Security Visionaries

The Transforming Role of Security Leaders Post-Pandemic with Emily Heath, SVP, Chief Trust & Security Officer at DocuSign

Episode Summary

This episode features an interview with Emily Heath. Emily is the Senior Vice President and Chief Trust & Security Officer at DocuSign. Before her tenure as DocuSign’s Chief Trust & Security Officer, Emily served as CISO for United Airlines and AECOM, held various other technology and strategy leadership roles, and began her career as a fraud squad detective in the UK police force. On this episode, Emily explains why ransomware is the fastest growing risk in cyber security today, how the pandemic affected DocuSign and Emily’s role, and why she predicts CSOs are going to be some of the highest paid professionals in the future.

Episode Notes

“This landscape is changing and it comes to a point where I honestly believe CSOs are going to be some of the highest paid professionals in the future. And it's already heading in that direction. Over the last few years, we've seen a lot of change already, but this is going to be one of the most highest paid jobs in business because it will get to a point that you're not going to be able to pay people enough money to take on this amount of risk.” — Emily Heath

-------

Episode Timestamps:

*(2:40) - How Emily and Jason met

*(3:10) - Emily’s first security job 

*(4:10) - Emily’s current role at DocuSign

*(5:15) - Segment: Taboo Topics

*(6:35) - Paying ransom or not paying ransom

*(8:00) - Other rapid growing risks that people aren’t aware of 

*(10:35) - Segment: Deep Dive

*(12:15) - Careers are jigsaw puzzles 

*(15:05) - Differences and similarities between United Airlines and DocuSign

*(17:35) - The “Trust” portion of Emily’s DocuSign title explained 

*(21:25) - How the pandemic affected DocuSign and Emily’s role

*(26:50) - Segment: Feeling vulnerable 

*(27:55) - Emily’s thoughts on gut made decisions vs. data/biased made decisions 

*(31:25) - Why CSOs are leaving their jobs 

*(37:40) - What retirement looks like for Emily

*(39:30) - Segment: Into the Future 

*(42:40) - Segment: Quick Hits 

 

Links

Emily’s LinkedIn

Emily’s Twitter

Jason Clark’s LinkedIn

www.netskope.com

Episode Transcription

[00:00:00] Emily Heath: This landscape is changing and it comes to a point where I honestly believe CSOs are going to be some of the highest paid professionals in the future. And it's already heading in that direction over the last few years, we've seen a lot of change already, but this is going to be one of the most highest paid jobs in business because it will get to a point that you're not going to be able to pay people enough money to take on this amount of risk.

[00:00:25] Producer: Hello and welcome to Security Visionaries, hosted by Jason Clark, Chief Security Officer and Chief Strategy Officer at Netskope. You just heard from today's guest, Emily Heath, Senior Vice President and Chief Trust and Security Officer at DocuSign. It's been said that you don't get paid for how much you work, but for how much responsibility you have.

[00:00:47] And in today's modern business world, managing risk is a massive responsibility. As cybersecurity threats dominate the headlines, the role of security leads, whether they're Chief Security Officers or Chief Information Security Officers becomes one of the most important functions in the C-suite. They're responsible for safeguarding the data, money and everything else vital to the business.

[00:01:11] The role is anything but easy. And as Emily points out, individuals capable of shouldering this burden are going to become some of the most sought after executives in the world, and Emily isn’t backing down from the challenge. In fact, she's encouraging her fellow CSOs not to either. Before her tenure as DocuSign's Chief Trust and Security Officer, Emily served as CSO for United Airlines and AECOM, held various other technology and strategy leadership roles and began her career as a fraud squad detective in the UK police force.

[00:01:45] But before we dive in and hear more from her, here's a word from our sponsor.

[00:01:49] Sponsor: The Security Visionaries podcast is powered by the team at Netskope. Netskope is the SASE leader offering everything you need to provide a fast, data-centric and cloud-smart user experience at the speed of business today.

[00:02:03] Learn more  at netskope.com. 

[00:02:08] Producer: Without further ado, please enjoy episode three of Security Visionaries with your host, Jason Clark and Emily Heath, Senior Vice President and Chief Trust and Security Officer at DocuSign. 

[00:02:20] Jason Clark: So welcome to Security Visionaries. I am your host, CSO at Netskope. Today I am joined by a very special guest and good friend, Emily Heath. Emily, how are you? 

[00:02:30] Emily Heath: Jason, always a pleasure to see you. I'm doing well. Thanks.

[00:02:33] Jason Clark: You know, I was thinking about this conversation. I'm thinking. When did I meet Emily? Like, do you remember when the first time we ever met was? 

[00:02:42] Emily Heath: God, none of it going back a few years, buddy? Uh, probably I know it was the Security Advisors Alliance in Dallas, right?

[00:02:51] Jason Clark: Yeah. Yeah, it was. Yes. That's what I remember you. Um, you, I remember it was actually at the bar and we both were ordering, it would be. And now we're like, Hey, we just kind of started talking. I think that was probably six or seven years ago. But, um, so getting started, what was your first, tell us about your first security job.

