Data in the modern security org: a chat with Julie Chickillo, VP and Head of Cybersecurity at Guild

32:39 VIDEO

This episode features an interview with Julie Chickillo, VP and Head of Cybersecurity at Guild, a learning marketplace offering classes, programs, and accredited college degrees for working adults. Julie has over 20 years of experience in Information Security Governance, Risk and Compliance, Threat & Vulnerability, IT Audit, Privacy, DevSecOps and Legal. Julie has been recognized with the APEX CISO of the Year Award in Colorado and is one of the inspiring leaders of the Lacework Secured by Women Initiative.

Time Stamps

What does Guild do?
How does Julie’s team act as a business enabler?
Tell me about the merging of data ops and security
Is data scaling like security?
Is it worth having a data ops person on your cybersecurity team?
When do you know that your data is secure?
How is privacy keeping up with this shift to a data focus in cybersecurity?
Understanding the current and emerging threat landscape
What makes a good leader?
Guild is a woman-led organization. What advice would Julie give to women leaders in security?
Open Transcript

[00:00:00] Andy Schneider: Especially if you’re in the cloud, your data is moving very fast. We’re starting to see some really great technology coming out, and just a practice around. Not only where the data lives, but how you’re securing it, where it lives, how you secure it when it moves, and then understanding the privacy impacts. And really digging in, and understanding how many databases are there as just, it’s a really fascinating part of the industry that I’m very excited for.

[00:00:28] Andy Schneider: Welcome to Code to Cloud. I’m your host, Annie Schneider. And with me we have today’s guest, Julie Chiqui, vpn, head of Cybersecurity at Guild Education. Julie has more than 20 years of experience in information security, governance, risk compliance, threat vulnerability, IT audit, privacy. A couple of others and legal, we will talk about that legal as well. I’m Julie. You’ve won the Apex CS of the Year Award of Colorado and you’re one of the inspiring leaders of our Lacework Secured by Women Initiative. Welcome to the show, Julie.

[00:01:01] Julie Chickillo: Thank you. It’s great to be here, Andy.

[00:01:03] Andy Schneider: So before we dive into security, um, help me explaining what Guild Education is doing.

[00:01:09] Julie Chickillo: Sure. Um, Guild is a late stage startup and we help large companies, with their, uh, career advancement program. So we help their employees, find the right program for their career advancement path, choose a school or maybe a certification. we then coach them to stay in school, uh, and then help facilitate the payment. Back to the, uh, school, uh, without the students ever being out of pocket on money. So it’s a, it’s a great way if you’re looking to build up your, staff internally and you want to promote from within, it’s a great program to get involved with.

[00:01:44] Andy Schneider: Okay. So it’s some kind of marketplace you could say

[00:01:47] Julie Chickillo: It is a marketplace. Yeah, exactly.

[00:01:50] Andy Schneider: cool. So let’s start and dive into security. what our listeners usually are interested in, 

[00:01:55] Andy Schneider: how do you get security being a business enabler?

[00:01:59] Julie Chickillo: one of the first things I’ll do, uh, when I come into a company, I actually, take quite a bit of time to support the sales team first, uh, since this is actually one of. I think one of the areas, CISOs actually hate them a lot, but it actually gets you a lot of goodwill very, very quickly. And so when I move in, one of the first things I do is find out how to support the sales cycle. How do we help move the deals along? So once you can get into the contracts, that’s gonna help you a lot to understand the business. the stuff in the contracts is, is what’s important and you’ll start seeing what they’ll fight for, in the contract. So that’s one of the ways, that I do an imme. I get immediate, uh, kind of kudos or Bronny points, uh, when I start supporting sales. Um, the other thing when moving into a practice is I actually don’t attempt to change anything very quickly. Obviously, if there’s, a pretty big flaw that could cause major problems, we will work on that. But assuming you’re walking in and things are. Pretty okay. They could be better, but they’re okay. I kind of do a listening tour, stop and listen. really make a point to go to all the business meetings that I can get myself into. Go to all the strategy meetings and just listen for a while to understand like, where are the important pieces of the business? And really going back to those teams and, finding out how you can support them, before you even ask them to change anything. And I think that’s, that’s one of the big misses that we see in security or we have in the past. I think the a lot’s changing there, whereas security. I had a ciso he used to say, we can’t walk in with the big stick of No. and so he was very, very, very big. Early on in my career. I had a great CISO who, drilled into us, if you’re not supporting the business, you’re out of the business. And so I think just really having that mindset and understanding it’s not just about you. There’s a bigger business. That you really have to pay attention to.

[00:03:51] Andy Schneider: absolutely. there’s one thing, I listened the Data Cloud podcast, maybe for our listeners, you can look that up. Data Cloud podcast and then look for Julie. You will find it. It’s very interesting where you talk about DataOps. It was more. DataOps than really, let’s say cloud security. But there was that, you were talking about the emerging disciplines of. Data ops and, security operations. And this was really fascinating could you walk us through what, what’s on your mind if you think about data ops, security ops, and the emerging, of these two disciplines?

[00:04:28] Julie Chickillo: I think it’s been a couple years in the making. We’re starting to see data ops. not every company’s gonna have a data ops team, but we are starting to see this becoming. Really important to most companies. If your data’s moving very, very quickly, uh, it’s sort of like at the beginning of the DevOps, practice where you were starting to see how can we ship small things? How can we move very quickly and how can we make small changes, with big impacts, uh, without having to wait six months for it to happen? You’re starting to see, or not starting, this is happening in the data ops industry. there is a real big move. For data to support the business. And I think you’ll see that. I think people don’t always name it, uh, I don’t think they always talk about it in this way, but really your data ops team is looking to transform the business and support it through data. And what that means, especially if you’re in the cloud, your data is moving very fast. they’re able to build out. Databases quickly, they’re able to move data, um, much faster than they used to be able to. Not only just one cloud, multi-cloud, if you, you might have that. and the concept of like data loss prevention from a network is, no longer in existence. And so as you start watching this happen at the company, you’re realizing that it’s, Building out a lot in the way that DevOps did and that there are people who are managing how the data moves. There are people who are building out pipelines similar to what you would see for a secure code, uh, or for code practice. And the security that you use with the engineering team for, like a DevOps practice. It doesn’t translate. And so there’s new technology emerging. We’re starting to see some really great technology coming out, and just a practice around. Not only where the data lives, but how you’re securing it, where it lives, how you secure it when it moves, and then understanding the privacy impacts. in particular, as you look at the privacy laws, there’s a lot of movement around like, who owns the data? How is the data? You know, there’s a lot of around who owns the data. So as data moves, as it transform, The ownership can also change. And so really trying to understand the impacts, that the transformation has on the privacy rights for the data is, is just another aspect of it. And so as you look at your company, maybe your clouds, you’re just moving to the cloud or you’re already in the cloud and really starting to ask, how’s the data moving? Asking for the data flow diagram. And really digging in, and understanding how many databases are there as just, it’s a really fascinating part of the industry that I’m very excited for.

[00:07:04] Andy Schneider: so what would you say is, data, scaling more up like security from a people’s perspective. So we know that there are more engineers than security people do. What do you think about data?

[00:07:18] Julie Chickillo: I think they’ll scale faster than your security team will. So in your scenario where you had a smaller security team, I do still think you’ll see that, in Guild, like we definitely are investing in the data side. it’s critical to how the company works. And so I think as more people have the freedom, As, as you start seeing this movement, with the data and more freedom and, and more ability to do more with the data, I think these teams will scale, for sure. I don’t think they’ll be as big as your engineering team. I don’t think we’ll see that even, at least not in the near future. I mean, ask my data colleagues and they might disagree with me, but, I do see that team scaling. I do, I do see it scaling in other places as well. And I start, you start noticing, the hiring practices around it. And I think this is definitely an area of interest. and I think it should be an area of interest for security professionals being able to track what they’re doing and understanding that practice, uh, is going back to how we talked about needing to understand the business. This is a whole new emerging practice and you can’t just assume it’s running like engineering because it’s not. and, and the philosophy’s a little bit different as well. And so I think it’s just another area that will scale. I don’t think it’ll be as big, but I think security teams will have to support. probably in, I would say in the next two to five.

