Cloud Security Today

Book Review: Startup Secure

September 21, 2022 Matthew Chiodi Season 2 Episode 9

Book Review: Startup Secure with Chris Castaldo

Episode Summary

On this episode, CISO at Crossbeam and Author of Startup Secure: Baking Cybersecurity into your Company from Founding to Exit, Chris Castaldo, joins Matt to talk about startups and security. Chris is an industry-wide recognized CISO, having over 20 years of experience in cybersecurity.

Today, Chris talks about his book, Startup Secure, his move to startups from the public sector, and the different startup development phases. What should startups focus on during the different development phases? Hear about security trust centers, the top startup security sins, and get Chris’s formula for personal growth.


Timestamp Segments

· [02:03] What prompted Chris to write Startup Secure?

· [04:57] What has changed during the writing process?

· [06:47] Critical decisions throughout Chris’s career.

· [11:17] Moving from public sector to startups.

· [15:39] Startup development phases.

· [20:16] When certifications don’t make sense.

· [26:09] Mistakes in communicating to customers.

· [30:16] Security trust centers.

· [32:45] Startup security sins.

· [35:38] Chris’s formula for personal growth.

· [39:06] Chris’s parting words.


Notable Quotes

· “You’re not the target. You’re just the jumping point to that target.”

· “I don’t need to review the security of a company we’re buying desks from.”

· “You just can’t expect everyone to be a cybersecurity expert.”


Relevant Links

Buy the Book:


Secure applications from code to cloud.
Prisma Cloud, the most complete cloud-native application protection platform (CNAPP).

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

(Intro 0:00-0:12)

This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. And now your host, Matt Chiodi.


Matt Chiodi  0:13  

A Book Review. That's right. So, this episode is going to be our first, and hopefully, not the only podcast that we use to interview authors of popular books. So in this episode, I have the privilege of interviewing Chris Castaldo. Now, Chris, he is currently the CISO at Crossbeam. But more importantly, he's also the author of ‘Start-Up Secure: Baking Cybersecurity Into Your Company from Founding to Exit’. Now, I found this particularly interesting because, obviously, I am now in the startup world once again. And I've always wondered, as you're building a company, where do you start focusing first? Now, like any company, startups have limited budgets, perhaps more limited than larger more well-established companies. So, there's only certain things that you can focus on right? You don't have a CISO. You don't have large security teams, or maybe not even a security team, as you'll learn? So, tune in, even if you're not at a startup, I think you will enjoy this conversation with Chris. And hopefully, you'll take something away from it. Enjoy the episode.  Chris, thanks for joining us today.


Chris Castaldo  1:31  

Thanks for having me. I'm really excited to be here.


Matt Chiodi  1:33  

Yeah, I'm really excited as well. I think you and I actually met, it was a couple years ago. Was that at some kind of dinner, wasn't it? Was it in Philadelphia, I don't remember, or New York?


Chris Castaldo  1:42  

Yes. Yeah. I think it was a Palo dinner or something like that. I can't remember. But yeah, it was in Philly. I was on my way home. I got off the train, went to the dinner, and then took the next train back on my way home from New York to Baltimore.


Matt Chiodi  1:57  

Nice free Palo dinner. They always taste the best.


Chris Castaldo  2:01  

It was great. Yeah. It was a good time.


Matt Chiodi  2:03  

So we're here to talk about your new book, which congratulations by the way. I know writing a book is not easy. So, congratulations on publishing. Tell us a little bit. Just, for me, it was a fascinating read. The book is called Start-Up Secure. And just let's just start with what prompted you to write it.


Chris Castaldo  2:25  

Yes. So, I read through a lot of the top 10 books every founder should read, and not a single one mentioned security. Not a single one. Not even general risk or anything like that. So, it seemed like there was one gap in just kind of the knowledge base for founders. And then, with my background, I've mostly worked at startups, so kind of solving the same problems over and over again. And that led me to kind of think, “Well, clearly there's something here that is kind of being missed at the foundation point of a business.” I think everyone kind of thinks about funding. Like, you need to have runway, so you get that. You kind of think about product market fit. Maybe you think about accounting a little bit and how you're going to count the pennies at the end of the day. And maybe a little bit of how you'll sell to customers. But not a single thing about securing the business, securing your product, and making security a part of the value prop for whatever it is you're selling to set you apart from your competitors. So, that was the catalyst to writing the book. And then, four or five years later, here we are recording today a year of sales in the books, so to speak. So yeah. It's been good so far.


