Navigated to #242 - The Secret to Career Success: Your Personal Board of Directors - Transcript
Get the app

Log in
CISO Tradecraft®

·E242

#242 - The Secret to Career Success: Your Personal Board of Directors

Episode Transcript

Hey, do you have a board of directors?

I'm not talking about where you work, I'm talking about who you are.

'cause if you don't have a personal board of directors, you're missing out on some real great opportunities.

So stick around.

I've got somebody who's gonna give you some great information on how to improve your game.

Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.

My name is G Mark Hardy.

I'm your co-host for today, and I have with us, Ross Young, whom you've seen before, and I think you're gonna see a little bit more of because he is a great guy.

He knows an awful lot of stuff, and quite frankly.

Somebody has some brilliant ideas.

Now, quickly, if you are just finding us for the first time, don't forget to subscribe.

Also, follow us on LinkedIn.

We're a whole lot more than a podcast.

We have a Substack newsletter.

We have little shorts that we put out, and a high signal, low noise news broadcast that'll come out on LinkedIn, pretty much on a regular basis, but we're not gonna spam you with anything.

if you're listening to us on our podcast channel, don't forget to give us a thumbs up or a five star just so other people can find us a little bit easier.

Don't forget to share with everybody else where you're getting your knowledge for your CISO Tradecraft.

So Ross, welcome back to the show.

Hey, thank you.

It's a pleasure to be here.

So we were talking a little bit beforehand about the concept of a personal board of directors.

Now for some people they're saying, ah, come on, really, but there's actually something to that.

Can you tell us a little bit more about this concept and perhaps where you first ran across it?

Yeah, so I was in a meeting this week and, we were discussing all sorts of being a mentor, being a mentee, and how to help.

And, there was this very astute, lady who I won't name, but she, mentioned having a personal board of directors and, it was also shared, a number of different resources, which we'll put as show notes.

But, it's an interesting thought.

CEOs get smarter by having this board of directors that they can get counsel from with different perspectives.

There's the chief finance officer usually on a board of directors.

There's former CEOs, other things that can provide perspectives of been there, done that.

So the CEO doesn't have to make the mistake as a first time CEO, and I just think that's so brilliant.

And how do we bring that to cyber professionals?

it's an interesting concept.

Now we think about on the corporation and the way that governance is organized is that we have a board of directors who is responsible for the overall direction of the organization.

But the CEO is a person who's supposed to execute that mission from the board of directors.

So to a certain extent, the CEO Slant President, and by the way, they're different roles and if you're not familiar with the roles.

President is basically a functionary role.

Okay.

Who's the president of Microsoft?

Brad Smith.

Everybody knows that, right?

No.

Satya Nadella is the guy everybody knows and he's A CEO.

it turns out that the president is a functionary requirement.

You have to have one for an organization.

They preside over meetings and things such as that, and they also have certain legal responsibilities.

But the CEO.

Is appointed by the board.

And it turns out that from that perspective, the board is telling the CEO, here are your goals, here are your objectives.

Here's what you're gonna do.

And oh, by the way, yes, you can learn along the way, but if you don't execute, you get fired.

Now we are reversing the dynamic a little bit.

We're saying, Hey, here, the personal CEO Me is going to be, if you will, employing the board not to go ahead and follow their direction, but rather to see clarity.

And advice and insight from them.

Is that a correct what we're talking about?

Yeah, we're, hiring these folks who can help us, without, essentially hiring people to fire us out of our own, roles, if you will.

And, I think it's a powerful thing, like we all need feedback.

And, I would even say that some of this feedback doesn't even have to come from a person.

It could come from a book, right?

So if you think, Hey, I really need to get financial literacy skills.

You could probably read a book on that could just help you just as much.

But sometimes having a real person where you can ask questions is just so valuable when you're hung up on a certain concept.

Now you talking about hiring them?

Do I need to break out my checkbook and say, I'm sorry.

I'd like you to be on my board of directors.

What?

Your hourly rate, or is this something that's more of a relationship based, engagement?

I.

I have found my best relationships not to be informal programs.

I'm not to say, those don't work for people, but they didn't work for me.

And what I found was I wanted to find someone that I naturally clicked with, where we just had, matching personalities a little bit and.

And then from that, building that relationship.

And one of the other big, things you need to understand is a good relationship isn't just taking information from the mentor.

The mentee should also be a mentor to the mentor in, some ways.

and I know it's a little confusing, but think about it this way.

A CISO probably hasn't been a first time coder, in 20 years in their career.

So they don't actually know what the onboarding process is for new developers.

