The New CISO is hosted by Exabeam Chief Security Strategist, Steve Moore. A former IT security leader himself, Steve sits down with Chief Information Security Officers to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world.
Are You Ready to be a CISO? Why Mentors Matter with Mark Weatherford
In this episode of The New CISO, Steve is joined by returning guest Mark Weatherford, CSO and SVP of Regulated Industries at AlertEnterprise.
In last week’s episode, Mark shared how he set the foundation for his incredible career, from his start in the Navy to his time working for Governor Arnold Schwarzenegger. Today, Mark delves into his lasting legacy in the cyber security field. Listen to part two of this episode to learn more about being the plus one at security meetings, Mark’s mentorship perspective, and putting in the work to succeed.
Listen to Steve and Mark discuss what it means to be coachable and the importance of experience:
The White House Basement (1:33)
Host Steve Moore presses his guest Mark Weatherford on a meeting he attended in the White House basement.
Mark was initially instructed to use this meeting as a learning experience to see how things worked. Unexpectedly, John, the National Security Advisor, asked Mark his thoughts on an issue, and Mark answered on the spot.
Strong Leadership (6:44)
John asking Mark a security question showed strong leadership because it allowed Mark, who was new to the team, to be included.
When you’re the CISO in charge, you should bring a team lead or a middle manager to meetings, so they can learn and provide input. This type of experience will allow them to build skills and develop confidence, which they will need as they climb the cyber security ladder.
Mentorship Advice (10:29)
Mark advises the younger leader to always look for opportunities to mentor people. Generally, Mark tries to be available to those who ask him to chat about leadership and security.
On the other side, younger people need to be willing to ask for help.
The Mentorship Exchange (16:10)
Steve asks Mark what people should expect from mentorship lunches. Is it just lunch or something more pressing?
Mark explains how in his case, he was friends with his mentor, so they mostly just enjoyed meals together. However, his mentor would ask him questions about work to see how he could help. Of course, different dynamics operate differently, but the main thing mentees should consider about themselves is, “am I coachable?”
Steering The Mentee (19:47)
Mark and Steve discuss how to guide mentees away from vanity. Nowadays, new security professionals may focus more on the job title than on becoming a leader.
Mark then further explains what it means to be coachable: a willingness to take in the tough feedback to improve.
In the Meeting (21:24)
When Mark meets with potential mentees, he’ll give them a homework lesson and ask them what their goals are. He will also ask them what efforts they’ve made to achieve their goals.
With so many CISO opportunities out there, people are getting jobs without putting in the hard work, though having experience is essential.
The New CISO (24:08)
To Mark, being a new CISO is a wide-open field. One must understand the job's responsibilities and be creative with their resources. Ultimately, being a new CISO is having the experience that validates your position in the role.
Be the One Who Gets the Call - The Keys to Landing New Opportunities
In this episode of The New CISO, Steve is joined by guest Mark Weatherford, CISO and Head of Regulated Industries at AlertEnterprise.
After many years in CISO roles, Mark eventually found himself in the White House. Reflecting on his incredible career journey, Mark evaluates the opportunities that led him to success. Listen to part one of this episode to learn more about Mark’s Navy experience, the importance of delegating in leadership, and how to become the guy who always gets the call.
Listen to Steve and Mark discuss when to put the fear aside and embrace the possibility of failure and the willingness to take on new opportunities:
Meet Mark (1:51)
Host Steve Moore introduces our guest today, Mark Weatherford, the current Chief Security Officer at AlertEnterprise, specializing in IT and OT security.
Before starting his cyber security career, Mark wanted to build dams and roads in the Navy. Instead, the Navy had other ideas and picked Mark to be placed in the advanced electronics program, leading him to the CISO industry.
Measuring Your Day (7:21)
Mark measures his work day by the goals his team achieved or when a project is done. Although it’s a different set of standards than when you see a road or other construction projects completed before you, cyber security work can also be assessed.
Life After The Navy (9:08)
By the time Mark started his job at Raytheon, the Navy had a contract to complete a security project with them. While Mark was already determining when he would leave the Navy, Raytheon called him about a position that fit his skillset: building a security operations center from the ground up.
Relying On Your Team (14:14)
Steve presses Mark on what he learned from managing the start of the security operations center. Mark gathered that no one can do everything and that it’s essential to have a core group of leaders to rely on.
Good leadership comes from delegating authority to people without micro-managing, empowering them to excel at their jobs.
