The Path to CISO
Cyber Security Business · 2026-03-18 · 29 min
Substance score: 41 / 100 (five dimensions, 20 points each)
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode contains a handful of useful operational nuggets—a quarterly information security committee, security reporting to legal rather than IT, an AI bill of materials—but they are buried under long stretches of career autobiography, rapid-fire personal questions, and throat-clearing. The ratio of novel ideas per minute is low.
I call it the information security committee. Who's on the committee? Well, it's the CEO, the chief legal officer, chief finance officer, the COO, myself, and the director of IT and CIO. And when I take that opportunity to set up that structure, I say, hey, we're going to meet every quarter.
We are strategically positioning ourselves with AI governance of, okay, we need to have an AI inventory, which will ultimately evolve into AI bill of materials, similar to software bill of materials.
Originality
The 'not yet' reframe and the Chesterton's fence analogy are the only genuinely fresh framings; the rest—network your way to CISO, 90-day listening tour, security as business enabler, AI is changing everything—are well-worn concepts recycled without new angles or contrarian challenge.
applying Chesterton's fence, right? Like, why is this fence here? Get rid of it. What? Now the cows got out. Oh, that's why it was there.
The gold standard for me now for BCP plans is they must have survived two wars to be considered relevant.
Guest Caliber
Jeff Spear is a legitimate first-time CISO at a real cybersecurity vendor (Tufin) with genuine hands-on practitioner history across vulnerability management, red teaming, and compliance—but he is not a seasoned CISO at scale, and much of the episode covers early-career story rather than hard-won executive wisdom.
We went from, oh yeah, we ran a scanner for the audit, you know, we run it twice a year and then we save the PDFs to, okay, let's do something a little more involved.
I inherited securing all of those code bases. So it was a real, real test of my technical limits that I really savored.
Specificity & Evidence
There are concrete specifics—named stakeholders on the ISC, a $20K Palo Alto retainer figure, Superstorm Sandy 2012, 13 financial services products, PCI footprint, Northeastern and RIT co-ops—but no hard metrics on program outcomes, risk reduction, or business impact, and the AI discussion stays largely conceptual.
Hey, we have an incident. We're about to blow through our $20,000 retainer with Palo Alto. And this is probably going to run into the six figures.
with a portfolio of 13 different financial services products, had PCI compliance. If there was a software stack that you could build with, they built something on it with 13 different offerings.
Conversational Craft
The host occasionally redirects effectively ('don't gloss over that couple of hops') but mostly serves as a warm narrator, telegraphing answers in long preambles, inserting a story about his own son, and closing with a fluffy rapid-fire segment that adds no B2B value; no claims are challenged and no follow-up probes for evidence.
And the three things I heard you say on your journey were your network, your network and your network. And I think that's important.
I was talking to him last night about the network that you're going to build and take into the career that you choose. And he was having trouble wrapping his head around that concept
Episode notes
Kevin Pouche, COO of K logix, sits down with Jeff Spear, CISO at Tufin. The two explore the path to becoming a CISO, what changes when you step into the role, and how modern security leaders are balancing risk, business enablement, and AI-driven transformation.
Full transcript
29 min · Transcribed and scored by The B2B Podcast Index.
Welcome to Cybersecurity Business. I'm your host, Kevin Pouche. Today's episode is all about the path to becoming a CISO and what happens once you're in that seat. Our guest is Jeff Spear, CISO at Tufin. As a first-time CISO, Jeff brings a fresh perspective on executive accountability, security as a business enabler, and the evolving expectations placed on modern security leaders, and really, what does it mean to be a modern CISO in today's world? We'll talk about Jeff's journey into the role, how leadership changes at the C-level, and what every CISO should be thinking about right now. Jeff, awesome to have you here.

Pleasure to be here, and I look forward to chatting about all the above.

I was going to say you're on the hook to chat about a lot. Don't be ready.

I am ready. I am ready. I distilled those talking points down into my origin story as a CISO, what it means, what business enablement means to me and how I learned that style of being a CISO. And that really ties in really well with my path to CISO, because I had a lot of good mentors and collaborators on that road. And then where we are today and how to be a modern CISO in this AI era, because I think it's inescapable no matter how hard you try.

Completely. Well, I appreciate that. And I do want to talk about your sort of somewhat unconventional path to CISO. But, you know, before we do that, I just wanted to touch on what you've been dealing with, at least over the past couple of weeks, knowing that you have a presence in an office in Israel. I know that's been sort of occupying some of your time in the world we live in. And it's sort of evidence that the job of the CISO is really tied in at some level with politics and, in general, what's going on in the world. So if you could touch on that. And hopefully, I assume, your team and everybody's all safe.