And so if you can share that with them and show 'em how it's broken as the mentee in that relationship, you are mentoring the CISO, right?

So things like that where it's a give and take back and forth, I think makes a super productive thing so that the mentor wants to continue to learn from the mentee, in this relationship.

that sounds good.

Now, for a matter of terminology, for people who maybe think of it as a protege or a mentee, we're equating them.

Sit down in Florida, we think of mentees is those big things that float slowly around, but of course the manatees.

But whatever term you use, in the military, we called it, mentor and protege, and we had mentorship programs because in the that type of an organization, you're constantly training your replacement.

There's always a goal to be able to help the next generation.

Become this gen, the following generation of leadership.

And as a result, you don't hold back.

And they say if you, if you're irreplaceable, you can't be promoted.

And so from that perspective, what you wanna be able to do is twofold.

One is train your replacement, which is gonna, we think of as a mentorship.

Also seeking out the advice counsel and wisdom and direction of people who are more senior to you or more experienced than you, which is what we're talking about here from mentorship.

Now as we look at a personal board of directors, are there any other goals other than mentorship that we could consider as being a good reason for doing so?

So even beyond mentorship, I think sponsorship is huge, right?

Because let's say you decide to get someone who's, three levels above you as one of your mentors, and it may not even be in your own division, but all of a sudden they take notice of wow.

This is really, helpful.

I, think this person's a rockstar and they're doing really, good things.

A lot of times those people will notice things at their level that are not visible to the mentee.

Hey, this person's gonna retire in two months.

We need to plan the transition of who's going to replace that person.

Or we're gonna do, some big thing that's a temporary effort and we need a champion to lead this initiative just for three months.

And so their ability to sponsor and say, have you considered this person?

He's just been really solid and I think you do a, an excellent job, him or her in that role.

that can be another fascinating thing to get not just, advice, but also sponsorship.

Yeah, and I think that's really important because as we talked about several times on the show, there's different phases of careers.

We start out in a technical phase, and then from there, if we do well, we're given management.

Execute on time, on budget.

When we get to the CISO level, we're looking at leadership roles, being able to set the vision, motivate your team, et cetera.

But when the sponsorship is really that fourth level, which is the political layer, which is really where things happen, and we find out that in many organizations.

Some of the best technical people never do well in management or don't get to management.

If they don't get to management.

By the way, it might be a good thing, unless you're in an upper out career, like the military, some of the best managers just can't, they couldn't lead people out of a burning building, and some of the leaders may be inspirational and people who do anything for them, but with a blindness.

I toward the politics of an organization, they're going to stall out and retire as a leader.

And they might be perfectly fine with that.

But at the CISO level, it's more than just leadership.

It's leadership and political acumen.

You're correct.

We've left our technical skills behind.

To a certain extent, the management is delegatable to those whom are who are direct reports.

Leadership falls squarely on our shoulders, but to even get to our job, let alone succeed and progress, we need that political acumen, and that's where the correct selection of these personal board of directors can really be.

Helpful.

So with that in mind, what do we look for as we're quote unquote recruiting our board of directors?

And will people just say yes, or how do we coach that in a way that's gonna cause them to be more likely to say yes than no?

I, think the first board of director member, that I would look for is someone who's been in the role that I aspire to.

So maybe I am a head of AppSec and I desire one day to be a CISO.

I think the best advice is probably gonna come from someone who's been a CISO or is currently a CISO, right?

and Steve Jobs has this famous quote where, they were looking at bringing all these consultants in.

And, while they understood management, they didn't grow up through the ranks, so they didn't know anything.

And he calls 'em bozos because, the people weren't able to learn from them and they had to let them all go.

And so I think that's the first thing.

Find people.

Who've done things, because what you're going to find is there's a proven pattern, right?

How is it that someone becomes a CISO?

if you look, there may be four traditional routes that people grow through.

They grow up in the SOC, they grow up on the GRC side of the house.

They grow up in, AppSec Vuln management.

Or maybe they grow up in a non-traditional path.

If you don't see yourself going up those traditional recommendations, you have a much harder job trying to get those same opportunities when you don't look same-same, as what normally gets promoted, right?

And I think what you'll find is you're really key to point out that there are multiple pathways to becoming a CISO.

Lemme draw again a parallel.

To my military career.

And so for those of us who had made it to O-6 captain and every captain thinks they're gonna be a great admiral, the reality of it is one half of 1%.

Captains will promote to Rear Admiral.

And so there's that eye of the needle and we all figure we're great.

So what happens?

You tend to look for the people who get selected this year and they say, what job did they have?

Oh, they were in this particular assignment.

