Secret CSO: Gary Hayslip, SoftBank Investment Advisers

Name: Gary Hayslip

Organisation: SoftBank Investment Advisers

Job title: Global CISO

Date started current role: August 2019

Location: San Carlos, CA

Gary Hayslip is an experienced Global CISO with repeated success delivering innovative security programs to safeguard billion-dollar enterprises at every touchpoint. Intensely focused on driving continuous improvement that maximises security program efficiency and minimises costs. An insightful thought leader with proven business acumen and commitment to organisational mission, values, and goals. Demonstrated ability to collaborate at all levels to champion new ideas, gain buy-in, and build consensus. Hayslip brings this wealth of information technology, security leadership, and risk management experience to his role as the CISO for SoftBank Investment Advisers – The Vision Fund & Vision Fund II and SoftBank Group International – The LATAAM Fund, The Opportunity Fund and The Tech Fund. Hayslip’s previous executive roles include multiple CISO, CIO, Deputy Director of IT and Chief Privacy Officer roles for the U.S. Navy (Active Duty), the U.S. Navy (Federal Government employee), the City of San Diego, California, and Webroot Software. Hayslip is currently on four security & technology advisory boards and writes for Forbes Technology Council. Hayslip is an active member of the cyber community with memberships in the professional organisations ISC2, ISSA, ISACA, and Infragard.

What was your first job? I was 12 years old working on my grandfather’s farm and several local farms in the area. I did everything from taking care of the farm animals, clearing out stalls, planting and harvesting food, baling hay bales, and storing it in barns. It was hard work, but I did it, and the money I earned I gave to my single mother to take care of my younger brother and sister.

How did you get involved in cybersecurity? I was working heavily in IT as a Network Architect managing several teams and I found myself constantly looking at the security of the networks and assets connecting to them. In the process of protecting my organisation’s networks, I became fascinated with cyber and gradually moved into the field.

What was your education? Do you hold any certifications? What are they? I have a B.S. in Information Systems and an MBA. Over my 20+ years in IT and Cybersecurity, I have had 20+ different certifications of which I only keep 5 current (CISSP, CISA, CRISC, CDPSE, and QTE).

Explain your career path. Did you take any detours? If so, discuss. My career path started in the military (US Navy) where my job was to work with advanced weapon systems. So, I was heavily focused in electronics, computers, and phased array radar systems. However, I had always loved computers and was constantly working with the IT teams and helping them on the side, and eventually my job changed to that field.

Was there anyone who has inspired or mentored you in your career? I have had many mentors in my career, one of my first was Scott Hammer who taught me a lot about cybersecurity, hacking and the wonders of the Linux operating system. Then there was Palmer Taskerud, who taught me the importance of managing teams and taking care of our customers – our employees. Finally, some of my current mentors are Julian Waits, Macy Dennis, Kirsten Davies, Will Lin, Chris Roberts, and Allan Alford, to name a few, and they keep me grounded and focused as a senior level security executive, servant leader, and mentor.

What do you feel is the most important aspect of your job? Managing relationships and the expectations of my customers (employees, vendors, peers, partners). Managing technology, risk, and compliance is easy, but the people component is hard and it’s a continuous process.

What metrics or KPIs do you use to measure security effectiveness? All of my current metrics/KPIs are focused on impact to business operations. I also report on current projects, resource allocation, and timelines to completion. Periodically, I report on the latest threat analytics we are tracking so the board is aware of what we are managing within the security stack, and I also report on current trends that are impacting the business vertical my company operates in to provide my leadership context on the selected controls we have implemented and the frameworks I follow as CISO.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? I haven’t had an issue finding staff to hire. Our biggest challenge is that some areas take longer to hire staff due to the local laws and regulations. It’s hard when you find a great security engineer and give them an offer and then you must wait 90 days before you can onboard them.

Cybersecurity is constantly changing – how do you keep learning? I focus on reading articles on a weekly basis and reading at least two books a month. I also do a lot of research on specific security related subjects and use that information to write articles and pre-plan new books. I also periodically select a certification I want to work on. Right now I am working on my AWS certs and after I complete them, I will look at IAPP’s privacy certs. To me, continuously learning is how you deal with cyber’s ever-evolving environment. I also am very active in the cybersecurity community and spend time talking with peers, security startups, and vendors. I will also attend events to learn about a new subject and bring all of this information and experience with me when I serve on boards.   

What conferences are on your must-attend list? Typically, pre-COVID I liked to attend RSA, Black Hat, BSidesLV & BSidesSF, Gartner Security & Risk Management Summit, and either ISACA or IAPP’s conferences. This changes a lot if I am keynoting, but on average, I usually attend about six conferences or events per year.

What is the best current trend in cybersecurity? The worst? I think one of the best trends I am seeing is a focus on data security, especially in cloud environments. One of the worst issues is companies trying to recreate a technology that has already been out for 10+ years, with extensive competition. This second issue that drives me crazy is when companies are just repeating the same old “we do it better,” when we don’t want it better, we want something new.

What’s the best career advice you ever received? Just after I finished my MBA, my boss and mentor at the time, Palmer Taskerud, told me it was time for me to leave government service and go into private industry. He basically told me that I had outgrown where I was currently working, and that the Federal Government had no role for me at the level I wanted to go into with cybersecurity, so it was time for me to take the risk and move on. It’s some of the best advice I have ever received from a mentor and friend.

What advice would you give to aspiring security leaders? To really understand this job is a marathon, it’s stressful and you need to have a long view to be successful. With that strategic view, make sure to manage your self-care and also make sure your teams do as well, so you can reduce career burnout as much as possible.

What has been your greatest career achievement? With each of my CISO roles, I have had achievements that I have both learned from and matured with as an executive and servant leader. With the Federal Government and US Navy, my biggest achievement was the consolidation of five corporate networks into one enterprise network for 5k employees in a major manufacturing environment, and then getting that new network certified to Department of Defense standards. As the CISO for the city of San Diego, it involved building the security program from the ground up, establishing the security teams, and assisting with many of the large smart city projects. At Webroot, it involved maturing the Office of the CISO organisation, leading the ISO 27001 certification effort, and helping with the due diligence of Webroot’s acquisition by Carbonite. Finally, at SoftBank, it involved the buildout of a full 100% SaaS infrastructure and security stack, plus providing due diligence services for new investments and vCISO services to portfolio companies. Each role has been unique with different challenges, but I have thoroughly enjoyed them and have continued to mature as a senior security executive.

Looking back with 20:20 hindsight, what would you have done differently? Recognising sooner that soft skills are just as important as technical skills and certifications, especially if you are going to be leading teams and reporting to executive staff.

What is your favourite quote? “In the midst of chaos, there is also opportunity” ― Sun Tzu

What are you reading now? I usually read a professional book and a science fiction book. Currently I am reading Shoshana Zuboff’s The Age of Surveillance Capitalism, and for science fiction I am reading Steven Erikson’s Deadhouse Gates: Book Two of The Malazan Book of the Fallen. I am a huge reader with an extensive collection of books, both digital and paper.

In my spare time, I like to… Spend time with family, write, read books, travel, build and collect Star Wars LEGO sets.

Most people don’t know that I… grow and crossbreed roses – I have about 13 different varieties. I started it years ago to help manage stress.

Ask me to do anything but… I hate washing dishes but to keep my wife of 34 years happy, I will do them, but I don’t like to 😊.