Matt Chiodi  4:00  

I love it. I love it. So, you saw a need, and you're like, “I'm going to address that.” Now, if I heard you correctly, you said “It's been five years”, was it five years ago that you realized that there was nothing around it? Talk a little bit about that timeline just because it got me curious now.


Chris Castaldo  4:16  

Yeah, it's been, let's see, 2022. So, maybe, five, six years from the very start when I started the first chapter or a chapter, really, I didn't know what order they'd go in initially, it was really just putting thoughts down into a document. I signed the deal with Wiley in 2019. And then, delivered the final manuscript at the end of 2020. And then, it was printed, and published, and out for sale May of last year, so May 2021. So, we just surpassed a little over a year now since the book’s been out.


Matt Chiodi  4:56  

So if it's been a multi-year process in writing, and we didn't talk about this beforehand, but I'm curious, has anything changed? So, five years ago, and it's roughly five, six years since now it's out, it's been out for about a year. Did anything change during those years where you were kind of like writing those different pieces?


Chris Castaldo  5:14  

Oh, yeah. I was editing up to the last moment that I submitted what's defined as the final manuscript. Things like companies merging, or being purchased. Products changing where I mentioned… I tried to give folks a little direction, obviously, there's Gartner or [?D2?] and those types of resources a founder could go to and just say, “Show me a list of companies that do X.” You might not be able to figure out which is the best fit for your organization just yet, but I wanted to give folks a direction of like, “Hey, here's products in this space that you can go look at and compare to other players.” Obviously, there's always going to be new startups, I get that writing the book. But interesting things like Google Workspace rebranded, so that I think happened after I submitted the final. But then, there's copy editing and that type of stuff. So, I did have the chance to go back to do a ‘control find and replace’ for G Suite to Workspace, and just small things like that. I really tried to keep it at the most basic level, really not talking about academic theories of how to apply cybersecurity. Username and password - that's still around. MFA - that's still around. I tried to keep it on topics that I knew would last for at least a decade. Well, hopefully, passwords don't last much longer, but we'll see.


Matt Chiodi  6:47  

So, let's back up a little bit. Maybe some of our listeners aren't familiar with you personally. So, I want to dig a little bit into your background, then we'll kind of swing back around to the book, if that's all right.


Chris Castaldo  6:57



Matt Chiodi  6:59

So, you're a veteran of both the US military. So thank you for your service, I really appreciate it. I came from a long family of veterans, so I know the sacrifice that goes into that. So, thank you so much for that, I really do appreciate it.


Chris Castaldo  7:12

Absolutely, thank you.


Matt Chiodi  7:13

And you're also a veteran of the security industry. As you mentioned a little bit, you've been in startups for a while. I think one of the things that, especially someone who is new in cybersecurity, someone who is maybe in IT and they want to move over into cybersecurity or any other field, maybe walk us through some critical actions or decisions that you've made over your career that got you from the US Army where you started to where you are today as a CISO. And feel free. I want to hear a little bit about what you're doing today. So, walk us through maybe a few critical decisions that got you from the US Army all the way to where you are today as CISO. 


Chris Castaldo  7:55  

So, I definitely did some technical work while I was in the army. When I deployed to Iraq, that was not technical work whatsoever. I was doing convoy security with human intelligence teams. So definitely no computer stuff there. No InfoSec. And I got out, I was very interested still in cybersecurity, I had done that before in the army. So, went through the dot-com bubble and all that fun stuff. So I was already in cybersecurity, generally. My interest came about probably middle school, high school, when I found out about 2600 and DEFCON and that type of stuff. It spurred a lot of questions of, “Oh, you could do other things that weren't intended with computers.” So, after leaving the army, I was very interested in penetration testing, which is I think kind of the first thing most people think about. If you're going to stereotype cybersecurity, that's like the cool sexy side.


