CIO Exchange Podcast

CxO Conversations with Jason Conyard: The Relationship between CIOs and CSOs - Guest: Alex Tosheff, VP & CSO, VMware

Episode Summary

This episode of CIO Exchange is a part of our CIO Unplugged series where Jason Conyard, VMware’s CIO, has candid hallway-style conversations with other technology leaders about what’s at the top of his mind right now. In this episode, Jason speaks with Alex Tosheff, the Chief Security Officer at VMware, about the relationship between the CIO and CSO. During the conversation they cover the classic tensions between technology and security teams, the strategic importance of those roles and the relationship, as well as some critical components of their own leadership principles and management styles.

Episode Transcription

Yadin Porter de León:       Welcome to the CIO Exchange podcast, where we talk about what's working, what's not, and what's next. I'm Yadin Porter de León. This episode is part of our CIO Unplugged series where Jason Conyard, VMware CIO, has candid hallway style conversations with other technology leaders about what's top of mind for him right now. In this episode, Jason speaks with Alex Tosheff, the chief security officer at VMware, about the relationship between the CIO and CSO. The first voice you'll hear will be Jason's.

Jason Conyard:              As I was thinking about today's conversation and catching up, because you and I speak frequently, one of the things I was reflecting on was how many conversations I have with peers, and they tell me how challenging, and I'll put it politely, challenging the relationship can be, not always, but can be between a security function and a technology function. And that often they find themselves struggling to execute because of a lack of alignment around security or compliance controls and other things. And that not only makes it difficult to move the business forward, but it also creates an environment that doesn't feel great. And I hear folks talk about that. And then I reflect on the relationship that you and I have, that more importantly, probably our teams have, and I am both surprised and astonished, but I guess I'm lucky. So why do you think that so many other leaders find themselves in that situation and what do you think's different? And do you think that there are things that we could suggest other than counseling?

Alex Tosheff:                 I'm so glad to be here to chat on this stuff. We talk constantly, which is good. I think it's not this feeling of impact, I would just say, and maybe a sense of friction to processes that are not specifically like security. It's not just limited to technology functions. In security, we have the distinct pleasure of impacting all areas of the company. And by doing that, we have a serious responsibility to ensure that we have two halves to the same two pieces to this. So the first piece is that yeah, we are a governance function. We're a function that puts in controls. Those controls are designed to protect things. So in many ways we're seen as something that just by definition, a function that stops certain things from happening. Now, we want to stop certain things from happening. That's part of the job. But at the same time and in the same breath, I really feel strongly that we're an enabling function.

Alex Tosheff:                 And I feel we're an enabling function first and foremost, because the table stakes are incredibly high around cybersecurity. And companies who don't raise the bar are going to feel impact. They're going to feel business impact. And they're going to realize business risks. So I think there's two halves to this story. And I think I have been around security professionals who kind of come at things from very pedantic like check the box mentality, which is like, Hey, we have to do our job. You need to help us do our job, and can you just comply? And so it's sort of the whole, like the beatings will continue until morale improves. But that's a wrong mindset. And I've always felt this way. And I felt that my background has been pretty varied, and I've had experience even like carrying quota, a point of my career where I have that much higher level of empathy.

Alex Tosheff:                 As leader in security, you have to develop that empathy to get people to understand the value of what you're bringing. And it's not easy. It takes time, but it's really good work when you're working on it. So I think just to answer your question, maybe more pointedly, is a lot of it comes down to how humans interact, and how people understand each other's priorities, and how you come to the conversation versus just showing up and throwing requirements at people.

Jason Conyard:              Do you think it's a sense of shared outcomes and responsibility to achieve those outcomes?

Alex Tosheff:                 Yeah. And fundamentally, my own personal leadership philosophy is you align teams to a vision, to a mission. And when people feel strongly aligned to a mission, they tend to work together towards that mission. They tend to err on the side of trust and like good intent. And those things which are deeply rooted in all of our relationships are things that actually kind of carry the momentum forward when things are hard and when there is potential conflict, because you have the mindset of, Hey, this person's coming to the table because they have my interests in the front. And I, likewise I have their interest in the front. And when we do that, like to me, that's like one of the prime components of a high performing team, is when people come together with aligned self interest.

Jason Conyard:              I don't want this conversation turned to a mutual admiration society, although it could. I remember my first day actually at VMware and I was introduced to you. And the then CIO, [Bask Iyer 00:04:39], was walking me around introducing me to people. And I think you were in a conference room. And he's like, "Well, let me introduce you to the head of security for the company." And I walked into the room and there you were. And I think you were wearing a Star Wars t-shirt. Is that right? And I think I was wearing a Star Wars t-shirt. I knew then the world was going to be good. I think that's ...