[00:03:14] Emily Heath: Oh my gosh. My very first security job goes way back, 25, 30 years or so I used to be a police officer in England. I was a detective for many years, and this is kind of about the era when you know, cyber wasn't really a thing back then. But computer crime was starting to be a thing. And so I worked in the financial crimes unit and the, what we call the fraud squad.

[00:03:38] And that was the unit that was responsible for computer crime. And it was completely foreign. At the time. I mean, you know, going back in those days, you used to go do a raid on a business or a home, and you'd come out with hundreds of bankers boxes, full of contracts and, you know, documents. And it's just such a turn to see how that now is all translated to cyber.

[00:03:59] But I like to think that from a cyber perspective, that was probably the very first job, um, trying to dissect computers.

[00:04:07] Jason Clark: Well, so, and, uh, and tell us a little bit about your job. And your current role at DocuSign?

[00:04:11] Emily Heath: Yeah. So my job at DocuSign now is a little varied actually. So I'm the Chief Trust and Security Officer.

[00:04:17] So there's a couple of sides to that. There's the usual cyber security related stuff that you would imagine. Security architecture, engineering, security operations, and all of those things. I also have the governance risk and compliance group, I have fraud, physical security, health and safety as well. And then the trust side of the, the job is actually a very customer facing side of the job.

[00:04:40] So DocuSign, as many people know, is a really trusted platform and because we're a part of our customer's ecosystem, security and trust is super important. So I spend a ton of time with customers now, which I love. 

[00:04:53] Jason Clark: I think that's sometimes I continue to have all for every company that is able to conduct.

[00:05:00] Organizations that agree with more data driven economy that is, uh, you know, that the chief trust and security officer being very engaged with. Yeah, we'll call my, I think no arm. So getting, you know, our first kind of segment here is taboo topics. 

[00:05:26] Jason Clark: This segment's about security taboos, misconceptions, controversial. And by the way, you can ask me anything, bring up anything you want to bring up, but you know, the first question for you on this is what do you believe is the fastest growing risk in cyber security today, right? That affects the most companies?

[00:05:43] Emily Heath: Yeah. Got the so many of them. It's hard to choose one. I think ransomware is the one that just brings to mind, just because you think about the monetization of crime, when it comes to cyber, these attacks are no longer just to inconvenience organizations or bragging rights. There's a lot of money in this crime, you know, long gone are the days where somebody walks into a bank with a shotgun and walks away with $20,000 at best.

[00:06:10] I mean, millions and tens of millions for these types of crimes. Um, so I think ransomware, as we're just seeing the beginning of it, it's just, you know, and the more and more you see that companies are paying ransoms, it's just going to proliferate the problem. So it's, it's a trend, unfortunately, I don't think it's going anywhere anytime soon.

[00:06:30] Jason Clark: So it's the new bank robber basically, right? Yeah. So what's your thoughts around, you know, kinda this feeling like this taboo. What do you feel around should companies be paying the ransom or not be paying the ransom? What should legislation be around that? 

[00:06:45] Emily Heath: That's such a tough one. I don't even know what the legislation can be involved in that it's a really slippery slope, right?

[00:06:52] Because there's a cost of doing business. And if this becomes a new cost of doing business, I mean, I'm not advocating for it in any way, shape or form, but you know, every organization is different and until it hits you and until your operations are the ones that are crippled, it's really difficult to say whether or not you should or shouldn't pay a ransom.

[00:07:12] We all know that there's never any guarantee that you're going to get out the other side of it anyway. But if you look at some of the companies recently that have paid ransoms, we're not in the room, we don't, we don't know the impact to their actual business function. And, you know, I just, I'm not sure whether this is going to end up being a legislation issue. It's a business issue. 

[00:07:34] Jason Clark: Yeah. I mean, sometimes, you know, sometimes it can mean lives, right? You know, getting electricity turned back on or getting the medical assistance. You need turned back on that shouldn't be a choice that is made because of, uh, because of a law. Right. Uh, and you know, when you look at it, ransom is obviously a very, very hard problem and we just need to obviously get better at everything.

[00:07:56] I think, you know, curious, like if you think about ransoms, okay. That's one, but what's one that you think is not, people are not aware of. What's the fastest growing risk as a CSO. Right? What do you think's growing that a lot of IT organizations, a lot of boards are unaware of? So ransom's on the news every single day, but is there anything else that you can think of that is a rapidly growing risk that leaders should be aware of? 

[00:08:24] Emily Heath: Yeah. You know that there is a little bit of a theme right now where you're seeing a lot of experienced security professionals leaving the industry. And my fear is that there's going to be a big hole, right? This business has been around for a while, but certainly not to the magnitude that it has been over.

[00:08:42] You know, four or five years or so. And a lot of the security professionals are leaving the industry to go vendor side or they're leaving to go to a VC side, you know, that talent and expertise that is leaving the security jobs is frightening. Don't know how you solve that necessarily apart from, as a leader, you know, it's our job to make sure that we are investing in the leaders of tomorrow.

[00:09:08] And I think as an organization, I'm not sure there's this great organizational awareness to the big talent gap for senior leaders in the security business and really super talented folks who honestly. Moving to the vendor side and moving to the VC and vendor side. Quite frankly because there’s more money in it. 

