I didn't want to become a CISO.
Over the past year, I thoroughly enjoyed my time at YL Ventures as their CISO-in-Residence, meeting brilliant entrepreneurs and brainstorming creative approaches for solving wickedly hard problems in cybersecurity. The team at YL Ventures is truly world class and I learned a lot about venture capital through the decisions that the partners made and the discipline that they showed in a red-hot market with rocketing valuations. I also had the chance to test my Cyber Defense Matrix to see if it can be used to find gaps in the market and promising investment opportunities. (It worked in finding gaps, but it'll be a few years before we see if the gaps were actually good investments.) Although the partners at YL Ventures graciously gave me the opportunity to serve longer, I felt that the CISO-in-Residence role is one that, in my humble opinion, deserves someone with fresher ideas and more recent scars from hard-fought battles. And so, as I approached the end of a self-imposed one-year term, I kept an eye open for opportunities that would align well with my long-term interests...
... which didn't include becoming a CISO.
My interests did include finding more use cases for the Cyber Defense Matrix and the DIE Triad, but the longer that I stayed away from the heat of the battle, the more intense the feeling that my ideas were becoming more theoretical and less practical. Although the Cyber Defense Matrix and the DIE Triad were originally born out of practice, many of the newer use cases that I developed really only lived on PowerPoint and had not been tested in the real world. While many CISOs were excited by the possibilities when I shared these use cases with them, they simply did not have the time or engineering resources to put them into practice in their environment. My fellow practitioners needed an "Easy Button" so that they could put the use cases of the Cyber Defense Matrix and the DIE Triad into immediate practice. However, I realized that I cannot make it easy until I put the use cases fully into practice myself.
And so, I decided to become a CISO.
But not just at any company. I needed a way to turn my slideware into software. So, I wanted to join a company that had a working product flexible enough to incorporate my many use cases. I wanted to ensure that they would agree to open-source the use case implementation. I wanted to make sure that the founder shared the vision that I had. And most importantly, I wanted their product to be capable of automating the bulk of the CISO work for me so that I could spend more of my time doing what I really enjoy: discovering new use cases and exploring repeatable patterns/anti-patterns that can advance our field of practice.