
CyberPsych Episode 2: Paragliding: Security Leadership Without Fear with Jamie Fullerton, Head of Security, Branch

Episode #2 | October 17, 2023

About the Guests:

Jamie Fullerton

Head of Security, Branch
Through his long career in Information Security, Jamie has experienced organizations of all shapes and sizes, from garage startups to Fortune 50 companies. Jamie started working as a professional hacker and was involved in the creation of several boutique security consultancies and hacker think tanks. His work in software vulnerability research and exploit development was published widely. Today, he builds successful security programs at smart, innovative, fast-growing companies and has participated in and led M&As and IPOs totaling over one billion USD.

Read The Transcript

Dr. Stacy Thayer: Hello and welcome to CyberPsych, a Netography podcast where we talk with industry professionals about the human side of technology, how it relates to the field of security, and how it impacts the overall business. I’m your host, Dr. Stacy Thayer, and I’m a cyberpsychologist and Senior Manager, Research and Engagement at Netography. So I’m excited to say that I’m here today with our special guest Jamie Fullerton, Head of Security at Branch. Jamie has had a long career in information security, starting his early days as a professional hacker where he helped, to today where he helps uh organizations build security programs. Jamie’s built security programs for startups and enterprises, and his work uh in software vulnerability research and exploit development has been widely published, and he’s here today to talk about some of the challenges uh of building security teams from both the business and human perspective. So Jamie, it’s awesome to have you here today.

Jamie Fullerton: Hey, thanks, I appreciate it. Thanks for having me.

Dr. Stacy Thayer: Great. So we were talking a little bit before uh actually getting record, as we do. Um, wanted to just kind of kick off, though, with what are the foundations of building out a security program. So let’s kind of start at ground zero and, um, what is it that you’ve done, what’s your experience been, and um then we’ll kind of get into the nitty-gritty of the um cheers and tears of it all.

Jamie Fullerton: Yeah, sure. First off, I’m a big believer that it starts with the team that you build, and that uh that’s a very non-Kool-Aid uh topic. I think there’s no Kool-Aid here, it really is about the team that you build. When you’re building a security team, especially a new security team or new security program, you have to admit to yourself a few things: you’re probably never going to have the size of the team that you want, and you’re likely going to have to do whatever you can with whatever you have. You’re going to have to start by focusing on the fundamentals, the important things that all security programs hold as important. At the same time you’re going to have to be ready to pivot strongly in any given moment, and you can’t be chasing shiny things and bright lights, but you have to maintain those fundamentals at the same time as being ready to pivot uh quickly for the business as things evolve. Um, it’s different for folks who are just getting into building the program or building the first uh or early stage security program at a smaller or perhaps loosely formed company than it would be at a Fortune 50 company where you’ve got a lot of past experience, you’ve got sizable teams and sizable resources. So I think that’s where it starts, is that initial spark of what you’re going to create, the strong foundations of what you need to be successful, and then being ready to adapt quickly, grow quickly with that small team, and take on different scenarios as they come at you, typically at high speed with tight deadlines.

Dr. Stacy Thayer: It’s a really good point, I think, about setting expectations, realistic expectations. That one of the things is, I’ve talked to people about burnout and stress and everything, it’s like there’s just, on one hand we need more talent, but there’s just not enough resources to be able to hire the talent that you need, so there’s like so many programs are just understaffed.

Jamie Fullerton: Yeah, it’s true, and you know, I think the common joke in the security industry is that it’s job security, like there’s not enough of us in the industry to solve the problem. I think that’s great and funny, but at the same time it is a very difficult sell uh to come into a place that’s trying to get its footing overall, that maybe it’s a business that’s trying to reach profitability, maybe it’s a company that’s trying to find a fast exit strategy like an IPO or to run through an M&A, or maybe they’ve got a really tricky market they’re working in, it’s highly saturated, and they’re focusing all their efforts on the competitive advantage: how do we gain the upper hand here as a business? And here you are coming in to build a security program, and to be frank, a lot of times um that’s a method for adjusting the risk reward relationship for that company, and you’re there to um slow things down and be more careful and guard against risk, and that’s sometimes the antithesis to moving faster and reaching that profitability goal or that IPO goal. Um, you have to go into it ready to get your hands dirty, and you have to go into it knowing it’s going to be a tough sell the entire way until you can convince the organization, the business, that your presence is impactful in improving the overall decisions and outcomes that the company makes. And as we’re a new thing, security teams and programs being a relatively new thing, there’s not a lot of backstory there like there would be in a find a core financial organization or a sales organization, so you have to go into this thing like being ready for that, being aware of that.

