Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
If You Aren't Using Intelligence You're Chasing the Threats
In this episode of Unspoken Security, AJ Nash is joined by Lisa Ackerman, the Deputy Chief Information Security Officer for GSK (formerly known as GlaxoSmithKline), a British multinational pharmaceutical and biotechnology company.
Lisa and AJ talk about the value of building Intelligence-driven security programs, particularly the vital aspect of impacting decision-making. They also both shared the complicated - perhaps unusual? - ways that career Intelligence professionals think and communicate about threats, risks, and preparedness.
Perhaps most interestingly, Lisa shares how she not only took her skills from the Intelligence Community (IC) into the private sector to build threat intelligence programs based on the IC’s best practices, but has become one of the very few Intelligence professionals to become a leader in the CISO career path.
Having transitioned from being a provider of Intelligence to being more of the consumer (on the CISO side), Lisa talked about how her perspective has changed, how it hasn’t, and who she thinks the “CISO Whisperer” (the person CISOs trust the most these days) is.
Finally, as always, the show wraps up with Lisa revealing something that had, to this point, gone “unspoken”...and Lisa delivered some great stories and insights about how having the guts to leap into challenging situations can be a key to growing a career.
Unspoken Security Ep 7: If You Aren't Using Intelligence You're Chasing the Threats
Lisa Ackerman: [00:00:00] being able to take information that you can get and glean that intelligence from that. And then use that to get it to the right people, like our executives, uh, or defenders or whoever that is that needs that, that intelligence to help them make decisions to either protect a building or protect a network or bank accounts or whatever it is, you are ahead, a step ahead of the actors.
Right. And that's really where you want to be.
AJ Nash: [00:01:00] Hi, and welcome to another episode of Unspoken Security, brought to you by ZeroFox, the only unified external cybersecurity platform. I'm your host, AJ Nash. And for those who don't know me personally, or are first time listeners, I'm a traditional intelligence guy who spent nearly 20 years in the intelligence community, both within the US Air Force, and then as a defense contractor.
Most of that time was spent at NSA. I've been in the private sector for about eight years now, uh, primarily building or helping other people build effective intelligence driven security practices. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I'm also deeply committed to servant leadership, which is why I completed my master's degree in organizational leadership at Gonzaga University.
Go Zags! Uh, the goal of this podcast is to bring all of these elements together with some incredible guests and have authentic, unfiltered conversations, even debates, about a wide range of challenging topics most of us are faced with [00:02:00] today. This will not be the typical polished podcast.
You may hear or see my dog. She's right over here right now. Uh, people may swear here. Uh, we may argue or debate and that's all okay. Uh, think of this as the podcast, you know, this podcast is like a conversation you might overhear at a bar after a long day at one of the larger cybersecurity conferences.
These are the conversations we usually have when nobody's listening.
So today our guest is Lisa Ackerman. Lisa's an Air Force veteran, security and intelligence expert, and the current deputy CISO for the British multinational pharmaceutical and biotechnology giant GSK. Lisa, uh, to help the audience understand you and better connect with you.
Like, obviously we know each other, uh, cause we've been friends for a while and you should pick better friends, but to help the audience connect, can you tell us more about your background and a little bit about your current role at GSK? What's that look like?
Lisa Ackerman: Absolutely. Thank you for having me on the show. I really appreciate it. I'm glad to see you put this together. Uh, so as AJ said, my name is Lisa Ackerman and I'm currently the deputy CISO and vice president of cybersecurity [00:03:00] strategy and solutions at GSK. I've been in place for almost around 10 months now and, uh, recently coming from the financial sector where I was the global head of cyber threat intelligence.
And then prior to that, I worked for the U.S. government in some capacity my entire life. Uh, so I joined the Air Force right out of high school. Um, I was a SIGINTer for those of you who know what this is. Did it, it, it, it, it, it, it, it was my role. Only I listened. I didn't actually send it. Um, So, uh, I was in the Air Force for a bit, uh, uh, like I said, signals intelligence, and then I got out of the Air Force and worked for many, um, large and small contractors, uh, supporting the government, and then did a stint as civil service in the middle of my career, where I was an information system security manager for a military base.
Uh, seen a lot of different things. I've had a lot of different kinds of roles, uh, never focused in one particular area other than intelligence, uh, for almost all of that time. I've been working in cybersecurity since the late nineties, and I am very passionate about teaching people about cybersecurity and cyber awareness.
Um, I actually, uh, just, I was quoted saying as it should [00:04:00] be second nature, like brushing your teeth. Also should be like, uh, crossing the street, whether you look left or right, if you're in the other part of the world, um, make it just part of who you are, uh, because cybersecurity is everyone's responsibility.
I like to use intelligence, uh, to support that, um, and being threat driven and everything that I do, um, at GSK, uh, my role is, um, uh, different than what I have done in the past, uh, here I'm actually responsible for our cybersecurity architecture and engineering. Making sure that we build the right solutions for our defenders to protect the organization.
So taking what I've done, um, and applying that to what our defenders need. Uh, it's a really good benefit for GSK, I think, and for me, because I get to learn a lot about building the solutions that we need versus just using them.
AJ Nash: That's very cool. I remember when you said you were going to move over to GSK, how excited I was for you. I mean, it's a, it's an interesting gig, right? A huge company, massive landscape, obviously everybody knows who GSK is. And, and I say that out loud for those who may not realize the branding Glaxo SmithKline is some people may still remember, remember that name, right?
But GSK is, is everywhere. Right. [00:05:00] And, uh, I was really excited for them, frankly, as much as for you. Cause I, you know, we go back a ways, I was saying, we'll talk about your background, but I think they were very lucky to get you in. And to have a chance to really, you know, add to their skillset and get stronger and safer.
So it was pretty exciting. And, you know, as an Intel monkey myself. Seeing somebody with an Intel background moving in that CISO track. And I know we're going to talk a little about that going forward is interesting, right? There aren't a lot of folks who came out of the IC came out of the Air Force and intelligence backgrounds who've moved into that track yet.
I think we're starting to see more of it. Um, so I definitely want to dig into that a little bit and see. You know, hear from you on how that's been going and how that feels. But I'm, I'm pretty excited about, uh, learning about that. And obviously, you know, thrilled that you were able to make it today. You know, we're lucky to have you to have you with us.
So, and interesting for anybody who didn't recognize that, that, that, that, that, uh, you know, obviously it's Morse code. Uh, Lisa was we would call a diddy bopper in the air force. Um, you know, it's, uh, she was Morse code. I was a linguist. So we sit next to each other a lot of times. It's just her language is all bits and dots and ours is something.
Thank you. That you might get to read on a menu at a restaurant. So, uh, very cool stuff, uh, similar backgrounds. Uh, all right. So let's jump into the heart of the [00:06:00] discussion today. So today's podcast is entitled "If You Aren't Using Intelligence You're Chasing the Threats." Now, listen, that's a pretty bold title.
You know, we helped come up with it. So, you know, obviously, you know, we both feel pretty strongly about the concept of being proactive. I know that, right. You know, we talked a lot about proactive security. You know, it's, you know, if you talk about, say, looking at JP two dash zero, um, you talk about being on a, on a proactive scale.
You know, and everything else is reactive, right? And I'm a big believer in that. You know, I've I've leaned into that heavily. I know you have too. You've built teams and career off of this. So, you know, with that as the foundation for the chat. I do want to take a look at some comparatives here. You know, what do you see having come out of the government space and been in the private sector now on having such a wide aperture?
You know, what do you see is the biggest differences in how we think about security, physical and cyber? Really? Um, you know, in the private sector is compared to, say, military and defense backgrounds.
Lisa Ackerman: So I think, um, it's changed a lot just since I've been in the private sector. Um, when I first came into the private sector, I got asked a lot. Why intelligence, um, because a lot of, uh, private entities [00:07:00] did not really have a big intelligence organization. Some of the bigger firms did, right? But the smaller ones, no.
Um, but we've had a lot of events, uh, since then that have actually turned people's heads and really want to understand the value of intelligence. I used to laugh actually, when I got the question, what values are in cyber intelligence. And I would just laugh because to me it's second nature, like I mentioned before, right?
Um, so I think about that kind of stuff all the time. but the layperson does not. Um, you know, you've got our kids who are all over TikTok and... Don't understand, I don't understand, um, why anybody would want their data if they don't know the term influence operations, right? Uh, or, even other social media, you know, we're, we're so prone to brag about what we do and, and how we do it.
