How to become a Chief Information Security Officer

Joshua Knight, cybersecurity business leader at Dimension Data, discusses his career journey as well as the steps you can take to move your career towards the path of a chief information security officer (CISO).

– Get your FREE cybersecurity training resources:
– View Cyber Work Podcast transcripts and additional episodes:

Chris Sienko: Hello, and welcome to another episode of Cyber Speak with InfoSec Institute. Today on the show we're talking to Joshua Knight, cyber security business leader with Dimension Data. Joshua has 30 years experience in security, including national security experience. Today, we're going to talk about his security career journey, as well as the steps that you can take today to move your career toward the path of Chief Information Security Officer, or CISO.

Based in Dallas, Texas, Joshua Knight currently utilizes 30 plus years of security consulting, professional services, and managed security service experience, serving as Vice President and General Manager responsible for the Dimension Data Security Services practice. Before joining Dimension Data, Joshua served as Global Vice President over Cognizant Security Solutions business, 2016-2018, Partner inside IBM's Professional Services Organization, 2013-2016, the Executive Director of Ernst & Young's IT Transformation business, 2012-2013, and is a Director responsible for AT&T Managed Security Service businesses between 2006 and 2012.

Starting in 1999, Joshua built the Sprint Security Services business, where he was responsible for constructing and the implementation, advisory and managed security service teams. Joshua also served in two start-up companies, where he served as GM of North American sales and Chief Information Security Officer, or CISO, between 1993 and '99. This includes significant hands-on new venture experience with Angel and Series A and B funding.

During his career, Joshua has enjoyed using life-changing technology to transform businesses, cultures and societies. He currently holds a Masters in business administrations from Friends University and an undergraduate degree in physics, mathematics and chemistry from Friends University. Joshua, thank you for being here today.

Joshua Knight: Good, great. Thanks for having me.

Chris: We'll start out with something from the bio there. It says you enjoy using life-changing technologies to transform businesses, cultures, and societies. What do you mean by that?

Joshua: So as the evolution of technology has occurred, some of the things that I've enjoyed the last 15 years especially is through virtualization, when I went through GSX, ESX, and that's moot now, everyone's cloud today. And also through mobility, using such as Handspring, Pocket PC, and then watching that transform as we went into the Kyocera device as the palm evolved into what is the phone today around iPhone, Android, and then also artificial intelligence and the work that I do through IBM and many of the others, as we also ... the pieces coming from analytics and so on and so forth, so that digital transformation journey. So I've enjoyed using those aspects of technology, and of course that stems all the way back from when I began in technology years ago as just a little kid and playing around inside computer labs.

Chris: Yeah, so let's talk about that. What got you excited about computers eventually, or originally, and also how did that transition into security interests?

Joshua: Sure. So for some people, they started their technology, they would tinker around with computers at an early age or they moved into it through college or university, what have you. For me, as a kid, I was in trouble, like any other little kid, who couldn't keep his nose clean. So my father the college professor, asked me to come into the computer labs. With that request, I was able to access into DARPANET, into the World Wide Web 2, BBCs, and BBSs. So because of all of hose opportunities, I was only 10 or 11 years old, my breadth of understanding and knowledge around how hacking takes place inside of the Ixis, and I was playing around with MUNIX and of course, as Linux evolved and moved into Windows later on in my career, I was able to really get my arms around what most folks don't have an opportunity because I had those technologies at my fingertips through the university.

Chris: Yeah, you were putting your hours in very, very early it seems.

Joshua: I was. I was. I wasn't getting the grades in junior high and high school. I did in college for sure. Even then, I was always playing around, and there were books that were out there that made it easy. It was all around trial and error, and of course, the university professors who were there with PhDs always were helping and really peeling back the layers of the onion. I always had a resource I could go back to talk with.

Chris: As people of our age who have grown up with computers but also had a time when computers really weren't a thing, obviously that means that you've been there since the beginning of what's now known as cybersecurity. That wasn't always part of it. So how does the cybersecurity landscape changed or evolved since you first got involved?

