Welcome to episode 253 of the Nerd Journey Podcast [@NerdJourney]! We are John White (@vJourneyman) and Nick Korte (@NetworkNerd_) – two technology professionals with backgrounds in IT Operations and Sales Engineering on a mission to help others accelerate career progression and increase job satisfaction by bringing listeners the advice we wish we’d been given earlier in our careers. In today’s episode we share part 2 of an interview with Russell Swinney, detailing the role of the BISO (Business Information Security Officer), other types of executive leaders and their focus, how Russell builds trust as an interim leader, and advice for those seeking to get into cybersecurity.

Original Recording Date: 10-24-2023

Russell Swinney provides interim CIO, CISO, and CTO services for companies in times of transition or trouble through his company InterStructure. If you missed part 1 of our discussion with Russell, check out Episode 252.

Topics – The BISO Role and Path, Other Executive Lenses, Building Trust in the Interim, Cybersecurity Expertise and CISO Services, Advice for Those New to Cybersecurity and Parting Thoughts

2:58 – The BISO Role and Path

• We shouldn’t overlook the BISO role (Business Information Security Officer), which is essentially the CISO for a business unit or division inside a large company. This person’s job would be to embed deeply in the way the business is running.
  • The leader of the business unit is your partner in obtaining funding to keep the business unit running well. Russell says the BISO would be closer to the business than even a CIO might be.
  • The BISO is often overlooked but can lead to tremendous opportunities like a CISO role, a CIO role, a COO role, or even a divisional vice president role.
  • “They have to have an expert knowledge of every component, human and technical, and how to keep them functional, safe, secure…and it can be a game changer in terms of knowledge….They know how the entire division runs….In manufacturing, they know how the whole plant runs and works what it takes to make it run best. They are in the weeds of securing all those devices, which is a myriad things.” – Russell Swinney, on the role of the BISO in a manufacturing environment
  • Cybersecurity can become a profit center in the case of the BISO rather than just a cost center.
• The path to BISO can come from people with varying backgrounds (i.e. someone with operational knowledge who learns security, someone with security knowledge who learns operations, etc.). They need opportunity, mentorship, and training. In some cases they may need to learn people skills to progress into this role.
• John mentions we maybe don’t talk about the leaders of business units enough and gives the example of GE when it was the largest company in the world. Those different divisions of GE likely had different requirements for both operations and information security. It’s easy to see how specialization within a business unit could be a great stepping stone. Perhaps some companies would rotate people through different business units.
  • Russell says someone who has deep knowledge of the operations of a business unit being placed in other business units to expand their knowledge is on track to be president of the company.
  • Note we had one other guest who spoke of targeting leadership of a business unit, and that was Scott Egbert in Episode 227 (targeted the CFO of a business unit as his progression path).
• The BISO role was one Nick had not heard of previously (not having seen a job description for this anywhere).
  • Even the deeply technical person can pursue the BISO role and learn / go deep. It would allow that person to go deep into what makes the business work.
  • Moving to BISO is a move from cost center to profit center.
  • “It’s technical skills for a purpose, for a business purpose.” – Russell Swinney, on the deeply technical person who pursues a BISO role
• John and Nick have worked at companies which had business units with their own CTO (Chief Technology Officer). It would certainly make sense that there are other C-level roles within these business units, but John says it never really occurred to him. Would BISO be a job title or in the description of a job posting or perhaps something more general?
  • Companies may refer to the role of the BISO as Deputy CISO because it is similar to that. But a job description could reference either in title.
  • The O designating officer as part of a title is a big deal in the corporate world.
  • Some companies may have an ISO (Information Security Officer) and no CISO. This person (the ISO) would be responsible to the board as an officer for the security program. Some companies can get in trouble for this in compliance because they need someone at the Chief level (or executive level) driving the program.
  • Being named under director and officer insurance is extremely important for the CISO and other executives for protection and was a topic discussed at the RSA 2023 conference. Russell mentions the situation that happened related to this at Uber.
• What is the path to CISO / BISO from technologist or cyber specialist?
  • Russell feels the BISO role is excellent for a technologist who has been working with cybersecurity technology systems and programs. Some management experience may also be helpful here (but may not be required).
  • The primary focus for the BISO is the security of the business unit you’re in. People interactions are with peers up and down inside the business unit and with the main cybersecurity organization (likely central to the company).
    • A BISO would lobby for the security needs and tools of the division with support from the division’s president.
    • If you don’t have the people skills for a role like a BISO before taking it, the experience will help you learn them.
  • John and Russell agree some background in program management is very helpful to progress to the role of BISO.
  • A BISO might lead a DevSecOps team, for example, working to enable developers to build code rapidly that is safe to deploy.
    • “You want talent doing what talent does best and not getting slowed down by what bureaucracy does best.” – Russell Swinney

