Benjamin Corll’s transition to vendor CISO from enterprise CISO wasn’t anything he’d been aiming for. But when a great opportunity came his way, he took the leap.
“Opportunities are abundant if you’re willing to look for them or see them as an opportunity,” said Corll, now CISO in Residence at cloud security company Zscaler.
“I was a customer of Zscaler for five years. My last enterprise job was in manufacturing, which was a fantastic role for me at the time. But I wanted to move back to more of a technology-based company, a forward-thinking type of organization. And as a customer, I really liked my engagements with the senior leadership of Zscaler. It was an interesting role, so I moved over.”
The forward-looking aspect played a big part in his decision.
Corll, who got his start in information technology as a small computers specialist in the Marine Corps, built security programs for 25 years. But while some CISOs of his generation have stuck to the same hub-and-spoke format they used when starting out, times have changed, and so must the approach to security, he said.
“Some of the most dangerous words you can say are, ‘We’ve always done it this way, but I’ve been successful,’” he said. “Our adversaries have changed, and technology has changed.
“I joined Zscaler because I really do believe that to be successful into the future, we’re going to have to adopt this concept of zero trust. And Zscaler is on the forefront of that.”
Corll was offered the job after impressing Zscaler with a customer testimonial at the company’s annual conference. In this role, he engages with customers and prospects, writes articles, and speaks at conferences.
But while he isn’t directly involved in Zscaler’s security program, he and his teammates take a lot of the burden off of the enterprise CISO by talking to prospects, and working through their contracts and security questionnaires, he said.
And as a former customer, he can have conversations with product management about his personal experience with the platform and suggest possible tweaks or different perspectives. He also supplies product management with customer feedback.
Advocating for customers makes the product better, he said.
“My counterparts and I were all CISOs as customers in our previous lives, so it’s not just sales jargon,” he said. “I really advocate for our customers. It’s not an ‘us versus them.’”
Corll takes exception to the notion that he’s “gone over to the dark side.”
“One of the shocking things that I experienced was the number of CISOs who would say that to me,” he said. “That really bothered me because we’re supposed to be working on the same side. We’re working against the adversaries. They are the dark side. If we want our vendor partnerships to be better, isn’t going to work for a vendor a logical place to go?”
“I was really surprised that I was no longer eligible for membership in some of the groups that I had been in before because they no longer consider me objective,” he said. “It’s like you’re tainted. It’s insulting.”
Corll has been at Zscaler for a year now, and the transition has involved a culture shift. The pace is much faster. He’s in more of an advisory role, and doesn’t manage a team. He also doesn’t have human resources responsibilities.
The new role has also given him an opportunity to cultivate softer skills, like focusing on telling a more compelling story.
“It’s been great pushing that keyboard a little bit further away and focusing on relationship-building, focusing a little bit more on the presentation skills, and getting a little bit more dedicated time to focus on authoring some articles,” he said.
And the work-life balance is better.
“I do get to stop the day at a set time, and if things hit the fan, it’s unlikely that I’m going to get called in,” Corll said. “I don’t have that fear that at 2 o’clock in the morning, I’m going to get the call that ransomware is spreading around on my network.”
At the same time, he does miss the camaraderie of building a program together with a team, and the kinship that comes with working in the trenches together. He also misses the type of strategic thinking required to put together roadmaps – especially the longer-term ones that involve technology that hasn’t even been invented yet.
“I may jump back in and build another security program at some point in the future if the right opportunity arises,” he said.
Corll is also looking for opportunities to train the next generation, and “give back to a community that has given so much to me.”
“I needed that mentor years ago, and I like training others and helping others. It makes me feel good when I can help somebody else,” he said.
Right now he’s directly mentoring several people.
“That first role is extremely difficult. So I like to sit down with people, virtually and physically, and walk them through how they need to present themselves, and the training they should have,” he said.
“After they get a little bit of polish, I start using the professional network to make some introductions, after understanding what area of cyber they’re interested in.”
In another expression of his desire to give back, Corll is a board member of Join the Journey, an organization that gives microloans to businesses that would not be able to find other sources of funding.
“They give microloans to women in Zambia, and it allows them to start a business,” he said. “So it changes their lives. It betters the lives of their families and their communities.
“When I learned about the organization, I knew I had to go help there. I wanted to be more actively engaged than just throwing money at it. I wanted to employ skills I have learned in life to help this organization have a greater impact.
“I’ve only been with them 18 months, but it’s been long enough to truly believe in the vision.”