Radley Meyers is a Partner at SPMB, one of the nation’s top executive search firms specializing in transformational leadership across technology and innovation sectors. Radley leads the firm’s security practice, placing Chief Information Security Officers who operate at the intersection of risk, strategy, and growth. In this episode, we explore how the Chief Information Security Officer role has evolved from a back-office function to a board-level driver of trust, culture, and enterprise resilience.
>> Craig Gould: Radley Meyers, thank you so much for joining me today on the podcast. Radley, you’re a partner at SPMB, one of the nation’s leading executive search firms specializing in placing transformational leaders across technology, innovation and growth sectors. And you specifically specialize in CISO searches. And CISO is where I’d love to kind of dive in and talk with you more today. It’s a role that’s evolving and is of growing importance. But Radley, I love to start all of these conversations with one common question, which is what are your memories of your first job?
>> Radley Meyers: Yeah, my, my first job was out of college joining Target actually in their in their, their leadership program in Chicago. So I was working in a high risk store on the south side of Chicago running a, basically running a supermarket within a large Target store. And it was really fantastic work. Like it was a, it was an interesting time in the economy. We were in a recession and so I was, you know, I was kind of just looking for any job and at post college and it was a fantastic place to, you know, I was 21 years old leading a group, you know, 2, 100 to 200 people who were older, more experienced than me. And the framework that it set from a leadership and management standpoint was really, really critical in what I’ve gone on to do in my future, but also just setting the standard for hard work. I was in a store, sweeping floors and managing, like I said, a high risk environment. So it was a really fantastic experience that I look back really fondly on, that really set the table for kind of my future in recruiting though. I didn’t know my future was in recruiting at the time.
>> Craig Gould: Well, I mean, I feel like a lot of us have those jobs that allow us to kind of frame the rest of our experiences, you know, even if it’s just like avoiding complaining about the nature of what we do now. Right. Just like, man, I could be from dusk to dawn sweeping the floors and trying to handle scheduling, you know, 100 employees. And you know, sometimes those jobs really allow us perspective.
>> Radley Meyers: 100, 100, 100%. And you know, I’m, I’m from a very blue collar family. And so you know, it was, it was, it was good to kind of reinstill some of those, those habits post college.
>> Craig Gould: So how did you get into executive search?
>> Radley Meyers: Yeah, so I started my career doing, or started my recruiting career, I should say doing venture backed sales roles at a firm called Bets Recruiting here in the Bay Area. And I was one of their first 10 employees. And it was incredible. It was fast paced. We were growing like crazy. It was a lot of fun. I fell into recruiting. I was actually a candidate for Bets looking for a sales job, and kind of fell into recruiting at that time. But during that experience, I knew that I wanted to continue my career in recruiting, but wanted to get out of contingency, which is very transactional, and into something slightly more strategic and higher stakes. So after six years at Bets and helping them grow from, you know, 10 people to 120, opening offices around the globe, I let my CEO know that I was going to be leaving and started to talk to recruiting firms, which was the first time I got to really move careers within my career, my chosen career. And so spent time with about 20 firms in the Bay Area, big and small. And, and SPMB was not originally on my short list. And it was really clear that it became the best fit for me both from a reputation and longevity standpoint, but also just cultural standpoint. So, I jumped in knowing recruiting, but not really knowing executive search. And that was kind of. That jump started my journey into kind of building the security practice at the firm.
>> Craig Gould: I don’t want this to sound like an ad, but what do you feel sets SPMB apart?
>> Radley Meyers: Yeah, I think there’s a couple things that were. And this is what stood out to me actually in the interview process because I was talking to so many firms was. I remember sitting down with Eamon Tucker and Mike Dunan and two of the managing partners. And they were just flatly like, we don’t walk away from searches. And I know that seems like a little thing, but a lot of firms will get to a point where they’re just like, we can’t do this and walk away. And they’re like, hey, keep the final retainer and you know, whatever it is. And we don’t do that. We finish the searches. And sometimes clients will cancel searches or whatever. That’s out of your control. But like, that mentality of we start something and finish something was really core to my values. And so that stuck out. I think how we structure our teams, we put full teams on searches and we take lighter search loads so we can actually be hands on at the partner level. Like those things are, are unique. Even though they seem very, very, you know, like, they seem like common sense. They’re, they’re, they are, you know, they’re core to kind of how successful we can be executing on searches, taking the people who are the experts at the partner level and actually putting their expertise to work for clients. Like that’s, that is I think, a huge, huge advantage for us.
