Meet our CISO – Rex Booth

The SailPoint Blog

CISOs are busy. They are in a mad dash to secure their enterprise while juggling an overwhelming number of competing priorities, managing budgets, and driving efficiencies, all while evolving the digital ecosystem to keep pace with the speed of innovation and change happening across the business. So, if you get a moment of their time, you better make it count.

We were able to sit down with our new CISO, Rex Booth, and learn more about his background in security and what advice he would give to others looking to step up their security game. Follow along below.

Tell us about you and your journey to SailPoint.

I took a meandering path to get here. The super high-level summary of my career is developer -> consultant -> vendor -> Fed -> SailPoint. Along the way, I was lucky enough to have some cool opportunities, like creating a public sector cybersecurity consulting practice, being at Mandiant during the release of the APT1 report, serving as the chief of cyber threat analysis at CISA, and most recently, helping stand up the Office of the National Cyber Director at the White House. It’s been a fun ride!

Who has been the biggest mentor in your career path?

There’s a phrase I picked up ages ago – “we claim no monopoly on good ideas.” That’s certainly true for me, but I apply it to others as well. So, I like to crowdsource guidance when I need it, reaching out to trusted people I’ve worked with who I know can provide thoughtful insights. Those can be people who’ve already traveled the road in front of me, peers who see me through objective lenses, or really anybody with a valuable perspective. Ultimately, I really treasure anybody who gives me honest, constructive criticism – it’s hard to improve based on introspection alone, so I love getting solid feedback.

What makes you most excited about the future of SailPoint?

Man, have you seen our Glassdoor ratings? They’re off the chart! People love it here, and for good reason. We’re doing important work, we’re challenged but not overwhelmed, we’re surrounded by world-class talent… but most important is that it’s a pleasant place to be. I’ve had the good fortune to work in some very interesting places on very interesting things. Still, nothing beats waking up in the morning and knowing everybody you meet is going to be looking for mutual victories. That’s an amazing feeling, and I wouldn’t trade it for the world.

What are the biggest challenges impacting CISOs today?

I think the biggest challenge for a CISO, or any professional, will always be communication. It’s a challenge for anybody. But those of us in the security field tend to see life through a different lens – a bit more suspicious and risk-aware, and it’s easy to forget that the rest of the world has their own lenses. So, the burden is on us to not only express our thoughts clearly but express them in a way that aligns with the lens of our audience. It’s not easy, and many of us underestimate the magnitude of the challenge.

Any advice for building a solid cybersecurity team?

Chase talent where it exists, pursue diversity, and extend trust as far as possible. For the former, that’s become easier with the expansion of remote work, but the chase extends beyond the physical, too. Talent exists well beyond traditional workforce development channels like colleges and universities. We need to hire for capabilities, not pedigree.

Which helps feed diversity, too. Not only hiring from among traditionally underrepresented populations – which is important – but hiring for diverse experience sets, personalities, and perspectives. A core part of the cybersecurity mission is to prevent adversaries from exploiting systems in unexpected ways. We’re best able to do that when we gather a diversity of perspectives and avoid groupthink.

But all the talent and diverse perspectives in the world won’t help if you don’t extend trust. Once you’ve gathered your team, you must minimize boundaries and let them do their job. You hired them for a reason, right? Get out of their way.

What advice would you give someone trying to move into a cybersecurity-centric role?

A career is multi-dimensional. It centers around the job, but orbiting around the job are your relationships and networks, your education, industry groups, and personal projects. Finding that first job can be hard if that’s all you’re focused on, but those other aspects can help clear a path for you. Find an industry group and volunteer. Come up with a fun project that helps you learn. Find a way to make some contacts who are already in the industry. Actions like that will not only help you find opportunities and open doors; they’ll make you a more compelling candidate when you’re being interviewed.

Why should enterprises care about identity management?

They should care because it’s absolutely fundamental to both cybersecurity and modern digital enterprises. Cybersecurity has been traditionally seen as a “stop bad things from happening” function. And that’s true, but it’s a subset of our mission. Our job is to enable the business by ensuring that the right people have the right access to the right things. This is obviously simplistic, and the corollary is that we also ensure that the wrong people don’t have access that they shouldn’t. But we can’t accomplish any of that without identity awareness and, more broadly, effective identity management.

What would you suggest a company do in its first step to identity management?

The first step is to pause. Before doing anything, organizations need to assess their needs and compare them to their future state. I’d love to say, “Step 1: call SailPoint”, but in reality, companies first need a clear understanding of what they’re trying to accomplish and what they’re already able to do before they rush to fill the gap. As Simon Sinek says, start with “why.” A great place to start would be our Identity Security Maturity Assessment. This 6-question tool can help you discover where your enterprise is in its journey and educate you on what to do next to ensure its protection.