Episode Details:
Join host Nabil Hannan in conversation with Rick McElroy, Chief Executive Officer at NeXasure. The two discuss the evolution of the CISO role, career advice for those looking to remain successful in cybersecurity, and how AI is being utilized in the industry today.
Show Notes:
- 01:56: The Evolution of the CISO Role
- 03:13: Practices of a Successful CISO
- 05:39: Advice for New CISOs
- 07:35: How to Prepare for Technological Changes
- 12:00: Benefits of Leveraging AI
- 15:30: Issues With Utilizing AI
- 18:12: AI Recommendations as Solutions
- 21:41: Shifting From Reactive to Proactive
- 25:16: Rick’s Personal Life
Transcript between Nabil and Rick
Topics covered: CISO role, cybersecurity, threat hunting, endpoint detection, business leadership, soft skills, AI adoption, security advisory, proactive security, vendor collaboration, risk management, technology advancements, business enablement, security influence, career advice
This transcript has been edited for clarity and readability.
Nabil Hannan: Hi everyone. I’m Nabil Hannan, Field CISO at NetSPI, and this is Agent of Influence. Today we have with us Rick McElroy, CEO of NeXasure. Rick, welcome to the show. To get us started, Rick, why don’t you tell us a little bit more about yourself and where you are today in your professional career.
Rick: You know the long, strange journey of cybersecurity. I’ve been doing this 26 years. I really started my life over on the red team side of the house, did that against the U.S. government for a number of years, and then I decided that the offensive side was too easy, so I started building security programs out in San Diego, and did that for a number of companies, and then got really lucky and met the co-founders of Carbon Black. I went over as their principal strategist, got to fly all over the globe to work with customers of all sizes to really lead threat hunting and endpoint detection and response in the market. Subsequently, we were purchased by VMware that obviously gave me access to almost every company on the planet to talk about their security needs and what they’re doing. And then after Broadcom had the buyout, I was like, What are we going to do now? And so I decided to start a cyber advisory firm, and we’re out there with small and mediums really helping them plan the future of their businesses and keep them up and running so that they can achieve their business goals.
Nabil: So with having this plethora of experience and also being in the space you’re in, safe to assume you spend a lot of time with the CISO role at all these organizations in your advisory capacity.
Rick: Yeah, I fancy myself what I call a CISO in rehab. So I’m still tightly coupled with all of my CISO friends. We still do a lot of virtual CISO work and fractional CISO work and all of those things, but that’s what I kind of groomed myself in my career to do. And I still very much emotionally connect with the pain of CISOs and like to help them with their pain.
01:56: Being in the industry for now 27 years, are there any big shifts you’ve seen in how the CISO role itself has evolved to what it is today than what it was viewed as traditionally?
Nabil: So with being in the industry for now 27 years, are there any big shifts you’ve seen in how the CISO role itself has evolved to what it is today than what it was viewed as traditionally?
Rick: Absolutely. I mean, when I think back to my first CISO role, first off, it was undefined. There wasn’t a definition of what an actual CISO was. I think there was a handful on the planet at the time, and so you had to educate your company on what that actually meant to start. They had this idea of, like, security as like a Paul Blart: Mall Cop. You kind of observe, you know, you do those things. I would say the shift over the last 10 years has really been from being a business enabler to a business leader, right? And so that’s the big one. You heard this years ago at RSA, hey, CISOs really need to understand business enablement, but really we need to lead our businesses and participate in those conversations to, again, make sure we’re tracking risk over time, minimizing that risk, and keeping the company safe and healthy so that they can do all the things that they need to do to grow that business and continue to employ people. And ultimately, we work for them. They pay our paychecks. If they’re not healthy and growing, well, we’re gonna get laid off and their security program goes away anyway.
03:13: Is there a better way to describe what makes a CISO more successful today? How do you define or determine what is the right balance?
