February 06, 2023 · 9m read
Crisis, fish tacos, and beer — a condensed guide for newly hired security leaders with SoftBank CISO Gary Hayslip.
With over 25 years of experience in security across the public and private sector, Gary Hayslip has built a reputation as a strategic CISO, advisor, and prolific author. He joined CEO Ryan Noon to share his background and provide a quick but authoritative guide for new security leaders when they join an organization.
How’d you get into security?
I started with 20 years in the U.S. Navy, gradually shifting heavily into security because I just found it fascinating. When I left the military, I worked for the federal government running network and security teams while also managing audit and risk. During my MBA at San Diego State University, I started working extensively with startups. San Diego has a sizable cyber ecosystem and startup community. People go to the Bay Area to get the money, but they go south to San Diego, where rent is cheaper, the staff is more affordable, the weather is better, and there’s excellent beer and fish tacos. I spent time with several incubators and just loved getting involved with the community.
Eventually I outgrew my role and landed my next gig as the first security hire at the City of San Diego. When I got the job, they had no idea what a security program needed to run. I had to do an assessment, establish our baseline, look at our networks, etc. I talked with the mayor and the city’s attorneys and convinced them to let me partner with six cybersecurity startups in the community to help build out my security stack. I told the startups they could use the city’s networks as a testbed for free for 18 months, and if they needed help with a funding round, I’d talk to whomever they wanted to help get them there. All the companies stayed with me for four years, and one of them was acquired by Webroot after I helped with the due diligence on the acquisition. In the process, Webroot found they needed a CISO, and that’s how I left the city. I had a great few years there as the CISO and eventually moved over to Softbank.
How should an incoming CISO approach building strategic relationships at a new job?
I like to look at it as concentric rings. The closest ring of personnel will be people that you interact with daily. For example, I deal extensively with Risk, Compliance, Legal, and Audit at Softbank. These are the people that I wanted to meet immediately to find out not just who they are so we get comfortable with one another but also how they work, what issues they have, and what audits or new things are coming up. I typically meet with them within the first two weeks to get their insight as I understand what I will need to build or adjust and discover any gaps.
Then there's the second group of people I serve—something in my security program will be a service that will touch them. At Softbank, it's predominantly the Deals teams, so I purposely introduced myself to many of the partners and managing partners on the deals team within the first month or six weeks. These folks also become your champions for many things, so you need to know them well.
The third ring is third-party contractors, vendors, and other people we're interacting with daily to build out our security program. Usually, I'll set up a one-on-one meeting with them and my team to learn how they've interacted with us prior, who to reach out to in emergencies, who my counterpart is, and so forth.
What if the security function was in a crisis before you were hired? How do you stop the bleeding?
It requires a lot of beer and fish tacos! All jokes aside, you’ll need to meet these people face to face and listen to how pissed they are at you and everyone. You’ll need to lay out the issues and what security will do to fix them. They need to understand that security is holding ourselves accountable and working on these issues with the support of others. Transparency is crucial here. I’ve found that bringing the team out from behind the door so everyone can see what we’re working on helps from a cultural standpoint. Then, we can admit when we’ve messed up and share how we plan to fix it. If you start with addressing the issues, then the second round of going out and meeting people gives you a lot more leeway because you’re building trust, and they know you’re working on these things.
What if the CISO is hired in peacetime?
Well, I'm paranoid, so I don't believe in peacetime. If it's quiet, I worry because it's not normal. Adversaries aren't silent. That's why I continually assess our program every six months.
When I brief the board, they know there's an 18-month security roadmap and that I update it every six months, depending on business needs. I'm always looking at where we're at and what gaps we have. I'm constantly testing, and I change technologies all the time. Just because I signed a contract doesn't mean I will be with XYZ for the next four or five years. Vendors have about 12 to 18 months because I'm constantly looking at things. And if it's something solid, platform-wise, and I'm using three or four different services you offer, you'll probably be there a little longer because I've found a good use. But I'm always looking at where I can make changes that make my program better for the organization.
There are very few of us CISOs that sleep well at night. Now, all of a sudden, going to jail seems to be in my job description. You have all these things where you must be on a continuous firm footing. So I don't believe in peacetime.
You're only as good as your roadmap. What questions can a new CISO ask to better understand the risks and challenges an organization faces on day 1?
Typically you'll get your list of things needing fixing that the previous auditors provided. You'll tackle this list of issues since we need to keep the regulators happy, and the board wants this done now. But then you need 30 to 60 days to run a personal assessment. This way, you can establish a baseline, figure out any gaps, and then be able to put together a strategic plan of what you're willing to do moving forward after we get the remediation work done. You'll typically reach an agreement that you're going to be running this in parallel, putting out the fires you inherited while putting together your long-term strategic plan on how you will grow and mature the security program.
