CISO Tradecraft: 1% Leadership

Summary

🌟 In this episode of CISO Tradecraft, Andy Ellis talks about the concept of 1% leadership and how small, consistent improvements can lead to significant results in cybersecurity leadership.

Highlights

  • 🚀 Making small, incremental improvements every day can compound over time to create significant growth and success.
  • 🎯 Delegation is important for leaders, but it’s essential to focus on the outcome rather than dictating every step of the process.
  • 💡 Creating a culture of inclusion means reducing the energy cost that individuals have to pay to exist in a particular space, thereby making them feel welcome and valued.
  • 💼 Asking powerful questions to business leaders helps build rapport and identifies areas for improvement, such as addressing the stupidest risks and eliminating unnecessary security controls.
  • 🌱 Recognizing that your role as a leader is to stop hurting your team and to make incremental positive changes to create a supportive and effective work environment.

Transcript

(00:00) G Mark Hardy: Hello, and welcome to
another episode of CISO Tradecraft, the podcast that provides you with the
information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G Mark Hardy, and on
today’s show, we’re going to be talking about 1% leadership with Andy Ellis. Now, if you haven’t heard
about the concept of 1%
(00:27) improvement, here’s a quick idea. You don’t have to make huge
sweeping changes to improve. Now, imagine if you could get
1% better every day at something and do this for an entire year. Well, that’s 365 days. And you go, okay, fine. 1%. 1%. That’s going to be like 3.65%, right? No, because it compounds.
(00:52) And if you go ahead and open up
your calculator and you take 1.01 and you raise it to the 365th
power you’re going to get 37.78. That’s crazy when you
consider that compounding 1% makes huge, huge improvements. Now that’s not twice as
better or 10 times as better. That’s almost 38 times
better than the year before.
(01:15) Now, presumably you might take off
weekends and holidays and you’re not going to get that, but just the
whole concept tells you that making these little gains on a regular basis
are going to produce huge results. And that’s the lesson that we’re
going to learn from Andy from his new book on 1% Leadership.
(01:34) But before we get going, let’s
hear a quick word from our sponsor. Risk3Sixty is a cybersecurity technology
and consulting firm that works with high growth technology firms to help leaders
build, manage, and certify security, privacy, and compliance programs. They publish weekly thought leadership
webinars and downloadable resources
(01:51) like budget and assessment templates. Go to risk3sixty.com/resources
for more details. That’s risk3sixty.com/resources. Okay. Well, back here to our show. Andy, we’re excited to bring you on board. You’ve been in the cyber game for
quite some time, and you’ve even been inducted in the CSO Hall of Fame. Can you tell us a little bit
about your background and how
(02:15) you got into cybersecurity? Andy Ellis: Thanks G Mark. I’m really excited to be here today. So I got into cybersecurity
through the Air Force. In fact, it was a, a sort
of an entertaining day. I was at Luke Air Force
Base in the middle of summer. And for those of you who aren’t
familiar with Luke, it’s in Phoenix.
(02:32) And in the summer you have days that
the planes can’t fly because the tarmac is too soft for them to land. And I was there because I wanted
to be a weapon systems officer. I, you know, did not have the
eyesight to be a pilot, but I wanted to be a back seater. And I get this phone call in the, you
know, the hotel room I’m staying in, you
(02:49) know, visiting officers corridors because
as a cadet that’s where we got to stay. It was kind of cool and it was
this major at this base in South Carolina and it sounded oddly like
an interview, like totally uncalled. I’d had no idea what was going on
and the Air Force had just stood up. Its first information Warfare Squadron.
(03:10) They had a by name request allocation. They could basically pick anybody in
the Air Force and say, this person is working for us at their next assignment. And they said, we want every graduate
in computer science coming out of MIT. And unfortunately that was me. I was the only person accessing that year.
(03:28) And so I get my commission, I
go to South Carolina and I start doing information security. So that’s where I started, you know,
did that for, you know, a few years. Once I got out, I went to Akamai and I
was there for 21 years, built the security program, started by, you know, hardening
this massive deployed network, providing
(03:45) strategy and governance at some point,
pivoting and saying we could use these technologies for security solutions. And now Akamai just announced
recently that their largest line of business is the security business. G Mark Hardy: Well, it’s interesting. Yeah, I know the, the by name request,
I had one of those as well as an O, I
(04:04) guess I’d just made O-3, and it was
to Fort Meade, and I didn’t realize at the time just how special that was. But I got a call from Washington,
from my detailer and the Navy have detailers who run your career, is like,
Lieutenant, what are you trying to do? He says, well, I want
to go, you know, to NSA.
(04:22) Why would you do that? Well, I want to do computer security,
and here’s the quote for the ages. The Navy has no need
for computer security. You’re going to go back out to sea. And it’s like, I have been at sea for
five years I got a shore tour coming up and they made such a hassle about
it in Washington and they said, ah.
(04:34) So I went into the reserves and then they
decided I’d do a security career that way. And it’s kind of interesting because
I look at a guy who is a year behind me who also had five years at sea,
who also put in for the orders and, but he took them and he went there
and he retired a couple years ago. His name was Mike Rogers.
(04:53) so it’s one of those little
butterfly effects in life. You never know what opportunity
is way, way, way ahead of you when you make your decision. So, a lot of us aren’t thinking
30, 35 years ahead, and there’s really no way you could see that. And there’s nothing to say. Andy Ellis: I, I think you have to
just set yourself up wherever you are.
(05:08) Like what am I going to learn? Like, I’ve always been interested in like,
how do you take systems and make them better and different and find the edges? I used to work at Disneyland
many, many years ago, and I was there, I did costume inventory. And so we gave people their clothing and
this is the everybody in the park, so
(05:25) the ride attendants, the food service,
and we went from a paper-based inventory system to a mainframe and like I was
one who sat there and I was like, God, we’re typing in, like to get from the
first page to the second page, you have to hit like 17 of the exact same
keystrokes for every single person.
