Cybersecurity as a Business Enabler with Eddie Borrero

Alberto Yepéz [AY]

Welcome to the Forgecast. I’m Alberto Yépez and I’ll be your host today. I’m pleased to introduce my good friend, colleague, and partner in crime: Eddie Borrero, the Vice President and Chief Information Security Officer of Blue Shield of California. Welcome.

Eddie Borrero [EB]

Thank you, Alberto. I really appreciate the warm welcome and the kind words. It’s great to be here.

AY

I hope you had a good night’s sleep. A lot of CISOs over the weekend didn’t have a fun time. For those in the audience, we are recording this episode right after the CrowdStrike incident has impacted many businesses. Maybe we can start there. Did you have a good weekend or was it a bit of a scramble?

EB

We were definitely affected. I didn’t get as much sleep as I usually do over the weekend. Instead of having to restore systems, we had to reconfigure systems, which is a little easier. We did a good job at recovering and it also highlighted some opportunities for improvement. We’re going to take this negative, impactful event and make it a positive.

AY

There’s always an opportunity to learn. To your point, sometimes you have all these plans for business continuity and disaster recovery, and they tend to be very academic exercises until you have to actually use them. I’m sure that you’ll find ways in which you can improve them.

AY

Getting back to you- we want to start with the human side first, how you got here. A lot of listeners aspire to be like you and are trying to make an impact in the industry. Then we can move on to some of the issues that are top of mind for our industry.

So who is Eddie Borrero and how did you get here?

EB

It’s important that I start from the beginning, at a very early age. When I was a teenager, my parents split up. It was such a bad split that my mom moved across the country and my dad went off and did his own thing. I ended up homeless. I had no place to go, so I did a lot of couch surfing and soul-searching. I depended a lot on God and the grace of people to survive my last year of high school. From that, I developed this real drive for success and survival. I did not want to be like the people I was staying with. I wanted to have more in my life. I wanted to not end up like my parents and many of my family members.

I joined the military because that was the best thing I could do to catapult me into college, get a place to stay, and pursue something that I could put on my resume and applications to accelerate my career. It was the best choice I have ever made. I joined the Navy, went to school, used a VA loan to buy a house, got married, and spent the next decade in learning mode. I worked full time and went to school full time. My wife and I were on a bit of an adventure. I got to meet a lot of great people along the way.

I’ve always had this natural gift to network, make friends, and just be good to people. Reflecting back to 30 years ago, that really was a helpful trait because I was always willing to help. I learned very early on that hard work pays off, so I worked really hard. I was working 40 or 50 hours a week, going to school 20 to 30 hours a week, being married, and paying bills- all those things adults do, all at a very young age.

I went to school for computer science at first. I really loved technology. I was passionate about it and wanted to understand it all. I thought it was super cool. My first job was as a consultant, and my leadership team would put me on engagements that I had no clue about. They would say, “You’ve got to do this email migration, or this client has this antiquated application that needs a database migration.” Back then, a lot of companies were going online- we called it e-commerce. To transform a client from a brick-and-mortar shop to an e-commerce solution, they’d have me oversee all of these transitions which I knew nothing about. Fortunately, my firm had a lab where I could find a solution and make sure the customer would be happy. I learned the concepts of customer obsession, hard work, and figuring things out.

Then all of a sudden, the ILOVEYOU virus came out and brought down one of the companies I was consulting for. That intrigued me. All I wanted to do was learn how to stop that from happening ever again. I fell in love with security.

I went to business school at St. Mary’s and I wrote a thesis on how to implement security affordably for small and mid-sized companies. As I was doing that, I interviewed high-end CIOs to get their perspective and include them as references in my thesis. One of the CIOs I interviewed with was Jennifer Hall at Intuit. She gave me an opportunity and introduced me to their security leadership team. It worked out great. The leader of security at the time, Jamie Jaworski, offered me a job.

Intuit became my first real cybersecurity job. Back then, cybersecurity wasn’t as meaningful as it is today. It was very technical and tactical, but I loved it. From there, I moved on to many different companies and worked in various industries. The whole time, I always wanted to be a leader. Thinking back to Intuit, Jamie was a great mentor and leader for me. I remember telling him that I wanted to lead teams. I said, “I can do what you can do” and inside, I thought, “I think I can do it better.”

