Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, and understanding the threats most impacting the cloud today.
Attracting and retaining cyber talent
Meg Anderson, the CISO at Principal Financial Group, discusses her 17-year tenure as a CISO and the factors contributing to her long-term success. She attributes her longevity to her passion for the job and the opportunities for growth and development at Principal. Meg emphasizes the importance of understanding the business impact of cybersecurity and holding people accountable. She also highlights the significance of focusing on the basics of cybersecurity and not getting caught up in the latest trends. Meg shares her experience with mentorship and its role in her career. She also discusses the programs implemented at Principal to attract and retain cyber talent, such as a formal mentorship program and a robust internship program.
Takeaways
- Passion for the job and naivete can contribute to long-term success as a CISO.
- Understanding the business impact of cybersecurity and holding people accountable is crucial.
- Focusing on the basics of cybersecurity is essential, rather than getting caught up in the latest trends.
- Mentorship plays a significant role in career development.
- Taking time away from work is essential for personal growth and avoiding burnout.
Chapters
- 00:00 Introduction and Long-Term Success as a CISO
- 03:15 The Importance of Naivete and Passion
- 06:34 The Role of Mentorship
- 10:54 Attracting and Retaining Cyber Talent
- 12:50 Organizing a Cyber Youth Summit
- 21:13 Building a Cyber Program Around Company Culture
- 28:07 Focusing on the Basics of Cybersecurity
- 36:19 Personal Growth and Parting Words
Matt (00:01.706)
Meg, thanks for coming on the show.
Meg Anderson (00:04.145)
Thanks, glad to be here, Matt.
Matt (00:05.774)
This is awesome. I was looking at my notes before the show; the first time you and I spoke was May of 2019. So it's been a couple of years. It's been a couple of years. So I don't know if you remember how we met. It was at a, it was like an Accenture, like, security lunch or something like that. I don't know. It was some ISAC event maybe down in Florida. Yeah, it was in Florida. So it's been a while. Fun, fun, fun. So when I looked at your profile.
Meg Anderson (00:14.289)
Wow. Yeah.
Meg Anderson (00:26.845)
I was wondering if it was in Florida. Okay. Yeah. Fun. Yeah.
Matt (00:35.854)
The thing that caught my attention immediately was that, you know, I did some research and the average tenure of a CISO these days is between 18 and 26 months. 18 to 26 months, very short tenure for most CISOs. You've been the CISO at Principal for 17 years. What's your secret?
Meg Anderson (00:58.429)
Secret. The secret sauce, of course. I thought you were going to say 18 to 26 years. That's the average tenure. So 18 to 26 months. I have heard that stat before and I have met a few who have probably contributed to that stat. But, you know, from a personal point of view, I think it's just passion for the job and there's probably some naivete as well that's important in this job. It's funny, when I accepted the job,
Matt (01:04.782)
No.
Meg Anderson (01:28.185)
I had asked my boss at the time, how long do you expect me to stay in the role? Because I had previously worked at Principal. And he said, well, three to five years, because it's a complex space. At year four, I said, are you going to want me to rotate into something new? Because I'm having fun. I'm having a blast. And he said, no, you can stay as long as you want. So here I am, still here. But it's really allowed me to grow and develop and grow with the company as well.
So we've grown globally, which offers new challenges from an information security perspective, from a technology point of view and regulatory compliance and truly understanding the nature of cyber from a global point of view. And still at Principal, it's a growing company. We're very well known for being a great place to work.
and just a positive work environment, love the people they work with, of course, that's always something that people will cite. And it's just, there's never been a dull moment. So I'm not a person that enjoys the mundane. I want to make sure there's change and there's always exciting and new things to do, especially when it comes to technology and cyber. And I've had those opportunities here. So that's why I'm still here. I know a few others with long tenures and I think that we all,
appreciate what the company stands for and the culture of the company and that's one of the reasons that we've all stuck around.
Matt (02:59.426)
You mentioned something that stood out to me in your response. You, you mentioned a certain, I think you said naivete. Talk, talk a little about, if that was tongue in cheek or what, but I'd be curious to hear just a little more. Is that, is that like curiosity? Like, what is that? What did you mean by that?
