For Cassio Goldschmidt, cybersecurity is an arms race, trying to stay one step ahead of the enemy. That’s why building alliances is so important.

“I think the only way to really succeed as a CISO is to create allies,” said Goldschmidt, the Chief Information Security Officer at ServiceTitan, a cloud-based platform that helps home services companies streamline operations and improve customer service.

“It’s a matter of talking to the people you work with, and arming them with the tools to actually be able to detect malicious activities or anything that could get in their way,” he said. “It’s getting them to understand what the crown jewels are, what needs to be protected, what is public information, and bringing everyone to the battle. Not only your staff, but employees, vendors, partners and even customers.”

Goldschmidt has been fascinated with software since his early teens, and started his professional career developing enterprise software for Fortune 500 companies. He began working with the security community 16 years ago, doing both product and program-level security.

“I’ve always been in high tech companies. Software is what they sell, and security is paramount because it touches their reputation,” he said. “So having been the one actually developing code and being in the trenches really creates a lot of empathy and understanding of what it really takes in order to develop good software, and security plays an intrinsic part.”

He was working at Symantec as a software engineer when he was nominated to become security lead for the group that was developing anti-virus software. With a master’s degree in software engineering bolstered by an MBA, he was soon leading the product security group.

From Symantec, he went on to Intuit Financial Services, which was one of the first companies with financial data to move to AWS, and then served as vice president of the cyber resilience practice at Aon, a forensics company.

A successful CISO must be a technical person but above all a business person, Goldschmidt said.

“Constantly communicating with the business is paramount,” he said. He meets frequently with customer success and legal because he sees his role as a business facilitator and not an obstacle.

“A lot of times, security is the Department of No, which stops things from moving forward,” he said. “But you have to really work with other teams and make sure that you can go as fast and securely as possible. The CISO has to understand that this is not a game of liability. Let me work together with various different teams in order to achieve what needs to be achieved and be as proactive as possible.”

Because every CISO has limited resources, it’s important to invest in partnering with other companies and to know where to invest resources, “because there are some great companies out there,” he said.

Goldschmidt meets with vendors several times a week to both understand what they’re doing and to influence their products so they can actually fit his company’s needs, he said. He sees that kind of collaboration with vendors expanding industrywide, especially in tight financial times when CISOs are looking to optimize solutions they already have.

“We’re working with our vendors to see what else we might have overlooked in the set of things that we already purchased that can help us,” he said.

Working closely with vendors is also critical to maintaining customer trust in an age when companies use a lot of SaaS and other software that CISOs can’t control. For one small vendor, he not only wrote the security agreement but also helped to find their first security hire, he said. “This partnership is more important than ever.”

Keeping up with the rapidly changing security landscape is his biggest challenge.

“CISOs really need to be one step ahead if they really want to be effective and provide value to the business,” Goldschmidt said. “Challenges vary by industry, but in my case, I really think the technology and the regulations are the real challenge.”

“We’re living in unprecedented times,” he added.

“Everyone knows what AI can do, and that includes not only the good guys, but particularly the bad guys. And everyone is turning to security and asking, how should we use this technology? What is good, what is possible and what’s prohibited? You need to understand the technology really well, and at the same time, be able to provide insightful comments to people who are potentially ahead of you in the use of these things.”

In a “very, very short period of time,” he predicted, the solutions CISOs have relied on for years won’t be effective anymore, because malicious actors will also be leveraging AI.

“Business email compromise, for example, is going to be very different,” he said. “Once an account is compromised, AI will pick up from the last email the victim sent, continuing the conversation using the same writing style as the person who was victimized, building confidence through multiple emails before making a malicious request. And there won’t be any way for current software to actually detect this because it is a trusted email with multiple messages and so on.”

Because it will take time for tools to catch up, educating employees about security will be more crucial than ever, and also more challenging, because people will themselves be writing messages like computers as they leverage AI, he said.

“We have to get this information in digestible forms continually to people, and in a meaningful way so they don’t skip it,” he said.

ServiceTitan has augmented its annual security awareness training with its Phish a Phriend contest, which invites employees to write their own phishing emails based on public information about the company available on the internet. The infosec department then sends out these employee-generated phishing messages to employees throughout the organization. By creating the phishing messages themselves, employees learn more about the concept of phishing, how it’s done and how to detect it.

Another big challenge for today’s CISO is the ever-changing body of privacy law, especially in the absence of unified legislation.

“Today, the CISO really needs to have a deep understanding of privacy. They have to create a trusted brand,” he said. “A lot of companies are creating the position of chief trust officer, and that is something CISOs have to do these days. They have to talk to customers to make them feel comfortable and confident not only about the security mechanisms in the software, but also how their data is safeguarded.”

Goldschmidt is a long-time contributor to the security community. He has been active in the Open Web Application Security Project (OWASP), holding multiple positions there, and has co-authored white papers for SAFECode.org. He has also volunteered for ISC2, advised VC firms and startups, and served on the CISOs Connect C100 Distinguished CISO Board of Judges since 2021.

“I think whatever time I put into the community I got back in the sense of learning from others, sharing experience and getting experience from others,” he said. “I am very thankful for all this time that I spent and continue to spend with various communities.”

When Goldschmidt has time, “I still like to get my hands dirty and do some software just for fun to understand the technology,” he said. He also composes electronic music, “which tends to confuse my wife, who’s thinking that I’m still working when I’m just having fun,” he quipped.

He also makes family videos, and has won awards in international competitions, including for his film of a family trip to Yosemite using a 360 camera.

“Other places, you usually point a camera one way, because the other way is not as pleasant,” he said. “But when you go to a blessed place like Yosemite, there’s some places there that are just really beautiful all around.”

Read the CISOs Connect™ Magazine CISO Spotlight Edition here: https://bit.ly/3OZjfJx