Not Your Normal CISO: Lessons in Security Leadership, from Bartending to the Boardroom

Guest: Rob Hornbuckle

Chief Information Security Officer,
Allegiant Airways

EPISODE 15: THINK BAD, DO GOOD


Jonathan Reiber, VP, Cybersecurity Strategy and Policy, AttackIQ

Years before he became Chief Information Security Officer (CISO) at Allegiant Airways, Rob Hornbuckle studied acting and worked as a bartender – lessons that served him well as a four-time CISO. He understands business, he understands technology, but above all he understands human behavior.

“Something is eventually going to happen at any organization you potentially could work for,” says Rob. “If you work there long enough, something will eventually happen. What’s going to determine your success and your longevity long-term as a CISO is how you react to it, how you handle it, how well everyone trusts that you’ve both done the best you can, and that you’ve had the best interest of the organization in mind.”

Accountability matters a lot. “One of the most executive things you can ever do is stand up and take accountability when it’s your fault,” he says. “You will garner significantly more respect if you stand up and take accountability when it’s your fault than if you try to slough it off or if you act dodgy. It’s almost human nature to want to shy away, to want to not get in trouble, to want to try to curl up and defend yourself in some way. But the most executive thing that you can possibly ever do is stand up and take accountability when you were at fault either fully or even partially.”

In one of the most illuminating podcasts yet, Rob sits down with Jonathan to outline his vision for leadership development and success in security. Tune in and read on for more.


Rob Hornbuckle

Chief Information Security Officer, Allegiant Airways

Rob Hornbuckle is a results-oriented technology leader currently serving as the CISO for Allegiant Airlines.  He is responsible for all aspects of information security, risk, compliance, and privacy for the leading ultra-low cost airline in the United States.  Prior to Allegiant Airlines, Rob served as the Interim CISO for United Technologies Aerospace Systems, a leading airplane parts manufacturer for both the private and government sectors as well as CISO for the Arby’s Restaurant Group, a leading international fast-food chain.  With over 20 years of experience, Rob also has experience in telecommunications, fintech, business to business, and health care sectors.  Multi-industry experience allows Rob to develop innovative solutions to complex business challenges, positioning him as a trusted adviser among senior leadership.

Rob holds both an MBA in Innovation Management and Business Model Disruption as well as a Master of Science in Information Security, which is rare among information technology experts.  He is passionate about aligning information security to business needs and leveraging technology for strategic advantage.  Rob is a sought-after consultant for startups, private equity, investment firms, and research institutions and has also served on the board of advisors for startup organizations.


Jonathan Reiber:
Hey everyone, and welcome to today’s episode of Think Bad, Do Good. I am super pumped to have Rob Hornbuckle the CISO of Allegiant Airways here with us today. How are you Rob?

Rob Hornbuckle:
I’m doing okay.

Jonathan Reiber:
It’s good to see you. And you are joining us from the woods of North Carolina. Is that true?

Rob Hornbuckle:
Yes, I consider it the woods. It’s actually Greensboro, but yeah.

Jonathan Reiber:
I love the woods so I’m jealous. I’d rather be there than in Oakland.
Rob has some tremendous experience as a CISO. Not only is he currently at Allegiant Air, he was previously at UTC and he helped Arby’s manage their big breach a couple years ago, which I can’t help but ask, where is the beef? This would be the question as you have dealt with data exfiltration for a hamburger company. So Rob is going to talk to us today about all the lessons he’s learned as a CISO, which are many, even though he’s probably younger than I am, but he’s got a lot of lessons in there of being a CISO. And so without further ado, Rob, great to have you on the show.

Rob Hornbuckle:
Thank you much. I would say that Arby’s does not make any hamburgers though.

Jonathan Reiber:
Really?

Rob Hornbuckle:
Nope, not a single hamburger.

Jonathan Reiber:
See, this is how often I go to Arby’s. You’ve completely outed me. I don’t know anything. Tell us about – when were you at Arby’s?

Rob Hornbuckle:
So it was my second role in charge of a security program when I got hired on there. This was probably seven-ish years ago, maybe slightly longer. Arby’s picked me up to build out their security organization for them. They had recently been divested by Wendy’s and Wendy’s just left them where they were, and didn’t have too much going on. So they brought me in to build the program up and get it running for them.

