March 14, 2023
An Interview with Softbank CISO Gary Hayslip: Part 2
ICYMI — CISO Gary Hayslip shared loads of advice for newly hired security leaders in part 1 of this blog series: “Crisis, fish tacos, and beer — a condensed guide for newly hired security leaders with SoftBank CISO Gary Hayslip.” In part 2, we dig into learnings from both the private and public sector, why and how Gary started writing, and what he'd change about the security industry.
What can private sector security folks learn from the public sector? How can you drive outcomes in the public sector when you have even less power than a private sector CISO?
Some departments did not want to deal with me. That was fine. I recommend you find early adopters you can work with, champion them, and help them with their projects. You build momentum this way by grabbing early wins for these stakeholders. Slowly you start learning who's friends with who and who can help influence others. Eventually, the more stubborn stakeholders will have a big project with infrastructure requirements such as PCI, and they have no idea what PCI is. That's my ballgame. I need to walk them through it and explain how to get PCI certified. And by the way, that requires auditing their applications. Eventually you become friends because you're helping them with a project. You can wait them out or become an accelerant instead of an impediment. Once you do that, you've got them.
Other teams also need to be aware of what's happening in security, from who you're helping to what projects you're doing. Having this information out in the open has always been super helpful. Start small, learn negotiation and compromise, and understand how to partner to get things done.
Going private was just the next step in my career progression. Webroot had nine product lines, and I was coming in to run the GRC and risk and security team. I got to stand up an AppSec team and work with Dev. Plus, we were international, so I could travel to meet many different dev teams and work with many other departments. I reported to the CFO and the board, where I got to see how a company runs, including the decisions made and the work between my peers and other departments. We also had a committee of some of our larger MSP customers, and I would do a security briefing with them. It allowed me to see how MSPs were run and how they sold our product to customers. It was a fun three years and a good baptism into the private industry.
Eventually, we were acquired, and the parent company did not need another CISO. I worked in product for a bit and then decided I preferred being a CISO. So I consulted for about two months and then landed at Softbank, going on three and a half years now.
Softbank is a totally different industry, and I deal with six international regulators, plus 20 offices worldwide. Every place I've been has had a different infrastructure. I've had to build a unique security stack for each of them. For me, cyber is like water. You have to be flexible. You need to be able to flow and change depending on the business needs. You can't be rigid. I've always looked at it as a business executive that manages risk through technology, people, and policy. Sometimes my executive teams buy that, and sometimes it takes a while for them to understand it. But overall, it's been a lot of fun.
I think a lot of CISOs would want to write more. Why did you start to write books and how do you find the time?
The key is stories. I have found so many times that when I go before a board, even when it was a group of us before Congress talking about the weaponization of AI, you get more done with stories than just facts. I have found using stories helps people relate because they start putting themselves into the plot. Then you can weave in where you're going, what you're trying to do, and what you're trying to achieve.
My whole thing with books was actually by accident. I had started writing articles for fellow veterans about why and how to get into cybersecurity. One day I was at a local San Diego startup incubator event, sitting and chatting with Matt Stamper and Bill Barney over beers. Matt turned to me and said, "All the writing you're doing is really good. You need to write a book." And, of course, I was like, "No, that's way too much work. I have no idea how to write a book." But Bill jumped in, suggesting that all three of us do it together. I think all three of us talked each other into it.
Being on many different keynotes and panels over the years, I always kept a list of questions that were asked. When we started writing, I probably had a list of 500+ questions. So we put all of those together in one big spreadsheet and realized, "Wow, we have about 19 chapters worth of content in specific areas." So we used the questions and mind-mapped out what each of the chapters was going to be on and the specific questions we would answer in each chapter.
We put together a timeline to hold each other accountable and met every couple of weeks. I got into a nice writing flow for about one hour a night. It allowed me to take breaks and not end up angry or pissed off and burnt out. Bill, Matt, and I would always review each other's work, adding critiques, checking for citations needed, etc. We've gotten better with every book since!
Over the years, we've branched out, and we even have new authors coming to us asking to self-publish underneath our publishing house. We've sold books in roughly 20+ countries and about 20 languages.
If you could change one thing about our industry, what would it be?
We need a mandatory program of cyber apprenticeships. Unfortunately, there's no easy way for entry-level people to get into this community. It's extremely difficult.
For companies that have sensitive data or fall under some regulatory regime, it's required to have a cyber apprenticeship program that the government helps fund. I would love the government to have a program like that where they would help fund private industry as well. It allows us to grow the generation of people that we need to replace those aging out, retiring, or burning out. I wish we could build a cyber apprenticeship program where it's a win-win for both business and government.
It's really about an onramp to get them started. With cyber, we're in so many different areas. Even if you come in as an apprentice and work in one area, you're working with all sorts of teams before you know it. What I mean by apprenticeship is that you're not an FTE. Maybe you're in college, and part of your college program is that you have to do this apprenticeship. We need to have an apprenticeship program where you can get that experience so that by the time you're done with your college degree, you have at least two years of experience working in different environments. Now you have a bit more to put on your resume. For us security leaders, we then see someone with some experience who can come in and learn in the next six to twelve months. They already know some stuff, they can already start working with the team, and they get up to speed a lot faster.
To learn more about Gary, check out his resources including his latest book, The Executive Primer, as well as these LinkedIn articles: