Have you ever wondered how to break into the tech industry with a non-traditional background? This episode has all the answers!
Guest: Drew Simonis, Chief Information Security Officer at Juniper Networks [@JuniperNetworks]
On Twitter | https://twitter.com/drewsimonis?lang=en
On LinkedIn | https://www.linkedin.com/in/drew-simonis-4893311/
Host: Dr. Rebecca Wynn
On ITSPmagazine 👉 https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn
________________________________
This Episode’s Sponsors
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
________________________________
Episode Description
This is a fascinating conversation with two world-class CISOs sharing their unconventional technological journeys. They discuss the importance of intentionally managing your career and the lessons learned from taking adjacent jobs and even stepping back to move forward. They also delve into the challenges of career progression, the need to support transformation, and those who prefer to stay in their current roles. Join us as we explore these topics and gain insights from our guest's experience transforming and growing teams in today's competitive job market. Don't miss out on this thought-provoking episode!
________________________________
Resources
What's next for Chief Information Security Officers (CISOs) in 2023?: https://www.juniper.net/us/en/the-feed/topics/security/whats-next-for-cisos-in-2023.html
________________________________
Support:
Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo
________________________________
For more podcast stories from The Soluful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast
ITSPMagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
[00:00:00]
Dr. Rebecca Wynn: Welcome to the Soulful CXO, I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today, Drew Simonis. Drew is the Chief Information Security Officer at Juniper Networks. He has practiced information security for over 25 years as an analyst, engineer, consultant, and leader. His prior roles include serving as the Vice President of Global Security at Hewlett Packard, leadership roles at Willis and Symantec, recently acquired by Broadcom, Working in the ISP space, both for IBM Global Services and AT& T, and for several years working on one of the largest Department of Defense networks.
He's an industry expert, speaker and author. Drew, it's great to see you again. Welcome to the show.
Drew Simonis: Thank you, Rebecca. Thanks for having me.
Dr. Rebecca Wynn: Your background is very fascinating because you didn't start out in technology. Can you walk people through what you're going through in college and then how you got on this great road that you are now being [00:01:00] the world class CISO that you are?
Drew Simonis: Yeah, thank you. It's a good question. And I think for a lot of people at that time, it wasn't the traditional path into the technology field that maybe for some exists today. But I think just as much today. We welcome people with non traditional backgrounds. And so I was maybe a trailblazer in that My college studies were more aligned to political science.
I studied international affairs, a lot of military history, just what I was interested in. And one of my hobbies was technology and at the time there was a tremendous amount of demand. It was pre dot com leading into that. And the opportunities were abundant and I was in the right place at the right time and able to begin a technological journey and one that I've enjoyed being on ever since.
Dr. Rebecca Wynn: Now, one thing that you and I discussed prior to the show is that sometimes. Career [00:02:00] paths aren't a straight line. Sometimes you need to go ahead and maybe take a job that's an adjacent job, sometimes taking a step back actually brings you a step forward. Can you walk us through that journey and the lessons you've learned by doing that?
Drew Simonis: Yeah you really have to be intentional about managing your career. And I think if you're not, Then you run the risk of just drifting through it and being buffeted by the winds of change, rather than being in control of your own destiny. And when you're managing your career and you have a long term view, things like steps down or steps over don't really feel that way.
They feel like. Part of the journey to that destination. So like personally I was working in a, very large environment, but it was a public sector environment. And, I wanted to get into the the kind of security industry. I wanted to, be on the vendor side of the equation. And so I took a job at Symantec at the time [00:03:00] and, it wasn't a more senior job.
I think it paid less, not much less, but it paid less. And it opened doors, though and in doing that, it made me have a perspective of our industry that I wouldn't have had otherwise, if I was just a sort of perpetual customer of the security industry, rather than a participant in the security industry, I would have had a much different understanding about the way things worked, how products were developed.
And just having that familiarity enables me later in my career to be able to be a better customer to form better partnerships with my vendors to understand how to ask them questions about where their product direction is going. And I think my leadership journey was enabled by being willing to take a step down in a sense.
