From Unassuming Beginnings to CISO Excellence: A Journey with Andrew Wilder

  • Sep 12, 2023
  • Raffaela Kenny-Cincotta
  • 4 minutes to read

    With more than two decades in cybersecurity, including multiple stints as a CISO, Andrew Wilder now pays it forward as an Adjunct Professor at Washington University in St. Louis, Mo. In episode 96 of The New CISO Podcast, Andrew shares tales from his executive cybersecurity learning program and more: “We teach deputy CISOs and vice presidents who are looking to get into that CISO role,” he says of his program. “It also includes CIOs who want to have a better understanding about cybersecurity.” The goal is to blend leadership finesse with technical prowess, fostering the next generation of CISOs.

    Real-life Dunder Mifflin 

    Andrew’s career began as many do, with an unglamorous role at an unglamorous company. It was so unremarkable, in fact, that he jokingly compares it to Dunder Mifflin, the fictional paper company from “The Office.” But in this not-so-glamorous setting, Andrew morphed into a jack-of-all-trades.  

    “My role was customer service. But I did finance, I did marketing and sales, I did inventory. When we get really busy, I’d go out in the warehouse and drive the forklift and pick pallets and put orders on the truck. And so I knew the whole business from beginning to end,” he recalls.

    One day, the company owner approached him with a challenge: Replace the old mainframe setup with Windows servers and workstations. Andrew spent three grueling months working nights and weekends, manually converting data. 

    “I realized, ‘Hey, maybe I should stop working for the paper company and start doing this IT thing as a full-time career.’”

    Following a two-week Microsoft Bootcamp and seven different exams, he earned his stripes as a Microsoft Certified Systems Engineer, stepping into the IT consulting world. Before he knew it, he was working for major companies like HP, Bank of America, and DHL. Nestlé, however, presented some of his most exciting opportunities. In a span of 18 years, he rose from Senior Cybersecurity Consultant to Regional CISO of the Americas, Asia, and Europe.

    Five steps of mentorship

    Andrew has a golden rule for security professionals: nurture self-empowerment alongside mentorship. “One thing that I think is really clear is nobody is going to care about your career for you. You have to care about your own career and your own development,” he advises.

    He encourages professionals to find a mentor or coach. If the perfect mentor seems elusive, explore formal mentorship programs or expand your LinkedIn network.

    “The worst thing that can happen is they say no or they don’t have time,” he shrugs. 

    That being said, Andrew stipulates that the mentor-mentee relationship needs to be mutually beneficial, with each party gaining insight. After all, valuable relationships thrive on reciprocity.

    Andrew lays out a five-step plan that he shares with his mentees.

    • Step one: Scrutinize your current job description and identify developmental gaps.
    • Step two: Craft and review these development plans with your mentor.
    • Step three: Consider your next desired role. What skills need developing to get you there? 
    • Step four: Create a vision board. “I try to not put any rules around the vision board,” Andrew clarifies. It could be anything from a collage to an Excel spreadsheet. “You print it out and you put it on the wall behind your monitor, or you put it on your refrigerator, and you look at that thing every single day and you say, what am I doing? What incremental step am I taking today in order to achieve my goals and my dreams?”
    • Lastly, step five, he says, is the scariest one: “Go and apply for that next job that you want. Whether or not you get it, the experience of doing that, getting ready for that, getting your resume ready, going through that process and getting the feedback afterwards will really help you grow as a professional.”

    70-20-10 learning model

    Straight from Nestlé’s learning and training department, Andrew unveils the 70-20-10 learning model, a blueprint that informs career education.

    Put simply, this model delineates three key aspects of an employee’s educational investment: 

    • 70% learning by doing: This chunk involves tasks assigned by your supervisor that enhance your value.
    • 20% learning through relationships: This is about networking and learning from individuals who can enrich your knowledge.
    • 10% formal education: This category embraces structured learning, be it in-person courses, online programs, or certifications.

    This blend has proven effective not just in cybersecurity but across a diverse spectrum of industries.

    Man overboard

    Looking further down the road to potential board roles, Andrew offers perspective on the pros and cons, especially in a security advisory capacity. “If you get contacted about doing a board role, you really gotta do the homework on your side,” he warns. Probe and question: Is this organization a good fit? What kind of risks do they have? How does the company’s culture align with cybersecurity principles? Do they have a technology and cyber risk committee?

    He adds, “If I’m gonna be advising about cybersecurity, I want to know about the CISO… Also looking at any kind of audit reports, incident reports, any kind of historical stuff that you can see. A lot of times companies are looking for this type of expertise in a situation where they’ve already had some kind of a breach or, or negative situation, which is not bad.”

    Parting thoughts

    Andrew closes his time on the New CISO Podcast with some words of wisdom: “I’m a strong believer that if we’re not constantly learning and growing and progressing, that we will become obsolete.”

    And he’s right. The skills and tools cybersecurity professionals wielded five years ago differ from the ones they’re using today. 

    “I think being a new CISO is seeing cybersecurity as a business enabler,” he concludes. “What I want to see as a new CISO is ways that we can enable business to happen, enable data to flow, but do it in a secure way.”

    To learn more, listen to the episode or read the transcript.

    The New CISO Podcast Episode 96: The 70-20-10 Rule - Steps You Can Take for Professional Growth
    Raffaela Kenny-Cincotta

    Product Marketing Manager | Exabeam | Raffaela Kenny-Cincotta is a Product Marketing Manager and Content Strategist based in San Francisco. Prior to Exabeam, Raffaela honed her skills as a communicator at advertising agencies and media outlets alike. Most notably, she spent several years in the music industry, working as an editor, writer, publicist, and social media manager. Her work has appeared in the Boston Globe, Rolling Stone, Vice, and Relix. She graduated with honors from Northeastern University, with a double major in English and Journalism.