Dr. Stacy Thayer: That’s actually a problem I hear a lot, is how do they communicate the value to the board, if they even have a board seat, and what’s the business argument for security. Like, I previous job had worked in the developer community and it blew my mind how easily they just got funding. Oh, I need a new hire? Boom, no problem. Oh, you want a $40,000 sponsorship for a six-foot booth? Sure, we have that for our developers. And it was like the land of milk and honey compared to the security industry and what resources they get. Um, how can they communicate their value, or what advice is there for that? Because that’s a big stressor for a lot of security leaders.

Jamie Fullerton: It’s true. So you mentioned the board, and I think that’s really important, uh, and this is another, you know, recent history thing, where it wasn’t too long ago where the CISO role really became a thing, an accepted industry standard thing, and it was even more, it was even less common for that type of role in the company to be connected to the board. So um as quickly as you’re able to as a security leader, this is highly dependent on, again, just the structure of the organization, you want to have your program elements, your discussions, your talking points, your goals along as closely as possible with the overall business goals, and then you really want to get face time at the executive level and the board level. It’s really challenging because we’re still at that phase where a lot of security leaders are more IT focused, uh, more technology focused. Um, maybe that’s not the right way to say it, but they’re not as sales and revenue and book of business and focused as they are technology focused. So I’m sure we’ll talk about balance there a bit, but um really get yourself in there in aligned and be at the table when these discussions happening, when budget uh budget planning happens, when resource planning happens, when people talk about expectations for revenue, they talk about expectations for bringing a product to market. You’ve got to be there in that maybe new and uncomfortable way where you’re not talking about securing the network or securing the platform or securing the thing with technology solutions. So it’s a really interesting thing, I think.

Dr. Stacy Thayer: You know, it’s funny that you, we’ve known each other a really long time, uh, and you, longer than either of us I think could count, uh, as we were talking about earlier. But um, you know, for so many people who got into the security business it was all about your technical acumen, and it was almost just like, you know, the days of your uh, you never, we never talked business, no, it was always technical gaps. And now as people are in these management positions, or the what’s stressing them out, like, is basically this balance of technical knowledge, or people who have worked their way to that leadership role due to their technical acumen. Um, and so it seems to me that a lot of security leaders really, they have to be able to have that technical acumen to be able to speak to their staff and the people who are working for them, because that, you go to, you know, a conference like Black Hat versus, you know, some of the other conferences or Defcon or RSA, or, you know, everybody’s kind of got their opinion about whether or not something should be more technical or business. Um, what do you think is, I mean, that seems like a huge challenge for security leaders, to be able to balance that acumen of business and knowledge, and then of course I’m here throwing in you also need to know the human side of it. Um, but we’ll get to that later, but anyway, that’s my question for you.

