Cyber-attack. It’s an ominous word that strikes fear in the hearts of nearly everyone, but especially business owners, CEOs, and executives. With cyber-attacks resulting in often devastating results, it’s no wonder executives hire the best and brightest of the IT world for protection. But is that enough and do you understand your risks? What if the brightest aren’t always the best choice for your company?
In Christian Espinosa’s new book, The Smartest Person in the Room, he shows you how to leverage your company’s smartest minds to your benefit and theirs. Learn from Christian’s own journey from cybersecurity engineer to company CEO. He describes why a high IQ is a lost superpower when effective communication, true intelligence, and self-confidence are not embraced.
With his seven-step methodology and stories from the field, Christian aims to help develop your team’s technical minds so that they become better humans and strong leaders who excel in every role. This book provides an enlightening perspective of how to turn your biggest unknown weakness into your strongest defense.
Drew Appelbaum: Hey listeners, my name is Drew Appelbaum and I’m excited to be here today with Christian Espinosa, author of The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity. Christian, thank you for joining, welcome to The Author Hour Podcast.
Christian Espinosa: Thanks for having me, Drew.
Drew Appelbaum: Let’s kick this off. Can you give us a rundown of your professional background?
Christian Espinosa: Yeah, I can give a quick overview. I started in cybersecurity when I graduated from the Air Force Academy. My first assignment was in the military at Brooks Air Force base in 1993. I’ve been doing cybersecurity since 1993.
Part of it has been in the military, the Air Force, then I was a defense contractor for several years after that. And then I was a freelancer for about six years and then I started Alpine Security, my company in late 2014. Throughout my career with the Department of Defense, commercial sector, military, I have been involved with cybersecurity along that whole route.
Drew Appelbaum: Now, why was now the time to write this book? You know, besides a large Russian hacking that happened recently.
Christian Espinosa: Yeah, well I definitely did not have more free time, I just decided to make it happen. What happened was, it was probably about four years ago, since I started my own company. I’m responsible for figuring pretty much everything out. There’s nobody else to turn to.
About four years ago, I was at a Zoom meeting, getting debriefed by my team about how a report review session went with a client and one of my lead engineers, he kept saying on that debriefing that the client just didn’t get it. Meaning, the client didn’t understand what my highly technical person was trying to convey to them.
I had heard this many times before in my career, but for some reason, maybe it’s because it’s my business, these are my clients, and revenue was at stake here. I’m not sure what was different, but it just struck me differently, and then all these dots started connecting.
I realized that this is something that is a global problem in my industry. And I needed to take some steps to figure it out for my own organization and through that journey of figuring those things out for my own organization, I figured that this is some stuff I’ve had to learn the hard way and we’re currently losing the cybersecurity war.
So, I figured, something needs to change, and I’ve gone through this journey with my own organization and made improvements in how our clients are able to improve their security. I thought, now is the time to contribute to the industry, contribute something to my fellow cybersecurity leaders, and put down my lessons in a book.
Drew Appelbaum: Now, while you’re writing the book, did you have any major learnings or breakthroughs?
Christian Espinosa: Yes, writing the book was very challenging and I had to do a lot of reflection while I was writing the book. And some of that reflection was seeing myself in these scenarios 15 years ago, even 10 years ago. I was one of the people that were highly technical with the same mindset that the client just doesn’t get it.
I saw myself in a lot of the stories and a lot of the things I was writing about, I saw an older version of myself before I gained the awareness of this problem in a different mindset.
Three Primary Audiences
Drew Appelbaum: Now, who is this book for?
Christian Espinosa: The book is really for three primary audiences. The first one is anyone that is a leader of highly technical people, that’s the primary audience. Someone that is a COO, an IT manager, information insurance director, a CISO, somebody that has a technical team they lead and they’re trying to get the most out of their team and improve their internal organization or a client organization’s ability to protect their data. That’s the primary audience.
The secondary audience is highly technical individuals in cybersecurity that might be struggling with how to communicate with clients, how to communicate with management, how to have more emotional intelligence. They would be the secondary audience.
Then the third audience is really, anybody that wants some insight and kind of a peek behind the curtain of what cybersecurity is like and what the personality types in cybersecurity tend to be like as well. Then also why we have a lot of challenges in cybersecurity, why we are not doing as good a job as we should be doing at protecting client data and keeping devices from being hacked.