Alex Tosheff:                 Well, I would like to correct you on that. And I'm sorry to kill the mythology that was being created over the years.

Jason Conyard:              What were you wearing?

Alex Tosheff:                 Definitely was wearing a t-shirt. I probably was not wearing a Star Wars t-shirt.

Jason Conyard:              Oh no. But in my mind you were.

Alex Tosheff:                 Even a Star Trek t-shirt, by far the superior universe.

Jason Conyard:              Oh, this conversation's going to really taper then. Okay. All right. Moving swiftly on. So I know one thing that I think surprised people is you and I have presented in front of our collective teams and in front of other teams and other organizations. And I've talked about the importance of security and you've talked about the importance of experience. And I think that surprised people, but I also think there's an important message in there for listeners as well, which is that you and I have consistently said, to compromise experience for security is really detrimental because what you are doing is creating an environment that encourages people to do the wrong thing, rather than encouraging people to do the right thing. How would you say that and how would you build on that?

Alex Tosheff:                 Yeah, it is a great point. It is also sort of a foundational element to what I believe is like a really good security strategy. You're right, people go around bad experiences. My belief is functions, support functions in particular, the support component of some functions, because I do believe CIO is incredibly strategic. I think CSO's strategic as well, and so on. So I just don't think the back office definition is correct. This is actually front and center for the success of the business where I think people think of us in that way. There is a magic combination of great security and a great experience. It is worth striving for. To me it's like an invariant, you have to work towards a good security experience and you have to be ready to make an earlier investment and to hold that investment for a longer period of time. But you will see better returns over the life cycle of whatever you're developing.

Alex Tosheff:                 One good example, like a concrete example of that would be, together, we collectively came together and we realized we needed to change some core experiences in [inaudible 00:06:58] security experiences. They were core colleagues engaged with our technology. One of those was like how you got on to our wireless networks, if you remember. And so we used that as an opportunity to come together collectively. And this was, I think what was for me very remarkable and super welcome and not unexpected honestly about our relationship, of the CIO and CSO, is that we both agreed on the experience part and we both agreed on the security part, and it was hard to tell who agreed on which more. And I thought that was a really telling thing right there. And our teams see that. And what we did was we refactored and we drove a zero trust model very early.

Alex Tosheff:                 Sort of the thinking around that, where we moved to certificates, we moved to managed endpoints, but managed in a way that was not impacting boot times and other experiential things that people depend on in our laptop states. But we didn't make a big deal about it. Like my family owns restaurants, which is possibly the worst investment you can make with your family. But I would just say one of the things we learned there is like, you don't do grand openings. You don't do big splashes because you set expectations unreasonably high, and it's very hard to carry that forward. And the better way to bring on new technology, new experiences just is to make sure that they are rock solid. And then people will advocate for you over time. You just got to kind of put your ego behind and not look for the immediate gratification of, Hey, we did a great job, but knowing you did a good job and knowing you're more secure at the better experience, kind of carries you through the period of time.

Alex Tosheff:                 And we started hearing within weeks from the most curmudgeony developers you can imagine saying like, "Thank you. I can get onto the network anywhere. And I don't have to keep putting my password in." We got rid of passwords and we enabled zero trust architecture. And that was really a two prong effort that was focusing on both security and experience and capabilities.

Jason Conyard:              You touched on something important there and something I'm proud of, we should be collectively proud of, is that I think we've set a tone with our teams around how we work together, but also how we expect them to work together. And the truth is if it was left to you and I, not an awful lot will get done. We have incredible talent, but what would you say about that leadership? What do you think that other leaders need to engender in their organizations, or bring from a leadership perspective, especially as it relates to security, and especially working with different technology functions?

Alex Tosheff:                 It's a really interesting kind of leadership principle, I think. And it's for me, my basis is about so-called servant based leadership, something I was introduced to very early in my career. I'm naturally wired to want to help. When you run into like minded folks who are not like, you're not thinking exactly the same way, there's lots of diversity in how things are, you're coming up problems and all that and different perspectives. But the fundamental thing we modeled, I think, and I think we should continue to model and we have to pay attention to that, it's a relationship and all relationships need care and feeding, is that we show people when there are decisions being made. We, for example, my team knows that you can come in and drive a decision and a priority and they don't have to come running to me and be worried about it.