Meg Anderson (03:15.485)
I mean, not knowing what you're getting yourself into. So I'm guessing that people who have short tenures have clear expectations of what they intend to do, what they intend to get from their employer, what they intend to give to their employer. For me, I jumped into the job from an IT director role and I didn't have a lot of expectations. I really thought
the job was going to be very focused on identity and access management and understanding compliance and regulations around cybersecurity. And so what I learned is information security is much, much broader than those two things. And that's kept me here because it's allowed me to continue to grow and learn. So yeah, back to your curiosity comment.
Matt (04:06.862)
So you've pretty much answered part of the question I was gonna ask you, which is that, what do you know now about cybersecurity that you wish you knew 17 years ago? What would you add to that?
Meg Anderson (04:17.693)
Yeah, that breadth is definitely one thing on my mind. And, you know, the other part of that is cyber is really business focused. Even though I report into our CIO and reporting to technology and have very close ties with technology, truly understanding the business impact of cyber is probably something I wish I knew back in 2008. Also the need to hold people accountable.
Matt (04:27.575)
Hmm.
Meg Anderson (04:45.863)
We're a very collaborative culture. And while we probably felt myself and my team, we were holding the organization accountable, probably weren't as clear as we could have been. So what I know now is that clarity that you create and drive when you have a responsible, accountable, consulted, informed, RACI-type model is really, really helpful for all of your employees or leaders or decision makers. So they know what you expect of them.
Matt (05:06.968)
Hmm.
Meg Anderson (05:14.363)
and they know what to expect of you as well. You know, there's probably a couple other things that as I was thinking about this is FOMO. So there were times throughout my career where I thought, well, we need to have this kind of technology or we need to have a certain sort of service because it was the new next great thing in cyber. And so what I've learned throughout the years is the basics
are really, really important. And so not worrying so much about the next thing on the road map, the next thing Gartner's talking about or other industry groups or peers are talking about, trying to focus on making sure the foundation and the fundamentals are covered is something I wish I would have known then. And then maybe lastly, truly important. This really came clear in the pandemic. Make sure you're developing your team.
Matt (06:10.872)
Hmm.
Meg Anderson (06:11.015)
building a team, developing delegates, making sure everybody has great opportunities. And I say during the pandemic because we certainly saw turnover increase during that time period, as well as new people come into the organization. So it's really important to make sure when you have those new people, giving them opportunities, making sure they know clearly what their boundaries are and making sure we can exploit their talent too.
Matt (06:34.766)
That makes a lot of sense. You know, when we were doing kind of the pre-show for this call, we talked about mentors. And so I'd love to hear for you, maybe talk a little bit more about the role mentors have played in your career. And then the second part of that would be how you've put that into practice at Principal.
Meg Anderson (06:55.229)
Sure. Yeah, I thought a little bit about that. I have a kind of a what I would call a long short list of people who really stand out as mentors for me. And I'll start with one, Jim Ralph, who you may or may not know, but Jim was part of the financial services ISAC at the time that I became CISO. And he really was helpful in shepherding me through the organization, helping me understand. I didn't have knowledge of the ISAC. I didn't have any background in how the
Matt (07:08.002)
Yep.
Meg Anderson (07:24.049)
government works and this is an organization supported by the government with lots of government types involved in it. So truly, yeah, truly understanding how it worked. You know, it's a nonprofit type organization, but this information sharing thing that we were all talking about that back then was really important. And I remember one time where we were at an ISAC conference and Jim's like, hey, come with me.
Matt (07:31.98)
and acronyms.
Meg Anderson (07:51.813)
And he separated me from the other person on my team who I was with and somebody else from the ISAC organization. And I went and sat with CISOs from like Goldman Sachs, MasterCard. And so he brought me to this table to intentionally introduce me to his network. And that was really valuable. And so I try to make sure I share my network with up and coming CISOs, new people, make those introductions and be very open about
Matt (08:09.549)
Hmm.
Meg Anderson (08:20.445)
who you know and how they might be able to help you and make those connections. So he's one person that I always think about when I think about somebody who's mentored me through my early days. And then another one is Laura Dean, I don't know if you know Laura, Matt, she's the CISO at Northwestern Mutual. Really great to share frustrations with her, successes as well. They have a similar company culture. She's based out in New York City. Of course, I'm based out of Des Moines.
Matt (08:35.351)
I don't.
