Soulful CXO Podcast

Better Yourself to Better Your Team | A Conversation with Bryan Kissinger | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

Don't miss this engaging conversation that covers everything from leadership to diversity, skills-based hiring, and data ethics. You will gain valuable insights and inspiration.

Episode Notes

Guest: Bryan Kissinger, SVP & Chief Information Security Officer at Trace3 [@trace3]

On LinkedIn | https://www.linkedin.com/in/bryan-kissinger-phd-0b75245/

________________________________

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

The show digs deep into the significance of diversity of thought in achieving success, emphasizing the need for a well-rounded team and the value of different perspectives and ideas. Surrounding oneself with individuals who think differently is deemed crucial for success. Unique insights can be gained from those who have learned through their experiences.

Their lessons in being leaders who promote diversity through setting expectations, establishing guardrails, and being available to answer questions foster an environment that encourages diverse thinking by providing opportunities for individuals to approach tasks in their own way, positively impacting others' success.

________________________________


For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

Episode Transcription

Soulful CXO with Bryan Kissinger

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Bryan Kissinger. Bryan is Senior VP and Chief Information Security Officer at Trace3. This elite technology consultancy group provides IT strategy, solutions and services to the world's most admired companies, and empowers organizations to embrace the ever-changing IT landscape.

Prior roles included serving as VP and CSO at Banner Health, VP and CSO at Sharp Healthcare, Executive Director at Kaiser Permanente as HIPAA security program leader and information security leader at Mayo Clinic. Additionally, he serves on Airi CSO Advisory Board and aramis Partner Advisory Board. He's the author of Business Minded CISO: How to Organize, Evangelize and Operate an Enterprise Wide IT Risk Management Program.

Bryan, my friend, it's great seeing you again. Welcome to the show.

Bryan Kissinger: Hey, thanks [00:01:00] very much Rebecca. Good to see. 

Dr. Rebecca Wynn: I have to start out with education background 'cause you're one of the several people now that I know who actually started out in accounting and finance and somehow got into the technology world.

And for you, you got your PhD in technology. Can you walk us through that journey and what led you to the CISO that you are today? 

Bryan Kissinger: Yeah, it's one of my favorite stories actually, because I always tell people you're never sure where you're gonna end up and don't be too concerned about what you end up majoring in and graduating your undergrad degree.

And but I did, I did go to my undergrad and get a finance degree. I thought I was gonna be an accountant. I did spend a little stint in the financial services world. And then I saw the light. I ended up spending some time in the military.

And when I came out of the military, they actually recruited me at Arthur Andersen, so [00:02:00] that dates me a little bit. But they wanted to turn me into a technology risk consultant and I didn't really know too much about it. So I went on a self-education journey, both from studying and taking certifications. And then as you mentioned, I finally ended up using some of my GI Bill money from the Navy to go ahead and get a PhD in Information Technology Management.

So I was already learning on the job, but it was very helpful to have the formalized education to back that up. 

Dr. Rebecca Wynn: Thank you for your service. Absolutely appreciate that. Because you mentioned the military, did you do anything in the military that was technology or did you do something else? 

Bryan Kissinger: So I was a surface warfare officer, which means I drove ships around and got to do some pretty fun, exciting things on Western Pacific deployments and whatnot.

But what's so funny is that my last job, [00:03:00] and again, I'll be dating myself here, was to work on Y2K conversions for our command. That was really my first foray into technology and believe me, when I was in the Navy, it's when email was new. The internet was pretty new in the mid nineties and so I really didn't know much about it.

So the Navy actually sent me to a Microsoft training school to learn the basics of the Microsoft operating system and things like that. So that was really my first experience working with technology. And it's funny because today it's ubiquitous, it's everywhere and you learn through osmosis.

But back in the mid nineties, early two thousands, you had to be deliberate about learning technology. 

Dr. Rebecca Wynn: Just curious. So I did a lot at Fort Gordon. Obviously that's the Army, DoD, but I also did the Naval Postgraduate School. What school or training did they send you to?

Bryan Kissinger: It was [00:04:00] a local training that was held by a local university out in Coronado.

I was stationed out in San Diego. So I didn't go up to Monterey or anything like that. It was much more, I would say, bare bones and in the trenches. So they said, here, read these books. Take these exams and we'll have a proctor for you. It was more along those lines.

Dr. Rebecca Wynn: It's interesting how many people I talk to who, we started back then and we started to where you had to read the manual and you had to the school of hard knocks. I come from polytechnic schools, so I'll tell you, show you now, don't 'get err done'. I think that's really worked really well in my career.

