Gerald is the Chief Information Security Officer/Vice President for Sprinklr's products and corporate assets. In his prior role as Chief Information Security Officer/Vice President for LogMeIn, he was responsible for the security, compliance, and technical privacy of LogMeIn's products and corporate assets. Before that, Gerald was Chief Security Officer for Demandware, a Salesforce Company, responsible for security and acting Chief Privacy Officer and Data Protection Officer for Demandware's German subsidiary. Previously, he worked for Sun Microsystems, Inc. in various roles, including the Business Alliances Group of Sun's Chief Technologist's Office. He is a member of the Infragard Member Alliance Boston Chapter Board of Directors and the IT Sector Chief, as well as a National Subject Matter Expert for Infragard, and has served on the board of other national membership organizations. Gerald holds a Master of Science degree in theoretical physics.
Episode transcription:
[00:00:00] Gerald Beuchelt: So the cyber security industry has been in some ways a wonderful opportunity to really start to rethink some of the controls, some of the technologies that are being used. I think for us as implementing companies, there's been definitely a bunch of challenges the first couple of weeks of the lockdowns, really, where it's like, how can I actually make sure that my employees can still work? Like at all? Right. I mean, there were simple, or seemingly simple, challenges. Like, does everybody have a laptop? It's like, no, some people didn't. So how do you get laptops out there, in a time when there was really a shortage of laptops, because everybody needed one? Then going over monitors, webcams, right? The whole nine yards. There's a lot of those kinds of trivial things.

Thank you for listening to the Ivy Podcast, where we feature leadership conversations with thought leaders and industry experts. Now here's your host, Fred Obiero.

[00:01:04] Fred Obiero: Welcome to the Ivy Podcast, Gerald. I'm so happy to have you.

[00:01:08] Gerald Beuchelt: Thank you so much for having me. This is funny. It's like, I'm really doing this.

[00:01:14] Fred Obiero: All right. For all listeners that don't know you, why don't you give us a brief introduction about yourself and your role and how you ended up in information security?

[00:01:24] Gerald Beuchelt: My name's Gerald Beuchelt, I'm the Chief Information Security Officer at Sprinklr. We're a software as a service company, focusing on marketing tech automation. I just recently took up this position, so don't be too hard on me in terms of what's going on. I'm still learning. That's just part of the experience. I got into it in the nineties.

[00:01:49] Fred Obiero: What's that? I'll take it easy on you.
[00:01:50] Gerald Beuchelt: Thank you very much. I appreciate that. Perfect. It's definitely been a long journey for me in many ways, and it's been super interesting to see how information security, how the information industry in general, has been changing over the last decades. Literally, it started out in a pre-sales kind of situation a long time ago, which is something that I would actually encourage anyone, but especially people working in security, to really do at some point in their careers, mainly because it gives you an appreciation for customers in terms of how to deal with stakeholders, et cetera. I think that was a really important step. But really getting into information security, I got there over time, first focusing on interoperability between different systems. And if I look at interoperability, then security often plays a pretty crucial role in terms of moving those things forward. I then got ultimately into hardcore security by way of identity management, which again was something a little bit more of an interoperability kind of a play initially, but then dug deeper and deeper into it. I've now been at my third software as a service company doing the CISO or chief security guy role, which is obviously something that is particularly important for software as a service companies, given that customers trust us and our systems with their processes, their data, and their critical kind of business interactions that they need to do. And I think that is really important to keep in mind: that software as a service really needs to establish that trust with our customer base and then maintain it over time.

[00:03:38] Fred Obiero: You recently moved to Sprinklr after spending time at LogMeIn as Chief Information Security Officer.
And I think this is the perfect timing for us to have this conversation, because transitional leadership is something that's very crucial to the success of any company that somebody may be taking over, having transitioned from a previous organization. Talk us through some of the challenges that new leaders face when they transition into a new organization, and also the best practices on how to effectively deliver on key strategic goals.