[00:09:25] Jason Clark: Let's talk about this a little later, because we'll talk about the future, but I think it's, there's more money, but also the CSO job is extremely hard, very, very hard, right?

[00:09:35] And very taxing. I mean, there's many, many friends where they've been like, look, Jason, I've, I've given up my last vacation or I was the best for de Fairman on our RBC. Ready. I was the best man at a wedding. And I had to, I was told either go to the wedding or not, or stay here. But if you go to the wedding, you won't have a job.

[00:10:01] Right. And that's a, that is emotionally taxing. Right? So we, I think we're, we're ending up in this world where the threats are getting worse, the problems getting harder. There's more data than. Right. We've got, uh, we have 57 zettabytes of data in the world. And by 2025, there'll be 175 zettabytes. So I think, as you think about that attack surface growing, and to your point, the people are getting harder to find that is that I love that you pointed that out.

[00:10:29] That is a, I think that's a great unknown. As you just said. So kind of going into a little bit of a deep dive (next segment).

[00:10:46] Jason Clark: Maybe walk us through how, how you pivoted from. And the Cheshire police to, to cyber what talk us through that transition. 

[00:10:55] Emily Heath: When I was a detective, I took a career break for a while and you can take a career break up to three years and, and I did. And, um, the punchline is I taught myself how to code.

[00:11:04] Don't tell anyone. But I taught myself how to code and I actually started my own web design business during the career break. By the time I went back to the police, I realized that there was a big world out there and a world that I really wanted to explore. And so one of my former web clients, uh, actually called me one day and said, Hey, you interested in this opportunity at MGM studios in London.

[00:11:25] And it was working for a startup back in the days when DVDs were a thing, it was a startup that managed all of the DVD distribution and supply chain and inventory management for the movie studios. So I left the force, law enforcement, and did that job. It was not a security job. I did many different areas of IT and technology before I kind of did full circle all the way back to security.

[00:11:48] But, um, I was the lead program manager on a software implementation for the studios. That's how I ended up in the U.S. maybe almost 20 years ago now, um, working with MGM, who got acquired by Sony Pictures. So I worked with Sony for many years. And then ultimately when that little thing called PCI came along and, you know, I'd been running infrastructure teams, PMOs, web design teams and engineers.

[00:12:13] My boss at the time said, “Hey, Emily, you were. You are a cop, when you understand the law, can you figure out this encryption thing and this PCI thing, these laws that are coming in?” So it was really purely by accident that I ended up getting into more of a legal compliance, security type role, but, you know, it's funny how you look back on your career and your life, and you realize that it's all one big jigsaw puzzle.

[00:12:38] You don't realize at the time how one thing leads to the next. And then when you look back, you realize my gosh, I wouldn't, I would not be set up for success in this job had I not done that job. And so, you know, it felt like coming home to me, my experience in technology, coupled with experience in law enforcement and they're two very different things.

[00:13:00] But the skill sets that you bring with you from law enforcement, the skillsets were a lot about people. It was, you're dealing with people from all walks of life. And, and I translate that to the constituents within an organization, right? I mean, we deal with so many different stakeholders from so many different business units and, um, managing to navigate the corporate.

[00:13:22] In the corporate world is very much like law enforcement. You're just managing different characters. So it really did feel like coming home to me. And I took a very deliberate path to choose the CSO route and not the CIO route. I had opportunities a few years ago to go one way or the other. And I chose this route and I chose the right one for me.

[00:13:44] Jason Clark: Um, I’m constantly asked by CSOs, I coach about 15 different CSOs and I'm asked, “Hey, I've got this opportunity to become, you know, the CIO or the interim CIO,” and I actually generally coach them: no, focus on CSO, focus on security as a specialty that is going to grow in increasing importance. And it's, you know, I, I basically tell them that financially, I believe they'll make more or the same.

[00:14:09] You talked about kind of a little bit of your experience with PCI. I have to, I thank PCI for the start of my career as well. It was, uh, the, you know, I was, I was out of the army and The New York Times got compromised and I got the CSO job at The New York Times when I was, you know, 27 years old because they needed to have a CSO title.

[00:14:30] And it was driven by, you know, loss of credit cards and for one other business units. And, you know, I was asked to, I was asked to step in, and then when, when else can a 27 year old with cybersecurity experience and the fact that I had management experience cause I was military, you know, I mean, it's insane.

[00:14:46] Like that would not happen today. A 27 year old being a CSO that quickly. Right. So I think PCI as well. 

[00:14:54] Emily Heath: Yeah. Oh, it's like the people ask, how, how, why did you choose cyber as a, as a career? And I said, I, I didn't choose it. It chose me, definitely twists and turns. 

[00:15:03] Jason Clark: It's been amazing. So, you know, you were the, either the sea.

[00:15:08] So we met when you were the CSO for United Airlines and you know, you get tremendous responsibilities there. Um, what are the, the, the differences and the similarities between that and your current role at DocuSign?

[00:15:22] Emily Heath: So, I mean, at United Airlines, I don't think it gets much more complicated than a huge, big global airline, just the sheer scale and complexity of an organization like that is incredible.

