Q&A with Christopher Gerg, CISO in Residence
From IT support to industry leader, Christopher Gerg shares his journey, lessons, and advice for success in cybersecurity.

We’re excited to welcome Christopher Gerg as CISO in Residence at SecurityPal. Christopher brings a wealth of expertise, drawing on decades of experience navigating the complex and ever-evolving cybersecurity landscape. Over his career, he’s held pivotal positions, including serving as CISO at Perforce and Tetra Defense, where he tackled challenges in highly regulated industries such as banking, healthcare, and government. With a foundation rooted in hands-on technical roles — ranging from Windows system administration to network security management — Christopher has built an impressive repertoire of skills that he leverages daily.
In this Q&A, Christopher shares his path from technical support to CISO, key insights on leadership and communication, and advice for aspiring cybersecurity professionals, offering a candid look at the skills, strategies, and lessons that have defined his career.
Can you share a bit about your journey into the field of cybersecurity?
I like to say that I have mud on my boots. I started my IT career working for Microsoft doing third-shift technical support for the launch of Windows 95. That was a baptism by fire. From there I was a Windows system administrator. I then moved into network engineering, and then was invited to join a new team that was being built that did penetration testing. I was lucky to join some of the most intelligent and clever people I have ever worked with. The company I worked for was building out data centers and had a lot of highly regulated tenants. I moved from offense to defense and became a network security manager, where I did a lot of work with preventative and detective controls as well as intrusion detection systems.
Leveraging this experience, I wrote an O’Reilly and Associates book, “Managing Network Security with SNORT and IDS tools”. From there my career included Security Architect, compliance audit QA, CISO, and consultant in various regulated industries: banking, finance, payment card, healthcare, state and federal government, defense department, and nuclear. I still fall back on my experience as an admin and network engineer every day. The fundamentals I learned as an admin and network engineer are invaluable.
What are the biggest challenges you've faced in your career as a CISO, and how have you overcome them?
Managing teams and being a part of the leadership team for a company has its challenges (that are not unique to the role of the CISO). The CISO has additional challenges — primarily communicating the ROI for investment in something that (if successful) results in something not happening. If your controls are functioning well, your company does not get ransomware or become a threat to its customers through a supply chain attack.
The only way forward for a successful CISO is strong communication skills and relationship building. The bottom line is that it is demonstrably true that a secure environment is an efficient and predictable environment. You can have security without it being a bottleneck. Having your finger on the pulse of what’s going on in the industry and sharing that information with the leadership team keeps their eye on the goal — don’t end up in the news like these other organizations that don’t take the risks seriously.
In your experience, what skills are most critical for success as a CISO, and how can professionals in the field develop them?
The technical stuff is important. You need to know what you’re working with and first-hand experience is invaluable, but the essential skillset is around communication. You need to help non-technical people understand the risks the organization faces and the most effective way to reduce those risks. It involves diplomacy, compromise, consensus building, and trust.
Often the security aspects of a decision are just one of the variables in the calculus — the business might overrule what you’d ideally like to see happen. Developing communication skills involves (very often) checking your ego at the door and trusting your technical experts as well as the experts in other departments to understand what they are working with (all while looking at things with a critical eye). Buddhism and Stoicism are good teachers here (only slightly joking). Ironically, the best way to develop communication skills is to talk less.
Could you discuss a project or initiative that you’re particularly proud of? What made it successful, and what lessons did you learn from it?
I was brought into a company that was essentially three companies bolted together by a private equity company to be the CISO. I did an initial threat, risk, and information security maturity assessment to get the lay of the land. (All security projects start with an inventory!) I found that it was unsurprisingly three different IT departments who each did things very differently. I had a conversation with senior management about the risks of all this (which are innumerable) and was handed ownership of the entire infrastructure and engineering department. I agreed to this with a limited timeline. Once the teams were unified and we had a single way to work, it would get handed off to a VP of IT (or equivalent) and I could move on to focusing on being the CISO. It was successful because of a good group of people that really wanted to do the right thing — I heard repeatedly, “Just tell us what to do and we’ll do it!”
Long story short, it was an exercise in standardization and consolidation of technology, teams, and process. We literally had t-shirts printed with “Pick something, dang it.” on them. I learned in this effort about the value in choosing technology and solutions that work with things you already have and already know how to use. You don’t always get the latest and greatest technological marvel available, but having something that works and provides sustainable benefit is much more valuable.
What are some common misconceptions about cybersecurity that you've encountered, and how do you address them in your work?
That cybersecurity is a cost center. I have seen and demonstrated several times that a secure environment (one with updated operating systems and applications, robust and repeatable processes, mechanisms that work well together and are well monitored, and well documented requirements) is efficient, reliable, and effective. That way you’re not stuck with trying to calculate an ROI that something didn’t happen as your metric (although there is ABSOLUTELY a return on investment for an organization not getting ransomware!).
How do you stay current with the rapidly evolving regulatory landscape and emerging risks? Any specific resources or strategies you recommend?
There are a wide variety of threat intel sources (and general technology news). A nice curated list is here: A curated list of awesome Threat Intelligence resources.
Other worthy mentions include:
My advice? If something looks interesting, dig deeper. If you find a rabbit hole, jump in and explore it to the end.
What advice would you give to someone who is just starting their career in cybersecurity?
Find a particular aspect that interests you. Saying “a career in cybersecurity” is like saying “a career in construction”. There are many different paths to take — governance, compliance, threat hunting, code review, application security, cloud security, assessment and audit, SOC/monitoring, EDR/MDR, etc… Find someone in the industry who’s been around the block and ask their advice. Heck, reach out to me if you’d like.
How do you approach collaboration between security and company leadership to ensure strategic alignment?
Having a seat at the table is vital. You need to know what the overarching business and technology strategy is to ensure that you’re aligning with the goals of the organization and that you have a good pre-emptive understanding of the risks associated with that strategy. Plan ahead and think about what might break (and then go back to my comments about relationships, trust, and communication).
What trends do you see shaping the future of cybersecurity, and how can organizations prepare to adapt to these changes?
Consolidation in the industry brings some opportunities for standardization and consolidation. It seems that we’re in an industry phase where a lot of mergers and acquisitions are taking place. This can bring some chaos, but it helps you with the path of finding solutions that work well together (getting you closer to the fabled “single pane of glass” to manage everything). Another important trend and change that is starting to happen: the days of VERY inexpensive cybersecurity insurance are coming to an end. Not only is it going to be more expensive, you’re going to need to do a lot of work proving to the insurance company that you have a robust information security program to get a palatable rate (or coverage at all!).
Looking back on your career, is there anything you would have done differently? What would you consider your biggest professional lesson?
Honestly, it feels like each step in my career has built on the last (and everything I learned has been useful). I might have done a better job investing and saving for retirement, but I’ve met amazing people and done interesting things. What more could you ask for? I’ve worked remotely for 25 of the last 30 years — I have helped many people figure out how to be successful doing so during the global panini of 2020 and beyond (joking, of course — the COVID pandemic). My biggest professional lesson was the importance of getting to know people in the company that aren’t part of your team (particularly in IT and information security). Building trust and establishing credibility is vital.