Joshua: So it's interesting. With security, you're right. In the very beginning when I entered my career and I moved, eventually, into government, even then they didn't have a GS system set up in order to arrest hackers that were coming in, and I was considered white hat hacker, [inaudible 00:04:45] through a contract [inaudible 00:04:46] called MTS 2001 that opened that door inside of Sprint.

Now at that point, the evolution of security took place. I can remember sitting down with the head of the FBI inside the Midwest up at the Kansas City office back in '97, '98, and he bean to really open my eyes to what this evolution might look like. And that's where network security started. Now in my career over the last 27 years I'll say, before it became the commodity it is today, we moved from network security, and eventually moved into what was internet security and then of course, that went into what is information security and now that evolution into what is digital security.

So the transformation through four major phases or paradigm shifts, they've each built on each other and been very relevant to each other, but it's become that new way or new focus in security as we move to that tomorrow.

Chris: Yeah, how did you get involved with, you said you have national security experience, how did you get involved with that aspect of cyber security?

Joshua: Sure! So, back when I was in the startup space, we had a parental control product that was housed inside the network and not at the end point. It did well for us, but it came to a place where Microsoft gave that away in MSN 9.0. When they gave that away for free, although the end user didn't understand the real differences, they're like, "Why would I pay for your service, although far better, when I can get it for free? "

So I came to that place where I was out of a career and needed to find a next level. So I sent my resumes out to the FBI, the DOJ, and the NSA. And from there, they then contacted me through Spring, asking me to come work for Sprint through this contract vehicle. So I didn't work directly for those agencies, but I did do a fantastic amount of work for those agencies through Sprint and the contract vehicle. So I ended up inside of the nation security space.

Chris: Are you able to say what you did in that [crosstalk 00:06:40] in that role?

Joshua: Yes, so in the beginning of that role as a white hat hacker, I was actually hacking into the FBI, into the DOJ, into those different websites from the outside in, finding vulnerabilities as a penetration tester or a vulnerability assessment expert, and then eventually that evolved into an example during the Olympics. They wanted me to break into the Winter Olympics to make sure that we couldn't get to the data around the US Olympians. One of my highlights of my career was I actually broke in and got to all the Olympic data for everybody across the world. Now today that wouldn't happen, right? We would hope ... things have [inaudible 00:07:16] exchanged, right?

Then of course, I did work for the DOD and some of the other agencies around breaking into foreign governments and so on and so forth. And from there I pretty much put an end to ... I can't say anymore.

Chris: Sure, no, I figured there would be a hard out on that question. So we brought you to the show today to talk about one of many roles you've had, but namely you've had several times, it seems, you've been an information security officer or CISO. InfoSec is all about boot camp security information, training, and we want people to not only take classes and get certifications, but understand what it takes to get into certain career tracks, certain industries, and so forth.

So what were some of the major steps along the way, and more to the progression of skillsets that got you to the point of being a CISO?

Joshua: Sure, sure. So for me, because I started out as a information security or security expert, you'd say, around technology, I started out as a CISO right, very early in my career. Right, and during college. They needed it, there was really no such thing out there, it was hit and miss. And because of my security expertise and my opportunities that I'd seen in the marketplace, and expanded my own knowledge set. It was a good shoo in. Because it can also help expand the products that we were selling, which was a very security-focused product around [inaudible 00:08:35] controls and helping protect the individuals from the misuse or the malware or what have you on the outside. I was that guy that understood that, so not only did I drive internal security, but also the external products.

And then the evolution of that was, eventually, when I ended up working for Sprint, I worked for a chief security officer who was, and there's a vast difference between a CSO and a CISO in many organizations. In working for that CSO, he was a retired FBI agent and he helped me understand. I was very full of myself, I'd say, or arrogant. Because I knew technology very well. [inaudible 00:09:11] early and said, "You know, you may know technology, but you do not know governance and you do not know physical security." And so he opened my eyes in understanding, this is how governance works. This is how it applies across HR, legal, into audit, into the board of directors, how you work with a CFO. How a CIO is different from a CTO. He began to really open my eyes in understanding as he opened his own eyes, because he had spent years in the FBI and it was this real new experience. The first major role he had taken from the FBI over into that sector, into the Fortune 500 was Sprint.

