On today’s episode, Steve Marshall, the CISO of the UK Group for Byte Software, discusses how he moved from biophysics to cyber security, how security impacts business decisions, and why he thinks the hiring process of the industry is overlooking talent for certifications.
Steve’s Journey
Steve originally studied physiology and was on his way to receiving his PhD when the IT world called to him. He ended up not completely his degree to work in IT and become the head of the department, and eventually, move into security across North America and the UK. For the past fifteen years, he’s been in a management position. Listen to the episode to hear more about his journey and how he went from physiology to CISO and CIO.
What is “good”?
Steve thoughtfully questions what a “good” CISO is in this episode. He believes there is no single answer, as each company needs something different. Steve also observes that the industry is moving towards having people of blended skill sets and different backgrounds, and therefore “good” for one organization could mean adequate for another. As technology is changing so quickly, the traditional standards of what a CISO should be, what qualifications they should have and what they should do are rapidly changing.
To Steve, a “good” CISO fulfills the needs of the individual company, as well as challenges that company to do better.
Security and Business
Like many CISOs, Steve initially struggled with talking to boards. He understands that many security people are really passionate about security and care about the business, so when they see the business making decisions that put them at a greater risk, they are bothered. However, Steve believes that they aren’t seeing the whole picture and miss out on the other factors that are driving these decisions.
Reach Across the Aisle
In order to get around this tunnel vision, Steve encourages CISOs to build connections with the movers and shakers of the other teams, so that you can better understand what drives decisions.
Steve goes on to explain why understanding different teams is imperative for business decisions, internal support, and collaboration. He stresses that the key is to listen. For Steve, he attends different meetings across different fields within the company to have a better idea of what each team is working on and what their needs are. Additionally, he tells a humorous story about how listening to the conversations during a smoke break made him well respected in his company. Listen on to hear that story and how connecting with other leaders makes you and the company stronger.
Steve’s Two Roles
Due to the dual nature of his roles, Steve has to sit in many sales meetings, while the typical CISO does not. No matter your role in security, every company is trying to sell a product, and it’s important to understand the sales team so that you can better assist, but also so that your voice is respected and heard when you have something to say.
Who Owns the Risk?
While many CISOs feel they own the risk, as we have discussed many times on this podcast, Steve feels that he doesn’t own the risk. Instead, he feels the business does as it’s the one who succeeds or fails based on the risk itself.
Steve’s perspective is that he’s in charge of understanding the data and making that data clear to the higher ups, but he doesn’t own the data itself. We talk about how you need to have a mature and respectful conversation with the other teams in the business in order to come to a consensus about risk. Listen to the episode to hear of Steve’s perspective and how this view of ownership affects the communication around the risk level, the proper controls the security team needs to put in place, and who signs off on risk decisions.
Reporting
When reporting to the CEO, Steve recommends focusing on the impact of the business, the future of the business, and the overall picture. As other guests have said, Steve encourages CISOs to align their reports with business strategy. The CEO doesn’t care, or has time to hear all the nitty, gritty details—that’s why they hired you.
Steve chooses to focus on security as it relates to the objectives of the business, and what will impact that or support that from an acceleration or goals-based perspective. It’s about speaking the business’s language, and not boring the management with unimportant details they don’t care about. Listen to the episode for more in depth advice on how to effectively communicate security issues with management.
Answering Security Questions
Oftentimes, management teams will reach out and ask CISOs questions about security risks they’ve read in the news. Not all management teams will be as proactive, but you will eventually find yourself in a situation where you have to answer unprompted questions. Steve’s view on this is that the higher up you go, the less time people have, so he suggests answering in a succinct way that explains how the security question relates to them.
Diversity in the Hiring Process
The last topic Steve dives into is the perspective on hiring and talent. He points out that people used to start on the factory floor and work their way up to CEO. However, that doesn’t happen anymore and sometimes as a result, leaders can lack a holistic perspective.
Steve believes there is value in having different backgrounds, even non-technical ones. The hiring attitude of the business sometimes emphasizes the degree so much that it overlooks talent, experience and those who would actually be best for the job. When hiring, it’s important to remember that not everyone has the same access to education and may have more experience as a result. He encourages those in hiring positions to put together the most diverse team possible, those who will challenge your beliefs and look at a problem from a different angle than you would. It’s the only way to push yourself and your team to be better.
Listen to the episode to hear more on Steve’s view of talent, education, and experience, and how those three factors can intersect in different ways in each individual, who may have more to offer than what’s on the paper.
Links: