The Difference Between a Startup CISO and an Enterprise CISO | James J Azar
Guest at a Glance
💡 Name: James J Azar
💡 What he does: James is currently the CISO/CTO at FinTech/SaaS and a host of Cyber Hub podcast, CISO Talk, Good by Privacy and Daily Cyber Hub podcast.
💡 Where to find James: LinkedIn
- Discussing the difference between a startup CISO and a CISO within an enterprise organization
- Why is the maturity of security teams a real thing?
- Why defining security maturity in larger enterprises is difficult
- What is a startup CISO's bleeding neck challenge?
- The main factors in the decision-making process that trigger a startup CISO to buy a cybersecurity tool, product or service
- What are differences or anomalies in the cybersecurity market that partners can take advantage of to stand out?
- Why is podcasting still valuable in the cybersecurity community?
- Cardinal rules cybersecurity vendors are breaking in the eyes of a security practitioner
What is the difference between a startup CISO and a CISO within an enterprise organization?
Before his last few roles, James was the CISO for a $200 million a year company, so he clearly sees a huge difference and here is why:
In a big enterprise:
You're less in the day-to-day of cyber operations and more in the day-to-day of building the bridges. You need to continue to develop your security program and then solve problems for your VIPs, directors, and then your downstream employees.
In a startup:
The CISO role is far more intense and it's more intense for a whole slew of reasons. Startups don't have a lot of money. Knowing that you're building a product, it is really important to have security built in from the ground up, because it is a priority.
“So, you're a CISO but you're a security architect and you're security engineer and you're analyst. And you're dabbling with compliance and privacy. And you're doing everything and you're trying to do it on a shoestring budget and the creativeness and your ability to squeeze the lemon for every single last piece of juice is so critical.”
“The one thing I would say about a startup CISO to an enterprise CISO, the difference is, and I'll compare it to food because everyone relates to food, it’s the difference between being in a restaurant where waste is acceptable to the new trend of zero waste in new chefs, where they use every single bit and piece of every vegetable, fruit or protein or carb.”
You have no room for error. You find yourself having to be very creative with the kind of vendors you pick because they become your partners and they truly do become your partners, the way you negotiate and buy from vendors and how you set those expectations.
“Everyone's so busy building their own thing that all they care about is just get me the layer of defense…I need to do this. And so you find yourself having to be more in tandem. And I think in a startup, because startups are smaller, the relationship aspect is much, much easier than per se in enterprise.”
In an enterprise, everyone has a title and you have someone who you report to. There's kind of like the structure, the separation. But in a startup, everyone's with everyone.
Is the maturity of security teams a real thing?
Different organizations have different challenges. Maturity of the security team breaks down into two distinct things.
“I thought I had a very mature security team because I hired very, very smart people to do very smart work. In larger enterprises though, I can tell you that sometimes you have teams that are in play not because of maturity but rather because of immaturity and lack of innovation.”
These are people trying to maintain a system that really should be revamped, but no one wants to revamp it, or there is a lot of headwind in revamping it for a whole slew of reasons: cost, talent, and potentially people thinking that if they revamp a product, they lose their job.
“I think there is such a thing as a mature security team, to answer your question bluntly. But I think that that's a bigger challenge in larger enterprises to define maturity.”
Why is defining security maturity in larger enterprises difficult?
If you look at most large enterprises today, when you look at tech stacks and some of the bigger companies in the world and if you've ever sat with one of them, you would probably sweat a little bit more about the technology you use if you knew what was really powering it.
“It's not maturity of being able to kind of recognize what a team needs to do and what a team has to do to reach that kind of, I don't want to say ultimate goal. I think where my brain's going is to reach that implementation of it. You can have really smart people work on really dumb projects sometimes and I think in enterprise, a lot of times that's more common.”
And then there's the issue of budgeting.
I think that's another CISO question, which is, can you have mature programs? Then there's an issue of spending money. And sometimes you have to spend that money regardless so you end up buying things that you only maybe need 5% of it, but you're buying it and you're buying it to spend the money so that you don't lose that money next year.
"If someone is able to come under budget, don't take it away from them. Understand that they're probably trying to get things done."
It's easier to get things over the finish line in a startup than it is to get things across the finish line in an enterprise.
“In startups, we want to get things done. That's that mentality. So if you're able to be a system in an enterprise or a startup mentality, run lean operating teams are able to get things through the finish line, I think most of our enterprises will be in much better shape.”
What is a startup CISO's bleeding neck challenge?
Budget. It’s always budget. You're always fighting for money as a startup - budget, always. Every conversation a startup CISO has is with a CFO.
“You're always having that conversation because you always want to keep the budget top of mind in a startup, because as they raise more money in the US, they're kind of looking to break funding down; you want to make sure you get yours.”
As a CISO, that's the top responsibility - to make sure that you're constantly getting the allotment and understanding how finance works.
Some companies will use different buckets for different things and a lot of times we miss that as CISOs.
“If I took an enterprise role again, I would have an accountant for my security team. I would have someone in accounting on my security team that would understand how the company's budgeting and different buckets worked so that I can maximize my budget gap.
I would have an accounting and a marketing person on my team, no questions asked. Those would be two roles I would budget for and would have on my team. Because you can't run an enterprise without those tools.”
What are the factors in the decision-making process that trigger a startup CISO to buy a cybersecurity tool, product or service?
But equally of value is how supportive is that partner going to be to the CISO's program.
"So in the last year with vendors we worked with became friends and family with so many vendors because of the partnership we developed.