Jonathan Reiber:
That’s really cool. And what a responsibility to ramp a program up. So that’s kind of startup-y right? What were some lessons you learned from that experience?

Rob Hornbuckle:
Well, a lot of it was just following the motions, because that would be the third program I had actually built from scratch, which is why they brought me in to do it. But you learned lessons with every single role that you go through. My hardest one and hardest learned lessons were actually at the roles before that one. That role was the first role that I took on where I really felt like I did have a good idea of what I was doing.

Jonathan Reiber:
Can you talk about some of the harder lessons because that’s interesting. The earlier ones.

Rob Hornbuckle:
The earlier hardest lesson that you end up having to pick up, especially going into a CISO role or a head of security role or whatever the senior most security position is at your organization is learning the technical knowledge isn’t necessarily what drives you forward anymore. It’s learning the interpersonal relationships, the business knowledge, developing all of these skills with communication and getting across to other people like board members and VPs and directors and anybody who’s a stakeholder in the company. You go from this highly technical security position to all of a sudden you are full blown in charge of a program leadership role; which the technical pieces no longer make up the majority of your role anymore. And learning those pieces and the lessons learned from that are very hard won and very necessary.

Jonathan Reiber:
So you’re talking about becoming a leader now?

Rob Hornbuckle:
Yes. You’re talking about becoming a leader and it’s hard in security. If you look at all of the senior executives at an organization, unless you have a chief data officer, which isn’t a lot of companies. The chief security or the chief information security officer is going to be the youngest role, as in it has existed for the least amount of time. It doesn’t have a mature evolution program as much as, say finance does. If you’re in finance and you’re on track to be a CFO, you have all these intermediary steps that you go through to get there. They’re predefined, they’re predestined. Everyone knows what they are. The director levels. You might go through FP&A, you might go through accounting, you might go through all these different other steps, and as you’re going up through those leadership changes, they’re teaching you these leadership lessons along the way.

And then by the time you make it to that CFO type role, you’ve learned them and you’re successful in it. A lot of CISOs get thrust directly from a technical role directly into that leadership role, and you don’t have those lessons, you don’t learn those skills. You don’t learn even beyond having the skills; the necessity for their use at those levels in order to truly be successful.

Jonathan Reiber:
That’s an amazing point. Can you talk about why you think it is that folks go from this technical competency to being thrust into leadership roles? I have an idea in my head, but I think you know better.

Rob Hornbuckle:
Again, it has to do with the fact that as a role, it’s so much younger compared to the other senior executive roles. There’s not as big a pool. Most of the time security departments are very, very specialized. So they’re significantly smaller than the other departments of that nature across the organization. And for that effect there aren’t a lot of intermediary steps. You probably have one minimal management role if that, the leader, and then all the individual contributors. Occasionally, you might have an extra director thrown in if you have a really mature and a fairly large organization. But the vast majority of the time, it’s like individual contributor to manager, to all of a sudden you’re in charge of the program.

Jonathan Reiber:
Have you seen CISOs come in who just don’t have the technical background like a technical analyst or a head of threat intel does? And how have they performed in those instances?

Rob Hornbuckle:
So it can happen, I’ve seen it happen before. Normally when it happens, it’s because they’re already a senior leader in some other part of the organization and they’re putting them in charge of this new idea of security that they’re bringing in. So they’re thinking this person will bring the leadership to it, even though they don’t have the technical knowledge and will put a director or somebody under them that has the technical knowledge, and between the two of them we can pull the role off.

I don’t have a lot of luck with those kinds of things. I haven’t seen them be super successful in my opinion, but that doesn’t mean they can’t work and I’m sure they have worked that way in some organizations in the past. I feel a lot of the times they have a senior leader and they’re trying to find a place to put them and it just seemed like an easy and convenient place to stick them and then put somebody who’s technical under them.

