Getting to Know the CISO: John Sapp

Listen to the podcast.

Chris Blum: Hello, everybody, and welcome to the Security Sisters podcast, Getting to Know the CISO. Today we’ve got Suzanne Higgs on here. Suzanne is co-founder and CMO at Security Sisters Network. Good day, Suzanne.

Suzanne Higgs: Hi, Chris.

Chris Blum: And we have the privilege of having John Sapp. He is a CISO at Texas Mutual Insurance Company and was also the CISO at Orthofix, joining us today. Welcome, John.

John Sapp: Hello and welcome. Thank you for having me. I’m glad to be here.

Chris Blum: Awesome. So, as usual, we’ll spend some time getting to know John. We’ll do some fun personal questions and some business questions. So John, why don’t you tell our audience a little bit about yourself in case they aren’t familiar with who you are?

John Sapp: Well, I certainly can. So I started my career, gosh, about 30 years ago. That makes me sound old, but I guess I am. And as a developer, I didn’t go to college. I went to vocational high school, learned to write software in high school, and just went to work. And as I got further into my career, about 22 years ago, I realized that development was not a good path because developers were getting younger, cost less, and knew more languages than I did. And so I transitioned into security risk and compliance because that seemed to be the next wave of where things were going. And so it turned out to be a great time to get into security.

I’ve done many different things, starting as a GRC consultant and advisor for companies like McKesson, where I grew as a security practitioner. I spent ten years there with nine different roles that progressed from that GRC role into a senior director of security activities and productizing security and various security roles. And then transitioned into, got an opportunity to get into a CISO role at places like Orthofix, Bank of America, Oracle, and some of those places. So it’s been an exciting journey, continuously learning and growing. So that’s in a nutshell.

Chris Blum: Awesome, excellent Yeah, I think that’s what I love most about cybersecurity. There’s always something new to learn, and there’s always lots to grow. Okay, so let’s face it, as a CISO, you’re one of the most sought-after executives in cybersecurity. Every startup, every big company, wants to get their products in front of you, and they want to win you over as a champion. So we want to talk about that and how all that works. And one of the questions we want to ask you is, have you ever served on a CISO board as an advisor to one of these companies?

John Sapp: Yeah, so great question. And I’ll tell you one of my pet peeves is that when you reach… And I don’t mind having vendors and service providers contact me to discuss security. It’s when they start with, “Well, hey, I know you’re having these…” And they’ll list whatever challenge fits their product instead of starting with, “Hey, I just wanted to get to know you a little bit.” They always start with a product, and I’ve got the solution for you. This is what Gartner, Forrester, or whoever says are the top challenges for a CISO. And that may be accurate from a general perspective. Still, it usually does not fit the world where I’m operating or the challenges specific to my organization or industry.

So I prefer them just to reach out and ask for a conversation, which I’m perfectly fine with. I’ve participated on the advisory board of several different companies. I’m currently on the advisory board for, I’ll say, one of the top two endpoint protection providers in the marketplace. And it’s an excellent experience because you get an opportunity to provide insight and thought leadership and hear how other CISOs are actually addressing similar challenges that you’re facing. And you get to have a conversation around it. And that’s the thing that works for me. And I’ve had a couple of other vendor solution providers reach out and ask me to join their advisory boards. And really, that’s where I think it’s a great thing for them to be doing because it really helps them get a finger on the pulse.

Chris Blum: Awesome.

Suzanne Higgs: That’s great. Okay, so my turn, John. So what’s one thing you refuse to share?

John Sapp: One thing I refuse to share?

Suzanne Higgs: Yep.

John Sapp: I would say it’s generally things about my personal life, usually relationship status because that can be complicated. I guess it’s the best way to put it.

Suzanne Higgs: Yeah. All right.

John Sapp: So that’s probably it.

Chris Blum: Awesome. What are some of the biggest benefits you’ve seen for the companies where you served on the CISO advisory boards? What are some of the things that make them rise above the other vendors they’re competing with? And do you think the advisory board, how does that influence?

John Sapp: I’ll tell you, you guys have some really great questions because this really just, for me… One of the most significant benefits is, getting insight into the emerging technology and how these vendors solve the problem differently. They’re looking at solving what sets them apart from others. And you get an opportunity to see it without the negative viewpoint of them taking a negative approach to what their competitors are doing. You get a little insight into what’s typically called a battle card and how they are. And they take that battle card, look at it and go, “Okay, here’s how we’re going to solve the problem differently.”

And I think that’s what an advisory board allows you to do from the security practitioner side, and trying to develop your strategy is, what’s next? Because we never get ahead of our adversaries, we’re looking for an opportunity to stay close behind. We’re always trying to do accounts predictive analysis and determine what’s next. Are they going left, are they going, are they going up, down, or somewhere in between? And being on the advisory board and at that level of strategic thought with a vendor is a significant benefit.

Suzanne Higgs: That’s great. Okay. So would you rather have no cell phone access or no car access?

John Sapp: No cell phone access. And I’ll tell you why.

Suzanne Higgs: Yeah, that was my next question. And please tell me why.

John Sapp: I can unplug, and then I can get in the car and go wherever I want to go.

Suzanne Higgs: Oh, that’s awesome.

John Sapp: I can go off the grid, and if I just want to disappear, that allows me to do so without anybody being able to track me.

Suzanne Higgs: I love it. I love that answer.

Chris Blum:  So why do you think so few companies have advisory boards? I mean, I’ve worked in tech for 25 years, a lot of cybersecurity and all startups, and most didn’t take the time to put together an advisory board. And I always felt that was kind of a fatal flaw. So what are some reasons you think so few companies don’t have an advisory board in place?

John Sapp: I don’t think they are looking at it from a strategic thought leadership perspective because it would help them drive innovation if they did. And I don’t think they look at it from that perspective. They aren’t considering. They get so caught up in the technical minutia and trying to create these data sheets that they will sell them right off the top. And what I think they miss by not doing an advisory board is developing a go-to-market plan and strategy that will shorten the sales cycle.

And they don’t understand. They come in, and they go, “Hey, I’ve got this shiny new object, and don’t you love it? Don’t you want to buy it right now?” They’re not thinking about taking into account the procurement process and that whole cycle. And doing an advisory board helps them understand what their sales cycle really could be versus what it is right now. But it also helps them become more in touch with their sales cycle. And that’s been one of my pet peeves is that they come in, and they could truly have a great product, and it could meet my needs or help me achieve those outcomes that I’m after, but they want to do it in two weeks. And we all know that every one of these things goes through a contract process that involves legal, and we know what the red lines are like.

Chris Blum: Six months at a minimum.

John Sapp: Yes. And what they end up doing, and I think by not having an advisory board, they also hurt themselves with the sales forecasting because they don’t understand the sales cycle. And then they get themselves in a position where accounts account executive is now in a place where they’ve communicated and forecasted that they will close a deal in Q2. It ended up being Q4 because they didn’t think about all the other things that had to happen. And sometimes it’s almost like… And this is my opinion, no one has said this to me, but I almost feel like they put me in a position where they want me to help them overcome that by doing whatever I need to do to sign a deal so that they can close it and book it and I just don’t work that way.

Chris Blum: Yeah, I think you’re a hundred percent right on that. I’ve even heard sales teams tell people, “You got to work with them to get the contract signed.” It’s like, “Well, there’s a process.”

John Sapp: Exactly. And I can’t circumvent that process because I find myself looking for a job and not interested in that.

Suzanne Higgs: That’s great. So you’ve talked a lot about your business pet peeves, and I’m adding this one I didn’t have after listening to you. So what would be a personal pet peeve of yours aside from business?

John Sapp: Personal pet peeves?

I would say somebody who comes into my personal space uninvited and or even invited but leaves things out of order. If I invite you to my house, don’t come in and leave a path of destruction, move things around, or just don’t move my cheese.

Suzanne Higgs: What’s funny, JohnJohn, is I’ve always said that leave a space better than how you found it.

John Sapp: Yes. That’s it.

Suzanne Higgs: Yep. Yep.

Chris Blum: Awesome. Okay, so you’ve been on a couple of advisory boards already. Why are you giving up your time to help them?

John Sapp: Part of it is my way of giving back to the security community. I find that the most effective way to have an impact is to be a thought leader and make a difference because we often hear security leaders or IT leaders, in general, talking about wanting to make an impact and making a difference. And I think being on the advisory board is the number one way to provide y thoughts on something. And I just think the diversity of thought is one of the key and critical success factors of innovation, and its advisory boards are the way to gain that level of diversity of thought. And I think I have a different perspective than others, and I like to try to contribute in that way.

Chris Blum: Yeah, I agree. I mean, everybody’s always drinking their accounts predictiveaccountsKool-Aid, and they need somebody to come in and tell them their baby’s ugly. What advice would you give to a company considering an advisory board?

John Sapp: Start understanding what you want to get from an advisory board. Ask yourself the honest question, why do I want to do this? And what am I looking to get out of it As a vendor trying to establish an advisory board? But also, it is reaching out and working with somebody who’s done it before. Don’t try to do it just off the cuff by the seat of your pants because it never goes well. You end up wasting time and money, and you don’t get the desired outcomes that you’re after.

Chris Blum: And so many startups, this is their first rodeo or maybe their second rodeo where they don’t have 20 years of experience working in the industry. So having that perspective can be really useful.

John Sapp: Absolutely.

Suzanne Higgs: Okay, so if you were in a made-for-TV movie, who would you want to play you?

John Sapp: Who would I want to play me? Wow. I’m going to go with Michael B. Jordan.

Suzanne Higgs: Oh. Oh, that’s a great one.

John Sapp: Yeah, I was going to go with Denzel, but that was a little too obvious. I wanted a little bit of a younger version of myself.

Suzanne Higgs: I love it. I love it.

Chris Blum: Okay. So how did you decide which advisory board to be a part of? Is it based on relationships, technology, or a mix of both? Why did you choose to join the advisory boards that you’re on?

John Sapp: It’s really a mix of both. Everything I think in this industry starts with relationships, and I’ve placed a premium on relationship building and management over my career. And that is just, I think, a crucial part of everything I do, whether professional or personal and technology is the other part. I think you’ve got to have an outstanding balance of both. And I’ve kicked the tires on a lot of technologies. I’ve got some of those relationships. People reach out to me and say, “Hey, give me your honest opinion of this technology. Is it something you would buy?” And they’re not in the process of trying to sell it to me, but they just want to know what I think about it.

And that’s why I think relationships and technology it’s a combination of the two because it is one, I like to see emerging technologies. And as I said earlier, seeing people think about the problem differently because of that diversity of thought and diversity of ways to approach solutions to challenges is one of those things that I just feel is what I really look for. And it’s just that, I think it’s just both relationships and technology.

Chris Blum: Do you have an example of a time you’ve been part of an advisory board and your feedback made it into the product or the brand, and how it makes you feel?

John Sapp: So the topic of cyber risk quantification is something I’ve been working on for the past ten years. And one of the things with that is people have solved that problem for years with spreadsheets. And in 2015, I was a CISO at Orthofix, and there was a good friend of mine called me up and as he always did, and said he was the CEO of this group. And so he’s like, “Hey, I want you to tell me what you think about this.” And so I started looking at it, and I realized that what he had done was… We had a CISO round table dinner in a wine cellar up at Napa 2011 during RSA… Best place to do a round table, by the way.

Chris Blum: Oh, for sure.

John Sapp: We had come, so I moderated that round table on trying to quantify risk. And at the time, we were talking about application securities, and how do you quantify that? How do you help people understand the risk versus the reward or the return on the investment from a risk perspective? And so fast forward four years later, those things from the napkins we scribbled on and took all ended up in a Cyber Value-at-Risk product.

Chris Blum: That’s awesome.

John Sapp: Then that turned into a new product on the market that I won’t go into. It does risk modification that actually, when I was at Accenture, I built a service offering around that product, and they continued to evolve it based on input and feedback that I provided into it. And so that is my number one success story for being part of an advisory.

And it wasn’t even so much an advisory board that was one of two advisors to them. They hadn’t created an entire board out of it, but they understood the value of taking insight from somebody thinking along that lines. And that vendor is one that I’m probably going to be circling back with Security Sisters Network because it’s somebody that I would like to see you guys work with to build out an advisory board for them. After all, I think they’re solving, I believe, the next big problem is how to do visibility from a and providing cyber risk governance because visibility is the key at this point.

Chris Blum: Awesome. So what suggestions do you have for vendors looking to build these relationships with CISOs? Maybe they are looking to start an advisory board where they’re, “I don’t even know where to start.” What kind of suggestions would you give them to get that built or started?

John Sapp: Well, the number one advice is to connect with someone with a network of CISOs who trusts them. And then by virtue of… And then they have to have someone who introduces them from a position of trust. Coming out of left field out of nowhere and bombarding CISOs with, “Hey, would you like to join?” And I get these emails all the time for people I don’t know, and I’m not interested in joining a random advisory board for the sake of being on one. It always starts with that relationship. And so, they need to reach out to someone who has trusted relationships and has had conversations with those CISOs who are part of their network. “Hey, here’s one I think is a good fit for you. Would you like to have a conversation about it?” They have to have an introduction.

Chris Blum: Yeah, I think that’s key. CISOs are a very tight community, and they are very sought after.

John Sapp:  We are. And we respect and appreciate that. We want to help, but we also want people to respect the fact that we only have so much time because we still have to do our day job.

Chris Blum: Yeah. Suzanne, do you want to ask the last question?

Suzanne Higgs: Oh, oh, oh. All right. So, John, I can give you a little time to think about this question after I ask you if you want. So don’t say your answer right away.

Chris Blum: Okay.

Suzanne Higgs: But who’s your favorite Security Sister?

John Sapp: Oh my God. Can I say it’s a tie?

Suzanne Higgs: You can. Certainly.

John Sapp: I’m going to go with it. It’s a tie between you and Brooke. I tell you, I was just sitting here thinking this morning about just how far back we all go. And I just have such respect for both of you and appreciation and-

Chris Blum: Oh, thank you.

John Sapp:… I have to go with it. It’s a tie.

Suzanne Higgs: Okay.

John Sapp: I can’t choose.

Suzanne Higgs: I had to throw that one in there. I told Chris, I’m going to ask. Hopefully, he’ll laugh.

Chris Blum: I love it. I love it. Thank you so much for taking time out of your busy day to talk to us. I learned a lot. This was fabulous.

Suzanne Higgs: This was good, John. Thank you.

Chris Blum: Yeah, thank you so much.

John Sapp: Well, thank you, guys, for having me, and I appreciate it. I enjoyed it, and I’m always here for whatever you guys need from me.

Suzanne Higgs: Thank you. We appreciate that, and Happy New Year.

John Sapp: Thank you. Happy New Year to you guys, and we’ll be talking with you soon, I’m sure.

Suzanne Higgs: Absolutely.

Chris Blum: Wonderful. Well, thank you so much. Thank you, everybody, for joining us today, and have a great rest of your day.