I've also taken steps over leaving the technology industry. A lot of people told me that you're going to regret that. It's going to be really difficult to get back in and you're going to find jobs outside of the [00:04:00] technology industry to be boring or uninteresting or whatever. There were all sorts of people who were giving me cautious advice and.
But I took a role ended up being a CISO role in a, insurance brokerage. And I was there for eight years and I learned a lot about risk management. I learned a lot about working in a regulated environment. And, again the steps I took subsequent to that back into the technology technology field were, made much more fruitful by the, by that decision.
So I think you, you have to first and foremost, have a well rounded perspective in order to be useful as a leader. You have to understand and be able to understand different perspectives and different experiences. And it's hard to do that. If you stay on rails, it's much easier to do that. If you forced yourself into those positions and learn from them and really been intentional about them.
Dr. Rebecca Wynn: Now, there's a trend right now that I see where people are trying to grab [00:05:00] people who are, if you're from the technology sector, I'm already going to hire someone technology sector, if you're healthcare, I'm going to hire you from healthcare, if you're financial services, or financial services and things along those lines.
I work four different sectors pretty consistently besides mergers and acquisitions, and I intertwine with all of them equally I think behind the scenes, our job as CISOs, is the same. And if you're a person who's already keeping up with a lot of regulations and privacy and things like that, I seamlessly go in between the two.
How do you feel about that? I don't like the biases that you can't hire someone for financial services and technology because they won't understand because they're coming from financial services. I think that gives us, unfortunately, our knowledge that gets really narrow because we only have like minded thinkers around us.
How do you feel?
Drew Simonis: Yeah, no I agree a hundred percent. I think that there's a lot of risk aversion within the hiring process companies they're just, many of them are just learning about what [00:06:00] security means for them and how a cyber security professional and a cyber security program can benefit their business and really protect their ability to be successful and competitive in the marketplace today.
And if you're approaching something you're unfamiliar with, you're going to be naturally, maybe for a lot of people, a little more cautious and that caution is going to lead you to be afraid to take a gamble on somebody. I think that's a big part of it. And I also think is a, it contributes significantly to the burnout that we see.
I saw a study recently, 84 percent or something of cyber practitioners are experiencing burnout and, I think it's not necessarily the stress of the work because that's been there forever. And I think a lot of cybersecurity professionals enjoy that like, they're adrenaline junkies in a sense.
If you're handling incidents every day, like that's something you're thriving off of, perhaps. I think what maybe contributes to the burnout is the lack of any future. [00:07:00] If companies only see us in that narrow window of the identity that we hold today, and they, don't see us in the same light as other leaders I was talking with someone just today about this.
If I'm in ops or if I'm in sales or if I'm in other things that are a little more core to a business. Record of their understanding of their own business, and I'm a future leader. I might be in a company funded MBA, program. I might be getting executive coaching. I might be going to mentoring programs and all these other things.
I might get a rotation or a secondment to a faraway. place where I can learn about different parts of the business. And those opportunities are seldom presented to cyber leaders. And there are other leaders in the company who are in the same boat that we are, that, that are seen as less future generalists in leadership and more specific subject matter experts.
And so like the more specific subject matter expertise, we are seen as in that context of the [00:08:00] harder it is for people to give us a. A chance to say, golly I don't recognize the general nature of your skills. So if you don't understand regulated environments in, my specific niche, then I'm not going to give you a shot at this role.
And so I hope over time people begin to understand our job a little bit more and understand us as leaders rather than as functional experts. And maybe those things start to change the way people hire and the way they promote and manage and help us manage our careers.
Dr. Rebecca Wynn: I always tell people, I lean on critical thinking, do you go ahead and think through the solution.
Do you think about how it affects other parts of the business, other parts of the industry? Peers things along those lines. And so really at heart. Are you really a true analyst? I think if you do those really well, you'll have a great career. Do you feel the same way that those are to seem to be critical areas?
