In this edition of CISO Conversations, we discuss the route, role, and requirements in becoming and being a successful CISO – in this instance with the cybersecurity leaders of two major vulnerability management firms: Jaya Baloo from Rapid7 and Jonathan Trull from Qualys.
Jaya Baloo had an early interest in computers, but never concentrated on computing academically. Like many youngsters at that time, she was attracted to the bulletin board system (BBS) as a method of improving knowledge, but repelled by the cost of using CompuServe. So, she wrote her own war dialing program.
Academically, she studied Political Science and International Relations (PoliSci/IR). Both her parents worked for the UN, and she became involved with the Model United Nations (an educational simulation of the UN and its work). But she never lost her interest in computing and spent as much time as possible in the university computer lab.
“I had no formal [computer] education,” she explains, “but I had a ton of informal training and hours on computers. I was obsessed – this was a hobby. I did this for fun; I was always working in a computer science lab for fun, and I fixed things for fun.” The point, she continues, “is when you do something for fun, and it’s not for school or for work, you do it more deeply.”
By the end of her formal academic training (Tufts University) she had qualifications in political science and experience with computers and telecommunications (including how to force them into unintentional consequences). The internet and cybersecurity were new, but there were no formal qualifications in the subject. There was a growing demand for people with demonstrable cyber skills, but little demand for political scientists.
Her first job was as an internet security trainer with Bankers Trust, working on export cryptography problems for high net worth customers. After that she had stints with KPN, France Telecom, Verizon, KPN again (this time as CISO), Avast (CISO), and now CISO at Rapid7.
Baloo’s career demonstrates that a career in cybersecurity does not depend on a university degree, but more on personal aptitude backed by demonstrable ability. She believes this still applies today, although it may be more difficult now simply because direct academic training in the subject is no longer so scarce.
“I really think if people love the learning and the curiosity, and if they’re genuinely so interested in progressing further, they can do so with the informal resources that are available. Some of the best hires I’ve made never graduated university and just barely managed to get their butts through High School. What they did was love cybersecurity and computer science so much they used hack the box training to teach themselves how to hack; they followed YouTube channels; and took inexpensive online training courses. I’m such a big fan of that approach.”
Jonathan Trull’s route to cybersecurity leadership was different. He did study computer science at university, but notes there was no inclusion of cybersecurity within the course. “I don’t recall there being a field called cybersecurity. There wasn’t even a course on security in general.”
Nevertheless, he emerged with an understanding of computers and computing. His first job was in program auditing with the State of Colorado. Around the same time, he became a reservist in the navy, and progressed to being a Lieutenant Commander. He believes the combination of a technical background (educational), a growing understanding of the importance of accurate software (early career auditing), and the leadership qualities he learned in the navy ‘gravitationally’ pulled him into cybersecurity – it was a natural force rather than a planned career.
It was the opportunity rather than any career planning that persuaded him to focus on what was still, in those days, referred to as IT security. He became CISO for the State of Colorado.
From there, he became CISO at Qualys for just over a year, before becoming CISO at Optiv (again for just over a year); then Microsoft’s GM for detection and incident response, before returning to Qualys as chief security officer and head of solutions architecture. Throughout, he has bolstered his academic computing training with more relevant qualifications, such as CISO Executive Certification from Carnegie Mellon (he had already been a CISO for more than a decade), and leadership development from Harvard Business School (again, he had already been a Lieutenant Commander in the navy, as an intelligence officer working on maritime piracy and running teams that sometimes included members from the Air Force and the Army).
This almost accidental entry into cybersecurity, coupled with the ability to recognize and focus on an opportunity, and strengthened by personal effort to learn more, is a common career route for many of today’s leading CISOs. Like Baloo, he believes this route still exists.
“I don’t think you’d have to align your undergrad course with your internship and your first job as a formal plan leading to cybersecurity leadership,” he comments. “I don’t think there are many people today who have career positions based on their university training. Most people take the opportunistic path in their careers, and it may even be easier today because cybersecurity has so many overlapping but different domains requiring different skill sets. Meandering into a cybersecurity career is very possible.”