Alex Tosheff:                 They know that you and I are connected as leaders and then your voice is my voice in situations. And I think that's a very different mindset. I think a lot of that has to do with consciously pulling back on ego, which leaders, you need ego to survive. In some ways, from leadership perspective, you got to deal with things and politics and drive and all that. But I also think can get in the way. So I think that's a behavior component. And then the technology alignment happens because we do so much intermixing of the teams. Like the teams work together, my team members come to your [inaudible 00:10:25]. It's an open door policy. We consciously don't have silos in the organization from that perspective.

Jason Conyard:              Interesting you say that, actually. I'm just thinking about how I have been in organizations before, where if someone from another team shows up, the dynamic changes. Not necessarily good or bad, it just changes. They're in the meeting. I'm actually happy to see them. It's like, oh, great. How you doing? What's going on? Blah, blah, blah. See, it's not even, it just happens.

Alex Tosheff:                 It may happen because I think there's a cautionary point here too, is that like for you and I just how we're wired, but for many people there is a natural, and some level of appropriate concern about, will my project be impacted? Will I not be measured appropriately because I had to reprioritize based on some other group's priority? That's also a point where you do have to be very deliberate about surfacing, shared accountability goals, like you mentioned earlier. And that could happen, we could pull that down from like company objectives and then sort of show our alignment, which is what we typically do I know. But that's also part of the narrative. That's important to pay attention to that because it is people will have these concerns and they're valid concerns in many ways. But they're also teachable moments for people to understand really how to come together more in that situation. I know we deal with that too from time to time where we do have some conflict in our internal channels.

Jason Conyard:              As I think that through, I also think about managing up as well because you and I both lead large teams and manage budgets on behalf of the company and responsibilities on behalf of the company. That also means bringing people along as well and bringing other leaders along. When you talk to your peers about securing investments around security and improving and hardening technology and capability, what sort of things do you hear and how does that differ from your experience at VMware?

Alex Tosheff:                 It's a mixed bag. Overall, I'd say security budgets have been on the rise. From an industry perspective, I think that data is believable for me, from what I see. Where we invest can be different. There's a challenge here in the sense that security investments are like preventative medicine, or about exercising every day and eating well and all that. Like those are the best kind of security investments. But we often find ourselves as an industry in like pain therapy mode where we want to pop a pill to feel better. And I think those two modes have to, they coexist as a practical matter. So what I see oftentimes is my peers will come in. I've had peers from time to time have told me they've gone in, they've really landed a super, super hard message with like the board or the audit committee. They're flagging a problem that they see, but they don't get the results they want because what they don't realize is that that level they're flagging it, boards aren't management. And it's truly a management problem first, well before it becomes something that a board would want to pay attention to.

Alex Tosheff:                 And it shouldn't. Like the board should be appropriately judiciously involved to their interests and what the needs are for the company. And I think that's the miss. I think lots of times, it's very, very hard to bring like a line management or a service manager or GM, one of those folks along for the security investment story. And so a big part of that is like, did they take the time to build the relationships early, and so they're ready for these discussions? And that's something that's very hard to back into. You end up having to wait for a crisis to make big change happen, which I don't think is healthy for organizations.

Alex Tosheff:                 I know it's worked well for my career, coming to VMware, spending enough time to understand what's a good day, what's a bad day for people that would be stakeholders, who would be impacted by the security function. Giving your leaders and folks who come into your organization that same kind of permission, if it were, to go form those relationships, which may slow down immediate execution, but these are long term investments. When security is thought of this way, I think you get a better result.

Jason Conyard:              I think one of the things that's obvious in this conversation to me, but I think maybe a surprise to others is your use of the word empathy. And it's certainly one of the principles that I have, and I try and lead by and work by. But I don't know how many people would normally talk about security and empathy in the same sentence.

Alex Tosheff:                 Honestly, when I talk to the organization, I use that word very specifically. Like Lake Wobegon, all of my security children are above average. No, but I tell the team this because back office functions, air quoting there, or support functions, IT functions, critical enabling functions, like security, and IT, and tech, and all that, our remit is to serve the whole enterprise and the whole business, which means you have to have an understanding of how things work, not in just your function. And so a specific example would be, I tell my team,

Alex Tosheff:                 "Hey, it's quarter close. You should not be surprised if you get calls or asks from folks in the field and folks on the sales teams who are trying to close a contract. This is how they put food on the table. You need to understand that they're not coming at it with a negative intent. They're trying to solve a problem that they are chartered to solve. That's their job. And so you have to think about that and you should be ready in that timeframe. And you should prepare them to be as self-serving as possible and have the resources they need well ahead of time." And that's the kind of empathy outcome I think that really matters here is that when you take the time to understand someone else's position, you can help them and enable them to have a better outcome. And it could be anything from a security control environment to honestly like closing a contract. And those things all come under our influence by security teams.