It made me a great hybrid. Do you find that yourself too? That helps you being technical but very strategic because you had that hands-on experience. 

Bryan Kissinger: Yeah, absolutely. And I'll even go back to my experience getting a business degree. I've always felt myself a business leader in addition to an IT leader, and [00:05:00] I think that's a good mix to have.

Because oftentimes IT leaders get stereotyped into this: I used to be a system administrator and I rose up through the ranks, but I don't know anything about anything except IT. And so I think the more well-rounded experience you get, whether educational or on the job training, the better.

And back in the day there was no study manual for the CISSP and there was no way to really learn your profession except to do it. And so one thing that's been successful in my career is I was always a self-guided learner.

I'll never forget the first thing I ever did when I first got outta the Navy was I went to a Cisco IOS bootcamp that I paid for outta my own pocket. It was like $800. I thought that was like the most expensive thing ever, but I went for a week [00:06:00] and I learned how to program and troubleshoot Cisco routers, and it was pretty random. But I'll tell you what, even today some of that technology and some of that terminology hasn't changed.

And I just went from there, self-learning those different types of technologies.

Dr. Rebecca Wynn: It's amazing how some of us have those stories. My first one was with Dr. Eric Cole doing the SANS GSEC course, which was way more money than I made in a month, but I found myself just being there day and night. Luckily was down from my house so I could go down to the hotel, but I pretty much stayed there 16, 18 hours because not only did we have this fast learning environment, but we had so many people around us who just had a thirst for knowledge and sharing and getting on the computers and showing each other things.

I think that really is missing in today's world quite a bit. Do you see that as well too, that's missing with the [00:07:00] exams being out there? I know we talk about that on LinkedIn quite a bit, but I miss that hands on, just 'getting err done', getting in the room and just having these great think tanks.

Bryan Kissinger: Yeah, I personally, I do find it challenging. When I came to Trace3 four years ago, I was joining already a remote workforce, and that was prior to Covid hitting. And I struggled because I'm a water cooler guy. I like to walk around the people's desks and chitchat and stand in front of a whiteboard and think about things together as a group.

But like everything, and probably like a lot of us, we adapted and we got used to it and now I do a lot of things virtually. But we do engineer in together time. I was just, Trace3's headquarters is out in Irvine, California and I was just out and those of us in the office of the CTO leadership team got together in person,

did a whole day of strategic [00:08:00] workshopping, had dinner together. And so I think you have to be deliberate and take some of those times to get together.

Dr. Rebecca Wynn: One of the things I find challenging right now as a CISO when I talk to other CISOs is a lot of times the companies don't know what they want us to be. Being strategic to them a lot of times it's being tactical and just putting a bandaid on it. And when we look at budgets and roadmaps, they're like, yeah, but how am I just gonna fix today? Do you find that when you speak to other CISOs too, where you know, do you want me to be a security engineer or do you want me to be a strategic thought leader where I can take you to 2025, 2030?

Bryan Kissinger: The frank answer is that I see it across the spectrum. I think it depends a little bit what company you're working for, what industry you're working in. I've met some very technical CISOs and they're perfect for the company that they work for and the industry that they're in. They make me look really dumb.

And then there [00:09:00] are CISOs that work for other companies and industries where it's more important that the security strategy, the IT strategy supporting the business outcomes, the mission of the organization itself, and that takes a different kind of leader. I do very much endorse having a business-minded approach to IT and to security.

But I don't think that there's a wrong type of security leader. I think it depends on what the senior executive team, the board of directors, what are they looking for? And sometimes it depends what evolution the company is in. If you come into a very mature security program, you can probably be a bit more strategic, a bit more business minded.

If you come into an organization that has historically not focused on security tooling and what needs to happen from a technology perspective, you probably need more of a technologist and someone who's a little more technical that [00:10:00] can get you to a certain level of maturity.

Dr. Rebecca Wynn: So you mentioned being business-minded, what is being business-minded in a technology or as a CISO? What does that really mean? What do we need to do to become business minded?

Bryan Kissinger: What it means to me is before I even take a CISO job, I do a lot of research on the company and the industry.

What do they do? So I spent a lot of my CISO time in companies, in healthcare organizations, and I think it's very important to understand what the mission of those organizations are. Where are they focused, what are they looking to serve the community. And when you come into that job, I think it's really important to craft and design your security program in a way that's gonna fulfill that mission.

And I'll give you a quick example. It's easy to say no as a security person, you can just say you're not allowed to do that. But I always try [00:11:00] to say yes, especially in a healthcare environment. You're working with doctors and nurses and other clinicians and they're out there really doing important work, saving lives, making people well.

This is not making widgets. This is like dealing with real human beings. And I would think long and hard about how I could make their jobs easier and take some stress off of them. And as a clinician running around from pod to pod and from floor to floor, let's say in a hospital setting, they were spending any time between three and five hours a week logging in and logging off of systems in different locations.

So my team and I embarked on a journey to get them prox card single sign-on access so that we could enable every system in the hospital setting to log them on and log them off just by simply holding their prox card up. And then we had a bunch of other controls around [00:12:00] it, like how long it would stay logged in and things like that.

But we estimated, and we proved this out after walking and spending time with the clinicians, that we were saving them hours a week in signing in and signing out, and we actually made the environment more secure. So when I think about business minded, I think about how am I helping the business run more efficiently and help my business colleagues be more successful?

Dr. Rebecca Wynn: Another example along those same type of lines, especially when you talk about healthcare, because saving life will come first, always will come. I did several hospitals. Where are those doctors? Where are the nurses? Where are they located? And one of the things I was able to do is put basically with permissions, a geolocation tracker around the landlord, for example.

And so I was able to do is actually be able to, be able turning on systems as they actually went ahead and got to those critical areas. And also being able to go ahead and help them navigate. Who was closer as a doctor or as a [00:13:00] nurse to actually get there. Now, it's one of the examples about how you can think about security and privacy and compliance and availability, but also think about getting them to those critical systems as quickly as possible.

Bryan Kissinger: Yeah, I used to I spent a lot of time with the HIPAA privacy and security role, obviously working in healthcare, and at the end of the day, it's about taking care of the patients. So again, it's keeping the business. What's the mission of the business in the forefront of your mind? 

Dr. Rebecca Wynn: One of the concerns with healthcare right now is basically during 2020, 2021, let's face it, hospitals were over inundated. Had a lot of patients and stuff along those lines, and being able to upgrade from legacy systems had to take a backseat.

For obvious reasons, but now what we do is we see a lot of hospitals or there's mergers, acquisitions, legacy systems. All those upgrades are actually happening right now, but at the same time, there's been layoffs, cross technology. [00:14:00] How can you advise people to managing that efficiently? You're short staffed and you don't wanna get burned out and you don't want your staff to get burned out.

Bryan Kissinger: Yeah. So a couple of things. Fortunately the technology is really evolving quickly and with artificial intelligence, machine learning, things like that,

we're starting to be able to close the gap a little bit on the security techno talent shortage that we have using some of this technology. But what I tell most of our customers is, hey, it's difficult to find a specialist in every piece of technology that you want to implement.

Sometimes you just needed a third party to come in and you might need help for a couple of months implementing a new technology that you're not familiar with. You're probably not gonna go and hire someone full-time and pay them benefits just to spend a couple of months installing a new set of systems.

So oftentimes the most [00:15:00] efficient, cost-effective way to do that is to look for a partner to help you do that. And most organizations already work with a number of partners and so I think it's probably just selecting the partner you're most comfortable with and the one that has the most expertise in what you're implementing.

I am excited about automation and how we're gonna be able to probably get a lot more work done with fewer people. Not that I wanna put people out of work, but we've already got a huge talent shortage. So if we could just shrink the shortage of openings that are out there, I think that'd be a win.

Dr. Rebecca Wynn: Yeah, I think I tell people one of things that it's shifting. It's shifting humans away from some of the mundane tasks into the higher educational task or a critical thinking task. That's what I see. I tell people, just because something's in ChatGPT or open AI doesn't necessarily mean it's correct.

It's based, as I talked with Chris Roberts the other day on my [00:16:00] show, it's really based on a data. It's not even Data Lake, he called it a Data Swamp. And you have to be able to get through that information very quickly, and you need humans to do that. So I tell people, it gives you an opportunity to shift

into those other roles. Part of that, it could be AI engineers, it could be AI validation engineers, could be AI security engineers, how to be able to write scripts, things along those lines. Is that what you see as well too? Is seeing

Bryan Kissinger: Yeah. 

Dr. Rebecca Wynn: A shift in skill sets to where you can actually get to the thinking aspect of a human.

Bryan Kissinger: Yeah, there's still a lot of manual labor that takes place running a security program, whether it's provisioning and deprovisioning access, whether it's chasing down alerts, whether it's ticketing, whether it's remediating systems that need to be remediated, patching, all of those things historically up until very recently have been pretty manual, labor focused, and so I'm excited to see a lot of that be able to be automated. [00:17:00]

But there's no question in my mind that the human being, the person, a person or people need to be there to provide oversight, to make critical decisions with data that's presented to them. I don't think any of us feel comfortable with 100% automation. So I agree with you.