Jamie Fullerton: Yeah, for me it’s a balancing act, and I came into this much like a lot of our friends and colleagues. It was a technical ability thing. My career started with the ability for me to hack fast and hack well, and, you know, I mean there’s a lot of like early ego around that and a lot of early pride around technical skills. I’m still very much involved in the day-to-day technical things as the head of security. I actively still read and write code, I actively still get involved in our cloud infrastructure, I have hands on the keyboard frequently, and it’s a muscle that I still train actively. I still go out and learn new programming languages, learn new technologies, and I feel like I had to be fast on my feet and also leverage my experts on my team and know when my boundary ends and theirs begins. But um that other side of it is as important, if not, on a daily basis for me in my role, more important: that I have to speak to the business about the business. Um, for me the turning point was coming out here to the West Coast and working for, you know, one of the well-known companies out here in the Redmond area and meeting the executive team, and coming in as, you know, a hair-dyed, you know, traditional 1990s hacker persona, and going in and talking to those executives and having them look at me like I was some strange on-fire creature. And I spent a lot of time after that reflecting, like, what am I doing wrong here? And it was literally just did not have the lexicon to talk to people who made multi-billion dollar business decisions, you know, from meeting to meeting throughout the day. Uh, I am a huge believer that you maintain the balance there, and you have to shift that balance occasionally for the moment or for the situation. So there are times when I put down the keyboard, the code side of things, entirely for weeks and months on end, and I focus purely on strengthening my business interface game.
And the human thing, I think I’ll probably generalize here, but for a lot of us who are, you know, nerdy hacker types, we’re not people people, and that thing in between the business side and the tech side, the people connector there, is the thing I think gets most overlooked and under exercised there, and that’s the thing that joins both those sides together. So what I’m saying is you can be really good at the business side of things, you can be really great at the technology side of things, and still not master the whole puzzle, because maybe your people interface skills are not where they need to be for the situation that you’re in. So what I’m saying is, like, if you’re going to be the head of security or a CISO or however you want to name that thing, you got to be ready to play the full game, and it’s not always a fun game to play, but you’ve got to admit to yourself you’ve got to take that leap from one side to the other, whichever direction that is. You’ve got to commit to that. Does scare away, do scare a whole bunch of people away from wanting to be a head of security, maybe, but I mean that from my experience you have to engage in the full spectrum of the game.

Dr. Stacy Thayer: It’s funny, and talking about, you know, how you and I have known each other, and so um those listening, Jamie and I worked together uh back when I was working on Source conference. This is 2009, we did Source Seattle, and we had two tracks, business and technology or security. And so okay, that’s, you, we weren’t quite uh as old as we are now, but still seeing this coming down the pike of the business of the security industry is coming, it’s coming fast and furiously, and how do we bridge that gap between security and business? And we were trying to answer that question in 2008 or 2009 with the group of um the advisers and everything, and it’s so great to talk to you now. You know, we’ve got few more gray hairs here and a little more experience, but there’s still the same problem, and looking around, like, that understanding of everything, as you alluded to. Um, it’s stressful for the security industry and for people in leaders. How often do you see, when you’re working with your team, when you’re working with other security leaders, um, why do you think it is so stressful to them, and what do you see as the effects of that? How do you see that stress burdening and playing out for them?

Jamie Fullerton: Yeah, I see it every day, and even earlier today, you know, I had discussions with people I work with about stress. And I can say this safely, confidently, that this is the most stressful part of my career I’ve ever experienced, the point where I’ve remodeled a lot of my life around it. You know, like, I’m a very physical person outside the office. I spend a lot of time in the mountains, um, climbing and flying and doing extreme mountain sports and things, and that for me is like a stress balancer. Same with my teams, you know, I encourage discussion about it. We talk about it frequently and openly as a team, uh, how we manage our stress, and we talk a lot about what people do outside of work or during work, how they manage that stress. And if you ask me, you know, what is the source of that stress, like what makes that stress, uh, again I’ll defer to something I said earlier: this thing that we’ve um been a part of and that we largely have helped build over the last few decades is new and shiny, and there’s a lot of unanswered questions, there’s a lot of unexplored territory, and we’re still having businesses and other organizations collectively learn how to get the most out of that. And again, tying that to the earlier comments of your team’s never going to be as big as you want it to be, and there’s not enough of us to field the whole problem, I mean it’s really kind of a, if not a perfect storm, like a pretty strong one. And until we have fundamental shifts in the investment of security teams and programs widely adopted by differing organizations, and how they perceive like size and effectiveness or resourcing and effectiveness, I think it’s going to stay this way for quite some time. So, you know, I don’t have the best answer about why the stress exists beyond this is a new thing and we’re all trying to figure it out, and it’s in high demand, and there’s a lot going on, and we’re a fast-paced type of environment anyways. But um also just how many security teams and how many security leaders take the time out of their day or their week to sit down with their team and just dissect the stress, the stressors, and the way that the team moves, and understand, like, how can we affect change here beyond the standard offerings of things that you get from, say, your HR teams, which are really helpful, but we are in this weird niche here. So, you know, we got to take ownership of it obviously, but we’re still exploring that. And so again, like, this is definitely the most stressful thing I’ve ever done in my life. It is incredibly stressful to be a CISO, um, but I love it, I love every minute of it. So I spend a lot of time like thinking on it and dissecting it and trying to guide my team through it, hopefully to positive effect.

