Whose Title Is It Anyway? Information Security in the C-Suite [Security Sandbox Podcast]

Sam Bock

We hear a lot of “alphabet soup” when we talk about the modern corporation’s C-suite. There are plenty of new C-something-Os out there these days, and the field of information security is no exception.

What is a CIO? What’s a CSO? What’s a CISO? What makes them different, and why can’t just one title and role do the job of cybersecurity? In this episode of Security Sandbox, our own mini-panel of C-something-Os—host and Relativity CSO Amanda Fennell, Kraft Heinz CISO Ricardo Lafosse, and Andrew Watts, Relativity’s CCO (and former CIO)—digs deep into these questions. Tune in for their thoughts, and let us know your opinions in the comments.


Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer and chief information officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity. One of the best things about a sandbox is you can explore and try anything. When good tech meets well-trained, empowered employees, your business is more secure. This season, we're exploring ways to elevate the strongest link in your security chain—people—through a creative use of technology, process, and training. Grab your shovel, and let's dig in.

In today's episode, our sandbox heads to the boardroom for a white-collar discussion with Ricardo Lafosse, chief information security officer at Kraft Heinz, and Andrew Watts, Relativity's chief customer officer and former CIO, on the current state of information security in the C-suite. What should it be? CIO, CSO, CISO, or a combination? We don't know. But the current perception and narrative around this specific title actually influences a lot about your technology and process within your departments. So grab your executive briefs, and bust out your corporate buzzwords. Let's dive in.

Ricardo, we're going to start with you.

Ricardo Lafosse: Of course. Of course.

AF: It's going to be awesome. I know. I love the fact that I only know you because of Watts, and, like, that was the intro of all of this entire discussion for us to get to know each other. But I feel it's so organic to have the two of you together.

AF: So, Ricardo, you're a CISO. I, Amanda, am a CSO and a CIO, which—that's a fun one we're going to talk about. Andrew—a CIO previously. Let's talk about how we view these roles that we're in or were in. What's the difference and what's the overlap? And let's just do the disclaimer now. These are our opinions that do not reflect the opinions of the entire industry. Is that correct?

RL: A hundred percent.

AF: Okay. All right. You're first up, Ricardo. So what's your title technically mean?

RL: Man, I should have just—my amazing, super awesome title, as I like to describe it to others—CISO. Also known in reality as: if it's a technological or digital asset, for the most part, it's my problem to protect it. That's how I simplify it as much as possible. See, Andrew got so upset. He just walked away.

AF: He just left. Andrew said, I am done with this. But—so wait—so you specifically caveat digital asset?

RL: Yes, yes. And I put a little asterisk because there's digital to physical—you know, especially in manufacturing with OT. There's that collaboration, that movement that a logical cyberattack could impact something physical. So it's not completely physical, but aspects of physical.

AF: Aspects of it. Okay. So kind of an interesting one, though.

RL: Yeah.

AF: So this is where I've always differentiated myself in the terms the CISO versus CSO when people have asked me, what's the difference? From my understanding and the way I've developed in my career, CISO was, as you say, digital assets or corporate assets and so on. But the CSO typically ends up being a, like, a product side as well. So we end up having something in addition to—either it's the product security, the corporate security, and the physical security, et cetera. So it's kind of a conglomerate. I almost want to say it's a catchall. Like, if you use CSO, it's a catchall. But CISO definitely does double-click on the digital. But I don't know...

RL: I'd agree. The product one is a very interesting item that you brought up because say—for example, in your industry, a product is a digital asset. So I don't see that—the physical side for that product. Or are you saying it's a product because it's an item that is delivered or goods service to an individual?

AF: I'm going to pull Andrew in on this one because he created the security around our product, for the record. And I just took over a really cool program from him. But I would actually—I know, right? I'm resting on his laurels. I actually think it's because it's about the off boundary for what we use in terms of our program. So our off boundary includes some of the physical, which bleeds into our product.

RL: Got you.

AF: So you can't access—you know, I mean, like, you have to access and have badging and controls, man traps, et cetera. That is part of our off boundary for our product with the way that we approach our actual headquarters and things like that. So, Watts, you're up. What is a CIO and a CISO—what's the difference?

