Ashish Rajan: Hey, Jeff, welcome to the show.

Geoff Belknap: Thanks for having me.

Ashish Rajan: No problem. I must say people are excited about the trick that you to showed everyone. So I’m curious over the valve, so it can happen at any moment

Geoff Belknap: is what I understand. Yeah. But anyway, you have to pay attention to the whole podcast.

The one strange trick to be a successful CISO. It will be hidden somewhere in the

Ashish Rajan: podcast. Maybe even right in the end,

Geoff Belknap: maybe you already did it. You don’t know

Ashish Rajan: I wanted to start off by where did you start and how could you come to the CISO LinkedIn position? Like, what was your journey like for some of the audience members who probably are looking at becoming a CISO soon? Yeah, I

Geoff Belknap: think well, the, the journey began way, way long ago in the mid nineties where I started sort of doing network engineering and telecommunications was lucky enough to be doing that in the mid nineties, in the U S where.

Deregulation sort of started the rocket ship of innovation and growth for the internet industry. And I did that for you know, 10 to 15 [00:01:00] years and as most, you know, sort of visceral boys do when I was a kid, I wanted to be a cop or a firefighter, or I think a pilot. And I think those things never kind of leave you to some extent.

And I found myself going like, boy, I really wish I could be involved in something more sort of justice related and sort of scratch that itch that I always wanted to scratch. And I had an opportunity to join a startup in I want to say. 2005, 2010 timeline. And I joined a network security startup called Solera networks where they did a network packet capture and sort of reassembly of streams on the wire.

And I really got to learn I got to use my networking skills and learn security from that job. And it was fascinating. I got to get connected to the security community. You get to learn learn what it was all about or meet a bunch of great people. And from there I moved on to another job and I moved to California and joined a company called Palentier and ended up becoming the CSO there.

When I went from Palentier to another company called [00:02:00] Slack which some of you may have heard of was the CISO there for four years, took it public. And then after that, I was like, boy, I really would like to take a break. I’ll do something easy, like semi retirement and take the CISO job at LinkedIn.

And that is not at all. What the role at LinkedIn is like certainly I was mistakenly sort of, I was like, Oh, this is a big mature company. This’ll be a piece of cake. And really what I found was you know, high growth companies, don’t stop growing. They just get older. And LinkedIn has certainly been around for almost 18 years now, but the rocket ship has not stopped and where I’ve been used to being the CISO at a company that is early stage, but rocket ship a hundred percent year over year growth.

LinkedIn feels like that, but as a, an established mature company, and it’s been a really exciting challenge. That’s pretty

Ashish Rajan: awesome. I did not realize LinkedIn was 18 years

Geoff Belknap: old. It’s it is getting to the point where it can drink in certain situations. It can drive the car without permission. It’s going to move out and get its own apartment at some point, if Microsoft says that’s okay.

Ashish Rajan: One of the questions that I ask my guests who [00:03:00] come in is what does cloud security mean for you? And I get different definitions each time, but it’s always. Interesting to hear different people’s perspective. Like what does it mean for you per se Cloud security?

Geoff Belknap: I don’t think it means anything special to me. I think cloud security is just good data protection and data security extended into , a not on-prem environment. I think, you know, the connotation there is that it’s special. And the reality is, you know, there are some parts of it that are unique and are special in the sense that you can’t use the same tools and the same controls, the exact same way as you do in an on-prem or a data center centric environment, but all the modalities and sort of philosophy around how you’re going to do detection and response and prevention, they’re all the same.

It’s just a matter of you’re picking up one set of tools and replacing parts of them with another, because. In the cloud environment, for example you know, having done network capture a start up before network capture is less effective or used in a different way, the way you would use it in a on-prem environment and in an onprem environment where, you know, [00:04:00] where the four walls of the network cease to exist.

And you know, where traffic should go East, West or North, South in a cloud environment is a little bit different, right? You can’t capture everything that’s going through, going out the cloud environment. You have to sort of rely on networking techniques that help you get a sense of the visibility observability what’s going on in the network.

But a lot of what you’re going to rely on yeah. Are good controls, boundaries, trust boundaries. And they’re going to rely on detection on the host or on the end on the edge as much as possible. So while it’s different, I think from my perspective with my job and where I said, I don’t think about it any differently.

I just think about the philosophy of what we’re doing is the same. It’s just, you’re using slightly different techniques.

Ashish Rajan: That’s pretty awesome. And I’m glad you mentioned it as well, that a lot of people kind of forget the fact that fundamentals still remain the same irrespective of whether we move from a laptop to a virtual server from a virtual server to a data center and then from our data center to another data center, we just call it cloud, I guess.

Geoff Belknap: Yeah, exactly. It’s just somebody else’s computer.

Ashish Rajan: That’s pretty much it. As you were telling me your history in the [00:05:00] beginning about you kind of move from startup, then a few other companies, Slack, and then LinkedIn, which is still like a rocket ship.

As you mentioned, I’m curious to know from, I guess, for other CISOs who may be listening and what are some of the challenges that come with this kind of a role that some people may not be prepared for? Like a lot of people look at this go, Oh my God, CISO is the ultimate. I want to be there. And I was gonna, I was hoping you would break down the reality of , what it’s like to be a CISO.

What kind of challenges are kind of part of your usual life these days or were used to be part of it?

Geoff Belknap: Yeah, I think the best way to imagine it is if you work in security now, or even if you don’t, if you just work in tech, it’s little like what do you think being CEO is like? And I think you you’d recognize if you could imagine being, you know, the CEO or the CFO of a, of a large organization.

You probably sit there and go, I probably don’t have any idea what that really is like. And I think the CISO in, in many ways is the same and that it’s relatively [00:06:00] easy to be part of sales and go. I think I could be CEO. It’s relatively easy to be part of finance and, and look at CFL and go, I’d love to have that job.