Meg Anderson (08:50.321)
When I'm there, she'll make time to have a cup of tea, cup of coffee, and just get caught up and truly understand the life of the CISO and what's going on. So she's been great. Another one is Biatas Wingenberg. She works at ING in the Netherlands and she helps me understand the importance of getting away from the job. She has a culture of holidays, right? So she's always...
Matt (09:18.478)
Sure.
Meg Anderson (09:19.985)
doing some sort of holiday. And so it's great to be reminded that as tough as the CISO job is, it's really important to just get your mind free and break away. And maybe I'll add a couple more locally. James Johnson is the CISO at John Deere. Andy Neller is, I think he's the Deputy CISO at Wellmark, which is a Blue Cross and Blue Shield organization here. Learned a lot from them. They're sort of what I would call my technical mentors. They have their hands
Matt (09:48.195)
Hmm.
Meg Anderson (09:49.445)
in things a little bit deeper. And, you know, we trade war stories and approaches to board reporting and things like that through our Technology Association of Iowa CISO group. And then Phil Venables. So Phil is CISO at Google. His blog, I think, is great. It's pragmatic. And you're able to read what he shares and then share it within your organization because it's pretty much in
plain English and doesn't use a lot of cyber security jargon.
Matt (10:24.896)
One of the things I hear often from junior members, either on my team or previous teams is that they're looking for how do they get to that next step of their career? Right. And I think personally for me, mentorship has helped me personally to get to that next step. How have you, when you, when you look at development and we'll talk, we're going to talk a little bit more later about attracting and retaining talent, but I guess as one part of that for your internal team, how do you, how do you see mentorship working?
How does that work?
Meg Anderson (10:55.035)
Yeah, well, at Principal, we have a formal global mentorship program where people can choose different characteristics or different things they're looking to develop. And then they're matched. And that's a six month long program. So you have the opportunity to do that a couple of times a year. And that's a formal mentorship type program. So I definitely participate in that as many opportunities as I can take because
being able to talk about cybersecurity with somebody who's outside of the cybersecurity organization is great. But inside the organization, there's also inside my team, lots of opportunities to mentor up and coming high potential talent, both in cyber and technology, we have a program as well. So I take those opportunities. I also work with an NYU program to mentor their
CISO program that they've started and actually I got involved with that through Jim Ralph. So those are the kinds of opportunities and things that come from networking and mentors.
Matt (12:05.786)
I found that in my own experience as well that the obviously there's things you do inside your company, but being able to go to events, have people that you know who can say, Hey, I think you should meet X. I think you should meet Y, make those introductions. Those for me have been just so powerful. And then being able to introduce people on your team to those people. I found being a connector is equally as powerful. I don't know if that's been your experience.
Meg Anderson (12:32.201)
Yeah, absolutely. Like last week I had mentioned to somebody in an FS-ISAC CSO meeting that I was in, hey, my team has been through that. If you want me to connect, let me know. I was able to connect them to the experts on my team and both sides learned something from it. And now they have that connection. So absolutely love doing that.
Matt (12:50.016)
Yeah, it's powerful. That's powerful. So I think this is very closely related to attracting and retaining cyber talent, right? It's a challenge for most companies. And quite frankly, I was doing research a couple of weeks ago. It's a challenge, not just in cyber, it's a challenge for companies in general. I'm curious from your perspective at Principal, maybe what programs have you implemented around attracting talent, retaining talent?
And how do you measure success of those programs? What do you look at?
Meg Anderson (13:22.503)
Yeah, that's a great question, especially the measurement part, right? Because we might come up with some great ideas and putting it into action and making sure it's working are two different things. So I'm lucky to be part of our IT organization that has a really great internship program. So we attract talent from all over the United States. And I believe this year we had our first international intern as well. So benefit from that.
We are seeing incredible talent come from that program. Years ago being CISO for so long, the talent that we had, they might have been an IT major with a cyber class. Now there's cybersecurity degrees, information assurance degrees, minors, all kinds of things. So very, very lucky that our program is so strong. So we measure
talent in general based on turnover metrics and employee opinion surveys, which we call our Pulse surveys. So through both of those, the metrics that we watch, lots of demographic characteristics about gender of hires, turnover based on gender, all kinds of indicators, and we're able to filter that information and really be able to watch that on a quarterly basis to make sure that diversity is top of mind for us.