So then everybody applies for that assignment, figuring that was the magic.

But then it turns out that, nope, next year was somebody.

And they're all chasing around like a crowd looking for the last winning lottery ticket.

G Mark, I think I've heard you on an earlier episode, said, there's traditional paths.

Like you're either a subsurface, let's call it, submarine officer that gets promoted.

You are a surface warfare officer, someone running the big ships or you're a pilot.

Those are like the most likely path to get, to be, an admiral in, the Navy.

Is that still the case?

The big bucket.

But now we're saying as you get closer to the top in that career, you're not gonna cross over.

Although it's interesting because again, staying with the Navy analogy for a moment, from my experience has been in the Navy Reserve at O-5 A Commander, that's your last opportunity as a pilot to get command.

You get command of a squadron, which is big deal.

it's huge.

You've got hardware, you've got millions of dollars of equipment, dozens of men and women, and you have a real mission assignment there.

And then what happens at that point?

when you pin on your Eagles and you become an oh six.

You get lumped in with all the surface warfare officers.

Now think of the culture of your organization if you are a CSO or a leader and you have to groom the next generation of leadership.

We had a saying in the Navy, in the surface warfare community where I grew up, that, woes.

Eat, they're young, meaning what?

You look for any possible defect they made, and boy golly, you're gonna document the fact that they screwed this up and they screwed that up.

And so you pick up a lot of dents and dings and errors along the way.

And your record.

And your record reflects the fact, you're human.

the pilots we used to joke, they said if you had 10 pilots, they all got ranked one out of 10.

One outta 10.

One outta 10.

what used to be before they computerized everything is the Squadron Co, is the admiral said, here's what you do.

Don't send them all in at once.

Like you're supposed to send 'em in one at a time and then two days later, send the next one, send the next one.

The bureau's not gonna sort it out.

So what happens when you're up for oh six?

'cause I sat on that oh six command board and I noticed that the surface warfare officers went like this, and the aviators look like that.

And the admiral said, Hey, by the way, this is why.

These guys do so well and women at this level and beyond.

So understand the culture of your organization.

If you have a zero defect mentality and therefore you're looking for perfection, but your organization doesn't share that, you're gonna do some real damage.

Or if we look at Steve Balmer when he was at Microsoft, one of the big sources of angst there was what he required each business unit to bottom blow.

10% of their organization every year.

If I had 10 PhD Nobel Prize winning scientists.

I'd have to fire one of them every 12 months and it was just unilateral.

And that was one of the number of things that created some toxic culture there.

But back to the personal board of directors, as we look at that, your insight is excellent.

Find somebody who has served and been successfully served at the level that you wanna do.

I'll go one beyond that and that person also has to take.

A personal and professional interest in your success.

I can't just walk up, to Phil Venables and said, Hey, wow, you've been like world class C all the time.

So be my mentor.

I've had people come to me all the time, be my mentor.

I taught for Sands for almost 10 years, and people at the end of my leadership class, you're my mentor.

Like they're ordering me.

You are gonna be my mentor.

Doesn't work that way.

So how do we entice somebody who is very busy, very reasonably successful, and probably doesn't have a whole lot of stake in your.

Professional and personal success.

How do we convince these people that they should be on our board?

So one of the first thing that I have seen is cyber is a very generous community.

Most people want to help the next generation 'cause I think many of us.

Didn't really get good guidance and help growing up through the ranks.

So like Phil Venables has an amazing blog.

He's very much one to give back.

the second thing that I would say is if you really want someone to help you, make sure you are not wasting their time.

If you go to a meeting and you're like, I don't know, tell me everything I need to do, that's a very one-sided meeting versus if you go to a meeting.

You bring an agenda saying, here's five to 10 questions I'm really struggling with right now, and I'd love to maybe just to ponder and talk through these thoughts and these things and get your recommendations.

That is a really rewarding meeting for a mentor to give advice to, and they don't feel like they're wasting their time.

And so I think of are you putting as much prep into making that a very productive meeting?

If you do that, you have the best chance of making it.

Very rewarding.

And then I think the other thing I would say is also find a way to connect on a human level.

for example, a lot of times when I'm in conversations with people, I usually ask people about what are their favorite hobbies, what do they like to do?

And then just talking about their hobbies, which most people are not interested in your hobbies, just opens them up and then they're like, man, I really like talking to this person because we have just these interesting conversations.

Instead of, how's the weather?

What'd you do?

Oh, I went shopping at Costco over the weekend and nothing.

Interesting.

And you gotta make sure, of course, you're not making them feel.