But if you’re part of IT or technology role in general, or we’re part of information security, it’s, you know, the chances are, you’re not really sure what the CISO does all day. And what I can tell you is a lot of what we do is worry all day, and all night sometimes, but the thing we really spend most of our time on is, the sort of administrivia of being an executive or a senior leader for part of the business.

It’s not, absolutely not, you know, the smartest security person in the whole organization. As I have to remind to people who are like, Oh, you’re kind of dumb. Sometimes it was like, yeah, I’m not the smartest person. That is part of our security organization. My responsibility is really to, to first and foremost, be accountable and be responsible for the execution of the security program for for LinkedIn in this case or whatever organization I’m representing.

And really what that means is I have to, take responsibility and accountability for identifying, [00:07:00] communicating and managing a security risk in the organization. I have to ensure that, as the executive accountable for security and the organization that we are. Operating a security program that’s sufficient to meet the needs and the business needs and the objectives of the organization and and sort of make sure at the same time that we’re accountable for all these things that are sort of intangible that we’re operating and making good technical choices and good investments in what we do and bringing good people into the organization to help make those choices for us and help execute, you know, whatever technical whatever strategy we come up with executed technically and executed well with our cross-functional partners.

And I’ll say that’s probably the other thing I spend a significant amount of my time doing as CSO is just working with my cross-functional partners. Security is inherently a multidisciplinary practice, but also just a cross-functional or a horizontal function across the organization. There’s very little, a security team can do all by itself.

And I think certainly we’re security teams fail and where security leaders fail is where they try to go do everything by [00:08:00] themselves, where they try to be the only person that drives a security thing forward. And what I’ve learned is you, you have to go build relationships with all the other people in engineering and all the other people in finance and legal and privacy and and sales because you have to treat all those people like your stakeholders, you’re doing security for them.

And they’re depending on you to deliver some functional component of what they do all day. So it’s not all just, writing Python and fighting bad guys. It’s a significant amount of people like me sitting in a meeting trying to figure out how do we get head count budget. And then where do we find great new people to bring to the organization?

Ashish Rajan: Wait. So you’re saying it’s more fun at all. It’s like outside, not CIA.

Geoff Belknap: I think certainly it’s great that people think you’re this super spy Ninja person. And sometimes you get to do things that are really fun and feel like, you’re in a movie. But I think the reality is my job is mostly sitting in meetings and I can assure you that having brought my daughter my oldest daughter to bring your child to work day several times, she just like, this [00:09:00] is your job.

Like,

Ashish Rajan: wait, I thought you were in CIA. Like you were doing all this, like go hoodie when you go into the office and just go to this basement on the office. None of that.

Geoff Belknap: None of them. I mean, look, I work in Silicon Valley, so there’s a lot of hoodies where at least there pandemic, but yeah, no, it’s mostly a boring day job in the same, in the sense where if boring is the, you know, if boring is at any moment, if I make a mistake or make a poor choice, I could be putting at risk, the data of, several hundred million of our members and customers.

So with boring is the fact that you make a wrong decision and everything is on your shoulders then. Yeah. It’s boring. But the reality is a lot of that just happens in the same, making slides and meeting with people and try to adjust budgets and advocating for what we’re trying to do and trying to either talk somebody out of something silly or talk them in to something that would be a good idea.

And it’s just, what I find is it’s a lot of relationship building and dealing with people and helping them manage risk in ways that, they just [00:10:00] hadn’t spent much time.

Ashish Rajan: It’s pretty awesome to have you mentioned the relationship management part as well, because I think it’s definitely not spoken enough about, and I’m glad you mentioned that, but curious, you mentioned COVID as well, has COVID kind of changed anything about security or becoming a CISO for you or that you see around in your circle, I guess.

Geoff Belknap: First and foremost, the other question I get the most is as it changed anything about how you do your job and the reality is not really I think. You know, there was certainly a lot of fear about that and I would be lying if I didn’t say we changed a few things, you know, you make changes to your VPN set up, you make changes to, you know, sort of assumptions that you’ve made a threat model based on the fact that now, instead of just a couple of people being traveling, you know, maybe they’re coming from, you know, maybe you’ve got a a hundred people at any given moment coming onto the VPN from a hotel or some other untrusted place.

Well, now everyone’s coming from that untrusted place. And I think what I’ve said before in other public places is like, whatever your roadmap was for the next five years, probably some part of it was the concept of zero trust. We’re having people. [00:11:00] Come in via the internet and access a lot of their web apps and other things than they might be using in your organization without being on VPN.

Well, that is now like that, you moved that forward to now, and even if you were using VPN before now, you’ve accelerated, you know, all the things you needed to do to build capacity or move people off it, if that was appropriate. So I think there’ve been tactical things like that, but I think the other side of that is, we’ve all had to adjust.

We have hired a number of people that I’ve never met before. Right. I brought on a new senior leader that joined my staff. Who’s responsible for, maybe a good third of my organization. I have never met him in person. We, it was like, this is this funny thing of I was talking to this guy, this guy, his name’s lodge.

We were talking before the pandemic and then the pandemic hit and we sort of paused all the hiring because we had just done like a video call, get to know you for, for whatever reason we didn’t have a coffee meeting, then we’re gonna bring them on board. We had to pause hiring. And then when we, and hiring back up with that was it, we weren’t meeting people in person.

So I have not only senior leaders, but I have a [00:12:00] number of individual contributors on the team that I’d liked very much. And I’ve like have never met them in person. And the flip side is true. Like those people have never met their peers in person. They’ve never had the benefit of like LinkedIn has an amazing, beautiful campus and lots of amenities.

Like there are gyms and basketball courts and all these things that you, you know, there’s sort of like parents these of themselves, but it’s one of those sort of traditional. You know, sort of like Silicon Valley things you might think of on TV and it’s great, but there are people that have never experienced that.

