You're leaving Providence Health and Services after 7 years as CISO to take on a new challenge at Core Security. Tell us about it!
It’s a big change in my life. I’m going to work for a high tech start-up, which is a very different environment from this very large Catholic healthcare organization where I currently am. Core Security is essentially a startup in many ways. Although they have been around a long time, they are still fairly small, are focused on their core products and building customers and market share. A high tech startup is going to be a great adventure in terms of agility, market focus and just rolling up my sleeves and pitching in for success.
I’m going there as the VP, Advanced Security & Strategy. What that really boils down to is that I’m going to be responsible for security, but even more importantly, I think, I will be responsible for leading Core’s product capabilities, market direction and strategy. Along with that I will be a “voice of the customer”, working closely with customers and Advisory Boards to bring the perspective of the customer to the table. So far the company has done a great job with product capabilities, but I think we can really move forward with a strategy that focuses on how to fulfill the needs of CISOs.
What was behind your decision to make this change?
I was a very early adopter of Core Insight, and I’ve pushed the product hard to do the things I need done. That led to me getting to know Mark Hatton (Core’s CEO), Milan Shah, Terry Holberton and the rest of the management team at Core. This is a really great group of people who are working hard to solve some very challenging problems in the Information Security space. When Mark and I started talking about those challenges and how Core was working on solving them, we almost naturally migrated to a conversation about how I could help with the work.
When it became apparent that both Mark and I were interested in that possibility, we talked very seriously about me joining their team. I got a chance to meet a couple of the Board members, have some in-depth conversations about how this would work and what value we could create. I got really excited about the chance to have a deep impact on a security platform that has genuine capability to make a difference in the Information Security space. I also saw the opportunity to contribute to a team that wants to meet the needs of the security practitioners, that wants to go far beyond selling yet another shiny security product.
This is something I have said a lot about over the years, mostly in fairly negative fashion towards product vendors and what I commonly refer to as “blinky light boxes” that they sell security teams. Well, Mark basically put me on the spot and challenged me to help Core meet the real needs of CISOs and their teams. I couldn’t refuse that offer, and here I am.
What have you learned as CISO at Providence over the last several years that you hope to take with you to your new engagement?
I have learned so much in the last 7 or so years that I am not sure I could share it all even if we had the time and space for it. I have grown as a security leader, a business leader, and a person. I do think that I have a few really key takeaways that will stick with me. And they might help somebody else, too.
Providence taught me to be relevant as a security leader. I mean that I needed to stop pushing what I thought was important and start finding out what actually was important for Providence. I needed to make sure that what I was doing as a security leader was relevant to Providence, made sense to the other leaders of Providence and was in line with where the company was headed operationally and strategically. This is completely the opposite of what most security leaders are telling each other; things like “we’ve got to get them to understand” and so forth. I became a really good CISO once I had myself pointed the same direction as the rest of the Providence executive team.
I really learned what it meant to be a leader of a business at Providence. I believe this is one of the hardest things for security people to learn. As a CISO, I was an executive of the company and had to “join the team”. My team was no longer the security department, or even IT, Compliance or whatever other group you might have an affinity for. Instead, my team was the executive leadership team of Providence. I had to become part of that team, live their life, understand their world, and help them to understand mine. I had to be part of a group of people who all had one thing in common, the success of our organization.
The last really important thing is how much I grew as a person. Providence taught me about calling, and about what it really means to be committed to your community. I went through Providence Leadership Formation, a 2-year process that prepared me to be one of the leaders of Providence. But, more than that, I learned much more about who I am as a person, learned to reflect upon myself and learned to be in the place that I was called to be.
This has been a truly great 7 years that has helped me to be who I am now.
Oh yeah, and I met my fantastic wife because of Providence, too. What could be better?
Additional thoughts or advice for others?
When opportunity knocks, you need to listen. When I went to work for EDS, for Providence and now for Core Security, I had an opportunity in front of me that I could have easily overlooked. I was fortunate enough to pay attention, because in none of these cases was I following a traditional job application process. Instead, each time, the opportunity came as a conversation, a relationship, an idea … and following that path ultimately led to a fantastic opportunity.
I think that to be a good executive, you have to fail sometimes. You have to experience some hard knocks, look your boss, your team, your wife or husband, in the eyes and say I made a mistake and now I’m going to fix it. You will learn a lot about yourself from this. And people around you will respect your honesty and determination to make it right. You have to own up to it and learn from it and move forward. I made plenty of mistakes over the years. The key was to pick up from there and move forward.
Do something every day that makes you a better person, spouse, parent, sibling, child, employee, boss, citizen. Somehow contribute to the world around you and to yourself. Do that every day. I have always regretted the days where I didn’t do something to be better, to improve, to contribute.