[00:15:35] And obviously it's a much bigger company than coming to DocuSign. So the differences are scale and complexity. Very, very different. However, the types of issues that we deal with are very much the same. And no matter where I go at any company or advice I give to other CSO friends who are joining new companies, I ask myself five fundamental questions, which really doesn't matter which organization that you're in.

[00:16:01] And it really comes down to: what's most important to you? First and foremost, a company like United, what's most important is human life. You're flying people. Safety is number one. A company like DocuSign, we're a very data-driven company. So the agreements that people trust us with are what matter to us the most.

[00:16:19] So what matters most? Where is it? How will you secure it? Where are you most vulnerable and at risk? And how resilient are you when it hits the fan and you need to bounce back? And I think if you go into any new job and ask yourself those five questions, it doesn't matter what company it is. It doesn't matter what entity it is.

[00:16:40] Those five questions are still very relevant because if you understand what matters to you the most, you've got a framework to prioritize the task that's undoubtedly ahead of you. So the challenges are the same, that's the same, same kind of people, same kind of adversaries, um, scale and complexity is very different, but how you run a security program is fundamentally the same thing.

[00:17:06] Jason Clark: Yeah. A hundred percent, right. It's just, it's just different complexities scale was one, but then when you're a tech company, you have a different set and you know, and it isn't harder or. When you said when it hits the fan, I love how you said when it hits the fan. I quickly imagined the scene in Airplane, the movie airplane right here, where the shit literally did hit the fan.

[00:17:31] That was, that's what I put your brother. So look, I love, I love your title, Chief Trust and Security Officer. So, you know, talk to us a little bit about what, what, what additional responsibilities you have and how. You know how this changes the way either your company or your customers perceive you with the word trust in there?

[00:17:53] Emily Heath: Yeah. So, you know, trust to me, the security side is what we all understand. The securing, the nuts and bolts and securing the technology and all those things. When you start layering in this concept of trust, it's about that intangible. It's the relationships that you're building with people. So when we're building relationships with customers, you cannot trust people that you don't know.

[00:18:16] So therefore the time I spend with customers is to build relationships with them because I see it as my duty and my obligation to be completely transparent about what we're doing. I think the foundations of how you built trust, build trust are truly embedded in that. So I'm not talking about just zero trust as a framework or trust as.

[00:18:37] What we traditionally have called trust within the security realms. It goes way beyond that. To me, it really is a lot about the you’ve got to walk your walk. You've got to show up, you've got to be transparent. You've got to be upfront and be honest. And, and it's actually more than just security. So for example, I help also help run our ESG program, the environmental, social, and governance program, because as part of a chief trust officer role, it's not just security. What are the other elements of trust and what does that mean to your organization? So I get heavily involved in topics like D&I. Um, you know, I'm a huge advocate of diversity and inclusion and belonging, as you know, you know, the ESG type programs that any organization runs that all falls under a trust umbrella.

[00:19:26] So it's really broader than just the traditional security, physical security, cyber cybersecurity type realms, because it's about your organization's trust and what that means to your customers, your partners and your employees. So, um, it's something that, you know, we're evolving. Like every other company, I feel very strongly that we shouldn't be using words like trust, unless we know what that actually means to us.

[00:19:51] And that we actually do something about that. This is not just a word, it's a way of being, it's the, not just what you do, it's the, who you are while you're doing it piece to me. So lot to do with the relationships and that spirit of transparency. And, uh, like I said, you can't trust people that you don't know, so, 

[00:20:08] Jason Clark: oh, you present, this is a lot around the purpose of the company, right?

[00:20:12] And you're, you're trying to purposely evoke an emotion from your customers and your employees, right? How are you partnering with marketing to, uh, to make that happen? 

[00:20:23] Emily Heath: Yeah. So we've got, we're actually going through some, uh, branding and marketing right now. And trust is one of our central pillars. You know, DocuSign has been around for 18 or so years, and most people know us for the e-signature and we've evolved way beyond that, into what we call the agreement cloud.

[00:20:38] And now the smart agreement cloud. Trust is a fundamental part of that. And if you think about what people actually trust us with, all of their sensitive agreements, I mean their signatures, for goodness' sake. Like if you can't trust us, who can you trust? There's a, there's a, the such an embedded element of that within who we are as an organization that, as it's been there for, from the very beginning of time for, for DocuSign.

[00:21:04] But, um, we see now how, just how important that is and the fact that we're a part of our customer's ecosystem and we have to take that really seriously. So it's, yeah, it's a lot about the culture and it's a lot about what matters to your organization, but like I said, it's the, it's the who you are while you're doing it pieces as well.

[00:21:25] Jason Clark: So as we've, you know, as this, this unfortunate pandemic has happened for the last 18 months, you know, what, what is, how has this changed and affected your role? And just obviously your employees at DocuSign as they try to engage in performance?

[00:21:45] Emily Heath: Yeah. So from the very beginning of COVID, when that happened, you know, we w we already had a pretty large remote workforce.