Um, and then just kind of changing that mindset, right? And even from a physical and a cyber perspective, um, know, in the government, physical and cyber, we're together. Right. We hand in hand, we did it. Um, when I was, um, civil service, I actually was part of a group called the threat working group and we brought in physical and cyber, um, threats [00:08:00] and we talked about it as a group, um, and decided, you know, do we need to raise or lower our.
Uh, threat or information conditions. You're familiar with that term. did it as a group and we took that recommendation to the base commander, and then we implemented controls around that, right? Either to protect the base or our users, our network. I mean, I was doing phishing exercises before phishing was even a thing. Um, you know, it was, uh, it's just an adjustment, right? And so, but physical and cyber, we're very much together. In the private sector, you see a little bit of that, um, depending on who's running operations, but generally they're separate. Um, but during COVID and the Russia Ukraine war, you really started seeing those come together.
Um, because intelligence brings in a lot of information and it could be related to fraud, uh, at an ATM, it could be related to, um, uh, protests at a building, you know, you want to make sure that you're getting that information to the right people because the whole value of intelligence is decision advantage.
mean, you can sum it up in those 2 words, the more information that you have, the better you are equipped to make decisions and smart decisions at that. Um, and so trying [00:09:00] to bring that concept in because a lot of organizations are very risk focused. What's my risk of this? What's my risk of that? Well, a really good friend of mine that you and I both know advised me once that you can't understand your risk.
Without intelligence, and I heard that and I took that and I dry with that. Right. And so trying to
AJ Nash: You want credit to who that was? If you don't, that's cool. If you don't want to, you don't embarrass
Lisa Ackerman: know, is Levi a gundered over it to record a future.
AJ Nash: Ah, now I know why you didn't say that. It's okay. We'll cut that one out later. We'll cut that one out. Don't worry about it. He's right though, but we'll cut that one out.
Lisa Ackerman: He's definitely right. Um, but really, if you think about it from that perspective, it puts, it puts it into perspective, right? Um, being able to take information that you can get and glean that intelligence from that. And then use that to get it to the right people, like our executives, uh, or defenders or whoever that is that needs that, that intelligence to help them make decisions to either protect a building or protect a network or bank accounts or whatever it is, you are ahead, a step ahead of the actors.
Right. And that's really where you want to [00:10:00] be, uh, regardless of who the actor is in this case, but
my take on it.
AJ Nash: think, no, I think you're right. I mean, I think those are some excellent points, right? And you know, I, I think the difference between the government side and the private sector, right. Obviously I came out as well. And I think the first one was the big one, right? You said like, just to help people understand, like, why, what's the mindset?
What's intelligence? Why do we think about it this way? You know, why does it matter? Like I spent a lot of time on the, just what is intelligence? I was surprised at how much time I was going to put into explaining that, which is nobody's fault, it's just my ignorance. Having come out of the government space, you know, we spend so much time doing this and you said you've been doing this your whole life, right?
I know, you know, before we got on, you mentioned you went in right out of high school, like you were 17 when you're force. So like literally your entire adult life, you've been doing Intel. I was a little bit older. I went in my early twenties, but the thing is, yeah, this is all normal for like, this is how we think.
I didn't realize how differently we in the Intel community think until, you know, I started making comparative notes with just like friends, you know, and, and you talk about just anything from like going to dinner to traveling, whatever. And you realize that [00:11:00] what we think about. It's just different, right?
That's second nature thing. You know, I, I, I still look for like exit paths when I go to restaurants and people don't do that. Like worst case scenario, thought process popping in my head on all sorts of things. People like, oh, you're a downer. I'm like, no, I'm not negative. This is just how I think. Like, I don't think this will happen, but here's the worst case.
I'd like to prepare in advance for stuff. And you just realize, like, it's second, like you said, second nature. I've been doing it for So security
Lisa Ackerman: say my back to the door.
AJ Nash: That's right. Yeah, every restaurant, you can tell when we get seated, you know, which side of the table I want, you know, people are with me. Don't have to ask, you know, exactly which side of the table I'm going to want.
Um, you know, so, you know, we go into movie theaters. I'm looking for people with packages. You know, I had that happen. It wasn't that long ago as well. Now it was because I'm old. It was a few years ago in Maryland. We had a folks show. We went to a movie. It was, uh, one of the Batman movies and somebody came in with a suitcase and sat down next to us.
Now, it turns out the mall in Maryland where I used to live, uh, is near the airport. I guess it wasn't an uncommon occurrence for people to have delayed flights or whatever. And so they catch a movie, but there had just been a serious attack at a movie theater somewhere else in the country. And I was very unnerved.
[00:12:00] And this guy also was just acting sort of sketchy. And so, you know, We ended up leaving before the movie started. I was like, he sat next to me. It was, it was in a perfect spot. If you want to blow up the theaters in the middle of the theater, like get all the right locations. I was like, I'm sure he's nothing, but I just couldn't get comfortable.
So I left and had to talk to the management. I got my money back, but I also was trying to explain to them, maybe there's a better policy here. Maybe you can lock up bags someplace where. They couldn't. I mean, they had no understanding why I was this guy. Why? Why would I even think this way? I was like, I don't know.
I can't. But, um, I was like, this is that's just the way we think. Right. And so, of ruined the night for myself and my date who, you know, we were fine. We didn't see the movie. The theater did not blow up. We saw the movie day. Yeah, but I couldn't not see it. Once I saw this guy and I kept watching his behavior and I was like, this is something off here.
And maybe there was just wasn't that apparently, um,
Lisa Ackerman: you often get accused of being paranoid?
AJ Nash: Oh, yeah, often. And I try to tell people I am not paranoid because, you know, you know, I'm just prepared. There is a difference. Right? I don't think these things are gonna happen. I don't tell people, you know, stairs and start planning about like, I [00:13:00] think it's coming.
I do these things to be prepared. There's a difference. It's subtle and can be lost on people, I think. Um, but no, I don't consider myself paranoid. Now, there's also the old joke. You know, if, if you think everybody's following you, you're not a certain pair of line. Maybe they really are. But, uh, I don't think they really are.
Lisa Ackerman: Yeah, I tell everybody I'm not paranoid. I'm educated.
AJ Nash: That's right. And that's the challenge, right? You know, so I will say, you know, a couple of years ago. Um, I mean, listen, for the last several years now, the company, the country's had some turmoil. I don't know what's going details when I get very political. Let's just say the, the country is not in agreement on a lot of things.
There's a lot of things going on and it's become challenging. Right? And we've seen some of that. I've seen security. We see it in physical security and cyber and we see, you know, fomenting of, of just, of uh, Discontent on social media and where that goes and we've seen more, you know, random acts of violence and whatever it might be indoctrination.
So there was a point a few years ago now where I was like, you know, I need to start preparing for some worst case scenarios. Uh, and so I sat down with, uh, my girlfriend at the time and said, I need to get you prepared. So you don't think I've gone crazy because I'm about to do some things that you might think
mean that I've just somehow [00:14:00] snapped. So I want you to know exactly my thought process here. I'm just as rational as I was yesterday. I've just to reach a point where I think there's some decisions I'd like to make and some things I'd like to acquire for worst case scenarios that I didn't currently own. And so I didn't go full prepper and dig, you know, dig a trench in the backyard. I don't have, you know, pallets of MREs and and all that, but I did buy some things that I didn't own that.
I didn't think I would need. And I said that I was like, but if you do, I'm a big believer in, you know, better to have it, not need it than need it, not have it. And being prepared isn't a bad thing. You know, when the pandemic happened and people were stocking up on toilet paper, uh, you know, I bought, uh, 50 pounds of dried milk and, you know, and like 10 pounds of yeast.
I was like, I got a year's worth of milk and yeast. Things really go bad. Toilet paper won't be our biggest concern, frankly. Um, you know, I also. Bought guns and ammo. Uh, you know, I can get all the toilet paper I want, I suppose, if things, if you really think society is going to end, I don't think toilet paper is going to be your solution, but yeah, it's, you know, those kind of things.
Right. But like you said, so people don't think you're paranoid having that discussion. Be like, listen, I haven't snapped. Nothing's changed about me. These are the reasons I'm making these choices. [00:15:00] I know it's an edge case. It probably won't matter, but I don't want to find us in a bad spot and have to explain.