People always, for example, an engineer and [00:09:00] an engineer is not an analyst. I tell people watch TV. Who do they bring on to explain to you? What's going on? They bring an analyst, not an engineer. And I'm a senior principal engineer and a senior principal analyst. So I just tell people I'm on both sides of the fence myself too.
Drew Simonis: Yeah engineers have the reputation that they do. Analysts can also have some pitfalls, they can be over analytical and I think in both of those cases this concept of your strength can become your weakness and, so that's back to managing your careers like what do I want to be what skills do I have that I need to round out with other skills and how do I develop those and how, Thank you.
Do you have a conversation with your senior leader to say, here's support, I need to round out these skills. This is where I'd like to be in three, four, five years. That's a difficult conversation to have in a lot of places. So being analytical, being able to to look at a problem and see it from all sorts of different angles and really [00:10:00] understand why it is and how it is, tremendously important.
But. But I'd also add to that, that we've got to be able to break out of our own shell and be able to convey that analysis to others in a way that works for them. Earlier in my career, I had a colleague who always was complaining, why is it always our fault when these other people just don't get it?
And I was like because we are the ones who suffer the consequences. And so We have to find a way to communicate to them in a way they do get it. We can't just float something out there and say, this was our best effort, and you either take it or leave it, buddy. We've got to be able to say, you know what, it's important that audience understands my message, and they didn't this time.
I'm gonna have to go back and rethink about how I convey that, and I'm gonna have to re engage with them in a way that's, candid about... Really my own failure to properly convey this message and rather than putting the blame on them for my own [00:11:00] ego and edification. And so it's just selfness self selflessness and just the willingness to be introspective and, analytical about oneself is, another dimension of that analyst mindset that is beneficial to us.
Dr. Rebecca Wynn: I think one of the challenges as well too, is we have. People are so worried right now about career progression I, every six months I got to have a new title and because you're really good technologists, I'm immediately going to throw you into management because it's my betterment. I think if we learn to play to people's strengths and their true love their authentic self, that helps the person who goes ahead and does an analysis and writes a great technical report.
You need those technical reports, especially if you end up getting into lawsuits. It does not necessarily mean that person is the person who's going to write the executive summary. For the executives. And I think that's the thing is, when you try to force people out [00:12:00] of their uniqueness, that's what we see problems as well, too.
Do you agree with that?
Drew Simonis: Yeah, and it's one thing I've really enjoyed about being back in the technology sector.
Both Juniper and my prior employer had A non manager career path that enabled you to rise in the ranks, but remain in your niche. And so there wasn't necessarily that pressure to become a manager because that's my next step in promotion. You could rise all the way up to the vice president level as a, as an individual contributor technician.
And I think making sure that companies have the opportunity for people to do that is, is a need that's far beyond the, tech sector. Like every company is a tech sector company to some degree. We see Clorox, a manufacturer of household chemicals major supply issues as a result of a cyber event.
[00:13:00] You've got to have top quality, technical people to run any kind of business today. And we've got to find ways to make sure that those people have fulfilling careers that don't derail them. Don't force them out of a comfort zone that they don't want to get out of. On the other side of the coin, we have to support people who do want to transform. Caterpillars become butterflies and that's pretty awesome, but some people want to be caterpillars. So you've got to be able to accommodate both. And, I think you've got to be really good at accommodating both and focused on, on becoming as good as you can be.
Dr. Rebecca Wynn: You've been really good over the years about transforming teams and about growing teams. In today's world, it's pretty much challenging in the fact that if you put a job description out there, 2, 000 people apply for the position. People are using AI and machine learning to try and scan resumes, and I know personally I like to look at all the resumes that doesn't show me because that's usually where I find the gems.
How do you [00:14:00] work through that? Because I know that's another frustration on people. Job descriptions are 25 pages long, and it doesn't matter who you are. You can't meet those expectations. So how do you suggest people work through that, as there's a lot of people out there who are looking for the right company for them and their next opportunity.