Andrew Watts: Definitions are interesting, right? So chief information officer has probably been around the longest and, in my opinion, has just a myriad of meanings in a lot of different companies. So, for example, chief information officer in some companies is responsible for applications—whether they're productivity applications, business applications, product-supporting applications—the integration of those to each other and the management of the data that is used by those applications in service of both employees and in service of customers who are using those tools, either through the employees or directly. In some cases, chief information officer also has security responsibilities. But increasingly, we're seeing the chief information security officer or the chief security officer be an independent position—reports to the CEO or the board.

And I think it depends on the size of the company, the scale of the company, and how they use technology. I think if you're a company who uses technology for a smaller part of your business and can get away with it, you could possibly have one person or the other. And what I mean by that is one CSO or one CIO to tackle both things. Or if you're a large-scaled company, you could decide that you need two or even more of those roles. So in some cases, you're also seeing chief digitization officers, chief technology officers, and so on also sort of around the mix there, as well. In my personal opinion, these days, for most organizations, the chief information officer is purely responsible for data application integrations and the IT organization, and the chief security officer is responsible for cybersecurity, product security, sometimes physical security. And the two of them work very closely together, with one having the responsibilities for making sure that the technology's managed in a cost-effective way and that it works well for the employees and the customers, and the other one responsible for risk management, basically, and ensuring that the company is set up well and protected from bad actors or unintentional mistakes made by good actors.

AF: So Watts, I'm going to use this shameless moment when I have you on a camera, a microphone—you were a CIO whenever I interviewed. What made you think that I could be a CSO here?

AW: I think that for Relativity, we were about to need information security to be a strong centerpiece of what we did in all aspects of running our business, running our product on behalf of our customers, whereas before you joined the company, we had a security program. We had a chief security officer. That was vastly different when we shrink-wrapped software and provided others to operate. When you operate customers’ software, you operate on their data. You need someone who understands that, for anything that can impact that data and how the customers think about it needing to be protected—whether it is inside your corporation, inside the physical boundaries of your premise, or in terms of how the product works—it's got to be a 360 approach. And I think in your background, Amanda, you had done a significant amount of cyber breach work. You had done a significant amount of work in protecting critical assets for financial services companies and others and had a background also in e-discovery. So those things came together really nicely.

AF: But reporting structure—and by the way, thank you. Appreciate that. But reporting structure, you made the decision as the CIO to not have a CSO report to you. You actually said, I'm going to step to the side. You're going to report to the CEO. And Ricardo, we're coming to you next, just to broadcast that. Actually it's coming in a second. But you made this decision to not have security report in to you. Why? I feel like I'm, like, grilling you. This is an interrogation. Where...

AW: We had...

AF: ...were you on the night...

AW: ...No. We had—yeah it could...

RL: Yeah, Andrew.

AW: ...could be...

AF: (Laughter)

AW: ...Could be seen that way. Could be seen that way. You know, you could say, well, Andrew or someone like him didn't want that responsibility, didn't want to deal with those things. He was scared of it or, you know, he was busy...

AF: But...

AW: ...whatever the reasons are...

AF: I would have—Ricardo...

AW: ...It...

AF: ...Would you have ever said that you thought he was scared? I would have never said that.

AW: Terrified...

RL: No, no...

AW: ...Terrified.

RL: ...He's just saying this because we're recording it.

AF: I know, I know.

AW: That's right. That's right. But I think for us, at the time, we were entering a phase where there was going to be a full-time job. It's as simple as that. Our information security program, the execution of it, talking to our customers about it, investments made in it, and the expansion of it was a full-time job. And at the same time, the role of ensuring our applications and data was set up for our customers and for our customer's interactions with our team members, and then finally, the productivity of our employees, was also a full-time job. And so it really was two roles, and it made a lot of sense for it to be a co-report to our CEO.

AF: Yeah. But man, we moved so fast because of that relationship, because—and I will say this. Ricardo, I don't know if you feel this way, but having a CIO that gets security, follows it, understands it, and knows where to go and what the prioritization is—we moved so fast in security with that help in that partnership. So I don't know if you have—what your reporting structure is. Now is the time for you to lodge a formal complaint for you to do that if your reporting structure is bad. But what is your reporting structure, and is it the way that you think it normally is, and does it work well?