He helped me open my perspective from that point of view. Then I moved over and worked for a CISO inside of AT&T. That CISO Ed Amoroso, was one of my greatest mentors as well. He helped then me dig deeper into the technology. He's a PhD, he's published like 12 books at this point, and really began to help me understand okay, now that you understand governance, you understand physical, you definitely know technology, let me show you how to meld this together and how it applies to the national security space. How it applies into the federal space, how it applies into big business, small, medium-sized businesses, enterprise, and so on and so forth.

So those are the knowledges and experiences I recommend back to many and how you get into the CISO space.

Chris: Interesting, so do you feel like you say, you became a CISO or CSO, in part, because it was just starting and you were there when it started and so forth, do you feel like these milestones are still applicable to the present day? What are some of the sort of higher bars that have happened now that CISO is kind of an established field that would not have applied to you?

Joshua: Absolutely. You know what's interesting is I spent a great deal of time with many CISOs and CSOs across multiple verticals, right, and part of the reason I made that major career shift into the PNL space is because I could help them rethink and retool their business while giving information sharing across other verticals and global industries. Because a vertical inside the United States is many times very different from a vertical inside of EU, and inside of the APAC or CEUK, it just depends on where you're at.

So for me, the most interesting part about the CISOs today is if you want to break into this field, there's a way you have to view it. So many CISOs didn't know what the security story really was just a few years ago. We may have been in security for years, but the security story, we helped paint that. And so I spell out like this, It's around governance, technology, physical. But then, it's not just around cyber, many people go, "Oh, security's all about cyber." No. [inaudible 00:11:43] the CISOs I tell them is, you want to find your way out of IT if possible, rather than technology, and find your way into HR or into legal, or some other [inaudible 00:11:50] organization, even directly into the CEO.

Because the relevance is, cyber is only one of four major areas or towers of ordinance. Cyber being application, infrastructure, databases, so on and so forth. We also have identity access management, governance risk and compliance, and then digital. And digital is a mixture of cloud, IOT, analytics, social media, artificial intelligence. And all those other, IIOT as we move into operational technologies. All those components. Now I realize there's bleed over among all of it, but if you spell it out in four distinct towers, you find your way into the way a security professional really thinks. And how you address that in the new world.

And I tell folks, "CIFOS are the old world. The CTO, being the chief trust officer, is the new world." The chief trust officer has security, privacy, and risk. Three major components. And we're going to begin to see over the next three to five years the evolution of that role as the CISO steps into the chief trust officer and has security folks, and has privacy, and has risk. So that's how I'm viewing the today and the landscape to come.

Chris: So it's really shifting a lot in the last couple of years it sounds like?

Joshua: Yes. The chief trust officer is going to become the go-to focal point that drives the budget and works as a peer to the head of HR, a peer to the head of audit, a peer to the head of legal, a peer to the head of CTO that works in the lines of business, CIOs, and has a seat on the board of directors. And has the budget concerns in the real inter workings. The thing is that's most important that people forget is that we need to be NIST and ISO aligned, so it's all around baseline policies first, then your deep dive standards around those, then the procedures themselves. And that applies back out to all areas of the business. And having that focal, okay, it's not just around security, it's not just that technology, it's governance first, and then into these other areas. The one who knows that is the one that wins, and those are in the big Fortune 500, those are going to be the multi-multi million dollar a year jobs.

That's that evolution, where the security expert becomes the real powerhouse. It's also a place where you can get yourselves into a lot of trouble, right? So much exposure, it's up to you to solve the challenge.

Chris: You. The buck literally stops with you. So we're coming right toward my next question here, so you've sort of described the strata of responsibilities of a CISO and so forth, could you sort of walk me through the day-to-day activities of a CISO? What types of jobs and responsibilities are you actually doing with your fellow CTOs, CIOs, the board of directors, what are you doing on a daily basis with HR and so forth?

Joshua: Sure, so the day-to-day piece around is pretty much the same when it comes to security. You've got your operational pieces, you've got your relationship pieces, you have your technology pieces, and then you have your government pieces. And it's about steering committees and making sure you have the right senior executives on the steering committees so that we know where budget allocation goes, and then it's working back with all the key go-to executives in the organization.

