Soulful CXO Podcast

What Do You Bring to the Table | A Conversation with Bob Turner | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

The art of knowing when to speak up, when to listen, and when to engage.

Episode Notes

Guest: Bob Turner, CISO & Cybersecurity Advisor

On LinkedIn | https://www.linkedin.com/in/bob-turner-9936993

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________


Episode Description

As we progress in our careers and assume higher roles, it becomes essential to keep our hands in our pockets, figuratively speaking. This means being mindful of our words and considering their impact on those around us. Thoughtful communication fosters a positive work environment and strengthens relationships with colleagues and team members.

When speaking to our team members, valuing their opinions and thoughts is crucial, empowering them to bring their expertise to the table. On the other hand, when addressing higher-level executives, we should combine our deep understanding of the organization with the authority that comes with our position. Balancing both perspectives creates impactful conversations at all levels.

These takeaways are just the tip of the iceberg!

________________________________


For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast


Episode Transcription

Soulful CXO: Dr. Rebecca Wynn and special guest Bob Turner

Dr. Rebecca Wynn: [00:00:00] Welcome to the Soulful CXO. I'm your host, Dr. Rebecca Wynn. We are pleased to have with us today Bob Turner. Bob is an award-winning Chief Information Security Officer (CISO) serving the education sector. His positions have included CISO for education at Fortinet, where he was a senior-level strategic business and technical advisor, developing security thought leadership and world-class practices for the cybersecurity community and business executives.

He was the CISO at University of Wisconsin Madison, leading the development and delivery of comprehensive information security and privacy programs. His previous experience included managing consultants focused on cybersecurity policy and compliance with the assessment of information systems and cybersecurity inspection for education, healthcare, installation management, and energy clients.

He served in the U.S. Navy for 23 years as an enlisted telecommunications [00:01:00] operator, and then as a commissioned communications information systems officer. He has dozens of published works, is a highly sought-after speaker and panelist, and is on many advisory boards. Bob, my friend, welcome to the show.

Bob Turner: Thank you for having me. This is a great opportunity to have a wonderful conversation with somebody I respect greatly. 

Dr. Rebecca Wynn: Thank you, Bob. 

Bob, your background is really interesting. Your educational background, your military background. Can you walk our audience through that? And then how that led you to be the great CISO that you are today.

Bob Turner: Yeah, in the, Ted Baxter from the Mary Tyler Moore show, it all started in a 1000-watt radio station on the USS Omaha in 1978, 79. Anyway, long time ago. I got my technology chops actually from my dad. My dad introduced me to shortwave radio, CB, single sideband and all those.

And I was always [00:02:00] amazed at how I could sit in the Pacific Northwest and talk to somebody with the right atmospheric conditions in Florida. And so that got me interested in technology, and I had an opportunity to join the Navy right after high school, which was really probably one of the best things I did. And I was remarking to a friend of mine that we both arrived in boot camp shortly after our 18th birthday in the middle of the night, but from there I don't know if we've really ever slept since then because of all the things that have gone on.

I learned technology. I learned to operate within the submarine force, which is really unique because there's operators and then there's technicians on the submarine. You don't have that many spare beds. So I was the operator, but I was also the technician. So I got a deep technical understanding of telecommunications, how information systems worked.

And also just, okay. Sort of the [00:03:00] being always on and paying attention to what's going on. That kind of built my story there. I had a good career in the military, did some great things, served in some important positions. And then time was up, it was time to go and do something else.

And one of my first roles I landed in was another role where I got to get back to those technical roots because, I think in any job, there's a point where, as you elevate in rank or stature within the organization, you have to learn to put your hands in your pockets. And what I learned in my last several years of my career was keep your hands in your pockets and be thoughtful about how you communicate to the people around you, both the people who work for you, work with you and the people you work for.

Just really be careful about how you communicate. So then I got the first job out. [00:04:00] I was actually back in the button pushing again. I got to work on a baseline system for an important experimental facility. So every time they came in and did an experiment, they brought their own things. And then at the end of it, they took their stuff away.

Which was a good deceleration from military leadership. So get back in there. I went in to work with a consulting firm and I got a great opportunity to get in on the ground floor when the military was still trying to figure out if cyber was an adjective or verb. And from there, progressive assignments and understanding risk management certification, how to accredit systems under not only the DoD framework, but then the NIST frameworks that were emerging at the time. Eventually, I got that leadership bug. And I said, I think I'd like to try for this here CISO thing that is going around, [00:05:00] and I applied to a couple of different organizations and I ended up at the University of Wisconsin, Madison.

