The changing responsibilities of the CISO position

We're talking about chief information security officers CISOs, one of the top-dog roles in cybersecurity, and for many professionals, it’s the brass ring they spend their careers trying to reach. The expectations of a CISO are changing, too, and requirements are growing in many different ways. Mike Scott, CISO of data security provider Immuta, has seen the role change a lot in the past 15 years, and he’s seen the role of CISO move from out of the shadows and into the spotlight for the C-suite, but at a price: when a breach happens, the CISO is often the one who takes a fall. Is this a reasonable expectation? Will the role of CISO change even more? I talked to Mike about all this and the eight years he spent as the CISO of the Wendy’s fast-food chain! We won’t judge you if you want to bite the corners off first, but I’ll be crying in my chili if you don’t keep it here for today’s episode of Cyber Work.

0:00 - Responsibilities of CISOs 
3:15 - How Mike Scott of Immuta got into cybersecurity
6:55 - Leading Wendy's fast food restaurant as CISO
13:30 - Data security problems right now
18:40 - Shift left strategy
24:10 - How the CISO role is changing
31:00 - Increased CISO oversight
38:06 - The CISO's responsibility
48:30 - How to work as a CISO
51:50 - Cybersecurity in the federal government
54:48 - Learn more about Immuta
56:53 - Learn more about Mike Scott
57:35 - Outro 

– Get your FREE cybersecurity training resources:
– View Cyber Work Podcast transcripts and additional episodes:

Preparing for the worst is a drag. No one likes to think about it. If you don't watch out, inaction means that when you do get ransomed and breached, your first thought is not, “Let's go get the disaster manual and see what it says.” It's just a panic. Today, ProServeIT’s Eric Sugar walks you through a crash course in developing a disaster recovery plan for your small business. Don't panic. Help is on the way in the form of today's Cyber Work hack.


Welcome to a new episode of Cyber Work hacks. The purpose of this spin-off of our popular Cyber Work Podcast is to take a single fundamental question and give you a quick, clear, and actionable solution to that problem. So today's guest is Eric Sugar of ProServeIT. We recently recorded an episode with Eric on the concept of disaster recovery as a vocation, as something that small and medium businesses need to do. So for our hacks episode, we want to just get down to the very rudiments and talk about what's involved in getting started with a disaster recovery plan. So thank you for joining me today, Eric.


Thanks, Chris. Excited to be here.


So first of all, can you give us a very brief explanation of what a disaster recovery plan means, especially as regards like a small and medium business? What are we trying to accomplish here?


Yes. So a disaster recovery plan for a small, medium business is ideally a short document, less than 10 pages, or a checklist that tells everyone in the business what activities they need to do to go from business stopped and failed to business working, sending invoices, people doing their jobs again, and the estimated timeline it should take to do that. That's the very kind of basis description and should be very consumable by non-technology people.


Right. Yes, and we mentioned this a little bit on the main feed as well. But lest you get overwhelmed by the idea of like the thousands of things that could conceivably happen to your business, like ultimately at the end of this, you should have a very actionable kind of checklist of if this happens, then we do this. If this happens, we do this is. Is that right?


Yes, absolutely. Then the last one would be if something else happens, like figure it out actually. We've covered off the top five for all these people to figure it out if it's either seven or eight or nine.


Yes. We're escalating the problem at that point. So how challenging is it to get started on creating a disaster recovery plan? Is this something that companies can do in-house? Do you recommend hiring an outside source, especially if you don't have like a strong IT and security department? Is this something that you get assistance from outside?


I'm a big fan in this space of this should be outside your business. The recovery process will be whatever it is will be painful, and it will not be happening during business hours. So you want your team focused on supporting your clients, and you want someone else focused on bringing your business back up. If it's a catastrophe or disaster, you need to be all hands on deck, supporting whatever you can do for your business to keep it moving while people recover.


