Getting to Know the CISO with Chris Roberts

Join us on our monthly podcast, where we sit down with CISOs from our network of over 15,000 CXOs. We talk about what vendors should and should not do when engaging with C-Level Executives, the importance of relationship building, and some fun questions where we get to know your guest a bit better. 

In this episode, we chat with Chris Roberts, CISO, Senior Director, Boom Supersonic Researchers, about what vendors should and should not do when engaging with C-Level Executives, the importance of relationship building, and some fun questions where we get to know Chris a bit better.

You can listen to our podcast here

Below is a transcript if you prefer to read about our session with Chris. 

Chris Blum: Welcome to the Security Sisters Network Podcast. Chris Roberts is joining us today, and our podcast is called Getting to Know the CISO. So Chris, thank you so much for joining us today.

Chris Roberts: Thank you for having me. Gratefully appreciate it. I got my cup of tea, and I’m awake, which is always a good thing at this time of the morning.

Chris Blum: We’ve also got Suzanne Higgs, one of the founders of Security Sisters Network, here with us today. Welcome, Suzanne.

Suzanne Higgs: Thank you.

Chris Blum: All right. So listen, heads-up, Chris, we want to thank you so much for taking the time to speak with us today, and we’re going to have some fun. So we’re going to ask you some businessy questions and then Suzanne’s going to jump in and ask you some fun questions so we can get to know you a little better because it’s all about building those relationships. And how do you build those relationships? By asking fun, awkward questions of people.

Chris Blum: Tell us a little bit about yourself, your journey to becoming a CISO and any other interesting facts you want to share with us.

Chris Roberts: I come armed with a funny accent. So I’ve been in the US since ’98. I got sent over here in ’98 time, and I’ve been creeping around this bloody industry for more years than I think of. I was joking with somebody the other day. We pre-date anything from Basic to DOS, let alone Windows, for crying out loud. And I’m like, good grief. I feel old. And I think I was fortunate. I worked my way up. When I came out of the military, I went back into this industry when it was just technology, IT. And then we went IT to whatever the heck we ended up going on from there. So I’ve been fortunate. I’ve had my hands literally up to my elbows in tech ever since. And I’ve actually forayed into the CISO role before. Then I took a step back out of it and went back into the dreaded vendor side of the world.

So again, it’s one of those things now sitting in this role much more officially at Boom, as opposed to either running one of my own companies or running for a smaller role as a virtual CISO. Unfortunately, because I see both sides of the coin. I see the vendors having to actually go out there and look for business, but also being able to step back into this role, being able to go look, oh, I’m listening to my needs. And there’s a hell of a lot more of you. And it evolved a lot since I last put that hat on, should we say? Not necessarily all in a good way.

Suzanne Higgs: Awesome. Okay. So on your LinkedIn, you post a little bit about your fur babies. So can you tell us a little bit about what you have, their names, and anything you want to share about them?

Chris Roberts: Yeah. Milo was hanging out here just a minute ago, getting all slobbery because I had one of those stroopwafels. You know the Belgian waffles, stroopwafels. I had one of those for breakfast this morning, and he was just sitting there like mine, mine, mine, mine, mine. Which bit of this are you going to share? Are we negotiating, or am I just going to take the whole damn thing? So we have three Great Danes. We have Milo, Otis, and Daisy. This is going back four and changing years. We looked after our friend’s Great Dane. She was going through a rough situation, so she looked after her Great Dane for a couple of months. Absolutely fell in love with them. Once in my life as a kid, I remember having a dog, and that was about it.

And we had Izzy for a very, very short period of time. I got no fricking real good experience. I have exes with dogs, and I’ve interacted with them, but I’ve never actually had or owned a four-legged animal. So after babysitting Theo for a period of time, we end up rescuing Daisy. And as best as we knew, she was about four-ish years old. Three, four-ish years old. The absolute matriarch of the household at the moment, very grounded, very settled, does not beep or squeak or do certain other things the absolute and is very, very protective of the household. And I was out … Where the hell was I? I think I was at a DEFCON. I was in the madness in the desert. I was at a DEFCON Black Hat, and I got a phone call, “Hey, the place that vetted us to make sure that we were able to have big dogs had got another rescue in.” And it was Milo, and he was 4, 5, and 6 months old.