[00:04:08] Gerald Beuchelt: Sure, love to. I think the key element here is to really understand, as early as possible and as deeply as possible, what that business is really about that you're getting yourself into. I always feel strongly about the idea that in order to be able to create a good security program, a good security strategy for any organization, you really need to understand the business objectives, the mission goals, whatever that organization does, to the last detail. Because if you do not align the security program with what the company or the organization is truly about, you end up missing the biggest point. We're not doing security just for security's sake, or because it's important, or because somebody else told us to. Well, sometimes we do, but at the end of the day, it should really be aligned with what the company does. So understanding the business, I think, is the first thing. This is something that anyone who's transitioning from one role to another should probably be doing as they go through the initial interview cycles. You've got to figure out: what is a company that I feel comfortable with? And that was definitely something that I felt strongly about when I started to talk to the people there, starting to look at how they've been building their business and what their overall objectives are. So that's the first step, really, and that happens long before you even start to transition.
Then, as it gets closer to starting, one of the things that I've done, and that I would recommend everybody do, is start reaching out to the folks who you'll be working with. Start having some discussions, if you can afford that as far as timing goes. Start to really dig one level down in terms of: what does the organization look like? What's the culture at the company? How are the people actually interacting with each other, and what do they think about security? Both the security team, but also the rest of the organization. For example, privacy: is that something that's important? How does it work? How's the legal team structured? What do they think about security and privacy? What do sales think about that? What is important to them? Do they see a lot of requests for security-related conversations or not? So really start to dig one level deeper. Obviously you have to understand the technology, there's no question about that. But one of the things that I always like to say is people, process, technology, literally in that order. As I start, I understand the people, start out with the processes, and then also start to understand the technology that you're dealing with as you move forward. That should get you right to where you start. And then once you start, obviously, there are so many recommendations from the Gartners, the Forresters, and the analysts on the planet, literally, on how the first hundred days for a CISO should look. And a lot of those are really good. Most of those have similar kinds of general approaches: assess the organization, make relationships with the people that you will be dealing with on a personal level.
Really understand how they tick and what they need from you. And then it really starts, as you move along, with starting to draft a security strategy in terms of what is most important. Look at the crown jewels of the organization: is that systems, is that processes, is that data? Is that a business relationship? I think all of those can be relevant in this context. And you really have to understand how you want to protect those things. And also start to really have a serious discussion about things like the risk appetite and tolerance, right? For fast-growing businesses that are moving quickly and that really do not have a lot of time, because there's a lot of market pressure on them, you may have a much bigger risk tolerance than large, established businesses that have a lot to lose. So you really want to find out, from a leadership perspective, from a board level perspective, where those lines are being drawn. What's the minimum risk appetite? How much are you really pushing for people to take risks? And what's the top level where we say, this is getting a little bit too problematic? All those kinds of things really need to happen almost in parallel. And then as you move forward and as you go in, depending on the size of the organization, you want to pull in some outside help as well. I would never claim in a million years that I understand enough about all aspects of security that I could really come in as the genius and, oh my God, find everything that needs to be found out. You want to have strategic assessments by the companies that know how to do this. You want to probably do some offensive security poking around the company, and not just a simple pen test, but really something that is full scope, so to speak, so red teaming.
You want to try to look at the threat landscape that the company faces. Those kinds of things, for me, come at a little bit of a later time, once you start to really understand what's going on, but they definitely need to be part of your planning process as well.

[00:09:04] Fred Obiero: If I go piggyback off of what you just said about some of the things that come over in the long term, let's talk about the 30, 60, 90 day timeframe for a leader, a strategic leadership. What are some of the things, to the extent that you can share, that are part of the 30, 60, 90 day implementation? Even though you have an eye to the strategic vision of the organization, what are some of those things that fall within the first three months of a transitional leadership?

