Five Minutes With: A Threat-Hunting CISO

Bernard Brantley explains the pros and cons of moving from a tech giant to a cybersecurity startup

What was your route into cybersecurity?

Back in the mid-2000s, I struggled to find a career that truly excited me. I switched between construction and retail sales, but neither felt like a long-term fit. At one point, I needed access to a Wi-Fi network but couldn’t find the password. So I taught myself how to audit and access nearby networks using the BackTrack (now Kali) toolset. The cycle of learning, failing, refining and finally succeeding was addictive. I was hooked. Those Linux skills became my ticket into a support role at a data center – and from there, everything fell into place.

If you could retrain for a dream job, what would it be?

I am currently in training for my dream job. I’m a strong believer that, good or bad, everything that’s happened up to this point was required to get you ready for the now. Along the way, I’ve gained knowledge to make more intentional decisions and position myself for new opportunities. I see my future self as a founder, investor, or large enterprise CISO. I’m extremely blessed that my current role provides access to individuals and experiences in all of those worlds for me to learn from.

What has been your most challenging role to date?

My time as a security engineer at Microsoft. I moved from a small MSSP start-up to the well-oiled Microsoft engine. I had just enough experience to be dangerous but lacked a deeper understanding of big company dynamics. I got to work on incredible projects and deliver impact in ways I could have never imagined. But I also experienced a lot of self-inflicted challenges trying to navigate large company structures and figuring out the right pathways necessary for career progression.

What’s the biggest misconception about cybersecurity?

That you need to be a technical expert to be successful. Cybersecurity touches every part of the business and all that’s required is knowledge, grit and a little bit of productive paranoia. Not every cybersecurity person writes code, analyses logs or “hacks”. There is a ton of value in risk assessment, reporting, project management and other hands-on work.

“The key challenge is embedding security into each business function, making it a direct partner in execution.”

Best and worst thing about your job?

The best thing is undoubtedly my team. It’s a privilege to work alongside such talented individuals who are committed to driving real impact. The worst part of the job is the limited resources that you typically have in a smaller company. Every decision to pursue an initiative means pulling a small team off another critical project, sometimes for weeks or months. This leads to sometimes difficult trade-offs.

What advice would you give to industry n00bies?

Learn as much as you can about “value”. I struggled with the concept of value versus “this is cool to do”. Understanding how you can leverage the cool thing to maximise value for your team and company is the way to go.

What’s the biggest as-yet-unsolved problem in cybersecurity?

The persistent siloing of security teams from the rest of the business. Without seamless integration, security remains a standalone function rather than an enabler of business goals. The key challenge is embedding security into each business function, making it a direct partner in execution.

“When you love what you do, you never work a day in your life. I don’t ever feel like I’m working that hard.”

Tell us a guilty secret

When you love what you do, you never work a day in your life. I don’t ever feel like I’m working that hard.

Where do the biggest risks lie with enterprise/government AI adoption?

Balancing security and innovation. Security teams are working to assess threats and implement controls, while business units are pushing to deploy AI for competitive advantage. If these two functions aren’t aligned, organisations risk either over-restricting AI – blocking access to tools like OpenAI due to uncertainty – or rushing ahead with AI initiatives without properly addressing security concerns.

What’s the difference in culture like between working for a tech giant like Microsoft and a smaller player?

Startups foster an environment of experimentation, where often bold bets are made, and failures are seen as learning opportunities. But at a larger company, innovation often happens in isolated pockets. A single team may be responsible for a new product, and its successes or failures remain largely within that group rather than impacting the entire organisation. That said, big companies do offer the advantage of deep specialisation. With more resources and time, employees can develop highly focused expertise in a particular domain, whereas in a startup, adaptability and broad problem-solving are more essential.