And apparently, somebody had him and were, like, oh, it’s a Great Dane, and didn’t realize the bloody things actually grow. And so by the time we got him, he could pretty much get up on my shoulders and just look me in the eyes. So I’ve had him now for four years. And then, about a year and a half, almost two years ago, we ended up doing the let’s start from scratch jobs. We ended up getting a puppy, and that’s Otis; he’s now coming up on two years old and is an absolute ham. So it’s really nice having them. They’re all absolutely totally different personalities. And yeah, the food bill gets a little expensive. We buy the pumpkin in six-pound cans because they get pumpkin with their meal. After all, it helps coat and vitamins, all that kind of good stuff.

And I’ve said I went through a rough patch a couple of years ago with just stuff. Life, stuff, work. Not necessarily work stuff, life stuff. And some shit I still have to deal with like falling out from a couple years ago with the One World Lab stuff. And it got pretty damn rough at one point, and yeah, I wouldn’t be here if it wasn’t for Milo, so I owe him big time. So yeah, we go out for pup cups. He’s up on Twitter. He’s up on LinkedIn. We are looking after him. He comes out to a couple of the conferences, and yeah, he’s my buddy.

Chris Blum: That’s awesome.

Suzanne Higgs: I love that.

Chris Blum: Okay. So let’s face it. The CISO, you’re the most sought-after executive in cyber security. Every startup and very big company is trying to get their products in front of you and win you over as the champion. What makes the vendors you engage with and support stand out to you? What are some of the effective tactics you’ve seen that win you over and start to engage with them?

Chris Roberts: I think it’s probably two different things. To your point and, as the CISO, my role, especially at Boom, was to come in … And thankfully, Charles is the CIO over there. Did an absolutely fantastic job of laying the groundwork. So seriously, you did an amazing job of laying the groundwork. So I literally had to come in and go, “Huh, I see what you’ve put in place. Love the ideas. Love where it’s going. Now let’s keep it going.” And so I have my hit list. So I think from a CISO standpoint, it’s two things. One, it has to be something that’s on my hit list and that’s near term, midterm hit list. In other words, what do I have to get done and report to the board in 2022, and what do I need to do for ’23 and beyond? So if it’s not on that list, the chances of me paying a huge amount of attention to it have actually greatly reduced.

Now that doesn’t mean it’s gone away because it might be something where somebody brings to me that, and I go, huh, didn’t think about that. Love the idea. Let’s have a conversation about it. And it gets out there. There’ve been a couple of things that have come up. But that’s a big part of it because I’ve had to put a roadmap in place. And if I put a roadmap in place, the chances are as any CISO, I’m being measured against that roadmap. So anything. Do I want to be distracted along the way? Chances are no unless I’m completely caffeinated. At this point, I’m never going to do my roadmap, which means I failed as a fricking CISO. So that, I think, is where the vendors maybe don’t necessarily recognize that you can’t sell to everybody all the time because most of us have got an agenda that we are sticking to within certain kinds of reasons.

Secondly, I’m fortunate that I’ve been around the block a few times. Let’s be honest. And therefore, I know a lot of the stuff in the industry. I’m very fortunate to know which bits of the building block go together. So if somebody comes to me and goes, I’ve got an advanced quantum entangled engine for endpoint detection that makes it 100% perfect, they’re going to get tasered. And especially when they come to me and go, ours is better than these people’s or these people’s. And we have our stuff installed in these 100 places. I mean, you asshole.

First and foremost, you just rubbish the competition, which is never a good way to deal with me. And secondly, you just gave me 100 different companies you’ve quoted as your contacts about how wonderful they are. And so I think it’s the approach. It’s the approach. One of these things, especially in the Americas, still in Europe to some degree, but especially in the Americas, I’m going to sell to you first. When I’ve taken your money, then we can become friends. 

Chris Roberts: I think the big part of me is … treat me as a human. Come at me as a human, not as another number. It’s a dating game. To be perfectly honest, I don’t want to be another notch on somebody’s bedside table. That’s not what I’m looking for. Am I looking for you to wine, dine, cuddle, and love me before taking me to bed? No, I’m actually not looking for that, either. What I’m looking for is for you to understand who I am and what I’m doing, understand why I’m doing it, and understand the surroundings … Basically, situational awareness. Take the military approach.

I need you to actually understand the lay of the land before you try to actually sell me shit. Because, unfortunately, you’re trying to sell me stuff that maybe I don’t need, and I do, but how you have approached perhaps, it has absolutely failed miserably. We can blame automation for a lot of it. We can blame sales statistics. We can blame the vulture capitalist side of the world. We can blame it’s a money game, not a protection game. We can blame so many different things for it. But at the end of the day, it comes down to the humans. And I think it’s also listening. I ran into a situation. I put a LinkedIn post out a couple of days ago, and I ended up using the weird, crazy thing from the Aliens movie because it was-

I’m listening to this, and it was an engineer. I mean, it was a sales engineer, but it was an engineer that just wasn’t listening. They had their demo, and be damned, they were going to go for it. And 90% of it, I didn’t want and I literally hung up. I got 30 or 40 minutes into it, and I tried to inject it a few times. And in the end, I’m like, I’m done. I just hung up. I’m like, I need my time back because this is not a valuable use of my time. The product might be great. And I might go back and revisit it, but I’m sure not going to revisit it in the same way. So it literally is situational awareness, and that’s tough.

Chris Blum: It is.

Chris Roberts: Because again, I put my vendor side of the world on, I have my metrics, I have my numbers. If you are measuring me by how many calls I’ve made and how many I’ve made and everything else, you’re not going to care about me as a human. You’re literally just looking to see if I get buy signals if I have the money, all this stuff. And it sucks because that’s a terrible way to do business.

Chris Blum: It is. Yeah. I agree. Coming from a marketing background, that always makes it really challenging for me to do my job when the sales team’s looking at numbers. And guys, you need to build relationships.

Chris Roberts: I think the other part of it is as well, and this is where I’ve done the virtual CISO. I’ve done the advisory for a number of companies in the vendor space. This is why I love Dani. Dani is just one of those people that’s family. Dani’s family at the end of the day because they listen, and we work out how to do things right. So when the tech people and marketing work together, then you can see a huge difference in that message. So much of our industry has turned into over promise, under deliver. Just no two ways about it. I will come to you and tell you I’ll install my new software for you in two weeks time, and everything will be perfect and hunky dory. And as a CISO, especially one that’s got a few scars, that’s never the case.

Chris Blum: There’s always a problem, right? There’s always an integration issue or something along those lines.

Chris Roberts: Be realistic with me. Come at me and say, “Hey, look, typically our installs take a month or two. And we are going to have this. We’re going to see this, and we’re going to have hiccups. And as we have those hiccups, we’ll work with you.” Those are the words I’m looking for. I don’t need a vendor anymore. I need a partner. I need somebody who is going to walk with me, right alongside me, and help and not do a change order for a cost change unless it’s necessary. At this point, no problem paying for it. Yeah, it’s tough.

And I’ve said a couple of times on LinkedIn, which is we spend 24 by 7 worrying about the adversaries that we have to deal with and doing what we can to understand how they’re going to get into our networks. I don’t need to spend 24 by 7 looking over my back to see which vendors stuck the new knife in. And I think that’s part of the problem is we are facing too many different foes, especially from within our own ranks. And that’s not easy. So yeah, anybody comes at me and says, hey, I’ve done this. And it’s more than that superficial. Funnily enough, I think people are finally starting to read the LinkedIn post finally because I’ve got an opening sentence: “Hey, I’m approaching you with whiskey and biscuits, and can I sell you shit?”

Chris Roberts: Because you know they read, opening a couple of sentences, but they didn’t look up because I featured a couple of them at the top of my profile. I featured a couple of posts that are like, don’t do that shit to me. You do, and it’s just like, and we’re done because you ain’t listening.

Suzanne Higgs: I totally could agree.

Suzanne Higgs: Are you ready for a fun one now?

Chris Roberts: Go for it.

Suzanne Higgs: So what’s a hobby you enjoy or have enjoyed but you never seem to have time for now? It could be at any point in your life.