[00:09:34] Gerald Beuchelt: I would say it depends a little bit, again, on the size of the organization and the complexity of where you go. If you go into a Fortune 10 company, there's a lot to learn. Learning is probably going to be a huge element of the first 90 days, just to really understand who the people are that you're actually dealing with. If you go into a startup with 20 folks, then meeting the people is actually pretty quick. That's a bunch of meetings, and then you're done and you can really roll up your sleeves and get to work. So I don't think there's a one size fits all. There's this typical thing that you would do for organizations of certain sizes, certain complexities, certain market segments. If I were to go into a highly regulated industry, like healthcare or government or what have you, the first 30 days would look somewhat different versus going into some larger company, perhaps, that is totally unregulated, that is just moving at the speed of light, pretty much, in terms of moving forward. So I'm always somewhat skeptical.
When it's like, oh, within the first 30 days you've got to do X, Y, and Z, and then in 60 days you're going to need to have X, Y, and Z achieved, et cetera, that feels too much cookie cutter. And I think it's not really a consideration of what I was saying before, which is really learning the business, really understanding what the motivator is for the company writ large and the individuals that are making up the company. But having said that, a couple of things you can do: like I said, meet the right people, meet your team. If you're coming into a security team, you really want to understand how the security team works, there's no question about that, because those are the guys and gals that you're working with on a daily basis. So what their motivators are, what their concerns and challenges are, I think that's most important. Get to know the team, get behind the team in any way possible. And depending on the size of the team, that can take some time. I think the next step then is obviously to work with the stakeholders, like I was saying before: legal, sales, finance, HR, literally across the entire company. Security tends to be a very all-encompassing discipline. Everything that we do can negatively or positively impact security. So you really want to make sure that you understand everything at the horizontal level, but also at the vertical level. You want to make sure that you get the opportunity to talk to senior leadership, to talk to the board, to talk to those folks that really have risk on their mind, in a language, in a way that is relevant to them. If you go in and say, well, I found X, Y, and Z vulnerabilities in my first week, it's like, yeah, good job.
But that doesn't necessarily mean something for somebody who's looking at how to develop the corporation over the next two or three years. So really find the right audience, find the right level, and talk to them. Then the second thing, like I said, is understanding the mid-term and long-term strategy for the company, understanding the business goals and the way the company aims to achieve them. I think that's critical in terms of moving forward with your strategy. So that could be in the 60 day category, if you want, really starting to formulate that. And then in parallel, really starting those kinds of external assessments that I was talking about: what does a really independent third party think about the overall security posture that we have today? How does that compare to industry standards? How does it look from an offensive security perspective? If we can start to phish people, how does that feel? Is there lateral movement in the networks? Do we have the necessary controls in place to prevent, but also then react to, potential security issues as they may arise? Going through all those kinds of things, that would be something of more than 90 days. And then it's really rinse and repeat. The threat landscape never stands still, technology certainly never stands still, people move on, business changes, customer expectations and regulatory expectations change on an ongoing basis. And with all those kinds of things, you really need to make sure that what you've done in the first couple of weeks, months, really adjusts appropriately with what you're doing in the long term.
[00:14:01] Fred Obiero: Wonderful. To me, the biggest takeaway from everything you just went over, and you mentioned some really great points, but the biggest takeaway for me is building those relationships ahead of time, so that when you hit the ground running, you already know how people react, what they like to do, where those needs for improvement are. I think once you solidify that, it makes it an easier transition. So that's one of the biggest takeaways for me, as far as what you just covered. Makes sense.

[00:14:26] Gerald Beuchelt: Yep. Yeah, I think that's super important. Right?

[00:14:31] Fred Obiero: The COVID-19 pandemic has made many organizations adapt their operations by transitioning into working remote for a large majority of the employees. What are some of the major risks that this sudden change caused to the cyber security industry? And what strategies did you implement to ensure a smooth transition?

