Cloud Security Today

Book review: CISO Evolution

Matthew Chiodi Season 3 Episode 3

Send us a text

On this episode, the Founder of CISO Evolution LLC, Matthew Sharp, joins Matt to talk about his book, CISO Evolution. Prior to founding CISO Evolution LLC, Matt served as a strategic advisor to CISOs of Fortune 500 and global institutions. He holds a Bachelor of Science (BS) in Electrical and Computer Engineering from the University of Colorado and a Master of Business Administration (MBA) from Colorado State University. Matt is a co-author of "The CISO Evolution: Business Knowledge for Cybersecurity Executives."

Today, Matthew talks about his 2012 sabbatical, walking the Camino de Santiago, and the CISO Evolution book. Why does process matter more than analysis? Hear about value creation, business negotiations, and Matthew’s formula for personal growth.

Timestamp Segments

·       [02:06] A bit about Matthew.

·       [04:30] Matthew’s sabbatical & the Camino de Santiago.

·       [09:21] What prompted the book?

·       [12:23] Why does process matter more than analysis?

·       [19:08] Did Matthew’s MBA lead him down this path?

·       [24:22] Value creation.

·       [27:40] Standard metrics.

·       [31:23] Why is it important for a CISO to know terms?

·       [33:32] Negotiations and decision-making.

·       [37:19] What’s Matthew’s formula for personal growth?

·       [41:12] Matthew’s words of wisdom.

 

Notable Quotes

·       “If you want to be in the room where it happens, then you have to be equipped to participate in the conversation.”

·       “Ask the questions that go unasked.”

·       “Don’t be afraid to go and look like an idiot in front of another business stakeholder.”

The future of cloud security.
Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Narrator (00:00):

This is the Cloud Security Today Podcast, where leaders learn how to get cloud security done. And now your host Matt Chiodi.

Matt Chiodi (00:13):

You want to be a CISO; well then if you want to be a CISO or maybe you are already a CISO, you're definitely going to want to listen to this episode. And here's why, this is a book review, and the book is called the CISO Evolution Business Knowledge for Cybersecurity Executives. And I was lucky to get one of the authors, Matthew Sharp on the podcast. I think you're really going to enjoy this, the book is not what I'd expected. And I said this during the interview, I really expected a book that was technical and talking about cybersecurity issues. And what I found is that this book is primarily about the business side of cybersecurity. In fact, let me just read you from the Inside Jacket.

Matt Chiodi (01:03):

It says, in this book, readers will learn how to establish an executive presence and provide critical messages to senior leadership and a language they will understand and in a way that secures the engagement in interest of corporate boards. Therefore, this book was really unique. I'm fairly familiar with a lot of different financial terms, however, this book is excellent because it covers it in a way that's not disconnected from the concepts of risk in cybersecurity. Therefore, like most episodes, get your pen ready, and get ready to take notes, because Matt Sharp is really going to dig deep into some of these concepts. And I truly believe that if you want to succeed as a CISO, or as a security leader, you've got to understand these business concepts. Get ready and go!

Matt Chiodi (01:55):

Matt, welcome to the show.

Mathew Sharp (02:00):

Thanks, Matt. I'm glad to be here, and I appreciate the opportunity.

Matt Chiodi (02:04):

This is going to be fun, let's jump a little bit into your background. I looked at your LinkedIn profile, and it looks like, and tell me if I'm wrong, you've been formally in security since 2006. Is that generally right?

Mathew Sharp (02:23):

Yes, that's right. I went to school for computer electrical engineering, graduated and spent a year and a half or so in a computer animation company doing website design or basically framing out websites. Therefore I was a web developer for a brief stint. Then I knew I didn't want to write code, and I interviewed at Coalfire for a help desk role. And I also interviewed at Chili's for a server role, however, I did not get the Chili's role.

Matt Chiodi (02:58):

Oh, you are lucky.

Mathew Sharp (03:00):

Yes

Matt Chiodi (03:00):

There you go; there's a lesson to the audience. We'll call it the Chili's test, that's very awesome. Let's talk about the last two years. What have you been up to for the last two years besides writing books? We'll jump into your book here in a minute or two. I know you're at logicworks. Let's just talk about the last two years; what are you doing?

Mathew Sharp (03:21):

Logicworks is a company that essentially digitally transformed the MSP experience. We have what we call a cloud reliability platform, and it's a SRE take on managed services for folks who operate workloads in the cloud. And I've been the CISO for Logicworks since 2017; starting post PE investments, and we've recently sold the company to Cox Communications a week or two ago.

Matt Chiodi (03:56):

Congratulations.

Mathew Sharp (03:59):

Its exciting stuff, we're happy to have strategic investment and I think that there's a fantastic growth story. I think that we're going to be bringing together capabilities from an asset that already existed in the Cox portfolio, the rapid scale organization. And we're going to be merging those capabilities with logicworks to basically provide A to Z IT services for folks in the club.

Matt Chiodi (04:27):

I always research my guests, and one thing that I've got to ask you about is the sabbatical you took in 2012. You had a lot of things there; you did the Camino de Santiago pilgrimage, which is where you walked over 800 kilometers, and around 500 miles. I had two questions, what were the signals that you needed to take the sabbatical? And why the pilgrimage?

Mathew Sharp (04:55):

Those are a great couple of questions. I was burnt out, at the time, if I go back, I was a Director of strategic services at Fishnet. I was travelling 80%, my health was not great, and my relationships were not great. I had more points than I could spend on the airlines and in the hotels. And it was clear that I had overinvested in my career and underinvested in all of the other things like health & wellbeing, family & friends and all the other things. Therefore, it was an opportune time for me to step back and hit the reset button; that was definitely it. It's interesting that you made that comment because at the time, and I think I even wrote about this in the book, I went out of my way to basically justify. And the signals or the signs didn't matter. I was going to draw the conclusion that I needed to go on another adventure anyway. Therefore, I probably had less courage and more confirmation bias working against me in that decision. It's funny to step back and think about that now, but I was burnt.

Matt Chiodi (06:31):

That is always a good reason. There's been a lot of discussion on LinkedIn around CISO burnout, and so I'm always asking professionals around if there were early signals? I think the younger you are in your career, the more you want to do everything; you want to take on all the work. I can do it, I can do it. And I've had a similar scenario in previous jobs where I was on the plane 80/90% of the time, and you kind of just get used to the rhythm of it. And you come home and you're like, these relationships feel different; it's colder and it's more distant. This isn't a counselling session, but I think this is something that's really common, which is why I asked if there are signals? And the goal is as we get older, we should try to identify those sooner rather than later.

Mathew Sharp (07:25):

I remember trying to walk across the street and there was a car coming and I tried to move quickly and I had spent so much time sitting down that my knee was fatigued and I couldn't even jog out of the way. I was 30 or something years old, so that was obvious. Therefore yes, there's an inflection point. I have managed to stretch my marriage to its capacity a couple of times, and it's always a clear observation that there's an amount of travel that you take where people are excited for you to come home. And then there's the amount of travel that you take where people are just disrupted by your presence.

Mathew Sharp (08:12):

Therefore think 80/20 on either side, 80% home, or 20% away; people are happy, and then you flip that. Well now you're disrupting my cadence of daily life. I think that was definitely something that was pretty explicitly stated that sort of prominently features in my mind right now. It was the hurting knee and the "Why the heck are you here?" When you're actually at home is a good indicator.

Matt Chiodi (08:49):

I love that, that is a really good signal. And I'm glad you highlighted that, because now that you say it, I can remember both of those. And I think it's that's a benchmark that I'm going to use moving forward; are they actually happy to see me come home? Is it because I leave so rarely, or is it the latter, now you're bothering my schedule because I've built my life with you not being here, which is not what you want in a relationship.

I appreciate you sharing that. I think it's really useful for our audience.

Matt Chiodi (09:20):

Let's jump to the book; the CISO Evolution. Everybody writes a book for a reason, if somebody else was kind of talking about it, or at least talking about it in a way that you thought was useful, you wouldn't write the book. So my question for you is, what was missing in the market that prompted you to actually write the book?

