The New CISO

Lessons Learned from the “First CISO” Part 1



Early Days of Security at Morgan

Steve first began working in cybersecurity at JPMorgan, then known as Morgan Guaranty. He recounts the attitude towards CISOs in the 1980s, when many people had no real concept of cybersecurity or what it looked like. When Steve started, he had to change access rules and work against the resistance to PCs and Apple technology in banks. Listen on to hear his stories and how he overcame skepticism towards cybersecurity.

Building an Active Community

One of the many amazing experiences Steve tells is how all the data security officers from the NY banks would get together every three months. They would spend the morning eating donuts and drinking coffee, but also exchanging contact information, discussing what was going on in the field, and brainstorming together. Before Twitter, or even the internet, the CISOs would connect over breakfast and help each other out. In this episode, Steve recounts how 12 officers from different banks helped him make a deal with a difficult vendor.

A Board Presentation and its Lessons

One of the best and most valuable stories Steve describes is from the early 80s, when he and his team discovered several PC viruses. After he told his boss, Steve had to stand in front of the Board of Directors with zero prep work and explain what computer viruses were and how they could impact Morgan. In under three minutes, he had secured $400,000 to implement antivirus techniques. In this episode, he relays the incredible story and the life lessons he learned about communicating with executives and why being transparent is best.

Effective Explanations

Steve puts forth his theory on how most executives view themselves and how this influences the way in which you need to explain cybersecurity matters. He urges CISOs to go through everything carefully and logically, and to rehearse their explanation beforehand. He says your explanation needs to pass the “grandma test” before you speak to an executive. Listen to the episode to discover what he means by this. Steve also illuminates why a lot of security people struggle to explain themselves. He points to who they surround themselves with and how they need to shift their thinking when speaking to leadership.

Unrealistic Expectations and Stress on CISOs

In this episode, we also touch on how studies have shown that CISOs tend to have high levels of substance abuse, divorce, and poor physical health, all from stress, as we’ve discussed in previous episodes. Steve believes the problem is in how we define what goes with the job. CISOs go in afraid of being fired after a breach, but the industry hasn’t accepted the fact that a breach will happen. Every CISO gets fired at some point, but Steve states that you should get fired for doing the right thing, not the wrong thing. He encourages CISOs to come into the job by being clear about what’s feasible and what’s not: explain that there’s no perfect cure, but that we can reduce risk and build trust and credibility with the executives. Most of all, don’t make promises you can’t keep. On the topic of the relationship with executives, Steve encourages CISOs to get to know the leadership before there’s a problem or breach, so they know who you are when it happens. Let them know why you’re there and what’s important to them, not to you, by focusing on business risks. Present these risks as you understand them, their impact, and the ways you can potentially mitigate them. To help buffer personal stress, he explains why the ultimate risk is on the business itself and not on you, and how who you are isn’t the same as what you do.

What Steve Loves about the Job

While there are many stresses to the job, Steve brings up what he loves most about it. He feels stimulated by the constant challenges and loves the cybersecurity community. Listen to the episode to hear more about why this community means so much to him and why, in his opinion, it’s the best professional community out there.

The New CISO

Lastly for Part 1, we discuss what the new CISO means to Steve. His answer may surprise you. Tune into the episode to find out what that is.


Links:

Exabeam: Website

New CISO Podcast

LinkedIn: Steve Katz

The New CISO, by Steve Moore