In this episode, we dive into the high-stakes world of cybersecurity with Gary Hayslip, CISO of SoftBank Investment Advisors. With over 25 years of experience, Gary shares how elite security teams anticipate threats, adapt to evolving risks, and implement strategies to stay ahead. Discover key insights on leadership, risk management, and governance to protect organizations in an ever-changing cyber landscape.
Guest: Gary Hayslip, CISO, SoftBank Investment Advisors
LinkedIn: https://www.linkedin.com/in/ghayslip/
Website: cisodrg.com/biographies/gary-hayslip/
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
Episode Description
In this episode of Soulful CXO, host Dr. Rebecca Wynn speaks with Gary Hayslip about how elite cybersecurity teams stay ahead of constantly evolving threats. Gary shares insights from his extensive experience across government, military, and corporate sectors, discussing the critical role of proactive defense strategies, risk governance frameworks, and resilience-building techniques. He highlights the importance of aligning cybersecurity initiatives with business objectives, fostering executive collaboration, and developing a security culture that enables organizations to thrive in an unpredictable digital landscape. With practical leadership advice and real-world examples, this episode provides valuable strategies for CISOs and security professionals looking to strengthen their cybersecurity posture.
________________________________
Resources
Gary Hayslip's books, CISO Reference Guides: https://a.co/d/clcNIBd
________________________________
For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast
ITSPMagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Cyber Wars: How Elite Teams Stay Ahead of the Game | A Conversation with Gary Hayslip | The Soulful CXO Podcast with Dr. Rebecca Wynn
Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn, and we are pleased to have with us today Gary Hayslip. Gary has well over 25 years in information technology, security leadership, risk management, and security risk governance in supporting organizational goals and objectives. He's currently the CISO for SoftBank Investment Advisors. Previous roles include multiple CISO, CIO, deputy director of IT and privacy officer roles for the US Navy, both as active duty and as a federal government employee. He has co-authored books under his co-founded label CISO Reference Guide.
Additionally, numerous other writings such as CIO Review, CSO Online, LinkedIn, CyberWire, Forbes, Dark Reading, and numerous other places.
Gary, welcome to the show.
Gary Hayslip: Thank you. I'm really happy to be here.
Dr. Rebecca Wynn: Gary, for people who don't know your background, you're one of the few people I've met who actually started out with the education and doing cybersecurity.
Gary Hayslip: Yeah. I was in the US Navy, worked in [00:01:00] advanced electronics. My job title was fire controlman. I worked on advanced weapon systems.
And the way the Navy does it is they train you to where you learn the whole system. You could be in school 6, 8, 10 months at a time, learning new systems: electronics, computers, heat exchangers, radar systems. I got fascinated with computers, and more and more I got a chance to work on things and break things, so I just kinda look at it as I already had that need to get involved with computers before I joined the military.
And then the military opened up that spigot and just turned it loose and just let me run.
Dr. Rebecca Wynn: You've talked to this a couple of times, and you and I have talked separately about this, but in today's age we have so many people who are virtual, and you don't always have everybody in the office, keeping our staff engaged and constantly learning.
You and I come from the school of: the more you know, the more you know you don't know. So teach me.
Gary Hayslip: You'd be amazed at how many free resources are out there, even from vendors. I look at my security stack, vendors I'm a customer of, and every time I look at a [00:02:00] renewal, every time I look at bringing in a new technology, not only am I looking at the technology and the professional services to install it, I'm always asking about training.
I'm always asking about recurring training, you know, to make sure that my staff get a chance to actually work on these assets, learn the technology and get educated. I'm always talking with the company where I'm at: hey, what funding do I have for conferences, or what funding do I have for online training?
You know, mentoring and working with my staff: one-on-ones, group meetings when we're together, new technologies, reading and discussing books.
We'll look at different things out there. But the thing with this is that you wanna spend time with them for their professional growth. Because when you have somebody on your team, they're not gonna stay in one place.
They're going to wanna grow, they're gonna wanna learn new things. And you should encourage that. I'm always reading, working on things and doing stuff, and so not only do I try to set the example, but I also encourage them as well.
We put it in our goals that we have for the year. There's always at least one professional goal, you know, that each of us will have [00:03:00] where we're working on a cert, a degree, or we're working to finish certain, you know, classes that we're working on. I let them choose though.
I do try to guide them depending on where they want to go, you know, within their career path.
Dr. Rebecca Wynn: Now, 'cause you mentioned certifications, and that's been a bugaboo of mine for a while now. So many of the certifications end up having tests out there, and I know you and I both are on ethics boards.
How do you go about gauging people when you're interviewing people, putting job descriptions out there, that you're really testing that the people really know the material and not that, you know, let's face it, they just went to some sort of cert farm out there? How do you recommend people weed out for that?
'Cause that's been a real problem in the industry right now.
Gary Hayslip: Yeah, and it's funny you brought that up. Several peers have ranted about this. When hiring, look beyond just the cert piece.
You look at the whole person. I look at career progression, what roles they've been in, what jobs they've taken. I look at involvement in the community: are they involved with different professional organizations?
