Velocity's Edge Podcast S1E8 - Dr. Pablo Breuer on CISO Leadership

Many organizations hire Chief Information Security Officers (CISOs) expecting them to be security experts who can implement controls and prevent breaches. But as Dr. Pablo Breuer learned through 22 years in Navy cyber operations and leadership roles spanning National Security Agency red teams to Fortune 50 financial firms, the fundamental challenge isn’t technical — it’s that most companies don’t understand what they actually need from a CISO in the first place.
“The difference between a manager and a leader is the manager comes in every day, and they look at the list of to-do, and they just go through the rote steps,” Pablo explains. “The leader is able to look out a little bit further, and really anticipate what the challenges are going to be, and communicate those challenges not as technical challenges, but as business challenges.”
The most effective CISOs don’t function as organizational brakes — they operate as racing brakes, enabling companies to go as fast as safely possible. But this requires more than security expertise. It demands translating engineering requirements into business language, converting CEO vision into actionable technical architecture, and understanding that the first letter in CISO is “C” — meaning chief executive, with all the strategic leadership responsibilities that entails.
In this episode of Velocity’s Edge, Pablo and host Nicko Goncharoff explore what separates security management from security leadership. They tackle essential questions: How do you build a security-minded organizational culture when the solutions are fundamentally cultural, not technical? What questions should CEOs ask when hiring their first CISO? Why do the best CISOs spend their first 90 days listening rather than implementing changes? How do you maintain political capital and avoid the common pitfalls that lead to rapid CISO turnover?
The conversation reveals why successful security programs aren’t built by the most technically sophisticated leaders — they’re built by those who understand that their primary client is the business itself, and their job is enabling growth while reducing risk.
Dr. Pablo Breuer is an expert in cybersecurity and information warfare, with leadership experience spanning the military, government, and private sector. He has held top roles at U.S. Special Operations Command (he served as the United States’ first Chief Information Security Officer for coalition forces in Afghanistan), the NSA, and at U.S. Cyber Command. He co-founded the Cognitive Security Collaborative and co-authored the DISARM framework, used internationally to combat disinformation. Pablo is also a sought-after speaker and educator in cybersecurity strategy.
As in all our episodes, we speak in plain, executive-summary business terms, framing complex business and technology strategic challenges in context, using language that makes them more accessible and actionable.
Listen here, download it from Apple Podcasts, Spotify, or find it wherever you get your podcasts.
Episode Information
Season 1, Episode 8
Length: 17 minutes, 51 seconds
Host: Nicko Goncharoff
Guest: Dr. Pablo Breuer
Recorded: VOXPOD Podcast Studios, Parsons Green, London
Engineer: Dayna Ruka
Editor: Dayna Ruka, Jeet Vasani
Episode Transcript
Nicko Goncharoff: This is Velocity’s Edge podcast. I’m Nicko Goncharoff, and joining me today is Dr. Pablo Breuer. Pablo! Good morning.
Dr. Pablo Breuer: Good morning, Nicko. Thanks for having me.
NG: Do you want to just introduce yourself?
PB: Sure. Dr. Pablo Breuer. I’m a 22-year veteran of the United States Navy, where I spent most of that time actually working in what we now call cyber, both on the offensive and defensive side. I had the distinct privilege of being the very first Chief Information Security Officer for coalition forces in Afghanistan in 2004/2005. Before that, I was on the NSA red team. I also helped stand up U.S. Cyber Command, and then towards the end of my career, I was the CIO/CISO for U.S. Naval Forces in Central Command, which is everything in the Middle East. Then finished up as the innovation officer at U.S. Special Operations Command. Since then, I’ve gotten into industry, and I’ve been a CISO for a subsidiary of Helm and have worked for a Fortune 50 financial firm.
NG: With that illustrious background, if I may say, I think you are highly qualified to discuss today’s topic, which is: What makes a great CISO?
PB: Yeah. I think what that really means is, throughout a long and distinguished career, I’ve made all of the mistakes that can be made, so I’m here to tell you how not to make those mistakes.
NG: Right. Well, one thing you and I have in common is long careers. I don’t know if mine’s illustrious, but I’ve certainly made plenty of mistakes.
PB: That’s the only way to really learn anything.