(05:42) And I’m like, and there’s four function
buttons that don’t do anything. I wonder if I could program a macro in. And so I literally did. And every time the machine rebooted,
I’d have to go and like put the macros back in and everybody loved it. And at some point I get called in
and the, you know, supervisor’s like,
(05:59) yo, this is really great efficiency. We wish you would’ve asked for permission. G Mark Hardy: Yeah. No good deed goes unpunished, does it? Yeah, now you’ve just come up with a, a
new book called 1% Leadership, and it’s got a lot of, you know, pieces of short
advice that cyber leaders can follow to get a little bit better at cyber.
(06:17) And one piece of advice that we
really like that you shared as we were talking earlier is how you shorten
the amount of time it takes to respond to vendors by using email signatures. Now, can you tell our listeners
a little bit about this concept, because I think it highlights just
how we can be 1% more efficient.
(06:32) Andy Ellis: Right. Well if, if you’re somebody who looks
like a buyer, could be a CISO, could be a CEO, could be an operating partner. I happen to have all of those titles on
LinkedIn, so I get a lot of vendor spam. And what happens is people will email
you and it’s, look, it’s the lowest paid job in sales is the person
who’s sending you email, right?
(06:51) It’s the business development rep. They’re just trying to break in and
they’ve got some script probably in Sales Loft, and they’re just hammering you with things that you’re
seeing a million of. And it had gotten to the point at
Akamai that I think I was getting like 50 a day and I just ignored them.
(07:07) And I would make fun of it, like
run into a CISO and I’m like, God, I have this guy who just keeps
replying to himself every single day. Like, I don’t know if you saw my message. And I’m thinking, well, either I’m
not seeing any of them, in which case, why are you saying that? Or I’ve seen all of them, in which
case, why are you saying that you’re
(07:24) trying to make me feel guilty? It’s clearly not going to work. And it was, it was actually Nick Selby. And Nick said to me, he said, well,
why don’t you just tell them no? And I’m sitting there and I’m like,
because I don’t want more email. And he’s like, try it,
see if they’ll honor a no. So I said, okay, but I
don’t just want to say no.
(07:41) That feels rude. So how can I be, do something
surprising and polite and friendly? That’s still a no. And so I wrote this template
and I said, you know, good day. I know you have a job to do. Namely, get a qualified first appointment. But I’m letting you know
I’m not a lead for you. And then here’s a Q&A of all of the
questions I think you’re about to have,
(07:57) and let me just answer them for you. And then I made it a signature file. So that I could just click
reply and change signature to what I called vendor rebuff. And in fact, if you Google
vendor Rebuff, but I misspelled rebuff, it’s with only one F. But if you Google that, you will
get the blog post that I put up,
(08:15) which has that template in it
back from when I was at Akamai. I use different templates now and
I’m still rewriting them cause I have different ones based on, you know,
people trying to get me to invest. And I said, look, I have
an investment thesis. You don’t fit my investment thesis. Have a nice day.
(08:32) G Mark Hardy: So your macros again, Andy Ellis: Yeah, it’s all about
macros, like how can I as quickly as possible, and it gets them to go away. First of all, it reduces my long-term cost
because I reply and most of them go away. Sometimes I get a thank you, like
I get BDRs that are like, thank you.
(08:46) This is the nicest email I’ve
ever received, and I’m thinking it was a template, like I sent
you a form message and it’s the nicest thing you’ve ever gotten. We have a problem as an industry. G Mark Hardy: Exactly. By the way, don’t feel
bad about spelling it. The referer field is also
spelled wrong if you go back and
(09:03) Andy Ellis: that’s true. G Mark Hardy: and so it’s
a, it’s a, it’s a tradition Andy Ellis: I know. I feel like I should correct it,
except there’s enough people who have linked to it that I’m terrified to
correct the spelling at this point. G Mark Hardy: Well, yeah, you
just create two links, so you
(09:16) just come to the same places. So you landed here and you can’t spell. Boy, I can. So here he goes. But so anyway, we were talking about
little life hacks and then the idea here is you get more efficient. And they don’t have to be massive,
huge projects as you had indicated. Just something that allows you with a
point and a click to deal with a problem,
(09:33) which then starts to go away by itself. And these are some great concepts and
love to talk some more ideas about them. One of the concepts you have in
your book is about don’t be irreplaceable, be unclonable. What are we saying here? Andy Ellis: So we see this thing in a
lot of organizations that you have a
(09:50) person that does some set of work that
nobody else can do any of that work. And so they’re irreplaceable and
like you get terrified when they say, I just got engaged to be married. We literally had somebody like this,
like this was the person that when we had a problem that you wanted to solve
with a weird integration of technology
(10:09) and process would build great systems. But he was then the person
who would have to manage them. And he comes in one day and
he’s like, I just got engaged. We’re getting married next year. And like the first thing his entire
management chain thinks is, oh no, like he’s going to disappear for a month.
(10:29) What happens? Right. And so the, the idea here is to say
there’s no individual task that only one person should be able to do. The unclonability is you should
have people that have a set of skills that nobody else has that
exact same set of skills, right? So that if, if two people leave, you don’t
want to lose like 18 capabilities at once.
(10:48) You want to lose like the one or
two things that they overlapped on, G Mark Hardy: And it’s the overlap. That’s key. And we, we go back to training,
you know, like we’re talking about military and the SEAL teams, and they
go out there and do an operation. There’s cross training going on because
there’s no guarantee that everybody’s
(11:04) going to be able to complete the mission Andy Ellis: Right? And you don’t say, oh, if this
person goes down, everything they were doing falls on one person. No, it gets split across the whole
team, and that’s basically your idea. And now once you really embrace
this idea, what you’ll realize is this then applies to hiring.