I knew this was a possibility and I didn't prepare for it. I thought about it and did nothing, you know, so. Yeah.
Lisa Ackerman: I'm never out of toilet paper now though, I'll tell you that.
AJ Nash: It's funny when that run happened just by pure luck because I'm 80 D and don't pay attention to things a lot. We had just bought like 100 rolls. And so I went out and bought 100 more. I had an endless supply turned out of toilet paper very quickly. I didn't mean to hoard it. We
Lisa Ackerman: You could have sold it.
AJ Nash: Yeah, probably. I mean, we buy it, you know, bulk, bulk buying places and we just happen have a bunch of it. I did buy an inordinate amount of hand sanitizer. I I have gallons of it still probably around here, um, and masks and, you know, all those things I did buy some stuff, but I'm about like water purification stuff in case things went really, really bad.
You know, I went some directions where we could be more self sufficient. Um, built the house here and I'm in the process of making it more self sufficient. I'm probably gonna get a whole home generator for the. Twice a year to probably get used, but I don't want to be without power. The power grids are, you know, changing a bit and I don't want to be in that position.
I might put [00:16:00] solar on the house, you know, it's preparing, but again, not going down, you know, too far down the rabbit hole. Right? And that's tough. I think for folks like you and me, because like you said, we're educated. We've seen a lot. It's easy to say. These things are possible because they are, we know they are, and others realize they are, but they become more probable for us if you see them a lot, I think, and I have to remind myself how it's improbable, so it's possibly improbable, uh, I realize is a whole nother thought process people don't have.
I've had to explain how many times, I gotta ask you, how many times have you had to explain people that don't seem possible and probable and likely and less likely and more likely
Lisa Ackerman: more times than I can count.
AJ Nash: huh. I all the time I try to explain to people, you know, I don't speak in absolutes very often. I try not to.
Um, but, uh, the difference in possible problems is big, you know, and in most people's lives, it's not. It's just a, they're almost synonymous. So Intel people think differently. We speak differently. Um, so, yeah, I found that was something I really had to explain. So I, Thank you. Um, I don't know if I can tell this story or not. Yeah, I think I can. Whatever. It's my podcast. So, um, when I first went to the private sector, I was working with an organization who was in the process of signing an [00:17:00] agreement to do business with a company, um, in a nation that could be challenging. I'm gonna really kind of clean this a bit. So I don't cross any lines.
And so I had a private session that said, have you talked to the State Department yet? And this person looked at me like I had three heads. Why would I talk to the State Department? And he said, well, there are some challenges with the company you're talking about and some of the individuals I'm curious if you've, you know, done the security assessment, et cetera, and I was clearly alien and I finally had to say, I said, listen, I don't know how to be too much more clear about this.
You know, where you hired me from. It's my first job in the private sector, our first conversation, I am aware of the company and some of the people you're discussing. You're going to have to draw your own conclusions as to why I might be have that awareness already and whether what I'm saying makes sense,
Lisa Ackerman: Mm
AJ Nash: it wasn't persuasive at all.
They went and signed the contract anyway. It didn't matter. And I was like, okay, this is a whole different world. I can't explain everything I need to explain. And some people just aren't going to see things the way I see them. And so I spent a lot of time instead trying to mitigate risks that were related to that relationship.
and I was like, all right, I'm just gonna help from that side. But I realized in that [00:18:00] moment, and you know, these were experienced, professional, executive people. They didn't get here from nothing. But I saw, we had a completely disconnect on something that they just had no background on. And I'm sure I seemed paranoid right away.
we business all over the world. It's not a big deal to do business with some of these foreign companies. I'm like, uh, some people you gotta be more careful about. so I, you know. Oh, yeah. Yeah, it's, it's remarkable. And I think another good point you mentioned was, you know, having worked with the threat group where physical and cyber were together, right, where they hand in hand, uh, I don't know about you.
I've seen, I think that's improving it from what I'm perception is that's improving in private sector, but it didn't used to exist at all. Right. They were just sort of siloed. Um, so I, I just, have you seen the same thing that that's connecting more now?
Lisa Ackerman: Absolutely. I mean, especially during covid. Um, and then again with Russia and Ukraine, like for for covid, you know, I was on the financial sector then and information sharing is huge there. Right? And we were getting lots of information, both physical and cyber and legal and retail. I mean, we're getting all kinds of information to share.
And then you start seeing [00:19:00] protests at, you know, different kind of facilities because of either they were creating a vaccine or something to do with with with it. Right? And so we would share information with with our physical security people. And then, you know, if we have locations where those protests were happening, they were able to take that information and go.
You know, put protections in place or, you know, notify the residents of those buildings that there's going to be protest and get defenses ready. Um, you know, those kinds of things are very important. Um, and then where I'm at now, we have manufacturing facilities, uh, not just, you know, we don't just do everything online, right?
We, uh, not are, are not just a pharma company, but we also do manufacturing. Uh, so we want to make sure and share that information as we get it. So there's really big, uh, shift if you will, in, in, especially like with Russia, Ukraine, where that's at, you have people who are in global and global locations.
Near, near, they might, they might not be in the war zone, but they're near it. And imagine an errant missile hitting a NATO country.
AJ Nash: [00:20:00] Sure.
Lisa Ackerman: A lot of different problems, right? So. Using, but using that intelligence to inform our decision makers on do I need to move my people? Do I need to, you know, make some changes?
Do we need to have more resiliency in place? Which is another thing we could
AJ Nash: Yes.
Lisa Ackerman: on. Right. But how, how do you take that intelligence and use it to your advantage again? And I'm starting to see a big shift. I've been seeing the shift in that physical cyber relationship. It's very, very critical.
AJ Nash: Yeah. You make excellent points, obviously. And, and the connection between physical and cyber and, and those, those potentials that people don't necessarily think about, like you said, you know, what about an errant missile? I'm sure there are people doing business right now in countries that are adjacent, uh, to the hostilities.
Uh, we're like, well, we're hundreds of miles away. We, this isn't our problem, right? We're politically neutral on the subject. Nobody cares about us and, and, and helping people understand bad things can happen that aren't intended. You can become a target by accident, or somebody can perceive you as part of their target package.
Even if you haven't, you may think you're neutral, [00:21:00] but somebody might've decided you're not something you did, you know, feeds a third party, you know, supply chain, whatever adversaries will, will decide who they're going to go after And helping people understand you, you may not be. Uninvolved just because you want to be uninvolved or or intend to be or plan to be or trying to be, you may still become involved and become a target, right?
Um, both physically or through cyber. I think that's a really, really good point.
Lisa Ackerman: Well, insider threats, another use case, right? If you, if you think about it from an insider risk or insider, Threat perspective. I've heard both names used, right? Um, but the more that you can connect those dots between what somebody is doing physically and what they're doing in the cyber world and you start connecting those dots, you can really paint a big picture and it gives you a lot of good.
Um, evidence, if you need to go after someone or actually help to prevent things from happening, if you are sharing information, uh, and do that collaboration, that's, that's another really important use case for physical and cyber.
AJ Nash: 100%. And I think you make a good point about, you know, whether I think it probably should be called insider risk and not [00:22:00] insider threat, right? It's, I mean, we can have this, right? You know, it's the threat. Plus, you know, opportunity gets you that risk factor, right? I think most people are really concerned about what's the risk of something happening, whether it's an insider outsider, you know, there's, there's threats everywhere.
I suppose, you know, disgruntled employee is a threat, but if they have no, if they're strong employee, right. Yeah. Has no access to anything. The risk is pretty low, right? You know, the disgruntled employee is is a one day a week, uh, groundskeeper, uh, who never can get inside of a facility there. The risk is probably pretty low.
If the disgruntled employee is a C level executive with, you know, with access to everything, the risk is much higher. Everybody inside of a good point about risk. And you mentioned that earlier, and it was a point I probably should double down on. You know, Intel helping people make informed decisions, which you've said a couple of times.
Intel is about decision making, right? And I think risk is a huge part of this factor is people want to make decisions based on risk. We can't stop everything. You know this. I know Everybody listening. I'm sure does. There's always gonna be a risk. You know, the goal is to be able to quantify it and to manage it and to accept what that is and [00:23:00] mitigate what you can.