Drew Appelbaum: Let’s start from the basics. What’s with people not being able to protect their own passwords? Is this an actual threat at the highest levels? I remember that George Bush got hacked from his password.
Christian Espinosa: Right. These tie together. You can have a super-secure, 20-character password with all uppercase, lowercase, all these other things. But if that password is stolen from a data breach, then it doesn’t really matter how secure that password is.
We’re talking in the book here, a little more, not so much from an awareness perspective of how to secure your passwords, how to develop more complex passwords, but this is a larger issue, which is, “How do we, as cybersecurity leaders, help our people perform at a higher level so they can protect the database of passwords from being stolen?”
Because what happens is, like I said, it doesn’t matter how secure your password is. If it’s stolen in a breach–let’s say LinkedIn is compromised and somebody figures out your password. If you use that same super complex password on hundreds of other systems on the internet, then you’re at risk yourself, and the same thing with a company.
Drew Appelbaum: Now, how much of an issue are cyber thieves? I like that you call them cyber thieves because sometimes, people hear the word hacker and they can’t really relate to it and cybersecurity sometimes think, “That’s above my pay grade.” But everybody knows a thief, and everybody knows they don’t like thieves.
Christian Espinosa: Yeah, it’s a big issue, it’s no different than typical criminals or thieves. But right now, we’ve got a lot of people that have shifted their criminal revenue-making model from more traditional attacks to cybercrime because cybercrime can be more lucrative. It can be hard to get caught and it’s relatively simple to get a big return on your investment.
Drew Appelbaum: Now, what does protection against these thieves look like? Can you give us your definition of cybersecurity?
Christian Espinosa: Cybersecurity from my definition point of view is reducing the risk to an acceptable level that somebody can alter your data, steal your data, or create an outage for your customers. The reality is, we’re never going to reach a point where your data is 100% protected. It’s about reducing the risk to an acceptable level.
Drew Appelbaum: Now, why do you say that cybersecurity measures as a whole are not nearly good enough right now?
Christian Espinosa: Well, I don’t think you have to take my word for it. If you listen to the news or read the newspaper or anything, there’s a different data breach pretty much every single day. We just had one a couple of weeks ago that affected the most secret areas of the government supposedly, and many corporations, the SolarWinds breach.
These things happen on a routine basis and it always makes me think, “If we’re so good at what we’re doing, then why are these things still occurring on a daily basis and on a massive scale?”
It’s almost like, just when we think the biggest breach has ever happened, a week later, there’s a bigger one with more users compromised and more data compromised. What we currently have been doing that has not been working is really the challenge we have.
Drew Appelbaum: Now, you take an interesting turn in the book and you say that the software itself is pretty good, but the people and their egos are at the nexus of the industry’s failings. Can you talk about that?
Christian Espinosa: Yeah, there’s a lot of emphasis in cybersecurity on technology and the process, and some on people. The bottom line is, in the industry, we keep looking for the silver bullet from a technology perspective, this new firewall or artificial intelligence, or intrusion detection system that’s going to solve everything, but that’s not the case.
The people and their egos are at the nexus dimension. Primarily because, from my experience, the personality types that are attracted to the industry tend to want to be the smartest person in the room, which is why I titled the book the title I did.
What that prevents is some open communication that prevents somebody from saying they just don’t understand something. It prevents simple solutions because people think if the solution is too simple, you know, they’re not smart enough to come up with a more complex solution.
But really, if we were to analyze most of the most recent breaches, it’s typically because of a misconfiguration or an unpatched system. It’s not some super complex way somebody got into the environment.
Look for Fit First
Drew Appelbaum: When you’re hiring, are there some techniques that you have used to make sure that you’re getting the right people in your organization?
Christian Espinosa: Yes, and this is not a perfect process. Some of the techniques that we’ve used that we’ve had success with is to look for someone’s motivation and behavioral characteristics first, to see if they’re a good fit culturally and a good fit for the position.
This could be something like a DISC assessment or a TriMetrix HD assessment, but looking at the person from a more holistic perspective, instead of just their technical skills. In the industry of cybersecurity, there’s a lot of organizations that make hiring decisions purely on someone’s college degree or certifications, which don’t necessarily equate to how effective that person may or may not be at the role that they’re going to be put into.
Drew Appelbaum: Now, specifically for one of the top roles, the chief information security officer, what should companies look for when hiring for that role, and in terms of what you’ve seen with other companies, have they been doing a good job with these hirings?
Christian Espinosa: So, what people should look for, for a CISO role is not somebody extremely technical, is the easiest way to put it. That role is really a C-level role, a chief role that primarily interfaces with the board or CEO. For that role, they need to understand cybersecurity in terms of the overall business, and how cybersecurity can mature with the business. It is more of a leadership-type role so that I wouldn’t say being able to go configure a firewall or have hands-on-the-keyboard-type skills is a requirement for a CISO role.
It’s more about how to communicate effectively, how to understand strategy, and how to implement that strategy that aligns with the business goals.
Drew Appelbaum: Now one of the cool things about your book is that you don’t just write about, you know, a how-to on various topics. You actually bring a lot of yourself and your career into the book. You had a successful career in cybersecurity with the military and then at the public collaboration, you know, you went on your own for a while, and then you decided to leave a pretty comfortable job and start your own firm. What caused this decision for you?
Christian Espinosa: Good question. I had a job where I was the VP of the company. I was making a good salary and was living the American Dream, as some people would say. I had met the definition of success according to a lot of people, but I wasn’t feeling fulfilled. There was some misalignment between my view and the CEO’s view. I just felt like there was more that I could be doing, so I decided to leave that job and it was the first job I had left without having something else lined up.
I decided, “You know what? I’ve had enough.” Something just snapped for me and I just decided, “I’ll figure this out without having the job lined up, but I’ve had enough of this.” What I was doing had a lot of merits, but it wasn’t really congruent with who I felt I was. I just decided to quit. And after I quit that job, I started a freelance career and worked with all my contacts. And after five or six years of that, I decided that freelance work was easy.
I was making a lot of money, but I didn’t feel like I was growing as an individual. I thought, “What other way to grow besides start a company? So, I have to grow so that the company can grow. And then I can hire people and contribute jobs to society.” Contribute on a higher level.
Drew Appelbaum: Now when you went off on your own as you said, you did a lot of hiring, and to make sure you did the right hiring you created the secure methodology and a method to show you exactly how to boost your technical staff’s people skills so you could have open, honest, and effective communication. Can you tell us a little bit about the secure methodology and some of the steps involved?
Christian Espinosa: So, the secure methodology is what I ultimately ended up creating with my own company. I had, kind of through trial and error, and a lot of testing, implemented and trained my people on various aspects of this methodology. And then when I started writing the book, it became more and more clear that this methodology really had seven major steps to it and the steps go in order.
The first step is awareness and with awareness, if you’re not aware of your interactions in the world–your blind spots, your world view, then it is going to be hard to change. So that’s why that’s step one.
Because I tie all of these steps to the industry as well, we talk a lot about that this is what I coined, “uninformed optimism.” It’s almost better to have your head in the sand and not know how badly your security posture is. That’s a mindset a lot of people have but when you have informed realism, then you’re in a position to change and a position to improve but you have to be comfortable with that informed realism.
Then the second step in the methodology is mindset. Without having a growth mindset, then you’re not going to want to take the other steps in the methodology. And the growth mindset is really realizing that if I have a high IQ, for instance, I can also develop my EQ skills. They’re not mutually exclusive. A lot of people like to use that as an excuse to not develop people skills, basically.
The third step in the methodology is acknowledgment. And this is something I struggled with in the past, which is acknowledging the work I’ve done to get to where I currently am. With highly technical people, it is a challenge to develop technical skills, although, they should be acknowledged for where they’ve gotten to from a technical perspective and the skills they have.
The fourth step is communication. Communication is a massive topic within itself. Within the world of cybersecurity though, communication is extremely important. There’s a lot of speaking over people’s heads in cybersecurity and there’s a lot of poor listening if you’re trying to explain a problem. If a highly technical person is trying to explain a problem to a board of directors and the board of directors is not receiving the message, then the communication is not effective.
I am a big fan of the saying, “A way to measure how effective your communication is, is by the response you get.” If your clients or your board of directors or your management or your girlfriend or anybody is not responding the way you intend to, then your communication is part of the problem.
The fifth step is mono-tasking. I am a big fan of mono-tasking. In the world today, we like to talk a lot about multi-tasking. But the reality is, with multi-tasking we end up doing a lot of things but getting nothing done. I talk about mono-tasking in the book because, in order to move the needle with cybersecurity and to be a better communicator, we need to mono-task and be present when we are listening to somebody.
Because if we are trying to communicate and we’re multitasking, our mind is not there, and we are going to miss what the person is asking of us. I talk a lot about mono-tasking from the point of view of how to be more effective with your time and also how it affects being present with people you’re working with.
Then the sixth step is empathy. One of the challenges with highly technical staff is empathy. And in our world today, we focus a lot on our differences rather than what we have in common or our similarities. It’s hard to have empathy with people when you purely focus on the differences. For example, in cybersecurity, there are the engineers also known as the nerds or the geeks, and then there’s management, then there are the customers.
There are all these groups, and the reality is they’re all just humans with a different role or different job to do. If you look at the similarities, it makes it easier to communicate and to understand the world from that person’s point of view.
The seventh step is Kaizen. Kaizen is just a Japanese word for constant and never-ending improvement. When we’re looking at the secure methodology, it’s really a journey to improve your team’s ability to win the cybersecurity war and also improve their ability to be better human beings. It’s not a panacea, it’s a journey, and that the journey is going to be different for everybody. It is important to understand you’re not going to master these skills from day one.
For instance, we can always become more aware, mastery is a journey, and it’s important to take the baby steps and realize this is not going to be an easy journey but as long as you’re improving that’s all that we can shoot for.
A Step by Step Methodology
Drew Appelbaum: Now what is the balance in these steps? Can you pick and choose the ones that catch your eye in the beginning, or is this something where you really need to go through the steps one by one as they build on each other?
Christian Espinosa: You can look at it both ways. Realistically, you need to go through them, at least from my point of view, in the order I have laid out. But you can take any step, read that step and learn something from that step and implement it immediately.
If you’re used to multi-tasking and you read the chapter on mono-tasking, where I talk about how to schedule your day using time blocks, for instance, that is something you can implement immediately and get some return on the investment from it. But if you just read mindset without looking at awareness, it is hard to have the proper mindset unless you have some awareness of your own blind spots. They all build on each other but some of them you can take individually and apply as well.
Drew Appelbaum: You also offer a lot of resources along the way in the book. Can you talk about some of the resources found inside of it?
Christian Espinosa: I don’t remember how many different resources there are, but as you are going through the book, I want to at least point them towards resources to help them improve their ability. Some of the resources are as simple as another book to read or an exercise to do such as, like, ‘The Seven Levels Deep’ exercise, which is really about finding your underlying root reason for doing things.
I give exercises like that, and I tie in my own experience, where applicable because I wanted the book to not be theoretical. I want it to be, that you can apply the information and it is tangible. That was one of the requirements I had when I wrote the book–I wanted people to not just read this and think, “Oh that’s cool. You know that’s something that sounds interesting.” I wanted them to read it and if they wanted to really improve in these areas, I wanted there to be enough information from me, as well as additional resources to help them connect the dots.
Drew Appelbaum: Yeah, it’s very much where you lay the groundwork but if you do use those resources, you can tailor it to your individual situation, which is really great.
Christian Espinosa: Yeah, exactly.
Drew Appelbaum: Christian, I just want to say writing a book especially like this one that’s going to help so many business professionals out there is no small feat, so congratulations on finishing, writing, and publishing.
Christian Espinosa: Well, thank you.
Drew Appelbaum: Now one last question, if readers could take away only one thing from the book, what would you want it to be?
Christian Espinosa: That’s a good question. There are a lot of nuggets in the book. If I had to narrow it down to one thing, I would focus on the ego. There’s a saying I have in the book that “your ego is not your amigo.” Because ultimately, our ego shows up in lots of different ways that can negatively impact your life, and we don’t even realize it because our ego is trying to protect this identity, that we don’t necessarily need to protect.
This is important to me because when I was in college, my grandfather had a heart attack over Christmas break. I was there in the waiting room and he was basically dying, and for some reason, I couldn’t even hold his hand or tell him I loved him because there were people around, nurses and staff, and I felt embarrassed. I basically denied my grandfather something that I should have told him, and it was because of my ego. Because my ego was in the way and I have felt horrible about it ever since.
Drew Appelbaum: This has been a pleasure and I am really excited for people to check out this book. We just scratched the surface here. Everyone, the book is called, The Smartest Person in the Room, and you can find it on Amazon. Christian, besides checking out the book, where can people connect with you?
Christian Espinosa: They can go to my website. It’s christianespinosa.com, they can connect with me there or on LinkedIn, Twitter, the normal social media channels.
Drew Appelbaum: Thank you so much for coming on the show today Christian and best of luck with the book.
Christian Espinosa: Thank you, I appreciate it.