[00:08:35] Andy Schneider: if we look at, DevOps and DevSecOps, so like the security there is often translated as embedding security into DevOps, so that DevOps is doing parts of security. If we look at data DataOps, do you think that they shall also do security related to datas aware, like you said, Where it lives, like things like ownership, more privacy related topics, is that then a task that the data ops team should do?

[00:09:05] Julie Chickillo: I do think they will own a piece of it. this actually became so important to my team last summer. We ended up giving up an FTE from our team to DataOps, specifically to support our team, uh, and help with some of some of the work that, that even we’re wanting to get out of the data. And, and so we are building out a very close relationship with that team. We have a full team that supports us now. and we, do have people on that team that are probably gonna end up being somewhat close to like what you would call a security champion for, the engineering side. So I do think the data ops team. I, I think they will. you’ll probably have somebody specialize like you do on DevOps. So we have somebody on our DevOps team who specializes in support security. I could see the same for data ops, although, maybe even, to a greater extent as you look at like your data governance teams, that you might have, or, uh, for the more technical sites, you might even have more support, I think on the data. I think they also lean further into the data privacy and security conversations. I think it’s a natural part of their industry and so, we tend to find there’s a lot more interests when we go and talk to them than maybe there is when we go to talk to the engineering teams.

[00:10:16] Andy Schneider: Absolutely. from a skill perspective, so do you have that DataOps skills in your security team, or is that specifically, like you said, you, gave away that headcount, so is it. uh, security headcount in the DataOps team? A little bit like you described that champion principle, or is it, do you also have the skills in your team?

[00:10:37] Julie Chickillo: we did not have the skills in our team and we didn’t think we would. So that’s why we gave up to fte. We do require, uh, everybody on my security operations team to know Python, and. Just knowing that is really helpful. Um, when we start working with the data ops team, I do believe I’m gonna have to hire somebody to support, support this role, kind of like DevSecOps and, and AppSec engineer. I am gonna have to hire somebody. I’m still kind of building out what this might look like and thinking about the practice, the tools we might use. I’m not sure what that job description looks like yet. I think that’s why I’m hesitant to, you don’t tend to find people in security with this knowledge. Uh, in fact, my own team, when we started looking into it, was like, I don’t know how to handle this. Uh, which is why we pulled back a little bit and said, okay, then we’re gonna build it out. Let’s do it the right way. So, it’s a great question. I, I do think it’s an interesting area for people to be getting into, but I just don’t know, I don’t think the skill sets are there.

[00:11:36] Andy Schneider: if you go really completely up and look at the Caesar, so the role of the Caesar is changing. So, I also see like, privacy and security like coming together where they are very separated in different countries for several reasons, but I believe it should be, it’s better to have that in one role. But actually there’s no experience and no skills out there yet to do that. So the big question is for me, always. Just from a security perspective, when is something secure? So, uh, when do you know that your environment and your application and your data are secure? 

[00:12:15] Julie Chickillo: I don’t know that I have a full definition of done on this one, but I’ll tell you what, I’m probably working towards the especially as we think about a cloud environment for me. where I wouldn’t feel comfortable until we know where all the data is and we’re able to track it. and we do currently have, a new product that we’re working with, that looks at the metadata. So we’re able to track when data is moving, through metadata, which is, really quite, quite interesting. But for me, like it’s not. Where is the data? it’s who owns the data? so combining where the data went with the data lineage, plus having the visibility into the security around those databases or your, your buckets, I think that’s when I would say we’re done outside of also meeting the compliance regulations, like right to be forgotten or. portability, things like that. I think those are just sort of your basics at this stage. So moving beyond the basics, I would have to understand, I would want full visibility and I think that is what’s really lacking right now is there’s so many tools out there and they’ll give you a snapshot of, you can see little pieces of it, but you can’t see everything together. This mythical, one pane of glass that we’re always looking for in security, but for privacy, I do. We might actually get to that one pane of glass. I think it might be a little bit easier to get there than it has been on the security side. so I’m at least hopeful. But I think the one pane of glass, for me would be a definition of done.