And I think that's the key piece that we talked about with Intel and becoming more proactive and understanding. Everything. We don't want to have risks that we don't even know or exist. Right? So, uh, with that in mind, I got to get to the next question. I keep telling people there's three questions is all we have for the show.
And it sort of is, there's a lot of sub questions in there. I'm going to get poked by people, I'm sure, but I am trying to stick to the three. And so the second one we had on here, uh, you know, without violating any confidence, obviously. Um, can you talk a bit about your journey? So your last role before GSK was at State Street.
That's where you and I met, obviously, and I'm interested in your journey there. You went from being the new hire to eventually the global head of cyber threat intelligence. I mean, you built and led this, this incredible intelligence team that was responsible for, you know, helping with informed security decision making.
Right? And I think it's a unique effort to continue that. Uh, journey, you know, I, I, I was excited to be friends with you and to walk through that and see how it progressed because a lot of organizations don't have Intel, uh, or they do, but they're struggling to get traction to get, you know, buy in to get funding to become important to become valuable to [00:24:00] become impactful.
Um, they're always where the next budget cuts can be, you know, they're gonna go first, et cetera. And so I'd love to know more about your journey and dig in a bit of your journey at State Street from new hire to, to what you built there, um, and the successes again, without violating any NDAs or anything like that, of course.
So, uh, yeah, let's talk a bit about that though. How's your path there.
Lisa Ackerman: Sure. So I was actually recruited, uh, to go to, uh, State Street by, uh, Mark Morrison, who I used to work for in the government. So, you know, they were, State Street was smart in bringing somebody in from the government who really understood, um, operations, right? And, um, so he was brought in as a CISO over at State Street.
Um, and him and Dee Moran were there and I worked with both of them, uh, my time around DIA. And, he's like, I told him I was looking for something and he's like, well, I, I've got, you know, I've got something in mind and, and actually I, I was seconded when I first went to State Street. Um, so I didn't go to State Street in the sense I was hired on by State Street to support the Financial Systemic Analysis and Resilience Center.
So up to this point in my career, I had been active duty military. I had worked for large and [00:25:00] small contractors, seated contractors, um, and been civil service. So I had done like almost everything you could do for the government, except I'd never been a partner with them. Um, and so this gave me an opportunity to come out of, you know, directly supporting the government, to partnering with the government, to help, um, in, in this mission to protect.
Uh, the, uh, critical infrastructure of the financial services system. So, really big mission. I was very mission focused. I still am, you know, this was protecting your retirement, uh, or your money, you know, um, for State Street's behalf, it would be retirement, but for, you know, other partners that we had, your ATMs that you went to to get money out of, or, you know, You know, your bank accounts where your check was deposited, things like that.
So we, we have the systemic risk, which, you know, could proliferate across the, the, the financial system. Um, and so I was actually brought on board by Mark and Dave to, um, make sure that we set up, um, our intelligence function. So I was, uh, intelligence lead for that. And I actually helped build, uh, the FSARC at the time.
Now it's just the ARC. Uh, so we've, we dropped the financial sector. Um, but yeah, it was really [00:26:00] good opportunity to take everything that I had done in my past. Um, and, um, I had, uh, helped Mark, uh, stand up a couple of organizations previously. So, you know, I had that experience. So really, establishing those relationships with our government partners and our peers, uh, to determine and define.
What does it mean to, you know, not just identify the risk, but to protect against those systemic risk and threats to the financial sector. So partnering with the government is a big deal. Um, so I did that for about a year. Um, and then, um, I went to State Street. Um, so I can't say I went back to State Street cause I never worked there proper.
Um, and then, uh, I, uh, worked, uh, as the SecOps director, so. Um, I was, uh, the security operations, uh, manager, I guess, uh, I handled incident response and, uh, all of our security tools and intelligence. And we had a couple of pieces. I did that for a few years. Um, and then. 2020. Y'all know what happened in 2020.
Um, well, we had a CISO change there. Um, and, uh, you know, I got a peek. That's actually probably [00:27:00] when I really got interested in, in the CISO world. I got a big glimpse into what that, that took and what, you know, what, what it means to be a CISO. Um, and, and I guess. Probably started thinking, maybe that might be, you know, something good for my career path.
Um, we got a new CISO in, uh, towards the end of the year. Um, and then she asked me to focus on intelligence. And so I became the head of cyber threat intelligence for State Street. Um, and in that, I was allowed to build a team, uh, which I have to say was a rockstar team. I love that team still. Um, and we built out, uh, adversarial modeling, uh, which some people call threat modeling.
I call it that because everybody thinks the software, um, but, trying to identify those, those threat actors deemed the greatest threat to us so that we can make sure we had the defenses in place, uh, brought in the right tooling that we needed, um, and the, and the right people and just developed a bunch of products and, had to fight for budget, had to fight for, you know, all of that to be able
AJ Nash: Uh, let's talk about that for a second. So that's, that's where, sorry to interrupt you and dig hardest part, but [00:28:00] that's where people talk to me a lot about, Hey, if you get to the point where they hire a, an Intel professional, or somebody internally, you know, gets it and wants to do this right. I hear over and over again, the challenges getting buy in, getting budget, you know, how do I convince leadership that this is going to make us safer?
It's proactivity. I may or may not have metrics to support it right away. Like, do you have any insider tricks on how do you, how do you justify, you know, budget and, and a process? Like, you know, do you come in and ask for a giant number? Do you come in and say, I just want a little bit and try to nibble away at it?
Like, what was your secret to success?
Lisa Ackerman: Yeah, I think first and foremost is being able to tell a story. Um, even as a CISO, you have to be a good storyteller, right? Um, and it's, you got to show that return on investment. Uh, what is it that you're going to get out of this tool? How's it going to impact my risk? How's it going to impact my bottom line?
How's it going to enable me to make better decisions? So you really have to be able to tell that story and why we want to invest in this program. I was very fortunate that my CISO understood the value of intelligence. [00:29:00] Um, and so
AJ Nash: Well, yeah, Mark, right. Uh, was Mark gone by then?
Lisa Ackerman: Liz was the last with Joyce, um, and she definitely understood intelligence and the value of it, which is why she asked me to build that for her. Right? Um, and so, uh, not everybody is that lucky, uh, in that they get somebody who actually just already understands it. Uh, so while storytelling is important, um, the support at the top is probably the key.
Um, so you have to have that across all of cybersecurity, you've got to have that support at the top. And I mean, even like now you've got SEC saying we've got to have CISO presence or, you know, that kind of skill at the board level.
getting that much, uh, of an important, uh, aspect of all business, right?
Cyber is a business problem. It's not a security problem. Um, and so, you know, you want to make sure, uh, that you have that buy in, um, and then don't ask for an elephant, like take it a bite at a Like, I don't want to buy some big, beautiful, majestic elephant. I just need this one capability. And then you get that capability work and then you add another capability.
Cause be realistic. If you try to buy everything at once and you don't have the [00:30:00] people, you can't build it all at once. No, you got to do it a little at a time. I think that's the best way to do it in order to be successful. Uh, at least that's what I've, I've found it has worked for me. Um, so that, that's how I would go at it.
Um, it's just a little bit at a time and then be a very, very good storyteller.
AJ Nash: I think those are huge points. I will say it's interesting. So I, I took a slightly different path, but not entirely. Right. So, the last, you know, large project I took on to build program, I did have a leader who was advocate, which helps them into a background, but this was an advocate. And so I, I wanted to go a little bit of a shock and awe.
I was like, let's find out if you really want to invest in this. Like, let's look at the far end is going to be. So I projected out like Perfect case scenario, global team, different areas, all the tools, everything with a really big number knowing I couldn't get it all today. But I was like, let's find out what I didn't what I feared and you overcame this.
But I feared getting a little nibble and then just not getting anymore. Right? And it's just enough so they could check a box. And now I'm frustrated as an intel guy because I You know, we have a small team and we can't actually accomplish anything. We can't count the number of companies I've run into a [00:31:00] massive team.
And you find out their Intel is one person and that person actually has three other jobs, you know, like, uh, you're not really doing Intel. So, uh, I came in with like this giant, grandiose picture. And then from there it was okay. It's stages, right? Okay. We're not gonna do all the day, but these are all things about, but I want you to get the budget now.