NG: Pablo, you and I in the past have talked about this idea of security managers versus security leaders. Can you elaborate on that?
PB: The difference between a manager and a leader is the manager comes in every day, and they look at the list of to-do, and they just go through the rote steps. The leader is able to look out a little bit further, and really anticipate what the challenges are going to be, and communicate those challenges not as technical challenges, but as business challenges. The difference between an experienced CISO and an infosec professional that just happens to be sitting in the CISO seat is the ability to take those engineering and technical requirements and convert them into business speak, and then take things like the CEO’s vision, which is normally in business speak, and convert that into engineering requirements so that they can be built. You can lead the target a little bit so that by the time the business says we need X capability, that capability has already been built.
NG: Okay. So you need to be technically well-versed. You need to be a good communicator. You need to have really good manager skills. You probably need to be good at the art of persuasion. It sounds like this is not an easy job.
PB: No, and it’s not meant to be. One of the things that people tend to forget is the first letter in CISO is “C.” That means you’re a chief executive, just like a Chief Executive Officer or a Chief Operating Officer. You need to operate at that level.
Unless you work for a company whose business is providing infosec, nobody is going to be really excited about spending money on infosec, because it’s going to be seen as a sunk cost. It’s going to be seen as something that takes away from the bottom line of the company. So you really need to be able to convince the executives that information security doesn’t take away from the bottom line, it enables the bottom line.
A lot of CISOs and security personnel see themselves as brakes, meaning they slow things down to make things safer. I like to think of a good CISO as being more like racing brakes. Meaning I’m going to enable you to go as fast as safely possible. I don’t want to slow things down. I want to make sure that you can go as fast as possible and just be safe about doing it.
NG: There are a number of aspects to what you just said, but one is organizational. I have been in organizations where the CISO wasn’t necessarily… the “C” was in the title, but not necessarily in terms of how they functioned in the organization. They were seen as maybe apart from the senior management team.
PB: Yeah, that’s absolutely a recipe for failure. If you go back and read any paper or any book on information security, the first thing that they tell you they need is leadership buy-in. If you’re not sitting at the table, if you’re not sitting next to the other chief executives, and you’re not talking to the board, you’re probably not getting that buy-in.
Certainly when I’ve interviewed with companies in the past, the first question I ask is, “Who do I report to? And how often do I get to speak to the CEO and the board?” And if the answer is, “Well, you don’t,” that’s probably not somewhere I want to invest my time, because I’m just not going to be given the horsepower to really enable the organization to do things it needs to do.
NG: Right. Let’s say that you have found the organization, and you’ve decided to join them as a CISO. You come in there. How are you going to build a security-minded organizational culture? One of the things in Velocity’s Edge, a recurrent theme, is that these problems are not necessarily technical. They can be, but they’re often organizational and cultural. I’m assuming that coming in and putting in place a good security program is as much organizational and cultural as it is technical, if not more.
PB: I would 100% agree. I’d actually go a step further. The technical solutions are known, and they’ve been known for 30… 35 years. The technology itself, much to the chagrin of technology providers, really hasn’t fundamentally changed. The basics are the basics. It really is cultural.
I think what a lot of CISOs and security personnel get wrong is they go to either the regulation, or they go to the procedure that is written down, and they just enforce that without thinking about what the intent or the purpose of the procedure was, or the regulation was.
The reason that companies pay a lot of money for CISOs is A. in regulated industries, they have to have one, but B. they don’t want to figure out the techno-babble. They don’t care about IPs and subnet masks, and they don’t care about self-propagating code, and they don’t care about clickjacking. They want to make money, and they want to not get in trouble with their shareholders, their boards, or with regulators.
The first job of a CISO is to sit in the back of meetings for all of the different departments, and all of the meetings with senior executives, and try to figure out what their goals are, and then come back with a way to enable them to complete their goals more safely by reducing risk. And that’s really the conversation that needs to be had. If you go in talking about “HIPAA requires this” or “the Office of the Comptroller of the Currency requires that,” the only person that’s going to cheer for you is probably going to be legal counsel, and everybody else is going to roll their eyes and go, “Okay, you’re just going to make things harder for me.”
Really, the way to look at it is everybody’s got a customer, everybody’s got a client. Your client as the CISO is the business. It’s the other chief executives. It’s the business units. So how are you going to provide them value? How are you going to reduce their risk and still enable them to do the things that they need to do?
