Redefining CyberSecurity

The Critical Need for CISO-CIO Synergy in Cybersecurity and Business Leadership | CISO Circuit Series: Episode 4 with Betsy Bevilacqua | Michael Piacente and Sean Martin on the Redefining CyberSecurity Podcast

Episode Summary

Dive into the CISO Circuit Series, part of the Redefining CyberSecurity podcast, where co-hosts Sean Martin and Michael Piacente are joined by special guest Betsy Bevilacqua to explore the evolving landscape of cybersecurity within business frameworks and the dynamic interplay between CIO and CISO roles. Their rich experiences and stories illuminate the critical importance of collaboration and innovation.

Episode Notes

About the CISO Circuit Series

Sean Martin and Michael Piacente will join forces roughly once per month to discuss everything from looking for a new job, entering the field, finding the right work/life balance, examining the risks and rewards in the role, building and supporting your team, the value of the community, relevant newsworthy items, and so much more. Join us to help us understand the role of the CISO so that we can collectively find a path to Redefining CyberSecurity. If you have a topic idea or a comment on an episode, feel free to contact Sean Martin.

____________________________

Guests: 

Michael Piacente, Managing Partner and Cofounder of Hitch Partners

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/michael-piacente

Betsy Bevilacqua, Co-Founder and Business Strategy Lead, Tabiri Analytics [@tabirianalytics]

On LinkedIn | https://www.linkedin.com/in/betsybevilacqua/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

The latest episode of the CISO Circuit Series, part of the Redefining CyberSecurity Podcast on ITSPmagazine, brought together prominent figures in the cybersecurity industry, Michael Piacente, co-founder of Hitch Partners, and special guest Betsy Bevilacqua, a seasoned security professional with a rich background in both operational and information security realms. The discussion, led by Sean Martin, took a drive through the evolving world of cybersecurity within businesses and the intricate relationship between the CIO and CSO/CISO roles.

The episode kicked off with Michael Piacente sharing insights into the convergence of the CIO and CISO functions, emphasizing the unique challenges and opportunities this blend presents. The evolution of these roles reflects broader changes within companies, influenced by industry, size, and the maturity of their cybersecurity journey. Next, Betsy Bevilacqua offered a deeply personal account of her career trajectory, which traversed diverse sectors, from her early days in data center and help desk roles to leadership positions at eBay, Facebook, and her entrepreneurial ventures. Bevilacqua’s narrative underscored the multifaceted nature of cybersecurity work, highlighting its essential role in enabling businesses to expand safely and successfully.

The conversation also touched on the crucial, yet often overlooked, partnership between CIOs and CISOs/CSOs. Betsy illustrated this with examples from her career, explaining how strategic alignment and collaboration between these roles are pivotal in safeguarding a company's digital assets while supporting its growth objectives. Whether in a startup or a large corporation, the synergy between IT operations and security strategy paves the way for innovation and efficient risk management.

Lastly, the dialogue turned towards future directions in cybersecurity. Both guests agreed on the importance of listening, adaptability, and the human element in navigating the complexities of today's digital landscape. As businesses continue to grapple with emerging threats and the integration of new technologies, the role of cybersecurity leadership is ever more critical.

This episode of the Redefining CyberSecurity Podcast not only highlights the professional journeys and insights of Michael Piacente and Betsy Bevilacqua but also sheds light on the broader implications of cybersecurity in business strategy and operations. Furthermore, it underscores the need for open dialogue, cross-functional collaboration, and forward-thinking leadership in tackling the cybersecurity challenges of tomorrow.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new Redefining Cybersecurity podcast here on ITSP Magazine, or more specifically a new episode of the CISO Circuit Series with my good friend Michael Piacente. How are you, Michael? Good. Good to see you, Sean. Good to see you too. And, uh, we have a distinguished guest today, Betsy, and I'll let you do the honors. 
 

But, uh, for many who know the show, I get to talk with all kinds of cool people and Michael. And, uh, now we're, we're, we look at the role of cybersecurity in business and the roles in cybersecurity that enable the programs in the business and, uh, for me, the ultimate goal is to operationalize technology, operationalize security programs, and enable the business to grow and succeed successfully, uh, safely, as you'd say. 
 

And, uh, it's not an easy task, especially with a lot of the pressures of, of attacks and threats [00:01:00] and compliance, uh, that keeps the, keeps coming up and all the work associated with that and, uh, I think other parts of the business. So they don't, the role doesn't stand on its own, right? We work with other teams and we're going to talk a little bit about the relationship between the CIO and the CSO slash CISO. 
 

Um, so Michael, any, any thoughts, uh, you want to share to kick things into gear?  
 

Michael Piacente: Yeah, I mean, there's definitely a, a huge convergence going on between these two functions. I feel like it comes up. Literally every day of my conversations, both with CISOs, uh, and CIOs, but also with clients and what are the functions, how are they dissected? 
 

A lot of it depends on the size and shape of the company, the industry, where they are in their, their journey. Um, so we certainly can double click on that. And I think Betsy has probably the best perspective having done it before, having talked to many companies in that space. So I'm excited to hear her [00:02:00] perspective. 
 

Sean Martin: Yep. And so for those who don't know, Betsy, uh, maybe a few words from you about some of the things you've worked on and what you're up to now and, and what, uh, what prompted you to join us for this? I'm honored to have you on.  
 

Betsy Bevilacqua: Thank you so much, Sean and Michael for hosting me. I've been looking forward to this ever since Michael floated the idea. 
 

Um, so. Starting off with your first question, just about my background, um, it's been almost a little bit over 20 years, which sounds crazy saying that because it's been a wild ride. Um, but I started off, um, working as many people in security, uh, did when, when we were coming up, I, that's how I refer to it as, uh, in the data center. 
 

