Ray Espinoza -- The AppSec CISO, Vendor Relationships, and Mentoring

Show Notes

For Security Pros & Business Leaders | Strategic Insights & Leadership Lessons

🔒🌟 When Ray Espinoza joined Chris and Robert on the Application Security Podcast, he gave a treasure trove of insights for both security professionals and business leaders alike! Whether you're deep in the trenches of information security or steering the ship in business leadership, this episode is packed with valuable takeaways. Dive in to discover why this is a must-listen for professionals across the spectrum. 🌟🔒

For Security Professionals:
1. CISO Insights: Gain a glimpse into the strategic mind of a Chief Information Security Officer. Learn from their real-world experiences and challenges in aligning security with business goals.
2. Career Development: Get inspired by the speaker's career journey and learn the importance of mentorship in your professional growth.
3. Data-Driven Security: Embrace a data-driven approach to security solutions, focusing on tangible results and measurable outcomes.

For Business Leaders:
1. Strategic Security Understanding: Learn how information security is integral to overall business strategy and decision-making.
2. Universal Risk Management: Gain insights into risk management strategies applicable across various business aspects.
3. Communication & Relationship Building: Enhance your skills in effective communication and professional relationship building.
4. Leadership & Mentorship: Absorb valuable lessons in guiding and inspiring your team, crucial for effective leadership.
5. Adaptability in Leadership: Understand the importance of flexibility and adaptability in today's rapidly evolving business landscape.
6. Data-Driven Decisions: Embrace the power of data in driving efficient and accountable business processes.

Why Listen?
👉 For security pros, this is your chance to deepen your understanding of strategic security management and enhance your interpersonal skills.
👉 For business leaders, this episode offers a unique perspective on how security strategies impact broader business objectives and leadership practices.

Don't Miss Out!
🎧 Tune in now for an enlightening discussion filled with actionable insights. Whether you're an aspiring CISO, a seasoned security professional, or a business leader looking to broaden your horizons, this podcast has something for everyone.

👍 Like, Share, and Subscribe for more insightful content!
💬 Drop your thoughts and takeaways in the comments below!

#SecurityLeadership #BusinessStrategy #RiskManagement #CareerGrowth #DataDrivenDecisions #LeadershipSkills

---

Remember, your engagement helps us bring more such content. So, hit that like button, share with your network, and subscribe for more insightful episodes! 🌟🔊📈

Ray's Book Recommendation:
Extreme Ownership by Jocko Willink and Leif Babin
https://echelonfront.com/books/extreme-ownership/

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Transcript

Chris Romeo: 0:00

We're privileged to host Ray Espinoza, widely recognized as the AppSec CISO. From his early days as a CISO to now, Ray's journey is filled with invaluable lessons, insights, and experiences that have shaped his approach to application security. We'll delve into Ray's initial challenges as a first time CISO, explore how he aligns AppSec with broader business goals, and uncover his strategies for fostering a security conscious culture within an organization. We'll also glimpse the CISO's mind on selecting the right tools, engaging with vendors, and the value of mentorship. Whether you're an aspiring CISO or someone passionate about AppSec, this conversation promises a wealth of knowledge. So, gear up for an enlightening discussion with Ray Espinoza. Hey folks, welcome to another episode of the application security podcast. This is Chris Romeo. I am the CEO of Devici and also the general partner at Kerr Ventures. So happy to be joined by my good friend, Robert, who is on this application security journey with me. Hey, Robert.

Robert Hurlbut: 1:45

Hey, Chris. Yeah, Robert Hurlbut. I'm a principal application security architect and threat modeling lead at Aquia. And yeah, what a journey, right?

Chris Romeo: 1:54

Definitely. I would love to spend about five minutes in witty banter, but we have a lot of questions for our guest, Ray Espinoza, today. So, Ray, let's just jump right into your security origin story. How'd you get started in security? Take us, take us back in time, tell us that story, and then bring us forward to where you are today.

Ray Espinoza: 2:11

Absolutely. So I had the honor and privilege of being at eBay in the very early days when people actually used eBay to buy stuff online before Amazon had Prime. It's almost amazing to even imagine at that point, but I started there very early in the year 2000 on the infrastructure side for the eBay. com. Uh, worked from, uh, engineer to team lead to manager, and after about six years of doing front end infrastructure, uh, for eBay. com, I felt like it was a bit of, like, this Groundhog's Day type of effect, where every day was the same, we always had, you know, small outages or issues, and just the variables changed, and it was right around that time that eBay had hired its first CISO. And, uh, one of my buddies that I had worked with who had been on the information security team at the time had approached me and said, Ray, you know, we, uh, we're building a security team now that we have our CISO. Um, you have all the relationships across the company, you know, you're a friendly guy, you understand how production works beginning to end. Um, we can teach you all the security stuff, would you come and build incident response and security monitoring for us? We feel that your background in operations and uh, availability and problem management, all of that would be extremely helpful to doing incident response. And at first, it took me like 30 seconds and in my head I'm like, ah, this is exactly what I wanted. Because I had read some Hacking Exposed books and I thought security is so glamorous and so cool and it's there's definitely something there and I was like, Oh, but do I want to change? Yes, definitely. Let's do it. And it took me again about 30 seconds of internal dialogue. And so that was really my cut into information security. And what an awesome ride that was having spent 10 years at eBay, having an opportunity to build incident response from scratch. We had an awesome partner. We worked with KPMG. At the time as well, and that enabled me to put some structure in some place, filling out what I had known and what I had done on the operation side and applying that to security and then learning from that, bringing on an MSSP to do like first line triage and monitoring and then building security operations center at eBay. Uh, and then continuing to expand off of that, but that was really my run into security and it just started with infrastructure.

Chris Romeo: 4:25

Who was that, that eBay CISO? Swear I've heard, say it again.