Where timing is everything, they were ready for me to come in and help them develop a program that was going to be befitting of the university and their reputation. And I got to do that for six and a half years. And then Fortinet came along and said, we have this special position we're creating called the Field CISO for Education.

I saw that as, oh, this is nice. And then when they started talking to me about it, it was not just higher education. It was K-12, community colleges, higher education, research universities, and state and local governments. And so that to me was, wow, I get to really give back to the public sector from the things that I had been given throughout my career.

And that kind of leads me to where we're at today. I am in a position to continue that thought leadership. [00:06:00] I'm in a position to continue delivering great work to great customers. And that's what I intend to do from now until the time that the wife says we've got enough, why don't you stop.

Dr. Rebecca Wynn: You said something earlier when you were speaking about one of the lessons that you learned in your military career about when to put your hand in your pockets, keep your head down, and be wise. I'm going to say a little different, be wise about your words. That's such a challenge today, knowing when to speak up, when not to speak up, when to turn the other way, not turn the other way.

Can you walk us through a little bit more about your process on determining when to engage, when not to engage, when to listen more. That's really a challenge today, especially with CISOs, where at times, we can take a backseat too much when we should have actually spoken up and said what was on our heart.

Bob Turner: Yeah, that's a really great question, and I'll [00:07:00] address it in two ways. First of all, not everything that goes through my head needs to be expressed in public. And that's just because there's a lot of things going on up there. But I really find out that when it needs to be a technical discussion and there are people from all levels of the organization in the room, my job as a CISO is to sit back and let the experts bring what they have in their heads and what they have in their experience to the table, because nothing empowers them more than knowing that I value their opinion and I value their thoughts and I appreciate the skill that they bring to the table. Likewise, if I am talking to the C suite, the board, the leaders in the organization, I should be doing that based on what I know from the people who are working for me and also my years of experience.

But it has to come out as [00:08:00] I'm speaking as an authority with the C in front, or I'm speaking as somebody who just genuinely understands what's going on. I think that you can rack both of them into a conversation at any level of an organization. If you know what's going on, plus you have that authority, that makes it impactful for who you're talking to for the moment you're talking in.

Dr. Rebecca Wynn: You know, one of the challenges for a lot of CISOs right now: a lot of flux, a lot of people changing the positions. And when you're going to that new position, you're inheriting a team that might not be the team that you would hire having those positions. Maybe they actually do not have the years of experience that you need.

But in today's world, a lot of people on this career trajectory, every six months, they want people to keep going ahead and getting promoted. How do you advise people to deal with that? That's one thing that I've seen very inexperienced staff with inflated titles. So they don't know what they don't know yet, but you got [00:09:00] to get the work done at the same time.

So you have to actually change to be a little bit more of a coach and you end up being, you have to be more technical because there's a gap there, but HR doesn't realize that because they're worried about career paths so much and giving people new titles every six months.

Bob Turner: Yeah, I know how the titling thing works.

And I understand how the compensation models work and everybody wants to be on that continual upward trajectory. But sometimes you really have to bloom where you're planted. And I think that the technologist who is a great technologist doesn't necessarily want to speak well in public and doesn't necessarily want to have that seat at the big table.

They have a very special place in an organization and you should nurture them for those skills. But along the way, if you know that they have the potential, you should be coaching. So, some of it is you're just simply having them at the table just for their knowledge [00:10:00] and understanding.

But another part of that is when they get into that technical conversation with senior level leaders, you can help coach them into an answer that is going to help those senior level leaders understand better, in other words, use an analogy. Make it into a business problem that you're solving by doing technical task X.

And I like to work with HR and help have them understand where we're at. And I've been in organizations that didn't necessarily have the job description thing down really well. I've served as a consultant to those kinds of organizations too. And I said, is that really what you're asking for?

Cause you're asking for somebody who knows everything and does everything, but will only talk in authority when necessary. Or you're asking for one or two people to have the knowledge and experience of 12. And when you look at the position descriptions that are out there they have 15 or 16 primary tasks [00:11:00] for a CISO to do.