(11:22) When somebody leaves, you
don’t try to replace them. Because you can’t instead find
somebody who brings a set of skills and ability to learn, that will
complement your existing team the best. And they might be shaped like
the person who just left, or they might be completely different. You might lose an engineer and
replace them with a tech writer
(11:41) because that’s going to be the value
multiplier your organization needs. G Mark Hardy: Right. And a lot of times, you know, for
people who are new to the industry, they’re thinking, well, I got
to have all these buzzwords and things like that in my background. Really effectively, you’re hiring for
attitude, not necessarily for knowledge.
(11:56) Somebody who loves to learn, who’s got
to lean forward, who’ll make stuff happen. They’ll go figure it out. As compared to somebody who says, well,
I went to school for it and I passed, but the books are just gathering dust and
they don’t want to punch the pubs anymore. And which kind of brings up the idea of
the importance of personal improvement
(12:14) because the idea that personal
improvement is a prerequisite to leading professionally, doesn’t just pertain
to operating at a technical level. It pertains also at the leadership level. So how did your idea
about that come about? Andy Ellis: So it really has
sort of two different axes. So one is about authentic leadership and
one is about demonstrating the value of
(12:35) personal improvement in its own right. Which is, if you as a leader have
stopped growing even in your skills, then the people around
you will look and say, oh, this person doesn’t value development. So when I try to go do development,
they’re going to sabotage me. Like, even if you never say it,
your actions do in fact, you
(12:56) know, convince people around. It’s like, oh, this person’s
totally happy with their job. But the, the more important thing
here is as a leader, you’re going to give a lot of advice to people. So, And if they look at you and say,
wow, I have never seen you take this advice or any piece of advice, right?
(13:14) So if you say like, wellness is
important, everybody should take time off from work, and you never
take a day off of work, right? You have just signaled to them that no,
you can, if you take days off of work, I’m totally going to punish you for it. In the long run, you’re not going
to get the promotion, you’re not
(13:32) going to get the opportunities. So every piece of advice you give to
people, you should at least practice that. Some of them won’t necessarily fit. It doesn’t mean that you have to
do everything, but it means you’ve got to try and you’ve got to figure
out how you are going to develop. And I think I landed on this one.
(13:49) A colonel told me, actually a
general told me this story from when he was a colonel. And I don’t know what it was
like in, in the Navy, but in the Air Force apparently, as I was
told, is that when you get promoted to general, you’re actually personally told by another general,
there’s a general who will fly around,
(14:04) who comes into your office that knows
you and says, Hey, by the way, you’ve just been selected to be a general. And then you’re going to actually,
like when you become a general, you fly around and meet every
other general in the Air Force. So they all know each
other first name basis. And he’s sitting in his
(14:20) G Mark Hardy: Here, what they
call an all flag officers’ conference, and they announced
their promotions just before that. So you’re told go to
Annapolis on this weekend. Quick side story. So buddy of mine, he got, he picked up
his star, they call, he gets a call from the Chief of Navy Reserve. Hey, congratulations,
you are now an admiral.
(14:35) Be here this weekend. And he’s like, but I’m a, a Boy Scout
troop leader, and my Boy Scouts are on a camp out that
weekend, and I’m the only adult. I can’t make the all
flag officers conference. I’ve got a commitment to the Boy Scouts. And, and you’d think he, I
remember he’d tell me, he said, I thought my career was over.
(14:52) Right? Then he went on, got promoted. He actually took over the Abu Ghraib prison
after the Army had had the issues there. And my friend retired as the number two in the Navy Reserve, because he
basically said, Hey, I know I need to be here, but I have a preexisting commitment. And it was quite a valid one.
(15:08) It wasn’t a barbecue, it was, you’re Andy Ellis: Right. No, I, I, I, and I love that he made space
for that, and that’s an important thing. And, and in this story, the
generals telling the story and he says, look, he was working late. His buddy comes in, who’d, who’d made
general like the year before shows up,
(15:20) like walks into his, you know, squadron
and you know, he’s like 8:00 PM and he’s the only one in the building. General sits down and the first
thing the general says, he says, where’s the rest of the squadron? And the colonel’s like,
well, I made sure they go, I make sure they
go home at five o’clock.
(15:38) He’s like, so you’ve been working
for three hours after they left? He’s like, yeah. He says, you have like 200
people that work for you. If they had each worked for
one minute longer, you could have gone home with them. And instead, all of them are stressed that
they left the building before you did.
(15:52) G Mark Hardy: A little 1% on each. Andy Ellis: Right, 1%. And as a leader, like everything
you do is through your organization. The way that you change the world directly
is much less effective than how you change the world through other people. So, G Mark Hardy: And then I think that is sort
of the essence of leadership, and when
(16:10) I used to do leadership training
in the Navy in my prior role at the Center for Naval Leadership. We would go through and we would
ask different characteristics. What do you believe a leader is? And we get the, the white butcher
paper and we’d be writing on with a Sharpie, and a lot of things would come
out of there, but one that consistently
(16:27) came out time and time again was vision. And the difference really as a
leader is you’re trying to create a motivation for your people. And one of the dangers are, is that
some people, when they transition from a management role to a leadership role,
still want to hold onto that attention to detail and make sure all the i’s
are dotted and the T’s are crossed.
(16:49) And they’ve got to look excellent on
paper for their opportunity going forward. And because they own all of that,
they don’t develop their lieutenants. Andy Ellis: right. G Mark Hardy: They become the people
who say, well, I got to look great. And I, and I saw that with, with
new commanding officers in the Navy
(17:06) Reserves where this promotion, the
selection rate for command as a Navy commander in the reserves was about 6%. You’re better, you’re easier
to get your kid into Harvard than you are to get a command. So if you get one of these coveted
commands, what do you want to do? You don’t want to screw it up.
(17:23) And so what I had seen is these new
COs basically turning into, Hey, you know, don’t turn that report in. I’m going to take care of it. And they, they try to do everything. He says, no, your job is
to develop your people. And you know, I had had the privilege
of nine command tours and you get to the point where I know what
it’ll break and what won’t break.