So an example, if you go into CISO today, many of them will work up and through IT and they'll drive the functions that are there, but then the challenge is the network is something that ends up separate, or it's not a part of it. So they have to see, how do I work back into the CNO, chief network office? Or work back into the lines of business that now have CTOs? So if you [inaudible 00:15:17] operational technologies, CTOs are driving that with IOT or IIOT. And so they have to have those relationships in their day-to-day business.

And at the same time, if you look at it, you've got compliance, you have [inaudible 00:15:30], you have vulnerability assessment, vulnarability management, threat management. You have enterprise security management, you have device management. You just go down the stack of all these pieces that are very, very, very important to the bigger picture. And them in their day to day role is to integrate and cooperate and ensure there is a cohesiveness across all those areas of business. And so that's the real CISO today is doing that. Or the real security czar is doing that in order to drive business.

Well at the same time, there's only one reason that we're there, it's ensuring revenue. And many of them lose sight of that, so I'll tell folks, "You've got to make sure that whatever you're doing is driving, or helping to drive, revenue." And that's the new way of ISOs and biz ISOs, tech ISOs is ensuring that they're finding ways to that revenue. Being internal, finding ways to revenue, or ensuring that the external business is enabled to find revenue.

Chris: Yep. Regarding CISO as a position, are you sort of the manager of the security department, or do you work more closely with your fellow C suite people? Do you sort of work in the upper strata, do you manage much day-to-day operation, or are you sort of working on a more sort of ... longterm plan level for the most part, or a bit of both?

Both. Both. So the CISO, they need to one, work with their peers and work with management in order to development a long-term road map, 36 month road map around how their strategy looks and how it aligns back into the business. While at the same time, going back into their own organization and treating themselves as centers of excellence so that they're easy to do business with and they're working out across CIOs and CTOs.

That's their primary focus. Are we easy to do business with? Do we ensure the state of security? And at the same time, do we drive revenue by getting out of the way, but at the same time, enabling. So many times, we have to get in the way, but at the same time that protects our brand. And that again drives revenue. So it's a multifaceted, multi-tiered approach for the CISO. A proper CISO needs to do.

Chris: What are some of your favorite, best, most interesting parts of the job when your a CISO, and what are the most difficult and repetitive? Like, what are the things you like, and what are the things you don't like?

Joshua: I would say the most important or the thing that I enjoy the most is the community. The community at large outside of my organization, the community at large inside my organization. And I call it GSIC, the global security intelligence community, and working with those across the verticals of the business itself, inside the United States, the regional sides and verticals inside Europe, same thing with APAC. And being able to take knowledge added or knowledge learned, lessons learned, and apply those back into what I do today.

It's interesting, one of the things people say, "Well it's very different how we do security here. It's very different how we do security in HVAC." And I say, "No, it is not. Security is security." It is very much the same. Now you can pretend that it's different, and you can isolate and silo yourself from the rest of the greater community or the organization at large, but that thinking is very career limiting and is guaranteed failure.

The only way to guarantee success for yourself in a bigger picture career move is to remove the doors, remove the windows, and in best case, remove the walls to where you become a non-siloed thinking, non-siloed organization that communicates-[inaudible 00:19:00] back out. Yes. We are about information protection. We're about certain things we have to ensure safety are secure and that no one can get access to, but the one thing that we have to maintain is constant communication and open dialogue with our peers, with our employees, and with those we work for to ensure success.

I tell folks, with three-letter agencies and when you get into top secret, when you get into national security, it's easy to get a siloed thinking. That is not the way to do business. If you're working at any type of enterprise or small, medium-sized business. The only way to be successful is to remove the doors, remove the windows, and open all dialogue. Level five leadership. I love that from Jim Collins. A great CISO maintains level 5 leadership. That's the answer to success. If you find that, your guaranteed.

One of the thing I've said to CISOs is a CISO's longevity can be cut very short. The reason being, an example, is ITO. IT outsourcing, if you talked to a CISO 36 months ago, they'd say, "I will never outsource any of my security. That's crazy, I'm not sending it offshore, so on and so forth." You know what happened is the board of directors, the CFO, they stepped in and said, "I don't care what you don't want to do. This is what we're going to do." And those who argued and fought back lost their job. And I know many CISOs that said, "All right. I want to continue to work, I did lose my job. I'm going to do it right the next time."

