Infosecurity transformation and building proactive mitigation strategies
Marcos Christodonte II, CISO at Unqork, spent his career leading information security for large, complex enterprises. His focus on information security began when he served in the U.S. Army, where he spent years identifying vulnerabilities and working on mitigation strategies to protect the network. From there, he served with NATO, where he played a very active role in cultivating a proactive security culture.
After switching to the private sector, he worked at Booz Allen Hamilton, where he advised CISO clients on cybersecurity strategies, and then led information security for a number of departments at Bridgewater Associates. In his latest role before joining Unqork, he served as global CISO at Gartner for nearly four years.
In this interview with Help Net Security, Marcos discusses his path in the industry as well as lessons learned along the way. He talks about the skills gap, the cybercrime economy and offers his predictions for the near future.
You’ve been in the cybersecurity industry for a long time. What career experiences unquestionably shaped the way you are now? What lessons have you learned along the way while at Gartner and Booz Allen Hamilton?
Effective cybersecurity requires deep integration within all aspects of the business—in a seamless, yet tangible way. Achieving this requires security professionals to build stronger business partnerships across a given organization. This doesn’t always come naturally, as security teams are often more siloed than other functional areas in a business. I have seen this firsthand, having been part of, and led, teams that did not have strong business relationships.
Early-on in my career, I realized how important it was to build relationships and trust by aligning strategically with the business and finding ways to add business value.
In one role, I established relationships with business partners to make sure I was brought in early on acquisition discussions and significant process outsourcing programs. In another instance, I helped a business partner gain buy-in on an early SaaS platform migration—back when cloud wasn’t a popular decision due to security concerns. Using the platform helped the business accelerate their HR transformation and paved the way for other secure cloud expansions.
In all these instances, it was relationships that helped deliver business transformations with security embedded by design, and allowed the business to keep pace with evolving cyber threats.
The cybersecurity skills gap is still a major issue, which means there are plenty of opportunities for competent people to build a good career. What advice would you give to those just entering this industry? What pitfalls can they expect?
You are the “CEO” of your career. Approach your career through that lens, and take control over your path.
Focus on work that is challenging, fulfilling, and intellectually stimulating. You should be learning something new every day. Learning is not only essential to your personal growth, it’s critical for keeping up with the rapid pace of innovation and change within the technology industry.
Especially when you are starting out in your career, it can be tempting to focus on general certifications, and seek to learn a little bit about everything. Instead, challenge yourself to master practical, hands-on knowledge. Being an expert on anything – no matter how specific – helps you walk in the door and immediately make a tangible contribution to a team. This is one of the fastest ways to become indispensable to an organization.
Finally, be open to everything. Always be willing to help others and take on new responsibilities, even if they fall outside of your job description. You never know which experiences will inspire you, or which relationships may open doors for you. Sometimes it’s the most unlikely experiences that have the biggest impact on the future of your career.
Year after year, data breach losses continue to rise and the cybercrime economy thrives. What is the cybersecurity industry doing wrong? There’s plenty of innovation, yet most organizations are not even doing security hygiene right.
A lot of the challenges that we are seeing within enterprise cybersecurity are not just security issues – they point to a larger problem within enterprise software.
Most enterprises are still relying on traditional coding to build their mission-critical software. Code takes a long time to master, few people can understand it, and it’s vulnerable to bugs. In house engineering teams are stretched thin and depend on code to build, maintain and protect an entire organization’s software.
Because they are code-based, those applications often contain significant software vulnerabilities on day 1—many that go undetected or unresolved until after a security incident. As every business continues to increase the amount of software it creates, more code is deployed into an organization creating more potential vulnerabilities.
The industry needs a completely different approach to keep up with the speed of technology and business change—and growing backlog of software vulnerabilities for attackers to target. We need to take a step back and examine how our reliance on code is impacting cybersecurity and other business outcomes.
This industry essentially thrives on disaster. Yet, most of the people I’ve talked to over the years would genuinely like to see organizations adopting sound security practices and cybercriminals getting the shorter end of the stick. What do you think about this paradox?
It’s important to remember that, while we do see a lot of reactive spending and action around breaches, there is a much larger opportunity for the industry to be proactive.
While it’s certainly important to respond forcefully when a breach happens, that’s typically just the tip of the iceberg in terms of cybersecurity risks.
It’s important to take a step back and identify issues before they arise and move to solve them. If you approach it in this way, there’s no shortage of opportunity and it makes cybercriminals less successful.
What do you see as the key challenges for the information security industry over the next five years?
We must address the massive amount of legacy code within our institutions, and even the more current software releases deployed with tech debt. Enterprises are creating software at an astonishing rate, which means new vulnerabilities are being created at the same rate.
We need to move fast to identify and resolve the existing backlog of vulnerabilities within legacy code, while also evolving the way we build software to reduce vulnerabilities from the start.