And there are people telling jokes about, Oh my God, butter chicken day was the best day in the cafeteria. And they’re like, yes, I’ve heard about that. I have never experienced it. Could we, could we please stop talking about it? But they’ve missed out on this camaraderie and the relationship building.

So everybody has had to move from like, you build relationships by going to grab a coffee with somebody or meeting them on the way to lunch or in a hallway to having to be intentional about how you how you make time for that stuff.

Ashish Rajan: It’s pretty awesome. And it good to know there’s butter chicken day as well.

That definitely got me curious, like [00:13:00] the Indian in me, like I wonder what that’s about.

Geoff Belknap: Yeah, they finally actually published the butter chicken recipe because it was so sought after. And then when the kitchen closed, people were like, Hey, you know, there were all these people sort of work in the back channels of like, can I get the recipe for that?

And so it’s actually online. Now, if you can look for the LinkedIn butter chicken recipe, it’s amazing.

Ashish Rajan: All right. I’m going to add that in the show notes, because clearly I imagine there will be a lot of people interested with stuck at home, Bob, possibly like some of us. So I’m pretty sure they can make something interesting at their home to make their lockdown

interesting.

Geoff Belknap: I’ll warn you. It is not for beginners. Because I took a look at it. I was like, I’m pretty good at cooking. I can make this. And I was like, no, I can’t. I don’t. Oh,

Ashish Rajan: okay. Okay. I I’ll, I’ll take that. I’ll probably be a challenge accepting. A challenge accepted, but I’m going to include my wife in there.

Cause she’s, she’s the one with the smell and everything she’s going to, I think she, she definitely has the art focusing much more than I do. I’m just usually chopping vegetables, I guess.

Geoff Belknap: Yeah. Well you’re good. I mean, Hey, the world needs ditch diggers too. If you can shop that you’re using when you’re kitchen, just

Ashish Rajan: as much.

That’s right. Say I’ve got a [00:14:00] question here from Vineet . How do you find managing people in security teams?

Geoff Belknap: How do I find it? I mean, look, I really enjoy people and managing people, which is funny because I find myself to be a very stereotypical introvert. But

I sort of ironically really like talking to people and getting to know them and which is why I started my career as an engineer you know, working literally in the field. I was working at a cable company for a great while towards the beginning of my career, digging in the dirt and helping you know connect the first sort of pre DOCSIS cable modem infrastructure in the U S but I pivoted to management because what I really liked doing was sort of working with people and helping them find what they needed to focus on and developing them and having them move through their career.

And I have found it one of the things that I thought magical about working in networking was like, you connect a piece of fiber optic on one end piece of fiber optic on the other end, Like literally light just flows between them and it converts it to bits. And you’re communicating across these great distances.

Like there’s something magical in there. Even if you understand how it [00:15:00] all works. On the other side on management, I’ve really found it magical that you can invest in people and help them work through their problems and see them grow in their career. And I’ve been very fortunate to see people that I’ve worked with, take on other CISO roles.

They kind of other senior leadership sort of engineer roles. So I really liked doing that. So for me, managing people yeah, is both the single hardest thing that I do all day in that you. You can definitely let people down and you can definitely under prepare to, to help people and you can phone it in, and that impacts what people do.

But at the same time, if you invest and you pay attention and you listen and you follow up and follow through, you can watch people just flourish and grow just take things off, whether it be a project or their career. It’s super rewarding. I think what I have found no specific to security is it attracts a lot of unique personalities.

And it attracts a lot of people that might be thought of differently where it might [00:16:00] be, you know, might not be ideal candidates for other roles, but insecurity, I think where you, you know, where you’re sort of neuro-diverse or you have a different perspective, and maybe you, maybe you come from a different country or maybe you come from a different background or maybe you were in physics or medicine.

Like all those things are amazing and security. It’s a melting pot of different perspectives. Like if you grew up somewhere differently than the rest of my team did, that brings an amazing new, fresh perspective to whatever we’re working on and the bad guys also have different perspectives than what we’re working on.

So I think it’s amazing. So I think there are there are a lot of rewarding opportunities there and there are a lot of unique individuals insecurity, but I have found it to be something that I really enjoy doing.

Ashish Rajan: To your point about helping other people achieve greater things, I think the whole analogy of teaching someone fishing versus fishing for them, I guess kind of goes fairly well in there as well.

It I hope that answered your question Vineet so thanks for that question, man. I was going to ask in terms of other aspects of becoming a CISO, some of the conversations, and I think you wrote an article about this ages ago as [00:17:00] well, was having conversations with board members. And over the past few years, CSOs have kind of almost gone to that point where.

In a lot of organizations, it’s not just reporting to a CTO or a CIO, they’re actually at the same level as the CTO or CIO. I guess people who are looking at that and going or hard to communicate information to board, they don’t care about security.

There’s a lot of, kind of like, I guess, misnomer around the, sometimes I feel like at least I’ve been fortunate, the board members that I’ve spoken to, they’re quite aware of security. So keebn to know from your experience as well. What’s like without ditching any of your board members, what’s your experience been like and what is something that has helped you in situations where you might feel it’s been difficult?

I guess.

Geoff Belknap: I think I’ve been really fortunate in that all my board members have been really engaged. I think you know, there’s always exceptions and some people that understand sort of the deep technical stuff differently, but the key part about it is, all the board members I’ve worked with have all understood.

The [00:18:00] value of security, the risk of, under-investing or not paying attention to security. And you know, you, I can’t put a price on that. I certainly have peers and friends that aren’t that lucky. I think the tide is turning though the amount of board members that can walk around blissfully ignorant of security is dwindling quite dramatically, right?

there is no part of your business today. If you’re an established organization that is not impacted by cyber security, either policy or specific actions by actors. And you know, if you’re a board member, you have to have some awareness of what that means, but let me be clear. The way I approach board members is talking about security in the terms that they can understand and appreciate.