And so, here we are again, the next level, around moving everything to the cloud, and moving into a software-defined world. Many have said, "All right, I learned my lesson from the first time in the ITO outsourcing. "We're still seeing ITO outsourcing. We're even seeing total lift and shift where even the CISO themselves are being outsourced into India-based outsourcing, or to some type of outsourcing organization. I know for a fact because I've done that with Cognizant. I've done that with IBM. I've done that now inside of DD with NTT.

And the interesting part as we move into software defined, 29% of the budget inside CISOs is moving toward software-defined or cloud-based security. So here we are again, I say to the CISOs, move with it, do the right things. We have [inaudible 00:21:04], we have all these solutions, we'll see this continue to evolve ang grow, be a thought leader, a forward thinker, and you can drive change. But if you dig your heels into the ground, you're going to become a dinosaur.

And so that's my greatest gift to many of the CISOs, and I have a lot of friends in this space. So we talk about it regularly.

Chris: All right. Everybody write that down. This is the key takeaway right here, so everyone listening. So what sorts of activities should you really be interested in or enjoy doing if you're thinking about becoming a CISO, what's the thing that you do every day? It sounds like communication is a big part of it.

Joshua: Communication is my primary. The one thing I tell people is if we get hit by the biggest HERF gun in the world and all technologies cease to exist, the one thing we have today, we'll have in 100 years, 1,000 years from now, and 10,000 years ago is relationships. The answer to all things is build a cohesive network of relationships. Not just within the security community, which is very important, but build those relationships outside the organization.

There's nothing worse than when I hear a CISO who's at odds with audit. That should never happen. They should be best friends with audit. Or a CISO who's at odds with HR because of the way policies are designed and driven out to the organization. That should never happen. Legal, e-discovery, all these things, it's important to have key critical relationships, and if you're not good at building relationships, I suggest you find a way to get good at it.

Because your career will come to a dead halt, but if you master those relationships, and that's of course what I love about what I do, you're going to make sure your career flourishes because people love you. And it's not that we need to be loved, it's that we must be loved. It's the only way we can make this successful.

Chris: So what role do you feel that professional certifications play in the enhancement of a security career? You obviously have a couple of degrees there, do you feel that getting cybersecurity degrees or sort of upper level degrees is a beneficial thing in this particular position? And what certifications do you think are going to be most important to CISO aspirants in 2019?

Joshua: Absolutely. So to young folks who are coming in, I say, "Get a degree in cybersecurity if you think that's the right move" Especially one that's NSA-aligned, because there's many programs that the NSA has funded and are backing, and there's guaranteed that you'll find many of those avenues that are relevant to getting you into the market space quickly.

For those who don't have those degrees, not a problem. My degrees weren't in security as well, and I did that on purpose because I wanted to learn to think outside the box. However, I say to those folks, the fastest way, and I've taught this to many people who want to take this path, and I'm not an advocate for any one of the certifications, but I will say one of the fastest ways is, you want to know the technology? Learn the security plus and if you want to know the governments learn the CSSP.

People have an opinion about both of those, that's fine. I'm just giving an example of a road to take. When you take those, then getting out into the greater community, ensuring that you're a part of those working groups. Those monthly working groups, biweekly working groups, the CISO working groups and your local community, local chapters.

And the more you dig into that, within 12 to 24 months, you'll have a job as a CISO, because not only can you then talk to security in a way that most people could never comprehend, you'll then know how to have those conversations in ways that other people know how to communicate with you. Then you can show, "I've been doing security my entire career."

Because reality of it is, we all do security to some degree. And if you know the ins and outs of security, you'll find that many people are afraid of what we do. Because they just don't understand how it's applicable. But the reality of it is, if you know the foundation around security plus CSSP, you're guaranteed success. You will find your way into a role that makes good sense to you.

Of course, the key there is you've got to get outside the box, right? Get outside, travel, go to know people, know their business, expand your horizons. And the every time you think you've hit the, "Oh, I've made it", no. Expand it. Build your box bigger. Know more. Go, go go! Drive, drive, drive! Never stop learning!