Mathew Sharp (09:41):

I just felt like for 15 years I was looking for the answer, how to speak to the business in business terms. And I would hear this cliché sort of statement issued again and again and again. And what I wanted was a framework or a structured approach or a way to pry that open and to really functionally develop the skills. People use these terms like executive presence and gravitas and a handful of other things. And then you ask them what they mean, and you get answers that are incredibly vague. Like, it's like pornography, you know it when you see it which isn't helpful when you set out to systematically develop the skill set. And so I think that was what initially triggered me to go get an MBA. And then after the MBA it was clear to me, because I went in with the intent of capturing business knowledge. How could I convey the information that I was learning as it directly relates to the role of a cyber security professional?

Mathew Sharp (10:49):

And then midway through my MBA, I transitioned from consulting to being an operator, and I ran the global security program for Crocs. And so I think the goal was to really share some structured approaches that have worked for me and maybe some lessons learned about opportunities or instances where we've failed. It was to articulate the opportunity more clearly, highlight where successes and failures had happened, and then give concrete case studies in an MBA format. And then I think obviously Rock brought the inspiration and really brought the whole book together because he came to a birds of a feather session at RSA 2020 and sort of stemming out of that conversation we agreed to write a book. However, the key piece was, let's give people a structured approach to develop business acumen that's relevant and tailored to cybersecurity.

Matt Chiodi (11:55):

I love that, and I'll be honest with you, when I started reading the book, I was like, wait, this is not what I was expecting. I expected what I had read in dozens of other cybersecurity books, and so that's what I appreciate about this book. It is very Harvard Business Review-like, and that is with the way it's written with the case studies...If we jumped to chapter three, it's on making business decisions and you went down a different route than I thought you would. You cited Daniel Kahneman's research on decision science, tell me this; why does process matter more than analysis? And what's the impact and application for security leaders who often have to make decisions quickly?

Mathew Sharp (12:52):

Well, okay, I thought what our approach was to say, in an ideal world, we're all speck and we make these rational decisions, but the reality is that's not what happens at all. We make these totally irrational decisions, and it turns out there's this entire field of study that explains different biases and systematic cognitive sort of malfunctions that cause us to make these really unusual decisions. And so when we start to apply that to cybersecurity, cybersecurity professionals, by and large, are influencing. You're framing up risks and asking other people to make decisions. So for me, it was let's lay a foundation or of the groundwork basic understanding of decision science and then leverage tools like choice architecture and influencer and others in order to give a structured approach to as you said put a process in place that allows folks the opportunity to systematically improve the kinds of decisions that get made. And also to influence decisions to be made in a way that they would prefer.

Mathew Sharp (14:10):

It's both about influence and it's also about creating a more predictable way to create more solid outcomes on the whole. And that could be, should we fund this project? Should I hire this person? Should I fire this person? Should I stay in this job? All of those kinds of decisions are basically subject to all of these biases and can be improved by having a systematic approach. And then the second piece, which I think I'm learning more and more now is having a systematic approach also creates defensibility and allows you and an independent peer or another executive to run through that approach and essentially derive the same conclusions, hopefully. Therefore, in a world where there's increasing levels of litigation and personal liability falling on CISOs having a structured approach and framework to make decisions, I think especially in short periods of time with lots of pressure can be very valuable.

Matt Chiodi (15:16):

From an example perspective, what is a practical example of that? How have you used it? What's something you could share to give us something concrete on what this might look like?

Mathew Sharp (15:32):

The funding decision is the decision that comes up all the time, right? As is no secret, many CISOs are underfunded and as a result, they struggle with a lot of the things that we talked about before; burnout and frustration and the like. Therefore one of the things that you want to do when you're framing up a decision for an executive is to obviously understand the influence factors that are going to create bias. Who are the people that surround them? What are the key initiatives and structure of the business that's going to formulate a foundation for decision making? And then in addition to that, what are the likely biases that you need to overcome? And how can you develop choices and articulate those choices in a way that's not going to result in an answer that you don't want. For example, AppSec, you want to get an AppSec program funded, you can go in and say, we've got pies and criticals everywhere, and our production software is a mess. And all of those kinds of things.