RL: Yeah, absolutely. So I report to the global CIO, who is a staunch advocate of cybersecurity, and I couldn't agree with you more. We get a lot of traction, a lot of buy-in, specifically the old homage of, oh, is it operations or security? Who wins in the battle? And CIO has to, like, punch him or her or their self in the face to decide who wins or flips a coin. But no, in reality, you get a little bit of both because you get the support from the traditional IT side of the house but you are also enabled to go to the chief legal officer. You can go straight to the CEO if you want to get the right agenda and the right traction needed. So for me, it works to report in to the global CIO because of that level of support and that level of engagement. And also something that really wasn't highlighted to me until I got to an organization this size is an X multiplier if I need to bring in additional resources within traditional IT to support security functions. A great example is vulnerability management, where security doesn't just do it themselves. You need a whole slew of other departments to work collaboratively, and that CIO helps you be that glue instead of, oh, Ricardo's saying we have all of these critical vulnerabilities, and he wants them done now. Ha, ha, ha, ha. No, it gets done now because of that level of support.

AF: So you mentioned something randomly there that I'm going to click on a little bit more here.

RL: Yes.

AF: Here we go. You opened it up. You mentioned the ability to go directly to, like, a chief legal officer. Who expected there to be so many politics behind this role? 'Cause I did not. So—and, Watts, you've been a CIO. Ricardo, you're in this role now. I mean, did you know there was going to be this many politics for—I got to go convince everybody that this is the thing to do and that there's fear, uncertainty, and doubt? Or how do you go about it? Is it a political game? Or do you have to just work through the different personalities?

RL: I'll take the first stab. I think it's a little bit of both. And I did a lot of cutting my teeth in local and federal government, which—so there were politics. That's all I got for today. But it was a lot of—why is security important to them? Specifically in Cook County, we had separate legal entities that did not really have to report back to the office of our president, per se. And you had to create those relationships to really highlight why security was important. And then our board of directors was also very separated on their level of expertise. Why is, Ricardo, this crazy new guy, out of the blue, asking for funding when we never had to really fund this? He's crazy. But being able to convince them and do a little of the politician side—but more of that influencing and showing the real value to each of those elected officials in those specific different departments on why security is important, not strictly from a protection perspective but an operational perspective or a process improvement, showing more value than—I'm protecting you from the hackers.

AF: So, Watts, I think that we've spent a lot of time here at Relativity working on educating, like educating our peers, educating the board, educate—and not just because they don't know about security or about tech as a CIO but, specifically, like, we have to make sure that they're on the same page as us before we can tell them the direction of our vision. So I don't know if you feel the same. But do you feel it's political? And do you think that that's where you spend a lot of your time, is the education and the influencing?

AW: You know, I think we're lucky to work in an organization that's incredibly open to ideas and doesn't have a ton of hierarchical politics. I think the information that needs to find its way to peers and others is more of an education problem. I've been in organizations that also have the political issue of, for example, a certain person shouldn't talk to another person without going through a hierarchy and things like that. I'm not a huge believer in it myself. I think that anyone working in a company should be able to try to influence and make change. But I think when you are in an unfortunate situation where you have a lot of hierarchy, structure, and expectations around how data and information flows up and down, it can get really sticky.

AW: And position and title can matter. I think at our company, it doesn't matter as much. But when it comes down to, for example, decision-making rights or, you know, who's the authority for the final say so, it really should be rested in a title or a role. For example, as we operate our security protocols, it's necessary for our certifications. You have to have somebody who's designated. It's the way their certifying auditors look at it. And so there's different aspects of why the role exists, why it's titled, and so on. I think, lastly, to say to anyone who is struggling with this, I think it is worth breaking it into those different areas. Is this because of culture? Is this because of external necessity? Is it because of decision-making rights? Or is it simply because it works better in your organization? But it is worth thinking about why you need the title, the responsibilities, and the decision-making rights to be set up correctly and who needs to know that. Is it you? Or is it the people around you?

