113. Transforming with Samm MacLeod
It’s our last episode for the season, and we are joined by a very good friend of Claire’s and of the podcast, Samm MacLeod. Samm and Claire discuss what's been happening since we caught up with her 12 months ago in season eight, when Samm generously shared her CISO journey through burnout and recent sabbatical. She's now back CISO-ing, and this time they covered digital transformations and security transformations.
Samm MacLeod is an experienced Information Security Executive with experience across multiple industry verticals including tech, financial services, and critical infrastructure. Having led several cybersecurity transformation programs, Samm helps organisations imbed effective security practices through cyber security strategy, security operating models, and risk management frameworks. Samm’s experience with boards, audit & risk committees, and executives allows her to bring a unique set of experiences and perspective to the management of technology and cyber risk and the delivery of security best practice. She is currently an appointed Netskope Security Board Advisor and has previously held non-executive positions on a critical infrastructure board (AEMO Cybersecurity Board), securitisation & financial services board (MEPM) and Information Security education and research board (Deakin Executive Board). Based on the Bellarine Peninsula, Samm is an industry speaker and writer, and an advocate for diversity in cyber.
Links:
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
CP: Hello, I'm Claire Pales, and welcome to The Security Collective podcast. Today's guest is a very good friend of mine and friend of the pod, Samm MacLeod. If you're a longtime listener, Samm needs no introduction. If you just joined us, Samm is the VP of security and risk at Culture Amp. Culture Amp is a rapidly scaling HR tech company that prides itself on knowing the value of data. In today's episode, Samm and I discuss what's been happening since we caught up with her 12 months ago in season eight, when Samm generously shared her CISO journey through burnout and recent sabbatical. She's now back CISO-ing, this time we've covered digital transformations and security transformations. Samm shared what it was like working with me as an interim CISO, and it wasn't all bad I promise, and how different her role in working in a scale up has been compared to her previous life in banking and critical infrastructure. While Samm is a good friend and neighbour of sorts she's also a fellow fellow of ASIA, and one of the most well respected CISOs in Australia. So please enjoy my latest chat with Samm MacLeod.
CP: Samm MacLeod, welcome back to the podcast.
SM: Thank you, good to talk to you again.
CP: So last time we spoke, you kindly shared your personal story of your sabbatical and what that meant for you over the last few years. And now you're back CISO-ing. How's the journey been for you from CISO, to organic shop owner, to consultant, back to CISO, now global one, tell us all about what's been happening.
SM: It's been busy, I think the idea of originally taking the sabbatical was to travel and to chill out and not work. And that didn't happen, I actually ended up taking on more side hustles than I had, before I took the sabbatical. But look, it's been fun, lots of lessons learnt. One of them in particular being that I really need to challenge my brain, and I have a passion for cyber that I kind of lost for a little while in the throes of doing the day to day. So coming back into it with a little bit of gusto is good. But I'm also still challenging some old habits. So I do find myself in CISO-land, again, working for a vendor, which is a bit different to what I've done before, but still trying to balance that personal investment and self care and keeping that at the forefront, while I'm really trying to challenge where I'm at what I'm doing and not falling into some of the, you know, forgetting about me, and just focusing on the role that I'm in and playing the role. For me, it's about knowing what companies I want to work for, and what type of CISO roles really match me and what I'm prepared to dive into and do and how I show up every day. So the particular vendor I'm working for at the moment is scaling. So they've gone from start-up to scale up and they're growing, and there's lots of problems to solve and opportunities to jump into. And for me, that brings the fun and the passion out. It also presents an opportunity for me to do really cool security things and get creative. And therefore it's not the you know, the drudgery of day to day so much as it is trying to do really cool new things.
CP: You were also kind enough to share what happened to you throughout the sabbatical around burnout. And now you're going back to a permanency CISO role, do you feel like you've set yourself up for success in what you're just talking about around self care, and challenging yourself to make sure that happens?
SM: I think so, there are days already where I've found myself having to go, hey, hey, you said you weren't going to do this, come on, you know, figure out a better way to go and navigate this so that you're not putting yourself at risk and keeping an eye on who you want to be and how you show up. I was really lucky in that the conversation I had with my new company, we talked about roadblocks, and we talked about the things that I had bought into my life to try and have more balance and how important they were. And it gave me an opportunity to explain where I've been, why it's important and why I want to be able to nick off at lunchtime or do yoga class or sitting in an infrared sauna, or you know why if I start early, I'm going to finish early or why I still want my Fridays. And then rather than seeing them as actual roadblocks it was how do we create a job that makes sense for me, but also helps them get the outcomes they need by having a CISO and a risk leader that can dive in and be passionate about what they're doing without risking burnout again. It's all on me, really, the organisation is incredibly supportive, but I have to just make sure that I'm monitoring what I'm doing and how I'm doing it and don't fall into those old patterns of giving everything up and diving into a role and forgetting about what I need.