(17:38) So here, take this and if it, if you
drop it and break it, what did you learn? Well, let’s go fix it. And the next time, by the
third time they’ve got it. And then it builds up the
ability to get things done. And so your comment about, Hey,
what are you telling your people and what are you doing is excellent.
(17:57) Because it’s almost the idea of that
feedback should be not a one-way mirror. It should be a window. It ought to work both ways because
sometimes we find out that our direct reports can give us ideas that we never
thought of that help even ourselves. Have you seen that work
well in the workplace? Andy Ellis: Oh, absolutely.
(18:15) So it’s, it’s really important to
recognize that whether you’re giving or receiving feedback, that it’s impossible
to eliminate the bias of self-reflection. That I look at something you do
and the feedback that I give you is almost always going to be colored
by me thinking why would I have done the thing that G Mark just did?
(18:34) G Mark Hardy: Mm-hmm. Andy Ellis: And you might hear
that feedback and be like, that makes no sense to me. Like I recall at one point I had
somebody who was a, a peer in an organization who literally attempted
to take half of my organization from me just through bureaucracy. Like literally went to HR, said, here’s
all the people that are moving into my
(18:50) team, had never talked to me about it. And the way I find out is my
finance partner calls me and asks if the budget was moving with them. And I’m like, what are you talking about? And they’re like, oh, like
these seven people are moving over to this organization. I’m like, no, they’re not. And we had one of these
like peer feedback sessions.
(19:10) You like a leadership offsite with a
group of people and they pair people up and say, give each other feedback. And this person says to me,
you’re an empire builder. And I’m literally sitting here listening
to it and I’m like, that is feedback you should be giving yourself. So it clicked for me in that moment that
he wasn’t talking to me, he was talking
(19:27) to himself as if he also had my job. And of course, he had tried to
empire build by taking my team. And how he would’ve responded to
that was by sabotaging it and making sure there was no possible way that
this work would ever move over. And so he saw what I did as being
consistent with how he might act
(19:46) and gave me feedback about it. Whereas I’m sitting here and
I’m like, That had nothing to do with what I was doing. Didn’t you see like I handed over seven
people to a different organization the same year and got rid of a whole
function that’s like not empire building. When you’re giving feedback,
pay attention to that.
(20:03) And when you’re getting
feedback, listen for that. That when somebody tells you
you’re doing something wrong, they’re probably wrong about why. They might say, you were
a jerk and you did X. Well, ignore that. You were a jerk part and just
listen to the, you did X, and recognize that X was a problem.
(20:21) G Mark Hardy: You know, it’s interesting. I, I carry in my wallet a little
thing that I got out of, yeah, in addition to some one-time emergency codes. But a little thing that I got in
a fortune cookie a few years ago said, advice comes in all forms. Some help you and some hurt you. And in a way you have to consider that
even if the advice is offered, it may be
(20:41) well-intentioned but incorrect for you. Or it could be ill-intentioned,
somebody’s way of trying to sabotage you by trying to convince you to say, yeah,
just go ahead and jump off that cliff. It’ll, it’ll be fine. And, and things like that
and, and something that was, I kind of found entertaining.
(21:01) In your book, you talk about whether
you jump out of a plane or get pushed out, you still need a parachute. Can you tell me a little
bit more about that concept? Andy Ellis: Yeah, so this is all
about just being prepared for sudden changes in your environment. How many people have a
plan to get laid off?
(21:13) Almost no one, but let’s just be honest. If you’re working for an
employer right now, at some point that relationship will end. You might retire, you might die. Like those are the, the outcomes you
don’t really have to plan as much for. But odds are, you know, especially
economic turbulence, you’re going
(21:30) to get the call that says, you
know, Hey, we have to part ways. Do you have a plan for that day so
that when that happens, nobody on the outside understands whether you
got laid off or you voluntarily left. Because you had a plan and
so you execute on your plan. It’s, oh, hey look, I got laid off. I’ve got opportunities lined up.
(21:51) I already had a resume ready to
go, you know, whatever it was I had prepared for my next opportunity. Or even just inside your company, like,
have you prepared for incidents to happen? So when the incident happens, like
you’ve already got like pieces of a plan, you quickly put it together and
everybody’s like, how did you know
(22:08) this incident was going to happen? And you’re like, I didn’t know the
incident was going to happen, but I was prepared for an incident. And I’ll give an example for COVID 19. Like this is starting to happen. We get the outbreak in Boston at the
Biogen conference, and I immediately sent my team home and I tell them all to
stop at the supermarket on the way home.
(22:30) You know, pick up food, toiletries, you
know, whatever they’re going to need. Assume you’re going to be home
in your house for three weeks. And this is before we, people have
even said two weeks to stop the spread G Mark Hardy: Right. Andy Ellis: Right. And so a lot of people are like, wow,
Andy, like, how did you know this?
(22:44) And I’m like, because we simulated
this for the avian flu when that was running around and we built a zombie
apocalypse plan for slow moving zombies. And like we did all these little pieces
to, to say, what if, what if this happens? What does my parachute look like? So that when I find myself in
that situation, I’m not trying to
(23:04) build a parachute from scratch. G Mark Hardy: And that’s why, and I
think we do that in the business world sometimes with tabletop exercises,
with some of our strategic planning where we just go through the thing. What if, what that if
then else, if then else. We had the same thing here is that
in, I guess it was the second week of
February, I just finished updating the disaster response
plan for the organization. And I remember the COO had said,
Hey, can you come up with a pandemic response plan just in case? And it was really just a global search
and replace of disaster with pandemic. And we ended up invoking it the
following week and we operated
(23:40) for over 65 weeks remotely. It worked because it was already there. We weren’t panicking, we
weren’t scrambling trying to get space up in the cloud or, or
figuring out how to do access. And you’re right, it’s a bit of an
insurance and I always thought about life insurance as something you don’t want
to collect on because think about it.