Dr. Stacy Thayer: I like the fact that the only way to get through it is to go right through it, right to the heart of it, and address it full on. That’s taking on a lot. So I’m thinking that not only are you just, you’re responsible for making sure uh that there’s no breaches, that all your vendors are in line, you know, so there’s that technical side of it, then there’s the business side of it, and then, right, we’re throwing in the human side of it. Do security leaders have the bandwidth to take that on? So if you’re managing a team of five or six people, not only you’ve got kind of, you know, the business over here, the tech here, and then your team, and then also, as we said, not everybody is comfortable with that human personal side. And so where if you’ve got a security leader who maybe isn’t comfortable going through and saying okay, we’re all going to talk about what stress it is, I mean I’ve heard everything from like there’s no such thing as soft skills, you know, suck it up and deal, and not everybody thinks that way, and that’s good, but there are definitely some uh people who work for people that have that attitude, and they’re flailing. How can we help security leaders manage everything like that coming at them, all of those pillars to worry about?

Jamie Fullerton: Yeah, it’s interesting. I guess I’ll lead with there isn’t enough bandwidth right now, just generally speaking. I think some security teams and programs have it easier than others, you know, I think that’s a fair assessment. There’s never enough time in a day to get it all done, and the landscape is shifting and changing, the situations are changing so quickly throughout a given fiscal cycle, it’s not like you can prepare for the majority of things you have to tackle beyond on paper. When it comes to managing it, and, you know, managing it within the team and across the business, I think there’s a few important things. First off, you’ve got to have the same level of discussion with business leadership, the organization as a whole, and the audience that’s being serviced by the security team. You’ve got to have the open discussion about what the capabilities can be and what the expectations are and what um outputs can be achieved from a security team. So uh when I work with C teams, oftentimes the CEO is very vocal about their time and their bandwidth and their availability, and they’ve got this very uh nicely um established shield of uh corporate administrative services and uh SWAT teams around them to help manage uh peril and like excitable things, and they’ve got folks in front of them that field certain questions and direct it to the CEO, and you’ve got lots of filters set up and things, and it’s very active discussion. Like the CEO is always projecting, if they’re good at their job they’re projecting how much uh they can give and how much they need to take. I don’t know that we found our stride in security leadership how to have that dialogue in the same way and be perceived at that level in the company. So that’s one part of it. Um, the other thing is bad things happen all the time, and when you’re the team that handles the bad things while also trying to project deflecting the risk and also building the systems that anticipate and measure and like gauge the risk and all these things, like, uh, you’ll find yourself in firefighting mode the majority of the time no matter how good you are at the job. That’s it. Uh, and so how do you fix that? Um, constant dialogue with the business and the team, constant analysis, constant hindsight analysis of what’s gone on, and then just being willing to accept uh what you can change and what you can’t change, and have the business be there with you to accept how much risk versus reward is happening, and at some point you just kind of gotta let some things fall. I always feel um empathy towards folks that have been big breaches and immediately people heap on and say, well, you should have done this, if you had done this it wouldn’t have happened, all you had to do was this one thing and you failed at it. And I often look at that and say, ah, that’s, 99.9% of the time that’s not the case. Like, that was the thing that got dropped of all the things that they’re holding up all the time in no sleep mode as a security team. That was the one thing they let fall, and it happened to be the tragedy. So I think that’s a big part of it. Um, but again, you know, we’ve only been around for a little while, brief moment in history here, so I think there’s also just a lot that we can’t answer, a lot of things we have to learn.

Dr. Stacy Thayer: One of the things said, I pulled this from um a really great LinkedIn post that you had made, and you had said it’s important for the security program to not only span all major pillars of the business but to also take part in significant decision making for all of them. So that’s one part, so I’ll stop there, and can you talk more about that part? Then I have another quote that I pull from it that I’d love to hear more about.

