martin: sorry.
[00:20:21] Andy Ellis: but you can get the voice. And here's, here's sort of the secret, which is you spend political capital to get people to do things. You earn political capital when the things people do on your behalf are successful. It's really simple, like you're just making investments and you hope they pay off.
So every time you spend political capital and there's no win, boom, you've lost that capital forever. So, you know, one of the things that I recently wrote, I republished, I should say, is like the First 91 Days guide for CISOs. It says like, look, you're in a new role, whether it's your first time as a CISO or your 15th time, whether you don't even have the CISO [00:21:00] title.
Like here's a guide to walking into your company and saying, what are the critical questions? Like, who is this company? What do they do? How do they operate? But core to it is two questions that I recommend people ask of everybody they talk to. Like you go and you talk to your peers, you talk to stakeholders, anybody, you ask them two questions and they're really simple, easy questions.
You're basically saying, what's the stupid stuff I should go do first? And the way you phrase this is like, what is the security thing we're doing that gets in the way, that you have no idea why we're doing it, and you wish it would go away? Now it might be an important thing. They're wrong, and your job is gonna be to explain to them how important it is. But odds are, they're gonna say something like, well, like, I have to type in my password seven times every morning.
I thought we had single sign-on. And you're like, I didn't know that. Let me go figure out, like, my team told you we had single sign-on when I showed up. Let's go figure out what's going on so I can get rid of typing in your password seven times. [00:22:00] Uh, and then you also ask the, the flip side of that, which is, what's the most obvious security thing we should be doing that we're not?
Right? And the reason you ask these two questions is to get political capital. It does not cost you anything to ask these questions, and people will basically hand you a set of projects that are all quick wins because they've evaluated and they say, this is all easy problems to go fix, even if they're wrong 50% of the time you have so many projects, you just walk in the door, you listen to those and that is your roadmap.
You don't walk in and say, well, I, I have this vision of what I'm gonna go do. No, your first 91 days, the only projects you start are cleaning up the messes your predecessor, or your lack of a predecessor, left for you, unless they were completely amazing, in which case, okay, now you'll have to work hard to find your quick wins. But every one of those you do gives you the ability to ask for something else.
[00:22:57] Sean Martin: Interesting. And then, [00:23:00] yeah, so you could pretty much ask that from any part of the business.
[00:23:05] Andy Ellis: Exactly. You go talk to your CFO, you ask. They may, they may not have a CFO, finance, security-related answer for you. They may just say, as a user, I hate that we do this. Or they may be like, you know, we have all these security projects, and like everyone promises some ROI, and I never see that money.
So can we stop saying, talking about ROI on your projects? Great. Like they just told you not to use the language of dollars and now you're not gonna have to worry about that. Okay, great. That's a, an easy change to make and you can say, Hey, how would you like me to, you know, communicate in the future, you know, the, this cost benefit trade off.
[00:23:44] Sean Martin: And so I wanna talk about the book a little bit more and, uh, or the guide, and, but First 91 Days. Yep.
Um, in one sense, you could think, all right, I'm a new CISO. I'm gonna [00:24:00] do this for the first 91 days, and then I set it, said it, I leave it behind me. The kind...
[00:24:05] Andy Ellis: You could.
[00:24:06] Sean Martin: You could. I'm just wondering, have you found that people pick it up again in six months or a year, and not, not that they're new in a role, not that they changed roles, not that they'd made any significant change to the program, but perhaps there's enough change in six months collectively, or in a year, that says now's a good time to purposefully reevaluate these for...
[00:24:28] Andy Ellis: Yeah, so I've, I've certainly had a couple CSOs who've said that they use it and they touch back to it, but it's not really designed for that. Like the, the purpose of this is to get your head on straight, like you've come into a new role. Like is this a company that will tolerate a draconian security policy, or do you have to do something laissez-faire?
Like you don't really need to reevaluate that after six months, but maybe you wanna go back and say, hey, did I actually get the right answers? Because it might be that my belief in the company is not the company that I actually ended up in. And so what I thought in those [00:25:00] first few weeks, I need to go back and reevaluate.
So certainly there is some value there, but no, this was designed for a very specific point in your career, which is you're doing the job transition, here's how to approach it. Now this is useful, you know, but 80% of that guide is not about being a CISO. It's just about how do you enter a new role. So I've had a lot of professionals reach out and say, hey, I took a new gig as this.
I got promoted and I used this guide as my sort of handbook for it. But I don't have great metrics 'cause honestly I just give this away. It's literally on howtociso.com. You can go there, click on the library, and like it's, I think it's the second thing in the library, is the First 91 Days guide.
[00:25:40] Sean Martin: Which is super cool that, uh, you make that available. So we'll, we'll include a link to that, uh, for everybody to access as well. Um, what are some of the other things you've, I know you've published some books as well. What, uh,
[00:25:51] Andy Ellis: So I've got a book, I've got it behind me for those of you who are watching. So it's, uh, 1% Leadership, which is, uh, for me, I [00:26:00] honestly, I think it's the best leadership book anybody can ever read. It's because I've read a lot of leadership books, I know a lot of leadership training, and in my experience, they all have the same set of failures, right?
The first one is they usually pick somebody who's a successful business person, and it's a hagiography. We're basically saying, oh, this person is amazing. Like Jack Welch is the best leader ever. And so it's a lot of a biography that is fluffing up someone. And so it's trying to say everything they did was great, but then they basically reduced this person's leadership style down to one thing.
So like, what do we know about Jack Welch? Oh, he stack ranked everybody on the ladder and fired the bottom 10% every year. Like Jack Welch did a lot of great things. This is not the defining feature of his leadership style. But it's, you know, the one thing that he did that's easy to point out. So we reduce it to that and then we pretend that if you just do this, you'll be amazing.
Right? So these are sort of the three, it's, it's this hagiography, we reduce it down to one thing and we present, pretend that one [00:27:00] thing is sufficient as a leader and like fire your bottom 10% of your staff every year. That only works if you need to get rid of 50% of your staff within a couple of years.
Which is what GE was facing in the eighties, like that's part of Jack Welch's greatness was he came into a company that needed to downsize and he had a way to go do it. So I wrote, when I wrote 1% Leadership, it actually started as essays to my team because we would bring in leadership training from outside.
And I'd go to it and I'm like, okay, here is the lesson. You need to learn from this, and here's how I think you should think about applying it. Here's just a short like essay, blog post. I'll send it to you. I would share it with some peers. Some of them would send it to their teams. And what I realized is that leadership is a set of skills.
There's not one style. You are never going to be the same leader I am. Like that's just not our personalities, the environments, we are all different. But like anything that's just skills, like being a quarterback is skills. Um, you know, Patrick [00:28:00] Mahomes probably the greatest quarterback of this generation.
Um, looks nothing like Tom Brady. But we can look at both of 'em and say, wow, these are amazing, great, fantastic quarterbacks. But they have a lot of skills in common. Like they both have pocket presence and awareness and like you can walk through the set of skills that they all, they each apply differently.
And so leadership is the same way, right? You have to recognize it as a leader, like you need to practice a bunch of skills. And so this is the book that is the collection of skills.
[00:28:29] Sean Martin: Okay. Based on a lot of trainings that, that you've experienced.
[00:28:34] Andy Ellis: On trainings I've been to, you know, insights I've had as a manager, as a leader, a lot of it is sort of counterpoints. I watch somebody do it badly and I said, oh, here's the lesson, what they did wrong or the one thing that they got right. And I can pull that out, extract that, you know, the, I didn't try to hide the messages.
So it's not like some of those books that you've read where you like three chapters in, you're like, I think I know what the message is, but they won't tell me [00:29:00] because why would I buy the book if they just, you know, made it a tweet at the beginning. Um, the chapter headers are all the tweet summary of the chapter.
So here is the lesson, here's the tweet summary of it. If that's good enough for you, don't bother reading the chapter or read the chapter. On average, there's 750 words. They're basically short blog posts that summarize, 'cause that's one of my skills is to be able to concisely summarize and message a storyline in a fast fashion.
[00:29:27] Sean Martin: Yeah. Well, it, it all comes down to the story and then, uh, and. I presume in there is the, the context, so you can get the lesson from the, from the top level, but the context do. Is that designed to help them picture themselves in the scenario?
[00:29:43] Andy Ellis: So I write them, they're all written slightly differently, but in general, they sort of follow the model of, you know, a Zen koan or a Gemara story, which is like, here's the lesson, high level. Then here's a story about where the lesson came from. Then here's a message about how you should do it.
So [00:30:00] one of my favorite chapters, which is inclusion, is reducing the energy cost. People pay just to exist in your space.
[00:30:08] Sean Martin: Say that again.
[00:30:09] Andy Ellis: Inclusion is reducing the energy cost people pay just to exist in your space. Right when someone, and so it starts with stories of like, you know, imagine some employee Taylor, and then what's funny is all of the examples are from my own career.
Like, you know, they walk in or, or from, I've seen to other people or to me, but it's like they walk in and you're serving lunch, but they have dietary restrictions. So now they have to figure out what they can eat because you didn't bother to ask in advance or if they can even eat. And so while everybody else gets to work, they're spending five minutes stressing and energizing about what they're going to do. Or you try to do a last minute meeting at the end of the day, but you've got a parent who has to go pick up a kid. And so now they're spending energy trying to reschedule this meeting with your admin who just got [00:31:00] told, get this meeting done by the end of the day.
And these are just the things that are, that cause people to spend energy. And our whole job as leaders is very simple. The people in our organization spend energy to produce value. Our job is to maximize that. And that sounds like horribly utilitarian and blood thirsty, like you don't care about people.
But the reality is you have to care about people to make that an efficient transaction because so much of the energy cost, it's because nobody cares. And so if I say you are spending 80% of your energy not producing value, and if I can just be nice to you, half of that goes away. And so now you're only spending 40% of your energy, you know, dealing with the fact that you're not producing value.
But now I get 60% of your energy produces value. Like you just go do this. Um, and I have a, a friend of mine who he calls it the angel and devil managers, like imagine you have an angel manager on your [00:32:00] shoulder who basically whispers in your ear and only tells you to do nice things. They're like, take care of the employee.
Make the employee the center. You want to be a servant leader? Screw your boss, because they don't really matter. The company's heartless. So take care of your employees. And on the other end, you know, shoulder, you have the devil manager who's like, eh, screw the employee. Like maximize how much value you get out of them.
Your job is to be a fiduciary to the company, maximize the value. You don't care about the humans. Now listen to the advice that those caricatures give you. And what you'll find is in a lot of situations they will, situations, they will give you the same advice, right? They will tell you things like when your employee is burnt out, send them home because you know the angel's saying, because that's the right thing to do for the human.
And the devil is saying, because they're not producing anything of value right now, make them go get some sleep so you can exploit them tomorrow. They're both telling you to do the same thing because exploiting them long-term for [00:33:00] value actually lines up with take care of them. What doesn't line up is exploit them right now, but exploiting them right now is bad for your business because you don't have them tomorrow.
[00:33:13] Sean Martin: Ah, so interesting. And do, do you find, um, thank you for that. Do, do you find, I mean, this clearly isn't a security leadership book. This is.
[00:33:22] Andy Ellis: It's not just security, but I have found that when you have to manage through influence, you really have to focus on your leadership, which is really why this was a, became a core passion for me was how did I manage a team that needed to lead through influence, and it was a cast of characters. So how do I get the maximal value out of them?
Create a safe place and you get side benefits. Like I spent my last 15 months when I was at Akamai with zero turnover, a 94 person team with not a single person who left. Now granted we overlapped with COVID, so that might have helped a bit. [00:34:00] But even before that, like we had lower turnover than all of our peer organizations.
And when you just do the math of how much extra value you get, especially the security team where you need to know where the skeletons are in the company. Like every time somebody turns over, your organization becomes remarkably ineffective. 'cause you have to now go rebuild relationships, relearn what the problems are, and so every day you can retain somebody.
Your organization is better off for it.
[00:34:28] Sean Martin: So I want to, I talk to you for hours about this stuff, especially opening this next question, I think. But, um, so I wanna, I wanna wrap up this and we can, we can have another chat another time, but in the. Leading a team by influence versus by MBOs, let's say, is a, um, describe the CSO role there because you do have direct reports, but then there's the broader, so being a leader across that, maybe, maybe tell us a little
[00:34:57] Andy Ellis: So one of the biggest challenges I've run into [00:35:00] is like, how do you measure success as a CISO? And there are people who are super metrics focused. Um, in fact, I did a talk at RSA, I don't even know, two or three years ago. It's like you can't measure risk. That sort of fist, like a, you know, went through a bunch of the dashboards, people like doing, like here's why all of these metrics are awful.
And at the end of the day, one of the biggest challenges is the more metrics you have, the less valuable work you get done. 'cause you force people to work the metric. There's a phrase, it's like you expect what you inspect, which started out people thought, oh, like if you don't look at it, you can't expect a good outcome.