Jason Conyard:              I remember a case a year or two ago where we had a process for our support organizations needing VPNs to engage with certain customers. And that process, and I'm going to get this a bit wrong, but I think the process used to take about three weeks, and now it takes seconds or minutes. And that includes the security controls and the checks as well. And that's a great example of having the empathy and time to engage and listen and understand, and then say, "Wow, we can transform what we're doing here. We can fundamentally change how we do this without diminishing, and possibly even improving our security posture." And that's the sort of thinking and approach that I think is very powerful.

Alex Tosheff:                 Yeah. And I agree. And it's up to leaders in companies to set that tone. And this is back to your point about managing up, leading up. You really do need to put the effort into building an understanding around the value of doing these things. And then that way you get the support for investments in the function. And I've got some strategies that work around that and have some learnings around how you could do that. One of them, I kind of call my infomercial strategy, which is not mine obviously, but it's this theory that the more time you spend on a problem, the more invested you are in the problem, and the more you want to solve the problem. One of the things we like to do is to make sure that we are inclusive. Like we bring in those other perspectives, those other diverse thoughts into the conversation so we get a better understanding. And that's another way you can actually drive empathy. And honestly, you could build collaboration more effectively that way too, when you ...

Jason Conyard:              So empathy first. But the other thing that you are saying that definitely resonates with me and I connect with well, is bringing the whole organization along. Because you can't, one of the things I've watched you do, I've admired, is how you have made security truly something everybody's mindful of. And it doesn't mean that everybody's doing it every day, but the fact that people understand the importance of it, the fact that people understand that they have a role to play, it really takes care and time and thought to connect with people in a new way. Because otherwise, people are like yeah, whatever. It's a little bit like the stop sign, you might slow down. But I really feel like people understand they have a role to play. And it's a positive thing. It's not just a punitive thing. I think that's something that I've really admired.

Alex Tosheff:                 I thank you for that. I feel you're probably giving me way too much credit simply because there are so many circumstances where we are reminded how important security is in our businesses, how we conduct business and in the industries in particular. We have such a reliance on technology, and security is a big part of that. So yeah, probably a little too much credit, but thank you. Appreciate it.

Jason Conyard:              Take it.

Alex Tosheff:                 I would just say also that there are teachable moments in security for organizations. One of the things I've learned is when the timing is there, when it's right, so there may be something happening in the industry where the company is reacting to, it's really good to enlist the full support of all the leadership in the company. And don't be shy about setting the tone for helping the CEO set the tone for the company, for example, which I'm very fortunate that we have a CEO who's very supportive of that. That is also a way you can sort of manage the company's perception.

Alex Tosheff:                 I'm definitely a glass half full optimist. After 25 plus years of doing this, I feel pretty good about having that still as part of my makeup. But I would just say that there are moments where things are like really challenging. But those are the moments that really define the character of your organization. And so those are the moments where you need to spend a lot less time pointing at things and where things went wrong, and spending time focusing on your energy, together, collectively on how you improve, move through the crisis curve, and then take those lessons and then turn those into strategies for further success. And that's deliberate. That's important.

Alex Tosheff:                 That's a pretty well known discipline around crisis management. But it's something that's easy to lose sight of in the moment. So there's some discipline required for that. I think one huge component of that, and I'll give probably not enough credit to give here, not possible to give too much credit for these folks, but that's where your program management teams and your project managers like really shine because they come forward. They're the glue that holds everything together, and keeps all the things moving, on track. And so my hat's off to those folks, especially during a crisis.

Jason Conyard:              Yeah, absolutely. And without talking about anything that's possibly occurring right now, because that's always sensitive, one of the things that you spoke about earlier is the importance of developing cultivating relationships early, potentially before you have to rely on them. And I think that's one thing I've seen recently is we've been dealing with some security challenges that the whole planet is dealing with right now, is that those relationships are in place already. The programs and structure is in place already. And it may be a different challenge, and it could be a different risk or security vulnerability we have to deal with. But people know what to do. They know how to come together. They know how to work the issue. And I think that's incredibly powerful and it talks to that investment, that early investment.