(23:59) The agent is betting you’re going to live. That’s how he makes his commission. And you’re going to give
money to bet he’s wrong. But in this case, we’re looking
for something that allows us to accept and then move
forward on negative events. Not because we’re worried about
how they caused or they didn’t
(24:16) occur on our schedule, but
our responses on our schedule. And we control that. And we, if you control and own what you
have, you don’t worry about other things. Andy Ellis: and more importantly,
you don’t waste energy. My God, I’m outside an airplane. How could this happen? Like you can complain all you want.
(24:33) You’ve got 30,000 feet until you’re dead. G Mark Hardy: Yeah. And then you hit the automatic stop,
as we called it at jump school, Andy Ellis: Yep. G Mark Hardy: Let’s hear a
quick word from our sponsor. Are you ready to answer the question? Are we protected? Introducing Prelude Detect. Prelude Detect is a production scale, continuous
testing platform that gives organizations
(24:50) assurance that they’re protected
against the latest threats, they’ve correctly prioritized their critical
vulnerabilities, and their defensive controls work exactly as expected. And if not, Prelude’s integrations with
defensive controls such as CrowdStrike, create an auto hardening defense. Get started for free or request a
demo at www.preludesecurity.com.
(25:11) That’s preludesecurity.com. Well, back here to our show. But that’s kind of related to
the concept you talked about, the museum of past grievances, and
you don’t want to spend any time visiting that because in our culture
we have people who like to complain and say, well, I’ve got it bad.
(25:34) Well I have it worse. Well, how bad. How do we change that mentality? Which really is sort of
a destructive approach. Andy Ellis: Yep. So I think it starts almost at
the personal level, like you have grievances against people in your life. You know, maybe you have the
relative who gives you gifts that
(25:48) you don’t appreciate, but you don’t
feel like you can dispose of them. Why not dispose of them? Because every time you see, like you have
a stack of books, you’re never going to read because you have somebody who thinks
this is the type of book you’ll read. Like they keep sending you these
leadership books and you’re like,
(26:02) I’m never going to read them. Fine, pass them, give
them to somebody else. But every time you walk past something
that reminds you of an unpleasant interaction you had, you’re wasting
your energy because you think about the interaction, it creates negativity. So get rid of it. Like it’s, it’s not saying that
you have to forgive the person and
(26:22) eliminate the grievance, but don’t
curate this museum of reasons to burn and waste your energy on people who
don’t matter that much to you anymore. Or situations that don’t. Like if you leave an employer and you
have a ton of branded gear and you’re like, oh, I’m not going to wear this,
then take it out of your closet.
(26:40) Like, don’t just keep, you know,
sorting your clothing around this logo. If you’re uninterested in
wearing the logo, dispose of it. G Mark Hardy: And there’s probably
people who could use it at a local, you know, collection, homeless
shelter, or a Goodwill or something Andy Ellis: or, or colleagues
who are still there.
(26:56) You can be like, Hey, I’ve
got a bunch of clothes. Anybody want them? Maybe they’ll be, maybe you went to all
the conferences, so you have all the schwag and you have people who never
got a piece of schwag, so pass it out. G Mark Hardy: That’s a very good idea. Now, another thought we have is that
CISOs, well, we, we can’t know everything.
(27:10) We have to trust our people and we trust
that they’re going to give us good advice. And, and you talk about this when you
say we need to create safety to let people warn us, if you will, of danger. What are some good ways that we can
create opportunities for sharing information between, let’s say,
developers and cyber professionals?
(27:29) So we get on the right page. Andy Ellis: So I think we have to get out
of the binary mentality of either this is perfect or it is completely dangerous. And oftentimes what happens is we
get into these conversations and you say, well, this is a risk. And someone says, well,
is that a showstopper? And like, you need to step back
from that conversation because
(27:50) nothing is really a showstopper. Okay? There’s a few things that are, but in
general, most of what we’re doing are not going to come completely stop something. But it’s a trap question. What you want to do is create a
safe place for people to have a conversation about what the risks are. To create risk awareness and to let people
then come up with small modifications.
(28:08) It’s like, oh, we’re
rolling this system out. It has this thing that’s unsafe. Well, maybe if we tweaked this
one thing or turned off this feature, then we’d be fine and we
could do more mitigation later. It’s not about, you know, stop
it versus let it go and let it stay out there forever. So that’s the danger is that if
you are the Chicken Little whose
(28:29) job is to show up and say, oh my
God, you can’t do this because x. Like nobody’s ever actually
going to listen to you. And so the dangers that you get into
are ones that are fully predictable because you had somebody who was
pointing out the dangers, but you made them say that dangers were
either catastrophic or unimportant.
(28:49) And so you never actually fixed the
things that mattered, but were not catastrophic until they happened. G Mark Hardy: Yeah, so one of the
concepts you talk about is practicing the future, if you will, to if you can
face adversity with a little bit more grace, and that’s, let’s just anticipate
someone’s going to do something.
(29:07) Bad. They click on a phishing at email. It gets past them. They got past their technical
filters, and somebody goes ahead and launches something. Anyway, so what’s this concept of
practicing the future to face adversity? How does that work? Andy Ellis: So you take that
unpleasant situation and you say,
(29:22) well, what are we going to do? What am I going to do? You know, whether it’s I’m, I’m
the one who clicked the link. Okay, well, what do I do next? Oh my God. Like the first time you go
through this, you’re terrified. Your heart starts racing. I’m going to get fired, whatever. Walk yourself through, well,
what does it really look like?
(29:38) And then keep doing this until, first
of all, it, there’s no emotion involved. You’re just running a script. You’ve practiced this, and at the end
of the day, the only thing you can control is yourself and your own affect. And you basically want to
say, I’m proud of how I acted. So it’s like, okay, you click the link.
(29:59) Well, what I’m supposed to do is
send mail to phishing or whomever that says, Hey, I clicked the link. We got to go solve this problem now. And if it turns out they’re going to
fire me, fine, they’re going to fire me. But if I don’t tell them they’re still
going to fire me, except now they’re G Mark Hardy: damage is a lot worse.