Matt Chiodi  9:03

Yeah, the hoodie on. 


Chris Castaldo  9:05

Yeah. Had a hoodie on. Wore a hoodie to every interview.


Matt Chiodi  9:09



Chris Castaldo  9:10

So, I had a lot of interest in that still. And probably within a year of getting out, that's when I started my interview process. That's kind of usually what's suggested if you're not planning to re-enlist, is a minimum of six months start interviewing before you get out. So, a small company that is willing to give me a chance. Not an expert, this is pre-web technology. Web Apps didn't really exist still like networking, pen-testing. So my previous job before the army where I was doing mostly IT stuff, that was hugely beneficial. I understood how networks worked at a fundamental level. I understood how Windows networking worked and the difference between lags and how a packet is written to the wire, that type of stuff. So, that was helpful to kind of speak to the general side when I was doing interviewing, the foundational stuff of cybersecurity. Then, left that and went back to government work, and that was kind of the next catalyst. I did a lot of IC hands-on engineering work, really enjoyed that for many years. And then found that I was really enjoying mentoring folks on my team, and helping people progress in their careers or move up into something different. And as a contractor on the government, you only have so many areas and abilities to help folks succeed. Like, a government employee can't report to you like a traditional manager or something like that. So, I ended up leaving for the private sector and have been in startups ever since. And found a lot of passion on helping the next generation of folks get into cybersecurity or move up if you're already in cybersecurity, and do what they're passionate about.


Matt Chiodi  11:16  

So obviously, along that way, let's talk maybe about one inflection point, and then we'll come back to the book here. You mentioned about moving from the public sector to startups. So, you had to make a decision at some point there. And I know I've spoken to people who are in government, they see that I've done a couple of startups and they’re like, “How do you make that switch?” And I've talked a little bit about myself, but I'm curious for you. Even if you're not an employee of the government, and you're just a contractor working for the government, there is a certain amount of stability that you're giving up when you move to a startup depending upon what stage they are, and things like that. But nonetheless, it is more risky, pretty much every way I can think about it, moving from a federal contract to a startup. What was it that kind of led you to go down that path? Were there certain decisions? Ways that you thought about it? I'm just kind of curious to get into your head, especially, because I know there are people that, again, they're where you were back then, they're there now. They're thinking like, “How do I do that?” What were you thinking about that kind of led you to make that jump?


Chris Castaldo  12:24  

Well, I'd first say everyone looks at risk a lot differently. Everyone's risk tolerance is very different. When it comes to starting a new job, that does not feel risky for me at all. I enjoy that newness feeling, not really knowing the ropes yet, not really knowing the company politics and culture. You get a sense of that from interviewing, but you really don't know until you're having to solve problems with your team when you're there. So, when I was thinking about that, I don't think there was really a risk-based decision, it was, “Can I have more impact?” I felt like I kind of had maxed out my ability to have impact in my organization, in the government. On the people's side, I could have continued till this day to be an individual contributor and impacting lots of great things to protect our nation, but there were just other things I wanted to do and get job fulfillment from. So, looking at it from the aspect of, “Okay, what do I want to do? Do I want to come in and build a cybersecurity program? Do I want to take over something and just maintain it?” And I very much have realized I like building things regardless of where I go. So, I enjoy coming… Maybe it's a small team, and they're ready to scale. And taking that from two engineers to 20, or something like that. So, I really enjoyed that part. And I think someone leaving the government needs to figure out what exactly do you want out of that role. Certainly, there is a stability difference, but there's nothing saying you have to go to a startup. There’s plenty of massive enterprises with huge security teams that specifically poach people out of the military and government because they know the experiences that they're bringing in. They know, especially on the military side, that your experiences in the military are probably going to be a lot different than the private sector. You're going to be able to deal with conflict, and change, and stress in a different way.
Coming back from Iraq, getting shot at everyday changes your perspective on a lot of things. So, I'd say to someone that's looking to leave the military or government -- and I would kind of just bucket it as all the same, very similar hierarchy and rule-following -- just be prepared to not have a very clear path. Military; you shouldn't have any questions. Everything is spelled out for you. They remove as much questions and ambiguity, maybe not so much on the government side, but there's definitely a lot more reliance on yourself to figure things out and get things done depending on the organization. 


Matt Chiodi  15:37  

I love that. I appreciate that response. So, getting back to the book. And the reason I ask those questions is I think what it does is it shows, I think, how uniquely qualified you are to write this book. So ‘Start-Up Secure: Baking Cybersecurity Into Your Company from Founding to Exit.’ And I wanted to start with on page four, you have a visual that shows the startup development phases from ideation all the way through establishment. So, what's different about the various phases that a startup goes through in that lifecycle, and what should a startup be focusing on in one versus the other?


Chris Castaldo  16:18  

So, I'd say at the ideation phase, so let's say, group of founders, say the company is incorporated, and you've raised a pre-seed round. So, really fundamental things. MFA, password security, having a password manager. Maybe a consumer-grade antivirus is probably reasonable. But I would expect that stage probably don't have a product just yet. It's still maybe a pitch deck, maybe you've got some wireframes together, but you don't have something running compute workload in some cloud. Azure, GCP, AWS. Pick whatever the fit is. At that later stage, at growth round, now you're putting gas on the fire, you're post-Series C, maybe pre-Series D, 100 plus employees. You've got real customers, it's not just friends and family willing to sign a pilot or design agreement or something like that, and you're willing to look past that. You have no certifications, you have no pen-test. They're using a real product and putting possibly real data in that. So at that point, you're most likely going to need a CISO or head of security, that I have a whole chapter on, like how to nuance that and when to hire, where they report to. But there's a lot of changes that happen in there. I really love... I love that diagram because it's things that other founders have seen and are familiar with. So, I want to have a lot of familiarity in there. Like, “Okay. I see, this is our phase, I'm familiar with that. I know we don't have a CFO yet and I see we need this security thing now.” I try to draw as much from their existing understanding, and capability, and ability to apply security in their organization with little to no help. Because, at some point, you'll have hundreds of millions in the bank, you'll be really well funded, be able to hire whoever you want, and the biggest team you want, but at some point, it's all on your shoulders. I'll give you a great example, before I started at Crossbeam, they were SOC2 audited before I joined.
They didn't have a CISO or head of security at that point, it was either someone on the executive team running that. So, making sure you've got the right guidance and resources at each of those phases. Again, which is why I emphasize a lot in the book; pushing on your VCs, pushing on your investors of, “Hey, where can we go for help for this thing?” You don't expect a pre-seed company to have a CFO either. That's maybe IP owed five companies, you're also not going to hire a CISO at that point either. So, try to make it as applicable and digestible as possible.


Interlude: (Matt Chiodi  19:27-19:15)

Prisma Cloud secures infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs, and a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure as code templates, container images, serverless functions, and more while gaining powerful full stack runtime protection. This is Unified Security for DevOps and security teams. To find out more, go to 


Matt Chiodi  20:15

Now, what's at risk if somebody gets some of these security things out of order? Let's say, you mentioned how the company you're at right now; Crossbeam was SOC2 before you joined. I think you said SOC2. Can you do that too early in the process? Is there a certain point where certifications don't make sense?


Chris Castaldo  20:38  

If you're B2C, that's probably a great example I try to spell out in the book. There's typically two types of companies, some will skirt the line like Instacart for example. Me as the end user might use Instacart, but they've got deals and partnerships with other businesses. But I would say, B2C, that's probably an easy one. You probably don't need a SOC2 audit if you're making some mobile app game where you're hitting buttons, a Candy Crush type thing, probably don't need SOC2. Maybe later on, maybe if you got some payments platform you’re building there, or you start taking in PII from your users, or something like that. But typically, our industry is very small. Low probability some general user is going to ask you for your SOC2 audit, and you're probably not going to provide that to an individual. No one's going to sign an NDA and all that stuff. I'd say what people could probably do too early would be over-indexing on hiring. People don't scale. This is at pre-seed all the way to you've IPO’d and you have a thousand employees. You've got to have the right tooling in place to make sure things are scaling with the business, people are able to work on the hard problems products can solve. Buying a solution can solve something, but you don't want someone sitting there making entries in an Excel spreadsheet to manage your asset management or something. It's something I mentioned in the book, if your asset management Excel document, if you have to scroll in it to see the data, then it's time to buy a tool.


Matt Chiodi  22:34

That's a great benchmark.


Chris Castaldo  22:34

And it really goes back to things break down 3s and 10s, it's the same thing for security. It's really, very analogous to exactly how the business is scaling, and exactly how operations scales with the business. Operations being security, legal, HR, all of that stuff.


Matt Chiodi  22:57  

So, let's take a real-life example. So, I recently joined a startup, Servy. And we have a handful of paying customers. We're just over…We're in the 50s in terms of employees. We just did a seed round in the last few months. Where would we fall on that development map? And what should we be focused on?


Chris Castaldo  23:17  

So, this is where it gets really interesting, and I try to give a lot of different examples. I think you said you have 50 employees right now?


Matt Chiodi   23:28

Yeah, just over 50.


Chris Castaldo  23:31

That's unique for your phase and funding. It's a little out of order of what you typically see in a SaaS company. So, that's one of the catalysts I bring up in the book. So, it's number of employees, your stage and funding, whether it's pre-seed, A round, B round, and then, your industry or vertical that you're selling into. Do you have PCI, EPA, Tri-data that's going to push things forward? You're going to need to do things earlier. Company that size, you've got paying customers, you're probably beyond the lighthouse customers. So now you're signing on enterprise deals most likely. Have sort of a go-to market team. You've got some AEs, and maybe some SDRs.


Matt Chiodi  24:24  

You're painting a very accurate picture. (Laughs)


Chris Castaldo  24:27  

At that point, what I would expect to see is a lot of asks especially since the space you're in, you're selling a security product. And I know my peers, and I have sold to many of them, and some are more pleasant than others to deal with on the security side, so, I know your shoes are even more difficult to fill. So, building a security product for security people; lots of evidence required. So, easy stuff, ISO, well, not so easy. There's a lot of work to put into that. ISO certification, SOC2 audits, and I specifically say audits, they are not certifications. It's an opinion, not a certification. It’s confused quite a bit in marketing materials. And then, an emphasis on repeatability, internal security controls. So, yes, the product is secure. Yes, that's getting pen-tested, but how many times have we seen security companies and tools, IT service companies being used as a jumping point to some actors and target? Like, you're not the target, you're just the jumping point to that target. And then, focusing on building that executive team. You're obviously there. So they've got that portion done. So, those are kind of the three, four main areas that I would expect focus to be given at that size, at that stage.


Matt Chiodi  26:06  

Skipping forward a little bit, so in chapter 11 of the book, you talk about very much related to what we were just talking about which is communicating your security posture to customers. What do startups typically get wrong when it comes to this area? What should they be doing?


Chris Castaldo  26:25  

Making it difficult to find is what I see most getting wrong. And gating it behind multiple hoops that someone has to jump through. So, I'll exclude cybersecurity, your company, just for the time being, just talk general SaaS business tools. So, trying to figure out what it is my company is buying, and then, do I actually need to review their security? I don't need to review the security of a company we're buying desks from. Like, we're giving you a credit card, or an ACH transfer. Okay, if that gets compromised, we've got the bank protections. I don't think many people really worry about their credit card getting compromised anymore. But let's say it's a SaaS platform, let's say HRIS, yes, that's a great one. I need to look at this tool. My customers probably really don't care for putting a lot of emphasis on protecting employees' personal data, but that's my responsibility. It's our responsibility as an employer to protect our employees' data as much as possible. So, like having to jump through hoops and figure out, “Okay, I get it. It's an HRIS system, what data is going to go in there?” Just real plain English. And I can guess because I bought these before, but maybe someone hasn't. Maybe someone doesn't really know how an HRIS system works. So, having it easily accessible, easily understandable. Again, if you want to put things like a pen-test, or SOC2 behind an NDA, but making that really easy, especially for your sales team who's getting stuck in the middle. So, your AE has made the sale. Your business stakeholder, the executive buyer at the customer or prospect end, they said, “This is the product we're going to buy,” and now it goes through procurement. So now, that AE now has to resell the product again to legal, to security, possibly if privacy is separate from legal, to that team. So, all these people are now involved in your deal basically grinding it to a halt, and they're trying to answer very specific questions.
I think legal does a better job, most people post their terms publicly. But gating a SOC2 behind all these different steps is just kind of bizarre to me. Not sharing a full pen-test. And I can get it and empathize with it from our peers' standpoint of, “I don't want to get into this debate about why this one finding isn't fixed or why that finding wasn't fixed in this certain amount of time.” But in my experience, it's never really stopped a deal completely when you share the full report. I think the more information you share gives that kind of comfort and builds that trust with that team to say, “Oh, this company, they've got it figured out. I see all the normal stuff that I'd want to see. No further questions. Buy the product.” So, I think that's really what I see wrong most of the time is just gating that stuff and making it really difficult for part of the buying chain to not get access to it, and forcing other people into that process that don't need to be involved. Your AE doesn't need to be the middle person in that. The buyer doesn't need to be in the middle of that. It just doesn't make sense. Help folks sell faster. 


Matt Chiodi  30:13  

I was just thinking about that. So, I know that there's got to be startups that help automate that process. I'm not sure if you're familiar with any of them, but I'd be curious, is there a market for this actually making this easier for startups to do so they're not putting their AEs and their SDRs between that?



Chris Castaldo  30:35  

Yep. So, I think the market is kind of called security trust centers. So, there's definitely folks in that space now. Crossbeam uses one. And I'll caveat that I'm an investor and advisor there. They're called SafeBase. So you can go to And if you're already a customer, you can download everything while you already have an agreement NDA confidentiality in place. If you're not, it's very simple and open terms. We use Common Paper if you're familiar with them. Company trying to standardize SaaS agreements and NDAs. So, really super friendly customer-focused NDA. Makes it really easy for folks to just, click it, “Yes, I accepted the NDA on behalf of our company,” and boom, there's a SOC2, two years worth of pen-test, BC, BCP/DR tests, tabletop exercises, pretty much every security questionnaire you can think of is pre-populated and filled out. Because my job as the security leader and part of operations is making sure the sales team and our customers are as enabled as possible. I can't be the single point of failure answering, “Do we support SSO?” “Yes, we support SSO, here's all the ways we support it.” Yeah, let's keep going. I know that's important to a lot of people. There's no reason to hide that information. Simple NDA for maybe the more sensitive stuff, but other than that, you should just be able to download it. It answers your questions, right?


Matt Chiodi  32:17  

I've been on the other side of that, as I'm sure you have, in the past where I've wanted to work with a vendor and it has been extremely painful to get those details, which should be, like you said, simple detail. So, I appreciate that you've also felt that pain, and that there are a number of companies out there that are working to actually make that much easier on both sides, both the sales side as well as the consumer side. So, if you had to… You've been around startups for so long, if you had to list maybe the top five or the top three security sins that you see startups do, what would they be?


Chris Castaldo  32:56  

That's a really good one. So I'd say, number one; not having MFA enabled everywhere it possibly is supported. Super easy. If you're building your start… I don't think I've talked to a startup in the last two years that either hasn't been on Google Workspace, or O365. Those are pretty much the two main business directory operations email solutions most startups gravitate to. I'm sure there's others maybe I don't know about, but that's usually the default. Fairly easy to force MFA on all your users. So, if you do that from the beginning, people come into that and like, “Oh, that's just how it works. That's just how I log in.” And things have gotten so much better where it's based on if it's a new device, you're not getting hit with MFA every single login. Your session’s still valid, it's in the browser. So, it's a lot more user-friendly to force those just very easy security controls. I'd say the other; I've talked to very, very early stage SaaS companies missing out on basic endpoint security. So, if you look at it, look at all the TTPs out there, there's some really basic flows that an attacker takes. Phishing, compromise an account, get on to a system and pivot from there. Let's say your end goal is getting to AWS, well, I need to get to probably someone in the engineering org, maybe an SRE. So, just having those basic security controls in place. Even if it's a consumer, or even a prosumer antivirus. I think most of us would prefer to see some type of more enterprise like an EDR on those endpoints, like just missing those easy to check off items that are mostly easy to deploy. You don't have to be very technical to run a DMG file or EXE or what have you. Maybe on the more complex side, getting email security, whether it's kind of a legacy SEG where you're chaining MX records, or maybe it's a scanning from the side API tool.
I'd say those are kind of three main misses when I asked more pointed security questions, if I see something missing and answers I've gotten back.