Ray Espinoza: 4:31

Dave

Chris Romeo: 4:32

Okay. I think I've heard him speak at different events and I just couldn't remember who it was. I'm like, I've heard the eBay's first CISO speak. So, okay. Very cool.

Ray Espinoza: 4:42

Kolaning? There was a few other folks who had a similar type of role, but they weren't necessarily given that title. Um, but, uh, but yeah, I mean, when I started, there were like 300 employees at eBay, and when I left, there were like 14, 000. Um, so it was, you know, huge growth during that 10 year journey.

Chris Romeo: 4:59

now in your role as a CISO today, do you take lessons learned all the way back from what Dave was doing at eBay? Like, was there, was there like, is that the foundation of, of your CISO career today?

Ray Espinoza: 5:14

Uh, it's interesting. I feel like I take little bits from so many different leaders that I've had along the way, and yet I still made my own mistakes, and some of them were sort of guidance and whatnot that I was warned about, and at the time I felt like I was doing the right thing. Um, but I learned lots of great things from Dave, uh, in the very early days around, you know, being able to get, um, you know, executive team buy in and, and how to drive communication and really how to build a high performing and high caliber team. Uh, and I look back at that time, I see, like, my goodness, you know, there's, uh, many folks that were part of that eBay security team are, you know, a large part of, like, who's who in security now that have gone on to do some really cool things. Um, but, um, you know, I spent time, four years, at Cisco Systems. Working with folks like Gavin Reed and, and, you know, other folks, and, you know, again, it's, it's really those little bits that I have learned along the way. Um, my first CISO level role was over at Proofpoint, and that was in 2015. Uh, and, um, I still had all these grand visions of how things were going to work and, and it was a really interesting journey for me in that I'm a clear, honest, transparent guy, you know, I like to go in and just say what I mean and expect that everybody there in the room is going to have that same level of, uh, of buy in of like, they're just going to say what they mean, we're going to be honest, we're going to be transparent and how naive sort of looking back, but it was such, you know, a great experience Uh, for me in, um, in just, you know, making mistakes and making assumptions and, uh, and really having to learn along the way. I mean, one of the, the first things that I can think of where, uh, you know, was such like a big miss for me is, you know, as I go around and I'm trying to build relationships and get to meet each of these different general managers and, and different leaders in each of these different business units. You know, I would always ask what, what do you need from my organization and how can I be of service to you and having that conversation and feeling like I had, I walked away with a decent level of understanding of what they needed and, um, and whether it was, uh, what they wanted me to hear or, uh, or it was just what I had heard as a part of the conversation. One of the first failings that I had was to go back and to validate. Uh, you know what, Chris, this is what I heard you say, and this is what I'm planning on doing. You know, how does that sound? Are we still aligned? Did I hear you right? Um, so, and you know, it was basically, like, the three of us have a conversation, and I walk away thinking, here's what we're going to do, and they're not going to hear about it again until we're in front of all the execs in the leadership team meeting, and I'm going to talk about my overall strategy, only for them to be like, uh, that's not going to work for me. Uh, that's not what I signed up for. Uh, this is not going to work. And so that, that was one of, like, the first early failings. That I've since taken with me is just not circling back and, and really not making sure and validating that what I had heard and what my plan of action was, that it's still aligned to, A, what do they care about? And B, it's, it's going to move the needle tangibly for us as a part of our overall strategy. But that, that was one of the, uh, when you're standing on a stage and you figure out you got it wrong and the amount of heat and pressure that you feel from, uh, from other folks in the room, it was, um, it was a, a teachable and growing moment for me, for sure. Transcripts provided by Transcription Outsourcing, LLC. Transcription Outsourcing,

Chris Romeo: 8:26

You only have those happen one time, in most cases though, because it hurts so much, it's like, I'm not going to let that happen again, I'm going to make sure I have the solution, so. I've always wanted to ask a CISO this question, so this is a new segment called Ask a CISO. I just made up on the fly here. What um, how much, how much of a CISO's job is security? versus everything else that you have to do with. Like, I've always, and I'll tell you what, I'll give you my kind of imaginary answer, because I've never been a CISO. Um, I've worked with CISOs and whatnot, but just, I've never been in the role. And I would guess it's about 50 50, and that is a complete guess. Now, Robert, what's your guess? How much time does a CISO segment here, how much time do you think CISOs spend on security versus all the other things they have to do?

Robert Hurlbut: 9:21

I'd like to think maybe even 70, 30, but yeah, probably reality is more like 50, 50, or sometimes 40, 60, because, uh, you know, in terms of, of interacting with others in the business and, and, uh, and so on. But, um, yeah, I'm interested in knowing as well.

Chris Romeo: 9:40

All right, Ray, enlighten us.

Ray Espinoza: 9:42

Um, so I'm going to caveat this and say that it's slightly dependent on the size and maturity of the company. Uh, I've, I've been at, you know, uh, pre seed or seed startups all the way up to extremely large fortune three companies. And, um, and it's, it's quite a bit different there. So I would say it's probably closer to 50 50 on average, but maybe most of the time, even 40 60, you know, as a, as a CISO and a leader. Uh, you know, I found that if I surround myself with people that are a lot smarter than I am or just awesome in, in different ways, we're collectively stronger as a group, but it enables me an opportunity to get out of the way and let the magic happen from them, be here to clear roadblocks. But a lot of those roadblock clearing and strategy and, and driving roadmap and, um, evangelism and whatnot, I'm, I don't know how much I would consider that, you know, security as a whole. And again, if you said how much time hands on keyboard security, You know, is that I would say, well, and my current company, where we're a series a, uh, a startup, it's probably like, um, 70, 30, 60, 60, 40 or so, but, but quite a bit less, you know, and some of those larger, larger companies, just because there is so much that's required for the organization, the security organization to succeed, it requires lots of relationship building and relationship maintenance and driving communication and seeking feedback and a lot of those soft skills that really are required to get buy in or to validate that we're continuing to win and move the needle. Thank you. I don't know how much of that is considered, you know, real security, but it's 100 percent necessary because I've asked me how I know when you don't validate and you don't have those conversations, you don't build those relationships in time of need. It's really tough when you, you know, try to dial your lifeline and nobody's there to answer.

