Cybersecurity is often framed as a technical challenge, but for top leaders, it’s also about strategy, risk management, and guiding organizations through uncertainty. CISO Diaries explores the daily realities of leading security teams, making high-stakes decisions, and balancing protection with business momentum. In this edition, we speak with Bryce Austin, a seasoned CISO and CEO of TCE Strategy, who shares insights from his years advising boards, responding to crises, and helping companies translate complex security challenges into clear, actionable strategies.
About the Interviewee: Bryce Austin
Bryce Austin is a recognized cybersecurity expert, author, keynote speaker, and advisor with over 15 years of experience as a Chief Information Officer and Chief Information Security Officer for global and midsize organizations. As CEO of TCE Strategy, he helps companies maximize the value of their technology while minimizing risk and cost, providing strategic guidance, incident response, and fractional CISO services.
An internationally recognized speaker and CISM-certified professional, Bryce advises boards across industries, from financial services and healthcare to retail and technology, translating complex security challenges into actionable, business-aligned solutions. Known for his crisis leadership and practical approach, he ensures organizations operate safely and efficiently in an increasingly complex cyber landscape.
How do you usually explain what you do to someone outside of cybersecurity?
3-second answer: I keep people safe from cybercriminals.
10-second answer: My team looks for ways to hack you before a cybercriminal does. We find the holes in your company’s current cybersecurity posture, and we can also help you plug those holes in a cost-effective, vendor-agnostic, and technology-agnostic way. We can also help you recover from a cyberattack if your company is under attack.
30-second answer: I help companies understand the minimum they need to do to keep their cybersecurity risk at a level where they can sleep at night. My team helps implement technical solutions, process/procedure changes, and cultural changes to mitigate significant cybersecurity risk. We perform penetration tests, run vulnerability scans, assess IT operations for cybersecurity vulnerabilities, and provide ongoing CISO-level advisory services. We also have a lot of experience with cybersecurity incident response, but we focus on prevention/detection whenever possible.
What does a “routine” workday look like for you, if such a thing exists?
A routine workday does not exist. Some days I’m on-stage giving cybersecurity presentations. Some days, I’m presenting to company leaders or boards of directors on cybersecurity findings. Some days I’m actively working on penetration test results, reviewing and prioritizing vulnerability scan findings, etc. Some days I’m fighting an active breach for a client (ransomware attack, wire fraud, data exfiltration, email account takeover, etc.). Most days, I’m learning something new about cybersecurity and strategizing on how to use that new knowledge to keep my clients safer than they were the day before.
What part of your role takes the most mental energy right now?
Changing company culture for my clients. Soooo many IT teams have their own way of doing things, and sometimes those ways are inherently insecure (logging in with domain admin accounts for everyday tasks, ignoring end-of-life systems, not having MFA on VPNs, etc.). Sometimes I have the other problem, where IT teams have things so locked down that they genuinely drag on company productivity while providing little in the way of improved security. Often, decisions are made more from the standpoint of who has the authority to control a given system, rather than what is in the best interests of the company and the customers who depend on that system.
What’s one security habit or routine you personally never skip? (Work or personal.)
Always use my password keeper to make randomized, 12+ character passwords for all sites that I can. My only exceptions are sites where I periodically have to type in the password manually, such as logins for Wi-Fi systems on airplanes, apps on my TV that aren’t integrated with a smartphone, etc.
What does your own personal security setup look like?
(Password manager, MFA, backups, devices, at a high level.)
I use a well-respected password manager with an annual fee so that it syncs across my devices. I have MFA on all email accounts, all bank accounts, all social media accounts, and almost any other site that supports it.
I perform manual data backups and keep them offline.
I use an office internal Wi-Fi and guest Wi-Fi setup to keep insecure IoT devices away from my internal computer network.
I have everything set to auto-update that I can, including computers, smartphones, tablets, and even IoT devices. On rare occasions that does cause issues, but I feel the security benefits far outweigh the occasional headaches.
I assume negative intent on every email, text, phone call, or even letters from the Post Office. I’ve had all of these attack vectors used by cybercriminals to try to trick me or my team into giving up something we should not.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
Darknet Diaries by Jack Rhysider is my favorite cybersecurity podcast, hands down. For more technical deep-dives, Bruce Schneier is a legend in the cryptography and data privacy sectors. For journalism, I follow Brian Krebs, BleepingComputer, Wired, and the Wall Street Journal.