Nabil: Is there a better way to describe what makes a CISO more successful today? Because CISOs have to play both the technical advisor role to the business, to guide the business to make secure decisions, or decisions with security in mind, but also beyond the technical there’s the communication soft skills that are becoming more and more important, in some cases, maybe even more important than the security technical skill itself. I’m curious, what are you seeing in that space, and how do you define or how do you determine what is the right balance?
Rick: Yeah, in my career, I certainly felt that highly technical skills were valued when I started. Do you understand firewalls, intrusion detection systems, antivirus? Now: do I understand your business, and can I actually provide you the guidance and wisdom? And that’s okay, but that doesn’t get people to change their behavior, right? So, I think, for me, the way I’ve seen the role of Security Leadership shift is we have to be in the business of positively influencing behaviors. That’s not a tool, that’s not a technology. You really have to start to think about persuasion, who you are as a team, how you show up for your company. Are you in the room trying to help them solve problems, or are you telling them no all the time? So, I think for my mentors that are out there, for my peers, we’ve really had to work really, really hard on these soft skills, and so now we really want to educate all of the new CISOs that are coming in as security leaders. Because frankly speaking, in my humble opinion, I think if you stay technical, you aren’t going to be very successful as a CISO. I think you really have to understand business. I’m not saying everybody needs to go get an MBA as a CISO. It certainly helps, but I think thinking of yourself more as the chief persuasion officer than the chief information security officer will help you frame the human element of security in a way that does influence people to change their behavior, because we’re all humans. I don’t like changing my behavior. I certainly operate. We know the adversary certainly repeats their behaviors all of the time. But what are the ways in which you can help influence that organization and put programs in place to get people to, even if it’s one step better, not click? You know, if 10% of your people aren’t clicking, well, that’s better than yesterday. How are you going to enact that change? I think those are the things we have to think about.
05:39: Do you have any advice for someone who is venturing into the CISO or Security Leadership space for the first time? Where would you recommend they start if they get started on a new role?
Nabil: Do you have any advice for someone who is maybe venturing into the CISO or Security Leadership space for the first time? Where would you recommend they start if they get started on a new role?
Rick: Certainly get a lay of the land. A fundamental mistake I believe lots of CISOs and security people make is thinking, let me walk in and on day one tell you all your problems, but you’re ignoring a staff that has bled for projects, worked at 2am. Of course everything’s not configured correctly. That’s your job to help put it back on the rails. So I think your upfront approach, when you come in, should be: ask lots of questions, don’t say lots of things, simply get a lay of the land. Start to figure out who the influencers in your company are. They don’t all have leadership positions. You may have a system admin that influences the rest of your system admins’ behavior, and that’s important. That’s someone that you should keep close to you, because if ultimately you can convert that person, well, they’re going to convert lots of people on their team, and I’ve seen that as a successful model all over. So, I think coming in, obviously, you want to look at your threats, your volumes, all of that good stuff. But I think understanding the humans and who actually leads in the company, and then becoming very good friends with them as much as you can in a professional sense, and that might mean that you’re spending a whole lot of time with these humans. Because two years from now, if you take a senior developer that is anti-security, and you flip them to be a security champion, that pays off in spades for the rest of the program’s life. I’m a big believer in looking for those humans, obviously talking to the smart ones, asking them what they think the problems are. Starting to put together that picture, you start to develop your strategic plan and those things. But I think we miss the influencers inside of a company that aren’t in a named position in an office somewhere.
07:35: If we look forward to what things might look like even one or two years from now, what advice would you have for security leaders and practitioners on how to prepare for changes that are coming down the line that may heavily be impacted by some of the technological changes?
Nabil: One thing that I really like is that change is the only thing that’s constant. So with that being said, with advances in technology, and you know, we’re at RSA, and you can’t walk more than two steps without hearing about another AI thing that’s out there, I feel like technology around AI and capabilities leveraging AI are rapidly changing faster than things ever changed in the past, and we’re going to probably see an acceleration, or continued acceleration of that rate of change. So, if we look forward to what things might look like even one or two years from now, what advice would you have for security leaders and practitioners on how to prepare for changes that are coming down the line that may heavily be impacted by some of the technological changes?