NG: What’s an example of how you communicate the business benefits of a robust security program? I’m just going to add: there’s a lot of talk about shifting left, right? In all areas of technology, but in security in particular, building security, not into just product development, but actually into strategy development– into engineering. But how do you make the case to the CEO, to the COO, about what the business benefits of that are?
PB: Usually the business benefits… You always want to answer the same questions. What do I get if I follow your advice? What do I lose if I follow your advice? What does it cost me: time, money, effort? And the last one, the most important one, is “Why do I care?” And that’s really what you’re getting to, is the “Why do I care?”
Usually it’s a very simple conversation. You point out that if you’re doing things in serial, meaning you’re going through and you’re coming up with a business need, and then you’re engineering a solution, and then you’re going to security– you’re really doing these things in serial. And you’re going to have to go back and do usually some fairly substantial re-engineering. And certainly if you’re having to review things after they’ve already been built, it takes longer.
What you point out is that by having the security personnel in the early ideation stages, you can point out things to avoid. You can point out what risks are, and then you can start thinking about, “Well, what are really the security requirements?” and “How can I enable those at design time, so I don’t have to do it after the fact?” So that by the time my engineering is done, I’m really ready to go to production, as opposed to start the security review.
NG: If you’re looking for a new CISO or you’re hiring your first CISO, what are some of the questions that you would ask? What should a CEO ask? Obviously, given our conversation, they should be involved in this decision. Clearly it shouldn’t be farmed out to someone reporting to them. What type of criteria should a CEO… let’s just say they want to hire somebody tomorrow… what should they be looking for?
PB: Well, if you’re hiring a CEO or CISO tomorrow, you’re already behind the eight ball. This is a significant decision, right? You want to spend some time and make sure you choose the right person. It’s not just a technology fit. It very much is a cultural fit. And it’s a cultural fit on both sides. It’s for the organization, but also for the CISO.
Most CISOs are only going to last 18 to 24 months. That’s just the reality of the matter, and you can’t afford to waste their time, and you can’t afford to waste the company’s time. So a couple of things you need to communicate are, “Why are you really hiring a CISO? What are you hoping to get out of it?”
The CISO is going to need to know that. They’re going to need to know what their level of influence is going to be, how often they have access to leadership. “Do I get to sit at the table with the other chief executives or not? How often do I get to talk to the board?” Also, you need to communicate what you think your current challenges are.
A couple of questions that I always like to ask candidates: The first one is very simple. I usually hand them some sort of vulnerability announcement, or some announcement from CISA, and go, “Why do I care about this? Can you convert this into language that I care about as a business person?” If they can’t do that, that’s a bit of a warning sign.
I also look at little things like how they communicate in email. Unfortunately technical people, one of the things we often ignore is how to write properly, and the reality of the matter is that’s how we mostly communicate is emails and documents. If you can’t communicate effectively, that’s going to be an issue.
The other thing I like to do is, I ask them, “What are you going to do in the first 90 days?” If the first thing that they tell me is how they’re going to go through and make changes, that’s a warning sign. You need to take a look at the current state of the organization. You need to talk to the customer, figure out what are their challenges, what are their goals, what don’t they know that they need to know, what do they want from their CISO, and really take a look at what it is that needs to be done before you start making changes willy-nilly.
Oftentimes if you do that, change is hard. Nobody likes change. It’s just a human nature thing. There’s going to be some cultural friction. So if you go in there and you start making changes, that’s going to cost you politically. That’s political capital. You want to make sure that you’re really getting the organization where they need to be by making those changes, as opposed to making changes that you think are needed without really looking around and then realizing, “Oh, I’ve made a mistake.” And now you’re having to burn twice as much capital to not only make the change that’s needed, but undo the damage you’ve done.
NG: Right. That’s where attending all those meetings and sitting at the back of the room and just listening and tallying up all the different challenges and requirements of the different business units comes into play.
PB: Yeah, absolutely. One of the funny things when I mentor young people and they ask me about interviews… you always get to the part of the interview where they go, “Well, what questions do you have for us?” And so I always recommend the same questions.