[00:14:51] Gerald Beuchelt: So, the industry, I think... the cyber security industry has in some ways had a wonderful opportunity to really start to rethink some of the controls, some of the technologies that are being used. I think for us as implementing companies there's been definitely a bunch of challenges. The first couple of weeks of the lockdowns, it's like, how can I actually make sure that my employees can still work? Like at all? I mean, there were simple, or seemingly simple, challenges. Like, does everybody have a laptop? Some people didn't. So how do you get laptops out there, in a time when there was really a shortage of laptops, because everybody needed one? Then going over monitors, webcams, right? The whole nine yards. There's a lot of those kinds of trivial things. The network bandwidth on the last mile was an issue, and definitely in more than just one or two areas.
Literally hundreds and hundreds of people were going online during the day, some of them streaming, some of them trying to work, everybody transporting video signals in some form or another, and the bandwidth was sometimes not there, both at the residential or last mile, as well as at the VPN concentrators at some of the data centers, where companies were just set up to have people work from the office and not to provide a massive amount of VPN. So from that perspective, I think, depending on what kind of company, you went from almost zero work from home to a hundred percent work from home literally overnight. And in some cases I think there were huge logistical challenges, huge operational challenges, which were really part and parcel of the capability of the IT teams and security teams to move things forward. So it was really important to be very agile in terms of your rollout. I think those companies that most deeply invested in software as a service infrastructure, zero trust kinds of infrastructures, were really getting away the easiest. I remember at LogMeIn at the time we had pretty much everything on the business back end, wherever possible, as software as a service, with appropriate identity protections, et cetera, and then really moving things forward in the most efficient kind of way. So from that perspective, those kinds of things were most critical.

[00:17:30] Fred Obiero: I've spoken to some CISOs in the past, a bit on the podcast, on webinars, or just in conversations in hallways. One of the things that was a big challenge during the pandemic was when people were now fully working remote. Not all employees are going to be within the boundaries of, let's say, the United States. Some people may be in Spain. Some people may be in Cuba.
What are some of the challenges that come with that kind of a diversified and widespread workforce? Do you have bigger threats if people are working, let's say, EST hours, but they're based in Spain or somewhere in Europe? Is that an issue that you guys faced?

[00:18:09] Gerald Beuchelt: I would say, from a security perspective... I mean, from an IT perspective, logistics and coordination of meetings, time zone politeness to some extent, definitely was an issue as well. Hey, I've got to schedule a meeting. Oh, I never realized it was two o'clock in the morning in, I don't know, India or Australia or whatever. I think it happened to a lot of us who've not been really used to that. So that was really important, making sure that we were able to still continue working appropriately. I think from a security perspective, one of the things that was really a problem at the beginning was that we ended up being in a situation where we were no longer able to reach employees the same way we were able to reach them while they were in the office. In the office, we have digital signage, we have posters, we have outreach, we have little flyers, all kinds of ways of really interacting with employees in a very dynamic kind of a way, reminding them of their security responsibilities, reinforcing security awareness over and over again. And that kind of went out the window, again overnight. Along with the fact that a lot of people were really concerned about what was going on, from a health perspective, from an economic perspective, et cetera. So there was a lot of lack of focus, if you know what I mean.
There was really a lot of focus on other topics that were more important to employees at the time, to everybody at the time, so that security to some extent started to take a step back. And if you recall, the initial phishing and spear phishing activities and scams and ransomware that really started at that time were focused around the pandemic, around the lockdowns. The Johns Hopkins University map application, which was kind of silly in and by itself, was really successful in getting a lot of bad code on people's machines, because people were clamoring for information. So that breakdown of communications from the security teams to the individual employees in the very beginning of the lockdowns, I think, was problematic. People were clicking stuff out of fear, because they were interested in terms of what was going on, et cetera, et cetera. And those kinds of things really made it... I think we've adjusted fairly well over time, by changing the way we interact with each other, the way we started to do all kinds of online meetings, coffee hours on a Thursday afternoon, or just a happy hour, or whatever. Those kinds of things really brought people together. And I think that really made a difference in terms of the ability to reach out. I remember, back in the days long ago, we used to have security escape rooms, just to get people interested and playing around with stuff, really the classical escape room kind of thing. The team was able to move this over to a virtual escape room. And as a matter of fact, we ultimately replaced the boring computer-based training for employee onboarding with that virtual escape room. So I think there's a lot of good stuff that came out of it, but it definitely took a while to really get those kinds of communication flows going.
[00:21:43] Fred Obiero: That's interesting. I had never heard of the virtual escape room, but it's definitely something that I probably should try with my team here.