And I hearken back to some advice I got from an executive at the University of Wisconsin. And that executive said that if you have more than three priorities, you don't have any priorities. So important to understand that in your business, your priority should be keeping the data safe and secure, keeping the systems operating.

And you're doing that by your understanding, your people's understanding, and also the technology in front of you.

Dr. Rebecca Wynn: Yeah, I agree with you when they basically are just doing a dump of the NIST CISO manual out there and saying, you must do all these at all points in time. It makes the job pretty tough.

One of the things I see too is, you and I both came up through School of Hard Knocks. We both went, did different work, certificates at the Post Naval Graduate School and different places like that, hands-on learning day in and day [00:12:00] out. A lot of times now, people go ahead and they Google it, maybe ChatGPT or something like that, and oh, here must be the answer, without necessarily having that broader understanding of where it can affect other areas in the business, where it can affect other architectures that are going on those lines. I call it critical thinking and critical business thinking, but do you see that as well?

Bob Turner: Yeah, so there's really two sides of the conversation there. The first is where do you get your knowledge from and how are you expressing that knowledge in written form, in public and speaking engagements, etc. And the other is, what is behind that? Where did you get the learning from?

Where did you get the understanding? So I had my hands in the equipment when I was young and junior and learning a lot, but I wasn't invited to the adult conversations about strategy and [00:13:00] tactics. Then I evolved up into the, yeah, we're creating the tactics. We're creating the strategy.

And then it was the, and now I'm in charge of it. And that to me seems like understanding where you're at in the strata and understanding also that not everybody has had the same career path, not everybody is on the same journey, and motivations are different between people.

And that's really the understanding humans at the transactional face to face hand to hand level. How do you have that relationship with the CEO? Or how do you have that relationship with a board member? And how is that relationship being nurtured? And what are you bringing to the table to help make that relationship better?

And that's where we get into the, what is the C level anyway? They're paid to make good decisions that make the company continue to thrive. But if the C level leader is [00:14:00] not also all of the above as far as their coaching style, their leadership traits, the way they interact with people, how they, and their opinions versus technical knowledge behind them. That's the important thing that I really like to lean on, is that I have been given that over my career as progressive leadership roles and progressive management roles and understanding that at the end of the day, I have to be in charge of what comes out of my head and I also have to make sure that it's appropriate for the situation that I'm dealing with.

C level is, that's just where it's at. The CXO needs to be able to understand where they're at and be able to do the things that are necessary for leaders to do.

Dr. Rebecca Wynn: And one thing I've seen over, I would say really last year or two, it seems like CISOs [00:15:00] have gone backwards where we were like almost C suite light in several areas.

And now we've gotten shifted way to the left where it's, we want a security engineer who we will give a CISO a title. We want someone who is security operations who will give the title, networking a new title. And I've talked to other CISOs over this past year, probably like 50 of them. And we're all feeling that there is, it's almost like a downshift of our field.

What's your viewpoint on that and why do you think that might be happening? Is it because of the burnout? And so many of us had gotten burnout because we were burning the candle at both ends during 2020 to 2022? 

Bob Turner: You know, I like to treat that era as an anomaly in the way we should be working.

Now, one of the great things that came out is that remote work is popular now and I truly enjoy that. But [00:16:00] what we do and how we do it when you're talking about an organization that is full time face to face. There's a meeting at nine o'clock and then there's another one at 10:30 and then there's another one at one o'clock and you're pretty much saying the same thing at every meeting.

That's a company that is meeting centric. And I don't know if they're really getting a lot done individually, but the collective is obviously working or they wouldn't still be in business. In understanding how to deal with that, how to have those conversations, how to have those executive conversations.

I think that's the CISOs have probably been growing over, like you said, the last couple of years, and let's take it from 2018 forward and let's set the COVID world aside for a second because what we got is we got recognition. We got that opportunity. [00:17:00] And in a lot of organizations, they said the CISO is the authority. And when we have a security issue, when we have a data privacy issue, when we have a technical issue, denial of service, et cetera, we depend upon the CISO to lead the team that's going to get us out of it. And that team is not only just those that are direct downstream reports from the CISO, but it's also everybody else in the organization that the CISO has to interact with. It's HR. It's finance. It's operations. It's the leadership components that are developing things. CISOs should not work for the Chief Technology Officer. I could go either way on whether the CISO should work for the CIO.