Leadership is the one area that is not likely to be accidental. To misquote Shakespeare, some are born leaders, some achieve leadership. But all CISOs must be leaders. Every would-be CISO must be both able and desirous to be a leader. “Some people are natural leaders,” comments Trull. For others it can be learned. Trull believes he ‘learned’ leadership outside of cybersecurity while in the military – but he believes leadership learning is a continuous process.
Becoming a CISO is the natural target for ambitious pure-play cybersecurity professionals. To achieve this, understanding the role of the CISO is essential, because that role is continuously changing.
Cybersecurity grew out of IT security some two decades ago. At that time, IT security was often just a desk in the IT room. Over time, cybersecurity became recognized as a distinct field, and was granted its own head of department, which became the chief information security officer (CISO). But the CISO retained the IT origin, and usually reported to the CIO. This is still the standard but is beginning to change.
“Ideally, you want the CISO function to be slightly independent of IT and reporting to the CIO. In that hierarchy you have a lack of independence in reporting, which is awkward when the CISO may need to tell the CIO, ‘Hey, your baby is ugly, late, making a mess, and has too many remediated vulnerabilities’,” explains Baloo. “That’s a difficult position to be in when reporting to the CIO.”
Her own preference is for the CISO to peer with, rather than report to, the CIO. Same with the CTO, because all three positions must work together to create and maintain a secure environment. Basically, she feels that the CISO must be on a par with the positions that have caused the problems the CISO must solve. “My preference is for the CISO to report to the CEO, with a line to the board,” she continued. “If that’s not possible, reporting to the COO, to whom both the CIO and CTO report, would be a good alternative.”
But she added, “It’s not that relevant where the CISO sits, it’s where the CISO stands in the face of opposition to what needs to be done that is important.”
This elevation of the position of the CISO is in progress, at different speeds and to different degrees, depending on the company concerned. In some cases, the roles of CISO and CIO, or CISO and CTO, are being combined under one person. In a few cases, the CIO now reports to the CISO. The change is being driven primarily by the growing importance of cybersecurity to the continued success of the company – and this evolution will likely continue.
There are other pressures that affect the position. Government regulations are increasing the relevance of cybersecurity. This is understood. But there are further demands whose effect is as yet unknown. The recent changes to the SEC disclosure rules and the introduction of personal legal liability for the CISO are an example. Will they change the role of the CISO?
“I think it already has. I think it has completely changed my profession,” says Baloo. She fears the CISO has lost the protection of the company to perform the job requirements, and there is little the CISO can do about it. The position can be held legally accountable from outside the company, but without adequate authority within the company. “Imagine if you have a CIO or a CTO that brought something where you’re not capable of changing or amending, or even evaluating the decisions involved, but you’re held liable for them when they go wrong. That’s an issue.”
The immediate requirement for CISOs is to ensure that they have potential legal fees covered. Should that be personally funded insurance, or provided by the company? “Imagine the dilemma you could be in if you have to consider mortgaging your house to cover legal fees for a situation – where decisions taken outside of your control and you were trying to correct – could eventually land you in prison.”
Her hope is that the effect of the SEC rules will combine with the growing importance of the CISO role to be transformative in promoting better security practices throughout the company.
[Further discussion on the SEC disclosure rules can be found in Cyber Insights 2024: A Dire Year for CISOs? and Should Cybersecurity Leadership Finally be Professionalized?]
Trull agrees that the SEC rules will change the role of the CISO in public companies and has similar hopes for a beneficial future outcome. This may subsequently have a trickle-down effect on other companies, especially those private firms intending to go public in the future.
“The SEC cyber rule is significantly changing the role and expectations of the CISO,” he explains. “We’re going to see major changes around how CISOs validate and communicate governance. The SEC mandatory requirements will drive CISOs to get what they have always wanted – much greater attention from business leaders.”
This attention will vary from company to company, but he sees it already happening. “I think the SEC will drive top down changes, like the minimum bar for what a CISO must accomplish and the core requirements for governance and incident reporting. But there is still a lot of variation, and this is likely to vary by industry.”