And help desk. So that was my background. Um, at the time, uh, when I, [00:03:00] I went to school in Buffalo, New York, originally from Nairobi, Kenya, uh, went to school in Buffalo, New York. Um, I was on a path when I was in Kenya to be a lawyer. But I fell in love with computers and so, and I'm so glad I did because, you know, things ended up working out, uh, as, as they have, uh, today and so started off, um, data center work, help desk work, uh, cable industry, and then I met, um, uh, a professor who was, uh, I went to a Jesuit college in Buffalo, New York. 
 

Um, and she was doing, uh, moonlighting work with the FBI on cybercrime. And, uh, she's introduced a course in cybersecurity. And the moment, um, you know, I took one of her classes. I knew that that was it. I knew that this was exactly what I wanted, what I wanted to do with my life. And so, um, You know, fast forward, it was difficult to find jobs in security because the role even today is still in its early stages. 
 

Um, and so, [00:04:00] uh, spend some time, you know, living in Buffalo, New York. I worked in a number of industries, uh, health, uh, healthcare. I was in an insurance company. That's actually where I got my first piece of role was a health insurance company. And then, you know, I was born in the tropics and I'm solar powered, I like to tell people. 
 

And so after 10 years of Buffalo winters. You know, by then I was married. I looked at my husband. I said, um, I think it's time for us to try a different, uh, environment where I don't hibernate during the winter, um, or dig out of, uh, snow. And so we went out west. Um, and this was after, um, remember the, uh, the housing crisis. 
 

Um, so it wasn't very clear. It was a very uncertain time. Um, and that's, you know, we sold our house, um, and then just move into an apartment, uh, because it was still the West coast and we just didn't know what was going to work out, whether it was going to work out. So I went to work at eBay. Um, I was running their, uh, risk, um, [00:05:00] program, uh, eBay. 
 

Uh, and PayPal, were still together at that time. Um, and I had a really interesting role. So eBay and PayPal had grown by M&A. And by the time I got there, they had about 35 little companies all over the world, um, that they had acquired. And the security posture in each one of these was sort of like very opaque. 
 

And so I was brought in to build out a standard by which you could measure out the security risks for all of these. They call them adjacencies at the time. Love that job. Got to meet and work with many amazing people. Um, and then Facebook came calling. Um, and from there, um, you know, I think that's where I learned the most about what it means to build a security program in a high threat environment. 
 

And so think of everything by the time I joined Facebook. Um, I think we were looking at the monthly active users. I forget. Maybe it was around 600,000 monthly [00:06:00] active users. By the time I left, it was over 1.2 billion. Um, you know, they had acquired, um, uh, WhatsApp, uh, Oculus, and I got to be on the front lines of, of watching and building out security capabilities for some of these, um, acquired companies. 
 

So I, at Facebook, I ran, um, the, uh, security, uh, assurance program. Um, which is basically all of the SOC 2 work, uh, and you have the things that fell between, um, regulatory work and technology work, so that was really cool. Um, and then towards the end, um, I worked on operations. I run a team of, uh, program managers and anything and anything that security team was involved in, um, we had our hands and we were sort of like the nucleus, uh, of the security team. 
 

Um, and so after that, after, um, I spent about four years there, I started thinking about moving, uh, my husband and I started thinking about moving, uh, back East because [00:07:00] our families are all located here. People are getting older. We by then had two children and we looked at each other and said, what are we doing? 
 

We love the West coast, but it's time, it's time to go back East. And I said, you know, New York is a really interesting. place to go. I'm interested in fintech and it's funny. I did not get into fintech right away. I got into a, um, uh, health, uh, insurance, not health insurance, a medical device company, um, that was digitizing ultrasound. 
 

Um, you would connect the company's name is Butterfly and they have a really cool product, um, where you literally connect an ultrasound probe onto an iPhone and you as a doctor out in the field, don't have to wait for a bulky machine. And so, you know, to me, that was, um, sort of the best, um, uh, interaction of you're helping you're finding a product that is helping to change [00:08:00] lives as well as having all of these complex problems because you have regulation, you've got hardware security, you've got, you know, there's a cloud back end, you've got AI. 
 

Nobody was talking about AI. Back then, as they are today, but all of these things were coming together. Uh, and I thought, wow, this is a really interesting company. So I was there, help them build out their security program, their IT program. Um, and then I got this incredible opportunity to build out another security, uh, function for them. 
 

This time in blockchain and crypto, and, uh, that was Chainalysis. So I wrapped up my time of Chainalysis, um, in January. Um, and now what I'm doing is, uh, advising startups. Um, I also co-founded, um, my own startup, uh, doing incident response, um, in primarily, uh, East Africa, although we're starting to see some interest, um, in, in the, the U.S., uh, with more, um, smaller shops, so that was a long drawn out way, uh, but I hope you got sort of like the, the story [00:09:00] of where we, uh, you know, how I got to where I am today.  
 

Michael Piacente: Yeah, Betsy, by the way, I, I've sort of heard, uh, bits and pieces of the story. I've had the pleasure of knowing Betsy for about seven years. 
 

Seven years, I think six or seven years. Um, and, um, I love that story. It's just such a inspiring story. First of all, um, a couple of things I wanted to point out. First of all, Betsy's first CIO role, I believe it was, um, with the health care company, it was like one of the first. HMOs, right? That was only about five or six years into your career, if I'm not mistaken, is that correct? 
 

Betsy Bevilacqua: Very accurate. Yeah.  
 

Michael Piacente: Which for those out there, you know, a lot, and I work with a lot of folks whose end goal is to be the CISO. Um, and sometimes it comes later in the career. Sometimes it comes earlier and that's his case. It came earlier. You know, the opportunity is there and she. Took the most, you know, took most of the opportunity and really built upon her career in a totally different industry and then was able to pivot [00:10:00] into, uh, basically, you know, to eBay and PayPal, which was a very different industry, but he probably equally or maybe as not, um, you know, governance wise, um, be able to, so everything, every step along the way with Betsy, she used. 
 

Previous, um, experience and then grew. And I always thought I was looking for that from a candidate perspective, from a leader perspective, it's actually a wonderful story. Um, the other thing that, um, uh, that I will give you the humble pie piece on is that, you know, at Facebook, you were pretty much one of the leaders, um, under Alex Stamos and that team. 
 

Um, that's kind of how I met you and heard about you and your amazing reputation. Um, your humanity. Um, and so that was a massively, that was probably the, one of the largest scaled environments on the planet at that time, if not the largest. So, so I was just, uh, love to kind of get your thoughts, like what's. 
 

When you're working at a FANG at that level, at that time, is there someone, is there some nuance, uh, in [00:11:00] surviving and working in growing yourself, um, during that time that you, any experiences that you could take away from that you wanted to share?  
 

Betsy Bevilacqua: That's a great question. And, and, um, and thank you for putting it the way you did, because it made, you made me sound like, you know, this, this genius, um, who was very strategic, but in reality, it was a number of just. 
 

Steps and people, you know, I think I can't underscore. Um, there are people who took, I call it, they took a risk on me because going into the Bay Area, you know, I was only about three years into eBay when, um, when Facebook came, came, came calling and so it was, you know, at that time, um, Most people in security, we're not thrilled with the idea of a Facebook, right? 
 

I just want to put that out there because. Um, and it's for all of the reasons that [00:12:00] we still, you know, worry about today, where there's just a lot of, uh, data, personal data that we're sharing. And so, um, there was all sorts of things that went into that, uh, decision to join Facebook. But, um, your question was, was around how do you survive or thrive in that situation or in a, in an environment like that? 
 

And it really goes down to the culture. Um, you know, before, um, Alex, Alex and I, great friends, uh, there was Joe Sullivan, also another friend of mine, um, I think they, uh, they built an environment in which we knew that the work that we were doing was difficult, but we also knew the work we were doing was having an impact. 
 

Um, and, you know, there's tons of really great stories that have come out, um, of that security team. The other thing is. The innovation. Um, you know, I sat next to a number of people who just created tools. They were hobbyists. So they would create these security tools and they were beautiful. They [00:13:00] were, they were, you know, very elegant. 
 

So we had something called security bot. Where if, uh, data was being accessed, um, maybe there was some issues and there was a red flag that somebody was accessing this data. Security bot would pop up and, you know, and, and interact with you. These are things that today, you know, we're working, we're seeing more and more of that being built out. 
 

But, um, at the time at Facebook, there were people who were just so talented and so passionate and were able to create. Just create or invent, um, uh, really elegant solutions to security and understanding that we had to lean on our partners. It wasn't just a. You know, security team versus the entire organization. 
 

No, we ended up building lots of really strong, um, relationships. I ran, um, a program called Hacktober, which was, um, I would say probably one of the best marketing tools for the security team at Facebook. And I've taken that playbook into other companies [00:14:00] where, you know, at Chainalysis, they created Cryptober, um, which is a riff on Hacktober. 
 

But the idea is. You know, you create a fun environment during Cybersecurity Awareness Month. And it's not just about phishing people and making people embarrassed, you know, that they clicked on a link. You know, at Facebook, it was interesting things like leaving USB sticks, um, just around the campus. Um, it was movie nights, you know, bringing in, um, uh, you know, people could bring in their families and, uh, giving away swag. 
 

It was just, we created a really great culture and environment where people felt comfortable raising security issues with us. Um, you know, we had different channels where people could reach out to us if they suspected something and built that idea of a partnership versus a sometimes you can have. And I'm not saying that, you know, it was all roses the entire time, but at least when you can connect to people on that level, on that human level, you're here, you know, I respect, I empathize what you're doing. 
 

Here's what [00:15:00] we're trying to do. Let's figure out a way to make this work. Um, and so I think a lot of that, those lessons that I picked up, um, from Facebook, uh, made it such that, um, yes, the environment was tough. Uh, it was, um, very busy. Um, but it was a lot of fun with a lot of fun.  
 

Michael Piacente: That's great. And by the way, uh, one thing I just learned about you is you're really good at the marketing of names. 
 

When I, when I come up with a product, they're like terrible, terrible. Like, where did I even come up with that? So, uh, cryptography, uh, Cryptober is pretty awesome.  
 

Betsy Bevilacqua: Thank you. Maybe, maybe I'll go into marketing with this.  
 

Michael Piacente: Yeah, I'm with you on that. I now know who to call when I have a good idea, but no idea. 
 

Betsy Bevilacqua: Anytime.  
 

Michael Piacente: Um, but if it is true, I mean, you, um, you know, one thing for people like take away from this is, uh, you know, the, the, it's not so much, um, always about the company that you work for, that you're helping to build a security organization, but the security culture in that company [00:16:00] is, uh, what also drives your own personal growth, but also drives. 
 

Uh, your ability to, to, um, to, to make your, your management track or your architecture track, whatever it is, because the enablement of that culture is key and you, you worked for two of the more extraordinary security, uh, programs in the world. Uh, you know, eBay. Is widely known as a, you know, CISO factory to the extent and CIO factory, uh, as is Facebook and the extraordinary people, Joe and, you know, Alex can call friends as well. 
 

And they're, they're amazing. And, um, and so it's, it's, it's really, it's pretty fantastic to see that. And then you being able to take that and apply those. Those lessons learned the mistakes that everyone made and then the growth opportunities into your own organizations when you're building out Butterfly and Chainalysis. 
 

So it's a it's a really cool story. Um, and a unique one. So, uh, yeah, neat. Um, sorry, Sean. I'm capitalizing on  
 

Sean Martin: fantastic [00:17:00] as you're describing some of your journey. I was singing that's a story on its own. That's a story. 
 