Yes. Everybody's all safe, to date.
And it's definitely been a tough couple of weeks for a lot of people involved in the organization, and ongoing. Right. And not only that, this is the second test of our cyber resilience and business continuity since I've become CISO, right? So I joined Tufin in June, and no sooner had I joined and scheduled my trip to Tel Aviv to greet everybody, start networking, understand who were the key players and stakeholders, you know, the conflict with Iran erupted. So my first few days were, all right, I guess we're going to figure out if the BCP plan that I inherited works. And I give all the kudos to our IT operations team and other folks involved in the organization prior to me that they had everything really well thought out. And from my perspective, I could execute at the high level that I wanted to be at without getting into the weeds of, all right, how do we replicate systems A, B, and C? It was all well, well structured and considered. So that was maybe a silver lining, if there can be such a thing as a silver lining when it involves, you know, missiles and projectiles raining down from above. So, yeah, that's where we are again. The gold standard for me now for BCP plans is they must have survived two wars to be considered relevant.

Well, I mean, look, that's high-stakes, stressful stuff for sure. So glad that the company is all in unison and working together. And I think, you know, what you're doing now, right, I think parallels what is probably one of your more defining moments in your career and what led you to being a CISO, and I'd like you to talk about that. And that's, right, a different type of disaster, a natural disaster, Superstorm Sandy, which ultimately pulled you and thrust you into sort of that leadership role. So I'd love for you to talk about that a little bit.

Yeah, of course.
So a few companies ago, I was working for a fintech firm, and the majority of our clients were very well-known addresses on Wall Street, high-rises in the financial district of New York. Superstorm Sandy, if people don't recall, was a hurricane that basically rammed right into New York in 2012. And in my role, I was on the database and server administration team for this fintech firm. And all of our clients were asking about, hey, like, we've got to fail over our trading systems. You know, New York's going to be underwater tomorrow. Nobody's coming into the office, and the markets are still going to be open. So we need to trade. What are we going to do? So I was leading that team, and it was in no way connected to security, but there was a large component of security, which is crisis management and reaching out about the status of your business. And that's when I crossed paths with my mentor to this day, who observed me during that crisis, leading that team, saying, like, hey, you're pretty cool-headed and helping people get through, follow the plan. And you have a backbone of technical expertise. You can take that and convey it confidently to clients. And I think you could be really, really, really helpful on the security team. And I was like, tell me more. So fast forward after that disaster, I was ultimately put into a role of associate director of security programs, which, in security program speak, is you build up all the stuff that's not working in the security team, or that we don't have yet that we need. And it was really a great opportunity to get my hands dirty with building core tenets of a security program. The first program I went on to build there was the vulnerability management program. So, all right, figuring out the stakeholders, you know, what does this mean to the business? What does vulnerability management need to do to deliver value, right? Why are we even doing this?
Navigate bringing together security, IT operations, business applications, all of the normal stakeholders in that process, and getting in place a successful vulnerability management program. We went from, oh yeah, we ran a scanner for the audit, you know, we run it twice a year and then we save the PDFs, to, okay, let's do something a little more involved. We put into place a full vulnerability management program with scanning and patching and reporting and metrics for success, and then that eventually evolved into red teaming. So, okay, we know where all the vulnerabilities are, and we're paying a lot of money to manage all the pen tests. That was another aspect of the vulnerability management program. I got to engage with all of our pen testers and scope and run all those engagements, which fired up my interest in offensive security. So I was like, well, I want to do some of this stuff too, in-house. So basically I hooked all of the output of our vulnerability program into, call it, server game intelligence for our red teaming program. So if our patching and vulnerability management works, then the red team shouldn't be able to abuse those to then demonstrate impact.

So let me ask you this. Yeah, well, wait, don't gloss over that couple of hops, because I think those hops are so important and I have so many questions around them. I guess what's running through my head right now is, so you're in information security, you're clearly making an impact, and it sounds like you found a really great home that took your technical skills and your business skills and combined them. But at what point does becoming a CISO feel like a goal? And how did you make those small next steps that we gloss over that are actually big steps? How did you do it?

