Securing a Cybersecurity Organization Chief Information Security Officer of Netskope, Lamont Orange, talks with Steve Moore about the unique differences between working as a CISO for a private company versus doing it on the vendor side of things; securing a cyber security organization.  As cyber security becomes entrenched in the business cycle, other business functions have expanded their interactions with security teams. That said, the understanding of what a CISO does hasn't always followed the same trajectory. How do we as security professionals, help our organizations interact with our security teams and help them understand the role we play in an increasingly at risk world?     The major difference between being a CISO for a vendor vs private organization  Working for a vendor, you have a direct line into change and solving the problems that really need to be solved.   Working with a private organization, it's everybody's opinion and no one knows really what you're talking about.   Lamont encourages everyone to spend time in both worlds because when you're working for a company, you're in a particular vertical so you have ground floor opportunity to understand all the challenges, whether they're business challenges, technology challenges, people challenges, you really get to understand the industry in which you're working and serving some of that.     How did Lamont get his start?  He has had the opportunity of serving in a consulting capacity to organizations. That gave him more of that, that multi vertical multi industry perspective. Lamont wanted to give back and go to an organization where he got to grow something from the ground up, watch it grow and watch it be something really valuable and a differentiator to the business.  He also wanted to see what the opportunities were on the vendor side because it seemed very intriguing and an opportunity was presented. What he found is that the language barrier is gone. The challenge then became to take all of that industry expertise and all of that business knowledge and apply it to a way where he can lead the vendor side.  When you're on the vendor and product side, you get to effect masses of companies. You get to interact with so many different thought leaders and coaches. You get to make the industry better from the solutions and tools perspective that we have to offer. But you're also growing people’s careers at the same time discussing the path that you've gone through.  Find opportunities to speak. There's just so much goodness in it that helps you grow as a professional also. There are so many lives that you can touch from a career perspective and making a difference and how we deal with our adversaries.     Figuring out how to share in the security community  When you look at our adversaries, they're definitely sharing. They talk about the latest way they use and abuse. We need to do some of the same thing. “This is what was effective with this particular adversary.” “This was what was effective in this particular vertical because this is how we do business and this is what's effective”. Those types of conversations are priceless and we need to figure out a way to have more of them.       What is change management?  There'll be changes in infrastructure. There'll be changes in operating model and there's a board that we have to go through to get the changes approved.  We implement those changes. If we start going back to fundamentals and what's happening in cybersecurity, what's happening with the role of the CISO and the CSO and all the technology players, we are back to the basic definition of change management. Not only do we have to adapt to change, we have to embrace it for what it brings.  We have to look forward to what the positives are with this change. We have to demonstrate to others why this change was either good or is not the best plan of attack, and then we adjust. You don't want to have a stagnation in anything that you do