We also, those Pulse surveys I mentioned, though we get the results from the Pulse surveys I mentioned, we get the results from them in almost real time. And we're able to take action on them as a leadership team and understand and trend if questions are used from quarter to quarter, we're able to trend those questions and really get into the minds of our current employees to figure out how can we make
How can we make improvements? And what I like to stress, sometimes people can be skeptical of whether or not action is being taken or is management really listening to us. And so I like to be able to talk about if we don't hear your voice, we'll never know what needs to be changed, right? We can't improve without change. So sometimes employees are fearful of change and what it might.
Matt (15:26.273)
Yeah.
Matt (15:38.017)
Hmm.
Meg Anderson (15:45.725)
do to them personally. In our last town hall, we did a little Slido during the town hall meeting to talk to people to get what was on their mind regarding change. So what are you most excited about with regard to change and what are you most fearful about regarding change? That was a really good anonymous way for people to give us sort of those one-word answers. One of the things that came from this Pulse survey, one of the Pulse surveys that we did,
Matt (15:48.291)
Hmm.
Meg Anderson (16:15.887)
was creating a meeting we call Open Mic. And Open Mic was created in, I don't know, four or five years ago to really help people have a forum to ask any questions that they want, what's on their mind, as well as for management, myself, my directs, and anyone else, to give accolades and recognition for the good work that they were seeing done. That really became this meeting where the chat just blew up.
Matt (16:19.745)
Hmm.
Matt (16:41.805)
Hmm.
Meg Anderson (16:41.841)
with coworkers thanking other coworkers for the great work that they did, for pitching in. Yeah, so it's a really uplifting meeting. And I think from a retention point of view, while I can't measure the impact that that has, from time to time we have asked, is this meeting still worthwhile? Because we also talk about being a heavy meeting culture. Do we wanna keep having this meeting? And that's one that consistently people are very thankful to have. So that one's worked out well.
Matt (16:45.68)
That's awesome.
Matt (17:01.986)
Hmph.
Meg Anderson (17:10.683)
I think also just at Principal from a retention and attraction point of view, we are a culture that values in office. So three days a week in the office from a hybrid point of view, we also have employers, employees who are fully remote, including me. I have a couple of directs who are fully remote, but Principal encourages time out of the office. We have flexible time off policy that
is encouraged, like we do encourage people to be out of the office, clear their heads, as well as volunteering and just overall having a work life fit or work life flexibility, whatever you might want to call it. And I hear from employees, I meet with all of the new employees in my department for half an hour after about 45 days in, and this started during the pandemic because I was a little worried I wouldn't know, wouldn't recognize people when we got back into the office, little did I know how long that was going to actually take.
Matt (17:59.607)
Yeah.
Matt (18:04.654)
None of us did.
Meg Anderson (18:05.137)
But it's, yeah, it served me really well because I have the opportunity to meet everyone from entry level on up. And I do hear a little bit about previous companies that they worked at, why they were attracted to Principal. And so over and over, I hear about our work life flexibility, opportunity to grow and develop in their career, ability to focus on a certain skill.
So it's really a positive message for me to hear from new people. They really appreciate what the company is bringing.
Matt (18:38.03)
That was pretty powerful. I love those different mechanisms that you've put in place. And I'll go back to one thing that you mentioned a couple of minutes ago, and that's your, your internship program. There's, there's a lot of organizations that have those. And, you know, I was an intern many moons ago and I remember I won't say the company was part of the, it was good that had an intern program, but they didn't have a way to then take someone from being an intern to making them be a full-time employee. It was almost like it was a separate experience. I'm curious, like,
Meg Anderson (18:46.679)
huh.
Meg Anderson (19:05.201)
Yes.
Matt (19:07.096)
Do you, how does Principal address that? Like, do you guys have something that actually says, Hey, we're going to take a certain percentage or what does that look like?
Meg Anderson (19:15.153)
Yeah, we do. I can't share with you the exact percentages because I simply don't know. I'm not close enough to it, but we definitely see our internship program as a feeder pool for entry level talent. And the way we look at it in my area is who were the top interns? How many do we think we can take before we ever let the recruiting committee know how many interns we want for a summer? And I think last I think this particular summer we had eight or ten interns.
We don't specify what year they are in college. So sometimes it's a crapshoot where you might get two people who will be looking for that full-time job. And sometimes it might be five people looking for that full-time job, which as you can imagine, that might be harder to place five. But we do approach it as we're going to offer you a job at Principal. It won't necessarily be in security. It's going to be at Principal. For security or in IT, in security it's
Matt (19:59.31)
Sure.
Meg Anderson (20:13.069)
More of a yeah, we probably want you to be in security if you've gone to school for a cyber security degree or cyber security major. We probably do want you. We do offer full time employment to the top interns that we have each summer. And so far it hasn't been problematic to slot them in to open positions due to growth or turnover that we might have. But we definitely want to make sure that we are having an internship program.
that creates full-time jobs for our technology and security employees. We do. And get your applications in early because I think the applications close by the end of the year, right? And a lot of times I hear from people who are looking for internships in March and I'm like, eh, you're a little late for our program. So come back next year. And we offer repeat internships as well. So if you're good and you want to come back, we'll let you come back.
Matt (20:48.056)
So future interns that are listening, you know, you, you have a target, you have a target to go after here. So.
Matt (21:09.358)
That's powerful.
Matt (21:13.016)
So company culture has a big impact on the success of, of cyber programs. And I'm curious, you know, we talked about this a little bit, but maybe walk us through how you've intentionally built your cyber program over the last few years, specifically around Principal's culture. You mentioned it's a collaborative culture, but maybe what are, what are some things that have worked? Maybe some things that even backfired. We'd love to hear that. Everybody likes to, everybody loves to hear a train wreck. So if you have one of those stories, that'd be awesome.
Meg Anderson (21:13.543)
complete.
Meg Anderson (21:36.957)
Sure. Well, you know, if you don't make mistakes, you'll never improve. So everything doesn't always work out great. But one of the things I'm really proud of is our Business Information Security Officer program. And I think one of the reasons that it's been successful is because of our company culture. We are in a centralized team in information security, but the Business Information Security Office are
Matt (21:46.306)
That is true.
Meg Anderson (22:06.543)
officers are aligned to specific business areas, so retirement, benefits and protection, et cetera. And they really get embedded in the strategy of the business that they're aligned to. They understand the regulatory requirements for those particular businesses. They can have one-on-one conversations with engineers in that business area to help them understand
perhaps maybe different secure software requirements or policy changes. And that's really how the company has operated over the last few decades that I've been here is truly knowing the business is really important. And I didn't have those for the first five years of my CISO gig. And it became painfully obvious to me that as the importance of security to
business strategies such as, we're going to do a mobile app, you know, back 10 years ago to really engage and embed. There was going to need to be more of me than I could spread across the business area. And so these business information security officers have done a fantastic job of truly understanding what's going on and have been welcomed by the business unit leadership and have become point people. And they have small teams.
Matt (23:14.286)
sure.
Meg Anderson (23:29.649)
to really help the business unit with their information security frustrations, challenges, or opportunities. I have business information security officers who will speak externally to customers on behalf of those business units. So it really has created this opportunity to differentiate what we're selling when it comes to cyber. So it's been really good. They've been invaluable. So that's definitely worked.
So what's not worked? I agree. That's a harder question to answer because nobody wants to air their dirty laundry, so to speak. Principal is a very pragmatic company. And I also mentioned earlier, we're very highly collaborative. So when you put those two things together, sometimes it can create a speed problem where you're thinking about things, you want to make sure that you're getting your money's worth, you're rationalizing them.
Matt (24:00.142)
Yeah.
Meg Anderson (24:23.385)
You're collaborating, being in a centralized area that supports multiple business units. You need to make sure all the business units agree and that collaboration can truly slow things down. So while I don't have a specific example to share, I do think, you know, we just tend to be a culture where we need to convince people and rationalize things. What I've learned from that and what I try and coach and develop my team is people need to understand why this matters.
And it's not, it doesn't matter what whatever the is is, whatever the thing is. It doesn't matter because the information security area or the CISO said so, it matters because our mission is to protect the data and money of our customers, right. And our company. So helping people understand why a decision needs to be made quickly, why a decision needs to be made to invest money is important or to make changes, whatever it is. So I think.