Chris Romeo: 11:28

Yeah, I guess you, you really just need enough security knowledge and experience as a CISO to be able to interpret whether somebody's telling you the truth or not. Is that, uh, would you agree with that statement?

Ray Espinoza: 11:42

I think there's definitely, you know, you need to have a BS meter, uh, and try to understand if folks are trying to prolong or delay or trying using, uh, uh, lots of words to try to say like, uh, you know, I got a little busy or maybe I was a little lazy or something's not really working, or we can't really support you in this way because of all these other things that you just don't understand. So I think having requisite understanding around Um, what we're trying to accomplish, what the problems really are, and what that goes into. Like having a background on the infrastructure side, which included some network, you know, earlier in my career as well. It was great in having some of those conversations, because then you can kind of spot like, Oh, you know, we can't do this, we're doing, we're taking this maintenance window, we're doing these things. And I'm like, hold up, wait a minute. Maybe things have changed in the time since I did it, but it's still these things, right? Yeah, but, and so having the ability to kind of wade through some of that, there's always going to be pieces of that, but, you know, again, I'm a big believer, if I can spend time investing in building relationships and getting back to the core of who I am, is just being honest and transparent, and let's be real. You have things that you care about, I have things that I care about. I know that we can't do everything, so what makes sense for the business for us to accomplish together? And can we align on that? And then we can be transparent with everybody else around that decision that we made. Having, like, getting there, I feel, is what, you know, what really matters. But also being able to challenge each other, too, of like, yeah, that doesn't seem off, or that doesn't seem right, or Come on, Robert, are you serious? Like, that's, I know you're telling me this, but I'm, I'm not, you know, I'm not picking it up. So you definitely have some of those, but those relationships, that's where they, they really come into play.

Chris Romeo: 13:18

think in this conversation, I'd be the one telling you the story. You'd be, it would be like, Robert, give me the straight answer here. What, uh, what this guy's got to say to me here. So, but I've also heard you talk a number of times already here about your team and the power of your team. And I guess, If you have a strong team that you've built around you with knowledge and experience and security and technical ability, you don't have to be the expert anymore because you trust them to be your eyes and ears, to be the people that are out there making things happen from a technical perspective. And they likely have the knowledge and experience to be able to do the deep technical things. But by having them and having a high performing team, you can work on those relationships and connecting with other parts of the business and, and buy in and communication and metrics and all the things that define your success while still letting them do the things. That maybe earlier in your career, you thought were the fun parts of doing this stuff. You can enable and empower other people to be successful.

Ray Espinoza: 14:25

That's 100 percent right. And really, I mean, when you think about surrounding yourself with senior level people, principal level people, that's where, you know, you validate their assumptions, you make sure that we're aligned on where we're headed. And then again, get out of the way, clear those roadblocks. But it's also extremely important to continue to develop your bench strength, right? You're bringing along Uh, you know, interns or new college grads or folks earlier in their tenure, maybe not necessarily even in their career, but you're still providing them just enough guidance and support where maybe they can make some of those mistakes, which I think we all agree, sometimes are pretty helpful in overall development, uh, without like a catastrophic failure. But, you know, so there's times, you know, the new college grads or interns, you're very pointed. This is the expectation. This is the outcome here. So I believe that you can get there. If you think there's another way, fantastic. Let's talk about it. I'll let you know if I agree and we'll continue to go. So it's, you know, it's almost like parenting. I have four kids, you know, two in their, you know, mid twenties and one in high school and one in elementary school. And they're all a bit different in the relationship and their personalities and how they need to receive feedback. And I find that very similar to how, you know, I've had to lead different teams of, you know, you treat them slightly different of what's really going to hit home for them. And, you know, having to work through a problem or having to work through some feedback, the approach. You know, it's slightly different in the way that it's delivered and, you know, I found management and leading very similar to that and just leading with a ton of empathy and honesty up front. And then, you know, being able to call BS when I feel like it's, it's not there and we need to move past

Chris Romeo: 15:57

And Robert, I swear we're going to get to the application security strategy question. That's coming up next. I got one more based on something you said though, because you were talking about bench strength and, and interns and, and growing your pipe, having, I'm going to assume this is kind of a pipeline, a talent pipeline, I guess, coming into your organization. Very seldom do I hear people Talk about that and, and have a strategy. I mean, everybody would tell us if they were here. Oh yeah, we do. We have a strategy for that, but you're, you're talking about it and it's, and, and the way you're talking about your team and all these other things, it's making me think you have a more in depth approach to this and so. Are you of thinking about the bench on like a year to year perspective about how you're going to grow the team and grow capabilities and you're bringing some percentage of new people are coming in from college? Like, tell us more about that strategy because the way you're talking about it, I think there's more to it that people can really learn from.