[00:13:43] Andy Schneider: Absolutely. So, like, I don’t want to mention like a seam. It feels like old-fashioned technology, but like a seam for everything in a new cool way. So putting everything in a. I dunno. Data lake and doing it in a

[00:13:58] Julie Chickillo: That’s what we do. Yeah. So you, you are starting to see there are, I guess I’ll call ’em Sims for privacy. when you go to the privacy conferences, there were, you’re starting to see what a trend in the industry where people who were in security, they’re now building out privacy tools. And so as you start looking at them, they actually look a lot like security. Tools on the front end, like as you look at them, some of them do look like Sims. but I, I think Sims are limited. And so I think some of these tools also are limited in their visibility and their scope. And so going back to that security log data lake, where I control what goes in, I control what I wanna see out of it, that’s a different way of thinking than just the sim that’s gonna tell you what you want, what they want, what it wants you to see. Um, and so I think for privacy, you’ll have to get to the same level of. What matters to your business and what do you want to see out of it? and so not just relying on a sim.

[00:14:53] Andy Schneider: Fantastic. That’s really, really super interesting because I would say I’m good in that security part. But I always felt like a newbie in that, privacy part, I was always fighting with my privacy office or we were doing things together, but it felt like he didn’t understand technology and I have a pure technology mindset, so, but it’s good to hear that this is changing. So if the, you could say the privacy industry is also getting more tech savvy. I think there are huge opportunities bringing both worlds together, just from a technology point of view.

[00:15:29] Julie Chickillo: when I look at privacy, to me it’s about 10 years behind security right now. as you go to the conferences and you think about, What you’re hearing, a lot of what we’re hearing on the stage is, I, I don’t have a seat at the table. I can’t get buy-in in the company. I don’t know how to get training out there. And so a lot of the things you were hearing early on or about 10, 15 years ago that were just so, present in the security industry, you’re seeing that in privacy. And I think. there’s still gonna be a world where, where there’s a lot of attorneys or a lot of the people focused on the regulation, but if they’re really gonna have to start bringing on more technologists, um, and understanding, privacy and technology at the same time. And I think that that is something that is a huge skill gap right now. And somewhere that, could be an interesting career for people starting out.

[00:16:16] Andy Schneider: how would you define a good leader or security? Next to the communication skills that you mentioned.

[00:16:25] Julie Chickillo: I think it’s industry and business specific. So I, I think matching your skill set to the type of business you’re in. Um, I think we mentioned at the beginning, I am a risk taker. I am willing to take risks. I match very, very well with a startup or another company that’s really pushing the bounds of the technology. They’re, they’re using. I do not match well with like a large bank. my temperament is different. I’m willing to take more risks than they’re usually happy with. And then vice versa, like understanding, like if you really like that regimented part of security, if you like the part where you’re following every regulation to a t. The, you know, going into a startup is probably going to be hard for you, or going into to a company that’s pushing the bounds on technology, you’re probably not going to succeed. And so I think it’s really taking a look at your skillset and your philosophy and how you view security and risk and compliance and matching it up with the right business. I think that’s so critical. The other thing that’s really, really important for a leader, especially in our industry is, skilling up your own staff. And I do drink the Kool-Aid here at Guild on this one. Uh, I do think it’s so important to support your team and, and to understand the skills that they need to grow and, and move. And sometimes it’s move within and sometimes it’s move out. but if you don’t really invest in your own team, I do think it limits your practice. I do think it limit. The kind of technology you’re gonna be able to support, you know, two to five years from now. I was gonna say 10, but I can’t even imagine the technology in 10 years. and so really even just constantly talking about skill sets and, and building them up and helping them to become the next leaders, I, I think that’s also important.

[00:18:10] Andy Schneider: I really love that. So, making the way for the next generation so that you skill them up, it’s, it’s super essential. OneNote to Gil Education. So it’s a women-owned, technology startup. that’s right. And as far as I know, everyone who reports to you is a woman. is that right?

[00:18:28] Julie Chickillo: That’s correct. Yeah. Um, I, I haven’t added up the numbers. I’m either, I think I’m actually, probably over 50% women on my team as well. Uh, so that includes, the more technical parts of my team. So, Uh, we make a real effort. We do also make a real effort with DE and I. and so I think that’s the other thing is like being open to, I think this is the other area I would say like I think makes a good leader in security. Don’t just be looking for that credential Or the right school or things like that. Like finding the right mindset and the right person, I think is, is going to open up your ability to hire within the de and i, framework and then to support that next generation. Because if we only focus on that next or, the school, uh, I think it limits your who, who you’re gonna.