Working With Fear (22:07)
“That’s all part of learning. Things are going to break now and then,” Mark explains when expanding on his leadership philosophy.
Reflecting on his own experience with gaining new skills, Mark’s advice to anyone is that mistakes happen when you’re learning. We may be uncomfortable when things are unfamiliar, but as long as we’re not doing anything malicious, we can figure things out.
What Happens Next (24:14)
One day Mark received a call from his boss about a project with the Federal Government in Colorado. A year later, Mark got another call from his next job, leading him to a cabinet position.
Through his impressive work experience, Mark was considered for exciting political opportunities impacting our country.
That’s Politics (28:53)
Mark discovered pretty quickly in politics that people aren’t always truthful. Unfortunately, he understands that this is the industry's nature, and that is how things are. As a result, it’s natural to become wary and not take everything you hear at face value, although Mark still gives people the benefit of the doubt.
Working With The Legislature (31:13)
Mark’s work in government allowed him to influence policy as well. Mark learned about the trade-offs in politics during this experience and why opposition can create barriers to security policy.
Becoming The Terminator’s CISO (34:58)
After leaving Colorado, Mark was called for the opportunity to work for Governor Arnold Schwarzenegger in California.
Mark recognizes that the secret to his success derives from being prepared for new positions when they arise. Mark never directly worked with Governor Schwarzenegger, but...
Learning From a Layoff: Career Growth, Change, and Opportunity
In this episode of The New CISO, Steve is joined by guest Sandy Dunn, Lead Consultant and Founder at Quark IQ.
After spending years in healthcare, Sandy pivoted into a start-up before being laid off. Now embarking on the next stage of her career, Sandy shares the valuable lessons she’s learned and how she embraces life’s challenges. Listen to the episode to learn more about Sandy’s strengths as a CISO, the correlation between motherhood and leadership, and how to navigate the start-up industry.
Listen to Steve and Sandy discuss the benefits of failure and maintaining an authentic mentor/mentee relationship:
Meet Sandy (1:43)
Host Steve Moore introduces our guest today, Sandy Dunn. Sandy has been a CISO for eight years at both a healthcare company and a startup.
As she tackles her newest endeavor as the Lead Consultant at Quark IQ, Sandy acknowledges that her strengths in the cyber security world are her persistence and passion for creating well-functioning systems. Although she may not think of herself as the most brilliant person in the room, her determination has been an asset everywhere she goes.
Nothing To Prove (4:26)
Sandy recognizes the leadership benefits of not needing to prove her brilliance. Since she doesn’t mind admitting when she doesn’t understand something, others can gain clarity, and she can identify unknown issues. She asks the questions others are afraid to ask for the benefit of her team.
Although others may feel subject to imposter syndrome, Sandy reminds listeners that everyone has a vital role in the room.
Having a Softer Side (10:46)
As an executive who is also a mother, Sandy can use that nurturing skill set to motivate and manage her team. Sandy has become a stronger leader by putting her employees’ needs first, much like her children.
Managing In The Moment (13:46)
Steve presses Sandy on how she deals with team members prone to tantrums. Similar to her approach with her children and horses, Sandy’s first instinct is to understand her employees, how they think, and what upsets them. Like what drove her to cyber security, Sandy loves puzzles, including what puzzles her about people.
In general, Sandy believes diversity in views and backgrounds is highly beneficial to a department because different perspectives bring different skills and abilities to the table.
Potential Red Flags (20:09)
Sandy is consistently asked to be a mentor, which she is grateful to do. However, she feels a person lacks curiosity if they ask her questions answerable through a quick Google search.
If someone fails to take the initiative to learn themselves, a job in cyber security would not be a good match for them.
Resume Review (21:38)
During a cyber security career day, Sandy reviewed resumes and determined who she felt were great candidates.
Sandy, also an adjunct professor, found this experience rewarding because she had the chance to talk with and guide individuals on their CISO journeys.
The Mentee/Mentor Relationship (25:21)
Steve and Sandy discuss the mentor and mentee relationship.
Sandy doesn’t love those terms because they’re too official for the nature of the dynamic: relationship-building. Instead of asking someone you admire whether you can be their mentee, ask them what they are working on and how you can help, and a mutually collaborative relationship can form.
Taking A Chance (30:31)
Steve presses Sandy on her move from an established company to a start-up.
Sandy recognized that she was no longer growing as a CISO at her healthcare job, so she jumped into a start-up business. Although she put too much trust into this company before they earned it, she did feel like it was a risk worth...