Rick: I’ll start with the practitioners. You can look at the latest job numbers to see this: 23 percent reduction in job listings for analyst two, 26 percent for analyst one. If you start to couple that with the strategic roadmaps that CISOs are producing, you can see, if you’re an analyst one, you may want to start to pivot some of these skills towards actually understanding how to bring AIs together, and the impact of that on the overall security program, because, frankly speaking, everybody’s coming after thick piles of data that provide false positives. I mean, I’ve talked to 60 or 70 vendors that are really focused on just reducing the noise in the SOC. Well, that’s going to have an impact on the humans. So, I think for the leaders, what they’re really looking at is the pressure from the boards, right? So, I want to talk about this for a second, because I’ve heard this from several people this week. What was your last board meeting like? The board comes in and says, this is awesome. How are you going to do it with 30 percent fewer people? Because our plan over the next three years is not to hire people back into the organization. So they’re not planning on massive layoffs, but as a job role leaves the organization, they want to know if that can be replaced with AI, certainly in the case of certain security roles. I just mentioned analyst one and two. I think that’s achievable in a near term timeline, longer term timeline. I really think if you want to be in the room as your business is deciding to redo their entire business, this is what we see from our clients all the time, a complete flip of how they’re doing business, how they’re planning the future of their business, and their absolute embrace of AI to do that.
If we don’t understand how to guide them on that journey safely, we’re going to be out of the room, out of the deal, and frankly speaking, you’re probably not going to have a job very long if you stand in the way of that bus because the profit margins and bottom lines dictate that this is what the organizations are going to do. And I don’t say any of that stuff out of doom and gloom. I say it all out of like a near term horizon of hey, as leaders, this is the reality of what’s happening right now for businesses. We need to make sure that we can guide them through this journey, and that journey will include that eventually you will have a smaller team, you will be more laser focused on risk management than you are on actual tactical security today. Because where is that going? Well, that’s going towards very smart AI plans that then send agent swarms out to do all kinds of stuff. Endpoint vendors are working on this for remediation. You’ve got the network side doing it. And so, as you can imagine, well, do I actually need responders in the future? This is a consideration that lots of people are starting to plan for today. So, I would say, I think there’s certain skill sets that need to pivot immediately. My historical example of this is when we went to the cloud, I had lots of friends who did data center management and on-prem Windows management. Some of my friends aren’t around in the industry anymore because they didn’t take the cloud seriously. If you’re not taking agentic AI seriously in security, I just think two years from now, you’re not going to have a place, and maybe I’m overestimating the speed at which we’ll get there, but we’re talking the next five to 10 years, and if you’re planning a career to stay around for 20 to 30 years, these are the challenges that are going to help you kind of map your own reverse engineering into what your future role is.
12:00: Given your exposure to different systems and solutions, are there certain technologies or certain systems you’ve seen that are leveraging AI that are really providing immediate return on investment and value to a business? What are you seeing out there, and are there any specific examples that you’ve really been impressed by?
Nabil: So, it’s obviously not a question anymore on if businesses will adopt AI. It’s happening faster than ever. I feel like a lot of people have compared AI to when cloud first came out as being similar from an impact perspective, or the internet in terms of like the overall, broad, overarching impact it has on human life as a whole. But I feel like the unfair component of that is for cloud adoption, there was a lot of resistance upfront adopting cloud technologies. I think we didn’t see that sort of resistance when it came to adopting AI. It was obviously a big focus for many people to try and enable the business and I personally feel many businesses are probably adopting AI for the sake of adopting AI when they can maybe solve it with non-AI based solutions even better. So the question I would love to understand better from you is given your exposure to different systems and solutions, and I know it’s unfair to ask this question to you, there’s too many out there, but are there certain technologies or certain systems you’ve seen that are leveraging AI that are really providing immediate return on investment and value to a business? What are you seeing out there, and are there any specific examples that you’ve really been impressed by?