Are [00:04:00] they taking positions of leadership within those organizations? In volunteering, what are they doing at home? What projects are you working on? You'd be surprised how many times, you know, I find someone, okay, they may not have, you know, the whole list of certs.
They may only have a. But you know, they go ahead and they go to meetups and they go to DEFCON and they're volunteering, you know, at capture the flag events, and they got like three or four different projects that they're doing at home. And that's what I look for is that passion. So sometimes I don't need the cert.
So instead what I need is the passion. And the reason is because we know cybersecurity as a career, you know, you're in it for the long haul. It's a stressful job. You know, it's a lot of hard work. You're continuously dealing with threats and with issues, not just within the security stack, but the IT stack and then the organization itself, the various technologies and the things that business is doing today.
And so, intertwined in business operations today, you've gotta have people that love technology, find [00:05:00] cybersecurity fascinating, enjoy the field and are willing to put up with how rough the job is. It does not get easier the more senior you get;
it does get harder and more stressful, you know, the reason why many of us have talked about self-care and everything, you know, about yourself and for your teams. Certs to me are important because I look for the basics, but I also look beyond that: they may not have this, but they're doing other things and they interview well, and I really think that they're gonna be a good fit for the team.
I try to look at the whole person, you know, when you interview.
Dr. Rebecca Wynn: Those are excellent points. I tell people you need to keep in mind when you have a performance-based exam versus a common knowledge-based exam. Two different types of exam.
Yep.
The one thing I think is critical thinking. If you don't have people who can write well, who can communicate well, forget about it and anything else, unless they maybe want to be in a special area of our field. That really ties into how that builds into our cybersecurity resiliency as building teams, and I know you've written quite a bit in your books as well as in articles about five core [00:06:00] steps on building a cybersecurity resiliency team. That's really important as we go into, you know, the next 3, 6, 9 months when people are looking at, do we really have a good cybersecurity resiliency going on? Do we really have a good roadmap? Can you walk us through that?
Gary Hayslip: Are we talking about the roadmap for building a program or what I do for building a team?
Dr. Rebecca Wynn: Both. When you build a cybersecurity team or strategy, if you're not thinking about your team, your strategy's gonna fail.
Gary Hayslip: Yeah. You know, honestly, it comes from experience.
For me, I do continuous assessment. Even when I do my first, you know, kind of assessment, whether I'm using CIS or whether I'm using, you know, NIST CSF, I'm looking for a baseline, you know, or, like I like to joke about sometimes when I'm talking about boards, I'm just like, how deep is the rabbit hole?
I'm just trying to baseline where we're at, what we're doing well and not well. Then from that, the list of issues, you know, I actually go with it into the other departments. I talk with my peers and I have them help me prioritize, [00:07:00] kind of rack and stack it, and I try to align it to the business.
With that list I then take a look at my teams. I look at what technologies I have in the stack, what current projects I have. I look at the people that I've basically got on my team, what skillsets they bring, not just tech skillsets.
I'm also looking at soft skills too. Who can communicate well and who has issues with that, who works really well together in a team atmosphere and who kind of likes to work on their own. Then you weigh these different things together, and then, looking at your technologies and then looking at now this list of prioritized issues.
Some of these may be projects for new technologies over the next 18 to 24 months, depending on budget and the business. Some may require, hey, we're gonna replace our firewalls, looking for a larger, secure platform.
And this new one that we're looking at, I'm gonna need someone with experience with that. And currently, I don't have anybody. We're an on-prem organization now looking to go into the cloud. The stack's going to shift.
You know, now all of a sudden you're gonna be very focused on IAM and you're gonna be very [00:08:00] focused on data security. And my staff may be focused on traditional endpoint security, and all of a sudden, you know, hey, I'm gonna need some people that understand 2FA, that understand how we're going to go ahead and handle 300 plus SaaS apps, and I'm gonna have to go ahead and assign business owners to them, or audit them.
The security issues and risks are still there, but your stack is gonna change. The technologies you use may shift because you're looking at things differently now. As you go more on the digital side, you go more cloud. That's going to cause you to have to change your team, through training for the change that's coming, or, you know, you do a little bit of each, you know, I'm gonna go ahead and train people and bring on one or two senior people that'll go ahead and lead, you know, these change projects that we have coming up, and then I'll build a team around them. It's a matter of, you know, doing the continuous assessment, partnering with the departments around you that kind of help level set you and keep you aligned to the business, and then they're aware of what you're doing so that as you start the [00:09:00] third piece, as you start moving towards your projects that go ahead and deal with your risk, you don't interfere with the business. Internally you start looking at who you have hired, what you're going to need, who you're gonna go ahead and train.
You start looking at skillsets. The last piece from a technology standpoint is what are you gonna decommission? What are you gonna get rid of? Is there a way, possibly, over the strategic plan you're putting together?
Can we consolidate? Can we remove five different platforms and consolidate to one or two that now provide more services? There are some interesting companies out there now that at one time used to only offer one or two products and now they offer seven or eight, and they're building out these platforms.