Protecting Your Revenue with Machine Learning and Data Science
In this episode of The New CISO, Steve is joined by returning guest Steve Magowan, VP of Cyber Security at Blackberry.
Steve returns to dig into the reality of data science and AI and ML in cyber security. Breaking through the buzzwords, Steve understands the current state of technology and how it's used to protect revenue today. Listen to the episode to learn more about communicating expectations, using risk management to generate funding and the current landscape of security threats.
Listen to Steve and Steve discuss educating executives and how utilizing data science in your security program can reduce friction and translate risk:
Welcome Back, Steve (1:45)
Host Steve Moore reintroduces our guest today, Steve Magowan. As a reminder, Steve manages everything security-related for Blackberry, from corporate security development to spearheading IoT initiatives.
When asked to define AI, Steve Magowan explains that what AI means to the security world today is machine learning, both unsupervised and supervised, to prevent risk. In general, AI is still being widely researched and is often a buzzword thrown around, but full-on AI remains theoretical.
Turning AI Into Action (6:22)
Steve asks Steve Magowan how he handles the AI suggestion from executives, who may need more clarification on how this tech is used.
Steve Magowan recognizes that he is a business enabler whose job is not only to protect data but to protect revenue. He would need to keep his company's resources in mind when discussing AI and determine if this type of tech is necessary for the goals ahead.
Protector of Revenue (11:30)
Steve Magowan has the unique position of protecting revenue for his company, an uncommon skill set for CISOs. Steve uses ML technology to map business activities and relate that to security. Having that ability allows him to communicate with executives in business terms to ensure their funds remain safe.
Clear Lines (15:34)
Although Steve has this authority, he believes CISOs should refrain from reporting to a CFO or CIO because their mandates conflict. Although executives wish to simplify their correspondence by going to a CIO for a one-stop shop, conflating their roles with a CISO would downplay both positions and render them less effective.
Understanding Risk Management (19:10)
Steve Magowan always tells leaders that risk management is the language in which security leaders gain money because you can turn security problems into dollars and cents. Pulling data allows you to understand and pitch how to receive resources based on the security issues faced.
Ultimately, Steve's job is not to separate operations and business. His role is not to achieve technical outcomes but business outcomes using technical outcomes.
Walking Through Detection Triggers (27:22)
Steve asks Steve Magowan why the detection of bad things has shifted from signatures to "normal vs. abnormal."
Steve Magowan explains how the landscape has changed and that cybercriminals now have more money to commit crimes and have the same education as security professionals. With cyber criminals getting more clever, ML is the only way to detect patterns that don't make sense, though even that is getting challenging.
Staying Resilient (32:42)
When facing sophisticated threats, you must ensure that you have data backups that cannot be breached and limit the scope of the hacker's blast radius for any hit. There will always be threats, but you must do your best to remain resilient.
The Bias Problem (34:58)
Steve Magowan outlines the risks of building your own ML program, such as personal biases that can skew the results of your data. The biggest lesson is that data...
Life After Breach: How Hospitals Can Protect Patient Data
In this episode of The New CISO, Steve is joined by Jackie Mattingly of Owensboro Health.
With a passion for technology since childhood, Jackie first began her career in IT. Today, she shares how an experience with a malicious insider transitioned her into a career in information security. Listen to the episode to learn more about Jackie’s career journey, navigating company acquisitions, and protecting patients’ data.
Listen to Steve and Jackie discuss the unique challenges of working as a healthcare CISO and handling security breaches:
Meet Jackie (1:51)
Host Steve Moore introduces our guest today, Jackie Mattingly. Jackie is the CISO for Owensboro Health, a three-hospital system in Kentucky serving eighteen counties and two states.
Jackie knew she wanted to work in technology since she was a little girl, first sparked by the game Oregon Trail. Getting her degree in computer programming, Jackie reflects on how she gained the work experience needed to have the career she wanted.
News Days (7:04)
Steve asks Jackie about her time working at a local news publication and if she has met anyone interesting while there. Jackie shares that she mainly worked alone at night, loading the news articles to the website.
The Radiology Center (8:41)
Jackie’s next move into information technology was at a radiology imaging center, whose owner understood the importance of keeping up with technology.
In one of the first radiology centers with an MRI machine, Jackie reflects on connecting the other radiology systems to that machine and what you should consider when working with a new device.
Transitioning Through Acquisitions (13:18)
When Owensboro Health acquired the radiology center, Jackie’s lifestyle changed. Now at a much larger organization with never-ending hours, Jackie had to meet the challenges of serving a 24-hour operation.
Preventing Burnout (17:17)
To prevent her staff from burnout, Jackie rotated calls and cross-trained each person so no matter what, people could take on each other’s roles during their on-call shift.
Jackie would also be available to dive into on-call sessions because she likes to help and get into the weeds of technology.
Leveraging The Team (20:30)
Jackie has tested new technology for her companies throughout her career. Now managing the information technology for a hospital, Jackie recognized the difficulty of getting advanced technology for a larger company.
While it is understandable that the hospital focuses more on patient care than tech, Jackie shares how she and her staff were leveraged to get the hospital’s systems up to par.
Updating The Voice Network (25:43)
Steve presses Jackie on her role in upgrading the hospital’s voice network. With so many providers’ offices and clinics to service, Jackie did have to hire a consulting company to help with the project.
Although Jackie does not have a project management certificate, she does believe that training is valuable.
Phasing Into Information Security (29:32)
One day the FBI showed up at the hospital to state that an employee was stealing patients’ identities through their systems. Still in her IT management role, Jackie was less information security-minded at the time.
Jackie was brought on to navigate this investigation and fell in love with the security world, leading to the next phase of her career. During this time, Jackie learned that she couldn’t quit obsessing over this breach and had the drive to solve security problems.
Becoming The CISO (34:22)
In 2013, Jackie moved from being the IT leader to officially the security leader. She then started auditing access to patients’ charts and...
Building Your Framework for Fulfillment
In this episode of The New CISO, Steve is joined by Demetrios “Laz” Lazarikos, three-time CISO and Co-founder of Blue Lava Security.
A naturally curious child, Laz became interested in technology early, prompting his life-long love of learning. Today, he shares how different lessons from childhood and the Air Force led to his fulfilling CISO career. Listen to the episode to learn more about Laz’s fascinating cybersecurity journey, the influence of his family, and how to become a more effective mentor.
Listen to Steve and Laz discuss his approach to career development and how his passion for learning led to his success:
Meet Laz (1:43)
Host Steve Moore introduces our guest today, Laz Lazarikos. With over thirty years of security experience, Laz wanted to build a platform where security leaders could measure, optimize, and develop their security programs, which he accomplished with Blue Lava.
As a child, Laz’s mother encouraged his interest in technology. Passionate about solving tech problems at an early age, Laz credits his childhood interest as his cyber security start.
Growing Up Greek (6:56)
Laz shares what it was like growing up in a traditional Greek family, which he compares to the film My Big Fat Greek Wedding. From a family of entrepreneurs, Laz felt pressure to take over the family business but instead started a security career.
At twelve years old, Laz’s mother advised him to go to his uncle, a loan shark, for a loan to buy tech, which he paid back with interest. Laz appreciates the lessons he received from his mother and credits her for giving him valuable life experience.
Meeting Carl Sagan (10:46)
At ten years old, Laz heard Carl Sagan, of the original Cosmos fame, speak during a field trip. Much of Carl’s speech resonated with Laz, including that anyone could do anything they wanted if their actions aligned with their goals.
Going Into The Air Force (13:13)
Steve asks Laz about his time in the Air Force. While being recruited, Laz became interested in how systems and machines worked. Before he joined, the Air Force promised he would get much training and education around security communications, which secured his interest.
At seventeen, Laz’s mother allowed him to emancipate, and he officially joined the Air Force and learned foundational lessons for functioning in society.
A Foundation Of Learning (18:30)
Steve presses Laz on what he is doing today in his pursuit of education. Laz shares how his mother took him to the library every weekend as a kid and how his father had him complete writing exercises based on the newspaper.
Today, Laz looks at education as something you can never lose and can apply to life and work. Still a lover of libraries, Laz has three library cards for three cities and looks to history to improve his efforts.
Working Backward To Move Forward (22:32)
In terms of mentorship, Laz recommends thinking about your goals and working backward. This approach has always worked for Laz and other CISOs as well.
Laz puts thought into how he uses his time for personal growth and looks to the great CISOs of history to evaluate actions for success.
MBA Or Side Hustle (30:00)
Steve presses Laz on whether CISOs should get an MBA or do a side hustle to build a security network.
To make this decision, you should evaluate the cost and time investments required and determine if either opportunity is needed for your overarching goals. You have to make choices based on what’s best for you.
Advancing Through Mentorship (36:58)
To Laz, your CISO career boils down to mentorship, and he acknowledges that his mentors were his family and, later, the Air Force. With meaningful relationships, training, and...