I was telling the CISO then I was like, we should try to secure all of this. So it's available. I got very lucky in that we got. Uh, and then I spent it all immediately because, you know, good old government backgrounds. When you get money, you spend it. You don't sit on it because they can take it back any day.
and so us, we spent a lot really fast people, tools, everything. I also hired a few people from the government. So I people with background that could hit the ground running, which helped. And then, uh, lo and behold, when budget cuts came, uh, they came looking to cut things. I said, well, you can't cut anything.
I've already sent through your contracts with everybody. And we've already hired these people. There'd be no reason to get rid of the people. You've already paid for the tools, get rid of the tools, cause we're already contracting. You might as well keep the people. So, uh, uh, old government trick for anybody who's never been in the government when you get budget, we've always been taught, make sure you spend it and spend it, spend it well, but spend it quickly and spend it all.
Lisa Ackerman: Yes.
AJ Nash: Don't leave any behind because they'll [00:32:00] assume you need less next year. Um, and locking in three year contracts, you know, I was able to justify it. We did get better pricing, but I also knew it insulated my team from cuts. I had a hunch budgets were going to cut eventually and you can't, they're not going to cut something that's already paid for and committed and not going to cut the people that are doing it because they might as well at that point, some So, um, but I think. I think your point on storytelling is huge, you know, being able to explain, I think you mentioned two things we talked about all the time, which is you got to be able to tie it to somebody's risk and somebody's bottom line, right? That's all. In my opinion, that's all I've seen that leadership cares about or can about, frankly, is does this make us safer in a measurable way?
Or does this make us more money? Either cutting costs or raising revenues, right? If you can't do those things, it just seems so hard. So it's nice to hear that you had the same, the same experience in terms of trying to get the budget due. And then so, so, okay, you've, you've, you've been recruited. You've moved your way up in the company.
You've been, you've had to change in CISOs. Another brilliant CISO comes in and you guys want to go intelligence driven. And so you're building this Intel team and you're, you're taking bites away. [00:33:00] So then how are you reporting back and showing those metrics? The, the, that risk is lowering that, you know, progress is happening.
I need more. We need to build the next layer. How are you doing that?
Lisa Ackerman: I think, the work that we were able to do during COVID and Russia, Ukraine, uh, really helped, um, not to keep going back to that. But, we really had the spotlight on us. So at first they're like, why are you reporting on COVID or. Why are you reporting, you know, what, why are you reporting on the Russia?
I mean, we were reporting on Russia Ukraine before it happened, right? Like
we were trying to prep, um, and we had some people are like, well, this isn't going to impact us and we're like, oh yeah, it will, you know, you just don't know how yet. So we just, you know, trying to get that in. And then during COVID we actually briefed every single day to our C-suite.
Here's, here's the threats we're seeing here. You know, here's what we were going, what's going on around the world. I'm bringing in a lot of, uh, the, uh, data that we were getting from our information sharing, uh, channels that we had. And then we really just got, and it became where people started knowing who [00:34:00] you were.
So we, we actually presented our value. You know what I mean? On a daily basis, people were seeing what value they can get out of the work that we were doing. And it just kept growing from there. And so when Russia, Ukraine kicked off. It was immediate. Like we were, we were running the daily briefings. We were running all of that to, to advise our leadership and our peers on what they needed to know from that perspective.
So, I think those 2 events were instrumental in our success because when we said we needed something. We were able to get it and justify it because they were able to see the results immediately. It wasn't like strategic activities. This was tactical activities that happen every day. Right? But then, you know, by being able to build out our team, then we started being able to be really strategic looking out with, okay, we've got this stuff going on.
These are the long term impacts. These are the things we need to think about. We started getting involved in a, uh, which, by the way, if you don't have Intel involved in M&A,
AJ Nash: Oh God. Please do. Yes. Preach. I've been talking about this too. Got to get [00:35:00] involved. M&A is not just do, do they fit our portfolio and do they have any open lawsuits against them? And no offense to people doing M&A, I know there's more to it than that, and you're a lot smarter than I am in a lot of business stuff, so I'm not trying to pick fights with people,
Lisa Ackerman: So much value. So much value.
AJ Nash: Yes. Please get Intel involved. The threats, uh, it's unbelievable. The risks take on and don't realize it. And they like, Oh, I didn't realize we bought a pig in a poke, sure did
Lisa Ackerman: Yep. And then, uh, during COVID also supply chain attacks, right? We were able to, oh my gosh, like we, we just ratcheted the support there, um, on all of our 3rd, 4th, 5th, I just call it nth party. Um, because. And then you learn, Oh, by the way, yeah, I've got this third party, but they've got two other, you know, vendors that are working for them that are preventing me from getting that service that really shine the light on that.
Um, so all these different scenarios where we're proving the value of what we were doing. So we didn't just have the support of our team, but others in the company, because they started coming to us asking for help. So I was really good. Um, you know, any, any time we got in any kind of new [00:36:00] business, um.
Function or trying to build something, they would come to us and ask for help. So really just that, um, being able to show and be on the on stage, if you will, uh, we were providing regular briefings. We were regular products out. Um, and it was just. It was great. We were rocking and rolling. Um, and it geopolitical events have a huge impact on business.
and I don't think that that's
AJ Nash: talked about enough or accepted enough. Cause agree.
Lisa Ackerman: Yeah. So,
um, I think that's, um, you know, one of the things that we probably should talk about more because, there is a cause and effect there. Right. Um, sometimes it takes a little longer to realize it, but there's definitely cause and effect there. Um,
but I think
AJ Nash: Yeah, and that ties into, you know, obviously, again, the name of the show right there for this episode, you know, talking about if you're not, you know, if you're not proactive, you're chasing the threats, right? If you're not doing Intel, by definition, if you're not doing Intel, you're not proactive.
I talk to CISOs all the time. They all say they want to get ahead of threats. We want to be proactive and ask them how much they're investing in Intel and suddenly the crickets are chirping and I have to give the bad news that you're not proactive. Like, by definition, you're not. Well, you know, as soon as we got a signature, we reacted or we, you know, we took action.
Well, then you [00:37:00] reacted. It was in your environment already. Even if nothing bad happened yet. I get it. You're early in the reaction side. Yeah. But you're reacting proactive as being able to see things that haven't happened yet. Like, like you were talking about, why do we care about Russia and Ukraine? Why are you talking about this?
A war hasn't even broken out yet. But an Intel leader says, we've got to look at the possibilities and potentials. Now you can't look at everything. Of course, we can't spend on every possible scenario. So, but that one seemed like a likely challenge. You, you obviously were able to see it as a lot of other people, you know, did and said, Hey, this could have major impacts on, you know, global economics and shipping and all sorts of things.
Right. And to be ahead of the curve, and I suspect when things started happening, uh, you picked up a lot of credibility along the way, like, well, Lisa told us this was going to happen, or this might happen, at least probable possible, you know, again, you know, the terminology we use, uh, and cause I've seen some of the same things, but as you said, people, I think there's still not enough discussion or investment or willingness to invest in strategic because metrics can be difficult.
You know, we tell you about world events every day and you know what's going on and potentials, et cetera. A lot of those things don't become anything [00:38:00] or they do in eight, nine months and you've forgotten somebody briefed you eight months ago about it. But if you don't understand the global picture, you know, people don't have a globalism all the time.
We're all connected to everybody at this point pretty much, right? Whether it's supply chain, whether it's financial systems, whether it's pharmaceuticals We're all kind of connected, right? So I think I still struggle with organizations that are just tell me about threats to me I was really, really myopic.
I get that. That's important. Don't get me wrong. We'll always tell you about threats to you. Uh, some of them go, well, just my industry. Okay. It's getting better. Well, just my geography. I'm getting a little better, but it's really all of the above. Right. Um, and how many people understand that? Because a lot of those things in, in my experience, and you tell me if you're seeing it differently.
The further away you get from the target from yourself, the metrics get tougher, right? Because, you know, I, okay, Russia, Ukraine, two months before it happened. Well, why are you telling me this? Well, here's the importance to it. But I can't tell you today. The money we spent in the time we spent making this report, you can't do anything with it.
Like it's not actionable, right? So a lot of folks keep talking about actionable intelligence, actionable, actionable, which I think is really, really [00:39:00] important, of course. But I spent a lot of time saying you got to also remember the value of informational because that often becomes actionable. You know, I used to say, uh, in the government, you know, we had tens of thousands of intel analysts and everybody's not focused on just China, Russia, North Korea, and Iran.
Somebody is studying Bolivia someplace. I don't think Bolivia is a threat to us. I haven't heard anything about it. But if tomorrow Bolivia becomes a threat, tomorrow's way too late to start learning about Bolivia. The government prints money so they can, they can hire people to sit in corners and study all the countries.
And we can't do that in private sector, of course. but it feels like you've got to be able to expand that aperture. Right. And that's why people like you, like Intel leaders in these positions who, who, as we said, think differently, see the world differently, are able to stand and can tell good stories to prove the points are able to say.
I see some things you might not see. I mean, probably a more polite way to say it. Um, but, you know, I see the world differently and there are some other things on the horizon that I think are worth investing time and energy to understand because if bad things happen, you're caught in the back foot. I mean, imagine if you hadn't done that work at State Street and prepared for the possibilities with Russia and Iran, uh, Russia [00:40:00] and Ukraine, not Iran, as far as I know, Russia Ukraine.
Uh, yeah, I'm not making new news over here, anybody. I don't think they're at war. Russian Ukraine or, or as you said, this COVID was kicking off, right? How's this going to affect us? Um, you know, M&A, I mean, you mentioned I got to dig in really quickly. Um, I won't call out names, but, uh, a while ago I had a customer, a different company, they were massive pharmaceuticals.
It turns out was not GSK you know, they were an Intel customer and they came to us and said, Hey, we've got a challenge. Our CEO has just publicly announced a partnership with a quote unquote non government organization from China. And we don't know anything about the organization or any of the risks, risks or threats.
I said, okay, well, that's challenging. This isn't quite M&A, but it's in the, it's in the ballpark, right? So we did the research. We had a brilliant person do this. Um, and lo and behold, this non government organization in China, you'll be surprised to know it wasn't quite non government turns out their office was co located with, well, it was two PLA at the time, I think, and all of the people that were on their, their org chart, we got pictures of all of them in Chinese military uniforms as well.
Um, and so then we have to report this negative news back that says, Hey, I got some bad news for you. You should probably not do this arrangement. Well, we can't. It's already public. [00:41:00] It's already announced, et cetera. And so then you should expect all of your IP to end up in Beijing, uh, because there's massive risk here.
There's massive threat. Uh, there's a pattern here that suggests now, even if you tried to back out, they're probably just gonna try to steal it from you anyway. and sadly the response to this wasn't thank you. Oh my God, great Intel. We should try to at least prepare ourselves, look for things. Uh, the response was we can't tell our CEO this.
We can't tell our CEO this. We'll get fired. So they fired me instead. Uh, I was like, oh, okay, well that, that'll, that'll go well. I'm sure that that fixes your problem. Like, feel free to turn the lights off and pretend that the room isn't infested. You'll be fine. Like it's good. Uh, you know, I don't believe anybody's still from that org works at that org anymore.
Um. But I mean, it was, it was a wake up for me when I realized, you know, yeah, yeah, I was, I mean, it was a wake up call for me. It was the one that crystallized. I got to start telling people more about get us involved in M&A, get us involved in partnerships before they happen, because I don't think I'd quite talked much about that until that moment.
I realized, oh, man, we're way late. I would have hoped they would have asked us the question before they did this, but also we hadn't educated them that this is an area where Intel belongs or we should help. So I own some [00:42:00] of it, too. I was like, man, we've got to start banging the drum. Please don't get into partnerships without talking to Intel.
Please don't acquire companies. I'll talk to Intel. Go ahead.
Lisa Ackerman: Yeah, and pre deal for. Mm
AJ Nash: Yeah, after it's too late. Yeah. I can't help you then. Right. Once the horse is out of the barn, don't, don't ask me what we should do at the door. Um, you're right. No pre deal. Like I've worked with orgs now. Uh, I work on Intel requirements a lot with organizations.
Cause as you know, most organizations don't have Intel requirements. Most don't even know what they are. It takes somebody like you or me or some others out here to say, Hey, we got to talk about how to make this systematic. And I talked to people in those Intel requirements about. You know, acquisition M&A is one of the categories I talk about.
And who do you work with on this? And how do you get into that cycle? How do you get in with the execs and the lawyers, et cetera, and show value? Because they all want to do well. And if they understand the risks and I'm sure every one of them probably has a horror story about a company they bought and didn't realize.
How about that third party risk? Company looks great. They're clean. Well, if you dig a little deeper, you find out that the next layer, everything they do is in some area that's, you know, either physically risky, you know, hostile, or maybe they're [00:43:00] not vetting people while they're hiring. And there goes all your IP out the door, you know, because I got some, you know, somebody in a, in a third world country is underpaid and has a chance to sell your IP.
Um, I think those are all areas where we have opportunities to educate folks on how to be more proactive. Again, this whole proactive approach, get ahead of the deal, get Intel involved. You're already paying for this Intel team. You bought the tools, you bought the people, you got a Lisa on board.
Who's amazing and sees the world differently and has brought in these rock stars. That was a great team. I'm sure the one you have now is great too. You got to use them. You know, I tell people a lot of times it's about value. You've already spent the money. You want to value. Put Intel into more places, stop burying it in the SOC.
I mean, I know you think this way to like, rise it up, right? And you did some of that, right? You were able to elevate Intel and, and support more groups like Insider, as you mentioned, and physical and all these places. Um, so like it was amazing to see that journey. Um, you know, and, and what you, what you did there was, was outstanding.
Um, but now, uh, I got a transition, right? So we got one more question. So. Now that you're not doing that, now that you're on the CSO side of the wall, [00:44:00] right, you're, you're not actively doing until you're not, you're not leading it until the owner used to work with him. Now you're on the CSO side, right? The dark side, perhaps.
Sorry. So, but now that you're over there, I mean, a couple of questions with it, kind of a question, sub question, like, first of all, are you still an advocate for investing in Intel driven security? It's easy for me to talk about all the time. an Intel guy. People say, well, he's a vendor. Of course, you advertise for Intel.
They sell it. Um, you know, but now as the customer side, which I consider CISO to be customers, are you still an advocate for investing in Intel driven security? And then the second piece is, what, if anything, being on that side of the wall, what, if anything, do you see differently? How's your perception changed?
Your perspective changed on Intel, on security, on all these things we've been talking about. Mm hmm.
Lisa Ackerman: Yeah. So that's a really good question. Um, so a thousand percent, definitely. I mean, if you can't tell that by what I've been talking about, I'm quite passionate about intelligence and I see my role now is, uh, you know, taking intelligence to the C suite, so to speak. Um, making sure that they, they can understand the value of that intelligence again for decision [00:45:00] advantage.
But being on this side, I can. You know, see how we can better use intelligence to support our operations. You know, it's, it's really important to be able to connect those dots, so to speak. And you're right. There's not a lot of, uh, intelligence professionals on this side of the house. So we have kind of a different perspective and again, we think differently.
So we're going to be thinking about risks differently. We're going to be thinking about threats to those risks differently. Um, and, and being able to, to make sure that, that. Folks around me understand that value. Um, luckily, uh, our CISO here understands the value of intelligence. So you see a theme I'm working for people who understand the value of intelligence.
So, um, you know, I, I think it's so good because, um, you know, when they don't understand it's harder, uh, but when they do, they are understanding and getting that value out of it. So even my boss's leaders want to see that intelligence. So it's, it's really. Heartwarming to see that transition and that happened around the company.
So I think it's, it's really good to have that. Um, you still have to think about the bottom line. You still have to think [00:46:00] about your return on investment. You got to make sure you've got the right partners. You got to make sure you don't have overlap of your tools, you know, things like that. So. Looking at it from a holistic perspective, do we have the right protections?
Do we have the right capabilities? and so part of my job is to make sure we have those right tools, right? My team's responsible for building those tools. If we don't have them and make sure that the defenders have the right tools to secure the company. So seeing it from that perspective, it actually is teaching me in the same process.
I'm teaching them, but they're also teaching me because I was brought here to help build what we need because I know what we need.
AJ Nash: Mm hmm.
Lisa Ackerman: Um, and, and seeing that, that part of it is, is really good, but on that return on investment, it's always about, you know, what am I getting for my dollar or my pound in this case?
Um,
AJ Nash: Right. British company. Yes.
Lisa Ackerman: yeah, we've, we've, we've got the right stuff in place. I think that's really, uh, where I'm seeing the value and it's, a two way street for me now. I think you're always learning in your career. Um, you never should stop learning and this is yet another, um, A path for me to learn and, um, I just think it's good, but that's my perspective.