Chris Roberts: Oh man, there’s been a couple. Quite a few actually. So I used to do a lot of track and field. I’m very, very fortunate that I got to Olympic trials a number of times for hammer throwing. So typically hammer, some javelin, and discus in there as well, but mostly hammer throwing. And so, for me, it was a stress relief. There were a couple of fantastic tracks. There was actually one here. What the hell do they call them? School of Mines. Colorado School of Mines has a really nice track facility and used to go down there and go hammer throwing down there, which was an amazing stress relief. And I end up training a bunch of the kids down there as well. And it was good and bad because there’s a road that runs next to the School of Mines, and unfortunately, there were a few times when I was doing some speed training that I’d throw and tangle it up right next to the road. So they ended up putting a big side of the cage up for me. Bless them.

So that was great because I used to just basically go out there. Now, there are two reasons why I don’t do it. One time. But secondly, my ass is not getting any younger. I used to lift silly weights and do all sorts of silly things. Yet you can’t. Really frustrating. I’m stupid competitive. I don’t typically do something unless I know I can do very, very well at it. And so I’ve yet to find something else that I’m really happy with. I went back to climbing again, which was really nice. But it was like, I’m kind of grumpy about it. I got a couple of bikes that I must get my ass on, and I should pedal the stupid things.

Yeah. It’s tough. I listen to a lot of music. To me, these days, I’ll put headphones on, or when we move into the new house, I’ll have everything set back up again. But from a hobby standpoint, it used to be track and field. I used to rally drive as well. So I was very, very fortunate years and years ago. I really drove and did some stuff for Prodrive and various other fun teams. And so, again, I’m fortunate. I get to go out in some nice cars and go drive the hills and roads, but I haven’t actually done a rally course in a couple of years. So it’s like, go play again.

Suzanne Higgs: Maybe get you thinking about getting back into it now.

Chris Roberts: Yeah. At some point. At some point. But again, I’ve been upside down enough times as a youth. Again, I’m getting a little old. The gray is definitely gray, not blue when it is. And therefore upside down in a ditch, just kind of giggling is probably not really something I need to be doing too often anymore.

Chris Blum: Well, speaking of upside down a ditch, that’s a perfect transition. So what are some of the worst tactics you’ve seen vendors use? I’ve seen you vent about it, but what are the ones that just get your blood boiling, and you’re just like, “Guys. Come on. Just get it together.” They’re upside down in a ditch in their car.

Chris Roberts: Oh yeah, totally. Yeah. They’re on fire. It’s dump fire day. Let’s see. I mean, some terrible ones. I think some of the worst ones are when the second email, there are the third email comes in on the third day. Day one. Hey, we’d love to connect. Day two. Hey, did you see the message? Day three. Hey, we’re bubbling this up to the top of your inbox. Day four. Hey, look, we know you’re busy. Can you give me some … I just had one this morning. Came in. Hey, I know you’re busy. Do you want to point me to another executive at your company? And I’m like, I’m going to find you too, and I’m going to hunt you down. I’m going to gut you with a spork.

Yeah, that one’s a terrible one. I lit into somebody because they sent Charles, again, who’s my CIO. I have a protective streak for Charles, and somebody sent him the message, and it was like, do you want to be another statistic? And they must have found the worst chart about the amount of companies being breached and all this stuff. You’ll be here as a statistic if you don’t listen to me. I lit into them. I responded back not just to them, but I was fortunate I knew a few people at the company in the leadership role. And I mean, I was not a happy bunny. I’m like, “How dare you do this?” Fear, uncertainty, doubt, all that bullshit. Thankfully Charles knows our industry. Again, another one that’s been in the trenches. Knows the industry, knows the CISO stuff, knows the CIO stuff.

But it’s like, how dare you do that? We don’t sell with fear, uncertainty, and doubt anymore. I think that’s another one. And the other one that I think really annoys the hell out of me is absolutes. When you tell me you’ll keep me 100% protected and all these other words that go along that, basically everything will be fine if only you just buy our stuff.

Chris Roberts: Yeah. I guess add the fourth one, which is the ender, and I had this a couple of weeks ago. Somebody couldn’t get a hold of me, and I said, “Hey, look, not really. Not this.” They went and hit the staff. They went and hit my team. I’m like, and I’m going to kill you. I got a backhoe, and I know how to use it.

Chris Blum: Exactly.

Suzanne Higgs: Okay. So what’s one thing you refuse to share?

Chris Roberts: Ooh. A, I won’t let our company be used. So on the professional side, I won’t let our company’s stuff be used. Secondly, this whole, hey, we’ll pay you $500 for half an hour of your time to share info. No, go pound sand on that one. In my personal life, I put a lot of my stuff on LinkedIn about me and all this kind of good stuff about me, but I also keep any relationships or any of that stuff I had out of life. I’m fortunate I got somebody in my life that actually puts up with me, for crying out loud. And so I’m a pain in the ass. Let’s just be perfectly honest. But I have somebody in my life that actually puts up with me, but I keep them completely out of it.

So very, very few people know who they are, what they are, where they are, or any of that kind of stuff. And I will not share that. That is not something I will share. There are other things I will very rarely share. Viewpoints, political viewpoints typically. I mean, most people probably know where I am. I will definitely share philosophical viewpoints. I will share my viewpoints on how I feel about what’s happening in the world on certain things. But I try to keep that … I don’t want to say the minimum because I can provoke things sometimes. But yeah. There are certain things I don’t share.

Suzanne Higgs: Awesome. It was kind of a trick question. I thought you would just kind of giggle and move on, but I’m glad you-

Chris Roberts: No, no, it’s actually very, very true because there’s stuff that’s out there. I’ll share passwords with people. It’s good luck trying to get in on multifactor, but that’s fun. Have at it.

Chris Blum: So now we’re going to share. So people are listening to this. Maybe some of the vendors that reached out to you got your blood boiling or vendors who’ve done the things you’ve just mentioned. What suggestions do you have for these vendors to work on building the relationship with the CISO so that they can learn from other people’s mistakes and not make those same mistakes and do a better job of actually gaining the respect of the CISO?

Chris Roberts: I think it’s probably a few things. First and foremost, for whatever reason, we’ve evolved two ears and one mouth. Use them in that ratio. We’ll start with an easy one. Secondly, do not treat us like the statistic. I know we are. I know we’re in a database, but do me a favor. Don’t put me in the database that says spam me every five minutes with 25 different things because you think I need it. Because you know what? I don’t. If I’m of any use as a CISO, the chances are I’ve got a good network of people. I tend to ask them before I’m going to look at the propaganda you are sending me. Thirdly, approach with caution. We’re busy. Very. If we ain’t busy, we’re probably not doing that job properly, or we got our priorities wrong. And so respect that. Hey, asking for 30 minutes of my time in the next 24 hours or 48 hours ain’t going to happen unless you have something that literally is the ultimate answer to anything. And by the way, none of you have got it. Fourthly, quit the acronyms. Quit creating more bloody acronyms. Grief-

Suzanne Higgs: Yes, we can all get on that one.

Chris Roberts: I had it. I ran into this, and I will name names here because I am. I ran into this with Attivo. So Attivo was fantastic. But their marketing team decided that they were no longer just deception, that they were going to be the endpoint, this, that, and the other. So they came up with these new sodding acronyms to describe what they did in the endpoint and tried getting them adopted by the market. Apparently, that’s how you get noticed is you get your acronym. I’m like, get the hell out of here. Going off on your own shows no ability to collaborate, no ability to cooperate. Therefore, why the hell would I go with somebody who wants to go out on their own? It isn’t going to happen. That’s a big part of it.

The other one is I don’t need to be wined and dined. Now I think this is an interesting one because I think I probably take a slightly different view than a number of CISOs. I know several others are similar, and others are constrained. To me, it’s a philosophical viewpoint. I don’t want you to take me out for lunch. I don’t need tickets to a bloody ball game. I don’t want any of this stuff. I don’t need you to wine me, dine me and spend money on me because far as I’m concerned, now I’m beholden to you. I’m not taking a freebie. I’m not taking advantage of any of that bullshit. Again, I think because I’ve got the vendor perspective as well. I don’t want that.

The most I want from you is maybe we sit down at a conference, or we hang out, and we sit down and go grab a cup of tea or coffee together. I might let you pay, might not do. Depends on what mood I’m in. Or if we’re to meet at a conference, the chances are I’ve got the whiskey case with me at the conference. So maybe we’ll sit down over a drink and have it. But you turn up with a bottle and give it to me; I’m probably going to give it back to you, but I’m going to say, “Thanks, but no thanks. Go give it to somebody else.” I have no desire to have somebody hold something over me. Whether I like it or not, that’s how I feel.