[00:21:51] Gerald Beuchelt: Yeah, no, it's great fun. And it's much more playful. The gamification of learning stuff, I think, has really been one of the best developments in terms of how we deal with security overall, going away from these, like, here's a half hour's worth of slides you've got to click through, which nobody did. Nobody paid attention, let's be real. Going to something where you really have to, in some form or another, interact with the material, I think that makes a huge difference with regards to how sticky the content ultimately gets, because if it becomes an interactive kind of a setting, it is much more of a topic that people engage with and then take more learnings from.

[00:22:41] Fred Obiero: IT and information security have been front and center for supporting workforces around the world. And at the same time, companies were dealing with business disruptions and loss of revenue. What recommendations can you share on how to influence corporate leaders to invest in cybersecurity when revenues may have fallen across the board due to the pandemic?

[00:23:01] Gerald Beuchelt: Oh, there's always the shortfall in budgets that we're facing, right? Whether it's a lockdown, a pandemic, an economic downturn. I mean, security is not the only thing that is relevant and important. There are many other aspects of a business that are very relevant as well, and that need to be balanced against security goals. I think what it really comes down to, like I was talking about in the beginning, is that an organization really needs to understand its security and risk posture. It has to identify for itself whether that's acceptable or not.
There are a lot of different ways in terms of how you can deal with a security risk. You can mitigate it in some form or another, by lowering the likelihood, or you can lower the potential impact an event may have, which is the traditional kind of way of looking at security. But you can also transfer risk, right? You get cyber insurance. Is that going to have an impact on your business if you have an event? Absolutely. But at the very least you're capable of recovering portions of, or maybe a lot of, the potential loss that you may be facing from a problematic event. You can also accept the risk. I mean, at the end of the day, if it comes down to being able to go to the market fast or securing your systems in the long run, sometimes you just want to accept the risk and say, look, we know probably something bad is going to happen on the way, we don't know exactly what it's going to be, we want to mitigate this to the extent possible, but we have to take this risk, because if we don't, then the risk of us going out of business would be bigger. So, long story short, that's how you would deal with these kinds of things. At the end of the day, the rationalization around whether I want to invest in security, or how I want to look at security, really comes back to this: where do I stand from a security posture, risk posture perspective that is commensurate with my goals? Is not investing in security something that I can afford? Because if you look at secondary and tertiary effects of what can happen, you may end up being in a position where losing your customers' confidence in your ability to deliver a secure service may ultimately take down your business. So these kinds of calculations really have to come into play. And based on that, I think it really then comes down to an investment decision: do we invest more in security?
Do we keep it even, or do we maybe even remove some funding from security in order to be able to fund other activities in the company? Having said that, I think one thing that's super important is that security and the threat landscape change on a constant basis. And I usually like to compare driving a security program to swimming up a river. You have to exert some force, you have to exert some strength just to stay where you are, otherwise you're going to be washed down the river. So if you stop, your security posture is going to go down over time, just because of the way things work. You have to really actively move forward. And that comes sometimes with additional investment, that comes sometimes with a restructuring of the kind of resources you have at the time, but standing still and just hoping that everything kind of stays the same is definitely going to increase your security exposure.