Jamie Fullerton: Back to that point about us typically being IT or technology facing and not always having a lot to do with other business functions, I’m a big believer in being involved in as much as you can. So what I’m saying there is uh, you know, get out from um technology patrolling land, uh, get out of maybe your main focus of guarding the network or the platform or the technology or the thing, and get involved in other key areas of the business where you or your colleagues might not even know the inherent value you bring to the table. Uh, and the example I use most often is sales. I’m a huge fan of sales teams and I’m a huge fan of being there to generate revenue. Security teams are almost always viewed as a cost center, they’re an incurred cost, uh, they’re a pay to play, this is the price you had to pay to be secured in your industry, to be accepted by your customers, etc., etc. Um, go to those weekly sales standup meetings and talk to your sales team and your sales leaders about how you can be present in the sales cycle to accelerate revenue generation. Go to your uh chief revenue officer or your CFO and have regular discussions about levels of security problem or abuse or fraud or other things that you deal with that are definitely cost centers, and have those conversations about your relevant data and their needs, and find out how you can achieve some things there. Go to your HR team and talk readily about onboarding and offboarding and uh employee training and all these things that you might be kind of tangentially connected to by way of owning some of the content, but maybe you’re not like a direct uh engine for accelerating those programs. So all I’m saying there is, like, be ready as a security leader to tackle any number of problems across the entire organizational landscape that might not be first and foremost in your mind, but where you are as a business are maybe more pertinent than like your day-to-day security operations. Does that make sense?

Dr. Stacy Thayer: It does. I mean every organization uh is, well, there’s something called system psychology, right, and so it’s like, you know, if your hand’s moving over here it affects your other hand over here, you know, there’s just, and every work environment, it is, it’s a system that is impacted one way or another, and the more that you can step out of those silos, um, and it creates something, some empathy as well, like when you can actually understand, oh, this is what you’re going through. Um, actually I just had to go through something where we had to um practice just sales pitch just to be able to have empathy and compassion for what our sales reps were going through, and it took me out of myself and what my day-to-day is, what I focus on, to go, oh, okay, let me see what this new role is, because we don’t always see what it’s like from other perspectives in the organization and how we’re all one big system together. So I think that makes a lot of sense.

Jamie Fullerton: Yeah, absolutely, and you want all that exposure, you want all those new perspectives and experiences, and then they also, you have to have a handle on it, because for every new organization that you visit and every new thing that you try to be a part of, there’s a propensity for the business to say, great, that’s working, now we want more of it, and then as a security leader you have to balance that, right? I work with sales teams very frequently and they always need and want the extra help, and so you find yourself having to balance that now to make sure that you’re also not moving into the sales organization and then leaving someone else out in the cold. So again, back to that, you know, uh fixed resource concept that you’ll never have uh as much as you wish you had, uh, you’re back to that balancing game, and all the while, while you’re doing all these things that you should be doing, you’ve got to maintain the foundation and keep it strong, so that as you’re off doing different things your core team and your core functions are all being maintained. So um it’s easy to say that out loud, like, oh yeah, you should just get up in the morning and go talk to more people across the business and learn what their problems are, help solve them, right? I mean, uh, but that’s the right answer, but then you have to be a sensible leader and do it correctly.

Dr. Stacy Thayer: One thing I’ve done is uh, I always with people in my team have uh sometimes 15-30 minute once a month, even just to kind of reach across the aisle and say like, hi, I’m alive, um, how are you doing over there? And even though there’s sometimes I’m like, I want to skip it, you know, whatever, I’m always enlightened to hear what my teammates are working on and what’s important to them. Um, but especially in a remote environment, um, it’s so easy just to get wrapped up in what’s right in front of you and what, you get those blinders on. Um, plus if you don’t like speaking to people, no, I’m just gonna sit here, and I am 100% guilty of this, of like, oh great, another meeting, another person to talk to, and then I’m glad I do, but it’s a force function.

Jamie Fullerton: Yeah, yeah, it’s muscles you have to exercise. I’m around introvert and I’m absolutely incapable of mapping faces to names right up front. It takes me so long to map a name and a face and a thing, you know, that the context is helpful, but that’s how my brain is wired, and this stuff is not easy. I mean it’s really, it’s often out of the comfort zone, and uh, you know, you mentioned stress a few times, it’s stressful. I’m not designed to be in sales, that’s not my persona, that’s not my makeup as a person, and so getting involved in the sales side even today is still like really stressful and really sometimes uh emotionally and physically draining. Like the energy level is a different kind of energy and a different level of energy. Um, so you also have to take stock in what you’re able to accomplish, because you don’t want to run in there and just create a catastrophe, and I’ve had my fair share of those. Uh, you don’t want to do that either, so that’s also part of the equation.