(30:16) Andy Ellis: Right? They’re firing me. Not for clicking the link,
but for not telling them. And I’m not proud of that. I’d be pr like, look, if you want to
fire me because I clicked a phishing link, I have no problem with that. Like that is not on me. That’s on you. If you fire me because I
lied about it, that’s on me.
(30:30) And I didn’t act with grace in the moment. G Mark Hardy: I think one of the things
I’ve tried to do in environments is to create an environment of no fear. Where I get someone who will
contact me, Hey, G Mark, I think I just clicked on something. Okay, great. Let’s go. Let’s go look at it and let’s go fix it.
(30:45) And someone can say, Hey, I screwed up. You know what? There’s no little secret file in HR. There’s nobody keeping tabs. And when they know that, when they know
that you’re there to help out, then you’re able to stop a lot of these potential
lateral movements in their tracks. They might, attacker might get a
foothold, but then that’s it, and
(31:05) it doesn’t go any further because
you’re able to respond right away. And I think that culture
becomes very, very important. And I’ve had people who came through my
classes where the guy said, you know, we got a VP, they had some phishing. He said that if anybody gets caught
clicking on one of our test phishing
(31:20) emails, we’re going to fire them. They brought in one of the things
like, no, you do not want to create a culture of fear because what’s going
to happen is, alright, great, I’m not going to open any email today until
I get a phone call from the boss saying, Hey, where’s this project? And then you create a passive
aggressive environment.
(31:38) And, and we don’t want that. We want to be able to have people
feel that they’re empowered to get the job done, but security is there
to protect them, not to restrict them. Andy Ellis: And and the reality is
the fact that phishing is a problem is because we have not done our job
at securing our email infrastructure
(31:53) and our client infrastructure. It has, has nothing to do with the human. The problem is everything around the
human, and the human is stuck as the last line of defense where there’s basically
no effective defenses in front of them. G Mark Hardy: Andy, another
thing that a lot of new leaders struggle with is delegation.
(32:13) And you make the comment that
delegated work won’t happen the way you would do it, but it will get done. So any good stories for good or bad about
how that’s played out and what you’ve seen Andy Ellis: So I think this happens a lot. The first time you delegate
something, what comes back is awful. You’re like, how did this
person possibly think?
(32:31) This was what I asked for. And what you probably have to
start to learn is that you didn’t actually ask for what you wanted. You asked for some amount
of energy to get spent. So you were, you delegated
effort, not output. And that’s the, the real secret to
success and delegation is you say, here is the outcome that I want.
(32:50) And then if you need me to tell
you some of the ways of how to do it, I can mentor you on that. But most people, when they do it
badly, they start telling how. And everything they don’t
perfectly specify becomes an error. And the reality is,
it’s like what matters? Get what matters done. And if 80% of it is done differently,
you don’t care because it got done.
(33:09) G Mark Hardy: Mm-hmm. Andy Ellis: And so think about like
for me as I, I delegated so much like we had to raise architects. We hired in interns and we developed
them into architects over four years and I got a lot of credit
for building an amazing program to mentor and develop these architects. I had nothing to do with it other than
saying I want the program to exist.
(33:32) And what is important to me
is that we will take people. For their first job in the company
and often their first job right out of college or through an insertion program. And after some number of years, they’re
credible system architects and my team went and built an amazing program for me, G Mark Hardy: Yeah, and I, I think
it was Patton who said, don’t
(33:54) tell people how to do something. Tell them what needs to be done, and
they’ll surprise you with their ingenuity. And I, I think that’s the thing on, on
delegation is also there’s a difference between delegating and dumping. And, you know, people new in a
management role may do the dumping. They, they have this unpleasant task,
oh, we’ve got to fill this thing out.
(34:12) It’s due by five o’clock Friday night. I don’t want to do it. Alright Andy, get this thing done. Go finish it up and, and have it on
my desk by five, with no sense of, here are the tools you need. Let me empower you to be successful. Let me act as a feedback loop to
give you, Hey, take some initiative.
(34:28) But if you get stuck or you’re not so
sure, ask me and then we’ll work this out. But what I’m asking you to do is take
ownership of it and then produce a result. And it might need some, probably,
we’ll definitely need a little bit of editing at the back end. But the point is you’re developing
your people, they’re learning,
(34:45) and the delegation process and
what I alluded to that earlier. On the new commanding officers
who were afraid to delegate because they were afraid to have
anything less than perfect output. And, and they were thinking, that’s the
way they’re going to get a command again. And I’m thinking, this is how you’re not
going to get a command again, because
(35:03) Andy Ellis: What gets you a command
is taking advantage of your people. G Mark Hardy: Yeah. And, and I, and which I’m seeing is that,
you know, allow some people to fail. Think about how we walk. You didn’t say, okay, you can’t start
walking until you get it perfectly. You can’t fly that aircraft
until you’re already ready to go.
(35:21) As a student pilot, I’m sure I did a lot
of dumb things when I was learning, but once I figured out what I’m doing, but
if I had to start out that way, there’s no way any of us would’ve started. So, it’s a matter of letting
go of your insecurities as a leader about the outcome. And you don’t want to delegate
something that is going to
(35:39) necessarily result in the success of
failure of the whole organization. Some things you have to own, Andy Ellis: Right, and you have
to sometimes own that output. Like imagine you have to
put together a board report. You might delegate parts of it or
even the whole thing to your staff, but you don’t show up in front of the
board not having looked at the report.
(35:57) G Mark Hardy: Exactly. You, you, it’s, it’s the
worst thing to have when, and I’ve, I’ve had people do that. I said, well, what do you mean about this? Let me take a look. Wait. It’s okay that you didn’t write it,
but if you didn’t review it before you Andy Ellis: You didn’t review it, you
didn’t pick it apart and understand what
(36:12) questions were going to come your way. That’s a problem. G Mark Hardy: Exactly. Let me jump over to a different area,
which has been, I think, in a lot of people’s agenda these days, and that’s
about diversity, equity, and inclusion. And it’s a challenge for some of
us in leaders in that we’re trying
(36:28) to go ahead and make sure that we
do this effectively and correctly. But you had suggested in your
book that inclusion is really about reducing the energy cost. That somebody has to pay just
to exist in some space, and that’s kind of a novel concept. Any tips that you can offer
to our listeners and to help
(36:45) them out in that regard? Andy Ellis: Absolutely. And for me, inclusion is the, the
start and the stop of DEI programs is usually when we talk about diversity
and equity, we’re talking about ways to measure the lack of inclusion, right? If you have an organization with no
women, your problem is not diversity.