[00:26:41] Fred Obiero: Going into your new role at Sprinklr, what are some of the strategic initiatives that you believe new leaders should focus on to obtain buy-in from their teams and also to build a strong foundation following the negative impact of the pandemic?

[00:26:55] Gerald Beuchelt: I think what's really important at this point in time is to make sure that all the good stuff that we already have is fully accounted for, and that we can really align the business objectives that we have for the company with the security program itself. Security programs, like I said, never stand on their own. They're not in an empty space, and as the company moves forward and grows as quickly across the board, across a large variety of customers that we're serving, we really need to make sure that the security program supports these.
So for example, earlier this year we achieved FedRAMP readiness status for our product, which means that it is ready to be used in the context of federal activities, which is awesome. This is really great to see: the possibility of a much improved customer experience, not only in the commercial sector, but also for citizens, really making the interaction with the IRS or the Social Security Administration more pleasant. I know it can sound a little weird, but I think we can get there. But in order to be able to get to that point, it's obviously very important to meet all the kinds of requirements that are very different from a public sector perspective versus a private sector perspective, and security can definitely play a big role in this. So helping to move those kinds of strategic initiatives forward, I think, is going to be a very important point as we move on.

[00:28:36] Fred Obiero: Digital risk management is now at the forefront of business models with the increase of remote workers. What are some of the emerging threats that companies need to prepare for going forward?

[00:28:47] Gerald Beuchelt: So, I mean, it's usually, what's the crystal ball for 2021 and 2022, right? Let's predict. I think there are a couple of interesting trends happening across the board. What we are seeing, which is to some extent a result of the experiences that a lot of companies had during the lockdowns and the sudden explosion of work from home, is that the reliance on a utility computing model, like through software as a service, has shown to be very resilient. If you run your own email server from a basement and suddenly nobody can get to that basement anymore, because they can't go there because everything's closed down, that spells trouble, realistically speaking. And obviously it hasn't been that bad for most companies.
But that's the general kind of way to go on. If you instead are capable of really relying on the expertise and really the knowledge of service companies to provide you, like I said, a utility form of computing across critical business functions that you're not an expert in yourself, then I think that's a much saner model. So the security challenges around that are going to be: how do we now really integrate all these things securely? Because if we don't, then we see that employees start to go off and say, hey, I really want to do X, Y, and Z, but the company's collaboration platform or information sharing platform or whatever doesn't really support it. I'm just going to open up a new Google account and then I'm just going to put it on Google Drive. What can possibly go wrong? So making sure that the organizations are agile and resilient enough in order to be able to address the needs of employees, while still maintaining this high degree of resiliency across the business operations, I think that's going to be the theme and topic for the next couple of years, as we revisit our business continuity plans, as we start to really look more into making sure that security can actually help to drive those kinds of topics forward. And this kind of change, obviously, to a more service-oriented, utility-style computing does come with a bunch of changes. You can't rely on just surrounding everything with a firewall and calling it a day. It's just not working any longer. So you have to think about what is the new perimeter. And as I've been saying for a while now, as the firewall as a traditional kind of security control becomes less relevant, the identity of the users that are interacting with you is becoming more and more important.
So it's like securing the ability to identify the users through appropriate single sign-on, multi-factor, biometric, whatever is appropriate. And in this kind of context, I think it is really important. And then really making sure that all the applications that rely on things are capable of actually leveraging this kind of identity. And then starting to move. I think there are other things, just like we've seen that ransomware is just stubbornly not going away. So I think eradicating the ability is there, it's going to be hard. We've seen that patching stuff, as we know how, is at the same time we're seeing now how hard it sometimes can be to patch stuff. So, I think those kinds of operational excellence topics, they're going to be front and center for a lot of discussions as well.

