On today’s episode, Steve Marshall, the CISO of the UK Group for Byte Software, discusses how he moved from biophysics to cyber security, how security impacts business decisions, and why he thinks the hiring process of the industry is overlooking talent for certifications.

Steve’s Journey 

Steve originally studied physiology and was on his way to receiving his PhD when the IT world called to him. He ended up not completing his degree, working in IT instead, becoming head of the department, and eventually moving into security across North America and the UK. For the past fifteen years, he’s been in a management position. Listen to the episode to hear more about his journey and how he went from physiology to CISO and CIO. 

What is “good”?

Steve thoughtfully questions what a “good” CISO is in this episode. He believes there is no single answer, as each company needs something different. Steve also observes that the industry is moving towards having people of blended skill sets and different backgrounds, and therefore “good” for one organization could mean adequate for another. As technology is changing so quickly, the traditional standards of what a CISO should be, what qualifications they should have and what they should do are rapidly changing. 

To Steve, a “good” CISO fulfills the needs of the individual company, as well as challenges that company to do better.

Security and Business 

Like many CISOs, Steve initially struggled with talking to boards. He understands that many security people are really passionate about security and care about the business, so when they see the business making decisions that put them at a greater risk, they are bothered. However, Steve believes that they aren’t seeing the whole picture and miss out on the other factors that are driving these decisions. 

Reach Across the Aisle 

In order to get around this tunnel vision, Steve encourages CISOs to build connections with the movers and shakers of the other teams, so that they can better understand what drives decisions. 

Steve goes on to explain why understanding different teams is imperative for business decisions, internal support, and collaboration. He stresses that the key is to listen. Steve himself attends meetings across different fields within the company to get a better idea of what each team is working on and what their needs are. Additionally, he tells a humorous story about how listening to the conversations during a smoke break made him well respected in his company. Listen on to hear that story and how connecting with other leaders makes you and the company stronger. 

Steve’s Two Roles 

Due to the dual nature of his roles, Steve has to sit in many sales meetings, while the typical CISO does not. No matter your role in security, every company is trying to sell a product, and it’s important to understand the sales team so that you can better assist, but also so that your voice is respected and heard when you have something to say.

Who Owns the Risk?

While many CISOs feel they own the risk, as we have discussed many times on this podcast, Steve feels that he doesn’t own the risk. Instead, he feels the business does, as it is the one that succeeds or fails based on the risk itself. 

Steve’s perspective is that he’s in charge of understanding the data and making that data clear to the higher-ups, but he doesn’t own the data itself. We talk about how you need to have a mature and respectful conversation with the other teams in the business in order to come to a consensus about risk. Listen to the episode to hear Steve’s perspective and how this view of ownership affects the communication around the risk level, the proper controls the security team needs to put in place, and who signs off on risk decisions. 

Reporting 

When...

The podcast and the associated cover image on this page belong to Steve Moore. The content of the podcast is created by Steve Moore and not by, or together with, Poddtoppen.