And what I mean by that. And I guess this would be one of the secrets of of being a successful CISO is understanding that it’s not my job to teach board members to be more technical. It’s not my job to make them understand what a pen test is or, you know, how a certain flaw works. Certainly if they’re interested, [00:19:00] I’m happy to engage and deep dive.

But my job is to represent security in business terms, like, how is this going to impact the business? What, what part of the business growth outlook are we impacting by investing at this level versus another level of security or what is some security risks that we’ve discovered? How can that or how did that impact the organization?

And what I found is communicating with board members in terms that they already understand and understanding their world, understand. I think that they’re thinking about PNL and sort of the balance sheet. And they’re thinking about how the business is growing very differently than what is the new, what is the tech stack, right.

That it has been the secret to winning them over. I think the other part is really understanding, and I learned this from one of the general councils I work with that a board is oversight, not management, right? You’re not going to the board to ask permission to do something. You’re not necessarily going to the board to get them to approve a budget or a head count or something like that.

Maybe in smaller organizations. , they’ve got tighter oversight, but you’re going to the board to tell them we have identified these risks, these problems, [00:20:00] here’s what we’re doing to address them. And here’s the progress we’ve made on that. And they’re going to ask you very difficult, very hard questions.

And it might be difficult because they’re coming from a board member perspective instead of a technical perspective, but those questions should inform how you’re thinking about it. And they should inform how you’re working with your team to make them see the boards thinking about it this way.

Let’s make sure we’re grounding, whatever our answer is. And something that the board is also gonna understand. And that doesn’t mean adjusting what we do, but it means understanding, like what are the financial impacts of what we’re doing. What what are the technical impacts? Like, how is this, are we slowing down growth?

Are we going to make it harder for developers did with deploy things? Are we going to add friction to how our users sign up or engage with our content or our products? All those things have to come into play because all those things impact how the business operates.

Ashish Rajan: Great answer. And I love the perspective of it not being just about security and our job is not to teach security to someone else.

Although it does get hard. I think sometimes I put it across this way. I mean, you’re a security person and you see. [00:21:00] You’re such a great way to see that you’re going into this technical mortar. The other person doesn’t understand is another person starts rolling eyes and falling away. Oh my God, this guy’s going, Oh, are you going on again?

So probably a great sign. When you talk to a board member and they’re like rolling their eyes probably should reel down a bit, I guess.

Geoff Belknap: Yeah. I think again, sort of having a high EQ and understanding when you’re losing somebody and what a subtle eye roll means in the real world.

And being able to adapt is really important because you’re like, okay, they’re rolling their eyes. I better get more technical.

Ashish Rajan: Oh yeah, don’t do the opposite of what it’s happening. Like this guy doesn’t know anything. So I should go even more deeper into Python version 2.7.

Geoff Belknap: Yeah. , it’s helpful to remember.

I think I picked this Statistica from ed Amoruso. So I don’t blame me if it’s wrong, but yeah. We’re at a talk once and he sort of threw this thing out that I found to be very true. But he said, you know, the average board member at a public company is 62 and a half year, a 62 and a half year old white man.

And their technical skills at that age, like that’s, [00:22:00] don’t put a password on it, iPad, cause I won’t be able to open it. Right. Is like their level of skill is they really understand sales strategy go to market, product, market, fit, marketing skills. They don’t understand cybersecurity.

Most of them though understand how those risks can impact the business. And I think it’s just, you have to put yourself in that mindset of who you’re communicating with when I say I’ve been lucky though, like out here in Silicon Valley, a lot of your board members are other people that have run very technical companies and they’ve been founders or things like that.

So they can engage at a much deeper layer of technology, which. Is good and bad. They can go ask you like, Oh, or, you know, what platform are you using for data pipelining? And you’re like, ah, like, sure, we can talk about that. And that’s fun sometimes, but it’s good to keep it at the board level.

Ashish Rajan: Let me call my expert as I’m talking about pipelines fair enough. Of what our question here from Shaneecia who got I hope I pronounce your name, right? Shaneecia how do you decide what metrics are most important to present to your board?

Geoff Belknap: It depends on your business. [00:23:00] At the end of the day, there’s some key things that you always need to be present in your board, and it’s just you know, what the metric you use is sort of a up to you.

I go back to, when I give mentees advice about finding a job I tell them at the same thing, I would tell everybody listening today, if you’re looking for a job, step one, get a LinkedIn account. All there’s a lot of good jobs out there. That’s how recruiters are going to find you.

But step two, when you’re mailing your resume in, or you’re applying or you’re filling out the thing where you’ve sent your resume in, and then they’ve asked you to reenter it a second time and you’re screaming a deep visceral scream. What you should be doing is adapting your resume to fit, you know, sort of the circumstances and the context of that job.

And that doesn’t mean lying or making stuff up. It just means. There are ways to talk about the work that you do, the skills that you have that are contextually relevant for the job that you’re applying to. Right? If you’re going to talk about that job, if you’re going to talk about, I have security skills and you’re applying to a big four consultancy, or you’re applying to a manufacturing company, like the way you frame your skills is [00:24:00] naturally going to be different because those organizations are going to value different things.

And you’re going to highlight different things that come out. Those are all still your skills. You still have, you know, all those expertise, but you’re going to like tease out things that are more relevant to the audience. The same thing is true for boards. Boards at different companies are focused on different things.

They have different people. No one board is the same. They’re all made up of people with different skill sets. So when I communicate with a board. My main focus is going to be on, you know, let’s talk about the risks that exist in the organization. Like I said before, what are the risks? What are we doing about them?