Self-conscious because some of us get so involved in our job and our life and everything else like that.

Our hobbies have set to the side.

I remember I did a, presentation up at, fort me a couple years ago, and the two stars said, hey, this is G Mark and tell me about your hobby.

And it's Man, my hobby has been my podcast, and this doesn't sound like a really fun hobby.

but I am restoring my old car.

Yeah.

I've still got my first car in 1960 Corvette.

That's the good news.

The bad news is it's been waiting for me to replace a fuel pump for three years.

It's still up on, on the ramps.

It's come on, Hardy.

It's been forever.

it's just a matter of maybe finding.

Technical mentor, like somebody who works in a garage or likes old cars and said, Hey, wanna come on over here and, we'll cook dinner, cook ribs, something like that, and, make it worth your while because rather, or could just drag the thing into a shop and have somebody do that.

we can't just drag ourselves into the shop, but as you said, find something that personally connects them and that's really key.

The other thing also is this, as a mentor, when I'm approached by a protege or a potential protege saying, Hey, would you like to help me out there is.

An assignable risk to me, is a mentor that I have to accept.

What do I mean by that?

If I am a mentor and I choose to accept somebody as a protege who is not gonna follow through, who doesn't do their homework, who ends up not becoming successful in a failure, what does that do to my reputation among my peers?

this Hardy guy and every, he just push everybody who goes to him fails.

So you are causing a perception of risk when you go to a successful mentor.

What's the best way, in your opinion, to reduce that vision of risk?

In fact, maybe even make it look like a positive risk.

I think you go in and honestly, I don't think you ask for a formal mentoring relationship.

I think you just go in and ask them questions, say, Hey, I'd like your advice on the following, and then you just go and naturally connect.

I don't think anybody, when they meet their, spouse for the first time says, Hey, do you wanna get married?

I think you, you come in a little softer than that, right?

and I think that same advice applies in a mentorship, right?

It doesn't have to be so formal.

And you know what?

After that first meeting, if it's terrible, you never have to meet that person again in a, in that type of capacity.

But if it's really, good at the end of the meeting, be like, you know what?

I really enjoyed this conversation.

I'd love to continue it again.

Maybe we can meet up for, lunch in a couple months or, in two, three weeks.

whatever you feel the timing is appropriate, Mm-hmm.

and, then just leave it like that and see how it goes.

And I think just that more casual, natural progression makes a lot more sense.

And then you're just building up these natural friendships that also turn into really good advisory panels for you.

And that's a good point.

One, it's, the interesting thing is, so I, had worked with some students here in the Tampa Bay area and I had, one of the students, I met her at one of the security conferences here that I spoke at, I'm trying to remember which one.

something or there and they said, Hey, you're wanna get into security.

She's a junior electrical engineer, but like cybersecurity.

And we buy a ticket to BSides and then afterwards we had to come over the house.

Mike made us lunch and things like that.

And we talked about different projects.

Elland do hardware.

I said, hey, I've got a couple raspberry pies.

Let's go ahead and I, let me set out this.

Concept of this project I have in mind, and we worked on it and things such as that.

And we said, okay, she wanted to write it up.

So I said, take the, take 'em home with you.

So I figured I'd get back like a one paragraph.

I'm, I just pulled it up right now.

So there's a three page, outline, not an outline, a summary of, two G Mark Hardy from this person.

Overview of what we did with a statement of the problem, a statement of the solution flow of how it would work, what we did today, what I learned, key takeaways and my next steps, and the deadline is what I'm gonna do for an upcoming goal.

wow.

So this is a university junior who's already got this well organized.

Now some people might say, yeah, she fed it all to chat GPT or something.

I don't care.

The point is that, what does that tell me as a mentor?

As to what risk, if you will, that I'm taking.

This is a person who's going places, so I bought her a ticket again this year to come to BSides, and we stayed in touch.

And so as a result, if you finish up instead of, Hey, I'd love to get together for lunch in a month or two, what I would recommend going one more.

I said, Hey, based upon our conversation, there's two or three takeaways that I have.

And I'm gonna commit to doing them and let's talk about it in a month or so over lunch to see how well I did.

Now at that point, I know you have a stake in following through in my advice, and you're right, people feel good about being a mentor.

And oh, by the way, I've always been told in the venture capital world, if you ask somebody for money, they're gonna give you advice.

But if you ask somebody for advice, they might offer you money.

So keep that in mind.

It's not a hard and fast rule, but a general rule.

Yeah, I like that advice and thank you for sharing that.

I think that's really key.

another aspect I think we should also be discussing is.

Who else should be on the board of directors?

I know we mentioned, someone in that role that you aspire to and, I think there's other types of folks.

What, do you think are some of the other roles that we should put on our panel, if you will?

I'm gonna go back to an author from 1937.

Napoleon Hill wrote a book called Think and Grow Rich, and one of the things he has in terms of his.

Recommendations for success is Mastermind.

And not just a Mastermind, but the power of the Mastermind by being able to say, if you want to be successful, what you wanna do is create a group.

And the idea is no individual may have great power without valuing himself.

Considering Okay.

Himself.

Herself.

But this is 1937 of the Mastermind.

And so the idea here is, that the author is suggesting that you can.

accumulate through other people that you associate with in a spirit of sym sympathy and harmony.

I would say more synthesis, I guess probably different words that we use 90 years later, but the whole idea was, is that he is suggesting that what you do is by creating this personal board of directors, what he called your mastermind is that these people are going to be able to assist you in different areas.

And one of the concepts is that imagine that you had.

Great people throughout history.

You had, not only Napoleon Hill, but he's talking about, let's say you had Abraham Lincoln sitting around and maybe Julius Caesar and perhaps Decar or whatever.

Now you can't just pick these names out of a hat.

You have helped to have read a lot about them.

In a way, it's almost like we become our own AI system.

We've read enough.

Information about a particular person that we think would be a great historical mentor if they're not physically here today, that if we sat down and men in our mind, imagine them having a face-to-face conversation with this person who I deeply respect, what would they say in this context?

And so from that perspective, your imagination kind of runs wild.

Here we have the opportunity to use real life people, but.

Do your homework a little bit too.

So if I know that Ross Young is writing a book and he's talking about what about your budgets and why your money is wasted, then he's got some expertise that he has spent in working on his book about understanding how to correctly allocate funds.

If I wanna become a CISO, that's a core element of my ability.

To hold that job and to be successful is to be a good fiduciary, responsible nature for the funds that I get, and to successfully lobby for the ones that I do need to grow my security programs.

because I did my homework on this guy, I'm not gonna ask him about other things such as, what's the best way to work on my golf swings so I could go ahead and play golf with a CEO?

No, do your homework.

Understand what these people can potentially bring to the table.

So beyond just the CISO, think of where we might have either blind spots or weak spots.

Some things that we may not do all that well.

And for example, people who wanna get to public speaking, they say, go to Toastmasters.

It's a great opportunity and I've been speaking and presenting for years.

And people say, did you ever do Toastmaster?

They said, no.

Why I just grounded out the hard way.

I just did hundreds and hundreds of presentations and over the time learned my own technique.

That said, however, if somebody wants to be better at that area, they know that they're, yeah, whisper, whatever, all the things that don't work too well.

As a public persona doesn't have to necessarily mean I have to have a personal speaking coach.

There are resources out there as well that you can take advantage of if you make the time commitment to it.

So speaking of time commitment, what allocation of time should we be making toward this improvement on our skill sets?

And what time commitment do you think that we could reasonably request out of mentors?

I think one hour every two to three weeks, if it's someone that you're pretty close with, makes sense, right?

Maybe you go out to lunch every two or three weeks with someone.

I think, if it's someone that you're not as close with, maybe once a quarter is probably more, appropriate.

It all comes back to how often are things changing, right?

That you need new advice.

If you don't have anything new to tell this person, then you're just wasting their time, unless you really have a lengthy conversation that didn't finish and you need more time.

So I would look for, Hey, these 10 new things happen to me and now I need, this new advice.

the other thing that I would also say maybe on our previous, discussion here.

Is, I would tell people to look for what I'm gonna call grave diggers.

People who know where the dead bodies are in the organization and where things have gone and, struggled and, you just think about it, there's probably some people who are architects that have been in the company for 20 years.

They know.

The broken processes, they've probably tried to do things and been shot down by previous management or leadership.

And so I think if you go and you talk to those folks and you say, Hey, tell me something that we should do that we haven't done yet, you can learn a lot from those discussions.

And it's not just the architects, it's also the customer help desk.

Like what?

Tickets, do we get the most of that?

Are just wasting your time.

That if we fix, would just make your life better.

So having those people who know where these dead bodies are that need to be, fixed in our organization.

'cause we're just getting more of them.

I, think is a really other important thing to add to our board of directors.

Excellent insight and one of the things that, a reference that you had actually introduced me to from the University of Georgia on a personal board of directors is it recommends having seven different categories of people, a challenger, someone who is gonna try to push you.

I.

To doing something that you might not do on your own otherwise, but that encouragement gets you a cheerleader who's always going and motivating you.

'cause let's face it, we're human.

Sometimes we get demotivated.

A coach, is a little bit different than a cheerleader, of course, is that a coach is gonna go ahead and put you through your paces and require you to do certain things, which you might not like at the time.

But that discipline is what you're gonna gain from that.

A connector, which we've already talked about, somebody who could link you in with other people in the organization.

Absolutely essential, particularly when you're realizing that you're getting to that political layer and relationships are the currency of that realm.

Not money, not accomplishment, and not even reputation.

then there's a mentor, which we've been talking about a lot, which is someone to help you develop your skills.

We've mentioned role models, somebody who's already been successful in that, and you've also mentioned sponsor, somebody who could introduce you to that next level and say, Hey, welcome if you will, to the neighborhood.

like the welcome wagon, to the executive suite.

And you've covered a lot of those things, so it seems like intuitively you've got an excellent grasp on doing this personal board of directors.

So well done Yeah, and I'll give you one more that you may not think about.

everybody always wants to talk to the leader, but most big leaders in big organizations have an admin or a chief of staff, and those people know the secrets about that person because their whole job is really, how do I make this life or this person's life easier?

And so if you go and you talk to 'em and be like, Hey, what would really work well with this?

Or, who do you think you know this person would really, agree with?

Or who, should we talk to?

You might be surprised to learn that they know that this person spends all their time with here.

These are the people this person goes to for advice.

And using that as a way to influence or increase your influence with some of these organizational leaders can be really powerful.

And, that's a, brilliant insight.

For example, if I wanna influence the President of the United States on something, it's very unlikely I'm gonna get a one-on-one meeting.

But if I can find the people who are advising the president, somebody who has that person's ear, yeah, I, listened to that.

Maybe get to that person.

Even that advisor.

Look for the people that are trusted by your.

For lack of a better word, target.

And if I'm trying to create an initial relationship with somebody who is perhaps two or three levels above where I just can't walk in the front door, I'm gonna get turned away.

Find out who gives them advice, be polite, be nice, create a friendly relationship.

And then at that point in time, they may get you onto the person's calendar.

It's a little, it's not manipulation, it's basically understanding how politics works.

Yeah, if John always trusts Jackie, 'cause Jackie is just brilliantly smart and just executes to the nines and Jackie says, you know what?

We ought to take a risk on Ross.

Naturally, I have this level of trust coming in.

So if you can think about those things, those high valued referrals, I think that's a, fantastic place to look at.

And, that's a, it's a very good point.

And so as we do that, and as we look at these potential third parties, of course recognize that they will be a little bit initially guarded.

why are you trying to talk to the big boss?

You're not.

But if you approach them.

Build a trust with them first, then you're not going at 'em with an agenda.

At least it's not an obvious agenda, but at which point you can say, Hey, I'm really struggling with this issue.

If you know anybody who could help me out, of course they know somebody can help me out.

It's the person you're looking for.

And so what we are finding then is that a personal board of directors should include a range of different capabilities.

do these people all have to be friends with each other?

Do they even have to know each other, or can I do this?

Asynchronously rather than call my board of directors meeting once a month.

I don't think they have to know about each other.

I don't think they have to be involved with each other.

The one thing I would always say is make sure it's someone that you have a really good, trusted relationship with.

there's a lot of people who could be amazing board of directors for other people.

But I just don't connect with on a deep, personal level, and so if I don't really connect with them, I think it's really, hard to spend more and more time with them to make valuable relationships with those.

Now, don't get me wrong.

In any role, there are people you are forced to connect to.

If you're the CISO, you're gonna spend time with legal, you're gonna spend time with hr.

And maybe you don't want to connect with those people, but you need to.

But that doesn't mean they have to be your board of directors or your mentor for really important thing.

Maybe you get a chief of HR from a different company who you do connect with on that personal level, and they give you just as great advice.

That's true.

So some relationships, if you will be transactional and other are gonna be more substantive.

And really what we're looking at here is going beyond the transactional relationship to one where we're, transcending just the, Dispensation of professional ad advice, Lucy, the psychiatrist is in 5 cents for advice.

but rather to create, if you will, more of a personal interest.

And we do so as you had suggested by maybe taking some interest, man, what are their hobbies?

What do they like to do outside of the workplace?

Most people do have something.

Some people are just so focused on what they do.

That they don't have that.

And so be careful that if they're feel self-conscious about being put on the spot, hey, tell everybody about your hobby.

yeah, it's like fixing the car that I haven't been fixing on for three years.

Yeah, it was a little bit embarrassing.

I've got a better, I got a better answer today.