Ray Espinoza: 16:56

it. And so I'll caveat this with, you know, how we're currently operating at, you know, our, our small startup of 30 people where I joined at employee 11. We think about it slightly different, um, because the needs of the business are different and every single individual hire is so much more impactful. But if I take it back to, you know, when I was at Cobalt. io or if I, when I was at Cisco or, or even at, at Proofpoint, understanding where does the business want to get. And being able to chart a path to ensure that we can support the business to get there allows us to say, okay, that's the end goal. Now, let's work backwards from there. And what do we need from a resourcing perspective? Does a business want us to be somewhere where we feel like we don't have the expertise to be able to deliver? Or is there a large gap? Is there a large item on the risk register that we feel like we There's no way we can help the business win and get to where they want to get to and have like this risk, this gap, this, this issue that we haven't been able to address. And so thinking about filling that gap, you know, I think is critical. And so I end up thinking about that really on like an annual basis. You know, deliver on a quarterly basis, but think about like the year and staffing and whatnot on an annual basis so that you can make small pivots and changes as the landscape changes, as the business changes. You know, I was at Medallia prior to joining my current startup, and I didn't expect we would get acquired by private equity, you know, a few months into my tenure there. And so that drastically changed, uh, You know our overall strategy and approach. So those types of things definitely come into play, but when you take a step back, you can't just hire as awesome as it is to surround yourself with a bunch of super ninjas. It's equally important to remember that, hey, we were all those young folks or, uh, you know, making a career switch or had this, you know, knowledge and expertise, but weren't security experts by any means. But we were hungry for that knowledge. How do we continue to grow folks into that role and allow them, you know, so as our senior folks, maybe they move on to become CISOs. Maybe they move on to, uh, an additional technical path or they just. Decided to do something different. The business isn't falling over because we had one critical person and we weren't thinking about, you know, redundancy and, um, and, you know, overall backfill. But, uh, again, you know, if you take a step back and, and thinking about that, it's, it recognizing you can't, you can't hire all senior. Uh, and I've also had the, the privilege of hiring folks directly outta college or having folks, uh, come in for their internship and just be completely blown away by. Either their technical aptitude or their ability to learn, and maybe even more important, thinking outside the box. I can think one of the best hires that I made of a new college grad who I continue to be just wowed back at Cisco. Um, you know, he was, uh, maybe he was RIT or there was some, you know, very prestigious and awesome college that he came from. Um, but like he just continued to deliver and continue to learn and continue to, uh, exceed our overall expectations for somebody who was a new college grad. And sometimes you find those folks along the way and you want to, um, you know, nurture them and help put them in a path. So they continue to feel challenged and there's training and they have opportunities. So they stay, um, and just thinking about it in that same direction. And maybe not everybody comes along like that one individual. But surely you can continue to, uh, hire folks, continue to mold them, provide them support and guidance and training and watch them grow into these other roles. I have another person who, you know, I, uh, came in as an intern and then I was able to hire as a new college grad and recently became a manager. And, you know, the dad in me wants to help celebrate some of that. You know, I get tears a little bit even, you know, when we had that conversation. But it's awesome to be able to think, you know, you can give somebody an opportunity. And drive them to success. So it still comes back to business outcomes and how do we best support that. And then, you know, what's my salary cap that I get to work with, you know, using that sports analogy, you know, how do I, you know, gamble or, or kind of bank on some of these younger folks, if we can surround them with the right amount of support, we can grow them to be, you know, what the business needs.

Robert Hurlbut: 20:48

So you mentioned several things there that kind of related to this next question, but how do you align your application security strategy with the broader business objectives of the organization?

Ray Espinoza: 21:00

A lot of it comes down to having conversations with the different product teams around how do they view bugs and when, how do they, how does work come in and how does work get out and what's the most impactful thing to them while they're trying to develop new product. And again, this was something that I ended up learning, you know, during those early proof point days and making all these assumptions of like, you all care about security, right? So clearly we're going to do X, Y, and Z, but getting a good understanding of if we identify vulnerabilities after a product shift, uh, and. And we find it in the pen test or it comes through our bug bounty program. How impactful is that to the business? And is it, and depending on that, can I sell you on the ability for us to go beyond some of the compliance based trainings of ensuring that our developers know how to develop securely and they know how they know what a fix is for some of these vulnerabilities that are coming in and can we get iteratively better over time and, um, developing code more securely. both from a training perspective, from additional tooling during that development process, so that we can limit the amount of interrupt that the product team experiences while they're trying to deliver features overall. And so that was ultimately what I came to to get much better buy in of like, I want you to have less bugs, less security bugs that are coming in after a product shift. So what are the best ways that we can do that? And then being pragmatic from there, I made the mistake again, early on of like, let's do all the things like let's, let's get security tools plugged into the IDE. Let's make sure we do training, you know, let's, let's add security tests to the, uh, to the pipeline and trying to do all of those and having, you know, like developers, you know, um, you know, basically call a strike and say like, you know, we can't operate under these conditions. We need things to change. And it gave me an opportunity to kind of pull things back and say, well, what are the things that you care about? You know, what are you incentivized by and how do I align our security needs as close as I can to those first? And, you know, depend, that only goes so far and then from there of like, well, we all care about security. We care about not being on front page of, uh, of the, you know, Wall Street Journal or those things. Now, these are some of the things that I, that we can practically do. And if we roll them out in phases and we validate that they're having the intended results. Can I continue to get buy in and can we make iterative improvement over time through there? Um, and so that's, that's what started to help, uh, me really move the needle on getting AppSec much more, um, of an accepted program overall with different product teams as kind of leading from there. Uh, and then just being smart about it, getting, uh, developer feedback early on of like, we're rolling out this thing and here's what we need you to do. We've rolled out this thing, how is it working for you and how can we make it better for you? You know, recognizing that the business needs to win. Devs need to write code, but what I've found many times, a lot of them are like, I would love to write secure code. Sure, I've just never been given the opportunity or not really given the training. Can we do this without adding huge amounts of overhead? Or maybe bite sized chunks works. What do you all think? And not making those assumptions for them, continuing to get some of that feedback. And then, you know, building programs like Security Champions and whatnot. You know, those are all things that continue to reinforce and reiterate. But gosh, again, it kind of goes back to those central themes of communication, buy in, validation, and then just being pragmatic with our approach to rolling out new capabilities.

