Preview Mode Links will not work in preview mode

The New CISO

Oct 1, 2020

On today’s episode, Charlie McNerney discusses shared responsibility in cybersecurity, the idea of trust, and how diagnosing a problem before treating it has aided him in his career. 


Early Retirement and Intellectual Income 

After working 25 years at Microsoft, Charlie retired early. Six months later—after getting a boat and a dog—he found himself bored and seeking, what he calls, an “intellectual income experience.” After a phone call from a friend, Charlie ended up consulting for Expedia Group, and eventually came on as a full-time CISO. Listen to the episode to hear more about what an intellectual income is and what it means to Charlie. 


Shared Responsibility 

In setting up Expedia to understand what they need in a CISO, Charlie had to encourage them to question if they understood their risk posture now, and who was responsible for risk. He delves into how a company can value risk and actively try to understand it, as the Expedia Group does, but still wonder who certain tasks fall to. Charlie relays how imperative it is to convey that everyone shares the responsibility of risk. We discuss the importance of recognizing how anyone can impact risk and how the security team needs to articulate this to the rest of the company. 


Trust in a Company 

Charlie also touches on how every company is at risk nowadays to hackers or breaches, as every company is now a tech company. As a result, trust in the company, for the customers, supplies or between the employees is so important. In order to be effective, the security needs the support and trust from the rest of the company, especially from company boards. If boards can value the trust in the company and understand how that impacts finances, then the security can be more effective.


The Medical Model for Security 

Charlies believes in following the medical model in his approach to cyber security. What he means by this is to copy the way doctors tackle illness: symptoms, diagnoses, treatment, recovery. If you treat a problem before you diagnose, it leads to malpractice—the same applies to security. When you discover symptoms, you need to put the security risk in terms of their transactions, not in terms of risk. Charlie encourages the CISO to not sensationalize and scare people until you actually know what’s going on.

Building Trust During a Crisis 

As we’ve discussed before on this podcast, having a playbook before there’s a crisis is imperative. What Charlie points out is also making sure everyone is aware of the playbook and comprehends it before a breach. His advice for a CISO during a breach: focus on data and not feed into fear. In addition, it’s important to communicate properly with other teams within the company. Liston on to hear what Charlie believes security teams need to convey to other departments in the business.  

Competition and Cooperation 

Charlie reflects on what advice he would’ve given his younger self. To him, when you’re younger and trying to understand your position in the company, you can get competitive with yourself and others. When you’re in that competitive mindset, you miss out on the cooperative mode. Charlies delves into how focusing on a title can lose relationships that you will need later. He shares his advice for how to be collaborative with others and how to have better emotional intelligence. Listen on to hear more about why cooperation is better than competition in the workspace.  

Being a Respectful Leader and Finding Respectful Leadership

In this episode, we converse on how you need to love what you do and how even if you enjoy your job, if you hate your boss, you’ll hate your days. Charlie disagrees with the mentality of living for the weekend. Hear what else he has to say on the significance of work culture. 

Legacy in Leadership 

Charlie brings up being cogitative of legacy when you are a leader. He challenges our audience to ask themselves if the work they’re doing is something they’re willing to put their name on. He urges people to be intentional about the jobs you take and what you do for those jobs. Listen on to hear more about how legacy can take on many forms and be remembered in different ways.



Charlie dispels the idea that your boss always needs to be your mentor. Instead, he encourages you to search out other mentors and to keep seeking until you find someone who can guide you. He believes that having the right mentor will separate you in your career. 


Hiring Process during COVID

Though COVID has disrupted our everyday lives, Charlie iterates that hiring remotely doesn’t need to be difficult. He is still looking for someone with energy and who wants to be at the company. Those young, energetic people are who Charlie wants to build up and help grow. In addition to the hiring process, he discusses how to be an engaged leader when it comes to promotions. He emphasizes specificity and clarity in reviews and feedback. Listen to the episode to hear more on how to change meetings into coachable moments. 


The New CISO

Where thinking about the new CISO, Charlie encourages those in cybersecurity to really think about the nature of protection that you can provide to different positions within the company. He believes the new CISO must think of risk in a holistic way. Listen to the episode to hear more on this. 


Exabeam: Website

New CISO Podcast

Charlie McNerney - LinkedIn