Emily Heath (00:00): This landscape is changing and it comes to a point where I honestly believe CSOs are going to be some of the highest paid professionals in the future, and it's already heading in that direction over the last few years. We've seen a lot of change already, but this is going to be one of the most highest paid jobs in business because it will get to a point that you're not going to be able to pay people enough money to take on this amount of risk.
Producer (00:25): Hello and welcome to Security Visionaries, hosted by Jason Clark, chief security officer and chief strategy officer at Netskope. You just heard from today's guest Emily Heath, senior vice president and chief trust and security officer at DocuSign. It's been said that you don't get paid for how much you work, but for how much responsibility you have. And in today's modern business world managing risk is a massive responsibility. As cybersecurity threats dominate the headlines the role of security leads, whether they're chief security officers or chief information security officers, becomes one of the most important functions in the C-suite.
Producer (01:06): They're responsible for safeguarding the data, money, and everything else vital to the business. The role is anything but easy, and as Emily points out, individuals capable of shouldering this burden are going to become some of the most sought after executives in the world. And Emily isn't backing down from the challenge. In fact, she's encouraging her fellow CSOs not to either. Before her tenure as DocuSign's chief trust and security officer, Emily served as CSO for United Airlines and AECOM, held various other technology and strategy leadership roles, and began her career as a fraud squad detective in the UK police force. But before we dive in and hear more from Emily, here's a word from our sponsor.
Sponsor (01:50): The Security Visionaries Podcast is powered by the team at Netskope. Netskope is the SASE leader offering everything you need to provide a fast, data-centric, and cloud-smart user experience at the speed of business today. Learn more at netskope.com.
Producer (02:08): Without further ado, please enjoy episode three of Security Visionaries with your host Jason Clark and Emily Heath, senior vice president and chief trust and security officer at DocuSign.
Jason Clark (02:21): So welcome to Security Visionaries, I am your CSO at Netskope. Today I am joined by a very special guest and good friend, Emily Heath. Emily, how are you?
Emily Heath (02:31): Jason, always a pleasure to see you. Doing well, thanks.
Jason Clark (02:34): I was thinking about this conversation. I'm thinking, when did I meet Emily? Do you remember when the first time we ever met was?
Emily Heath (02:42): God, now you're going by a few years, buddy. Probably, I don't know was it Security Advisors Alliance in Dallas?
Jason Clark (02:51): Right.
Emily Heath (02:51): Right? Yeah, it was.
Jason Clark (02:53): Yes, the Advisor Alliance in Dallas and I remember you, I remember it was actually at the bar and we both were ordering I think it was
.
Emily Heath (03:02): That would be a good choice.
Jason Clark (03:05): And then we were like, hey, and we just kind of started talking. I think that was probably six or seven years ago.
Emily Heath (03:09): Yeah.
Jason Clark (03:10): So getting started what was your first, tell us about your first security job.
Emily Heath (03:14): Oh my gosh. Well my very first security job goes way back 25, 30 years or so. I used to be a police officer in England, I was a detective for many years. And this is kind of about the era when cyber wasn't really a thing back then but computer crime was starting to be a thing. And so I worked in the financial crimes unit in what we called the fraud squad, and that was the unit that was responsible for computer crime. And it was completely foreign to me at the time, I mean going back in those days you used to go do a raid on a business or a home, and you'd come out with hundreds of bankers boxes full of contracts and documents. And it's just such a turn to see how that now is all translated to cyber. But I like to think that from a cyber perspective that was probably the very first job trying to dissect computers.
Jason Clark (04:09): And tell us a little bit about your job today and your current role at DocuSign.
Emily Heath (04:12): Yeah, so my job at DocuSign now is a little varied actually. So I'm the chief trust and security officer, so there's a couple of sides to that. There's the usual cyber security related stuff that you would imagine, security architecture, engineering, security operations, and all of those things. I also have the governance risk and compliance group. I have fraud, physical security, health and safety as well. And then the trust side of the job is actually a very customer facing side of the job. So DocuSign as many people know is a really trusted platform because we're a part of our customer's ecosystem, security and trust is super important. So I spent a ton of time with customers now, which I love.
Jason Clark (04:53): I think that's something that's going to continue to evolve for every company that is a [inaudible 00:05:00] technology organization. [inaudible 00:05:02] economy that is, the chief trust and security officer being very engaged with the customers will come, I think, the norm.
Emily Heath (05:11): Yeah, exactly.
Jason Clark (05:12): So getting, our first kind of segment here is taboo topics.
Jason Clark (05:26): Well this segment's about security taboos, misconceptions, controversy. And by the way, you can ask me anything, bring up anything you want to bring up. But the first question for you on this is what do you believe is the fastest growing risk in cyber security today, right? That affects most companies?
Emily Heath (05:43): Yeah. God, there's so many of them it's hard to choose one. I think ransomware is the one that just brings to mind just because you think about the monetization of crime when it comes to cyber, these attacks are no longer just to inconvenience organizations or bragging rights, there's a lot of money in this crime. Long gone are the days where somebody walks into a bank with a [inaudible 00:06:07] shotgun and walks away with $20,000 at best. I mean you're talking millions and tens of millions for these types of crimes. So I think ransom is, we're just seeing the beginning of it. And the more and more you see that companies are paying ransoms, it's just going to proliferate the problem. So it's a trend unfortunately I don't think is going anywhere anytime soon.
Jason Clark (06:30): So it's the new bank robber basically, right?
Emily Heath (06:34): Yeah.
Jason Clark (06:34): So what's your thoughts around, kind of this feeling like this taboo topic, what do you feel around should companies be paying the ransom or not be paying the ransom? What should legislation be around that?
Emily Heath (06:45): God, it's such a tough one. I don't even know where the legislation can be involved in that. It's a really slippery slope because there's a cost of doing business, and if this becomes a new cost of doing business, I mean I'm not advocating for it in any way shape or form, but every organization is different and until it hits you and until your operations are the ones that are crippled, it's really difficult to say whether or not you should or shouldn't pay a ransom. I mean we all know that there's never any guarantee that you're going to get out the other side of it anyway. But if you look at some of the companies recently that have paid ransoms, we are not in the room, we don't know the impact to their actual business function. And I just, I'm not sure whether this is going to end up being a legislation issue, it's a business issue.
Jason Clark (07:34): Yeah. I mean sometimes it can mean lives, right? I mean getting electricity turned back on or getting the medical systems you need turned back on, that shouldn't be a choice that is made because of a law, right? And when you look at it, ransom is obviously a very, very hard problem and we just need to obviously get better at everything. I think, curious like if you think about ransoms, okay that's one, but what's one that you think people are not aware of? What's the fastest growing risk as a CSO? What do you think is growing that a lot of IT organizations, a lot of boards are unaware of? So ransoms in the news every single day, but is there anything else that you can think of that is a rapid growing risk that you think those leaders should be aware of?
Emily Heath (08:24): Yeah, there is a little bit of a theme right now where you're seeing a lot of experienced security professionals leaving the industry. And my fear is that there's going to be a big hole, right? This business has been around for a while but certainly not to the magnitude that it has been over the last four or five years or so. And a lot of the security professionals are leaving the industry to go vendor side, or they're leaving to go to a VC side. The talent and expertise that is leaving the security jobs is frightening. Don't know how you solve that necessarily apart from, as a leader it's our job to make sure that we are investing in the leaders of tomorrow. And I think as an organization I'm not sure there's this great organizational awareness to the big talent gap for senior leaders in the security business and really super talented folks, who honestly are moving to the vendor side and moving to the VC side because quite frankly there's more money in it.
Jason Clark (09:25): Let's talk about this a little later because we talk about the future but I think it's, there's more money but also the CSO job is extremely hard, very, very hard and very taxing.
Emily Heath (09:37): Super stressful.
Jason Clark (09:37): I mean there's many, many friends where they've been like, look Jason, I've given up my last vacation, or I was the best, Dave Fairman at RBC, he said, Jason, I was the best man at a wedding and I was told either go to the wedding or stay here, but if you go to the wedding you won't have a job. And that is emotionally taxing. So I think we're ending up in this where the threats are getting worse, the problem's getting harder, there's more data than ever, we have 57 zettabytes of data in the world and by 2025 there'll be 175 zettabytes. So I think as you think about that attack surface growing, and to your point the people are getting harder to find, that is, so I love that you pointed that out. I think that's a great unknown risk as you just said. So kind of going into a little bit of a deep dive.
Jason Clark (10:46): Maybe walk us through how you pivoted from in the Cheshire police to cyber, talk us through that transition.
Emily Heath (10:55): When I was a detective I took a career break for a while, and you can take a career break up to three years. And I did and the punchline is I taught myself how to code, don't tell anyone. But I taught myself how to code and I actually started my own web design business during the career break. By the time I went back to the police I realized that there was a big world out there and a world that I really wanted to explore. And so one of my former web clients actually called me one day and said, hey, are you interested in this opportunity at MGM studios in London? And it was working for a startup back in the days when DVDs were a thing, it was a startup that managed all of the DVD distribution and supply chain and inventory management for the movie studios. So I left the force, I left law enforcement and did that job. It was not a security job. I did many different areas of IT and technology before I kind of did full circle all the way back to security.
Emily Heath (11:48): But I was the lead program manager on a software implementation for the studios, that's how I ended up in the US maybe, almost 20 years ago now, working with MGM who got acquired by Sony Pictures, so I worked with Sony for many years. And then ultimately when that little thing called PCI came along, and I'd been running infrastructure teams, PMOs, web design teams, and engineers, my boss at the time said, hey, Emily, you were a cop. You were a cop, weren't you? You understand the law, can you figure out this encryption thing and this PCI thing, these laws that are coming in? So it was really purely by accident that I ended up getting into more of a legal, compliance, security type role. But it's funny how you look back on your career and your life and you realize that it's all one big jigsaw puzzle. You don't realize at the time how one thing leads to the next. And then when you look back you realize, my gosh, I would not be set up for success in this job had I not done that job.
Emily Heath (12:50): And so it felt like coming home to me, my experience in technology coupled with experience in law enforcement. And they're two very different things, but the skill sets that you bring with you from law enforcement, the skill sets were a lot about people. It was, you're dealing with people from all walks of life. And I translate that to the constituents within an organization, right? I mean we deal with so many different stakeholders from so many different business units, and managing to navigate the corporate world is very much like law enforcement, you're just managing different characters. So it really did feel like coming home to me and I took a very deliberate path to choose the CSO route and not the CIO route. I had opportunities a few years ago to go one way or the other and I chose this route, and I chose the right one for me personally.
Jason Clark (13:44): I'm constantly asked by CSOs, I coach about 15 different CSOs and I'm asked, hey, I've got this opportunity to become the CIO or the interim CIO. And I actually generally coach them no. Focus on CSO, focus on security as a specialty that is going to grow increasing importance. And I basically tell them that financially I believe they'll make more or the same. You talked about kind of a little bit of your experience with PCI, I thank PCI to the start of my career as well. I was out of the army and the New York Times got compromised, and I got the CSO job at the New York Times when I was 27 years old because they needed to have a CSO title and it was driven by loss of credit cards and for one of their business units and I was asked to step in. And when else can a 27 year old with cybersecurity experience and the fact that I had management experience because I was military, I mean it's insane. That would not happen today, a 27 year old being a CSO that quickly. So I thank PCI as well.
Emily Heath (14:53): Yeah, I know. It's like the people ask why did you choose cyber as a career? And I said, I didn't choose it, it chose me. Definitely twists and turns.
Jason Clark (15:04): It's been amazing. So you were the CSO, we met when you were the CSO for United Airlines, and you had tremendous responsibilities there. What are the differences and the similarities between that and your current role at DocuSign?
Emily Heath (15:22): Yeah. So, I mean United Airlines I don't think it gets much more complicated than a huge, big, global airline. Just the sheer scale and complexity of an organization like that is incredible. And obviously it's a much bigger company than coming to DocuSign, so the differences of scale and complexity are very, very different, however the types of issues that we deal with are very much the same. And no matter where I go, or any company, or advice I give to other CSO friends who are joining new companies, I ask myself five fundamental questions, which really doesn't matter which organization that you're in. And it really comes down to what's most important to you first and foremost? A company like United, what's most important is human life. You're flying people, safety is number one. A company like DocuSign, we're a very data driven company so the agreements that people trust us with are what matter to us the most.
Emily Heath (16:19): So what matters most? Where is it? How are you securing it? Where are you most vulnerable and at risk? And how resilient are you when it hits the fan and you need to bounce back? And I think if you go into any new job and ask yourself those five questions, doesn't matter what company it is, doesn't matter what entity it is, those five questions are still very relevant. Because if you understand what matters to you the most you've got a framework to prioritize the task that's undoubtedly ahead of you. So the challenges are the same, it's the same kind of people, same kind of adversaries, scale and complexity is very different, but how you run a security program is fundamentally the same thing.
Jason Clark (17:06): Yeah, 100%. It's just different complexities. Scale is one but then when you're a company you have a different set, and it isn't harder or easier. When you said, when it hits the fan, I love how you said when it hits the fan, I quickly imagined the scene in Airplane, the movie Airplane, right? Where the shit literally did hit the fan, that's what I picture [inaudible 00:17:35]. So look, I love your title, chief trust and security officer. So talk to us a little bit about what additional responsibilities you have and how this changes the way either your company or your customers perceive you with the word trust in there?
Emily Heath (17:53): Yeah. So trust to me is, the security side is what we all understand. It's securing the nuts and bolts and securing the technology and all those things. When you start layering in this concept of trust it's about that intangible. It's the relationships that you're building with people. So when we are building relationships with customers, you cannot trust people that you don't know. So therefore the time I spend with customers is to build relationships with them because I see it as my duty and my obligation to be completely transparent about what we're doing. I think the foundations of how you build trust are truly embedded in that. So I'm not talking about just zero trust as a framework or trust as in what we traditionally have called trust within the security realms, it goes way beyond that to me. It really is a lot about the, you've got to walk your walk. You've got to show up. You've got to be transparent. You've got to be upfront and be honest.
Emily Heath (18:54): And it's actually more than just security. So for example, I also help run our ESG program, the environmental, social, and governance program. Because as part of the chief trust officer role it's not just security, what are the other elements of trust and what does that mean to your organization? So I get heavily involved in topics like D&I, I'm a huge advocate of diversity and inclusion and belonging, as you know. The ESG type programs that any organization runs, that all falls under a trust umbrella. So it's really broader than just the traditional security, physical security, cybersecurity type realms because it's about your organization's trust and what that means to your customers, your partners, and your employees.
Emily Heath (19:40): So it's something that we are evolving like every other company. I feel very strongly that we shouldn't be using words like trust unless we know what that actually means to us and that we actually do something about that. This is not just a word, it's a way of being, it's the not just what you do, it's the who you are while you're doing it piece to me. So lot to do with the relationships and that spirit of transparency. And like I said, you can't trust people that you don't know.
Jason Clark (20:08): So how are you, this is a lot around the purpose of the company, right? And you're trying to purposely evoke an emotion from your customers and your employees, right? How are you partnering with marketing to make that happen?
Emily Heath (20:23): Yeah, so we're actually going through some branding and marketing right now and trust is one of our central pillars. DocuSign's been around for 18 or so years, and most people know us for the e-signature. And we've evolved way beyond that into what we call the agreement cloud and now the smart agreement cloud, trust is a fundamental part of that. And if you think about what people actually trust us with, all of their sensitive agreements, I mean their signatures for goodness sake. We're like if you can't trust us who can you trust? There's such an embedded element of that within who we are as an organization that it's been there from the very beginning of time for DocuSign, but we see now just how important that is in the fact that we are a part of our customer's ecosystem and we have to take that really seriously. So yeah, it's a lot about the culture and it's a lot about what matters to your organization. But like I said, it's the who you are while you're doing it piece as well.
Jason Clark (21:25): So as this unfortunate pandemic has happened for the last 18 months how has this changed and affected your role, and just obviously your employees at DocuSign as they try to engage and perform their duty?
Emily Heath (21:45): Yeah. So from the very beginning of COVID when that happened we already had a pretty large remote workforce, so thankfully we already had the technologies like the Slacks and the Zooms to support us so we were ahead of some companies in that respect. However, as we all know it's a definite shift when you've now got a full workforce who's all working remote on home computers and all of those kinds of things. I led the COVID, what we called the COVID-19 Task Force at the time, which was essentially classic crisis response, which is you get cross-functional teams together. At the very outset we were meeting multiple times a day, then we went to daily, and then we went to weekly meetings.
Emily Heath (22:27): But it was a way to bring the whole organization together from every department so that we could consider all the moving pieces across our employees and customers, because much like you and many other companies, we had lots of live events that we had to then transition to virtual. We had all of the employees to make sure that they've got all the equipment that they need, onboarding thousands of people since COVID. We've grown so much, we've onboarded thousands of people as new employees, and all that comes with a lot of logistics. So I think this is where CSOs and people who are used to dealing with crisis response are really best suited for these types of initiatives. Because we kind of have that crisis response muscle where we are used to bringing cross-functional teams together to organize it. And it was just a, nobody asked me to do it I just kind of assumed the role and pulled the company together and played my part. And my team did an exceptional job as did the rest of the organization.
Emily Heath (23:32): But it's been tough I think for a lot of employees, just the same as every other company. Everyone's got a little COVID burnout fatigue and Zoom fatigue and all those things. We are taking this opportunity to really listen to our employees and see what they want. So we're highly likely to have a much more distributed workforce and a more remote workforce moving forward. We're going to be pretty much completely hoteling, so no dedicated desks or offices anymore. And that's what our employees want, they want the flexibility so we're taking that opportunity to give them just that.
Jason Clark (24:08): So there's no doubt it's been challenging. I've heard a lot of CSOs, and even using us as an example, myself and Lamont our CSO, it was a moment for him to step up. He has helped to lead and has been part of leading our COVID community, he also leads D&I as well. Just to say that this is our moment to make sure we're embracing and engaging our employees to the max we can. So I do think you're right, we have this muscle already. And so it's been really good for, I think in the end you think about just IT, forget security, being able to work from home would not have been really possible without IT, without digital, without technology, without VPN, without cloud. How would we have done this? We would've had to either made the decision of lose business or people will potentially have more vulnerability and more deaths. And so I think IT has been an interesting kind of quiet hero in this.
Emily Heath (25:19): And it's almost like as a society we've been forced to think differently. Many companies would never have taken the steps that they'd taken if we weren't all forced to be in this situation. And for us from a business perspective it's been incredible, of course. It's been great for our company's growth, but what really struck me at the very beginning of the pandemic was we were literally in the trenches with the state departments and the federal governments to try and move PPE around, you still need to do that with a signature. And there's this kind of common misconception I guess that the government agencies move so slow. Well sometimes yeah, but when they're forced into a crisis in this way, the work that they did, and we had a front row seat to that, our customer support folks were working morning, noon, and night in the trenches with them to get them set up so that they could digitize and transform their own businesses and kind of these situations where we had to move equipment around. And it forced us all to pivot really quickly. And I think in some ways many companies have leapfrogged that digital transformation because now they see that they can do it.
Jason Clark (26:39): I've seen a lot of my own customer adoption to actual DocuSign. That's been a big part of their transformation. Especially healthcare, very, very big in healthcare. So transitioning to our next segment, which is called feeling vulnerable.
Jason Clark (27:04): And so in this segment we're going to kind of walk through kind of what are we trying to avoid? What are our vulnerabilities? And just again, just feeling vulnerable. Being very open, which we both already are in this conversation. So lot of times people measure risk differently. Like an example, sharks in the water. I was on vacation just two weeks ago with a bunch of friends and there was a shark in the water. And one of the people I was with swam as fast as possible to the lifeguards like, there's a shark, there's a shark, there's a shark, yelling there's a shark to everybody. And everybody's just looking at this person and the lifeguard goes, yeah, we have sharks. They don't bite anybody. And it's like, what are you doing? Like, oh my gosh, we have to react to this. And I'm like, shark deaths are not a whole lot per year out of six or seven billion people.
Jason Clark (27:56): How much do you think that we are kind of maybe in security or IT making decision off of gut instinct versus really looking at the mathematics of the risk? Or just trying to drive check boxes? What's your thoughts on just maybe this issue amongst security in not really, like we buy product because everybody else is buying product, or we're doing this because everybody else is doing this versus saying, was that the real issue? Is that the real risk? By the way, I just was on the phone with somebody in a financial who said, we're doing segmentation because the auditors and the regulators say we have to, and I think it's the dumbest thing ever. Because I'm already segmented in the end, at the end point, and at the network layer, and I should be doing these other five projects but instead this is my biggest project of my year because the auditor and the regulators say I have to.
Emily Heath (28:42): Yeah, I can absolutely understand that. I think as much as we want to be science and data driven all the time, that's the ideal, right? You always want to have the data and the fact in front of you, but the truth of the matter is it's not always that tangible. And I think there are times when CSOs use their best judgment, and their experience, and their expertise in order to make decisions. Sometimes I think that's appropriate because otherwise, I mean at some point you've got to make a decision and move on. And those are the things sometimes you end up looking in the rear view mirror and go, did I make the right decision on this one or could I have done that differently? But at the time you don't always have the benefit I guess of weeks, or days, or months ahead of you to go collect all that data. And even if you wanted to it probably doesn't all exist.
Emily Heath (29:39): So there's a reality to the job that we do that's a little bit of art and a little bit of science that you have to use your best judgment in order to make those calls. I'm always an advocate for using data because a lot of the times what we try and do is explain situations to people who are not technical or explaining situations and translating them into operational or business risk, because ultimately that is our job. It's not always that straightforward to get data that will point you directly to a decision A, decision B, or decision C. So there's a little bit of an art and a science in what we do. And let's face it, if there was a book that you could pick off the shelf that showed a blueprint and how to do this job we would all love that. But the reality is that that just doesn't exist, we're facing new threats, and new adversaries, and new ways of operating every single day that you have to use your best judgment.
Emily Heath (30:38): And that comes from experience. Sometimes early in our careers we've made some decisions that perhaps weren't the best ones but we learn from it. And the big thing for me is this is why the security community is really special because we share things with each other when our lawyers tell us not to. We share things with each other because we care about one another and nobody wants to see anyone else in the headlines. I have never experienced, or seen, or heard of a community like this one. And it really is special, it's something else.
Jason Clark (31:10): That's amazing. I agree, there is nothing. We are one because, probably because we have a common enemy. And it is tremendous and it's in the end and why I think a lot of us love this industry and have not changed industries. So it kind of, as we think through this a little bit to your point earlier, we're talking about this industry. We talked about part of the risks are security leaders leaving the industry, why do you think that is? Why do you think that they're saying, okay, you know what? I'm going to go do something different, I've done this three times now. We do love this industry but why are they leaving the operational CSO gig? Because it pays well, there's no doubt they can make seven figures. They're working at the top of their game so why are we seeing people leave these jobs to go, most of the time honestly take less money doing something else?
Emily Heath (32:11): Yeah, and I think it's a combination of what we were talking about earlier. Look, this job has gotten more visibility over the last few years without doubt, and that's something that you've heard CSOs beg for in the past and now I think that's all coming to fruition. And there's good sides and bad sides to that. You want all the visibility, you want the company to take it seriously, well guess what, they're taking it seriously. The flip side of that is the pressure that comes with it. This is a very high risk job. And it's a high risk job because we are managing programs that have so many facets and components that are not in our control. We rely on many, many different constituents to do things in certain ways in order for everybody to succeed. I mean if you think about a lot of companies that have thousands of applications but let's say that the access controls were not up to snuff on 10 or 20 or 100 of those. It can't just be the CSO's fault, it's impossible. The CSO's one person, the security teams can only do so much.
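Emily Heath (33:22): So as a result it's a higher-profile job, but the risk is immense. I think we're starting to hear about CSOs being sued even now. The game is changing, this landscape is changing, and I honestly believe CSOs are going to be some of the highest paid professionals in the future. And it's already heading in that direction over the last few years, we've seen a lot of change already. But this is going to be one of the highest paid jobs in business, because it will get to a point that you're not going to be able to pay people enough money to take on this amount of risk because of the litigation that may come with it. And you start to think about what that means for the role, it's a very, very different ball game.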
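Emily Heath (34:12): You're now talking about what boards are typically responsible for and the risk that comes with that, or the risk that CEOs are responsible for, or the realm of CFOs for that matter. So the risk and just the sheer responsibility continue to grow, and I think people are suffering from burnout. And it's not all financial, there's definitely a financial component, but it's not all financial. It's the quality of life, and there comes a tough point, right? It's not an easy route, and it's not an easy role. As you know, you've done it.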
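Jason Clark (34:52): It's not worth it. Yeah, it gets to a point of, okay, I've done this many times, but it's getting harder. And okay, as you just said, I've saved enough. And I think the legal concerns are a pain. And it's not like CSOs, one thing I'm surprised by is that they don't necessarily get a parachute in the contract. I might be getting a great [inaudible 00:35:20], but they should be protected too. I have a lot of conversations with CSOs who are being pushed to decide something or sign off on something they don't agree with, but they look at it like, well, I have this expensive house, I have private school or whatever it is, I can't afford to say no to my boss because then I'd be gone.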
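Jason Clark (35:41): And that's not good. If you disagree with your organization, you want to challenge them, and you're saying, I don't sign off on that risk, so that they can be protected, maybe it's a standard of six months of income? But right now it's two to three months. And I've seen that happen too often. But overall, I think, I was talking to Jason Witty, and it's public that he just left JP Morgan. It's just a matter of, we can do a lot more with our expertise, so when you start talking about, as you mentioned Emily, venture capital, potentially you can do it with less stress too, or even with higher income. But the thing is, whatever we do, we have to make sure the next generation is ready.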
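Emily Heath (36:44): Protected, right. I mean, we're getting to the point of a liability issue, and directors and officers are covered for that liability, but CSOs are not. So at some point there has to be a different conversation, otherwise it will get to the point where you can't pay people enough money to do this job. Because if the end result or potential result of either an action that a CSO took in good faith or an action that somebody else didn't take, if that result could cost them everything, or God forbid prison, you're not going to get people to do the job anymore.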
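Jason Clark (37:20): That's right. Like if you're told to pay a ransom, or told by leadership to pay a bounty. Right, that's scary. But I think we'll get through this, and ultimately you and I, and a lot of other people, have to be there for others. When they need advice, we mentor them, we have their backs. So I was curious about this topic, what does retirement life look like for you?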
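Emily Heath (37:51): I'm not there yet, I still have a lot left in the tank. But retirement life for me, I don't know if I could ever really unplug from this community. I mean, I sit on public and private boards today, I'm on the board of NortonLifeLock as a public company, and I'm a director at Logic Gate, a private GRC platform company. There's a lot of value in board life because of the experience and depth that CSOs have, and it's still an area that lacks understanding, and there's a lot of value to add. So I'm sure that will continue to be part of my future. I do a lot of advising, just like you do, for no gain at all, no financial gain at all, just because it's an important part of how we have to help the next generation. And I don't think that will ever go away. There's that part of it. Someday I'll transition out of operational life, but I'm not there yet. As I said, I still have more in the tank. But I think semi-retirement might look like sitting on a few boards, I imagine, and doing nonprofit and advisory work.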
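Jason Clark (39:07): Boards, coaching, advising, helping the industry.
Emily Heath (39:10): Yeah, exactly.
Jason Clark (39:12): Sitting on a beach or a mountain somewhere for a while.
Emily Heath (39:15): Yeah. Probably traveling in Europe, maybe Provence or something like that. I might be okay taking a few Zoom calls from Provence.
Jason Clark (39:21): A little. Yes, I'd like to, my dream is to do that every summer and work from there all summer, every year.
Emily Heath (39:29): There you go.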
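Jason Clark (39:31): All right, thinking about the future. As we talk about it, if we could move forward in time, what do you think CSOs would wish they had invested in that would pay off in the future? Thinking about five years, ten years from now, what's the most important investment they can make, other than people?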
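Emily Heath (40:04): Other than people, insurance. Insurance is probably one of them, quite seriously. But if we're talking more about technology, there are still a lot of companies that are not investing properly in cloud security. People who rely on the bits of cloud security they have and the native AWS and Azure type capabilities, that's fine to a degree, but when the world goes fully cloud and everyone moves away from bare metal, the security stack around the existing cloud providers, configuration, secrets, management, and everything that goes with it. I worry that a lot of companies are honestly paying lip service to cloud security.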
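Jason Clark (40:54): That's, my answer to my own question is to think data security. Like it's about the data, that's what we're protecting. DocuSign, it's these signatures, these contracts, it's about the data, and in my conversations I feel the thinking on data protection is very immature, because people are used to the data being in the data center and having this big perimeter. And I think that's a very under-invested area, understanding where my data is and how it's protected? What are the risks there? What's the impact? How sensitive is it? Because it proliferates.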
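Emily Heath (41:31): It's those five questions again, right? It's those five questions: what's most important to me? Where is it? How am I protecting it? How vulnerable and at risk am I? And how prepared am I when it hits the fan? It sounds so simple when you break it down, but that's the basics of a security program. And it's different for every company. And it's hard to do, it's hard to discover all of that. Because those questions are loaded with assumptions that you understand where all your data is, you understand the assets that support it, and by the way, that they're all provisioned in the right way. Do they have all the security or all the access controls they should have? It sounds so simple, but I couldn't agree more. For us, I think translating a lot of that to the cloud is because obviously that's where a lot of the environment is heading.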
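Jason Clark (42:19): I mean, I think it's going to be harder at first because the cloud is not where the solutions are, but ultimately I think it will be easier for us. Like [inaudible 00:42:30], there's a lot we can do. So it's kind of a weird place temporarily, but ultimately, and in the future, I think we'll be really better off. So last segment, quick hits. Quick questions for you and just quick answers. Are you ready?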
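Emily Heath (42:54): I'm ready, bring it on.
Jason Clark (42:57): Okay. What is a talent or skill that's not on your resume?
Emily Heath (43:02): I'm a Reiki healer, a trained Reiki healer.
Jason Clark (43:05): Wow, that's pretty cool.
Emily Heath (43:08): Something completely different.
Jason Clark (43:10): I don't even know what that is. What is it, Emily?
Emily Heath (43:13): It's a hands-on healing technique.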
Jason Clark (43:15): Oh, cool. I'm going to research that. Second, if you weren't in networking and security, what would you be doing?
Emily Heath (43:23): I'd be a chef. I absolutely love cooking. I just, it's my jam, it's how I relax. I just love making people happy with food.
Jason Clark (43:34): And I'm a chef too, and this is a very hard question, but what's your favorite type of cuisine?
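Emily Heath (43:43): Oh, that's hard. Italian food is the best, so I've been perfecting my Bolognese recipe for about 15 years. I mean, I sometimes like carbs a little too much, but Italian food is where it's at for me.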
Jason Clark (44:01): Oh, mine is probably Asian. Just Asian, lots of Asian flavors. But we need to meet somewhere on the Amalfi Coast sometime, hang out and have some good stuff-
Emily Heath (44:15): Let's do it.
Jason Clark (44:18): And the last question, what's your number one piece of advice for a first-time CSO?
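Emily Heath (44:23): Oh, I'd say ask for help. As we talked about before, this community is amazing and there are so many people willing to help you on your journey. I wish I had asked for more help early on and been a little more humble to know that I didn't have it all figured out. And that's one big mistake that people coming into this career make, thinking that they have to know it all, to know all these moving parts. It's impossible. I mean, if I had to reverse engineer malware, I'd be the worst person in the world to do it, and I had really smart people on my team who could do that. There's no way I can know everything. So you ask for help, you ask for guidance. There are so many willing and incredible leaders in this CSO community ready to help you along your path, so don't be afraid to ask for help.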
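Jason Clark (45:17): I love that, that's great. So look, that's all the time we have. Emily, this has been amazing. And I love every conversation we have, and I think we could easily have gone for four hours. If people want to ask for help, if they want to engage with you for mentorship and so on, before I let you go, what's the best way for them to engage with you?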
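Emily Heath (45:44): Yeah, pinging me on LinkedIn is the easiest way. That's the fastest, easiest way. There are a lot of networks I'm already involved in, and as you know, Jason, I mentor and coach a lot of people. You spend a lot of time on this community too. And we can't take on 100 people, but what I like is if you have a path, a place you can go and ask, hey, I'm struggling with this thing, what did you do in this situation? By the way, I do that with CSOs all the time. If there's something I'm struggling with, I do the same thing, I reach out to a friend and say, look, this is something I'm really struggling with, how did you do it? So I'd say reach out to me on LinkedIn, ping me on Twitter. A lot of you already have my email address and my cell phone number anyway. But yes, I'm here for the community, and I also want to thank the community that has been there for me.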
Jason Clark (46:36): Perfect. Well, thank you for joining us, and thanks to everyone.
Emily Heath (46:40): Thanks, Jason.
Sponsor (46:43): The Security Visionaries Podcast is powered by the team at Netskope. Looking for the right cloud security platform to enable your digital transformation journey? The Netskope Security Cloud helps you connect users directly to any application from any device, safely and quickly. Learn more at Netskope.com.
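Producer (47:04): Thank you for listening to Security Visionaries. Please rate and review the show, and share it with someone you know. Stay tuned for new episodes released every other week, and we'll see you in the next episode.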