What is the most critical metric for demonstrating the effectiveness of a security program to a board? What if someone is joining and has a board-facing role for the first time?
You'll find that some of your peers in other departments have already reported to the Board. Chat with them first. Learn about the board members, including the different characters and the types of questions they ask. Understand if it's a formal process or more relaxed. Are they sticklers about technical data and want to dive into it deeply? Or is it a broader discussion where you'll get 5-10 minutes at the 10,000-foot level? Ask to see previous slide decks so you can understand the format. Get an idea of what you're walking into regarding culture and how the board meetings run.
I have found that they want to look at ongoing threats and risks as well as paid projects and their statuses. Typically you'll brief your management first as well. Make sure you know your numbers inside and out. I can guarantee that one of your board members will dig into that data just because they're curious. You better be able to explain your data and never bullshit any information you put on a board slide. The biggest thing a CISO or a security manager has is your reputation and trust. If you screw that up, you're done.
If you find a strong practitioner on your team, how do you start to grow them into a leader?
Start giving them projects with deadlines and deliverables and where they have to manage a few people or partner with other functions. This helps teach them how to work cross-functionally, work within a timeline, and how to manage that type of stress.
As CISOs, we don't sit in a box. Security is like water. It flows throughout the organization and gets in all the nooks and crannies. So you have to be able to operate cross-functionally.
With security, it can feel like everything is broken. How do you motivate your people?
Break it down into pieces. Get your team to focus on their specific task without overwhelming them with the larger picture. Put together your 18-month strategy and then focus on six-month increments. Within that six-month increment, there may be five or six projects. Work with team members to focus them on their assigned tasks and security stack technologies they own. They don't need to worry about the rest. Focus them on what's theirs and be willing to assist in an emergency.
I brief my team periodically on the larger strategic plan so they know where we're heading. And if things change, I ensure they're informed so they know where they're going and can see the horizon. They know their piece and how it contributes to the larger goal. But I'm managing that goal; they don't have to worry about that. They can focus on the smaller things that they're doing. That's how I was trained in my 20 years managing teams in the U.S. Navy. Give them the larger view, but then make sure they understand how their specific work is woven into the larger mission of where we're going.
I also do touch points all the time with my staff. My direct reports and senior staff get 1:1s. That hour is theirs from a career perspective. We may cover something in one of my books, they may have a question about a project, or we may talk about some new threats that will pertain to us. But that hour is theirs, and I let them run it. I'm there to mentor or assist them, but I find doing the 1:1 gives me a bit of a tempo as to where they're at. I ask about family, significant others, hobbies, pets, parents, etc. Taking that approach helps provide better insight into what's happening and I can back off if I notice that they're starting to stress.
I'm also straight up with them and ensure they know not to lie to me. They know that I handle all the flack from above. But if they break something, they need to own it. In cyber, we break things. Just because you broke something doesn't mean I'm going to chew you out for it. I expect you to be honest that you broke it. And then surprise me! You and your team start researching and troubleshooting to figure out what you're going to do so that we, as a team, can fix it and move on. We break things, and that's fine. But if you lie to me or blame somebody else, you will not be on this team very long.
Lastly: what if an organization can’t afford you? What advice would you give to leadership at small or medium-sized companies as they start to think about spinning up a dedicated security program?
You don't have to hire a senior-level CISO. You need to hire someone to manage security or find someone willing to step up and take ownership of it. Maybe you have a network architect that's decided she wants to come over to the dark side and give it a try being a security engineer or a security manager. Typically I'd start with someone over in IT if I was in an SMB rather than bringing someone else in.
First, I would find somebody that's competent. Usually, it's going to be one of your network engineers because they understand networks, how things are built, and how things break. Next, I'd ask her what she thinks about running security. Then you also need to invest some money in the program to help bring in a third-party MSP with virtual CISO hours and mentorship options to get her started.
As she learns and matures, she builds a team out. You should never have a security manager and a bunch of small analysts. You should always have a team of graduated depth so that if your security leader decides to leave, the team is still in place. That's where you pay for virtual CISO hours to bring someone in temporarily until you find a suitable replacement, whether within the team or externally. One of the biggest things I remind companies of is not to be afraid of someone leaving. I look at it as graduation. They move on, but they've built a team and program. Now you add to it.
This interview with Gary had so many awesome learnings that we had to split it into two pieces. For part 2, check out the sequel here.
And to learn more about Gary, check out his resources including his latest book, The Executive Primer, as well as these LinkedIn articles: