How to Thrive as a CISO: Award-Winner Brennan P. Baybeck Shares His Perspective

Brennan Baybeck
Author: ISACA Now
Date Published: 11 March 2021

Brennan P. Baybeck, CISA, CISM, CRISC, CISSP, recently was named 2021 CISO of the Year in the APEX Awards, hosted by the Colorado Technology Association. Baybeck, VP & CISO for Customer Services at Oracle Corporation, was ISACA’s 2019-2020 board chair and remains an ISACA board director.

At university, Baybeck started as an accounting major but quickly gained an interest in information systems, prompting him obtain a degree in Computer Information Systems and to answer a newspaper classified ad for an EDP auditor job at a bank fresh out of Western Michigan University. That role steered Baybeck toward joining the Electronic Data Processing Auditors Association (later renamed ISACA), which provided professional networking and credentialing support as he gained a stronger sense of the potential career opportunities ahead.

Once he relocated from Michigan to Colorado, Baybeck became heavily involved with the Denver ISACA Chapter and leveraged the involvement to become a better business leader in the Denver area, while also learning more about how IT audit and IT security were interconnected. He left what had once been his “dream job” with Arthur Andersen to focus more intently on security roles, eventually ascending to his current position with Oracle.

“ISACA’s been there throughout my whole career,” Baybeck said. “If you look at my involvement in both ISACA and my professional career, both have complemented and supplemented each other well. They’ve helped me become the executive leader that I am today in the cybersecurity and risk space.”

Baybeck recently visited with ISACA Now to discuss his 2021 CISO of the Year Award and provide his perspective on how up-and-coming security professionals can grow into a CISO role.

ISACA Now: When did you first know you wanted to be a CISO?
I first realized that I wanted to be a CISO when I was working as a consultant. I was providing recommendations to many customers on how they could improve their security, but never had the chance to execute those recommendations. When I left consulting, I was the security officer for a start-up company and was now responsible for building and executing a security program for a services company. What I liked about that role was it was customer-facing and it was a service company, just like I’d been in at Arthur Andersen. In the services industry, you’re interfacing with customers all the time and have the opportunity to provide significant value to global customers, which is very important to me.  Working at a small start-up – it was a joint venture between Qwest Communications and KPMG Consulting – we ended up having a global customer base of over 200 global customers across various industries, and we were designing and managing security services for them.

The CISO role helps the business become better at managing risk, but it also helps the business grow and add value, and that’s what I really liked about the CISO role.  Ever since the beginning of my career in security, my objective was always the same: I wanted to become a chief information security officer for a multi-national, multi-service company that enables the business. That’s been my objective for a long time.

ISACA Now: How can security practitioners know if they have the makings of being an effective CISO?
When I first started out in security, there were really two paths that you could take. You could be a really technical person, like a developer or engineer focused on security, or you could follow a management path, focused more on the “business of security.” What I’m finding out is those are kind of coming together, and probably starting around 10 years ago, they started to merge. The security people in the cloud world all have development and engineering backgrounds. For me, I still believe that to be a CISO, you’re going to be a business leader at your company, so you’ve got to have that business experience and acumen to be successful. You have to understand the business and understand the value that the CISO brings to the business, but at the same time, you must have the necessary technical skills to understand and leverage emerging technologies, such as cloud.

Around 10-15 years ago, the typical CISO was a compliance person and the kind of the person who said ‘No’ all the time. We joked it was like sales prevention versus sales enablement. You have to be an enabler now, and you have to demonstrate value to the business. CISOs are business leaders sitting at the table with other executives advising and enabling the business. I think that’s the most important trait right now because there are many security jobs that are technical analysis or coding, but to be a CISO, you have to be business-focused and be an executive leader because you’re going to be interfacing with the board, CEOs and other executives. You can’t just be talking about compliance and security all the time. You have to be helping to drive the business and directly aligning the security strategy activities to the business strategy, with a focus on enabling business.

ISACA Now: Along those lines, what specific advice might you have for young security professionals who might want to prepare themselves to become a CISO later in their career?
Having that engineering or development background is going to be important for the new CISOs that are coming because you have to have that balance now. Now it’s truly technology and technical skills, and deep understanding of the transformative technologies businesses are using to digitally transform their companies, and how to properly enable and, of course, protect the business and its customers. You must have that understanding, and most of the time companies are pulling from engineering and development backgrounds for that. Additionally, you should strive to find opportunities to work with the business leaders at the company to get a very good grasp on how your business operates so that you can determine the best ways to help the business be successful and add value.

Security jobs are very vast now. There are so many different paths you can go down, but to be an executive in this field, you definitely need a combination of the technology and a solid understanding of the business. The technology part you can get from a technology job and foundational credentials like ISACA’s Information Technology Certified Associate (ITCA), or maybe you start off in college going down an engineering or technology path, but then you really need to get a business degree or solid experience. The most successful CISOs that I know always lead their discussions about security by starting off discussing the business challenges and how security is helping solve those business challenges, while at the same time addressing security risk.  You really have to come up with a path to develop in both of those areas in order to ensure you are getting the coverage that you need. I use ISACA as an example of a good balance because you learn about business and at the same time you are learning technology.

And the other thing I would mention is the need for good mentors and surrounding yourself with good people.  Much of the business knowledge comes from mentors, so don’t simply surround yourself with mentors in the security space … find people who are business leaders at their organizations that help you understand that perspective and give you advice about how you can become more valuable to the business.

ISACA Now: How has the pandemic recalibrated your role?
I think I’ve become a much more engaged manager and leader because of the situation that we’re dealing with here, where people are at home and we’re not seeing them in person. I had to learn to better engage through technology and communicate more regularly, providing more recognition, because I don’t get to see my people in person on a regular basis. And while I consider myself very adaptive and flexible, I made a pact with myself to be more progressive and transformational in my leadership style.

ISACA Now: When people think of the CISO role, one of the things that often comes to mind is stress and potential for burnout because it can be so demanding. What do you do to keep your energy and mental health where it needs to be?
It’s tough because a lot of the job is putting out fires. There is also a lot of negativity around the job due to this constant firefighting mode and having to point out risks on an ongoing basis. It’s almost like being a police officer – they see some really bad things and it definitely affects them. What I like to do is look for positive aspects of the job and the positive things that we can do in the job. I like to focus on solving customer problems because there is so much satisfaction in that, and then helping the business grow and always seeking out those opportunities. I am also a lifelong learner, and I recommend learning new things that will help you be successful, both professionally and personally, which helps shed a positive light on the work we do.

And then the last thing is getting actively involved in the humanitarian and social aspects of working in the security space. Driving the diversity aspects of the industry, like what ISACA is doing with the One In Tech Foundation, gives me a lot of satisfaction because we are leveraging the security profession to do things to improve the world, while helping our companies and our customers. These are real business problems we can actually help solve in the technology and the security industry, and they’re intersecting with humanitarian and social issues. You can really help drive change through what we do in our profession.

Editor’s note: Find out more about Brennan and his 2021 CISO of the Year Award in the Denver Business Journal and in a related video. You can also read more about Brennan in his #IamISACA story here.