Influencing and Informing Non-Technical Business Partners on Security Issues


By Steve Moore.

Curtis Simpson, CISO of Armis joins us to discuss the pros and cons of starting your career in a small organization versus a large enterprise. How can you influence and inform business partners from a security perspective? Why do people believe the CISO shouldn’t report to the CIO?


Curtis likes to say he was born with a keyboard in his hand. Growing up with his father working in IT, Curtis was already coding by age 8. He started his career in large organizations and served in various roles at Sysco over the course of 10 years (including Vice President & Global CISO) before coming to Armis in 2019.


When asked what advice he had for his younger self, Curtis had one answer: stay close to what you enjoy. By spending nearly all of his time playing politics with larger organizations, he gravitated away from what he loves: tech. In large organizations, he had to constantly fight for every morsel of progress and spent a lot of time educating company members on why he was even talking to them in the first place.


The biggest difference between the two? The ratio of time spent in the political realm. In some cases, a decision that could be signed off in 30 minutes takes three months. The ability to balance an understanding of the market and the enterprise is an important aspect of the role, but being a CISO is not about spending all of your time forming relationships in order to get minor decisions made. Instead, it should be about leading teams and learning how the markets are evolving.


A mistake Curtis noted for himself when he was at larger organizations: he was too title-hungry. At smaller organizations, however, there is more opportunity for fulfillment and confidence-building. Smaller teams usually understand their objectives and are very hungry to prove themselves in the market. In the smaller model, you can also continue to discover your interests within the industry.


When asked what irritates him the most about the industry, Curtis points to the lack of transparency. Companies are rarely focused on the right thing because they are rarely honest about what they do and don’t know. This has been a cultural norm, one that the industry must continue to disrupt. While transparency has improved, there are still individuals in the industry who are guarded in their conversations.


One of the most painful elements of Curtis’ career is that the industry has long passed the point where CISOs should still report up through the CIO. In many cases, CISOs are delivering a message to a CIO who unfortunately doesn’t have as firm a grasp on security. As a result, the CISO spends a lot of time creating and delivering a message that can start to fall apart along the way. For example, a CIO may want to paint a different picture for the board, so they will present a less transparent image of the situation.


For Curtis, the new CISO is all about servant leadership. This episode discusses the success and fulfillment of building teams and enabling them to perform at high levels. Teams with an established workflow and culture will follow you through the greatest challenges.


New CISO Podcast

Curtis Simpson - LinkedIn