AF: Yeah. I've had people ask me—there's two sets of camps, I think, about the—to be clear, CISO was the role that I came in with and as you moved into a chief customer officer role, it was an opportunity for me to expand and to flex and try this muscle out in a CIO role. There's two camps of people, one who thinks you can't do both. You can't be responsible for the infrastructure, the applications, all of those different things, the deployment of all the things that we do as a company, and securing it. I personally don't find it to be difficult because I worked with you for so many years so closely. So I feel like it's not that difficult to do both of these roles together. Of course, I'm definitely not the CIO that you were, which is one that I aspire to. So blush, blush—right?—single tear. I know, Ricardo, don't cry. But I guess from your perspective, can the two exist as one?

AW: Yeah, I think they can exist as one. See my earlier comment or repeat—or listen to earlier comments about...

AF: (Laughter)

AW: ...Some CIOs have security in them or some CSOs have information technology in them. I think they can absolutely be the same. I think that it takes a deft person such as yourself to distinguish between—I'm making a decision now about productivity, for example, or tools that our customers use from outside of our business. Or I'm governing those tools. I am applying risk management to those tools. And you have to sort of step in and out of those roles when you do so. But if you've set up amazing teams who have people in them to actually play out most of those areas of both monitoring and compliance or securing or, on the other side, implementing, managing data, integrating—those teams will take care of most of that and leave you to decision-making and strategy and so on. I think that in our organization, also, our IT organization does not build our software products that our customers use. They participate in some aspects of that, but because your role doesn't also build those products, you can sit in a compliance and risk management role working with our other peers, our chief technology officer, and our chief product officer. So there's an interesting mix there for our company. I think in other companies, it really would depend on whether the idea of being a risk management and governance authority, overseeing all of the implementation of technology and data, would work well for your company. But I think in our case, it works quite well.

AF: I have to ask a little bit of questions here about the tech stack that we use and so on, and, like, how we enable people. So, Ricardo, I love asking you questions you're not prepared for. Are you ready?

RL: Oh, sure. Why not?

AF: Here we go. Okay. You get one technology that's in your stack that you're like, this is the best. This helps us do the best job—secures it, enables people, any of those things—like, the one that comes to mind that you're like, this technology actually really helps us do our job.

RL: Oh, this is a good one.

AF: I know.

RL: Huh. I'd say one tech that really helps us—all right, this is going to be memorialized. I'll get the haters out there, as well.

AF: Okay.

RL: Active Directory.

AF: Gasp. Oh, my gosh. Alright.

RL: Yep.

AF: Explain it.

RL: And let me tell you why.

AF: Oh, I'm ready.

RL: Our whole program has transformed from a typical controls ops run, your typical IT security shop, to everything that's based off an identity. If I don't—if I can't properly identify, I can't apply the appropriate controls, least privilege, across the board. It all starts with the identity. I know you can yell, ugh, gross, and you can say as your AD—you can say all of this stuff. But the identity, whatever you...

AF: I did those for you out there...

RL: ...Whatever it is for your organization...

AF: ...How dare you.

RL: ...The identity is key. Yeah.

AF: Ugh. How dare you.

RL: Yeah. Hold on, let me wash off.

AF: (Laughter) I know. You're in a lot of trouble. Watts, what's your thoughts? Do you agree on this one? Do you think that's the tech to double down on? Oh, that's...

AW: I think it's...

AF: ...A cringe.

AW: I think it's vital. I mean, I do think that foundational...

RL: I told you.

AW: I think foundational technologies are important, and identity and access management is really key to it. Vital—gee, that's a tough one. I mean, I think increasingly, it's becoming the data itself, I mean, which is not, of course, technology. But the technology that stores, protects, transforms, makes visible...

AF: Relativity?

AW: ...Surfaces data to—yeah, it could be Relativity—to the employees and the customers that need it and the leadership that needs it for your business. I mean, I think anything that can enable better views of the data about your business that your customers are using—and your employees—is just vital these days. So the data products, I suppose, or the data technologies would be my answer.

AF: Okay. I would go with the IAM side of it. I don't know that I would double down on just Active Directory specifically.

RL: I think—you know, you told me a tool. Look, Andrew ran away, see, 'cause you...

AF: I can't believe you two.

RL: ...said Active Directory. That's why.

AF: I know.