(37:02) Your problem is almost certainly
that you were excluding women in one fashion or another. And that might just be, you refuse
to hire them, you’re blatantly sexist, fine let’s go solve that. But once women come into your space,
you know, are you making them pay costs that they’re not willing to pay? You know, so think about what
are your work hours, right?
(37:23) If you have working moms, you
know, because moms often bear the burden of dealing with the kids. You know, if you’re lucky, your dads
are doing it too, but they’re going to have constraints on their day. Somebody has to get the kids
to school and pick them up. And so if you say, well, you have to be
here at 7:30 for a meeting and you
(37:40) have to stay until 5:00 PM for meetings,
then you have just told parents that they’re not welcome in this space and
they’re going to pay this energy cost whenever you send a meeting invite. Oh, can I afford to say no? Can I afford to decline it? And so every time somebody has to
sort of challenge themselves to say,
(37:59) can I afford to pick this fight? I’ll look. I’ll give an example. I was just invited to keynote at
a conference next year, right? And you should hear that and
be like, oh, that’s amazing. The conference is scheduled over one of
the hadin, one of the Jewish holidays. That’s a, like, you don’t work on
this day and you show, you go to shul
(38:18) and you daven and like, this is when
the conference is scheduled for now. This is such a norm in the conference
industry that if I get invited before I check to see if I’m available,
I go check the Jewish calendar. Because apparently the conference
organizers don’t bother to like, that’s an energy cost.
(38:37) I pay to exist in the conference space. Now I’m willing to pay it, but when
I have a conference that does it, it tells me that’s a space I have
to be a little more careful about. Or I have dietary restrictions and you
know, there are some conferences that I send them my dietary restrictions
and I get back this sort of very
(38:53) lovely note about what they’re
going to do to make sure I can eat. And I’m like, yes, you get it. I don’t have to worry
about eating for two days. And others I’ll get like this
weird answer like, well, you know, great, you know, we’ll have,
we’ll have some vegetarian meals. I’m like, my thing said no dairy.
(39:10) So when you say vegetarian, I now
know that I have to be prepared to eat, not in the conference venue,
because you might not have food for me. Well, that’s energy that I am
spending to be at your conference. That produces zero value
for the conference. And so whenever somebody spends
energy to be in your workplace,
(39:28) that doesn’t produce value. That’s a waste. That’s bad leadership. So how do you make it that somebody feels
welcome no matter what they’re doing? And sometimes that does mean you have
to put your thumb on a scale and say, look, we need to do representation and
make sure that our interview panels contain diverse voices so that people
look and say, oh, when I show up to to
(39:48) work, it’s not all going to be white men. But then you’d better make sure that
that energy cost, that you know the first woman you hire is going to
pay by having to do every interview. That you’ve put that in her job
description, that when you record her performance, she’s going to have less
output than the men around her, simply
(40:08) because you took 25% of her time to do
hiring and everybody else only spent 5%. G Mark Hardy: And that
works in organizations too. I remember in the Navy I sat on
a number of promotion boards and selection boards at 12 of them actually. And what would happen is some
records we’d be annotated when officers are up for promotion.
(40:29) As a minority, and it wasn’t to flag the
fact that this person was black or brown or white or whatever it was to point out. One important thing is that early on
in their careers, the Navy, to try to go ahead and get a more representative
culture would say, Hey, you’re a black officer, and instead of going on to
this career enhancing duty, we’re
(40:48) going to put you in recruiting duty. Because we want kids to see somebody who
looks like them in a position of success. And so what The whole notation there
wasn’t to say, Hey, wow, if you happen to be a bigot or whatever,
this is your chance to use it because hopefully that all got screened out. But it was designed to say, when
you try to weigh two careers and
(41:09) you say, well, this person’s a
little bit light on this experience. Oh, that’s why they were in recruiting Andy Ellis: right. It wasn’t that they chose to do it,
it’s because we chose them to do it. G Mark Hardy: You give them full
credit as if they were out there on a career enhancing war fighting tour.
(41:24) And so by doing that, it was a
careful means of ensuring that we’re going to disrupt things a little
bit as we go, but we’re going to try to make it right in the long run. Andy Ellis: And I think the challenge
is, is that most people either just try to disrupt things a little bit,
or they try to make it right, but
(41:39) they, they don’t know how to do it. So they say things like, well, we’re
going to have a career enhancing opportunity that is only available to, you know, our black members. And now people look at that and they say,
well, that that’s probably not right. And there’s some good evidence
that these aren’t actually as
(41:55) helpful as you think they are. But if you tie the two together to
say, we know we incurred a cost and we’re going to pay that energy back
for you, that works wonderfully. G Mark Hardy: And, and, and so
yeah, there’s some wisdom and I, I was rather impressed when I saw
how that actually all worked out.
(42:09) Now you have a concept also in
your book you mentioned about don’t borrow evil where it wasn’t intended. What do you mean by that? Andy Ellis: So it’s funny actually
just, you know, talked about this in a newsletter I put out, I said, there’s
no, no such thing as a microaggression. Either it’s an aggression or
it’s micro, but there there’s,
(42:26) there’s not this combination. All too often when somebody
does something that hurts us in some way, we assume ill intent. And I’m not saying you have to assume
good intent, I’m just saying the moment that you assume ill intent
that you say that they’re a villain. You have become a bigger
part of the problem.