Matt Chiodi (16:44):

I've never heard that.

Mathew Sharp (16:46):

Right? Well, so we say this all the time or you can say we have to have security in our software in order to develop trust with our customers. And that directly ties to the growth of our revenue and the retention of our customers over the long-term. Or having this level of security gives us access to a market because we can't sell to customers in financial services or healthcare until we satisfy certain compliance obligations. And so it's about trust and revenue growth as opposed to highs and criticals. I think that's tailoring the audience, if you highlight what are some of the opportunity costs of not doing it for folks, and if you think about before you go into the conversation what are the likely objections then you can short circuit that.

Mathew Sharp (17:47):

In a lot of instances, you can decide oh, my CFO's objection is actually really valid and I need to refactor and think about this proposal in a different way. Or you can say Hey, I've thought about that and I ran a Monte Carlo analysis and using a Monte Carlo analysis, I'm able to demonstrate that the net present value of this investment is going to be by and large positive. I'm trying to give you some tangible examples on how you can architect choices and present options and leverage some additional context in order to enrich decisions.

Matt Chiodi (18:28):

I've been in this position myself where there's a cyber risk that I've identified in our program that had no investment around it. And if you talk purely to the budget holder or the stakeholders in terms of cyber risk, that is not how they see the world. That's not what shows up on an annual statement or a quarterly statement unless you've got a breach and you have to disclose it, but that's separate. However, that's not usually part of the lexicon, right? Therefore I think it's actually very helpful. You mentioned that you got your MBA, was that part of what led you down this path to start even thinking about, okay, I've got this business knowledge of financial accounting, annual statements, statements of cash flow. All these types of things, that if you are on more of the pure business side that you would be more aware of in that kind of language; do you feel that getting your MBA is what led you down this path of discovery?

Mathew Sharp (19:42):

No, I don't think so. I don't think I got my MBA until 2016, and I think I enrolled in 2013 and I was already starting to do research and pay attention to that narrative a long time before that. At fishnet I always felt a little imposter syndrome because here I was, this consultant and I was meeting CISOs across the country; Denver, Dallas, Omaha, North Cal, South Cal, a bunch up by Kansas City, and some up in Minnesota. Therefore I had seen a large percentage of challenges, questions and problems from a lot of CISOs, but I hadn't been an operator myself. And one of the things that always came up to me is, what's the disconnect? Or why are people experiencing the pain points or the conflict that they are?

Mathew Sharp (20:38):

And then for those folks who were successful, who I observed as strong executives, why were they not? And so I think probably before the MBA was through, I had the consulting experience. I look back at people like Sean Irving, Jeff Weeks, Rick Howard, and a handful of others who have done a fantastic job. Who do carry all of the things that you would think of gravitas and executive presence and all of the rest. And I started asking what was different about the way that they behaved, the way that they described their problems, and the way that they engaged with their teams in front of us as consultants. I think that probably pushed me in a direction, and as for the MBA, we go back and forth. Do you need an MBA to be an executive? I think the answer is no, but you do need the core fundamental knowledge. It's probably the quickest way to get it if you don't have it already. And I'm a frameworks kind of guy, I like structure and organization. Therefore, that was a nice way for me to capture or gain that knowledge. If you look across the board, I don't necessarily know if Sean, Jeff or other folks that I mentioned necessarily had MBAs, but then you also see a lot of really fantastic strong leadership coming out of the military. And of course they're doing the same kinds of things but they add certain elements. We had some exposure through the Blackstone portfolio when I was at Crocs; we had some of the military leaders come in and present and talk about their experiences.

Mathew Sharp (22:42):

And the storytelling that those guys presented was phenomenal. I mean, not only was this super interesting because we had the former head of NSA talking about an experience or interaction with Rumsfeld and how that dialogue around cyber risk went. It was interesting because it was at a level that most people will never, ever, ever get an opportunity to see, but the storytelling was so compelling it was like an amazing movie as well. The way that they delivered the content was really engaging and interesting. It had twists and turns, a climax, a surprise and all of these other things; funny jokes and all of that. Charisma I think is definitely an observation, and also storytelling is an observation that I think came more out of interactions with folks that have military backgrounds for me.