But what it really ends up being is that whatever you are looking at is what you're going to get more of. So every MBO people will manage towards that. You know, my, my most recent gig, like we had a marketing team with so many MBOs that when I came in and said like, here's this great thing we do, everyone was like, it's amazing we should do this, but we can't.
I'm like, why not? They're like, there's no space for it. We have a set of [00:36:00] OKRs, you know, the other new phrase for MBOs, like that we have to get done and we have to work on this and we can't do anything that's not in this list because we don't have enough time to do what's on this list and this is what we're measured on.
So you have to really pay attention to that. It's a CISO is you should only be measuring the things that are going to be producing value and you should make sure that you are not measuring everything your team does. When you do that, you remove all of their initiative.
[00:36:29] Sean Martin: And how about in, in that, in that scenario or that picture, then measuring just your own team
[00:36:38] Andy Ellis: Yep.
[00:36:38] Sean Martin: is not enough either. Right?
[00:36:40] Andy Ellis: It's not, but you have to figure out what is the meaningful measure? Like how do you measure the organization in a way that the organization will accept? 'cause sometimes they don't. Like, I would love to be able to do a scorecard for every line of business. And say, look, ha, you're a C. Nobody else in the company is a C.
You should fix that because that would work in a lot of companies. Like you just [00:37:00] say, like organizationally, here's where you stand. I could do this for security awareness training is my favorite one. 'cause ours was so lightweight. You literally just had to go click a link on a webpage and you, you were self certifying that you were trained, but that webpage had everything on it you needed.
And like so is the easiest thing as a company, we stayed above 96% all the time. Just with a cron job, like nobody ran this program. A cron job was in charge of the program. So it's like having an AI agent 15 years ago. But nonetheless, every so often I would notice that there was a team, I had a dashboard that would show that was like, they're only at 50% compliance.
And so all that I would have to do is I would just drop them a note and I'd say, Hey, I just noticed that you're the largest team that has the lowest compliance rate, and here's the compliance rates of all of your peer teams, and here's a link to the dashboard. You can go look and see who on your team hasn't done it.
Like it's just a form letter, like the dashboard produced this letter for me. So I would just say, give me the letter for this person, and then I would click send. [00:38:00] And just by showing them this one metric every once in a while, like I'm not beating them over the head with this once a month, it's literally every year I would go in and like five people would get this note.
It changed how they operated. 'cause that was personally embarrassing to them, that I had taken the time to call them out. That's what you have to think about when you do metrics. Any metric that looks bad that you show people over and over and over again, they get inured to and they're like, there's no consequence to me for being bad.
[00:38:28] Sean Martin: Right.
[00:38:29] Andy Ellis: So if instead you're like, well, here's the great metrics, always celebrate success because people are more incentivized by rewards than by punishments. So whenever people do a big security project, we would have cake with them and the CEO, and we would talk about the project in front of the CEO. Serve everybody cake.
And I had engineering managers coming to me saying, what security work do I have to get done to have cake with the CEO? Like how many people get that where random people are saying, I want to [00:39:00] work for you even though like you have not come to me and asked me to do anything. I want to do stuff for you.
Because that's the only way for the CEO to learn my name 'cause nobody else does this.
[00:39:09] Sean Martin: Let them eat cake.
I love it. Oh boy. My brain's going a mile a minute here. A bunch of questions. We're at 40 minutes in though. Um, Andy, it's always great to see you, my friend, and, and to chat with you. I'd like to have you back, maybe, uh, maybe talk more about the program. I wanted to talk about culture and, and all kinds of stuff, but, uh, maybe, maybe we will, uh, I dunno, maybe we'll catch up in Vegas for, for Black Hat. I
[00:39:34] Andy Ellis: No, I will not be in Vegas for Black Hat. I'm very happy that I have nobody mandated that I go right now.
[00:39:40] Sean Martin: There you go. All right, we'll take that break, and when I get back, maybe, maybe we will have a wrap about, uh, what I saw and heard, and I can get your, your insights in that.
[00:39:48] Andy Ellis: Sounds great, Sean.
[00:39:50] Sean Martin: All right, everybody listening and watching. Thanks for joining me. Hopefully, uh, hopefully you enjoy this as much as I did and do connect with Andy.
Grab the guide, grab the book, and, [00:40:00] uh, stay tuned. Uh, for more here on ITSPmagazine, Redefining CyberSecurity. Thanks everybody. Thanks. And.
[00:40:05] Andy Ellis: Thank you.