[00:32:35] Fred Obiero: Earlier, when you were talking about how to handle risk, easily accept the risk, transfer, mitigate, and so on and so forth. It reminded me of how people handle risk in project and program management. And that's actually my background. And I was curious to know what role does project management play in your profession and what strategies have you utilized to ensure its effectiveness?

[00:32:56] Gerald Beuchelt: So, very good point. It's like, I think project managers are sometimes the most underappreciated team members in the security teams. I was like, I would make the case that if you have any kind of reasonably complex security program, security initiative to drive forward, you cannot do this without program management. That's just absolutely not possible, because like I was saying earlier, security tends to interact with a lot of parts of an organization or a company, right? It's like you have to talk to HR in order to make things work, you have to talk to finance.
It's like operations departments, like sales. Coordinating all those kinds of interactions with people who are more centered around the security, like driving the security technology, is going to be insanely complicated and it's not effective. It's like, if I have somebody who's really good at creating new infrastructure on AWS in a very secure way, I don't want them to do program management, because they're not very good at this and it distracts them from the stuff that they are good at. So I think every security team should have at least one project or program manager to help them organize those kinds of complicated tasks. Look at, for example, identity management across an organization, right? It's like not only setting up a single sign-on, but it's like including onboarding and offboarding processes for employees or contractors. Those are really complicated business processes you need to take a look at, that really affect pretty much the entire organization. And just relying on a really good security engineer is not going to get you there. It's like they may eventually be able to solve that, crack that nut as well, because they're usually pretty smart, but it'll take longer. It'll be harder and it won't be a pleasant experience. So I think that's why I love program management across the board.

[00:35:01] Fred Obiero: Gerald, there's a lot of questions that I can keep asking you, because I know you're a treasure trove of information, especially when it comes to information security. But I have one last question for you. This is one of the favorite questions that I like asking all my guests. What has helped you get to where you are, and what word of advice would you give to someone that wants to pursue a career that's similar to yours?

[00:35:23] Gerald Beuchelt: Oh, boy.
It's like what advice you wanted to give a dude for certain careers and we'll advise, like, that's an open question, but if you set your mind to it, there's a lot of things to peel on. You have to get engaged. You have to really get down and dirty in terms of what security means. You have to understand what's going on, but also keep in mind the whole thing about people, process and technology, right? This is not only about finding out what the latest, greatest mousetrap is. And then it's like setting it up as a security. You have to be interested in making sure that you become a teacher, mentor and educator, whatever, in terms of helping other people understand the relevancy of security as you move forward. So, I think, somebody who wants to get into this kind of general line of business, start to play with stuff, start to play with the system, start to play with processes, be interested in understanding how things work and sometimes also how to break them, because that's usually how the adversary works. And it's like, that's a larger topic. I was like, you have to think like an adversary. It's like, you have to think, how could I possibly attack X, Y, and Z? And then it becomes real. And then you can start to devise the second step, which is like, okay, now I know how to break things, to try to prevent them from breaking. I usually like to say that people ought to be passionate about stuff, and I still maintain that, but sometimes you also need to realize that when you're not particularly good at something, it's hard to be passionate about it, right? If you really stink at putting, I dunno, whatever together, then it's not as fun, right? It's like, as you really learn more about an area, as it gets deeper and deeper into it, it becomes more interesting. And you automatically, to some extent, hopefully become more engaged and more passionate about it.
So I was like, but seeing whether your engagement with security topics, with people, process and technology, actually gets you excited. If you see that that's moving forward, then it's like just fine. Then just follow your passion.

[00:37:44] Fred Obiero: Gerald, thanks a lot for coming on the show and sharing your insights with us. I'm really looking forward to catching up with you in the near future.

[00:37:52] Gerald Beuchelt: Thank you, Fred. This was a lot of fun and I hope to see you soon. Thanks.

We hope you've enjoyed this episode of Ivy Podcast. Please take a moment to rate, review and subscribe on your preferred podcast listening platform. And we really appreciate that effort. Until next time.