I think it's an opportunity to uplevel skill sets. I think it'll create new jobs, as you mentioned, some of those titles. And at the same time, it'll take people and give them an opportunity to think more strategically, do things that are less manual and more in advancing the mission of the organization.

Dr. Rebecca Wynn: From a business continuity or even from an enterprise risk management, are you doing anything about AI acceptable use and how that's being, how that's used? Because I tell people you might be able to control what's on your system, but because so many people remote, you can't control what other systems might [00:18:00] be open at that point in time and phones and things like that.

So how do you see that being handled in healthcare? 

Bryan Kissinger: I think that we all know that if somebody wants to do something bad, they'll do it. The malicious insider or the bad actor who has access is practically impossible to prevent. So I think it's our job as security leaders to provide guidance and leadership around this.

It's great timing. We literally just published our AI acceptable use policy. There's a lot of excitement around it and you don't wanna tamper down the passion that people have for using this technology and using it for good. There are a tremendous amount of things that are gonna happen that are gonna be great because of this, but I think it's up to us as leaders to put the guardrails in place, set the expectations, answer questions.

And if folks are gonna do bad things, they're gonna do bad things. [00:19:00] But at least at that point you've given them member opportunity to do it the right way.

Dr. Rebecca Wynn: I tell you that one of the things that really does scare me, I think more people think at times from their own perspective on I wanna do this just to 'get err done'. Yeah. Versus holistic. Look what can be happening from a worldwide perspective by putting data in there.

So you talked about having an AI acceptable use policy. Hopefully it's not thou should use AI respectfully. I've seen that in a couple of 'em. I said it doesn't do it, but how have you addressed that per training or your people about getting them to really be thinking about what is the greater good? By me asking this or actually putting this into some sort of open AI.

Bryan Kissinger: I think it's a combination of providing guidance, training employees at these educational campaigns around it are extremely important. And then controlling it where you can. I know [00:20:00] some organizations that have such sensitive data that they are just completely blocking ChatGPTs and other sorts of AI technologies.

They're just not allowing it to access any of those resources. And you can do that. It just depends on what spectrum of functionality and security you want to provide to your end users. But it's a personal decision, I think, around organizations: what's the return on investment by allowing this versus what's the risk?

And we make those kind of decisions every day, right? We decide how much functionality we're gonna allow to our end users regardless of where they are and how much we're gonna control what happens using technology. So I think it's all of the above. Bad people are gonna do bad things

no matter what. And generally good people follow the rules and try to do things. Now people make mistakes, that's what makes us human. [00:21:00] But to the degree that we can put some backstops in place with data loss prevention controls, there's a lot of enthusiasm around secure browsers these days

that kind of containerize an entire session. So there's a lot of things that you can do to think creatively to allow functionality and use of these systems to happen. But it takes more work than just saying no.

Dr. Rebecca Wynn: Because you brought browsers, I'm always Dr. Ann Cavoukian, Privacy by Design and by Default, is a lot of the browsers now are building in, and some of the email programs are building in AI.

Instead of having you opt in, you are in and, you don't know where that data's gonna go, and you don't know how they're reading it. And what I find when I go ahead and consult with companies, did you read the terms of service? Did you read the privacy policy? And they're not reading that. They're not seeing where that data's going.

That ends up going under enterprise risk management. So as a CISO, I'm always a trust officer working with legal, things along [00:22:00] those lines. So that's when we talked earlier about technical versus strategic. CISO roles have to evolve more to be holistically along those lines, is that what you see as well too? It's those risks are gonna get you nailed in GDPR, other fines along those lines, and potentially lose contracts.

Bryan Kissinger: Yeah, I attribute a large part of my success to the people I've had around me in my career. I think it's very important to have a well-rounded team around you.

And make sure that you're not always thinking the way that somebody else is thinking. And so that diversity of thought I think is really critical to success.

Dr. Rebecca Wynn: I agree with you. One of the things I think too, diversity of thought is really being very mindful, because you and I are very educated, both of us, but there's people out there who are very learned.

They have learned because they've been in the trenches and doing it. We have to get all this bias that you have to have a college degree to actually get [00:23:00] into the field instead of looking into see what the person has actually done.

Not butt in the seats. Hands on keyboard has done, what have they written? What have they been a part of? And looking at those type of skill sets, is that what you see too? Is HR in our field and technical partners has to expand more than thou must have a CISSP. Thou must have a college degree, or we won't even look at you and your resume coming in.