Chris Romeo: 24:16

and I've experienced the same thing. Developers are craftspeople. At the end of the day, they want, they don't, they don't want to write bad stuff. They don't want to write buggy stuff. They take pride like the, the, the, I mean, there are probably some people that don't care as developers, but in general, the people that I've worked with, the people that I've known, they take pride in what they build and they, if you, if you provide them with something they can use to improve their output and their product, then. They, they almost always get behind that idea because they, like I said, they want to be, they want to be the best. They want to build the best and they don't want to, they don't want to be known with something that was insecure.

Ray Espinoza: 25:00

Absolutely. Well, I will add just one small point that there are some who say exactly what you said. I care about what I write. I stand by what I write. But they're not incentivized, uh, to, to do other things, like if their, if their quarterly bonus is tied to these specific deliverables or these specific goals, and none of these happen to be security. Then it's tough to get that buy in. I've had very, you know, tough but honest conversations of like, I would love to help, but this is, if I do this, it takes away from my opportunity of, of getting 100 percent of my bonus. So then that's an opportunity for me to go and say, how do we get this as a goal that is also included? And once, you know, um, I've had that fight at a couple of places of taking that up to either the CEO or, you know, GM of a product group of how do we get this as a goal that people, Actually have to work towards here's how it affects the business positively and here's how your folks can gain buy in I've had to go that route as well because I'm many times They're like I would love to help but I can't

Chris Romeo: 26:00

Yeah, and we're putting them in a challenging situation.

Ray Espinoza: 26:04

absolutely which I have a lot of empathy for

Chris Romeo: 26:06

I can take my kids to Disney World, or I can fix your security bugs. Those are my choices. Like, I mean, I don't blame them. I mean, that's, that's, I get why they're saying it's not their fault, it's the system's fault. That it was set up in such a way to, to not make security an incentive. So I think that's, that's something that, uh. Sounds like, you know, you, you've had some good success in approaching that and, and adjusting, getting those policies changed by helping

Ray Espinoza: 26:34

after a lot of failure and a lot of wrong turns Finding that that right channel that seems to to address that that definitely helps Absolutely.

Chris Romeo: 26:45

Let's switch gears a little bit and talk about tools and technology, because I'm always curious, given that you hear stories about the average CISO has, I don't know how many different tools and technologies they claim now and in the surveys, but it's never, it's never like, The average CISO has three tools. It's always like the average CISO has 47 different tools in their tool belt that they use to, to, you know, improve security or whatever. So, like, from your perspective, how are you evaluating, how are you choosing the right tools for your organization?

Ray Espinoza: 27:21

Um, I've learned to adopt an approach and I can't remember if it was just prescribed to me or, um, or how it really came about. But ultimately, trying to tie back what problem are we trying to solve? Every tool or every new piece of technology or every dollar spent towards security should have a reason why. I should be able to stand in front of any sort of committee, the ELT, the board, and said, we made this investment because of this problem, and we were measuring success in this way, and here's how we know whether it's working or not. And so those are the things that, um, that I've, I've worked towards, uh, ever since kind of picking through some of that, of working towards basically a business proposal and a write up. But it usually starts with, there's a problem we need to solve. Or, we don't have anything and this is Greenfield and the business wants us to get to a SOC2 Type 2. So here's the pieces of technology that are going to be required for us to meet some of those controls. And so it really depends on what that driver is, but ultimately it's still the same. What problem are we solving? Um, how is this solution going to fit? Um, what other solutions are we looking at? What does success look like when we're done with an evaluation? How do we believe this is the right solution that's going to work? And then how are we going to continue to measure success? You know, if we're going to put a WAF in place and we expect it to block, you know, X percentage of attacks or categories of attacks, etc. We should continue to measure that so by the time, you know, six months in, three months in, I can stand up and somebody says, hey, you're spending half a million dollars with, uh, insert your WAF provider here, you know, is, you know, are they actually doing anything? And I've been that guy in the room to be like, I think so, but We're not 100 percent sure. And now I've since learned, you know what? Yes, here's what we, here's how we were measuring it. And here's what the impact has been compared to last year or whatever. And so, um, that's the overall type of approach. Um, I love looking at it also from like a risk register perspective. And so we're really solving problems that, that are driving real risks towards the organization. Again, those other ones are, yeah. Compliance driven. And then that last piece really ends up coming down to, is there something new, cool and innovative that, you know, I don't have to wait to be in an accident, uh, you know, down the road and I know it's going to happen. I don't have to wait to get there to, to realize I need to make a change or do something different. And, you know, I'm. I have the opportunity, I'm an advisor for Wild Ventures and for a few other VCs. And so that gives me an opportunity to talk to, um, you know, founders who haven't even developed a product yet, but they're looking at solving specific problems. Or maybe they've come up with an overall approach. They want some validation that's afforded me an opportunity to be like, wow, there's been like very little innovation in this space. And you, you all are onto something. I think I want to be a design partner. I want us to be able to solve this problem because I can think about it. CISO, and the problems that I've had in previous life, and then what I also need now. And so, some of that is also sort of opportunistic in a way of, you know, big problems that many of us have where there's not great solutions out there. So, it ends up being sort of a combination of those three. But still, even if I'm going to bring in anything as a design partner, it still comes down to... You know, why, what problem does it solve? How are we going to measure? And, um, and then we should be able to have the data to be able to tell the tale. It can't be anecdotal. Ask me how I know, uh, you know, I've learned that lesson.

Chris Romeo: 30:44

Yeah, and I think that's a, that's a formula for many things beyond tools, right? Of, of understanding why, and then understanding how you're going to measure the impact and then being able to report on that over a period of time and, and justify whatever the decision was that you made. I mean, that's a framework for solving a lot of different things in the business world specifically.