What’s a lesson you learned the hard way in your career?
There are so many to choose from… First, I’ve learned that cybercriminals are motivated. They are focused. They are, for the most part, amoral and do not care what collateral damage they cause. Their behavior often represents the worst attributes that humanity represents, and the thought that some sort of worldwide moral code or set of laws is going to solve the problem is not realistic. It’s up to us to make cybercriminals’ job of stealing from us so hard that they move into other lines of work.
Second, I’ve learned that it’s often more difficult to implement positive cybersecurity changes than to identify them. Change often involves telling someone that the way they have been doing things for years and years isn’t OK anymore. No one wants to hear that. Often, egos get in the way of productivity, which is challenging. I’ve found that a softer approach that slowly escalates an issue normally yields better results than recommending sweeping change over a very short timeline.
What keeps you up at night right now, from a security perspective?
Over 10% of all Meta social media ads are spam or downright malicious. According to Reuters, Meta knows it, but they made $16 billion from those spam ads in 2024, so there is no incentive for them to be more diligent about identifying and stopping them. This keeps me up at night.
The devices we hook up to our home and business networks are often insecure right out of the box, and efforts to change that have had mixed results. There have been a few examples of trying to put a “cybersecurity seal of approval” on products, but I often see enterprise-class equipment that is inherently insecure. That keeps me up at night.
How do you measure whether your security program is actually working?
An independent general cybersecurity assessment is a great way to measure the effectiveness of a cybersecurity program. Monthly internal vulnerability scans help a lot as well. There isn’t a single answer here, as measuring a cybersecurity program is a lot like measuring a “get healthier” program. Many data points (in the “get healthier” example: diet, exercise, stress levels, sleep habits, lab test results, etc.) are important for getting an overall picture.
What advice would you give to someone stepping into their first CISO role today?
First, look at your technical resources and advisors. No one person can know everything about cybersecurity. A good CISO needs a team of advisors to keep him/her up to date on the state of the industry. Many CISOs aren’t used to bringing in trusted advisors to help them be successful.
Second, look for fatal cybersecurity flaws: Untested data backups. Critical systems without MFA. End-of-life systems with known-exploited critical vulnerabilities. Etc. Develop a tactical approach to address them.
Third, look at the IT team: Are accounts following least-privileged methodology? Are system accounts from 10+ years ago still active, but no one is sure what they do? Are team members given technical training on cybersecurity best practices? Develop tactical approaches to address these.
Fourth, look at the technology stack: Are end-of-life systems performing critical business functions? If so, what documentation exists on how to support them? What sort of security can be wrapped around them to make them reasonably cybersecure?
Fifth, look at critical vendors/customers. Which vendors have internal access to your network? How do you know they are following a reasonable cybersecurity program? Which vendors are supplying pieces of your critical infrastructure, and do you have valid support contracts with them? Which customers of the company are the largest (and/or most profitable), and what cybersecurity expectations are they likely to have of your company? These data points are critical to developing a 3-5 year cybersecurity roadmap for any company.
Finally, look at the company culture: What is the risk tolerance of the owners of the company (or the sector the company is in if it’s publicly traded)? What sort of safety programs outside of IT exist? Can you bring in cybersecurity awareness training as part of other existing programs?
What do you think will matter less in security five to ten years from now?
Authentication. If passkeys and other FIDO2-compliant authentication mechanisms continue to spread, the issue of authentication should slowly improve. Also, as more and more people are growing up in the Internet age, assuming malicious intent in any/all electronic communications will become more inherent to culture as a whole.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Vendor management. We are outsourcing more and more of our core technology stack, which has pros and cons to it. For some areas, such as email services, outsourced companies almost always do a better job of cybersecurity than companies that don’t specialize in email hosting. For other outsourced services, there are many companies with lousy cybersecurity that need a copy of your critical data or access to your internal network to do whatever service they provide.
It’s important to make cybersecurity assessments of your vendors part of the vendor selection process. It’s also important that the assessments you do are reasonable: I’ve seen many 300+ question surveys from customers buying non-technical products from a company. Throwing the kitchen sink at every vendor isn’t a good solution, but requiring reasonable responses to a tailored set of questions pertinent to the product, service, or type of data in question is critically important.
