Future of CISO Careers: Perspectives from a Student and Practitioner
Veronica Wolf
March 9, 2023
This month, we had the opportunity to interview Dustin S. Sachs, an information security and risk management professional with extensive experience leading cybersecurity projects. A self-declared future CISO and a practitioner who is also a doctoral student, Dustin offers other aspiring professionals a distinctive vantage point on CISO careers and what it takes to become a CISO today.
Here are a few highlights from our thought-provoking conversation with him.
Tell us a little about yourself and your current roles.
I’m Dustin Sachs, Senior Information Security Risk Management Manager at World Fuel Services. I’m the leader of governance, risk, and compliance for World Fuel Services. I lead a team that deals with corporate information security risks, handling third-party risk management, security awareness, training, and overseeing the Vulnerability Identification Program.
In addition, I’m a doctoral student in the Doctor of Computer Science program focusing on cybersecurity and information assurance at Colorado Technical University.
As a student and practitioner, what have you learned on the job that you couldn’t learn in school?
I’ve learned that the questions we’re looking at and researching in academia need to have a connection to reality. The other thing I’m learning on the job that you can’t learn in school is the cause and effect of things.
Everybody in cybersecurity has an opinion about something. The problem is, when you ask people to explain or give backing for their opinion, they usually aren’t giving detailed explanations. Instead, they say, “Well, it’s just what I believe, or what I’ve learned, or what my experience has been.”
One of the things I’ve been able to do is, in every one of the articles I post on LinkedIn, include references: detailed references for where I got the information from, or what I’m using to back up my information.
With a particularly unique vantage point of both a practitioner and scholar, what lessons or advice do you gather from your current role that you envision applying to your future CISO self?
The first thing I’m taking away is the importance of continual learning. As I’ve said before, in cybersecurity, you have to learn something new every minute, every hour, and every day, because that’s how fast things are changing. Because I was in an incident response role, I’ve always been very reactionary. So, I’m learning to stop, take a breath, and consider what’s being asked.
The other thing is trust. While I might be able to do this specific assignment or task myself, there’s value in having somebody less experienced do it because that’s how they’re going to learn. So, mentorship is really important, as is finding ways to make security explainable to non-security people, and doing it in a way that will resonate.
Cybersecurity is a team sport. None of us can do it alone, and there’s no need for me to spend 15 minutes or 3 hours trying to build something if 15 others have already done this and created the document before.
I have a doctoral professor who I refer back to all the time. She always talked about finding the golden nuggets in everything you do, everything you’re reading, and everything you’re working on. I always keep the term golden nuggets in my head. So, I think, “What is the golden nugget that I need to take away to make sure that the next time I’m going to be a little bit better?”
What do you believe it takes for the future CISO to succeed?
Delegation. It’s easier for me to do something myself than to try to explain it to somebody else, but I’ve also learned through my doctoral studies that there’s value in taking an idea and articulating it to somebody and having them understand what you’re doing.
The lesson is you have to find your niche. Because I think the challenge we have in cybersecurity is that everybody wants to be an expert, but no one will be an expert in all of cybersecurity. You’re an expert in this tiny little piece of cybersecurity. So, you know, you’ve got to get super narrow, and the third-party vendor selection process is my passion area.
Successful CISOs are pliable, willing, and open-minded. They’re willing to accept that their opinion or view of the world may be wrong. Certainly, they want evidence. They want someone to help convince them and persuade them appropriately.
What skills are mandatory to become a CISO today? What has changed?
I feel like you have to have a strong network. We’re becoming more global, more cloud-centered, and more decentralized. The days of every company having their server physically in their building in a server room are going away, if not gone already. So, you must have a connected network of individuals and vendors. Everything’s about relationships.
As a doctoral student, how does your current role help you apply real-world experiences to your thesis?
The biggest thing about my current role is that it has helped me better understand the concepts being talked about. So, when I’m asked, “How do you balance security with running a business? How do you do that tradeoff?”, without being in my current role and having had the experience I’ve had, I wouldn’t be able to answer that question effectively.
You know, I think that, first of all, my problem statement and purpose for my dissertation are drawn from real-world experience: seeing how vendors are selected or how risk assessment is done, and trying to identify why there is variation.
Any advice you’d like to share with aspiring CISOs?
I would encourage anybody who wants to reach a goal to read the book “Atomic Habits” by James Clear. It’s one thing to say “I want to be a runner;” it’s another thing to start running. The minute you start running, you’re a runner. And that’s the mindset you need to have. You don’t have to be the number one influencer on LinkedIn, Twitter, or TikTok to be an influencer. All you have to do is impact one person.
Our conversation with Dustin made it clear that information security is not easy, but you don’t have to go it alone. Blue Lava provides a security program management platform built by today’s CISOs for the benefit of future CISOs. With a platform made with, by, and for CISOs and security leaders, you can measure, optimize, and communicate the business value of security to other stakeholders with confidence.