CP: You know, I'm very fortunate to have been able to work with you for a couple of years in our business together and you know, I can absolutely testify that Fridays you set aside and that was a day that was pretty sacred and that you didn't do work on those days. And you know if the house was on fire, you would help. But you were very structured about that. And I guess while we worked together, you got to experience the interim CISO life. So you know, not being that permanent leader and having the flexibility of just not working five days a week. And I'm interested, what that was like for you being an interim, where you know, you're caretaking. And so does it feel temporary? How did you approach being an interim leader as opposed to maybe how you've approached your more permanent role now?
SM: It did feel temporary. And it's funny, I learnt so much, I had a wonderful experience going into lots of different organisations, which gave me exposure to how execs work and lots of different execs. So you learn the different personalities, the different approaches, what they brought with them along the way from their careers, and how they apply that everywhere they go. But also some exposure to the boards in different kinds of organisations as well, and what level of understanding they have around cyber and how they operate together and what's important to them, and what experience they're bringing from different boards that they're on into the organisations they're in. So the exposure was fantastic, and the learning was incredible. I also saw new security problems I'd never seen before, and that to figure out how to solve those in a very structured way, some in creative ways. But what I did find really interesting is being a temp was different depending on the organisation you're in. So some organisations completely ignore that, and you end up just being part of the furniture part of the family, and you're just getting stuff done. Whereas others still keep that kind of line in the sand that you know, from a trust point of view, you're temporary, you're here to fill a role, we're waiting for the more permanent one to come on board before we do anything cool and funky. So I had to kind of adjust through that process around the ones who really wanted to embrace me and embrace the process, it was about just diving in and getting stuff done and becoming part of that crew, whereas the ones who had kind of a little bit of a line in the sand and the sense that it was in the interim vibe, if I felt it was sort of impeding the engagement at all, took a very consultative role instead, which was just very much around questioning and helping with objectives and trying to figure out where they wanted to go and what they wanted to do. And then that sense to focusing a lot more on leveraging our networks and figuring out the recruitment side for them, so they could get that trusted person in really, really quickly, because I wasn't going to be it, I was just there to fulfil a role for a while. But I think during that time, you know, I've a very strong sense of responsibility and accountability and wanting to own things and wanting to solve problems. And she kind of had to sit in the corner a bit and just be quiet because it is as interim, and it was about bringing some expertise and some support, but not necessarily taking on all of that accountability and responsibility. So there was a little bit of FOMO, watching the rest of the business move when I couldn't kind of move with them of being in an interim role. That's where I started to naturally kind of gravitate, when I fell into this new company that I'm in, it was very much we want you here. And you know, there's lots we can do and lots of opportunity. And those lines got blurred very, very quickly. And that kind of grabs that accountability and responsibility side of me and went yeah, I could actually deliver this stuff and do some really cool things. So whilst the interim is good, and I absolutely support and believe in finding those different opportunities for all sorts of interim execs to step in, and help and bring new learning even to the organisations in a different flavour of skill and the expertise they've got for a temporary period of time. For me, I did it a couple of times and learnt a lot. But I was just screaming out for a little bit more belonging, I think.
CP: It's definitely not for everybody, I totally understand that. And the idea that when you're permanent, your ability to make change, and even just small decisions that you make are more likely to stick, I think, than when you're in a consulting interim role,. Where, as you said, some organisations will overlook decisions or recommendations because they might see you as a consultant. And also because our business model was such that we're not there five days a week, and so sometimes out of sight out of mind can come into play as well. And yeah, I'm not surprised that you're that you're back in a permanent seat, because, yeah, there is always a draw to being back in the fold and be much more influential, I think is the word I'm trying to look for.
SM: Absolutely, yeah.
CP: I want to be cheeky for people who didn't go to ASIA this year, which was includes me, they wouldn't have seen you speak. And you spoke this year about digital transformation, and particularly about security transformations. I'd love to hear the highlights of the session, and what were you hoping the audience was going to take away from it?