I'm basically becoming a pizza chef.

I bought a pizza oven and now I'm fresh pizzas last night from homemade dough and they're still getting there and they're almost round, I guess I'm told it takes a few more tries before you really.

Get it and you can flip 'em up in the air.

But that's something interesting and fun to do, and totally orthogonal to everything else I'm doing, which is sometimes what your hobbies are.

Now, if you find somebody who's never given advice before, maybe being a mentor or on a board of directors is something new for them, or even if they have been doing it.

One caution is, that just because they give you advice doesn't mean it's accurate for you.

So how do we use our own discernment when somebody says, close your eyes and let go of the rope and fall to the floor, and you think you might be 20 or 30, 50 meters up, and when you let go.

You're only this far away and, but you didn't know that, but they did.

Or maybe you fall and crash and burn.

How do we discern that?

So the first thing I will say is a lot of really important discussions.

You shouldn't just have one.

Conversation with one person.

You should have a sounding board across multiple people, right?

So let's just say there's, an opportunity for you to step into a new role, but you don't think it's a good fit, right?

Maybe you've always been in cybersecurity and they're like, Hey, we want you to take this role where you're gonna head the PMO in the IT department, and you're like.

Ugh, I, that sounds horrible.

I don't want to deal with budgets and money and all of these things, and, you have that insight and you're like, I think this would be just terrible.

I just wouldn't like it.

And, you talk to three or four people and they say, you know what?

I.

If you're actually going to manage a billion dollar program, you better understand how to manage the budget, and that's what you're gonna get in this role.

And it's a trial role before we promote you into that larger role.

And if you don't do this, you're not gonna get those aspirational roles that you want.

And you hear that from a couple people.

You should really pay attention.

But if you only hear that from one person and you don't hear that from the rest of your, cadre, and they're like, no, this person just wants you in that role.

'cause he's trying to fill a vacancy, that's where it's you, need a sounding board across multiple people to understand how it, helps you in your, career set.

Yeah, and it's interesting because you're absolutely right.

I had an opportunity where I was offered to be the acting Chief Information Officer for the United States Navy.

Wow.

As a reservist, they're gonna get called back to active duty and become the CIO.

And you know what an awesome opportunity, and this is what, 15 years ago, but.

What came out of that was a couple of things that were head scratchers.

First of all, the incumbent CIO, who was also a reservist, he was gonna mobilize to go over to the Gulf, but he said, you can't use my office and you can't use my title.

You gotta go sit in the other room with the Booz Allen consultants.

I red flag one, and then do I get to go ahead and interview with your boss?

No red flag too.

And, it's like something, I ended up not taking the position and it turned out that, and what I found out is that this person, nothing against him, 'cause he understood the politics of his organization better than I did, but he did not want someone to be wildly successful.

The idea was he wanted someone who could keep the organization running long enough for him to come back.

Rescue everything after six months, be the hero and get a promotion, which he eventually did.

but I just did not want to be that column fodder of that.

You also mentioned about somebody wanting to fill in that role.

about a month later I got a interview with a three star admiral who wanted me to become his CIO and that was Naval Installations Command.

A multi-billion do, basically anything the Navy has that doesn't float is Naval Installations Command, which is a lot around the world, and that was a huge job.

But two things.

One was, as you'd point out at the beginning of the show, I'm a chief.

I'm not a chief information.

Officer career track in the Navy.

I'm a surface warfare officer.

Alright?

And so that would be tangential track.

And it turned out his real agenda was that they had, Navy had direction to build up Guam.

And so he basically needed someone to create all the IT infrastructure in Guam, half a world away.

Nothing to say Guama is in a nice place, but that was going to be essentially where I'd be living for two years, making that happen.

And so as a result, we want to go ahead and, as you had said, try to discern what is the motivation behind it.

Is somebody giving you good advice or is somebody.

Just trying to plug a square peg in a square hole and move on to it and really is not interested in you, just wants that job done.

The other thought that occurred to me when you're mentioning about one person being one odd out, let's imagine for example, let's bring it back home more toward a security example.

I need, for some reason, a copy of True Crypt.

I found an old encrypted drive or all encrypted file that I needed to decrypt.

I got rid of the software.

true Crypt is no longer support anymore.

And yeah, I know this other thing be crypt, but let's stay with true Crypt.

The last official release came out in 2012.

It was version 7.1 alpha.

you can find if you search around a 7.1 Bravo, a 7.2, and even an eight, all of those are Nonofficial versions and they might be Trojan.

And even if you found one labeled 7.1 Alpha, how do you know that's not a Trojan version of software?