I want to, um, maybe go to this point of I'm going to stick with the culture because Did it, did it exist, the culture, or was it something that you helped shape, because I, I can't recall a time when somebody said the security tool is beautiful, and it's something, and it's something that they, they created, and they had the freedom to do those things, and if anybody listening to the show is listening to this episode, they'll realize that many times I'll say, you know, When, when is security going to have its transformational moment? 
 

When can it shine as a, as a place where it, it actually drives business value. And if the team feels good and the tools coming from it are good and the programs are operating in it within it are good, [00:18:00] I think it has to be good for the organization. So my question is the culture that allowed. The team to be creative and be innovative and feel good about the work that they're doing. 
 

Was that, did that exist? Does that help? Did you help shape it? How, how did that come around?  
 

Betsy Bevilacqua: That's a great question. Um, how did it come around? So I joined Facebook in 2011 and part of the onboarding process is I'm thinking, you know, it feels like it was forever ago, but sometimes these memories come back to me. 
 

And I remember, um, me. The entire, there were, it felt like there were no restrictions once you got into the company about where your passions and where you could spend your time. So, and what I mean by that is when you're going through onboarding, especially as an engineer, um, at Facebook, and I don't know if it's the same for, for other of these same companies, but you go through [00:19:00] something called bootcamp. 
 

Um, and the idea there is like for you to learn, um, because it's a massive code base, you know, so there's, they just don't throw you into the world when you have to go through this, this process. But, uh, you know, and depending on what role you are, you were going into, you had a, you know, a few different paths, but there were some things that were very specific and they were around, um, uh, some of the, the actual Facebook culture itself, so I think, and that, that, that culture itself is just, you know, around, um, the word hacking was thrown around a lot, but not hacking in the security sense. 
 

It was finding a better way to do something. You know, being more efficient, being more effective, uh, and not being afraid to do it. So you'd walk around the campus and there would be posters. What would you do if you were not afraid? That's a big one by Sheryl Sandberg. Um, and I think people really lived those values. 
 

So we essentially took the company values and infused them into the security program so that we [00:20:00] wouldn't look, because, you know, depending on the industry you're in, you can, the security team can sometimes, you know, it can sometimes feel like you're isolated. Because you're holding your hand up saying no, no, let's put the brakes on this But if you then, you know flip that on its head and say no No, we're just we're just like the entire company. 
 

We also like to hack we also like to build things and that just gave people the The courage I guess that they needed to go out and get creative Um, and also performance review, uh, processes also had a place to to play here where you were rewarded. Um, on the impact that you had. So that word was everywhere. 
 

Um, you know, I'm starting to remember some posters on the wall, you know, fix more and whine less. Um, you know, so that was just me. If you find something that's broken, you know, figure it out. I, um, [00:21:00] another example I'll give you is, um, I had got, there were opportunities, uh, if you were interested where you could go and work on other teams. 
 

And so I decided, uh, when Facebook was rolling out, um, internet.org, which is, um, a very, it was, it was a very bold idea to get the entire world connected. Um, but that's the kind of environment that, you know, these companies are built in, but, uh, they were expanding into, um, into Kenya, into East Africa. And, you know, I'm from Kenya, so I created a pitch, I went to the growth team, I said, I want to learn. 
 

How did, how you, how you were doing, how you're building partnerships, how you, you know, grow and scale out, um, products, um, on the ground. Spoke to my manager and he said, yeah, that sounds great. Go do that. And I went and did that for six months. This stuff doesn't happen in your, you know, everyday company. 
 

And I know that what I'm describing, um, is sort of like, you know, the perfect case. [00:22:00] Um, where you have so much talent and you can move people around where the interests take them, and yet you still have the operations going, right? That 
 

some of the big, bigger, um, consulting companies will do that. Um, but it's, it's not easy to do, um, for every company, but the ones that figure out how to do it, I think, um, sort of like build that into their DNA. And that's where the creativity, um, starts to show up.  
 

Sean Martin: So how I'll go ahead, Michael.  
 

Michael Piacente: I was just going to mention from a, you know, from my purse, from a recruiting perspective, I guess, uh, the simplest way to say it. 
 

I mean, we work, we've had the opportunity to work with things and also recruit out of them. And, you know, this, this idea of culture around building and fixing and hacking. Uh, is really truly special. And there's so many companies that try to replicate that at, you know, at their own scale. Um, but I mean, I don't, I don't think people realize, [00:23:00] uh, the general consumer of knowledge is, don't realize how important the FANG culture is. 
 

Facebook very much included. And, you know, we have, we have products that were. Built because those companies exist. Um, I mean, we have processes that are built because those companies exist. Cause no one had ever seen anything that dynamic at scale before it was nothing like it in the corporate environment. 
 

And, um, and so it's really, I mean, that is why the Silicon Valley is the Silicon Valley has a lot because of these companies, uh, you know, eBay's being the first of them and then they, you know, move on from there. The Cisco's of the world where they're, you know, it's just amazing when you I'm a history major. 
 

I'm a dork. Around that. So it's such a history nerd, but I love that aspect of it. And you really now see it with, um, uh, leaders like Betsy and those that even before her and after coming from those environments are really uniquely set up, um, in, in a totally different mindset. So I just wanted to point that out. 
 

Betsy Bevilacqua: It's interesting that you say that because [00:24:00] when you're going through, you know, the, when you're in those roles and those environments, it's just, What you do that, that's the job, that's the culture. It's only when you leave and maybe you go to another, um, in my case, another, another, you know, city, uh, and another company. 
 

And then you go, wow, that was a really interesting and special experience. And I'm, you know, now, you know, it's been many years since I've, I was at Facebook, probably, you know, hitting year eight, nine. Um, but I still have very fond memory that's not connections with people there. And sometimes we will talk and say out here in the real world. 
 

You know, nobody is doing X, you know, um, I think a lot of people actually struggle when they leave, um, uh, these things where you have custom built tooling because for a long time, it took me a while to learn AWS. Because Facebook had its own cloud in front, internal cloud, right? Um, or even just some of like, um, you know, [00:25:00] very basic tools like Slack, um, which now, you know, everyone uses, but Facebook had Workplace. 
 

And it took me a long time to figure out how to, um, Operate outside of the environment where things were, what's the word? Homebrew or, you know, custom made for that environment. It can be a really interesting, um, sometimes, uh, challenging experience.  
 

Michael Piacente: Yeah. Yeah. It's fascinating to me to watch what, how that transpires. 
 

Sorry, Sean, I kind of cut you off there.  
 

Sean Martin: No, no, this is a fascinating conversation. And the one thing that I'm curious about, because you touched on it a bit in the performance reviews, is I often think, well, if you're going to, a lot of companies, and we mentioned marketing earlier, Marketing today has become not, not so much about how we present ourselves. 
 

I'm talking to security vendors here, primarily, not so much how we present [00:26:00] ourselves to the market, it's how many leads can we generate. And how do we measure that? And I think security generally, I'm generalizing here, but security has become some of that as well. How do, how do we measure things to the fine point of technology and data are our team successful? 
 

And in your example, It may not, may not directly relate to fewer attacks, fewer breaches, quicker time to respond, less downtime. I don't know what it, maybe it does. And then that's kind of my question. How do you, how do you support that culture and enable that creativity and innovation and, and being part of the organization, not separate from it? 
 

And also demonstrate in some way that you're successful.  
 

Betsy Bevilacqua: Yeah, that's a big question. Um, and I think it plagues a lot of us in security. [00:27:00] Um, you know, it's a very recurring conversation, you know, you mentioned Sean, you're in a number of security groups. It's the, what are we sharing with our board? You know, what are you managing? 
 

What sort of metrics are you looking at at the team level, at the audit level, department level? And so I don't know if there is, there's no one, you know, one size fits all. Um, going back to the whole performance piece. Um, I think there's, there's work that is just keep the lights on. We know that we have to do. 
 

You know, whether it's vuln management or, or, um, I mean, it's like processes, there's work that exists. It just has to be done. It's keep the lights on. And then there's the transformative work, which is the two, three years from now, you know, we're going to need this thing. So I'm going to spend some time thinking about it now.
 

Um, and sometimes depending on the size of a team, uh, depending on the, [00:28:00] um, environment or the, whether it's highly regulated, you know, it could be that you don't have enough time, um, to focus on those strategic things, but those are the, the more transformational initiatives. And so I think we in security live in this constant, you know, sometimes I call it like, it's like a Tasmanian devil where I'm just going around, around, around and going, oh, this thing happened, that thing happened, that thing happened, and it's hard to block out all that noise and say, hey, you know, the head of sales said we're going to expand into this geographic market and here are some of the challenging issues that we might face and just having build that time.
 

So as a leader, I spent most of my time trying to help the team focus on what are the two to three things we need to get right now, highly prioritize those. And then let's not burn ourselves out on these other red herrings. And there's plenty of them in security. You know, you have to do it every morning.
 

If you open up your Slack or open up your browser, there's been so many [00:29:00] stories. Um, and that can really start to wear on you. So half the battle is just going, you know, Yeah, this stuff is happening over here. It's not really a big of a deal. And it's it's hard to sometimes draw the line because in security, everything can go from being a small issue to blowing up. 
 

Sometimes it's perception. Sometimes it's real. And so it really you have to have that stomach to say, No, I don't care that we don't have this tool implemented right now. We're going to focus on identity and access management, because that's the most important thing we have to get to. We have to get right today. 
 

Um, and it's a, it's a constant reframing. So we used to joke when I was at Chainalysis that we would, you know, do annual planning, but it was really, you know, it was, let's, let's look at the next, you know, month or two and then reassess and constantly keep in communication about what, um, what we need to focus on and deliver on.
 

Sean Martin: Monthly, annual planning.  
 

Michael Piacente: Yeah,  
 

Betsy Bevilacqua: basically,  
 

Michael Piacente: By the way, um, to, to translate that, uh, but, [00:30:00] but that was great, Betsy, I, I, um, it's great insight. I, this is, um, this is the superpower of the CISO and to the CIO, to an extent, right? It's being so confident and knowing the muscle memory so well of the blocking and tackling items that are your day job, that you can focus in on orchestrating, getting the right level of resources, right?
 

The level of detail so that you can actually focus on those, those red herrings. In a way that you can provide digestible data back to the decision makers for impact to occur on the other side of it. So it's like you're so strong and, and so able bodied and confident on fixing the 70 percent that, that, that, that focus now is on the 30 percent of the things that come at you and you have to figure out a business solution to it. 
 

That's the sign of an incredible CISO. Uh, it's where most people struggle. They focus on the first part first, um, and they [00:31:00] get things over complicated. And then the business is like, I don't understand what you're trying to do. Uh, I have all these other big things I'm trying to solve, but you're focused on these things. 
 

And I hear the complaint all the time. And so, uh, I think it's just, uh, it's really fun to hear it, uh, kind of regurgitate it back from, you know, um, this is how a CISO succeeds. So for those listening out there, um, this is, this is how it works.
 

Betsy Bevilacqua: Yeah. I think it's, it's an interesting, uh, observation you had there. 
 

The way I think of it is it's like when you're an investment, I don't know if people listening are into, I watch a lot of CNBC talking heads. Um, but it's almost what if you have a thesis right about what you're going to invest in, then it's very easy to block out the noise, you know, oh, you know, Iran attacked, um, Israel and so all the stocks have gone down and I need to go sell like, that's how it feels when you're in some of these [00:32:00] environments.
 

And so having a very strong, okay, I'm, you know, here's my plan. And we're going to focus on these three things. And when this happens, then we can, we can change direction, right? There has to be a specific catalyst for that to happen. Then I'm going to sell my stocks. I'm not going to sell my stocks out of fear and greed.
 