What’s the progress we’ve made since last time we spoke. And then generally you’re gonna talk about, you know, anything that’s top of mind, like, did we have an incident? Did we, you know, was there a significant departure from a talent perspective? Was, you know, was there something else that’s urgent that needs to come up that they need to be aware of?

Honestly, that’s mostly just of what I would present to a board. And if I go back to the last time I was presenting to a public company board, it at Slack, that was it. Those were my slides. Like that was it. Now there was a lot of context and maybe we looked at different numbers that talk about the progress that we’ve made for different [00:25:00] projects or different initiatives or different risks, but it’s tailored to that level of conversation because that’s generally what a board wants to know.

And I don’t know, we’ll talk directly to Microsoft board and part of the leadership group. That’s all the security leaders at Microsoft. We have one corporate CISO that primarily is the the main face that talks to the board. Although we all interact with the senior leadership team.

But you know, even Microsoft board, that’s what they’re focused on. Like what are the risks to us and to our customers and to our engaged members and partners, how are we doing against those risks? How are we doing against our own initiatives to address those risks and to improve our products, et cetera.

And what are we doing next? And what’s the progress we’ve made. All the conversations generally center around those things. So your metrics are all going to center around how you communicate those things. And they’re going to evolve, meeting to meeting. There’s going to be things that are consistent, things that you, as you interact with the board, you get the sense that like they enjoy consuming that they find it valuable to consume a metric that you share, but you’re going to adjust you’re not going to thrive, Ash.

You’re not going to [00:26:00] make the whole deck, this the different every quarter that you meet with them, but you’re going to evolve the way that you’re communicating and evolve. The kind of things you’re speaking about. So it’s never really the same. And I’ll point that out, like when you are wondering what you should present to your board, focus on the first principles of what they need to know and worry less about.

I see this all the time , from peers and colleagues, Hey, can I get a copy of your board deck? Don’t don’t do that. Like, it is definitely helpful to understand and what other the people are doing. So you can get an idea of how you want to evolve what you’re doing, but nobody’s board deck is going to work for you.

It all is a, an amalgam of what your board members need to know what you need to tell them. And what the best way to communicate with them is.

Ashish Rajan: Awesome answer. I was going to say, can you explain what first principle is? Cause I, I feel like a lot of people in the Valley use it. I’ve kind of got my own definition of it, but a lot of people hear first principle and go, what do you mean by a first principle?

Geoff Belknap: I should probably Google it. It’s an easy way for me to just say let’s break the problem into, you know, sort of the key elements let’s go back to, instead of making a decision based on how we feel or what we’re [00:27:00] seeing in the moment, let’s zoom out to go. What, what are the principles by which we might make a decision?

And then like, let’s draw all the problems that we’re having back to those principles and make sure that we’re for deciding a policy or making a really difficult choice about technology. Let’s go back to a principle view of how we’d approach that. At least that’s how I interpreted it. I didn’t go to Stanford business school or anything.

So maybe I’m learning the wrong usage of it, but

Ashish Rajan: no, that’s my understanding as well, but because I’ve always asked why don’t just call, like, what’s our goal as a business and stick to it. But people like to say first

principle.

Geoff Belknap: Yeah. Well, I think you can use it in every context. It’s like, you know, what are our goals in security or what are our goals with this detection and response program?

Or I think the time that I end up using it all the time is okay. If we’ve got a risk management program, like what are our goals here? Are we trying to reduce risk or reduce, reduce actual harm to humans? So let’s make sure the decisions we’re making are rooted there because it’s so easy as you get, you know, as you deep dive into like a data protection issue or privacy issue to [00:28:00] look at just the problem right in front of you.

And you can sort of miss the forest for the trees and get back to paint yourself into a corner or get backed into a corner about decisions you made at the micro level, instead of zooming out to the macro. And I think if you’re making complex decisions in a very challenging environment, it’s easy to lose sight of that.

Ashish Rajan: I appreciate that. And hopefully we answered your question there. So by the, by the way, congratulations on your job as well as officially joined Microsoft recently. So you might have a colleague walking down, well, walking down your virtual hallway when you guys go to the office, because I guess

Geoff Belknap: we can send each other gifts on teams.

It’ll be great.

Ashish Rajan: You can definitely do that. Switching gears back to I guess the topic we are having obviously boards have different perspective, different sizes. So definitely appreciative of the answer that you gave there. What about the different kinds of businesses, like, you know, between B2B and B2C seem to sell?

You’re done some stints in both and I’ve personally been primarily in the B2B space and for B to C like, Oh, so I’m curious to know from your side, what do you see are key differences in our CISOs [00:29:00] role between say B2B versus B2C? I guess.

Geoff Belknap: I, you know, I struggle with how to answer this question mostly because I’ve been enterprise or B2B for almost my entire career.

And LinkedIn’s my first foray into something that is. Very heavily B2C or consumer focused, although we have a significant amount of enterprise business. So it was a good opportunity for me to sort of do both things. And what I have learned is that it’s really not all that different.

I think the things that are different are. You are making different calculations and understanding how different people perceive risks enterprises when they engage. And they sort of engaged like you know, can we trust you? How do we build that trust with you? When they engage and sort of understand whether you’re an organization and a security program that they can trust, the way they approach it is very different than consumers.

And I think there are two sides of trust in any organization. There’s that foundational trust. The thing that, you know, if a bank is going to sign up for an enterprise [00:30:00] license on something, they want to make sure you’re going to be a business that is around that. You’re, you know, you’re not just going to fold overnight.

And, and certainly LinkedIn, as part of Microsoft, they’re not worried about that. But what they want to see is that you have sufficient controls that a security program and an audit that shows that you have a well-functioning control environment. But on the consumer trust side, on that individualized trust side, that is how you as an individual interacting with whatever this product or services, that’s how you perceive it.