[00:21:53] So thankfully we already had the technologies, like the Slacks and the Zooms to support us. So we were ahead of some companies in that respect. However, as we all know, it's a definite shift when you've now got full workforce, who's all working remote on home computers and all those kinds of things. I led the COVID, what we called the COVID-19 Task Force at the time, which was essentially.

[00:22:15] You know, classic crisis response, right? Which is you get cross-functional teams together. At the very outset, we were meeting multiple times a day and we went to daily and then we went to weekly meetings, but it was a way to bring the whole organization together from every department so that we could consider all the moving pieces across our employees and, and customers because you know, much like you and many other companies, we had lots of life events that we had to then transition to virtual. We had to all of the employees to make sure that they've got all the equipment that they need onboarding thousands of people since COVID, we've grown so much, we've onboarded thousands of people, uh, as new employees and all that comes with a lot of logistics.

[00:23:00] So, um, I think this is where CSOs and people who are used to dealing with crisis response are really best suited for these types of, um, uh, these types of initiatives, because we kind of have that crisis response muscle, where we used to bring in cross-functional teams together to organize. And it was just a, nobody asked me to do it.

[00:23:23] I just kind of assumed the role and pulled, pulled the company together and played my part. And you know, my team did an exceptional job as did the rest of the organization, but, uh, it's been tough. I think for a lot of employees, just the same as every other company everyone's got a little COVID burnout, fatigue and zoom fatigue and all those things.

[00:23:43] Um, we're, we're taking this opportunity to really listen to our employees and see what they want. So we're highly likely to have a much more distributed workforce and a more remote workforce moving forward. We're going to be pretty much completely hoteling, so no dedicated desks or offices, uh, anymore.

[00:24:01] And that's what our employees want. They want the flexibility. So, um, you know, we're taking the opportunity to give them. 

[00:24:08] Jason Clark: So I, I, you know, there's no doubt it's been challenging. I've heard a lot of CSOs and even using us as an example, myself and Lamont, our CSO, right. It was a, it was a moment for him to step up.

[00:24:18] He, you know, has helped to lead and has been part of our COVID leading our COVID community. Right. He also leads, you know, D&I as well, just to say that this is, this is our moment to make sure we're embracing and engaging our, our employees. Right to the max we can. I do think like you're right, we have this muscle already.

[00:24:38] And so there, there has been, it's been really good for, I think in the end, like you think about it just, it forget security being able to work from home wouldn't have not, would not have been really possible without IT without digital, without technology, without VPN. Right. Um, without, without cloud here, like how would we have done this?

[00:25:02] We would have had an automated decision of. Or write, or, or, or people will get potentially you have more, have more vulnerability and more deaths. And so I think he has been an interesting, kind of quiet hero in this. 

[00:25:19] Emily Heath: I did so much like, um, you know, as. Uh, society we've been forced to think differently. We would never have many companies would never have taken the steps that they'd take taken.

[00:25:32] If we weren't all forced to be in this situation. And you know, for us, from a business perspective, it's been incredible. Of course, you know, it's been. For our company's growth, but you know, what really struck me at the very beginning of the pandemic was we were literally in the trenches with the state departments and the federal governments to try and move PPE around.

[00:25:54] You still need to do, to do that with a signature. And, you know, it's, there's this kind of common misconception, I guess, that the government agencies move so slow. Well sometimes. Yeah, but when they're forced into a crisis in this way, the work that they did. Uh, and we had a front row seat to that. Our customer support folks were working morning, noon, and night in the trenches with them to get them set up so that they could digitize and transform, uh, their own businesses and kind of these own situations where we had to move equipment around.

[00:26:28] And it forced us all to pivot really quickly. And it's, I think in some ways, many, many companies have leapfrogged that digital transformation because now they see that they can get. 

[00:26:39] Jason Clark: I've seen a lot of my own customer adoption to, to actual DocuSign, right. That was, that's been a big part of their transformation, right.

[00:26:48] Especially healthcare, very, very big in healthcare. So transitioning to our next. Which is called feeling vulnerable...

[00:27:03] Jason Clark: And so in this, in this segment, we're going to kind of walk through kind of what, what are we trying to avoid? What are our vulnerabilities? And just, again, just feeling vulnerable, right? Being, being very open, which we both are already are in this conversation. So let's not have people measure with.

[00:27:17] Right. And they like example starts in the water. Right? I was on vacation just just, uh, two weeks ago. And it was a friends and there was a shark in the water. And, you know, one of the, one of the people were with swam as fast as possible to the lifeguard. Like, so there's a shark, there’s a shark and yelling to the shark to everybody.

[00:27:36] And everybody's looking at looking at this person, and the lifeguard goes, yeah, we have sharks, you know, they don't bite anybody. Um, and it's like, what are you doing? Like, oh my, oh my gosh, like we have to react to this. Right. And it's like, I'm like shark deaths, or like, you know, not a whole lot per year out of six or 7 billion people.

[00:27:56] How much do you think that we are kind of maybe security or IT or making decisions off my gut instinct versus really looking at the mathematics of the risk. Right. Or, or just trying to drive checkboxes. Like, what's your, what's your thoughts on just maybe this issue amongst security in not really w we, we buy product cause everybody else is buying product or doing this cause everyone was doing this versus saying, was that the real issue?