But again, it's the reason I say it reminds you of that because it's a very emotional process as well. You know, your, your job could be on the line, your company, your reputation. So a lot of it's at stake when you're making some of these calls. And you also have a budget and people, you know, as a security or CIO, you have this budget and you have people who are relying on you and have trusted you with their careers. 
 

So carrying the weight of all of that and, you know, and making decisions as to where to deploy these resources, having a strong thesis and believing it and testing it. Um, and also just, I think this is why some of the CISO communities are so powerful, um, or CIO communities, because [00:33:00] going in alone is impossible. 
 

Michael Piacente: Yeah.  
 

Betsy Bevilacqua: You need somebody to validate, you know, that yes, you're not off the rocker here, like this is a good plan. Let, you know, I, I did this. So there's a lot of, um, you know, I'm very thankful to a lot of, uh, fellow CISOs who sometimes have just, you know, been struggling with a decision. Um, but just hearing somebody else, you know, just even if it's just a very, yep, that you're on the right path, um, can help you show up better, um, in, in the workplace. 
 

Michael Piacente: Yeah, it does make that community CIOs included, but CISOs are the most collaborative executive I've ever seen. Um, CFOs are not getting together and be like, Hey, what's working out for you, Betsy? You know, Hey, what's not, you know, VP sales, sales are not doing that. Heads of products are not, I mean, they have smaller communities. 
 

I'm not saying that they're void of that. There's nothing like the CISO community. It works both to the advantages of companies and the disadvantages of companies, by the way. Um, if you have the wrong, uh, [00:34:00] narrative out there about your search, for instance, that's not going to go over well in the community, but, um, but it is pretty incredible. 
 

So, and by the way, I, um, I know we're sensitive time. I know we wanted to get into the CIO CISO convergence where we started. So, uh, I can steer us back there. We'd love to  
 

Sean Martin: go for it, Michael. You want me to steer it? I'll take it from here. You go ahead and steer it. It's your show. My turn. Yeah, so I, I think, I think we all had slightly different perspectives on the relationship between CIO and CISO and we talk about the groups being separate, I don't know, are there combined CIO, CSO communities that join forces?
 

I guess the big question, Betsy, is kind of, what's your view of that relationship? How does it, how have you seen it succeed, in examples that you've been part of? And, uh, yeah, I think those, those two things to [00:35:00] start.  
 

Betsy Bevilacqua: No, that's great. How have I seen it succeed? So I'll, I'll give you an example from, from my, my two previous roles, as you mentioned earlier, um, when I was at Butterfly, I owned both the IT, um, and the security functions.
 

Now, at the time, this was, uh, a small, you know, it was a small startup, so we didn't have this ginormous budget. But what I was, um, so I got the chance to bring in a director of IT. And what was very important for me is making sure that the person that I brought in actually understood security and understood.
 

So in my, in my search for, for that leader for that function, I over indexed because I knew at the time that I was at that company that the challenges that we had, um, were more of a security bent versus a, let's, you know, uh, if I'm putting on a CIO hat, um, your main [00:36:00] role is to make sure that, um, organizations can reach their goals with, through technology.
 

Um, and you enabling them. When I joined, uh, Butterfly, the, my main mandate or my main, um, uh, function was to ensure that we could scale out, um, um, the business, uh, geographically, but the main focus was not on what technology they were going to bring in to help enable because it was a startup. Um, and so they had, you know, your basic startup package.
 

And so I knew it was going to be a long time until we needed to invest heavier, uh, in the, um, CIO side of the house and, you know, and, and building out operations, um, and scaling those out. And so that's, in that situation, you know, the person that I brought in was, um, actually very, um, I think at the time the IAM we were using, they were, they were very familiar with it and they had deployed it somewhere else.
 

And so they knew all the pitfalls and it felt like a very natural fit. Um, and so I think for, depending on [00:37:00] the, the company and the size and where they are on their journey, it makes a difference of whether you want to have one leader or have two leaders. Now, if you're in a broader giant organization, you know, there's more than enough work for, uh, for, you know, for two leaders. 
 

And so I'll tell you what I did when I got to Chainalysis. Very similar, um, as when I started off at Butterfly where, um, I brought in, um, a director because at the time it was, okay, let's get our, we already have our starter pack of, of applications and everything is SaaS. There's no, no, no on prem. Um, but as I noticed the portfolio of, of, um, applications starting to get bigger, um, and some of the, um, business processes that we were building out, um, hire to retire, um, order to cash, procure to pay.
 

Now you're starting to get to the point where you need to have somebody who understands [00:38:00] how to build out and in what order and to sit with your sales leaders and sit with your HR leaders. And I quickly looked around and realized that in order for us to meet the goals that we had for Chainalysis that I needed to bring in, um, uh, a more strategic leader. I can do blocking and tackling, you know, all day, every day. You have me deploy Workday.
 

I will do it. I don't know if it's gonna work beyond the first six months that I set it up, but, um, you know, it will be done. But I, I knew in order for us to get that next level and our scale goals that we needed somebody strategic. And so I actually made the case and I hired, um, equivalent of a CIO, um, there, and actually Michael helped, uh, with that search. 
 

Um, and so, you know, brought a really incredible, uh, person who was able to, you know, have these conversations that, um, I couldn't have, uh, you know, because I just don't have that background. And so there is a specific skill set and, and, you know, very, very much [00:39:00] so on the CIO side is, from my observation, you know, helping to build out operational processes, you know, um, helping to sit down and talk to, um, business leaders to say, you know, what are our next 2 to 3 year plans and how can I help with, you know, how can I bring, what technology can I bring in to help us to meet those goals and then figure out what some of the pitfalls might be of, you know, making the wrong call.
 