But it also throws an onus on new job acceptance by CISOs. “When you’re taking on a new CISO role in a publicly traded company that will be overseen and regulated by the SEC, you must be confident that you have or can get the right level of attention to be able to make the necessary changes; and that you have the right to manage the risk of that company. You must do this to avoid putting yourself into the position where you’re likely to be the fall guy.”
One of the most important functions of the CISO is to recruit and retain a successful security team. In this instance, ‘retain’ means keep people within the industry – it doesn’t mean prevent them from moving to more senior security positions in other companies.
Apart from finding applicants during a so-called ‘skills shortage’, an important need is for a cohesive team. “A great team isn’t made by one person or even a great leader,” says Baloo. “It’s like soccer – you don’t need a Messi; you need a solid team.” The implication is that overall team cohesion is more important than individual but separate skills.
Obtaining that fully rounded solidity is difficult, but Baloo focuses on diversity of thought. This is not diversity for diversity’s sake: it is not a question of simply having equal proportions of men and women, or token ethnic origins or religions, or geography (although these may help in achieving diversity of thought).
“We all tend to have inherent biases,” she explains. “When we recruit, we look for things that we understand that are similar to us and that fit certain patterns of what we think is necessary for a particular role.” We subconsciously seek out people who think the same as us – and Baloo believes this leads to less than optimum outcomes. “When I recruit for the team, I look for diversity of thought almost first and foremost, front and center.”
So, for Baloo, the ability to think out of the box is at least as important as background and education. If you understand technology and can apply a different way of thinking about this, you can make a good team member. Neurodivergence, for example, can add diversity of thought processes irrespective of social or educational background.
Trull agrees with the need for diversity but notes the need for skillset expertise can sometimes take precedence. “At the macro level, diversity is really important. But there are times when expertise is more essential – for cryptographic knowledge or FedRAMP experience, for example.” For Trull, it’s more a question of including diversity wherever possible rather than shaping the team around diversity.
Mentoring
Once the team is gathered, it must be supported and encouraged. Mentoring, in the form of career advice, is an important part of this. Successful CISOs have often received good advice in their own journeys. For Baloo, the best advice she received was handed down by the CFO while she was at KPN (he had previously been a minister of finance within the Dutch government, and had heard this from the prime minister). It was about politics.
‘You shouldn’t be surprised that it exists, but you should stand at a distance and just admire it.’ Baloo applies this to office politics. “There will always be office politics. But you don’t have to play – you can observe without playing. I thought this was brilliant advice, because it allows you to be true to yourself and your role.” Technical people, she says, are not politicians and should not play the game of office politics.
The second piece of advice that stayed with her through her career was, ‘Don’t sell yourself short’. This resonated with her. “I kept putting myself out of job opportunities, because I just assumed they were looking for someone with far more experience from a much larger company, who wasn’t a woman and was maybe a bit older with a different background and doesn’t look or act like me… And that could not have been less true.”
Having reached the top herself, the advice she gives to her team is, “Don’t assume that the only way to progress your career is to become a manager. It may not be the acceleration path you believe. What makes people genuinely special doing things well at a high level in information security is that they’ve retained their technical roots. They’ve never completely lost their ability to understand and learn new things and learn a new technology. If people stay true to their technical skills, while learning new things, I think that’s got to be the best path for the future. So don’t lose that technical stuff to become a generalist.”
One CISO requirement we haven’t discussed is the need for 360-degree vision. While watching for internal vulnerabilities and monitoring user behavior, the CISO must also be aware of current and future external threats.
For Baloo, the threat is from new technology, by which she means quantum and AI. “We tend to embrace new technology with old vulnerabilities built in, or with new vulnerabilities that we’re unable to anticipate.” The quantum threat to current encryption is being tackled by the development of new crypto algorithms, but the solution is not yet proven, and its implementation is complex.
AI is the second area. “The genie is so firmly out of the bottle that companies are using it. They’re using other companies’ data from their supply chain to feed these AI systems. And those downstream companies don’t often know that their data is being used for that purpose. They’re not aware of that. And there are also leaky APIs that are being used with AI. I genuinely worry about, not just the threat of AI but the implementation of it. As a security person that concerns me.”