Episode 49: From CSO to CEO: Tyler Farrar's Journey in Tech

Narrator:

Welcome to 9 0 9 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and Cyber Aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for 9 0 9 exec, episode 49 with Tyler Farrar.

Den:

Okay everybody, welcome to another episode of nine nine Exec, your podcast for executives in tech. And hopefully you can join us in your journey. We join you on our journey or some, I dunno. I dunno. But every week, every week we try and drop an episode with an exciting guest. I got a returning guest who was on our Get it started. Get it Done Banyan podcast, and on this podcast, so Tyler Farrar, Tyler, I don't know where you can start with your title, man, because you're like CSO, CEO, you've got your hands, all sorts of pies. You're a man with an opinion. So welcome to the show and we're going to dig into some of your opinions today. So hey, welcome man.

Tyler:

Hey, thanks a lot Den. Good to be back.

Den:

Yeah, no, don't over the journeys when you have been on before. So we had you when you were the CSO at Exabeam and that's how we met through that relationship, and then you went on to do some other stuff. So why don't you share with everybody what are you up to these days?

Tyler:

Yeah, I've been busy in 2025. Started a role at Next Power as the CISO and head of infrastructure over there. It's been really good so far. And around that same time that I started launched my own LLC with a couple of co-founders stacking bytes. So I'm a CEO and co-founder over there. We kind of built the company initially on more like building niche cloud security type tools and I'm happy to go down that rabbit hole as well with you. But that's where we started. We kind of expanded from there and you go where the needs and the problems are. So we can do consulting. We are building our own product right now as well. Just things that we find that need help, we just go build it and try to solve a problem. And continuously doing the go to market advisory work as well for cybersecurity startups where they need it.

Den:

Yeah. Awesome man. So three things. Three

Tyler:

Things all LinkedIn.

Den:

Yeah. Why didn't you share next Tracker? So what is next Tracker? What do they do there and then what kind of are in

Tyler:

Yeah, so we just rebranded to Next Power last month. It's more fitting for the company that the strategy of the company, it's building more from literally a tracker company for renewable energy attaches onto solar panels, allow us to track sun, really get the best efficiency out of a solar field to all things solar energies. So you can think of it with how do the solar panels get cleaned, how do they get maintained? So there's robotics involved with that. How about power generation itself and things around software and what types of software AI and ML built into that can be leveraged to have the most efficient solar power plant That's possible.

Den:

That's pretty awesome. And yeah, I mean renewable energies is going to be a big thing still, right? I mean it depends who you ask, I guess

Tyler:

AI needs too.

Den:

Yeah. And your role there, so is it CSO and infrastructure? What do you cover?

Tyler:

Yeah, CSO and head of infrastructure. So if you want to call it traditional cybersecurity on the corporate side, we have a suite of products that we've built or acquired over the year. There's product security, there's ot, and so embedded devices, there's firmware, there's software, there's SaaS and everything in between. And then on the infrastructure side, it's kind of core IT infrastructure, so firewall, lan, wan, wifi, all that fun stuff too. So we're really focused on both. And I've always said good security structure with good it. So it's a good place to be in that I can manage and be responsible for both.

Den:

And it's interesting for me in the sense of that blended CSO CIO role. I think there's a lot of advantages to that. So there's a couple of questions for you. One is you've done this kind of work in software companies and now you're in one that is blended between software and hardware as a product, right? That's

Tyler:

Right.

Den:

What is the solar industry look like and differ from a CSO of a software company or a regular startup?

Tyler:

I'm learning more about industry standards and regulatory requirements where they're applicable and they may not be applicable to our company, but they may be applicable to our customers, which thus you always have contract flow down, supply chain, risk management, et cetera. So I learned, I've learned a lot through that. There are international standards that I wasn't aware of coming in. So I think it's always easier to learn those types of things that are related to the business itself versus try to learn just core cybersecurity or IT or whatever you want to call it. And then I can build my program around that. But at the end of the day, it's still a device. It's still on the network or it's off the network, but it's still an IT or OT device. And I rant about it sometimes, but the best two things you can do is good access controls and network segmentation.

Den:

No, you do rant about stuff a little bit. So before we get into the rants, why don't you share with everybody more about stacking bytes and the cyclops? What is it? I mean both of these for me, it seems like there's a bit of an overlap, right?

Tyler:

Yeah. So stacking bytes, again was founded on the premise of good customized cheaper niche kind of tooling for cloud security. I won't go into the whole story, but in a past life, Google, S-E-C-G-C-P-S-E-C customer, when they decided they were going to charge for that product line, it was about 2% of annual spend and that was a multimillion dollar problem that just sat on our lap. There's just no way that my security budget was going to get an extra few million dollars added to it because Google decided that they were going to charge for this. And so we decided to look at alternative options. And my cloud solutions architect said, I think I can build something in-house. It's not going to be sexy, not going to get a sweet ui, but it's going to work. And we did. And that multimillion dollar a year problem went to a $6,000 a year problem.

So when we transitioned out of that company and moved on, we were like, you know what? Maybe we just go do this for fun and maybe there's other people that face the same problems that we do and whether or not it's Google or something else, maybe they need help with these types of things and building these custom bespoke tools as well. So that's how we started. And then from there we just through networking and just things online, et cetera, you start to get the attention to people. It's like, Hey, I need help with CMMC or I need help with something else. So we help on the services side and do consulting, but we've also launched a product, it's called CRS stands for contract reviews suck. So if you do contract reviews and you're listening to this, you're watching this, I hope you could feel that pain. And if you're not using a tool, we built one. We have a lot of ideas also for we want to take it, but there are tools out there. We try to be affordable and not be a quarter million dollar problem, but that's kind of what we based everything off of.

Den:

Yeah, I think it's interesting how there are so many small mid-size companies actually that just don't have the budget. So how do they protect themselves without having, I always say to people, my career at Adobe and Cisco, it's like not everybody has the Adobe and Cisco money, but not everybody has the Apple meta name, your other big tech giant company. So company money. So now we mentioned this a minute ago, you are not shy of calling some bullshit out in the world. So let's looking back at 2025, you and I, we had some really good discussions over the year where we were talking about some things in the industry that just kind of suck are bullshit. So yeah, you've done a few good controversial posts. I'll say they're thought provoking maybe is probably a better word. So why don't you give us a highlight and let's dig into this a little bit, a highlight of your favorites from the year and let's dig into why did they get you ruffled so much and let's have that conversation.

Tyler:

Yeah. So again, for the listeners, I do like to write, I try to write about things that I either am familiar with and have some sort of knowledge and expertise or I have an opinion about, if you go Google my name at csso online to the other side of that. And that's primarily where I do publish my articles today. And there were quite a few this past year that I published some alongside Den as a co-author to those. So thanks a lot. And other CISOs out there have also been willing and volunteered their time to help co-author some of those. I think we start off the year like the letter to the CEO and if any security leader, you don't have to have a C in your title, but if you are the senior security leader at your organization, I'm sure you feel some of that difficulty when working with executive leadership and how is that person that CISO treated, how are they seen upon rest of the organization?

And no, I don't think that that CISO has the same level or seen the same way as your CIO or CFO or COO, whatever other C letter title. And so it was an open letter to the CO to kind of like, Hey, look at us, look who we can be and who we are and try to do almost a wake up call of that. So that was one. I think another one that got a lot of feedback from was around hiring. And so again, this isn't about just hiring the CISO role, but if you have been looking for a job at all within the last, let's say now a year and a half, it's probably been pretty hard. Some of you may still be looking and it's taken months for some of my closest friends and colleagues to find jobs. It's not just the market, it's not just an industry. It's a fundamental problem with the hiring process. And so that article talks a lot more about that and there's faults on many sides. But again, check that one out.

To all the CISOs listening, I did publish one on CISO Ego, and if you're a vendor sales rep, I'm sure you've felt some of that CISO ego and I talk about how we as an industry created it. Power can get to people's heads and some individuals don't know how to effectively manage power and really harness it with responsibility. So that one's pretty interesting. That one got a lot of feedback. And then the most recent one was just around, again, just the overall noise within our industry. I do find when I go to security events that there are less practitioners in the room than vendors or those vendors have never been a practitioner before and many call themselves still being in cybersecurity. And so I sometimes smirk at that comment, but it's really more about how there's this three groups of people, there's the practitioners and CISOs, there's the vendors, the sales reps, and then there's the investors, the VCs, the PEs, and we've all created this mess where all these security tools are out there, thousands of security vendors are out there, and some of these are like tier two, tier three level tools that you're just never going to implement and really integrate into a program.

And the breaches are still going to happen because we've completely just stopped doing the fundamentals of cybersecurity. I told you the first two network segmentation and access control can get you really, really far, but it's getting back to that stuff and stop chasing all the tools. There's some really good ones out there, but hey, let's pause for a second. This is a nightmare.

Den:

Yeah, no, that's brilliant. Now we're going to pause for a second. Now we're pausing for a second for just a brief message. Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to subscribe and share the show with your friends. If you know of anyone else that would benefit ideally for us that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion.

So welcome back everybody. Tyler, you just ran through some of your gripes last year, man, and I actually, I love them. So I think the open letter to the ceo, right? I think I am always saying this, I've never met a CEO EO that woke up in the morning and thought I'd love to spend more money on it and security. But when shit hits the fan, then all of a sudden they're forced to spend money and usually a lot more money on IT security. And I always look at it and what was great about that article was it really just prizes apart the conversation of a lot of other C-level roles, which I do think are more established than the CSO role. So we've kind of got to acknowledge that. But the reality is, is there's a lot of responsibility and sometimes personal liability that you get as a CSO that you don't get in some of the other roles. The CMO is not going to get the same legal responsibility as a cso. The closest role we get is closer to the CFO. There's a lot of responsibility there. I'd even say the CIOs in some cases depend on the industry, don't have the same one either. So there's a lot of expectation. There's a lot of personal risk and liability when you get breached, then you generally get to be the scapegoat and the one that gets marched out the building depending on your leader.

Leader, excuse me, but not like the CIO would get that or the CM or any other C level person. So see, I know where you saw the past. Where do you see the future in the relationship and just the CISO as a role in the industry do you think is going to get better?

Tyler:

I am a little skeptical at this point. I am curious to see what happens. And maybe you know what company just recently introduced this concept of multiple CISOs, one of the larger orgs just did that. Maybe there's something to that.

Den:

Yeah, that's been there. I mean when I was at Cisco then there were several people across business units with CSO titles. The larger the organizations tend to have CSOs within business units. So I see that as a, that's a thing for the larger company, but if you're like 5,000 people or less, I don't think there's any business having more than one in that organization.

Tyler:

Yeah, perhaps it's a named individual. I think it's interesting. I think there's a drastic misunderstanding what cybersecurity is. There's a lot of ignorance, whether or not that's purposeful ignorance to what cybersecurity is, and I've thrown up a chart once of this mind map, just throw up every single word you can think of when cyber, again, if you're in cybersecurity and hearing this, all the things that cyber is, and it's a lot, right? Some people try to speak more programmatically, vulnerability management program, bug bounty program, like trusted access program, blah, blah, blah. Because all these programs do fit under that cybersecurity umbrella and it shows, oh wow, you have a lot of programs and maybe that's a good way to talk about it, but I still think there's a lot of leadership that's like, I don't really, it's over there. You got it. But if you really look at it and if you've been a CISO and like you said, especially the larger the organization, the more complexity in their technological environment there is, it's a lot. And I'm not saying that one person can't do it. I think there just needs to be better understanding that there is so much to this role and it's not just about security anymore. We are, like I said, I'm doing infrastructure. There's so much aspects to technology this day

And whether or not that continued integration with A CIO or do these terms kind of go away. And maybe there's somebody that's really good at applications E-R-P-C-R-M and they're that technical leader. And then you've got an infrastructure leader that's good with security on-prem cloud and maybe you're focused more around the technology itself versus pinho people into you're the CIO and you're the ciso, whatever like that.

Den:

And some level, I mean there's technical acumen, but there's also leadership acumen and business acumen. And I really think, again, this all depends on the size of the company and the industry and whatever. There's a bunch of factors, but the reality is most of the people at the C level that able, they have a level of business acumen and traditionally a lot of people in that IT security space didn't evolve like that. And then CIOs I think have been more recognized in the last 10 years is requiring business acumen to be a successful CI. I think for CISOs, we have to have that. If we want to be at the table with the adults, then we are going to have to have that. I mean, you and I are in a lot of the same circles and a lot of the people we know, there's a lot of them that have that. But unfortunately, there's actually a lot that I've encountered over the years that are just technically gifted and don't know the business side of the conversation. It doesn't mean they're not great at that thing, but I don't think we're going to see any change in 2026 on the relationship between the CEO and the cso. With one exception. I think we're going to continue to see a bit of an exodus of CISOs not wanting to be CSOs.

Tyler:

Yeah, I was going to say the same thing. I agree with you. I think part of the problem with the business acumen side is again, personal opinion here, but I can step into an organization and if you don't give me a seat at the table, well then it's very hard to understand completely about the business. I can understand how we make money, but the decisions being made behind closed doors don't give me any insight into the decisions I can make. And I'm speaking freely. I'm not saying that this is my present employer or anything like that. The secondary thing is there are so many things to establishing a cybersecurity program that need to happen that are not invisible, and yet it's very difficult to tie to the business. It's like just if you let me do it, let me get it in. You'll see the bigger picture and I'll start to align more and more to the business.

But I can't really spit out data handling requirements until maybe I get threat detection and nobody else cares about sim, but me and my team. So I think there's these other hidden parts of cyber that because they don't tie directly to the business, then you're not seen as the business leader. And it's chicken and egg. It's like, well, we have to get these things in. And I totally agree with you. I think then you get a product of, well, what is the leadership of the organization over that ciso? And if it's poor, if that individual doesn't feel like, Hey, I'm getting done what I need to get done, I'm feeling like I'm included as part of this leadership team, et cetera, you're going to see good people leave the industry.

Den:

Yeah, and it's interesting because I look at it, I guess most businesses recognize you need it done to run your business successfully. You mentioned CRM and ERPs. Yeah, so we know that that quote to cash process and whatnot, nobody looks at a CISO in the same light. They're not seeing that direct tie to the business. But I certainly think though, that if you're not at the table, then you can never have the opportunity to add the value

And you'll also never get the opportunity to grow and add the value. And I do see a lot more blended roles. Actually two of our clients, we act as the CSO and the CIO as a blended role. And I think in that context, it saves the client money because they don't need to hire two leaders, but they can bring us in. And then the other thing though is we're continually looking for the balance between using technology to accelerate the business and using the technology and the people and the processes to accelerate and reduce the risk. So accelerate the business, reduce the risk. Do you see in the future more and more companies opting to blend that role? I

Tyler:

Think so. I think there's just still this traditional aspect of it that many of us, including myself, didn't come through. So I'm getting a lot of exposure in my role now, like I mentioned on the application side, okay, Okta is fine. And yeah, I get O 365, but when you get into the business applications, there's a lot of value in understanding that what I want to do that full time is also another question. If it came under me. I mean, it's something different and your users are really heavily interacting with those applications, but it's important. It might, but I don't know if the roles are going to come together more or just maybe we stop trying to pinhole people into these titles. And we talk more about technology because technology is what's enabling the business. If you get a good leader there to leverage the technology, then I think you're going to be more successful than deciding what three or four letters are going to start before their name.

Den:

Yeah, that's true. Now, to get a good leader though, you need to hire a good leader. Now, one of your rants of last year was the whole hiring ecosystem. And I definitely love joining in on that conversation because we launched a little pet project 9 0 9 ic, and that was about getting students into the ecosystem as part-time employees before they graduate. So blended apprenticeship and internship, and you had a take on this. And then actually I saw a post today, chase Cunningham done another rant about, because he's another guy that I love, he's straight shooter. And the thing I loved about it was people would knock on his door and ask him for, Hey, do you know anybody that can do blah? And then he sends 'em over and then the ghost the person. And I've seen that shit happen all the time. But Liz, why don't you dig into your observations of just the ecosystem on hiring, and then we will peel that back for the minute.

Tyler:

Yeah, I mean, a lot of that data comes from personal experience along with just talking with a few dozen other CISOs and security leaders that have gone through this. And I read a lot of your LinkedIn posts out there, watchers, and I see other people going through the same struggles, and some of it is attributed to just the company never had a real role to begin with. We see that kind of ghost tiring type of thing just to prop up the fact that it looks like they're a growing company, but they're really not. But I think there's a major problem with the hiring manager. Going back to our last conversation with how complex cybersecurity is. The hiring manager doesn't know what they're hiring for. So the job description is, the job description probably was generated by Gemini or chat GPT, and it's so high level.

And then they get these candidates, they don't know really what they're looking for, and it's a pain. You add into that the whole, well, the fact that we've moved away from posting this job in the newspaper and then people walk into the building and they're real, and here's my resume, and it's on paper to anybody. Anybody can go on LinkedIn and apply for this job. And a lot of the times that anybody is nobody and they're bots, and so suddenly you've just, your pool of people is thousands and thousands and there's physically no, it's impossible for somebody to go through all that. So your a TS systems try to screen through that, and you have highly qualified people. And again, hopefully some of you watching this have been on that. And I'm sorry you have, if I've seen some of you in Slack, see shows out there, say within minutes this role I was declined for and I know you and you were highly qualified for the role.

So how you were not based on some scripts that ran that said, you don't meet all the buzzwords of this, and they let you go, I'm sorry, but that's a problem. And then you get to the actual HR team itself and they're understaffed, they're hiring for multiple roles. Again, they don't know cybersecurity whatsoever, so they're not understanding how to screen for the role, and then they forget you and they move on something else, and suddenly you're ghosted, or your interview process is now months long because they forgot about you, or they're just too busy. And so you have all these things I'm sure I wrote about more too, but there's all these things that come up during this hiring process and it's a nightmare.

Den:

Yeah, I mean, there's so many dynamics to this one because I think there's people applying for jobs that they have no business applying for. Then there's people tailoring their resume, specifically adding buzzwords in so that they can beat the AI machine or adding whatever in so they can beat the AI machine.

And then the fact that we're having to use AI to screen stuff is, for me, just indicative of the problem anyway. But then there's also, there's so many people out there in the job market looking for work, and I didn't think about it until this year, but companies creating fake job postings for whatever reason, some of them, because they're just trying to build up the resumes in their system so that when something comes up, they got a bunch of people. And I know as well, I mean, shit, we are guilty of, for me, we are trying to look for good quality contractors to come and work on nine to nine cyber work. And it is a chicken and egg scenario for us because we are talking with hiring managers all the time for staff augmentation. Do I wait until I have the conversation or do I meet contractors first and screen contractors? We don't have all the time in the world to screen random contractors that we don't have work for, but we also don't want to be meeting a client. And then for common positions, you're like, oh, we don't have something available right now. So we want to make sure we're balancing that. And I find that piece for me is tricky, but the contract market I think is uniquely different than the full-time market.

So yeah, we don't really play in the full time market. We play in the contract market. But I look at it, if you're a company and you're just posting full time positions just for shits and giggles, then you're just adding to the problem, right? So yeah, it's not helpful. And it's interesting. I do see one of the things that we're hedging our bets on is that the freelance market is going to continue to grow because AI is going to impact the full-time market, and there's going to be a lot of more people looking for work. But B, I think there's going to be more companies thinking that they don't want to hire somebody, but they'll be happy to do 10 hours a week.

Tyler:

Yeah, yeah, absolutely.

Den:

So yeah, we're keenly paying attention to that space. I think that'll be interesting. Okay, so a lot of rants and opinions for 2025. We are recording this, the start of December 8th, and this will release probably about next week. So just a week before Christmas break. What do you think is going to happen next year, Tyler? What's on your crystal ball?

Tyler:

I mean, I used to play more into this with the overall cybersecurity industry and threat actors, et cetera. At this point, I don't know. I think we'll see a lot of the same that we have in the us, whether it be with the hiring we just talked about, the job movements. I think that freelance contracting work is going to continue to be a thing, be interesting to see what happens more geopolitically. It's always interesting to see how organizations make decisions on moving into new global economies. And so there comes with a cyber price of that. And where I think there's a major gap today, I hope, and this is actually something that I would like to work on as a CEO and co-founder, is how do we stay abreast or better stay abreast of all of the regulations out there. So expect to see more of that. I mean, these European member states are rolling out their N two compliance directives and there's a bunch of other EU AI acts and other countries have their AI acts and there's all the privacy stuff out there, more states that's going to be a pain next year. How are you going to watch it update your policies, et cetera. So I think that's a big one.

Den:

Yeah, I mean, you can't avoid the whole AI conversation and the impact that that's going to have. And I look at it like 26 from a cyber perspective. I just think we're going to see more AI obviously used in attacks and defending, but I just look at it, and we mentioned this earlier, the basic blocking and tackling. I think there's no getting away from the, we need to continue to do a good job at getting the basics. And ai, for me, I don't see it introducing new TTPs other than leveraging AI to accelerate and then improve the quality of the attacks. So I think you're going to see the consumerization of AI being used because you get more people that aren't traditionally attackers. And I think I saw a chase post the other week on this as well, where he's basically running through stuff, and it's a case of you're going to get people, they could make a hundred grand a year just because they're writing some code using Claude, and they're using that as the attack factor.

And I think it's just the accessibility is going to be better. And I think people that thought that they could avoid being breached, it wouldn't happen to them. I think the reality is you're just going to see a wave and a bigger influx of attackers because it's code that's accessible and there's going to be more as a service. So I think the basics are going to matter more than ever. So I don't think it's new attack vectors still fishing. It's still social engineering. It's the odd vulnerability that we didn't patch, which is still stupid to think you're not patching your shit these days. Default creds, no MFA, I mean, just

Tyler:

Hygiene stuff. But it'll also be really important with processes. And I think there's some cool AI tech out there nowadays that's able to detect is this synthetic, but now everything's going to be synthetic. So it's more about intent based. What is the intent of this message?

Den:

What

Tyler:

Do they want from me? Why do they want it? And confidence scoring versus this is bad or it's not. It's like I'm highly confident it is bad, and here's why. But to your point where it's going is I'm going to tug at the heartstrings of people and I'm going to get them to do things for me, whether it's reset creds, give me a password, give me an MFA token, whatever it is, I'm going after that because it's the weakest link still. And I got really good tech now to make it look as real as possible.

Den:

And I stick to the same conversation, which is if it was an unexpected communication with a sense of urgency and it's asking for something IE money, gift cards, personal information to be exchanged, give them your pin number for your OTP or whatever, any of that shit, if there's a sense of urgency and it raises your blood pressure, then you got to be suspicious.

Tyler:

Exactly. And I just tell my employees, slow down business is important, but just slow down for a sec.

Den:

Yeah,

Tyler:

Think about it for one more second and you'll see,

Den:

Yeah, not everything's urgent. And if it still looks and feels like Tyler's on video, it could also be a deep fake.

Tyler:

I know. I know. Yeah.

Den:

Yeah, man. So thank you once again for dropping in and hanging out and chatting and share some wisdom before I let you go, what advice do you have for CSOs? Let's talk about new CSOs. They've obviously worked a career, they've got into the position of now being given the full responsibility of the organization security. What one piece of advice would you give that person?

Tyler:

I'm going to quote a book and I ask the folks on my team and kind of sister functional areas to read it, and it's their choice, but extreme ownership is the book and everyone should practice it. Everybody should read that book. But there is no such thing as a bad team, only a bad leader. So don't be that bad leader. So outside of practicing some of the tens of the book, look into what is good leadership? Have you experienced good leadership and practice that don't suck as a leader because as soon as you do, your entire organization will fall apart because you've now created this bad team because you are the bad leader. So

Den:

Awesome, Tyler. Thanks, man. That's good advice. And we will be sure to add the link to the book in the show notes that would help people out. Well, Tyler, Farrar, CSO, CEO, founder, writer, author, speaker, whatever. I mean, I dunno, man. We can all the fancy shit. But again, that goes back to the ego of cso, which your ego is pure. Thank you, bud.

Tyler:

Thank

Den:

You. Appreciate it. And we'll have to get you back on the show middle of the year and just see what you're up to and see how all of these irons and the fires are growing. Thanks, man.

Tyler:

Great. Thanks Den.

Den:

Take it easy. See you.

Narrator:

Thanks for listening to 9 0 9 exec. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and Wisdom in cybersecurity and beyond.

‍