So there is, I think, you know, these two roles, depending on where the company is or, or along the journey or the size, um, there's room for two strategic people, but they have to work together because there's a gray area. There's, I feel like every company or every time I'm talking to a CISO, there's like,
 

Security should own Okta, or whatever, insert IAM name here, um, or, you know, security really should own a subset of these operations because they're so critical to the mission, and the mission is to protect [00:40:00] the company. And so, I think it, it really depends, that, that is probably one of the most important relationships is the CIO and the CISO. 
 

The other important relationship is the CISO and the CTO. Um, and the same conversation we're having here about enterprise IT and enterprise security or, you know, most people refer to as corporate security. I think you can have the same, uh, discussion about, uh, application or product security and where do you draw the lines between what the CTO is responsible for and what the CISO is responsible for. 
 

And so I think that's one of the things that makes the CISO role so, um, complex is that it can look very different, um, in, in every company. And there is no, you bring me a CFO, you bring me a CMO, I kind of know what I'm getting into. If you bring me a CISO, it's like, well, are you a technical CISO? Are you a GRC CISO?
 

Are you, right? There's, are you an IT, so there's all of these flavors and, and that's fine. That's just where we [00:41:00] are as in an industry and, and what's worked. Um, I suspect, you know, 50 years from now when, when, uh, another Michael, Sean and Betsy are sitting to talk about this, things will be very different and maybe there'll be, you know, a track and there'll be, you know, this is what a CISO means.
 

This is what it means to have a CISO in your, uh, executive team. And, you know, here are the licenses that they need. And maybe we'll see some more standardization. I don't know. Um, but for now we're in this, you know, uh, stage where it's a very fluid, um, role depending on, uh, what industry or what company you're talking about. 
 

So  
 

Sean Martin: I've, I've had this dream and thought, and I, I think I may have found the guest that's actually lived the dream. We'll see, um, that security isn't just about the blocking and tackling and the filling the holes and, and mitigating the risk and, and [00:42:00] delivering data to audits to prove that they did things a certain way, but instead have an opportunity to define the business.
 

And I see that in either if they own it themselves or work hand in hand with the CIO and CTO, where we could say, what are we trying to accomplish as a business? And how do we securely get there versus somebody going off and buying a tech stack and customizing it with some app, app layer, and then security gets brought in to do the vuln assessments and, and uh, all the policies and stuff around it.
 

I, I have this vision and dream that, that that's the other as possible, that we can actually lead things. So Michael, uh, Betsy, both of you thoughts on that.
 

Michael Piacente: Well, I was going to make, make a point that, um, you know, uh, my experience, um, you have two different kinds of, or two different organizations that enable that level of behavior. 
 

It's one that either saw the foresight of [00:43:00] hiring and bringing on someone like Betsy, who can, who can again, look beyond and say, what's the business looking to do and have those conversations be highly collaborative. Um, and be proactive about it. That is definitely in the minority of the companies that do that, uh, because they have not enabled an environment where, uh, that individual came in, uh, what the majority of the environments are, um, is, is the, oh, no stage of we've now hit a wall and the business is unfolding to a place where we now have a very specific acute pain point to visit the emergency room.
 

And now I have to hire that kind of person and it becomes a forced function. Um, and that's, that's kind of where we are as you know, again, it's the maturity model of what does the CISO even do if more companies understood that there were CISOs that have this amazing skill set, you know, and a blended skill set like a Betsy, like others that are out there. 
 

Yeah. [00:44:00] Um, we would get to that point a lot faster. Um, and, and by the way, I'm not rushing everyone because this chaos and, uh, uh, everything is, is why we're even in business. So, but, uh, it's going to take a long time to fix it, right? We don't get called for the easy ones. We get called in the, this all happened with my business. 
 

And, and now I have to get this person in here that's like this magician in every single area. And then you realize, okay, that's really hard because the culture wasn't there to support it. So now we have to understand the cultures there to support it. Um, but it is wonderful to hear that there are companies that saw this in advance and say, Hey, we, we really need to bring in this level of this individual. 
 

Yeah. It might be an overhire this month, but guarantee next month, this value is going to pay for itself tenfold. So that's what we see.  
 

Betsy Bevilacqua: And actually that was a big reason why, um, I left, you know, Butterfly is a great company, great product. Yeah. But when I, um, had a chance to sit with, um, the CEO of [00:45:00] Chainalysis, Michael Gronager, and he described the challenges that, um, uh, he was facing in building the company.
 

Um, and he understood the role of security. Um, you know, he has a background as a, as an engineer. And so maybe it was a little bit easier in the sense that, um, he's just not a 100 percent business focus, but he all kind of a background. But that's, that was a key reason why, um, because what I didn't want to do was leave a role and then going to an environment where, you know, yeah, you've been brought in to build out this, uh, organization, but we, you know, there's, there's no budget to do the things that you want to do. 
 

So that was one of the things that I was very, um, you know, open about in the, in the interview process. And, you know, I see your vision. I understand your vision. I'm bought in. You don't have to sell me on the company. Um, but what I do need to hear from you is about how this will be [00:46:00] resourced and, you know, we have a growth path here. 
 

Um, you know, we're going to move. We're to, you know, bring these number of employees in. And I think it was easier having me having lived, you know, hyper growth. So I understand. You know, at some point it's like, uh, there's somebody who described this really well, an ex Facebooker, I forget their name, but it's, um, when you're in a startup, you know, all of a sudden you've got your Legos and you're building your Legos. 
 

And then all of a sudden, you know, you started bringing more people into the organization and you don't want to share your Legos. Um, and then things start to get, start to break down because now you have all these people, um, who have been, you know, brought into the company, but they cannot contribute because, you know, people are holding on tightly. 
 