You know, there have been times where not starting with that why has probably backfired. You know, where we've led with we need to purchase this particular security technology without helping people understand why. Once you help them understand why you have to ensure that you're patching in the cloud, for example, or things like that, like, hey,
You actually have a regulator that requires this or, your customers keep asking about this and we need to make sure that we can satisfy the due diligence requests of your customers that are bringing in revenue for your business area, right? We're not doing this for the sake of our roadmap. We're doing this to make sure that the company can be successful in all the markets that we do business in. So I think that that sometimes is a little source of friction.
Matt (26:12.526)
Yeah, I think so. And getting back to your comment earlier about the BISO program, the BISO business information security officer program that you put in place a number of years back. I've also found that in, especially when I've worked in, you know, larger, you know, Fortune 100, Fortune 500 type of companies, you need those roles because they are embedded, right? And each line of business is just so radically different from the next.
Meg Anderson (26:34.716)
Yes.
Matt (26:39.826)
You need someone that's embedded, someone that can hear, that can understand, can literally be there. Because like you said, there's only one of you and you may have N number lines of business. So definitely the BISO programs I think can be incredibly, incredibly powerful. So I guess the other piece too, I wanted to go back to you had mentioned about this. It was the beginning of our conversation about FOMO when it comes to technology and
Meg Anderson (26:55.879)
Mm
Matt (27:09.106)
I've been there. I have absolutely been there. You go to a conference, you hear about something. It's really cool. They've got really great marketing and maybe it, maybe it does solve some problem, right? But the question always, you know, it needs to come down to what risk does this solve for us? And, you know, do we, are we doing the boring things really well? Right. I'm curious for your take on, I was speaking with another CISO yesterday in the consumer product space and he was basically saying that, you know, their, their rule, the way they look at this,
Meg Anderson (27:27.505)
Right.
Matt (27:38.734)
is they look at their base operational metrics from a security perspective. And they use that to help inform future investments around new products, like something that's covering some risk. Let's use AI, for example, the thing everyone's talking about. I'm curious for you, how do you guys look at that? How do you bring those things together, doing the basics really well, like patching? This is something we've been dealing with for 20 plus years now.
So many breaches happen because things are not patched. So how do you look at doing the basics right and at the same time making sure that you are staying ahead of say something like an AI or an emerging type risk? How do you look at that?
Meg Anderson (28:11.399)
Right?
Meg Anderson (28:22.225)
Yeah, the way we look at the basics really is through our what we call our compliance dashboard. So you can slice and dice it a bazillion ways so that you can get down to a specific team to truly understand are they doing what they need to do relative to the thresholds that we've established for certain metrics. Patching is a good example. Of course, phishing metrics are one that we talk about as well as
Matt (28:48.866)
important.
Meg Anderson (28:52.643)
metrics around awareness and making sure that CBTs, computer-based training, is taken on time for new hires and for experienced employees as well. So definitely there's a focus on the numbers and from that compliance dashboard then we have a set of metrics that we also use for the board of directors and so we do review those metrics on at least an annual basis to say are these still the things that are associated with
the most important risks. So as an example, third party risk has really ratcheted up over the last few years and we didn't have a metric to say how well we're doing with regard to the third parties that we're doing business with and are we managing risk associated with that. And so we added a metric associated with third parties. I don't know that we think it's the best metric ever, but it's what we had. So we do struggle with what data do we have? Is it
Matt (29:28.514)
Yeah.
Meg Anderson (29:51.195)
data that we can trust the integrity of the data, you know, what is it going to take to get there? So we might delay a metric a year or a quarter and say, let's add that when the data is clean, because that's, that's super important. That's an area where people get burnt, right? You, somebody's looking at the numbers and then you investigate and find out you have a data quality error. So definitely leverage metrics throughout the organization and getting better at making sure those at a more personal level.
Matt (30:06.69)
Yeah, absolutely.
Meg Anderson (30:20.923)
a leader, a department, something like that, so that it's not just a company-wide metric, because that sort of leads people. A quote that I read recently was, everybody feeds the dog, the dog's going to die, or if nobody feeds the dog, if everybody's responsibility to feed the dog, the dog's going to die. So you really have to know whose responsibility is it to improve this particular control, this particular metric, to make sure it actually gets done.