But that doesn’t mean it can’t happen, it’s just the most successful CISOs aren’t going to have started that way. Because your job as the senior executive at the company in charge of security or anything else, it doesn’t really matter, you are in a senior executive role. Your job is to shepherd the company. Your job is to have the company’s best interest at heart and in mind. And you’re not going to get that unless you understand how the security implications fit into it. How security actually fits into the business model, where it supports it, what it does. And when you have both pieces separated like that to somebody who understands the business and somebody who has the technology pieces, you have almost an incomplete CISO.

Jonathan Reiber:
Wow. That is a very evocative statement. I have so many questions in response.

The first one, which is probably more tactical than some of the meat that I want to get at with you as a leader, which is really interesting. So you’ve now come into multiple organizations and built organizations, built the security program from the ground up. I want to ask you what that means, but in particular, how do you begin to think about the elephant? They talk about seeing pieces of the elephant at one time.

You just articulated this evocative vision of the CISO as being a business leader and what does that mean when you’re thinking about assets in general or business missions and business objectives in general, how do you begin to disaggregate what the business is doing and aligning it to your security objectives?

Rob Hornbuckle:
Well, the first thing is you have to understand business. It kind of goes back to, so I’ll explain my journey to getting to a CISO role.

Jonathan Reiber:
You said earlier, you’re a young CISO.

Rob Hornbuckle:
My journey through several of my initial roles in charge of security program, I was really technically inclined. I knew everything when it came to the security aspects. I could build it all out, I could monitor it, I could investigate it, I could do everything at the time. This is mid-2000 so it’s significantly different now, but back then I could do all of it that was there. I worked for a company in IT, eventually I liked security. I picked it up, and it became my entire job because I just kept taking responsibilities. They brought a CISO in on top of me, had me work with him to build out the program for that company. That company got bought by another, I got let go and then I got picked up by a company by myself to build another program. That was the company I was at right before I started working for Arby’s.

While I was there, I was brought in as the first employee, as the only security person and to build out their security organization. Ultimately, I did a pretty good job. I got it built out. They brought me in because they were having problems landing clients that required them to have security postures, and I helped them land their biggest client, which was Burger King.

But I wasn’t as successful at it as I would’ve liked. Everything was much harder than it seemed it should be. It didn’t seem like I had the influence that I needed to get things done in a timely manner or to not have to go around people or do these entire orchestrations. I learned that both I was kind of young so people wouldn’t necessarily give me as much credit for that, and I had to learn to influence people and I had to learn to have those business skills. Initially I started with, I was kind of young and I needed to address that. So I went back and got my master’s in information security.

Jonathan Reiber:
I was going to say, you grew a massive beard.

Rob Hornbuckle:
Yes, I grew a massive beard and started singing ZZ Top songs.

No, I went back and I got my master’s in information security, that way no one in the room could ever argue that I didn’t have technical mastery because I thought that’s what was holding me back. Turns out it’s helpful, but it wasn’t what was actually holding me back.

What was holding me back were those interpersonal skills, that business knowledge and that ability to speak and talk and influence. From there, I went and I got my MBA. I actually went to Temple University. I got a full-fledged MBA. My wife gives me hell about it because I have two master’s degrees now because of that. But I got all of the business knowledge and I made sure that I would understand the entirety of what it was. I’ve gotten to a point now in my career where I have as much business knowledge as I have security knowledge, so I can marry the two very easily.

I also started relying back on some old skills that I’d picked up in my youth that I didn’t even know would be necessary as a CISO. I was a bartender for six years in college, I used to do acting in high school, I graduated as a member of the National Thespian Society. All of these things about public speaking, all of these things about communicating and capturing interest and holding attention, all of a sudden became super relevant in my technology career, which I never expected. But I learned all of that through executive coaching and through this MBA program, which taught me all of those pieces and how integral they are to business. Marry the two together and then you get to that point where you can truly be effective. You learn the communication pieces and you learn exactly how to talk about all of the elements.

Jonathan Reiber:
That is so cool. And when I was first introduced to you over email, I have to say your name is such a cool name. Hornbuckle obviously would’ve been a great name if you’d become a famous actor. You may also have another career ahead of you. That’s really cool.

So how did you find your acting skills have helped you as a CISO? You’re able to berate people from across the room.