13:30 – Other Executive Lenses

• John wonders what other lenses might he also need to look at a business through which he has not been doing to this point.
• The role of CRO (Chief Revenue Officer) is something Russell has actually be doing for a while. He had incorrectly assumed the CRO was the financial person or was only concerned about money.
  • “In reality the CRO role is about ensuring the product and the marketing and everything is lined up right with all the right resources to deliver the goods to the customers and stacked in such a way that you have the short term revenue to get through to develop the long term vision….That just lines up perfectly with I’ve been doing as a business leader for many years.” – Russell Swinney
  • Nick thought it was a fancy term for a high ranking sales leader.
  • Russell tells us the role allows a company to move things around such that product is what customers actually want.
  • The ideal candidate for the role is someone with knowledge of customers and the technology stack.
  • This person doesn’t have to come from sales or finance but could be someone with a more technical background.
• We mention the CFO and other C-levels John has seen speaking about the business being managed through their lens. Even though they spoke about the business in this way it was for the same high level goal.
  • Russell stresses the importance of hugging a cactus when starting one of these roles as well. John says we need goal alignment.
• This goes back to conversations we’ve had about the CEO / board of directors setting the company vision which is then translated into lower levels of strategy and trickles down to employees (who we hope can understand how the work they do fits into the larger company vision).
  • Russell says the attractiveness of agile is aligning the CEO’s business purpose with the person writing lines of code.
  • Russel says we might be missing out if we’ve never worked somewhere that allows us to interact with executives.

19:09 – Building Trust in the Interim

• How does Russell build trust with the employees he is leading when stepping in as an interim CISO / CIO / executive leader and determine what the focus of the team should be? This advice would apply to anyone taking over as the leader on a team because unless the role never existed, someone was there before you were.
  • Normally Russell is pulled in to fix a problem (a direction, a structure, an issue with a process or technology, etc.). There is little to no trust at first, but there is also a sense of relief amongst the teams to see a new face.
  • “At the very least I’m not that person.” – Russell Swinney, on stepping in as interim CIO / CISO
  • One of the first things Russell will do is break down barriers and start hugging the cactus (seeking to make allies).
  • Organizations can go off the rails when talented people leave. This can often be due to poor leadership.
  • “To gain trust you have to earn it. It’s person by person. You have to be open minded. You have to listen to them honestly.” – Russell Swinney
    • Russell likes supporting the expertise people have and looks to them for guidance on how things should be done.
    • He will also support and protect the team from perceptions of other groups and organizational bureaucracy.
    • Making hard decisions is part of the job when Russell steps into one of these situations.
    • Russell earns trust by listening to everyone at every level to get their take on why the company got into the current situation and get ideas on how to remedy the situation. Russell can take notes from these conversations back to the board of directors who hired him and present solutions.
  • “I just talked to your people. They knew all along. The secret is that solutions to all the company problems were likely already solved by the teams, but their ideas weren’t listened to. That’s a key point.” – Russell Swinney, on listening and building trust as an interim leader and presenting ideas to the board of directors
  • Another challenge is motivating people over a short time period, which is driven by relationships.
  • Vision casting is also important. Russell tells us this is about describing a picture of how he sees things should look.
  • Lots of 1-1 mentoring is helpful to boost morale of employees, especially if the recent times have been challenging.
    • Russell highlights the importance of human beings taking care of one another. If there is a staffing shortage which needs to be addressed it is Russell’s job as an advisor to communicate the need and find the right resources so the company can somehow address it.
  • “But the other thing is…an interim CIO doesn’t come in because I know the answers….I just know how to work with people. I just help each person I encounter be better, be the person they know they want to be.” – Russell Swinney
  • “I’m not a respecter of titles, honestly. I treat everyone the same.” – Russell Swinney, on working inside big companies
  • Russell works with other leaders to understand the kind of person they need. One of the services he provides as an interim leader is hiring his replacement.
    • Upon arriving at a company in an interim situation, Russell begins to ask other leaders about the type of person who needs to be in the role / the type of person they want for the role. People begin to see Russell is helping them solve the problem for their benefit, which can disarm potential enemies.
    • Russell really loves it when he can find someone inside a company he is working with who is a perfect fit for the open role but who might need some polishing and maybe a little push. He is willing to help others develop to be effective in the role. Once the company realizes they have a strong internal candidate they may ask Russell to stay engaged longer to help with the roadmap he’s created for them.
  • “Tribal knowledge is both good and bad…. It’s great to know how things work internally, but there’s also a great deal of freedom in not being tied to some silly internal thinking….It’s about meeting the business need.” – Russell Swinney
  • As an interim leader, Russell says he is not tied to or limited by the tribal knowledge. Russell is known for getting problems solved quickly (often times short circuiting internal processes), replacing himself, and getting out.
• Do people ever ask Russell to come in and execute on a vision someone else was not able to execute?
  • Russell says this can be because there was a flaw in the vision, a flaw in the hiring process, or a flaw in HR that wouldn’t allow firing someone.
  • Russell likes to get the vision from the board to hear if they have a direction the C-suite is planning to pursue. If the company does have a vision, Russell will try to follow it. In some cases the company vision might need a minor adjustment to achieve what company leaders really want or to bring it into clearer focus.
  • Usually Russell is called in when there is a problem. He helps identify and understand the problem, bringing a solution set in to help solve it.
  • Nick remembers reading Ben Folds’ biography (A Dream about Lightning Bugs) and hearing about the idea of turning on the brown water so the clear water eventually comes out of the water spout (getting the bad ideas out so you can get to the good ones).
  • Russell says a company vision is somewhat fluid, and when the board meets together they will make adjustments as needed, even if they are very small.
  • John says someone may need to learn that visions are fluid, and they must be this way because current events cannot be projected forward.
  • “What I think is great about the vision statement is that it helps you align…Everyone in the company is making 100 decisions a day, from the smallest decision to the bigger decisions that require huge budgets…that affect how the company is working. So the vision allows you to align those generally.” – Russell Swinney, on vision and alignment with the simplification of decision making