RL: For the record, it's the identity piece. And for me, in my industry, it is Active Directory. Andrew can't get to his data if I can't identify him.

AF: You know, it seems like an existential crisis there. Like, you have to know who you are, right? I need you to know...

RL: Yeah.

AF: ...who you are. I need to know what you're allowed to do. I need to look...

RL: Yeah.

AF: ...I need to know all those different things, your role—was it least privilege? What's our CISSP words?

RL: Same, same.

AF: And what are all of these privileges?

RL: Yeah, whatever. But more—it's not awesome. It's not, like, super cool. There's not laser beams...

AF: Yeah, it's not sexy.

RL: ...coming out of it. No.

AF: I can say. This is not—I'm not watching, like, "Star Wars," the new—like, "The Mandalorian" and "Book of"—this is—yeah, you're, like, back—this is "A New Hope." This is backwards.

RL: Hey, hey, hey.

AF: (Laughter) Hey, easy.

RL: Essential to the story, OK?

AF: It's foundational. But yes.

RL: (Laughter)

AF: It's foundational. So, all right, Ricardo, I'm going to go in, like, an interesting route to ask you a question. When you talk to people—I think before I was—maybe, like, the first few years I was in this industry of security, I feel like all Cs were confusing to me. Like, I didn't know what any of them were, you know, in terms of...

RL: Yeah.

AF: ...Like, C what? You know, COO, CFO, CIO, CSO, like, okay, I don't—so it's a C, that's it. Out of curiosity, what's something that was the biggest misconception you had for the role—like, something that you thought this is what it meant at some point, but then you got into it, and you're like, yeah, no, that's not it?

RL: Oh, this one's fantastic 'cause I do a lot of mentorship of WESes and FEOs who are like, oh, this is so cool to be a CISO. I was like, let me tell you what it really is.

AF: Heads up.

RL: I thought...

AF: Take a knee, take a knee.

RL: I thought it was, like, super-secret ninja stuff where you're leading, you're architecting, you're, like, doing—jumping into a boardroom saying, secure this.

AF: But wait...

RL: No.

AF: ...It's like "Mission Impossible" when he goes...

RL: Yeah.

AF: ...into the room...

RL: Yeah, yeah, yeah.

AF: ...Toast, toast. Yeah. No.

RL: That's exactly what I thought. No—more than, I say, probably, 70 to 80 percent is influencing and educating, which I knew there was a little bit of. It's essential.

AF: Yeah.

RL: Budget, HR-related stuff, vendor management-related stuff, removing roadblocks—ridiculous and legit—and then creating reports. My strongest tool is PowerPoint and Excel.

AF: Oh, right?

RL: Right?

AF: PowerPoint is—I've asked this question in interviews. Like, if you were a Microsoft application, what application would you be? Oh, I'd be PowerPoint. No question.

RL: PPTX for life.

AF: Oh (laughter). But this is, like, how you have to tell a story and convince things and be like, this is the data. Here's the bottom line upfront, the bluff, right? Here's the data. Here's the story. Here's what we're projecting. But it goes back to influencing and trying to...

RL: Yep.

AF: ...You know, budget and things like that. But I did think that it was a little bit ninja, and it's not, so...

RL: Yeah. You—every once in a while, you'll get it. But, no.

AF: Every once in a while.

RL: I have, like, eight Excel tabs open right now.

AF: Oh, I don't—I'm on vacation. This is my vacation. We're not—I have no...

RL: Nice.

AF: I know, nice...

RL: Yeah.

AF: ...Spending it with you gents. Wattsy (ph), I—so Wattsy, up to you, biggest misconception—you were a CIO. You came in as a VP of IT. You worked your way through this. You moved into the CIO role. I stole it from you in a game of chance, in blackjack. I'm kidding. No, I didn't. But what was your biggest misconception you had when you started in the role that you were like, this is not what I thought it was going to be?

AW: So I've been an IT leader of sorts for a decade or two before that. So there wasn't much left that I didn't know it would be. I would say probably the biggest misconception was how different companies utilize their IT and security resources. So, for example, Relativity is a software company. We have a lot of very smart, creative employees as a whole. Our employees at Relativity largely would prefer to solve their own technology problems if they can.