Matt (30:37.729)
Yeah.
Yeah, yeah.
Matt (30:51.52)
Makes sense. Makes sense. I was looking at LinkedIn, you know, I always stalk my guests before these things. And I saw that back in July, you did a cyber youth summit. And I'd love for you to talk more about that. You know, what was the goal? How did you pull it off?
Meg Anderson (31:03.835)
Yeah.
Meg Anderson (31:08.229)
Yes, I'm super proud of how it turned out and I know that my team is really proud as well of being completely candid. When I first threw the idea to them, I think there was a little bit of, you know how much work we have to do? And I'm like, come on, it'll be simple. So it was a great team effort. We even got our interns involved, which gave our interns great exposure presenting to
groups and event planning and they got exposure to our local CSAR representative as well as planned a networking event. So the way it came about is an employee who works in a different state had reached out to me and said, hey, my daughter is in high school and she's really interested in cybersecurity and I was wondering if your team ever does any job shadowing.
And my team allows job shadowing all the time. In particular, the cyber defense team seems to be the area that people are most interested, you know, sitting in the SOC for a day or something like that. It's the, it's the, it's the thing people think of when they think about cyber. And she happened to be the second person in a week. And then like the very next day I had another person, Hey, my next door neighbor.
Matt (32:04.878)
Hmm.
Matt (32:16.759)
Yeah.
Meg Anderson (32:26.757)
And I'm like, you know, we should do something a little bit more formal. Number one, it will be more efficient for the team if we do it sort of once and done and advertise it and say, Hey, we have this opportunity. So that was really the goal was to think about how do we give friends and family members of employees the opportunity to learn more about cyber and create just a bias-free opportunity for them to learn more about it without
feeling like they're going to ask a stupid question or ruin the chance to work here someday. So get them early before they've made any decisions about college to get some insight into what a day in the life of various people in cybersecurity looks like. So that was pretty much the goal. Of course, we would want them all to choose a career in cyber as a result. The team did a great job pulling it all together. We got
Feedback, some of the feedback was really interesting. One of them was about it was great and I got a lot out of it. It was really informative and from a parent's perspective, they're like, hey, if my child says informative, that means it was great. Yeah, that's really good. Somebody else said that the student that they brought, I think it was a neighbor, enjoyed it and was going on and on to their parents about it last night. So really, really good.
Matt (33:39.342)
That's a win.
Meg Anderson (33:54.781)
There were also, I want to say there was like at least 25% females in the room, which was really encouraging for me to see high school girls come and express interest in cyber. So it was great. All around, it was a success. And I think the team would be really eager to do it again.
Matt (34:18.318)
Well, that's powerful. That's something I think we need to see more of in cyber. And that's why it caught my attention. I really haven't seen too many companies do that. Do you think this will be something you guys do annually?
Meg Anderson (34:21.991)
Mm-hmm.
Meg Anderson (34:29.085)
I think so. I think so. From my point of view, I think the positives outweigh the time that was invested in wanting to plan an event like this. We also had Mexican food for lunch. I won't mention the brand. But we did get really positive comments on a free lunch. So it didn't cost a lot of money. It didn't take a lot of time. Once you've done it, we can just rinse and repeat.
Matt (34:52.384)
You guys are doing a lot of, a lot of great work for the industry, but also to, I think, grease the skids for your, your cyber program and making sure you have a good line of talent. So I guess that leads me to the question, are you hiring? Maybe if you are hiring, tell us about some of the roles and what you're looking for.
Meg Anderson (35:01.403)
Yes.
Meg Anderson (35:10.203)
Yeah, at this point in time, we are hiring. We have a couple of roles that I'm aware of and maybe a couple that might be coming soon to principal.com slash careers, I think is our career site. One of them that frankly, we've had a little bit of a challenge finding candidates for is an enterprise architect who's focused on the security space and in particular the space around governance, risk and compliance and data protection. And so
that's an open position. It actually reports into our enterprise architecture area, but we'll be supporting my team. And then one of the other positions we have open is around information, it's an information security engineer position. And that would be supporting one of those VSO teams I mentioned in our retirement space. So those are the two that I'm aware of that are out now. I don't know what stage they're in, but I would encourage anyone listening to this to always look at our career site because there's tons of opportunities.