Rob Hornbuckle:
No, it’s not berating. It’s the smaller things. Things that you wouldn’t think of or things that you wouldn’t expect. The expression to hold on your face, the eye contact to hold with a person. Learning to read the emotions or the feelings off another person so that you can learn how to communicate with them, where to communicate with them, what communication is working, what isn’t. And then that just stacked on top of the skills I had as a bartender; both being as a bartender and because it is the best place you could ever sit in any kind of social situation and just observe human behavior. I saw so much and I learned so much about human behavior and what results are and how everyone reacts in different circumstances. And it gives you the knowledge necessary to be able to meet someone where they are and communicate with them in the most effective way there is for communicating with them.

Jonathan Reiber:
Have you put this down anywhere? Have you written this down or codified these lessons?

Rob Hornbuckle:
Like in a resume maybe, what’re you talking about?

Jonathan Reiber:
Well maybe this podcast is your first go at putting this down into an article or something. I think you’ve got really good experience here that folks should definitely tune into and pay a lot of attention to. Cause I love those experiences as a description of how you learned to lead. I’ve never thought about a bartender as being an observer of human behavior. When you think about it, folks who come to the bar just unload on you, I’m sure, a lot.

Rob Hornbuckle:
Not only that, if they’re not paying attention to you, you’re sitting in a position to watch everyone that’s there and no one is going to be upset in any way, if you’re looking in their direction, because they just think you’re looking to see who wants to order a drink next.

Jonathan Reiber:
See, now that sounds like a skill for the intelligence community. That’s another option.

This is great. I think for some practical lessons now on the basis of your leadership background. I just want to pull a little bit of a strength to see if we haven’t covered it, you said you’re not a normal CISO earlier. Is that some of the reason why you’re saying it?

Rob Hornbuckle:
Generally, these are the things I’m referring to when I say that. Part of it too, is I’m fairly young. I’m very young for this to be my fourth role as a CISO. But outside of that, it’s mostly those skills that I was referring to and those experiences that allow me to be successful in what I’m doing. Regardless of how you look, regardless of your age, regardless of, well, your clothing has a little bit to do with initial perception. Regardless of those pieces, if you can go in there, if you can look the part and if you can talk where it’s not just you know what you’re talking about, but everyone perceives that you know what you’re talking about, the other parts start to fall away.

Jonathan Reiber:
Now I want to ask you about readiness. I think you’ve got some interesting thinking when it comes to preparing for the next attack. At AttackIQ, we like to say, “Are you ready for the next attack?” Which is, could lead you to a bunch of different answers, but I’m very curious to hear your thinking on this. Particularly as you talk about looking at younger CISOs coming up or folks that are trying to think about what the CISOs job is.

How do you think about readiness?

Rob Hornbuckle:
I think that readiness is a false assumption when it comes to the CISO role because everything is happening all the time. There’s never a minute out of the day where something isn’t trying to do something against your networks, unless you’re doing security for a small mom and pop of 20 people that no one’s ever heard of and you have the benefit of security by obscurity for the time being. You are getting bombarded constantly. So saying readiness almost assumes that there’s this lull or this period of nothing happening where you can attempt to “get ready.” It’s like getting ready for a pitch in baseball. If the balls are just constantly going down, there’s no chance to stop and get ready. You just do your best and take a swing. In some ways, security does follow that same mindset. In others, it puts you in this circumstance where you just have to always be ready. You just have to roll with the punches. You have to accept the fact that it’s not your job to necessarily prevent attacks.

It’s not your job to think nothing can happen on my watch. I’ve seen a lot of CISOs over the years where they have this badge of courage or this medal, they wear that they’ve anointed themselves with, where nothing has happened while they’ve been CISO. And this concept of, “if something were to happen while I was CISO, that’s it for me. My career’s over, everything’s done.” That’s really not the case.

Something is eventually going to happen at any organization you potentially could work for. If you work there long enough, something will eventually happen. It may be minor, it may be small, it may be big. What’s going to determine your success and your longevity long-term as a CISO is how you react to it, how you handle it, what you do, how well you’re able to minimize it, how well everyone trusts that you’ve both done the best you can and that you’ve had the best interest of the organization in mind and have produced on those results. That actually will help your career better than never having a breach ever.