Dr. Stacy Thayer: Yeah, well, and then another thing you said, that was understanding where your security program ranks uh is something to consider. Can you talk a little bit more about that?

Jamie Fullerton: Each time you’re entering a new organization, or maybe building a team, or maybe you’re adopting a team as a new security leader, I think one of the first things you have to do, and hopefully you get a bit of this during the interviewing process for the role, is how the organization perceives the security function, the leader, the program, the team. How does the organization perceive uh what that function does for the business, how they interface with it and leverage it and get value out of it? Uh, well, there was a really great corporate sentence right there. Um, but also, to be perfectly frank, like, what is their attitude towards the security team? I’ve had my fair share of organizations where I’ve been welcomed warmly, is great, this is a continuation of a thing that we know how to flex and we like to use. I’ve also had my fair share of experiences where I’ve come into what looks like, you know, a phoenix situation where something is just finished burning down to the ground and your job is to rise from the ashes and show an organization that it’s not going to be like it was before, and that’s a tough one for everybody. So uh, again I’ll use this phrase, taking stock in something: take stock in um the notion of how the organization views you, your program, your team, and from all angles. Are they impressed with what’s happened to this point for the sake of the company? Do they know how to leverage you properly? Are they going to re use your resources in a way that’s beneficial for everyone? And again, like the points of are you raising the quality of the decisions made by the business, are you showing and demonstrating value, is it measurable, all these like key performance indicators of a person at a company regardless of role, what’s their take about security teams and programs and leaders? It’s super important to know and also to steer and guide as much as you can to positive intent and benefit, right, and then

Dr. Stacy Thayer: As a security leader, having all that in mind, do you then use that and communicate that to your security team um to guide them?

Jamie Fullerton: Yeah, for sure, and security teams, as you know, are always interesting creatures, and almost always a really interesting blend of very deeply technically oriented introverted minds and then more extroverted, you know, non solely technically oriented people who have to deal with business problems. And back to that set of ingredients that makes your ideal team, who you bring on board and how you scale them out, how you build them as people people and how they build themselves. So at the ground level I think all of us have had a security team where we’ve had a really, really smart person who just stays in the background with the door shut and just does incredible technical things, and how do you get that person out into the open, engage with the sales team? That’s one of those long-standing challenges, yes. Um, and how do you bring in folks, um, I think another interesting one is folks who live in compliance land who are really interested in technology and really want to ramp up in deep technical stuff because they’ve gathered that interest from their interface with audits and policy and things. How do you provide a platform where they can get out in the business and say start impacting security changes in product, like hands-on keyboard? How do you do that, and how do you do that in a way where everyone in the business sees the value of that and wants to support it and resource it and fund it and all these things? By the way, I don’t have the final answers for any of these things, but that’s the core idea, right, how do you flex both sides of this thing as the person between the team and the company to great effect.

Dr. Stacy Thayer: Right, well, and therein lies, I think, the heart of why it’s such a stressful industry and what a lot of security leaders are going through: um managing up, down, sideways, and then also uh trying to keep their own oxygen mask on, if you know, like to stay sane. What advice do you have for people who are building out uh security programs, or, you know, do you have any recommended books or podcasts or resources, and what gets you through it? Because I mean you’re you’re speaking to these because you faced these challenges and and you’re living them every single day, so how do you cope with it? What do you what do you use for your resources and coping mechanisms?