And certainly almost every enterprise product that people buy. There’s still an individual. There’s somebody like me or you or the people watching this, that use the thing. And there’s how they feel about it. However, if you’re buying enterprise productivity management software, something to operationalize an optimize the way you manufacture a widget or something like that. Yeah. People, aren’t going to worry about like, am I going to get harassed in this product? Or, you know, do I know if my boss is watching me? Like you don’t have as much of that. There’s a little bit of that.

But if you’re buying email or if you’re a member of LinkedIn, certainly you have a [00:31:00] lot of questions of like, what happens if if I engage with somebody who’s in plight or harassing, what if I have an interaction with somebody where I think that might be fraud. Those things are how we respond and how that gets handled and how you can report that, those influence how you feel about trust.

So I think if you’re a CISO at your organization and certainly I’m not responsible for all things trust, I’m a big stakeholder and how we handled that at LinkedIn, it influences how you make decisions. Because again, I come back, that’s the first principle principle of I’m trying to minimize as much as, as possible individual harm to a person or a group of people.

That drives a lot of decision making that I have to do. I wanna make sure that like great. I might make a decision about some technical control that we’re going to do that might really be the most technically correct thing ever. But if that’s going to position something where employees or members or somebody else might be at risk or might not have a good experience that’s not something that I want to do.

I want to optimized for that outcome. So we’re really just comes down to how are you [00:32:00] optimizing your decisions? How are you making decisions about risk? And what’s informing that. And in a business to consumer environment, you’re going to be much more informed by risks that might be dangerous to individual humans versus, how a company interacts with us or how they might decide to renew or not.

And. At the end of the day, it’s still the same thing. Whether a bank is buying from you or whether you Ashish are buying as a member of LinkedIn I want you to do business with us. I have to protect your data that you are entrusting me with. And I have to do it to the same degree, whether it’s you Ashish or whether it’s a large manufacturing company.

Ashish Rajan: That’s pretty awesome. I was talking about a consumer when we were kind of agreeing on the concept that always would come on the show and all that it was, that was really interesting thing that Todd, that came to my mind was I wonder if the LinkedIn platform would be able to take on the LinkedIn fee.

So coming on the LinkedIn platform, I wonder if there’s like a, like extra compute being provided for that particular streaming. So it was at that point, I clearly we’ve been stable so far, so I’m not gonna knock on the word. I’m not going to jinx that, [00:33:00] but I totally agree. As a consumer, they’re very different problems.

Like availability is probably a lot more different and louder. I imagine when people can’t access a service, even if it’s a free service that accessing, they just happy to go on Twitter rant about I can’t access LinkedIn right now. What are you doing

Geoff Belknap: super worried about about us overloading the platform for me? I I’m flattered that you think I’m that big of an attraction?

Ashish Rajan: Well, we have to do the trick though. So I’m just waiting for when the trick happens there. Like compute services is coming out everywhere.

Geoff Belknap: That’s it we’ll spin up. We’ll spin up more stuff on Azure.

It’ll be fun.

Ashish Rajan: It’s a great answer because a lot of people who may be in the B2B space I know I joke about this, but it’s really hard privacy for an individuals, especially. If you consider as humans, we have rewards so much, and there’s so much I guess, diversity and perspective as well, that you have to cater for like thinking for every possible perspective on this world.

It’s not an easy thing just to be respectful for them and having a platform which is safe, man. I think it’s so it’s [00:34:00] hard, easy job.

Geoff Belknap: There are a lot of people working hard to make that happen. I can’t take credit for much of it at all. Because I have lots of peers, like I said, there’s a group of people that make up the trust organization across privacy, safety, security, legal at the data organizations.

And I apologize if you’re a part of, one of the organizations that I’m leaving out, watching this on our own platform, but there’s a lot of people that come together that focus on that. And I’m really thankful to join an organization that. Really prioritizes that. And the reality is like, I just couldn’t join an organization that didn’t care about this, that it wasn’t a priority for, because it’s a priority for me.

And, you know, all the organizations that I’ve joined in the last 15 years have all been places that I felt like at the time that I joined they aligned to, my personal philosophies, the way I think about, you know, morality and ethics and sort of my personal principles. And I’m really very lucky to have been able to be choosy about those kinds of things.

Ashish Rajan: That’s really good to hear. And I’m happy for you as well, you’ve been able to consistently go down that path as well. So taking on [00:35:00] that experience then I’m sure a lot of people listening to this are going, yeah. Great 15 years the first 15 years as a CISO or 15 years

Geoff Belknap: insecurities, just over, I think I’m just over 10 years as a CISO, about 15 years in security.

I dunno. I don’t know how math works. It feels like all the days blend into one at this point. Ashish, I think I’ve been at home working for about 20 years at this point. Oh,

Ashish Rajan: yeah. I think each day is just another day. And you’re like, what day was it again? I’m just like, I don’t know. You take the dog out, I guess it’s morning now.

So the dogs come out by the way, dog pictures on LinkedIn have been really interesting. Not not that I’m saying I’ve been envious of how beautiful your dog is. Cause my dogs get certain attention as well, as long as it doesn’t bark in doing live streams

Geoff Belknap: I got kids yelling and dogs barking during meetings.

Why not during live streams, right?

Ashish Rajan: Yeah, totally, totally works. I was also gonna ask based on say the 10 years experience, you’ve had a CISO and continue to go down this path, a lot of people kind of are also looking for what’s next offer CISO. So usually like, [00:36:00] or is it like you become a B2B CISO, so you kind of grow into that and kind of go to different companies or B2C CISO

so, and you just go into there or kind of like what you’ve done yourself. We’ll from B2B to B2C what’s the next goal after that? Is that it, like you become a CEO after that?