Alex Tosheff:                 See, it's not a secret, but really, security is really just about resiliency at the end of the day. It's about how resilient is your business to unexpected change. Security is one component, definitely a somewhat unique beast, deep and wide so the risk potential is high for many things. Building a strong resilience muscle in a company is paramount activity. It should be something that's in the mindset of the company broadly. And there's many areas that can weigh in on that. But I think that's something that we did here early at VMware, an enterprise resiliency capability. It's got multiple pillars in there from crisis management, communications, to business continuity planning, to disaster recovery, and emergency response for physical issues. But those things come together in concert with many teams working on them, but we practice that. And that practice is really what helps. And then you should never be shy about bringing those folks who are decision makers into those practice sessions early.

Jason Conyard:              So here we are, beginning of a new year, and obviously we did a lot of work on planning last year. And as the old Eisenhower quote goes, "Planning is everything. The plan is nothing," what do you anticipate we will be working on, and our teams will be working on together this year?

Alex Tosheff:                 We have initiated some big change in the company over the last five years, honestly. And we've been marching down a path towards a true zero trust architecture, which I feel we largely have in place. We've pushed a stronger initiative starting last year around what we call beyond zero trust, which is our internal project or program level name around continuing to improve our hygiene. Recognizing that our responsibility for our customers' success is incredibly high, and we need to continuously improve to live up to that promise. And so some of the big areas I think we're going to continue to focus on is like deepening our already strong foundation around access management in the company. There's some technologies around that I think we're going to continue to drive. Blending that into our R and D engineering portfolio more aggressively. I think there's things we're doing, we're learning as we're doing. Like all companies, dealing with like, Hey, do you understand your assets? What are those assets? What is the status of those assets? Ownership, all those things.

Alex Tosheff:                 Those are all kind of specifics that I know we're going to work on. But principally, I would say 2022 for us, which we've been in for a while, because we're on a fiscal calendar. VMware's transforming our portfolio to more SaaS delivery to our customers. We have an incredibly strong perpetual license model we've got with our customers that will be there for many, many, many years. But we also are recognizing that we need to deliver our capability to our customers in a way that they need to consume in today's reality. And that is about multi-cloud capability. And our internal transformation has to be to bring that together and to bring functions that normally might have been okay to sit a little siloed with how we've grown as a company. Those models don't work in delivering in a SaaS world.

Alex Tosheff:                 So how we bring together development, how we bring together operations, how we bring together security, those functions need to be highly integrated and have seamless response patterns. I think the velocity of risk is greatly increased in SaaS delivery. And so as a company, we need to rotate. In security, we're doing the same thing. We've taken this to heart. We look at every component in security in every functional capability and we ask ourselves the question like, "Can we drive this to an automated, scalable outcome?" And it's not just about buying products from other companies, it's about integrating with good process, having the teams aligned, and ensuring that we're doing things on the time scales that SaaS operates on, which is the minutes and hours, and not days and weeks.

Jason Conyard:              Yeah. I think that moving the whole company towards a fundamentally more agile approach in everything we think about and everything we do, is both a challenge and a huge opportunity. We're going to wrap in a second, but I'm going to ask you three quick personal questions. Here we go. Ready?

Alex Tosheff:                 Okay. I'm ready.

Jason Conyard:              Favorite book.

Alex Tosheff:                 Dan Simmons. Hyperion.

Jason Conyard:              Okay. Favorite motorcycle ride.

Alex Tosheff:                 Favorite motorcycle or ride?

Jason Conyard:              You choose.

Alex Tosheff:                 BMW R1250 GS Adventure is my favorite motorcycle. My favorite ride is always got to be in the Southwest of Utah, driving through Zion and Bryce and doing those rides.

Jason Conyard:              Oh wow. Yeah, we have to do that sometime. And the last one we're going to go out on is on food, which is favorite pizza.

Alex Tosheff:                 Hey, classic 90-second Neapolitan pizza.

Jason Conyard:              Okay. Right.

Alex Tosheff:                 Just a classic, simple, all straight out of my 900-degree oven.

Jason Conyard:              There you go. All right. Alex, it's always a pleasure to talk to you. And I thoroughly enjoy and appreciate working with you. And maybe we can ask some of the listeners to give us some suggestions on topics they'd like to hear us discuss. We can go a little deeper on some things. That would be great. And until then, thank you.

Alex Tosheff:                 Yeah. Hey, it was my pleasure. I really appreciate being here. I love these conversations, man. Anytime.

Jason Conyard:              All right mate, cheers. Bye.

Alex Tosheff:                 Cheers.

Yadin Porter de León:       Thank you for listening to this latest episode. Please consider subscribing to the show on Apple Podcasts, Spotify or wherever you get your podcasts. And for more insights from technology leaders, as well as global research on key topics, visit