“I spend a fair amount of time coaching and educating folks on how to handle personal communications and deal with the quirks that make each person unique.”

Twitter: @x509v3 • Website: www.linkedin.com/in/wdburns/

Bill Burns is currently Informatica's chief information security officer and head of privacy protection, ensuring that customers can trust Informatica with their most important data.

Bill has built and grown high-scale security programs at Accenture, Netscape, Netflix, and Informatica; worked security from both IT and R&D perspectives; and shaped information security investment strategies when in venture capital. His teams have been part of digital transformations on a global scale, incorporating security, compliance, and risk into companies' corporate DNA.

Bill has two computer security patents, is an active startup adviser, and in his free time trains disaster preparedness and emergency communicators in Northern California. Bill has 25+ years of security experience and holds degrees in electrical engineering and business from Michigan Technological University.

Do you believe there is a massive shortage of career cybersecurity professionals?

I believe there's a shortfall, but I don't believe it's as massive as we read in the press. When security is held as a corporate goal and incorporated into the organization's DNA, my thesis is that untapped capacity will reduce the perceived cybersecurity skills gap and improve the overall cybersecurity posture.

I believe there is a shortage of companies that set and enforce an appropriate tone of cybersecurity expectations at a company culture level. There is a shortage of employees with cybersecurity-related goals in their annual objectives and measures, tied to tangible outcomes like bonus payouts or department funding, for example. We still need deep security expertise reserved for career cybersecurity professionals, and this need is growing, but we cannot expect that a dedicated team can be responsible for “security goals” while the rest of the business has “business goals” that are separate and distinct.

Modern business skills now need to include security aspects. A company's cultural values need to be consistent with its security and risk appetite, setting a tone of what is accepted and expected to properly run the business. Otherwise, either business decisions are made in a vacuum, outside the scope of the cybersecurity team, or the business decisions are set and then taken to the security team for sign-off afterward. In the former case, business decisions create a growing backlog of security debt, and in the latter case the security team is seen as a business inhibitor instead of a business partner because the security impact is evaluated too late in the decisioning process to have strategic impact.

What's the most important decision you've made or action you've taken related to a business risk?

We were releasing a new product on a new platform and architecture. There was considerable pressure to release this to market, and while it was a familiar product that we had deployed before, it was on an unproven platform and had very little dwell time—so there was considerable risk of operational unknowns: things we hadn't yet anticipated or experienced. In particular, we were concerned with availability risk: either technical or process snafus that could create unplanned outages while we all got more familiar with the differences in our product on the new platform. We were familiar with our old platform, but it had been a while since we launched with this much operational and process change underneath a product.

Up until that time, our typical process was to release the product to customers and let them experience it in a preview/nonproduction mode, collect feature feedback to incorporate into enhancements and adjustments, and then eventually release it to production. The alternative in this case was to not release/delay the product until it was ready: a binary decision.

As a newly combined product launch/readiness team, some of the members hadn't considered that we had a “third option”: to incorporate security/risk metrics into their readiness checklist. By identifying the failure modes and risk use cases, we could tie risk metrics to readiness triggers that could add a more holistic measure of when the product was ready/good enough to release to the next level. And by setting objective, measurable metrics, we could all observe the same effects over time and make a data-informed decision. We time-boxed the measurement period so that the maximum amount of product delay was mutually agreed upon but reasonable enough to ideally capture a failure that we anticipated.

Because we positioned the problem statement and potential solution the way we did, the security/risk team wasn't seen as the “team of no.” We were seen as a true business partner and aligned to the same high-level business objective of making a great product available to customers as early as practical. We also were actively engaged and part of the solutioning as well, not just pointing out potential problems or risks and leaving it to business owners to figure it out. No one on the team wanted to release an unstable product before it was ready, but everyone was eager to get the early product out to our customers for their feedback.

In the end, we finally launched the product to the customers later than originally planned, but we learned several key technical and process-related lessons during that period. Thankfully, we did experience a previously unexpected failure mode in an underlying third-party architecture. When the product was finally released, the whole team was collectively more confident in the product's operations and stability and ultimately released a more stable product to customers.

How do you make hard decisions? Do you find yourself more often making people, process, or technology decisions?

If I have the time (in other words, it's not an urgent and hard decision), I try to collect and consider as much perspective and feedback about the problem as I can. Getting a broad set of viewpoints about the problem helps ensure that you're solving the right problem and have considered what impact your decision will have on the stakeholders who will be impacted by the decision.

Cultural-level decisions typically have the broadest impact. Those don't (shouldn't) change often, but are most important when you're building from scratch or transforming a company. They also tend to have a lasting impact on stakeholders today and in the future, and they typically also affect downstream policy, process, and technology choices.

How I divvy up focusing on people, process, or technology changes; this is largely dependent on what stage of growth the company and department is in. In the early stages, there are a lot of architecture and technology choices to make—rapid innovation that becomes hindered by too much process, where the team needs to quickly build/test/learn/adapt/repeat. Making the right people choices at this stage are also critical: the amount of responsibility and leverage each new person on the team has is immense. In more mature phases of a company or department, the focus tends to be on efficiency and optimization. There is more emphasis on people, from a process and responsibility perspective (e.g., RACIs/DACIs). The same feedback loop happens—you're swapping out less technology and doing it less often, but you still use feedback loops with stakeholders to stay aligned.

As our programs mature, I find that my teams and I are more frequently engaged on business-process level decisions. In this feedback model, stakeholders operate in a “thrower” and a “catcher” mode—someone is producing output from one process or service, which is received by another person or team. These work units have requirements, specifications, and RACI/DACI “contracts” associated with them.

At the end of the day, I tell my teams that to be effective at business you need to focus on both results and relationships. While the program or project outcome is important, we eventually have to work with another person in our line of work. This means working with people who have personalities and backgrounds different from your own. I spend a fair amount of time coaching and educating folks on how to handle personal communications and deal with the quirks that make each person unique.

What's something that you struggle with as a leader and how do you overcome that?

I struggle with “good enough.” I take a lot of pride in my work and my teams' work. I love to learn new technologies, better ways of working, and new ways to be more efficient and effective. I appreciate lean and MVP approaches, delivering “something useful” that's fit for purpose, and the endless journey to improve something if it's not quite right, especially if you're in a building/innovation phase.

I've learned to dampen perfectionism by collecting outside feedback from stakeholders, measuring value at critical milestones to help quantify when improvements or changes produce diminishing returns on investment. Even if the measurements and feedback are qualitative, the process of getting an outside-in perspective helps counter the inner dialogue to keep improving or solve all the corner cases of “What if…?” When stakeholders and/or I are sufficiently satisfied with a decision or a deliverable, it's refreshing to then get excited about working on the next idea or invention.

One of the most challenging roles in my career was when I went into a completely different industry and role than than I had experienced before, in the venture capital space. Although it was related to a domain I had deep expertise in, the skills and tools used were quite different. It was challenging in different ways, and yet very rewarding—much like I would imagine if an expert athlete trained in one sport had to cross over and become skilled at a different sport. Interestingly, as I got into my groove in the new role, I relied on many of the “soft skills” that I had built over the years and found that my professional network was incredibly helpful in the new role.

How do you lead your team to execute and get results?

Start by setting a clear vision for the high-level objective(s) and share as much context as you can about the decision to be made, the constraints that are known, and the business impact the objective(s) will have. Ask up front what resources the team needs and clear any roadblocks or prewire any conversations you anticipate will be needed.

During execution, ensure that the teams and stakeholders receive and/or provide frequent updates, especially as assumptions or parameters change, and give feedback to key members and/or solicit feedback frequently to ensure you're on course or to make any small course corrections. Afterward, capture lessons learned and share them broadly to empower others to be able to do even better for the next objective.

Do you have a workforce philosophy or unique approach to talent acquisition?

I don't think I have a unique approach, but I feel blessed to have worked alongside so many brilliant, passionate people in my career so far. While I do rely on past experience as a predictor for future performance when I'm getting to know potential candidates, when I ask them about situations they've been in previously, I'm listening for more than just achieving objectives. I'm listening to the context in their answer: what did they learn, how high is their emotional intelligence, what soft skills did they use to accomplish the task, do they have a growth mindset, how well do they handle unknowns and ambiguity, what motivates them to keep doing what they enjoy, how do they stay motivated when doing things they don't necessarily enjoy, and what causes them to move on from previous roles?

Hiring the right person for a particular job is a mix of all of these. Retaining them is also a mix of all of these and is unique to each person-role combination.

Have you created a cohesive strategy for your information security program or business unit?

I've ended up creating different strategies for each of the security teams I've built in my career. Each was at a different phase of the company's journey, each had different needs and constraints, and each had different underlying business objectives. The programs shared similar sets of core services and deliverables, but they were delivered differently because the overall corporate culture was different and/or the stakeholders interacted with the rest of the business differently. It was important in each case for the success of the security program (and the company) to be aligned and compatible with the existing cultural norms and ways of working.

Bringing a high-control, regulated security program into an innovation-driven, rapid growth–phase company would come across as “tone deaf” and ultimately not be successful. This is where it's important that your security program and leadership teams are aligned in terms of both culture and outcomes: if a new security program is designed to support a cultural change (say, from rapid innovation to high-efficiency or increased regulations), then it's important to use that context as the leadership team introduces changes throughout the company and works with stakeholders.

What are your communication tips for interacting with executive leadership?

Here's a few tips:

• To communicate effectively, use the style and method most compatible with your audience (e.g., are they a “bullet list” kind of person or a “storyteller” with lots of detail; are they qualitative or quantitative; do they prefer tables or graphs?).
• Prewire and socialize decisions ahead of time.
• Use bottom line, up front (BLUF). Put your summary up front and then get into the details. Make the summary brief and focused on the business risk and impact. Tell the receiver why you're speaking or presenting to them: are you asking for guidance, providing an update, asking for a decision among choices, providing direction, etc.?
• Don't be afraid to deliver “bad news.” It's worse to withhold news that then becomes a “surprise” (hint: time delays usually don't help make matters better in those situations). It's better to share early and involve executives in the decision-making process or let them know that the situation is being worked on, is under control, and when they can expect a decision or another update. You'll also likely get quick feedback on how/when they'd like to be communicated with for similar events in the future.
• Don't provide a single “option” when asking for a decision. Show your work on how you came to your recommendation, typically from a narrow set of final potential options. This gives them a chance to share some context or experience you perhaps hadn't considered, but be prepared to defend your recommendation.
• When dealing with people I directly support or my peers, I ask a lot of questions, both to learn about the problem space but also to understand how much the person I'm talking to has done their homework and gathered the appropriate context of the situation. Actually, I do that in pretty much every conversation.

How do you cultivate productive relationships with your boss, peers, direct reports, and other team members?

Start with forming a common ground: what problem or goal do we share? Get to know the other party so that you can be of assistance with something you might have now or in the future: expertise, knowledge, resources, or someone else in your network. Understand their communications preferences and style; personal profile queues are also helpful to be more effective and efficient when interacting with them (e.g., Insights, DISC, etc.). Get to know the other person at a personal level too; you're likely going to be spending a lot of time with them throughout the work week!

Check in with your network, even when neither of you needs something specific. Even if it's a quick, touch-base meeting or a short hallway conversation/email/call—you don't want a purely transactional relationship with the folks you work with; we're all humans after all! Sometimes the best exchanges I've had have started with “Hey, I don't have anything urgent, just checking in to see how you're doing.”

Have you encountered challenges collaborating with revenue-generating teams like sales and product development?

Of course, and I've also had the opportunity to be embedded in such teams in order to build and grow new programs. It's given me a new perspective on how those teams operate, what their norms are, and how to best interact with them. The best partnerships I've developed have started with building a shared context and set of goals, in many cases to act as a bit of a “translator” between our organizations and a trusted partner.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

Off the top of my head, only one comes to mind quickly: The Effective Manager by Mark Horstman (and the Manager Tools podcast). While it's not technology- or security-specific, it's excellent, business-centric advice that prepares you to be effective in any leadership role. And for people interacting with leaders, it makes them more effective businesspeople because it provides a glimpse into what's most important (or should be) to the leaders they work with.