Matt Chiodi  35:38  

Let's switch gears a little bit. So when I look at… I've studied leaders over the years, and obviously, you fit into that category. So I'm just curious from your perspective, when it comes to personal growth, what's the formula that works for you?


Chris Castaldo  35:54  

So, leaning on my network as much as possible. Even if it was a situation that I felt worked out really, really well, I might go to one of my mentors and just see how they would handle it. I don't always bring problems, I just want to see how someone else might have approached that problem if there was a different path to success. So that's one. If there's really great leadership books, there's a couple of really great authors I try to follow, and I'll read them as they're published. If they come out with a new book, I know how difficult it is to write a book, so I don't expect that many all the time from some of my favorites. And rereading them, I have found to be really beneficial. So, many years ago, when Kim Scott's book came out; Radical Candor, I read that, I was like, “Oh, this is really amazing.” A lot of it resonated with me, and I tried to practice some of the things she talks about in the book. And then read it a couple of years later, actually, and found either I backslid in some areas, and wasn't staying true to what I want to be as a leader, or just missed something. I don't remember really reading this part, or this is interesting, or I'd approach it differently. Because you continue, obviously, to have new and different experiences, and new and different challenges at work to solve. So, going back to that stuff, especially the things that resonated with you originally, I think can be really beneficial. And then, just kind of stepping out and offering to solve problems. I think that's something I've found as I transitioned from IC to manager, to leader, executive, whatever you want to call it. Always trying to offer up a solution. Maybe it's not your wheelhouse, maybe that's not your area, but so many times, I've gotten feedback and I think cybersecurity and engineering teams are maybe more in tune, sort of speak the same language. And I'll get great ideas from engineering, like, “Hey, we're doing this thing this way, what do you think about doing it this way? Or is there a reason we're doing it that way?” I find those kinds of questions and suggestions to be really helpful because it also helps me kind of rethink and re-explain something we put in place. Like, I’ll just give you a basic one, like why do we turn on MFA? I think most of us in security, well, I get why you turn that on. But having to explain that, put the words to paper or to a Slack DM or something, I think really helps put the ‘why’ behind everything, because you just can't expect everyone to be a cybersecurity expert, which is why I wrote the book.


Matt Chiodi  39:06  

So are there any other parting words you would have for our listeners, or perhaps something you wanted to share that I didn't ask you about?


Chris Castaldo  39:13  

The only thing to mention is I am donating 100% of my royalties from the book. So, today, I actually just donated my first year of proceeds, and I've decided to just do that in perpetuity. So if you happen to pick up a copy, hardback, audiobook, Kindle, whatever way you like to consume content, I'll be continuing to donate my proceeds to veterans' charities.


Matt Chiodi  39:43  

That's awesome. That's awesome. And I'm just curious. So the Audible version, did you read it? If I get the Audible version, will I hear Chris's voice?


Chris Castaldo  39:50  

I did not. So, it has been really interesting to get that feedback so far. Some people really liked that. Some people really like to hear the author reading it. I thought it was really awesome. I got a pretty good one, complete luck of the draw, they just assigned the narrator to me, but a really, really famous narrator. I think he did Hillary Clinton's autobiography and a bunch of other really, really big titles. So, I felt honored, and he's got a great voice, so I can't complain.


Matt Chiodi  40:24  

I love it. I love it. Well, you've heard from Chris, the book is called ‘Start-Up Secure: Baking Cybersecurity Into Your Company from Founding to Exit’, and I'm sure you can get that anywhere books are sold, or you can get it on Audible as well. Chris, thanks for joining us.


Chris Castaldo  40:38  

Thank you so much.


(Outro 40:41-40:49)

Thank you for joining us for today's episode. To find out more, please visit us at



[End Of Audio]