Jamie Fullerton: I read a lot and I talk to a lot of my colleagues, many of whom you you know. I think it’s extremely useful to have the ears of folks that are uh in your similar surroundings, who have been there, and I’m talking both about people who’ve had a really good outcome and people who haven’t had a really good outcome. I think that’s essential. I read a lot, and uh I do read a fair amount of technical specs and and uh, you know, programming guides and all sorts of, you know, nerdy stuff, but I’ve been spending a lot of time reading books about professional sports coaching and uh books about how to go to market and uh books about how to IPO, books about how to run an M&A, books about how to build a board of directors, and and I’m I do that because I’m trying to reach either above where I’m at or off into another parallel from where I stand, so I can understand the perspective there. Um it also, I think also if it has a strong tether to your personal life, something that you do, again for me it’s the extreme mountain sports. I’m really interested in how to coach people, I’m really interested in how to coach myself and navigate myself through really stressful um situations, so books I read are are are maybe oriented towards how to how to deal with the stress of a really hard um mountain scenario, like how do I get up the mountain and down and down safely. Uh I think that that perspective helps me build more effective armor. So um I can give you a quick example. When I’m teaching a new student how to paraglide, one of the big things is is how to I go up, like how do I take this this soft fabric wing and how do I go up into the sky 15,000 ft like they’re doing up there, and these are new students, and and you’ve got to coach the the sensible path to going from standing on the ground to being 15,000 feet off the ground underneath fabric and string. And um, you know, you mentioned earlier, you use the phrase you have to go through it, you have to move through it, and that’s exactly what it’s like to ride a thermal and a paraglider. You you can’t dance around the edge of a rising column of air and expect to go up like like a like a a bird of prey does. You’ve got to engage that thermal directly, you’ve got to feel and sense where it is, the size and shape and scope and upper trajectory of that thing, and you’ve got to develop the skills to get your wing into it and to pivot and ride that rising column of air steadily thousands and thousands of feet. You’ve got to get in there and you’ve got to ride it, and it’s going to kick you out and it’s going to deflate your wing and it’s going to throw you all over the place, and it’s it’s physically uncomfortable and sometimes it’s really scary. And um if you if you focus on like the fear and the apprehension and the overall uh sensation of it and map that against your actual risk scenario of being in like a really well-built paraglider that has a lot of safety features and your your your secondary chute, you can throw your your emergency chute and everything, uh if you drill down on the psychological side of it, why am I afraid, like why am I apprehensive, why am I not charging into this thing that’s going up meters per second, like why am I afraid to hit 15,000 ft and dot out into the sky, if you focus on that aspect of it and go beyond like the I know I need to know how to fly a paraglider really well, yeah, but you also need to deal with the stress of falling several hundred feet vertically before you get your wing open again. And so that’s why I mentioned things like sports psychology or core fundamental classes and books on building business and navigating like boardrooms or exit strategies or just go to market strategies. Don’t have to be an expert in it, but you got to expose yourself to all the stressors and risks and and like scary things and get a perspective of how other people deal with that, so that that’s way more useful to me now than like the the latest O’Reilly book and like how to how to crank out Go. I mean it’s just it’s so far down on the stack now.

Dr. Stacy Thayer: What I’m what I’m hearing is is pushing your comfort zones, knowing your recognizing your own stressors, but also recognizing what stresses other people out too, because that’s what whatever the CEO is stressed about is going to impact you, whatever the revenue officer is stressed out about is going to impact you. I mean again it comes kind of back to that system. Um I mean I’m scared just listening to you talk about paragliding, so I know where I stand, but um but I think whatever it is, yeah, it’s it’s recognizing, you know, so so for me my stress management, what what heals me, not just like, you know, zoning out and binging my TV shows or playing my video games, but for me is travel. And uh we were talking about I just went to um Africa by myself, and the what I get a lot of is like oh that’s so brave, and it’s like well no, I know what to expect, I know where my risk factors are, I know when I, you know, get off the the um the plane somebody’s going to be there waiting for me with a sign in my name. So okay, so I know that my plane was late at one point and I’m trying not to panic, but I had to think out okay, what’s the worst that can happen, what’s my plan. Um and so again, the the old adage: the more you know.