[00:19:17] Andy Schneider: Absolutely. and do you have any tips for women? how can we get more women into, the cyber industry or privacy industry? I think both, uh, if they emerge, are essential because I’ve just don’t see enough women. And let’s say it’s not just women. we need like, diverse teams. They are much. Efficient, effective, they bring better results. That’s proven. So how can we change that? You obviously did that, so how can you do that?

[00:19:48] Julie Chickillo: Yeah, the first is being open to people not having the right credentials on their resume. I think that’s number one. there’s a lot of research out there that that’s gonna help you, I think in supporting women, uh, women I think actually do very, very well in security. for many reasons, especially as you look at the DevSecOps industry and probably what’s emerging on the data ops practice. they tend to. Be able to do the communication better. They tend to be able to network really well. and this really helps to build up the trust that you need with these other teams. And so I think supporting some of the skill sets that don’t seem traditional in your security, um, stack, really will help you bring on some people who, you might. Be able to bring on initially. I think the other thing is just being open to mentoring, and supporting some of the groups out there that there are, you know, like all of the women in security groups that are out there. and to be honest, like I think, Supporting women, giving them awards, uh, making them visible in the industry, giving them a voice. Uh, certainly today’s podcast, is a great example of that. I just, I think those are the ways that you lift them up. and then I think the last thing is that we are really going to have to start going. Earlier than high school. If we’re gonna be talking about moving into the de and I like moving into de and i and, supporting women in particular. By the time you’ve hit high school, you’re probably starting to have already made decisions about what your career path might look like. We really have to go earlier. They have to see visibility in the elementary school, probably middle school, where they’re seeing, role models that they can look up to or what that career path might look like. I think high school’s too late.

[00:21:32] Andy Schneider:

[00:21:32] Andy Schneider: before we talk about, How you can become a Caesar or your tips. in every episode I talk about failures that I did. So this time I will just mention it’s very long ago. where I had to learn the OWA failed securely principle, the very hard way. So, uh, not everyone knows that I did, serve the military in Germany. 24 years ago, so really long time ago. But I was good in computers, so I stitched together computer parts and sold that to other colleagues. Super expensive.

[00:22:05] Julie Chickillo: Oh.

[00:22:05] Andy Schneider: of money with that. There was one problem, so I now know that in the US and Canada there’s that you have 110 voltage in most countries. In Europe you have 220, and I didn’t look at that physical switch on the power supply, so it was switched to 110 voltage. And what happened when? When I, plugged in the computer that I stitched together, the whole power of the building went down and I was in a building for the German Commander Chorus. So this is like an elite train training unit. So they. They were called out because someone thought someone did some nasty thing and they had to go into the woods over the weekend. So it was, the winter, so it was really cold. I was the only one that they forgot because I wasn’t a part of that. I’m not a pacifist, but yeah, I, I had to do that, but more or less I caused that problem. Because I did not look at that fail securely principle, so it failed and brought down the whole power supply of the building. It’s just a, uh, uh, but yeah, it’s, uh, but I think we, we should talk more about failures. That’s why I usually reveal that we are doing a lot of failures in our career. And it’s good if we talk about that. But you don’t have to reveal all the failures that you did. I just do that for fun. Um, but what has been your biggest learning in your career?

[00:23:39] Julie Chickillo: Oh, well, luckily I haven’t brought any buildings down. Um, uh, power failure, that’s a great story though. I think the hardest lesson for me, and one that, you know, I still continue, daily to work on is. the communication piece. And so I think there’s so many times where I’ll, like my next stage of growth for me will be because I failed communication in one stage and sort of really. do you could derail a project or something didn’t move forward because of a lack of communication or how I communicated something or fail. Failing to really bring the business along as to why it was important. And so I think this is one area and I, uh, I even see this with my team where I do talk about communication quite a bit, where it can be really, really hard if you’re just really in that technical part of the security and you’re not understanding. how to get across why what you’re doing is important or why what you found matters. it can really like, cause you to, to not move forward and it can cause your whole project to fail. and so I think that is something like, especially early on, just not understanding, I think we talked about like stop and listen and not stop and listen. Is just really, I think it’s hard to control the impulse when you think you’re in the right and you’re think, you need to listen to me. I’m the expert. Why aren’t you listening to me? And I think that is just, there’s been many times in my career where I’ve overstepped this bound or I’ve, I’ve said the wrong thing. And it just causes you to move backwards. Two steps. Uh, and especially as you move up, as you think about, Hey, I want to get to that next position. The level of communication and precision that you need in your communication just gets even greater. like if you’re gonna think about communicating to a board or a C level or, or any, like even VP plus, it’s just so paramount that you’ve taken time to listen to them and that you’re not just starting to talk about everything that you. when you start out. And so I would say I didn’t bring down a building, through power, but I’ve definitely brought things down through lack of, precise communication.