Commercial (23:34):

Prisma Cloud secures infrastructure, applications, data and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs in a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure as code templates, container images, server less functions, and more, while gaining powerful full stack runtime protection. This is unified security for DevOps and security teams. To find out more, go to Prismacloud.io.

Matt Chiodi (24:22):

You open chapter four on value creation with a quote from Oscar Wilde, and it says, "Nowadays people know the price of everything and the value of nothing." How does that quote relate to cybersecurity and the rest of the chapter on value creation?

Mathew Sharp (24:45):

I think your CFO knows how much they're spending on the cyber program. Therefore whatever that number is, they know how many headcount, and they know how much in CapEx and opex; they know how much they're spending. That's the price. The value is much more difficult to understand, and if you don't understand the core tenets of value, and I think in the book, we break it down by basically who, what, where, when, why, and how. If you don't decompose value in that way, then you might be speaking to the wrong audience, or you might not necessarily understand the types of valuation methods that are applied, the core metrics that drive value, or the delivery mechanisms for value. And if you don't understand those fundamentals, then how can you possibly articulate what is the value of the cybersecurity program?

Mathew Sharp (25:46):

If you can't say, we're investing in cybersecurity to make sure that we build trust with our customers, and also to make sure that the assets that we build in terms of intellectual property don't contain the wrong kinds of licensing that could devalue our company, if we go to raise funds in a capital markets. If you're not telling that story in addition to we're driving down the vulnerabilities or in addition to its more than just a software, it's also protecting the pipelines, and here's why you need to protect the pipelines. Then I think it's difficult for somebody to understand anything more than the price. And I think Paul Proctor just posted a fantastic comment on "Are you sure we spent enough on this said no CFO ever." It's so relevant because CFOs don't ask that question anywhere else in the business. And in some cases, they are asking CISOs, did we spend enough? And that's not the right question. You're trying to build a capability to produce an outcome that is reduced risk, increased trust, stronger assurance, compliance revenue growth, or something like that; that's the capability that you're building. Anyways, they know how much they're spending, and they don't know why they're spending it.

Matt Chiodi (27:10):

I think you're spot on with that observation. They know how much they're spending, but what is that actually equating to? I think that is where many security leaders are struggling. They are struggling with finding what the value is from what’s being created from the investments in the cyber program. You talked about this elsewhere in the book, but I think you touched on it a little bit right now, but are there any specific metrics? Are there ones that you have used consistently in your cyber programs to demonstrate, to tell the story of the value that's being created? Or is it highly subject to the actual company, and things like that? Are there any reusable ones? I'll be honest again, Paul Proctor has done a bunch of really great research. They created some leading risk indicators that really apply to specific business models. I think in his research, they do this fantastic example where he talks about preventing downtime having a direct impact on keeping trucks in a fleet, and those trucks in a fleet have a direct impact on revenue for the business. And the primary driver for value in the business is revenue growth, or something like that. The first thing is to understand what kind of industry you're in and how you deliver value, and in order to do that, you should understand valuation models and you also should understand at least a little bit of the calculations.

Mathew Sharp (29:01):

Therefore are you using multiples? Are you doing an intrinsic valuation? Are there any other kinds of valuation? You understand your audience, so are you owned by a PE firm? Are you owned by a privately owned family, or a holding company? Are you owned by a publicly traded organization? And then what are the things that people use to determine what the current value is? Once you understand that, then you can pry apart the business model, and you can understand supply and demand sides of your business and understand exactly which of those are driving the most value in the company. Therefore if you're focused on revenue growth; top line growth then it's going to be very different in a high growth company than in a much more mature industry with very slim margins, and it's all about volume. Then you would have to get more efficient and manage costs down. I think those are the starting points, and then once you've understood your business model and understood your value drivers then you can start to think about how to structure the decisions in your team. How big are you going to make your team? Are you going to have more security champions, or are you going to build a fairly robust security engineering capability? Does it make sense for you to essentially have control of a bunch of stuff, or should you be leveraging outsourced opportunities through partners? And how is that all going to hit the income statement and the balance sheet? Where are you going to be able to essentially differentiate your business or add competitive advantage? I think without things like value chain mapping, business models and valuation metrics it's very difficult to make strategic decisions about the way that you staff, about the software purchases that you buy, and even basic decisions like build, buy or partner. I think they become much clearer based on some of those other fundamentals.