>> Craig Gould: You’re talking about stopping searches and yeah, how that’s not something SPMB does. But related to that, when we start talking about CISOs, sometimes people are asking for you to do a search maybe before they’re even ready and you need to kind of consult them that maybe now’s not the right time for them specifically. Can you kind of talk to that?
>> Radley Meyers: Yeah, I think that’s been something that’s happened a lot more over the last five or six years as security has evolved. And early, earlier stage companies that were never thinking about having a quote unquote CISO are starting to have those conversations. A lot of that is led by the investors and the board seeing scary news and being like, oh, we need to be buttoned up here. So I’ve spent a lot of time with earlier stage companies who think they need a CISO. And in some cases they do. But, but a lot of times, you know, a true CISO is a, is a real executive who should be strategic and action oriented. And, but the strategic part often means, you know, building some level of structure into the organization. And a lot of those companies are really looking for a director who can be a player coach. And, and that’s okay. But, but it’s not a, it’s not a CISO. And so a lot of those conversations really come down to, you know, what are the needs of the business. Are you, are you looking to build a moat or are you looking to appease your, your investors and say, hey, we have somebody leading security. And if that’s the case, you probably are able to hire a director level person to come in and quench that. If you’re looking to expand globally and you need somebody who understands kind of the regulatory environments that have shifted internationally over the last few years. Or if you’re looking to productize data in a way that you need to develop a really strong DevSecOps function, or you’re going public, right. Like at that stage, like it makes sense to hire a true executive. But, but, but, but, and often, oftentimes you’re, you’re, you’re better off having somebody who can be a player coach in that role and maybe grow into it with the company. And so oftentimes, you know, I’ll get on those calls and I’ll tell them, yeah, you don’t need me. And, and they’re not used to. They’re not used to that. Right. They’re used to being sold services and it just doesn’t make sense in many cases.
>> Craig Gould: It’s an emerging role. It’s an evolving role. I assume that in the past it’s been maybe a hat that a CIO would wear and maybe there was a certain amount of whack-a-mole. Right. But can you talk about the drivers that have created the need for it? I mean, is it, is it just the prevalence of data, the necessity of compliance that is growing, the pressures from customers and investors? What has really driven the need to have somebody look over this every day?
>> Radley Meyers: Yeah, I mean, if you. So if you go back 10 years, when I was first starting out kind of doing this work, a lot like you said, a lot of CISOs were still tucked under IT. They were measured on controls and compliance and kind of keeping the lights on in, for lack of a better term, I would say, you know, today it’s a lot of. It’s board driven. So boards are asking CISOs to be more strategic operators. They’re asking them to translate risk into business decisions and outcomes there. So, there’s a few things, I think, that have played into this. Like public companies now have to disclose material cyber incidents quickly and explain governance. So CISO’s work shows up in the 8K in the same way like a major financial event would. And that change has pulled the, the role more into the boardroom. And so kind of once you’re advising at the board level, the job is less about being the traditional office of back office, kind of office of no, and more about figuring out ways to enable revenue and build customer trust and kind of build resilience into the business. And so with that has come like a shift in scope. Right. Like most CISOs are now interfacing beyond that board. They’re with customers, they’re with vendors, they’re with regulators. They’ve always kind of been with regulators, but even more so. And so that has translated into them now, in turn, shaping product roadmaps and shaping vendor strategy, and they’re partnering with data and AI leaders. And so, you know, like I said earlier, many companies over the last few years have recognized that they’re sitting on this treasure trove of data, and they want to figure out a way to productize or monetize that. And so that becomes a product problem, but it also becomes innately a security problem because you want to develop products securely, you want to make sure that data is secure so you don’t run into any other issues. And so there’s just a heightened level of involvement from security teams in this process. And so that’s now taken a shape of some evolution in kind of how the role is titled in scope. So you’ve seen some people experimenting with this Chief Trust Officer that kind of blends security and privacy and reliability. But you’ve also seen that CIO CISO relationship almost flipped on its head in many ways, because a lot of these CISOs have grown up under IT. They’ve absorbed some of the IT functions into the security group as those have blended. And so you’re actually, I’ve actually taken a lot of calls and speaking of advising companies on what to do or not to do, where they’re not hiring a CIO, they’re hiring a CISO who is essentially the CIO. Like they will own IT and security. Instead of having, you know, a CIO who has a minor in security, and having a VP of security who’s the CISO, you’re having a CISO who’s hiring a VP of IT, who’s, who’s more of the de facto CIO. And so that, that evolution has, has really been interesting.