Jonathan Reiber:
That’s incredible. So last week we had Juliette Kayyem on [Think Bad, Do Good] and she is a former assistant secretary of Homeland Security and has written this book called The Devil Never Sleeps. She opens it up talking about the word “astro” from disaster planning and it comes from the stars. It then correlates into the word “disaster” and it correlates into the word “catastrophe.” She says that she doesn’t care about when and how something happens, you have to think that it’s always going to happen.

The thing that I love about what you just said is you talked about relationships and you talked about the mindset of the CISO. One thing that I think is useful for our readers and for our listeners, watchers, all the above, all platforms, is that CISOs have this terrible mental health burnout process, and I think if you go into the job saying, “Nothing’s going to happen, my job is to prevent bad things from happening.” Then you’re probably going to bust a gasket. Isn’t that right?

Rob Hornbuckle:
Yeah, that’s where the majority of burnout happens is from CISOs who personally take it upon themselves, like they are Gandalf standing on the bridge and no attacker shall pass.

Jonathan Reiber:
“You shall not pass!”

Rob Hornbuckle:
That’s really not what you’re there for. What you’re there for is to explain security in a business mindset to all the people that need to know it in order to make appropriate business decisions. When risk-based decisions are made involving security, to run the programs that they’ve chosen as stewards of the business with your assistance as efficiently and as effectively as you can, that doesn’t mean that you stop everything.

In fact, inherently in that entire setup, you are looking at risk mitigation. You’re accepting that there’s residual risk. You’re automatically accepting that something could happen. You’re just reducing those chances. So thinking that nothing should ever happen is folly from the start from a business mindset.

So instead of placing all that time and energy and worry into making sure that nothing ever happens or making sure that something doesn’t slip past me or thinking my career’s over if somebody clicks on the wrong phishing email, it should be placed into preparation of how to handle any situation that may come up because something happened. Having the wherewithal to run the exercises so that people will understand how they would eventually be communicated to in the case that something happens. Running through the plans of this is how we address it and this is how we minimize impacts to the business when something happens and just accepting that it will happen at some point.

Jonathan Reiber:
That’s amazing. Again, so many questions like who are your key partners in getting to that place of trust and communications?

Rob Hornbuckle:
It’s going to change a little bit based on your business model, which takes us back to business knowledge.

You need to understand what a business model is, how a business model works, and what the business model for your organization is. Then from that point, you look at where your incomes are, where your costs are, where you could potentially affect the organization. You could even throw in how security could potentially be a business differentiator for your market. Then you’re plussing yourself in the eyes of anybody that’s from a business standpoint and how you’re addressing it. If you go into those conversations that way, it’s going to buy a whole lot from the very beginning, but you take all those pieces and just put it together for your organization.

For mine, there’s a bit in operations because we are an airline, so operations is a big thing. For all intents and purposes, we are a marketplace, just like a Sears or an Arby’s. We sell a product. Our product happens to be moving people in a big metal cylinder through the sky, but it’s still a product.

My job is to do everything that I can to associate making sure that happens and making sure that we can sell tickets to beyond that product. So therefore, eCommerce is a really major partner because that’s going to be our main intake. Operations is going to be a very major partner, ’cause that keeps it going. Then your senior most leadership is going to be a major partner because they make the final call and the final decision, which includes your board of directors, as well as your CEO. Then finance becomes a very major partner as well because they’re handling the purse strings and everything else that’s going on to mitigate these risks. As far as major groups that I’m leaving out, the only one that’s really there that I’m leaving out in my circumstance right now would be marketing. That’s just because we’re both very important, but we don’t really have an effect on each other so much in this business model.

Now, if my business model was different, then those key stakeholders would be completely different. Let’s say I was an ad agency. Well now marketing is my business. They become a very key partner that I need to work with on a daily basis. So you really need to understand the full business model and how your company operates, so that you can find those key stakeholders.

Jonathan Reiber:
That’s interesting.

Rob Hornbuckle:
I think I went around about a little bit, sorry.

Jonathan Reiber:
No, no. That was incredibly valuable. Incredibly valuable for how you think about, well, instead of me projecting what I think, I want to ask you.