I said, I'm not going to be that person. Um, I just want to make sure that there's, you know, enough Legos and, uh, and that we've planned for, for, for what the future of the company looks like. So, again, it's, you know, it's a confluence of events, but I think, you know, it's, it's, it's not a, it's [00:47:00] not a standard way of thinking because it can be very expensive as Michael said it, you know, earlier, not everyone has the budget to bring in a security executive.
 

Not everyone is ready to have a security executive in the conference room or in the boardroom because we're often the people, you know, as a counterweight, um, I always find it interesting, you know, when I talk to people who are in marketing or sales. Because we see the world very differently where they see opportunity, you know, I'm with the lawyers going, but this could happen and that could happen, you know, and so it can, if you get the wrong person in that room, it could also hamper or slow down growth. 
 

It's a very difficult. Sometimes it can be a difficult process. Um, when you're bringing in, um, a risk man, another risk manager, uh, yeah.  
 

Michael Piacente: Yeah, I feel like a buzz kill half the time. I'm talking to clients cause I'm like, well, what are we, what are we doing in here? Where's the, you know, where's the risk mitigation here?
 

They're like, oh yeah, we haven't gotten [00:48:00] that. Well, what about here? What about, they're like, why are you showing me all my vulnerabilities? I'm doing it nicely, but the candidate is going to come in. It's probably not going to be so, uh, you know, they're, they're going to be pretty blatant, you know, about what's going on here and probably won't join your organization if you don't even know where the vulnerabilities are and here's this, you know,

dummy recruiter out here doing it. You know, it's like, uh, no, it's great. Great. Great. I love the way you position that. That was, uh, it was really interesting.
 

Sean Martin: That's a super, super fun conversation. I don't want to let you go. I know I can talk another hour. But, uh, we, we are at the, uh, at the marking point here. 
 

I'm going to leave this one question for you and then Michael can, uh, do the, do the final closing with his thoughts. Um, if there's one thing you think we need to do, Betsy, to redefine cybersecurity for the next couple of years, what would that [00:49:00] be?
 

Betsy Bevilacqua: Oh, my goodness. Uh, if I knew, right, if I knew the answer that I would be probably fairly wealthy right now on a beach. 
 

Um, you know, when I think about where we are in terms of technology growth. And I think about everything that's happening now, and it's going to happen over the next 10 years. I'm talking about, you know, we started off with social, mobile, cloud, big data. Now we're talking about AI, you know, we're talking about EVs, we're talking about IoT, robotics, um, biotech, you know, we're seeing a lot of really interesting disruption. 
 

Um, I haven't even talked about AGI. But I also don't know what our, um, artificial general intelligence really is. I don't, I don't think anybody does at this point. But all of these things are happening and we're in a really, I think, interesting time. Um, you know, we'll look at, look back at this in history and maybe Michael will write a book about it.
 

Um, [00:50:00] but there's an opportunity for security folks to step up and help to lead some of these conversations because sometimes I think if you look at a problem hard enough, it can become a security problem. So when COVID hit we had to figure out how to get people to work securely from their homes. Um, and so if there's anything we could do, going back to your question, I think it's more of just trust our security leaders, um, and listen and give them an opportunity, you know, if there's somebody here who's listening and you know, you're a C-level, um, and you've got security folks in your org, you know, we tend to sometimes, maybe we can overthink the bad things that are going to happen.
 

But even within that space, you know, there's a grain of truth that we should, we should be confronting around all of these technologies that we're going to, that are going to change the way we live, the way our children live. And so a lot of security people I know are very passionate about what they do. 
 

Um, it's, it's a hard job, but it's a noble job because at the [00:51:00] end of the day, you, you have a real world impact. And so I just, you know, talked a lot there. I don't know if there's, there's, uh, there's anything more I can say there, but it's, it's more of just, you know, listen and resource these, these, uh, teams.
 

Michael Piacente: Yeah, I'll answer your question, Sean. I'll give you an answer of how to get 80 percent of the way there. And actually, Betsy just said it. You know, four things. Uh, one, remember that everyone has something going on, right? And it's probably bad or, you know, there's things that are bad in people's lives. Two, um, there's things that have happened and their experiences that shape the way that their decisions are being made, you know, biases and things, that's just human nature. 
 

It's what makes us human, right? Um, three, uh, just listen to everyone, right? I think we'll be a much better security community. And the community that works with the security, uh, leaders. If we just all listen to one another, um, and, and, you know, don't let our egos get in the way would be the last thing. Um, I think there's a [00:52:00] lot still out there. 
 

Um, there's a lot of people that think they know more than others and need to show it all the time. And it's just, you know, just connecting on a human level. I think it sounds kind of hokey, but that'll get us 80 percent of the way there. Cause the world's getting more complex. It's getting more serious. 
 

Um, we just have to all listen to one another. Like pandemic was a great example. We got so much, we progressed so much further in security because there was this desire to listen to the few people in the organization that knew what they were doing and there was a lot of progression and I feel like we've kind of slid backwards a little bit here, but, um, but it's there. 
 

I mean, the proof is there. So anyway, that's my, uh, philosophical words of the day. Um, I agree.
 

Betsy Bevilacqua: A hundred percent. Plus one, plus one, plus one.  
 

Michael Piacente: Yeah. This was, this was such a pleasure. I've been wanting to do this with Betsy and you yourself for a long time. So thanks for having us, Sean. This is great.  
 

Sean Martin: It's uh, both. 
 

Fantastic conversation. And hopefully people do number [00:53:00] three. Listen to this and, uh, and embrace each other. And yeah, I really enjoyed this. You're welcome back anytime. Uh, Betsy, of course, and Michael looking forward to the next one. We get scheduled as part of the CISO Circuit Series. And, uh, yeah, thanks everybody for listening, watching, please do comment, share, uh, subscribe, follow Betsy, follow Michael, and, uh, we'll see you on the next Redefining CyberSecurity podcast.
 

Betsy Bevilacqua: Thank you.  
 

Sean Martin: Be well.