The first one is very telling. I say, “Listen, if you hired me today and I could wave a magic wand and solve a problem for you, what would that problem be?” I ask that in interviews. And that’s a question that I ask all of the business units when I first get in an organization, because that’s very telling. You can usually pick up themes there of, “What are the processes that are causing the most pain?”
Now, what you may get incorrect from the response is what the source of that pain is. Everybody has a different idea about what’s causing the pain, or what the root cause of the pain is, so you may have to do a little investigation there, but you’ll get a theme as to what processes and functions are causing pain.
The other one that I ask is, “Listen, if you were going to tell me that you were going to hire me in the next 45 to 60 days, what would you have me concentrate on learning and becoming an expert in so that I could come in and hit the ground running?” And that’s also very telling about what procedures and what technologies and really where the pain points are. And between those two, you can usually get a pretty good indication about what you’re going to be working on in your first nine months.
NG: And I’m guessing, I’m going to take a leap here, and say that when you talk to people about their pain points, it’s almost never technology. It’s processes; it’s organization; it’s communication.
PB: It is almost 100% communications and processes. The reality of the matter is that, again, unless you work for a technology firm or an infosec firm, you’re talking to non-technologists. They know about the technology that they know. And I always use the engineering requirements example of, somebody goes to a trade show and they come back and they go, “I really want a Ferrari.” And you go, “Okay, great. You want a Ferrari? What do you want to do with it?” “Well, you know, I want to take the kids to soccer, and I want to be able to pick up groceries, and I want to be able to go on road trips.” And you go, “Let me introduce you to a minivan.” It’s the right tool for the right job.
Non-technologists see tools, they see the slick brochures, and they work. But they don’t understand the underlying technology, so oftentimes they come to you with a desired solution as opposed to the problem they need solved, and letting the experts really pick the solution for them.
NG: I was taken by something you mentioned earlier– that CISOs only last 18 to 24 months. That’s somewhat different from other senior executive roles. Why is that?
PB: There’s a host of reasons for that. The first one is that a lot of organizations still really don’t know what they want or they need from a CISO, and so there’s a little bit of a disconnect there. The second reason is that a lot of people that are sitting in the CISO seats, that function really hasn’t been around very long, so they come from varied backgrounds.
Sometimes you get an engineer that they’ve just been there the longest, and so they’re the senior security person. They’ve become the CISO, but they haven’t had any leadership or management or writing training, and so they fall apart talking to non-engineers.
Sometimes you get business people that work in the business. So, maybe if you’re working in a financial institution they’re a banker, but they’re not a technologist. And so now they fail on the cultural side, talking to the engineers.
Most often what happens is one of two other things. Either after 18 to 24 months, they’ve really used up their political capital, so they find it hard to make additional change. They’re not effective, so one side or the other decides it’s time to move on.
Or the last one, and I’ll just be very honest, is there’s a lot of people searching for good talent. So if you’re a good CISO, you’re going to have almost never-ending opportunities to move up and move out. And so if you feel like there’s not the right kind of challenge, you’re not having the right kind of effect, you’re not being compensated fairly… there are going to be other people courting you.
NG: So another lesson for CEOs is that if you want to keep your CISO, make sure they have an ample supply of political capital at their disposal.
PB: 100%. Everybody wants to feel valued. Everybody wants to do their job. We spend a lot of time at our job. We’re passionate about our jobs. So when we no longer feel like we’re having a positive effect, it’s very easy to become disenfranchised.
Something else that happens, and this is sometimes the fault of the CISOs, is they get complacent and comfortable. One of the warning signs I always look out for is when I see something that isn’t working quite right, and I go, “Why are we doing it this way?” And they go, “We’ve always done it this way,” or “I’ve been at the firm for X amount of years. We’ve done it that way.” That’s usually a warning sign.
The people that are really best at pointing this out are the people that are least empowered at doing it. It’s usually the junior people. And they go, “Why are we doing it this way? This wasn’t what I learned at school. This doesn’t make sense.” And if you can’t explain it simply to your new employee, you probably need to go back and evaluate why you’re doing it. Right? Einstein said if you can’t explain it simply, you probably don’t understand it well enough yourself. That holds.
NG: Yes, that is very true. Thank you so much for taking the time to talk with us today.
PB: Thanks so much for having me, Nicko. This was fun.
NG: This is Velocity’s Edge podcast. I’m Nicko.