And so in a startup, I think the difference is you're looking for partners, you're not looking for vendors. The V word didn't exist in my lexicon in my last role. Everyone I met with was I'm looking for a partner. If you can be a partner, great. If you can't, then we probably won't work.
And I can tell you I've passed on companies because I didn't feel like it was a partnership. I felt like they were looking for another logo.
And I'm not interested in your logo. I'm interested in having you be a security partner to my program. Meaning are you willing to jump on a weekly call or a midnight call if I need you to? Because I don't have the team.
I don't have all the expertise and I'm going to need you to support us. And if you can do that, then we've got a contract and we've got a partnership and a long term one because I'll never forget it. If you stuck with me when I'm weak, when I'm big and strong, you'll never go anywhere unless your product becomes so away from what the market norms are and so neglected that you become a risk or liability from a program."
What are differences or anomalies in the cybersecurity market that partners can take advantage of to stand out?
Third-party collaboration products.
We're a dispersed workforce. People are all working not all over the country but all over the world. You can work. You can have people on your team that are in Israel, UK, Austin, Texas, San Francisco, California, Atlanta, Georgia, New York and Miami. And you can still have people in Bangladesh.
All this new collaboration software is now becoming a greater liability for an organization, and it costs money. So you're paying for collaboration software but no one's thinking about that security. And the way that security works is it becomes kind of like a third party.
“I think that's one anomaly where I think the more collaboration tools there are, the more DLP you're going to need and the more data visibility you're going to need. And I think that's going to be critical.”
Why is podcasting valuable in the cybersecurity community?
There's inherent value in the conversation over text.
That's because we live in a social media world, we live in a Twitter world.
"For all of us in security, we look at that and we read research papers. And really, what most people don't know is, if you ask any CISO, two to three hours of their days are dedicated to reading, like literally reading, whether it be white papers, whether it be threat reports, whether it be architectural reviews or diagrams, you're really constantly reading.
And there comes a point where your eyes are tired and your brain's exhausted and you want to listen. And podcasting tends to be that medium."
You're able to get more across in 10 minutes in a podcast every single morning, talking about all the headlines that are out there and picking four or five of them and going into what does it mean and what you probably should be doing this morning to address it than it is to go read an entire CVE notice and consider what it means.
“What podcasting is all about to me is the ability to articulate ourselves and create a community. And you feel something when you want to talk with people that are listening to us, they'll relate to our personalities based on how our voice makes them feel, based on the way we communicate and what we say and how we say it.
I think that's very different from reading because I don't know, I read a lot. You can tell behind me there's a whole slew of books and there's even more. I've got a whole library upstairs. I enjoy reading, but when I read, you kind of imagine the author's voice, but when you're listening to a podcast you get the author's voice.”
What are the top three things that stood out to you or surprised you from all your conversations with those CISOs?
- The challenges of yesterday remain the challenges of today. Smart people and security, thinking outside the box, a lot of CISOs share that kind of challenge.
- Getting security top of mind across your executive leadership.
- How do we get security top of mind at the board? How do we communicate security? How do we build our ROI out of security?
There are a lot of things that are top of mind for a CISO and there's a big difference between young CISOs and more mature, more experienced CISOs.
"I've had the opportunity to speak to both on CISO Talk, and you'll see that the younger CISOs are more concerned with technology, while the older, more mature, more experienced CISOs are more concerned about relationships and visibility.
That kind of goes to how when we're young, we tend to want to solve all the problems. And as we grow older, we realize that the only way you can solve problems is if people have visibility to the problem you have.
So if you don't know that you have a problem, if that problem isn't being communicated effectively, then it's going to be very hard to solve."
Cardinal rules cybersecurity vendors are breaking in the eyes of a security practitioner
- Get away from buzzwords and just give a one-minute video of what's the problem you solve. If you can't tell them what you're doing in 60 seconds, they are probably not taking the meeting.
- "Just give me 15 minutes. Can I get 15 minutes on your calendar?" CISOs don't have 15 minutes most of the time.
- A lot of times people are approaching the CISO thinking they're going to go top-down approach.
“And at least my style is you're going to go to the people who your product is going to be helping them make better decisions and get better visibility, be able to operationalize if they're interested in the product, if they see it as being something that adds a lot of value to them, that's a conversation and I'm willing to get on.
But what I'm not going to do is get on a 15-minute call for no reason. And I also think that you really, really need to train your SDRs. That's often overlooked but if your SDR doesn't come from a cyber background, investing in having them speak, you're going to burn your company, have an inexperienced SDR, jump on a call and say, we guarantee that this will never happen with our product.
Like right then and there we go, all right, how do you guarantee it? And within 2 minutes, I shred that poor person's confidence, not because I want to but because he's been restrained to go back to his boss and get the proper training of what to say and not to say."
- AI. "My favorite one is when people drop, AI do this. I'm like, so tell me the basic principles of how your AI operates? And they can't answer that."
A kind and critical request from James
Follow the passion you've got in security to the max. Don't be afraid to fail in security. Security is 95% trial, 5% success.
You're going to try a lot of different things and fail before you find the right solution. Whether being enterprise or startup, don't be afraid to take that risk.
“And I think for security partners listening, get rid of the word vendor and start using the word security partner in everything you do. Look, how do we foster partnerships? Talk to your solution architects about that partnership and make that word a dollar in the pot every time it's used in a sales call.
A lot of them use all these different kind of sales performance tools on Zoom calls. But make the word partnership kind of like a word goes on the board and gets counted positively. I think we all want to work with good partners, but we want to feel the same way. I've told security partners and I've told vendors before.
A difference between a vendor and a partner is that I hear from them every month even though I don't need to."