Geoff Belknap: Oh, no, , I had a fantastic recruiter that I think was mentored me very well in the early phases of my career.

And one of the things that I learned from him was it’s very valuable. Even if you found something you’re really good at right. And I don’t know. I’ll preface this all by saying one of the best things you can learn for you as somebody building a career for yourself is get really good at something.

Find some part of what you’re doing and where you’re working. Now, if you want to work in that space, if your insecurity, whatever it is, like find some part of security that you can get really, really good at it. It doesn’t necessarily have to be something you’re passionate about, but once you’re really good at it, you find that the passion usually follows.

If you can get really, really good at it, you can make a career out of just that thing by doing this, by going and saying like, great, can I do that [00:37:00] thing for a company that consumes product? Can I do it for a company that sells product? Can I do it for a company that, you know, produces the parts that you make?

And you can become really well-rounded by working in a couple of different places that have different takes on what you’re doing. And I’ll give you an example. When I learned this from him and Matt, I can’t remember his last name. His name’s Paul works is a recruiter out of Buffalo. New York is a fantastic guy made a huge difference in my career.

So thank you if you ever see this, but I was in networking and he was like, great, Jeff, you’re a network engineer now for a cable company. Go be a network engineer for a company that buys internet services from you. Right? That’s like a, and I eventually went to go work for a financial services firm and I worked in a bunch of different ways there, but like I worked at an ISP or did a cable company or a company that bought ISP services from other cable providers.

I worked at companies that sold you know, sort of network services and data services. And I think once you’ve seen all aspects of that industry that you’re in and you could be in the same role, you’ve really grown and you really grown [00:38:00] your ability to contribute to a business that you work for because you’ve seen these different aspects of the problem.

So I think the same thing is true in CISO land. If you’re a CISO, you could be a CISO in healthcare and you could be an, a CISO that works with hospitals or works at insurance providers. If you’re a CISO that is a CISO now in finance, you could be. On all different aspects of whatever the market that you’re in.

And I think there’s a lot of growth there, but you could also go great. I’m a CISO now in enterprise and I’m going to be a CSO and consumer, I might be in media or I might go to finance. I think the more you do that and the more you, you see different perspectives on security from different places, the more valuable it makes you as an individual that might be skilled, whether as a CISO or , as an analyst.

But it also gives you just a lot more depth of experience to draw on. One of the things that I feel really privileged to have done is I’ve had a number of jobs in my career. And while, although it’s been pointed out to me by some peers been able to maintain uncertainty length of of CISO holding a CISO job for as long as possible, which is unusual [00:39:00] sometimes for CISOs, I’ve held lots of different jobs at lots of different places, you know, maybe for three, four or five years and all of that has been really incredible for understanding how to interact with boards differently, understanding how different companies approach different problems and understanding how our customers have different perspectives when they approach us.

So , I think the next job after a CISOing for me is either you know, being a starter at a golf course, or like a, a coach at a swimming, swimming pool or something like that, but relaxing because boy, I could really use to relax more. But I think it’s just, you know, the next CSO gig after this if I decide to take one would probably just be, you know, in a space that is new to me, but somewhat related to something I’ve done before, so I can continue to like grow and learn and bring value to whatever I do.

Ashish Rajan: Interesting answer. And curious to know what options do exist when you’ve been at CISO for awhile, because CISO advisory is another one that people keep talking about. And obviously this is talking about in general as a CISO workflows, a lot of people [00:40:00] make the career part thinking, Oh, that’s the, that’s the angle that I’m negotiating.

That’s kind of where the question was coming from as well. , do you, among your peers, you see, what are the other paths people take? That’s where the CEO joke came in from, by the way?

Geoff Belknap: Yeah, I think, well, I think I certainly have known people that have become CEOs and founded their own companies.

There are people that go advise companies or might go to the VC space and invest in the security space. I think there are CISOs that then go work for security startups that might be addressing some niche space that they have some deep expertise and passionate about. But I think. Look, CISO is if you’re into management and leadership, it is sort of the top of the stack, as far as that’s concerned.

I think board opportunities becoming more and more an option, although that’s not really a full-time job necessarily, unless you have a lot of work. But I’ve seen also people transition to you know, running, I’m running it as well as security full time. And I have not a majority of my peers, but I know a significant number of my peers are managing security plus it, and sort of a quasi CIO CSO, a [00:41:00] hybrid role.

And that’s very interesting. I don’t think that would be for me, but I’m seeing that become a more of a growth path or an opportunity for some people. I’m really quite happy with where I’m at. I can’t imagine doing something else, although I wish sometimes I was good at something else.

Certainly be very stressful sometimes. And I’ll tell you like, Even still I get woken up or have to work late and you know, that like incidents always happen. But I can’t imagine doing something else completely.

Ashish Rajan: I guess the question over here from Obaid, which is kind of like, I think I was going to ask a similar question. Maybe you can answer them together. Because my question was more around, like as a CSO, who’s looking ahead and making, building roadmaps. What are some of the trends you’re seeing for, for people should be looking out for?

I think you do that yearly LinkedIn article that you’ve been doing that kind of inspired this question as to, I wonder, what are you looking at? Say five years down the track and kind of goes back to what Obaid is asking as well. Like what are you thinking from risk and threat perspective? Where do you see this go?

I guess.

Geoff Belknap: I think the place that I see a go most often is just [00:42:00] the adversary. And really, I almost hesitate to use the word adversary is as broadly or generically as I have in the past, because, you know, you think about adversaries, like a bad guy, who’s trying to steal something from you or ruin your business, or maybe they’re like a foreign intelligence service or a state level actor, but it’s really the gulf has widened significantly between, you know, the kinds of actors that you find in your environment.