[00:25:51] Andy Schneider: where did your journey in security start? How did it.

[00:25:57] Julie Chickillo: I have sort of a convoluted, path. I would say I have sort of a snake-like path in, into security. Um, I actually started out working for the Department of Justice. We, uh, we did environmental law and water law, things like that. And so actually had nothing to do with technology in the beginning. Uh, spent time as a paralegal, uh, right at the time they were starting to go to e-filing in the, industry. And so I ended up, running the e-filing database, mainly cuz I like to excel. At the time there was some thought that maybe liking Excel translated into being a person who can run a database. Um, but really enjoyed it. and then from there, I actually moved into, the IT audit industry very early on, uh, when audit was starting to do, um, IT audits and support of the financials. And so I got sort of. Up upfront, training for that and, and just really some great training at the state of Colorado where we looked at systems ranging from mainframe all the way to, just pre-cloud. Uh, we were just starting to get in the cloud at the time. and then, R uh, moved from audit into risk. So, uh, risk and compliance more from the, perspective of being the person who got audited, uh, by many federal agencies. And then also the emerging risk practice for the state of Colorado. it was also here where I got exposure to project management or like a project management office where we really started to think about, as a security team, how do you move security into earlier parts of the life? Uh, especially if you’re doing waterfall or, or very, very large projects, uh, that you might see in the federal or state arena. These projects could take anywhere from six months to two years and waiting to do security until the end, uh, was really detrimental. And we were having a lot of problems. And so that team at the state really worked hard to get, security into the life cycle of a very long project. So this was, leading up to. My move into, DevSecOps where I already, came to that philosophy, with the engineers saying like, Hey, let’s try and move security early, as early in the life cycle as possible. So when I had the opportunity, to help, uh, an emerging DevOps practice, and get, get security in there, it was already natural for me to be having those conversations. So that was a, it was a really great to be early on in. On the DevSecOps movement. our company even made everybody read the Phoenix Project, which was quite entertaining at the time. from, from there. Yeah, it’s classic. I know, could see every part of security. I’d worked with everybody in that book, uh, in my, in my life. Uh, and so from there I got to move to guild, where continue to build out. Devs got practice. And then moving more into some of the more modern practices that we’re starting to see emerge here, which I believe we’ll get into, such as security log, data lake, and what I believe to be an emerging practice between data, data ops, and privacy and security.

[00:28:54] Andy Schneider: Oh, that’s fascinating. So it sounds a little bit like not a planned career, it sounds like, uh, it more or less happened. Uh, is that right?

[00:29:03] Julie Chickillo: it was a mix of being in the right place at the right time and willing to take risk. And so every one of these moves where I moved into the next emerging practice, I definitely, uh, had to think about it. You know, I was moving into something I didn’t know anything about, being willing to try something new. so right place, right time, but also having the mindset of, I’m gonna take a risk and try.

[00:29:26] Andy Schneider: that’s super fascinating.

[00:29:27] Julie Chickillo: Yes, you had to be looking for the right door or window. I don’t think I know any Cecils who started out and said, I’m gonna be a CISO someday. I, I just don’t know anybody who was in college and said that, maybe now we’re starting to see some, some more career growth being built out in the industry and some more clear paths. I still think it’s not a clear path. I think there’s many, many ways to get there. but probably people at least saying, Hey, someday I want to be a ci.