Chris: Meet everybody. Absolutely. So I guess to that end, what type of companies require a CISO? It sounds like it's pretty much every level of business shy of local mom and pop probably needs one, you know, of any certain size. What types of professional companies should you be trying to employed at to make yourself desirable as a future CISO?

Joshua: Absolutely! So, I would say any one of the small-medium-sized businesses would need a CISO. They might not need it full time, and they might need it as a manager or director of security. They might also just work through a consulting firm to help provide that value add back to you.

Then you get into enterprise, Fortune 500, global, all of them need CISOs to some degree, some will bring in as directors, many of them don't understand the value add. And an example is when I look at some of these manufacturing companies, they have a director of security or something through the ISO and they want to evolve and move into the IIOT space. It's just happening through the manufacturing. They're a little big behind the curve and I say to them, "Get ahead of the curve."

Get a CISO who gets up to the board of directors, who has accessed, probably reports up into HR and to legal, maybe directly to the CEO, that then works with the lines of this and the CTOs. Each one of those, people go, "Oh, this company, this type of vertical is a dinosaur." No. It's not a dinosaur. Security is becoming, it may appear to be a dinosaur, but they're still growing. That's why they're in business.

And security is becoming the number one focal point as the evolution occurs, as we move into this next space of everything connected. So I would say all of those areas have [inaudible 00:26:36] and for anyone who wants to get into the space, I tell them, "If you go into consulting, you can find your way quickly into an organization just by those small ones that need to know how security works." And then you can move your way up.

So I have a great friend who works across four major companies as a consultant. He built out full time into four companies and acts on the board of directors because they don't want to pay somebody, but they need his expertise. And getting somebody who's an expert like him is rare. So there's all types of different avenues around who needs a CISO.

Chris: So realistically, you could get started in almost sort of a freelancer consulting space as long as you have the knowledge and you can sort of start low and build your way up.

Joshua: Absolutely! And outside the knowledge, have the confidence.

Chris: Yeah, and the communication skills.

Joshua: Absolutely! With that, it's easy, right? Because people don't know, and if you know more than they do, give them that knowledge, go figure it out as you go, and then suddenly, you'll become even better at it. But just have confidence in what you know and allow the rest to happen.

Chris: So what are some of the common pitfalls that CISO aspirants make along the way, and how can you avoid them? Are there sort of unnecessary tasks or resume fillers that people think that they're helping, but they don't really make a difference?

Joshua: Yes. One pitfall, they do not listen to the board of directors. They do not listen to the CFO, they do not listen to their peers. And with that not listening, they may think they're listening, but they're listening through a lens, or watching through a lens in a way that's not relevant to one, security, not relevant to the business and driving additional revenue, not relevant to everything that's important to those in charge, right? And what's important to Wall Street. Just, they don't remove the blinders. That's the first thing.

Another one, they don't fight for what's relevant. They don't fight for what's important to their business. They don't use their voice so they grow their capacity in order to support the rest of the organization.

Then the next one, the third most important, I say it over and over, is they somehow interfere with making revenue in a way that impedes bigger business and that's very career limiting. They'll shut things down based on the STLC at the wrong time because they didn't inject themselves into the development cycle properly.

Or they interfere back into a connected device in a way that impedes progress. Instead of saying, "All right, go to market, let's figure out how to secure it as we go, we were a little late to the business, that was my fault, or I wasn't here. I didn't understand the business now that I'm getting it." Again, if they were communicating, many of those are going to come back to them in their right time and say, "Hey, we need you here."

But if they're not getting out there and building the relationships, and being relevant, they're not going to get injected at the right times. And then again, if you don't shut it down and they get hacked, who's to blame? Well, suddenly you're out of a job because they say, "Why didn't you get in the middle of it where you were needed, and why didn't you solve it when we needed you to solve it?"

So those are three of the major things that I say to people is one, you're not communicating. Two, you're not listening. And three, you don't find the relevance back to is how to make revenue in the business.

Chris: Okay, so a lot of the listeners we have on our show might not even be on a security track or they're very low on a security track, so what's one thing that you would suggest you could do in your current position that would move you one step closer to getting on the path of being a CISO, even if you're, you know, in a non-security position?