Matt (36:08.878)
That's fun. That's great. So all right, let's switch gears. Let's talk about you when it comes to personal growth. What's the formula that works for you?
Meg Anderson (36:19.589)
I don't know that I would call it a formula necessarily, but you know, I think a balance with taking a more hands-on approach from time to time. As a former IT professional, I was a COBOL programmer. You know, technology experts never want to get their hands completely out of the technology. I shouldn't say never, but they always want to have something
connected to the roots and technology. So a lot of times as a CISO, it's really easy to say, can you brief me on this subject? Can you write a report? Make a recommendation. I try and get my hands dirty a little bit on those things and sort of pick and choose. I'm doing a presentation for a closed peer group in a couple of weeks around deep fakes, for example.
I could ask my team, go out and get me all everything that you know around deep fakes. But I, that's the kind of thing I choose to do myself so that I can grow my mind and learn that way. Also, I think teaching other people is the best way to learn. Just, you know, especially if you're a little bit of a perfectionist, right? You want to know all the answers before you
Matt (37:36.226)
Yes.
Meg Anderson (37:43.559)
teach somebody because they're gonna ask you questions while you're teaching and you need to be able to answer them. So I think that's really important. So I think sharpening your knowledge through teaching others is one of the words of wisdom I guess I would have around that. And I mentioned earlier, the only way to do something right is usually to make mistakes along the way and figure it out and be willing to take those risks to try new things knowing they might not work.
Lastly, I think I mentioned this too, is taking time away from the job. Vacation's on my mind today. You know, taking time away from the job, avoiding burnout, clearing your head. That's also definitely something that's really important for growth. Probably good for your brain.
Matt (38:29.356)
It is, there's definitely a science behind that. I'm glad you mentioned that because I think you're the first guest I've had in almost four years to say that as part of their, as part of their growth piece. Cause usually people think it's pushing yourself more. It's doing more. It's whatever, but I fully agree with you. I just, I just took two full weeks as the first time I had two full weeks off in a couple of years. And it was just, it was amazing and I needed it.
Meg Anderson (38:31.704)
Yeah.
Meg Anderson (38:53.585)
Yeah, were you able to completely disconnect? Yeah, that's great.
Matt (38:55.848)
I did. I actually did not. I didn't look at Slack or email once. And I will admit, I felt guilty for the first probably three, four days, but after that fourth day, I didn't miss it.
Meg Anderson (39:06.269)
Yeah, I can compartmentalize pretty good. Sometimes I have to move my work related apps to a different page of my phone. So you don't see those badge notifications or turn off notifications completely. But I probably can't disconnect 100 % like you did. I admire that.
Matt (39:13.542)
Yes.
Matt (39:18.328)
Yeah.
Matt (39:24.019)
It was hard. It was hard, but I'm glad I did. I'm glad I did. To be truthful, my boss was very supportive. I've had some leaders in the past who would never allow that. I would get the guilty pings, the things like that. Like, hey, I noticed you weren't online. So I think that is a big part of it. And I'm grateful that you brought that up as part of growth. So this has been a great conversation.
Meg Anderson (39:46.087)
Yeah. Good.
Matt (39:50.336)
Are there any parting words that you would have for our listeners or perhaps something you wanted to share that I didn't ask you about?
Meg Anderson (39:57.275)
Yeah, I think just from a parting words point of view, one of the things that I think about as, you know, having a lengthy career, there are a lot of people that don't know very much about cybersecurity. And I was sharing with somebody that I golfed last Friday with my husband and two gentlemen that I hadn't met before and they were older and retired. And so when they found out that I worked in cybersecurity, I evangelized a little bit, right?
I basically said use multi-factor authentication, don't use the password for all your important financial sites. Any opportunity you have as a cyber professional to do a little bit of evangelizing is really important. You know, like how many stories we see of people getting duped through phishing or smishing or vishing on LinkedIn and saying hey, this was a really good one, if I wasn't working in cyber, I might have fallen for it type of thing.
I do think it's really important to share the love and passion of cyber and fighting cyber criminals if you work in cyber.
Matt (41:04.034)
I love that. I love that. Well, Meg, thanks for coming on the show. It's been fun.
Meg Anderson (41:06.951)
Yeah, thanks. It was great getting caught up, Matt. Appreciate it.