[00:29:53] Andy Schneider: let’s talk about your background. So you have that legal background. Um, you went from legal to audit, and then over to risk. So did that legal background and that audit. Background help you, because somehow for me, very often I hear from other Caesars or security teams like DevSecOps and legal or DevSecOps in audit are like, like on the opposite side. So how do you solve that or do you even see that, problem between them?

[00:30:24] Julie Chickillo: I don’t see that problem. I, I can see how you would see that problem. Um, I think where the legal and audit and even risk helped me in DevSecOps, first of all was, was knowing how to negotiate. So, there’s a lot of negotiating that has to happen between a security team and your, a developer team or your, your engineers, your DevOps team, and I think understanding. How that works, how that chess game has to play out, and understanding how to get people to buy into your story and buy into your way of thinking, that is really important. Uh, as you think about any lawyer or even with a, a well run audit, you’re gonna have to do that. And so I think that’s where it helped me. I think having done legal and audit plus risk, moving into risk after audit, I think it was a great opportunity for me to see the business can’t do everything. So when you’re on the audit side, you’re coming in and you’re saying, thou shult comply, thou must. Do everything that I’m saying. And I think as you’re, as you move into risk and you start looking at the business from a business perspective, you can’t do everything. And so that’s where your risk starts coming in and you say, okay, what is the risk to the business and what do we. Actually have to do, and what are the things that we can, can do, but maybe we’re just barely meeting it. And what are the things that are actually the most important? And so I think those things actually help you in your DevSecOps program. When you’re talking to your engineers or your, DevOps team, really understanding from their perspective, they are the business at that point. They are the business you are trying to understand. You really have to dig in what is the biggest risk to. and a lot of times in DevSecOps it’s time and so your scanner, if your program, you come in and say, my scanner’s gonna take 24 hours and they wanna move code in under 10 minutes, you’re injecting a huge risk into their process. And so I do think all of these things actually helped me with DevSecOps. I don’t see them being at odds. I think it’s just a different way of looking at it.

[00:32:25] Andy Schneider: I like that. So the two things I, I have to note down is, being a negotiator, I think that’s a very, Critical, uh, skill of a c of every c being a good negotiator between all the different parties and time, that’s actually what I’ve seen also quite a lot. So if you slow down development, you are like, the preventer of business. So,

[00:32:48] Julie Chickillo: you are at that point. Yes.

[00:32:51] Andy Schneider: This was brilliant. So I, I have a couple of takeaways. talk to sales. There’s something you mentioned in the beginning,

[00:32:58] Julie Chickillo: Yes,

[00:32:59] Andy Schneider: because Caesars or security practitioners, hate to talk to sales, but it’s essential that’s where the business is made. So talk to sales, get closer to the business, read the contracts and help. Being successful, then you earn your kudos and then you are more, no longer the preventer of the business. So that’s, that’s what you said. Time in is essential if you do DevSecOps. So if you slow them down, you will create enemies. The Caesar should be like a negotiator. I really love that. So negotiator and communicator. Like key skill you should have. And I really like that. And not looking at, let’s say the degrees or the standard path, but, giving the chance to everybody to start in security. And for every one of us, we should be role models. I really like​​ the conversing. Julius was brilliant. I loved

[00:33:57] Julie Chickillo: Oh, thank you. I had a great time.

[00:34:00] Andy Schneider: Thank you. where can we find you? Is it LinkedIn?

[00:34:04] Julie Chickillo: LinkedIn. Yes, I’m, that’s the only social media I do. So, uh, you can find me on LinkedIn.

[00:34:10] Andy Schneider: Perfect. So find Julie on LinkedIn and follow her. You can also follow me and hope to see you next time on our Code to Cloud podcast.

About the guest

Julie Chickillo
Julie Chickillo

This episode features an interview with Julie Chickillo, VP and Head of Cybersecurity at Guild, a learning marketplace offering classes, programs, and accredited college degrees for working adults. Julie has over 20 years of experience in Information Security Governance, Risk and Compliance, Threat & Vulnerability, IT Audit, Privacy, DevSecOps and Legal. Julie has been recognized with the APEX CISO of the Year Award in Colorado and is one of the inspiring leaders of the Lacework Secured by Women Initiative.

Try Lacework for free

Spot unknowns sooner and continuously watch for signs of compromise. Take us on a test drive to see for yourself.