Because there's no official distribution.

And so from a security perspective, you'd go and maybe go to five different places, and I think I did that five or six different sites.

Then I did, a hash on each one of them.

I shot 2 56 and found out that five of the six matched, and one of them didn't match.

Which one do you think was the Trojan software?

I'm pretty sure it was the one that didn't match.

And so I used went with crowdsourcing and I got the right version and I was able to decrypt that thing.

So that tells us then that we can, don't just walk away and someone gives you something, Hey Ross, do this.

And you go, okay, SDO this.

And it just happens.

Vet that, run it by other people.

And if somebody says, this is non-intuitive.

It doesn't make sense to you now, and I get that it doesn't make sense to you now, but we've been talking for months.

I care about you.

I wanna see you succeed.

This is something that is going to be critical for your success, and it's because of its very non intuitiveness that it's going to give you an advantage over somebody else trying to do what you want to do.

Now.

That's the leap of faith.

That's let go of their open fall to the floor.

It might happen.

And I think that's a great thing.

I, when I look back in my career.

I say, what are the jobs I'm most happy I took?

They're not the jobs that I expected them to be.

The jobs that I went in thinking this is gonna be the coolest job a lot of times weren't my favorite jobs, three years later.

And in these jobs that I took, because, someone recommended me and there was an opportunity to go over here and I'm like, okay, let me go over here and just fill some time for a little bit and, learn some new things.

Oh my goodness.

Did those things take off?

And I'll just tell you one role.

I went into to one role where I ended up learning DevOps and I ended up learning cloud, AWS and this was in 2014, timeframe.

And it was so different than offensive cyber, which had historically been my track.

fast forward to 2025, where I'm at, cloud is everywhere.

DevOps is everywhere.

And by being a pioneer in some of those spaces, I was able to set up a much larger career.

And so understanding where technology is going to evolve, and I think the answer right now is AI machine learning.

And in some of the way, AI generative code is changing things.

Getting a really good understanding of being on that emerging tax sometimes can be a massive bonus for years later.

That's a very good insight and as we get close to the end of the show, let's summarize what we've been talking about.

We issue is the idea of a personal board of directors other than a corporate board of directors, where the flow, the direction is really coming from you trying to learn from the board rather than a corporate where the board.

Just telling the CEO to do.

You'd also pointed out the importance of having different elements on that board of directors.

People who could challenge you, who could be your coach or mentor, or a role model or a sponsor.

And don't just limit yourself to five people that are in that same role.

Maybe diversify across that.

We talked about creating a bidirectional relationship where a mentor.

Assuming responsibility for somebody else's success takes on the risk of that person not being successful.

So you wanted to do everything you can to convince that person that it's worth their time and effort.

To help you along because your success is gonna reflect very well on that person and that person's career.

And then lastly, as we look at some of the opportunities that are out there, some may be non-intuitive.

As you had said, some of your best career opportunities weren't what you were looking for, but it turned out in the long range.

Two have worked out really, well for you.

So don't reject something out of hand simply because it doesn't match your prior pattern of behavior.

'cause if you do what you've been doing, you're gonna get what you've been getting.

And what we want is to do something a little bit different.

Any other thoughts you have?

I'll just give you one last one that I've been tinkering with a lot lately.

A lot of times I use chat GPT or Claude for queries and I'll use a.

Query, based on everything I've ever asked, what do you think I should do?

or I'll ask about technologies and, ask for recommendations and get some really interesting things.

So sometimes it doesn't even have to be a human.

I mentioned earlier, maybe you're reading a book from an expert, but, I would tell you also consider some of these LLMs that you can ask questions with.

And if you're asking, dozens of questions every day, it knows probably about.

As much as your best friend about you and some of its advice can actually be really, good.

Well, Ross, with that excellent advice, I think we're gonna wrap up the show for today.

Thank you very much for being part of our audience out there at CISO Tradecraft.

Whether you're watching or listening, we're glad to have you.

We hope that this information has been helpful and valuable for you in your career and moving you along in your own.

Tradecraft for your career journey.

This has been Ross Young, I'm G Mark Hardy.

We're pleased to spend this time with you, and if you love this episode, give us some feedback.

Go ahead and connect with us on LinkedIn.

We're both on LinkedIn plus CISO.

Tradecraft is there and give us some questions.

Who knows?

Maybe if you put all this to good work, you might pick up one of these people as a mentor if you think we could help you out.

So until next time, thank you very much for being part of CISO Tradecraft and stay safe out there.

Never lose your place, on any device

Create a free account to sync, back up, and get personal recommendations.

Create account