Jaymes Nowicki, SVP Director of North America at Intaso, had the pleasure of sitting down with Brad Gorka, former Deputy CISO at Norfolk Southern and CISO at CommScope, to discuss all things CISO, including:
- CISO: Good to Great
- Risk Strategy
- Cyber products and tooling
- Emerging technology
- Emerging threats
- Closing the hiring gap for entry-level and diverse candidates
Foreword from Jaymes:
Over the course of several meetings, we covered a wide range of topics. All of this was in an effort to peel back the layers of who Brad is as a person, leader, and cybersecurity SME. What is offered here is just a small fraction of what we discussed.
What I uncovered throughout our time together is that Brad is a people-first, servant leader who truly believes that if you can build and grow an exceptional team, the cybersecurity mission will be achieved.
This is his MO. This is how he operates.
He takes cybersecurity very seriously, believes there is a place for diversity in cybersecurity, and is passionate about giving unproven professionals a path forward. Brad is actively exploring new opportunities in cybersecurity leadership, covering information security transformation, program leadership and greenfield team builds. He undoubtedly will make a significant impact, no matter where he lands.
Brad, thank you so much for your time over the past month. It has been a pleasure getting to know you.
What takes a CISO from good to great?
For starters, a great CISO builds great relationships within IT but also the wider business to develop a reputation as a trusted advisor. A key element within a high-functioning team is that they trust each other and you (the CISO).
Additionally, it’s not about how many tools you acquire, but how well you use them. A great CISO knows that it is easy to get carried away with too many tools & solutions and that it is better for the budget and the team to have fewer tools that you obtain maximum benefit and capability from.
As a CISO, what is your strategy and approach to managing risk when entering a new organization?
There are many points that come into play when joining a new business. You must build relationships with both the IT team and the leadership team; be sure to ask lots of questions to discover what risks or concerns are on their radar and put steps in place to address them. A great starting point is to take a look at their InfoSec Risk Register. If they don’t have one, start building one right away (low-tech is fine).
I will always review the past year of security incidents to find out if there are any urgent or recurring risks that need a quick tactical response, as well as talk to leadership to understand the organization’s risk appetite. Ensure proper risk ownership (because it isn’t usually the InfoSec function’s or IT’s risk) and advise those risk owners so they can make well-informed decisions.
Finally, I’m really big on process analysis. Sometimes, there’s some low-hanging fruit which will allow you to make some minor adjustments to security processes to make them more efficient for all relevant stakeholders. This can also be a great way to help you build positive new relationships throughout the company by making it easier to ‘do business’ with the security function.
What is your perspective on the overall landscape of hiring in cyber security? What must change or improve?
I think generally there are too many jobs out there stating they want someone with 5+ years of experience. By doing so, they are limiting a lot of great potential candidates who are totally new to InfoSec or trying to get into it.
Bottom line, many of the roles we need are trainable, especially in the GRC space. For many of the more technical InfoSec roles, we can find candidates from other areas of IT that are well-suited for security. For example, a software programmer moving into running a Secure Coding program makes complete sense.
What can organizations do to create a positive experience for applicants?
If they are new to security, focus on their aptitude and willingness to learn and just tell them “Hey, it’s ok if you don’t have a ton of experience, we will teach you!” Ask them questions that will shed light on their aptitude/drive and don’t embarrass them with a bunch of high-level jargon-filled stuff that you know they won’t know.
Strong communication is vital. I’ll always ensure that the HR folks and hiring manager (or team) are keeping my applicants informed of what’s going on. Additionally, if you are legitimately interested in a candidate but not quite ready to extend an offer, you need to tell them, because there’s a good chance they could receive or be considering some other offer. It’s not fair to keep people waiting like that, and you could end up losing the candidate you really want.
I think that companies need to get better at finding ways of giving some type of feedback to candidates who have been deselected. I know this is a complicated thing to do and there are legal risks, but it’s a real bummer to get a very generic “it’s not you, it’s us” message that is automatically generated out of the HR system. I want to find a way to give candidates some kind of closure or let them know what they need to do better on. I realize this is easier said than done, but I like a good challenge!
What are your overall thoughts on cyber security product vendors?
When you’ve got a company that is post-breach or facing a lot of regulation, I’ve seen a ton of tools get purchased and it’s not uncommon for many of these tools to become shelfware, or products that just don’t deliver much value.
I’d also say there are far too many vendors and solutions that do the same thing. The space is oversaturated. There are also a lot of solutions out there that just don’t work or don’t live up to the marketing material and promises.