Ray Espinoza: 31:08

Absolutely. And being honest, when something doesn't work out, we had everything we thought lined up, and it's just not meeting, or the problem changed, or we didn't understand the problem. I just, again, leading with a lot of honesty of here's the assumptions we made. Here's what the data told us and here's what it ended up coming out to. And so this was a miss. And so here's now we're going to pivot and we're going to address it in this way. Again, you know, I find just being honest and not trying to make a bunch of excuses. Uh, it leads to, you know, a lot more credibility and a lot more support overall, because everybody knows nothing's perfect and no one's going to be right 100 percent of the time. Um,

Chris Romeo: 31:45

you're not offering that of, well, it just felt like it was going to be the right solution. It feels like it's the right solution. I mean, how many times in our careers have we heard people say that though? And it's like now I think all of us have been around the block enough times where we're just going to look at them, look at them and say, wait, what? Come on, you can't feel like this is going to be a solution. There has to be some data that's backing up whatever you're trying to say. There's no feelings, like feelings are great, but there's no feelings when we're making a purchasing decision.

Ray Espinoza: 32:16

absolutely.

Robert Hurlbut: 32:19

So talked about tooling, uh, and, and picking tools and so forth, but thinking about the other direction, uh, coming from outside. So a vendor who's wanting to pitch their products, what's the right way for them to, uh, do that, to approach a CISO and pitch their own products? Mm-Hmm?

Ray Espinoza: 32:40

So first I'll say there's probably not one right way, um, that I can talk about a few ways that, uh, that folks have been able to reach me. Uh, one, I'll also caveat and say I'm now at a security, uh, you know, provider and I also have at, at numerous times in my career, I have a lot more empathy for folks, uh, you know, reaching out, um, and being on the other side of the table of, of trying to, you know, establish contact and grains, gain some level of credibility and whatnot's a lot of what I talk to my, uh, go to market team, you know, here at our current company is how do you build trust? And so something that's continued to work with me really over the years is somebody taking the time to really meet and, um, and. Not be so focused on just making the sell but trying to one understand are there problems that I'm willing to talk about and are they actually willing to listen or are they so excited that, you know, they're waiting for me to finish my sentence so they can talk about their product and be, you know, right in there, but, you know, get those folks who have taken the time to either. maybe slow play building a relationship. Um, those are ones that even whether they're still at that same company or they move on to somewhere else, if they've taken that time to just check in, ask questions, be honest, be professional. Um, those are ones that I will typically make time to continue to have conversations with. Um, there are others who, you know, will, will just say, hey, you know, no pressure. Would you invest 15 minutes and then be honest and schedule 15 minutes of like, we'd love your feedback on just the approach. And if this is something you're interested in, great. If not, that's totally okay as well. Um, I've had some of those of like, you know, we want some validation. And if it's at an area where I have either, I've experienced pain, or I have deep expertise, or like I mentioned before, I'm just sure, you know, this area is right for me. For innovation, I may take the time to, you know, to learn. Um, but there's times where I'm just busy, you know, like I'm, I'm busy with the day job, busy with the family. Also coach high school football, you know, like this doesn't afford me lots of time to just, to give it away. Um, and so, um, you know, sometimes I just, I'm trying to be honest and I try to be quick if somebody reaches out and they say, Hey, we want your time. It's just not a great time. I'm really busy, but maybe come back in a few months. And, you know, I've had folks, you know, be like, not all that awesome, even with that, you know, response from, uh, from me. And they're like, Oh, well, clearly you don't care. Or, you know, they say things like that because they're upset, you know, like they're not going to get the meeting or whatever. That's definitely one quick way to get blackballed. Um, and, uh, sadly I've had things like that happen. So, you know, being honest, being clear about the value and asking, you know, for time and just being respectful that. Now may not be a great time. It may be a great time for you because you're trying to generate opportunities and you have a quota to hit, but that may not mean that it's something that I have a strong interest in now and just being respectful of that. The folks who have done that, I typically make time for them afterwards, especially if they follow up when I told them, hey, you know, early, it's early summer and you know what, maybe in early September, it'll be a better time for us to maybe have this conversation. And I may revisit and say, sorry, I got to punt one more time or you know what? I'll take that 30 minutes because I'm still interested and I want to understand and learn. Um, but, but folks who are professional, who knew that that would be the secret sauce of like, hey, be professional when you reach out. Uh, that, that tends to be, you know, the real big, you know, differentiator, but the ones who have sold me like big are ones who they've, they've worked to build a relationship and, and again, they've moved on and every time they call or every time they reach out, I'm like, heck yeah, I'm gonna, I'm gonna, you know, take that meeting and, and listen. But, um, but yeah, that, that seems to resonate pretty well of just. Being professional and being honest.

Chris Romeo: 36:17

And that's really helpful because often vendor representatives We only are shown examples of the worst case scenarios of what happens. Cause there's a number of, and we've all seen them. There's a number of the posts will go by on LinkedIn and you're never going to believe this company did this and, and whatnot. And it's like, these are people that are trying to feed their families too. Like they're, you know, they're not in. And so I love the fact, I love what you're saying here about. If somebody approaches you, they're professional, they're respectful, then you will return the same favor to them. Um, it's, it's only when somebody does something that doesn't, is just off the wall and is not respecting you, not, not, uh, not really caring about you is when they're going to, it's going to be more of a challenge. I think, so I think we need more, we need to see more conversations about the right ways for people to do this because, you know, these are people too. At the other side of the phone, they're not, it's not AI. If it's AI reaching out, then you can yell at them. Sure. But it's not AI. These are people.