I always like to look at every resume gets kicked because that's where I find my golden nuggets. Is that what you find as well? 

Bryan Kissinger: Yeah, I'm not a guy that says you need to have as much education as me, or I'm not gonna hire you, kind of thing. Frankly, I value work experience, work performance

ahead of that. Today you can be a 4.0 college student, but not have a work ethic or have the passion and drive to do this job. We work long hours. A lot of it is thankless. So I like to see people that have a track history [00:24:00] of delivering results,

a passion for the field and that are complementary to the skills and capabilities that we already have on the team. It's more about what is the whole package of the person.

Dr. Rebecca Wynn: Yeah, I agree with you. My DoD experience, six years of doing well over 450 assessments. I quit counting. And then those might have a hundred assessments each. I did more work in six years than most people will do in multiple lifetimes. So part of it is looking to see where they did that versus maybe somebody who worked with one company, they did one assessment a year.

It's what you do in that year that is more important than anything else. 

Bryan Kissinger: Yeah. 

Dr. Rebecca Wynn: Just sitting and collecting a paycheck is not necessarily gonna take you to that next level, at least anymore.

That's what I see. I wanna know exactly what they did on the project and walk me through it. 

Bryan Kissinger: Yeah. And I've had several [00:25:00] non-technical people that were part of our security team who expressed a desire to become more technical and become a security person.

And of course we encourage that. We start them off doing some shadowing. We mentor them, we give them homework. I always think to myself, you're gonna find out how motivated somebody really is if you say, hey, go out and study for this exam or go out and learn all these things and let's come back and have a conversation.

And if they go and do those things, that tells you that they're self-motivated and that's what you need. And this one gentleman in particular, he did that for about six months, got a baseline set of security knowledge, and we moved him into our governance risk and compliance team as a consultant.

And he did that for about a year and was just recently promoted to senior consultant. So this guy is well on his way to becoming a security professional. [00:26:00] And a year and a half ago he really didn't know much about technology or anything about security. And I love those stories. I think that's the way to really climb the ladder, if that's what you want to do, and be successful, is to show the people around you that you're willing to put in the effort to educate yourself.

And it's sometimes you gotta do two jobs at once, right? To be able to pull that off. But if you're not willing to do that, if you're not willing to invest that time in yourself and your professional development, why would somebody else do that for you?

Dr. Rebecca Wynn: I agree with you. I think one of the things too that's a harm today is people are aspiring to be a title.

And I've always said, don't aspire to be a CISO. Aspire to be the best cybersecurity professional that you can be and good things will happen, and your career will lead you to where you're gonna be happy. Do you find that as well too, because I'm always curious about how people have sustained their resiliency and you've gone through multiple organizations, but [00:27:00] you've always sustained your resiliency.

Bryan Kissinger: Surround yourself with great people. That's one thing. But I agree with you. I was fortunate to be given the opportunity to have my first CISO role at Sharp Healthcare. The CIO at the time took a chance on me.

There were like 19 other candidates and he said, I've got people that have been CIOs and competing for this job, why should I hire you? And I gave him the same sales pitch, is that I'm a business-minded guy. I am gonna help the company achieve its business objectives while doing it in a secure way.

And all of those things. And I think if you truly go into an organization wanting to better yourself, better the organization, better those people around you, you're gonna be successful. I always try to lift people up. I don't, I would not take any pride in having my own success without the success of the people around me.

And [00:28:00] so that's the nugget for me, is give people opportunities, treat 'em well, help lift them up, help them get to the next level if that's what they want to get to. There's also a lot of people who are perfectly happy doing the job that they're doing, and I think you just embrace that.

And you just try and help people achieve what they wanna achieve in their careers.

Dr. Rebecca Wynn: Bryan, our time is running short, what's the best way to reach out to you for speaking engagements, things along those lines, and to learn more about your company.

Bryan Kissinger: Sure. Rebecca, first of all, thank you for having me. This has been a lot of fun. The time has just flown by. I think we could probably talk for hours, but anyone's welcome to hit me up on LinkedIn. That's really where I do most of my professional networking. My email address at Trace3 is just bryan.kissinger@trace3.com.

You can go to Trace3 website. There's a tremendous amount of information out there [00:29:00] about what we do as an organization. And other than that, I do have a website, bryankissinger.com. So if you feel like trolling a website, you're welcome to go there.

Dr. Rebecca Wynn: Bryan, you are a Soulful CXO.

Bryan Kissinger: Thank you very much. So are you. And I'm happy to come back anytime.