Sep 3, 2020
Early Days of Security at Morgan
Steve first began working in cybersecurity at JPMorgan, then known
as Morgan Guaranty. He recounts the attitude towards CISOs in the
1980s, when many people didn’t really have a concept of
cybersecurity or what it looked like. When Steve started, he had to
change access rules and work against the resistance to PCs and
Apple technology in banks. Listen on to hear his stories and how he
overcame skepticism towards cybersecurity.
Building an Active Community
One of the many amazing experiences Steve recounts is how all the data
security officers from the NY banks would get together every three
months. They would spend the morning
eating donuts and drinking coffee, but also exchanging contact
information, discussing what was going on in the field, and
brainstorming together. Before Twitter, or even just the internet, the
CISOs would connect over breakfast and help each other out. In this
episode, Steve recounts how 12 officers from different banks helped
him make a deal with a difficult vendor.
A Board Presentation and its Lessons
One of the best and most valuable stories Steve describes is from
the early 80s, when he and his team discovered several PC viruses.
When he told his boss, Steve had to stand in front of
the Board of Directors with zero prep work and explain what
computer viruses were and how they could impact Morgan. In under
three minutes, he had acquired $400,000 to implement antivirus
techniques. In this episode, he relays the incredible story and the
life lessons he learned about communicating with executives and why
being transparent is best.
Effective Explanations
Steve puts forth his theory on how most executives view
themselves and how this influences the way in which you need to
explain cybersecurity matters. He urges CISOs to go through
everything carefully and logically, and to rehearse their
explanation beforehand. He says the explanation needs to pass the
“grandma test” before you speak to an executive. Listen to the
episode to discover what he means by this. Steve also
illuminates why a lot of security people struggle to explain
themselves. He points to who they surround themselves with and how
they need to shift their thinking when
speaking to leadership.
Unrealistic Expectations and Stress on CISOs
In this episode, we also touch on how studies have shown that
CISOs tend to have high levels of substance abuse, divorce, and
poor physical health, all from stress, as we’ve discussed in
previous episodes. Steve believes the problem is in how we define
what goes with the job. CISOs go in afraid of being fired after a
breach, but the industry hasn’t accepted the fact that a
breach will happen. Every CISO gets fired at some point, but Steve
states that you should get fired for doing the right thing, not the
wrong thing. He encourages CISOs to come into the job by being
clear about what’s feasible and what’s not, and to explain that there’s
no perfect cure, but we can reduce risk and build trust and
credibility with the executives. Most of all, don’t make promises
you can’t keep. On this topic of the relationship to executives,
Steve encourages CISOs to get to know
the leadership before there’s a problem or breach, so they know who
you are when it happens. Let them know why you’re there and what’s
important to them, not to you, by focusing on
business risks. Present these risks as you understand them, their
impact, and the ways you can potentially mitigate them. To help buffer
personal stress, he explains why the ultimate risk is on the
business itself and not on you, and how who you are isn’t the same
as what you do.
What Steve Loves about the Job
While there are many stresses to the job, Steve brings up what he
loves most about it. He feels stimulated by the constant challenges
and loves the cybersecurity community. Listen to the
episode to hear more about why this community means so much to him
and why, in his opinion, it’s the best professional community out
there.
The New CISO
Lastly for Part 1, we discuss what the new CISO means to Steve. His
answer may surprise you. Tune in to the episode to find out what
that is.