So in that programs director role, I got the lay of the land. What is this at? And I say lay of the land, and I know this is my experience, right? My lived experience is in software companies, right?
particularly Boston-based software companies. One of the things that I picked up on quickly is that the community is small, right? Or not small, but regional. I started to understand who was where and how they ran their programs, because the entire security team would go to a couple of events a year. I'm not plugging any of that in any capacity, but there's one that's at the Hynes Convention Center every spring. Everybody in Boston goes. And I got involved there and started building a network. And this was modeled for me, right? So this is how the leader of our program at the time did it. And I started building a network, making connections. And those connections and community are really what then opened the doors, right? I sat tight. I picked up every skill I could in that associate director of programs role. I learned about security awareness training. I learned about ISO audits and GRC. I learned about telling an effective story and building a deck to present at an adaptive level on the topics of security. And every time that I would come in contact with the folks that are in my network, slowly but surely, the phone would start ringing and say, hey, I think I have something you can help me with, or can you help me with this? Thinking back on the timing, it was a former director of business applications who had made the jump into a CIO role. And he phoned me up and he goes, I'm here. I just landed at this next org, and I really need some help with security. And I really liked working with you when we worked together at our last shop. Can you come over here and help me build a program from the bottom up? And I was like, well, yeah, tell me more. That definitely sounds intriguing. And, you know, this is my chance to put what I've learned to date into action. Tell me more. And I moved, right? And it wasn't a security-to-security pull either.
It was all of the people that I worked with cross-functionally and the network I had to then say, oh, I need help here building a security program. Can you help out? While I was there, I had the chance to build a security program from the ground up, right? I put in place awareness training, email security, cloud security, vulnerability management. I think my official title was information security officer, but there was no C. And I was like, all right, I guess this proves that I can do this. What's the next step look like? Right. And then, back to that experience and passion for red teaming, my network came through again and said, hey, does this interest you? We need help with application security. And I was like, yes, I like software companies. The prior company had been hospitality and rehabilitation, so it had a PHI footprint, which was interesting. So I ticked off all of the compliance checkboxes that I could get exposure to. And this new one I went into, which was another SaaS-based fintech with a portfolio of 13 different financial services products, had PCI compliance. If there was a software stack that you could build with, they built something on it with 13 different offerings. If there was a cloud you could deploy in, they deployed in it. And I inherited securing all of those code bases. So it was a real, real test of my technical limits that I really savored. Looking back on it fondly, it didn't feel that bad at the time. That's for sure. Because I'm technical, but I am not a software developer, and I can run right up to the edge of being a software developer. But again, I didn't get a degree in computer science. Right. And then from there, again, another person from my network pulled me, or called me up, and said, hey, we need to bring a CISO in here at Tufin.
And the differentiator they're looking for is somebody that can be client-facing and represent the security program and articulate how we keep ourselves secure and how our product could provide value to their security programs. So, to be the other CISO on the other side of the table whenever they're engaging clients. And I said, no problem. I came through client service. That was my database and server administration role. That was a function of client service. So that, again, that path to CISO is all about the network. I had the skills. I applied myself to acquire the skills that I knew that I needed. I got the certifications along the way and checked off all the screening boxes, so that when the call came, I was confident in saying, yes, this is the right opportunity.

Now, when that call came, was it initially, hey, I want you to be the CISO here, or was it, hey, I want you to lead the team, and did you have to justify the title?

No, I didn't have to justify the title. That was part of the prerequisites of me having the conversation. It was like, you need a CISO, right? And they were like, yes, we need a CISO. They had prior CISOs in the role, but there's a couple of ways. This was a transition they were making, and why they went my direction for CISO, right? In some organizations that have grown security programs organically, they come out of IT, right? Or they are a function of IT. They may roll up into the CIO. In software organizations, I've found the best reporting line is generally under the umbrella of risk, right? And where does the umbrella of risk roll into? The legal counsel. So this was the second organization where security rolled up into a legal organization. And it was my CLO that gave me the call that said, hey, I'm making this change here to bring security under the legal umbrella and sever the reporting lines between IT and security.
Because at the end of the day, how does somebody in the same reporting line hold somebody else accountable when you both roll up into the same executive? If I tell somebody in IT they're not doing something right, now it's coming from the perspective of, hey, legal says we need to do this, or there's outsized risk that can be introduced to the organization. Different conversation track, in my experience.

Right. Well, I like that story so much, Jeff, because I talk to a lot of people, let's say, that aren't CISOs. It could be anywhere from a senior manager to a director, even a VP. And these people are all good, and they all have aspirations to move up to the CISO position. The challenge that a lot of them face is, right, their current company isn't ready for the title. They may be at a smaller company, or the somebody above them that's a CISO isn't necessarily going anywhere. And they can't necessarily go to another company, because a new company wants somebody that has been a CISO, right? They want someone that's been through a lot of the natural disasters and the crises that you have. And, you know, the three things I heard you say on your journey were your network, your network, and your network. And I think that's important. And funny enough, I'm having this conversation with my son, who's now looking at colleges, about the value of the institution that you choose to go to. And I was talking to him last night about the network that you're going to build and take into the career that you choose. And that's going to be one of the vehicles to get you in the door somewhere. And he was having trouble wrapping his head around that concept of people helping you get in the door somewhere. And that sounds like it's been the trajectory to your success.