It used to be like, you know, maybe five, 10 years ago, it was a lot of espionage. And then a lot of like, you know, people clicked on things and maybe a computer got compromised here or there, and it wasn’t dramatically impactful to the business. Well, now what I would say is commercial enterprise of crime has become a significant driver.

Right. And I think. Being able to monetize some part of a cybersecurity incident is a big part of what happens in the space today. So I would say to some extent, the espionage foreign intelligence type stuff has gone has shrunk and the vast majority of sort of market [00:43:00] of a total addressable market for crime that you can commit is really done by organized crime groups.

Now. So the thing that I worry about is if you’re a foreign intelligence service looking to, you know, execute actions against a target that might be legitimate for your government, you have a fair amount of money. You can invest in R and D. But you’re still a government. There’s still somebody at the end of the day, you’re making slides for it.

You’re meeting with your boss. Like you have a job that you hate as much as any government worker. But if you’re a criminal enterprise, there’s a significant market incentive for you to get good and commit resources to developing techniques and tactics that are going to be effective against a target.

More so maybe then a foreigner or a nation state. And what concerns me is the rapid pace at which, you know, people are advancing and how inexpensive it’s getting to successfully execute an attack. Maybe five years ago executing a two factor off bypass or an interception.

You were like, okay, that’s only going to be, you know, the top, top of the top, the ATM of some nation, state adversary, or [00:44:00] some exceptionally talented, you know, criminal element. Well, nowadays that’s. That’s cheap. It’s inexpensive. It’s still difficult, but it’s a lot easier than it used to be.

So I worry about like, great. Not, not just me, but all of my peers, because a rising tide we’re falling tide lifts, all boats we’re impacts us all directly. , if we’re putting products out that don’t have 2FA or we’re, don’t have advanced, you know, sort of, I’m not gonna say fishing proof, but difficult to fish you know, two factories, if you don’t have a solution like that for your product, you’re really, behind the times.

And I think about like, that’s very present now, especially as people are talking so much in the industry about zero trust, which really just means you don’t trust your networks, you treat everything as internet, and sometimes you’re going to have internet facing you know, access for a lot of your applications.

You’re exposing yourself to a risk landscape that’s significantly more sophisticated and advanced than it used to be. Even 18 months ago. So I worry about those risks that are accelerating. I worry about the kind of things that, you know, we’re [00:45:00] all walking around with someday. I’m going to get this project done and worrying about the timeline for that project.

You know, maybe being too long or maybe the investment being not enough. And the reality is none of us have enough money or people to spend on security. I effectively have an infinite amount of money and people do invest in things and that’s still not enough. Right? You have to prioritize where you invest in when you invest.

And that’s the hardest thing. So I would say like for me, the threat landscape is rapidly expanding successful, more advanced attacks are becoming less expensive for people. And. I, and my other peers are still struggling with how do we get smart people in the door? How do we keep them happy?

And how do we have them focused on the right work? And it can be quite a lot to balance. It’s easy to work on offense. You only have to be right once I have to be right every single time. And when I’m not right, I have to be really effective at moving. And addressing that time that , I made a mistake where we didn’t get it quite right.

That’s much more expensive than running an offensive program. So I realized that’s sort of [00:46:00] abstract, but I think it really just comes down to like hiring people and getting good at it is a, business risk is a technology risk. Cause it can dramatically slow how fast you can move. And then that is weighted against how fast the adversary, where the bad guy is moving.

And all those things equal. You know, you can’t take your eyes off the ball.

Ashish Rajan: That’s a great answer. But before we end thank you so much for coming on the show, where can people find you, but can they connect with you?

Geoff Belknap: I would say LinkedIn is a great place.

Ashish Rajan: I’ve heard of its a great place to hang

Geoff Belknap: go live stream. Yeah, I think you can find me on LinkedIn. You can find me on Twitter, although I’ll warn you.

My Twitter I used to be much more much less professional than I am on Twitter or on LinkedIn rather. And then you can find me on clubhouse and or in person in the San Francisco Bay area.

Ashish Rajan: Awesome. I I’ve just got to hope. I was hoping you were dropping your podcast as well as we started doing recently.

Yeah,

Geoff Belknap: I have a podcast that I co-host with David spark and the CISO series network defense in depth. Check it out. I also have a a regular show I do with my friend Joel Della Garza, who used to be a CISO at box and is now at [00:47:00] Andreessen Horowitz. We do a thing every Thursday on clubhouse called the breech of the week where we talk about breaches that have happened in the industry.

We’re trying to de-stigmatize breaches and talk about what we can learn from them and sort of interesting stuff that’s happened around this space. And there’s probably other stuff I’m doing that I’m forgetting and I’m sorry, but I think, you know, we’re all at home. Every one of you has at least one podcast you are recording right now that you are making, and I can’t wait to be a guest on it.

As soon as my calendar opens up.

Ashish Rajan: Awesome. And thanks for sharing that as well, by the way, I would definitely recommend people to check out the club house and specifically you’ve kind of really find out the frolic and fun Jeff for the person he is. But

Geoff Belknap: I find that I’m clubhouse before my comms team makes me stop doing it.

Ashish Rajan: Yeah, that’s right. Before they identify clubhouse as a platform, they can talk like endlessly and people could be recording on the other end. Exactly. Exactly. Awesome. Thank you so much again. I definitely can’t wait to have your back again, but I left, I encourage everyone watching to connect and probably get some mentorship and stuff from your side as well.

I’m sure your [00:48:00] wisdom that you bring in with the 10 plus years of CISO and 15 years is definitely worthwhile tapping into, especially with experience like Slack and LinkedIn and stuff as well. So thank you once again. I really appreciate it. And for everyone else, I’ll see you all next weekend. Thanks

Geoff Belknap: Jeff.

Thanks for your soon man.

Ashish Rajan: Oh, thank you. All right. Bye.

Geoff Belknap: Cheers.

‍