Drew Simonis: Yeah. I tell the story from time to time. My very first full time cyber position, it was an internal transfer was what gave me some advantage. I could speak to the hiring manager. I knew the team, I knew what they did. And I was looking at the job description and it had a laundry list of requirements.
And then at the end was must be fluent in Portuguese and Spanish. And, at that point I realized. This is a wishlist. This isn't really what they need. If I was on the outside looking in, or if I didn't have the connections I had, I might not have drawn those conclusions and may never have really entered the career field, but that's the key lesson for me is as, a [00:15:00] hiring manager, writing these things is there's not 35 things I need someone to do.
It's not a wishlist. It's got to be a very focused. set of expectations. If you can't get a job down to three things, how is that person going to be successful? Like we talk about burnout. If you roll into work and they say, are you working on one of these 18 things today? Which of those is a priority? You don't have a priority at that point.
You're just being dragged from issue to issue, everywhere you look. So so only not only to support the employee once they take the role, but to support acquisition of employees, you've got to be sharp about what you actually need done. You've got to be honest with yourself back to that analytical mindset.
You have to focus that. I think you also have to be willing to take a gamble. You talked earlier about aptitude and looking for that kind of flexible mindset. I had a great leader at a [00:16:00] prior job whose philosophy was like, if somebody's 80 percent of the way they're good enough. And, maybe they're really a top talent or an up and comer.
You take that risk earlier, give people something to grow into. And, if you don't, what are you giving them? You're just giving them money. And if all you have to offer is money, then you're going to be outbid, you're going to lose good candidates, someone who can pay a little bit more or all that person is going to want from you is money, and when that money isn't coming because of rough time or whatever, they're going to leave looking for more.
If you can show people you're investing in them and helping them become more valuable and giving them rewarding work and a clear purpose, then that's worth money for a lot of people. And those kind of people are the ones you want. I think also once you adopt this mindset of giving people a shot, it enables you to work back in the, into the career path and say, you know what I thought this had to be a senior person, but it can be a mid career person.
I thought this had to be [00:17:00] mid and it could be entry level or early career. And I thought that early career person had to have a college degree or some skill base, but really I can train them. Because the reality is that everything I know I didn't learn in kindergarten I've learned within the last year or two on the job, I learned about what my current employer's trying to do and how they're trying to do it and how I can help what I knew 10, 15, 20, 25 years ago is less and less relevant with every year.
So you're going to have to train your people. That's going to have to be a focus if you want those people to be affordable and if you want some stickiness to their employment. And you want them to have a career path that enables them to grow with you, then taking a gamble and, being clear about what you can gamble on and what you can't I think are two crucial bits of information.
Dr. Rebecca Wynn: I think people forget too, is that we're interviewing the company, they have a position to potentially offer you, but you're giving up, everyone [00:18:00] says 2080, it's usually a lot more than those hours a year into them and are they worth your time if someone is going to go ahead and have a laundry list that no one on the planet can meet, says to me is, are they organized, are they focused, are they going to support me in this position, do they know where they're going, do they know what their priorities are they setting me up for success?
And if not, it's okay to say no and walk away because if you don't, you're missing the people who really can use you. How do you walk through that? Do you do the same thing I do along those lines, research a company? Get that gut check. And if it doesn't seem that they have their ducks in a row, I say no thank you and move on to
Drew Simonis: yeah
Dr. Rebecca Wynn: opportunity for myself.
Drew Simonis: Yeah, it's too dangerous to do otherwise. You know our job over the last three to five years has become so increasingly high stakes that [00:19:00] taking a gamble like that, this company has no idea what they really want me to do, that means that there's a high probability they may not be able to support you in doing it or they might have an argument with you about when you try to really force that prioritization and say, I need to focus here and here. And they say, no, we want you to focus there and there. And those things are hard to suss out in the interview process. So I like to look for companies that know what they want and why they want it. There's three things I always look for.
It's, do you have an interesting problem? That's going to help me be engaged and give me an opportunity to grow as a leader. And as a security practitioner do you have the desire to solve that? It's like a lot of companies out there have problems, but they have bigger problems that are in front of it in the pipeline.
