Brian Haugli, Founder and CEO of SideChannel, brings his CISO expertise to the security podcast this week for a discussion about strategy and leadership in cybersecurity. Working alongside CISOs and fractional VCISOs, Brian has seen his share of leadership mistakes and has learned about the purposeful approach that security needs along the way. In this episode, Brian revises the mantra of “people, process, and technology,” to include the first and most important element in your security success: purposeful strategy.

Be sure to subscribe to Hacker Valley Studio, the premiere cybersecurity podcast for cybersecurity professionals.


Timecoded Guide:
[02:01] People, process, and technology in your leadership strategy
[05:12] Tenants of a strong security strategy
[13:11] Setting up new fractional CISOs for success
[18:29] Creating SideChannel & walking the line between CISO vs consultant
[27:44] Thriving professionally by thriving personally
 
Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.
 
What has been your philosophy throughout the years when it comes to leadership versus technology? 
The security adage of “people, process, technology” isn’t one combined concept. That is, in Brian’s opinion, why so many leaders make the mistake of prioritizing technology as a central part of their strategy. Strategy is not what technology you use, and you can’t buy your way out of every security conflict with a shiny new product. Ask yourself what problem you’re supposed to solve, not which tech is going to solve your problems. 
“Strategy is not technology, it's figuring out what you want to look like when you grow up, in a sense. Everyone jumps to the shiny object. What can I buy to go solve this problem? You never stop and question: Was that the first problem I was supposed to solve?”
 
What are the tenants of making sure that you've done the work of creating a strong security strategy?
The North Star of your security strategy should be the identity and purpose of your business, according to Brian. If you don’t have a current assessment of your current capabilities, assets, resources, and objectives, you aren’t positioning yourself for success. Strategy comes from a knowledge and understanding of where you are now, and where you need to be. When your company “grows up,” what do you want security to look like for you? Understanding that guides you towards your target state without wasting your time on the wrong problems or objectives. 
“I think a lot of people throw strategy around as a grander concept and don't actually think about the elements that need to go into building one. You need to align to a definition that supports your business and outcomes, and that's what is strategic. The idea is not strategic.”
 
Let's say I'm a brand new fractional CISO and I have my first client. What are the top three questions I'm going to ask of this organization to set me on the right path?
When dealing with a new client, fractional CISOs have to understand why they’re involved with this client in the first place. Why are you here? Who brought you here? And, most importantly, what is the reason security is being addressed now? A fractional CISO can’t defend what they don’t know exists, and they can’t meet a deadline without first understanding what this company’s unique security environment needs are. 
“You don't jump into, ‘Okay, well, what's t