Right. Got it. Now, if you're – this is especially suited for people who are listening to this and saying, “Oh, that's exactly what I wanted to do. I'm studying a bunch of different things right now. Disaster recovery planning, that sounds right up my alley.” What should they be doing like right now to get themselves in a space where they could be qualified to do this kind of work?


So someone looking to get into disaster recovery needs to be a bit of a jack of all trades. They need to know a little bit of security, a little bit of business, a little bit of IT. I think do that through experience. So if you're in your school and you do different internships in different areas, try that.


You'll also probably find something you'll love to do which is really important. But, yes, get experience in multiple disciplines or ask for cross-training at your current job. So, “Hey, can I go spend a couple of days with someone on our finance side or someone on our operations side to learn the systems we use?”


Okay. Yes. You mentioned a little bit the main feed as well but that there should be some possibly give and take between not just strictly IT or cyber or tech but also some degree of knowledge of like how businesses run and the sort of the risk elements on that side.


What's the monetary driver? So how does the business make money, and how do you interact with your clients? That will help you understand what you need to recover first and how you build that 10, 20, 25-bullet checklist. That will then have detailed instructions after, but that's how you build that checklist by asking really deep questions and continue to ask why. So there are five whys behind each other's questions.


Yes. So widening the aperture a little bit, is it possible to say like pick a company and write sort of a hypothetical disaster recovery plan based on what you know about them? Or like you say, if you're interning for a certain department of your college, is this something that you can kind of practice before you actually like go to work doing this kind of thing?


Yes. There, you can absolutely practice it. You can create your imaginary company. It's okay. I need communications. That's either going to be Google or Microsoft. I need a finance system. Let's say QuickBooks, Zero, Business Central. I need something in operations of customer support. I need a website. Let's say Wix because it's kind of cheap and cheerful and easy. I've got a phone system. I got cellular. So I got five systems. I got five check boxes. How to recover Microsoft 365 if I get breached? Here's your steps. So you can start to really think about it and build it based on that.


Great. That's perfect. So for people who are not currently in the business but want to get there and are learning these things and are building their, as you say, hypothetical companies and documenting them, can you talk about some things that you would want to see on a resume from a newcomer that indicates that they would be good in this space?


On a resume, that's a great one. So we've found most of these people by talking to them. So the resume probably shows some experience in technology. It probably shows a bit of background in sales or business operations and something in security, just saying like they've studied seriously your Security+. So maybe a Security+, plus some Microsoft certifications or Google certifications, and some sort of business sales experience, whether it's a summer job or internship or something like that.


Right. Got it. Okay. Yes, that's a really good start now. Yes. I guess that's about all I think. Oh, I guess the one last question here. If you want to make sure that you're sort of future-proofing your skills, I know you mentioned that in our previous episode that AI is definitely going to be a big part of it. Like what are some things that you should avoid? What are some eggs that should not go in that particular basket to keep yourself fresh?


The one thing I would say is don't stop learning. Like continue to learn. Don't stop what you're doing, and don't anchor in on I'm a Microsoft 365 email support person. Or I'm a desktop security admin. You want to be learning new topics and pushing the boundaries and stretching yourself. So find a new topic and have dedicated learning time in your calendar, whether at work or at home. That's the key I think to future-proof yourself.


Nice. So if our listeners want to learn a little more about Eric Sugar or ProServeIT, where should they go online?


For ProServeIT, is a great spot to find us. You can find me on LinkedIn under Eric Sugar. Thanks, Chris.


Great. Thanks very much, Eric. I really appreciate it. Thank you all for watching and listening to this episode. If this video helped you out, please share it with colleagues, forums, or on your social media accounts. Definitely, subscribe to our podcast feed and YouTube page. You just type in Cyber Work into any of them, and you're on your way. There's plenty more to come. If you have any topics that you want us to cover, drop them in the comments. As always, we'll see you in two weeks. Take care.


Hey, if you're worried about choosing the right cyber security career, click here to see the 12 most in-demand cyber security rules. I ask experts working in the field how to get hired and how to do the work of these security roles, so you can choose your study with confidence. I'll see you there.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.