(42:47) You have escalated it. Now, it might be that they’re a
villain, but if you assumed it, you borrowed this evil, then you’re
creating an escalatory problem. Like, let’s take the example of,
you know, this, this conference that’s scheduled over a holiday. I could have said, oh my God,
this is a microaggression.
(43:04) And they’re going to say,
aggression implies intent. I didn’t try to do this. I wasn’t intentionally being anti-Semitic. And they’re right. They weren’t. And so when you borrow evil, you,
you create the story in which the other person’s a villain. And when somebody is a villain, it
justifies you doing evil things to them.
(43:20) Well, now you have become the villain. And this is hard. Like it’s really easy to be
like, look, there’s, there’s a million people out there who are
doing things that are negative. Why do I have to be the one to
take the, to have that serene moment and not escalate when
clearly they’re blindly escalating?
(43:35) And the answer is if you want to be a
great leader, that’s part of the price you pay, which is you have to swallow that
emotion and say, look, it is possible this didn’t have ill intent. Like I’m not going to say it’s possible. It was from good intent
possible, didn’t have ill intent. You were just ignorant.
(43:55) You don’t understand how to do this. And so I can decide, I can just
move on and say, fine, whatever. I’m not going to do this. Or I can say something. But when I say something, if I’m
trying to affect change, if I tell you you’re a jerk and I need you to
change, you’re unlikely to change. G Mark Hardy: Yeah and some good insights.
(44:14) And as we’re getting close to the end
of the show here, there’s a couple things that I wanted to make sure
that we mentioned, and one was the idea of creating powerful questions to
build a rapport with business leaders. And three of the questions you had
that I, I liked, and you had said that when you meet with executive peers, we
should ask them these three questions.
(44:30) Number one, what is the stupidest
risk that we’re not taking care of, that no one has dealt with? Number two, what is the dumbest
security control that gets in your way? And then number three, what is something
that you wish we did better in security? Can you tell us how we can
use these type of questions to
(44:51) solve things better as a CISO? Andy Ellis: So in two ways. One is if you walk into a new environment,
like rather than trying to from whole cloth, figure out what the problems
are, ask the people around you. And here’s the secret. There’s no such thing as
a security professional. Like we like to pretend that we are like
cooler and we’re more knowledgeable.
(45:11) But everybody is a security professional. Every person you interact with who
interacts with security has opinions. Sometimes they’re misguided, sometimes
they only see part of it, but they know more about the risks that you
face in your new organization than you do because they’ve been there. So first of all, you’re just educating
yourself, like this is the shortcut.
(45:32) They’ll walk in and they’ll be like,
oh my God, I can’t believe that I have to log in seven times a day with MFA. Like, you need to hear that, because
your team probably won’t tell you unless you ask very careful questions
about how the MFA got implemented. And you’re like, wait, why are we like,
this makes no sense and our users hate us.
(45:49) Now here’s the important piece about
that, which is when you act on what they tell you, you instantly earn
political capital, like they’re going to give you low hanging fruit, and more
importantly, by delivering the things they asked you to do, they owe you. Like in their head, they’re like,
oh my God, this person has my back.
(46:09) They’re an ally to the business. And you’ll have this reputation
as being business focused. And so you ask the questions
both to learn, but also to build the ability to get stuff done. Because some of the things
you will need to change. Nobody actually wants to go through it. Like they recognize it has to happen, but
it’s going to be this two year project.
(46:27) It’s a lot of work. And they’re like, well, if we delayed
it by three months, what does it matter? Like it’s, it’s a two year
project, like three months now is three months in two years. So, so why can’t we delay it? That’s why you want to deliver on
things that they really want so that when you come back asking for something
important, they’re on your side.
(46:44) G Mark Hardy: And some
very good insight on that. Andy, we’re getting close to the
end here, but I want our listeners remind you to pick up that 1%
leadership book you can get on Amazon. It’s available on Audible. I know you’d probably appreciate
seeing our community be about 37 times better a year from now as they are now.
(47:03) Any last thoughts that you’d have
that you’d like to leave us with? Andy Ellis: So I think the most
important thing for any leader, and whether it’s a security leader or
you’re going to be doing something else, is recognizing that your entire
job is to stop hurting your team. Most leaders hurt their teams.
(47:20) Most organizations hurt their teams. This actually makes it really easy. You’re not trying to take
great and make it perfect. You’re trying to make, take bad
all the ways in which we’re taking the energy of our teams and wasting
it and get from bad to decent. And it’s sad in one sense that I say that
and I’m like, people will think you’re
(47:37) an amazing leader when you’re just a
basic, decent human being, but they will. And so find those opportunities. They are all over your environment to get
1% better in any number of different ways. G Mark Hardy: Now, what’s the best
way if somebody wants to get in touch
and get one of your signature lined
(47:54) responses to say go take a hike. Is, would you like any
of our listeners to. Andy Ellis: The easiest way to find
me is I’m all over social media. I am CSO Andy. Whether that’s Twitter or LinkedIn
or Instagram or just about anywhere. That’s probably the easiest way to
find me is just search CSO Andy.
(48:12) My personal website is csoandy.com,
which is where I curate my past archive of everything I’ve ever
written in every talk I’ve ever given. And you can find me
professionally at duha.co. A Colombian email domain name to, G Mark Hardy: Can you
spell that out please? Andy Ellis: D u h a.co. And that’s my consulting business.
(48:35) So if you’re interested in having
me come speak to your organization or come to a book signing, you
know, you can reach out to me there. G Mark Hardy: Well, that would be great. Andy, thank you very much
for being part of our show. And to our listeners, thank you
for listening to CISO Tradecraft or watching us on YouTube.
(48:49) If you don’t already do so, please
subscribe to us on YouTube if you’re listening to us in your podcast channel. Please go ahead and give us
thumbs up or something like that. So that helps other people find us. And don’t forget, on LinkedIn, we
have a steady stream of what we think is high signal to noise ratio,
excellent content for you that
(49:05) goes beyond just these podcasts. So thank you very much for
listening or watching, and until the next time, stay safe out there.