A hundred percent. And before I even jumped into security, I was fortunate enough to be put in a leadership role, right?
So by that time, as part of that role, I learned very, very quickly that higher educational institutions that have co-op opportunities are a goldmine, a goldmine for talent and candidates to bring onto the team. And to this day, like, whenever I see Northeastern, RIT, a couple of other places that have co-op programs, those candidates, if there's a junior opening, those candidates always won out, in my experience.

So you've been there 10 months as CISO, right?

Yep.

So what did you decide to prioritize in, let's say, the first 90 days, and why?

I call it the 90-day listening tour. You know, a lot of listening, organizational archaeology, trying to understand why certain decisions were made two or three leadership groups ago, and then applying Chesterton's fence, right? Like, why is this fence here? Get rid of it. What? Now the cows got out. Oh, that's why it was there. You know, trying to figure out what is going on in the environment. What's our true risk profile? What are the real needs of the organization from a security standpoint? And distilling that all into a security roadmap, right? The first day, during that 90-day listening tour, is also about understanding who key stakeholders are in the organization, where does the executive leadership team sit on budgeting, and what are their views of security. From those mentors and relationships, I knew one of the key elements of a CISO is the ability to tell a story, and to always have a deck. Always have a deck ready and a topic that you can engage with, either the executive team all the way down to your people leaders, on a security topic. And that's what I did for the first 90 days: be listening and build that security roadmap. And in the background, while I'm listening, I have a playbook in my head of what's going on, looking to set up a governance structure, develop executive buy-in, right? So in my case, I call it the information security committee. Who's on the committee?
Well, it's the CEO, the chief legal officer, chief finance officer, the COO, myself, and the director of IT and CIO. And when I take that opportunity to set up that structure, I say, hey, we're going to meet every quarter. Bang, now I have an audience every three months with all of the key executives in the organization. I set the story and cadence in early. Here's what we're going to talk about. If you want to talk about a certain security topic that you're curious about, let me know. I'm your security concierge. We're going to help you sleep at night, because we're taking care of security. And this has worked. I've seen it work in three separate organizations. Again, my lived experience is software organizations. So your mileage may vary, but that's what I found works great for me.

Do you think establishing those relationships early on like you did, and you're clearly somebody who values relationships, I have to think that helped build faster trust with some of the executive team early on?

Exactly. Exactly. That's what you're looking to get. If you need to go and sit with this group and be like, here's the bad thing that happened with this incident, you don't want that to be your first introduction with them, right? Hey, we have an incident. We're about to blow through our $20,000 retainer with Palo Alto. And this is probably going to run into the six figures. If that's your first conversation with your CISO, good luck.

Right. I think what you seem to be aspiring to be, and frankly are now, is sort of that notion of being a modern CISO. And, well, if we didn't talk about AI at least once, I think you and I would be completely irrelevant, since there's not a conversation that happens every day without AI coming up in some way. And, you know, it's obviously expanding both opportunity and it's also expanding risk. And so how is AI changing the scope and responsibility of our modern CISO right now?
Because this is really happening at the speed of light. A year ago, yes, we were talking about AI, but in a completely different context than we're talking about it now.