>> Craig Gould: I’ve had this realization lately that there are so many companies that are hanging their hat on AI in the name of their company and how they are branding what they do, how they, you know, it dawns on me that five, 10 years from now AI is going to be a part of every business. And even the ones that are calling themselves an AI driven business, it’s just going to be the engine. And they probably won’t really refer to themselves as an AI business anymore. Right. And so I’m just wondering if at some point this CISO role, is that really going to become the CIO role? And there you’re really, you know, you’re going to need to have that, that security strength in, in your resume and in how you manage. But maybe, maybe not even specifically be called the CISO at that point. I mean, what do you think?
>> Radley Meyers: I think there’s going to be a shift in how the roles are titled. I mean, I have a, I have a close friend who was the CISO at a company called Gigamon and, and, and they’ve now taken the title of Chief AI Officer and Security Officer. And so like, like, you know, these, these, I think these. And this is company specific and, and individual specific. Right. I think the person has to have credibility and experience in order to. But I don’t think, I don’t I just, I don’t think there’s going to be a one size fits all when it comes to companies. And, and these security roles as they evolve, I think you’re going to see different companies in different industry, in similar industries who have people in that security role who have a totally different scope. And so it’s, it’s not going to be cookie cutter. It’s really going to be dependent on, you know, who the CEO of that company is, what the needs of the business are, what that evolution will look like, and then who that CISO is and what, what their depth of experience really is. And I think there’s some trends that are, are, are lending towards a shift there. And, and I think one of them is you go back, you know, 15 years ago, basically all of the security bench of talent was really coming from highly regulated industries. It was banking and healthcare were the two. Or, finance and healthcare were the two industries where you had deep security investment. So you had a deep bench of security people. Technology had security folks, but they were a function of IT and they were to be seen and not heard right in many respects. But as things have evolved, like much of the security bench over the last eight years has been built in big tech companies and emerging tech companies where you have security CISOs who have grown up in engineering and not IT. And so that now creates a totally different breed of leaders who are, who are capable to take on a variety of different functional responsibility. And so that’s where I think the next five to 10 years is going to be really interesting on how it evolves because like there’s, there’s, there’s no, there’s no linear path anymore. It’s, it’s really going to continue to be dependent upon the company, the industry, and kind of what, what shifts we see in technology.
>> Craig Gould: You mentioned there that in the past a lot of those guys had been kind of relegated to IT or, you know, kind of lived in a world kind of separate of the organization. Can you talk about the challenge for some of the folks that are probably really well qualified or well suited for, you know, moving up to CISO that maybe haven’t had the exposure to the entire organization and kind of what the expectations are at the C level in terms of your breadth of knowledge and understanding at the board level, you know, the vision for the company?
>> Radley Meyers: It’s hard because I think the, so often in the past, some security leaders really leaned into having their voices heard by stoking fear and that started to fall on deaf ears pretty quickly. And I think most security leaders also agreed that that was not the, not the proper way to get exposure and a voice at the table when they were, when they were not. I think there’s, there’s, there’s really kind of three things that help to up level the role if you’re, if you’re looking to do that. I think one is, you know, one is just being a strong communicator, you know, making, speaking in plain English, right, making risk legible to the board and actionable to the business is really, really key. It’s got to be simple and straightforward. I think the second thing is really focusing on team building, focusing on being a talent magnet. I think if you are trying to increase visibility into that part of the business, you have to make sure things at home are really taken care of. And so I think when you build a strong team, it allows you to kind of have that 10,000 foot view and then be able to then expose yourself to the folks that are going to have the most influence over the business and how security is then funded. And then I think the last part which kind of falls into that is just being a, a really pragmatic leader, a pragmatic operator and knowing, not focusing so much on what security does and how that can impact the business, but knowing what the business wants to do and what the crown jewels are of the business and then align your security goals with that so you can show immediate. So when you’re, when you’re going back to the first part, which is talking to the board, you’re then aligning what you’re doing with what the company’s trying to do. And I think that will that will always, you know, always help to elevate the role.
>> Craig Gould: You’ve been placing lots of top security leaders. And I’m just wondering from your perspective and your experience, you know, what, what distinguishes a truly world class transformational CISO? What, what does that person look like? What are they bringing to the table?
>> Radley Meyers: Yeah, I think some of this is kind of what I talked about earlier where it’s, it’s being a really strong communicator, it’s being a talent magnet and it, and it’s being you know, pragmatic. I think what’s often undervalued in this is just that high EQ, calm, repeatable kind of leadership under stress persona. You know, having somebody with a steady hand in a breach is worth millions. Right. And so, so I think what people, what people often overvalue is kind of raw technical depth in a single domain. They want somebody who’s kind of seen their product, their industry and can get deep on the technical side. And don’t get me wrong, a baseline industry or technology wise is essential. But at the enterprise level it comes down to influence and prioritization over kind of that encyclopedic or technical knowledge. And so this goes back to what I was talking about earlier. If you build a strong team that can do the blocking and tackling and they’re going to follow you from place to place and they know you well, that allows you to be at that true kind of enterprise level leader who can drive transformation. And transformation comes down to people, process and technology. Everybody thinks of technology and talks about technology first because it’s kind of sexy, but that’s really the rocket fuel. Like if you don’t get the people and process part right, the technology point is totally moot.
>> Craig Gould: What do skins on the wall look like for a CISO? Right? Because I mean you think about a sales organization, you know, maybe, you know, you can talk about. Well I, I grew my head count, I grew the revenue. You know, it looked like this, but for CISO, is it having been in an organization where you, you have no record of any big breaches or is it being able to show that you survived a breach and that you have this applicable experience? I mean like how, how does this get weighted?
>> Radley Meyers: Yes, obviously like not having a material breach is a, is a huge badge of honor for security leaders, but it’s almost like you have to have, you have to go through it. Right. And so I don’t think there’s any security leader out there who is upset that they went through a breach. I think it’s, it’s an, it’s critical to kind of gain exposure to that in order to be successful in that, in the, in the industry. I, I think when I talk. So there’s, you know, there’s obviously the, the, the measurables. Right. You can, you can use a framework and kind of measure. Hey, when I walked in on the NIST scale, we were, you know, a one and now we’re a three. And that’s, that’s shown, that’s kind of shown how we’ve led product program maturity within security. I think when I talk to security leaders, the thing that they wear as a badge of honor is we walked into an organization where security was the office of no. They were the DMV. They were a process slower and a group that people avoided at all costs. And they’re able to say, I turned this around, where security is done by everybody and security is a community effort. And now, you know, the board is talking about security, the CEO’s talking about it on earnings calls. Like when, when security becomes a function of, of, of growth and, and of the business. And that’s, that’s, I think, the number one most important kind of. You said skin on the wall. Like when they can shift a culture to a security culture. Like, there’s tons of other, you know, there’s tons of other KPIs and measurements that security leaders are going to, you know, celebrate. But when it comes down to it, like, that’s, that is the big mover.
>> Craig Gould: How do you match a candidate to a company’s stage and whatever scar tissue they have? One company may need to build something from scratch, another may be ready to scale. Another company may have had a material breach and needs, needs to clean house. Like, how, how do you match the right candidate with the right opportunity?
>> Radley Meyers: Yeah, it’s, it’s, it’s a little, it’s a little like matchmaking in a lot of ways. Right. Oftentimes the easiest answer is, you know, you’re doing a search for Visa. Go look at all the people from Amex and look at all the people from MasterCard. Right? And that’s, that’s generally not where your answer is. It might be, but, but, but it’s, it’s, it’s often not. And so what, what we like to do is really take a step back and say, okay, what, you know, to your point, what are you, what are you going through? You’re going through a breach. Was it a, was it a third party? Was it an insider? Was it just a, you know, a nation state, whatever that looks like? And what stage of company are you. Are you going through a cloud transformation? Are you going through a major, kind of. Right now everybody’s doing massive data and AI initiatives. And then we go back and we’ll do the research or pull on our existing experience and say, okay, what companies went through this before and at what stage did they go through it? And who was the person leading that during that phase? And that might sound like common sense, but it’s, but it’s, it’s not and it’s in it. And it’s a lot of effort on the front end to go and figure out when companies were going through these exact cycles and who was the one leading them through that, because it could be a totally different industry that, that the hiring manager or the CEO would never think that they would hire somebody from, you know, Taco Bell just making stuff up into Visa, right? Because they went through this and it’s not as public that, that, that, that they did go through that. And so it takes a lot of effort on our end, on the front end, to kind of figure out who and where to look at these people from. And then the harder part is matching those personalities. Right? Like, I have to spend a lot of time understanding who the people are at the business, what the culture of that company is, and then spending, you know, hours with candidates who probably sometimes in 10 minutes, I recognize, like, you’re just not going to be this person’s person. And even though everything else kind of aligns, it doesn’t make sense for, for, for the culture or for the personalities are going to clash to make that match. And so, it’s a lot of matching, you know, people and experience and finding them at the intersection at the right time. You know, that. That takes a lot of effort. But, but it’s, but we’ve got a deep network of these people, and so oftentimes we can kind of skip ahead and get to it a little bit quicker.
>> Craig Gould: Corporations are being asked to utilize AI to increase the speed of the operating, the efficiency of the business, try to enable their employees to do more, faster. But that means that if they’re doing it homegrown, the data is just getting bigger and bigger and bigger, and that’s a much bigger footprint that a black hat can utilize AI to, to try to find weaknesses, vulnerabilities. And, you know, the conversations I’ve been having with cybersecurity folks lately is you have to assume breach. You have to assume that the most mundane, smallest corner of your, of your technical infrastructure can be of, you know, vulnerability. And it sounds like AI is, is getting smart about how it’s able to attack in small ways in multiple places in the organization. It’s change. You know, we’re really changing at a hyper rate here. And how do you stay one step ahead?
>> Radley Meyers: AI has definitely created a, a bit of a split screen when it comes to cyber security. Like, on one side, you have attackers that are using AI to scale social engineering and, you know, generate, like, things like deep fakes, and they’re able to move a lot faster once they’re in. And so, you know, things like ransomware. I do an annual survey of thousands of CISOs every year, and ransomware remains the top threat consistently year over year. And AI enables a lot of bad actors in that way. And so you’ve got a massive increase of volume and capabilities that AI helps to allow. I think on the flip side, a huge part of what I’m talking to leaders and candidates and clients about is how AI can, is also companies are figuring out how AI can help defenders kind of triage alerts and spot those anomalies and shorten that dwell time. And so, what’s funny is security teams have historically, outside of a few industries, have historically been understaffed and they’ve always kind of been told to do less or do more with less. And so that’s already ingrained into a lot of these security leaders. And so now I think what’s, what’s interesting is they’ve, they’ve been conditioned to do more with less and now you’ve actually got some of these tools that are emerging that are going to arm security leaders with, with the real options to be able to do more with less. And, and, and so I think that, you know, like I said, it’s, it’s kind of a dual edged sword. Like there’s, there’s this increase, but there’s also this massive, massive growth of new tools. And so I think, I think boards are, boards are asking CISOs to govern AI safely and, and leverage it internally, intelligently. And, but also, but also, you know, giving the, the ability for, for CISOs to go out and help innovate, whether it’s internal tools or internal, internal processes or bringing in external tools to help kind of drive, drive down risk through and drive up efficiency within the security team, leveraging AI.
>> Craig Gould: What would you suggest to somebody that is in the middle of their career and they’ve heard everything you’ve just said about the, the life of a CISO and they’re, they are thinking, well, you know what, I think I’d like to aspire to that. What are tangible steps? You know, if, if somebody is in IT or if somebody’s in engineering but they’re in the middle of their career, what, what steps should they take to make themselves a viable candidate five or ten years from now?
>> Radley Meyers: So if you’re in an adjacent function and want to get into it, I think there’s so many clear overlaps between the two now that you can, you can obviously start to get more aligned with security. And I think there’s still a dearth of talent in, in security. So I think more and more folks who are interested in the work getting into, you know, if you’re in, if you’re a traditional software engineer and want to get into security engineering, like there’s a clear, clear path to start, to start to blur those lines and then, and then ascend in security. I think the best thing for me about the CISO community is the community and I think if, if, if you are looking to evolve and grow and ascend, as I said earlier, like, there’s no shortage of highly experienced, high profile security leaders who will not spend time mentoring you. There’s tons of you know, I even hear about it when I’m talking to leaders like, oh yeah, your, your, your name was in our Slack group or like you’re, you know, the role that you’re recruiting on was shared around amongst us. Or you know, whatever it is. Like this is a, this is a community unlike other executive communities that really is so hyper focused on building great talent and the greater good and spreading that talent out as much as they possibly can. That like, I can’t say it enough. Go out, find mentorship. It’s a, it’s a really easy door to open and that will help to guide, kind of guide these, these, these people.
>> Craig Gould: So how many of the people that you, you talk to have a background in hacking? Because, I mean, it seems like it would almost be helpful to, to think like a hacker.
>> Radley Meyers: Yeah, yeah, anecdotally. So I ask every security leader when I first talked to them, how did you get into security? And I would say, oh gosh, like 70% of them at some point did some form of hacking. Whether it was, you know, whether it was, it was like just when they were starting kind of learning about security and wanted to learn, you know, ethical hacking and started that way or actually had a, you know, early stage career on, you know, as, as a white hat or whatever.
>> Radley Meyers: And so, so it’s a high number. Like it, it really. And I don’t know, I’d have to like, think back to when I first started doing this if that. It feels to me like that number has shifted dramatically where that is where a lot of folks are coming from. And I think it goes back to some of the things I was talking about earlier, but it, but it’s definitely more, more, more of a prevalent answer now than it was for me years ago.
>> Craig Gould: If we sat down and had this conversation five years from now, how do you think things might be different?
>> Radley Meyers: Yeah, I think you’re seeing it happen now and I think, I think we’ll really see the security role functionally change in a couple of ways. I think in product led data heavy companies, I think we see a consolidation towards that trust leadership I was talking about earlier where security, privacy, reliability and parts of safety are kind of under a single executive who owns customer trust as a, as a business kind of KPI. And then and then also, you know, we’ll have a, continue to have a heavier role in leading, you know, product development as a product security organization. So depending on the company, like that’s going to, that’s just going to be kind of who’s leading these, these security organizations. I think you know, one evolution we’re seeing more, more consistently though not, not, you know, it’s not the majority is that CISO role being elevated to a CEO report. I think as, as security continues to be front and center so often, my hope is in five, you know, five years that you know my, my survey I alluded to earlier. You know, five years ago when I first started doing it, it was, it was 10% of security leaders were reporting to CEOs. Now it’s closer to I think 25%. So that number has gone up significantly. And I, and I’m hoping in five years that that number is, is, is the majority and companies are as the, as, as it makes sense and as security leaders are taking on a broader role like, like and security continues to rise in importance, that, that is an outcome that we’ll see.
>> Craig Gould: Radley, I, I really appreciate you being my guest today and I, I want to give people an opportunity to, to learn more about you guys. So where can people find out more about SPMB? Where can people find.
>> Radley Meyers: Yeah, so, more on SPMB is SPNB.com so pretty straightforward there. You know we have obviously are very active on LinkedIn and whatnot. So you can go to our LinkedIn page as well. And then yeah, for me, it’s really on LinkedIn as well. So you know, Radley Meyers, I think I’m the only Radley Meyers out there. So pretty easy to find.
>> Craig Gould: Well again, I really appreciate you being my guest and you know, shining a light on this particular role. It’s really been an illuminating conversation. I really appreciate you being my guest today.
>> Radley Meyers: Yeah, thanks Craig. This is great.
>> Craig Gould: Awesome.