30:44 – Cybersecurity Expertise and CISO Services

• Where did Russell’s expertise in information security originate? Since he’s providing leadership services in this area, we wanted to make sure we got the full story.
  • “When I started doing cybersecurity it wasn’t called cybersecurity. It was just called secure networking….It was just good technology practice at the time, and then it became…cybersecurity.” – Russell Swinney
  • Russell did technology consulting for CIO roles for 15 years, which included a great deal of security. As cybersecurity terms gained popularity and use, Russell went out and took the CISSP exam. He decided to not just advertise CIO services provided by his company but to expand it to CISO services as well.
  • Russell progressed as a technologist on the technical side and then in management. He added to that security information he learned along the way as well as cybersecurity certifications.
  • Russell stresses the importance of cybersecurity experience and understanding for CIOs in today’s world.
    • “You couldn’t be a CIO of a major corporation without having a thorough understanding of at least the concepts involved in cybersecurity….That was the bridge. You took the technical work you are doing and you begin aligning it with the concept of compliance or risk in an organization. That’s the thread that takes you to the C-suite for sure.” – Russell Swinney
    • John mentions there was absolutely a time before the CIO role was called out specifically despite someone doing that work already or having the expertise (analogous to Russell adding in CISO to his list of interim services).

34:02 – Advice for Those New to Cybersecurity and Parting Thoughts

• What is Russell’s advice for those wanting to break into cybersecurity? This topic came up at the North Texas ISSA conference Nick and Russell recently attended in the Dallas area.