Ray Espinoza: 37:25

a absolutely. And I've, I have so much more empathy now, you know, supporting a Go-to-market team, or even at previous organizations and understanding what they're trying to get to. You know, many times I had one tell me, you know, early on. of like, I wish somebody would just respond and say, no, thank you, you know, or, you know, it's not a great time. And so I, I make it like, uh, if you reach out, I'm going to respond to you and say this works or, or it doesn't. I'm, I'm going to give you that 15 seconds of a response because I have respect for you as another professional, you know, who's, who's trying to work that hustle. And I've had folks be like, oh, but maybe I can. I'm like, again, I appreciate the hustle. That's not a good time, and it's usually, and as long as they leave it there, I'm fine to leave it there as well and pick it up and revisit, but I just, I don't assume negative intent, or, you know, maybe I have a larger amount of, of patients than others, but, um, but just that understanding that they're trying to feed their families, he said it really well, um, that's a good perspective to have.

Chris Romeo: 38:20

I love that. I appreciate the hustle. That's a good, it's a really nice way of saying, I'm not having this conversation now. And, and nice try on the, and I appreciate the fact that you, that you reached out a second time, but that's, it's, as I'm kind of unpacking that in my head, I'm like, that's a really nice way of saying, this is the last time you're going to hear from me. If you don't, if you don't read between the lines about what I'm trying to tell you here, appreciate the hustle. Reach out to me in three months and we'll talk again.

Ray Espinoza: 38:46

100%. You should put it on a t shirt or something. Who knows?

Robert Hurlbut: 38:54

Do you think, um, and this is, uh, we've been talking a lot about, you know, your role as a CISO and, and some of the things that you've learned, but do you recommend that other folks, uh, strive to become a CISO? And if so, do you have some practical tips that they could, uh, use to prepare themselves?

Ray Espinoza: 39:13

I believe that if somebody wants to continue to grow in their career, there's more than one way to grow as a security practitioner. There's not the only path. If you want to grow, you grow into a CISO and that's it. Uh, you know, I mean, so I've been really big at some of the organizations that I've been out of. You know, we need to expand the technical track. You know, we may have somebody who's like a principal architect and we need to work towards like, you know, um, a principal fellow or something else. Somebody should be able to make their living if they love being a technologist and they want to be, you know, deep in the weeds. We should support them to be able to go down that path or to find success and be able to and enable them and support them in moving laterally and trying new things within their career. So that's sort of like my first thing of like, you don't have to be a CISO when you grow up, if you're in security, but if you strive to do that. One I would say is that, you know, do you, do you genuinely care about other people's success and helping others succeed? Is that something that will bring you joy? And if the answer is no to either of those two, then I probably say, you know what, maybe that's not like the right path for you to go. Because, you know, I've, there's, again, there's no one way or right way. You know, to, to do this, but I find being a servant leader, uh, to folks within the organization tends to yield, you know, the highest output and the highest outcome and the best team morale. Um, and so, um, I usually start there, but if they, if they do have an interest, then it becomes, well, especially if it's somebody within my staff, can I provide opportunities and position you to. Drive and oversee a program to gain some level of visibility with the executive team to understand what the business outcome is that they're expecting and how do we translate that into deliverables that the team can execute on and whatnot. So a lot of that continues to become, how do you set folks up for success and how do you give them experiences? So when, when the time calls and that seat's vacant, that they're a viable candidate and a viable option to be able to step into that role. Many of us who are CISOs weren't born CISOs. And so somebody took a chance on us to be able to step in and, and to drive and be successful. And so I think, you know, there's, there's ways that folks can continue to support and, and do that. Um, so that, that goes back to if somebody wants to, if you want to be a CISO, fantastic, do it. You know, there's many organizations that need high quality. Security guidance, and it should be talked about at the executive and the board level, um, and, and, you know, help somebody get there, um, but, uh, but also understand, too, it comes with, you know, um, sometimes a lot of stress, and, you know, there's a lot of responsibility and whatnot, and so I try to just be real, uh, with, with folks who have asked me this question or say, hey, I want to go and do this thing, You know, what do I need to do? Or what should I do? What should I be thinking about? A lot of times I just lay it out. Here's all the things that I've learned along the way. And if you still, uh, have a strong interest, fantastic. I would love to help support you in any way that I can. Um, but I say the same thing as somebody says, Hey, I think I want to be a manager. Uh, it goes down kind of that, that same route, that same thinking of, uh. You know, getting joy from helping others succeed.

Chris Romeo: 42:13

And that really leads us into the final question before the lightning round, and that's in regards to mentoring. Um, hearing you talk about your teams and the way you care for them, and I know you're a super mentor person already, but let's talk about your philosophy behind this and, and uh, you know, whatever you want to talk to us about in regards to mentoring.

Ray Espinoza: 42:35

Uh, I think it's super important to give back. Uh, I've had many folks throughout my career invest their personal time to help me develop, uh, to answer my questions, provide me guidance, coaching, and support. And, uh, I felt like it was my calling to, uh, to help others in the same way. Uh, I, I grew up in, you know, a pretty bad neighborhood, you know, didn't have a ton. Uh, um, and just so many, uh, things along the way where I felt like, you know, Others positively impacted my development to help me get to, you know, where I am, you know, even as a, you know, young child and, you know, up until adult and then even still, you know, having reached what maybe some might say is like the pinnacle of your career when you've made it as a CISO, where do you go, you know, then I found like, wow, I really need executive coaching because not having graduated from college, um, you know, being a teenage parent, you know, I took the long road or a little bit of a harder road to get to where I am, but the first time I walked into a board meeting or, uh, uh, an executive leadership team meeting, and I was the only person who didn't have a college degree or, you know, I was the only person, you know, who was different looking than everybody else. How do I project confidence and how do I, you know, find success going in that way? And so, um, there's absolutely, uh, needs and, and ways to be able to support and get out there from, you know, coaching, uh, exec coaches and mentoring, et cetera. Um, I'm a, um. A board member for RaicesCyber, uh, which helps, uh, folks of, uh, of Latin descent identify that there are opportunities in cybersecurity and help provide some mentorship. I've had, uh, the privilege of, uh, mentoring with, uh, with black girls in cyber and, and helping, you know, women transition into cyber and, and helping support them and identifying roles and helping them find success and get training so that they can be successful there, uh, as well. And I've, I mentor with, uh, Everwise. Um, and UpNotch. Again, it's if I can be a value enough service to somebody, gosh dang it, that just feels good. And I want to be able to do that. And it doesn't mean that whatever I say is solid gold, but sometimes that they come up with a, with a scenario or they're dealing with something that I've experienced well, and I've had some level of hardship and I can provide at least an approach or some level of guidance or something that may help them through, or books that I've read to help me communicate better, or have better executive presence and so, um, So I'm a big believer in giving back and I really do believe that if you help others and you can, you can make a positive impact in one person, who knows what they're going to be able to do for somebody else. And if we all did that, hate to get all sort of kumbaya on this and whatnot, but gosh, if we, if we all gave like a little bit to help somebody else find success without expecting anything in return, other than maybe the world's a better place, that's pretty dang good. And it's a lot of the same reason why I coach