It set me off on this journey to a leadership role in the cybersecurity world. I started to ask questions like “How do I organize engineers that don’t have a lot of great social skills to do meaningful work for large organizations?” The excitement of it all was really important. We were stopping hackers, and advanced persistent threats (APTs) were on the rise as I worked for Electronic Arts, PG&E, and Amgen. The threat environment was so big and it was pretty exciting to work for critical infrastructure companies like PG&E.

AY

Wow, what an amazing career and humble beginnings. It is very inspirational to see how you always wanted to advance and use what was available to you, while also realizing your environment didn’t have to completely define you at the beginning. Then, later in your career, it did help define you in a positive way, helping you see opportunities to contribute. I guess that’s what makes effective leaders and managers: the context in which you need to act derives what your action should be.

I always talk about the concept of context and contacts. The context helps you define and makes you aware of the situation to see what you need to do and act upon. The contacts along the way are the people that really make the difference. More than the context, the contacts are what define us.

AY

Back to your career path which is so interesting- you worked at Intuit, which at the time was not only doing QuickBooks but also became a bank, so within regulated industry. You later went on to work at Electronic Arts and worked around the hype of gaming. When you start comparing and contrasting those different businesses and the role of cybersecurity, along with the increasing responsibilities you took on, how do you think someone like you can take advantage of opportunities to make an impact on the business?

EB

In my tenure, I’ve seen cybersecurity go from being technical and tactical to being more strategic, and in some cases helping companies be a differentiator in their industry. In the realm of business strategy, business growth, disrupting an industry, cybersecurity has an ability to be an enabler. It has an ability to lead the way. There is really an opportunity to make a big difference because of what we do. There is a whole trillion-dollar industry in cybersecurity nowadays. Those products and services are game changing for many people and many different organizations, especially when you plug them into industries that need them to grow like critical infrastructure and product companies. What would Tesla be without security? You would have zero trust in driving electric vehicles. I think the future is bright for cybersecurity professionals because we are super technical, and we work within the business world. We have to understand customers, politics, growth opportunities, profit and loss models, audit and compliance. You mentioned regulation. Regulation is just getting harder and harder. I think as a country, we are a legal society nowadays. We have a lot of law, a lot of politics, a lot of regulations that are coming down on the pipe. Those regulations can be impediments to progress and success. So, how do you navigate that? How do you influence that? Who knew that starting in cybersecurity, my career would end up in this role that has such a multifaceted skill requirement that’s really just different that most other roles in corporations today.

I’d also say that this concept of context and contacts. I have had so many great people open doors for me, support me, pull me up along the way that they inspire me to be like them. So, I have a great passion for growing teams and helping people. I didn’t realize this until recently, but it has transformed me into a great leader. I consider myself a humble person. I don’t brag. I don’t go out there and promote myself a lot. What I take the most pride in is my team telling me I’m a great leader, and people wanting to join my organization because of the leadership and culture that we build within our cybersecurity teams here. I’ll take some pride in that. I think this concept of growing people, helping others both below and above you, just expands your opportunities, opens up more doors for you, and allows you to transform your job into something that’s so meaningful and purposeful because you’re helping. You’re helping organizations, you’re helping people, you’re changing lives. With some of the work I do with the underprivileged and veterans, I’ve gotten to see over the years how it’s not just changed their lives, it’s changed the lives of their kids, maybe even generations to come. There’s nothing more meaningful to me than helping people.

AY

What a wonderful example of service leadership. A lot of people ask me, what are the different skills that I need to be a CISO? You just talked about leadership, impact, and the ability to create high performance teams. But if you step back, what are the key three or four characteristics needed for a CISO to help cybersecurity impact the business?

EB

There’s a couple of things. The first thing, the most important thing is to be cool and collected under pressure. I have a bunch of analogies going through my head. One is like the duck on the water, where the feet are going crazy, but everyone sees the duck moving smoothly. The other is a general in wartime. The general is in the field with the people. He’s got to be cool, calm, and collected while bullets are flying, people are dying, and systems are going down. If you can’t be calm under high stress and high pressure, it’s impossible to do this job.