But I think that if the C is there, we all have to come to the table with our respective strengths. And that's how we should be acting with each other. We are sliding back in [00:18:00] some ways. And a lot of that is because now that they have CISOs and they know what to do with them, they're rethinking the way that the rest of the company hierarchy interacts with this brilliant person that we've just hired to do this tough job that nobody else wants to do.

So how do we deal with that? How do we get ourselves out of that particular mode and really just be seen as an equal player at the table in the C suite?

Dr. Rebecca Wynn: Yeah, I think it's been a tough task. I have had a good, really, CTO before in my past who was very supportive. But again, availability always trumps when you have that's what you're referring to.

And I have had a very good CIO, but they were very strong engineer, architecture, and things like that, and so they'd listen to me. But I agree with you. I think it's really tough right now if we get embedded deep within IT. For like that ancillary budget for what is the check the box to get us through [00:19:00] PCI or what have you and our voices aren't always heard because they want to run the business and what I'm leaning towards is that how do we balance because this is what I'm seeing with a lot of younger CISOs is I'm playing well with the business.

I'm running well with the business. And so I'm just going to go ahead and put my hands in my pocket and put my head down. And I'm just going to play along when the company is actually taking more risk that's outside of the risk tolerance, the enterprise risk management that they said that they were going to be held to, which is our responsibility to go ahead and let them know you're going out of that risk tolerance.

So how do you advise people to get around that? I think that's also what's causing us to keep shifting to the left. 

Bob Turner: I agree. And we have to be there and we have to be relevant.

We have to take our risk management background and understanding of the fundamental [00:20:00] risk equations. And we really need to make sure that if we see something that crosses those boundaries, we speak up. If we don't say anything, will anybody else? I'd really rather be on the front end of that and build it up and maybe our risk strategy is off.

Let's be part of the team that is fixing that risk strategy rather than motoring along on our own and not worrying if we're steering into a ditch. The risk manager, the slips and falls and hazardous substances person at an organization is just as important in identifying and helping to mitigate risk as the CISO is, as the CFO would be, as any of the other operating units or departments within an organization.

When you're at that level of leadership, it is all about risk at the end of the day. And if we're not managing the cyber risk [00:21:00] as vigorously as we're managing product risk or managing business risk, over leveraging in certain areas or under leveraging in certain areas, then we're not necessarily doing what we're supposed to be doing.

And that is watching out for the business. We're at that level where a lot of the compensation packages are designed on how well the business is doing. So you do have a stake in it. Everybody has a stake in it if they are wanting the company to survive and thrive in today's world.

Dr. Rebecca Wynn: And I think one of the things that also throws a monkey wrench into it is that we, as CISOs, can do jail time.

Bob Turner: Yeah. That whole Wells notice thing, huh? 

Dr. Rebecca Wynn: Yeah. You have GDPR and stuff like that. 

And I'm not saying we have to report into the CEO. I'm not going to get into that. I want to make sure I have the best advocate for me, but we don't have a voice. We can immediately lose our career in a [00:22:00] nanosecond. We don't have those same protections in place. How do you advise young CISOs?

I know you mentor like I do. How do you advise them? I know I've written out there, don't aspire to be a CISO. Getting back to your earlier point, aspire to be the best cyber person as you possibly can be and enjoy what you're doing. And if it ends up being that you go to CISO, that's fine, but don't do that career path that I need to be a CISO because the liabilities for us are getting deeper and deeper.

And a lot of our support structures are getting smaller and smaller unfortunately.

Bob Turner: Yeah, and I would like to think of if the world were perfectly round and I working for the day then every company would build in that fail safe for the CISO. I remember there were certain politicians that were talking about the CIO and the, and or the CEO and CISO should go to jail the next time you're breached, and rhetoric like that, I don't think is helpful, but it's okay to be accountable.

[00:23:00] Especially if that's your role. That's your mission. And if you miss on something, then let's have that moment of accountability. But it doesn't always have to be we're going to haul you away in a different set of bracelets. That's not, I don't think that is helpful.

I think that influences people to do things that are safe versus things that are the right thing to do, and in the world of cybersecurity, anything that causes corporate information to be breached, systems to be compromised, systems to be taken offline at the whim of the adversary and not at the whim of the company.