Rick: Yeah, I won’t call anybody out, but you can probably infer who I’m talking about. I think instant impacts, we talked about, like immediate reduction in false positives. I can think of five companies off the top of my head that you should probably talk to if your SOC team cannot get through their alerts or triage alerts. I think that’s where we see ML and language models, especially from a contextual perspective—the security copilots of the world, we’ve seen what Microsoft’s up to, all of those good things. But what I would say is, here’s the fundamental problem with technology and security: we have what I refer to as legacy security solutions, and everything built in the last two years seems like legacy. We’re bolting on a layer of language models and AI to make a product that had some holes a little bit better. I don’t know that it makes it a rapid leap better. I’m not really hearing that. We’re closing that to an effective degree. So I am encouraged by what I see from a lot of the new startups, and a lot of them built in the last two to three years, because they’re really embracing agentic, and they don’t have these legacy stacks that they then have to go do that with, right? So, what I am encouraged by now is the interesting things I hear out of the big vendors, these projects that are going on over here that are eventually going to make their way in and are custom built over the last few years. There’s been a fair amount of, like, language models make our stuff better, sure, but you could have done that before language models came out, right? And so I do think it’s a little bit of pixie dust on some fundamental problems, but we’ll get there, yeah. We’ll see some vendors wash out and not make it. That’ll probably happen. A lot of consolidation is going to happen over the next five years, and then a whole lot of new, cool solutions, too.
15:30: Are there problems you’re seeing people trying to solve with AI that’s maybe overhyped or maybe just plain unnecessary, because there are just non-LLM based solutions out there that are just equally effective, not better?
Nabil: If I can ask the question in the opposite direction, which is, are there any AI based solutions, and you don’t have to name names, but are there problems we’re seeing people trying to solve with AI that’s maybe overhyped or maybe just plain unnecessary, because there are just non LLM based solutions out there that are just equally effective, not better?
Rick: Well, I’ll give you one that’s killing me right now. So you talk to a lot of the agentic kind of SOC/SOAR space—we’re able to ingest all of these different data sources and contextualize it faster, and we have a loop for optimization. But I’m like, cool, that’s not what people are asking for. I would like it to start taking action in my environment. I have plenty of mature playbooks. They just run through humans. When can we get to the point that vendors decide, hey, it’s not going to be our agentic AI. We need something over here to control them, all right? Here’s an example. We work in shops that have multiple versions of endpoint, multiple versions of firewalls and routers. And it’s like, cool, I can go rewrite a firewall rule or perhaps isolate a host. That’s how far we’ve gone in AI in the last three years. That’s not good. I want endpoints that attack themselves and then heal themselves based on the MITRE ATT&CK framework that got through before the customer knows. Our customers don’t want us. They don’t want to remediate. They’re like, I’m paying you to handle all of this. 24/7, we’re giving you permission, right? And these aren’t, you know, our customers. It’s not NASA, right? We’re not doing rocket science out there. And so, it’s like, well, this is great. We’ve got a whole bunch of new, kind of younger CEOs that are willing to embrace this model of things that just happen in the background, and they just work, and that’s what they really want. I don’t care about the mess that occurs on the way to make it work. They just want to make it work and grow their business, right? And so, I think, you know, again, this is where we are. Every board is pushing every vendor to say they’re doing something about AI; the market is pushing that as well.
And so I think for the marketing teams, the challenge right now is, how do you be laser clear about that, not only laser clear in the broad messaging, but how are you enabling the rest of the people in that company to tell the same story and that across the board, because it’s various sales teams, customer support teams. The message gets lost. And then people start to say, we solve everything with AI. And then other people go, I don’t believe you, and I’d rather have someone believe me from the start. I’d be very honest about what it does, rather than having to unwind their belief that I’m just lying to them about the capabilities of AI, right?