Exactly. You know, one of the things that you need to do to enable the business is understand your business, right? If you're in healthcare or finance, you have some very, very heavy regulatory burden. So this is the calculus, as I did it in my head, as my company is considering risk in the AI space. I consider myself fortunate that the data types that we handle are very seldom, if ever, highly regulated, right? We're a network security vendor. What do we handle? IP addresses. Well, they're not linked with names, so they're not sensitive. Okay. We are primarily deployed in clients' infrastructures. So we're not managing critical infrastructure, although we are used in critical infrastructure. We don't have that regulatory oversight. All right. So what does this mean in the lens of AI? All right. So we're not handling this data. So there's no risk of this data bringing down the regulatory hammer, so to speak, or getting us fined. So what does that mean we can do with AI? Well, that means we have a lot more AI options. We have a lot more AI leverage we can apply. We build software. Whoa. Okay. We build software. How does that link to our business? The more software we ship, the better software we ship, the more money we make. Okay, that's a pretty basic calculus, right? Oh, so if we can have AI write software faster and ship it, but we still have our application security program in place, and now all of those pull requests are still reviewed using the same code scanners, we don't have an AI security incident on our hands. We have a Tuesday, right? Okay, there's a vulnerability in the code. The tools caught it. That vulnerability would have been in the code. Arguably, more vulnerabilities are in the code when they're written by humans. But this just happened to have an AI write it.
And we already have the checks and balances in place from our application security controls to accelerate with AI and use it as leverage. So that's a little bit of how we're thinking about AI risk, right? Where are we applying it? On the governance side of things, I think, with everything AI, everything's rapidly evolving, right? So we are strategically positioning ourselves with AI governance of, okay, we need to have an AI inventory, which will ultimately evolve into an AI bill of materials, similar to a software bill of materials. And whenever you're going to be engaging in deals, other organizations are ultimately going to evolve to the point where procurement's going to say, show me your AI bill of materials. We want to bring out an AI tool. All right, let me add it to the inventory and get a risk assessment. What data types is it touching? All right, well, there's not really many sensitive data types in our organization that it can touch that we don't already have rock-solid controls for, whether AI is in place or not. So I think we're in a very uniquely positioned vertical where AI can be used as a business lever much more rapidly than in, say, healthcare.

Well, right. You mentioned, so this isn't necessarily an AI-driven question, but you talked about software launch, and it made me wonder, when talking about the modern CISO, is the authority, or I guess maybe influence might be a better word, of the modern CISO increasing? Meaning, right, do some of the modern CISOs have the ability to influence or block a risky software launch, a risky product launch, an unsafe vendor? Like, do you see...

I did.

You did.

I did it yesterday.

I don't think that was always the case.

No, definitely wasn't. I think it does come down to the trust and the relationships before you can implement a no. And I generally don't ever say, no, absolutely not, never. I usually frame it as not yet. Not yet. That's generally how I approach scenarios where I have to say no.
It is like the business is coming to me asking to use something, like they see value in it. Okay, let's help them see the risk in it. And I helped them see the risk, and they were like, yeah, that's probably a more prudent approach.

No, listen, this is great, Jeff. I mean, I love your insight. And before we jump, I do have a few rapid-fire questions for you that are sort of more personal. And I want to fire these off to you. Before I do that, I just want to share a data point that I recently saw that I think you'll find pretty neat. When I was doing a bit of research into what is a modern CISO right now in 2026, one of the key skills that define a modern CISO, believe it or not, was crisis leadership. And we know crisis comes in many forms, and we've talked about many of those forms today. So that falls right into becoming a modern CISO, and you are a modern CISO. So, you know, congratulations on your trajectory and your success. And thanks for sharing all that with us.

Yeah, it's been a great chat, and I'm a big believer in "we are the stories we tell ourselves." So having the chance to tell this story out loud is valuable to me. So thank you. It's really fun.

All right, you ready for some rapid-fire questions?

Let's do it.

So first one, if your CEO gave you unlimited budget for one thing, what would you spend it on?

Hiring.

People love that.

That's my answer. Yeah.

What's the latest book you read or listened to?

The latest book I read, well, it was a reread, but they were doing a leadership development course here for Tuesdays with Morrie. So I reread that, which I hadn't read in a while. And another one on topic is Tracers in the Dark, which is how they traced a lot of the Silk Road Bitcoin to ultimately take down that dark market. It's good.

Tuesdays with Morrie? That's an older book, right? I definitely read that a long time ago.

Yeah, it's about keeping things in perspective, right?

Yeah. What's important in life?

People.

People is right. All right, next question.
If you could instantly master any new skill, it could be personal, professional, doesn't matter. What would it be?

Vibe coding.

All right. So you're sticking to the professional angle, unless you personally would enjoy it.

I would say getting better at mountain biking.

Oh, okay. Hopefully on a downhill mountain biking. I did that once, and it was pretty scary.

Going downhill, but all of the above. Your focus has to be in the present when you're mountain biking. You risk bodily peril.

Yeah. You're going over those handlebars. If you weren't in cybersecurity, what would you be doing?

I've put time into this. I'd probably be teaching.

Oh, awesome. And then last question. What's one piece of advice you wish you had when you first started your career?

That resilience and persistence win out.

Right. You're living proof of that, right?

Yeah.

Awesome. Well, Jeff, this was a really great podcast. You had so much good stuff to say and share with us on sort of your journey to CISO and what the modern CISO looks like. And I think people will really love it. So I really enjoyed the conversation. So thank you so much. And for our listeners, be sure to subscribe and hear this episode. We'll see you next time on Cybersecurity Business. Jeff, it's been a pleasure. Thanks so much.

Thanks, Kevin. Take care.