AF: Shadow IT, shadow IT.

AW: Fix my laptop. Fix my application. Buy my application with my credit card. Put my data in it. Yes, so there's definitely some of that. I think that in other organizations, there are employees who wouldn't dare do those things. They wouldn't dare start shadow IT. They wouldn't dare try to fix their own computer. They rely on the IT department completely. I think what you can get done as a security or a technology leader largely depends on the way your customers, which can include your employees, like to work.

And, I think, I find, for example, at Relativity, we could get a lot more done in the service of making our employees more productive or our customers happier because our employees were more willing to do some of the work themselves. And so you can scale your IT team in a way like you can scale your security team. You have security champions instead of hundreds of security employees, for example. In other organizations, there's people who are too busy to become a security champion or to solve their own IT problems. They're too busy doing other things. And so you don't get quite as much scale. So that was probably a gap for me that I've learned being at Relativity. I think another one definitely jibes with what Ricardo said. The amount of work that goes into reporting, planning, the amount of time spent in coaching and helping mentor people so that they can do this type of work in the future and make great choices, is huge.

AF: You know, for both of you—it's interesting for me to be in a session with you both because you represent two different ends of the spectrum that I have within me that I like to access. And so Ricardo, I met you initially and immediately was like, awesome. This person's just as crazy as I am and—hi. And after absolutely spending time together, it's a question of if I said, Ricardo, we got to go to Brazil and get tattoos, I feel like you'd be like, let me just get my passport. I'll be right there. So you're...

RL: What time? We're leaving at 4:00?

AF: Yeah—no, 4:30.

RL: All right, cool—oh.

AF: But, yeah, so, like, this spectrum of crazy that is there is absolutely right here. This is—you're the representation in my head whenever I have, you know, the angel and the devil—like, you're the one over here that's definitely the crazy. Watts has always represented the calm. And he always brings the calmness from me. From the time I met him initially to now, I can still say, as soon as he starts speaking, I immediately, like—got it. Okay. This person's in control. They know how to do what they're doing. And I can trust them. And so I love this dynamic of what I saw initially is still present with the way I see you all today after years together. The reason I say this is my question—what did you think of each other when you first met versus what you think now? Ricardo's up first. What did you first think about Watts...

RL: (Laughter).

AF: ...Versus what you think now?

RL: Well, for me, it was really easy to blame everything that went wrong at Morningstar on Watts.

AF: (Laughter) 'Cause he exited the role. Right, Morningstar.

RL: Yeah, yeah.

AF: Yeah.

RL: Yeah. I was like, oh, well, who created this policy? It's either Michael Allen's problem...

AF: Yeah.

RL: ...Or it was Andrew Watts' problem.

AF: Yeah.

RL: So it was a really easy scapegoat. But I echo your very calm, confident demeanor at all times. I've never been in a crisis with Watts, but I could just imagine, like, everyone chill out. We're going to do steps A through F. Something goes awry—we got it.

AF: Yeah. If we have a bar fight...

RL: Cool chap, this guy.

AF: ...we want Watts with us, for sure. He's going to talk them down.

RL: Exactly, exactly.

AF: You and I, however, will get in the bar fight, but yeah.

RL: Oh, we're getting cut, but it'll be worth it.

AF: So he's always been the calm.

RL: Yeah.

AF: I like it. Watts, what did you initially think of Ricardo, and what do you think today? Is it still the same?

AW: I'm going to make sure that when you're in Brazil getting those tattoos, that those are clean needles, that you don't overpay, and that neither of you comes home in a body bag.

So actually, rather than how I thought about Ricardo when I first met him, I'll tell you what I thought about him when I first heard about him. So I had moved on from the other organization, and I heard that Relativity—sorry, the other organization—was recruiting for a person to take the role. And I think I heard things like, he has like, I don't know, something like 22 offspring, and he has a crazy hair style, and he's worked at about 22 different companies, one for each child, and...

AF: (Laughter)

AW: ...That he was louder-than-life and had all sorts of ideas about how he was going to basically turn security on its head of that organization.

And I was hearing all this from people who were still there, who probably fit more of the mold of myself, who were like, steady as she goes, keep everything on an even playing field. And the reason I was hearing it was a little bit of trepidation and fear, you know? That led to when I first met Ricardo. I was like, okay. He's edgy, but he's not that crazy. I'm still yet to...