18:12: Do you have any heuristics or sniff tests that you recommend people do that help them understand if an AI solution is just overhyped and it’s more messaging than actually the solution to a problem?
Nabil: So in that case, do you have any heuristics or sniff tests that you recommend people do that help them understand if an AI solution is just overhyped and it’s more messaging than actually the solution to a problem?
Rick: Yeah, I would say I’m lucky. I know lots of people, so I ask the very smart people that actually put hands on it and test it. We do this a lot for startups, right? So, we’ll see a lot of things. We run them through their paces, make lots of recommendations and changes in the product, but no, I have to see it work. And I think that’s one of the other issues right now is lots of teams don’t understand how their thing is working. And so, their showcases of that are tough to ingest on the buyer side and on the CISO side. You’ve got to show proof of that work. You can’t just tell me you’re doing that, like we’re not the industry for that. Maybe we get there one day. So I think again, being laser clear about that broad messaging, and then how are people interacting with customers and bringing that message out to market? It’s going to get a little wonky during these times, but I think good enablement programs are helpful, making sure your channel is enabled is also helpful, and telling the same story, because you want your customers to believe you when you want them, right? Like, let’s end kind of this animosity between CISOs and vendors. This is another weird thing that exists. It’s like, I don’t hear carpenters yell at their hammer makers as often as we yell at vendors. And it is complex. I used to do this before I went over to a vendor, right? So, to be fair, I was one of those people. And then when you kind of move over to the vendor side and see all the hard work and everything that’s going on, you just get a better appreciation of the tooling and the people behind the tooling. I don’t think it should be adversarial. I think we should be deeply engaged and helping them, whoever it is, make that product better. Part of what we try to do is like, let’s not be adversarial. Wealth is relationships.
Nabil: I feel like the only way we improve as an industry is to collaborate—whether it is a practitioner and a vendor.
Rick: For me and my successful CISO friends, that’s one of the things—they proactively bring vendors in. They want relationships with their vendors. They consider their vendors part of their security. I think that’s another thing that security leaders miss is, they’re not on my team, I just buy things from them. Wrong, like it’s a true partnership.
Nabil: I have the opportunity of working with various companies as well as being on the vendor side, and to be honest with you, the ones I enjoy working with the most, they treat us as a partner. They envision us as a partner. That’s enabling them to be successful, and in turn, it allows us to do better things and improve going forward, to help them be even more successful. I love that actually, about the industry I’m in, and the opportunities I get to work with people on a daily basis.
Rick: That’s just better. It’s just better, right? Yeah. So, let’s, as an industry, we can do this as a community. We don’t need someone else telling us; we should just work this out amongst ourselves.
21:41: What are things you advise people to do that make that shift from reactive?
Nabil: Let’s talk a little bit about the need for proactive security. It’s understandable that there are maybe smaller companies or newer businesses that are still reactive, but what are things you advise people to do that make that shift from reactive?
Rick: A lot of our clients have zero starting point for security, so a big part of this is like, let’s up level them to a point where their prevention actually works. This is another thing that’s killing me in our industry. We’ve spent billions of dollars on detection and response, basically finding the things that the prevention doesn’t do. There are rock solid prevention tools out there. They’re a little bit harder to get in up front. It takes a little bit more political capital to get there, but the benefit over time is great. So, what we hear from a lot of people is, do you see what my budget is for all of these logs that just sit around? This is getting pricey, and I can’t go to my chief financial officer and defend this anymore. And everyone’s looking at us like, well, wait a second, if a car comes from the factory with airbags, turn signals, rear view mirrors, seat belts, and brakes, why does my infrastructure not come with that? I think the CEO’s perspective is, we’ve given you enough time to figure this out. I should just have a thing that works out of the box at this point, and we’re all trying to get there, right? And again, this is very complex. I don’t want to oversimplify the problem, but I think this is the way we need to start thinking about designing our tools, designing our programs. It’s got to get in. It’s got to get past and it can’t require 50 meetings out of an executive team. They’re over it.