SM: The highlights really were we've still got a number of organisations going through their own digital transformations. Whether that's trying to keep up with their competitors, whether that's bringing new product to market, whether that's diverging into other industries, whatever it is, with that comes innovation, emerging technology and lots and lots of change. So really talking about, well, if this is happening in organisations, what does that actually mean for security? And then what does security need to do to step up and support that? But at the same time, is that the best time to start thinking about security transformation itself and actually stepping into keeping up with that pace of change? And if the business is transforming in a particular way over to the right, what should security be doing over to the left to kind of keep up with that and modernise practices and what they're doing. So we talked a lot about the risks and the security challenges that come from digital transformation. But then also, how does the security team get ahead of that plan, or be part of that plan so that they can lay a foundation? You know, we talked a lot about being able to see around corners. And there's a really cool book that I referenced by Rita McGrath, which talks about all of big tech, actually, and some of the really big organisations like Amazon and others who have been able to completely disrupt marketplaces, and their security piece actually comes along with that, and how do they support these organisations to be so successful by laying a foundation, becoming an enabler, or being able to get in front of what that changes the businesses doing so that all the security things or the data protection things or you know, whether it's privacy regs, and so on, are all thought about, well in advance of the change actually taking place. But then we also talked about, you know, beating the business that their endgame. If they're looking for emerging tech, if they're looking for innovation, security should be doing the same thing. It's not stagnant anymore and some of the old practices that we have, from a security point of view, are built around enterprise models and on prem technologies. And so we've talked a fair bit of around, you know, what does it mean to actually become predominantly SAS driven. Whether that's just in the business itself, or whether that's also the security tools. And what risks does that present, but what opportunity does it also bring for security to do really cool and funky things and take some of the friction out of what we do for the business and enable them to move at pace and quicker. So there were some of the highlights, we talked a lot about security teams. So I took the opportunity to discuss some of the work that we've done in the past around, how do you sit back and go, this is the business strategy, this is the technology strategy, or the innovation strategy could even be the data strategy. And then how do you build a security strategy that underpins that and supports it? But then how do you sit back and look at your practice and look at what capability do we need? Therefore, what skill do we need? And is the team ready for that? And where could individuals step up? And how do you train? And how do you develop and then how do you build out a group of people that can actually take security on its own transformation journey, but also support the business who's doing the same. So talked a lot about operating models, and how that all fits into getting ready to support a business that's going to go through massive change.
CP: I'm interested to know why you chose this particular topic. Because, I mean, you're great at public speaking and it's not for everybody. But to get the opportunity at AISA to take some time in front of these security leaders and other execs that go to these events. What drove you to choose transformation op models, you know, that particular topic when there are 50 things you probably could have spoken on.
SM: My partner in crime and I did a little bit of, it was a joint prezzo, so we did a little bit of brainstorming around where we think there's still challenges and understanding how to support businesses that are going through massive change. And you can call it transformation, you can call it change, but the digital pace just simply comes in because their prolific use of data and the need to know the value of your data and expose your data in order to have a business that's got some value to it, seems to be the leading charge for a lot of organisations. So what does that mean for security, and are we still seeing a lot of organisations who are going through change, but security lagging? And there had been a number of different research papers and things floating around that talks to, you know, SecDevOps and how well or not embraced that is still in organisations? How are we helping organisations to move at a rapid pace so they can remain relevant? And so we just ended up sort of brainstorming around that and thinking well, there was nothing else on the AISA agenda that talked about how you transform a security organisation to meet a transforming business organisation. So the opportunity was there. It originally started out as more of a technology conversation and look, the first half of the presentation was quite tech focused because it was all about digital and emerging tech and innovation. But the second half was, there's a whole heap of other things that come into play around your traditional tech, people, process. Now I went down the people and process path and what doews that mean and what does it look like. Myself and my co presenter have both had experience in supporting transforming organisations and also having to transform security teams, so we brought all of that together to try and paint a picture around, it's challenging, but it can also be quite fun at the same time modernising a security team.
CP: I guess you're in the throes of that now working in an organisation that's transforming. And, you know, having, I guess, worked previously in banking and critical infrastructure that are traditionally changing organisations, but they've got, you know, long histories, you're now in a startup where things are probably moving at a rapid pace. And as you said earlier, it was a startup now its a scale up, How's it different for you working in an organisation that is transforming just purely due to the nature of the size and scale of the business and the products, as well as you having to keep up with that in a very different way, I think to how you were probably working in transformations in banking, or, or critical infrastructure.
SM: It's really, really different. So yeah, as you said, it's a startup that, you know, only two years ago had about 400 people in it, and now is up around 1100/1200, they're scaling at a rapid pace. And the growth trajectory is quite significant. So when I came in as an interim, and before I decided to stay, it was fascinating to me the amount of success that the organisation had had, in spite of how, to me, coming out of very structured organisations, it looked quite scrappy, you know. Everyone all hands to the deck all the time. Super, super smart people, you know, it's a tech company with lots and lots of clever tech people, but it's about rapid delivery of capability to customers, whilst also kind of being an organisation that's growing in its data, and what it can do with its data. So, you know, it might be HR tech, but it's rapidly becoming a data company that is also a research company. It's full of young entrepreneur types who have come to work at the organisation, not just to do a job, but also to learn from founders. Because they have ideas, and they've got big ideas, and they can practice those in this kind of environment, and then potentially go off once they have more ideas and do things for themselves in that entrepreneurial mindset. It's also very different being in an organisation that's founder lead. In my experience in some of my previous organisations, when you sit down and you talk about security and security risk, you're doing that with a bunch of people who understand risk for each of their specific areas, whether it's operational, strategic, market risk, credit risk, whatever those things are and a CEO who's got a strategy that they're leading on behalf of a whole heap of shareholders. Being in a founder led organisation, in this instance, the three key people that I'm speaking with on a regular basis, they know their business, inside and out. They're dealing with risk every single day, even if they don't call it that. They know how it all hangs together in minute detail. They know what the future vision is, they know what the technology should be able to do they know how they want to unlock and get the value out of the data. And so selling, in inverted commas, a security message or the benefit of having security or security risk management, or I have accountability for enterprise risk as well. So what does that actually mean for an organisation like this? So it's less about talking about regulations, because we're not a highly regulated environment. It's less about compliance, but it's really, really driven by culture. And because we're a culture company, talking about security culture becomes fascinating. You know, sit down, have a wine and to the fat around, well, what does that kind of culture mean, as opposed to a really cool culture in general for the company? And how do we get aligned? And how are the messages made crisp and clear, and you know, you can't be flaky, you can't have FUD, and you got to be really, really respectful of you're there to serve a purpose to help the business be a success and continue to grow and reach its target. As opposed to, you're not core to its creation, and you're not core to what it's going to continue developing over time. So it's very much just about joining in the scramble and trying to catch the stuff that's happened in the past in order to help remove any kind of tech debt and things like that. But then trying to build something in the background that's, you know, repeatable and proactive. And, you know, if we ever get to a point where we need to be more robust, that foundation is there, so that it can be relied upon. So it's a very different kind of approach to what I've done before. So it's probably a little bit of the creativity and the innovation around security that I got to play with at ME Bank being a smaller bank, even though it was highly regulated. And a whole heap of the stuff that we did around digital within AGL and kind of bringing that together and going if I unpick it what makes sense for this company. And how do I apply that and you know, how's it going to be received too. So being in this kind of organisation that's all about culture, the values are very different. The trust models are very different. And the focus on how we embrace or embed controls is very different as well. So being able to pick and choose which ones are going to be culture and people lead versus which ones are going to be technology and enforced. And so there's lots of conversations around what makes sense to still empower our people to have lots of flexibility. But then what are the ones that we really need severe robustness around in order to protect our data and our customers.
CP: And I think being a founder, you know, after six and a half years, my business is like one of my kids. So if someone was coming along and saying to me, well, this is what we think you need to do with your business, it's actually really a hard pill to swallow. I think, because as you said, that the founders know, well, they know where the bodies are buried, I guess, but they're to the minute detail about how things operate. And over time, obviously, that knowledge shifts a little bit because they start to entrust others with tasks in the business. But at the end of the day, they really do know the kind of guts of how everything goes on. And that's probably a much more challenging conversation than, as you said, to have it with a CEO who's responsible for an organisation, but wasn't there when they were bootstrapping and trying to get the plane off the ground.
SM: Yeah, you know, the founders are entrepreneurial, they're super smart, they know what they want this to be, it's their baby. And, you know, you got to be really careful not to go in and say, yeah sorry, but your baby's ugly! You know, I've taken a lot of time since I stepped in, even in the interim capacity to really understand, you know, where the business has come from, and why certain decisions were made, and how they got to the place that they're in now and how they've been so incredibly successful. But then also, where are those little challenges and little things that might trip up at some point, that we need to kind of get in front of now and solve for. And for lots of different business reasons, not just because I have a security framework that says we should have these things in place. So it's a slightly different mindset to how I would go about it from a regulatory or compliance point of view, I suppose. And it's very much customer led and data led too.
CP: Which many organisations I guess I like that, but you know, every business is so different, and you're going in as a CISO. Even if you'd gone into another bank or another critical infrastructure operator, it would still be different. You know, I think that's the challenge that we see in our industry is that not all CISOs are built the same. And not all organisations are built the same. And, yeah, look, at the end of the day, I think having an opportunity, like you've had to see what interim life is like and, you know, stepping in and out of organisations quite rapidly in the scheme of things. And now be back in the permanent seat, you know, I think Culture Amp are so lucky to have you. Yeah.
SM: Thank you.
CP: Samm, it's always amazing to have you on the podcast. I think this might be our fourth chat or fourth invitation and we'll definitely have you back again. Thanks for sharing your wisdom and for being part of a really great community. It's really, really great to have you thanks.
SM: Thanks for having me. It was good fun, I love a chat.