And that's okay but I don't want to be sitting on a cyber time bomb while other issues take the fore. So that's for me a, no thank you. And then finally is do you have the wherewithal? [00:20:00] So, yeah, we want to solve this problem, but it's way bigger than we can do right now. That's also a no thank you.
And you can look at the process as well, what the interview process tells you about decision making within that company is pretty enlightening. Are you talking to 10 or 11 people? Are you being dragged out over a period of weeks or months? If that's the case, how important is it?
And how difficult is it going to be when you have a business case for change, how many people are you going to have to go to? So can that company act quickly in the face of the emerging threats that we're encountering? And if they can't act quickly when they're placing the role, maybe they have some challenges when the role is being executed within too.
Dr. Rebecca Wynn: I agree with you. I tell people I've gone through panels or 16 people, 18 people. If I come on, I think I should have 16 or 18 advocates. That's all I am. If I'm doing panels and people on there, if I say yes to you, I'm saying yes, that I'm going to be fully [00:21:00] in to help you be successful in this corporation.
And that's one thing that you'll hear over and over again as we talk to CISOs and other people who are in the field and other professional technologists, is that you have that whole song and dance before you sign the contract. And once you start the contract, it's does anybody know I'm here? How are you setting me up for success going forward?
And I think that's a failure, not only on HR, but I think failure of us. Giving that person the warm fuzzies. Yes you're, we're inviting you to the barbecue and you're welcome. How do you think that we can holistically do that as a community better, because you can lose those people very quickly because your personal onboarding is crappy and I will call myself out.
I've done it myself too, when I've been over inundated. And if I don't block my schedule out saying I have four hours every day, then I want to go ahead and work with this new hire because I need to set them on the right path.
Drew Simonis: Yeah, I really like the [00:22:00] concept of the onboarding buddy. It's been something I've benefited from in my own career and something that that, people that I'm affiliated with benefit from people on my team. There's people who have been around who know the ropes and who know the politics and who are the players, like who are the real players, not the titular players.
And and, are eager to share that too, that like they're, willing and really supportive kind of people finding them within your organization. And it doesn't have to be in your direct line, right? It can be adjacencies maybe it's somebody in the audit function who's really well connected and can help you become that way to getting that level of support, not just for the first 30, 60, 90 days, but the first nine months, the first year, somebody who you can go to with a question. Like I saw this and it was weird. It didn't make any sense. Help me contextualize it or, help me [00:23:00] with the connection to somebody who can that's, crucial.
And it's free, it's easy to do it's well worth it. And I, couldn't recommend doing so more.
Dr. Rebecca Wynn: And I just tell companies out there, if you're going to set up a buddy, that buddy has to be all in. I've had that happen with companies, and the buddy's I don't have time for you, I'm not going to meet with you, maybe I can meet with you in two months.
That's not a good onboarding experience. No, it's got to be someone who that pretty quickly.
Drew Simonis: Yeah, it's got to be somebody who, like a people person who there's they're out there and not everyone is a people person to your point, like the person who has the best organizational knowledge might also be more introverted.
They might be overworked. They might because of that knowledge, or maybe that's how they get the knowledge is because they're working on so many projects. So you've got to be smart and balanced and say, who's the person who has the right level of insights and connectivity, but also has the desire and time to do it.[00:24:00]
And they're out there that's. I think it's, they're worth finding.
Dr. Rebecca Wynn: You've been a CISO multiple times, bigger organizations, and you might be given compared to some people might be in startups or stealth or medium size where you have your 30 day, 60 day, 90 day, a hundred day, 120 day man.
And I've seen them too. And I've read the books. But there's a lot of people out there that after day one, it's you're supposed to be out to the races. How do you suggest that people deal with that stress and that expectation? Because the one thing that happens is you end up putting in those 18 hours, 20 hours, trying to get err done.