Nabil: There’s a big gap in education, I think too, that’s part of the problem. If you think of any field of engineering or architecture, other than software engineering or computer engineering, all those fields, they have dedicated courses as part of the curriculum that focus on failures that have happened and how to never have that failure happen ever again. We don’t have that in computer science and software engineering courses. In fact, there are still examples in old textbooks where there are code examples and design examples that actually have flaws and bugs. So that’s how we are teaching the actual discipline of software engineering. I feel like there’s still a big gap in the software space.
Rick: And just to put an addition on that, lots of young people graduate, and they weren’t around 25 years ago when we made those mistakes, and don’t have the historical context. So, what we see from a lot of the startups is they’re doing things that we used to do that didn’t work, that were ultimately, at scale, proven not to. And so it’s like, you do have to understand a bit of that history, and you do have to understand where we failed, and that, I think, if you’re designing anything on the defensive side of the house, is good to know to help you frame what you’re actually trying to build.
Nabil: I feel like we need to have you back and we can do a whole episode on maybe funny interactions we’ve had with the newer generation about the Y2K bug. I’ve had some amazing conversations with some people who were not around during the Y2K bug.
Rick: Every five years, someone goes, is the only thing you’re going to die? And I go, no, I was just very busy coding. This entire industry was ripping things out as fast as possible.
25:16: So what are some things you like to do when you’re not working on security?
Nabil: I keep telling people to go watch the movie Office Space, because that was the epitome of what happened and they were hiring developers to just go fix date fields across the whole software everywhere. Well, one thing we always like to talk about before we let any of our guests go is non-security related things that they like to do for fun when they’re not working in the security space. So what are some things you like to do when you’re not working on security?
Rick: I have two amazing rescue dogs. I hang out with them. I’ve got a wonderful home life. I’ve been married 25 years, just amazing. But for my hobby, I play a lot of big tournament poker. So, if you’re into big data analytics and probabilities and risk, there are a lot of parallels that you can draw to security programs. There’s telemetry you’ve got to gather. When do you actually make the risk and take a chance on that risk? Because it’s your money. So I spend a lot of time on the weekends unplugging from cyber and strictly focused on probabilities and numbers at the table.
Nabil: Are you a poker player online or a poker player in person?
Rick: Both. Permutations of hands is really what it comes down to. So, everybody has the 10,000 hands. It’s more than that in poker, but you really can’t get there playing in person. You have to do it online and just know you’re gonna lose a lot before you get through all of the hands that you need to see to start making some better decisions, much like in security and the mistakes that you make early in your career.
26:50: If I classify poker as a game of skill versus a game of chance, what is the ratio of skill to chance to be successful?
Nabil: So, here’s a question for you, and this is controversial to many people, but if I classify poker as a game of skill versus a game of chance, what is the ratio of skill to chance to be successful?
Rick: Much higher on the skill side. Do people get lucky? Yeah, I lost a hand the other day to someone with a .01 chance of winning by the river. I asked ChatGPT to give me an analogy for that, and it said that other player flipped the coin 10 times and it always landed on heads. So yes, you still lose to people who get lucky. But if you look at it again, if you’re gathering the right telemetry and looking over the lifetime of your play, you really have to understand that the probability puts itself on the side of making a good play, and sometimes that good play is not going to work out. The adversaries still get us, even with the best tech and the best teams. Sometimes it’s not going to work out, but over the long haul, it will. And so, as a big data poker player, that’s what you work out.
Nabil: Love that. Rick, thank you so much for being here.
Rick: Thanks for having me. This is great. It was a lot of fun. We’ll have to do this again.
Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.