
Risk Grustlers EP 22: The real cost of cyber leadership

6 min read
Last updated on March 31, 2026
Authored by Susmita Joseph, Content Writer
Reviewed by Barasha Medhi, Product Marketing Manager
In this episode of Risk Grustlers, Nicholas Muy, CISO at Scrut Automation, sits down with Larry Whiteside Jr., Co-Founder and President of Confide Group, for a direct conversation about the real weight of cyber leadership.

Larry reflects on how he got into security, why the mindset behind the work felt familiar long before the title did, and how the CISO role has grown into one of the hardest jobs in tech. The discussion moves from software risk and business pressure to the rising exposure of small and mid-sized businesses, the value of peer community, and the market gap that led to the creation of Confide Group.

Catch the full episode here.

Here are some key highlights from the episode.

Nick: How did your journey into cybersecurity begin?

Larry: I did not set out to build a career in cyber. My path started in the U.S. Air Force, at a time when security was starting to become more central to how organizations thought about technology. Firewalls had become a real thing, and the Air Force was building around the idea of defense in depth.

Before that, my work was rooted in networking and switching. I was managing technology for the base, running infrastructure with my teams, and learning how these systems had to work together. Security came into focus as part of that evolution.

What made it click for me was not just the technical side. The mindset felt familiar. Growing up in an underserved community taught me to pay attention, read situations, and stay aware of what could go wrong. That way of thinking translated naturally into security.

Nick: Why did security resonate with you beyond the technology itself?

Larry: The technical part drew me in, but the mindset is what made it stick.

Security is about awareness. It is about understanding your environment, noticing what others miss, and thinking clearly about where risk is coming from. That connected with how I grew up and how I had already learned to move through the world.

So while I fell in love with the technology over time, the way security makes you think was already something I understood.

Nick: Why has the CISO role become one of the toughest jobs in technology leadership?

Larry: Because the role is under pressure from every direction.

You have the board, the executive team, business peers, threat actors, industry pundits, and thousands of vendors all pushing at once. Everyone has an opinion on what you should do. Everyone has a problem they think you should prioritize. At the same time, there is no standard playbook for how to be a CISO, because the role changes from one company to the next.

What makes it worse is that the CISO often has all of the responsibility and very little of the authority. You are expected to carry the risk, but you do not always control the decisions or the resources needed to address it. That makes influence essential, even though it should not have to be the defining skill of the job.

Nick: Why is it unrealistic to think companies can eliminate every risk in software?

Larry: Because software is built under business pressure.

Developers are expected to move at the speed of the business. They are not given unlimited time to build for every possible scenario, and the business is not going to pause revenue goals so engineering can chase perfection. So teams do the best they can with the time, priorities, and constraints they have.

Threat actors do not operate under those same constraints. They can keep trying until they find one opening. That is the imbalance. Security does not get to work in a perfect environment, and attackers only need one mistake, one gap, or one missed detail.

The point is not to pretend every risk can be removed. The point is to know the risk is there, acknowledge it, and make smarter decisions about what matters most.

Nick: Why are small and mid-sized businesses now so exposed?

Larry: Because attackers realized they do not need to spend a year trying to break into a massive enterprise when they can hit a smaller company faster and more repeatedly.

For a long time, security was treated like a problem for big corporations. That is no longer true. Smaller companies hold data, move money, and operate inside third-party ecosystems that matter. They may also have fewer resources, less mature programs, and less room to recover from a serious incident.

That makes them attractive targets. And when smaller businesses are hit, the impact does not stay isolated. It affects employees, customers, partners, and the broader communities that depend on them.

Nick: Why is security now a business issue for smaller companies, not just a technical one?

Larry: Because security has become table stakes.

Customers, partners, and third parties are going to hold smaller companies accountable to a baseline of security expectations. That means companies can lose business if they have not thought ahead and put the right controls in place.

This does not mean every smaller business needs to build a giant enterprise-grade program overnight. It means they need enough in place to show they take risks seriously and can be trusted. At that point, security stops being just a defensive function and starts becoming a business enabler.

Nick: You helped build the CISO Society. What problem were you trying to solve with that community?

Larry: Community.

I have learned more from peers, conversations, and direct exchanges with other security leaders than I ever learned from formal training. That is why the CISO Society mattered from the beginning. It started as a small group, then grew organically because people found real value in having a place to share what they were dealing with.

The point was not performance. It was honesty. People could talk about what went wrong, what they were struggling with, and what had actually worked. In a role that can feel isolating, that kind of space matters.

At this point, it has grown to around 1,800 cyber executives, and that growth happened because members kept bringing in others who needed the same kind of support.

Nick: Why do communities like this matter so much for CISOs?

Larry: Because a lot of people in these roles feel like they are carrying the pressure alone.

When you hear from others dealing with the same tension, the same frustration, and the same uncertainty, it changes how you see your own situation. It gives you perspective. It helps you learn. Sometimes it is practical advice. Sometimes it is simply the reminder that you are not failing alone in a broken setup.

That is why I say it can feel almost like therapy. Not because people want sympathy, but because they need a place where the reality of the role does not have to be explained first.

Nick: Where did the idea for Confide come from?

Larry: It came from a pattern we kept seeing inside that community.

A huge amount of the conversation was about security spend, vendor decisions, and whether a tool was actually worth buying. CISOs were constantly asking each other which companies were credible, which ones had overpromised, and who had real experience solving a given problem.

And the answer was always the same: people were relying on each other because they did not have time to sort through the market themselves. There was too much noise, too many companies, and too many claims.

That is what led to Confide Group. The idea was to help shrink the market for CISOs and narrow a crowded field down to one or two vendors that actually aligned with what they needed.

Nick: If you could redesign the CISO role, what would you change?

Larry: I would stop treating it like an operational dumping ground.

Over time, the role kept absorbing more and more responsibility. Security leaders asked for more ownership, and the domain expanded. Now, many CISOs are sitting on a mix of governance, technical leadership, operational oversight, and functions that are closer to CIO work than security strategy.

My view is that the CISO role works better as a risk and governance role. It should report to the CEO, have a dotted line to the board, help define controls and risk appetite, and actively monitor how the organization is operating against that standard. The operational execution should sit elsewhere.

Right now, too many CISOs are being held responsible for everything while still lacking the authority to make the changes they are expected to deliver.

Nick: What do people get wrong when they say they want to become a CISO?

Larry: A lot of people want the title without understanding the job.

They see the visibility, the access, and the prestige. What they do not always see is the grind, the volatility, and the toll the role can take on you. The further up you go, the further away you get from being purely technical. You are no longer just a security expert. You are expected to operate like an executive, manage at scale, influence across the business, and carry accountability at the highest level.

That is why I ask people why they want the role. If the answer is that they love being technical, then this is probably not the right destination. The job asks for something very different.

Nick: What helped you stay grounded through the role?

Larry: Leadership.

What kept me going was helping people grow. When I stepped into a CISO role, one of the first things I did was meet with everyone on the team and ask them what they would be doing in their ideal world. Not what they thought they should say. What they actually wanted.

That mattered to me because if I could help people move closer to the kind of work that energized them, I felt like I was doing something meaningful. The role may be grueling, but that part of it never felt empty to me.