Chris Romeo: 45:20

we've all, we can all list, we could all sit here and list the people. who got us to where we are today. Nobody, there is no such thing as somebody who's completely self made. Like, I just sat in a room and read books and watched YouTube videos, and then I went and I got the job the next day, or, you know, whenever. Like, that is everybody, everybody has leaned into different people in their career to help them learn things or get pointed in the right direction. And so, yeah, I'm with you, I'm the same way. Like, I mentor lots of different startups now because I've gone through bootstrapping a startup to exit through M& A and everything. Like, I'm happy to talk to... Any startups out there that I can just offer some advice to and I do like open hours at RSA and Black Hat and just tell people you can schedule 30 minutes. I'm here. We'll sit down. You can ask me whatever you want and I'll try to help you. And the same thing with individuals. Like I think, and I think that, you know, to your point, like this is such an important thing and it's, it's an obligation for all of us that have been around for a while. Like, we need to do this. Like, it is our, it is our responsibility. And if we don't, the next generation is not going to be able to exceed what we've done and really push themselves forward. So, it's our responsibility as some of us are in the upper, upper parts of our career. Um, Robert. No, just not Robert. That's me too. Robert and I are the same here. But, like, we have a responsibility to do that, so. Alright, we gotta do the lightning round here. I've been, I've been waiting for a long time to hear Ray's answers to the lightning round, and then he blew me away with all these other things, and I kept asking him more questions, but I wanna hear the lightning round, so Robert, take us into that.

Robert Hurlbut: 47:04

right, so we have three questions. Uh, first one is what's your most controversial opinion on application security, and why do you hold that view?

Ray Espinoza: 47:13

I'd say AppSec is not hard. Uh, I think we can find ways to make it simple. We can manage expectations and be a little bit patient with how we roll it out. But I've, I've heard it as AppSec is too complex, too hard, too difficult to do or to do well. And I think that's false.

Robert Hurlbut: 47:33

Uh, number two, what would it say if you could display a single message on a billboard at the RSA or BlackHat conference?

Ray Espinoza: 47:42

Give back to others.

Robert Hurlbut: 47:47

And then, uh, final question, uh, number three, what, what's your top book recommendation, and why do you find it valuable?

Ray Espinoza: 47:55

Uh, so I have two, uh, the one that, that I felt was so impactful for me though, and I had read is Extreme Ownership, Jocko Willink, uh, taking his SEAL approach to, um, communication and just owning the outcome and how do you drive improvement. I'm very big and, and will over pivot on owning. And so I had at one point made it sort of mandatory reading for my leaders. I mean, you have to subscribe to it, but getting a stronger understanding of how I work, uh, is key. So, I recommend that highly for anyone. Uh, there was another one around, uh, executive presence, communication, and, and the author, uh, it escapes me. But there were, there was a period of time, and I talked a little bit about, you know, imposter syndrome and not having the confidence and stepping into a room. We're others that didn't see me as a peer and still being able to speak authoritatively and confidently to ultimately win, you know, their trust and their buy in. I think that's hugely undervalued right now. And I know there's many folks that have been in that situation where they can benefit from it. And, you know, having tactical tips to be able to say, when you approach, you know, do X, Y and Z. When you go in, you understand, make sure you have specific piece of data that you want to hit home and stand a specific spot and, you know, figure out what works for you in the way that you can project the most confidence. You know, I don't think many folks talk about that a lot, but I felt like it made a big difference for me in being able to just, um, you know, gain some credibility, especially if you're new in an organization.

Chris Romeo: 49:18

Alright, well, we've come towards the end of the conversation, Ray, but I'd like to... Give you an opportunity to share a key takeaway, a call to action. Is there something you want the audience to do as a result of our conversation here?

Ray Espinoza: 49:32

Uh, if you have any questions on talking security, you want to talk about mentorship, you're looking for guidance and support, uh, feel free to reach out. I'm pretty active on LinkedIn, uh, as well as on Twitter at RayEspinozaSec. Uh, if I can be of service to you or point you in the right direction, or maybe there's a match and there's a way that I can invest some time and help you, definitely reach out. And I would encourage other leaders and, and, and mentors as well. And, uh, you know, and, uh, I apologize for being, you know, pedantic on the topic, but, but gosh, if somebody can reach out and be bene and be benefited by the experiences that you've had, see if you can make just that little bit of time to be able to, uh, help them out. It may go a long way.

Chris Romeo: 50:11

Ray, thanks for joining the Application Security Podcast, for sharing all of your wisdom and lessons learned and best practices and just passions. It was so great to hear this and we can hear it come out in your voice. I can tell your team likes working for you and people are going to be looking for job openings wherever you are. I can tell just by listening to you. So thanks for sharing that with our audience.

Ray Espinoza: 50:33

Chris, Robert, thank you so much for having me on the show. I really appreciate it.