AJ Nash: [00:47:00] So you mentioned, uh, you know, that you've been lucky in that the last few places you've been, you know, you've worked for CISOs that understood Intel, right? And now you do as well. is that luck? Is that, is that intentional? Are you interviewing CISOs? Are you choosing positions? Are you, do you read a CISO's resume before you decide if you had an interest in going there?
Um, you know, I, I will tell you, you know. I do. Uh, so, you know, I, I've gotten to the point now where I, I have friends who say, you know, what do you think about this gig? And I've, I generally start by reading the CISO's resume first. I'm like, Oh, this is likely to be what this person's background based on the background is like me, how they think about things.
This may be a harder path. This is somebody who's a straight technologist. No, maybe it won't be, I don't discount. But, uh, you know, whereas somebody came out of the government, I back out this, the org they were in it really, they're probably gonna be really deep on this, et cetera. Have you done the same things?
When you've made these moves to kind of, you know, say, Hey, is this a CISO I think I'm going to blend well with, are they going to get the value of Intel? It was gonna be a harder sell or an easier sell for me.
Lisa Ackerman: Absolutely. I mean, I think that, um, you're interviewing as much as you're interviewing them as much as they're interviewing you when you're, especially when you're at this level, right? And you're going into to a new place. And I actually, you know, [00:48:00] told my current CISO, it's Mike Elmore. And I said, um, if you want me to come, I'm bringing intelligence with me. I can't not, because that's my life, you know, that's who I am. It's, it's inbred in everything that I do. Um, and he just smiled. He was so happy. Right. Um, and he says, you got it. I said, because, you know, that's, that's how I'm going to be. And, and really, I think. You know, he, he mentioned that one of the values that I bring is, is that threat driven lens of being able to identify what threats can make our risk be realized.
And that was a lot. We've talked a lot about that before. I decided to make that that move. So it's really important to have those discussions so that he can understand what I'm bringing, uh, To them, just as much as I'm going to get out of that relationship as well. So it was very important for me to, to still be able to bring that intelligence lens, and even though I'm not responsible for intelligence, still be able to impart my experience, um, in, you know, been doing this forever.
So, you know, I've got a lot to teach, I think. Um, so the fact that they were willing, willing to let me do [00:49:00] that was, was really good and, and necessary for me.
AJ Nash: That's Yeah, I think that's fantastic. So being on that side, it's like I'm gonna ask, you may not be able to answer this one. We'll see. So, you know, we talked earlier about the frustrations in building Intel teams. A lot of times, especially on the CISOs is, you know, winning them over getting budgets. Um, you know, listen, I'm gonna focus on the budget one for a minute, right?
Is, you know, budget and value, et cetera. Now that you're on the other side and you get to see the bigger budget, the CISO budget, I don't see on my side when I'm begging for, for my, you know, change is, is, do you see it differently? Is it, do you better understand? You don't necessarily have to share anything.
I'm not asking you to give away any secrets, but better understand how CISOs think about budget versus how I think about it when I'm trying to build an Intel team and, you know, without giving away too much. Are they right? And like, should I stop beating up CISOs trying to get money out of them? Should I, is there something we should be doing on this side to better understand and, and connect?
As opposed going, you're not spending enough on Intel. I mean, I just said that earlier. You want to be proactive, you don't spend on Intel. You know, I, I admit there's some, some blaming to that and some finger pointing, which isn't necessarily constructive. [00:50:00] So, is there anything you've learned on the other side of the fence that you can throw over and help say, Hey, here's some ways to better connect on these things.
Lisa Ackerman: Yeah. So first and foremost, uh, Intel's not the only thing the CISO spends money on,
AJ Nash: What? What?
Lisa Ackerman: I didn't know that either. So I
AJ Nash: Damn CISOs. Boy, you really have drank the Kool Aid now, haven't you?
Lisa Ackerman: So always think it was just me, um, but, you know, we have a myriad of different, you know, capabilities that we're trying to provide for the organization from governance, governance, risk and compliance to resiliency, um, our SOC operations, uh, intelligence, um, you know, all the different functions that we do.
Um, and you, you only have a certain amount of money to be able to spend across all of that. So you have to have very good, strong leaders under you that also know that. Um, and they're realistic about what they come back for and ask. And then you always have to have, you know, things in the background, making sure that we're spending the right money on things, uh, kind of like auditing yourself, right.
Um, making sure that, uh, you know, if, Intel needs [00:51:00] something, do we have to take that away from another area? Um, and it's really about a balancing act. Um, it's about making sure that we're putting our money where we need it the most. Um, and then all rebalancing that a lot, right? You, you can't start the beginning of the year and say, this is what we're going to spend our money on because things happen throughout the year, things change and you need to adjust.
So it's being able to adjust as well. Um, but have good program managers, uh, you know, good chiefs of staff, uh, good leaders, uh, that can help you with all this because the CISO can't do it by themselves.
AJ Nash: Who does the CISO trust the most? I know this is a generalized question, but who do you, in your experience, who do you think the CISO trusts the most? When they go to advice, you know, they've gone through all this, you've talked to all the vendors, you're trying to figure out and juggle what's staying, what's going, we don't have enough money for everything, etc.
Like who generally do you think has the most, is it the chief of staff? Is it the person who runs the SOC? Is it, is it their puppy dog on the car ride in? Like, who do you think is the CISO whisperer?
Lisa Ackerman: So I, I think it depends because there's so many different functions. I [00:52:00] think in a lot of ways, the chief of staff does, um, I think a lot of ways the sec ops person does, I think it just, it truly depends on what's actually going on. Um, and that's why I, I, I stated, you have to have strong leadership across all your teams.
Those people have to be able to communicate and talk about the problems or whatever it is that they're seeing and be able to negotiate amongst each other so that when the CISO asks. We're not telling different stories. We're all on the same page. We're all in this mission together and we're all fighting for the same thing.
And we, and it's a give and take. Right. So I think it depends. I'm not to dodge your
AJ Nash: No, no, it's good. No, I
Lisa Ackerman: seen it
I've seen it in different ways. Right.
AJ Nash: yeah, that makes sense. It was not going to be an easy question. I mean, there's, there's no
one
Lisa Ackerman: CCC member, how's that?
AJ Nash: you're CISO whisper. All right. That's good to know. I got to talk to, to Lisa offline later about that and see how they're, how they're doing.
I know they're Intel driven, so sure. You know, zero Fox be chat you guys about all
the things we
do too. That's right. I'm sure, I'm sure we can chat about that for a while. All right. So we're rolling in on the end here. Those are the three big questions, but you [00:53:00] know, as with every episode, I like to close, I've got a bonus question for all the guests, which is kind of a challenging one sometimes.
But, uh, you know, so the name of the podcast is Unspoken Security. So tell me something you've never told anyone. Something that's, you know, so far been unspoken.
Lisa Ackerman: Wow. Huh. Good talk. Talk about a few things. Um, I think, um, man, I think probably whenever I took the role at State, State Street to come into State Street, um, uh, we, we had, uh, our CISO between, uh, Mark and Liz was, Adil Saeed. And, uh, the first thing he, he wanted me to do was, um, MSS recompete. And I said, are you crazy?
He says, why? And I said, because. I don't know State Street. I don't know operations. I'm an intel professional. I've, you know, I don't know the stuff. He's like, going to be fine. You're neutral. You're not jaded. You're going to be able to make the right decision.
Okay. Got it. About halfway through that process.
I want you to be a SecOps director. I said, are you crazy? Now, me talking to the CISO. I'm asking [00:54:00] twice if he's crazy.
He says, no,
AJ Nash: way start your new job.
Lisa Ackerman: You're going to do great. So he was right. Both times he was right. Like he was able to see something in me to do it. I didn't have the confidence in myself to do it.
Right. I didn't think I had the chops.
Um, and then, you know, fast forward a little bit. We had, um, uh, our lead incident responder had left and I had to get called into to do incident response because it rolls up to me because responder was there. I was scared out of my mind. I don't know how to do this.
I've never done this before. Um, so I get on the phone and, and what I haven't told you is that I am a, a certified FEMA instructor for teaching emergency response, disaster management,
got that wrong, disaster response, emergency management. Um, and so I actually teach this to civilians on how to be safe in your neighborhood.