What would you say, get home from work tonight and do this thing? Start reading a thing, start doing a thing, volunteer a thing?

Joshua: Get your security plus. Get the ISSP. Plug into a mentor who's a CISO or a head of security. Many of us would love to help people. Most people don't ask. And most importantly, and I see there's three because this one's on the side, community. Plug into a community. Not only to a person as a mentor, but plug into the community, local community, national community, everywhere and anywhere you can. With those three things, you will be a CISO within 24 months.

Chris: Wow. So where do you see security practices going in 2019 and in the years to come? What are some innovations and ideas you're looking forward to seeing or driving yourself?

Joshua: So the way I view it is strategic perspective. There are three towers. Three towers, the first on is, first, you're going to see most organizations break out into a multi-tiered, multi-towered approach around cyber, GRC, identity access management and digital. And, of course, national security is always there. Right?

A multi-towered approach is what's leading into most importantly, digital transformation. So of those four towers, you can look at this one as the middle tower. So this is today, those towers like GIC, cyber identity, access management. The journey to tomorrow's around digital. As we move into IOT, and we move into cloud, we move into analytics and so on and so forth.

And tomorrow, all-around software defined Securing the software defined and putting security into the software defined. I tell people that if you look at it from that, those are the strategies of today, tomorrow, and the future. And if you can get behind that, you'll realize the answer to all of it is around platforms and advisory services.

If you're using platforms to your advantage and advisory services to your advantage as a current CISO, you're going to address all of identity access management, GRC and cyber, and you're going to get that to help you feed across the transformation journey through digital into software defined.

And then if you create exploratory committees and you have the right alliances with the business, you're going to define multi cloud and hybrid. And over here, which is going to feed right back across. Because both of those are very important to melding it all together. If your strategy addresses those properly with 36 months, if you need to bring in an outside consultant, or if you can do it yourself, fantastic! Or work with your local community? That's how you're going to ensure success for yourself and your business over 36 months.

Chris: So as we wrap up today, could you tell me a little bit about your current role with Dimension Data? What type of data and security services does your company provide their customers and what's your company's big initiatives for 2019?

Joshua: Sure. So for myself, personally, I'm vice president and GM over all the Americas including Latin America and Canada for all security. It's a blend of DDNTT as we become NTT Inc and with that, I currently, my nature initiative, which is driving from a global initiative, is moving into what we call 60/40 split.

And so 60/40 split means, sure, we sell technologies today at 60% of our business, but 40% of that we drive as actual DDNTT-lead services. Those services, of that, 50% of those are managed security services, 20% of those are consulting services, being business consulting, and the other percentages of it is the professional services or technology consulting.

And my business today is going into clients, helping them, many of them are buying Cisco, they're buying Palo Alto, they're buying all these other type of vendors from us, so many different vendors we work with. But the most important part is adding on the value add services that will help them as a CISO get to that next level. Right? And helping them understand, we're not just going to toss a technology into your lap, we're going to wrap around, more importantly, the consulting services that help you address your 36 month road map around the strategy I talked to.

And we have the feet on the ground around professional services and delivering it, and we can manage security services wrap around to help you deliver and maintain the monthly recurring with what you need to get done.

So we have that whole portfolio of services and that's the relevance to what we do today at DDNTT.

Chris: So how can people reach you if they want to find out more?

Joshua: Absolutely! Getting ahold of me at a personal level. I'm, you can find me at

Chris: Right. And do you have a social media at all, like Twitter or anything, if people want to follow?

Joshua: I do, and I don't have that on me, so I'll have to-

Chris: All right. Look around for Joshua Knight. Okay Joshua, thank you for being here with us today.

Joshua: Great, thank you. I appreciate it.

Chris: Okay, and thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them at our YouTube page. Just go to YouTube and type in, "InfoSec Institute." Check out our collection of tutorials, interviews, and past webinars. I

If you'd rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Please visit for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class signup, podcast listeners can go to to learn more. And if you'd like to try our free security IQ package which includes free phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, visit

Thanks again to Joshua Knight, and thank you all for watching and listening. We'll speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.