The other thing is you’ve got to be able to lead and influence. Not just lead the people that are under you but lead a company, influence other teams, other organizations, your supply chain, your business partners, your customers. Build trust in what you do and the products that you deliver. You have to be a leader and influencer for sure. Then, you have to be good at your trade. The technical and tactical skills of security professionals are real. I’ve seen many different types of CISOs in my lifetime. Some are business CISOs that are great at business but don’t understand the technical and the tactical. I think that’s a disservice to them since they hire up and they build teams that are much more technical and tactical than they are. I think what makes a great CISO is someone that has the understanding of their products and technology and can bring that to the table as a business leader. Those would be the three things: staying calm, being a great leader and influencer, and having some technical and tactical chops.

AY

Speaking of influences, one of the biggest challenges for CISOs is working with the board. I know that you have a particularly unique and interesting approach to interacting with your board. Would you care to share some of that? How were you able to engage and keep that engagement live and vibrant?

EB

I think the secret is in people. Once again, I’m going to go back to this concept you bring up of contacts. When you’re presenting to the board, you can’t present to them as if you haven’t met them. I believe that it’s really important to get to know your board individually, especially the key players in the board, the chairman of the board, the chairman of the audit committees. If you’re in a technology committee, the chairman of the technology committee. Understand who can be your advocates within the board. Get to understand what their expectations are. Build those relationships so that even when it is your first time presenting to the board, you know what the expectations are.

Many CISOs make the mistake of presenting what they think the board wants to hear. Many boards are not so technical. You may have one or two technologists on the board but still speak a completely different language than the board members you are presenting to. So, getting to know them and getting to understand their expectations is very important. That is a political effort because in many cases the CEOs of companies have roles and engagements with board members. You have to get to work with your CEO immediately and figure out how to best connect with the board. The CEO will give you some guidance, and if you’re good, you’ll get to build those relationships with the board individually to help them understand what you do. You’ll get to understand their expectations so that when you present, it’s not new news. You build a level of confidence within the board, because that’s what they’re looking for, especially in a CISO. Do we have someone that understands our business? Do we have someone that understands the risks of cyber to our business? Do we have someone that can actually drive and manage those risks effectively? They’re looking to have confidence in your ability to protect the company and their customers.

AY

I think that’s great advice because a lot of people talk about increasing the level of awareness and IQ on boards regarding risk, cyber, regulatory compliance, and everything else. To your point, they are not experts. Most of them are businesspeople or former executives within the industry. Most people think “That’s the board, they ought to know,” but that’s often far from the truth. Connecting with them on a human level and asking what they really want to know is key. Many CISOs fall into the trap of delivering the same reports, often in a technical language that doesn’t resonate with the board. When you engage at a more personal level and approach them as a peer—while also being open to their feedback—you move beyond just presenting a quarterly scorecard and start making a real impact. I think that’s very savvy of you. To your point, it’s very political because perhaps the CISO is not just reporting to CEO, but to the CIO or CFO as well. The content of the report matters less than the ability to lower defenses and express a genuine interest in understanding what the board wants to see. It’s very sound advice.

EB

It’s not an easy thing because you can’t have just an open dialogue with board members. You still have to have some structure. It’s about getting people involved, getting your boss involved, getting the CEO involved, getting folks to give you guidance around what the conversation could be like. You could have a very formal discussion that gives you informal results. I think setting expectations is really important.

I also think it’s really important to have a narrative, a storyline, that’s consistent throughout your career. I see many CISOs throw out metrics that people don’t really understand all the time. More importantly, they don’t understand how it connects back to the broader business mission and vision of the company. So, how do you create a story that really connects with your work, with the mission and vision of the company, and ultimately to the customers that you serve? You’ve got to have that great storyline.

One of the tips I’ll share is that I have this whiteboard right here, and I’ll put up my board decks like it’s a movie. I’ll create an actual dialogue on the board that is a storyline that tells the story, but there’s always a consistent theme that I follow. That theme stretches into multiple meetings with our board of directors and audit committees. The other thing that’s cool about what we’re doing today is that the story can’t be standalone. It has to connect into the IT strategy and the business strategy. You have to show those linkages so that every time you present you can connect the dots. The board members start to see the storyline of how technology can help differentiate your business and how we are managing the risk of those things effectively.

Without that, it’s just a piecemeal. It’s like being shown 30 seconds or 10 minutes of a movie without understanding the beginning, the end, or ever seeing a trailer. You have to be able to tell the story effectively.