  • Learn how to learn, and develop a passion for learning.
  • “Every day if I don’t learn 2 or 3 new things, I’m history.” – Russell Swinney, on learning and the requirement to stay current
  • Russell tells us he learns from those he mentors.
  • We should find something interesting or inspiring and dive into it, even if you end up not liking it. In doing so you may find something else you might want to pursue.
  • Seek out advice from peer groups and mentors for advice on where you should focus next in your role (i.e. perhaps a topic centered on AI, for example).
    • Russell mentions ARPANET and how it was going to change the world (and it did when it led to the internet).
  • Russell says one does not necessarily need to go to school to be in this field and that some of the best people are self-taught.
  • Cybersecurity beginners can find free training at TryHackMe.com.
  • Russell would encourage others to seek out mentors.
  • Work with others who are trying to learn as well. This can be very helpful. Russell says he learns new things visually and that he is a “shared people learner.”
    • “If two of us are learning something together, I learn so much better. And it’s more fun….Don’t write off the nerd next to you. They may have the answer you need.” – Russell Swinney
  • For those just starting out, Russell would encourage learning a specific technology and learning some popular acronyms and what they mean like IAM, IPAM, etc.
  • Russell likes certifications because they force us to learn something new and will pursue them now and then. They are not quite the same as real life experience.
    • “Certifications help as an indicator that you can learn. That to me is a big deal.” – Russell Swinney
  • Russell tells us cybersecurity frameworks are a great source for learning as well. Russell often takes a framework and digs into one of its foundational pillars (lots of detail in these).
    • The CIS framework may be a good place to start.
  • Russell seeks out resources where he can learn about current technologies and new ideas.
  • Russell enjoys going to technology conferences. He tells us that while many avoid vendors at conferences, he seeks out vendors with a passion when attending events.
    • He looks for new vendors solving interesting problems to learn about how they are doing it.
    • In addition to this, Russell will look at “old” vendors / existing vendors who maybe have not spent enough in research and development to see what may have changed. He wants to if these vendors have invested in innovations in their roadmaps since the last interaction with them. One example Russell shares is a vendor-sponsored briefing he recently attended that made him very excited about what the vendor in question has coming with their product offerings in the future.
    • Russell meets a lot of people at conferences and cites recently having met some mentees at the North Texas ISSA conference from which he has learned a great deal already. He also uses conferences as a way to meet peers in the industry.
    • Russell says they do a lot of cybersecurity happy hour events in the Dallas / Fort Worth area.
    • Russell also tells us he will attend a Data Connectors conference next, and you can check out the site and find one in your area as another cybersecurity community. This is what Russell would call a high quality sleeper conference and has both vendors and attendees at all job levels.
    • “People in leadership are not the ones with the most innovative ideas, so seek out those that are new to the field…or they’re new to being in a crowd…especially a crowd of executives….It may look and feel uncomfortable.” – Russell Swinney
    • Russell thinks introverts may have the best ideas, and many in cybersecurity are introverts. He tells us he can be an extrovert for a time and then needs to recharge.
    • John says in summary those who are new to the field will likely be the most sensitive to the lack of knowledge in others.

• “If you’re getting into cyber or you’re getting into any kind of new role, the fact is, even management, we’re all a bunch of knuckleheads. None of us know enough. We all need each other. So jump in. It’s ok not to know the right answer. It’s ok to ask questions. And if it’s ever not ok, you’re in the wrong room.” – Russell Swinney

• To follow up with Russell on this discussion…

  • You can find and connect with Russell on LinkedIn.
  • Russell also says if you see him at a conference, please find him and talk to him because he wants to talk to people.

• Mentioned in the outro

  • We call out a couple of conferences in the discussion, but they are part of larger cybersecurity communities.
    • ISSA or Information Systems Security Association – a global organization for cybersecurity professionals with local chapters in many places who sponsor events / conferences; it is a paid membership
    • Data Connectorsis another community group focused on cybersecurity which holds different community events, mainly in North America. They also have a newsletter.
  • Russell takes a very humble approach in talking to people at various levels across the organizations he is serving instead of just his executive peers.
    • In doing this, he is effectively completing the research needed to choose a proper replacement for the role he is filling on an interim basis and ensure his successor will meet the needs of the business and its people.
  • Confidence that the people working at a specific company already know how to solve the problems at hand is a call back to part of the reason Russell wanted to pursue leadership in the first place (after seeing many potentially impactful ideas overlooked). He’s giving people a voice by supporting their ideas at a leadership level. You can hear more about that in Episode 252.
    • A fresh face in leadership could be a chance to gain support we didn’t previously have. But we might not see the opportunities when leadership changes happen and should keep an open mind as we evaluate the effectiveness of the new leader(s).
  • The BISO (Business Information Security Officer) was not a role Nick had previously heard mentioned before this discussion.
    • This is likely to exist only in larger companies and is a true partnership with the operations leader for the business unit in question.
    • The BISO is certainly a business focused CISO (one of the two types Russell highlighted in part one of our discussion). Helpful skills coming into the role could be program management, people management, or project management.
    • There may be other technology leadership opportunities within business units like a CIO, CTO, or maybe even technology operations leader.
  • For those new to cybersecurity or trying to break into it, remember to check out Episode 239 and Episode 240 with Kenneth Ellington, founder of Ellington Cyber Academy.
  • Maybe another way to gain experience is to work for a consulting firm that provides interim type positions, even if it’s not interim CIO or CISO. Think about a specific project you can work with a company on for a time and then move along to other projects with other customers. This allows working with a wide variety of people and customers. Some recommended listening based on those who have worked for consulting firms:
    • Episode 229 – A Depth and a Breadth with Chris Williams (1/3)
    • Episode 230 – A Steward of the Community with Chris Williams (2/3)
    • Episode 231 – It Comes Back Tenfold with Chris Williams (3/3)
    • Episode 119 – Tinkering into Specialty with David Klee (1/2)
    • Episode 120 – A Time to Build with David Klee (2/2)

Contact us if you need help on the journey.