Those are the things that we need to be guarding against. Those are the things that we need to study to understand how they happen and how we can mitigate the issues that are part of that. But it's also how do we communicate that to the people that need to know and that involves and when I say communicate to the people that need to know that's from the last person hired to [00:24:00] the senior most executives and the president of the board.

That broad spectrum of awareness is really something that the CISO should be taking as a personal challenge and making sure is operating well. We should have that ability and an invitation to talk to the C suite and talk to not only our peers in the organization, but also those senior to us in the organization.

And it also means that the board of directors who are making other key decisions, they need to hear about what we know as well. And we have to be able to present that in a way that it's going to make sense to them and not just be a Charlie Brown's teacher report, the wah in the background.

Dr. Rebecca Wynn: Yeah, the, we'll give you 15 minutes and then you show up 12 minutes, 10 minutes. You got 12 seconds. 

Bob Turner: Yeah. 

There you go. But always have a briefing ready to hand them so they can read it in the car on the way back. 

Dr. Rebecca Wynn: As we go towards 2025, 2030, one of the other things that we see is putting a lot of stress on our field right now [00:25:00] is the fear of AI machine learning. AI has been around since 1950, machine learning has been around since 1960s. We do use AI machine learning in our tools and things like that, but there is a cusp where people are thinking that they need less people like for governance risk compliance, because I can just have ChatGPT write me a policy and procedure. That does not mean that you're having security and compliance and enterprise management by default and by design when you use these tools. How do you feel about that? I think they can really go ahead and do a lot of those mandate tasks that we have.

But if you're thinking that they're going to replace the security staff, I think that's also going to lead companies to danger. 

Bob Turner: Yeah, I agree. And the way I look at it is the AI Revolution, it brings us opportunities, but it also brings us challenges. So if somebody creates that ultimate third party risk assessment [00:26:00] based on what they got off of the internet, and there's no validation of that, is it really an assessment?

The process you go through to do any kind of a risk assessment or any kind of a security statement has to become one of here's the basic information. We put it in this format. Does that make sense? And is it true and valid? And does it help the situation? And I can see that AI is going to also be a great tool for us because, as you said, we've been using artificial intelligence (AI) in the cyber world forever.

Anybody who is using a SIEM or EDR is using AI. And we know that. We know that intrinsically because we have studied what those tools are like, but helping to get that thought across to the rest of the world. ChatGPT is a language model, and it's going to absorb what it is and put it in the, what it sees, and put it in the right order so that it [00:27:00] makes sense to that language model.

It's not necessarily going to be the type of AI that we really need. We need that SIEM with AI. We need that endpoint detection and response capability that is powered by AI derived from indicators of compromise and other signatures that are available, either through our provider or out in the open as it is, as far as you can go find things on the dark web.

But if we're going to focus on the right thing, and that's doing the job and making the company's data as safe and secure as possible, then we have to understand that AI is one of the tools in the toolbox. Machine Learning (ML) is helpful to that because it's going to listen and make adjustments and the programming for that.

And the technology that drives that. That's where we should be putting the focus. Do we have the right technology to build the AI that is going to be helpful? [00:28:00] Do we have the right people that understand that technology in order to build it so it meets the company's needs? And it's not just an off the shelf product.


Dr. Rebecca Wynn: I think one of the dangers is when people go ahead and they think it's set and forget it. 

Bob Turner: You have to have an analyst at some point. And I think that the key skill in any successful analyst is curiosity. So if that analyst can look at that report and say that makes perfect sense to me, everything is in line and there's nothing that makes me curious, then that's probably a good report.

But I would wonder why they didn't light on any one of the many details in that report and say, how did they get that conclusion? And that's the curiosity I want in an analyst. That's the curiosity I want in anybody who has got the title of leader or manager in their job description. And that's where we have to make sure that we are rewarding the curiosity that comes up with [00:29:00] the right questions.

Dr. Rebecca Wynn: Absolutely. Our time has just totally flown by. What is the best way for people to reach out to you for advisory services, speaking engagements, and things along those lines? 

Bob Turner: Yeah, I think the best way is to look me up on LinkedIn. That's the best channel and I do monitor frequently, but not always on Saturdays.

Dr. Rebecca Wynn: Yeah, I do take social breaks on Sunday. I do not do any social media on Sunday. Bob, thank you so much for being on the show. You are a Soulful CXO. 

Bob Turner: Thank you for that honor.