That's when you start having this discussion of, okay, I've got my prioritized list. I've been told to go forward. I've looked at my team. I've already kind of, you know, laid out what I'm going to need from a skills perspective. The departments around me know what we're working on.
Leadership knows what we're working on. I've got budget now. How do we consolidate and integrate? How do we get better? And then the last piece is just [00:10:00] understanding this is gonna take time.
You're gonna need to go ahead and do this in increments. I usually do it in 12-month increments, and I'm constantly reassessing. It makes it easier to report where you're at within projects, how you're doing with the resources you have, how you're doing with the FTEs you currently have, and what you're going to need, you know, for the next 12 months as specific projects come along.
They're all intertwined. You don't want to do it behind closed doors. Keep the departments involved, be visible so people know what you're working on. And the reason is, everything that you do is going to impact the business.
You know, unfortunately, we're change magnets. CISOs and security teams impact the business. You don't want it to be negative; you want them to understand the value of what you're bringing, and there may be a little bit of pain as you adjust to something new.
The culture may not like new things, but if you've done your job and they see everything's visible, and they know your team members and they know what you're working on and you've done brown bag sessions and they can see where you're going, they're willing to give you the benefit of the doubt.
They're willing to trust [00:11:00] you that, hey, this may be painful, but yeah, we're gonna do 2FA; this may be painful, but yeah, this new email platform actually does provide us better security. It's those kinds of steps. You gotta get everybody involved, document, and you gotta go ahead and, as you're moving forward, you're continually assessing and you're always reviewing and managing your team to make sure not only do they have the technical resources, but they also have the skill sets and everything that they need to be successful.
Dr. Rebecca Wynn: You know, today, right now the CISO in our structure is in flux. Cloud infrastructure teams who think they should be able to control everything.
You have standard infrastructure who think they should control everything. You end up having engineering who thinks they should control. You have product development who thinks of control, and a lot of times, when we talk about things that used to be underneath us, they're not underneath us. Then you're talking about being a business enabler and you're like, I just got hit out of the blue.
Don't even know what you guys were doing, because we approved a budget and you did something opposite. How do you navigate that successfully? That's the real challenge in [00:12:00] today's CISOs.
Gary Hayslip: You know, and you're right.
The job you and I knew 10, 15 years ago is not it today. It's changed a lot; it's actually a good thing. But the change is coming extremely fast. A lot of businesses are still trying to figure out how to use this role, because when you look at it, cybersecurity is a domain of different types of knowledge.
And when you get an executive coming in who has 10 or 15 years of experience within, they just don't have, you know, experience in training and education in one area. They have a broad breadth of knowledge. And a lot of times organizations aren't really sure how to use an executive with those types of skill sets.
And sometimes they tend to use, you know, him or her for three or four different things, you know, and it tends to scatter CISOs as they try to figure and get their place within the organization as to, okay, this is what I'm actually supposed to be here for, and instead they're like, okay, I'm here for this.
And also this, and also this, you know, and it just kind of grows.
To [00:13:00] go ahead and kind of control a lot of that, I think that, you know, being involved with the other departments, having them in. You know, myself, the way I've done it in the past is I've gotta head in. I've had peers involved with everything I'm working on.
I'm briefing them. I do my monthly security committee briefing where I'll have people from other departments sitting in, so they're aware of what we're dealing with, what threats we're blocking and what projects we're working on. Getting them involved.
Even in the initial phase when I'm doing assessments, I'm having them go through and not just look at it from a security lens, but a business lens, so that I can prioritize what issues I need to work on. They've got buy-in, so they kind of own a little bit of the security program, because they're involved with my team.
Another thing, as a CISO, there are some things that may be better in other departments. When I was at Webroot, I constantly worked back and forth with the VP of Dev, and we had about eight development teams, and I finally decided, okay,
I [00:14:00] can't have a security AppSec team periodically potshot the dev team. The security team is part of dev and the leader reports to me. It's easier to do it that way; now I've got insight. I know what they're working on, but that team is embedded, works with them, does standups, sprints, scrum calls. Periodically I might every once in a while sit in, just so I see what they're doing. But I don't need to control that team.
That team can run. The leader of that team can do one-on-ones, chat, see where they're at, what they need, and periodically sync up with the rest of the security teams to do like larger security training. But you gotta be okay with satellite teams, be okay to go ahead and embed security. My thing is, I'm not worried about managing and controlling the people. I'm worried about managing the risk across the whole business. And if that's what I need to do, that's fine.
You know, I'm more than happy to go ahead and partner with dev or partner with production or whoever I need to, and if we wanna bake security in, when we take a look, it's a lot easier to have the team with them than it is with [00:15:00] me. From a skillset perspective, I can grab a couple of the dev people that wanna learn security, that are actually very knowledgeable, and add one or two FTEs and spin that up.
We can get a quick security team running fast. I can start managing those risks and let that run. You don't need to control it all.
There's specific things in operations and stuff like that that you're going to need to manage. They just basically fall within your area. But there's gonna be things where you gotta be comfortable with where, you know, other departments will have to manage and you just partner with them.
Dr. Rebecca Wynn: That's great. Gary, really appreciate your time.
Gary Hayslip: Thank you very much.