[00:28:22] Is that the real risk? By the way, I just went on the phone with somebody in a financial, who said we're doing segmentation because the auditors and the regulators say we have to, and I think it's the dumbest thing. Because I'm already segmented in the end, at the end point and at the network layer. And I should be doing these other five projects, but instead this is my biggest project my year, because the auditor and the regulator say, yeah, 

[00:28:42] Emily Heath: Yep.

[00:28:42] I can absolutely understand that. I think, you know, as much as we want to be science- and data-driven all the time, that's the ideal, right? You always want to have the data and the facts in front of you. But the truth of the matter is it's not always that tangible. And I think [00:29:00] there are times where CSOs use their best judgment and their experience and their expertise in order to make decisions.

[00:29:11] Sometimes I think that's appropriate, because otherwise, I mean, at some point you've got to make a decision and move on. And those are the things... sometimes you end up looking in the rear view mirror and go, did I make the right decision on this one? Or could I have done that differently? But at the time you don't always have the benefit, I guess, of

[00:29:32] weeks or days or months ahead of you to go collect all that data. And even if you wanted to, it probably doesn't all exist. Right? So there's a reality to the job that we do. It's a little bit of art and a little bit of science, and you have to use your best judgment in order to make those calls.

[00:29:49] I'm always an advocate for using data, because a lot of the time what we try and do is explain situations to people who are not technical, or explain situations [00:30:00] and translate them into operational or business risk, because ultimately that is our job. It's not always that straightforward to get

[00:30:10] data that will point you directly to decision A, decision B or decision C, so there's a little bit of an art and a science in what we do. And, you know, let's face it, if there was a book that you could pick off the shelf that showed a blueprint and how to do this job, we would all love that.

[00:30:27] But the reality is that that just doesn't exist. We're facing new threats and new adversaries and new ways of operating every single day, so you have to use your best judgment. And that comes from experience. You know, sometimes early in our careers we've made some decisions that perhaps weren't the best ones, but we learned from it.

[00:30:44] And the big thing for me is, this is why the security community is really special: because we share things with each other. When our lawyers tell us not to, we share things with each other, because we care about one another and nobody wants to see anyone else [00:31:00] in the headlines. I have never experienced or seen or heard of a community like this one.

[00:31:06] And it really is special. It's something else. That's

[00:31:10] Jason Clark: amazing. No, I agree. There is nothing... We are one, probably because we have a common. Right. And it is tremendous, and it's, in the end, why I think a lot of us love this industry, right, and have not changed industries. So, as we think through this, a little bit to your point earlier, right?

[00:31:32] We talked about this industry, you talked about, you know, part of the risks being security leaders leaving the industry. Why do you think that is? Why do you think they're saying, okay, you know what? I'm going to go do something different. All right, I've done this three times now.

[00:31:50] You know, we do love this industry, but why are they leaving the operational CSO gig? Right? Because it pays well. There's no doubt they can make seven [00:32:00] figures working at the top of their game. So why are we seeing people leave these jobs to go, most of the time, honestly, take less money doing something else?

[00:32:11] Emily Heath: Yeah. And I think it's a combination of what we were talking about earlier. You know, this job has gotten more visibility over the last few years, without doubt. And that's something that you've heard CSOs beg for in the past. And now I think that's all coming to fruition, and there are good sides and bad sides to that.

[00:32:29] You know, you want all the visibility, you want the company to take it seriously. Well, guess what, they're taking it seriously. The flip side of that is the pressure that comes with it. This is a very high-risk job, and it's a high-risk job because we are managing programs that have so many facets and components that are not in our control.

[00:32:50] We rely on many, many different constituents to do things in certain ways in order for everybody to succeed. [00:33:00] Maybe think about a lot of companies that have thousands of applications. Right. But let's say that the access controls were not up to snuff on 10 or 20 or a hundred of those. It can't just be the CSO's fault.

[00:33:14] Like, it's impossible. The CSO is one person; the security team can only do so much. And as a result of it, yes, it's a higher-profile job, but the risks are enormous. I think even now you're starting to hear about CSOs getting sued. You know, the game is changing. This landscape is changing, and it comes to a point where I honestly believe CSOs are going to be some of the highest paid professionals

[00:33:46] in the future, and it's already heading in that direction. Over the last few years we've seen a lot of change already, but this is going to be one of the highest paid jobs in business, because it will get to a point that you're not going to be able to pay people enough money [00:34:00] to take on this amount of risk, because of the lawsuits that might come with it. And, you know, you start thinking about

[00:34:08] what that means to the role. It's a very, very different ballgame. You're talking now in the realms of what boards of directors are usually responsible for and the risks that go with that, or CEOs are responsible for and the risk that goes with that, or CFOs for that matter. So I think the risk and just the sheer responsibility is continuing to climb.

[00:34:33] People are suffering from burnout, and it's not all financial. You know, there's definitely a financial component to it, but it's not all financial. It comes to a point where it's a quality of life, and it's tough. Right? It's not an easy role, as you well know; you've done it.