AY

I love the analogy because in addition to being able to engage your board, you speak to security being an enabler for transformation, expanding into new markets, or helping the business achieve their critical goals. You need to do the same thing to influence each of the business unit managers by communicating how your strategy aligns with the business’s goals, how you’re measuring progress, and what potential risks exist. Always give them the storyline because you need to engage with the executives as well, not just your boss or the people responsible. It’s great that you’re spending time with leaders across all Blue Shield’s different business units.

EB

Admittedly, I can do better. I always think I can do more. I should be doing more. I think that’s just part of who I am as an individual. I’m always striving to make progress–not be perfect but make more progress every single time. When I think about all the business leaders that I have relationships with, there is still an opportunity to do more. I say that because I want to ensure people know that I’m not perfect. It’s a game of progression for CISOs. What are the relationships I need to build? What are the contacts I need to make within the organization? Who are the sponsors I need to be successful? We have to always think that way and recreate it constantly because it changes. People change, roles change, efforts change, business units change, products change. How do we change in line with the company? When you said that, it triggered this thought in me. We have new executives that I haven’t even reached out to yet. It’s a skill set that every CISO needs to have–being able to constantly build those relationships.

I actually have a list of critical contacts that include who I need to be talking to. I write it down in a meeting with them and my staff go through them and talk about whether we are connecting at the strategic level enough. Another point I want to make is that CIOs and CISOs have historically failed to connect their initiatives to the business strategy and figure out how what they do helps customers. Making those linkages is so important. Those relationships are essential for us to connect the dots. When you want to do something in technology that impacts the business and you don’t have those relationships and linkages, it is an uphill battle.

AY

Amazing reflections. As you pointed out, cybersecurity is always viewed as tactical and technical, but at the end of the day, it must be strategic and impactful. That’s why you start with the board. You start with the operating plan for the business. What are we trying to accomplish in the next year, in the next two to three years? What are the capabilities that we need? It’s very easy to get bogged down with all the operational issues. Of course, at the end of the day, you’re responsible for that, but still, try to create that ecosystem and build a team that you have confidence and trust in.

Oftentimes you provide context to discuss tradeoffs of implementing a new technology or shifting business strategy. I’m sure every CISO is having a hard time responding to their board on what generative AI is. Are we secure? Are we exposing our data? How do we put our arms around it? What are you doing about that? What are the steps you’re taking to take advantage of the opportunity with generative AI, but simultaneously manage the technology responsibly?

EB

I’ll say a couple things before I directly answer your question. Another great opportunity for CISOs is to feed innovation within a company. I remember when cloud was considered taboo. I also remember when platforms like Salesforce were considered taboo. If you are a smart CISO, you position yourself as an enabler. You’ve got to be out in front of this innovation. You must help lead the company there. Maybe you put your products and services in those areas first and foremost so that the company builds a level of trust for those new things. When I worked at Robert Half, they jokingly called me the Chief Marketing Officer because I was promoting a new way of thinking.

I think of generative AI in the same way. We have to get in front of it. We have to lead as much as we possibly can by leveraging it so that people can feel safe and trust what we are doing. Then, we can develop the right level of rules, regulations, and guard rails. To do that you need a good governance model for AI. What that takes is a good understanding of the risks and concerns out there. With generative AI, there are risks of biases, wrong answers and actions, divulging too much data, and regulations are changing rapidly. So, how do you build a governance model that helps you as a CISO position yourself to be an enabler, drive innovation, understand and manage the risks from a cybersecurity and business perspective? I will always play an enabler role. We will work to experiment with new ideas and understand the risks.

It’s another political opportunity where you have to get the right people in the room. You have to have the legal team. You have to have business leaders. You have to have our compliance teams. PwC coined the term fusion center. AI governance is very much like that. You have to bring all the right people together so that we can innovate, experiment, and then eventually drive a big differentiator in our business, products, and capabilities.

When it comes to our business products, there are a million things generative AI can do depending on what industry you’re in. And note: generative AI is just another version of artificial intelligence. It’s an enhancement of something that’s been around for 40-50 years already. There’s going to be a new iteration. There are going to be new large language models in the future. There’s going to be large growth in how we do things visually through video and voice. You hear about all the deepfakes. All these are business opportunities. You’ve got areas of focus, but you’ve got to be the one to help make all this innovation safe – and that’s a good governance model.