You mentioned e-commerce and operations. When you think about cybersecurity risk from an operations’ standpoint and you’re talking to the director of operations, what’s your starting point with them? It depends obviously what the controls are in place when you get there, what the security team is, where they already are. But what are some starting points for empathy that you have when you’re thinking about engaging that community?

Rob Hornbuckle:
You go into it as a leadership within security, you go into it from a standpoint of “what are your pain points. What’s going on that makes you dislike security right now? Where is it the most painful for you to accomplish your goal?” You are connecting with them on a personal basis, because you’re talking about things that affect them more than you are necessarily anything else, which is always going to draw somebody in.

But you’re also getting information on where clashes have happened in the past on the biggest friction points between your two sets of organizations. Then from there, it is asking questions, especially in the beginning, especially if you’re first starting as a CISO: you need to understand where they are and what they’re doing. You need to understand what they’re having issues with. Not just from a security standpoint, not just from an IT standpoint; you need to understand from a business standpoint how they work and how they operate.

Assuming you just became a CSO, you’re now a senior leader at that organization. You are expected to transcend what you actually got there to do. You’re at that table because you’re an expert in security, but people at that table are expected to know everything about the business so they can appropriately be stewards of it. You’re finding out from operations how they work, what they do, where they are, where their pain points are. Basically, you’re almost interviewing to be a person who works for the COO, and that gives you insight into that organization. Then look at where your security stuff overlays and how security affects what they’re doing. Maybe talk about ways you could improve what they’re doing, increase their efficiencies by changing things here or there.

You wouldn’t even be able to have that conversation if you didn’t find those things out first.

Jonathan Reiber:
That’s incredibly helpful for implementing strategy and up leveling an organization’s defense posture. Can you talk a little bit about how that helps in an incident?

Rob Hornbuckle:
In an incident, if you’ve been doing that the entire time, you are now a trusted advisor. You’re not just this security guy coming in with their hair on fire because something just happened. You are this person who understands what they do, who understands the organization, who understands the business, who understands how everything fits together; who’s now coming in with an incident that’s happening that needs to be addressed and they trust, and they know that you’re coming into it with the best interest of the business at heart and in mind.

Fairly early in my career, it was explained to me this way. At the time I didn’t take it very well. In fact, I was kind of upset when it was explained to me. But over the years afterwards, it started to settle in. I had a gentleman who was actually a Chief Project Officer, so he ran the PMO, came to me and I was exasperated, I couldn’t get things to work the way I needed to. I couldn’t get the influence done like I wanted. I was technically sound in all my arguments, but people were still choosing other things.

I went to him specifically for feedback. This is one of the things I’d learned through my education and I knew I wanted to get better, so I took the initiative to ask, “What’s going on? What am I doing wrong?” I was basically told that it doesn’t matter if you’re the smartest person in the room. It doesn’t matter if you know exactly what you’re talking about. If people don’t trust you, you might as well just be sitting there shoveling sand into a bucket. The way it was being explained to me, that I was alluding to, is most of the senior executives of this company have been there for a very long time.

Occasionally, I find a company where that’s not the case, but at least some of them or the most trusted ones will have been there for a very long time. They’ve seen this company grow, they’ve nurtured this company, it’s generally come from something small to something large. They view it almost like you would a child. You have this child that is the company. You’re feeding it appropriately, you’re caring for it appropriately, you’re watching it grow. You have this attachment to it because of this. So you have to have the same level of trust that someone would have for you to watch their child; for them to trust you completely with what’s going on with the business in an incident. That’s the level of trust you need to make a goal and be striving to try to build at those levels.

Jonathan Reiber:
The only experience I have in that is anytime anyone touches any of my content, I’m like, “Ahh. Handle with version control. Did you mess with the words? Did you mess with the pictures? Don’t mess with it.” I’ve written a lot about trust actually between the private sector and the US government, because there have been a number of historic breaches of trust from the national security community, dealing with the private sector. I’m sure vice versa although it’s harder to probably write about that.

What are some lessons that you’ve found? You just talked about the process for building relationships and I’m sure there’s overlap between building trust and building relationships, but what are some key lessons about building trust?