[00:34:52] Jason Clark: It's not worth it. Right? Yeah. There becomes a point where it's like, okay, I've done this multiple times, but it's getting harder. [00:35:00] And, okay, I've saved enough, right? Like you just said. And I do think the legal concerns are troubling. One thing I'm surprised about is that CSOs are not necessarily getting the parachutes in their contracts. They might be getting great comp, but they also should get protected.

[00:35:22] You know, I have a lot of conversations with CSOs where they're being pushed to decide something or sign something, but they don't agree. But they're looking at it saying, well, I've got this expensive house and I've got private school or whatever it is, and I can't afford to say no to my boss, because I'm going to be gone then.

[00:35:41] Right. And that is not good. They should all be protected, so that if you disagree with your organization and you want to challenge them, and you're saying, I will not sign off on that risk, they can be protected. Maybe it's a standard of six months' income. Right. But right now, [00:36:00] you know, it's two to three months, and I've seen that happen way too often.

[00:36:06] But overall I think that... I was talking to Jason Witty, right, and he, and this is public, right, he just left JP Morgan. And it's just a matter of, we can do so much more with our expertise, that we can do with less stress potentially, or even higher income when you start talking about, like you mentioned Emily, more capital.

[00:36:33] Right. But the thing is, whatever we do, we need to make sure that the next generation is ready. Right.

[00:36:44] Emily Heath: And protected, right? I mean, it's getting to the point of liability issues that, you know, directors and officers have liability coverage for that CSOs don't. So there's a different conversation that needs to be had at some point.

[00:36:58] Otherwise it will get to a point where you're not going [00:37:00] to be able to pay people enough money to do this job, because if the end result or the potential consequence, for either an action that a CSO took in good faith or an action that somebody else did not take, if the consequence could result in them losing everything or, God forbid, jail, you're not going to get people in the job to do that anymore.

[00:37:20] Jason Clark: Exactly. Yeah. Like if you're told to pay a ransom, or you're told to pay a bounty, right, by your leadership. So, yeah, it is scary, but, you know, we'll work through this, and in the end, I think you and I and many others just have to be there for others when they need advice, or coach them, and we'll have their back.

[00:37:43] So, moving on, I was curious on this topic: what does retirement life look like?

[00:37:51] Emily Heath: I'm not quite there yet. You know, I've still got a lot left in the tank yet, but retirement life for me is... I don't know whether I will ever [00:38:00] really unplug from this community. I mean, I sit on a public board and a private board today.

[00:38:05] I'm on the board of Norton LifeLock, as a publicly traded company, and for Logic Gate, who are a private GRC platform company. There's a lot of value for CSOs in the board life, because of the experience and depth that they have, and it's still such an area where there's a lack of understanding, there is so much value to add.

[00:38:28] So I'm sure that will continue to be a part of my future. You know, I do a lot of advising just like you do. You know, no benefit at all, no financial benefit, just because it's an important part of, like you said, we have to help the next generation, and I don't think that will ever go away.

[00:38:48] There'll be parts of that. One day I'll transition outside of operational life, but I'm not there yet. Like I said, I still have more in the tank for me yet, but I would imagine [00:39:00] semi-retirement might look like, you know, serving on a few boards, I would imagine doing some non-profit and advocacy

[00:39:07] Jason Clark: boards, coaching, advising, helping the industry.

[00:39:11] And you're sitting on a beach or the mountain somewhere for a while.

[00:39:15] Emily Heath: Yeah. Traveling Europe, perhaps, maybe in Provence or something like that. Taking a few Zoom calls from Provence might be okay.

[00:39:21] Jason Clark: My dream is to do that every summer and just work from there, every single summer. There you go.

[00:39:31] So, okay, so kind of thinking about the future... as we're talking about that, you know, if we can go forward in time, what do you think CSOs will wish they had invested in, that will pay off for the future, right? Like, what would you be suggesting to everybody, thinking about five and 10 [00:40:00] years from now?

[00:40:00] What are those most important investments they could be making, other than people?

[00:40:04] Emily Heath: Other than people? Insurance, probably. Insurance is one of them, quite seriously. But if you're talking kind of more technology, there are still a lot of companies who are not investing appropriately in cloud security.

[00:40:20] You know, there are bits of cloud security that they have, and people relying on native AWS and Azure type capability, which is fine to a point. But when the world is going completely cloud and everybody's moving away from... you can't rely on just the incumbent cloud providers' security, the security stack around configuration, secrets management and all of the stuff that comes with it.

[00:40:49] I fear that a lot of companies are just paying lip service to cloud security, honestly.

[00:40:54] Jason Clark: I think that's my answer, by the way, to my own question: I think data [00:41:00] security. Like, it is about the data. That's what we're protecting. Right? DocuSign, that's your... it's these signatures, these contracts. It's about the data.

[00:41:08] And I feel like in my conversations we're very immature in data protection thinking, because we're used to the data sitting in our data center and we have this great program. And I think that is a very under-invested area: understanding where my data is, how is it protected, what's the risk, what's the impact,

[00:41:27] how sensitive is it? All of that. Right? Because it proliferates,

[00:41:31] Emily Heath: it's those five questions again, right? So it's five questions: What matters to me most? Where is it? How am I protecting it? How vulnerable or at risk am I? And how prepared am I for when it hits the fan? It's, you know, it sounds so simple when you break it down to that.