Jamie Fullerton: Absolutely, and you’ve you’ve built that framework of risk reward uh scenarios and you’ve built that framework of risk management, and you also have fallback procedures for when something goes wrong. You know, when we’re in the air and something goes wrong, like we we do train, we have specific things we do in specific orders to deal with a very fast situation to make things right again, and that’s the same with, you know, the other other sports like rock climbing or or downhill mountain biking or whatever it might be: like think and respond in an orderly fashion, wire yourself to the problem and solve it mid problem. Um and that’s about as that’s as much about knowing your limits as a person, like when does stress push you into a nonfunctioning state, like where’s your what are the stressors that drive you to be unable to physically or mentally react clearly. And of course we’re talking about business here, so I know it’s a little funny, but, you know, when you’re dealing with billions of dollars worth of of company and you’re dealing with perhaps um, you know, millions of customers, I feel like it’s the same level. If you can equip yourself with those those things, build those into your system, whatever it might be, it frees up a lot of bandwidth, which you don’t have enough already. It frees up the bandwidth to think and process and develop solutions. If you are a longtime pilot, when you have a collapse and you and you fall, it’s not always a big stressor, it’s more of an annoyance to get back on track to where you are and where you want to be. You’ve internalized that, you’ve you’ve practiced it, you’ve rehearsed it, and you’ve reinforced mentally your your stress model so you can kind of push it back and you can you can solve the problem, very similar to how people are trained to deal with combat situations, right, it’s very well published thing and very well discussed thing. Mapping all the way back to like you’re never going to have as much as you need and you’re probably not going to have enough bandwidth in any given day, you might as well build and practice these systems as much as you can to open up as much bandwidth as you can to like thinking and logically processing and moving through the problem. Again, and not professing to be the expert or have all the answers, but that’s the system that a lot of us use out in the mountains. I find it’s really useful to bring it into the business environment, and I know there’s a lot of executives out there who are very proud of like climbing big mountains, and that’s part of what they’ve done to achieve that.

Dr. Stacy Thayer: Well, the more you put yourself in those situations, or the again, as we said, going through it and saying okay, I’m going to face this head on, what the challenges are, what my fear points are, how can I lead my team, how can I communicate the value, how can I get people to support me, um facing all of those builds the strength to be able to um also handle it when they do go sideways, or to be able to anticipate. Um and a lot of people who are in security also have that reaction mechanism of what am I going to do in case of a breach, and to be able to not freak out, not panic, but think clearly, so to take that skill set and apply it in also a business and a human setting as well, well um to take it on, I think that makes

Jamie Fullerton: It’s going to happen, it’s going to happen. You’re going to have a day where you wake up and you’re going to have a breach or you’re going to have a serious problem, if and if you can admit like day one on any job that it’s going to happen. Don’t don’t go in and be the security leader who says I’m here, it’s not going to happen on my watch, and I think we all say that, have said that out loud at one point in my career, like over my dead body or not well not not on my watch, and it it’s going to happen. So if you just go in there, you know, I’ve had I’ve had incidents out in the mountains and things, and and, you know, there’s injury and there’s all sorts of stressors and things, and and yeah, there there are people out there that have definitely lost their lives doing that kind of thing, and and I know many of them, and they still went out there and did it and admitted to their themselves like hey, I want to be a CISO. And uh there there’s a lot of humor around this part of being a CISO, like it, you know, it’s it’s a it’s got a shelf life and and you’re going to get whacked.
Both of those things are true, so if you build that entire system around that notion, at least again you can free up the bandwidth to deal with as much as you can until you get whacked, and when you do you can hopefully process a lot that a lot easier, a lot better than if you didn’t have that construct. But be ready for it. Like I guess the biggest part of like this whole conversation is if you’re going to be a security leader, like get ready to get dirty, get ready to get whacked, and get ready for some really stressful times in your life, and if you love it you love it. Yeah yeah, and that then and prepare with those coping mechanisms and all the resources, you know, that you talked about, because you can get through it, and there’s a lot of really successful CISOs out there that um that even, you know, do get whacked or do struggle with stress, but um when it’s your calling or it’s something you love to do um you find your way through it.

Jamie Fullerton: You’re definitely not alone. There there are so many stressed and emotionally impacted and damaged CISOs out there who have seen a lot more than I have, who are still standing and are still performing marvelously in the industry, and they’ve just developed really good coping mechanisms. And then of course, as you know, we go off, we pull off steam, and we go out there and we do things that are seemingly crazy to like reset ourselves, and I think that’s great.

Dr. Stacy Thayer: Jamie, thank you so much for your time and your insight. It’s been awesome to have you here, love catching up and just chatting, um so great to have you, and to all the listeners, thank you so much for uh turning in tuning in to this episode of CyberPsych, and I will see you next time. Thank you.