Rob Hornbuckle:
You have to be honest. People can tell when you’re lying, you can’t fake it. I talked about acting skills and I talked about observation. They’re all helpful for helping you come to a realization, but if you aren’t earnest, and if you don’t really mean it, people could be momentarily fooled, but they will ultimately find out. They will ultimately figure it out. It will ultimately come to light. You need to find it within yourself to have that empathy, to have that understanding to really care, because if you don’t, it’s all for naught in the long run. That’s probably the biggest major lesson out of that that I have taken.

Jonathan Reiber:
It makes me think like one of the reasons why people lie or hide the truth is they’re afraid. They’re afraid of being punished or afraid of getting in trouble. You also have to have courage in order to build trust ’cause you got to be honest.

Rob Hornbuckle:
One of the most executive things you can ever do is stand up and take accountability when it’s your fault. You will garner significantly more respect if you stand up and take accountability when it’s your fault, than if you try to slough it off or if you act dodgy or if anything. The second something wrong happens and you know that you were either in charge of the people that had it go wrong or that you yourself were responsible, you, at the very first opportunity, take accountability for it and start to address it and take action immediately. That’s going to be significantly more respected than any other outcome, but it’s almost not human nature to do that.

It’s almost human nature to want to shy away, to want to not get in trouble, to want to try to curl up and defend yourself in some way. But I’ll say again, the most executive thing that you can possibly ever do is stand up and take accountability when you were at fault either fully or even partially.

Jonathan Reiber:
Who are some of your heroes, Rob?

Rob Hornbuckle:
I don’t know, I’m not really good with the hero thing. My answers would be ridiculous. I grew up on GI Joe and Teenage Ninja Turtles, so I don’t know if heroes is really anywhere to go on it.

Jonathan Reiber:
Oh man, sometimes people ask me this. I had one character in a novel who was a hero of mine, that was an old one. But either in history or in popular culture, I think one of the things about life in our country today is, there aren’t a lot of heroes walking around, you know what I mean? People need role models.

Rob Hornbuckle:
I don’t believe in heroes outside of the fictional scenario. Everyone’s human. Everyone makes mistakes. I believe that there’s people that you can watch the decisions that they made, and you can find the good ones to take example from. You can find the bad ones to make sure you don’t repeat, but nobody is perfect. The concept of a hero in that aspect is fictional, which is why my heroes are fictional.

Jonathan Reiber:
I love that. We can actually learn a lot from fiction. I like your point about being a bartender. In fiction, you can observe human behavior. You can put your mind inside of the characters and learn to empathize with human experience. It can take you out of the world that you think you know, and put you in a different one. So I really like that. Rob, it’s been great having you on today. Is there anything we haven’t talked about that you wish we had?

Rob Hornbuckle:
I think we covered maybe one of the subjects we had talked about before having this particular interview. I think I might have taken down a couple of tangents I wasn’t intending on, but nothing specific. Thank you for having me.

Jonathan Reiber:
This was great. This was one of the most interesting conversations I’ve had in recent times. The marriage of security and leadership and business that you articulated, I think is not something that most CISOs hear, and particularly for folks looking to go into the role, the lessons you outlined, you should write the stuff down.

Rob Hornbuckle:
There is one other one real quick. I get this question fairly regularly from people that I meet that have seen me talk at different places. Like I said earlier, I’m fairly young, especially for having four CISO roles, so I always get, “How does one become a CISO? What do you need to do it?” How did I do it at the ages that I was at? And the answer to that question is very simple. Take the jobs nobody else wants. Take the jobs that don’t pay as well, but pay you in experience and pay you in opportunity. Take the jobs while you’re young and while you can that give you the experiences necessary to grow, and if you want to grow fast, that’s the way to grow, as fast as you can.

Jonathan Reiber:
That’s awesome. What a great lesson. Folks, Rob Hornbuckle coming to us from the quasi-woods of North Carolina. It’s a pleasure to have you and we’ll have the transcript up on the site, which I think for folks that want to read it, you can see Rob’s lessons and we’ll break it down clearly to scan through. So, Rob, thanks for coming on and certainly you’re welcome back anytime.

Rob Hornbuckle:
Not a problem. Thank you very much, and anytime.