Chris Blum: That’s a really interesting point of view. I haven’t heard that before.

Chris Roberts: And unfortunately, I know in our industry there are a lot of folks who are, should we say, not of that ilk, which is why these $200 Amazon gift cards and all that crap actually works. Because I mean, it does, but that’s not how I see things. I’m like, you and I are going to do business because it’s the right thing to do, not because I feel bad and need to take a meeting from you because you gave me a $200 bottle of whiskey.

Chris Blum: And it’s funny because we were doing that during the pandemic at my last company. And because we couldn’t do fun things like door openers because you couldn’t send it to somebody’s house. That’s even creepier. And it kind of was lukewarm, and we had an option for a donation, make a donation to a charity. And I was actually surprised how many people chose to donate to a charity as opposed to taking the $200 bottle of whiskey or whatever it was to take the meeting. And we were selling a product that was, at the time, it was very perfect timing because it helped with all the remote workforce, so it was a perfect storm for product. But it was really interesting that a lot of people, probably half, donated the gift to a charity.

Chris Roberts: And I think I have no problem with that. There are a few things I’m doing at the moment where they make a contribution to the Innocent Lives Foundation. And so I see that appear, and I’m like, great, that’s what I want to see. But I’m also very, very careful of who I let that happen with. Because again, I don’t need that. Another one of those beholden things. So it’s a careful balance.

Chris Blum: It really is. It’s tricky. Yeah. It’s challenging as a marketer, too, especially during COVID. Now that a lot of people aren’t in the office, it makes the whole thing even more challenging than it’s ever been.

Chris Roberts: Yeah. I think I’ll look at vendors. There are some good vendors out there who have given back to the community. They’ll hang out at the BSides. They’ll take time. They’ll interact. They’ve got cool stuff going on. There’s one that does a lot of work in the Active Directory space, and they came up with this really cool thing, the Purple Knight thing. And it was fantastic because it was free. I know how much work they put in because I was hanging out behind the scenes on it. But they just dropped it out there for free and said, have at it. There was no registered firewall. There was no, you have to give us information before you … That’s the other thing. Hey, we got this really cool thing. You got to register. No, go pound sand because I know I’m going to get yelled at. Just give me the shit. Worst case, I’m going to break into your bloody website and just take it anyway because it’s easy and fun to do that sometimes. But if you’ve got free stuff, then hand it out. We’ll come back to you. We’ll remember this stuff.

Chris Blum: Yeah. If it’s interesting enough, then it’s going to speak for itself. And if it’s not, then it’s going to be gone.

Suzanne Higgs: All right, Chris, we have one final question for you. Why did you agree to speak with us today? Of all the reach outs and everything, how come you gave us your time today?

Chris Roberts: I think a couple of things, and there’s a little bit of honesty in here as well. A couple of things. One, the way you reached out. It was the conversation, the way it happened. It was not an immediate ask. There was a treat like a human, have a gentle conversation and hey, would you mind? It was the way it was phrased. It was the way it was put together. It was the way it was done. I think there’s a huge part there. Secondly, and probably equally as important, if not more important, I’m not talking to a mirror. So I’m not talking to another old white guy in the industry as blunt as I can probably put it. And whether people like that or don’t like that, I really don’t care. We don’t have enough diversity in this industry by a long way.

And so anything that comes along that’s not … I mean, don’t get me wrong. I mean, there are some amazing podcasts out there and I’m fortunate I’ve started some, I’ve done some and all this stuff. I think that another reason I love Dani is Dani brings multiple different diversities to the table, and I love it because it’s a different mindset. It’s a different viewpoint. It’s a different set of eyes. It’s another way of thinking of things. So I tend to like those conversations more. Very, very truthful. And so I think that brings a lot of it, and anything that I can do on that side of it is just, yep, sign me up. It’s as simple as that. There are the big reasons.

Suzanne Higgs: Awesome. Awesome. Well, I appreciate the time you’ve taken today. I’ll probably reach out to you again. Don’t be alarmed.

Chris Blum: Thanks, Chris. Thanks, Suzanne. This was a great podcast and be sure to follow us and tune in again.