AY

Great. I agree that it’s key to make sure that everyone is around the table and that they can provide insight to formulate that governance framework. As we come to the end of our interview, I know service leadership has been core to you. You mentioned in the beginning that there were a lot of people that impacted your career. Fast forward to now and you’ve become very active in your community. I think the first time we met was at HITEC. For those who don’t know, HITEC is an organization of technology leaders who happen to be Hispanic all dedicated to expanding opportunities for the next generation to step into executive roles. Now you are on the board of HITEC. You are also on the board of Cristo Rey Network, which is serving the underprivileged by demanding high academic performance and providing professional development opportunities to aspiring leaders. I know you have a number of other activities that you take upon yourself to help your community and veterans. Most recently, you were nominated to be one of the finalists for the ORBIE award for BayAreaCISO, and you happen to be the chairman of BayAreaCISO. That’s amazing. Why do you dedicate so much time to helping the community?

EB

I had a mentor, Guillermo Diaz. He said something to me many years ago that changed the core of who I am, the core of how I think about my role, the core about how I think about myself as a man. Part of my job now that I have made it as a CISO for a multibillion-dollar company in a thriving industry is to give back and to pull up others. The key to that is it’s part of my job. It’s part of my role, part of who I am now. I didn’t think about it that way before. I always thought about it as if I’m going to dedicate time to help an organization like HITEC, Cristo Rey, Empower, or ORBIE, it was seen as extra. It was more time to do more things that took me away from what I’m supposed to be doing. But the second I saw it as part of my job, I knew that I had to do this so well because I take pride in the work I do. I want to be the best CISO I can possibly be. I want to be the best I can be for a company. That’s just the selfish part of me. When I thought about it being included in what I have to do as an executive leader, it changed me.

Now I make time because it’s part of what I’m supposed to do. I just turned 50 recently, and I feel like I have 20, 25, maybe 30 more years if I’m lucky. I don’t plan on retiring, but I do plan on continuing to try to be a strategic leader that drives innovation and change. Part of that is pulling people up. So, it really changed me. I think I’ve always had a heart to help because I used to be that kid trying to find a place to stay, trying to find food to eat. Now I’m the man who serves a great role at a great company, a father, and a leader. I know that I can make a difference. Even if it’s just a one kid’s life or one person’s life, how amazing is that? I think because it’s part of my job, it’s part of my heart, and part of my belief system, I can’t see not trying to help others. I love it, and I think every leader should be a mentor, should be pulling people up. You see many of the greats helping others and opening doors.

It leads to one more thing I didn’t mention. You asked me what are the traits of a good CISO? What are the skills you need? I talked about influencing and leadership, but more importantly, it comes down to building a great team that you can depend on and trust. Part of that is pulling people up and getting people to believe in what you are doing, your mission, your vision, your company’s mission, their vision. That’s a skillset because without that team, it is an impossibility. I admittedly have an amazing team and have been lucky to hire people better and smarter than I am that for some reason really like to work with me. For a fruitful career, that’s just so important. So again, giving back and pulling up the community unselfishly helps them, but selfishly helps you build a great team, build a better company, build a pipeline for your organization. It’s a win-win, and I love these win-win situations.

AY

It’s interesting because you learn a lot by engaging. You’re serving as a board member of HITEC. Every meeting you learn something new and meet new people. As much as you say, I’m giving back, you’re getting a lot back. You’re getting a multiplier. One of the most rewarding things is when somebody that you mentor, whether it is in your direct line or in a different company, exceeds and goes to the next level. That is very rewarding. This has been great Eddie. You are a trailblazer. You are Hispanic. You are a veteran in an industry that demands a lot from its leaders. You’re humble and service leadership is part of your core. Don’t lose it. Keep on building that momentum. Here at Forgepoint, we are very honored to have you as a member of our Advisory Council. You make time to talk to our team about the latest in cybersecurity. I really appreciate that. I wish you continued success and look forward to our next paella.

EB

Alberto, it’s been awesome. Thank you so much for the opportunity. I really appreciate it. If I may, I’d love to end with this. You inspired me to remember this. The greatest mentorship relationships are when you can’t tell the difference between the mentor and mentee. I think you’re right. We get a lot out of it. Similarly, I get a lot out of spending so much time with you. What a great leader you are with what you’re doing for the cybersecurity industry and how much Forgepoint is doing to help us fight the good fights. Thank you for that. I really appreciate it.

AY

Thank you, Eddie. Looking forward to more battles together.

EB

Awesome.

AY

Cheers.