Um, and I've had, uh, incident commander training. And that just kicked in and I just took charge and I did fine. And I was like, I was afraid I was going to make the wrong decisions. I was afraid I was going to say something [00:55:00] stupid. Um, you know, cause I'm not an IT kind of person. I mean, I've had IT but I'm not an IT person, you know?
Um, and I, and my training just took over. Uh, and I guess the point of that is like, if you're in a situation and you think you can't do it, just rely on what you know.
You know, go back to what you know, and you'll be fine. Uh, and it, and it really was, it, it was, it was hard, but it was fun and it was good.
And in the end I learned a whole lot. Um, and, uh, the incident response, I actually loved doing incident response today. So
AJ Nash: Now, did anybody know either? Did you tell people? Hey, I don't know what I'm doing. I'm gonna figure it out or did anybody figure it out? Or did you, is this a fake it till you make it.
lutealize people?
Lisa Ackerman: I'll admit it today that that one call was a fake it till I make it thing. Cause I was on the inside. I was scared on the outside.
AJ Nash: I think, you know, it's funny. Um, this is becoming a bit of a pattern. I've had some of these conversations. Obviously, I'm early to the podcast here. We don't have a lot of guests yet and some, some that haven't been public yet, but will eventually, uh, but there's a, there's a bit of a pattern in our industry.
Yeah. [00:56:00] I think, and I don't know if it's other industries, the only one I know, a lot of people have a similar, it may, it may, this, it's a different piece, but a lot of, I had an opportunity to do something. I wasn't quite certain I could or couldn't do it. I hadn't done it before or whatever, but I, I just jumped in and did it right somewhere between, um, I want, you know, about taking the risk and, or about having confidence in yourself or just, you know, it had to get done or, or I wanted the job or whatever it might be.
Right. There's, it seems, I'm starting to wonder if that isn't something in the nature of people in our industry. That it's just I'll figure it out. Like we're, you know, a lot of bright, bright, confident people, not arrogant people, but confident say, you know what, it's got to get done. I'll figure it out.
Um, and not one yet has said it didn't work, right? Not one has crashed and burned or failed or anything. They have, in fact, just figured it out. And, um, I think it's a good message to hear. And it's from people high up, you know, CISOs and deputy CISOs and, you know, CEOs and leaders saying, yeah, this is right.
This is a thing now. Obviously, I wouldn't tell anybody like, you know, don't fake a bunch of things in your resume. Don't lie about your background. Don't don't don't bite off more than you truly can chew, which I was a tough question. You're like, well, [00:57:00] I can't do this. Can I can't I? But like you said, leveraging past knowledge.
The FEMA training makes perfect sense. Incident commander's incident commander, you know, in a sense, right? Makes perfect sense. You had the training and you know, I have, I have times we're taking things on. It doesn't make sense. I'm like somewhere in the military training or Intel training. I've got something that probably relates to this.
I can, you know, I can figure this out. My dog has an opinion on the subject
apparently Yeah, yes, yes. Right. It's good. She's actually warning me. This is how it works. This is my, my warning system here about threats and risks. but yeah, you know, it's being able to leverage past experience and say.
Uh, yeah, I probably have something in the file. It also helps to be old like I am now. You aren't, but I am and have all these experiences. I'm worried because I'm gonna start forgetting the experiences I should be leveraging and then I'm probably gonna be done for. But, no, I think, I think it's, it's a threat, right?
I think it's, I think it's great to see. know that you did that and then you were successful and I assume it, you know, built confidence. You said now you felt, you know, you really like incident response, right? It's like a cool thing, right? You know, fighting fires. [00:58:00] So, uh, thanks for sharing that, uh, you know, with me and, and with the audience.
Um, because I think it's a message people can't hear enough that I don't know of anybody who's made it, whatever made it is. I don't know if you feel like you did. I, I haven't yet and know what made it is. Right. Exactly. That's the other thing. None of us think we've made everybody's like, Oh, I think you've made, I'm like, I've made what, uh, but I don't know anybody who's, who's at some established level who doesn't have one of these stories where they, they took a leap and they did a thing, or, you know, this isn't the case here, but you know, somebody, we've all got a failure story someplace too.
I'm waiting for people are going to start telling me some of their failure stories. Cause I've got plenty of them, but you did it. Cause you're like, Hey, I got to take a shot. Right. And, and just being able to grow and learn from those, I think. Yeah. It's challenging coming up to think you have to know everything, right?
Uh, we talked about applying for jobs. You see that, you know, the the job description I don't I don't have this i'm a year short here. I'm like, oh my god, please just apply And uh, the only time i'm going to mention it, uh is it for this show is here I see that there's a big disparity in that and guys Versus women, like I know dudes who have no experience, no qualifiers.
Like, um, you know, I haven't heard of [00:59:00] computers. I could probably be the CSO. Let me throw my resume in. And I know brilliant women who somehow convinced themselves. Well, it says seven years. I only have six years and nine months. I should wait to apply. And I, I'm, I'm, I'm, I'm like, Oh no, go apply. Trust me.
Like that's, that's a unicorn, you know, description. You're brilliant. You're qualified. Um, you know, have you seen that too? Oh, you've been, you've been doing this a while too. yeah,
Lisa Ackerman: gosh. Yeah. There's actually statistics out there around that. You know, women have to be about a hundred percent qualified to apply where as men don't. I mean, and even like when I was applying for my civil service job, they wanted a doctorate. I'm
AJ Nash: that seems reasonable.
Lisa Ackerman: yeah. And I was no. So I still applied and I got it and I got promoted twice.
You know what I mean? So it, it just don't let that stop you. Uh, whoever you are, if, if you have a desire, uh, to want to, to do that job and you think you're even remotely qualified, go for it. Who, who are, who are they to say, don't apply, right? Um, whoever they is, but you know, go for it. You never know because, um, sometimes [01:00:00] the opportunities that you miss out on are the ones that you don't even try for.
AJ Nash: 100%. And some of those vacancies sit for a long time because people apply, right? You know, you can't, it's the old cliche, you know, 100 percent of shots, you miss 100 percent of shots you don't take, right? But it's true. You see vacancies that go months and months and months. You're like, gosh, I wonder why nobody's taking it.
And then after a while, people are like, well, it must be an undesirable job that nobody's taking the job. I'm like, no. Maybe nobody applied because they wrote a terrible job description that created a unicorn status and everybody self selected out of the position without trying. Uh, I'm a big advocate in applying.
Like we're saying happens is you won't get interviewed or you won't take the position. Whatever. It doesn't hurt. You know, applications don't cost a lot of money. Those government ones take a lot of time though. So you better be committed if you want to work there.
Lisa Ackerman: Very long time. I actually turned down the job once because it was, it was offered a position with the government and it was gonna take eight months to place me.
AJ Nash: eight I hope they are getting better at that and working at the government that struggles to get some of the best talent. I think just because they run out of time, like people, can't do that. And then, of course, they may not be competitive financially either. So eight months by then you get a [01:01:00] job in the private sector.
It's harder to reel them back in. But anyway, it's a whole different topic for another day. So listen, we're going to wrap up here. Thank you for coming on. First of all, Lisa, thank you for making the time. Thank you for all you've done to make for State Street safer. And now what you're doing at GSK. Thanks for being my friend.
Thank you. Obviously, I appreciate it. It's great to be able to talk to you, not just here, but elsewhere. I learned from you, uh, all the time and I'm gonna keep doing. I took some good pieces just out of today that I hope others did as well. Um, you know, but I appreciate you being on with me. I hope we'll be able to get you back here at some point.
Uh, know, I'd love to talk more. About things that we can share with folks, but, but thanks for coming on Unspoken Security today. Uh, I look forward to talking with you more here and elsewhere. Uh, look forward to more opportunities and thanks for everybody who's listened to this podcast. Uh, I hope you'll continue to tune in and I hope we're, we're both entertaining and informational.
Um, and if we're neither or one, but not the other, feel free to let me know, please. Try to be kind about it. It's not the easiest gig. Um, but you know, I'll throw tomatoes if you need to, whatever it takes. Uh, but anyway, that's it. We're going to wrap up this episode of Unspoken Security. And until next time, uh, thanks everybody.
Talk to you [01:02:00] soon.
Lisa Ackerman: didn't take it that long. Absolutely. Thank you.