[00:41:45] But that's the fundamentals of the security program right there. And it's different for every company. And it's hard to do that. It's hard to discover all of that, right? Because those questions are fully loaded with assumptions that, hey, you understand [00:42:00] where all your data is and you understand the assets that are supporting it.

[00:42:03] And, oh, by the way, are they all being provisioned in the right way? Do they have all the security and access controls that they should have? It sounds so simple, but I couldn't agree more. I think, you know, a lot of that for us, I translate it to cloud, because obviously that's a lot of where the environments are going.

[00:42:19] I mean, I think cloud 

[00:42:20] Jason Clark: in a way makes it harder in the beginning, because it's not what your solutions are. But in the end I actually think it makes it easier for us. Like, you know, we have radius. I mean, there's a lot of things you can do. So it's like a weird spot temporarily, but in the end, in the future, I think we're going to be really good.

[00:42:39] So, last segment, you know, quick hits... quick questions to you, maybe, you know, just quick answers. So, are you ready?

[00:42:55] Emily Heath: I'm ready. Bring it. 

[00:42:56] Jason Clark: All right. What's one talent or skill [00:43:00] you have that's not on your resume?

[00:43:02] Emily Heath: I'm a Reiki healer, a trained Reiki healer.

[00:43:06] Jason Clark: That's pretty cool. 

[00:43:07] Emily Heath: It's something completely different. 

[00:43:10] Jason Clark: I don't even know what that is. What is that? 

[00:43:11] Emily Heath: It's a hands-on healing technique, is what it is.

[00:43:15] Jason Clark: Oh, cool. I'm going to have to research that. That's so cool. Second one: if you weren't in networking and security, what would you be doing?

[00:43:23] Emily Heath: I'd be a chef. I absolutely love to cook. It is my jam. It is how I relax. I just love to make people happy with food.

[00:43:33] Jason Clark: And I know this is a hard question, because I'm a chef as well, and it's a very... but what's your favorite cuisine type?

[00:43:43] Emily Heath: Ooh, that's tough. I've been perfecting my bolognese recipe for like 15 years. Italian food is just the best. I mean, I'm a lover of carbs, a little bit too much sometimes. But Italian food is where it's at for me.

[00:44:00] Jason Clark: Oh man. Mine is probably Asian, right? Just Asian, lots of Asian flavors. But, you know, we need to meet some time, and I'm on the Amalfi coast somewhere, and hang out. So, last question, right?

[00:44:19] What would be your top piece of advice for a first time CSO? 

[00:44:23] Emily Heath: Oh, I would say, ask for help. You know, as we talked about earlier, this community is incredible and there are so many people willing and able to help you on your journey. I wish I had asked for more help in the beginning, and had a little more humility to know that I don't have it all solved.

[00:44:43] And that's one big mistake that people coming into this career make: they think they have to know it all. I have to know all these moving pieces. It's impossible to do that. I mean, if we needed to reverse engineer malware, I'm the worst person in the world to do that. I've got really smart people on [00:45:00] my team who can do that.

[00:45:01] There's no way I can know everything. Right. So you ask for help, ask for guidance. There are so many willing, incredible leaders in the CSO community that will chomp at the bit to help you along your way. So just don't be afraid to ask for help.

[00:45:16] Jason Clark: I love it. That's awesome. So that's all the time that we have. Emily, this has been amazing.

[00:45:25] And you know, I love every conversation we have, and I feel like we could have gone probably for four hours easy. But before I let you go, if people do want to ask, if they do want to engage with you for some mentorship or whatever that may be, what is the best way for them to engage?

[00:45:44] Emily Heath: Yeah. Ping me on LinkedIn is the easiest way. It's the fastest, easiest way. There are many networks I'm already involved with, and I do mentor and coach a lot of people, as I know you do too, Jason. You give a lot of your time to this community also. [00:46:00] And, you know, whilst we can't take on a hundred people, what I love is that if you've got an avenue and you have a place where you can go and ask, hey, I'm struggling with this thing, like, what did you do in this situation?

[00:46:14] I do that all the time with CSOs, by the way. If there's something that I'm struggling with, I do the same thing. I reach out to friends and say, look, it's just something I'm really struggling with. Like, how did you do it? So I would say reach out to me on LinkedIn. Ping me on Twitter. A lot of you already have my email address anyway, my cell phone number.

[00:46:31] But yeah, I'm here for the community, and I also want to thank the community for being there for me too.

[00:46:36] Jason Clark: Perfect. Well, thank you. And thank you everybody for joining us.

[00:46:43] Sponsor: The Security Visionaries podcast is powered by the team at Netskope. Looking for the right cloud security platform to enable your digital transformation journey?

[00:46:51] The Netskope security cloud helps you safely and quickly connect users directly to the internet from any device to any application. [00:47:00] Learn more at netskope.com. 

[00:47:04] Producer: Thank you for listening to Security Visionaries, please take a moment to rate and review the show and share it with someone you know. Stay tuned for new episodes releasing every other week. And we'll see you in the next episode.