They're used to you to be on steroids all the time. That sometime. Your system is going to not have resilience anymore. And so you're still giving 100 percent of what you can give, but maybe your 100 percent now is the 75%. Do you suggest that they start out on just throttle it back? How [00:25:00] do you think that they should manage that expectation?
Because I know that's a big challenge.
Drew Simonis: It is a big challenge. It's a racehorse challenge. You could go as fast as you can out the gate and wear yourself out. You can wear yourself out in the middle of the race. Or you can save what you have for the big push at the end. And I think there's a case for all of that.
And there's, You know, this is by the time you're in the seat of a CISO, I hope you have enough industry experience that you know, which of those scenarios you need to to be in. I have to make a big splash because I was brought in as a firefighter and there's a big issue I need to really address.
I need to be hitting it and running like you better be finding that out in the interview process. Why are you hiring a CISO? What changed about your business that, that, you're hiring this role now? And, if you have to, I have no problem personally asking for an NDA as part of the [00:26:00] interview process.
Are there things I need to know that will help me be successful on day one? And maybe it is we have a, customer expectation or some regulatory pressure. We want to get our program into a little bit better shape. That's a whole different level of energy that you're going to have to expend in, and that's more mid race.
You're going to have time to plan and prepare, and then you're going to have to get to work and really start shoring up the program. And then there's that execution long tail. But you're going to have a big business case challenge potentially in the middle of that. And then there's the people who need to save up for the big kick.
Like we need help pushing this project over the last mile. That's a different thing. So you really have to know what you're walking into. You have to know why the company has the need that they do, and you've got to have your own sense of awareness about your energy and where it can be most impactful.
And, that comes back down to as well, what jobs you take and don't take some [00:27:00] people are builders and some people are shopkeepers and, if you're not excited about the job of building a program from scratch, you're going to be exhausted by it. Likewise, if you're not excited about the job of, diligent execution and really refining and perfecting and maturing a program, then you're probably not going to be excited.
You're not going to be successful in that kind of role either. So you have to know who you are. You have to know what they want. You have to find that. Back to our earlier points. So many companies are doing this for the first time. They don't know either. They don't know for sure what they want.
And that's why so many CISOs are burned out or failing is because they didn't know, like they took a job to get a title and were excited about their career progression. And they didn't know how to ask the right questions to feel an opportunity out. The company hiring them didn't know enough about what they needed to be able to answer them if they were asked.
And so people are ending up. Using the same words, but [00:28:00] talking about very different concepts. So I think it comes down to just measuring your energy and applying it to the places that are going to be most effective. And I think that's true regardless of company size, just a little harder to sort it out sometimes in, in, smaller companies who are earlier in their journey.
Dr. Rebecca Wynn: Yeah, be true to yourself. And I tell the people out there, if you've been in a situation like that, it's not about you. Try to assume that they had good intentions. You had good intentions they're just not in the place that they thought they were. So that's right. You're going to be okay. Pick yourself back up and learn from it.
Drew Simonis: Yeah. Every opportunity is a learning opportunity. Even if you have nothing but bad experiences, you better be learning from that and realizing okay, these were the things that caused me to have that bad experience. These were the things I did that contributed to that bad experience. I joke, but I was a horrible CISO for years.
Probably because this was 20 years ago and we're just [00:29:00] CISOing for the first time both myself and the industry, there wasn't an established pattern to learn from. And for many people, they're in that boat still. They there's, it's hard to find a mentor that they could learn from, but it's worth trying and reaching out and trying to build a connection to someone who can help you down that path.
Dr. Rebecca Wynn: Drew, our time has totally flown by. What is the best way for people to reach out to you for speaking engagements and learn more about your company?
Drew Simonis: I think the best way to learn about Juniper is, through our website, juniper. net. I'd be excited for people to go there and learn about the networking technology that we sell.
I think it's pretty good. I, learning about me I'm pretty transparent on LinkedIn and I can connect to people there and through there we can share more details if people are interested in, chatting in further depth.
Dr. Rebecca Wynn: Drew, thank you for being on the show. You are a Soulful CXO.