Matt Chiodi (31:21):

In this chapter, I think you touched on some of these things already. You do spend a lot of time talking about what I would consider some fairly deep financial terms like discounted cash flow, enterprise value, and EBITDA. We touched on this a little bit, but why is it important for a CISO or a security leader to know what these terms are? And quite frankly, the only reason I know what these terms are is from the last 20 years of personal finance. Looking at stocks and evaluating these models, otherwise, I wouldn't have known them from what I learned in even going through a business information systems program at university, which was half computer science, and half business. I wouldn't have known what these were or how they're used. Therefore, why is it important for a security leader to know what these terms are?

Mathew Sharp (32:14):

The first thing that comes to mind is this vision of sitting at Thanksgiving dinner. And you have all the parents at one table, and you have the kids at a different table, and the dialogue is different at each of those tables. Which table do you want to sit at? You self-opt in, right? If you sit down at the adults table and they're having an adult conversation, you're talking about something in a different direction, or distracting from the conversation, or causing a disruption to the flow of the dialogue because your vocabulary is not correct, or because the topics are not appropriate. Or because the maturity of your discussion points don't really resonate with the group, then you get invited to go sit with the kids. And I think the same thing applies here. If you want to be in the room where it happens to quote Alexander Hamilton then you have to be equipped to participate in the conversation. And if folks are talking about a bunch of terms that you don't understand then it's very likely that you're going to say something that's not very aligned with the broader dialogue.

Matt Chiodi (33:29):

That makes sense. And in chapter 12, getting toward the end of the book was one of my favorites. It was the topic of negotiation. From my experience of doing cybersecurity for over 20 years, CISOs generally fall into one or two camps. One is like my way or the highway, and I see that less now, but generally more in typically highly regulated industries; where I think they have more to kind of stand on and point to. Or on the other end of the spectrum, which is like, “Hey, what can I really do to stop the business?” They always get what they want. Where does negotiation kind of come in and what have most CISOs and security leaders missed?

Mathew Sharp (34:15):

Well, again, if you just look at the cadence of what we're presenting, it's the understanding of how decisions are made, the understanding how to engage in the dialogue, the understanding how to present a business case. Now at the back end of the book, the question is how do you do that in an appropriate way? First of all, chapter 12 was based on some work by a former FBI negotiator. It's all about his techniques in negotiating hostage situations. And he talks about these concepts of creating tactical empathy, in other words, getting yourself to sit on the same side of the table and jointly staring down a problem. That for me really resonated because if you're sitting on the same side of the table as your executive team and saying, how can we actively manage this cybersecurity challenge in a way that's appropriate for our business, then it doesn't force you into this fool's choice of it's either my way or the highway, which is not an effective way to manage anything. It doesn't work with your kids, it doesn't work with your wife, it doesn't work with animals, and it doesn't work with anything. And then if it's not that approach then just being railroaded and being scapegoat at the end of a terrible outcome, of course, is not the right way to do things either. Therefore we've got to find ways to not be the department of "no" and to create buy-in and ownership of the outcomes that we jointly achieve. And I think again, having an ability to navigate saying no, but having it be someone else's idea is a critical component. Therefore, it's not just getting to the right answer, but it's also what's the journey to getting there, and how does the relationship get affected as you traverse that journey?

Mathew Sharp (36:25):

And at the end of the day, I think my term with Crocs, I went in, we busted heads. About 10,000 vulnerabilities were remediated in the first 120 days, and then it was a very challenging path forward for me because I didn't build relationships and I burned a bunch of bridges. And so going forward, although we managed to not get fined and a bunch of other things, going forward was actually a difficult slog. Therefore I think the key lessons were how you get the outcomes that are necessary for the business and educate people along the way while protecting relationships as you do that. That's been my approach with this which has been just about six years with Logicworks now.

Matt Chiodi (37:15):

You've had a very progressive career in terms of learning from past mistakes, which is not always the case with people. I remember very early on in my career back at Johnson and Johnson, I was talking with one of my colleagues who was much more experienced, and I was talking about somebody else, and I said, "Wow, they've got 25 years of experience." And he said, "No, Matt, they have 1 year of experience, 25 times." And as a young buck at a university, I was like, oh, wait, there's people who actually learn from their mistakes, and there are some people that are doing the same thing over and over again. Therefore, a long way of saying that, you seem to have learned a lot over the last couple years, both from signals that are, it's time to take a break, or to grow. However, more generally, Matt, when it comes to personal growth for you, what's the formula that works for you? How do you continue to grow, and as Stephen Covey would say, "sharpen the saw"? And interestingly enough, I do hear a saw behind you, so it's like perfectly on cue. It's the ghost of Stephen Covey.

Mathew Sharp (38:36):

Nice, yes, the audio. We do have a small construction project going on, so I apologize for the audio background. We're actually presenting on this very topic at RSA, which is cool. We spent a lot of time paying attention to these broader signals, like you mentioned. We're going to talk about different data sources to get you more tapped into what's coming; what's on the horizon from a geopolitical, or a macro-economic perspective. And to quote Gretzky, "skate where the puck is going". And so for me, that's been a part of the learning curve. I finished my time with Crocs, which is a wholesale retail manufacturer, and was fairly vertically integrated with more than 600 points of presence and a global footprint. I decided that I wanted to do something that I was much more passionate about in terms of technology, so that's why I pursued this emerging concept of DevSecOps which had yet to take center stage. And that digital transformation was, I think you could say, starting to touch some of the early adopters. And so that was the driving decision there, and then I think in the past, I really liked learning and tackling the growth curve. And so as I bounced around through consulting roles, it was just one thing or another that was interesting, technically, probably more than anything. Now I think there's probably a bit more of a focus on helping develop other leaders, giving back to a broader community, and trying to help people short circuit or not repeat the same mistakes that I did. Just imagine if folks had all of this information that I have taken 20 years to get, and they got it in three or five years instead how much better off would we be? So I think that's the evolution, but we're going to be talking about betting the farm on digital disruption at RSA. And I think we'll be touching on a lot of this framing up career development and thinking about how to attack that.

Matt Chiodi (41:06):

Well, that's exciting. I'll be at RSA, so I'm going to make sure I sign up for your session. Are there any parting words that you would have for our listeners or perhaps something that you wanted to share that I didn't ask you about?

Mathew Sharp (41:20):

Yes! Ask the questions that go unasked, don't be afraid to go and look like an idiot in front of another business stakeholder. They don't know about cybersecurity and you don't know about their discipline, and I think it’s okay to walk in front of the head of marketing and understand the strategy and approach. Or go and stumble through a challenging conversation with the FP&A folks to understand how to derive value. I think shying away from that will only bolster the imposter syndrome. I think that's what I would really like to encourage folks to do, take a proactive approach and get to know other parts of the business in a more intimate way. And you're going to look like an idiot, but that's okay, like Silicon Valley says, "Go fast and break things" or whatever. Therefore we obviously want to do that with an appropriate level of concern for your career and personal reputation and all the rest. However, you're not going to get better if you don't break some things or make some mistakes.

Matt Chiodi (42:40):

Matt, well, this has been a fascinating discussion and I think this is probably gonna be a very well listened to podcast. There's a lot of nuggets in there, both from your personal life as well as the book. Thank you so much for coming on the show.

Mathew Sharp (42:52):

Hey, man, I appreciate it. I'm always happy to sit down and share the information and I'm super excited to have the opportunity to be on one of the Premier Cloud security podcasts out there.

Matt Chiodi (43:02):

Thanks Matt.

Narrator (43:03):

Thank you for joining us for today's episode. To find out more, please visit us at cloudsecuritytoday.com.