AF: He is.

AW: ...find out whether he has 22 children or not. So...

AF: No. It's not 22.

AW: ...Maybe we can discuss that today.

AF: Yeah (laughter), we're getting to the bottom of this, but it's not. But I loved this dynamic, though, of, like, you came in thinking, I'm going to flip security on its head or this is the dynamic that came with you. This is the preceding, you know, impression people had of you. Same for me—I think people didn't know what to make of me for the first, maybe, year, Watts, like, that they kind of really—I'm not sure what's going on here. She's doing some weird stuff. They keep doing some really crazy things or whatever, but it just might work. And I think this is, like, one of my tie-ins as we roll up this episode of a couple of things that are really the biggest takeaways that I've got for it.

There's a part of this where the role requires a little bit of both, whether it's the CIO or the CSO role or the CISO role or any of the alphabet soup or any executive role: it requires the calm and the process of Watts, who's making sure that our needles are clean (laughter) and that we're not going home in a body bag, but we have that steady hand that's required. But a little bit of crazy goes a long way, and it helps to make us accomplish some things that is—it's kind of a jump ahead that you didn't expect that you would get. So I think that's where all three of us kind of blend together, and we make this great mixture.

RL: I think that captured it quite well, and I think how cheesy it sounds. I think as more and more individuals go into this role, they need to have that open mindset of, there's a reason why there's a status quo. Challenge it. Break it. But keep Watts honest. Controlled chaos is all I ask for.

AF: So Watts is going to absolutely say, so don't break it, but (laughter)—Watts, what's your thought?

RL: Bend it a little bit.

AF: Bend it.

RL: Bend it a little bit. Yeah.

AW: No, I wouldn't change—I might have a different point of view in this case. I'll just simply add the timeline. I think the controlled chaos needs to happen at the beginning, when you're trying to solve problems. You're in that scrappy, dynamic, uncertain, ambiguous phase. And then, as time goes by, you need to standardize things and put them in a standard, routine, boring operational place and just do that forever. I think, particularly when you're working in really dynamic organizations, you don't always have time for the deep levels of process orientation at the beginning, and you're better off to try some scrappy things and know that risk is still managed in that way. But you're always trying to retire off things that are boring and routine, so it's a good way to think about things.

AF: That's my perfect segue to my closing quote that I have for this. So I like to make it look like I'm super educated, so I'm going to quote Socrates. Take the moment, Ricardo. This is my educated moment, right?

RL: I'm going to pet the unicorn while you do this.

AF: Be impressed (laughter). Be impressed. There is an awesome quote that talks about, what I think, encapsulates what all three of us have done over my last five years of knowing all of us here, including myself: “The secret of change is to focus all of your energy not on fighting the old, but on building the new.” I think that's where all of our roles have gone.

RL: Look at that.

AF: I know.

RL: That's so spot on.

AF: It's suit—it's not what it's about—what it was in the past. It's about where are we going, and how are we trying to direct this, and how do we iterate? Like, all of us can say, candidly, our job today is not what it was six months ago. It changes every few months or so. What we do today and what delivery looks like, what success looks like, it's always changing, and you have to be agile and you—buzzword—but you have to be agile. I know. You have to keep going. So I think that's one of those things. When I was thinking about it, I was like, this feels like Socrates. This is a Socrates moment.

RL: You know what? I'll re-quote that. I'll put smaller—Socrates—but then put—Amanda—underneath it.

AF: Oh, is this like the Wayne Gretzky—you miss 100 percent of the shots you don't take—but it's Michael Scott?

RL: Yep.

AF: (Laughter) It's perfect. That's all you need. All right. So, Ricardo, Andrew, I will say that when I thought about this idea of an episode that talked about what these roles are and what they mean, I got my first pick. I'm so glad you both had the time to spend with us. Thank you so much for being here.

RL: Thanks for having us.

AW: Very welcome—thanks for having us. Good discussion.

AF: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments. Give us a rating. We'd love to hear from you.


Sam Bock is a member of the marketing team at Relativity, and serves as editor of The Relativity Blog.