More importantly, there’s a ton of products out there that are only designed to address the least likely risks, and I believe we have a shortage of products that address some of our most common risks, particularly with regards to vulnerability management.
So, are any products worth the hype?
I’ve been a big fan of SentinelOne for many years and collaborated with them in a few areas. They make great solutions and are just good people to do business with. They’ve always had my back when I needed them.
Microsoft continues to invest heavily and they’ve got a lot of great tools today. I’m not going to say they are all exceptional but they’ve got some good stuff. I realize this is an unpopular opinion but I’ve seen these things in action, and they work – it’s a great value proposition too.
A company called Inky makes an awesome anti-phishing solution for email. If your company still has the static red banner that goes on all inbound messages or appends the subject line [Caution – External Sender!], go check out Inky! After people see that standard warning that never changes about 300 times, their brains tune it out.
What is your approach on tooling or retooling for an organization to see ROI?
A requirement for me is for all tools to demonstrate value and/or directly reduce or manage risk to the organization. I look for metrics and reporting that can prove objectively what they are (or are not) providing to us.
I’ll also look at any stalled or slow projects that need to be killed or revamped. Generally, I’d rather have 6 tools that we’re getting tons of value from and exploiting their full capabilities, than have 16 tools that are all halfway implemented.
The bottom line is every tool must be providing the right value, the right capabilities, and at the right price.
What is your perspective on emerging technology in cyber security? For example: AI, Blockchain, Quantum Computing, IoT, Biometric Authentication, Threat Intelligence Platforms, VR/AR?
Lately, I’ve been interested in ChatGPT. I’ve actually published an article recently on how people are using it in pig butchering scams.
On the positive side, ChatGPT has the capability to make it a lot easier for us to do Risk Assessments, quantify risk, etc. I’m excited to see how we can drive value from AI in such ways, but also concerned about what might go wrong.
How do you stay up to date on emerging trends and threats in cyber?
I also participate in a quarterly gathering of local CISOs where we can privately talk about what’s going on: threats, products, processes, strategies, etc. This kind of networking is really useful, and I’d advise other CISOs to get together with other like-minded people in cybersecurity and information security to professionally discuss what they think is happening in the industry. Additionally, this is a team sport and we should be helping others.
When you take a step back to assess emerging trends or threats that organizations need to be aware of, what is at the top of your list?
Theft of IP by China is the top threat and affects many, if not most, companies. This is a major risk to business, our national security, and our economy.
Now, let’s learn a little more about you! What has been your biggest contribution to closing the gap in hiring entry-level employees in cyber security?
I have successfully hired or transferred numerous people from different areas of IT (and even outside of IT) and helped them become exceptional Information Security professionals. I’ve tried to help people while they were working and going to college at the same time, paid for tons of training classes, certifications, conferences, and more to build their skills. My team has also been first in line to ask for college interns and we have converted several into full time employees.
I have personally mentored many people and shared with them anything that is inside my head to make them more effective at their jobs. This massively benefits the overall team and company by growing the total capacity and capabilities we have. It’s been a real pleasure to see them grow and to enter a great career that will serve them well for probably the rest of their working years.
What is your biggest contribution to closing the gap in hiring diverse candidates in cyber security?
I like to look for candidates that have something other than a “straight line path” in their lives. For example, exploring the diversity of where they have worked in the past; I think especially folks who have worked in restaurants or retail bring a great perspective to the team and really know what hard work is. Generally, I like to find people who have done all sorts of other jobs in the past – it just brings a diversity of thought. We also don’t get too crazy on what type of degree people have.
I’ve been saying this for a few years now, but you don’t need a college degree in order to do information security work. I have hired several individuals without degrees and they are some of the best professionals around. I am confident that with the right aptitude and training I could hire someone right out of high school, or even with a GED, and turn them into a great security pro.
I’ve also intentionally sought to fill vacancies with women and other underrepresented groups throughout the years, which has been rewarding for the team and the company.
And finally, your favorite book?
Brad Gorka is a senior information security and technology executive with a track record of building and leading high-functioning teams with a servant-leader style. He has a breadth of technical experience, while his business acumen supports effective communication and collaboration with boards of directors and peer executives.
His career highlights include starting the information security department for Arris with zero budget and personnel, achieving compliance with the ISO27002 framework, and consolidating and rebuilding the entire program after the merger with CommScope.
In his most recent role as Deputy CISO for Norfolk Southern, he co-led the information security function and had direct supervision of four teams.
Brad has an excellent track record of negotiating budget and maximizing value from current tools before investing in new ones. Brad’s unwavering commitment to delivering a people-first culture, strong customer service and depth of cyber experience makes him an excellent leader for any information security or technology organization.